Project 1‐SEC‐440‐Network Redundancy - lpcyber1/SEC440 GitHub Wiki

Requirements

  • Configure and network the following systems: vyos01, vyos02, xubuntu-wan, xubuntu-lan, web01
  • Redundant WAN and LAN
  • The WAN interface on vyos1 and vyos2 should be redundant so that addressing a single IP address will route to whichever vyos router is currently active. Your redundant WAN interface should be configured to port forward http to web01 on the LAN.
  • ssh to web01 on the LAN; this should also be augmented with MFA, with root SSH login disabled.
  • Your LAN based systems should also have a redundant default gateway of 10.0.5.1 where either of the two routers providing gateway services can be taken offline without an interruption in service.
  • No vyos firewall zones or rules are required for Project 1.

Deliverable

Project 1 - Network Redundancy

Configuration

vyos01

set high-availability vrrp group langroup0 address 10.0.5.1/24
set high-availability vrrp group langroup0 interface 'eth1'
set high-availability vrrp group langroup0 vrid '10'
set high-availability vrrp group optgroup0 address 10.0.6.1/24
set high-availability vrrp group optgroup0 interface 'eth2'
set high-availability vrrp group optgroup0 vrid '20'
set high-availability vrrp group wangroup11 address 10.0.17.111/24
set high-availability vrrp group wangroup11 interface 'eth0'
set high-availability vrrp group wangroup11 vrid '161'
set interfaces ethernet eth0 address '10.0.17.21/24'
set interfaces ethernet eth0 description 'WAN INTERFACE'
set interfaces ethernet eth1 address '10.0.5.2/24'
set interfaces ethernet eth1 description 'LAN INTERFACE'
set interfaces ethernet eth2 address '10.0.6.2/24'
set interfaces ethernet eth2 description 'OPT INTERFACE'
set nat destination rule 10 description 'WEB01 HTTP'
set nat destination rule 10 destination address '10.0.17.111'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.0.5.100'
set nat destination rule 10 translation port '80'
set nat destination rule 20 description 'WEB01 SSH'
set nat destination rule 20 destination address '10.0.17.111'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '22'
set nat source rule 10 description 'NAT FROM LAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 description 'NAT FROM OPT'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '10.0.6.0/24'
set nat source rule 20 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding allow-from '10.0.6.0/24'
set service dns forwarding listen-address '10.0.5.2'
set service dns forwarding listen-address '10.0.6.2'
set service dns forwarding listen-address '10.0.5.1'
set service dns forwarding listen-address '10.0.6.1'
set service dns forwarding listen-address '10.0.17.111'
set service dns forwarding system
set service ssh listen-address '0.0.0.0'
set system host-name 'vyos01-Liam'
set system name-server '10.0.17.2'

vyos02

set high-availability vrrp group langroup0 address 10.0.5.1/24
set high-availability vrrp group langroup0 interface 'eth1'
set high-availability vrrp group langroup0 vrid '10'
set high-availability vrrp group optgroup0 address 10.0.6.1/24
set high-availability vrrp group optgroup0 interface 'eth2'
set high-availability vrrp group optgroup0 vrid '20'
set high-availability vrrp group wangroup11 address 10.0.17.111/24
set high-availability vrrp group wangroup11 interface 'eth0'
set high-availability vrrp group wangroup11 vrid '161'
set interfaces ethernet eth0 address '10.0.17.81/24'
set interfaces ethernet eth0 description 'WAN INTERFACE'
set interfaces ethernet eth1 address '10.0.5.3/24'
set interfaces ethernet eth1 description 'LAN INTERFACE'
set interfaces ethernet eth2 address '10.0.6.3/24'
set interfaces ethernet eth2 description 'OPT INTERFACE'
set nat destination rule 10 description 'WEB01 HTTP'
set nat destination rule 10 destination address '10.0.17.111'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.0.5.100'
set nat destination rule 10 translation port '80'
set nat destination rule 20 description 'WEB01 SSH'
set nat destination rule 20 destination address '10.0.17.111'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '22'
set nat source rule 10 description 'NAT FROM LAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 description 'NAT FROM OPT'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '10.0.6.0/24'
set nat source rule 20 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.6.0/24'
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.3'
set service dns forwarding listen-address '10.0.6.3'
set service dns forwarding listen-address '10.0.5.1'
set service dns forwarding listen-address '10.0.6.1'
set service dns forwarding listen-address '10.0.17.111'
set service dns forwarding system
set service ssh listen-address '0.0.0.0'
set system host-name 'vyos02-Liam'
set system login banner post-login 'welcome to vyos02-Liam'
set system name-server '10.0.17.2'
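The two configurations above are identical apart from the per-router addresses, which is what VRRP needs: both routers announce the same VIPs (10.0.5.1, 10.0.6.1 and 10.0.17.111) under the same VRIDs, and the DNAT rules only take effect on whichever router currently holds 10.0.17.111. Two things to keep in mind when testing: neither group sets a `priority`, so both routers advertise the default of 100 and the initial master is decided by the VRRP tie-break (the higher interface address) rather than by an explicit choice, and masquerade NAT state is not shared between the routers unless `service conntrack-sync` is configured, so a failover drops flows that were already NATed even though new ones succeed. Note also that `service ssh listen-address 0.0.0.0` puts the routers' own SSH on the WAN interface; the project waives firewall rules, but in a real deployment bind it to the LAN address.

The script below is an added example, not part of the wiki. Run from xubuntu-lan, it reports which router is currently answering for the LAN gateway VIP by comparing the VIP's ARP entry with the routers' own LAN addresses (keepalived answers from the interface's real MAC unless `rfc3768-compatibility` is set, in which case the RFC 5798 virtual MAC 00:00:5e:00:01:0a appears instead). Run it with `--live`, take one router offline, and run it again: the owner should change while the VIP keeps replying.

```shell
#!/bin/sh
# Added example, not part of the original wiki: report which router currently owns
# the LAN gateway VIP so a failover can be watched from xubuntu-lan. Addresses and
# VRIDs are the ones from the vyos01/vyos02 configs above.
set -eu

VIP="10.0.5.1"         # langroup0 address
VYOS01_LAN="10.0.5.2"  # vyos01 eth1
VYOS02_LAN="10.0.5.3"  # vyos02 eth1
LAN_VRID=10            # langroup0 vrid

# RFC 5798 virtual MAC for a VRID: 00:00:5e:00:01:<VRID in hex>. Only seen on the
# wire when the group is configured with rfc3768-compatibility; by default VyOS
# (keepalived) answers ARP for the VIP with the master's real interface MAC.
vrrp_vmac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# Print the MAC the neighbour table (ip neigh output on stdin) holds for IP $1,
# or nothing if the entry is missing or has no lladdr (e.g. FAILED).
neigh_mac() {
    awk -v ip="$1" '$1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") print $(i + 1) }'
}

# Read a neighbour table on stdin and print who answers for the VIP: vyos01 or
# vyos02 when the VIP's MAC equals that router's own LAN MAC, vrrp-vmac when the
# virtual MAC is in use (owner not visible from ARP), otherwise unknown.
vip_owner() {
    table=$(cat)
    vip_mac=$(printf '%s\n' "$table" | neigh_mac "$VIP")
    case "$vip_mac" in
        "")                                                     echo unknown ;;
        "$(printf '%s\n' "$table" | neigh_mac "$VYOS01_LAN")")  echo vyos01 ;;
        "$(printf '%s\n' "$table" | neigh_mac "$VYOS02_LAN")")  echo vyos02 ;;
        "$(vrrp_vmac "$LAN_VRID")")                             echo vrrp-vmac ;;
        *)                                                      echo unknown ;;
    esac
}

# Live check: ping all three addresses so the ARP cache is populated, then report.
# Run it, take one router offline, run it again: the owner should change while the
# VIP keeps replying.
live_check() {
    for ip in "$VIP" "$VYOS01_LAN" "$VYOS02_LAN"; do
        ping -c 1 -W 1 "$ip" >/dev/null 2>&1 || echo "no reply from $ip" >&2
    done
    echo "gateway $VIP is currently served by: $(ip neigh show | vip_owner)"
}

# Only touch the network when asked, so the script is safe to source or dry-run.
if [ "${1:-}" = "--live" ]; then live_check; fi
```

Because `vip_owner` reads the neighbour table from stdin, the same logic can be checked offline against constructed `ip neigh` lines, and on the WAN side the same approach works with 10.0.17.111 against 10.0.17.21 and 10.0.17.81 from xubuntu-wan.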

xubuntu-lan

(screenshot)

  • Ran ssh-keygen and ssh-copy-id to web01

xubuntu-wan

(screenshot)

web01

(screenshot)

  • Set up a basic index.html page

(screenshot)

  • Ran ssh-keygen and ssh-copy-id to my xubuntu-lan system

Setting up MFA for SSH

  • Followed this guide to set up MFA for SSH, and the other to make it work with SELinux:

How To Set Up Multi-Factor Authentication for SSH on CentOS 8

Dual factor SSH: Google Authenticator, SElinux, and CentOS

  • Commands are:
  1. sudo yum search epel
  2. sudo yum install epel-release
  3. sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
  4. sudo yum install google-authenticator qrencode-libs
  5. google-authenticator. A QR code will appear; scan it with the app on your phone to add the device. It will also ask a series of setup questions, which should be answered as shown:

(screenshots of the setup questions and answers)

  6. Next, run nano /etc/pam.d/sshd and add this line to the file:

(screenshot of the line added to /etc/pam.d/sshd)

  7. If there isn't a ~/.ssh folder, make one with

mkdir /home/${USER}/.ssh

  8. Then move .google_authenticator into that folder with

mv /home/${USER}/.google_authenticator /home/${USER}/.ssh/.google_authenticator

  9. Then restart sshd with sudo systemctl restart sshd

Lastly, verify that you can SSH into the VM using the code from the Google Authenticator app.

(screenshot)
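Putting the steps above together as one re-runnable script. This is an added example, not the wiki author's commands: it assumes the CentOS 8 paths /etc/pam.d/sshd and /etc/ssh/sshd_config, the PAM line from the two linked guides with its secret= path pointing at the file moved in step 8, and that xubuntu-lan's key is already in web01's authorized_keys. Two points the guides cover that the step list does not: public-key logins never run the PAM auth stack, so a key copied with ssh-copy-id would skip the OTP prompt entirely unless sshd is told to require both with AuthenticationMethods publickey,keyboard-interactive; and the project also requires root SSH to be disabled, which is PermitRootLogin no. The script also comments out the password-auth substack so the keyboard-interactive step asks only for the OTP, as the DigitalOcean guide does.

```shell
#!/bin/sh
# Added example, not the wiki author's commands: apply the SSH MFA steps as
# idempotent edits so they can be re-run safely. Assumes CentOS 8 file paths,
# google-authenticator already installed and enrolled, and the token file moved to
# ~/.ssh/.google_authenticator (step 8). Helpers take the files as arguments so they
# can be exercised on copies before touching the real ones.
set -eu

# PAM line from the linked guides. ${USER} is expanded by pam_google_authenticator
# itself, not by the shell, so it must stay single-quoted.
PAM_LINE='auth required pam_google_authenticator.so secret=/home/${USER}/.ssh/.google_authenticator'

# Append LINE to FILE unless an identical line is already present.
ensure_line() {
    file="$1"; line="$2"
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Comment out the password-auth substack so keyboard-interactive asks only for the
# OTP (the SSH key is the other factor). Lines already commented are left alone.
comment_pam_password() {
    pam="$1"; tmp="$pam.tmp.$$"
    awk '/^auth[ \t]+substack[ \t]+password-auth/ { $0 = "#" $0 } { print }' "$pam" > "$tmp"
    cat "$tmp" > "$pam" && rm -f "$tmp"
}

# Set KEY VALUE in an sshd_config: every existing occurrence of the keyword, active
# or commented out, is removed and the directive is placed at the top of the file,
# so it is global and cannot land inside a later Match block. Keyword matching is
# case-insensitive because sshd accepts keywords in any case.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"; tmp="$file.tmp.$$"
    {
        printf '%s %s\n' "$key" "$value"
        if [ -f "$file" ]; then
            awk -v k="$key" '{
                l = $0; sub(/^[ \t]*#?[ \t]*/, "", l); split(l, f, /[ \t=]+/)
                if (tolower(f[1]) != tolower(k)) print
            }' "$file"
        fi
    } > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's mode and SELinux label
}

# Wire it together: OTP in PAM, root login off, key AND OTP required for everyone.
apply_mfa() {
    pam="$1"; cfg="$2"
    ensure_line "$pam" "$PAM_LINE"
    comment_pam_password "$pam"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" UsePAM yes
    set_sshd_option "$cfg" ChallengeResponseAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" AuthenticationMethods publickey,keyboard-interactive
}

# Only touch the live system when asked, and only restart on a config sshd accepts.
if [ "${1:-}" = "--apply" ]; then
    apply_mfa /etc/pam.d/sshd /etc/ssh/sshd_config
    /usr/sbin/sshd -t
    systemctl restart sshd
fi
```

The PAM line is added without nullok, so every account that needs SSH must have run google-authenticator before sshd is restarted or it will be locked out; keep the current session open and confirm a fresh login from xubuntu-lan prompts for the verification code before closing it.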