Project 1 SEC440 - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki

Deliverables


Week 1

  • During class on week 1 attempt to get xubuntu-wan, vyos1, web01, and xubuntu-lan routing through vyos and the internet.
  • Make sure to grab and commit copies of your vyos configuration as you go
  • Build out the structure of your tech journal this week and reflect on week 1
  • During week 1 get port forwarding to work and get 2fa installed on web01

Week 2

  • During week 2 get your redundant vrrp working (clients should likely have all three inside router ips listed in DNS) (10.0.5.1,10.0.5.2,10.0.5.3)
  • Produce a professional demo that touches all bases
  • Commit any changes to your vyos configs to git and reflect on your project

SETUP

VYOS 1 & 2

Routing and DNS forwarding

For these tasks, I went with my old notes from my Sec350 Vyos Page. I followed the instructions there, substituting the IP addresses on the page for my own correct IP addresses.

I repeated once more to set up the LAN network.

VRRP

To set up VRRP on Vyos 1 (and 2), I used the following commands:

  • set high-availability vrrp group langroup10 vrid 160
  • set high-availability vrrp group langroup10 interface eth0
  • set high-availability vrrp group langroup10 address 10.0.17.110/24
  • set high-availability vrrp group langroup10 priority 200
  • set high-availability vrrp group wangroup10 vrid 160
  • set high-availability vrrp group wangroup10 interface eth0
  • set high-availability vrrp group wangroup10 address 10.0.17.110/24
  • set high-availability vrrp group wangroup10 priority 200

For Vyos 2, I did the same, replacing the appropriate IPs. I also made the priority of Vyos 2 100 instead of 200.

WEB01

For web01, I needed to break into the root account using single user boot mode. It was a very simple process actually; I just followed this guide.

I used nmtui to set up networking and set the system hostname.

  • IP: 10.0.5.100/24
  • Default Gateway: 10.0.5.2
  • DNS: 10.0.5.2

At this point, I would consider this set up. However, I was facing up to 77% packet loss, and I was informed that this meant there was probably an issue.

The fix to this issue was to add a host-based firewall rule allowing ICMP into the system.

2FA

For two factor authentication, I followed this guide for every single thing they said.


Tests

  1. From WAN, using arp, determine the real firewall host behind your virtual IP
  2. From xubuntu-lan, determine active firewall using tracepath 10.0.17.2
  3. Active WAN and LAN firewalls should be either vyos 1 or 2.
  4. Kill the active firewall (it should be vyos1 or vyos2 for the active WAN/LAN connections)
  5. Port forwarding should work from WAN to a virtual IP that fronts a team of vyos firewalls -> Web01
     5a. http (2 points)
     5b. ssh (2 points)
     5c. with MFA (1 point)
  6. xubuntu-lan should still be able to route to the internet (3 points)
  7. tracepath/traceroute from xubuntu-lan should show the first hop as the redundant firewall.
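
Test 1 above, as an added example that is not part of the original journal: a POSIX shell helper that reads the neighbor table and reports which router's real address shares a MAC with the virtual IP. It also handles the case where the VIP answers with an RFC 3768 virtual MAC, which ARP alone cannot map to a host. The sample table is constructed; only the VIP 10.0.17.110 and VRID 160 come from the page, and the router addresses and MACs are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): identify which router currently
# answers ARP for a VRRP virtual IP by comparing MACs in the neighbor table.

# Constructed `ip neigh show` output. Only the VIP 10.0.17.110 is from the
# page; the router addresses 10.0.17.10/.11 and all MACs are made up.
SAMPLE_NEIGH='10.0.17.2 dev eth0 lladdr 00:50:56:aa:00:01 REACHABLE
10.0.17.10 dev eth0 lladdr 00:50:56:aa:00:10 STALE
10.0.17.11 dev eth0 lladdr 00:50:56:aa:00:11 STALE
10.0.17.110 dev eth0 lladdr 00:50:56:aa:00:10 REACHABLE'

# mac_of IP TABLE -> lower-cased MAC for IP; empty when the entry has no
# lladdr field (FAILED or INCOMPLETE entries).
mac_of() {
  printf '%s\n' "$2" | awk -v ip="$1" '
    $1 == ip { for (i = 2; i < NF; i++) if ($i == "lladdr") { print tolower($(i + 1)); exit } }'
}

# vip_owner VIP [TABLE]
#   prints the real IP(s) that share the VIP's MAC, space separated;
#   "virtual-mac vrid=N" when the VIP answers with an RFC 3768 virtual MAC;
#   "unknown" (exit status 1) when the VIP is unresolved or nothing matches.
vip_owner() (
  vip=$1
  table=${2:-$(ip neigh show)}
  mac=$(mac_of "$vip" "$table")
  [ -n "$mac" ] || { echo unknown; return 1; }
  case $mac in
    00:00:5e:00:01:*)
      # The last octet of the virtual MAC is the VRID in hex.
      echo "virtual-mac vrid=$(printf '%d' "0x${mac##*:}")"
      return 0 ;;
  esac
  owners=$(printf '%s\n' "$table" | awk -v vip="$vip" -v mac="$mac" '
    $1 != vip { for (i = 2; i < NF; i++)
                  if ($i == "lladdr" && tolower($(i + 1)) == mac) out = out (out ? " " : "") $1 }
    END { print out }')
  [ -n "$owners" ] || { echo unknown; return 1; }
  echo "$owners"
)

# Demo on the constructed table: prints 10.0.17.10
vip_owner 10.0.17.110 "$SAMPLE_NEIGH"
```

On xubuntu-wan, ping the VIP and each router's real address first so the entries exist, then call `vip_owner 10.0.17.110` with no second argument to read the live table. Running it again after test 4 should show the owner change to the surviving router.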