RH134 - ch11s05

Bookmark this page

Lab: Manage Network Security

In this lab, you configure firewall and SELinux settings to allow access to multiple web servers that run on the same host.

Outcomes

Configure firewall and SELinux settings on a web server host.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start netsecurity-review

Instructions

Your company decided to run a new web application. This application listens on the 80/TCP and 1001/TCP ports. All changes that you make must persist across a reboot.

Important

The Red Hat Online Learning environment needs the 5900/TCP port to remain available to use the graphical interface. This port is also known under the vnc-server service. If you accidentally lock yourself out from the serverb machine, then you can either try to recover by using the ssh command to your serverb machine from your workstation machine, or reset your serverb machine. If you elect to reset your serverb machine, then you must run the setup scripts for this lab again. The configuration on your machines already includes a custom zone called ROL that opens these ports.

From the workstation machine, test access to the default web server at http://serverb.lab.example.com and to the http://serverb.lab.example.com:1001 virtual host.
Test access to the http://serverb.lab.example.com web server. The test currently fails. The web server should return SERVER B.
[student@workstation ~]$ curl http://serverb.lab.example.com curl: (7) Failed to connect to serverb.lab.example.com port 80: Connection refused
Test access to the http://serverb.lab.example.com:1001 virtual host. The test currently fails. The virtual host should return VHOST 1.
[student@workstation ~]$ curl http://serverb.lab.example.com:1001 curl: (7) Failed to connect to serverb.lab.example.com port 1001: No route to host

[student@workstation ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$

Determine whether the httpd service is active.

[student@serverb ~]$ systemctl is-active httpd
inactive

Enable and start the httpd service. The httpd service fails to start.

[student@serverb ~]$ sudo systemctl enable --now httpd
[sudo] password for student: student
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.

Investigate why the httpd service fails to start.

[student@serverb ~]$ systemctl status httpd.service
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Wed 2022-04-13 06:55:01 EDT; 2min 52s ago
       Docs: man:httpd.service(8)
    Process: 1640 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 1640 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..."
        CPU: 31ms

Apr 13 06:55:01 serverb.lab.example.com systemd[1]: Starting The Apache HTTP Server...
Apr 13 06:55:01 serverb.lab.example.com httpd[1640]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:1001
Apr 13 06:55:01 serverb.lab.example.com httpd[1640]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:1001
Apr 13 06:55:01 serverb.lab.example.com httpd[1640]: no listening sockets available, shutting down
Apr 13 06:55:01 serverb.lab.example.com httpd[1640]: AH00015: Unable to open logs
Apr 13 06:55:01 serverb.lab.example.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 13 06:55:01 serverb.lab.example.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Apr 13 06:55:01 serverb.lab.example.com systemd[1]: Failed to start The Apache HTTP Server.

Check whether SELinux is blocking the httpd service from binding to the 1001/TCP port.

[student@serverb ~]$ sudo sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 1001.

*****  Plugin bind_ports (99.5 confidence) suggests   ************************

If you want to allow /usr/sbin/httpd to bind to network port 1001
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 1001
    where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.

*****  Plugin catchall (1.49 confidence) suggests   **************************
...output omitted...

Configure SELinux to allow the httpd service to listen on the 1001/TCP port.

Use the semanage command to find the correct port type.

[student@serverb ~]$ sudo semanage port -l | grep 'http'
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

Bind the 1001/TCP port to the http_port_t type.

[student@serverb ~]$ sudo semanage port -a -t http_port_t -p tcp 1001

Confirm that the 1001/TCP port is bound to the http_port_t port type.

[student@serverb ~]$ sudo semanage port -l | grep '^http_port_t'
http_port_t            tcp      1001, 80, 81, 443, 488, 8008, 8009, 8443, 9000

Enable and start the httpd service.

[student@serverb ~]$ sudo systemctl enable --now httpd

Verify the running state of the httpd service.

[student@serverb ~]$ systemctl is-active httpd
active
[student@serverb ~]$ systemctl is-enabled httpd
enabled

Return to the workstation machine as the student user.

[student@serverb ~]$ exit
logout
Connection to serverb closed.
[student@workstation ~]$

From workstation, test again access to the default web server at http://serverb.lab.example.com and to the http://serverb.lab.example.com:1001 virtual host.
Test access to the http://serverb.lab.example.com web server. The web server should return SERVER B.
[student@workstation ~]$ curl http://serverb.lab.example.com SERVER B
Test access to the http://serverb.lab.example.com:1001 virtual host. The test continues to fail.
[student@workstation ~]$ curl http://serverb.lab.example.com:1001 curl: (7) Failed to connect to serverb.lab.example.com port 1001: No route to host

[student@workstation ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$

Verify that the default firewall zone is set to the public zone.
```
[student@serverb ~]$ firewall-cmd --get-default-zone
public
```
If the previous step does not return public as the default zone, then correct it with the following command:
```
[student@serverb ~]$ sudo firewall-cmd --set-default-zone public
```

Determine the open ports that are listed in the public network zone.

[student@serverb ~]$ sudo firewall-cmd --zone=public --list-all
[sudo] password for student: student
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Add the 1001/TCP port to the permanent configuration for the public network zone. Confirm your configuration.

Add the 1001/TCP port to the public network zone.

[student@serverb ~]$ sudo firewall-cmd --permanent --zone=public \
--add-port=1001/tcp
success

Reload the firewall configuration.

[student@serverb ~]$ sudo firewall-cmd --reload
success

Verify your configuration.

[student@serverb ~]$ sudo firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 1001/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Return to the workstation machine as the student user.

[student@serverb ~]$ exit
logout
Connection to serverb closed.
[student@workstation ~]$

From workstation, confirm that the default web server at http://serverb.lab.example.com returns SERVER B, and that the virtual host at http://serverb.lab.example.com:1001 returns VHOST 1.
Test access to the http://serverb.lab.example.com web server.
[student@workstation ~]$ curl http://serverb.lab.example.com SERVER B
Test access to the http://serverb.lab.example.com:1001 virtual host.
[student@workstation ~]$ curl http://serverb.lab.example.com:1001 VHOST 1

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade netsecurity-review

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish netsecurity-review

This concludes the section.

Discuss Red Hat System Administration II

Go to community

Is It possible to reset root password when the system is on multi-user.target?

jennifer1987

27 lip 2023

Hi thereWell, i have a question, Is It possible to reset root password when the system is on multi-user.target? I was not be able to found a foro o some information related with this and another question that I have, If the grub menu dont show up, is it posible to reset the root password?

991

Red Hat System Administration II (RH134)

Haley_Ruccio

21 lip 2023

Build the skills to perform the key tasks needed to become a full-time Linux administratorRed Hat System Administration II (RH134) is the second part of the RHCSA training track for IT professionals who have already attended Red Hat System Administration I. The course goes deeper into core Linux system administration skills in storage configuration and management, installation and deployment of Red Hat Enterprise Linux, management of security features such as SELinux, control of recurring system tasks, management of the boot process and troubleshooting, basic system tuning, and command-line automation and productivity. This course assumes that students have attended Red Hat System Administration I (RH124).Experienced Linux administrators who seek rapid preparation for the RHCSA certification should instead start with RHCSA Rapid Track (RH199).This course is based on Red Hat Enterprise Linux 9.0.Course summaryInstall Red Hat Enterprise Linux using scalable methodsAccess security files, file systems, and networksExecute shell scripting and automation techniquesManage storage devices, logical volumes, and file systemsManage security and system accessControl the boot process and system servicesRun containersAudience for this courseThis course is geared toward Windows system administrators, network administrators, and other system administrators who are interested in supplementing current skills or backstopping other team members, in addition to Linux system administrators who are responsible for these tasks:Configuring, installing, upgrading, and maintaining Linux systems using established standards and proceduresProviding operational supportManaging systems for monitoring system performance and availabilityWriting and deploying scripts for task automation and system administrationRecommended trainingSuccessful completion of Red Hat System Administration I (RH124) is recommended.Experienced Linux administrators seeking to accelerate their path toward becoming a Red Hat Certified System Administrator should start with the RHCSA Rapid Track course (RH199).Take our free assessment to gauge whether this offering is the best fit for your skills.Technology considerationsThere are no special technology requirements.This course is not designed for bring your own device (BYOD).Internet access is not required, but is recommended to allow students to research and access Red Hat online resources.

Welcome to the Red Hat System Administration II (RH134) group in the Red Hat Learning Community!

Deanna

18 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat System Administration II! To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH134.Read more about Red Hat System Administration II here.

417

Revision: rh134-9.0-fa57cbe