Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

ABC

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 40

Lab Report

(System & Network Administration)

Submitted by : M Mehran Ul Zaman

Submitted to: Sir Waseeq Ul Islam

Roll no: Bsf2103917

Semester: 5th

Shift: Morning
 How to Install DHCP Server
This guide was created using Windows Server 2016. The steps should be similar for other server
versions.

Step 1: Open Server Manager

Click the start button then click the Server Manager


Step 2: Add roles and features

On the server manager dashboard click “Add roles and features” This will start the add roles and features
wizard

Click next on the before you begin page.


Step 3: Select Role-based or feature-based installation

Make sure “Role-based or feature-based installation is selected and click next

Step 4: Select the destination server

On this page choose the server you want the DHCP service installed on. In this example, I’ll be choosing
the local server.

Step 5: Select server roles

On this page, you want to select the DHCP server roles and click next.
When you select the roll you will get a pop up asking to add features that are required for DHCP server.
Click add features
Back on the
select server roles page click next

Step 6: Feature, DHCP Server

On the features screen click next

On the DHCP server click next

Step 7: Confirmation

On the confirmation page, you can select to automatically restart the server if required.

On 2016 server it does not require a restart.

Click install and the install will start.

You will get an install progress page, it will say install succeeded when complete.

That completes the install of the DHCP role. Move onto the next section for steps on configuring the
DCHP server.
Configure DHCP Server
If you followed the steps above you should now have the DHCP service installed.

But.. It still needs to be configured.

Step 1: Server Manager

In the server manager dashboard, you will see a yellow notification at the top left.

Click on it.

Now click on “Complete DHCP configuration”

Step 2 configuration wizard: Post-Install

On the description screen click next

On the authorization page use AD credentials if the server is joined to the domain.

Choose “Skip AD authorization” if the DHCP server is standalone and not joined to the domain.

Click commit
You will see a summary page of the configuration steps

Click close
Now you can open the DHCP management console to configure DHCP scopes and other options.

To access the DHCP management console click start -> Windows Administrative Tool -> DHCP

The DHCP management console


How to Setup DHCP Server in Ubuntu Server 20.04

Step 1 : Install a DHCP server:

sudo apt-get install isc-dhcp-server

Step 2 : Open the DHCP configuration file:

sudo nano /etc/dhcp/dhcpd.conf

Step 3 : Change the default and max lease time if necessary:

default-lease-time 600;
max-lease-time 7200;

Step 4 : Add the following lines at the end of the file (replace the IP
address to match your network):

subnet 192.168.1.0 netmask 255.255.255.0 {


range 192.168.1.80 192.168.1.90;
option routers 192.168.1.1;
option domain-name-servers 192.168.1.2, 192.168.1.3;
option domain-name "example.com";
}

Step 5 : You can reserve an IP address to be assigned to a specific


device on network. Reservation ensures that a specified device is
always assigned to the same IP address. To create a reservation, add
the following lines to dhcpd.conf. It will assign IP 192.168.1.88 to the
client with the 08:00:07:26:c0:a5 MAC ID:

host Server1 {
hardware ethernet 08:00:07:26:c0:a5;
fixed-address 192.168.1.88;
}
Step 6 : Save the configuration file and exit with Ctrl + O and Ctrl + X.
Step 7 : After changing the configuration file, restart dhcpd
sudo service isc-dhcp-server restart
 Install Squid Proxy Server on
Ubuntu 22.04|20.04
First, update your system packages. Note that for all the commands, I will be
running them as root user

sudo apt update && sudo apt upgrade -y

Check if a system needs to be rebooted after successful upgrade.

[ -e /var/run/reboot-required ] && sudo reboot

Next, install squid proxy on Ubuntu. Installing Squid proxy in Ubuntu is easy
because it is already available in Ubuntu 20 repositories. Confirm this with
the below command.

sudo apt-cache policy squid

To install Squid proxy, run the below commands. Also enable to start on
system boot then check status

sudo apt install -y squid

sudo systemctl start squid

sudo systemctl enable squid

sudo systemctl status squid

Configure Squid proxy server on Ubuntu 22.04|20.04

The default Squid proxy configuration file is found


in /etc/squid/squid.conf. The file already has a number of setting that work at
the minimum but we can modify to suit our preference. First, create a
backup of the original file.

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.orig

Now, do your custom settings in /etc/squid/squid.conf. Open the file with your
preferred file editor

sudo vim /etc/squid/squid.conf

1. Change squid default port

The default Squid tcp port is 3128.To alter this, open squid.conf file and look
for http_port line. Change to your desired port number and save the file.

#http_port 3128

http_port 8080

Make sure to allow the port though the firewall

sudo ufw allow 8080/tcp

sudo ufw enable

2. Set Squid cache memory size

To set your desired cache memory, use the settings below. For my case, I am
using 256 MB

cache_mem 256 MB
3. Specify DNS name-servers to use

To define your own DNS servers, use the command as shown

dns_nameservers 8.8.8.8 8.8.4.4

4. Squid ACL and http_access

Now, edit squid.conf to add rules of your choice. A proxy server is selective of
what goes through it. We can allow access from specific networks/ IP
addresses and deny others. It can also be used to filter traffic by restricting
access to certain sites or by blocking content based on certain keywords. This
is achieved by use of ACLs (Access Control Lists), which define what is
allowed and what is denied. Http_access define the allow or deny based on
an ACL.

acl aclname acltype argument..

acl aclname acltpe “file”…

The default defined ACL rules are as shown. Tou can choose to disable the by
adding # at the beginning of each line. To create new rules, follow the
examples below:

Examples1: Allow LAN network through Squid proxy server

Create the acl rule

acl my_lan src 192.168.100.0/24

Now either allow or deny based on the defined rule, with the use
of http_access directive. In our case, we need to allow
http_access allow my_lan

Note that the last rule every time you create ACL access rules should be
the deny all. This should be done when you have allowed all the required
sites otherwise you might block yourselves from accessing some needed
sites.

http_access deny all

Deny access to specific websites in Squid proxy server

When dealing with a number of websites, it is easier and more organized to


put all the sites in a file then call it, otherwise you would list the cites in the
acl rule. In our example, I will create a file called deniedsites.squid in the
squid directory.

sudo vim /etc/squid/deniedsites.squid

Add the sites that you wish to deny access. For my case, I am using facebook
and youtube. Save the file after.

.facebook.com

.youtube.com

Now open squid.conf and create an acl rule for the denied sites and add a
deny rule then save the file.

acl deniedsites dstdomain “/etc/squid/deniedsites.squid”

http_access deny deniedsites

If you were to list the sites in the acl rule:


acl deniedsites dstdomain facebook.com youtube.com

http_access deny deniedsites

Note that everytime you make changes, you must restart squid server

sudo systemctl restart squid

How to block traffic basing on some keywords in Squid proxy server

Create a file containing the key words. Use the file name to create an acl rule
the deny traffic.

sudo vim /etc/squid/keywords.squid.

Add you keywords and save.

gamble

nudes

xxx

Edit squid.conf to create acl and deny rule the save and remember to restart
squid.

acl keywords url_regex -i "/etc/squid/keywords.squid"

http_access deny keywords

To open ports in Squid proxy server, use the command syntax as shown
below
acl Safe_ports port <port-number>

How to mask outgoing traffic on Squid proxy server

A proxy server is suppose to hide our identity by exposing the proxy IP


address instead of our own. However, the proxy can let oTo avoid revealing
your Squid proxy server, you can remove Squid proxy header. Add the line
below in TAG; request_header_access. ur IP get known via http outgoing
traffic. To disable this, edit squid.conf file and disable via headers. To do this,
check for the line with #via on. Uncomment and change from on to off.

# via on

via off

Also Proxy server should not append clients IP address in the http requests
which it forwards. Disable this by modifying the following lines
in squid.conf file.

request_header_access From deny all

request_header_access Server deny all

request_header_access WWW-Authenticate deny all

request_header_access Link deny all

request_header_access Cache-Control deny all

request_header_access Proxy-Connection deny all


request_header_access X-Cache deny all

request_header_access X-Cache-Lookup deny all

request_header_access X-Forwarded-For deny all

request_header_access Pragma deny all

request_header_access Keep-Alive deny all

Save squid.conf file and remember to restart squid

systemctl restart squid

How to check Squid configuration errors

The command below will point out where there could be errors in your
configuration file

sudo squid -k parse

Configure clients to connect through Squid proxy


server

Configure user authentication

First, let us create and allow users to authenticate through Squid proxy. We
need to enable http authentication in squid.conf file. Install apache2-utils.

sudo apt update


sudo apt install -y apache2-utils

Create a file that will be used to store users. Mine is called ‘passwd’. The file
should be owned by proxy which is the default Squid user.

sudo touch /etc/squid/passwd

sudo chown proxy: /etc/squid/passwd

Let’s add a user called lorna

$ sudo htpasswd /etc/squid/passwd lorna

New password:

Re-type new password:

Adding password for user lorna

Now add the following lines in squid.conf file. After adding, save and restart
squid.

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd

auth_param basic children 5

auth_param basic realm Squid Basic Authentication

auth_param basic credentialsttl 2 hours

acl auth_users proxy_auth REQUIRED

http_access allow auth_users


It is important to check the location of basic_ncsa_auth to be sure that you are
using the right path and that you do not get errrors. Use the command
below:

dpkg -L squid | grep ncsa_auth

 Domain Name Service (DNS)

Installation
At a terminal prompt, enter the following command to install dns:
sudo apt install bind9
A very useful package for testing and troubleshooting DNS issues is
the dnsutils package. Very often these tools will be installed already, but to
check and/or install dnsutils enter the following:
sudo apt install dnsutils

Configuration
There are many ways to configure BIND9. Some of the most common
configurations are a caching nameserver, primary server, and secondary
server.
 When configured as a caching nameserver BIND9 will find the
answer to name queries and remember the answer when the domain
is queried again.
 As a primary server, BIND9 reads the data for a zone from a file on
its host and is authoritative for that zone.
 As a secondary server, BIND9 gets the zone data from another
nameserver that is authoritative for the zone.
Overview
The DNS configuration files are stored in the /etc/bind directory. The
primary configuration file is /etc/bind/named.conf, which in the layout
provided by the package just includes these files.
 /etc/bind/named.conf.options: global DNS options
 /etc/bind/named.conf.local: for your zones
 /etc/bind/named.conf.default-zones: default zones such as
localhost, its reverse, and the root hints
The root nameservers used to be described in the file /etc/bind/db.root.
This is now provided instead by the /usr/share/dns/root.hints file shipped
with the dns-root-data package, and is referenced in
the named.conf.default-zones configuration file above.
It is possible to configure the same server to be a caching name server,
primary, and secondary: it all depends on the zones it is serving. A server
can be the Start of Authority (SOA) for one zone, while providing secondary
service for another zone. All the while providing caching services for hosts
on the local LAN.
Caching Nameserver

The default configuration acts as a caching server. Simply uncomment and


edit /etc/bind/named.conf.options to set the IP addresses of your ISP’s
DNS servers:
forwarders {
1.2.3.4;
5.6.7.8;
};
Note
Replace 1.2.3.4 and 5.6.7.8 with the IP Addresses of actual nameservers.
To enable the new configuration, restart the DNS server. From a terminal
prompt:
sudo systemctl restart bind9.service
See dig for information on testing a caching DNS server.
Primary Server
In this section BIND9 will be configured as the Primary server for the
domain example.com. Simply replace example.com with your FQDN (Fully
Qualified Domain Name).
Forward Zone File
To add a DNS zone to BIND9, turning BIND9 into a Primary server, first
edit /etc/bind/named.conf.local:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
Note
If bind will be receiving automatic updates to the file as with DDNS, then
use /var/lib/bind/db.example.com rather
than /etc/bind/db.example.com both here and in the copy command below.
Now use an existing zone file as a template to create
the /etc/bind/db.example.com file:
sudo cp /etc/bind/db.local /etc/bind/db.example.com
Edit the new zone file /etc/bind/db.example.com and change localhost. to
the FQDN of your server, leaving the additional . at the end.
Change 127.0.0.1 to the nameserver’s IP Address and root.localhost to a
valid email address, but with a . instead of the usual @ symbol, again
leaving the . at the end. Change the comment to indicate the domain that
this file is for.
Create an A record for the base domain, example.com. Also, create an A
record for ns.example.com, the name server in this example:
;
; BIND data file for example.com
;
$TTL 604800
@ IN SOA example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL

@ IN NS ns.example.com.
@ IN A 192.168.1.10
@ IN AAAA ::1
ns IN A 192.168.1.10
You must increment the Serial Number every time you make changes to
the zone file. If you make multiple changes before restarting BIND9, simply
increment the Serial once.
Now, you can add DNS records to the bottom of the zone file.
See Common Record Types for details.
Note
Many admins like to use the last date edited as the serial of a zone, such
as 2020012100 which is yyyymmddss (where ss is the Serial Number)
Once you have made changes to the zone file BIND9 needs to be restarted
for the changes to take effect:
sudo systemctl restart bind9.service

Reverse Zone File


Now that the zone is setup and resolving names to IP Addresses,
a Reverse zone needs to be added to allows DNS to resolve an address to
a name.
Edit /etc/bind/named.conf.local and add the following:
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
};
Note
Replace 1.168.192 with the first three octets of whatever network you are
using. Also, name the zone file /etc/bind/db.192 appropriately. It should
match the first octet of your network.
Now create the /etc/bind/db.192 file:
sudo cp /etc/bind/db.127 /etc/bind/db.192
Next edit /etc/bind/db.192 changing the same options
as /etc/bind/db.example.com:
;
; BIND reverse data file for local 192.168.1.XXX net
;
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.
10 IN PTR ns.example.com.
The Serial Number in the Reverse zone needs to be incremented on each
change as well. For each A record you configure
in /etc/bind/db.example.com, that is for a different address, you need to
create a PTR record in /etc/bind/db.192.
After creating the reverse zone file restart BIND9:
sudo systemctl restart bind9.service
Secondary Server
Once a Primary Server has been configured a Secondary Server is highly
recommended in order to maintain the availability of the domain should the
Primary become unavailable.
First, on the Primary server, the zone transfer needs to be allowed. Add
the allow-transfer option to the example Forward and Reverse zone
definitions in /etc/bind/named.conf.local:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
allow-transfer { 192.168.1.11; };
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
allow-transfer { 192.168.1.11; };
};
Note
Replace 192.168.1.11 with the IP Address of your Secondary nameserver.
Restart BIND9 on the Primary server:
sudo systemctl restart bind9.service
Next, on the Secondary server, install the bind9 package the same way as
on the Primary. Then edit the /etc/bind/named.conf.local and add the
following declarations for the Forward and Reverse zones:
zone "example.com" {
type secondary;
file "db.example.com";
masters { 192.168.1.10; };
};
zone "1.168.192.in-addr.arpa" {
type secondary;
file "db.192";
masters { 192.168.1.10; };
};
Note
Replace 192.168.1.10 with the IP Address of your Primary nameserver.
Restart BIND9 on the Secondary server:
sudo systemctl restart bind9.service

In /var/log/syslog you should see something similar to the following (some


lines have been split to fit the format of this document):
client 192.168.1.10#39448: received notify for zone '1.168.192.in-
addr.arpa'
zone 1.168.192.in-addr.arpa/IN: Transfer started.
transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53:
connected using 192.168.1.11#37531
zone 1.168.192.in-addr.arpa/IN: transferred serial 5
transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53:
Transfer completed: 1 messages,
6 records, 212 bytes, 0.002 secs (106000 bytes/sec)
zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 5)

client 192.168.1.10#20329: received notify for zone 'example.com'


zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 192.168.1.10#53: connected using
192.168.1.11#38577
zone example.com/IN: transferred serial 5
transfer of 'example.com/IN' from 192.168.1.10#53: Transfer completed: 1
messages,
8 records, 225 bytes, 0.002 secs (112500 bytes/sec)
Note
Note: A zone is only transferred if the Serial Number on the Primary is
larger than the one on the Secondary. If you want to have your Primary
DNS notifying other Secondary DNS Servers of zone changes, you can
add also-notify { ipaddress; }; to /etc/bind/named.conf.local as shown in the
example below:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
allow-transfer { 192.168.1.11; };
also-notify { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
allow-transfer { 192.168.1.11; };
also-notify { 192.168.1.11; };
};
Note
The default directory for non-authoritative zone files is /var/cache/bind/.
This directory is also configured in AppArmor to allow the named daemon
to write to it. For more information on AppArmor see Security - AppArmor.
Troubleshooting
This section covers diagnosing problems with DNS and BIND9
configurations.
Testing
resolv.conf
The first step in testing BIND9 is to add the nameserver’s IP Address to a
hosts resolver. The Primary nameserver should be configured as well as
another host to double check things. Refer to DNS client configuration for
details on adding nameserver addresses to your network clients. In the end
your nameserver line in /etc/resolv.conf should be pointing
at 127.0.0.53 and you should have a search parameter for your domain.
Something like this:
nameserver 127.0.0.53
search example.com
To check which DNS server your local resolver is using, run:
resolvectl status
Note
You should also add the IP Address of the Secondary nameserver to your
client configuration in case the Primary becomes unavailable.
dig
If you installed the dnsutils package you can test your setup using the DNS
lookup utility dig:
 After installing BIND9 use dig against the loopback interface to make
sure it is listening on port 53. From a terminal prompt:
 dig -x 127.0.0.1
You should see lines similar to the following in the command output:
;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
 If you have configured BIND9 as a Caching nameserver “dig” an
outside domain to check the query time:
 dig ubuntu.com
Note the query time toward the end of the command output:
;; Query time: 49 msec
After a second dig there should be improvement:
;; Query time: 1 msec
ping
Now to demonstrate how applications make use of DNS to resolve a host
name use the ping utility to send an ICMP echo request:
ping example.com
This tests if the nameserver can resolve the name ns.example.com to an IP
Address. The command output should resemble:
PING ns.example.com (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.800 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.813 ms
named-checkzone
A great way to test your zone files is by using the named-checkzone utility
installed with the bind9 package. This utility allows you to make sure the
configuration is correct before restarting BIND9 and making the changes
live.
 To test our example Forward zone file enter the following from a
command prompt:
 named-checkzone example.com /etc/bind/db.example.com
If everything is configured correctly you should see output similar to:
zone example.com/IN: loaded serial 6
OK
 Similarly, to test the Reverse zone file enter the following:
 named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.192
The output should be similar to:
zone 1.168.192.in-addr.arpa/IN: loaded serial 3
OK
Note
The Serial Number of your zone file will probably be different.
Quick temporary query logging
With the rndc tool, you can quickly turn query logging on and off, without
restarting the service or changing the configuration file.
To turn query logging on, run:
sudo rndc querylog on
Likewise, to turn it off, run:
sudo rndc querylog off
The logs will be sent to syslog and will show up in /var/log/syslog by
default:
Jan 20 19:40:50 new-n1 named[816]: received control channel command
'querylog on'
Jan 20 19:40:50 new-n1 named[816]: query logging is now on
Jan 20 19:40:57 new-n1 named[816]: client @0x7f48ec101480
192.168.1.10#36139 (ubuntu.com): query: ubuntu.com IN A +E(0)K
(192.168.1.10)
Note
The amount of logs generated by enabling querylog could be huge!
Logging
BIND9 has a wide variety of logging configuration options available, but the
two main ones are channel and category, which configure where logs go,
and what information gets logged, respectively.
If no logging options are configured the default configuration is:
logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
};
Let’s instead configure BIND9 to send debug messages related to DNS
queries to a separate file.
We need to configure a channel to specify which file to send the messages
to, and a category. In this example, the category will log all queries.
Edit /etc/bind/named.conf.local and add the following:
logging {
channel query.log {
file "/var/log/named/query.log";
severity debug 3;
};
category queries { query.log; };
};
Note
The debug option can be set from 1 to 3. If a level isn’t specified, level 1 is
the default.
 Since the named daemon runs as the bind user
the /var/log/named directory must be created and the ownership
changed:
 sudo mkdir /var/log/named
 sudo chown bind:bind /var/log/named
 Now restart BIND9 for the changes to take effect:
 sudo systemctl restart bind9.service
You should see the file /var/log/named/query.log fill with query information. This is a
simple example of the BIND9 logging options.

 Samba as a file server


Install Samba
The first step is to install the samba package. From a terminal prompt
enter:
sudo apt install samba
That’s all there is to it; you are now ready to configure Samba to share files.
Configure Samba as a file server
The main Samba configuration file is located in /etc/samba/smb.conf. The
default configuration file contains a significant number of comments, which
document various configuration directives.
Note:
Not all available options are included in the default configuration file. See
the smb.conf man page or the Samba HOWTO Collection for more details.
First, edit the workgroup parameter in the [global] section
of /etc/samba/smb.conf and change it to better match your environment:
workgroup = EXAMPLE
Create a new section at the bottom of the file, or uncomment one of the
examples, for the directory you want to share:
[share]
comment = Ubuntu File Server Share
path = /srv/samba/share
browsable = yes
guest ok = yes
read only = no
create mask = 0755
 comment
A short description of the share. Adjust to fit your needs.
 path
The path to the directory you want to share.
Note:
This example uses /srv/samba/sharename because, according to
the Filesystem Hierarchy Standard (FHS), /srv is where site-specific
data should be served. Technically, Samba shares can be placed
anywhere on the filesystem as long as the permissions are correct,
but adhering to standards is recommended.
 browsable
Enables Windows clients to browse the shared directory using
Windows Explorer.
 guest ok
Allows clients to connect to the share without supplying a password.
 read only: determines if the share is read only or if write privileges are
granted. Write privileges are allowed only when the value is no, as is
seen in this example. If the value is yes, then access to the share is
read only.
 create mask
Determines the permissions that new files will have when created.
Create the directory
Now that Samba is configured, the directory needs to be created and the
permissions changed. From a terminal, run the following commands:
sudo mkdir -p /srv/samba/share
sudo chown nobody:nogroup /srv/samba/share/
The -p switch tells mkdir to create the entire directory tree if it doesn’t
already exist.
Enable the new configuration
Finally, restart the Samba services to enable the new configuration by
running the following command:
sudo systemctl restart smbd.service nmbd.service

Once again, the above configuration gives full access to any client on
the local network. For a more secure configuration see Share Access
Control.
From a Windows client you should now be able to browse to the
Ubuntu file server and see the shared directory. If your client doesn’t
show your share automatically, try to access your server by its IP
address, e.g. \\192.168.1.1, in a Windows Explorer window. To check
that everything is working try creating a directory from Windows.
To create additional shares simply create new [sharename] sections
in /etc/samba/smb.conf, and restart Samba. Just make sure that the
directory you want to share actually exists and the permissions are
correct.
The file share named [share] and the path /srv/samba/share used in
this example can be adjusted to fit your environment. It is a good idea
to name a share after a directory on the file system. Another example
would be a share name of [qa] with a path of /srv/samba/qa.

 Ubuntu configuring SSH Key-based


Authentication
The procedure to configuring SSH Key-based Authentication under Ubuntu
is as follows:

1. Log in to your Ubuntu-based system.


2. Open the terminal application.
3. Use the ssh-keygen command to generate SSH keys. For extra
protection for the private key, do enter a passphrase:
{vivek@ubuntu-desktop:~ }$ ssh-keygen
Click to enlarge
4. Use the ssh-copy-id command to send the public key of the SSH key pair
to vivek on server1.cyberciti.biz:
{vivek@ubuntu-desktop:~ }$ ssh-copy-id vivek@ec2-linode-ipv4-address
{vivek@ubuntu-desktop:~ }$ ssh-copy-id vivek@server1.cyberciti.biz
5. Test by executing the date command on server1.cyberciti.biz remotely
using SSH without accessing the remote interactive shell:
{vivek@ubuntu-desktop:~ }$ ssh vivek@server1.cyberciti.biz date
6. Please witness that the ssh command cued you for the passphrase you
used to protect the private key of the SSH key pair. This passphrase
shields the private key. Should an attacker or malware gain access to the
ssh private key, they cannot use it to access other systems because the
private key is protected with a passphrase. The ssh command uses a
different passphrase than the one for the vivek user on
server1.cyberciti.biz, requiring users to know both. This is a security
feature and recommends for all Ubuntu users.
7. Is typing passphrase cumbersome for you each time you use the ssh
command? Fear not; you can use ssh-agent command, as in the following
step, to avoid interactively typing in the passphrase while logging in with
SSH. In other words, using ssh-agent is more convenient and secure
when logging in to remote Linux or Unix systems regularly for
maintenance or troubleshooting.
8. Let us type ssh-agent command in your Bash/ZSH or other shells. To
save time, you will add the passphrase-protected private key of the SSH
key pair to the shell session. Here is the bash/sh compatible syntax:
{vivek@ubuntu-desktop:~ }$ eval $(ssh-agent)
So the eval command created an ssh-agent and configured the current
shell session to use it. Next, you run the ssh-add command to provide the
unlocked private key to ssh-agent and thus our working shell environment.
For instance:
{vivek@ubuntu-desktop:~ }$ ssh-add {~/.ssh/your_private_key}
# Try id_rsa or id_ed25519 private keys #
{vivek@ubuntu-desktop:~ }$ ssh-add ~/.ssh/id_rsa
{vivek@ubuntu-desktop:~ }$ ssh-add ~/.ssh/id_ed25519
9. Now again, try to execute the uptime command/w command or date
command on server1.cyberciti.biz remotely without accessing a remote
interactive shell and passphrase:
{vivek@ubuntu-desktop:~ }$ ssh vivek@server1.cyberciti.biz date
# Use ~/.ssh/aws-key as the identity file #
{vivek@ubuntu-desktop:~ }$ ssh -i ~/.ssh/aws-key
vivek@server1.cyberciti.biz date
10. Here is how to log into the server:
{vivek@ubuntu-desktop:~ }$ ssh vivek@server1.cyberciti.biz
State the private ~/.ssh/linode-db2-key as the identity file:
ssh -i ~/.ssh/linode-db2-key
{vivek@ubuntu-desktop:~ }$
vivek@server2.cyberciti.biz
Please note that you can use keygen as an alternative to ssh-add and ssh-
agent.
The ssh-keygen command options
You can pass the -t to the ssh-keygen for key type such as rsa, ed25519,
ecdsa-sk, ed25519-sk and so on. Also, you can state key file name using
the -f option. You can add comment using the -C comment option. For example:
{vivek@ubuntu-desktop:~ }$ ssh-keygen -t ed25519 -f ~/.ssh/linode-cluser -C
"Linode nixCraft cluser
Here is how to create SSH Key-based Authentication with YuiKey with 2FA
hardware key:
{vivek@ubuntu-desktop:~ }$ ssh-keygen -t ed25519-sk \
-f ~/.ssh/AWS_bastion_host_id_ed25519-sk \
-C "${USER}@${HOSTNAME}_$(date +'%Y-%d-%m')_YubiKey"

Exiting from remote ssh session


To log out of server1.cyberciti.biz on the terminal, type the exit command:
{vivek@server1.cyberciti.biz:~}$ exit

Getting help is easy


You must read the following help pages using the man command or help
command. For example:
{vivek@ubuntu-desktop:~ }$ man ssh-keygen
{vivek@ubuntu-desktop:~ }$ man ssh-copy-id
{vivek@ubuntu-desktop:~ }$ man ssh-agent
{vivek@ubuntu-desktop:~ }$ man ssh-add
{vivek@ubuntu-desktop:~ }$ man bash
{vivek@ubuntu-desktop:~ }$ man zsh
{vivek@ubuntu-desktop:~ }$ help eval #<--bash only
 Install and Configure Apache
Installing Apache
To install Apache, install the latest meta-package apache2 by running:
sudo apt update
sudo apt install apache2

After letting the command run, all required packages are installed and we
can test it out by typing in our IP address for the web server.
Creating Your Own Website

By default, Apache comes with a basic site (the one that we saw in the
previous step) enabled. We can modify its content in /var/www/html or
settings by editing its Virtual Host file found in /etc/apache2/sites-
enabled/000-default.conf.
We can modify how Apache handles incoming requests and have multiple
sites running on the same server by editing its Virtual Hosts file.
Today, we’re going to leave the default Apache virtual host configuration
pointing to www.example.com and set up our own at gci.example.com.
So let’s start by creating a folder for our new website in /var/www/ by
running
sudo mkdir /var/www/gci/

We have it named gci here but any name will work, as long as we point to it
in the virtual hosts configuration file later.
Now that we have a directory created for our site, lets have an HTML file in
it. Let’s go into our newly created directory and create one by typing:
cd /var/www/gci/
nano index.html
Paste the following code in the index.html file:
<html>
<head>
<title> Ubuntu rocks! </title>
</head>
<body>
<p> I'm running this website on an Ubuntu Server server!
</body>
</html>

Setting up the VirtualHost Configuration File


We start this step by going into the configuration files directory:
cd /etc/apache2/sites-available

Since Apache came with a default VirtualHost file, let’s use that as a base.
(gci.conf is used here to match our subdomain name):
sudo cp 000-default.conf gci.conf

Now edit the configuration file:


sudo nano gci.conf

We should have our email in ServerAdmin so users can reach you in case
Apache experiences any error:
ServerAdmin yourname@example.com

We also want the DocumentRoot directive to point to the directory our site
files are hosted on:
DocumentRoot /var/www/gci/

The default file doesn’t come with a ServerName directive so we’ll have to
add and define it by adding this line below the last directive:
ServerName gci.example.com

This ensures people reach the right site instead of the default one when
they type in gci.example.com.
Activating VirtualHost file

After setting up our website, we need to activate the virtual hosts


configuration file to enable it. We do that by running the following command
in the configuration file directory:
sudo a2ensite gci.conf

You should see the following output


Enabling site gci.
To activate the new configuration, you need to run:
service apache2 reload
root@ubuntu-server:/etc/apache2/sites-available#
To load the new site, we restart Apache by typing:
service apache2 reload

 Setting Up Proxy with Ubuntu


Desktop GUI
1. To access proxy settings using the Ubuntu GUI, open Ubuntu’s
main Settings.
2. Select the Network setting in the menu on the left side of the window.
3. Then, click the cog in the Network Proxy section.

4.A Network Proxy dialogue appears. Choose Manual and enter your proxy info into the
fields below.
5. Exit the dialogue and Ubuntu will automatically apply the proxy settings.

Setting up Proxy With Ubuntu Desktop


Terminal
Use the command line interface for more granular control of proxy settings. This allows
you to:
 Make temporary or permanent changes to the configuration.
 Set up proxy for a single user or for all users.

Setting Up Temporary Proxy for a Single User


A temporary proxy connection resets after a system reboot. To establish such a
connection for the current user, use the export command.
The syntax for establishing a temporary proxy connection is:
export HTTP_PROXY=[username]:[password]@[proxy-web-or-IP-address]:[port-
number] export HTTPS_PROXY=[username]:[password]@[proxy-web-or-IP-address]:
[port-number] export FTP_PROXY=[username]:[password]@ [proxy-web-or-IP-
address]:[port-number] ... export NO_PROXY=localhost,127.0.0.1,::1
Provide the proxy address (web or IP), followed by the port number. If
the proxy server requires authentication, add your
proxy username and password as the initial values.
This is what the set of commands should look like in terminal:
The purpose of the NO_PROXY line is to tell the system that local traffic should ignore the
proxy.
Setting Up Permanent Proxy for a Single User
As stated above, proxy settings configured through a terminal window reset after you
reboot your system. To make permanent changes for a single user, edit the .bashrc file.
1. Open the file with a text editor of your choice:

sudo nano ~/.bashrc

2. Now add the following lines at the bottom of the .bashrc file:

export HTTP_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
export HTTPS_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
export FTP_PROXY="[username]:[password]@ [proxy-web-or-IP-address]:[port-number]"
...
export NO_PROXY="localhost,127.0.0.1,::1"

3. Save and exit the file.


4. Then, run the following command in to apply the new settings to the
current session:
source ~/.bashrc

Setting Up Permanent Proxy for All Users


To permanently set up proxy access for all users, you have to edit
the /etc/environment file.
1. First, open the file in a text editor:

sudo nano /etc/environment

2. Next, update the file with the same information you added to
the .bashrc file in the previous scenario:

export HTTP_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
export HTTPS_PROXY="[username]:[password]@[proxy-web-or-IP-address]:[port-number]"
export FTP_PROXY="[username]:[password]@ [proxy-web-or-IP-address]:[port-number]"
...
export NO_PROXY="localhost,127.0.0.1,::1"

3. Save the file and exit. The changes will be applied the next time you log
in.
Setting Up Proxy for APT
On some systems, the apt command-line utility needs a separate proxy
configuration, because it does not use system environment variables.
1. To define proxy settings for apt, create or edit (if it already exists) a file
named apt.conf in /etc/apt directory:
sudo nano /etc/apt/apt.conf

2. Add the following lines to the file:

Acquire::http::Proxy "http://[username]:[password]@ [proxy-web-or-IP-address]:[port-


number]";
Acquire::https::Proxy "http://[username]:[password]@ [proxy-web-or-IP-address]:[port-
number]";

3. Save the file and exit. The configuration will be applied after a reboot.

You might also like