Lab 6.1 Port Forwarding and Jump Boxes - savannahc502/SavC-TechJournal-SEC350 GitHub Wiki

Lab Introduction & Caveat

I began this assignment after working on the assessment. This means that some of the VMs I was supposed to use for the assessment were decommissioned. I did some workarounds to meet the specifications of the lab.

Traveler WAN Routing

Since traveler-savannah is a Windows machine, I cannot run the Linux command ip route. Instead, I ran route print in the command prompt to show the current routes. These were configured via the firewall edge01-savannah NAT translations. I was told not to disturb my current environment since it's post-assessment.

NAT Port Forwarding from Port 80 to NGINX

My NAT destination rule 10 successfully port-forwards, so traveler-savannah reaches the nginx-savannah VM via the firewall's WAN address on eth0.

Log01 Replacing Jump on the DMZ

log01-savannah is on the DMZ network with the IP address 172.16.50.4/29, acting in place of the jump box. This works since log01-savannah is decommissioned, and jump is currently being used on the mgmt segment as the Wazuh manager. log01-savannah successfully curls its DMZ neighbor, nginx-savannah, at 172.16.50.3.

log01 nmtui & wazuh netplan

I used nmtui to configure networking on log01-savannah.

For an example of a netplan file, see my wazuh netplan file from the assessment.

Passwordless SSH from MGMT to NGINX

Since my jump box is being used as the Wazuh manager on the mgmt segment, the passwordless SSH test didn't make much sense. However, I still wanted to demonstrate my ability to create a passwordless SSH login. So, this screenshot shows a successful passwordless SSH login from the mgmt01-savannah box to nginx-savannah.

My NAT destination rule 20 for SSH to jump and WAN-to-DMZ rule 20, which allows 22/tcp from WAN to DMZ, are in my firewall configs from the assessment.

Prior documentation on setting up passwordless SSH authentication can be found here.

Passwordless User

To make a passwordless user on Linux (useradd without a passwd step leaves the account's password locked, so the SSH key in authorized_keys is the only way to log in):

sudo useradd -m -d /home/savannah-jump -s /bin/bash savannah-jump
sudo mkdir /home/savannah-jump/.ssh
sudo chmod 700 /home/savannah-jump/.ssh
# authorized_keys has to exist before chmod can set its mode; replace the placeholder with the user's public key
echo "<public key placeholder>" | sudo tee /home/savannah-jump/.ssh/authorized_keys
sudo chmod 600 /home/savannah-jump/.ssh/authorized_keys
sudo chown -R savannah-jump:savannah-jump /home/savannah-jump/.ssh

Wazuh Agents: Nginx and Log01

  • I have already connected my Wazuh Manager to a Debian box on the DMZ: my nginx VM.

  • If I were to set up Wazuh on a Windows machine (which my traveler is), then I would have to run the above command followed by Start-Service -Name "WazuhSvc". However, my current firewall rules would not allow for this.

  • I decided to also register my log01-savannah RPM-based VM since it is taking the place of my jump server, which the original lab wanted to be a Wazuh agent.

Commands for Log01 Wazuh Agent install

Check whether the host uses RPM or DEB packages (the tool that reports a version is the native one):

dpkg --version
rpm --version

Agent Install on RPM:

# The URL must name the x86_64 package (same file as the one saved), and the variable must be spelled WAZUH_MANAGER: the package's post-install script reads it case-sensitively
curl -o wazuh-agent-4.7.5-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.5-1.x86_64.rpm && sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' rpm -ihv wazuh-agent-4.7.5-1.x86_64.rpm

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
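As an added example (my own script, not from the journal or the Wazuh project) that generalizes the RPM-only install above: it detects the package family the way the dpkg/rpm check does, picks the matching 4.x agent package, installs it with this page's manager IP and group, and confirms the manager address landed in the agent's ossec.conf. Assumed: x86_64 hosts, the 4.x packages.wazuh.com layout, the script name, and /var/ossec/etc/ossec.conf as the agent config path.

```shell
#!/bin/sh
# Added example (not from the journal or the Wazuh project): pick the agent
# package by the host's package family, install it against the manager, and
# verify. Assumes x86_64 hosts, the 4.x package layout, this page's manager IP.
set -eu
WAZUH_VERSION="${WAZUH_VERSION:-4.7.5}"
MANAGER="${WAZUH_MANAGER_IP:-172.16.200.10}"
GROUP="${WAZUH_AGENT_GROUP:-linux}"

# The page's dpkg/rpm --version check made scriptable: prints deb, rpm or unknown.
pkg_family() {
    if command -v dpkg >/dev/null 2>&1; then echo deb
    elif command -v rpm >/dev/null 2>&1; then echo rpm
    else echo unknown; fi
}

# Download URL for the agent package. Usage: pkg_url <rpm|deb> <version>
pkg_url() {
    case "$1" in
        rpm) echo "https://packages.wazuh.com/4.x/yum/wazuh-agent-$2-1.x86_64.rpm" ;;
        deb) echo "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_$2-1_amd64.deb" ;;
        *)   return 1 ;;
    esac
}

# Install command. WAZUH_MANAGER must be spelled exactly so: the package's
# post-install script reads it case-sensitively, so WAZUH_Manager is ignored
# and the default placeholder address stays in ossec.conf. Usage: install_cmd <fam> <file> <ip> <group>
install_cmd() {
    case "$1" in
        rpm) echo "WAZUH_MANAGER='$3' WAZUH_AGENT_GROUP='$4' rpm -ihv $2" ;;
        deb) echo "WAZUH_MANAGER='$3' WAZUH_AGENT_GROUP='$4' dpkg -i $2" ;;
        *)   return 1 ;;
    esac
}

main() {
    fam=$(pkg_family)
    url=$(pkg_url "$fam" "$WAZUH_VERSION") || { echo "unsupported package family: $fam" >&2; exit 1; }
    file=$(basename "$url")
    curl -fsSLo "$file" "$url"
    sudo sh -c "$(install_cmd "$fam" "$file" "$MANAGER" "$GROUP")"
    sudo systemctl daemon-reload
    sudo systemctl enable --now wazuh-agent
    # Agent-side check: the manager address passed in should now be in ossec.conf.
    sudo grep -q "<address>$MANAGER</address>" /var/ossec/etc/ossec.conf
}
# Run as: sh install-wazuh-agent.sh install  (no argument only defines the functions)
case "${1:-}" in install) main ;; esac
```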