SEC350 Midterm - ConnorEast/Tech-Journal GitHub Wiki
The following boxes are going to be deleted prior to the assessment. If referencing notes outside of this document, confirm that the following box information is not being used again [Caveat: firewall default gateways]
- RW01: -- IP:10.0.17.31 -- Default: 10.0.17.2
- FW01: -- 3 V-Network Adapter --
- WEB01: -- IP:172.16.50.3 -- Default: 172.16.50.3
The following boxes will be added to the network. The IP space has not yet been specified; check the IP space assigned in the midterm itself and, in each box's respective section, use the appropriate IP.
- Traveler: --> Windows 10 VM --> Default Gateway: 10.0.17.132 [WAN]
- Edge01: --> Vyos Firewall --> 3 V-Network Adapters for DFGW
- NGINX01: --> Ubuntu Linux VM --> Default Gateway: 172.16.50.2 [DMZ]
- DHCP01: --> Ubuntu Linux VM --> Default Gateway: 172.16.150.2 [LAN]

Created By Ina
Default Logon <--> User:vy0s ; Password:Ch@mpl@1n!22 ;
Command: | Image / Appended Content |
---|---|
<-- Base Config --> | |
configure | |
set system name-server 10.0.17.2 | |
set system host-name edge-east | |
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2 | |
<-- Ethernet Setup --> | |
set interfaces ethernet eth0 description Sec350-WAN | |
set interfaces ethernet eth1 description Sec350-DMZ | |
set interfaces ethernet eth2 description Sec350-LAN | |
set interfaces ethernet eth0 address 10.0.17.132/24 | |
set interfaces ethernet eth1 address 172.16.50.2/29 | |
set interfaces ethernet eth1 address 172.16.150.2/24 | check the interface name: the LAN address belongs on eth2 per the Ethernet Setup descriptions above and the running config below |
<-- RIP and NAT Setup --> | |
set protocols rip interface eth2 | |
set protocols rip network 172.16.50.0/29 | |
set nat source rule 10 description "Nat DMZ to WAN" | |
set nat source rule 10 outbound-interface eth0 | |
set nat source rule 10 source address 172.16.50.0/29 | |
set nat source rule 10 translation address masquerade | |
set nat source rule 20 description 'NAT FROM DMZ to WAN' | description does not match this rule's source (172.16.150.0/24 is the LAN range) |
set nat source rule 20 outbound-interface eth0 | |
set nat source rule 20 source address 172.16.150.0/24 | |
set nat source rule 20 translation address masquerade | |
<-- DNS forwarding setup --> | |
set service dns forwarding allow-from 172.16.50.0/29 | |
set service dns forwarding allow-from 172.16.150.0/24 | |
set service dns forwarding listen-address '172.16.50.2' | |
set service dns forwarding listen-address '172.16.150.3' | |
set service dns forwarding listen-address '172.16.150.2' | |
set service dns forwarding system | |
commit | |
save | |
<-- MGMT network Forwarding NAT --> | |
configure | |
set nat source rule 30 description "MGMT TO WAN" | |
set nat source rule 30 outbound-interface eth0 | |
set nat source rule 30 source address 172.16.200.0/28 | |
set nat source rule 30 translation address masquerade | |
set service dns forwarding listen-address 172.16.200.2 | |
Default Logon <--> User:champuser ; Password:Ch@mpl@1n!22 ;
Command: | Image / Appended Content |
---|---|
<-- Networking configuration --> | |
cd /etc/netplan | |
vi 00-installer-config.yaml | Insert the following: |
sudo netplan apply | |
sudo hostnamectl set-hostname NGINX01-east | |
<-- User Creation --> | |
sudo adduser connor | |
sudo usermod -aG sudo connor | |
passwd connor | |
<-- ssh key user config --> | |
sudo adduser connor-jump | |
sudo mkdir /home/connor-jump/.ssh | |
sudo touch /home/connor-jump/.ssh/authorized_keys | |
sudo chmod 700 /home/connor/.ssh | path mismatch: the directory created above is /home/connor-jump/.ssh |
sudo chmod 600 /home/connor/.ssh/authorized_keys | path mismatch: the file created above is /home/connor-jump/.ssh/authorized_keys |
sudo chown -R connor-jump:connor-jump /home/connor-jump/.ssh | |
echo "connor-jump ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/connor-jump | gives connor-jump passwordless root via sudo |
<-- NGINX Installation --> | |
sudo yum update | NGINX01 is listed above as an Ubuntu VM; on Ubuntu the package manager is apt (as used in the DHCP01 section) |
sudo yum upgrade | |
sudo yum install nginx php | |
sudo systemctl status nginx | |
<-- Web Page Creation --> | |
rm /var/www/html/* | |
vi /var/www/html/index.html | Make A special HTML page. |
systemctl restart nginx | |
Default Logon <--> User:champuser ; Password:Ch@mpl@1n!22 ;
Command: | Image / Appended Content |
---|---|
cd /etc/netplan | |
vi 00-installer-config.yaml | Insert the following: |
sudo netplan apply | |
sudo hostnamectl set-hostname | hostname argument missing here; the completed command is two rows down |
sudo netplan apply | |
sudo hostnamectl set-hostname DHCP01-east | |
sudo adduser connor | |
sudo usermod -aG sudo connor | |
passwd connor | |
sudo adduser connor-jump | |
sudo mkdir /home/connor-jump/.ssh | |
sudo touch /home/connor-jump/.ssh/authorized_keys | |
sudo chmod 700 /home/connor/.ssh | path mismatch: the directory created above is /home/connor-jump/.ssh |
sudo chmod 600 /home/connor/.ssh/authorized_keys | path mismatch: the file created above is /home/connor-jump/.ssh/authorized_keys |
sudo chown -R connor-jump:connor-jump /home/connor-jump/.ssh | |
echo "connor-jump ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/connor-jump | gives connor-jump passwordless root via sudo |
<-- DHCP Installation & Setup --> | |
sudo apt update | |
sudo apt upgrade | |
sudo apt install isc-dhcp-server | |
sudo systemctl status isc-dhcp-server | |
sudo vi /etc/dhcp/dhcpd.conf | |
ip a | locate ethernet header [ens18 or other] and note it down |
sudo vi /etc/default/isc-dhcp-server | |
systemctl restart isc-dhcp-server | |
systemctl status isc-dhcp-server | If this works, go to the WKS01 device, change it to DHCP, then run `ipconfig /release` followed by `ipconfig /renew` |
sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf | Use this command for troubleshooting syntax |
Command: | Image / Appended Content |
---|---|
Default Logon <--> User:vy0s ; Password:Ch@mpl@1n!22 ;
Command: | Image / Appended Content |
---|---|
<-- Port Forwarding NGINX--> | |
configure | |
set nat destination rule 10 inbound-interface eth0 | |
set nat destination rule 10 translation address [INSERT NGINX SERVER IP] | |
set nat destination rule 10 translation port 80 | |
set nat destination rule 10 protocol tcp | |
set nat destination rule 10 description "HTTP>NGINX" | |
set nat destination rule 10 source port 80 | |
commit | |
save | |
<-- Zone Interfaces --> | |
configure | |
set zone-policy zone WAN interface eth0 | |
set zone-policy zone DMZ interface eth1 | |
set zone-policy zone LAN interface eth2 | |
commit | |
save | |
<-- Firewall WAN-to-DMZ Setup --> | |
configure | |
set firewall name WAN-to-DMZ default-action drop | |
set firewall name WAN-to-DMZ enable-default-log | |
set firewall name WAN-to-DMZ rule 10 action 'accept' | |
set firewall name WAN-to-DMZ rule 10 destination address '[INSERT NGINX SERVER IP]' | |
set firewall name WAN-to-DMZ rule 10 destination port 80,443 | |
set firewall name WAN-to-DMZ rule 10 protocol tcp | |
set firewall name WAN-to-DMZ rule 10 description "access to web" | |
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ | |
commit | |
save | |
<-- Firewall DMZ-to-WAN Setup --> | |
configure | |
set firewall name DMZ-to-WAN default-action drop | |
set firewall name DMZ-to-WAN enable-default-log | |
set firewall name DMZ-to-WAN rule 1 action accept | |
set firewall name DMZ-to-WAN rule 1 state established 'enable' | |
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN | |
commit | |
save | |
<-- Firewall LAN-to-WAN Setup --> | |
configure | |
set firewall name LAN-to-WAN enable-default-log | no default-action is set in this section; the running config below has `default-action 'drop'` for LAN-to-WAN |
set firewall name LAN-to-WAN rule 1 action accept | |
set zone-policy zone WAN from LAN firewall name LAN-to-WAN | |
commit | |
save | |
<-- Firewall WAN-to-LAN Setup --> | |
set firewall name WAN-to-LAN default-action drop | |
set firewall name WAN-to-LAN enable-default-log | |
set firewall name WAN-to-LAN rule 10 state established enable | |
set firewall name WAN-to-LAN rule 10 action accept | |
set firewall name WAN-to-LAN rule 10 state related enable | |
set zone-policy zone LAN from WAN firewall name WAN-to-LAN | |
commit | |
save | |
<-- Firewall LAN-to-DMZ Setup --> | |
configure | |
set firewall name LAN-to-DMZ default-action drop | |
set firewall name LAN-to-DMZ enable-default-log | |
set firewall name LAN-to-DMZ rule 10 action accept | |
set firewall name LAN-to-DMZ rule 10 source address 172.16.150.0/24 | |
set firewall name LAN-to-DMZ rule 10 destination address [INSERT NGINX SERVER IP] | |
set firewall name LAN-to-DMZ rule 10 protocol tcp | |
set firewall name LAN-to-DMZ rule 10 destination port 80,443 | |
set firewall name LAN-to-DMZ rule 20 action accept | |
set firewall name LAN-to-DMZ rule 20 source address [MGMT01-BOX IP] | |
set firewall name LAN-to-DMZ rule 20 destination address 172.16.50.0/29 | |
set firewall name LAN-to-DMZ rule 20 destination port 22 | |
set firewall name LAN-to-DMZ rule 20 protocol tcp | |
set firewall name LAN-to-DMZ rule 30 action accept | |
set firewall name LAN-to-DMZ rule 30 destination address 172.16.50.4 | |
set firewall name LAN-to-DMZ rule 30 destination port 1514,1515 | |
set firewall name LAN-to-DMZ rule 30 protocol tcp | |
set firewall name LAN-to-DMZ rule 40 action accept | |
set firewall name LAN-to-DMZ rule 40 destination address 172.16.50.4 | |
set firewall name LAN-to-DMZ rule 40 destination port 443 | |
set firewall name LAN-to-DMZ rule 40 protocol tcp | |
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ | |
commit | |
save | |
<-- Firewall DMZ-to-LAN Setup --> | |
set firewall name DMZ-to-LAN default-action drop | |
set firewall name DMZ-to-LAN enable-default-log | |
set firewall name DMZ-to-LAN rule 1 action accept | |
set firewall name DMZ-to-LAN rule 1 state established enable | |
set firewall name DMZ-to-LAN rule 1 state related enable | |
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN | |
commit | |
save | |
Command used: 'show configuration commands | grep -v "syslogglobal"|:ntp|:login|:console|:config|:hw-id|:loopback|:contrack'
set firewall name DMZ-to-LAN default-action 'drop'
set firewall name DMZ-to-LAN enable-default-log
set firewall name DMZ-to-LAN rule 1 action 'accept'
set firewall name DMZ-to-LAN rule 1 state established 'enable'
set firewall name DMZ-to-LAN rule 1 state related 'enable'
set firewall name DMZ-to-LAN rule 10 action 'accept'
set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
set firewall name DMZ-to-LAN rule 10 destination port '1514,1515'
set firewall name DMZ-to-LAN rule 10 protocol 'tcp'
set firewall name DMZ-to-WAN default-action 'drop'
set firewall name DMZ-to-WAN enable-default-log
set firewall name DMZ-to-WAN rule 1 action 'accept'
set firewall name DMZ-to-WAN rule 1 state established 'enable'
set firewall name DMZ-to-WAN rule 998 action 'accept'
set firewall name DMZ-to-WAN rule 998 description 'ssh to WAN'
set firewall name DMZ-to-WAN rule 998 disable
set firewall name DMZ-to-WAN rule 998 source address '172.16.50.4'
set firewall name DMZ-to-WAN rule 999 action 'accept'
set firewall name DMZ-to-WAN rule 999 disable
set firewall name DMZ-to-WAN rule 999 source address '172.16.50.3'
set firewall name LAN-to-DMZ default-action 'drop'
set firewall name LAN-to-DMZ enable-default-log
set firewall name LAN-to-DMZ rule 1 action 'accept'
set firewall name LAN-to-DMZ rule 1 state established 'enable'
set firewall name LAN-to-DMZ rule 10 action 'accept'
set firewall name LAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name LAN-to-DMZ rule 10 destination port '80,443'
set firewall name LAN-to-DMZ rule 10 protocol 'tcp'
set firewall name LAN-to-DMZ rule 10 source address '172.16.150.0/24'
set firewall name LAN-to-DMZ rule 20 action 'accept'
set firewall name LAN-to-DMZ rule 20 destination address '172.16.50.0/29'
set firewall name LAN-to-DMZ rule 20 destination port '22'
set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 source address '172.16.150.10'
set firewall name LAN-to-WAN default-action 'drop'
set firewall name LAN-to-WAN enable-default-log
set firewall name LAN-to-WAN rule 1 action 'accept'
set firewall name WAN-to-DMZ default-action 'drop'
set firewall name WAN-to-DMZ enable-default-log
set firewall name WAN-to-DMZ rule 1 action 'accept'
set firewall name WAN-to-DMZ rule 1 state established 'enable'
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name WAN-to-DMZ rule 10 description 'access to web'
set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name WAN-to-DMZ rule 10 destination port '80'
set firewall name WAN-to-DMZ rule 10 protocol 'tcp'
set firewall name WAN-to-DMZ rule 20 action 'accept'
set firewall name WAN-to-DMZ rule 20 description '.ssh ability'
set firewall name WAN-to-DMZ rule 20 destination address '172.16.50.4'
set firewall name WAN-to-DMZ rule 20 destination port '22'
set firewall name WAN-to-DMZ rule 20 protocol 'tcp'
set firewall name WAN-to-LAN default-action 'drop'
set firewall name WAN-to-LAN enable-default-log
set firewall name WAN-to-LAN rule 10 action 'accept'
set firewall name WAN-to-LAN rule 10 state established 'enable'
set firewall name WAN-to-LAN rule 10 state related 'enable'
set interfaces ethernet eth0 address '10.0.17.132/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
set interfaces ethernet eth0 hw-id '00:50:56:a1:3c:11'
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth1 description 'DMZ'
set interfaces ethernet eth1 hw-id '00:50:56:a1:27:b5'
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'LAN'
set interfaces ethernet eth2 hw-id '00:50:56:a1:f5:40'
set interfaces loopback lo
set nat destination rule 10 description 'HTTP->WEB01'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '172.16.50.3'
set nat destination rule 10 translation port '80'
set nat destination rule 20 description 'ssh to jump'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '172.16.50.4'
set nat destination rule 20 translation port '22'
set nat source rule 10 description 'NAT FROM DMZ to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 description 'NAT FROM DMZ to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.150.0/24'
set nat source rule 20 translation address 'masquerade'
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding listen-address '172.16.150.3'
set service dns forwarding listen-address '172.16.150.2'
set service dns forwarding system
set service ssh listen-address '172.16.150.2'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'fw1-East'
set system login user vyos authentication encrypted-password '$YUTCBnIl7XuxPfv7$UQXsMiDLSJsDs9mPJ2PQ.9IjjMks5MrKu6IlQRJsS.VIvkYeQXFvupJVrZMTQFYjkbTkRshVAYECJS337kHAS/'
set system login user vyos authentication plaintext-password ''
set system name-server '10.0.17.2'
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set zone-policy zone DMZ from LAN firewall name 'LAN-to-DMZ'
set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
set zone-policy zone DMZ interface 'eth1'
set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
set zone-policy zone LAN interface 'eth2'
set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone WAN interface 'eth0'