Chapters 15-21 - Exam 3 - Microcomputers & Networks

Users

- After installation, your linux server will have a single account called "root" - This is the administrative account, and has full permissions to do anything on the server - Individual accounts can be added with the 'adduser' command - Accounts may be removed with the 'userdel' command - Accounts can be changed with the 'usermod' command

Certificates

- Another basic level of security is to use the HTTPS protocol, rather than unencrypted HTTP. - To accomplish this, you need to register with a certificate authority. - A certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. - This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. - Many CA's are for-profit companies. - Trusted certificates can be used to create secure connections to a server via the Internet. - A CA issues digital certificates that contain a public key and the identity of the owner. - The matching private key is not made available publicly, but kept secret by the end user who generated the key pair. - The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate

Apache Virtual Host

- Apache HTTP Server is configured by placing directives in plain text configuration files. - httpd configuration files contain one directive per line. - The backslash "\" may be used as the last character on a line to indicate that the directive continues onto the next line. - There must be no other characters or white space between the backslash and the end of the line. - Arguments to directives are separated by whitespace. If an argument contains spaces, you must enclose that argument in quotes - Directives in the configuration files are case-insensitive, but arguments to directives are often case sensitive. - Lines that begin with the hash character "#" are considered comments, and are ignored. - The default port (80) can be changed in /etc/apache2/ports.conf - By default, Ubuntu does not allow access through the web browser to any file apart of those located in /var/www, public_html directories (when enabled) and /usr/share (for web applications). - For a server with only one user/web structure, this may be sufficient. But for multiple users, you likely will separate uses files out into their own folders (~user/public_html, for example) - You can add, or remove folders from being accessible by the web server in the configuration files.

SSH

- By default, password authentication is used to connect to your Linode via SSH. - SSH is an encrypted connection - An SSH key pair consists of a private and a public key, usually an RSA pair. - The public key is added to servers you wish to connect to and the private key should be secured on your local machine with strict access rules. - A private key can be encrypted when generated so that only individuals with the decryption password will be able to use the key, even if the key pair itself becomes compromised. - A password is only used to unlock the private key locally and is not transmitted to the remote host.

Apache Configuration

- Configuration for the apache web server is contained within the folder /etc/apache2 - This configuration is spread over several different areas: /etc/apache2/apache.conf contains server wide configuration information. /etc/apache2/conf-available contains a list of configuration files /etc/apache2/conf-enabled the configuration files that are currently being used - By having separate "available" and "enabled" lists, we can more quickly switch back and forth between different configurations. - Apache provides a number of ways to configure the behavior of your web server on a very narrow per-directory and even per-file level - Apache must be restarted for any changes in the configuration files to be implemented.

DHCP Configuration

- Domain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified domain names (FQDN) to one another. - Ubuntu ships with BIND (Berkley Internet Naming Daemon), the most common program used for maintaining a name server on Linux. - To install: apt install bind9 - There are many ways to configure BIND9. Some of the most common configurations are a caching nameserver, primary master, and as a secondary master. - The DNS configuration files are stored in the /etc/bind directory. The primary configuration file is /etc/bind/named.conf. - It contains a list of other files with details to be served.

Permissions

- Each file has 3 possible permissions, read, write, execute. - Each of these permissions can be assigned for three possible groups: user, group, world - File permissions are listed as 3 letters, and 3 groups. They are "read/write/execute" for "user/group/world" - A dash "-" says "no permission in that column - The "chmod" command can be used to change permissions. - Options include + or -, and the characters r, w, or x for read/write/execute - If you imagine a permission group "rwx" as an binary number, where a 1 is "on" and a 0 "off" for that attribute. The number "111" would be "read/write/execute" all "on". In binary that is 7. - If you then combine the three groups into 3 octal numbers, you can use chmod to set all 9 permissions using those numbers - If you then combine the three groups into 3 octal numbers, you can use chmod to set all 9 permissions using those numbers - 640, would be "6 for user", "4 for group", "0 for world". - 6 is 110, 4 is 100, and 0 is 000. So "read & write for user, read for group, nothing for world".

Password Policies

- If using simple password authentication, it is a good idea to put some password policy in place to force users to use better passwords. - The application "chage" can handle expiring passwords, forcing users to regularly change them. It is built into Ubuntu.

Domain Name Registration

- In order to register your own domain name, you will need to purchase a name from a registrar, then configure the DNS services - This involves letting the registrar know the address of your DNS server. In the previous example we already configured our DNS to serve our 'example.com' domain. - Most registrars have a simple web interface for registering, and pointing to your DNS. - For linode hosted servers, DNS is provided by linode, and isn't necessary on your server - You simply configure your linode with the domain name, and tell the registrat to use the linode DNS servers

Postfix

- Is part of Linode's recommended mail server build. It's modern, security-oriented, and very flexible. It is slightly simpler to set up than Exim. - Postfix's MDA is part of the Postfix MTA software. Postfix is a modern, security-oriented, flexible MTA.

LVM

- Linux also includes a more advanced file system management system using Logical Volume Management - Creating single logical volumes of multiple physical volumes or entire hard disks (somewhat similar to RAID 0, but more similar to JBOD), allowing for dynamic volume resizing. - Managing large hard disk farms by allowing disks to be added and replaced without downtime or service disruption, in combination with hot swapping. - On small systems (like a desktop), instead of having to estimate at installation time how big a partition might need to be, LVM allows filesystems to be easily resized as needed. - Performing consistent backups by taking snapshots of the logical volumes. - Encrypting multiple physical partitions with one password. - LVM can be considered as a thin software layer on top of the hard disks and partitions, which creates an abstraction of continuity and ease-of-use for managing hard drive replacement, repartitioning and backup. - LVM uses volume groups, physical volumes, and logical volumes: A Volume Group is a named collection of physical and logical volumes. Typical systems only need one Volume Group to contain all of the physical and logical volumes on the system, and I like to name mine after the name of the machine. Physical Volumes correspond to disks; they are block devices that provide the space to store logical volumes. Logical volumes correspond to partitions: they hold a filesystem. Unlike partitions though, logical volumes get names rather than numbers, they can span across multiple disks, and do not have to be physically contiguous.

Linux Overview

- Linux is a family of free and open-source software operating systems. - The defining component of a Linux distribution is the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds - Adoption of Linux in production environments, rather than being used only by hobbyists, started to take off first in the mid-1990s in the supercomputing community, where organizations such as NASA started to replace their increasingly expensive machines with clusters of inexpensive commodity computers running Linux. - Today, Linux systems are used throughout computing, from embedded systems to virtually all supercomputers, and have secured a place in server installations such as the popular LAMP application stack. - Linux have also become popular in the netbook & smart phone market. Android is based on Linux.

Filesystem

- Linux uses a hierarchical filesystem.

Dovecot

- MDA and Dovecot's LMTP server are part of the Dovecot IMAP/POP3 server. Dovecot is a lightweight, modern, and configurable mail server. - Is a lightweight, modern, and configurable mail server, and is part of Linodes recommended mail server build.

MySQL Configuration

- Many applications use databases as their data storage and data access logic solutions. - Ubuntu has several database options available for installation, with MySQL being a poplar choice - MySQL runs as a 'database server' in linux, and can be configured to be accessible from the server itself, or externally by other systems. - MySQL is a central component of the LAMP open-source web application software stack. LAMP is an acronym for "Linux, Apache, MySQL, Perl/PHP/Python". - MySQL is also used in many high-profile, large-scale websites, including Facebook, Twitter, Flickr, and YouTube. - Connecting to a MySQL server, even from the local machine requires authentication. Applications will have to ''log in' with an account and password. - MySQL allows you to create accounts, and then flag which databases those accounts have access to. - This is a "many to many" type relationship, databases can have many authorized users, users can have many authorized databases, with any of the above privileges available - Account creation and permission handling is handled within the mysql interface, using SQL commands - To connect to the mysql interace, you can enter the mysql command with the -u parameter to specify the user - The installation creates a "root" user, which has full access to the database. - mysql is a simple SQL shell with input line editing capabilities. It supports interactive and non-interactive use. - SQL commands are just text commands, so you can put many into a file, and use the shell directives to send those commands to MySQL - The "<" operator says to send the file on the right as the input to the program on the left. So the commands in "script.sql" would be effectively just typed in at the prompt for mysql

Filesystem Management

- Often, a server will contain not just one, but multiple different storage devices. - Linux does not use "drive letters" for disks, but allows them to be attached to any folder - An example of a common use for this would be to have user data on its own storage volume, separate from the operating system files. That way, if a user 'fills up' the user area, the operating system section would still have space available. - The word volume is used to describe a storage device, like a hard disk. It can also refer to a part of the storage on that device, because you can split the storage up into chunks. - The computer makes this storage accessible via your file system in a process referred to as mounting. Mounted volumes may be hard drives, USB drives, DVD-RWs, SD cards, and other media. If a volume is currently mounted, you can read (and possibly write) files on it. - Often, a mounted volume is called a partition, though they are not necessarily the same thing. A "partition" refers to a physical area of storage on a single disk drive. Once a partition has been mounted, it can be referred to as a volume because you can access the files on it. You can think of volumes as the labeled, accessible "storefronts" to the functional "back rooms" of partitions and drives.

Process Management

- Programs running on your server are listed as processes, and identified with a unique process id. - Two commands can be used to monitor processes; top: provides a regularly updated ps: provides a static snapshot of all running processes

Package Management

- The "apt" command is used as the gateway for software management on Ubuntu. - "app install" is the primary method for installing new software. - "app-install" not only installs software, but it also: Checks to see if any additional is software is needed as well. Some software depends on other software to run. Sets automatically configures most packages to have automatically start when the computer boots. - To uninstall software, use "apt remove" - If you would like to also remove all configuration data associated with the app, add the --purge option to apt-remove - You can use "apt search <search term>" to look for a package

Remote Access & Command Line "Shell"

- The term "Shell" is used to describe the specific piece of software that handles interaction with the operating system. - Though Ubuntu comes with a graphical shell, in a server environment we will be accessing it remotely, through a command line interface. - The free program "PuTTY" can be used to remotely connect to the server, allowing us to enter commands.

MyPHPAdmin

- There are a few alternatives for a more graphical based interface for database management - PHPMyAdmin provides a web based administration tools, that has a graphical user interface, and allows more easy management of a MySQL server - Security is a concern, however, as the web site will accessible through your web server - MyPHPAdmin can be installed through the standard package management system: apt intall phpmyadmin - Since it uses web & php, both apache and PHP will need to be installed and configured beforehand.

Operating System Updates

- There are arguments for and against automatic updates on servers. - Some things which might make your machine a good candidate for automatic updates are: You are unlikely to apply updates manually for whatever reason(s). The machine is not critical and occasional unplanned downtime is acceptable. You can live without remote access to the machine until you can get to its physical location to resolve problems. You do not have any irreplaceable data on the machine, or have proper backups of such data. - Some things which might make your machine be a bad candidate for automatic updates are: It provides a critical service that you don't want to risk having unscheduled downtime. You installed custom software, compiled software from source, or use third party software that has strict package version requirements. You installed a custom kernel, custom kernel modules, third party kernel modules, or have a third party application that depends on kernel versions Your environment requires meticulous change-control procedures.

PHP Configuration

- To install php with the most common functionality, we actually need to install several applications apt install php php-pear php-mysql libapache2-mod-php - This includes the base php language, as well as the mysql module (used later in this course), and the apache integration. - After the install, PHP will be enabled for everything in our /var/www/html folder, but not user folders - The primary configuration file for php is /etc/php/7.2/apache2/php.ini

Groups

- You may also create groups for users. - Each user may be in many groups, and each group may have many users. - Groups are useful for classifying users, and assigning permissions based on that classification. - For example, we could define a group called "bis4513", put a group of student accounts in that group, and then create a folder where everyone in that group could access it. - Creating a group can be done with the "groupadd" command. - "groupdel" deletes groups - Adding users to groups can be done with the usermod command. - If you are "root", you can change other account passwords using the "passwd"