IT369Session4.pptx

IT 369: Session 4

Web Application Security

Linux, Apache, MySQL, and Python (LAMP)!

Career and Resume Opportunities

Will post a separate Resume Video this week; it would be best if you reviewed it prior to asking for a resume review.

Feel free to connect with my network on LinkedIn (slewis27@gmu.edu)

Job Interview Q&A

Question from interviewer: Tell me something you’ve done that included a software application, or a database, or securing those?

Possible Answer: In IT369, we installed Linux, Apache, MySQL, and Python. Then we built a small sample application and secured the stack. We applied cybersecurity frameworks like the CIS 20 Controls, OWASP, and STIGs to secure the various attack surfaces. Finally, we installed Kali Linux and performed reconnaissance and penetration testing against the environment to further secure it. <bam!>

Critical thinking: how does this exposure help you as a cybersecurity professional?

Critical Thinking

Facts are needed, but learning is more important.

And the most important skill is Critical Thinking.

There are a hundred ways to solve most problems.

Think critically about the trade-offs, find the optimal path, and work hard to achieve it.

Today is no exception...

Housekeeping: Midterm

Midterm covers:

Labs 1 through 4

Book Chapters 1, 3, 4, 7, 9, 11

Class Lectures 1 through 6

Midterm format: Typically, tests will include some combination of multiple choice, short answer, and an essay question (around 100-300 words that test your comprehension of a class topic).

This semester, the essay questions are removed, in lieu of the less stressful Critical Analysis Journals. So, Multiple Choice & Short Answer make up the Midterm.

Short answer is typically under a dozen words.

If I ask for three things, answer with three things.

Housekeeping: Today & Lab #3

Today’s class is session #4, and will focus on building a LAMP stack so that we may build a web application.

If you’ve already done the Lab ahead of time, slides 12-30 will appear as a repeat.

However, getting the lab to work is only part of the challenge. Understanding HOW and WHY the multiple components work together is:

Key to understanding data and application security

Required for a perfect score on the midterm

Vital to any career in technology

So what are we doing this week?

In order to show data and application security in action, and to deliver on our goal of providing lots of hands-on opportunities, we will be doing a lot this week.

Do not panic. All the steps are clear, and listed out in the lab slides. If you hit a snag, read the error message. If you need to look some items up, do so.

The app we build this week is TINY.

It is important that you understand each step, so that when we get to the point of increasing security, you understand the mechanics of what makes up a software application. Do not just whip through the slides and copy-and-paste your way to the finish line, or the test will bring you tears and sadness.

Why not use a framework or preinstalled software?

If you use a service like web hosting or AWS, they will likely have a simple “click here” approach that provisions everything you need.

This is great, but we’re going to install all the components ourselves, because it's not that hard and we learn something valuable from seeing and touching the individual pieces.

Plus, the commands you’ll be forced to use will help you expand your Linux skills and build security into each component!

You should be adding fun things to your resume this semester, and today’s collection is no exception.

Web App Frameworks and Market Share

Web App Frameworks

Many alternatives exist for each layer (Java application servers, Oracle databases, etc.)

Nginx is the #2 web server by market share

Microsoft IIS + SQL Server is #3

All follow a similar pathway: a web server accepts the request, hands it to application code, and the application code queries a database

Open Source, Especially Apache

Apache ecosystem contains hundreds of major products such as:

Hadoop, Kafka (big data)

Ant, Maven (build automation and dependency management)

CloudStack (cloud infrastructure)

Syncope (identity management)

Spark (large-scale data processing and machine learning)

Lucene (full-text document search and indexing, built for high-volume traffic)

ApacheCon is held annually in the Fall

Hundreds of tracks and speakers; registration is $0-20. https://www.apachecon.com/acah2021/ https://www.apachecon.com/acah2021/tracks/

So what are we doing this week?

We will be installing a LAMP stack. LAMP stands for Linux, Apache, MySQL, and either PHP, Perl, or Python. We will be using Python.

The commands throughout this presentation (bolded in the original slides) are intended to be run from the Terminal command line interface

Package Installers

We will be using the built-in package installer apt-get, and you should get to know it. apt is a newer front end to the same system with a simpler, friendlier interface, btw.

We will also use pip, Python’s own package installer, which finds Python packages on PyPI and installs them for you. (apt manages the operating system’s packages; pip manages Python’s.)

Although frameworks exist to streamline some of this, today’s lesson will have us installing many pieces manually, so follow along.

If you should encounter a problem, let me know, but it is ultimately your responsibility to get this to work, much like you would in a job within the IT industry. Google for help, and you may have to solve particular challenges related to your laptop, OS, settings that are unique to you, disk space, conflicts, etc.

This should work well if you have a clean Ubuntu instance to work with. If you have cloned your instance, you have a safe “sandbox.”

Getting Up To Date

Because your installation of Ubuntu might not be fully patched, let’s start there. Ubuntu comes from Debian, which has apt-get and apt (Advanced Package Tool)

sudo apt-get update (same as) sudo apt update

this command refreshes the list of packages and versions available from the configured repositories; it downloads the package lists, not the updates themselves

sudo runs a single command as the superuser (root): “superuser do”

Now, let’s install the newer versions that update just found:

sudo apt-get upgrade

You may have to respond Y)es to get it to complete, and it may take a few minutes to complete all the updates

Python 3 vs. Python 2

Python 2 was the default python on older Linux distributions and is still widely available, but it reached end of life in January 2020. We’ll make sure the plain python command runs Python 3.

Check python version: python --version

On a current Ubuntu you will likely get an error saying that python doesn’t exist, but python3 does. We want both to work, so...

Now we’ll create a symbolic link to python 3: sudo ln -s /usr/bin/python3 /usr/bin/python

This will capture any “python” command and ensure it goes to python 3. (A hand-made link in /usr/bin is invisible to the package manager; the package-managed equivalent on Ubuntu 20.04 and later is sudo apt install python-is-python3, which creates the same link.)

To test, re-run python --version and you should see the correct answer (Python 3.8.2 or later)

Install Pip

Pip is a package installer and will help you throughout this and other labs.

sudo apt install python3-pip

This installs pip, the tool you will use to add Python packages (such as the MySQL connector) later on.

As with all installs, Ubuntu will likely ask you to approve the use of additional space for this new tool, with a simple “y” response.

It may take a few minutes

Install MySQL

MySQL is a very popular database. The Community Edition we install here is GPL-licensed and free to run, even in production; Oracle’s commercial editions and support are what cost money. MariaDB is a community fork of MySQL that remains largely compatible with it.

sudo apt install mysql-server

When this completes...

sudo mysql_secure_installation

Select whatever strength of password policy you like, but respond to the other prompts with y to maximize security.

Those prompts remove the anonymous accounts, disallow remote root login, drop the test database that anyone could read, and reload the privilege tables; together they remove hackable defaults and ensure password protection is in place. You may wish to select a LOW strength password for testing, but write it down or remember it. You can enforce some of the suggestions now or we can do that later. The test database might be helpful to some of you, so you may keep it for now.

Let’s Increase Security...

On Ubuntu, MySQL’s root account authenticates with the auth_socket plugin: it can log in only from a shell that is already root (sudo mysql), and it has no password at all. Our Python CGI script will run as the www-data user and needs a password login, so we switch root to password authentication. These commands work around the problem (a production deployment would instead create a dedicated account with only the privileges the application needs, such as SELECT on yoga.*, and never let the web app log in as root):

$> sudo mysql

mysql> SELECT user, authentication_string, plugin, host FROM mysql.user;

mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'NewPassword'; (NewPassword is one that you make up)

mysql> FLUSH PRIVILEGES; (then repeat the SELECT statement from above; root’s plugin should now read mysql_native_password)

mysql> exit

sudo mysql (should now fail with access denied, because root requires a password)

mysql -u root -p (should work normally)

More help: https://www.digitalocean.com/community/tutorials/how-to-install-mysql-on-ubuntu-18-04

Connect Python and MySQL Easily

PyMySQL is a pure-Python MySQL client library (a DB-API 2.0 driver) that lets Python connect to MySQL, run queries with bound parameters, and commit or roll back transactions

Run the following to help you connect from Python to MySQL:

sudo pip3 install pymysql

The sudo matters here: Apache will run index.py as the www-data user, so the module must be installed system-wide, not just for your own account. (Ubuntu’s packaged alternative is sudo apt install python3-pymysql.)

Install Apache Webserver

One of the world’s most popular web servers, and it’s free!

sudo apt install apache2

To test this, you should be able to open a browser, point it to http://localhost/ and get a page indicating that it works!

Let’s play with that for a second:

cd /var/www/html

look at contents

sudo nano index.html (what happens if you don’t sudo this command?)

(exit nano with CTRL-X as shown at the bottom of the page)

Play with the Apache Webserver

Let’s see how Apache would install a simple hello world web page, if you’ve never done that before.

In the html directory, sudo nano hw.html

type Hello World, it’s me, <yournamehere>!

Then from your browser, point to http://localhost/hw.html and see if it comes up.

Why does this work when we put in no official HTML tags??

Stretch Goal: Create a resume.html file that you create yourself, outlining your resume. Use HTML tags (minimal ones should suffice)

Create Apache Test Directory

Create a test directory:

sudo mkdir /var/www/test

Register Python with Apache: enable the prefork multi-processing module and allow CGI scripts to run

sudo a2dismod mpm_event

sudo a2enmod mpm_prefork cgi

(the cgi module requires a non-threaded MPM, which is why we swap the default event MPM for prefork; only one MPM can be enabled at a time)

You will have to restart apache using sudo systemctl restart apache2

TEST by rechecking your localhost call in browser. Fix problems that might have been caused by sloppy command entry on this page.

Make some apache modifications

sudo nano /etc/apache2/sites-enabled/000-default.conf

You are now in the nano editor. Simple, easy, and commands listed on the bottom as CTRL+? key strokes.

Add the following right after the first line, which reads “<VirtualHost *:80>” (Apache ignores indentation, so tabs or spaces are for your own readability):

	<Directory /var/www/test>
		Options +ExecCGI
		DirectoryIndex index.py
	</Directory>
	AddHandler cgi-script .py [note the space between cgi-script and .py!]

Further configure Apache:

Prior steps told Apache that the test directory contains executables (CGI scripts), that files ending in .py are to be run through the cgi-script handler rather than served as text, and that index.py is the default page.

Now go to the part of the document that reads “DocumentRoot /var/www/html” and change the characters “html” to be “test” so the result looks like:

DocumentRoot /var/www/test

Result Should look like this:

<VirtualHost *:80>
	<Directory /var/www/test>
		Options +ExecCGI
		DirectoryIndex index.py
	</Directory>
	AddHandler cgi-script .py
	DocumentRoot /var/www/test

Further configure Apache:

Save (CTRL-o) and Exit (CTRL-x)

Restart apache to effect those changes as follows:

sudo systemctl restart apache2

now, retry http://localhost from the browser, and you’ll see the change: the default Ubuntu page is gone, because /var/www/test has no index.py yet

Now let’s have some real fun!

First let’s create a database:

mysql -u root -p

this will prompt you for the password you gave it during install.

Your prompt should now indicate you’re in MySQL and will change from a standard terminal prompt (“$”) to “mysql>”

Create the database

mysql> CREATE DATABASE yoga;

Switch to use that database:

mysql> USE yoga;

MySQL

Let’s create a table and add some values:

mysql> CREATE TABLE instructors (id INT, name VARCHAR(20));

Insert some records:

mysql> INSERT INTO instructors VALUES (1, 'Erin');

mysql> INSERT INTO instructors VALUES (2, 'Caroline');

mysql> INSERT INTO instructors VALUES (3, '<your name here>');

test your table: mysql> SELECT * FROM instructors;

exit mysql by pressing CTRL+D or typing quit

And now let’s connect all the dots!

This next part is longer, so i’ve put the source code up on Blackboard under Course Content >> Scripts >> Yoga1.txt

Copy that content and paste it into the file called /var/www/test/index.py (MANY have trouble with copy-and-paste)

Alternatively you can just type it in, or copy it from the slide, as I’ll list it all on the next slides (make sure you sudo nano index.py)

Make this file executable!

sudo chmod 755 /var/www/test/index.py

Remember to copy/paste from NOTEPAD, not the slides!

index.py

#!/usr/bin/python
# (resolves to python3 through the symbolic link created earlier)

# Debug mode on: cgitb shows Python tracebacks in the browser.
# Handy while building; turn it off before anyone else can reach the app,
# because tracebacks leak file paths, source code, and the password below.
import cgitb
cgitb.enable()

# Print the HTTP header; the blank line after it separates header from body
print("Content-Type: text/html\n")

# Connect to the db
import pymysql
con = pymysql.connect(
    db='yoga',
    user='root',
    passwd='yourpassword',  # the root password you set above; a production
    host='localhost')       # app would use its own least-privilege account

# Print contents: a fixed query with no user input, so nothing to inject (yet)
try:
    with con.cursor() as cur:
        cur.execute("SELECT * FROM instructors")
        rows = cur.fetchall()
        for row in rows:
            print(f'{row[0]} {row[1]}')
finally:
    con.close()

Connect all the dots!

Make this file executable!

sudo chmod 755 /var/www/test/index.py

Best to simply type in the code; copy/paste, even via Notepad, often introduces errant characters (curly quotes, non-breaking spaces). Definitely do not copy and paste from the slides, as they contain such special characters and Python will reject them!

Exit Criteria: Test our work

test at O/S level: cd /var/www/test and run python index.py (or ./index.py, which also checks the shebang line and the execute bit)

if errors, correct there first

See the on-screen error

View the log using tail /var/log/apache2/error.log

if you successfully get data, test using browser: http://localhost

if errors, see log: tail /var/log/apache2/error.log

if continued errors, review code snippets provided on Blackboard Discussion Board “Lab Support”

if you cannot debug using existing support and threads, post a new thread so all of us can support one another

What does success look like?

So what just happened?

When we pointed a browser to http://localhost, Apache handled the request; because of DirectoryIndex and the cgi-script handler, it executed our Python script (as the www-data user) instead of serving a static file. The script connected to MySQL on the same machine, executed a SELECT of rows of data, and everything it printed, header first, became the HTTP response the browser displayed.

Deliverables & Next Steps

Create a single file submission containing a screen shot of your application running in your browser. The web page data MUST contain YOUR full name to receive credit.

Review the steps to understand how we installed the various components, how we updated our installation using apt and apt-get, how we built a small database, how we inserted data, how we created a simple web program, and, how that resulted in the working web page pulling data.

Stretch Goals

Consider doing some digging into the ways in which Apache Webserver can serve up different types of files.

Consider digging deeper into the various components, such as MySQL and Python to become better versed in their technologies, which will help you at job interviews, even for non-developer jobs.

Look into the vast library of Apache projects that would be good to know about. Just knowing they exist will help a conversation in a job interview or where you’re considering technology stacks.

Consider where some vulnerabilities exist, and how we might secure and quantify our technology stack to make it suitable for production.
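The most common vulnerability in a stack like this appears the moment index.py starts reading input from the request: building the SQL text out of that input. The following Python is an added example, not part of the slides or of Yoga1.txt. It gives the lab’s query a hypothetical ?id= parameter, shows the injectable version beside the parameterized one, and HTML-escapes the rows on the way out. It assumes the lab’s instructors(id, name) table; so that it runs offline (and without a database password in the file), it loads an in-memory SQLite copy of that table with constructed rows. Against PyMySQL the only changes are the connection object from index.py and placeholder="%s".

```python
#!/usr/bin/python3
# Added example, not from the slides: the lab's SELECT made to take an ?id=
# parameter, once the injectable way and once the hardened way.
# Assumes the lab's instructors(id, name) table. Uses an in-memory SQLite copy
# of it so this runs offline; the only PyMySQL difference that matters is the
# bind placeholder ("?" here, "%s" for PyMySQL, whose paramstyle is pyformat).
import html
import os
import sqlite3
from urllib.parse import parse_qs

# Constructed sample rows mirroring the lab's INSERT statements.
SAMPLE_ROWS = [(1, "Erin"), (2, "Caroline"), (3, "Sam Student")]


def sample_connection():
    """In-memory stand-in for the yoga database, loaded with SAMPLE_ROWS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE instructors (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO instructors VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def requested_id(query_string):
    """Raw ?id= value from a CGI QUERY_STRING, or None if it is absent."""
    values = parse_qs(query_string).get("id")
    return values[0] if values else None


def fetch_instructor_unsafe(con, raw_id):
    """VULNERABLE: the request value is pasted into the SQL text.

    raw_id="1" returns one row; raw_id="1 OR 1=1" makes the WHERE clause a
    tautology and every row leaks. PyMySQL behaves exactly the same way.
    """
    sql = f"SELECT id, name FROM instructors WHERE id = {raw_id}"
    cur = con.cursor()
    cur.execute(sql)
    return cur.fetchall()


def fetch_instructor_safe(con, raw_id, placeholder="?"):
    """Hardened: validate the type, then let the driver bind the value.

    The SQL text is fixed (placeholder is our own constant, never user data)
    and the id travels separately, so "1 OR 1=1" cannot change its meaning.
    """
    try:
        instructor_id = int(raw_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer id
    cur = con.cursor()
    cur.execute(f"SELECT id, name FROM instructors WHERE id = {placeholder}",
                (instructor_id,))
    return cur.fetchall()


def render_rows(rows):
    """Escape values on the way to the browser: a name stored as
    '<script>...</script>' must display as text, not execute (stored XSS)."""
    return "\n".join(
        f"<li>{html.escape(str(row[0]))} {html.escape(str(row[1]))}</li>"
        for row in rows)


if __name__ == "__main__":
    # Under Apache, QUERY_STRING carries the ?id= part of the URL; from a
    # shell it is unset, so fall back to id 1.
    print("Content-Type: text/html\n")
    con = sample_connection()
    raw = requested_id(os.environ.get("QUERY_STRING", "")) or "1"
    print("<ul>\n" + render_rows(fetch_instructor_safe(con, raw)) + "\n</ul>")
    con.close()
```

Run it as ./index.py?id=1 OR 1=1 (URL-encoded by the browser) in both forms to see the difference: the unsafe function returns every instructor, the safe one returns nothing because "1 OR 1=1" is not an integer. Note that the escaping in render_rows is a separate defense from parameterization; parameters protect the database, escaping protects the browser, and a production app needs both.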