Answer for KodeKloud Question - Web Server Security

 During a recent security audit, the application security team of xFusionCorp Industries found security issues with the Apache web server on Nautilus App Server 1 server in Stratos DC. They have listed several security issues that need to be fixed on this server. Please apply the security settings below:

a. On Nautilus App Server 1 it was identified that the Apache web server is exposing the version number. Ensure this server has the appropriate settings to hide the version number of the Apache web server.

b. There is a website hosted under /var/www/html/media on App Server 1. It was detected that the directory /media lists all of its contents while browsing the URL. Disable the directory browser listing in Apache config.

c. Also make sure to restart the Apache service after making the changes.

Sample Answer:

#login to app server ( as given in the question, check your question)

    ssh <user>@<app_server>

# switch to root user

    sudo su 

# start and check status of the apache service 

     systemctl start httpd

     systemctl status httpd

#before doing the task, verify from the jump host  (you can open another terminal on top and check )

    curl -I http://<app-server-IP>:8080

* the output will include the Apache version

#navigate to httpd conf directory and edit httpd.conf file as below 

    cd /etc/httpd/conf/

    vi httpd.conf

#add below line at the end 

     ServerTokens Prod

     ServerSignature Off

#now go to the section (<Directory "/var/www/html">) and change it as below

    <Directory "/var/www/html/<dir from your question>/">

        Options -Indexes +FollowSymLinks

        AllowOverride None

        Require all granted

    </Directory>

# save conf file

# restart the httpd 

     systemctl restart httpd
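
To confirm the settings before and after the restart, the check below reads an httpd.conf and reports the three things this task changes. It is an added example, not part of the original answer; the two sample configs are constructed, and it reads a single file only (no Include files or .htaccess).

```shell
#!/bin/sh
# Added example (not from the original post): static audit of one httpd.conf.
# audit_httpd_conf FILE DIR prints one finding per line and returns 1 if any.
audit_httpd_conf() {
    awk -v dir="$2" '
        /^[ \t]*#/ { next }                          # ignore comment lines
        { key = tolower($1) }
        key == "servertokens"    { tokens = tolower($2) }
        key == "serversignature" { sig = tolower($2) }
        key == "<directory" {                        # opening <Directory "path">
            path = $2; gsub(/[">]/, "", path); sub(/\/$/, "", path)
            in_dir = (path == dir); if (in_dir) seen = 1
        }
        key ~ /^<\/directory/ { in_dir = 0 }
        in_dir && key == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "-indexes" || o == "none") listing_off = 1
                if (o == "indexes" || o == "+indexes" || o == "all") listing_off = 0
            }
        }
        END {
            if (tokens != "prod" && tokens != "productonly") {
                print "ServerTokens is not Prod: Server header shows the version"; n++
            }
            if (sig == "on" || sig == "email") {
                print "ServerSignature is enabled: error pages carry a server footer"; n++
            }
            if (!seen) {
                print "no <Directory> block found for " dir; n++
            } else if (!listing_off) {
                print "<Directory " dir "> does not set Options -Indexes"; n++
            }
            exit (n > 0)
        }
    ' "$1"
}

# Constructed sample configs: one before the changes, one after them.
weak_conf=$(mktemp); hard_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
<Directory "/var/www/html/media">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
cat > "$hard_conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html/media/">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF

audit_httpd_conf "$weak_conf" /var/www/html/media || true   # two findings
audit_httpd_conf "$hard_conf" /var/www/html/media           # no output
```

On the server itself, point it at /etc/httpd/conf/httpd.conf and the directory from your question, then confirm with curl -I that the Server header no longer shows a version.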


*Please comment on this post if you are facing any issues in the steps, also provide your feedback in the comments :)

Note: **The question is copied here for learning purposes.** The commands are correct, but the server, user name, and other details may differ in your question, so please check.

Answer for KodeKloud Question -Install & Configure Web Application

 xFusionCorp Industries is planning to host two static websites on their infra in Stratos Datacenter. The development of these websites is still in -progress, but we want to get the servers ready. The storage server has a shared directory /data that is mounted on each app host under /var/www/html directory. Please perform the following steps to accomplish the task:

a. Install httpd package and dependencies on all app hosts.

b. Apache should serve on port 8080 within the apps.

c. There are two website's backups /home/thor/news and /home/thor/games on jump_host. Set them up on Apache in a way that news should work on link http://<<lb-url>>/news/ and games should work on link http://<<lb-url>>/games. (do not worry about load balancer configuration, as its already configured).

d. You can access the website on LBR link; to do so click on the + button on top of your terminal, select the option Select port to view on Host 1, and after adding port 80 click on Display Port.


Sample Answer:

#Login to an app server using ssh (the steps below need to be done on all the app servers)
ssh <user>@<app-server>

#login as root
sudo su

#install httpd (apache)
yum -y install httpd

#install openssh-clients
yum -y install openssh-clients
#restart sshd service
systemctl restart sshd

#Next change Listen port to 8080 (check your question, your port might be different )

vi /etc/httpd/conf/httpd.conf
Listen 8080

* DO ALL THE ABOVE STEPS IN ALL THE APP SERVERS

# Copy mentioned folders in the question to every app server from jump host

scp -r /home/thor/<folder_from_question> <user>@<app-server-01>:/tmp
scp -r /home/thor/<folder_from_question> <user>@<app-server-01>:/tmp

scp -r /home/thor/<folder_from_question> <user>@<app-server-02>:/tmp
scp -r /home/thor/<folder_from_question> <user>@<app-server-02>:/tmp

scp -r /home/thor/<folder_from_question> <user>@<app-server-03>:/tmp
scp -r /home/thor/<folder_from_question> <user>@<app-server-03>:/tmp


#Then from any app server move the folders to server html folder

mv /tmp/<folder_from_question> /var/www/html/
mv /tmp/<folder_from_question> /var/www/html/


#enable and start httpd
systemctl enable httpd
systemctl start httpd
 

#TESTING

Check from the jump host

curl http://<app-server-01>:8080/<folder_from_question>/
curl http://<app-server-01>:8080/<folder_from_question>/

curl http://<app-server-02>:8080/<folder_from_question>/
curl http://<app-server-02>:8080/<folder_from_question>/

curl http://<app-server-03>:8080/<folder_from_question>/
curl http://<app-server-03>:8080/<folder_from_question>/


click on the + button on top of your terminal, select the option Select port to view on Host 1, and after adding port 80 click on Display Port.



Answer for KodeKloud Question -Install and Configure DB Server

We recently migrated one of our WordPress websites from an old server to a new infrastructure in Stratos Datacenter. We have already set up LAMP, except for the database. We have also restored website code; however, we need to restore the database to make it work on the new infra. Please perform the below given steps on DB host:

a. Install/Configure MariaDB server.

b. Create a database with name kodekloud_db8.

c. There is a DB dump on jump_host under location /home/thor/db.sql. Restore this database in newly created database.

d. Create a user kodekloud_top and set any password you like.

e. Grant full permissions to user kodekloud_top on database kodekloud_db8.

f. Update database-related details in /data/wp-config.php file on storage server, which is our NFS server having a share /data mounted on each app server on location /var/www/html. (for more details about how to update WordPress config file please visit https://wordpress.org/support/article/editing-wp-config-php/)

g. You can access the website on LBR link; to do so click on the + button on top of your terminal, select option Select port to view on Host 1, and after adding port 80 click on Display Port.


Sample Answer:

#Login to db server using ssh
ssh <user>@<DB-server>

#login as root
sudo su

#install mariaDB
yum -y install mariadb*

#enable, start and check status of mariaDB
    systemctl enable mariadb && systemctl start mariadb && systemctl status mariadb

#Start mysql secure installation(press 'Enter' to give a new root password) 
#run below command and press enter
mysql_secure_installation
*now set a new password of your choice
#Now, login with root password that you have given in above step
mysql -u root -p

#create DB,user and grant permissions (check your question, DB name and user name from your question but for password you can give your own password) 

CREATE DATABASE <DB_from_your_question>;
CREATE USER '<user_from_your_question>'@'localhost' identified by '<your_own>';
GRANT ALL PRIVILEGES on <DB_from_your_question>.* to '<user_from_your_question>' identified by '<your_own>';
GRANT ALL PRIVILEGES on <DB_from_your_question>.* to '<user_from_your_question>'@'%';

FLUSH PRIVILEGES;
exit

#Edit the configuration file and bind the mysql to the database ip address and port

vi /etc/<any_name>.cnf

bind-address=<DB_server_IP_address>
port=3306


#Install Open ssh if the SCP isn't working

yum -y install openssh-clients

#Go to jump server and copy db.sql from jump server to db server

scp /home/thor/db.sql <user>@<DB_server>:/tmp/

#Go to db server and import db.sql to newly created database

mysql -u <user_from_your_question> -p <DB_from_your_question> < /tmp/db.sql

#restart mariaDB
systemctl restart mariadb

#check connection

mysql -u <user_from_your_question> -p -h <db_server>
mysql -u <user_from_your_question> -p -h localhost

#Next go to the storage server
ssh <user>@<storageserver>
#login as root
sudo su 

#Now check the configuration

cat /data/wp-config.php | grep DB_NAME
cat /data/wp-config.php | grep DB_USER
cat /data/wp-config.php | grep DB_PASSWORD
cat /data/wp-config.php | grep DB_HOST

Replace with correct configuration

sudo sed -i 's/dbname/<DB_from_your_question>/g' /data/wp-config.php
sudo sed -i 's/dbuser/<user_from_your_question>/g' /data/wp-config.php
sudo sed -i 's/dbpass/<your_own>/g' /data/wp-config.php
sudo sed -i 's/dbhost/<DB_host_name>/g' /data/wp-config.php

#TESTING

click on the + button on top of your terminal, select option Select port to view on Host 1, and after adding port 80 click on Display Port.


Answer for KodeKloud Question -PAM Authentication For Apache

 The document root /var/www/html of all web apps is on NFS share /data on storage server in Stratos Datacenter. We have a requirement where we want to password protect a directory in the Apache web server document root. We want to password protect http://<website-url>:<apache_port>/protected URL as per the following requirements (you can use any website-url for it like localhost since there are no such specific requirements as of now):

a. We want to use basic authentication.

b. We do not want to use htpasswd file base authentication. Instead, we want to use PAM authentication, i.e Basic Auth + PAM so that we can authenticate with a Linux user.

c. We already have a user mark with password BruCStnMT5 which you need to provide access to.

d. You can access the website on LBR link. To do so click on the + button on top of your terminal, select Select port to view on Host 1, and after adding port 80 click on Display Port

Sample Answer:

#login to an app server 

    ssh <user>@<app-server-Ip>

#switch to root user 

    sudo su

#install mod_authnz_external pwauth package

    yum --enablerepo=epel -y install mod_authnz_external pwauth

#create the protected directory 

   mkdir -p  /var/www/html/protected/

#create an index.html file inside the protected directory

    vi /var/www/html/protected/index.html

#do below configuration in authnz_external.conf file for basic auth+  PAM authentication 

    vi /etc/httpd/conf.d/authnz_external.conf

    # add below lines to  the end

    <Directory /var/www/html/protected>

         AuthType Basic

        AuthName "PAM Authentication"

        AuthBasicProvider external

        AuthExternal pwauth

        require valid-user

    </Directory>

  #save the file 

# restart the httpd services 

    systemctl restart httpd

*AS PER THE QUESTION YOU MUST DO THE ABOVE STEPS ON ALL THE APP SERVERS

#TESTING

    curl -u <user>:<password> http://localhost:8080/protected/



Answer for KodeKloud Question - Install And Configure PostgreSQL

 The Nautilus application development team has shared that they are planning to deploy one newly developed application on Nautilus infra in Stratos DC. The application uses PostgreSQL database, so as a pre-requisite we need to set up PostgreSQL database server as per requirements shared below:

a. Install and configure PostgreSQL database on Nautilus database server.

b. Create a database user kodekloud_joy and set its password to HyAGFRVNr3.

c. Create a database kodekloud_db8 and grant full permissions to user kodekloud_joy on this database.

d. Make appropriate settings to allow all local clients (local socket connections) to connect to the kodekloud_db8 database through kodekloud_joy user using md5 method (Please do not try to encrypt password with md5sum).

e. At the end its good to test the db connection using these new credentials from root user or server's sudo user.

Sample Answer:

#login to DB server

    ssh <user>@<DB-server-IP>

#switch to root user

    sudo su 

#install postgresql

    yum -y install postgresql-server postgresql-contrib

#initiate DB setup

    postgresql-setup initdb

#enable and start postgresql service

    systemctl enable postgresql 

    systemctl start postgresql

#let's Create user, database, and grant permission

    sudo -u postgres psql

CREATE USER <user_from_your_question> WITH PASSWORD '<password_from_your_question>';

CREATE DATABASE <DB_from_your_question>;

GRANT ALL PRIVILEGES ON DATABASE "<DB_from_your_question>" to <user_from_your_question>;

type \q to exit from psql

#now do the configuration changes 

    vi /var/lib/pgsql/data/postgresql.conf

            Uncomment below line

            listen_addresses = 'localhost' 

#another config change

       vi /var/lib/pgsql/data/pg_hba.conf

#Go to bottom of the config and edit as below

        local all all md5

        host all all 127.0.0.1/32 md5 

#restart psql service and check status

    systemctl restart postgresql

    systemctl status postgresql


#Testing 

psql -U <user_from_your_question> -d <DB_from_your_question> -h 127.0.0.1 -W

psql -U <user_from_your_question> -d <DB_from_your_question> -h localhost -W
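
PostgreSQL uses the first pg_hba.conf record that matches the connection type, database, user and address, with no fall-through, so where the md5 lines sit in the file matters. The added example below (not part of the original answer) reports which line decides a connection; both sample files are constructed, the first modelled on a packaged default, and only plain IPv4 CIDR addresses and all/name/sameuser entries are handled.

```shell
#!/bin/sh
# Added example, not from the original post: which pg_hba.conf line decides?
# hba_first_match FILE TYPE DB USER [IPV4] prints "<line-number> <method>"
# for the first matching record and returns 1 when no record matches.
hba_first_match() {
    awk -v type="$2" -v db="$3" -v user="$4" -v ip="$5" '
        function ip2n(a,   p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        function in_cidr(addr, cidr,   c, size) {
            split(cidr, c, "/"); size = 2 ^ (32 - c[2])
            return int(ip2n(addr) / size) == int(ip2n(c[1]) / size)
        }
        function listed(want, field,   items, i, n) {
            n = split(field, items, ",")
            for (i = 1; i <= n; i++)
                if (items[i] == "all" || items[i] == want) return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        $1 != type { next }
        !listed(db, $2) && !($2 == "sameuser" && db == user) { next }
        !listed(user, $3) { next }
        type == "local" { print NR, $4; found = 1; exit }
        $4 ~ /^[0-9.]+\/[0-9]+$/ && in_cidr(ip, $4) { print NR, $5; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Constructed samples. "appended" keeps packaged-style defaults and adds the
# md5 lines at the bottom; "edited" changes the existing lines in place.
hba_appended=$(mktemp); hba_edited=$(mktemp)
cat > "$hba_appended" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   ident
host    all       all   ::1/128        ident
local   all       all                  md5
host    all       all   127.0.0.1/32   md5
EOF
cat > "$hba_edited" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  md5
host    all       all   127.0.0.1/32   md5
host    all       all   ::1/128        ident
EOF

for f in "$hba_appended" "$hba_edited"; do
    hba_first_match "$f" local kodekloud_db8 kodekloud_joy
    hba_first_match "$f" host  kodekloud_db8 kodekloud_joy 127.0.0.1
done
```

In the appended sample the earlier peer and ident lines still decide both connections, so the existing lines have to be changed to md5 rather than new ones added below them.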



Answer for KodeKloud Question - Install And Configure SFTP

 Some of the developers from Nautilus project team have asked for SFTP access to at least one of the app server in Stratos DC. After going through the requirements, the system admins team has decided to configure the SFTP server on App Server 2 server in Stratos Datacenter. Please configure it as per the following instructions:

a. Create an SFTP user kirsty and set its password to TmPcZjtRQx.

b. Password authentication should be enabled for this user.

c. Set its ChrootDirectory to /var/www/apps.

d. SFTP user should only be allowed to make SFTP connections.

Sample Answer:

#login to correct app server ( check your question)

    ssh <user>@<app-server-IP>

#switch to root user

    sudo su

#create the SFTP user and set password as per the question ( check your question)

    adduser --shell /bin/false <SFTP-user-name>

    passwd <SFTP-user-name>

#create directory as per the question

    mkdir -p /var/www/apps

#set newly created SFTP user as the owner for this directory.

    chown <your sftpuser>:<your sftpuser> /var/www/apps

#set owner and read/write permission for root user

    chown root:root /var/www

    chmod 755 /var/www

#now do the required sftp configuration as below in the sshd_config file

    vi /etc/ssh/sshd_config

        # override default of no subsystems

        #Subsystem      sftp    /usr/libexec/openssh/sftp-server

        Subsystem sftp internal-sftp

        # Example of overriding settings on a per-user basis

        #Match User anoncvs

        #       X11Forwarding no

        #       AllowTcpForwarding no

        #       PermitTTY no

        #       ForceCommand cvs server

        Match User <your sftpuser from your question>

        ForceCommand internal-sftp

        PasswordAuthentication yes

        ChrootDirectory /var/www

        PermitTunnel no

        AllowAgentForwarding no

        AllowTcpForwarding no

        X11Forwarding no


press Esc and type :wq! for save

#restart sshd service 

    systemctl restart sshd

#Testing ( you have to give the sftp user password to access )

    sftp <your sftpuser>@localhost

#from jump host 

    sftp <your sftpuser>@<app-server-IP>



Answer for KodeKloud Question -Install and Configure Tomcat Server

 The Nautilus application development team recently finished the beta version of one of their Java-based applications, which they are planning to deploy on one of the app servers in Stratos DC. After an internal team meeting, they have decided to use the tomcat application server. Based on the requirements mentioned below complete the task:

a. Install tomcat server on App Server 3 using yum.

b. Configure it to run on port 8082.

c. There is a ROOT.war file on Jump host at location /tmp. Deploy it on this tomcat server and make sure the webpage works directly on base URL i.e without specifying any sub-directory anything like this http://URL/ROOT .

d. You can access the website on LBR link. To do so click on the + button on top of your terminal, select option Select port to view on Host 1, and after adding port 80 click on Display Port.

Sample Answer:

#login to app server as per the question(check your question )

ssh <user>@<App-server-03-IP>

#switch to root user

sudo su 

#install tomcat server

yum -y install tomcat

#configure tomcat port in below section(port should be as per your question )

vi /usr/share/tomcat/conf/server.xml

        <Connector port="<from your question>" protocol="HTTP/1.1"

        connectionTimeout="20000"

    press Esc key and type :wq! 

#from jump host copy the ROOT.war file from jump host to app server (app server as per your question).To open jump host terminal, click on the + button on top of your terminal,

    scp /tmp/ROOT.war <user>@<your-app-server-IP>:/tmp/

#Now from app server you have to copy the ROOT.war file to the correct location

    cp /tmp/ROOT.war /usr/share/tomcat/webapps/

#enable and start tomcat server

    systemctl enable tomcat 

    systemctl start tomcat 

##Final testing 

#from jump host 

    curl -I http://<app-server-IP>:<port>/

or 

You can access the website on LBR link. To do so click on the + button on top of your terminal, select option Select port to view on Host 1, and after adding port 80 click on Display Port.



Answer for KodeKloud Question -IPtables Installation And Configuration

 We have one of our websites up and running on our Nautilus infrastructure in Stratos DC. Our security team has raised a concern that right now Apache’s port i.e 5002 is open for all since there is no firewall installed on these hosts. So we have decided to add some security layer for these hosts and after discussions and recommendations we have come up with the following requirements:

1. Install iptables and all its dependencies on each app host.

2. Block incoming port 5002 on all apps for everyone except for LBR host.

3. Make sure the rules remain, even after the system reboot.


Sample Answer:

#login to an app server

    ssh <user>@<app-server-IP>

#switch to root user 

    sudo su 

#install iptables and its dependencies 

    yum -y install iptables-services 

#enable, start the Iptables and check the status 

    systemctl enable iptables

    systemctl start iptables 

    systemctl status iptables

#now verify the iptables rules before changing anything

      cat /etc/sysconfig/iptables 

*it will show you the list of ACCEPT rules and DROP rules 

 #now let's add iptables rules as per question

##by the below rule we are allowing the LBR host to access the app server

   iptables -R INPUT 5 -p tcp --destination-port <port from your question> -s 172.16.238.14 -j ACCEPT

##by the below rule we are blocking the access to app server

    iptables -A INPUT -p tcp --destination-port <port from your question> -j DROP

#save the rules 

    service iptables save

*AS PER THE QUESTION YOU MUST DO ALL THE ABOVE STEPS ON ALL THE APP SERVERS. 

##final testing/verification 

 #login to LBR host 

    ssh <user>@<LBR-server>

#run below commands

    telnet <app-server-01 -IP> <port from your question>
    telnet <app-server-02 -IP> <port from your question>
    telnet <app-server-03 -IP> <port from your question>

    curl <app-server-01 -IP>:<port from your question>
    curl <app-server-02 -IP>:<port from your question>
    curl <app-server-03 -IP>:<port from your question>
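
iptables walks the INPUT chain top to bottom and stops at the first matching rule, which is why the ACCEPT for the LBR host has to sit above the DROP. The added example below (not from the original answer) evaluates a saved ruleset for a new TCP connection; both rulesets and the non-LBR address 172.16.238.99 are constructed, the first assumes rule 5 was the stock catch-all REJECT, and only the match options shown here are understood.

```shell
#!/bin/sh
# Added example, not from the original post: first-match walk of INPUT.
# input_verdict RULES_FILE SRC_IP PORT prints the target that decides a new
# TCP connection from SRC_IP to PORT arriving on a non-loopback interface.
input_verdict() {
    awk -v src="$2" -v port="$3" '
        $1 == ":INPUT" { policy = $2; next }          # chain policy line
        $1 != "-A" || $2 != "INPUT" { next }
        {
            hit = 1; target = ""
            for (i = 3; i <= NF; i++) {
                v = $(i + 1)
                if ($i == "-i" && v == "lo") hit = 0
                if ($i == "-p" && v != "tcp") hit = 0
                if (($i == "--state" || $i == "--ctstate") && v !~ /NEW/) hit = 0
                if (($i == "--dport" || $i == "--destination-port") && v != port) hit = 0
                if ($i == "-s") { sub(/\/32$/, "", v); if (v != src) hit = 0 }
                if ($i == "-j") target = v
            }
            if (hit && target != "") { print target; decided = 1; exit }
        }
        END { if (!decided) print (policy ? policy : "ACCEPT") }
    ' "$1"
}

# Constructed ruleset: the result of the two commands above when rule 5 was
# the catch-all REJECT of a stock file (an assumption, check your own host).
rules_ok=$(mktemp); rules_bad=$(mktemp)
cat > "$rules_ok" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.238.14/32 -p tcp -m tcp --dport 5002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5002 -j DROP
COMMIT
EOF
# Constructed ruleset with the two rules in the wrong order.
cat > "$rules_bad" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 5002 -j DROP
-A INPUT -s 172.16.238.14/32 -p tcp -m tcp --dport 5002 -j ACCEPT
COMMIT
EOF

input_verdict "$rules_ok"  172.16.238.14 5002   # LBR host
input_verdict "$rules_ok"  172.16.238.99 5002   # any other host
input_verdict "$rules_bad" 172.16.238.14 5002   # LBR host, wrong rule order
```

In the first constructed ruleset a port that no rule names falls through to the chain policy, so run the same function for other ports after replacing rule 5 and compare the result with what you intend to expose.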
