Project 1 Network Redundancy - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

This page journals content related to SEC-440 project 1.


I save my Vyos configs for this project according to my Vyos page.

Basic xubuntu-wan and Vyos1 setup

First I reset my password on xubuntu-wan with passwd in the terminal as the champuser user.

Then I made an "oliver.mustoe" user with the following commands and re-logged in as that user:

adduser olivermustoe
usermod -aG sudo olivermustoe

Then, using "Network" > "Edit Connections", I selected "Wired connection 1" and the gear icon to edit > went into "IPv4 Settings" > changed the "Method" to "Manual" and set the following settings AND PRESSED SAVE:

Then on vyos1 I logged in and set the vyos user password with:

configure
set system login user vyos authentication plaintext-password {SECURE_PASS}
commit
save

Then I set the WAN IP in eth0 on vyos1 with:

configure
set interfaces ethernet eth0 address 10.0.17.26/24
commit
save

Then from xubuntu-wan I SSH'd into vyos1:

After this I exited the SSH session and set up Google Remote Desktop on xubuntu-wan by:

  1. Opening Google Chrome and signing into my Champlain account

  2. Going to "remotedesktop.google.com/access" and clicking the blue download button under "Set up remote access"

  3. Clicking the "Add to Chrome" button and accepting the popup

  4. Setting the name to "440-xubuntu-wan" and setting a PIN

After this I signed out of my olivermustoe account > opened up a remote desktop link on my main PC > accessed xubuntu-wan using my PIN:

Here I would also set the hostname to "xubuntuwan-oliver":

sudo hostnamectl set-hostname "xubuntuwan-oliver"

Basic setup reflection

This step was my first experience back at Champlain in the cyber classroom and felt like stretching old muscles. As you will see throughout this lab, some things (especially Vyos-related items) could have been put together and not done separately. This includes this step, as I went back and forth between the xubuntu-wan setup and vyos1. I took time here to install Chrome Remote Desktop as it was super important later: with the Vyos commands I could easily copy and paste between my reference page and the lab, which made for a faster experience. Doing the basics was good, but it was time to set up the Vyos boxes.

Vyos1 setup

After the basic setup, I restarted an SSH session from xubuntu-wan and ran the following commands to set up the LAN Ethernet adapter, gateway of last resort, and the name server.

configure
set system host-name vyos1-oliver
set interfaces ethernet eth0 description 'CYBER'
set interfaces ethernet eth1 address 10.0.5.2/24
set interfaces ethernet eth1 description 'LAN'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit

Then I created an 'olivermustoe' user:

configure
set system login user olivermustoe full-name "olivermustoe"
set system login user olivermustoe authentication plaintext-password '<PASSWORD_HERE>'
commit

Then I re-SSH'd as that user:

Vyos2 and OPT network segment setup

Then I set up vyos2 in the same way I set up vyos1 with the following commands (changes to IPs and hostname compared to vyos1):

configure
set system login user vyos authentication plaintext-password {SECURE_PASS}
set interfaces ethernet eth0 address 10.0.17.86/24
set system host-name vyos2-oliver
set interfaces ethernet eth0 description 'CYBER'
set interfaces ethernet eth1 address 10.0.5.3/24
set interfaces ethernet eth1 description 'LAN'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
set system login user olivermustoe full-name "olivermustoe"
set system login user olivermustoe authentication plaintext-password '<PASSWORD_HERE>'
commit

Then on vyos1 I set up the OPT interface:

configure
set interfaces ethernet eth2 description 'OPT'
set interfaces ethernet eth2 address 10.0.6.2/24
commit

Then on vyos2 I set up the OPT interface:

configure
set interfaces ethernet eth2 description 'OPT'
set interfaces ethernet eth2 address 10.0.6.3/24
commit

VRRP setup

Then I ran the following on both vyos boxes to enable VRRP for WAN, LAN, and OPT using my WAN ID/group name:

configure
set high-availability vrrp group wangroup16 vrid 166
set high-availability vrrp group wangroup16 interface eth0
set high-availability vrrp group wangroup16 address 10.0.17.116/24
set high-availability vrrp group langroup0 vrid 10
set high-availability vrrp group langroup0 interface eth1
set high-availability vrrp group langroup0 address 10.0.5.1/24
set high-availability vrrp group optgroup0 vrid 20
set high-availability vrrp group optgroup0 interface eth2
set high-availability vrrp group optgroup0 address 10.0.6.1/24
commit

NOTE: It is recommended to also set up priority (see "Vyos priority setting"), but I did not set it up until the end of the lab; the priority section also includes a screenshot of what the Vyos VRRP settings should look like.

Vyos priority setting

As the last thing in this lab I set up the priorities, BUT as it shouldn't affect any of the next steps besides the virtual IPs always residing on one vyos box, I have decided to put it here instead of at the end.

On vyos1 I set the priority to 200:

configure
set high-availability vrrp group wangroup16 priority 200
set high-availability vrrp group langroup0 priority 200
set high-availability vrrp group optgroup0 priority 200
commit

And I set the priority on vyos2 to 100:

configure
set high-availability vrrp group wangroup16 priority 100
set high-availability vrrp group langroup0 priority 100
set high-availability vrrp group optgroup0 priority 100
commit

This would ensure that vyos1 would always have priority over vyos2 and would take over the virtual IPs again if it were restarted.

I would also save my Vyos configs for 9-6-23 according to my Vyos page.

Vyos setup reflection

I am doing a reflection on both boxes' setups as they are effectively mirror reflections of one another. The setup was not hard, as I have a strong reference page in my wiki and with Chrome Remote Desktop I can create commands that work for one Vyos box > change some box-specific details > copy them to the next box. I also set up VRRP in this step as I was around another student who set it up and it did not take them any time at all. Seeing this I looked at the docs and was able to very quickly do the same. I am glad I did, as the Vyos configs I did during the lab would not have to be changed to accommodate VRRP. I did miss setting up priority here, which would cause me some minor pain later, but at the end of the lab I made sure to add this to the journal. I placed it before it happened chronologically as I felt that it should have happened here instead of at the end. Some other Vyos configuration is done in later steps to accommodate certain things (NAT and DNS), but for the most part both Vyos boxes were done and it was time to start on the LAN.

Xubuntu-lan setup

On xubuntu-lan I took the same steps as xubuntu-wan:

  1. Set up a new sudo user "olivermustoe" and changed champuser's password

  2. Set the IP to the following:

  3. Set the hostname to "xubuntulan-oliver" in the same way I set it for xubuntu-wan

Then on each vyos I set up NAT and DNS forwarding:

configure
set nat source rule 10 description "LAN to CYBER"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.5.0/24
set nat source rule 10 translation address masquerade
set service dns forwarding listen-address 10.0.5.1
set service dns forwarding allow-from 10.0.5.0/24
set service dns forwarding system
commit

I would also add Google Remote Desktop to my xubuntu-lan in the same way I did for xubuntu-wan.

Web01 setup

I logged into web01 and used the nmtui command to set up my networking like the following under "Edit a connection" > the first and only connection available, "ens192":

And I set the hostname the same way I did for the xubuntu machines:

sudo hostnamectl set-hostname "xubuntuwan-oliver"

Then I made a user on web01 called olivermustoe:

adduser olivermustoe
usermod -aG wheel olivermustoe

And reset/disabled the root user's password AS ROOT:

passwd
usermod -L root

As well, in /etc/ssh/sshd_config I disabled root login by setting "PermitRootLogin" to "no":

Then I installed Apache web server and opened the firewall to port 80:

sudo yum update -y
sudo yum install httpd -y
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --reload

Checked it with sudo firewall-cmd --list-all:

And as root, I configured /var/www/html/index.html like the following:

Then I started Apache on web01 with the following commands:

sudo systemctl start httpd
sudo systemctl status httpd
sudo systemctl enable httpd

As well, I tested that I could access it from my xubuntu-lan box:

NOTE: For the following port forwarding, one vyos box must be MASTER for ALL of the VRRP-assigned IPs, OR set up priority earlier.

Then ON EACH VYOS MACHINE (vyos1 and vyos2) I set up port forwarding for port 80 as rule 10:

configure
set nat destination rule 10 destination address 10.0.17.116
set nat destination rule 10 destination port 80
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 10.0.5.100
set nat destination rule 10 translation port 80
set nat destination rule 10 description "Allow HTTP from WAN to web01-02"
commit

And then ON EACH VYOS MACHINE (vyos1 and vyos2) I set up port forwarding for port 22 as rule 20:

configure
set nat destination rule 20 destination address 10.0.17.116
set nat destination rule 20 destination port 22
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 10.0.5.100
set nat destination rule 20 translation port 22
set nat destination rule 20 description "Allow SSH from WAN to web01-02"
commit

Then to enable MFA I used Google Authenticator. On web01 I first added the EPEL repo and installed Google's Pluggable Authentication Module (PAM):

sudo yum install epel-release -y
sudo yum install google-authenticator -y

Then, after installing the Google authenticator app on my phone I used the following command to start the initialization process (NOTE: This will be enabling MFA for the "olivermustoe" user):

google-authenticator

In here I selected the following options:

  1. "Do you want authentication tokens to be time-based?" set to y

  2. Set to update my .google_authenticator file

  3. "Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks" set to n

  4. Answered no to the time compensation

  5. Answered no to rate limiting

With these set I opened my Google Authenticator app and my .google_authenticator file and copied the first line into the app in the "Your key" section (made sure the type of key was "Time based").

Then back on web01 I opened the /etc/pam.d/sshd file with sudo privileges and set the following:

auth required pam_google_authenticator.so

And then I edited /etc/ssh/sshd_config with sudo privileges with the following:

ChallengeResponseAuthentication yes

And then I restarted ssh with:

sudo systemctl restart sshd
sudo systemctl status sshd

With this set when I attempt to SSH into web01 I am met with a request for a verification code:

Then on web01 I edited /etc/ssh/sshd_config again and added the following:

AuthenticationMethods keyboard-interactive

And then I restarted ssh with:

sudo systemctl restart sshd
sudo systemctl status sshd

Therefore the only way to authenticate to web01 is with a password and a Google Authenticator code.
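To make the verification step concrete, the following is an added example (not from this journal or from the google-authenticator project) that models the TOTP check pam_google_authenticator performs over SSH, fed from a constructed .google_authenticator file in the layout described above (secret on line 1, options on the lines starting with `" `). The secret is the RFC 6238 test key and the 30-second step and 6-digit codes match what the Google Authenticator app shows; the DISALLOW_REUSE option is modelled so the effect of answering "n" to question 3 can be seen.

```python
# Added example: model of the pam_google_authenticator TOTP check.
# All values are constructed; the secret is the RFC 6238 test key.
import base64
import hashlib
import hmac
import struct

STEP = 30    # time-step the PAM module and the phone app agree on
DIGITS = 6   # code length shown by the Google Authenticator app

# Constructed .google_authenticator contents: line 1 is the base32 secret
# (the line the journal copies into the app), '" ' lines are options.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" TOTP_AUTH
" DISALLOW_REUSE
"""

def parse_ga_file(text):
    """Return (secret, set of option keywords) from .google_authenticator text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    options = {ln[2:].split()[0] for ln in lines[1:] if ln.startswith('" ')}
    return lines[0], options

def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret_b32, unix_time):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret_b32, unix_time // STEP)

class Verifier:
    """Accepts codes within +/-1 step of clock skew; rejects replays if DISALLOW_REUSE."""
    def __init__(self, secret_b32, options):
        self.secret = secret_b32
        self.disallow_reuse = "DISALLOW_REUSE" in options
        self.used = set()  # counters whose code has already logged someone in

    def verify(self, code, unix_time):
        now = unix_time // STEP
        for counter in range(now - 1, now + 2):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.disallow_reuse and counter in self.used:
                    return False  # same code presented twice inside its window
                self.used.add(counter)
                return True
        return False
```

Without DISALLOW_REUSE (the journal's answer of "n"), a code observed during one login is still valid for anyone who replays it inside the same 30-second window plus skew.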

LAN reflection

The LAN setup was not too bad in this lab. The xubuntu-lan didn't take much time at all since it was a copy of xubuntu-wan with different IPs. The web01 setup was a fun return to CentOS 7 (RIP) and the Apache web server. Where it got good was the Google Authenticator setup, which was surprisingly easy except for the fact that, as can be seen in the screenshots, my vyos2 box was set up as the master for the WAN and the vyos1 box was set up as master for the other networks. This was a small fix (I just turned vyos2 off, let vyos1 become master, and turned vyos2 back on) that can be more elegantly fixed by setting up VRRP priority as I did at the end of the lab.

Testing

NOTE: A new incognito session was created per test.

Vyos1 testing

The following shows xubuntu-wan accessing web01 via the VRRP address and its ARP entry for "10.0.17.116" while vyos2 is down:

The following shows xubuntu-lan accessing the internet via a traceroute while vyos2 is down:

Vyos2 testing

The following shows xubuntu-wan accessing web01 via the VRRP address and its ARP entry for "10.0.17.116" while vyos1 is down:

The following shows xubuntu-lan accessing the internet via a traceroute while vyos1 is down:
