Project 1 Network Redundancy - LouisNajdek/sec440 GitHub Wiki

Project Demo Video


Reflections

I had never configured MFA, and it wasn't as bad as I thought it'd be to set up. I will definitely be using this feature on any system I set up in the future after seeing its ease of use. I had to get back into the swing of setting up the VyOS firewalls, which caused some slowdowns and re-reading of documentation, but overall I didn't have many issues. I understood the assignment to be setting up a redundant network through VRRP, and testing to make sure that it functions correctly.


Configurations

Vyos1 Configurations

configure

set interfaces ethernet eth0 address IP_ADDRESS
set interfaces ethernet eth0 description sec440-wan
set interfaces ethernet eth1 address IP_ADDRESS
set interfaces ethernet eth1 description sec440-lan
set protocols static route 0.0.0.0/0 next-hop IP_ADDRESS
set system name-server IP_ADDRESS

# Multi-word values must be quoted in the VyOS CLI
set nat source rule 10 description 'NAT FROM LAN TO DMZ'
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address LAN_NETWORK_ADDRESS
set nat source rule 10 translation address masquerade

set service dns forwarding listen-address LAN_IP_ADDRESS
set service dns forwarding allow-from LAN_NETWORK_ADDRESS

# WAN VRRP group; give the peer router a different priority so one side is elected master deterministically
set high-availability vrrp group Vyos vrid 10
set high-availability vrrp group Vyos interface eth0
set high-availability vrrp group Vyos virtual-address VIRTUAL_IP_ADDRESS
set high-availability vrrp group Vyos priority 100

# LAN VRRP group belongs on the LAN interface (eth1); two groups with the same vrid on one interface would collide
set high-availability vrrp group VyosLAN vrid 10
set high-availability vrrp group VyosLAN interface eth1
set high-availability vrrp group VyosLAN virtual-address VIRTUAL_IP_ADDRESS

# Each port forward needs its own rule number; a second "rule 10" would overwrite the first
set nat destination rule 10 description 'port forwarding http from wan to web01'
set nat destination rule 10 destination port 80
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address IP_ADDRESS_OF_WEBSERVER

set nat destination rule 20 description 'port forwarding ssh from wan to web01'
set nat destination rule 20 destination port 22
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address IP_ADDRESS_OF_WEBSERVER

commit
save

Vyos2 Configurations

configure

set interfaces ethernet eth0 address IP_ADDRESS
set interfaces ethernet eth0 description sec440-wan
set interfaces ethernet eth1 address IP_ADDRESS
set interfaces ethernet eth1 description sec440-lan
set protocols static route 0.0.0.0/0 next-hop IP_ADDRESS
set system name-server IP_ADDRESS

# Multi-word values must be quoted in the VyOS CLI
set nat source rule 10 description 'NAT FROM LAN TO DMZ'
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address LAN_NETWORK_ADDRESS
set nat source rule 10 translation address masquerade

set service dns forwarding listen-address LAN_IP_ADDRESS
set service dns forwarding allow-from LAN_NETWORK_ADDRESS

# WAN VRRP group; the same vrid and virtual address as on Vyos1, so the two routers form one group
set high-availability vrrp group Vyos vrid 10
set high-availability vrrp group Vyos interface eth0
set high-availability vrrp group Vyos virtual-address VIRTUAL_IP_ADDRESS
set high-availability vrrp group Vyos priority 100

# LAN VRRP group belongs on the LAN interface (eth1); two groups with the same vrid on one interface would collide
set high-availability vrrp group VyosLAN vrid 10
set high-availability vrrp group VyosLAN interface eth1
set high-availability vrrp group VyosLAN virtual-address VIRTUAL_IP_ADDRESS

commit
save
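Two of the mistakes that are easy to make in the Vyos1 and Vyos2 command lists above are accepted silently by the VyOS CLI: typing a second port forward with an already-used rule number (the later `set` lines overwrite the earlier ones, so only one forward survives `commit`) and giving two VRRP groups the same vrid on the same interface (their advertisements collide). The following checker is an added example, not part of the original wiki page or of VyOS itself; it reads a list of `set ...` commands and reports both conditions. The sample command lists it contains are constructed to show the broken and the corrected pattern, and the placeholder values are the page's own.

```python
"""Lint a list of VyOS 'set ...' commands for two mistakes the CLI accepts
silently: two NAT rules typed with the same rule number (later 'set' lines
overwrite the earlier ones, so only one forward survives) and two VRRP groups
that share a VRID on one interface (their advertisements collide)."""
import re
from collections import defaultdict

# Constructed sample (not a live config): the rule-number and VRID reuse pattern
BROKEN_CONFIG = """
set nat destination rule 10 description 'port forwarding http from wan to web01'
set nat destination rule 10 destination port 80
set nat destination rule 10 translation address IP_ADDRESS_OF_WEBSERVER
set nat destination rule 10 description 'port forwarding ssh from wan to web01'
set nat destination rule 10 destination port 22
set nat destination rule 10 translation address IP_ADDRESS_OF_WEBSERVER
set high-availability vrrp group Vyos vrid 10
set high-availability vrrp group Vyos interface eth0
set high-availability vrrp group VyosLAN vrid 10
set high-availability vrrp group VyosLAN interface eth0
"""

# Constructed sample with a distinct rule number per forward and the LAN group on eth1
FIXED_CONFIG = """
set nat destination rule 10 description 'port forwarding http from wan to web01'
set nat destination rule 10 destination port 80
set nat destination rule 10 translation address IP_ADDRESS_OF_WEBSERVER
set nat destination rule 20 description 'port forwarding ssh from wan to web01'
set nat destination rule 20 destination port 22
set nat destination rule 20 translation address IP_ADDRESS_OF_WEBSERVER
set high-availability vrrp group Vyos vrid 10
set high-availability vrrp group Vyos interface eth0
set high-availability vrrp group VyosLAN vrid 10
set high-availability vrrp group VyosLAN interface eth1
"""


def parse_set_lines(text):
    """Tokenize each 'set ...' line (without the leading 'set'); a quoted
    value such as 'port forwarding http ...' stays one token."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            rows.append(re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)[1:])
    return rows


def nat_rule_conflicts(rows):
    """Return (chain, rule-number) pairs for which the same leaf (for example
    'description' or 'destination port') was set to two different values:
    the signature of two rules typed with one rule number."""
    seen = defaultdict(dict)  # (chain, rule) -> {leaf path: {values}}
    for tok in rows:
        if len(tok) >= 5 and tok[0] == "nat" and tok[2] == "rule":
            leaf = " ".join(tok[4:-1])
            seen[(tok[1], tok[3])].setdefault(leaf, set()).add(tok[-1])
    return sorted(key for key, leaves in seen.items()
                  if any(len(values) > 1 for values in leaves.values()))


def vrrp_vrid_conflicts(rows):
    """Return ((interface, vrid), [group names]) for every interface/VRID pair
    claimed by more than one VRRP group."""
    groups = defaultdict(dict)  # group name -> {attribute: value}
    for tok in rows:
        if len(tok) == 6 and tok[:3] == ["high-availability", "vrrp", "group"]:
            groups[tok[3]][tok[4]] = tok[5]
    by_key = defaultdict(list)
    for name, attrs in groups.items():
        if "vrid" in attrs and "interface" in attrs:
            by_key[(attrs["interface"], attrs["vrid"])].append(name)
    return sorted((key, sorted(names)) for key, names in by_key.items()
                  if len(names) > 1)


def lint(text):
    rows = parse_set_lines(text)
    return {"nat_rule_conflicts": nat_rule_conflicts(rows),
            "vrrp_vrid_conflicts": vrrp_vrid_conflicts(rows)}


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg))
```

Run it against the text of the command list before pasting into `configure`; an empty result for both keys is what a redundant pair should produce. The check only sees what was typed, so it says nothing about whether the peer router uses the same vrid and virtual address, which has to be compared across both configurations by hand.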

Web01 SSH

Find the line in /etc/ssh/sshd_config and edit the line

PermitRootLogin yes

to read

PermitRootLogin no

Web01 MFA

I followed an online tutorial to do this (found here). The instructions were as follows:

1. Install the EPEL repository and the Google Authenticator PAM module:

   yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
   yum install google-authenticator

2. Run the setup tool as the user who will log in over SSH (it writes that user's secret to ~/.google_authenticator):

   google-authenticator

3. Edit /etc/pam.d/sshd and add the line:

   auth required pam_google_authenticator.so

4. Edit the SSH config file:

   vi /etc/ssh/sshd_config

   Enable 2-factor challenge-response authentication by updating to this line:

   ChallengeResponseAuthentication yes

5. Restart sshd:

   systemctl restart sshd
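The SSH and MFA steps above both depend on a detail of how sshd reads its config: for each keyword, the first value it encounters wins, so a `PermitRootLogin no` appended below an existing `PermitRootLogin yes` changes nothing, and the same goes for `ChallengeResponseAuthentication`. The checker below is an added example, not part of the wiki page or of OpenSSH; it reproduces that first-occurrence rule and reports whether the two settings from this page are actually in effect, and whether /etc/pam.d/sshd has the `auth required pam_google_authenticator.so` line uncommented. The sample file contents are constructed. The `UsePAM` check goes beyond the page: it is an OpenSSH requirement that PAM modules only run when `UsePAM yes` is set (the CentOS default), and the alias for `KbdInteractiveAuthentication` reflects OpenSSH 8.7 renaming the option.

```python
"""Check an sshd_config and the sshd PAM stack for the settings this page
changes: PermitRootLogin no and ChallengeResponseAuthentication yes.
sshd uses the FIRST value it reads for a keyword, so the parser keeps the
first occurrence and reports what sshd actually enforces."""
import re

# OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication; both spellings refer to the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed samples (not from the page): a file edited by appending, and a correct one
SSHD_BROKEN = """\
# constructed sample: the new values were appended below the old ones
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no
ChallengeResponseAuthentication yes
"""

SSHD_HARDENED = """\
PermitRootLogin no
ChallengeResponseAuthentication yes
UsePAM yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_google_authenticator.so
account    required     pam_nologin.so
"""


def effective_settings(text):
    """Return {keyword (lowercase): value (lowercase)} using sshd's
    first-occurrence rule. Only the global section counts: directives after
    a 'Match' line are conditional and are not considered here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.+)$", line)
        if not m:
            continue
        key = m.group(1).lower()
        key = ALIASES.get(key, key)
        if key == "match":
            break
        settings.setdefault(key, m.group(2).strip().lower())
    return settings


def sshd_findings(text):
    """List the settings from this page that are NOT in effect."""
    s = effective_settings(text)
    out = []
    if s.get("permitrootlogin") != "no":
        out.append("PermitRootLogin is %r, expected 'no'" % s.get("permitrootlogin"))
    if s.get("kbdinteractiveauthentication") != "yes":
        out.append("ChallengeResponseAuthentication is %r, expected 'yes'"
                   % s.get("kbdinteractiveauthentication"))
    # Known OpenSSH requirement beyond the page: PAM modules run only with UsePAM yes
    if s.get("usepam", "no") != "yes":
        out.append("UsePAM is not 'yes'; the pam_google_authenticator step would never run")
    return out


def pam_enforces_otp(text):
    """True if an uncommented 'auth' line makes pam_google_authenticator.so
    required (or requisite), so a missing code fails the login."""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        f = raw.split()
        if (len(f) >= 3 and f[0] == "auth" and f[1] in ("required", "requisite")
                and f[2].endswith("pam_google_authenticator.so")):
            return True
    return False


if __name__ == "__main__":
    print("broken:", sshd_findings(SSHD_BROKEN))
    print("hardened:", sshd_findings(SSHD_HARDENED))
    print("pam ok:", pam_enforces_otp(PAM_SSHD))
```

To use it on the real files, pass the contents of /etc/ssh/sshd_config to `sshd_findings` and of /etc/pam.d/sshd to `pam_enforces_otp`; an empty findings list plus `True` means the edits on this page took effect. On a live host, `sshd -T` prints the effective values directly and is the authoritative check once sshd has been restarted.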