This is assignment h4 for Linux palvelimet ICT4TN021-8 at Haaga-Helia University of Applied Sciences.

This week's assignment was to:

  • Make it possible to edit Apache's websites with regular user privileges (name-based virtual host)
  • Find entries of break-in attempts in your system's syslog
  • Make a website on your local computer and send it to your server via scp
  • Then make a simple PHP site on your server.

Then we had a few optional assignments, of which I chose getting a TLS certificate from Let's Encrypt.

During this assignment I'm using a Lenovo Z710 as my local computer, which is running Arch Linux x86_64, and my server is running Ubuntu 16.04.03 provided by DigitalOcean. Get $10 free in credits when registering to DigitalOcean via my referral.

Name-Based Virtual Host

I covered this topic in my last assignment, which can be found here.

Log Entries of Break-In Attempts

The next part was to look for break-in attempts on your server. Usually these entries are not hard to find in your logs, since from the moment your server goes online it is under attack, so the system logs are often filled with these attempts.

My server doesn't use the modern journalctl for system log entries; instead it uses /var/log/syslog for system logging. To read these entries use:

$ sudo less /var/log/syslog

This opens a long list of different events on your system. If your server is connected to the internet, most of these events are usually break-in attempts.

When you're in the less view you can jump straight to the end of the file with SHIFT-g. Here for example are the last 10 entries from my syslog, all of which are break-in attempts on my system blocked by my firewall.

.
.
.
Feb  9 13:46:49 linux-palvelimet kernel: [701558.900932] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:82:7d:08:00 SRC=185.222.209.51 DST=188.166.105.129 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=21408 PROTO=TCP SPT=50104 DPT=3988 WINDOW=1024 RES=0x00 SYN URGP=0 
Feb  9 13:47:35 linux-palvelimet kernel: [701605.350484] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:8a:7d:08:00 SRC=213.136.81.167 DST=188.166.105.129 LEN=446 TOS=0x00 PREC=0x00 TTL=57 ID=5159 DF PROTO=UDP SPT=5276 DPT=5062 LEN=426 
Feb  9 13:48:16 linux-palvelimet kernel: [701645.926184] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:8a:7d:08:00 SRC=77.72.82.147 DST=188.166.105.129 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=22125 PROTO=TCP SPT=55442 DPT=1695 WINDOW=1024 RES=0x00 SYN URGP=0 
Feb  9 13:48:46 linux-palvelimet kernel: [701676.091231] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:82:7d:08:00 SRC=221.213.54.71 DST=188.166.105.129 LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=7929 PROTO=TCP SPT=54215 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 
Feb  9 13:49:23 linux-palvelimet kernel: [701713.155671] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:8a:7d:08:00 SRC=81.171.17.4 DST=188.166.105.129 LEN=440 TOS=0x00 PREC=0x00 TTL=58 ID=23520 DF PROTO=UDP SPT=5108 DPT=5060 LEN=420 
Feb  9 13:49:38 linux-palvelimet kernel: [701727.410368] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:8a:7d:08:00 SRC=201.27.36.67 DST=188.166.105.129 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=42532 PROTO=TCP SPT=39414 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0 
Feb  9 13:50:01 linux-palvelimet kernel: [701750.774258] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:82:7d:08:00 SRC=186.90.243.96 DST=188.166.105.129 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=37518 PROTO=TCP SPT=25411 DPT=23 WINDOW=7475 RES=0x00 SYN URGP=0 
Feb  9 13:50:27 linux-palvelimet kernel: [701776.434306] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:8a:7d:08:00 SRC=185.222.209.51 DST=188.166.105.129 LEN=40 TOS=0x10 PREC=0x40 TTL=247 ID=47546 PROTO=TCP SPT=50104 DPT=2188 WINDOW=1024 RES=0x00 SYN URGP=0 
Feb  9 13:50:38 linux-palvelimet kernel: [701787.433881] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:8a:7d:08:00 SRC=109.248.9.18 DST=188.166.105.129 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=11716 PROTO=TCP SPT=45833 DPT=13495 WINDOW=1024 RES=0x00 SYN URGP=0 
Feb  9 13:50:59 linux-palvelimet kernel: [701809.275351] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:82:7d:08:00 SRC=148.72.168.192 DST=188.166.105.129 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=31137 PROTO=TCP SPT=45807 DPT=90 WINDOW=1024 RES=0x00 SYN URGP=0 

To exit the less view, simply press q.

You can see that all of this happened within 5 minutes. Times are in UTC, so they are two hours behind my local time. After the time you can see the hostname of my server, which is simply linux-palvelimet, the server I made for this course. Next comes kernel: [701787.433881]. I'm not entirely sure what this tells you, but a safe assumption is that it tells something relevant about the kernel in use. Next it tells you that UFW blocked a connection, and after that it gives you information about where the connection was made from. I'm not entirely sure about every field here, but I know that SRC is the source of the connection, i.e. where it comes from, DST is the destination, which in this case is my IP address, PROTO is the protocol used for this connection, DPT is the destination port and SPT is the connection's source port.

You can also see that these 10 entries have 10 different source IP addresses, so all the entries are from different computers. You can also see that almost every entry tries a different port.
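As an added example (not part of the original post), here is a small Python script that parses [UFW BLOCK] lines into the SRC, DST, PROTO, SPT and DPT fields described above and summarises blocked packets per source, so that a single source probing several different ports stands out. The sample input is four lines copied from the excerpt above plus one constructed sshd line that the parser must skip.

```python
import re
from collections import Counter

# Constructed sample: four [UFW BLOCK] lines copied from the syslog excerpt above, plus
# one made-up sshd line to show that non-UFW lines are skipped.
SAMPLE_LOG = """\
Feb  9 13:46:49 linux-palvelimet kernel: [701558.900932] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:82:7d:08:00 SRC=185.222.209.51 DST=188.166.105.129 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=21408 PROTO=TCP SPT=50104 DPT=3988 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  9 13:47:35 linux-palvelimet kernel: [701605.350484] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:8a:7d:08:00 SRC=213.136.81.167 DST=188.166.105.129 LEN=446 TOS=0x00 PREC=0x00 TTL=57 ID=5159 DF PROTO=UDP SPT=5276 DPT=5062 LEN=426
Feb  9 13:49:38 linux-palvelimet kernel: [701727.410368] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:8a:7d:08:00 SRC=201.27.36.67 DST=188.166.105.129 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=42532 PROTO=TCP SPT=39414 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Feb  9 13:50:27 linux-palvelimet kernel: [701776.434306] [UFW BLOCK] IN=eth0 OUT= MAC=86:0f:93:31:49:db:f4:a7:39:d7:8a:7d:08:00 SRC=185.222.209.51 DST=188.166.105.129 LEN=40 TOS=0x10 PREC=0x40 TTL=247 ID=47546 PROTO=TCP SPT=50104 DPT=2188 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  9 13:51:02 linux-palvelimet sshd[2210]: Accepted publickey for topi from 10.0.0.5 port 51234 ssh2
"""

# syslog prefix, hostname, bracketed kernel timestamp, then the UFW key=value fields.
UFW_RE = re.compile(
    r"^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*[\d.]+\] \[UFW BLOCK\] (?P<fields>.*)$"
)

def parse_ufw_block(line):
    """Return a dict of the line's fields, or None if it is not a UFW BLOCK entry."""
    m = UFW_RE.match(line)
    if not m:
        return None
    entry = {"time": m.group("time"), "host": m.group("host")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        # Bare tokens (DF, SYN) are flags; KEY=VALUE tokens carry values. LEN appears
        # twice on UDP lines (IP length, then UDP length) and the last one wins here.
        entry[key] = value if sep else True
    return entry

def summarize(log_text):
    """Blocked packets per source and protocol, plus sources that hit several ports."""
    entries = [e for e in map(parse_ufw_block, log_text.splitlines()) if e]
    ports_by_src = {}
    for e in entries:
        ports_by_src.setdefault(e["SRC"], set()).add((e["PROTO"], int(e["DPT"])))
    return {
        "blocked": len(entries),
        "by_src": Counter(e["SRC"] for e in entries),
        "by_proto": Counter(e["PROTO"] for e in entries),
        # One source probing more than one port is the classic port-scan signature.
        "scanners": sorted(s for s, ports in ports_by_src.items() if len(ports) > 1),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, hits in report["by_src"].most_common():
        print(f"{src:<16} {hits} hit(s)", "(several ports)" if src in report["scanners"] else "")
```

On the server itself you can run the same summary over the real log with summarize(open("/var/log/syslog").read()).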

You can see more information about where the connection came from with whois, for example:

$ whois 148.72.168.192

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=148.72.168.192?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       148.72.0.0 - 148.72.255.255
CIDR:           148.72.0.0/16
NetName:        GO-DADDY-COM-LLC
NetHandle:      NET-148-72-0-0-1
Parent:         NET148 (NET-148-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       
Organization:   GoDaddy.com, LLC (GODAD)
RegDate:        2015-10-26
Updated:        2015-10-26
Ref:            https://whois.arin.net/rest/net/NET-148-72-0-0-1



OrgName:        GoDaddy.com, LLC
OrgId:          GODAD
Address:        14455 N Hayden Road
Address:        Suite 226
City:           Scottsdale
StateProv:      AZ
PostalCode:     85260
Country:        US
RegDate:        2007-06-01
Updated:        2014-09-10
Comment:        Please send abuse complaints to [email protected]
Ref:            https://whois.arin.net/rest/org/GODAD


OrgNOCHandle: NOC124-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-480-505-8809 
OrgNOCEmail:  [email protected]
OrgNOCRef:    https://whois.arin.net/rest/poc/NOC124-ARIN

OrgTechHandle: NOC124-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-480-505-8809 
OrgTechEmail:  [email protected]
OrgTechRef:    https://whois.arin.net/rest/poc/NOC124-ARIN

OrgAbuseHandle: ABUSE51-ARIN
OrgAbuseName:   Abuse Department
OrgAbusePhone:  +1-480-624-2505 
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE51-ARIN

Transfer Locally Made Website via SCP

I've set my Apache virtual host's document root to /home/user/public_html, so everything in there is visible to the public and also editable as a regular user. So I make the following file on my local computer and send it to my server:

$ emacs scp.html
<!doctype html>
<html lang="en">
  <head>
    <meta charset="UTF-8"/>
    <title>Document</title>
  </head>
  <body>
    This is locally made website!
  </body>
</html>

To transfer this file to my server you can use scp:

$ scp scp.html [email protected]:public_html/scp.html

The command then shows a progress bar for the transfer, which in this case is very quick. Now you can test that it works simply by typing the following into your browser's URL bar:

your-ip-address/scp.html

And it seems to work!

SCP HTML

Making a Simple PHP-site

I already covered this topic when I tested my PHP installation in the last assignment, which can be found here.

TLS Certificate From Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit. It is a service provided by the Internet Security Research Group (ISRG). Let's Encrypt also provides an automated way to get these TLS certificates, in co-operation with the Electronic Frontier Foundation. This tool is called Certbot.

The prerequisites for using Certbot are that you have installed the Apache web server (Installing Apache) and configured a virtual host that specifies your domain. I already configured virtual hosts in the previous assignment (Apache Virtual Host), but that was done without a domain name. Here I'm going to show an example with my domain name.

Apache Virtual Host With Your Domain Name

I'm going to put this virtual host's DocumentRoot under my user's home directory. I already have a folder called public_html there, which contains two different HTML files (one made in the last assignment and the other made above). So I'm going to delete that folder just for the exercise's sake:

$ rm -r public_html

I'm going to make a folder in my home directory called topikettunen.me, which represents my domain, and a sub-directory inside it called public_html:

$ mkdir -p topikettunen.me/public_html

The -p option makes the parent folder as well if it doesn't exist already.

Next, I’m going to make a simple test site:

$ cd topikettunen.me/public_html

$ emacs index.html
<!doctype html>
<html lang="en">
  <head>
    <meta charset="UTF-8"/>
    <title>Topi Kettunen</title>
  </head>
  <body>
    <h1>Welcome to topikettunen.me</h1>
    <p>See you at <a href="https://topikettunen.com">https://topikettunen.com</a></p>
  </body>
</html>

Next we need to make a new virtual host file for this domain and point its DocumentRoot to the directory I made above:

$ sudo emacs /etc/apache2/sites-available/topikettunen.me.conf
<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName topikettunen.me
    ServerAlias www.topikettunen.me
    DocumentRoot /home/topi/topikettunen.me/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /home/topi/topikettunen.me/public_html>
        Require all granted
    </Directory>
</VirtualHost>

Here you can see that I give the virtual host its own ServerName and an alias for it, and point its DocumentRoot to the directory we just made. I also set the ServerAdmin email to my own. We also allowed access to the directory we just made.

Require all granted lets any client access that folder. With that we should see our page online:

topikettunen.me

Installing Certbot

Certbot isn't available straight from Ubuntu's apt package manager, so we need a Personal Package Archive (PPA) to download it. PPAs are user-made packages that are published as an apt repository. Anyone can publish them, so they can sometimes be insecure; be very careful when working with PPAs, because blindly trusting a PPA can lead to bad situations. Certbot, on the other hand, is managed by the EFF, so even though blind trust is often bad, I think we can trust this one.

To add Certbot PPA use:

$ sudo add-apt-repository ppa:certbot/certbot

After that, press RET to confirm adding the repository. Then we need to update the package index so apt is able to find this new repository:

$ sudo apt-get update

Lastly, install the Certbot client with:

$ sudo apt-get install python-certbot-apache

There is also a Certbot plugin for Nginx (python-certbot-nginx) if you happen to use that as your web server, but since we are using Apache we install the package above. Now Certbot should be ready to use.

Running Certbot

To run Certbot use:

$ sudo certbot --apache -d your-domain.com

E.g. I ran the following command:

$ sudo certbot --apache -d topikettunen.me -d www.topikettunen.me

I ran Certbot for my alias as well, just in case.

After that it will ask for an email address for lost key recovery and different notices, and you need to agree to the terms of service. Then it asks whether you want to redirect all traffic to HTTPS. It is usually recommended to allow this, unless something on your site requires a plain HTTP connection.

After that your certificate should be issued. Certbot also prints a link for you to test the certificate. For example, mine was:

.
.
.
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=topikettunen.me
https://www.ssllabs.com/ssltest/analyze.html?d=www.topikettunen.me
.
.
.

And you should also see the secure connection indicator in your browser when you go to your domain:

TLS

Resources