SEC 350 Assessment Prep - DefiantCoder/Tech-Journals GitHub Wiki
Firewall Config fw01
- Deliverable 1 fw config code
# Deliverable 1: fw01's rulesets as captured with `show configuration commands`
# (the grep -v list strips the sections that are not part of the deliverable).
show configuration commands | grep -v "syslog global\|ntp\|login\|console\|config\|hw-id\|loopback\|conntrack"
# NOTE(review): 'DMZ-toWAN', 'LAN-toDMZ' and 'WAN-to_DMZ' are misspelled leftovers of the
# DMZ-to-WAN / LAN-to-DMZ / WAN-to-DMZ rulesets. The zone-policy at the end never references
# them, so they enforce nothing; delete them so the listing shows only the active policy.
set firewall name DMZ-toWAN rule 1 action 'accept'
set firewall name DMZ-toWAN rule 1 state established 'enable'
# DMZ -> LAN: return traffic plus the Wazuh agent -> manager connection (tcp 1514,1515).
set firewall name DMZ-to-LAN default-action 'drop'
set firewall name DMZ-to-LAN enable-default-log
set firewall name DMZ-to-LAN rule 1 action 'accept'
set firewall name DMZ-to-LAN rule 1 state established 'enable'
set firewall name DMZ-to-LAN rule 10 action 'accept'
set firewall name DMZ-to-LAN rule 10 description 'wazuh agent communications with wazuh server'
set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
set firewall name DMZ-to-LAN rule 10 destination port '1514,1515'
set firewall name DMZ-to-LAN rule 10 protocol 'tcp'
# DMZ -> WAN: return traffic, and web01 (172.16.50.3) may initiate anything outbound (no port limit).
set firewall name DMZ-to-WAN default-action 'drop'
set firewall name DMZ-to-WAN enable-default-log
set firewall name DMZ-to-WAN rule 1 action 'accept'
set firewall name DMZ-to-WAN rule 1 state established 'enable'
set firewall name DMZ-to-WAN rule 999 action 'accept'
set firewall name DMZ-to-WAN rule 999 source address '172.16.50.3'
# Unbound leftover (see note above): an any-source port-22 accept with no default-action.
set firewall name LAN-toDMZ rule 10 action 'accept'
set firewall name LAN-toDMZ rule 10 destination port '22'
set firewall name LAN-toDMZ rule 10 protocol 'tcp'
# LAN -> DMZ: return traffic, HTTP from the whole LAN to web01, SSH into the DMZ only from mgmt01 (172.16.150.10).
set firewall name LAN-to-DMZ default-action 'drop'
set firewall name LAN-to-DMZ enable-default-log
set firewall name LAN-to-DMZ rule 1 action 'accept'
set firewall name LAN-to-DMZ rule 1 state established 'enable'
set firewall name LAN-to-DMZ rule 10 action 'accept'
set firewall name LAN-to-DMZ rule 10 description 'Allow LAN access to web01'
set firewall name LAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name LAN-to-DMZ rule 10 destination port '80'
set firewall name LAN-to-DMZ rule 10 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 action 'accept'
set firewall name LAN-to-DMZ rule 20 description 'allow from mgmt'
set firewall name LAN-to-DMZ rule 20 destination address '172.16.50.0/29'
set firewall name LAN-to-DMZ rule 20 destination port '22'
set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 source address '172.16.150.10'
# LAN -> WAN: rule 1 has no match criteria, so it is a catch-all accept for LAN-initiated traffic.
set firewall name LAN-to-WAN default-action 'drop'
set firewall name LAN-to-WAN enable-default-log
set firewall name LAN-to-WAN rule 1 action 'accept'
# Unbound leftover (see note above).
set firewall name WAN-to_DMZ default-action 'drop'
set firewall name WAN-to_DMZ enable-default-log
# WAN -> DMZ: return traffic, HTTP to web01, SSH to jump (172.16.50.4). The rules match the
# post-DNAT destination addresses set by the NAT destination rules further down.
set firewall name WAN-to-DMZ default-action 'drop'
set firewall name WAN-to-DMZ enable-default-log
set firewall name WAN-to-DMZ rule 1 action 'accept'
set firewall name WAN-to-DMZ rule 1 state established 'enable'
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name WAN-to-DMZ rule 10 description 'Allow HTTP from WAN to DMZ'
set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name WAN-to-DMZ rule 10 destination port '80'
set firewall name WAN-to-DMZ rule 10 protocol 'tcp'
set firewall name WAN-to-DMZ rule 20 action 'accept'
set firewall name WAN-to-DMZ rule 20 description 'Allow ssh into jump'
set firewall name WAN-to-DMZ rule 20 destination address '172.16.50.4'
set firewall name WAN-to-DMZ rule 20 destination port '22'
set firewall name WAN-to-DMZ rule 20 protocol 'tcp'
# NOTE(review): rule 30 is an exact duplicate of rule 20 (same destination, port and protocol).
set firewall name WAN-to-DMZ rule 30 action 'accept'
set firewall name WAN-to-DMZ rule 30 description 'Allow WAN to ssh into jump'
set firewall name WAN-to-DMZ rule 30 destination address '172.16.50.4'
set firewall name WAN-to-DMZ rule 30 destination port '22'
set firewall name WAN-to-DMZ rule 30 protocol 'tcp'
# NOTE(review): rule 999 accepts anything entering from the WAN zone whose *source* is web01's
# DMZ address. The description shows it was meant for DMZ-to-WAN (where rule 999 already
# exists); here it can only admit packets with a spoofed internal source and should be removed.
set firewall name WAN-to-DMZ rule 999 action 'accept'
set firewall name WAN-to-DMZ rule 999 description 'Allow web01 traffic to WAN'
set firewall name WAN-to-DMZ rule 999 source address '172.16.50.3'
# NOTE(review): WAN -> LAN rule 1 has no 'state established' match, so it accepts every
# WAN-initiated packet into the LAN and the logged default-action drop is never reached.
# Deliverable 2 corrects this by adding `state established 'enable'` to the rule.
set firewall name WAN-to-LAN default-action 'drop'
set firewall name WAN-to-LAN enable-default-log
set firewall name WAN-to-LAN rule 1 action 'accept'
# fw01 interfaces: eth0 = WAN, eth1 = DMZ (172.16.50.0/29), eth2 = LAN (172.16.150.0/24).
# The eth1/eth2 addresses are the gateways the DMZ and LAN hosts point at, and the only
# addresses the DNS forwarder and SSH listen on below.
set interfaces ethernet eth0 address '10.0.17.112/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth1 description 'ADAM-DMZ'
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'ADAM-LAN'
# Destination NAT on the WAN interface: publishes web01 (tcp/80) and jump (tcp/22) on eth0's
# address. DNAT alone admits nothing; the WAN-to-DMZ rules 10 and 20, which match the
# translated addresses, decide what is accepted.
set nat destination rule 10 description 'HTTP->WEB01'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '172.16.50.3'
set nat destination rule 10 translation port '80'
set nat destination rule 20 description 'SSH to jump'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '172.16.50.4'
set nat destination rule 20 translation port '22'
# Source NAT: masquerade the DMZ, LAN and MGMT ranges behind eth0 on the way out.
set nat source rule 10 description 'NAT FROM DMZ to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 description 'NAT FROM LAN to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.150.0/24'
set nat source rule 20 translation address 'masquerade'
# NOTE(review): 172.16.200.0/28 is not on any interface above; presumably it sits behind
# eth2 and is learned via RIP — confirm a route back to it exists, or rule 30 never matches.
set nat source rule 30 description 'NAT FROM MGMT to WAN'
set nat source rule 30 outbound-interface 'eth0'
set nat source rule 30 source address '172.16.200.0/28'
set nat source rule 30 translation address 'masquerade'
# Routing: RIP on the LAN-facing eth2, with the DMZ prefix as the advertised network;
# default route to the WAN gateway.
# NOTE(review): `network` presumably also enables RIP on eth1 (it falls inside 172.16.50.0/29);
# confirm the DMZ interface is not speaking RIP — a passive-interface setting would close that.
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
# DNS forwarder: answers only DMZ and LAN clients, on the inside addresses only (nothing on eth0),
# using the system name-server upstream.
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding listen-address '172.16.150.2'
set service dns forwarding system
# Management SSH is bound to the LAN address only, so it is unreachable from the WAN and the DMZ.
set service ssh listen-address '172.16.150.2'
set system host-name 'fw01-adam'
set system name-server '10.0.17.2'
# Zone policy: each of the six zone pairs has its own ruleset, so no direction falls back to
# the implicit inter-zone drop. The misspelled rulesets (DMZ-toWAN, LAN-toDMZ, WAN-to_DMZ)
# are not referenced here and therefore never apply.
set zone-policy zone DMZ from LAN firewall name 'LAN-to-DMZ'
set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
set zone-policy zone DMZ interface 'eth1'
set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
set zone-policy zone LAN interface 'eth2'
set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone WAN interface 'eth0'
- Deliverable 2
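# Bootstrap on edge01 (configure mode): make SSH reachable on any address and give eth0 its
# WAN address so the prepared config can be pushed over the network.
# NOTE(review): while this is in place edge01's SSH is exposed on the WAN with the stock
# 'vyos' credentials — keep the window short; the last two lines of vyos_config revert it.
set service ssh listen-address '0.0.0.0'
set interfaces ethernet eth0 address '10.0.17.112/24'
# On the admin host: fetch the prepared config and copy it to edge01. Review the fetched file
# before loading it — everything in it is applied to the firewall.
# The login/host of the scp target were lost in the wiki export (most likely the 'vyos' user
# and the eth0 address above); fill them in.
wget -O vyos_config "https://raw.githubusercontent.com/ChampPG/Tech-Journals/main/SEC-350/Assessment%20Prep/vyos_config"
scp vyos_config <vyos-user>@<edge01-wan-ip>:
# Back on edge01: apply and persist.
# NOTE(review): `load` expects a file in config.boot syntax; if vyos_config holds `set ...`
# lines as listed below, source it from configure mode instead — confirm on the target version.
configure
load vyos_config
commit
save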
# vyos_config, part 1: identity, default route and management access.
set system host-name 'edge01-adam'
set system name-server '10.0.17.2'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
# Wide-open listen address used only while bootstrapping (reverted by the two lines at the end).
set service ssh listen-address '0.0.0.0'
# NOTE(review): vyos_config is fetched from a public repository (see the wget above), so keep
# the real password out of the committed file; VyOS stores it hashed after commit, but the
# source file stays plaintext.
set system login user vyos authentication plaintext-password <Password>
# Apply the two lines below last, after reachability via the LAN (eth2, 172.16.150.2) is
# confirmed: they bind SSH to the LAN address only and so cut off the WAN-side session used
# for bootstrapping.
del service ssh listen-address '0.0.0.0'
set service ssh listen-address '172.16.150.2'
# vyos_config, part 2: interfaces (same addressing as fw01: eth0 WAN, eth1 DMZ, eth2 LAN).
# NOTE(review): the third NIC has to be added in vCenter first (see the assessment notes at
# the end of the page) or eth2 will not exist when this commits.
set interfaces ethernet eth0 address '10.0.17.112/24'
set interfaces ethernet eth0 description 'SEC350-WAN'
set interfaces ethernet eth1 address '172.16.50.2/29'
set interfaces ethernet eth1 description 'ADAM-DMZ'
set interfaces ethernet eth2 address '172.16.150.2/24'
set interfaces ethernet eth2 description 'ADAM-LAN'
# vyos_config, part 3: zone policy. One ruleset per direction for all six zone pairs; every
# referenced name is defined in the firewall section at the end of the file.
set zone-policy zone DMZ from LAN firewall name 'LAN-to-DMZ'
set zone-policy zone DMZ from WAN firewall name 'WAN-to-DMZ'
set zone-policy zone DMZ interface 'eth1'
set zone-policy zone LAN from DMZ firewall name 'DMZ-to-LAN'
set zone-policy zone LAN from WAN firewall name 'WAN-to-LAN'
set zone-policy zone LAN interface 'eth2'
set zone-policy zone WAN from DMZ firewall name 'DMZ-to-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-to-WAN'
set zone-policy zone WAN interface 'eth0'
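# vyos_config, part 4: DNS forwarder for the inside zones. Answer only DMZ and LAN clients,
# listen only on the interface addresses facing them (nothing on eth0), and forward to the
# system name-server. The original listing repeated each of these lines twice; `set` is
# idempotent, so the duplicates changed nothing and are dropped here.
set service dns forwarding allow-from '172.16.50.0/29'
set service dns forwarding allow-from '172.16.150.0/24'
set service dns forwarding listen-address '172.16.50.2'
set service dns forwarding listen-address '172.16.150.2'
set service dns forwarding system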
# vyos_config, part 5: RIP on the LAN-facing eth2, with the DMZ prefix as the advertised network.
# NOTE(review): `network` presumably also enables RIP on eth1 (it falls inside 172.16.50.0/29);
# confirm the DMZ interface is not speaking RIP — a passive-interface setting would close that.
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
# vyos_config, part 6: NAT. Source NAT masquerades the DMZ, MGMT and LAN ranges behind eth0.
# NOTE(review): 172.16.200.0/28 is not on any interface; presumably it sits behind eth2 and
# is learned via RIP — confirm a route back to it exists, or rule 30 never matches.
set nat source rule 10 description 'NAT FROM DMZ to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.50.0/29'
set nat source rule 10 translation address 'masquerade'
set nat source rule 30 description 'NAT FROM MGMT to WAN'
set nat source rule 30 outbound-interface 'eth0'
set nat source rule 30 source address '172.16.200.0/28'
set nat source rule 30 translation address 'masquerade'
set nat source rule 20 description 'NAT FROM LAN to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '172.16.150.0/24'
set nat source rule 20 translation address 'masquerade'
# Destination NAT on eth0 publishes nginx01 (tcp/80) and jump (tcp/22). DNAT alone admits
# nothing; the WAN-to-DMZ rules 10 and 20 (matching the translated addresses) do.
set nat destination rule 10 description 'WAN HTTP to NGINX'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '172.16.50.3'
set nat destination rule 10 translation port '80'
set nat destination rule 20 description 'WAN to JUMP'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '172.16.50.4'
set nat destination rule 20 translation port '22'
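# vyos_config, part 7: zone rulesets. Rules are evaluated in number order; rule 1 of each
# stateful direction admits return traffic and everything unmatched hits the logged default drop.
# A stray "ash" token that sat between the DMZ-to-LAN header and its rules in the original
# listing is dropped here: it is not a VyOS command.
# DMZ -> LAN: return traffic plus the Wazuh agent -> manager connection (tcp 1514-1515).
set firewall name DMZ-to-LAN default-action 'drop'
set firewall name DMZ-to-LAN enable-default-log
set firewall name DMZ-to-LAN rule 1 action 'accept'
set firewall name DMZ-to-LAN rule 1 state established 'enable'
set firewall name DMZ-to-LAN rule 10 action 'accept'
set firewall name DMZ-to-LAN rule 10 description 'wazuh agent communications with wazuh server'
set firewall name DMZ-to-LAN rule 10 destination address '172.16.200.10'
set firewall name DMZ-to-LAN rule 10 destination port '1514-1515'
set firewall name DMZ-to-LAN rule 10 protocol 'tcp'
# DMZ -> WAN: return traffic only, unless rule 999 is kept.
set firewall name DMZ-to-WAN default-action 'drop'
set firewall name DMZ-to-WAN enable-default-log
set firewall name DMZ-to-WAN rule 1 action 'accept'
set firewall name DMZ-to-WAN rule 1 state established 'enable'
# Only if nginx01 needs outbound access (package installs): lets 172.16.50.3 initiate
# anything towards the WAN. If it has to stay, narrow it to the ports actually needed.
set firewall name DMZ-to-WAN rule 999 action 'accept'
set firewall name DMZ-to-WAN rule 999 source address '172.16.50.3'
# LAN -> DMZ: return traffic, HTTP from the whole LAN to nginx01, SSH into the DMZ only from mgmt01.
set firewall name LAN-to-DMZ default-action 'drop'
set firewall name LAN-to-DMZ enable-default-log
set firewall name LAN-to-DMZ rule 1 action 'accept'
set firewall name LAN-to-DMZ rule 1 state established 'enable'
set firewall name LAN-to-DMZ rule 10 action 'accept'
set firewall name LAN-to-DMZ rule 10 description 'Allow HTTP from LAN to NGINX'
set firewall name LAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name LAN-to-DMZ rule 10 destination port '80'
set firewall name LAN-to-DMZ rule 10 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 action 'accept'
set firewall name LAN-to-DMZ rule 20 description 'ssh from mgmt01 to DMZ'
set firewall name LAN-to-DMZ rule 20 destination address '172.16.50.0/29'
set firewall name LAN-to-DMZ rule 20 destination port '22'
set firewall name LAN-to-DMZ rule 20 protocol 'tcp'
set firewall name LAN-to-DMZ rule 20 source address '172.16.150.10'
# LAN -> WAN: rule 1 has no match criteria, so it is a catch-all accept for LAN-initiated traffic.
set firewall name LAN-to-WAN default-action 'drop'
set firewall name LAN-to-WAN enable-default-log
set firewall name LAN-to-WAN rule 1 action 'accept'
# WAN -> LAN: return traffic only (the 'state established' match fw01's version lacked).
set firewall name WAN-to-LAN default-action 'drop'
set firewall name WAN-to-LAN enable-default-log
set firewall name WAN-to-LAN rule 1 action 'accept'
set firewall name WAN-to-LAN rule 1 state established 'enable'
# WAN -> DMZ: return traffic, HTTP to nginx01 and SSH to jump. Both rules match the
# post-DNAT destination addresses set by the NAT destination rules.
set firewall name WAN-to-DMZ default-action 'drop'
set firewall name WAN-to-DMZ enable-default-log
set firewall name WAN-to-DMZ rule 1 action 'accept'
set firewall name WAN-to-DMZ rule 1 state established 'enable'
set firewall name WAN-to-DMZ rule 10 action 'accept'
set firewall name WAN-to-DMZ rule 10 description 'Allow HTTP from WAN to DMZ'
set firewall name WAN-to-DMZ rule 10 destination address '172.16.50.3'
set firewall name WAN-to-DMZ rule 10 destination port '80'
set firewall name WAN-to-DMZ rule 10 protocol 'tcp'
set firewall name WAN-to-DMZ rule 20 action 'accept'
set firewall name WAN-to-DMZ rule 20 description 'Allow SSH from WAN to DMZ'
set firewall name WAN-to-DMZ rule 20 destination address '172.16.50.4'
set firewall name WAN-to-DMZ rule 20 destination port '22'
set firewall name WAN-to-DMZ rule 20 protocol 'tcp'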
# On traveler (elevated PowerShell): create the named local administrator, then rename the
# box; -Restart reboots immediately, so the network steps below are run after logging back in.
$Password = Read-Host -AsSecureString
$newUser = @{
  Name        = 'adam'
  Password    = $Password
  FullName    = 'adam'
  Description = 'Hello'
}
New-LocalUser @newUser
Add-LocalGroupMember -Group 'Administrators' -Member 'adam'
Rename-Computer -NewName 'traveler-adam' -Restart
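#SET Network
# Look up the WAN NIC's ifIndex and use it for <IfIndex> in both commands below.
Get-Netadapter
# traveler's WAN address (the same 10.0.17.12 the key-transfer script later connects to).
New-NetIPAddress -InterfaceIndex <IfIndex> -IPAddress 10.0.17.12 -PrefixLength 24 -DefaultGateway 10.0.17.2
# The requirements below also call for DNS 10.0.17.2; New-NetIPAddress does not set a resolver.
Set-DnsClientServerAddress -InterfaceIndex <IfIndex> -ServerAddresses 10.0.17.2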
-
IP: 19.9.17.12
- Subnet /24
- Default Gateway: 10.0.17.2
- DNS: 10.0.17.2
-
Run as Admin:
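# Install OpenSSH Server (skipped when the capability is already present), then start it now
# and at boot. The host key under C:\ProgramData\ssh only appears after sshd's first start,
# so its presence is not a reliable "already installed" signal; ask the capability state instead.
$sshCap = Get-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
if ($sshCap.State -ne 'Installed') {
  Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
}
# Start now and on startup
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic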
- Run as User:
# Generate Keys (as the traveler user, in the directory that should hold them).
# Writes ssh-keys (the private key, which stays on traveler) and ssh-keys.pub (the file
# mgmt01 fetches below). Without -t the tool's default key type is used; consider
# `-t ed25519` and a passphrase.
ssh-keygen.exe -f .\ssh-keys
- MGMT pass keys to jump
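#!/bin/bash
# Run on mgmt01: fetch traveler's public key (generated on the Windows box with ssh-keygen)
# and install it in authorized_keys of the jump-host account traveler will log in as.
set -euo pipefail

WINDOWSUSER="adam"
WINDOWSIP="10.0.17.12"
JUMPUSER="adam-jump"   # account traveler will log in to jump as
JUMPIP="172.16.50.4"
JUMPADMIN="adam"       # sudo-capable account used to install the key (was hard-coded below)

# Only the public half leaves traveler; nothing here touches the private key.
sftp "${WINDOWSUSER}@${WINDOWSIP}:ssh-keys.pub"
scp ssh-keys.pub "${JUMPADMIN}@${JUMPIP}:travel.pub"

# -t allocates a tty so sudo can prompt (feeding `sudo -i` from a here-doc only works with
# NOPASSWD). The key is appended as JUMPUSER with umask 077, which gives sshd the modes it
# requires (700 for ~/.ssh, 600 for authorized_keys) without a root-owned file to fix up;
# the staged copy is removed afterwards.
ssh -t "${JUMPADMIN}@${JUMPIP}" "
  sudo -H -u '${JUMPUSER}' sh -c 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < '/home/${JUMPADMIN}/travel.pub' &&
  rm -f '/home/${JUMPADMIN}/travel.pub'
"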
# On nginx01, logged in with the pre-existing champuser account: create the named admin
# user, set the hostname and reboot.
sudo adduser adam
sudo usermod -aG sudo adam
sudo hostnamectl set-hostname nginx-adam
# The reboot ends this session; the deluser below is run after logging back in as adam.
sudo reboot
# Remove the shared default account only after the adam login and sudo have been verified —
# otherwise this is the step that locks you out.
sudo deluser champuser
#Set Networking
# If nmtui: enter these values for the DMZ interface (gateway and DNS are edge01's eth1
# address; the prefix is /29, as in the netplan variant below).
nmtui
#Address = 172.16.50.3
#Gateway = 172.16.50.2
#DNS Server = 172.16.50.2
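# If Netplan: write the static DMZ config as root and validate it with `netplan try`.
# The redirection in the original ran as the login user, so `>` into /etc/netplan failed with
# permission denied; the key was also misspelled ("namerservers"), which netplan rejects.
# NOTE(review): newer netplan deprecates gateway4 in favour of `routes: [{to: default, via: ...}]`
# — check the version on the box if it warns.
sudo tee /etc/netplan/00-installer-config.yaml >/dev/null << 'EOM'
network:
  version: 2
  ethernets:
    <adapter>:
      addresses: [172.16.50.3/29]
      gateway4: 172.16.50.2
      nameservers:
        addresses: [172.16.50.2]
EOM
sudo netplan try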
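# Install nginx and publish the custom page the assessment asks for.
sudo apt update
sudo apt install nginx -y
cd /var/www/html
# /var/www/html is root-owned, so the page has to be written through sudo; the original
# `touch`/`>` ran as the login user and failed with permission denied.
sudo tee index.html >/dev/null << 'EOM'
Adam L nginx
EOM
sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status nginx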
- MGMT
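# From mgmt01: stage the agent package on nginx01. The login/host of the target were lost in
# the wiki export (nginx01 is 172.16.50.3 per its netplan config above; mgmt01 -> DMZ on 22 is
# what LAN-to-DMZ rule 20 allows). Fill them in.
scp wazuh-agent-4.3.10.deb <user>@<nginx01-ip>: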
On NGINX
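# On nginx01: install the agent, enrolling it with the Wazuh manager in the MGMT range and
# putting it in the 'linux' group (DMZ-to-LAN rule 10 permits tcp 1514-1515 to 172.16.200.10).
# The original line had a doubled "sudo WAZUH_MA" prefix, which made sudo look for a command
# named WAZUH_MAsudo; the environment assignments must follow sudo directly.
sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' dpkg -i ./wazuh-agent-4.3.10.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent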
# On dhcp01, logged in with the pre-existing champuser account: create the named admin
# user, set the hostname and reboot.
sudo adduser adam
sudo usermod -aG sudo adam
sudo hostnamectl set-hostname dhcp-adam
# The reboot ends this session; the deluser below is run after logging back in as adam.
sudo reboot
# Remove the shared default account only after the adam login and sudo have been verified —
# otherwise this is the step that locks you out.
sudo deluser champuser
#Set Networking
# If nmtui: enter these values for the LAN interface (gateway and DNS are edge01's eth2
# address; the prefix is /24, as in the netplan variant below).
nmtui
#Address = 172.16.150.5
#Gateway = 172.16.150.2
#DNS Server = 172.16.150.2
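# If Netplan: write the static LAN config as root and validate it with `netplan try`.
# The redirection in the original ran as the login user, so `>` into /etc/netplan failed with
# permission denied; the key was also misspelled ("namerservers"), which netplan rejects.
# NOTE(review): newer netplan deprecates gateway4 in favour of `routes: [{to: default, via: ...}]`
# — check the version on the box if it warns.
sudo tee /etc/netplan/00-installer-config.yaml >/dev/null << 'EOM'
network:
  version: 2
  ethernets:
    <adapter>:
      addresses: [172.16.150.5/24]
      gateway4: 172.16.150.2
      nameservers:
        addresses: [172.16.150.2]
EOM
sudo netplan try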
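# Install the ISC DHCP server and hand out the .100-.150 pool on the LAN, pointing clients
# at edge01's eth2 address for both routing and DNS.
sudo apt update
sudo apt install isc-dhcp-server -y
FILE="/etc/dhcp/dhcpd.conf"
# Keep the packaged config for reference. /etc/dhcp is root-owned, so the copy and the
# write below both need sudo (a bare `>` redirect runs as the login user and fails).
sudo cp -- "$FILE" "${FILE}.backup"
sudo tee "$FILE" >/dev/null << 'EOM'
subnet 172.16.150.0 netmask 255.255.255.0 {
  option routers 172.16.150.2;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 172.16.150.2;
  range 172.16.150.100 172.16.150.150;
  default-lease-time 3600;
  max-lease-time 14400;
}
EOM
# NOTE(review): on Ubuntu the daemon only serves the interfaces named in INTERFACESv4= in
# /etc/default/isc-dhcp-server — confirm it points at the LAN NIC if the service fails to start.
sudo systemctl enable isc-dhcp-server
sudo systemctl start isc-dhcp-server
sudo systemctl status isc-dhcp-server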
- MGMT
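# From mgmt01: stage the agent package on dhcp01. The login/host of the target were lost in
# the wiki export (dhcp01 is 172.16.150.5 per its netplan config above). Fill them in.
scp wazuh-agent-4.3.10.deb <user>@<dhcp01-ip>: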
- On dhcp01
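# On dhcp01: install the agent, enrolling it with the Wazuh manager in the MGMT range and
# putting it in the 'linux' group.
# The original line had a doubled "sudo WAZUH_MA" prefix, which made sudo look for a command
# named WAZUH_MAsudo; the environment assignments must follow sudo directly.
sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' dpkg -i ./wazuh-agent-4.3.10.deb
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent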
- For the assessment, you will be given a 3 zone network to configure that consists of:
- traveler. A WAN based road warrior user running Windows 10. (this replaces the linux rw01)
- edge01. A VyOS firewall with three interfaces (WAN, DMZ, LAN). You will need to add an interface using vCenter. (this replaces fw01)
- nginx01. A DMZ based nginx web server running Ubuntu (this replaces web01 and apache)
- dhcp01. A LAN based dhcp server running Ubuntu
- All systems should have an accurate hostname.
- All Linux systems should have a named sudo or administrator user.
- The two new Ubuntu systems do not have a host firewall enabled; this is OK (for now).
- wks1, mgmt01 should be able to surf the internet.
- wks1, mgmt01 should be able to navigate to nginx01
- mgmt01 should be able to ssh to nginx01
- nginx01 and dhcp01 should have wazuh agents installed and be able to connect to wazuh
- nginx01 should have a custom web page (practice this on jump)
- traveler should be able to get to nginx01's custom test page by navigating to edge01's WAN IP address.
- traveler should be able to perform ssh key-based authentication with jump. Traveler is a Windows box, but ssh in PowerShell is nearly exactly the same as on Linux, including key generation. You will need to add a new public key to authorized_keys.
- dhcp01 should serve a pool of dhcp addresses to the LAN from .100 to .150.
- WKS1 should use dhcp addressing