Exercise 7

1 Introduction: exercise 7

In the final exercise, you set up a firewall for KONE2 with UFW, and Let's Encrypt for KONE1. In addition, there is also a tiny cron exercise.

2 Steps

2.1 SSH restrictions with iptables and cron (KONE1)

2.1.1 Testing with once a minute

Make a cron job that allows ssh login only every other minute (every odd or every even minute). You can do this either by stopping the service or by adding an iptables rule that blocks the ssh port.

2.1.2 Make SSH open daytime only

When the previous step works, change it so that SSH is only enabled between 7:00 and 21:00.

2.2 Make NFS use only certain ports (KONE2)

NFS and the daemons it needs allocate random ports by default. That's challenging if you have a firewall. Before you enable UFW, configure these daemons to use fixed ports that you also open in the firewall. Below are the changes that you need to make to achieve this. You might have to restart the VM after these changes to apply them.

/etc/default/nfs-common

STATDOPTS="--port 4000 --outgoing-port 4001"

/etc/default/nfs-kernel-server

RPCMOUNTDOPTS="--manage-gids --port 4002"

/etc/default/quota (new file)

RPCRQUOTADOPTS="-p 4005"

/etc/modprobe.d/lockd.conf (new file)

options lockd nlm_udpport=4003 nlm_tcpport=4003
options nfs callback_tcpport=4004

2.3 Enable UFW (KONE2)

Here's a link to the Ubuntu community wiki page about UFW. See also the man page for reference. Make rules so that all the provided services work as usual while blocking everything else. Limit ssh connections with ufw limit ssh/tcp.

2.4 Setup Let's Encrypt (KONE1)

Enable HTTPS on lighttpd.

2.4.1 Enable ties478.fun domain

The ties478.website domain expires soon. We have a new domain, ties478.fun, which was way cheaper and funnier. Make lighttpd serve the old .website page on the new .fun domain (just edit the existing config).

2.4.2 Install certbot

apt-get install certbot

2.4.3 Get the certificate

In the following command, replace WEBROOT with the path to the .website/.fun domain's webroot (where the index file with text "tarzan" is located).

Run certbot certonly --webroot -w WEBROOT -d KONE1.ties478.fun. Follow the given instructions.

2.4.4 Setup certificate with lighttpd

You can find the new certificates in /etc/letsencrypt/live/KONE1.ties478.fun. Inside the folder you should find privkey.pem and cert.pem. Concatenate those and put the result in the same folder in the file both.pem. To allow lighttpd access to those files, allow group access to the directory and change the group to www-data.

2.4.5 Enable HTTPS

Write the following in a configuration file and enable it:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.ca-file = "/etc/letsencrypt/live/KONE1.ties478.fun/chain.pem"
    ssl.pemfile = "/etc/letsencrypt/live/KONE1.ties478.fun/both.pem"
}

2.4.7 (Bonus) SSL hardening

The simplest working configuration can be vastly improved for security. See this guide on how and why to enable HSTS. And here's a list of tinfoil-approved ciphers.

2.4.8 In case HTTPS doesn't work anymore

You have to renew the certificate every 90 days. Every time you renew it, remember to concatenate the key and the certificate! This is easily automated though.
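One way to automate the concatenation from 2.4.4 so that a renewal (2.4.8) never leaves lighttpd with a stale both.pem. This is an added example, not part of the exercise sheet; it assumes the lineage directory layout described above, the www-data group, and a lighttpd config at /etc/lighttpd/lighttpd.conf.

```shell
#!/bin/sh
# Added example: a certbot deploy hook that rebuilds both.pem after every
# renewal and reloads lighttpd, so HTTPS keeps working past the 90-day mark.
# Assumptions: web server group www-data, config at /etc/lighttpd/lighttpd.conf.
set -eu

WEB_GROUP="www-data"
LIGHTTPD_CONF="/etc/lighttpd/lighttpd.conf"

# build_pemfile LIVE_DIR
# Concatenate privkey.pem and cert.pem (in that order) into both.pem,
# written root-only at first and swapped in atomically.
build_pemfile() {
    live="$1"
    [ -r "$live/privkey.pem" ] && [ -r "$live/cert.pem" ] || return 1
    ( umask 027; cat "$live/privkey.pem" "$live/cert.pem" > "$live/both.pem.new" )
    mv "$live/both.pem.new" "$live/both.pem"
}

# pemfile_ok FILE
# Prints "ok" when FILE holds exactly one private key and at least one
# certificate, "bad" otherwise: a cheap sanity check before reloading.
pemfile_ok() {
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    if [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]; then echo ok; else echo bad; fi
}

# deploy LIVE_DIR: rebuild both.pem, fix access for lighttpd, test config, reload.
deploy() {
    live="$1"
    build_pemfile "$live"
    [ "$(pemfile_ok "$live/both.pem")" = ok ] || { echo "both.pem malformed" >&2; exit 1; }
    chgrp "$WEB_GROUP" "$live/both.pem"
    chmod 640 "$live/both.pem"
    chmod g+rx "$live"
    # chain.pem (ssl.ca-file) is a symlink into ../../archive, so that
    # directory must stay traversable by the web server group as well.
    lighttpd -t -f "$LIGHTTPD_CONF"          # refuse to reload a broken config
    systemctl reload lighttpd
}

# certbot exports RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Install it with certbot renew --deploy-hook /path/to/this-script, or drop it into /etc/letsencrypt/renewal-hooks/deploy/ so the cron-driven renewal picks it up.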

2.5 Finish

  • Check and install any updates. Both VMs must be up to date. Restart if you have any system updates, e.g. a kernel update.
  • Run checker script.

2.6 After exercise is done and approved

  • Lonkas 7 and 8 have to be cleaned after the exam. If you are affected, make sure that you have moved out everything you want to keep.
  • More instructions later.

Date: 2019-03-08T13:32+0200

Author: Janne Uusitupa
