RH134 - ch11s05

Bookmark this page

Lab: Managing Network Security

Performance Checklist

In this lab, you will configure firewall and SELinux settings to allow access to multiple web servers running on serverb.

Outcomes

You should be able to configure firewall and SELinux settings on a web server host.

From workstation, run the lab netsecurity-review start command. The command runs a start script to determine whether the serverb host is reachable on the network.

[student@workstation ~]$ lab netsecurity-review start

Your company has decided to run a new web app. This application listens on ports 80/TCP and 1001/TCP. Port 22/TCP for ssh access must also be available. All changes you make should persist across a reboot.

If prompted by sudo, use student as the password.

Important: The graphical interface used in the Red Hat Online Learning environment needs port 5900/TCP to remain available as well. This port is also known under the service name vnc-server. If you accidentally lock yourself out from your serverb, you can either attempt to recover by using ssh to your serverb machine from your workstation machine, or reset your serverb machine. If you elect to reset your serverb machine, you must run the setup scripts for this lab again. The configuration on your machines already includes a custom zone called ROL that opens these ports.

From workstation, test access to the default web server at http://serverb.lab.example.com and to the virtual host at http://serverb.lab.example.com:1001.
Test access to the http://serverb.lab.example.com web server. The test currently fails. Ultimately, the web server should return SERVER B.
[student@workstation ~]$ curl http://serverb.lab.example.com curl: (7) Failed to connect to serverb.lab.example.com port 80: Connection refused
Test access to the http://serverb.lab.example.com:1001 virtual host. The test currently fails. Ultimately, the virtual host should return VHOST 1.
[student@workstation ~]$ curl http://serverb.lab.example.com:1001 curl: (7) Failed to connect to serverb.lab.example.com port 1001: No route to host

From workstation, open an SSH session to serverb as student user. The systems are configured to use SSH keys for authentication, so a password is not required.
```
[student@workstation ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$ 
```

Determine whether the httpd service is active.

[student@serverb ~]$ systemctl is-active httpd
inactive

Enable and start the httpd service. The httpd service fails to start.

[student@serverb ~]$ sudo systemctl enable --now httpd
[sudo] password for student: student
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.

Investigate the reasons why the httpd.service service failed to start.

[student@serverb ~]$ systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2019-04-11 19:25:36 CDT; 19s ago
     Docs: man:httpd.service(8)
  Process: 9615 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 9615 (code=exited, status=1/FAILURE)
   Status: "Reading configuration..."

Apr 11 19:25:36 serverb.lab.example.com systemd[1]: Starting The Apache HTTP Server...
Apr 11 19:25:36 serverb.lab.example.com httpd[9615]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:1001
Apr 11 19:25:36 serverb.lab.example.com httpd[9615]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:1001
Apr 11 19:25:36 serverb.lab.example.com httpd[9615]: no listening sockets available, shutting down
Apr 11 19:25:36 serverb.lab.example.com httpd[9615]: AH00015: Unable to open logs
Apr 11 19:25:36 serverb.lab.example.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 11 19:25:36 serverb.lab.example.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Apr 11 19:25:36 serverb.lab.example.com systemd[1]: Failed to start The Apache HTTP Server.

Use the sealert command to check whether SELinux is blocking the httpd service from binding to port 1001/TCP.

[student@serverb ~]$ sudo sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 1001.

*****  Plugin bind_ports (99.5 confidence) suggests   ************************

If you want to allow /usr/sbin/httpd to bind to network port 1001
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 1001
    where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.

*****  Plugin catchall (1.49 confidence) suggests   **************************

...output omitted...

Configure SELinux to allow the httpd service to listen on port 1001/TCP.

Use the semanage command to find the correct port type.

[student@serverb ~]$ sudo semanage port -l | grep 'http'
http_cache_port_t      tcp  8080, 8118, 8123, 10001-10010
http_cache_port_t      udp  3130
http_port_t            tcp  80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t    tcp  5988
pegasus_https_port_t   tcp  5989

Use the semanage command to bind port 1001/TCP to the http_port_t type.

[student@serverb ~]$ sudo semanage port -a -t http_port_t -p tcp 1001
[student@serverb ~]$

Confirm that port 1001/TCP is bound to the http_port_t port type.

[student@serverb ~]$ sudo semanage port -l | grep '^http_port_t'
http_port_t            tcp  1001, 80, 81, 443, 488, 8008, 8009, 8443, 9000

Enable and start the httpd service.

[student@serverb ~]$ sudo systemctl enable --now httpd

Verify the running state of the httpd service.

[student@serverb ~]$ systemctl is-active httpd; systemctl is-enabled httpd
active
enabled

Exit from serverb.

[student@serverb ~]$ exit
logout
Connection to serverb closed.
[student@workstation ~]$

From workstation, test access to the default web server at http://serverb.lab.example.com and to the virtual host at http://serverb.lab.example.com:1001.
Test access to the http://serverb.lab.example.com web server. The web server should return SERVER B.
[student@workstation ~]$ curl http://serverb.lab.example.com SERVER B
Test access to the http://serverb.lab.example.com:1001 virtual host. The test continues to fail.
[student@workstation ~]$ curl http://serverb.lab.example.com:1001 curl: (7) Failed to connect to serverb.lab.example.com port 1001: No route to host

From workstation, log in to serverb as the student user.

[student@workstation ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$

Verify that the default firewall zone is set to public.

[student@serverb ~]$ firewall-cmd --get-default-zone
public

If the previous step did not return public as the default zone, correct it with the following command:
```
[student@serverb ~]$ sudo firewall-cmd --set-default-zone public
```

Determine the open ports listed in the public network zone.

[student@serverb ~]$ sudo firewall-cmd --permanent --zone=public --list-all
[sudo] password for student: student
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Add port 1001/TCP to the permanent configuration for the public network zone. Confirm your configuration.

Add port 1001/TCP to the public network zone.

[student@serverb ~]$ sudo firewall-cmd --permanent --zone=public \
--add-port=1001/tcp
success

Reload the firewall configuration.

[student@serverb ~]$ sudo firewall-cmd --reload
success

Confirm your configuration.

[student@serverb ~]$ sudo firewall-cmd --permanent --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 1001/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Exit from serverb.

[student@serverb ~]$ exit
logout
Connection to serverb closed.
[student@workstation ~]$

From workstation, confirm that the default web server at serverb.lab.example.com returns SERVER B and the virtual host at serverb.lab.example.com:1001 returns VHOST 1.
Test access to the http://serverb.lab.example.com web server.
[student@workstation ~]$ curl http://serverb.lab.example.com SERVER B
Test access to the http://serverb.lab.example.com:1001 virtual host.
[student@workstation ~]$ curl http://serverb.lab.example.com:1001 VHOST 1

Evaluation

On workstation, run the lab netsecurity-review grade command to confirm success of this lab exercise.

[student@workstation ~]$ lab netsecurity-review grade

Finish

On workstation, run the lab netsecurity-review finish script to complete this exercise.

[student@workstation ~]$ lab netsecurity-review finish

This concludes the lab.

Discuss Red Hat System Administration II

Go to community

Is It possible to reset root password when the system is on multi-user.target?

jennifer1987

27 lip 2023

Hi thereWell, i have a question, Is It possible to reset root password when the system is on multi-user.target? I was not be able to found a foro o some information related with this and another question that I have, If the grub menu dont show up, is it posible to reset the root password?

991

Red Hat System Administration II (RH134)

Haley_Ruccio

21 lip 2023

Build the skills to perform the key tasks needed to become a full-time Linux administratorRed Hat System Administration II (RH134) is the second part of the RHCSA training track for IT professionals who have already attended Red Hat System Administration I. The course goes deeper into core Linux system administration skills in storage configuration and management, installation and deployment of Red Hat Enterprise Linux, management of security features such as SELinux, control of recurring system tasks, management of the boot process and troubleshooting, basic system tuning, and command-line automation and productivity. This course assumes that students have attended Red Hat System Administration I (RH124).Experienced Linux administrators who seek rapid preparation for the RHCSA certification should instead start with RHCSA Rapid Track (RH199).This course is based on Red Hat Enterprise Linux 9.0.Course summaryInstall Red Hat Enterprise Linux using scalable methodsAccess security files, file systems, and networksExecute shell scripting and automation techniquesManage storage devices, logical volumes, and file systemsManage security and system accessControl the boot process and system servicesRun containersAudience for this courseThis course is geared toward Windows system administrators, network administrators, and other system administrators who are interested in supplementing current skills or backstopping other team members, in addition to Linux system administrators who are responsible for these tasks:Configuring, installing, upgrading, and maintaining Linux systems using established standards and proceduresProviding operational supportManaging systems for monitoring system performance and availabilityWriting and deploying scripts for task automation and system administrationRecommended trainingSuccessful completion of Red Hat System Administration I (RH124) is recommended.Experienced Linux administrators seeking to accelerate their path toward becoming a Red Hat Certified System Administrator should start with the RHCSA Rapid Track course (RH199).Take our free assessment to gauge whether this offering is the best fit for your skills.Technology considerationsThere are no special technology requirements.This course is not designed for bring your own device (BYOD).Internet access is not required, but is recommended to allow students to research and access Red Hat online resources.

Welcome to the Red Hat System Administration II (RH134) group in the Red Hat Learning Community!

Deanna

18 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat System Administration II! To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH134.Read more about Red Hat System Administration II here.

417

Revision: rh134-8.2-f0a9756