LTEC 4560

Internet Services Administration

Mr. Santa Maria

Spring 2011

CECS 5450

Building Internet Information Services

Dr. Jones

Spring 2011

This course is offered by the Department of Learning Technologies in the College of Information at UNT. Undergraduate and Graduate degrees are availble. For more information call
1-877-275-7547.

Schedule

Book

The chapters listed below are from the LINUX+ GUIDE TO LINUX CERT
UNT Electronic Books. I have provided a link to the e-books via the UNT portal. If it doesn't work, then you will need to access the UNT Safari portal directly, then select the book that is referenced.

Additional Course Links

Start of Course - January 18 - 31

Readings

Chapter 1: Is an overview of the Linux.
Be sure to pay special attention to the keywords at the end of each chapter and the review questions.
- Open Source
- Internet Services
Chapter 2: Covers the hardware required to support Linux.

Chapter 3: This reviews the install of Linux.
- Basic Linux Usage
- Basic Shell Commands
- Getting Command Help
- Using SSH to connect to the remote server (What is SSH?)
The instructor, during the start of the course, will provide server information.
For this course, we have already installed Linux on the server, but this is an important part of Linux.
The install covered in the 2nd edition of this book is valid for Fedora before 10.
We are using Fedora 14 and the install process has changed a lot, but the basic process is very similar.
The additional course web links above have links to a number of good sites that review the install process.
We did a number of steps during the install to get the system to the stage where you can login.

Chapter 4: Exploring the Linux File System

Time to remote access your system and start working with the command line shell

We want to complete the following things:
1. Using SSH Terminal on your computer access your system. If you do not have a SSH terminal then you need to download PuTTY, a free Telnet/SSH client for Windows. Mac users already have a Terminal program in the Utilities folder under Applications; to connect to your system, open Terminal and run: ssh -l useraccount@systemname
2. Using the information that your instructor sent you, access your system.
  
  Using PuttySSH to login into your server.
3. Learn to use the bash shell (UNT Library: Chapter 7, Bash Shell in Learning RedHat Linux and Fedora)
4. Navigate your Linux system (UNT Library: Part II, Working with Unix Files in Practical UNIX)
5. Learn and run shell commands ( UNT Library: Section 2.1, Common Linux Commands in Linux in a NutShell)
6. Learn vi (Book Learning the vi editor); however you can use the nano editor (which is the improved pico editor). You might find nano easier to use since it is a graphical editor, unlike vi which is a visual line editor)
  
  Using vi and nano
7. You will also need a SFTP program if you plan on uploading or downloading to your system. Windows users can use WINSCP (download). Mac users can try Transmit3.
  
  Basic WinSCP.
8. Add users to the /etc/sudoers file
  What is sudoers?
  1. Switch to the root user:
    $ su
  2. Change the permissions on /etc/sudoers so it can be modified:
    # chmod o+w /etc/sudoers
  3. Edit the /etc/sudoers file with either 'vi' or 'nano':
    # nano /etc/sudoers
    Enter the following at the end of the file (where 'ACCOUNT_NAME' is the name of the user account you want to be able to use the 'sudo' command):
    ACCOUNT_NAME ALL=(ALL) ALL
  4. Save and exit
  5. Change the permissions on /etc/sudoers back its original settings (otherwise the 'sudo' command won't work):
    # chmod o-w /etc/sudoers
  6. Test the 'sudo' command by exiting the root account and reading the last 30 lines of one of the system logs:
    # exit $ sudo tail -n 30 /var/log/messages
9. Create explicit SSH user file to limit ssh access to recognized users
  1. Create the following file, you can use 'vi' or 'nano':
    $ sudo nano /etc/ssh/ssh_allowed_users
    The contents of this file should be the names of user accounts, each on its own line.
  2. Edit the PAM (Pluggable Authentication Module) file for the SSH daemon to use our list of allowed accounts:
    $ sudo nano /etc/pam.d/sshd
    Add the following to the top of the file (should be the first line after "#%PAM-1.0"):
    auth required pam_listfile.so sense=allow item=user file=/etc/ssh/ssh_allowed_users onerr=fail
  3. Save and exit
  4. Restart the SSH daemon:
    $ sudo service sshd restart
10. Learn yum (Yellowdog Updater Modified), update your system as part of assignment 1.
  1. To update your system via the command line:
    $ sudo yum update
  2. To update your system via YUMEX (graphical interface):
    $ sudo yum install yumex $ sudo yumex
  Yum Update
  
  If you do this correctly, you will get a long list of things to update and download. Eventually it will ask you to confirm that you want to proceed. Just follow the directions.
11. Getting sendmail to send off campus
  1. First you have to in stall the Sendmail Configuration File package via 'yum':
    $ sudo yum install sendmail-cf
  2. Next, we edit the configuration file for sendmail using either 'vi' or 'nano':
    $ sudo nano /etc/mail/sendmail.mc
    Change the following line:
    dnl define(`SMART_HOST',`smtp.your.provider')dnl
    To this:
    define(`SMART_HOST',`mailhost.unt.edu')dnl
    And change this line:
    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
    To this:
    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
  3. Save and exit
  4. Next we have to 'make' the changes:
    $ sudo make -C /etc/mail
  5. Restart the sendmail daemon:
    $ service sendmail restart
  6. Edit the /etc/aliases file to setup email forwarding:
    $ sudo nano /etc/aliases
  7. Add the aliases to the end of the file in the following format. Please note that while 'USER_ACCOUNT' is the actual name of the user account, 'GROUP_ALIAS' does not have to correspond to a system group, just a group of email aliases (Note that for group aliases, multiple account aliases must be separated by a comma with NO SPACES in between):
    # Local Aliases USER_ACCOUNT1: users_email@service.com ... # Local Groups GROUP_ALIAS1: USER_ACCOUNT1 GROUP_ALIAS2: USER_ACCOUNT1,USER_ACCOUNT2,USER_ACCOUNT3
    The entry for the root user account is commented out:
    # Person who should get root's mail #root: marc
    Uncomment the line (remove the #) and replace 'marc' with either an account alias, a list of account aliases, or a group aliases:
    root: GROUP_ALIAS1
  8. Save and exit
  9. Commit the changes to the /etc/aliases file:
    $ sudo newaliases
  10. Send an email to the root account from the command line (to end the message, put a sole period on a line and hit Enter):
    mail root Subject: Test email to root This is a test message. .
  Installing Sendmail
12. Install Logwatch to receive nightly emails
  1. Install the Logwatch package via 'yum':
    $ sudo yum install logwatch
  You will now get all system e-mails including the nightly logs. It is your responsibility to read these daily messages and monitor activity on your system.
  
  Note: If your server requires a password to authenticate against a network mailserver the following web site gives some examples of how to setup your system for use on the Verizon network.
13. Install BlockHost in order to limit IP abuse.

February 1 - 21

Readings

Chapter 5: Filesystem Management
Be sure to pay special attention the file permission system and how you use the chmod command.

Chapter 6: Filesystem Admin
If you plan on taking the cert, be sure to read this chapter.

Chapter 7: Adv Installation
If you plan on taking the cert, be sure to read this chapter.

Chapter 8: More Bash Shell
This chapter goes beyond the basics we did earlier in the semester. The ability to pipe and redirect is essential in using the command line.

Chapter 9: System Ini and X Windows
If you plan on taking the cert, be sure to read this first half of the chapter. Be sure to review the X windows system section. We will be using the GNOME desktop.

Chapter 10: Managing Linux Processes
UNIX is a multi processing system, which allows it to run more than one process at a time. This chapter discusses how to manage and control processes. Be sure to review run levels and managing processes.

Assignment 2 - (Web / Apache Install)

Assignment 2 focuses on the following issues. Be sure to examine these issues in the book and online in order to fully understand the concepts and terms:
- What is the Web
- What is HTTP
- What is HTML
- What is Apache
- What is a LAMP install
- What are Firewalls and what do they do and why
Open firewall port 80 for Web Service

Fedora uses what is called IPTABLES to control the firewall on your server. IPTABLES is a rules file that tells the OS which ports should be open and how and who should have access to them. We will be doing the basic setup for Assignment 2. IPTABLES provides a many ways to configure your server to provide protection from outside attacks. One of the best ways to protect your server is to only open ports that you are using and to control access as required. This is in addition to only running software that accesses these ports as required.

Since, we have not enabled remote desktop access yet (assignment 3), we will edit the iptables file by hand using vi or another command line editor. IPTABLES is already installed on your server as the basic install package. You will need to open up ports 80 (http) and 443 (https) to allow the apache server, that we have not started yet, to talk to the outside world via these ports. As discussed in the defition above, a port can be thought of as a conduit between the outside network and software running on your server. While port 80 is the default for web services (and 443 the default for encrypted web services), you can run a web server on any port you want to define depending on conditions you find your server operating in.
1. Edit /etc/sysconfig/iptables:
  $ sudo nano /etc/sysconfig/iptables
2. Enter the folling rules before the last three lines:
  -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
  You can add other rules for other services later if needed. If you would like to see a list of standard ports, you can 'cat /etc/services' to view them.
3. Save and exit
4. Restart the iptables service, so that it reads in the new settings you have created.
  $ sudo service iptables restart
  If this work correctly, you will get the following OKs back. If you get an error message, then go back and look at the file to see if you made a mistake in the edit
```
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
```
  You have now opened up ports 80 and 443. There is way using the GUI to control these ports, but learning to work on the file directly allows you to use SSH to open a session to your server from just about anywhere (like from my iphone now) to be able to control access.
  
  Configuring IPTABLES
Install Apache using yum
1. First, lets check to make sure that httpd is installed:
  $ rpm -qa httpd
2. If nothing outputs from this command, the package is not installed, otherwise it will display the complete name (including version information) of the installed package. If the package needs to be installed, simply run:
  $ sudo yum install httpd
Enable Apache and set to auto-start upon system reboot
1. Check the status of the Apache daemon at boot:
  $ chkconfig --list | grep httpd
  You should see the following:
  httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  These are the various runlevels and the status of the daemon when the computer is booted into these runlevels: runlevel 1 is single-user mode (usually a recovery mode), runlevel 3 is a text-only mode (what a lot of servers run in), and runlevel 5 is a graphical mode (what a desktop computer would normally run).
2. To make the Apache daemon start at boot, run:
  $ sudo chkconfig httpd on
  You can verify the status change with:
  $ chkconfig --list | grep httpd
  You should now see the updated run states:
  httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
3. Start the Apache daemon:
  $sudo service httpd start
  The command should have output:
```
Starting httpd:                                            [  OK  ]
```
  As a further check, lets look at the process table and see if the Apache daemon is running:
  $ ps aux | grep httpd
  You should see something similar to the following:
```
root     17960     1  0 15:14 ?        00:00:00 /usr/sbin/httpd
apache   17962 17960  0 15:14 ?        00:00:00 /usr/sbin/httpd
apache   17963 17960  0 15:14 ?        00:00:00 /usr/sbin/httpd
apache   17964 17960  0 15:14 ?        00:00:00 /usr/sbin/httpd
apache   17965 17960  0 15:14 ?        00:00:00 /usr/sbin/httpd
apache   17966 17960  0 15:14 ?        00:00:00 /usr/sbin/httpd
apache   17967 17960  0 15:14 ?        00:00:00 /usr/sbin/httpd
apache   17968 17960  0 15:14 ?        00:00:00 /usr/sbin/httpd
apache   17969 17960  0 15:14 ?        00:00:00 /usr/sbin/httpd
     						
```
Test Web Server
1. You have now set httpd to autostart on server reset and have started the web server. It should display the default web page if you go to your server.
  Using a browser, enter http://yourserverdomainname
2. If it does not, then you need to check iptables again (did you enter the right enter and did you restart it) and check httpd (did you start it).
Upload new Web Site Page
1. It is now time to upload a web site (or pages) to replace the default page just seen
2. Using whatever web authoring package you like, create a home page for your site. Please create a motif/layout that goes with the name of your system. NOTE: Apache uses index.html as the default startup web page, so make sure your first page in any new web directory is called index.html. We will talk more about how to configure httpd.conf in a bit, when we setup user web areas.
3. You will need to make sure you have the proper permissions to load files into this directory, since the default owner and group is 'root'. You should change the group of the web directory to 'apache', add the appropriate user accounts to the 'apache' group (where USER_ACCOUNT is the actual user account), and give the group the appropriate permissions and restart the webserver:
  $ sudo chgrp -R apache /var/www/html $ sudo usermod -G apache USER_ACCOUNT $ sudo chmod -R g+w /var/www/html $ sudo service httpd restart
4. Uising WINSCP upload the new web content to the default web area of /var/www/html.
5. Using your browser check your new home page. Congrats! You now have a working web server.
Enable User Home Page
1. You now have a server web area. Apache supports the ability to setup user web areas that reside under the user's account. This is handy in several cases. One of the main reasons is that users are then responsble for their own content and you do not have to allow user access to your web directory (/var/www/html) for security issues. Keep in mind, there are some downsides, so the choice of enabling this or not depends on your server needs. We will enable it on your server as a further use of Apache.
2. The first is to edit the httpd configuration file: /etc/httpd/conf/httpd.conf is a very complex settings file. It controls everything to do with the Apache daemon. It would be well advised to make a copy of this file as a backup before you start editing.
3. Edit the httpd.conf file:
  $ sudo nano /etc/httpd/conf/httpd.conf
4. Look for the setting for serving user directories (will be around line 360). You want to change:
  UserDir disable
  To this:
  #UserDir disable
  And right below it is this:
  #UserDir public_html
  Should be changed to this:
  UserDir public_html
5. Save and exit.
6. Restart Apache:
  $ sudo service httpd restart
  You should receive the following output. If you get a status of 'FAILED' on restarting the daemon, then you have an error in your httpd.conf file. Either try to find it or copy back the backup and start the edit again. Mistakes in editing httpd.conf are very unforgiving.
```
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
```
  We have a number of steps now to create a user's public_html area and the open it for outside viewing. This is the more complex part of the process and any problem in this chain can cause a failure notice when you try to access the user web area.
  
  Configuring Public_Html. A run through of the steps that are discussed next.
7. Each student will have to perform the following from their home directory (/home/USER_ACCONT):
  $ mkdir public_html $ sudo chgrp apache /home/USER_ACCOUNT /home/USER_ACCOUNT/public_html $ sudo chmod 711 /home/USER_ACCOUNT $ sudo chmod -R 755 /home/USER_ACCOUNT/public_html $ chcon -R -t httpd_sys_content_t /home/USER_ACCOUNT/public_html $ setsebool -P httpd_enable_homedirs 1
  The last two commands will allow Apache to view the contents of the users' public_html directory with SELinux enabled.
8. Upload or create (via 'vi' or 'nano') a test file into the public_html directory to test the following steps:
  $ nano public_html/index.html
  The file should contain the following:
  <html> <head> <title></title> </head> <body> <h1>SERVER_NAME</h1> </body> </html>
9. Save and exit.
10. View your HTML file by opening a web browser and going to:
  http://SERVER_NAME.lt.unt.edu/~USER_ACCOUNT
  If you don't get the test page, then you missed or made a mistake in one of the above steps. Go back and review.
Upload User Home Page
1. It is now time to upload a web site (or pages) for the empty user home page
2. Using whatever web authoring package you like, create a home page for your user site. Be sure to put your name, photo, and a bio about yourself on the personal page. Also, be sure to provide a link on your system home page to your personal web site. NOTE: Apache uses index.html as the default startup web page, so make sure your first page in any new web directory is called index.html.
3. Uising WINSCP, each student should upload the new web content to their public_html directory.
4. Using your browser check your new home page:
  http://SERVER_NAME.lt.unt.edu/~USER_ACCOUNT
Enabling Virtual Hosts

Many webservers serve more than one domain per each installation. The way they are able to do this is by configuring Apache to serve Virtual Hosts, one Virtual Host per domain.
1. We'll first need to define our Virtual Hosts. This can be done in the main Apache configuration file (/etc/httpd/conf/httpd.conf), though in my experience it's easier to have a separate file for this. We first create the file:
  $ sudo nano /etc/httpd/conf.d/vhosts.conf
2. The first line in the file needs to enable Name-based Virtual Hosting:
  NameVirtualHost *:80
  The '*:80' tells Apache that it will serve Name-based Virtual Hosting on all IPs on the server on port 80.
3. Each site needs its own Virtual Host section. It's usually a good idea to have the first entry be the IP address of the server with its own directory. Each site should have its own directory under the web root (/var/www/html). In this example, the FQDNs for the sites hosted from this server are 'pegasus.lt.unt.edu', and 'pegasus-vh.lt.unt.edu':
```
NameVirtualHost *:80
<VirtualHost *:80>
	ServerName 129.120.117.59
    DocumentRoot /var/www/html/default
</VirtualHost>
<VirtualHost *:80>
	ServerName pegasus.lt.unt.edu
    DocumentRoot /var/www/html/pegasus.lt.unt.edu
    ErrorLog logs/pegasus.lt.unt.edu_error-log
    CustomLog logs/pegasus.lt.unt.edu_access-log common
</VirtualHost>
<VirtualHost *:80>
	ServerName pegasus-vh.lt.unt.edu
    DocumentRoot /var/www/html/pegasus-vh.lt.unt.edu
    ErrorLog logs/pegasus-vh.lt.unt.edu_error-log
    CustomLog logs/pegasus-vh.lt.unt.edu_access-log common
</VirtualHost>
    
```
4. Save and exit
5. If you had a site with multiple FQDNs associated with it, you could use the 'ServerAlias' directive to associate them with a host like so:
```
<VirtualHost *:80>
	ServerName pegasus.lt.unt.edu
    ServerAlias www.pegasus.lt.unt.edu pegasus.learningtechnologies.unt.edu
    DocumentRoot /var/www/html/pegasus.lt.unt.edu
    ErrorLog logs/pegasus.lt.unt.edu_error-log
    CustomLog logs/pegasus.lt.unt.edu_access-log common
</VirtualHost>
    
```
  Please note that the above is just an example, and for this course you will only be assigned two FQDNs for your server.
6. Create the directories for your Virtual Hosts that you defined in the /etc/httpd/conf.d/vhosts.conf file:
  $ sudo mkdir /var/www/html/default/ /var/www/html/pegasus.lt.unt.edu/ /var/www/html/pegasus-vh.lt.unt.edu/
7. Create a test HTML file forea each Virtual Host:
  $ sudo nano /var/www/html/default/index.html <html> <head> <title></title> </head> <body> <h1>129.120.117.59</h1> </body> </html> $ sudo nano /var/www/html/pegasus.lt.unt.edu/index.html <html> <head> <title></title> </head> <body> <h1>pegasus.lt.unt.edu</h1> </body> </html> $ sudo nano /var/www/html/pegasus-vh.lt.unt.edu/index.html <html> <head> <title></title> </head> <body> <h1>pegasus-vh.lt.unt.edu</h1> </body> </html>
8. Restart the Apache daemon:
  $ sudo service httpd restart
9. Open your web browser and go to your server's IP and both FQDNs and make sure you see the correct corresponding test pages.
Enable SSL Connections with Apache

Encrypted web traffic is essential for passing sensitive information over the web. For part of this assignment you will be required to enable encryption via SSL with Apache. The method used in this class takes advantage of an extension to the SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocols called SNI (Server Name Indication). Before this a server could only serve one certificate per IP & port combination, but now we can use TLS with virtual hosting. You can read more about this here.
1. You first need to install the SSL module that Apache will use to establish encrypted connections:
  $sudo yum install mod_ssl
2. Next, you have to generate a Certificate Signing Request. This uses your server's public RSA key as well as some identifying information which will be sent to a Certificate Authority to create the certifcate. Make sure to replace 'pegasus_lt_unt_edu' with the name of your server.
  $ sudo openssl req -new -newkey rsa:2048 -nodes -out pegasus_lt_unt_edu.csr -keyout pegasus_lt_unt_edu.key -subj "/C=US/ST=TEXAS/L=Denton/O=University of North Texas/OU=Learning Technologies/CN=*.lt.unt.edu"
3. This will generate two files: the Certificate Signing Request and the private RSA key. You need to email the .csr file to your instructor so they can send it to a Certificate Authority. Afterwards you need to move the .key file to the default certificate directory and set the appropriate SELinux contexts to them:
  $ sudo mv *.key /etc/pki/tls/private/ $ sudo restorecon /etc/pki/tls/private/*.key
4. Your instructor will email you two files: one will be the public certificate for your server, and the other will be the Certificate Authority's public certificate; put the files in the following directories:
  $ sudo mv pegasus_lt_unt_edu.crt /etc/pki/tls/certs/ $ sudo mv DigiCertCA.crt /etc/pki/tls/certs/ $ sudo restorecon /etc/pki/tls/certs/*.crt
5. The next step is to alter the SSL configuration file that Apache uses, /etc/httpd/conf.d/ssl.conf. First, find the line containing the following:
  <VirtualHost _default_:443>
  Replace it with the following lines:
  NameVirtualHost *:443 SSLStrictSNIVHostCheck off <VirtualHost *:443>
6. Find the following lines:
  #DocumentRoot "/var/www/html" #ServerName www.example.com:443
  And replace the values with those we used in the /etc/httpd/conf.d/vhosts.conf file for the Virtual Host section of the server's IP address:
  DocumentRoot /var/www/html/default ServerName 129.120.117.59
7. Change the 'SSLCertiicateFile' variable to:
  SSLCertificateFile /etc/pki/tls/certs/pegasus_lt_unt_edu.crt
8. Change the 'SSLCertiicateKeyFile' variable to:
  SSLCertificateKeyFile /etc/pki/tls/private/pegasus_lt_unt_edu.key
9. Change the 'SSLCertiicateChainFile' variable to:
  SSLCertificateChainFile /etc/pki/tls/certs/DigiCertCA.crt
10. Add Virtual Host sections for your virtual hosts at the end of the file. Make sure you have the correct paths for your SSL certificate and key directives:
```
    <VirtualHost *:443>
        SSLEngine On
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/pegasus_lt_unt_edu.crt
        SSLCertificateKeyFile /etc/pki/tls/private/pegasus_lt_unt_edu.key
        SSLCertificateChainFile /etc/pki/tls/certs/DigiCertCA.crt
        ServerName pegasus.lt.unt.edu
        DocumentRoot /var/www/html/pegasus.lt.unt.edu
        ErrorLog logs/pegasus.lt.unt.edu_error-log
        CustomLog logs/pegasus.lt.unt.edu_access-log common
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>
    <VirtualHost *:443>
        SSLEngine On
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/pegasus_lt_unt_edu.crt
        SSLCertificateKeyFile /etc/pki/tls/private/pegasus_lt_unt_edu.key
        SSLCertificateChainFile /etc/pki/tls/certs/DigiCertCA.crt
        ServerName pegasus-vh.lt.unt.edu
        DocumentRoot /var/www/html/pegasus-vh.lt.unt.edu
        ErrorLog logs/pegasus-vh.lt.unt.edu_error-log
        CustomLog logs/pegasus-vh.lt.unt.edu_access-log common
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>
        
```
11. Save and exit
12. Restart the Apache daemon:
  $ sudo service httpd restart
13. Open your web browser and go to your server's IP and both FQDNs, but make sure to change the protocol to https:// and make sure you see the correct corresponding test pages.

February 22 - March 21

Assignment 3 - (Remote Desktop Viewing / SWiki)

Assignment 3 focuses on the following issues. Be sure to examine these issues in the book and online in order to fully understand the concepts and terms:
- What is NX NoMachine Software
- What is a wiki
- What is swiki
NX NoMachine - Remote Desktop
1. Go here for the NoMachine Client, Node, and Server Installers for Linux.
2. Download the i386 RPMs.
3. Change your working directory to the location where you saved the package and install it by running from the console as root. We use yum with the options so that the system will install any dependencies it needs. Change the file name based on the download:
  $ sudo yum -y --nogpgcheck localinstall nxclient-3.4.0-7.x86_64.rpm $ sudo yum -y --nogpgcheck localinstall nxnode-3.4.0-14.x86_64.rpm $ sudo yum -y --nogpgcheck localinstall nxserver-3.4.0-14.x86_64.rpm
4. Download the CLIENT software for your system and install.
5. See the directions on accessing a remote system.
An example of setup and use of NX Machine.

March 22 - April 11

Reading: L+ - Chapter 13 Assignment 4 Due - (Mysql, PHP5, Apache2, Joomla Content)
Dynamic Web Web Pages
Basic Server Security
Choosing the right educational application
Assignment 5 Discussion

Assignment 4 - (PHP & Mysql)

Assignment 4 focuses on the following issues. Be sure to examine these issues in the book and online in order to fully understand the concepts and terms:
- What is MYSQL
- What is PHP
- What is Apache
- What are the ports (primary and alternate) that HTTP uses
- How does a web browser talk to the web server
Install PHP & Mysql
1. The following steps will install PHP and MySQL:
  $ sudo yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml-devel mysql mysql-server mysql-workbench phpMyAdmin
2. Edit your /etc/httpd/conf/httpd.conf file, change this:
  DirectoryIndex index.html index.html.var
  To this:
  DirectoryIndex index.html index.htm index.php
  Then insert an AddType declaration (after '#AddType application/x-tar .tgz'):
  AddType application/x-httpd-php .php .html
  Save changes to the file.
3. Restart the Apache daemon:
  $ sudo service httpd restart
4. Go into your web root directory, create/edit a file (with a .html extension) with the following contents:
  <html> <head> <title></title> </head> <body> <?php phpinfo(); ?> </body> </html>
5. Open a web browser and navigate to the page you just created. You should see a series of tables detailing information about your PHP installation and installed modules.
6. Start the MySQL daemon:
  $ sudo service mysqld start
7. By default MySQL comes with one built-in user account: 'root'. This account initially has no password, so it is possible to log in without having to supply one. This is quite undesirable, so the first thing you need to do is create a password:
  $ sudo mysqladmin -u root password "ACTUALPASSWORDHERE"
  The bad thing about this method is that while it is quick and doesn't require us to run any SQL commands, the command will be stored in our .bash_history file, so if our account is ever compromised, the attacker could conceivably have access to the MySQL root password. Therefore once we start using our MySQL graphical database management package of choice, one of our first priorities should be to change this initial password.
8. Log into the MySQL service. First, try it without providing a password:
  $ mysql -u root
  You should be presented with a message similar to "ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)". Now, try it using the password switch:
  $ mysql -u root -p
  You will be prompted for your password. If your credentials are good, you will be presented with a MySQL prompt (mysql> ). Exit MySQL:
  mysql> exit
9. Make sure the MySQL daemon is set to run at boot:
  $ sudo chkconfig mysqld on
10. You have two options for managing your database via a graphical interface, and both will require you to log into your server via the No Machine client. One is a stand-alone application called MySQL Workbench which is developed by MySQL. To access it, on your desktop go to Applications -> Programming -> MySQL Workbench. Tutorials can be found online on how to use it.
  
  The second method is by using phpMyAdmin, which is a web-based application that uses PHP. Open a browser and go to http://localhost/phpmyadmin: you should be presented with a login prompt. Enter your MySQL root user's information. By default phpMyAdmin will only be accessible from the computer it is running on, but this can be changed in the /etc/httpd/conf.d/phpMyAdmin.conf file. It is recommended that you do not open this up to everyone, as phpMyAdmin is a popular MySQL management application and as such your server will be probed for this address by remote hosts with the intention of using brute force attacks to access your database.

April 12 - May 2

Assignment 5 Due - (Dynamic Web Content)

For Assignment 5 we're going to move the database off our host servers and onto a dedicated machine of its own so that it can consolidate databases across multiple systems. We'll be creating an SSH tunnel from our host system to the database server, so that our data is encrypted as it passes between the two.

For this class I have already setup another system (poseidon.lt.unt.edu) running Fedora 14 with a MySQL database installed and running. All student user accounts have been created and should have access to the system via SSH. Some of the steps outlined below I have already done and will indicate that they do NOT need to be carried out in this class, but I have included them if you wish to duplicate this setup in another environment.

Configuring Web Host

We'll start by configuring the system that is hosting our web-based services, which will eventually connect to the centralized database system.
1. The first thing you will want to do is backup your databases. You can do this by logging into phpMyAdmin, selecting your database and clicking the 'Export' tab. Make sure to check 'Save as file' to download your exported data.
2. Next, you'll want to shut down your MySQL daemon and stop it from starting at boot:
  # service mysqld stop # chkconfig mysql off
3. Next, in order for our SSH tunnel to be established without having to be created manually, we'll be using public key authentication, and in order to do so, we must create the keys for our root account:
  # ssh-keygen -t rsa
  Hit Enter to save to the default path (/root/.ssh), and hit Enter when it asks for a passphrase (no passphrase): DO NOT ENTER A PASSPHRASE!
4. Now we must transfer the public key for the root account to the database server. Since the server has been configured to not allow the root account to log in over SSH, you'll have to use your regular user account:
  # scp /root/.ssh/id_rsa.pub USERACCOUNT@poseidon.lt.unt.edu:
5. While we're still on the host system, we can go ahead and make some changes to phpMyAdmin's configuration file (/etc/phpMyAdmin/config.inc.php). Change this line:
  $cfg['Servers'][$i]['host'] = 'localhost';
  To this:
  $cfg['Servers'][$i]['host'] = '127.0.0.1';
6. Also, while we're here, we need to change an SELinux boolean so that Apache can connect to the MySQL database over the network:
  # setsebool -P httpd_can_network_connect_db 1
Configuring Database Server

We've done all we can do on our host machine, so we'll have to move on to the database server. For this course, I have already completed the first five steps, so do not do these now.
1. Install the MySQL server daemon:
  $ sudo yum install mysql mysql-server
2. Edit the MySQL configuration file (/etc/my.cnf). Find this line:
  socket=/var/lib/mysql/mysql.sock
  And comment it out:
  #socket=/var/lib/mysql/mysql.sock
  Also, add the following line right after it:
  bind-address=127.0.0.1
  Save and exit
3. Start the MySQL daemon and set it to run at boot:
  $ sudo service mysqld start $ sudo chkconfig mysqld on
4. Set password for the MySQL root account:
  $ sudo mysqladmin -u root password "ACTUALPASSWORDHERE"
5. Create a user account for the SSH tunnel creation (NOTE: you can name this account anything you want):
  $ sudo useradd tunnel $ sudo passwd tunnel
6. Now we'll have to copy the public key we copied earlier to the authorized_keys file for the SSH tunnel account:
  $ sudo cat /home/USERACCOUNT/id_rsa.pub >> /home/tunnel/.ssh/authorized_keys $ sudo chown -R tunnel:tunnel /home/tunnel/.ssh $ sudo chmod 700 /home/tunnel/.ssh $ sudo chmod 600 /home/tunnel/.ssh/authorized_keys
7. We'll have to set an SELinux boolean to allow SSH to forward ports through the tunnel:
  $ sudo setsebool -P sshd_forward_ports 1
Final Steps on Web Host
1. Back on the web host, we'll first established the SSH tunnel:
  # ssh -fNL 3306:127.0.0.1:3306 tunnel@poseidon.lt.unt.edu
  What this command does is binds our port (3306) to an IP address (127.0.0.1) and connects it to the remote port (3306) on the remote system (poseidon.lt.unt.edu) that we will connect to with public key authentication against the remote user account (tunnel).
  
  To test the connection, run the following:
  $ mysql -h 127.0.0.1 -u root -p
  If after entering the password you're presented with a MySQL prompt (mysql> ), then everything is working.
2. Open a browser and go to your phpMyAdmin installation, using the password for the new database root account. If you're successful, create the database that you had on your local MySQL server and import the data that you exported earlier.
3. If everything is working, the last step is to add the following to the /etc/rc.local file, which is run at boot:
  ssh -fNL 3306:127.0.0.1:3306 tunnel@poseidon.lt.unt.edu

LTEC 4560

CECS 5450

Schedule

Book

Additional Course Links

Start of Course - January 18 - 31

Readings

Time to remote access your system and start working with the command line shell

February 1 - 21

Readings

Assignment 2 - (Web / Apache Install)

Open firewall port 80 for Web Service

Install Apache using yum

Enable Apache and set to auto-start upon system reboot

Test Web Server

Upload new Web Site Page

Enable User Home Page

Upload User Home Page

Enabling Virtual Hosts

Enable SSL Connections with Apache

February 22 - March 21

Assignment 3 - (Remote Desktop Viewing / SWiki)

NX NoMachine - Remote Desktop

March 22 - April 11

Assignment 4 - (PHP & Mysql)

Install PHP & Mysql

April 12 - May 2

Assignment 5 Due - (Dynamic Web Content)

Configuring Web Host

Configuring Database Server

Final Steps on Web Host