CSC 175 Post-Installation Linux Assignment. Due in one week.

Setting up a Secure Web Server on Your Linux "Box"

You will find on our web page a link to the "underground web". This and subsequent links are only accessible from within our "secret" network. The only exception is thincrust, which is accessible from outside as https://96.57.41.74 (default https port 443).

In order to join the underground web, you need to set up a secure web server and disable the regular, unencrypted and unauthenticated web service.

1. Install the apache web server on ubuntu (in sudo mode):

    apt-get install apache2

This both installs and starts the web server. You can test your server by installing lynx, which is a text-based web browser (apt-get install lynx), and (G)oto https://localhost. To change the web page, edit the index.html file inside the directory /var/www/html/ and make sure it's readable (chmod og+r).

But a regular web server is not very interesting. To protect your users from all the nasty people out there, you need the "https" protocol, which runs http under the "secure socket layer" (that's right, yet another layer of abstraction!). Security is provided in two forms. First, data is encrypted so nobody can see your packets using something like wireshark/ethereal. Secondly, you can obtain a certificate of authenticity from an authorized source. These security measures rely on a public key encryption system (such as RSA), which requires you to first generate an encryption key. We will explore the theoretical side of encryption later in the course.

2. For now, enable the ssl module (assuming you've already installed the openssh server during installation; otherwise apt-get install openssh-server):

    a2enmod ssl
    service apache2 restart

3. The apache2 configuration files are in /etc/apache2. First make a subdirectory for the ssl authentication keys and certificates:

    mkdir /etc/apache2/ssl

4. Obtain a certificate of authentication. Normally, you'll need to contact one of the authorized certificate providers such as Symantec (see http://www.symantec.com/ssl-certificates/ and ignore the funny fact that this site is not itself a secure one). However, they will only sell certificates to important people, and you're a nobody (sorry). Thus you will have to create a "self-signed" certificate:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

This will give you a .key and a .crt file, which is your certificate, good for 365 days. When viewing the website, you'll get a warning from your web browser that the certificate can't be authenticated, which of course is what happens with self-signed certificates.

5. Edit the file /etc/apache2/sites-available/default-ssl.conf (make a backup copy first in case you mess up). Find the line that says: and make sure what follows reads something like:

    ServerAdmin webmaster@localhost
    ServerName thincrust.secret.hofstra.edu:443
    DocumentRoot /var/www/html

6. Edit /etc/apache2/ports.conf, and comment out/delete the line "Listen 80". This disables the regular http server. Then do the following to enable your secure web server:

    a2ensite default-ssl
    service apache2 reload

7. Verify that it's working. Create an index.html in /var/www/html/ that serves a picture of your favorite food (or whatever you think best represents your group's aspirations). The URL for your server is https://yourip.

I will make your web server accessible externally through port 194xy, where xy are the last digits in your IP. For example, if you're 10.1.0.4, your web server will be accessible through port 19404. 10.1.0.12 will be accessible through port 19412. Be warned: do not configure these ports on your server; this mapping is done on deepdish. Your https servers should only run on port 443.

Your apache server should start automatically upon reboot. To check its status: service apache2 status. You can also do service apache2 stop/start.

You can check the status of all services with: service --status-all
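Once the setup is done, the following script checks the result from the defender's side: that ports.conf has no active "Listen 80", that nothing is still bound to port 80, that the private key is not readable by other users, and that the self-signed certificate is not close to its 365-day expiry. This is an added example for this assignment, not part of the course's own instructions; the function names (ports_conf_ok, key_perms_ok, cert_days_left, port80_closed, run_checks) are my own, and it assumes the assignment's paths under /etc/apache2 plus GNU stat and date and the ss tool, all standard on ubuntu.

```shell
#!/bin/sh
# Checks for the secure web server setup above (added example, not course code).
# Assumes the assignment's paths, GNU stat/date and iproute2's ss (standard on ubuntu).

# Return 0 if the file exists and has no active (uncommented) "Listen 80" directive.
# Also matches "Listen 0.0.0.0:80" and "Listen [::]:80"; "Listen 8080" is not port 80.
ports_conf_ok() {
    [ -r "$1" ] || return 1
    ! grep -Eq '^[[:space:]]*Listen[[:space:]]+(.*:)?80([[:space:]]|$)' "$1"
}

# Return 0 if the private key is unreadable by group and others (mode like 600 or 400).
key_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the number of days until the certificate in $1 expires (negative if expired).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_s=$(date -d "$end" +%s)
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Return 0 if nothing on this host is listening on the plain-text port 80.
port80_closed() {
    ! ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -Eq ':80$'
}

# Run all checks against the assignment's paths; return 1 if any of them fails.
run_checks() {
    rc=0
    ports_conf_ok /etc/apache2/ports.conf \
        && echo "ok:   no active Listen 80" || { echo "FAIL: Listen 80 still enabled"; rc=1; }
    port80_closed \
        && echo "ok:   nothing listening on :80" || { echo "FAIL: port 80 is open"; rc=1; }
    key_perms_ok /etc/apache2/ssl/apache.key \
        && echo "ok:   apache.key not readable by others" || { echo "FAIL: apache.key too open"; rc=1; }
    days=$(cert_days_left /etc/apache2/ssl/apache.crt)
    [ "$days" -gt 14 ] \
        && echo "ok:   certificate valid for $days more days" || { echo "FAIL: renew cert ($days days)"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it on the server as sh check_web.sh --run; a non-zero exit means one of the steps above was not completed.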