
Firewall Setup, SELinux, and Basic ACL Rules

Docker SELF
Level 5, Lesson 5

1. Step 1: Installing and Setting Up the Firewall

Hey there! Today we’re diving into some real-world practice and implementing everything you’ve learned about Linux security so far. We’ll set up the firewall, take a deep dive into SELinux, and explore how ACL makes file access management super convenient. Consider this lecture your "training playground." Time to put on those "security admin badges" and get started!

You already know a good firewall is like a bouncer at the door. It decides who gets in and who gets a "Not a chance!" response. Let’s start securing our system by limiting access to just SSH and HTTP services.

Working with UFW

  1. Check UFW status. Not installed? Let’s fix that!

    # Check UFW
    sudo ufw status
  2. If the command reports the firewall as inactive (Status: inactive), we need to fix that.

  3. Install and enable UFW. If you are working on a remote server over SSH, keep in mind that enabling the firewall can interrupt the session, so add the SSH rule from the next step before enabling.

    # Installation (if needed)
    sudo apt install ufw
    
    # Enable the firewall
    sudo ufw enable
  4. Set up access. We want to allow only SSH (port 22) and HTTP (port 80), blocking everything else. UFW's default policy already denies incoming connections, so only the ports you explicitly allow get through. The logic is simple: the server is not a three-star hotel for everyone.

    # Allow SSH
    sudo ufw allow 22
    
    # Allow HTTP
    sudo ufw allow 80
    
    # Check the rules
    sudo ufw status
  5. Verification: After setting up, you should see something like this:

    Status: active
    To                         Action      From
    --                         ------      ----
    22                         ALLOW       Anywhere
    80                         ALLOW       Anywhere
    

If you’re using iptables, the setup is a bit more complex, but the logic remains the same: create rules for SSH and HTTP, and block the rest.


2. Step 2: Working with SELinux

SELinux is like that strict teacher who keeps an eye on the behavior of files and users on your server. Its motto: "Trust, but verify." Let’s turn on SELinux and check how it works.

Enabling SELinux

  1. Check the current status:

    # Check if SELinux is enabled
    sestatus

    If the mode shows disabled, you need to enable it via the configuration file.

  2. Enable SELinux via configuration:

    The SELinux settings file is located at /etc/selinux/config. Open it with a text editor (e.g., nano).

    sudo nano /etc/selinux/config
    

    Find the line:

    SELINUX=disabled
    

    Change it to:

    SELINUX=enforcing
    

    Save the changes and reboot the system for the changes to take effect:

    sudo reboot
    
  3. Check after reboot.

    After the server boots, check the SELinux status again:

    getenforce
    

    If the system responds with Enforcing, congrats, you’re now guarding the security front!


Example with SELinux and a Web Server

Let’s say you have a web server storing files in the /var/www/html directory. Let’s see how SELinux protects it.

  1. Check the file context: SELinux uses contexts to manage access. Let’s see what context the /var/www/html directory has.

    ls -dZ /var/www/html
    

    Sample output (the exact column layout depends on the coreutils version; the part that matters is the httpd_sys_content_t type):

    drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
    

    If something's off, you can temporarily change the context with chcon (the change is lost the next time the filesystem is relabeled):

    sudo chcon -t httpd_sys_content_t /var/www/html
    
  2. Check the web server operation: After setting the context, check that your server is running and that there are no access errors; SELinux records denied accesses as AVC messages in the audit log.


3. Step 3: Managing Permissions with ACL

ACL (Access Control List) is like an "extra key" to handle access. When the standard rwx permissions aren't enough, ACL lets you fine-tune access for specific users.

Create a Test Directory

Let's make a directory called project_dir and set it up for access by two users: user1 and user2.

  1. Create the directory:

    sudo mkdir /project_dir
    
  2. Set permissions:

    Let's give user1 full access, and user2 read-only access:

    # Full access for user1
    sudo setfacl -m u:user1:rwx /project_dir
    
    # Read-only for user2
    sudo setfacl -m u:user2:r-- /project_dir
  3. Check the ACL:

    # Check current permissions
    getfacl /project_dir

    The output should include your entries (getfacl also lists the owner, group, mask and other lines):

    # file: /project_dir
    user::rwx
    user:user1:rwx
    user:user2:r--
  4. Set default permissions:

    To make sure all new files in the directory inherit ACL permissions automatically, let's set them as default:

    sudo setfacl -d -m u:user1:rwx /project_dir
    sudo setfacl -d -m u:user2:r-- /project_dir
    

4. Final Configuration Check

  1. Firewall:

    • Make sure SSH and HTTP ports are available, and the rest are blocked. Try connecting to the server via SSH and opening the website in the browser.
  2. SELinux:

    • Check file contexts to ensure SELinux is restricting access properly.
  3. ACL:

    • Log in as user1 and user2 and try reading and writing to a file in the /project_dir directory.
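As an added check for this section (not part of the lesson), the following POSIX shell helpers audit the three results above from captured command output; the UFW and getfacl samples are constructed, and the ACL helper also applies the mask line that the lesson's getfacl listing omits.

```shell
#!/bin/sh
# Added audit helpers for the final check (not the lesson's own code). Each
# function takes command output as text so it runs on the constructed
# samples below; on a real host pass "$(sudo ufw status)" etc. instead.

# Firewall: succeed only if every ALLOW rule is for port 22 or 80.
ufw_only_ssh_http() {
    bad=$(printf '%s\n' "$1" | awk '
        /ALLOW/ { port = $1; sub(/\/.*/, "", port)   # "80/tcp" -> "80"
                  if (port != "22" && port != "80") print port }')
    [ -z "$bad" ]
}

# SELinux: getenforce must say Enforcing, not Permissive or Disabled.
selinux_enforcing() { [ "$1" = "Enforcing" ]; }

# ACL: effective rights of a named user. getfacl prints a "mask::" line
# that caps every named-user entry, so user:user1:rwx under mask::r-x is
# really r-x. Prints "none" when the user has no entry.
acl_effective() {                       # $1 = getfacl output, $2 = user
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == "mask"            { mask = $3 }
        $1 == "user" && $2 == u { perm = $3; sub(/[ \t].*/, "", perm) }
        END {
            if (perm == "") { print "none"; exit }
            for (i = 1; i <= 3; i++) {
                c = substr(perm, i, 1); m = substr(mask, i, 1)
                out = out ((c != "-" && m != "-") ? c : "-")
            }
            print out
        }'
}

# Constructed samples standing in for real command output.
UFW_SAMPLE='Status: active
To                         Action      From
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
3306                       ALLOW       Anywhere'
ACL_SAMPLE='# file: /project_dir
user::rwx
user:user1:rwx
user:user2:r--
group::r-x
mask::r-x
other::r-x'

ufw_only_ssh_http "$UFW_SAMPLE" || echo "firewall: ALLOW rule beyond 22/80"
selinux_enforcing Permissive || echo "SELinux is not enforcing"
echo "user1 effective rights: $(acl_effective "$ACL_SAMPLE" user1)"   # r-x
```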

Practical Tasks

  1. Set up the firewall to allow only SSH and HTTP access.
  2. Enable SELinux in enforcing mode and make sure the web server works correctly.
  3. Set up ACL for the /project_dir directory so that user1 has full access, and user2 only has read access.
  4. Check active users in the system using the who command.

These exercises will help you cement your knowledge and understand how to apply it in practice. And remember: Linux security isn't just about configurations, but also about paying close attention to details. Good luck!
