Linux Unit 3
Ans:
A firewall in Linux is a security system designed to monitor and control incoming and outgoing network traffic based on predefined rules.
It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet.
Firewalls are a critical part of securing Linux systems and can be configured to filter traffic based on factors such as IP addresses, ports, and protocols.
Common features are:
● Filtering: Allow/block traffic based on IP, port, or protocol.
● NAT (Network Address Translation): Forward traffic from one network to another.
● Logging: Record and log traffic details for analysis.
● Custom Rules: Users can define their own rules tailored to specific needs.
A firewall protects a Linux server by acting as a security barrier that filters and manages incoming and outgoing traffic:
1. Blocking Unauthorized Access
2. Limiting Exposure of Services
3. Preventing Brute Force Attacks
4. Controlling Outbound Traffic
5. Mitigating Distributed Denial-of-Service (DDoS) Attacks
6. Preventing Malware Propagation
7. Logging and Monitoring Traffic
2. What are tables, chains, and rules? List common elements of a rule. (NOV 2018)
Ans:
The Netfilter firewall is built from tables, each of which provides a specific kind of firewall functionality.
The filter table is used for packet filtering, alongside the NAT table.
A table contains chains, and a chain consists of a set of rules that is processed sequentially for each packet that enters the firewall until a match is found.
The default strategy is "exit on match": once the first rule that matches a specific packet is found, the firewall looks no further.
The following chains are used in the filter table:
● INPUT: used to process incoming packets.
● OUTPUT: used to process outgoing packets.
● FORWARD: used for packets that do not have the firewall host itself as their destination; it is mainly used on routers.
Of these chains, a server administrator should know how to use INPUT and OUTPUT; configuring the FORWARD chain is less important because it matters only on routers.
Common elements are:
Modules
A module is an optional element that can be used in a rule.
Modules offer enhancements to the Netfilter firewall by loading a specific kernel module that adds functionality.
A very common module in iptables rules is the state module, which looks at the connection state of a packet.
Interface
On a server with multiple network cards, it makes sense to apply rules to specific interfaces only.
However, if the firewall is configured on a typical server with one network card, the interface specification can safely be omitted.
IP Address
A rule can be specified to allow or deny access to specific IP addresses or IP network addresses.
For example, in a school one might want to differentiate between a safe internal network, which contains users who can typically be trusted, such as internal staff, and an unsafe internal network that is used by the students.
Protocol
Rules mostly allow or deny access to specific ports, which belong to either the TCP or the UDP protocol.
Therefore, whenever a specific port is stated, the protocol to be used must also be indicated.
Target
This is a compulsory component of a rule, as it specifies what needs to be done with a matching packet.
Among the available targets, ACCEPT, DROP, REJECT, and LOG are the most important.
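The following script is an added illustration, not part of the original notes: a toy model of how a chain of rules is processed, with the rule elements listed above (interface, source address, protocol and port, the state module, and the target) written in iptables option syntax. It shows the "exit on match" strategy, the fact that LOG is a non-terminating target so processing continues after it, and the chain policy that applies when no rule matches. The chain, addresses and ports are constructed, and no real firewall is touched.

```shell
#!/bin/sh
# Toy model of how a Netfilter chain processes a packet. Added example, not from the notes.
# Rules use iptables option syntax (-i, -s, -p, --dport, -m state --state, -j) and are tried
# in order: the first terminating match decides ("exit on match"), LOG only records the packet
# and lets processing continue, and the chain policy applies when nothing matches.
# No real firewall is touched; the chain, addresses and ports below are constructed.

INPUT_POLICY=DROP
INPUT_CHAIN='
-m state --state ESTABLISHED,RELATED -j ACCEPT
-i eth0 -s 10.0.0.0/8 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-p tcp --dport 22 -j LOG
-p tcp --dport 22 -j DROP
-s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
'

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  addr=$1; old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is address $1 inside network $2 (a.b.c.d/bits, or a bare address meaning /32)?
in_net() {
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# The packet under test lives in PK_* (interface, source, protocol, dport, conntrack state).
# rule_matches receives one rule's tokens as arguments and returns 0 when every element fits.
rule_matches() {
  while [ $# -gt 0 ]; do
    case $1 in
      -i)      [ "$PK_IF" = "$2" ] || return 1 ;;
      -s)      in_net "$PK_SRC" "$2" || return 1 ;;
      -p)      [ "$PK_PROTO" = "$2" ] || return 1 ;;
      --dport) [ "$PK_DPORT" = "$2" ] || return 1 ;;
      -m)      ;;                                   # module name; its options follow
      --state) case ",$2," in *",$PK_STATE,"*) ;; *) return 1 ;; esac ;;
      -j)      ;;                                   # target: handled by the caller
      *)       echo "unknown option $1" >&2; return 2 ;;
    esac
    shift 2
  done
  return 0
}

# The target named after -j.
rule_target() {
  while [ $# -gt 1 ]; do
    [ "$1" = -j ] && { echo "$2"; return 0; }
    shift
  done
  echo "(none)"
}

# Walk the INPUT chain for one packet; prints any LOG lines and then the verdict.
filter_packet() {
  PK_IF=$1 PK_SRC=$2 PK_PROTO=$3 PK_DPORT=$4 PK_STATE=$5
  while read -r rule; do
    [ -n "$rule" ] || continue
    set -- $rule
    rule_matches "$@" || continue
    target=$(rule_target "$@")
    if [ "$target" = LOG ]; then
      echo "LOG: $PK_IF $PK_SRC $PK_PROTO/$PK_DPORT $PK_STATE"   # non-terminating target
    else
      echo "$target"                                             # exit on match
      return 0
    fi
  done <<EOF
$INPUT_CHAIN
EOF
  echo "$INPUT_POLICY"    # no rule matched: the chain policy decides
}

# Demo with constructed packets.
for pkt in 'eth0 10.1.2.3 tcp 22 NEW' 'eth0 203.0.113.9 tcp 22 NEW' 'eth0 192.168.2.7 udp 53 NEW'; do
  echo "packet [$pkt]:"
  filter_packet $pkt
done
```

Note how the order of the rules matters: swapping the LOG and DROP rules for port 22 would silently stop the logging, because DROP terminates processing before LOG is reached.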
Ans:
The use of public/private keys is a great improvement in Internet security.
A CA (Certificate Authority) is used to guarantee the authenticity of a public key.
The role of the CA is to sign PKI certificates.
The Trusted Root
If you want to create your own CA, make sure the users who use it can trust it.
This can be achieved by having its certificate signed by a well-known, commonly trusted Certificate Authority.
As the public keys of such common CAs are available in almost all client applications, a CA whose certificate is signed by one of them will be accepted easily.
However, the CAs charge a fee for signing certificates; this cost can be avoided by self-signing the certificates, although clients will then not trust them until the self-signed root is installed on them explicitly.
Key Functions of a CA:
● Issuing Certificates: Validates an entity (e.g., server or user) and issues a certificate that binds a public key to the entity's identity.
● Revoking Certificates: Maintains a Certificate Revocation List (CRL) for invalidated certificates.
● Trust Management: Acts as a trusted third party, enabling secure communications.
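To make the "trusted root" point concrete, here is an added example that is not part of the original notes: it builds a self-signed root CA with OpenSSL, issues a server certificate signed by it, and then checks the certificate against two roots. The CA names and host name are constructed, OpenSSL 1.1 or newer is assumed, and everything is created in a temporary directory.

```shell
#!/bin/sh
# Private CA with OpenSSL, illustrating the "trusted root" point above. Added example, not from
# the notes; assumes OpenSSL 1.1 or newer. CA and host names are constructed, and everything is
# created in a temporary directory; nothing system-wide is modified.

# Minimal request config so the run does not depend on the system openssl.cnf.
write_cnf() {  # $1 = directory
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root: the CA signs its own certificate, so trust in it must be configured explicitly.
make_ca() {   # $1 = directory, $2 = file prefix, $3 = CA name
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 365 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Server side makes a key and a CSR; the CA signs it, binding the public key to the host name.
issue_cert() {  # $1 = directory, $2 = CA file prefix, $3 = host name
  openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" > "$1/$3.ext"
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -days 90 -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

# Does a client that trusts only root $2 accept the certificate of host $3?  Prints OK or REJECTED.
check_trust() {  # $1 = directory, $2 = trusted root prefix, $3 = host name
  if openssl verify -no-CAfile -no-CApath -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo REJECTED
  fi
}

# Prints "<verdict with our CA> <verdict with a foreign CA>", or SKIPPED when openssl is missing.
ca_demo() {
  command -v openssl >/dev/null 2>&1 || { echo SKIPPED; return 0; }
  dir=$(mktemp -d) || return 1
  write_cnf "$dir"
  make_ca "$dir" school-ca "School Root CA"       # the CA we operate
  make_ca "$dir" other-ca  "Some Other Root CA"   # a CA the client was never told to trust
  issue_cert "$dir" school-ca www.example.test
  echo "$(check_trust "$dir" school-ca www.example.test) $(check_trust "$dir" other-ca www.example.test)"
  rm -rf "$dir"
}

ca_demo
```

The second verdict is the everyday experience with a self-signed CA: a client that has not been given the root certificate rejects everything it signed, which is exactly why commercial CAs, whose roots ship with the client applications, are paid to sign instead.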
4. What is NFS? What are the advantages and disadvantages of NFS? (NOV 2018)
Ans:
NFS (Network File System) is the most common method used to share files across Linux systems and Linux networks.
It is a distributed file system that enables local access to remote disks and file systems.
NFS operation is totally transparent to the client using the Remote File System (RFS), provided that the appropriate network connection is available.
You can access files and directories that are physically located on another system, or even in a different city or country, using standard Linux commands.
Advantages:
● NFS allows central storage of files that can be accessed by multiple clients. This simplifies file management and backups.
● Files and directories on remote systems appear to users as if they are part of the local file system, providing transparent access.
● Modern NFS versions support features like failover and redundancy to improve reliability and uptime.
● Reduces the need for large storage on every client machine, since storage can be centralized on a server.
Disadvantages:
● File access over a network is generally slower compared to local file access due to network latency and bandwidth constraints.
● Without proper configuration, NFS can expose sensitive data to unauthorized access.
● The central NFS server can become a bottleneck or single point of failure if not set up with redundancy.
● In the event of a network outage or server failure, clients may lose access to critical files.
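The "exposes data without proper configuration" disadvantage usually comes down to a few lines in /etc/exports. The script below is an added example, not from the notes: it audits an exports file for the classic weak settings (a wildcard client, a writable export open to everyone, no_root_squash, and the insecure option that accepts requests from unprivileged ports). The exports shown are constructed; the second line, restricted to one subnet with root_squash, is the shape of a sound entry.

```shell
#!/bin/sh
# Audit an /etc/exports file for the settings behind "NFS can expose sensitive data if not
# configured properly". Added example, not from the notes; the exports below are constructed.
# Findings are printed as: <export path> <client spec> <reason>.

SAMPLE_EXPORTS='# constructed /etc/exports for the check below
/srv/share      *(rw,sync,no_root_squash)
/srv/homes      192.168.1.0/24(rw,sync,root_squash)
/srv/pub        *(ro,sync)
/srv/backup     192.168.1.0/24(rw,sync,insecure)
'

# Does the comma-separated option list $1 contain option $2?
has_opt() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# $1 = exports text.  Each line is "<path> <client>(<options>) [<client>(<options>) ...]".
audit_exports() {
  set -f                                          # client specs contain '*': no globbing
  printf '%s\n' "$1" | while read -r path clients; do
    case $path in ''|'#'*) continue ;; esac       # skip blank lines and comments
    for spec in $clients; do
      client=${spec%%(*}
      opts=''
      [ "$spec" != "$client" ] && { opts=${spec#*(}; opts=${opts%)}; }
      case $client in
        *'*'*) if has_opt "$opts" rw; then echo "$path $client world-writable"
               else echo "$path $client world-readable"; fi ;;
      esac
      has_opt "$opts" no_root_squash && echo "$path $client root-squash-disabled"
      has_opt "$opts" insecure       && echo "$path $client unprivileged-ports-allowed"
    done
  done
  set +f
}

# Number of findings, convenient as a pass/fail gate before enabling the NFS server.
count_findings() { audit_exports "$1" | grep -c . ; }

audit_exports "$SAMPLE_EXPORTS"
```

Run against the real file with audit_exports "$(cat /etc/exports)"; a non-zero count is a reason to tighten the client list or options before the export goes live.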
IP Masquerading:
With IP masquerading, you can configure a server to connect your local network to the Internet.
In this configuration, IP addresses from the private address ranges are used on the private network.
These addresses cannot communicate on the Internet, but they are translated to the public IP address on the interface that faces the Internet.
This process is known as IP masquerading, also referred to as Network Address Translation (NAT).
The major benefit of using masquerading is that with just one public IP address, you can connect many devices on the private network to the Internet.
IP masquerading is commonly used in home and corporate networks.
How to enable:
To enable masquerading, you need to select the public interface.
Once this interface is masqueraded, all packets are rewritten with the IP address of the public interface as the source address.
To trace a packet back to its original sender, the NAT router maintains a NAT table.
A port number is used to trace every connection in this NAT table.
Once a reply to the packet comes back and has to be forwarded by the NAT router to the originating host, the router uses the NAT table to find the address of the host from which the packet originated, and forwards the packet to it.
Port forwarding:
Port forwarding can be used in combination with masquerading; it allows you to assign a port on the public interface of the NAT router and forward everything that comes in on that port to a specific host and port on the private network.
To add port forwarding, select Port Forwarding in system-config-firewall, click Add, and select the interface and the port you want to make available.
After the port specification you need to assign a destination: you can choose between forwarding to a local port (a port on the masquerading router itself) or forwarding the packets to a specific IP address and port on that node.
7. What is GPG? How is it used to create and transfer keys? How are files encrypted with GPG? (APRIL 2023)
Ans:
GNU Privacy Guard (GPG), also known as GnuPG, is a free and open-source implementation of the OpenPGP standard.
It is used for encrypting and signing data and communications, providing a high level of security on a Linux or Unix-like system.
GPG is widely used for securing email, files, and software distributions by creating digital signatures and encrypting information.
Create key
To create a key pair, use gpg --gen-key, which runs an interactive interface asking questions about the identity of the user who is going to use the key.
Once the public/private key pair has been created, gpg --gen-key also asks whether a signing request should be made.
gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
Key Transfer:
Key transfer in GPG involves sharing public keys so that others can encrypt messages to you or verify your digital signatures. Here is how it works:
1. Generate your key pair using gpg --full-generate-key.
2. Export your public key with gpg --armor --export [email protected] and share it with others.
3. Import public keys from others using gpg --import keyfile.asc to encrypt messages for them or verify their signatures.
4. Upload keys to a key server to make them publicly available: gpg --keyserver keyserver-url --send-keys your-key-id.
5. Verify and sign others' keys to build trust in a "web of trust".
File Encryption:
GPG is commonly used to encrypt files. The base command to do this is simple: gpg -e yourfile.
The gpg command will next ask for a user ID. This is the ID of the user to whom you want to send the encrypted file.
Using GPG to encrypt a file:
gpg -e hosts
The receiver of the encrypted file can decrypt it by using the gpg command.
To send the decrypted content to a new file, make sure to use redirection when specifying the target file.
8. State the steps to setup a firewall that allows SSH packets. (NOV 2022)
Ans:
1. Check if firewalld is running
First, ensure that firewalld is active on your system. You can check its status with the following command:
sudo systemctl status firewalld
If it's not running, start it with:
sudo systemctl start firewalld
To enable it to start at boot time:
sudo systemctl enable firewalld
2. Allow SSH service through the firewall
firewalld ships with a predefined service definition for SSH. To allow SSH connections (on port 22 by default), use the following command:
sudo firewall-cmd --zone=public --add-service=ssh --permanent
--zone=public: Specifies the zone where the rule will be applied (public is the default zone).
--add-service=ssh: Adds the predefined SSH service.
--permanent: Makes the change persistent across reboots.
3. Reload the firewall to apply changes
After adding the rule, reload the firewall to apply the changes:
sudo firewall-cmd --reload
4. Verify the rule
To verify that SSH is allowed, run:
sudo firewall-cmd --zone=public --list-all
5. Check if port 22 is open
sudo firewall-cmd --zone=public --query-port=22/tcp
If the response is yes, then port 22 is open for SSH connections.
Note that --query-port only reports ports that were added explicitly with --add-port; when SSH was allowed through the predefined service as in step 2, the port query answers no, and the check to use is sudo firewall-cmd --zone=public --query-service=ssh.
Ans:
Network Address Translation (NAT) is a common technique used on routers to let nodes on the private network go out with one registered IP address on the public network.
You can use NAT for three purposes:
a) To modify the source IP address to the IP address of the firewall before the packet is sent to the Internet; to achieve this, the target should be MASQUERADE.
b) To modify the source IP address of a specific host to the IP address of the firewall before the packet is sent to the Internet; to achieve this, the target should be SNAT.
c) To redirect traffic that is sent to a specific IP address and port on the public IP address to an IP address and port on the private network; to achieve this, the target should be DNAT.
A figure (not reproduced in these notes) demonstrates what happens while a packet is being sent and processed by the NAT router.
It summarizes DNAT, which allows you to make a port on the private network available to the Internet.
Steps:
Ensure firewalld is running:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Enable Masquerading (NAT): Allow NAT (masquerading) for the public zone:
sudo firewall-cmd --zone=public --add-masquerade --permanent
Reload firewalld to apply changes:
sudo firewall-cmd --reload
Verify the NAT configuration: Check the active configuration:
sudo firewall-cmd --zone=public --list-all
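The two firewalld procedures (allowing the ssh service in question 8 and enabling masquerading above) share the same pattern: read the zone, add what is missing, reload, verify. The script below is an added example, not from the notes, that makes that pattern idempotent: it parses the output of firewall-cmd --zone=public --list-all and emits only the commands still needed. The listing it works on is a constructed sample in the format firewall-cmd prints; the live firewall is touched only by apply_plan, which needs firewalld installed and root privileges.

```shell
#!/bin/sh
# Idempotent firewalld setup for the two procedures in the notes: allow the ssh service and
# enable masquerading in the public zone. Added example, not from the original notes. It reads
# the zone with `firewall-cmd --list-all` and issues only the commands that are still needed.
# SAMPLE_LISTING is constructed in the format firewall-cmd prints; nothing is changed on the
# host unless apply_plan is run with firewalld installed and root privileges.

ZONE=public

# $1 = text of `firewall-cmd --zone=$ZONE --list-all`; prints the value of field $2.
zone_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Does the listing show service $2 in the zone?  0 = yes, 1 = no.
zone_has_service() {
  case " $(zone_field "$1" services) " in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# Print the firewall-cmd commands needed to reach the desired state from the current listing.
# Prints nothing when the zone already allows ssh and masquerades (reload only when changed).
plan_changes() {
  changes=0
  if ! zone_has_service "$1" ssh; then
    echo "firewall-cmd --zone=$ZONE --add-service=ssh --permanent"; changes=1
  fi
  if [ "$(zone_field "$1" masquerade)" != yes ]; then
    echo "firewall-cmd --zone=$ZONE --add-masquerade --permanent"; changes=1
  fi
  [ "$changes" -eq 1 ] && echo "firewall-cmd --reload"
  return 0
}

# Apply the plan to the live firewall, then verify with the query commands.
apply_plan() {
  command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not installed" >&2; return 1; }
  systemctl is-active --quiet firewalld || systemctl start firewalld
  plan_changes "$(firewall-cmd --zone=$ZONE --list-all)" | while read -r cmd; do
    echo "+ $cmd"
    $cmd
  done
  firewall-cmd --zone=$ZONE --query-service=ssh && firewall-cmd --zone=$ZONE --query-masquerade
}

# Constructed sample listing: ssh is already allowed, masquerading is not.
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

plan_changes "$SAMPLE_LISTING"
```

Because the plan is derived from the current state, running the script twice is harmless: the second run finds both settings present and emits no commands, so the firewall is not reloaded needlessly.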
10. List the steps to encrypt, share and decrypt files using GPG. (NOV 2022)
Ans:
1. Install GPG
sudo dnf install gnupg
2. Generate Your GPG Key Pair
gpg --full-generate-key
3. Export Your Public Key (for Sharing)
gpg --armor --export [email protected] > public-key.asc
4. Import the Recipient's Public Key (needed to Encrypt for them)
gpg --import recipient-public-key.asc
5. Encrypt a File
gpg --encrypt --recipient [email protected] file.txt
6. Share the Encrypted File
Send the encrypted file (file.txt.gpg) to the recipient.
7. Decrypt a File
gpg --decrypt file.txt.gpg
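The steps above, and the key transfer and file encryption commands of question 7, are shown end to end in the following added example, which is not part of the original notes. Two constructed identities, Alice and Bob, each get their own keyring in a temporary GNUPGHOME, so that exporting and importing the public key is a real transfer between separate key stores; GnuPG 2.1 or newer is assumed, and the keys are created without a passphrase only so that the run is unattended.

```shell
#!/bin/sh
# Complete encrypt / share / decrypt exchange between two users. Added example, not from the
# notes; assumes GnuPG 2.1 or newer. "Alice" and "Bob" are constructed identities, each with an
# own keyring in a temporary GNUPGHOME, so "sharing" really means moving a public key between
# two separate key stores. Passphrase-less keys keep the run unattended; real keys should have one.

# Run gpg non-interactively against one user's keyring.  $1 = keyring dir, rest = gpg arguments.
g() {
  home=$1; shift
  GNUPGHOME=$home gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Prints the text Bob recovers, or SKIPPED when gpg is not installed.
gpg_roundtrip() {
  command -v gpg >/dev/null 2>&1 || { echo SKIPPED; return 0; }
  work=$(mktemp -d) || return 1
  mkdir -m 700 "$work/alice" "$work/bob"

  # Step 2: each side generates a key pair (unattended form of gpg --full-generate-key).
  g "$work/alice" --quick-gen-key 'Alice <alice@example.test>' default default never 2>/dev/null
  g "$work/bob"   --quick-gen-key 'Bob <bob@example.test>'     default default never 2>/dev/null

  # Step 3: Bob exports his public key;  step 4: Alice imports it.
  g "$work/bob"   --armor --export bob@example.test > "$work/bob-public.asc"
  g "$work/alice" --import "$work/bob-public.asc" 2>/dev/null

  # Step 5: Alice encrypts a constructed file to Bob.  --trust-model always skips the
  # "key is not certified" question that the web of trust would otherwise raise in batch mode.
  printf 'meet at 10:00\n' > "$work/file.txt"
  g "$work/alice" --trust-model always --encrypt --recipient bob@example.test \
                  --output "$work/file.txt.gpg" "$work/file.txt"

  # Step 6 is handing file.txt.gpg over;  step 7: only Bob's private key can open it.
  g "$work/bob" --decrypt "$work/file.txt.gpg" 2>/dev/null
  # Alice holds only Bob's public key, so she cannot read the ciphertext back herself.
  if g "$work/alice" --decrypt "$work/file.txt.gpg" >/dev/null 2>&1; then
    echo "unexpected: sender could decrypt" >&2
  fi

  for user in alice bob; do
    GNUPGHOME=$work/$user gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$work"
}

gpg_roundtrip
```

The check at the end is the property worth remembering from this unit: encryption is to the recipient's public key, so even the sender cannot decrypt the file afterwards unless it was also encrypted to her own key.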