ISE-311 (Spring 2010) Homework Assignment #1
Handout number 3 (100 points, 15% of your overall grade)
Version 1 (1/25/2010)
Due Saturday 2/20/2010 @ 11:59pm

* PURPOSE:

To set up a small Linux system to run a secure Web server, and serve some content. To learn how to install and maintain a Linux server. To write and install a shell script to periodically check the integrity of the Web server. To learn how to use virtualization technologies using VMware Workstation.

* TASK:

This assignment has five sub-tasks: virtual machine configuration, Linux installation, Linux configuration, Apache setup/configuration, and an integrity-checking shell script. They are described in detail below.

1. Configure a Virtual machine using VMware.

To learn how to start VMware, see the class Web site under "Computer Facilities". Set the VM to have the least number of CPUs/cores possible, and no more than 128MB RAM (the less the better). Configure your VM to have a hard disk of the SMALLEST possible size that would suit your needs. Your VM should not have any extra hardware it does not need (high-end graphics? USB? Sound?). The goal is to set up your virtual hardware to be the smallest possible that still runs the Web server effectively, because it would cost less money to buy smaller/cheaper hardware to run a Web server, and it would be more secure. You will be graded on how SMALL you managed to get your VM and still run effectively; we will deduct points for systems that consume too many resources.

Note that you may have to experiment with different disk sizes until you find the optimal size: not too large so as to waste a lot of space, but not too small, so you keep some space for future Web content growth (as well as logs). Also, configure your virtual disks to grow dynamically (not pre-allocated) so you won't consume more space than absolutely needed on the file server.

Please configure your virtual Ethernet card for "bridging" mode, so it gets a public address on the OSLAB.
That way you'd be able to log in to your Web server remotely.

2. Install Linux

Configure your VM to have a virtual CD-ROM drive that uses the local disk file called /home/ise311/CentOS-5.4-i386-bin-DVD.iso: this is the ISO image for the latest 32-bit distribution of CentOS Linux. I've downloaded it for you from www.centos.org, so you won't all have to download this large ISO image yourselves. When you boot from the virtual CD-ROM, the CentOS Linux installation will start. Follow the instructions. You may have to reinstall the system several times until you get it right: using VMs makes this easier.

You will have to choose which options to install your system with, how to partition your disks, how to set up accounts, which packages to install (or not), and so on. It is important that you only install necessary packages and no more: the fewer packages run on your system, the smaller and safer it will be (and the sysadmin will have less to manage). For example, you definitely don't need to install X11/Gnome, because this Web server will be managed using a Command Line Interface (CLI).

Be sure to configure your Ethernet interface for DHCP, so it'll get an address and hostname in the dhcpNNN.oslab.cs.sunysb.edu domain.

In order to help us fix problems for you, we ask that you set up your root account with a password that we will give you in person. This is required for the TAs/graders to start and log in to your VM.

3. Configure and update Linux

After you boot Linux for the first time, log in to it (as root). You will need to turn on/off services that are un/necessary. Keep only the services that are needed and no more. So you'll have to learn what each service that gets installed by default is used for, and decide what to keep or not. See chkconfig(8). At the very least, you need to enable httpd and sshd. Also install/configure ntpd so that your system keeps accurate time. Now, turn off SELinux (a special security system available on Linux).
It is unnecessary at this stage. (Don't worry, we'll get to learn a lot about system security throughout the course.) However, keep the firewall on. You will have to configure the Linux firewall to enable access to ONLY the services that you are enabling: ssh, http, and https.

Next, update your system. It's vital to keep systems up-to-date with the latest patches, especially security patches. Run the "yum" utility to patch your system, and reboot.

4. Setup Apache

Set up the Apache Web server. You'll have to create a self-signed certificate using openssl. This will be used for the secure part of the Web server (https). Set up a simple Web page (index.html) which lists your name and a small message (e.g., "hello world"). Please set up two Web pages: one for the secure/encrypted https Web server, and one for the unencrypted one; each Web page should have different content clearly identifying the http vs. https pages.

Note: Apache has lots of features and options available, including numerous CGI extension modules. You should NOT install any more modules than needed, because they could be abused to break into your server (e.g., if you don't need PHP, then don't install it, or uninstall it if it is already installed).

If you've set up Apache correctly, you should be able to browse it from any Web browser (e.g., a laptop/desktop at home). Be sure to test both your http and https Web pages.

5. Integrity checking shell script

To ensure that your Web server isn't compromised (e.g., by viruses or trojans), you should check that all files related to Web services, and only those files, are monitored. Write a shell script (using /bin/sh) to calculate the checksum (using md5sum or sha1sum) of the Web server files (binaries, libraries, content, etc.). Save the checksum somewhere safe on your system, with a timestamp. Set up the script to run daily from cron(8).
The script should compare the last checksum against the new checksum, and if they differ, it should produce an alert (using logger(1) or an email sent to the administrator -- yourself). Be sure to test your script thoroughly: that it succeeds in detecting a problem, that it doesn't fail arbitrarily, and that it reports its status back to the sysadmin running it. Also, document your script well (comments). Please name your script "monitor-apache.sh" and place a copy of it in /root for our reference (for grading).

* SUBMISSION

At the deadline in question, we will shut off all virtual machines and snapshot your VMs. This snapshot will be what we test. So the snapshot should have everything in it that we need to test your system. (Remember to set the root password to what we said so we can log in to your system.) You must write a text file called README and place it in /root/README. In this file, describe briefly what you've done for the five sub-tasks.

* EXTRA CREDIT (OPTIONAL, total 22 points)

[A] Custom Kernel [10 pts]

The Linux kernel that comes with CentOS is designed to support as many hardware platforms as possible. This makes the kernel bigger than it needs to be, and hence reduces system performance. As a sysadmin, you will often have to optimize performance by reconfiguring the system or compiling software from sources. Pick the latest stable Linux kernel (at the time of this writing it is 2.6.32.6), unpack it in /usr/src, and configure the smallest possible kernel that boots your system and has all of the features you need. Note, you will most definitely have to try to build your kernel multiple times. A good starting point might be "make allnoconfig".

[B] Tripwire [4 pts]

Tripwire is a system for computing checksums on the entire installed system, and alerting on any changes. It's similar to what you are asked to do in the main body of the assignment, but Tripwire is much more comprehensive.
Get the binary RPMs for Tripwire using yum, install them, and configure the system. Test that it works by changing a couple of files (i.e., simulate a trojan attack) and see that Tripwire detects it.

[C] What's My IP Address? [8 pts]

Write a CGI script called myip.cgi, in any CGI language of your choosing (shell, PHP, etc.). Install the CGI on your Web server and test it. When run, the CGI should output the IP address and hostname of the CLIENT machine which tried to browse your Web server. This is often useful for Web server operators to collect logs about who is browsing their content.

Good luck.

* Change History:

1/25/2010: first version
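The firewall step of sub-task 3 (expose ONLY ssh, http and https) as a worked example. This is an added illustration, not part of the handout or a reference solution; it uses the CentOS conventions /etc/sysconfig/iptables, "service iptables" and chkconfig, while the ruleset contents and the "install/show/audit" sub-commands are this example's own choices. The audit helper is the check a grader would run against the live file.

```sh
#!/bin/sh
# Default-deny inbound firewall for the Web server (added example, not
# from the course). Writes the ruleset CentOS loads from
# /etc/sysconfig/iptables and provides an audit of the exposed TCP ports.

# Emit the ruleset in iptables-restore(8) format, which is the format of
# /etc/sysconfig/iptables. Policy DROP on INPUT means anything not listed
# below is silently discarded.
ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened (yum, DNS, NTP)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow ping so the graders can reach the box; all other ICMP is dropped
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# the only listening services exposed: ssh, http, https
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# explicit reject as the last rule so its hit counter is visible in iptables -L -v
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Audit helper: print, space separated, the TCP ports that a ruleset read
# from stdin accepts NEW connections on. Example against the live config:
#   allowed_tcp_ports < /etc/sysconfig/iptables
# The expected answer for this assignment is exactly "22 80 443".
allowed_tcp_ports() {
    sed -n 's/^-A INPUT .*-p tcp .*--dport \([0-9][0-9]*\) .*-j ACCEPT$/\1/p' \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Install the ruleset (run as root): keep a backup of the old file, write
# the new one readable by root only, reload, and make it persist across reboots.
install_firewall() {
    if [ -f /etc/sysconfig/iptables ]; then
        cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
    fi
    ruleset > /etc/sysconfig/iptables
    chmod 600 /etc/sysconfig/iptables
    service iptables restart
    chkconfig iptables on
}

# Sub-commands; with no argument the file only defines the functions above.
case "${1:-}" in
    install) install_firewall ;;
    show)    ruleset ;;
    audit)   ruleset | allowed_tcp_ports; echo ;;
esac
```

After "sh firewall.sh install", confirm from another machine that only 22, 80 and 443 answer, and run "allowed_tcp_ports < /etc/sysconfig/iptables" again after every yum update, since a package can ship its own rules.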
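The integrity checker of sub-task 5, carried through as a working /bin/sh script. This is an added example written for this page, not the course's reference solution; the watched paths (the stock CentOS httpd locations), the state directory /var/lib/monitor-apache, the "init"/"check" sub-commands and the 3 a.m. cron schedule are all assumptions of the example. It records a timestamped baseline, compares a fresh manifest against it, and alerts through logger(1) and mail, which is also what the Tripwire extra credit does at whole-system scale.

```sh
#!/bin/sh
# monitor-apache.sh -- daily integrity check of the Web server files
# (added example, not a reference solution from the course).
# Usage:   monitor-apache.sh init    # take the baseline once the server is final
#          monitor-apache.sh check   # compare against it; meant for cron
# Assumed crontab line:  0 3 * * * /root/monitor-apache.sh check

# Stock CentOS locations: daemon, modules, configuration, content.
WATCH_PATHS="${WATCH_PATHS:-/usr/sbin/httpd /usr/lib/httpd /etc/httpd /var/www}"
STATE_DIR="${STATE_DIR:-/var/lib/monitor-apache}"   # must NOT be under WATCH_PATHS
ALERT_TO="${ALERT_TO:-root}"
CHECKSUM="${CHECKSUM:-sha1sum}"                      # md5sum works the same way

# One "hash  path" line per regular file, sorted bytewise so that two
# manifests of an unchanged tree are identical and comm(1) can compare them.
compute_manifest() {
    # WATCH_PATHS is intentionally unquoted: it is a list of paths.
    find $WATCH_PATHS -type f -exec "$CHECKSUM" {} + 2>/dev/null | LC_ALL=C sort
}

manifest_count() { compute_manifest | wc -l; }

# Record the baseline: a timestamped copy for history plus "baseline", the
# file check_integrity compares against. Readable by root only; keep a copy
# off the box as well, since whoever can alter httpd can alter this directory.
init_baseline() {
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    compute_manifest > "$STATE_DIR/baseline.$stamp"
    cp "$STATE_DIR/baseline.$stamp" "$STATE_DIR/baseline"
    chmod 600 "$STATE_DIR/baseline.$stamp" "$STATE_DIR/baseline"
    echo "baseline: $(wc -l < "$STATE_DIR/baseline") files recorded in $STATE_DIR/baseline.$stamp"
}

# Returns 0 when nothing changed, 1 when files were modified, added or
# removed (details in $STATE_DIR/last-diff), 2 when no baseline exists yet.
# A modified file appears twice in last-diff: its old line (baseline only)
# and its new line (current run only).
check_integrity() {
    [ -f "$STATE_DIR/baseline" ] || return 2
    current="$STATE_DIR/current.$$"
    compute_manifest > "$current"
    LC_ALL=C comm -3 "$STATE_DIR/baseline" "$current" > "$STATE_DIR/last-diff"
    rm -f "$current"
    [ -s "$STATE_DIR/last-diff" ] && return 1
    return 0
}

# Alert through syslog, and by mail when a mail command is present.
alert() {
    logger -t monitor-apache -p auth.alert "$1"
    if command -v mail >/dev/null 2>&1; then
        { echo "$1"; echo; cat "$STATE_DIR/last-diff"; } \
            | mail -s "monitor-apache ALERT on $(uname -n)" "$ALERT_TO"
    fi
}

# Report status back to the sysadmin: a syslog line on success, an alert on
# change, and the exit status for cron and for anyone running it by hand.
main() {
    case "$1" in
        init)  init_baseline ;;
        check)
            check_integrity; rc=$?
            case $rc in
                0) logger -t monitor-apache "OK: $(manifest_count) web server files unchanged" ;;
                1) alert "Web server files CHANGED on $(uname -n); see $STATE_DIR/last-diff" ;;
                2) echo "no baseline yet; run: $0 init" >&2 ;;
            esac
            return $rc ;;
        *) echo "usage: $0 init|check" >&2; return 64 ;;
    esac
}

# Only act when a sub-command is given, so the file can be sourced for testing.
case "${1:-}" in init|check) main "$1" ;; esac
```

Take the baseline only after the last configuration change and after each yum update (a patched httpd binary is a legitimate change), and re-run "init" deliberately rather than letting the script refresh the baseline on its own; an automatic refresh would let an attacker's modification become the new normal.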
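The extra-credit CGI ([C]) written in shell, as an added example rather than the course's own answer. It relies on two variables Apache sets for every CGI, REMOTE_ADDR and (only when HostnameLookups is On) REMOTE_HOST, and on GATEWAY_INTERFACE being set to detect that it is running under the server; the fallback reverse lookup with host(1), the file name's location under the stock ScriptAlias directory /var/www/cgi-bin, and the page wording are assumptions. Because a reverse-DNS name is chosen by whoever controls the client's address space, the script HTML-escapes it before echoing it into the page.

```sh
#!/bin/sh
# myip.cgi -- show the visiting client's IP address and hostname
# (added example, not from the handout). Install as /var/www/cgi-bin/myip.cgi,
# chmod 755, then browse http://<your host>/cgi-bin/myip.cgi

# Escape &, < and > so a hostname containing markup cannot inject HTML into
# our page. The IP comes from the TCP connection, but the reverse-DNS name is
# supplied by the client's network, so treat it as untrusted input.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Apache fills REMOTE_HOST only when HostnameLookups is On (it is Off by
# default for performance), so fall back to a reverse lookup ourselves.
client_hostname() {
    if [ -n "${REMOTE_HOST:-}" ]; then
        printf '%s' "$REMOTE_HOST"
    elif command -v host >/dev/null 2>&1; then
        host "${REMOTE_ADDR:-}" 2>/dev/null | sed -n 's/.* pointer \(.*\)\.$/\1/p' | head -n 1
    fi
}

# Build the full CGI response: header block, blank line, then the body.
render_page() {
    ip=$(html_escape "${REMOTE_ADDR:-unknown}")
    name=$(html_escape "$(client_hostname)")
    [ -n "$name" ] || name="(no reverse DNS)"
    printf 'Content-Type: text/html\r\n\r\n'
    printf '<html><head><title>What is my IP address?</title></head><body>\n'
    printf '<p>Your IP address: %s</p>\n<p>Your hostname: %s</p>\n' "$ip" "$name"
    printf '</body></html>\n'
}

# Apache sets GATEWAY_INTERFACE (e.g. CGI/1.1) for every CGI it runs; when
# the file is merely sourced, only the functions above are defined.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    render_page
fi
```

The same REMOTE_ADDR/REMOTE_HOST pair is what Apache writes into access_log, so the CGI's output should match the log line for the request; that is a quick way to test it from your home machine.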