Lab 2.2: Syslog Organization on Log01 - squatchulator/Tech-Journal GitHub Wiki

Syslog Organization on Log01

Set up mgmt01

  • Put it on the LAN adapter
  • Configure network:
    • 172.16.150.10/24 : 172.16.150.2
  • Change password, make new sudo user
  • On Fw01:
configure
set nat source rule 20 description "NAT FROM LAN to WAN"
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 172.16.150.0/24
set nat source rule 20 translation address masquerade
commit
save
set service dns forwarding listen-address 172.16.150.2
set service dns forwarding allow-from 172.16.150.0/24
set service dns forwarding system
commit
save
  • Install & configure chrome remote desktop on Mgmt01

Log Organization on Log01

  • In /etc/rsyslog.conf, uncomment the following lines so rsyslog listens for remote syslog on UDP and TCP port 514:
    • $ModLoad imudp
    • $UDPServerRun 514
    • $ModLoad imtcp
    • $InputTCPServerRun 514
  • Run sudo systemctl restart rsyslog
  • Confirm both listeners are up: sudo ss -lunp | grep 514 and sudo ss -ltnp | grep 514

Custom rsyslog drop-in file

  • cd /etc/rsyslog.d/
  • sudo wget https://raw.githubusercontent.com/gmcyber/sec350-share/main/03-sec350.conf
  • cat 03-sec350.conf to confirm the download is the expected rsyslog configuration and not an HTML error page; read it before restarting, since anything in /etc/rsyslog.d/ is loaded on the next restart
  • sudo systemctl restart rsyslog
  • On Web01:
    • logger -t SEC350 Testing web01->log01 custom rsyslog configuration
  • On Log01 (AS ROOT):
    • ls -lR --color /var/log/remote-syslog/
    • cat /var/log/remote-syslog/web01-yourname/YYYY.MM.DD.SEC350.log
  • On Web01:
    • sudo nano /etc/rsyslog.d/sec350-client.conf
      • Add the lines:
user.notice @172.16.50.5
authpriv.* @172.16.50.5
 - Run `sudo systemctl restart rsyslog`
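The two drop-ins above, written out as an added example for this journal; it is not the course's 03-sec350.conf, whose contents are not reproduced on this page. It assumes the UDP/TCP listeners are already uncommented in /etc/rsyslog.conf as described, that the collector is 172.16.50.5, that rsyslog.conf includes /etc/rsyslog.d/*.conf in name order (the Debian/Ubuntu default, which is why a "03-" file is processed before 50-default.conf), and the template name and the dropin_mentions helper are my own.

```shell
#!/bin/sh
# Added example, not the course's 03-sec350.conf. Assumptions: listeners are
# already enabled in /etc/rsyslog.conf, the collector is 172.16.50.5, and
# /etc/rsyslog.d/*.conf is included in name order so "03-" precedes 50-default.
set -eu

LOG_SERVER="${LOG_SERVER:-172.16.50.5}"
LOG_ROOT="${LOG_ROOT:-/var/log/remote-syslog}"

# Collector side. Anything that did not arrive over the local socket
# (fromhost-ip 127.0.0.1) is filed as
#   <LOG_ROOT>/<sending host>/<YYYY.MM.DD>.<program>.log
# and then stopped, so it does not also land in /var/log/syslog.
# %HOSTNAME% is whatever the sender wrote in the syslog header; nothing here
# authenticates it, so restrict who can reach 514 at the firewall.
write_server_dropin() {
    out="$1/03-sec350.conf"
    cat > "$out" <<EOF
template(name="RemoteByHostProgram" type="string"
         string="${LOG_ROOT}/%HOSTNAME%/%\$YEAR%.%\$MONTH%.%\$DAY%.%programname%.log")

if (\$fromhost-ip != "127.0.0.1") then {
    action(type="omfile" dynaFile="RemoteByHostProgram"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
EOF
    echo "$out"
}

# Client side: the lab's two selectors. One "@" forwards over UDP (lost
# datagrams are silently dropped); "@@" forwards over TCP. Neither encrypts
# or authenticates the stream, which is acceptable only inside the lab.
write_client_conf() {
    out="$1/sec350-client.conf"
    cat > "$out" <<EOF
user.notice @${LOG_SERVER}
authpriv.* @${LOG_SERVER}
EOF
    echo "$out"
}

# Fixed-string check on a generated file (returns 0 if the text is present).
# On a real host the authoritative check is: rsyslogd -N1 -f <file>
dropin_mentions() {
    grep -qF -- "$2" "$1"
}
```

On log01 call write_server_dropin /etc/rsyslog.d, on web01 call write_client_conf /etc/rsyslog.d, then sudo systemctl restart rsyslog on each. The fromhost-ip filter is what keeps log01's own messages out of the remote tree; if you ever point log01's client config at itself, change the test accordingly.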

Logging AUTH events

  • From Rw01:
  • From Mgmt01:
    • ssh [email protected]
    • sudo -i
    • cd /var/log/remote-syslog/web01-user/
    • cat YYYY.MM.DD.sshd.log
  • From Fw01:
    • set system syslog host 172.16.50.5 facility authpriv level info
    • commit
    • save
    • Logout and log back in to send auth logs.
  • From Mgmt01:
  • From Log01:
    • tree
    • grep -i invalid /var/log/remote-syslog/fw01-user/YYYY.MM.DD.sshd.log (the -i catches both "Invalid user" and "Failed password for invalid user" lines)
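The grep above is the first question you ask of these files; the functions below, added here as an example and not part of the course material, carry it through to the triage a practitioner actually wants: who guessed usernames, how many failures each source produced across every host under /var/log/remote-syslog, and which sources crossed a threshold. It assumes the logs are in the traditional syslog file format ("Mon DD HH:MM:SS host tag[pid]: message") with standard OpenSSH messages; every log line in write_sample_log is constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the course: triage the per-host sshd logs rsyslog
# files under <root>/<host>/YYYY.MM.DD.sshd.log. Assumes the traditional
# syslog file format and standard OpenSSH messages; sample data is constructed.
set -eu

LOG_ROOT="${LOG_ROOT:-/var/log/remote-syslog}"

# One directory per sending host: the hosts that have sent anything at all
list_hosts() {
    for d in "$1"/*/; do
        if [ -d "$d" ]; then basename "$d"; fi
    done
}

# Every sshd log for one host directory, oldest first (names sort by date)
sshd_logs() {
    for f in "$1"/*.sshd.log; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# "user ip" per failed authentication. sshd logs "Invalid user X" and then
# "Failed password for invalid user X" for the same attempt, so only the
# "Failed password" lines are counted to avoid double counting.
failed_logins() {
    sed -nE 's/.*sshd\[[0-9]+\]: Failed password for (invalid user )?([^ ]+) from ([0-9.]+) .*/\2 \3/p' "$1"
}

# Distinct usernames that do not exist on the host: what was guessed
invalid_usernames() {
    sed -nE 's/.*sshd\[[0-9]+\]: Invalid user ([^ ]+) from ([0-9.]+) .*/\1/p' "$1" | sort -u
}

# "ip count", busiest source first
attempts_by_source() {
    failed_logins "$1" | awk '{print $2}' | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Sources with at least $2 failures in one file: candidates for a firewall rule
flag_sources() {
    attempts_by_source "$1" | awk -v t="$2" '$2 >= t {print $1}'
}

# "host ip count" for every host and every sshd log under a log root ($1),
# keeping only sources with at least $2 failures
report() {
    root="$1"; threshold="$2"
    for host in $(list_hosts "$root"); do
        for f in $(sshd_logs "$root/$host"); do
            attempts_by_source "$f" | awk -v h="$host" -v t="$threshold" '$2 >= t {print h, $1, $2}'
        done
    done
}

# Constructed sample log (not captured from the lab) so the functions can be
# exercised without a collector: one key login, two guessed usernames from
# one source, one typo from the admin workstation
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 09:12:01 web01 sshd[2210]: Accepted publickey for user from 172.16.150.10 port 50122 ssh2: ED25519 SHA256:constructed
Mar  3 09:13:44 web01 sshd[2231]: Invalid user admin from 172.16.200.7 port 41002
Mar  3 09:13:46 web01 sshd[2231]: Failed password for invalid user admin from 172.16.200.7 port 41002 ssh2
Mar  3 09:13:50 web01 sshd[2235]: Invalid user oracle from 172.16.200.7 port 41008
Mar  3 09:13:52 web01 sshd[2235]: Failed password for invalid user oracle from 172.16.200.7 port 41008 ssh2
Mar  3 09:14:03 web01 sshd[2240]: Failed password for user from 172.16.150.10 port 50130 ssh2
Mar  3 09:14:07 web01 sshd[2240]: Accepted password for user from 172.16.150.10 port 50130 ssh2
EOF
}
```

On log01 run report "$LOG_ROOT" 5 as root to see every source that failed five or more times against any host; the VyOS sshd on fw01 produces the same OpenSSH message formats, so the fw01-user directory is covered by the same functions.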

Other Helpful Inclusions

Generating an SSH Key Pair

  • Generate the key pair
    • ssh-keygen -t rsa -b 2048 -C "some_identifier_here" (or ssh-keygen -t ed25519 -C "some_identifier_here" for a shorter, modern key)
    • This generates the private key ~/.ssh/id_rsa and the public key ~/.ssh/id_rsa.pub (id_ed25519 and id_ed25519.pub for ed25519). The private key never leaves the machine that generated it.
  • Copy the public key over to the server
    • ssh-copy-id user@server_ip
    • This appends the public key to ~/.ssh/authorized_keys on the server (it needs a password login once to do so).
  • On the server:
    • sudo nano /etc/ssh/sshd_config
    • Ensure PubkeyAuthentication is set to yes
    • Ensure PasswordAuthentication is set to no
    • Add or uncomment these lines as necessary
    • Check the file parses with sudo sshd -t, then sudo systemctl restart sshd
    • Keep your current session open and confirm a key-based login works from a second terminal before closing it; once passwords are refused, a broken key setup locks you out.
    • If key login is still refused, sshd (StrictModes, on by default) ignores authorized_keys when ~/.ssh or the file is writable by other users; tighten the permissions:
      • chmod 700 ~/.ssh
      • chmod 600 ~/.ssh/authorized_keys

Changing a password in VyOS

  • configure
  • set system login user <user_here> authentication plaintext-password <new_password_here> (VyOS replaces this with an encrypted-password hash on commit, so the clear text is not kept in the saved configuration)
  • commit
  • save
  • exit