RHCSA Rapid Track

Bookmark this page
P1234567891011121314151617
PreviousNext

Lab: Manage Network Security

Configure firewall and SELinux settings to allow access to multiple web servers that run on the same host.

Outcomes

  • Configure firewall and SELinux settings on a web server host.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command prepares your environment and ensures that all required resources are available.

[student@workstation ~]$ lab start netsecurity-review

Instructions

Your company decided to run a new web application. This application listens on the 80/TCP and 1001/TCP ports. All changes that you make must persist across a reboot.

Important

The Red Hat Online Learning environment needs the 5900/TCP port to remain available to use the graphical interface. This port is also known under the vnc-server service. If you accidentally lock yourself out from the serverb machine, then you can either try to recover by using the ssh command to your serverb machine from your workstation machine, or reset your serverb machine. If you elect to reset your serverb machine, then you must run the setup scripts for this lab again. The configuration on your machines already includes a custom zone called ROL that opens these ports.

  1. From the workstation machine, test access to the default web server at http://serverb.lab.example.com and to the http://serverb.lab.example.com:1001 virtual host.

    1. Test access to the http://serverb.lab.example.com web server. The test currently fails. The web server should return SERVER B.

      [student@workstation ~]$ curl http://serverb.lab.example.com
curl: (7) Failed to connect to serverb.lab.example.com port 80: Connection refused

    2. Test access to the http://serverb.lab.example.com:1001 virtual host. The test currently fails. The virtual host should return VHOST 1.

      [student@workstation ~]$ curl http://serverb.lab.example.com:1001
curl: (7) Failed to connect to serverb.lab.example.com port 1001: No route to host

  2. Log in to the serverb machine to determine what is preventing access to the web servers.

    1. Log in to the serverb machine as the student user.

      [student@workstation ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$

    2. Determine whether the httpd service is active.

      [student@serverb ~]$ systemctl is-active httpd
inactive

    3. Enable and start the httpd service. The httpd service fails to start.

      [student@serverb ~]$ sudo systemctl enable --now httpd
[sudo] password for student: student
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.

    4. Investigate why the httpd service fails to start.

      [student@serverb ~]$ systemctl status httpd.service
× httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Wed 2022-04-13 06:55:01 EDT; 2min 52s ago
       Docs: man:httpd.service(8)
    Process: 1640 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
   Main PID: 1640 (code=exited, status=1/FAILURE)
     Status: "Reading configuration..."
        CPU: 31ms

Apr 13 06:55:01 serverb.lab.example.com systemd[1]: Starting The Apache HTTP Server...
Apr 13 06:55:01 serverb.lab.example.com httpd[1640]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:1001
Apr 13 06:55:01 serverb.lab.example.com httpd[1640]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:1001
Apr 13 06:55:01 serverb.lab.example.com httpd[1640]: no listening sockets available, shutting down
Apr 13 06:55:01 serverb.lab.example.com httpd[1640]: AH00015: Unable to open logs
Apr 13 06:55:01 serverb.lab.example.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 13 06:55:01 serverb.lab.example.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Apr 13 06:55:01 serverb.lab.example.com systemd[1]: Failed to start The Apache HTTP Server.

    5. Check whether SELinux is blocking the httpd service from binding to the 1001/TCP port.

      [student@serverb ~]$ sudo sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 1001.

*****  Plugin bind_ports (99.5 confidence) suggests   ************************

If you want to allow /usr/sbin/httpd to bind to network port 1001
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 1001
    where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.

*****  Plugin catchall (1.49 confidence) suggests   **************************
...output omitted...

  3. Configure SELinux to allow the httpd service to listen on the 1001/TCP port.

    1. Use the semanage command to find the correct port type.

      [student@serverb ~]$ sudo semanage port -l | grep 'http'
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

    2. Bind the 1001/TCP port to the http_port_t type.

      [student@serverb ~]$ sudo semanage port -a -t http_port_t -p tcp 1001

    3. Confirm that the 1001/TCP port is bound to the http_port_t port type.

      [student@serverb ~]$ sudo semanage port -l | grep '^http_port_t'
http_port_t            tcp      1001, 80, 81, 443, 488, 8008, 8009, 8443, 9000

    4. Enable and start the httpd service.

      [student@serverb ~]$ sudo systemctl enable --now httpd

    5. Verify the running state of the httpd service.

      [student@serverb ~]$ systemctl is-active httpd
active
[student@serverb ~]$ systemctl is-enabled httpd
enabled

    6. Return to the workstation machine as the student user.

      [student@serverb ~]$ exit
logout
Connection to serverb closed.
[student@workstation ~]$

  4. From workstation, test again access to the default web server at http://serverb.lab.example.com and to the http://serverb.lab.example.com:1001 virtual host.

    1. Test access to the http://serverb.lab.example.com web server. The web server should return SERVER B.

      [student@workstation ~]$ curl http://serverb.lab.example.com
SERVER B

    2. Test access to the http://serverb.lab.example.com:1001 virtual host. The test continues to fail.

      [student@workstation ~]$ curl http://serverb.lab.example.com:1001
curl: (7) Failed to connect to serverb.lab.example.com port 1001: No route to host

  5. Log in to the serverb machine to determine whether the correct ports are assigned to the firewall.

    1. Log in to the serverb machine as the student user.

      [student@workstation ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$

    2. Verify that the default firewall zone is set to the public zone.

      [student@serverb ~]$ firewall-cmd --get-default-zone
public

    3. If the previous step does not return public as the default zone, then correct it with the following command:

      [student@serverb ~]$ sudo firewall-cmd --set-default-zone public

    4. Determine the open ports that are listed in the public network zone.

      [student@serverb ~]$ sudo firewall-cmd --zone=public --list-all
[sudo] password for student: student
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

  6. Add the 1001/TCP port to the permanent configuration for the public network zone. Confirm your configuration.

    1. Add the 1001/TCP port to the public network zone.

      [student@serverb ~]$ sudo firewall-cmd --permanent --zone=public \
--add-port=1001/tcp
success

    2. Reload the firewall configuration.

      [student@serverb ~]$ sudo firewall-cmd --reload
success

    3. Verify your configuration.

      [student@serverb ~]$ sudo firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 1001/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

    4. Return to the workstation machine as the student user.

      [student@serverb ~]$ exit
logout
Connection to serverb closed.
[student@workstation ~]$

  7. From workstation, confirm that the default web server at http://serverb.lab.example.com returns SERVER B, and that the virtual host at http://serverb.lab.example.com:1001 returns VHOST 1.

    1. Test access to the http://serverb.lab.example.com web server.

      [student@workstation ~]$ curl http://serverb.lab.example.com
SERVER B

    2. Test access to the http://serverb.lab.example.com:1001 virtual host.

      [student@workstation ~]$ curl http://serverb.lab.example.com:1001
VHOST 1

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade netsecurity-review

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish netsecurity-review

PreviousNext
Revision: rh199-9.3-8dd73db