----------------------- Lab #10 for NET2003 due April 2, 2007 -----------------------
-Ian! D. Allen - idallen@idallen.ca

Remember - knowing how to find out an answer is more important than
memorizing the answer.  Learn to fish!  RTFM!  (Read The Fine Manual)

Global weight: 5% of your total mark this term.
Due date: before 10h00 Monday April 2.

The deliverables for this lab exercise are to be submitted online on the
Course Linux Server using the "netsubmit" method described in the lab
exercise description, below.  No paper; no email; no FTP.

Late-submission date: I will accept without penalty lab exercises that are
submitted late but before 12h00 (noon) on Wednesday, April 4.  After that
late-submission date, the lab exercise is worth zero marks.

Lab exercises submitted by the *due date* will be marked online and your
marks will be sent to you by email after the late-submission date.

Lab Synopsis
------------

Configure and start the SSH daemon "sshd".
Configure and start the SMTP daemon "postfix".

(The initials "ALN" refer to your required course textbook - Advanced Linux
Networking.)

Configuring network services under Unix/Linux
---------------------------------------------

Reference: Week 10-11 notes.

1) Create an ANSWER file named lab10answers.txt and copy into it the
   contents of this lab (all the steps).  Delete everything that doesn't
   require an ANSWER.  Keep the questions marked ANSWER, and give your
   answer below each question in the lab10answers.txt file.  For each
   answer that is the output of a command, give the command line that
   produces the output as well as the output itself.

2) Start your VNS with (at least) Red and Green and ensure that Red and
   Green can ping each other.  You only need Red and Green for this lab.
   You do not need Internet access.

3) Ensure that the Red and Green system logs are saved somewhere that you
   can read them.  You will need to read them.  (Your earlier labs already
   set up these logs in /host/log/ - see your instructor if you need help
   making this work.)

Starting SSH - Week 10 notes
----------------------------

4) On Red, configure the ssh daemon (server) to *start* in run level 4.
   (See Week 7 for notes on creating symbolic links to start-up scripts.)

   ANSWER: Record the command you used to make this possible:
   ANSWER: Show a long listing with inode ("ls -li") of the file you created:

5) On Red, configure the ssh daemon (server) to *stop* in run level 2.

   ANSWER: Record the command you used to make this possible:
   ANSWER: Show a long listing with inode ("ls -li") of the file you created:

6) Tell Red to change to run level 4.  (See Week 7 notes.)

   ANSWER: Record the command you used to make this possible:
   ANSWER: Record the system log entries showing that sshd started:

   Troubleshooting: If you don't see the sshd program starting up in the
   system log when you go from run level 2 to run level 4, check these
   possible errors:

   a) Is the run level symlink correct?  Can you use "less" on the symlink
      and view the start-up script?  Does the symlink start with the letter
      "S" followed by two digits and a name?

   b) The system will only start a service if the service is present in the
      new run level and *not* present in the current run level.  Make sure
      that you do *not* start ssh in run level 2, otherwise changing to run
      level 4 will do nothing.

7) Tell Red to change to run level 2.

   ANSWER: Record the command you used to make this possible:
   ANSWER: Record the system log entries showing that sshd stopped:

8) Tell Red to change to run level 4 (from run level 2).

9) Tell Red to change to run level 4 again (from run level 4).

   ANSWER: Does the system restart sshd again when you go from run level 4
   to run level 4?

10) On Red, confirm that the sshd process is running:

    red~# ps ax | grep sshd
      969 ?        Ss     0:00 /usr/sbin/sshd

    ANSWER: Record the output of the above command:

11) On Red, confirm that you can access the ssh port and get the SSH
    protocol string using netcat; respond by typing ".":

    * red~# nc -v localhost 22
    SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
    * .
    Protocol mismatch.

12) ANSWER: Record the one-line system log entry made by the sshd process
    in response to your typing "." into netcat to sshd:

13) On Red, use ssh to login via localhost and then log out again:

    * red~# ssh localhost
    Password:
    * red~# who
    root     vc0          Mar 21 22:39
    root     pts/0        Mar 24 10:23 (localhost)

    ANSWER: Record the above "who" output:

    Disconnect from your ssh session:

    * red~# exit

14) a) Enable the "Banner" file in the Red sshd config file.  (Week 10)
    b) Restart (stop then start) the ssh daemon using its start-up script.
    c) Confirm that the banner file now prints before the Password prompt:

    * red~# ssh localhost
    Debian GNU/Linux 3.1 %h
    Password:

    ANSWER: Give a command that will extract just the Banner line from the
    Red sshd config file, along with its output (the Banner line):

15) Note that TCP wrappers prevents ssh access from Green to Red; the
    connection opens but then closes without any ssh protocol string.  Try
    to connect from Green to Red via netcat to the ssh port:

    * green~# nc -v red 22
    red1 [10.1.1.1] 22 (ssh) open
    green~#

    Check the system log file on Red to verify that the connection was
    rejected by "libwrap" (the TCP wrappers library).

16) Edit the TCP wrappers config file and allow sshd access from Green to
    Red.  (*Only* enable sshd.)  Confirm that you can access sshd using
    netcat:

    * green~# nc -v red 22
    red1 [10.1.1.1] 22 (ssh) open
    SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
    * .
    Protocol mismatch.

    ANSWER: Give the contents of the line you added to the Red TCP Wrappers
    file to permit ssh (and *only* ssh) from Green:

17) Confirm that you can use ssh to login from Green to Red:

    * green~# ssh red
    Debian GNU/Linux 3.1 %h
    Password:
    * red~# exit

Starting SMTP - Week 11 notes
-----------------------------

18) On Red, in the Postfix config file, change the message_size_limit to
    10000.

    ANSWER: Give the absolute pathname of the postfix config file you changed:

19) On Red, configure the postfix system to *start* in run level 4.

    ANSWER: Record the command you used to make this possible:
    ANSWER: Show a long listing with inode ("ls -li") of the file you created:

20) On Red, configure the postfix system to *stop* in run level 2.

    ANSWER: Record the command you used to make this possible:
    ANSWER: Show a long listing with inode ("ls -li") of the file you created:

21) Tell Red to change to run level 2 (from run level 4).

    ANSWER: Record the system log entries showing that sshd stopped:

22) Tell Red to change to run level 4 (from run level 2).

    ANSWER: Record the system log entries showing that both sshd and postfix
    have started:

    Troubleshooting: If you don't see the postfix system starting up in the
    system log when you go from run level 2 to run level 4, check the
    "Troubleshooting" steps previously mentioned under "Starting SSH".

23) On Red, confirm that the postfix master process is running:

    red~# ps ax | grep postfix
      917 ?        Ss     0:00 /usr/lib/postfix/master

    ANSWER: Record the output of the above command:

24) On Red, confirm that you can access the SMTP port and get the SMTP
    banner string using netcat; respond by typing "QUIT":

    * red~# nc -v localhost smtp
    localhost [127.0.0.1] 25 (smtp) open
    220 localhost.localdomain ESMTP Postfix (Debian/GNU)
    * QUIT
    221 Bye

    ANSWER: Record all the system log entries made by the above connection:

25) Note that postfix is only listening on the localhost interface; it
    refuses connections on the other interfaces:

    * red~# nc -v red smtp
    red1 [10.1.1.1] 25 (smtp) : Connection refused

26) Locate the commented postfix default/distribution config file (over 600
    lines).  By reading the comments in that file, find out which postfix
    parameter controls "network interface addresses".

    ANSWER: Give the absolute path of the postfix commented config file:

27) Reconfigure postfix to listen on all the network interfaces, not just on
    the localhost interface.  Remember to restart postfix.

    ANSWER: Give the updated line you fixed to allow access:
    ANSWER: Give the command(s) you used to tell postfix to restart:

28) Confirm that you can now get the SMTP banner from the other interface
    (not just via localhost).  Check the system log if you have problems.

29) Following the model session from ALN p.483 (or Notes smtp_session.txt),
    use netcat to send a message from your email address to via the
    localhost interface:

    red~# nc -v localhost smtp
    localhost [127.0.0.1] 25 (smtp) open
    220 localhost.localdomain ESMTP Postfix (Debian/GNU)
    HELO example.com
    250 localhost.localdomain
    MAIL FROM:
    250 Ok
    RCPT TO:
    250 Ok
    DATA
    354 End data with .
    hi
    .
    250 Ok: queued as B1F82659
    QUIT
    221 Bye

    ANSWER: Copy the multiple system log entries for postfix that received
    and delivered the above email:
    ANSWER: Copy the contents of the above single mail message from file
    /var/mail/vns to here:

30) You can't send mail to ; because the postfix config file does not list
    "red" as a known name for this machine.  Redo the above SMTP session
    using instead of and check the system log for the errors.  The message
    will be queued by postfix instead of delivered to the vns mail spool
    file.

    ANSWER: Copy the system log entries for postfix when it failed to
    deliver the above localhost email to :

31) Reconfigure postfix to allow "red" as a destination host/domain.
    Remember to restart postfix (to re-read the config file).

    ANSWER: Give the postfix config parameter that permits "red" as a
    destination host/domain name:

32) Use netcat to confirm that you can now send mail to .

    ANSWER: Copy the seven postfix system log entries showing successful
    delivery of localhost mail to :

33) ANSWER: TRUE/FALSE: TCP wrappers prevents SMTP access from Green to Red.

34) You cannot send mail from yourself to yourself from Green via Red, since
    Green is not a trusted mail relay host for Red.  From Green, try to drop
    off an email on Red that is not destined for a user on Red:

    * green~# nc -v red smtp
    red1 [10.1.1.1] 25 (smtp) open
    220 localhost.localdomain ESMTP Postfix (Debian/GNU)
    * HELO example.com
    250 localhost.localdomain
    * MAIL FROM:
    250 Ok
    * RCPT TO:
    554 : Relay access denied
    * QUIT

    Note the "Relay access denied" error from Red.

    ANSWER: Copy the system log entries for postfix when it failed to allow
    the above email relay from Green to Red:

35) Reconfigure postfix to allow Green to send email using Red as a relay.
    (ALN p.511-512.)  Repeat the netcat session you used in the previous
    step.  You will know relaying is allowed if, after "MAIL FROM", the
    address is accepted and you do *not* get the same "Relay access denied"
    error from Red that you got in the previous attempt (above).  (Note that
    Red may not be able to actually deliver the message it accepted from
    Green if outgoing SMTP from Red is blocked, as it is at Algonquin
    College.)

    ANSWER: Give the postfix parameters you changed to permit Red to accept
    and relay email from Green:

36) ANSWER: If your machine must use an external SMTP relay (e.g. via your
    ISP or via a "smart" host), what postfix config parameter would you set
    to do this relaying?  (ALN p.512)

    (You can try to relay via "outmail.algonquincollege.com" while on
    campus; that might let your machine actually relay and send email to
    your own Algonquin address.  Or maybe not.  At home, you could try
    using your ISP's SMTP server as a relay host.)

Seeing system services
----------------------

The command "netstat -natp" is useful for showing numerically (-n) all (-a)
the open TCP (-t) ports and associated process names (-p) on the current
system.  (Only root will see the process names of all processes.)

37) ANSWER: Show all the open tcp ports and associated processes on Red:
    (You should see both SSH and SMTP as open.)

Submission
----------

Submission Standards: See Lab #1 for details.

A. Make sure all files contain an Exterior Assignment Submission label.
   For full marks, where possible, lines that you type must be shorter
   than 80 columns.

B. Submit your files for marking as Lab 10 using the following *single*
   netsubmit command line exactly as given here:

       $ netsubmit 10 lab10answers.txt

   Always submit *all* files at the same time for every submission.  Files
   submitted under the wrong names are worth zero marks.

P.S. Did you spell all the assignment label fields and file names correctly?
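Added worked example (not part of the lab or its course notes): the run-level rule quoted in the troubleshooting note of step 6 can be modelled in a shell script that builds rc2.d and rc4.d link trees under a temporary directory, in the state Red reaches after steps 4, 5, 19 and 20, and works out what a change between run levels would start or stop. The service names, the S20/K20 sequence numbers and the stop-side rule (a K link acts only when the service was started in the level being left) are assumptions of the model; it never reads or changes /etc.

```shell
#!/bin/sh
# Model of the run-level rule from the troubleshooting note: an S link in the
# new level starts its service only if the level you are leaving had no S link
# for it; a K link stops its service only if the level you are leaving had an
# S link for it (the stop half mirrors the note and is assumed here).
# The rcN.d trees are built under a temporary directory; /etc is never touched.
RC="${TMPDIR:-/tmp}/rc-model.$$"
trap 'rm -rf "$RC"' EXIT

setup_rc() {
    rm -rf "$RC"
    mkdir -p "$RC/init.d" "$RC/rc2.d" "$RC/rc4.d"
    for s in ssh postfix sysklogd; do : > "$RC/init.d/$s"; done
    # Red after steps 4, 5, 19 and 20: ssh and postfix start in 4, stop in 2.
    ln -s ../init.d/ssh     "$RC/rc4.d/S20ssh"
    ln -s ../init.d/postfix "$RC/rc4.d/S20postfix"
    ln -s ../init.d/ssh     "$RC/rc2.d/K20ssh"
    ln -s ../init.d/postfix "$RC/rc2.d/K20postfix"
    # The logger runs in both levels, so a 2->4 change must leave it alone.
    ln -s ../init.d/sysklogd "$RC/rc2.d/S10sysklogd"
    ln -s ../init.d/sysklogd "$RC/rc4.d/S10sysklogd"
}

# svc S20ssh -> ssh  (strip the directory and the S/K plus two-digit sequence)
svc() { n=${1##*/}; echo "${n#[SK][0-9][0-9]}"; }

# transition PREV NEW: print "stop:<svc>" then "start:<svc>" lines, in the
# order the rc links sort, for a change from run level PREV to run level NEW.
transition() {
    prev=$1 new=$2
    for k in "$RC/rc$new.d"/K[0-9][0-9]*; do
        [ -e "$k" ] || continue            # an unmatched glob stays literal
        n=$(svc "$k")
        if [ -e "$RC/rc$prev.d"/S[0-9][0-9]"$n" ]; then echo "stop:$n"; fi
    done
    for s in "$RC/rc$new.d"/S[0-9][0-9]*; do
        [ -e "$s" ] || continue
        n=$(svc "$s")
        # already running in PREV (it had an S link there): not started again
        if [ -e "$RC/rc$prev.d"/S[0-9][0-9]"$n" ]; then continue; fi
        echo "start:$n"
    done
    return 0
}

setup_rc
echo "2 -> 4:"; transition 2 4     # starts postfix and ssh, leaves sysklogd
echo "4 -> 4:"; transition 4 4     # nothing: everything is already running
echo "4 -> 2:"; transition 4 2     # stops postfix and ssh
```

The 4 -> 4 case prints nothing, which is the behaviour step 9 asks you to observe on Red.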
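A second added example, again not from the lab: an awk-based parser for the postfix syslog entries that steps 32 and 34 ask you to copy, so that a queue id can be followed through the cleanup, qmgr and local entries to its final status, and relay rejections stand out on their own line. The log lines it carries are constructed to follow postfix's logging format rather than copied from Red: the queue id B1F82659 is the one in the step 29 transcript; the vns addresses, the example.com recipient and Green's address 10.1.1.2 are assumed.

```shell
#!/bin/sh
# Constructed sample syslog lines in postfix's format, covering one local
# delivery (the seven entries of step 32) and one relay rejection (step 34).
# Not real output from Red: queue id B1F82659 is from the lab transcript;
# the vns addresses, example.com and Green's address 10.1.1.2 are assumed.
SAMPLE_LOG='Mar 24 10:41:02 red postfix/smtpd[1001]: connect from localhost[127.0.0.1]
Mar 24 10:41:20 red postfix/smtpd[1001]: B1F82659: client=localhost[127.0.0.1]
Mar 24 10:41:31 red postfix/cleanup[1004]: B1F82659: message-id=<20070324144131.B1F82659@localhost.localdomain>
Mar 24 10:41:31 red postfix/qmgr[915]: B1F82659: from=<vns@localhost>, size=290, nrcpt=1 (queue active)
Mar 24 10:41:31 red postfix/local[1005]: B1F82659: to=<vns@localhost>, relay=local, delay=1, status=sent (delivered to mailbox)
Mar 24 10:41:31 red postfix/qmgr[915]: B1F82659: removed
Mar 24 10:41:40 red postfix/smtpd[1001]: disconnect from localhost[127.0.0.1]
Mar 24 10:50:03 red postfix/smtpd[1010]: connect from green[10.1.1.2]
Mar 24 10:50:12 red postfix/smtpd[1010]: NOQUEUE: reject: RCPT from green[10.1.1.2]: 554 <someone@example.com>: Relay access denied; from=<vns@green> to=<someone@example.com> proto=SMTP helo=<example.com>
Mar 24 10:50:20 red postfix/smtpd[1010]: disconnect from green[10.1.1.2]'

# mail_report: read postfix log lines on stdin.  Prints "REJECT <client> <rcpt>
# <reason>" for every NOQUEUE reject as it is seen, then one summary line per
# queue id, "<id> from=<..> to=<..> status=<..>", collected across the
# cleanup/qmgr/local entries that share that id.
mail_report() {
    awk '
    /postfix\/[a-z]+\[[0-9]+\]: [A-F0-9]+: / {
        id = $6; sub(/:$/, "", id)                 # field 6 is "<queueid>:"
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        if (match($0, /from=<[^>]*>/))  from[id] = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /to=<[^>]*>/))    to[id]   = substr($0, RSTART + 4, RLENGTH - 5)
        if (match($0, /status=[a-z]+/)) st[id]   = substr($0, RSTART + 7, RLENGTH - 7)
    }
    /: NOQUEUE: reject: / {
        match($0, /from [^ ]+\[[0-9.]+\]/); client = substr($0, RSTART + 5, RLENGTH - 5)
        match($0, /to=<[^>]*>/);            rcpt   = substr($0, RSTART + 4, RLENGTH - 5)
        match($0, /: [0-9][0-9][0-9] <[^>]*>: [^;]*/); reason = substr($0, RSTART, RLENGTH)
        sub(/^: [0-9]+ <[^>]*>: /, "", reason)     # keep only the text after the code
        print "REJECT", client, "<" rcpt ">", reason
    }
    END { for (i = 1; i <= n; i++) { id = order[i]
            print id, "from=<" from[id] ">", "to=<" to[id] ">", "status=" st[id] } }'
}

# sample_report: the report for the constructed log above.
sample_report() { printf '%s\n' "$SAMPLE_LOG" | mail_report; }

sample_report
```

On Red you would feed it the real system log instead of the sample, e.g. grep postfix /host/log/... | mail_report, with the path being whatever your earlier labs set up.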