Transfer data throught the network

Question 1

What are the three profiles of Nginx through the ufw firewall?

Answer 1

1. Nginx HTTP: port 80, unencrypted web traffic.
2. Nginx HTTPS: port 443, TLS/SSL encrypted traffic.
3. Nginx Full: both Nginx HTTP and HTTPS.

Question 2

$ sudo ufw allow ‘[Nginx profile]’

Answer 2

Allow a specific Nginx profile through the ufw firewall.

Question 3

$ sudo ufw status

Answer 3

List the traffic allowed through ufw.

Question 4

What is the purpose of an init system like systemd?

Answer 4

To initialize the components that must be started after the Linux kernel is booted. it is also used to manage services and daemons for the server at any point while the system is running.

Question 5

$ sudo systemctl start [application]

Answer 5

Start a systemd service, executing instructions in the service’s unit file.

Question 6

$ sudo systemctl stop [application]

Answer 6

Stop a running systemd service.

Question 7

$ sudo systemctl restart [application]

Answer 7

Restart a systemd service.

Question 8

$ sudo systemctl reload [application]

Answer 8

Reload the application’s configuration files without restaring, if the application is able.

Question 9

$ sudo systemctl reload-or-restart [application]

Answer 9

If unsure about the service, try to reload it first. if not possible, restart it.

Question 10

$ sudo systemctl enable [application]

Answer 10

Start the service automatically at boot. This will create a symlink from the system’ s copy of the service file (/lib/systemd/system or /etc/systemd/system)) into the location on disk where systemd looks for autostart files (/etc/systemd/system/some_target.target.wants).

Question 11

$ sudo systemctl disable [application]

Answer 11

Disable a service from starting automatically at boot by removing its symlink.

Question 12

$ systemctl status [application]

Answer 12

Check the status of a service: state, cgroup hierarchy, first few log lines.

Question 13

What are the important directories and files for nginx?

Answer 13

/var/www/html/: actual web content. This can be changed by altering Nginx configuration files. /etc/nginx/: Nginx directory for configuration files. /etc/nginx/nginx.conf: global Nginx configuration file. /etc/nginx/sites-available/: directory where per-site “server blocks” can be stored. Nginx will not use the configuration files found here unless they are linked to the sites-enabled directory. /etc/nginx/sites-enabled/: directory where enabled per-site “server-blocks” are stored. /etcnginx/snippets/: this directory contains potentially repeatable configuration fragments that can be included elsewhere. /var/log/nginx/access.log: every request to the web server is recorded here unless asked otherwise. /var/log/nginx/error.log: any Nginx errors will be recorded here.

Question 14

What is the purpose of a host file, such as /etc/hosts?

Answer 14

It has the function to translate human-friendly hostnames into numeric protocol addresses called IP addresses, which uniquely identify and locate a host in an IP network. It can be used to personalized the hostname of the corresponding IP addresses.

Question 15

How to associate a domain to an Ip address in a host file?

Answer 15

Example: 127.0.0.1 mydomain (for IPv4) ::1 mydomain (for IPv6)

Question 16

$ sudo tail -f /var/log/nginx/access.log

Answer 16

Display the most recent logs of Nginx as they are appended.

Question 17

$ sudo ufw app list

Answer 17

List the application configirations that ufw knows how to work with.

Question 18

What is a server?

Answer 18

A computer connected to a network (intranet or extranet), offering a service. The principal differences with a personal computer is that:

1. It offers services.
2. There is no GUI.
3. It is always turned on.

Question 19

What is OpenSSH?

Answer 19

OpenSSH is a suite of security-related network-level utilities based on the Secure Shell (SSH) protocol, which help to secure network communications via the encryption of network traffic over multiple authentication methods and by providing secure tunneling capabilities.

Question 20

Install OpenSSH (client-side, NOT server-side).

Answer 20

sudo apt-get install openssh-client

Question 21

$ ssh-keygen -t rsa

Answer 21

Generate two SSH keys:

• Public: ~/.ssh/id_rsa.pub
• Private: ~/.ssh/id_rsa

Possibility to add a passphrase as an additional security to encrypt the private key.

Question 22

How to authorize a connection from local host to the remote host / server?

Answer 22

The public key from local host should be copied to the remote host and its path appended to the ~/.ssh/authorized_keys file.

Question 23

Get the public keys of any GitHub user.

Answer 23

$ curl https://github.com/<username>.keys</username>

Question 24

For what is the tar command line tool used?

Answer 24

To get together several files into one large file called archive.

Question 25

What is the difference between gzip, bzip2 and zip, rar?

Answer 25

• With gzip and bzip2, to compress several files into one archive, the user has to assemble the files together first (e.g. with tar) and then compress the archive.
• With zip and rar, the previous two-step process is done in one step.

Question 26

How to use tar to create an archive?

Answer 26

1. Get all files together under one directory ==> mkdir & mv
2. Create a tar archive: $ tar -cvf [name].tar [directory]

Question 27

What are common options for the tar command-line tool?

Answer 27

• -c: create an archive tar.
• -v: display operations details.
• -f: assemble the archive in a file.
• -t: list the files in ar archive.
• -r: append a file to an archive.
• -x: extract.

Question 28

Display the content of an archive with tar without extracting it.

Answer 28

$ tar -tf [tar_file]

Question 29

Add a file to an archive already created.

Answer 29

$ tar -rvf [tar_file] [file]

Question 30

Extract the files of an archive.

Answer 30

$ tar -xvf [tar_file]

Question 31

What is the difference between gzip and bzip2?

Answer 31

• gzip is more popular and faster than bzip2.
• bzip2 is less popular and compresses better than gzip.

Question 32

Archive and compress files in the same command with tar and gzip or bzip2.

Answer 32

• gzip: $ tar -zcvf [tar.gz_file] [directory]
• bzip2: $ tar -jcvf [tar.bz2_file] [directory]

Question 33

Extract and uncompress files in the same command with tar and gzip or bzip2.

Answer 33

• gzip: $ tar -zxvf [tar.gz_file] [directory]
• bzip2: $ tar -jxvf [tar.bz2_file] [directory]

Question 34

Compress and uncompress with gzip or bzip2.

Answer 34

• gzip:
  
  • $ gzip [tar_file]
  • $ gunzip [tar.gz_file]
• bzip2:
  
  • $ bzip2 [tar_file]
  • $ bunzip2 [tar.bz2_file]

Question 35

Display the content of a single compressed file.

Answer 35

$ zcat (/zmore/zless) [compressed_file]

Question 36

Compress, view or uncompress .zip files.

Answer 36

• Compress: $ zip -r [zip_file] [directory]
• View: $ unzip -l [zip_file]
• Uncompress: $ unzip [zip_file]

Question 37

Compress, view and uncompress .rar files.

Answer 37

• Compress: only possible via a proprietary software.
• View: $ unrar -l [rar_file]
• Uncompress: $ unrar [rar_file]

Question 38

What are the two encryption methods used by the SSH protocols?

Answer 38

1. Symmetric encryption:
   
   • A single key to encrypt and decrypt.
   • Con: all parties must know the key beforehand.
2. Asymmetric encryption:
   
   • A public key to encrypt and a private key to decrypt.
   • The public key can be safely transmitted over a clear network. The private key must be kept secret.
   • Asymmetric encryption is much slower (x100-1000) than symmetric encryption.

Question 39

What is the secure SSH tunnel?

Answer 39

1. First send the secret key for symmetric encryption via unsymmetric encryption (only during first exchange).
2. Then always use this symmetric encryption key for the rest of the exchanges.

Question 40

Transform own personal computer into a server with ssh protocol.

Answer 40

1. $ sudo apt-get install openssh-server (public and private keys are automatically created).
2. $ sudo /etc/init.d/ssh start (start the server)
3. $ sudo /etc/init.d/ssh stop (stop the server)

Question 41

Get our own computer’s public and local IPv4 (and IPv6) addresses?

Answer 41

• Public: https://www.whatismyip.com/
• Possibility to also local address with $ ifconfig

Question 42

Connect via SSH from a Linux machine.

Answer 42

• If using default port 22: $ ssh [username]@[IP/hostname]
• If using another port: $ ssh [username]@[IP/hostname] -p [port_number]
• Afterwards, you will be given a password promt if password authentication is setup, otherwise public/private key authentication is used. If successful, you will get the server fingerprint.

Question 43

What is a server fingerprint? What is it used for?

Answer 43

Unique number identifying the server. Used to detect machines that would like to imitate a server (but with a different fingerprint).

Question 44

What is the ~/.ssh/knwon_hosts file?

Answer 44

List of fingerprints known to your computer. It used to remember the identity of servers and detect frauders.

Question 45

What are the two authentications methods used to connect to a server?

Answer 45

1. Authentication via password.
2. Authentication via public and private keys of he client.

Question 46

Send the public key to a server.

Answer 46

• $ ssh-copy-id -i id_rsa.pub [username]@[IP/hostname]
• May add a specific port with $ … -p [port_number].
• The account password will be asked (NOT the private key passphrase).
• The public key is automatically added to ~/.ssh/authorized_keys

Question 47

Why launch the ssh agent ssh-add?

Answer 47

So that you do not have to enter the private key passphrase each time you connect to a server. The ssh agent remebers the private keys during your session.

Question 48

Download a file with wget.

Answer 48

$ wget [HTTP_or_FTP_address]

Question 49

Continue a stop download with wget.

Answer 49

$ wget -c [HTTP_or_FTP_address]

Note: the partial file should still be on disk.

Question 50

Download a file in background task with wget.

Answer 50

$ wget –background [HTTP_or_FTP_address]

Question 51

Securely copy (scp) a file from one computer to another.

Answer 51

• $ scp [origin] [destination]
• If a specific port is required: $ scp -P [port_number] [origin] [destination]
• Each of [origin] or [destination] can be written under the form [username]@[hostname]:[file_path]
• If no username or IP are given, scp will think the file is on your computer.

Question 52

What is FTP?

Answer 52

• FTP (File Transfer Protocol) is a protocol used to exchange files on a network.
• Used in two cases:
  
  • Public FTP server with anonymous mode e.g. when you click on a download link.
  • Private FTP server with autenticated mode.
• Can be done via command line or GUI software (e,g, FileZilla).

Question 53

Connect to a FTP server.

Answer 53

• $ ftp [FTP_address]
• A login will be asked. If publicserver : name is “anonymous” and password can be anything.
• Secure FTP: $ sftp [username]@[hostname]

Question 54

Transfer files when connected via FTP.

Answer 54

• $ put [local_file]: send a file to the server. Not possible with a public server.
• $ get [remote_file] : download a file from the server.

Question 55

Execute command on local host when connect to remote host via FTP.

Answer 55

Put “!” in front of every command e.g. $ !cd

Question 56

What is rsync?

Answer 56

rsync is a command line tool used to synchronize two directories, whether they are or not on the same machine. Mostly used for incremental backups by only copying changes from the previous state.

Question 57

Create a backup copy with rsync on the same computer. List possible options for the backup.

Answer 57

• On the same computer: $ rsync -arv [directory] [backup]
  
  • -a: keep all information about files, such as access rights, dates…
  • -r: backup sub-diectories.
  • -v: display information on the copy.
• To delete files in backup as well: $ rsync -arv –delete [directory] [backup]
• To create a backup for deleted files: $ rsync -arv –delete –backup –backup_dir=[absolute_backup_delete] [directory] [backup]
• Possibility to exclude directories from backup.

Question 58

Create a backup on a different machine with rsync.

Answer 58

• $ rsync -arv [origin] [destination]
• If specific port: $ rsync -arv [origin] [destination] -e “ssh -p [port_number]”
• [destination] has the form [username]@[hostname]:[path]

Question 59

Change the passphrase of your private SSH key, knowing the original passphrase.

Answer 59

$ ssh-keygen -p

Question 60

Display a SSH key fingerprint.

Answer 60

• $ ssh keygen -l
• You get: bit-length of key, fingerprint, account and host it was created for, algorithm used.

Question 61

How to avoid to enter SSH login each time we connect to a server?

Answer 61

1. $ vim ~/.ssh/config
2. Write in the following format:

Host [remote_alias]

HostName [remote_host]

Port [port_number]

Question 62

Two-way conversion of either hostname or IP address.

Answer 62

$ host [hostname] or $ host [IP_address]

Question 63

Know everything about a domain name (owner name, address, contact…).

Answer 63

$ whois [hostname]

Question 64

List a computer’s network interfaces.

Answer 64

• $ ifconfig
  
  • eth0/1/2… : connection via cable
  • lo: local loop ==> everything is sent back to the computer.
  • wlan0/1/2… : wireless connection.

Question 65

Activate or deactivate a computer’s network interface.

Answer 65

• $ ifconfig [interface] [switch]
  
  • [interface] can be eth0, lo, wlan0…
  • [switch] can be either up or down.

Question 66

Get information about the open connections of a computer. What are the various options?

Answer 66

• $ netstat [options]
• Options can be:
  
  • -u: display UDP connections.
  • -t: display TCP connections.
  • -a: display all connections no matter their state.
  • -n: display IP addresses and port numbers instead of hostnames.
  • -l: display (filter) connections with LISTEN state.
  • -s: display network statistics.

Question 67

What are the common states of the connections displayed by netstats?

Answer 67

• ESTABLISHED: connection was established with a remote computer.
• TIME_WAIT: connection is waiting processing of packets still on the network before closing.
• CLOSE_WAIT: the remote computer has closed the connection itself (timeout?).
• CLOSED: the connection is not used.
• CLOSING: connection is closing but all data were not yet sent.
• LISTEN: listening to coming connections.

Question 68

What is ufw?

Answer 68

ufw provides a user friendly way to configure the iptables firewall.

Question 69

What is iptables?

Answer 69

Default firewall on Linux. Possibility to filter IP addresses, which ports can connect to your computer, and which ports your computer can connect to. In general the technique is to block all ports than allow a few.

Question 70

List all rules of the iptables firewall.

Answer 70

• $ iptables -L
  
  • Chain INPUT: incoming traffic.
  • Chain FORWARD: redirection of traffic.
  • Chain OUTPUT: outgoing traffic.

Question 71

Reset iptables traffic rules.

Answer 71

$ iptables -F

Question 72

What does a iptables rule looks like?

Answer 72

• target: usually ACCEPT, otherwise DROP.
• prot: the protocol used, like tcp, udp, icmp (ping requests).
• source: source IP. For INPUT, it is the remote computer connecting to you.
• destination: destination IP. For OUTPUT, is the the remote computer you are connecting to.
• Last column (no name): display port in letters after “:”. Display numeric port with -n option.

Question 73

What are the two general network policies of iptables for each type of rule?

Answer 73

• policy ACCEPT: all connections accepted except those defined by DROP rules.
• policy DROP: all connections ignored except those defined by ACCEPT rules.