System Administration 2018/19 spring

Use the apt or aptitude package manager to update the local package indexes:

• Using apt :
  • # apt update
  • It is a good practice to do it each time you intend to install something with apt
• In aptitude you can just press "u" button.

Use the aptitude's interactive interface to install the suggested security updates. If you prefer the apt command line, refer to it's manual and find a way to install the security updates

• You may find out that there is no explicit way to tell apt to install just the security updates omitting regular ones.
• Therefore aptitude is more preferable for this task (gives a possibility to select what to update).
• I you decide to update everything, then it is enough to use apt .

• In the ( <vm_name>.est ) zone file, add following CNAME records:
  • www pointing to <vm_name>.est
  • webmail pointing to <vm_name>.est
  • monitor pointing to <vm_name>.est
  • info pointing to <vm_name>.est
  • test pointing to <vm_name>.est
• Think of the other routines (actions) that are required when changing Zone files.

• Install Apache Web Server
  • # apt install apache2
• Add the default Security group in ETAIS called web with tcp ports 80 and 443 to your Virtual machine, if necessary.

Repeat following actions for www.<vm_name>.est, webmail.<vm_name>.est and test.<vm_name>.est :

• Create a virtual host root directories. The contents of these directories will be published to web via HTTP. For www.<vm_name>.est, /var/www/html directory is created during apache installation for default page (usually web pages are located in /var/www folder). For other virtual hosts, create /var/www/vhosts/name-of-the-virtual-host directories (like webmail that you defined as a CNAME; e.g. /var/www/vhosts/webmail).
• Create a configuration file for each virtual host. The file must be in the /etc/apache2/sites-available/ directory. As the file name, use virtual-host-name.conf - e.g. webmail.conf, <vm_name>.conf, (name does not actually matter, it just makes it easier for you to keep track of things)
• Into the virtual host configuration file just created, add the configuration directives to define a new name-based virtual host. This is just an example (given below), you should insert correct values

  
  <VirtualHost *:80>
    ServerName InsertRightValueHere
    DocumentRoot InsertRightValueHere
  
    ErrorLog ${APACHE_LOG_DIR}/InsertRightValueHere-error.log
  
    # Possible values include: debug, info, notice, warn, error,
    # crit, alert, emerg.
    LogLevel warn
  
    CustomLog ${APACHE_LOG_DIR}/InsertRightValueHere-access.log combined
  </VirtualHost>
  
  
• Overview of the important parameters/directives for the virtual host you will need to set:
  • ServerName - the full DNS name for virtual host i.e. webmail.student-test.est
  • DocumentRoot - virtual host root directory, for webmail would be /var/www/vhosts/webmail
  • ErrorLog, CustomLog - error log and access (query) log for the virtual host - the name and location of log files can be set to any value, but we recommend to stick to common values e.g.: ${APACHE_LOG_DIR}/webmail-error.log and ${APACHE_LOG_DIR}/webmail-access.log combined
  • For easier troubleshooting change LogLevel to debug

NB! Did you complete this activity to all three (3) virtualhosts www, webmail and test.

• Disable default site.
  • e.g. a2dissite 000-default.conf
• Enable www, webmail and test web-sites.
  • e.g a2ensite webmail.conf

Before we restart apache we should check if the configuration is OK for this run:

• # apache2ctl configtest (should return OK!)
• Restart apache service.
  • systemctl restart apache2.service)

• In the root directory for each virtual host, create an index.html file. The content of this file can be freely chosen, but the files of different virtual host must be different and clearly state which index.html file it is displaying. Also, all the different sites need to at least have their domain name on the page. Example page at test.student-test.est.
• For the www.<your-domain>.est virtual host, create an index.html file that contains links to front pages to the rest of the virtual hosts, every link on separate line.
  • This index.html should also have a string of www.<vm_name>.est somewhere inside it for Nagios to test.

For the www.<your-domain>.est virtual host, enable the user web pages functionality (enable userdir module) - set the UserDir directive to public_html (in <your-host> site declaration). The rest of your virtual hosts must not be affected by this configuration!

• As the scoring account, create a public_html directory under the account's home directory. The access rights for public_html directory must be 705, access rights for the scoring's home directory must be 701.
• In the public_html directory, create an index.html file with text " scoring user homepage " so our scoring server can verify its served properly.
• For almost every module you have appropriate configuration file in mods-available folder. Check the content of userdir module configuration file and change it if needed.
  • Disable userdir module for cloud generated default user called debian (you have to figure out which parameter and how to change yourself).
    • Hint userdir module is disabled for root user by default.
• In order to allow specific module or configuration to only one site its configuration needs to be added to only that particular virtualhost configuration file. Your first idea might be to copy userdir.conf content to www.<yourdomain>.est config file, but it wont work as you also need to copy content of userdir.load that actually loads the module. Better way to enable specific module for specific Virtualhost is to add a Include statement to it into Virtualhost configuration file you want to enable it. Difference with normal configuration scripts available in conf-available folder is that you also need to load a specific *.load file and this must be before module *.conf file. If you *.load for 2 or more virtualhost configurations you would get Apache warning module already loaded etc... So nice thing would be to check if module is loaded before adding it to configuration. Therefore in www Virtualhost configuration file add following lines:

<IfModule !mod_userdir.c>
  Include mods-available/userdir.load
</IfModule>
  Include mods-available/userdir.conf

• More about Apache Include directive can be read here https://httpd.apache.org/docs/current/mod/core.html#include

• If you have not now you should disable userdir module with command a2dismod userdir

• Enable and start/restart the Apache web server (service name is apache2)
  • # apache2ctl restart

Install the php7 package:

# apt install php7.0 php7.0-mysql

• The installation process should also automatically include corresponding Apache module, so we just need to check if it works.
• Create new virtual host description for info.<yourdomain>.est
  • Refer to previous parts of manual how to do it.
  • Dont forgot to enable the site and make a DocumentRoot folder for it
  • Restart web server after installation: # apache2ctl restart
• Create a file containing the information for PHP installed on the system. This function should return general php information. The file should be located in /var/www/vhosts/info. The file name should be index.php.

<?php echo phpinfo(); ?>

• create a new folder called pictures into /var/www folder
  • copy / download into /var/www/pictures at least 3 pictures (i.e. https://opengameart.org provides archives with free / open images)
• Edit test.<your-domain>.est configuration file and add alias statement so test.<your-domain>.est/images will be served from /var/www/pictures
• Try to understand if <Directory> directive is needed? PS! If yes add it.
  • Read about Require directive and allow everybody access to alias and directory http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require
• restart Apache service
  • NB! Think about which permissions the web server needs to access these files!

• Under the info site configuration (info.<your-domain>.conf):
  • add alias /phpinfo should point to /var/www/vhosts/info
  • add <Location> directive for /phpinfo so that the PHP info page info.<your-domain>.conf/phpinfois only accessible from machines in your domain.
    • Between the <Location> directives add the following lines:

Require host <yourdomain>.est
Require ip 127.0.0.1
Require ip 193.40.154.247

• Add any other hosts you want access from.
• Apache processes virtual hosts in alphabetical order, and server administrators can prioritize Apache's virtual host processing by prefixing a virtual host's configuration file name with a number. Therefore, if info.<your-domain>.conf is not alphabetically first file in /etc/apache/sites-enable add a 0 (zero) in the the info site configuration file name, so it will be served first when accessing http://127.0.0.1:80

• Enable the status module only for info.<your_domain>.est Virtualhost
• Read Apache manual and as specified there enable info.<your_domain>.est/server-status only for: localhost, 193.40.154.247, <yourdomain>.est and your personal machine.
• For easier testing lets also enable it for whole site. In virtualhost configuration (outside any location directive) put following lines:

 DirectoryIndex disabled
 SetHandler server-status

• Inside <Location "/phpinfo"> directive add 2 lines:

 DirectoryIndex index.php
 RemoveHandler server-status

• Configure mod_info module only to be available for info.<your_domain>.est/server-info address
  • We can achieve it by enabling module info (NB! Enable module info now)
  • Look at the content of mods-enabled/info.conf file and copy the content of it into info.<your_domain>.est configuration file.
  • Now you can remove the mods-enabled/info.conf file.
    • PS! Do not remove mods-enabled/info.load file.
  • Edit the configuration copied from info.conf earlier so that /server-info should be similarly to /server-status and /phpinfo only accessible from:
    • localhost,
    • 193.40.154.247,
    • <vm_name>.est,
    • your personal client machine / laptop.

• In the test site configuration file, create a new Alias named /secure, add the correct <Location> directive for the Alias to be available from everywhere for easier testing
• Inside the <Location> directive we are going to use htpasswd utility.
  • Set AuthType to Basic
  • Set AuthUserFile to /etc/htpasswd/.htpasswd
  • Set AuthName to "Login with htpasswd utility!"
  • Set Require to valid-user. This will enable that all the users specified in the .htpasswd file get access when entering correct username and password.
• htpasswd utility is already installed with Apache server. So we only need to create the .htpasswd file now.
  • Make a new directory called htpasswd under directory /etc.
  • Go inside the newly created directory. When running command pwd, the correct output should be /etc/htpasswd.
  • To create a new .htpasswd file, run the command

    htpasswd -c /etc/htpasswd/.htpasswd UserNameHere
    

    This will ask for a password for the user you are adding to the .htpasswd file.
  • To add users to .htpasswd file, run the command

    htpasswd /etc/htpasswd/.htpasswd UserNameHere
    

• Install PAM packages.

# apt install libapache2-mod-authnz-external pwauth

• Enable authnz_external module.
• In the test site configuration file, create a new Alias named /pam, add the correct <Location> directive for the Alias to be available from everywhere for easier testing
• In the same configuration file as in the last point, add the following lines:

<IfModule mod_authnz_external.c>
  AddExternalAuth pwauth /usr/sbin/pwauth
  SetExternalAuthMethod pwauth pipe
</IfModule>

This will add PAM to the external authentication list if the authnz_external module is enabled.

• Inside the <Location> directive we are going to use PAM.
  • Set AuthType to Basic
  • Set AuthName to "Login with PAM"
  • Set AuthBasicProvider to external
  • Set AuthExternal to pwauth
  • Set Require to valid-user. This will enable that all the users that are in the system get access when entering correct username and password.

Install MySQL Client and Server software:

• # apt-get install mysql-server mysql-client
  • Opposed to the previous MySQL packages in previous Debian distributions MariaDB will not ask for a password for the database administrator (also called “root”). Instead you will be able to manage all databases by just running mysql in your shell when you are logged in as “root”.
  • By default installer should start the mysql service and enable it on startup, but it is a good practice to check it.

With the MySQL command line tool, log in to your MySQL server:

• # mysql

Now you are connected to the database and can issue SQL commands. First create the database:

• mysql> CREATE DATABASE roundcubemail;

We also need to create a MySQL user called ‘mailuser’ that gets access to that database. Instead of “ChangeMe” use the password you prefer.

• mysql> CREATE USER 'mailuser'@'127.0.0.1' IDENTIFIED BY 'ChangeMe1';

…and mailadmin user to allow you to manage the database:

• mysql> CREATE USER 'mailadmin'@'localhost' IDENTIFIED BY 'ChangeMe2';

The admin needs read and write access to the database:

• mysql> GRANT ALL ON roundcubemail.* TO 'mailadmin'@'localhost';

The other account just needs read permissions:

• mysql> GRANT SELECT ON roundcubemail.* TO 'mailuser'@'127.0.0.1';

Lets add a mailtester account with read-only permission and password 12345 too.

• mysql> CREATE USER 'mailtester'@'localhost' IDENTIFIED BY '12345';
• mysql> GRANT SELECT ON roundcubemail.* TO 'mailtester'@'localhost';
• mysql> SELECT User, Host, Password FROM mysql.user;
• mysql> exit

Install the phpMyAdmin package:

• # apt-get install phpmyadmin

PHPMyAdmin creates an own small SQL database on your server to store configuration data. So you will get asked:

• Choose yes to configure database with dbconfig-common

The installer will also create a database access user to allow PHPMyAdmin to access its own database. That password does not matter much to you.

• Just press Enter to get a randomly created password:

You will also get asked which web server software you want to use. Select Apache:

• Choose apache2 server (need to press space to select)

The installer will create a file /etc/phpmyadmin/apache.conf that needs to be included in your Apache virtual host so you can access with your web browser. Edit the file /etc/apache2/sites-available/test.<vm_name>.est.conf and put this line anywhere between the <VirtualHost> and the </VirtualHost> tags but before any other “Include” lines:

• Include /etc/phpmyadmin/apache.conf

Reload the Apache process:

• service apache2 reload

Now lets install roundcube

• # apt install roundcube roundcube-plugins roundcube-plugins-extra php-net-sieve

Take a look at the file /usr/share/roundcube/SQL/mysql.initial.sql (that can be used to create default database for roundcube). So let the database magically be created...

• # mysql roundcubemail < /usr/share/roundcube/SQL/mysql.initial.sql

Now lets enable alias /roundcube and with it whole roundcube

• # nano /etc/apache2/conf-enabled/roundcube.conf
  • Uncomment line Alias /roundcube /var/lib/roundcube
• Restart Apache service

All roundcube configuration is available at /etc/roundcube

• Look at the config.inc.php file, search for the db_dsnw setting nano -> CTRL+W -> search word -> ENTER:
  • you may notice that only occurrence is in the comment ...

Do not set db_dsnw here, use dpkg-reconfigure roundcube-core to configure database ! Basically what it says is that you should run the command dpkg-reconfigure roundcube-core command and everything would be configured automatically for you. Dont do it yet, we will complete the task manually (for educational purposes) and then will reinstall everything with automated installation. Add a following line at the end of file /etc/roundcube/config.inc.php

• $config['db_dsnw'] = 'mysql://mailadmin:secretpassword@localhost/roundcubemail';
  • The word "secretpassword" has to be replaced with the password that you chose for the mailadmin user earlier.
  • Restart Apache service (YES Apache as roundcube is not a separate service but a configuration / webpage in Apache)

• Visit http://webmail.<vm_name>.est/roundcube and try to log in:
  • Create a new user called mailtester with password 12345 if its not it yet please change so teachers could test your roundcube.
  • Server: localhost
  • it should work and you should be capable of sending and receiving e-mail.
• Log out and log in again with http://webmail.<vm_name>.est/roundcube and try to log in:
  • User: mailtester
  • Password: 12345
  • Server: <vm_name>.est (e.g. student-test.est)
  • it should not work and result in error displayed clearly in dovecot log file...

cat /var/log/dovecot/dovecot.log. (YES it is dovecot ... as once again roundcube is not "proper" service on its own thus does not provide method for authentication, roundcube uses IMAP that we configured in dovecot and already used to connect with Thunderbird. Only problem is that we configured it to not allow log in with cleartext passwords, but as we have not configured our Apache to be secure yet we are not allowed to log in.)

To test our theory lets enable plaintext password for now.

• nano /etc/dovecot/conf.d/10-auth.conf
  • Set disable_plaintext_auth = no

• First create a folder /etc/ssl/cacert and change your working directory to it ( PS! All following command execute at /etc/ssl/cacert folder).
• # cd /etc/ssl/cacert
• # cp /etc/ssl/openssl.cnf /etc/ssl/cacert/openssl.cnf
• # wget http://scoring.sa.cs.ut.ee/files/cacert.pem
• # wget http://scoring.sa.cs.ut.ee/files/cakey.pem
• # mkdir certs crl newcerts private
• # echo 01 > serial
• # touch index.txt
• # nano openssl.cnf
• Find the block [ CA_default ] section and under it configure
  • dir = /etc/ssl/cacert
  • unique_subject = no (uncomment)
  • default_md = sha512
• Find the block [ req ] section and under it configure:
  • default_bits = 4096
• Find the block [ req_distinguished_name ] section and under it configure:
  • countryName_default = EE
  • stateOrProvinceName_default = Tartumaa
  • localityName_default = Tartu (you must add it manually to correct place)
  • 0.organizationName_default = System Administration course
  • organizationalUnitName_default = Institute of Computer Science
• Find the block [ usr_cert ] section and under it configure:
  • subjectAltName=@alternate_names
• Add the block at the end of file [ alternate_names ]

[ alternate_names ]
DNS.0 = *.<vm_name>.est
DNS.1 = <vm_name>.est
DNS.2 = mail.<vm_name>.est

• Save the changes.

Everybody will use same CA certificates to sign your server certificate with. Teachers created it for you with a command ... (DO NOT execute this command it is here for informational purpose only $openssl req -new -x509 -keyout /etc/ssl/cacert/private/cakey.pem -out /etc/ssl/cacert/cacert.pem -config /etc/ssl/cacert/openssl.cnf). In real world you would have to make a certificate request send it to CA and in few days get answer. To speed things up we will give you also CA private key that normally is very-super-extra SECRET thing but as our CA certificates are only used for educational purpose we can afford to make that "BIG" mistake.

• # cd /etc/ssl/cacert - makes sure you are in right folder
• # wget -O private/cakey.pem http://scoring.sa.cs.ut.ee/files/cakey.pem - Download CA secret private key.
• # wget -O cacert.pem http://scoring.sa.cs.ut.ee/files/cacert.pem - Download ca public key

Let' generate the new private key first:

• # openssl genrsa -out newkey.pem 4096

Now lets make certificate request for your domain

• # openssl req -new -key newkey.pem -out newreq.pem -days 360 -config /etc/ssl/cacert/openssl.cnf
  • If asked use ENTER to select default value from openssl.cnf or if needed provide a new one
  • Country = EE
  • State = Tartumaa
  • Locality = Tartu
  • Organization = System Administration course
  • Organizational Unit = Institute of Computer Science
  • Common Name = *.<vm_name>.est - THIS MUST BE CHANGED
  • Email = debian@<vm_name>.est
  • A challenge password []: - leave empty (hit ENTER)
  • An optional company name []:- leave empty (hit ENTER)

Now you should sign a certificate with CA private key you downloaded earlier

• # openssl ca -config /etc/ssl/cacert/openssl.cnf -policy policy_anything -out newcert.pem -infiles newreq.pem

It should ask for a CA private key password that would be "sysadm2019!" and 2 times Y to confirm signing process.

Copy newly created keys to proper folders and fix file permissions

• # cp newcert.pem /etc/ssl/certs/server.crt
• # cp cacert.pem /etc/ssl/certs/cacert.crt
• # cp newkey.pem /etc/ssl/private/server.key
• # chgrp ssl-cert /etc/ssl/private/server.key
• # chmod g+r /etc/ssl/private/server.key
• # chmod a+r /etc/ssl/certs/server.crt
• # chmod a+r /etc/ssl/certs/cacert.crt

• Enable ssl module
  • You are expected to know how to do it already so no exact command given.

Set the SSL parameter in /etc/apache2/apache2.conf file. (Because we use multidomain-certificate we dont have to specify SSL parameters separately for each virtualhost as they would be exactly the same anyway.)

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificateFile /etc/ssl/certs/cacert.crt

Repeat for all virtual hosts:

• Copy the original configuration file for a virtual host to <original-virtual-host-file-name>-ssl.conf file (e.g. webmail-ssl.conf)
  • For example, if the original configuration file for www.student-test.est is www.conf, then the new file should be www-ssl.conf.
• Copy all SSL related directives lines from default-ssl.conf file to <original-virtual-host-file-name>-ssl.conf.
  • Do not copy whole file only parts (parameters) needed for SSL to work. If in doubt refer to manual https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html.
  • Do keep in mind, that you set some of those parameters already inside apache2.conf file. Do not override those settings with new ones inside the virtualhost.
• Edit the <original-virtual-host-file-name>-ssl.conf file:
  • Change <VirtualHost *:80> to <VirtualHost *:443>
  • check the SSLEngine directive is set to on
• Enable <original-virtual-host-file-name>-ssl site (a2ensite command)

If the configuration for all virtual hosts is done, proceed with this:

• Add the firewall rules to accept packets on port 443/tcp
  • You dont have to enable specific Security group because web group we added to your VM earlier already allows connections to HTTPS port 443
• In the global SSL configuration (module ssl conf file) in /etc/apache2/mods-enabled/ssl.conf set SSLStrictSNIVHostCheck to On as we want to deny the access for non-SNI clients to our name based virtual hosts (old browsers).
• There is a chance that symbolic links to your new certificates needs to be updated so here is the command that at least in student-test.est solved :tlsv1 alert unknown ca: SSL alert number 48 errors that prevented users from using TLS.
  • # update-ca-certificates --fresh
• Restart the Apache web server

In info.<vm_name>.est.ssl.conf add/modify following lines

• SSLVerifyClient optional
• SSLVerifyDepth 2

SSLOptions +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars +ExportCertData
</FilesMatch>

ScriptAlias "/cgi-bin" "/usr/lib/cgi-bin/"
<Location "/cgi-bin">
  RemoveHandler server-status
  SetHandler cgi-script
  DirectoryIndex env.cgi
</Location>

Create a new script file with a command

• # nano /usr/lib/cgi-bin/env.cgi :
  • Add following content into it...

#!/bin/bash

cat <<EOF
Content-type: text/html

<html>
<pre>
`env`
</pre>
</html>
EOF
exit 0

Give it execute rights

• # chmod +x /usr/lib/cgi-bin/env.cgi
• Enable cgi Apache module # a2enmod cgi
• restart Apache service

• Disable plaintext logins again in dovecot configuration
• In /etc/postfix/main.cf change postfix certificates to new ones we are using server.crt and server.key
• In /etc/dovecot/conf.d/10-ssl.conf change dovecot certificates to new ones we are using server.crt and server.key
• Add/modify following lines into webmail.<vm_name>.est.ssl.conf file

DocumentRoot /var/lib/roundcube
Include conf-available/roundcube.conf 

• These lines will change webmail document root to roundcube folder and include roundcube configuration to webmail virtualhost site only.

• Specifying which server to use every time when user connects in roundcube can be tedious and annoying task.
  • Edit /etc/roundcube/config.inc.php:
    • Modify configuration variable $config['default_host']
    • Set new value to 'tls://<vm_name>.est'
      • Here <vm_name> has to be replaced with your actual domain name

Now lets disable roundcube config for other sites that secure webmail

• # a2disconf roundcube

Its always good idea to check Apache config file syntax

• # apachectl configtest

Restart postfix, dovecot and apache2 services to apply new configuration

• # service postfix restart
• # service dovecot restart
• # service apache2 restart

Configure Redirect to all of the HTTP conf sites to automatically send users to HTTPS pages instead.

• In all of the HTTP configuration files add following line just after ServerName parameter.
  • Redirect "/" "https://<sitename>.<vm_name>.est/" where
    • <sitename> your subsite (i.e. www, info, test, webmail)
    • <vm_name> your domain name
• restart Apache server

• Configure a redirect / rewrite / Alias for http://webmail.<your-domain>.est/roundcube so that it redirects to http://webmail.<your-domain>.est and do the same for the SSL version of webmail.conf.
  • You would be tempted to use URL Aliasing but remember that we already have one /roundcube alias in /etc/apache2/conf-available/roundcube.conf Alias /roundcube /var/lib/roundcube.

We really dont want to use rewrite conditions yet so lets do more magic ... in webmail.<yourdomain>.est.conf and in webmail.<yourdomain>.est.ssl.conf virtualhost files specify following parameter just after ServerName ServerAlias mail.<yourdomain>.est

It basically tells your webserver that webmail.<yourdomain>.est.conf will also server any request made to mail.teacher.est. This time we dont even want to redirect users because mail.<yourdomain>.est is actually shorter and makes more sense.

TODO here needs to be added rewrite task that can not be done by Redirect or Alias

• Enable rewrite module:

  
    # a2enmod rewrite