Lab 2: Linux refresher and automation with bash scripts
The goal of this Lab is to familiarize ourselves with the main Linux
commands and tools that we will use.
We will cover the following:
1. Create a folder structure using basic Linux commands
2. Work with the package manager on a CentOS based VM
3. Connect to Amazon EC2 from your local environment using a custom SSH key
4. Create a service on an EC2 instance
5. Linux Networking – Troubleshooting Webserver connectivity
6. Securely connect to Amazon EC2 with AWS SSM Session Manager
Submission requirements:
Submit screenshots showing the functionality of tasks 2, 3, 4 and 5.
Submit a screenshot that verifies your identity.
Task 1: Create a folder structure using basic Linux commands
In your Cloud9 environment, create the basic folder structure below.
Assume that your home directory is /home/student.
mkdir -p Fall/October
mkdir -p Fall/November
mkdir -p Summer/July
mkdir -p Summer/August
touch Fall/October/October_28.txt
cat Fall/October/October_28.txt
vim Fall/October/October_28.txt
Task 2: Working with the Linux package manager
In your Cloud9 environment, install the latest docker package and make sure the docker service is running after the VM is restarted.
1. Find out if this is a Debian or an RPM distribution. What is the version of this distribution? What chip manufacturer and architecture?
Kernel version:   uname -r
Architecture:     uname -m
Distribution:     cat /etc/*release
2. Find all the repos available on the Cloud9 VM
All repos:                         ls /etc/yum.repos.d
Print the details of a specific repo:  cat /etc/yum.repos.d/hashicorp.repo
3. What version of the docker package is installed on the Cloud9 VM?
Using YUM:  yum info docker
4. Identify the package that provides the traceroute command
Using YUM:  yum -q whatprovides traceroute
            yum provides scp
5. Is the docker package installed? If yes, uninstall the existing docker package and re-install it
Is docker installed?  rpm -q docker
Uninstall docker:     sudo rpm -e docker; rpm -q docker
Re-install docker:    sudo yum install docker -y
6. Try running docker commands. Does it work? Use systemctl commands to start and enable the docker daemon
Is docker running?                        sudo docker ps
Start docker:                             sudo systemctl start docker
Verify docker is running:                 sudo systemctl status docker
Make sure docker is running after reboot: sudo systemctl enable docker
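The six steps above are one procedure: detect the distribution family, check whether the package is present, install it if not, then start and enable the unit. The script below is an added example (not part of the lab handout) that does this in one place. It reads /etc/os-release to decide between yum and apt; the package names "docker" (yum) and "docker.io" (apt) are assumptions, and the Debian branch goes beyond the CentOS VM the lab uses.

```bash
#!/usr/bin/env bash
# Added example (not from the lab handout): detect whether the VM is an
# RPM or a Debian family distribution from /etc/os-release, then make sure
# docker is installed, started and enabled at boot. The package names
# "docker" (yum) and "docker.io" (apt) are assumptions for the two families.
set -eu

# Classify a distribution from the text of /etc/os-release.
# The text is passed as an argument so the function can be tested offline.
# Prints "rpm", "deb" or "unknown".
pkg_family() {
  local text="$1" id like
  id=$(printf '%s\n' "$text"   | sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')
  like=$(printf '%s\n' "$text" | sed -n 's/^ID_LIKE="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p')
  case " $id $like " in
    *" amzn "*|*" centos "*|*" rhel "*|*" fedora "*) echo rpm ;;
    *" debian "*|*" ubuntu "*)                          echo deb ;;
    *)                                                  echo unknown ;;
  esac
}

# Name of the docker package for a family (assumed names, see above).
docker_package() {
  case "$1" in
    rpm) echo docker ;;
    deb) echo docker.io ;;
    *)   return 1 ;;
  esac
}

# Reduce "systemctl is-active" / "is-enabled" to one word, e.g. "active/enabled".
docker_unit_state() {
  local active enabled
  active=$(systemctl is-active docker 2>/dev/null || true)
  enabled=$(systemctl is-enabled docker 2>/dev/null || true)
  echo "${active:-unknown}/${enabled:-unknown}"
}

# Install docker if it is missing, start and enable it, then report the unit state.
ensure_docker() {
  local family pkg
  family=$(pkg_family "$(cat /etc/os-release)")
  pkg=$(docker_package "$family") || { echo "unsupported distribution: $family" >&2; return 1; }
  if ! command -v docker >/dev/null 2>&1; then
    case "$family" in
      rpm) sudo yum install -y "$pkg" ;;
      deb) sudo apt-get install -y "$pkg" ;;
    esac
  fi
  sudo systemctl start docker
  sudo systemctl enable docker      # this is what survives a reboot
  docker_unit_state
}

# Entry point: "./ensure_docker.sh apply" acts on this VM, "detect" only
# prints the family. Without an argument the script just defines the functions.
case "${1:-}" in
  apply)  ensure_docker ;;
  detect) pkg_family "$(cat /etc/os-release)" ;;
esac
```

`docker_unit_state` is the check to screenshot for the submission: "active/enabled" is the only combination that satisfies "running after the VM is restarted"; "active/disabled" means the service works now but will not come back after a reboot.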
Task 3: Connecting to Amazon EC2 from the Cloud9 environment using a custom SSH key
1. Create a new SSH key pair in your Cloud9 environment with the commands below
Create the SSH key pair locally (press Enter when asked for the passphrase):
ssh-keygen -t rsa -f ~/.ssh/week2
Create an AWS key pair from your local key pair:
aws ec2 import-key-pair --key-name "week2" --public-key-material file://~/.ssh/week2.pub
Verify the key was created:
aws ec2 describe-key-pairs
2. Create an Amazon EC2 instance with ingress on port 22 following the instructions from Lab 1, Task 5. Grant access to the Amazon Cloud9 public IPs.
# Create an EC2 instance that uses that key pair
aws ec2 run-instances --image-id resolve:ssm:/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 --instance-type t2.micro --key-name week2
Note: if you are getting an SSM access error, run the command below instead:
aws ec2 run-instances --image-id --instance-type t2.micro --key-name week2
# Create the security group for admin traffic (ssh)
aws ec2 create-security-group --group-name acs730-week2-sg --description "Security Group for Admin Traffic"
# Authorize SSH and PING access from the public IP ranges of the Cloud9 service in the us-east-1 region. Install jq in your Cloud9 environment first.
# Install jq
sudo yum install jq -y
# Download the AWS IP ranges
wget https://ip-ranges.amazonaws.com/ip-ranges.json
# Get all the IP ranges for the CLOUD9 service in us-east-1
jq '.prefixes[] | select(.service=="CLOUD9") | select(.region=="us-east-1")' < ip-ranges.json
aws ec2 authorize-security-group-ingress --group-name acs730-week2-sg --ip-permissions "IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=35.172.155.192/27},{CidrIp=35.172.155.96/27}]" "IpProtocol=icmp,FromPort=-1,ToPort=-1,IpRanges=[{CidrIp=35.172.155.192/27},{CidrIp=35.172.155.96/27}]"
export INSTANCE_ID=i-039846ca048ac228a
export SG_ID=sg-03c8aacfc095f4070
aws ec2 modify-instance-attribute --instance-id ${INSTANCE_ID} --groups ${SG_ID}
3. Verify the instance was created successfully
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,KeyName,PublicDnsName,PublicIpAddress,State.Name]' --filters Name=instance-state-name,Values=running --output table
4. Verify network connectivity to port 22 of the provisioned instance using its public DNS name
Can we resolve the DNS name?
nslookup ec2-54-161-142-127.compute-1.amazonaws.com
dig ec2-54-161-142-127.compute-1.amazonaws.com
Is the local link up?
ip link
Is the remote server responding?
sudo yum install telnet
telnet ec2-54-161-142-127.compute-1.amazonaws.com 22
Note the IP address returned by the DNS lookups. Why is it different from the IP address embedded in the EC2 public DNS name?
5. The username ec2-user is pre-provisioned by AWS when the CentOS based EC2 instance is created. Attempt to connect to the EC2 instance using your local Linux user and ec2-user.
Find out your local username:
whoami
id
Try connecting to the EC2 instance:
ssh ec2-user@ec2-54-161-142-127.compute-1.amazonaws.com -i ~/.ssh/week2
Did it work? Let's debug:
ssh ec2-user@ec2-54-161-142-127.compute-1.amazonaws.com -i ~/.ssh/week2 -vvv
6. The Cloud9 environment connects to our EC2 instance using its private IP address. Let's fix our security group.
# Revoke the previously defined access rule
aws ec2 revoke-security-group-ingress --group-name acs730-week2-sg --ip-permissions "IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=35.172.155.192/27},{CidrIp=35.172.155.96/27}]" "IpProtocol=icmp,FromPort=-1,ToPort=-1,IpRanges=[{CidrIp=35.172.155.192/27},{CidrIp=35.172.155.96/27}]"
# Create new inbound rules to allow traffic only from the private IP of the Cloud9 instance
aws ec2 authorize-security-group-ingress --group-name acs730-week2-sg --ip-permissions "IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=<Private IP of Cloud9 instance>/32}]" "IpProtocol=icmp,FromPort=-1,ToPort=-1,IpRanges=[{CidrIp=<Private IP of Cloud9 instance>/32}]"
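Steps 2 and 6 build the same `--ip-permissions` shorthand by hand twice, first for the Cloud9 public ranges and then for the Cloud9 private IP as a /32, and a typo in a CIDR silently opens the wrong range. The script below is an added example (not part of the lab handout) that generates the shorthand from a validated CIDR list, extracts the Cloud9 prefixes with the lab's jq filter, and performs the revoke/authorize swap. The group name defaults to the lab's acs730-week2-sg; the CIDRs are the ones shown in the lab, and 10.0.1.25/32 below is a constructed stand-in for the Cloud9 private IP.

```bash
#!/usr/bin/env bash
# Added example (not part of the lab handout): build the --ip-permissions
# shorthand for SSH (tcp/22) and ICMP from a list of CIDRs, and swap the
# Cloud9 public ranges for the /32 of the Cloud9 private IP.
set -eu

SG_NAME="${SG_NAME:-acs730-week2-sg}"

# Turn CIDR arguments into the IpRanges=[{CidrIp=...},...] fragment.
# Rejects anything that is not digits and dots followed by one /prefix.
ip_ranges_fragment() {
  local out="" cidr
  for cidr in "$@"; do
    case "$cidr" in
      *[!0-9./]*|*/|*/*/*) echo "bad CIDR: $cidr" >&2; return 1 ;;
      */[0-9]*) ;;
      *) echo "bad CIDR (missing /prefix): $cidr" >&2; return 1 ;;
    esac
    out="${out:+$out,}{CidrIp=$cidr}"
  done
  printf 'IpRanges=[%s]' "$out"
}

# The two permission entries the lab uses (SSH and ICMP echo), both limited
# to the same CIDRs, separated by a space so they become two CLI arguments.
ssh_icmp_permissions() {
  local ranges
  ranges=$(ip_ranges_fragment "$@") || return 1
  printf 'IpProtocol=tcp,FromPort=22,ToPort=22,%s IpProtocol=icmp,FromPort=-1,ToPort=-1,%s\n' \
    "$ranges" "$ranges"
}

# Cloud9 prefixes for a region from the downloaded ip-ranges.json (needs jq).
# This is the lab's jq filter with the ip_prefix field extracted.
cloud9_cidrs() {  # $1 = path to ip-ranges.json, $2 = region
  jq -r --arg region "$2" \
    '.prefixes[] | select(.service=="CLOUD9" and .region==$region) | .ip_prefix' "$1"
}

# Revoke one CIDR set and authorize another (space-separated lists).
# $1/$2 and $old/$new are left unquoted on purpose: word splitting turns
# the lists into separate arguments, and no entry contains whitespace.
swap_rules() {  # $1 = old CIDRs, $2 = new CIDRs
  local old new
  old=$(ssh_icmp_permissions $1)
  new=$(ssh_icmp_permissions $2)
  aws ec2 revoke-security-group-ingress    --group-name "$SG_NAME" --ip-permissions $old
  aws ec2 authorize-security-group-ingress --group-name "$SG_NAME" --ip-permissions $new
}

# Entry point. Without arguments the script only defines the functions.
#   ./sg_rules.sh cloud9 ip-ranges.json us-east-1                 -> print Cloud9 CIDRs
#   ./sg_rules.sh print "35.172.155.192/27 35.172.155.96/27"      -> print the shorthand
#   ./sg_rules.sh swap "35.172.155.192/27 35.172.155.96/27" "10.0.1.25/32"
case "${1:-}" in
  cloud9) cloud9_cidrs "${2:-ip-ranges.json}" "${3:-us-east-1}" ;;
  print)  ssh_icmp_permissions ${2:-} ;;
  swap)   swap_rules "${2:-}" "${3:-}" ;;
esac
```

Run `print` first and compare its output with the rule you intend before running `swap`; the validation in `ip_ranges_fragment` refuses a CIDR without a prefix length, so a bare IP cannot accidentally become a wider rule than the /32 the lab asks for.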
Task 4: (OPTIONAL) Create a Linux service on AWS EC2
1. Create a bash script called run_docker.sh in your Cloud9 IDE.
The content of the script is below. You can find this script in the Lab2
folder.
#!/bin/bash
sudo yum update -y
sudo yum install docker -y
sudo systemctl enable docker.service
sudo systemctl enable containerd.service
sudo systemctl start docker
sudo systemctl status docker
sudo usermod -aG docker ${USER}
sudo docker run hello-world
Make sure the file was created
2. Copy the script to the EC2 instance
scp -i ~/.ssh/week2 run_docker.sh ec2-user@ec2-44-201-108-170.compute-1.amazonaws.com:/home/ec2-user
3. Log into the EC2 instance
ssh ec2-user@ec2-44-201-108-170.compute-1.amazonaws.com -i ~/.ssh/week2
4.
5. Create a new folder ~/myscript and move run_docker.sh to this folder. Grant ec2-user execute permission on this script.
mkdir ~/myscript
mv ~/run_docker.sh ~/myscript/
chmod u+x ~/myscript/run_docker.sh
6. Execute the script
~/myscript/run_docker.sh
7. Update run_docker.sh to run containerized web server Nginx.
sudo -i
mv /home/ec2-user/myscript/run_docker.sh /usr/bin/
vi /usr/bin/run_docker.sh
Update the last line in the script.
#!/bin/bash
sudo yum update -y
sudo yum install docker -y
sudo systemctl enable docker.service
sudo systemctl enable containerd.service
sudo systemctl start docker
sudo systemctl status docker
sudo usermod -aG docker ${USER}
sudo docker run -d -p 80:80 nginx
8. Create a Linux service that executes run_docker.sh script.
vi /etc/systemd/system/run_docker.service
The service definition is below.
[Unit]
Description=Hello Nginx with Docker container
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
User=ec2-user
ExecStart=/usr/bin/run_docker.sh
[Install]
WantedBy=multi-user.target
Reload the daemon to ensure all service definitions have been updated.
systemctl daemon-reload
Start the service and enable the service. Make sure to run these
commands as ec2-user.
exit
sudo systemctl start run_docker
sudo systemctl status run_docker
sudo systemctl enable run_docker
9. Debug the issues with your service using journalctl
sudo journalctl -u run_docker
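What journalctl shows here follows from the unit definition: `docker run -d` returns as soon as the container is detached, so with `Type=simple` and `Restart=always` systemd treats the script as having died, re-runs it after `RestartSec=1`, and the second `docker run -p 80:80 nginx` fails because port 80 is already bound. The script below is an added example (not the lab's run_docker.sh) of an idempotent last step: it names the container and creates it only once, starting it if it exists but is stopped. The `DOCKER` and `CONTAINER_NAME` variables, the `apply` subcommand and the name nginx-web are this example's own choices so the logic can be exercised without a Docker daemon.

```bash
#!/usr/bin/env bash
# Added example (not the lab's run_docker.sh): an idempotent replacement for
# "sudo docker run -d -p 80:80 nginx". Safe to run repeatedly, so a unit
# that re-executes it does not fail on the second "docker run".
set -eu

DOCKER="${DOCKER:-docker}"                      # overridable for offline testing
CONTAINER_NAME="${CONTAINER_NAME:-nginx-web}"   # example name, not from the lab

# State of a named container: "running", "stopped" or "absent".
container_state() {  # $1 = container name
  local status
  if ! status=$("$DOCKER" inspect -f '{{.State.Status}}' "$1" 2>/dev/null); then
    echo absent
    return 0
  fi
  if [ "$status" = running ]; then echo running; else echo stopped; fi
}

# Create, start, or leave the nginx container alone; prints the action taken.
ensure_container() {  # $1 = container name
  case "$(container_state "$1")" in
    running) echo already-running ;;
    stopped) "$DOCKER" start "$1" >/dev/null; echo started ;;
    absent)
      # --restart unless-stopped lets Docker, not systemd, bring it back after a reboot
      "$DOCKER" run -d --name "$1" --restart unless-stopped -p 80:80 nginx >/dev/null
      echo created ;;
  esac
}

# Entry point: "./run_docker.sh apply" is what ExecStart should call.
# Because the script now finishes quickly, pair it with Type=oneshot and
# RemainAfterExit=yes in the unit instead of Type=simple + Restart=always.
if [ "${1:-}" = apply ]; then
  sudo systemctl enable --now docker
  ensure_container "$CONTAINER_NAME"
fi
```

With this version `sudo journalctl -u run_docker` should show a single "created" on first start and "already-running" on every later one, instead of a restart loop of port-binding errors.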
10. Create a new Linux user, grant same permissions as the existing
ec2-user. Does this user have a sudo permissions?
# ec2-user groups
groups
# add week2 user
sudo useradd week2
# week2 user’s groups
groups week2
sudo usermod -a -G wheel week2
# does this user have sudo permissions?
sudo visudo
11. Make sure nginx web server is running
curl localhost:80
Task 5: (OPTIONAL) Linux Networking - Troubleshooting web server connectivity
1. Send an HTTP request to the Nginx web server running on your EC2 instance from your Cloud9 environment
curl http://ec2-44-201-108-170.compute-1.amazonaws.com/ -v
2. Let's troubleshoot
Local link is up, run in Cloud9:
ip link
DNS is resolving, run in Cloud9:
nslookup google.com
There is network connectivity, run on Cloud9 and EC2:
ping google.com
traceroute 8.8.8.8
Remote server: make sure the web server is running, run on EC2:
netstat -an | grep 80 | grep -i LISTEN
Remote link is up, run on EC2:
ip link
What is the problem?
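The checklist above works from the local link outward: link, DNS, reachability, then the listener on the server. The script below is an added example (not part of the lab handout) that runs those checks in that order and prints one result per line instead of stopping at the first failure, which is what you want when the answer is "the security group only allows 22, not 80". `port_listening` is a pure function over `netstat -an` or `ss -tln` output so it can be tested offline; the listings used in the test are constructed. The `/dev/tcp` reachability check is a bash feature and needs `timeout` from coreutils.

```bash
#!/usr/bin/env bash
# Added example (not from the lab handout): the Task 5 checklist as a script.
# On Cloud9: ./webcheck.sh <ec2 public dns> 80   -> link, DNS, tcp/80 reachable
# On the EC2 instance the same command also reports whether anything listens.
set -eu

# Does a "netstat -an" or "ss -tln" listing show a TCP listener on port $1?
port_listening() {  # $1 = port, $2 = listing text
  printf '%s\n' "$2" | awk -v p="$1" '
    ($1 ~ /^tcp/ && $NF == "LISTEN") || $1 == "LISTEN" {
      n = split($4, a, ":")            # local address is field 4 in both formats
      if (a[n] == p) found = 1
    }
    END { exit found ? 0 : 1 }'
}

check_link() { ip link show up 2>/dev/null | grep -q 'state UP'; }
check_dns()  { getent hosts "$1" >/dev/null 2>&1; }                        # $1 = host
check_tcp()  { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }  # $1 = host, $2 = port

# Print one line per check; a failing check never aborts the run.
troubleshoot() {  # $1 = host, $2 = port
  local r
  r=$(check_link && echo ok || echo FAIL);           printf '%-26s %s\n' "local link up" "$r"
  r=$(check_dns "$1" && echo ok || echo FAIL);       printf '%-26s %s\n' "dns resolves $1" "$r"
  r=$(check_tcp "$1" "$2" && echo ok || echo FAIL);  printf '%-26s %s\n' "tcp/$2 reachable" "$r"
  if command -v ss >/dev/null 2>&1; then             # only meaningful on the server itself
    r=$(port_listening "$2" "$(ss -tln)" && echo ok || echo FAIL)
    printf '%-26s %s\n' "local listener on tcp/$2" "$r"
  fi
}

# Entry point: ./webcheck.sh <host> [port]; without arguments only defines functions.
if [ -n "${1:-}" ]; then
  troubleshoot "$1" "${2:-80}"
fi
```

Reading the output: "dns ok, tcp/80 FAIL" from Cloud9 together with "local listener on tcp/80 ok" on the EC2 instance points at the path between them, which in this lab is the security group that was only ever opened for port 22 and ICMP.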
Task 6: (OPTIONAL) Securely connect to Amazon EC2 with AWS SSM Session Manager
Opening port 22 to the world is a security concern and is not considered best practice by AWS. Moreover, user activities performed on the EC2 instance by a user connected via SSH are not reflected in any of the AWS logs, which often makes forensics impossible if the local logs are deleted by a malicious actor.
AWS provides an alternative approach to start a shell session on an EC2 instance.
We can use AWS SSM Session manager for this purpose.
Pre-requisites:
1. An IAM instance profile with sufficient permissions associated with the EC2 instance
2. The AWS SSM agent running on the VM
3. The AWS Academy IAM user has sufficient permission to connect to Amazon EC2 with AWS Session Manager
1. Assign an IAM instance profile to the Amazon EC2 instance we provisioned
Run the command below to list the instance profiles pre-provisioned by AWS Academy. In a real environment you would have created them yourself.
aws iam list-instance-profiles
The profile we need is called LabInstanceProfile
Run the command below to associate the instance profile with the EC2 instance.
aws ec2 associate-iam-instance-profile --instance-id ${INSTANCE_ID} --iam-instance-profile Name=LabInstanceProfile
Important Security Improvement: all the processes running on the EC2 instance can now call the AWS API without any credentials stored locally on the VM.
2. Make sure the AWS SSM agent is running on the instance
We can verify that the AWS SSM agent is running on the EC2 instance in two ways:
a. Looking at the EC2 initialization log
b. Opening a secure shell into the EC2 instance as per Task 5 and querying the systemctl tool. We will explore this option in the Week 2 Lab.
Open the AWS Management Console, go to the EC2 console and select the provisioned instance.
Click on Actions => Monitor and troubleshoot => Get system log.
This is the log that captures all the services initialized as part of the Linux OS boot process.
See if you can find the ssm-agent initialization reflected in the log.
3. AWS Academy IAM user has sufficient permission to connect to Amazon EC2 with AWS Session Manager
Open your Cloud9 environment and find out the chip type that is used by the Cloud9 VM.
uname -m
This is Intel 64 bit architecture.
Install the ssm package for your VM architecture.
curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm"
sudo yum install -y session-manager-plugin.rpm
Run the commands below to connect to the instance via AWS SSM Session Manager:
export INSTANCE_ID=[Id of your instance]
aws ssm start-session --target "${INSTANCE_ID}"
Important Security Improvement: we can remove the ingress rule for port 22 and the connection will still work. You have logged into your EC2 instance without the use of an SSH key pair!