Project 1 ‐ Network Redundancy - jacobwilliams100/sec-440 GitHub Wiki

Configuring vyos01 and vyos02

Plugging in interfaces (screenshot)

Configuring hostname and IP addresses (screenshots)

Repeat these settings on both vyos01 and vyos02.

DNS forwarding on VyOS (allow-from limits which client networks may query the forwarder; listen-address sets the addresses it answers on)

set service dns forwarding allow-from 10.0.5.0/24

set service dns forwarding listen-address 10.0.5.1

set service dns forwarding listen-address 10.0.5.2

set service dns forwarding listen-address 10.0.5.3

Your DNS settings should look like this:

show service dns


Repeat for vyos02


Configuring web01 (CentOS)

Plugging in interface (screenshot)

Setting up IP (screenshot)

Make a new sudo user:

sudo adduser jake

sudo passwd jake

sudo usermod -aG wheel jake

su jake

Setting up a provisional web server (as jake, the service commands need sudo)

sudo yum update

sudo yum install httpd

sudo systemctl start httpd

sudo systemctl enable httpd

Open ports in the firewall (port 22 is for SSH):

sudo firewall-cmd --zone=public --add-port=80/tcp

sudo firewall-cmd --zone=public --add-port=22/tcp

These are runtime rules and are lost at reboot; to keep them, repeat each command with --permanent and then run firewall-cmd --reload.

sudo systemctl restart httpd

sudo systemctl status httpd


Configuring xubuntu-wan (xubuntu) (screenshot)

Configuring xubuntu-lan (xubuntu)

Plugging in interface (screenshots)

Setting up port forwarding on VyOS

Between LAN and WAN (enter configuration mode with configure first)

Source NAT rule (LAN to WAN: outbound traffic from 10.0.5.0/24 is masqueraded behind the WAN interface)

set nat source rule 10 description "lan to wan"

set nat source rule 10 outbound-interface eth0

set nat source rule 10 address 10.0.5.0/24

set nat source rule 10 translation address masquerade

Destination NAT rules (WAN to LAN: inbound traffic arriving on eth0 is forwarded to web01 at 10.0.5.100)

For HTTP...

set nat destination rule 20 description "wan to lan on port 80"

set nat destination rule 20 inbound-interface eth0

set nat destination rule 20 destination port 80

set nat destination rule 20 protocol tcp

set nat destination rule 20 translation address 10.0.5.100

set nat destination rule 20 translation port 80

And for SSH...

set nat destination rule 30 description "WAN to SSH Web"

set nat destination rule 30 inbound-interface eth0

set nat destination rule 30 destination port 22

set nat destination rule 30 protocol tcp

set nat destination rule 30 translation address 10.0.5.100

set nat destination rule 30 translation port 22

Don't forget to commit and save:

commit

save

This is what your NAT rules page should look like:

show nat


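A quick way to see what the destination NAT rules above actually expose, added here as an example and not part of the original wiki: the script parses "set nat destination rule ..." commands in the form shown on this page (on a router you would capture them with show configuration commands and feed that output in; the sample file below is constructed from the rules above) and prints one line per forwarded port. Everything else, including the source NAT rule, is ignored.

```shell
# Added example, not part of the wiki: inventory what destination NAT forwards
# from the WAN side. Input is a file of "set nat destination rule ..." commands.
nat_exposure() {
    awk '
    $1 == "set" && $2 == "nat" && $3 == "destination" && $4 == "rule" {
        r = $5; rules[r] = 1
        if ($6 == "protocol")                             proto[r] = $7
        else if ($6 == "inbound-interface")               iface[r] = $7
        else if ($6 == "destination" && $7 == "port")     dport[r] = $8
        else if ($6 == "translation" && $7 == "address")  taddr[r] = $8
        else if ($6 == "translation" && $7 == "port")     tport[r] = $8
    }
    END {
        for (r in rules) {
            p  = (r in proto) ? proto[r] : "any"
            # VyOS keeps the original port when no translation port is given
            tp = (r in tport) ? tport[r] : dport[r]
            printf "rule %s %s/%s in %s -> %s:%s\n", r, p, dport[r], iface[r], taddr[r], tp
        }
    }' "$1" | sort -k2,2n
}

# Exit 0 if any rule forwards TCP port 22 in from the WAN: a reminder that the
# MFA set up on web01 later on this page is what protects that rule.
has_wan_ssh() {
    nat_exposure "$1" | grep -q ' tcp/22 '
}

# Constructed sample: the NAT commands from this page, written to a temp file.
nat_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
set nat source rule 10 description "lan to wan"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 address 10.0.5.0/24
set nat source rule 10 translation address masquerade
set nat destination rule 20 description "wan to lan on port 80"
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination port 80
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 10.0.5.100
set nat destination rule 20 translation port 80
set nat destination rule 30 description "WAN to SSH Web"
set nat destination rule 30 inbound-interface eth0
set nat destination rule 30 destination port 22
set nat destination rule 30 protocol tcp
set nat destination rule 30 translation address 10.0.5.100
set nat destination rule 30 translation port 22
EOF
    echo "$f"
}

# Demo on the constructed sample (on a router, point it at the real command list).
sample=$(nat_sample)
nat_exposure "$sample"
has_wan_ssh "$sample" && echo "note: SSH is reachable from the WAN through this NAT; keep MFA enforced on the target host"
rm -f "$sample"
```

One thing to keep in mind once VRRP is added: translation address masquerade uses the router's own eth0 address, not the shared VRRP address, so each router translates outbound traffic differently and a flow does not survive a failover. Translating to the shared WAN address (10.0.17.107 on this page) keeps the outside view the same whichever router is master.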

High Availability / VRRP

configure

set high-availability vrrp group wan vrid 10

set high-availability vrrp group wan interface eth0

set high-availability vrrp group wan address 10.0.17.107/24

set high-availability vrrp group lan vrid 20

set high-availability vrrp group lan interface eth1

set high-availability vrrp group lan address 10.0.5.1/24

set high-availability vrrp group opt vrid 30

set high-availability vrrp group opt interface eth2

set high-availability vrrp group opt address 10.0.6.1/24

commit

save

Repeat these steps on both vyos01 and vyos02.

Priority

On vyos01...

set high-availability vrrp group wan priority 200

set high-availability vrrp group lan priority 200

set high-availability vrrp group opt priority 200

On vyos02...

set high-availability vrrp group wan priority 100

set high-availability vrrp group lan priority 100

set high-availability vrrp group opt priority 100

This gives vyos01 priority for handling the virtual IP traffic while it is up; vyos02 acts as the backup.

This is what your VRRP settings should look like:

show high-availability

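Before relying on the failover it is worth comparing the two routers' VRRP configuration side by side. The script below is an added example, not part of the wiki: it reads the "set high-availability vrrp group ..." commands of each router (the format shown above) and checks that every group exists on both, with the same vrid, interface and virtual address, and with different priorities so the master is chosen deterministically. The two sample files are constructed from this page's commands, and a third copy with a mistyped vrid and an equal priority shows what a failed check looks like.

```shell
# Added example, not part of the wiki: sanity-check a VRRP pair.
# vrrp_check PRIMARY_FILE BACKUP_FILE -> exit 0 if every group is consistent.
vrrp_check() {
    la=${1##*/}; lb=${2##*/}
    awk -v A="$1" -v B="$2" -v LA="$la" -v LB="$lb" '
    $1 == "set" && $2 == "high-availability" && $3 == "vrrp" && $4 == "group" {
        side = (FILENAME == A) ? "A" : "B"
        g = $5; groups[g] = 1
        if ($6 == "vrid")           vrid[side, g] = $7
        else if ($6 == "interface") ifc[side, g]  = $7
        else if ($6 == "address")   vip[side, g]  = $7
        else if ($6 == "priority")  pri[side, g]  = $7
    }
    END {
        rc = 0
        for (g in groups) {
            bad = 0
            if (!(("A", g) in vrid) || !(("B", g) in vrid)) {
                print "FAIL " g ": group is not configured on both routers"; rc = 1; continue
            }
            if (vrid["A", g] != vrid["B", g]) { print "FAIL " g ": vrid differs (" vrid["A", g] " vs " vrid["B", g] ")"; bad = 1 }
            if (ifc["A", g] != ifc["B", g])   { print "FAIL " g ": interface differs"; bad = 1 }
            if (vip["A", g] != vip["B", g])   { print "FAIL " g ": virtual address differs"; bad = 1 }
            # keepalived (and so VyOS) uses priority 100 when none is set
            pa = (("A", g) in pri) ? pri["A", g] : 100
            pb = (("B", g) in pri) ? pri["B", g] : 100
            if (pa == pb) { print "FAIL " g ": equal priority " pa " on both routers"; bad = 1 }
            if (bad) rc = 1
            else print "OK " g ": vrid " vrid["A", g] " " vip["A", g] " on " ifc["A", g] ", master " (pa > pb ? LA : LB)
        }
        exit rc
    }' "$1" "$2"
}

# Constructed samples: vyos01 and vyos02 as configured on this page, plus a
# deliberately broken vyos02 copy (lan vrid mistyped, wan priority equal).
vrrp_sample() {
    d=$(mktemp -d)
    cat > "$d/vyos01" <<'EOF'
set high-availability vrrp group wan vrid 10
set high-availability vrrp group wan interface eth0
set high-availability vrrp group wan address 10.0.17.107/24
set high-availability vrrp group wan priority 200
set high-availability vrrp group lan vrid 20
set high-availability vrrp group lan interface eth1
set high-availability vrrp group lan address 10.0.5.1/24
set high-availability vrrp group lan priority 200
set high-availability vrrp group opt vrid 30
set high-availability vrrp group opt interface eth2
set high-availability vrrp group opt address 10.0.6.1/24
set high-availability vrrp group opt priority 200
EOF
    sed -e 's/priority 200/priority 100/' "$d/vyos01" > "$d/vyos02"
    sed -e 's/lan vrid 20/lan vrid 21/' -e 's/wan priority 100/wan priority 200/' "$d/vyos02" > "$d/vyos02-bad"
    echo "$d"
}

# Demo on the samples; on real routers, save the output of
# "show configuration commands | grep vrrp" from each one and pass the two files.
d=$(vrrp_sample)
echo "== vyos01 vs vyos02 =="; vrrp_check "$d/vyos01" "$d/vyos02"
echo "== vyos01 vs vyos02-bad =="; vrrp_check "$d/vyos01" "$d/vyos02-bad" || echo "fix these before trusting failover"
rm -rf "$d"
```

After the check passes, show vrrp on each router should report MASTER on vyos01 and BACKUP on vyos02 for all three groups.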

MFA for web01 SSH

We will use Google Authenticator.

sudo yum update

sudo yum install epel-release -y

This adds the EPEL repository so yum can find the google-authenticator package. It might take a while.

sudo yum install google-authenticator

google-authenticator

Answer the prompts as follows:

time-based tokens: yes

Scan the QR code using the Google Authenticator mobile app on your phone to add the account, then enter the code it displays.

update ~/.google_authenticator: yes

multiple uses of the same authentication token: yes

time-skew compensation: no

rate-limiting: no

Now we need to modify a configuration file.

sudo nano /etc/pam.d/sshd

Add the following line at the bottom of the file, then save and quit:

auth required pam_google_authenticator.so


We must edit one more configuration file.

sudo nano /etc/ssh/sshd_config

Comment out ChallengeResponseAuthentication no and uncomment ChallengeResponseAuthentication yes.


Change PermitRootLogin to no.


Then save and quit, and restart sshd:

sudo systemctl restart sshd

Keep your current SSH session open and test a fresh login from a second terminal before closing it, so that a mistake in either file does not lock you out.

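The two edits above are easy to get subtly wrong (a still-commented line, PermitRootLogin left at its default, the PAM line missing), and sshd only tells you at the next login. The script below is an added example, not part of the wiki: it reads the effective value of each sshd_config keyword the way sshd does (first uncommented occurrence wins; Match blocks are not interpreted) and checks /etc/pam.d/sshd for the Google Authenticator line. The before and after sample files are constructed to mirror the stock CentOS layout and the edited one.

```shell
# Added example, not part of the wiki: audit the sshd + PAM changes for MFA
# before restarting sshd. Paths default to the real files; pass others to test.

# Effective value of an sshd_config keyword (first uncommented occurrence wins,
# keyword matching is case-insensitive as in sshd). Prints nothing if unset.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_mfa [SSHD_CONFIG] [PAM_SSHD] -> exit 0 when every required setting is
# present, 1 otherwise, with one FAIL line per finding.
audit_mfa() {
    cfg=${1:-/etc/ssh/sshd_config}; pam=${2:-/etc/pam.d/sshd}; rc=0
    v=$(sshd_value "$cfg" ChallengeResponseAuthentication)
    [ "$v" = "yes" ] || { echo "FAIL: ChallengeResponseAuthentication is '${v:-unset}', need yes"; rc=1; }
    v=$(sshd_value "$cfg" UsePAM)
    [ "$v" = "yes" ] || { echo "FAIL: UsePAM is '${v:-unset}', need yes or the PAM module never runs"; rc=1; }
    v=$(sshd_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL: PermitRootLogin is '${v:-unset}', need no"; rc=1; }
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam" \
        || { echo "FAIL: $pam has no active 'auth required pam_google_authenticator.so' line"; rc=1; }
    return $rc
}

# Constructed stand-ins for /etc/ssh/sshd_config and /etc/pam.d/sshd:
# "before" is the stock layout, "after" has the edits described on this page.
mfa_samples() {
    d=$(mktemp -d)
    cat > "$d/sshd_config.before" <<'EOF'
#PermitRootLogin yes
ChallengeResponseAuthentication no
#ChallengeResponseAuthentication yes
UsePAM yes
EOF
    cat > "$d/pam_sshd.before" <<'EOF'
#%PAM-1.0
auth       substack     password-auth
account    required     pam_nologin.so
EOF
    cat > "$d/sshd_config.after" <<'EOF'
PermitRootLogin no
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
    cat > "$d/pam_sshd.after" <<'EOF'
#%PAM-1.0
auth       substack     password-auth
account    required     pam_nologin.so
auth       required     pam_google_authenticator.so
EOF
    echo "$d"
}

# Demo on the samples. On web01 itself: audit_mfa && sudo sshd -t && sudo systemctl restart sshd
d=$(mfa_samples)
echo "== before =="; audit_mfa "$d/sshd_config.before" "$d/pam_sshd.before" || echo "not ready"
echo "== after ==";  audit_mfa "$d/sshd_config.after"  "$d/pam_sshd.after"  && echo "OK, safe to restart sshd"
rm -rf "$d"
```

Running sudo sshd -t after the audit catches syntax errors in sshd_config that the audit does not look for; only restart once both pass.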

Reflection

This project was really challenging for me. Because I am taking this course without taking SEC-350 first, there are a lot of gaps in my knowledge. The first few steps like assigning interfaces and IP settings were simple enough because I had done this in previous courses. However, I have never touched VyOS before, and had to learn everything about that system from scratch. Professor Ali's assistance was essential in setting up port forwarding because I could not even figure out where to start with that. But once I got the first few pieces working, everything else started to make more sense and I found it easier to figure out subsequent parts like VRRP and Priority. Google Authenticator caused me some trouble too; I didn't know what settings to change. But I figured it out with a bit of troubleshooting and asking classmates questions. Despite the difficulties, I learned an enormous amount from completing this project, and I feel more confident going into the next project. I feel capable of succeeding in this course.

Video link

https://drive.google.com/file/d/1A3X5vu0b7v-szs3dLvItsoFseeOIQjGZ/view?usp=sharing