===================== Lab 10 sample answers =====================
- Ian! D. Allen - idallen@idallen.ca - www.idallen.com

Create an ANSWER file named lab10answers.txt and copy into it the contents of
this lab (all the steps). Delete everything that doesn't require an ANSWER.
Keep the questions marked ANSWER, and give your answer below each question in
the lab10answers.txt file. For each answer that is the output of a command,
give the command line that produces the output as well as the output itself.

(The output below was borrowed with permission from a student submission.)

4) On Red, configure the ssh daemon (server) to *start* in run level 4.
   (See Week 7 for notes on creating symbolic links to start-up scripts.)

ANSWER: Record the command you used to make this possible:

    # ln -s /etc/init.d/ssh /etc/rc4.d/S50ssh

ANSWER: Show a long listing with inode ("ls -li") of the file you created:

    # ls -li /etc/rc4.d/
    1568 lrwxrwxrwx 1 root root 15 2007-03-24 16:04 S50ssh -> /etc/init.d/ssh

5) On Red, configure the ssh daemon (server) to *stop* in run level 2.

ANSWER: Record the command you used to make this possible:

    # ln -s /etc/init.d/ssh /etc/rc2.d/K50ssh

ANSWER: Show a long listing with inode ("ls -li") of the file you created:

    # ls -li /etc/rc2.d/
    1569 lrwxrwxrwx 1 root root 15 2007-03-24 16:06 K50ssh -> /etc/init.d/ssh

6) Tell Red to change to run level 4. (See Week 7 notes.)

ANSWER: Record the command you used to make this possible:

    # telinit 4        -OR-        # init 4

ANSWER: Record the system log entries showing that sshd started:

    Mar 24 16:10:20 red1 init: Switching to runlevel: 4
    Mar 24 16:10:23 red1 kernel: NET: Registered protocol family 10
    Mar 24 16:10:23 red1 kernel: IPv6 over IPv4 tunneling driver
    Mar 24 16:10:23 red1 sshd[812]: Server listening on :: port 22.
    Mar 24 16:10:32 red1 kernel: eth1: no IPv6 routers present

7) Tell Red to change to run level 2.
ANSWER: Record the command you used to make this possible:

    # telinit 2

ANSWER: Record the system log entries showing that sshd stopped:

    Mar 24 16:14:34 red1 init: Switching to runlevel: 2
    Mar 24 16:14:35 red1 sshd[812]: Received signal 15; terminating.

9) Tell Red to change to run level 4 again (from run level 4).

ANSWER: Does the system restart sshd again when you go from run level 4 to run
level 4?

    No.

10) On Red, confirm that the sshd process is running:

    red~# ps ax | grep sshd
      969 ?        Ss     0:00 /usr/sbin/sshd

ANSWER: Record the output of the above command:

    # ps ax | grep sshd
      853 ?        Ss     0:00 /usr/sbin/sshd
      857 tty0     S+     0:00 grep sshd

12) ANSWER: Record the one-line system log entry made by the sshd process in
response to your typing "." into netcat to sshd:

    Mar 24 16:18:49 red1 sshd[874]: Bad protocol version identification '.' from ::ffff:127.0.0.1

13) On Red, use ssh to login via localhost and then log out again:

    * red~# ssh localhost
    Password:
    * red~# who
    root     vc0          Mar 21 22:39
    root     pts/0        Mar 24 10:23 (localhost)

ANSWER: Record the above "who" output:

    red~# who
    root     vc0          Mar 24 15:54
    root     pts/0        Mar 24 16:20 (localhost)

14) a) Enable the "Banner" file in the Red sshd config file. (Week 10)
    b) Restart (stop then start) the ssh daemon using its start-up script.
    c) Confirm that the banner file now prints before the Password prompt:

    * red~# ssh localhost
    Debian GNU/Linux 3.1 %h
    Password:

ANSWER: Give a command that will extract just the Banner line from the Red
sshd config file, along with its output (the Banner line):

    # grep Banner /etc/ssh/sshd_config
    Banner /etc/issue.net

16) Edit the TCP wrappers config file and allow sshd access from Green to Red.
(*Only* enable sshd.) Confirm that you can access sshd using netcat:

    * green~# nc -v red 22
    red1 [10.1.1.1] 22 (ssh) open
    SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
    * .
    Protocol mismatch.
ANSWER: Give the contents of the line you added to the Red TCP Wrappers file to
permit ssh (and *only* ssh) from Green:

    sshd: 10.1.1.2

18) On Red, in the Postfix config file, change the message_size_limit to 10000.

ANSWER: Give the absolute pathname of the postfix config file you changed:

    /etc/postfix/main.cf

19) On Red, configure the postfix system to *start* in run level 4.

ANSWER: Record the command you used to make this possible:

    # ln -s /etc/init.d/postfix /etc/rc4.d/S60postfix

ANSWER: Show a long listing with inode ("ls -li") of the file you created:

    # ls -li /etc/rc4.d/S60postfix
    1574 lrwxrwxrwx 1 root root 19 2007-03-24 16:53 /etc/rc4.d/S60postfix -> /etc/init.d/postfix

20) On Red, configure the postfix system to *stop* in run level 2.

ANSWER: Record the command you used to make this possible:

    # ln -s /etc/init.d/postfix /etc/rc2.d/K60postfix

ANSWER: Show a long listing with inode ("ls -li") of the file you created:

    # ls -li /etc/rc2.d/K60postfix
    1575 lrwxrwxrwx 1 root root 19 2007-03-24 16:58 /etc/rc2.d/K60postfix -> /etc/init.d/postfix

21) Tell Red to change to run level 2 (from run level 4).

ANSWER: Record the system log entries showing that sshd stopped:

    Mar 24 17:02:48 red1 init: Switching to runlevel: 2
    Mar 24 17:02:50 red1 sshd[931]: Received signal 15; terminating.

22) Tell Red to change to run level 4 (from run level 2).

ANSWER: Record the system log entries showing that both sshd and postfix have
started:

    Mar 24 17:05:51 red1 init: Switching to runlevel: 4
    Mar 24 17:05:53 red1 sshd[982]: Server listening on :: port 22.
    Mar 24 17:06:13 red1 postfix/postfix-script: starting the Postfix mail system
    Mar 24 17:06:14 red1 postfix/master[1081]: daemon started -- version 2.1.5

23) On Red, confirm that the postfix master process is running:

    red~# ps ax | grep postfix
      917 ?        Ss     0:00 /usr/lib/postfix/master

ANSWER: Record the output of the above command:

    # ps ax | grep postfix
     1081 ?        Ss     0:00 /usr/lib/postfix/master

24) On Red, confirm that you can access the SMTP port and get the SMTP banner
string using netcat; respond by typing "QUIT":

    * red~# nc -v localhost smtp
    localhost [127.0.0.1] 25 (smtp) open
    220 localhost.localdomain ESMTP Postfix (Debian/GNU)
    * QUIT
    221 Bye

ANSWER: Record all the system log entries made by the above connection:

    Mar 24 17:09:15 red1 postfix/smtpd[1089]: connect from localhost[127.0.0.1]
    Mar 24 17:09:20 red1 postfix/smtpd[1089]: disconnect from localhost[127.0.0.1]

26) Locate the commented postfix default/distribution config file (over 600
lines). By reading the comments in that file, find out which postfix parameter
controls "network interface addresses".

ANSWER: Give the absolute path of the postfix commented config file:

    /usr/share/postfix/main.cf.dist

27) Reconfigure postfix to listen on all the network interfaces, not just on
the localhost interface. Remember to restart postfix.

ANSWER: Give the updated line you fixed to allow access:

    inet_interfaces = all

ANSWER: Give the command(s) you used to tell postfix to restart:

    # /etc/init.d/postfix restart

29) Following the model session from ALN p.483 (or Notes smtp_session.txt),
use netcat to send a message from your email address to via the localhost
interface:

    red~# nc -v localhost smtp
    localhost [127.0.0.1] 25 (smtp) open
    220 localhost.localdomain ESMTP Postfix (Debian/GNU)
    HELO example.com
    250 localhost.localdomain
    MAIL FROM:
    250 Ok
    RCPT TO:
    250 Ok
    DATA
    354 End data with .
    hi
    .
    250 Ok: queued as B1F82659
    QUIT
    221 Bye

ANSWER: Copy the multiple system log entries for postfix that received and
delivered the above email:

    Mar 24 17:47:00 red1 postfix/smtpd[1216]: connect from localhost[127.0.0.1]
    Mar 24 17:47:37 red1 postfix/smtpd[1216]: EC5E5656: client=localhost[127.0.0.1]
    Mar 24 17:47:50 red1 postfix/cleanup[1221]: EC5E5656: message-id=<20070324224725.EC5E5656@localhost.localdomain>
    Mar 24 17:47:50 red1 postfix/qmgr[1214]: EC5E5656: from=, size=351, nrcpt=1 (queue active)
    Mar 24 17:47:51 red1 postfix/local[1222]: EC5E5656: to=, relay=local, delay=26, status=sent (delivered to command: procmail -a "$EXTENSION")
    Mar 24 17:47:51 red1 postfix/qmgr[1214]: EC5E5656: removed
    Mar 24 17:47:54 red1 postfix/smtpd[1216]: disconnect from localhost[127.0.0.1]

ANSWER: Copy the contents of the above single mail message from file
/var/mail/vns to here:

    From abcd0001@algonquincollege.com Sat Mar 24 17:47:50 2007
    Return-Path:
    X-Original-To: vns@localhost
    Delivered-To: vns@localhost
    Received: from example.com (localhost [127.0.0.1])
            by localhost.localdomain (Postfix) with SMTP id EC5E5656
            for ; Sat, 24 Mar 2007 17:47:25 -0500 (EST)
    Message-Id: <20070324224725.EC5E5656@localhost.localdomain>
    Date: Sat, 24 Mar 2007 17:47:25 -0500 (EST)
    From: abcd0001@algonquincollege.com
    To: undisclosed-recipients:;

    hi

30) You can't send mail to  because the postfix config file does not list
"red" as a known name for this machine. Redo the above SMTP session using
instead of and check the system log for the errors. The message will be queued
by postfix instead of delivered to the vns mail spool file.
ANSWER: Copy the system log entries for postfix when it failed to deliver the
above localhost email to :

    Mar 24 17:53:35 red1 postfix/qmgr[1214]: 34AB8656: from=, size=351, nrcpt=1 (queue active)
    Mar 24 17:53:38 red1 postfix/smtpd[1229]: disconnect from localhost[127.0.0.1]
    Mar 24 17:54:16 red1 postfix/smtp[1233]: 34AB8656: to=, relay=none, delay=74, status=deferred (Host or domain name not found. Name service error for name=red type=MX: Host not found, try again)

31) Reconfigure postfix to allow "red" as a destination host/domain. Remember
to restart postfix (to re-read the config file).

ANSWER: Give the postfix config parameter that permits "red" as a destination
host/domain name:

    mydestination = localhost.localdomain, localhost, red

32) Use netcat to confirm that you can now send mail to .

ANSWER: Copy the seven postfix system log entries showing successful delivery
of localhost mail to :

    Mar 24 18:01:29 red1 postfix/smtpd[1343]: connect from localhost[127.0.0.1]
    Mar 24 18:01:59 red1 postfix/smtpd[1343]: EBA31662: client=localhost[127.0.0.1]
    Mar 24 18:02:06 red1 postfix/cleanup[1346]: EBA31662: message-id=<20070324230153.EBA31662@localhost.localdomain>
    Mar 24 18:02:06 red1 postfix/qmgr[1341]: EBA31662: from=, size=356, nrcpt=1 (queue active)
    Mar 24 18:02:07 red1 postfix/local[1347]: EBA31662: to=, relay=local, delay=14, status=sent (delivered to command: procmail -a "$EXTENSION")
    Mar 24 18:02:07 red1 postfix/qmgr[1341]: EBA31662: removed
    Mar 24 18:02:08 red1 postfix/smtpd[1343]: disconnect from localhost[127.0.0.1]

33) ANSWER: TRUE/FALSE: TCP wrappers prevents SMTP access from Green to Red.

    FALSE - TCP wrappers (libwrap) is not used by the postfix system (because
    postfix has its own IP-based access controls).

34) You cannot send mail from yourself to yourself from Green via Red, since
Green is not a trusted mail relay host for Red.
From Green, try to drop off an email on Red that is not destined for a user on
Red:

    * green~# nc -v red smtp
    red1 [10.1.1.1] 25 (smtp) open
    220 localhost.localdomain ESMTP Postfix (Debian/GNU)
    * HELO example.com
    250 localhost.localdomain
    * MAIL FROM:
    250 Ok
    * RCPT TO:
    554 : Relay access denied
    * QUIT

Note the "Relay access denied" error from Red.

ANSWER: Copy the system log entries for postfix when it failed to allow the
above email relay from Green to Red:

    Mar 24 18:17:44 red1 postfix/smtpd[1361]: connect from green1[10.1.1.2]
    Mar 24 18:18:14 red1 postfix/smtpd[1361]: NOQUEUE: reject: RCPT from green1[10.1.1.2]: 554 : Relay access denied; from= to= proto=SMTP helo=
    Mar 24 18:18:15 red1 postfix/smtpd[1361]: disconnect from green1[10.1.1.2]

35) Reconfigure postfix to allow Green to send email using Red as a relay.
(ALN p.511-512.) Repeat the netcat session you used in the previous step. You
will know relaying is allowed if, after "MAIL FROM", the address is accepted
and you do *not* get the same "Relay access denied" error from Red that you got
in the previous attempt (above). (Note that Red may not be able to actually
deliver the message it accepted from Green if outgoing SMTP from Red is
blocked, as it is at Algonquin College.)

ANSWER: Give the postfix parameter you changed to permit Red to accept and
relay email from Green:

    mynetworks = 127.0.0.0/8, 10.1.1.2/32

36) ANSWER: If your machine must use an external SMTP relay (e.g. via your ISP
or via a "smart" host), what postfix config parameter would you set to do this
relaying? (ALN p.512)

    relayhost = outmail.algonquincollege.com

37) ANSWER: Show all the open tcp ports and associated processes on Red:
(You should see both SSH and SMTP as open.)

    # netstat -natp
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1468/master
    tcp6       0      0 :::22                   :::*                    LISTEN      982/sshd
    tcp6       0      0 :::25                   :::*                    LISTEN      1468/master
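Steps 4 to 7 and 19 to 22 above rely on the SysV convention that an S link in
/etc/rcN.d starts a service when entering run level N and a K link stops it.
The script below is an added example (mine, not part of the lab or of Debian's
init scripts): it audits which run levels start or stop a given service by
scanning the rcN.d directories, which is a quick way to confirm that a network
daemon such as sshd or postfix is only brought up in the run levels you intend.
It runs against a constructed, throwaway copy of the relevant /etc layout built
by build_demo_tree() (an assumption for the example; the real system is not
touched), holding the same four links the lab created.

```shell
#!/bin/sh
# Added example, not from the lab: audit which SysV run levels start (S link)
# or stop (K link) a service by scanning rcN.d, the convention steps 4-7 and
# 19-22 rely on. build_demo_tree() creates a constructed, throwaway copy of the
# relevant /etc layout (an assumption for the example; nothing real is touched).

# build_demo_tree: create the constructed tree and print its path.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d"
    for lvl in 0 1 2 3 4 5 6; do
        mkdir -p "$root/rc$lvl.d"
    done
    # stand-in init scripts (the real ones are far longer)
    printf '#!/bin/sh\n' > "$root/init.d/ssh"
    printf '#!/bin/sh\n' > "$root/init.d/postfix"
    # the four links the lab created, with the same S/K names
    ln -s "$root/init.d/ssh"     "$root/rc4.d/S50ssh"
    ln -s "$root/init.d/ssh"     "$root/rc2.d/K50ssh"
    ln -s "$root/init.d/postfix" "$root/rc4.d/S60postfix"
    ln -s "$root/init.d/postfix" "$root/rc2.d/K60postfix"
    printf '%s\n' "$root"
}

# rc_levels ROOT SERVICE KIND: print, space separated and in ascending order,
# the run levels whose rcN.d directory holds a KIND (S or K) link that resolves
# to init.d/SERVICE. Only symlinks count; a plain file named S50ssh is ignored.
rc_levels() {
    root=$1; svc=$2; kind=$3; found=""
    for lvl in 0 1 2 3 4 5 6; do
        for link in "$root/rc$lvl.d/$kind"[0-9][0-9]*; do
            [ -L "$link" ] || continue
            target=$(readlink "$link")
            if [ "$(basename "$target")" = "$svc" ]; then
                found="$found $lvl"
            fi
        done
    done
    printf '%s\n' "${found# }"
}

# rc_summary ROOT SERVICE: one-line report such as "ssh start:4 stop:2".
rc_summary() {
    printf '%s start:%s stop:%s\n' "$2" \
        "$(rc_levels "$1" "$2" S)" "$(rc_levels "$1" "$2" K)"
}

demo=$(build_demo_tree)
rc_summary "$demo" ssh         # ssh start:4 stop:2
rc_summary "$demo" postfix     # postfix start:4 stop:2
rc_summary "$demo" cron        # cron start: stop:   (no links at all)
rm -rf "$demo"
```

To audit a real machine, call rc_summary with /etc as the root instead of the
constructed tree. The two-digit number after S or K only orders the scripts
within one run level; it does not affect which run levels a service belongs to.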
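Step 16 adds the single line "sshd: 10.1.1.2" to the TCP wrappers allow file,
and step 33 notes that postfix never consults TCP wrappers at all. What that
one line actually controls depends on the decision order tcpd/libwrap uses:
hosts.allow is checked first (a match grants access), then hosts.deny (a match
refuses it), and if neither file has a matching rule the connection is
granted. The following is an added example (mine, not from the lab) that
models that decision for a daemon/client pair so the effect of the lab's line
can be checked with and without a catch-all "ALL: ALL" in hosts.deny. It
covers only the subset of hosts_access(5) syntax needed here ("daemon_list :
client_list", comma-separated names, exact addresses and the ALL wildcard), and
the files written by make_wrap_demo() are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the lab: a small model of how tcpd/libwrap decides on
# a connection, applied to the step-16 line "sshd: 10.1.1.2". Order modelled:
# hosts.allow match -> allow; else hosts.deny match -> deny; else allow.
# Only a subset of hosts_access(5) syntax is handled (see list_has/wrap_match).

# list_has LIST ITEM: true if the comma/space separated LIST names ITEM or ALL.
# (Network/mask and wildcard-suffix forms from hosts_access(5) are not modelled.)
list_has() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$tok" = ALL ] || [ "$tok" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# wrap_match FILE DAEMON CLIENT: true if some rule line in FILE matches the pair.
wrap_match() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        case $line in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}                     # daemon_list
        clist=${line#*:}; clist=${clist%%:*}  # client_list (a 3rd field is ignored)
        if list_has "$dlist" "$daemon" && list_has "$clist" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# wrap_decision ALLOW_FILE DENY_FILE DAEMON CLIENT: print "allow" or "deny".
wrap_decision() {
    if wrap_match "$1" "$3" "$4"; then printf 'allow\n'; return; fi
    if wrap_match "$2" "$3" "$4"; then printf 'deny\n'; return; fi
    printf 'allow\n'                          # no rule in either file: granted
}

# make_wrap_demo: write the constructed files into a temp dir and print it.
make_wrap_demo() {
    d=$(mktemp -d)
    printf '# constructed: the line the lab added\nsshd: 10.1.1.2\n' > "$d/hosts.allow"
    : > "$d/hosts.deny.empty"                     # constructed: no deny rules
    printf 'ALL: ALL\n' > "$d/hosts.deny.strict"  # constructed: default deny
    printf '%s\n' "$d"
}

d=$(make_wrap_demo)
# With no deny rules, the allow line changes nothing for other clients/daemons:
wrap_decision "$d/hosts.allow" "$d/hosts.deny.empty" sshd 10.1.1.2        # allow
wrap_decision "$d/hosts.allow" "$d/hosts.deny.empty" sshd 10.1.1.3        # allow
wrap_decision "$d/hosts.allow" "$d/hosts.deny.empty" in.telnetd 10.1.1.2  # allow
# With "ALL: ALL" in hosts.deny, only the listed pair gets through:
wrap_decision "$d/hosts.allow" "$d/hosts.deny.strict" sshd 10.1.1.2       # allow
wrap_decision "$d/hosts.allow" "$d/hosts.deny.strict" sshd 10.1.1.3       # deny
wrap_decision "$d/hosts.allow" "$d/hosts.deny.strict" in.telnetd 10.1.1.2 # deny
rm -rf "$d"
```

The point the model makes concrete: "allow sshd from Green" only restricts
anything when hosts.deny refuses everything else, and, as step 33 says, it
restricts nothing for a daemon such as postfix that is not linked with libwrap.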
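Steps 27, 31, 35 and 36 each change one postfix parameter (inet_interfaces,
mydestination, mynetworks, relayhost), and step 34 shows the "Relay access
denied" that postfix's own controls produce for an untrusted client. The
combination of inet_interfaces and mynetworks is what decides who can relay
through the host, so it is worth reading those values back out of main.cf and
judging them together. The script below is an added example (mine, not from
the lab or from the Postfix project): it extracts the effective value of a
parameter with the main.cf rules that matter here ("name = value", "#"
comments, continuation lines that start with whitespace, last definition wins,
from postconf(5)) and classifies the relay posture. The three config files
written by make_pf_demo() are constructed for the example; lab.cf mirrors the
lab's end state.

```shell
#!/bin/sh
# Added example, not from the lab: read relay-related parameters out of a
# main.cf-style file and say who the configuration lets relay through the host.
# Modelled main.cf syntax: "name = value", "#" comments, continuation lines
# starting with whitespace, last definition wins. The config files written by
# make_pf_demo() are constructed for this example.

# pf_get FILE PARAM: print the effective value of PARAM (empty if unset).
pf_get() {
    file=$1; want=$2; value=""; cur=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            [[:space:]]*)                     # continuation of the previous parameter
                if [ "$cur" = "$want" ]; then
                    value="$value $(printf '%s' "$line" | sed 's/^[[:space:]]*//')"
                fi
                continue ;;
        esac
        case $line in *=*) ;; *) continue ;; esac
        cur=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        if [ "$cur" = "$want" ]; then         # a later definition replaces an earlier one
            value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        fi
    done < "$file"
    printf '%s\n' "$value"
}

# pf_relay_check FILE: print "open-relay", "local-only" or "restricted: <nets>".
pf_relay_check() {
    nets=$(pf_get "$1" mynetworks)
    ifaces=$(pf_get "$1" inet_interfaces)
    [ -n "$ifaces" ] || ifaces=all            # Postfix's built-in default
    for n in $(printf '%s' "$nets" | tr ',' ' '); do
        case $n in
            0.0.0.0/0|*/0) printf 'open-relay\n'; return ;;   # every client is "trusted"
        esac
    done
    case $ifaces in
        loopback-only|127.0.0.1|localhost) printf 'local-only\n'; return ;;
    esac
    set -- $(printf '%s' "$nets" | tr ',' ' ')
    printf 'restricted: %s\n' "$*"
}

# make_pf_demo: write three constructed main.cf fragments and print the dir.
make_pf_demo() {
    d=$(mktemp -d)
    cat > "$d/lab.cf" <<'EOF'
# constructed: the lab's end state (steps 27, 31, 35)
inet_interfaces = all
mydestination = localhost.localdomain, localhost, red
mynetworks = 127.0.0.0/8
mynetworks = 127.0.0.0/8,
    10.1.1.2/32
EOF
    cat > "$d/local.cf" <<'EOF'
# constructed: localhost-only listener, the situation before step 27
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8
EOF
    cat > "$d/open.cf" <<'EOF'
# constructed: the classic mistake, every client counts as trusted
inet_interfaces = all
mynetworks = 0.0.0.0/0
EOF
    printf '%s\n' "$d"
}

d=$(make_pf_demo)
pf_get "$d/lab.cf" mynetworks        # 127.0.0.0/8, 10.1.1.2/32
pf_relay_check "$d/lab.cf"           # restricted: 127.0.0.0/8 10.1.1.2/32
pf_relay_check "$d/local.cf"         # local-only
pf_relay_check "$d/open.cf"          # open-relay
rm -rf "$d"
```

On a live system, "postconf mynetworks" (or "postconf -n" for every
non-default parameter) reports the value postfix is actually using, including
defaults and $variable expansion that this file-only reader does not attempt.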