Lab 11 2 AWS VPC NACLs - nicolas-tullio/Tech-Journal GitHub Wiki
Deliverables
Take Screenshots (2) showing Public Instance webpage from workstation browser on port 80 and 8080
Curl from Private instance to Public Instance webpage on port 80 and 8080
cosmosweb FTP banner from Private Instance
Blocked port 8080 to Public Instance Web from your workstation
Successful port 8080 curl from Private Instance
Blocked/Timed out nc on port 21 from Private Instance to cosmosweb.champlain.edu
Public NACL rules
Private NACL rules
Steps
You should set up two instances on your Public subnet - one will be a Jump Box-Bastion Host, the other we will use as a web server
SSH into the instance to be web server
ssh -i nicolas.pem [email protected]
Install apache
sudo yum install httpd
Create a text file at /var/www/html/index.html and put your name, class name, and other identifying info in it (this will be the home page)
Edit /etc/httpd/conf/httpd.conf - find the "Listen 80" line and add a new line "Listen 8080" below it so that httpd listens on both ports
- Should look like:
Listen 80
Listen 8080
Start the httpd service
sudo systemctl start httpd
Jump Box
SSH into your public instance to be used as a Bastion Host
Make sure you can ssh into the other Public Instance (the web server) from the Bastion Host / NAT Instance
Make sure you can ssh into the Private instance from the Bastion Host / NAT Instance
Security Groups Update
Public-Web instance should allow port 80 and 8080 inbound and all outbound
Public-Bastion should allow SSH inbound from All and all outbound
Private-Instance should allow SSH inbound from all and all traffic outbound (the security group is deliberately loose here; the bastion-only SSH restriction is enforced by the Private NACL later in this lab)
- NOTE: MAKE SURE TO ASSIGN THE SECURITY GROUPS TO THEIR INSTANCES - a group that is not attached to an instance filters nothing
Test access to your web server, should be able to access
- Webpage from workstation browser on port 80 and 8080
- Curl from Private instance on port 80 and 8080
Test FTP access from Private instance
- Run "nc cosmosweb.champlain.edu 21" from the terminal
- This opens a direct TCP/21 socket to the FTP server, which answers with its 220 greeting banner
- Take a screenshot of the banner (this should succeed now, before the NACLs are applied)
NACLs
In the VPC console, create 2 NACLs (Public and Private) and associate each one with its subnet. NACLs are stateless and are evaluated by rule number, lowest first: the first matching rule wins and the implicit * rule at the end denies, so the order (rule numbers) of the rules below matters
Public Subnet:
- Allow Internet access to port 80 on your Public Instance (web server)
- Allow Private Subnet access to port 8080 on your Public Instance (web server) - the source is the Private subnet CIDR, and this rule needs a lower number than the 8080 deny
- Block Internet access to port 8080 on your Public Instance (web server) - this deny needs a lower number than the allow-all rule, otherwise it is never reached
- Allow all other inbound access (because NACLs are stateless, this is also what lets reply traffic on ephemeral ports back in)
- Allow outbound Internet access
Private Subnet:
- Allow inbound SSH to your Private Instance from your Bastion-Jump Box only (source is the bastion's private IP as a /32)
- Deny inbound SSH from everywhere else, numbered after the bastion allow and before the allow-all rule; without this deny the next rule admits SSH from any source
- Allow all other inbound access
- Block outbound access to FTP (port 21) from the Private subnet, numbered before the allow-all outbound rule (the nc test then hangs and times out, because a NACL drops silently instead of sending a reset)
- Allow all other outbound access from the Private subnet
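The rule sets above can be checked for ordering mistakes before they are typed into the console. The following is an added example written for this page (it is not code from the wiki or from any AWS tool): it models how the VPC evaluates a network ACL (rules sorted by number, first match wins, implicit deny, no connection state) and walks all four stateless legs of each connection the lab tests. The subnet CIDRs, instance addresses, the workstation and FTP server addresses, and the rule numbers are assumptions chosen to match the lab layout; replace them with your own.

```python
"""Stateless NACL evaluation for the lab's Public and Private rule sets.
Added example for this lab page, not from the page or any AWS tool. It models
how a VPC evaluates a network ACL (rules sorted by number, first match wins,
implicit deny) so the rule order can be checked before the entries are created.
CIDRs, addresses and rule numbers are assumptions matching the lab layout."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed lab addressing (not from the page); replace with your own.
PRIVATE_SUBNET = "10.0.2.0/24"
BASTION_IP = "10.0.1.10"      # Public-Bastion private address
WEB_IP = "10.0.1.20"          # Public-Web private address
PRIVATE_IP = "10.0.2.20"      # Private-Instance address
WORKSTATION = "203.0.113.7"   # constructed: your workstation on the Internet
FTP_SERVER = "198.51.100.21"  # constructed stand-in for cosmosweb.champlain.edu
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    number: int                       # evaluation order, lowest first
    egress: bool                      # False = inbound rule, True = outbound rule
    protocol: str                     # "tcp", "udp" or "-1" (all)
    ports: Optional[Tuple[int, int]]  # destination port range, None = all ports
    cidr: str                         # source (inbound) or destination (outbound)
    action: str                       # "allow" or "deny"

    def matches(self, proto: str, port: int, addr: str) -> bool:
        if self.protocol not in ("-1", proto):
            return False
        if self.ports and not self.ports[0] <= port <= self.ports[1]:
            return False
        return ip_address(addr) in ip_network(self.cidr)

def evaluate(rules: List[Rule], egress: bool, proto: str, port: int, addr: str) -> str:
    """'allow' or 'deny' for one packet in one direction, as the VPC decides it."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.egress == egress and rule.matches(proto, port, addr):
            return rule.action
    return "deny"  # the implicit '*' rule at the end of every NACL

# Public NACL: the 8080 allow from the private subnet must precede the 8080
# deny, and the deny must precede the catch-all allow.
PUBLIC_NACL = [
    Rule(100, False, "tcp", (80, 80), ANY, "allow"),                 # Internet -> web :80
    Rule(110, False, "tcp", (8080, 8080), PRIVATE_SUBNET, "allow"),  # private subnet -> :8080
    Rule(120, False, "tcp", (8080, 8080), ANY, "deny"),              # everyone else -> :8080
    Rule(130, False, "-1", None, ANY, "allow"),   # other inbound: SSH to bastion, replies on ephemeral ports
    Rule(100, True, "-1", None, ANY, "allow"),    # all outbound
]
# Private NACL: SSH only from the bastion, no outbound FTP control channel.
PRIVATE_NACL = [
    Rule(100, False, "tcp", (22, 22), BASTION_IP + "/32", "allow"),  # SSH from bastion
    Rule(110, False, "tcp", (22, 22), ANY, "deny"),                  # SSH from anyone else
    Rule(120, False, "-1", None, ANY, "allow"),                      # all other inbound
    Rule(100, True, "tcp", (21, 21), ANY, "deny"),                   # FTP out (nc hangs, then times out)
    Rule(110, True, "-1", None, ANY, "allow"),                       # all other outbound
]
# The Internet side has no NACL; model it as allow-all in both directions.
INTERNET = [Rule(100, False, "-1", None, ANY, "allow"), Rule(100, True, "-1", None, ANY, "allow")]

def tcp_connect(client_nacl, server_nacl, client_ip, server_ip, port, client_port=49152):
    """Walk the four stateless legs of one TCP connection (SYN out, SYN in, reply
    out, reply in). Returns the first leg a NACL drops, or None if it connects."""
    legs = [("client egress", client_nacl, True, port, server_ip),
            ("server ingress", server_nacl, False, port, client_ip),
            ("server egress", server_nacl, True, client_port, client_ip),
            ("client ingress", client_nacl, False, client_port, server_ip)]
    for name, nacl, egress, dport, addr in legs:
        if evaluate(nacl, egress, "tcp", dport, addr) == "deny":
            return name
    return None

def lab_checks():
    """The lab's test cases as connection outcomes (None = the connection works)."""
    return {
        "workstation->web:80": tcp_connect(INTERNET, PUBLIC_NACL, WORKSTATION, WEB_IP, 80),
        "workstation->web:8080": tcp_connect(INTERNET, PUBLIC_NACL, WORKSTATION, WEB_IP, 8080),
        "private->web:8080": tcp_connect(PRIVATE_NACL, PUBLIC_NACL, PRIVATE_IP, WEB_IP, 8080),
        "bastion->private:22": tcp_connect(PUBLIC_NACL, PRIVATE_NACL, BASTION_IP, PRIVATE_IP, 22),
        "internet->private:22": tcp_connect(INTERNET, PRIVATE_NACL, WORKSTATION, PRIVATE_IP, 22),
        "private->ftp:21": tcp_connect(PRIVATE_NACL, INTERNET, PRIVATE_IP, FTP_SERVER, 21),
    }

def misordered_8080_leak():
    """Common mistake: the 8080 deny renumbered after the catch-all allow. Returns
    None, meaning the workstation reaches port 8080 despite the deny rule."""
    wrong = [Rule(140 if r.number == 120 and not r.egress else r.number,
                  r.egress, r.protocol, r.ports, r.cidr, r.action) for r in PUBLIC_NACL]
    return tcp_connect(INTERNET, wrong, WORKSTATION, WEB_IP, 8080)

def cli_command(acl_id: str, rule: Rule) -> str:
    """Equivalent 'aws ec2 create-network-acl-entry' call for one rule."""
    parts = ["aws ec2 create-network-acl-entry", f"--network-acl-id {acl_id}",
             f"--rule-number {rule.number}", f"--protocol {rule.protocol}",
             f"--cidr-block {rule.cidr}", f"--rule-action {rule.action}",
             "--egress" if rule.egress else "--ingress"]
    if rule.ports:
        parts.append(f"--port-range From={rule.ports[0]},To={rule.ports[1]}")
    return " ".join(parts)
```

Running lab_checks() should report None for the three connections the lab expects to work (port 80 from the workstation, port 8080 from the Private instance, SSH from the bastion) and name the leg that drops the three it expects to fail (the 8080 deny at "server ingress", the SSH deny at "server ingress", the FTP deny at "client egress"). misordered_8080_leak() returning None is the point of the rule-number caveat: once the deny sits behind the allow-all, port 8080 is open to the Internet even though a deny rule exists. cli_command() prints the same rules as AWS CLI calls once you substitute your real acl- IDs.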