Project 1: Network Redundancy - squatchulator/Tech-Journal GitHub Wiki

Project 1: Network Redundancy

Network

(network diagram image: VyOS1/VyOS2 pair with SEC440-WAN, MILES-LAN and MILES-OPT segments)

  1. Update net adapters + boot VMs
  2. VyOS

VyOS1 Commands

configure
set system host-name vyos1-miles
set interfaces ethernet eth0 address 10.0.17.12/24
set interfaces ethernet eth0 description SEC440-WAN
set interfaces ethernet eth1 address 10.0.5.2/24
set interfaces ethernet eth1 description MILES-LAN
set interfaces ethernet eth2 address 10.0.6.2/24
set interfaces ethernet eth2 description MILES-OPT

set nat destination rule 10 description "Allow HTTP to LAN"
set nat destination rule 10 destination address 10.0.17.102
set nat destination rule 10 destination port 80
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 10.0.5.100
set nat destination rule 10 translation port 80

set nat destination rule 20 description "Allow SSH to LAN"
set nat destination rule 20 destination address 10.0.17.102
set nat destination rule 20 destination port 22
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 10.0.5.100
set nat destination rule 20 translation port 22

set nat source rule 10 description 'Allow NAT from LAN to WAN'
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.5.0/24
set nat source rule 10 translation address masquerade

set service dns forwarding allow-from 10.0.5.0/24
set service dns forwarding listen-address 10.0.5.1
set service dns forwarding system
set service ssh listen-address 0.0.0.0
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2

set high-availability vrrp group wangroup2 vrid 152
set high-availability vrrp group wangroup2 interface eth0
set high-availability vrrp group wangroup2 address 10.0.17.102/24
set high-availability vrrp group wangroup2 priority 200
set high-availability vrrp group langroup0 vrid 10
set high-availability vrrp group langroup0 interface eth1
set high-availability vrrp group langroup0 address 10.0.5.1/24
set high-availability vrrp group langroup0 priority 200
set high-availability vrrp group optgroup0 vrid 20
set high-availability vrrp group optgroup0 interface eth2
set high-availability vrrp group optgroup0 address 10.0.6.1/24
set high-availability vrrp group optgroup0 priority 200


commit
save

VyOS2 Commands

configure
set system host-name vyos2-miles
set interfaces ethernet eth0 address 10.0.17.72/24
set interfaces ethernet eth0 description SEC440-WAN
set interfaces ethernet eth1 address 10.0.5.3/24
set interfaces ethernet eth1 description MILES-LAN
set interfaces ethernet eth2 address 10.0.6.3/24
set interfaces ethernet eth2 description MILES-OPT

set nat destination rule 10 description "Allow HTTP to LAN"
set nat destination rule 10 destination address 10.0.17.102
set nat destination rule 10 destination port 80
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 10.0.5.100
set nat destination rule 10 translation port 80

set nat destination rule 20 description "Allow SSH to LAN"
set nat destination rule 20 destination address 10.0.17.102
set nat destination rule 20 destination port 22
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 10.0.5.100
set nat destination rule 20 translation port 22

set nat source rule 10 description 'Allow NAT from LAN to WAN'
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.5.0/24
set nat source rule 10 translation address masquerade

set service dns forwarding allow-from 10.0.5.0/24
set service dns forwarding listen-address 10.0.5.1
set service dns forwarding system
set service ssh listen-address 0.0.0.0
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2

set high-availability vrrp group wangroup2 vrid 152
set high-availability vrrp group wangroup2 interface eth0
set high-availability vrrp group wangroup2 address 10.0.17.102/24
set high-availability vrrp group wangroup2 priority 100
set high-availability vrrp group langroup0 vrid 10
set high-availability vrrp group langroup0 interface eth1
set high-availability vrrp group langroup0 address 10.0.5.1/24
set high-availability vrrp group langroup0 priority 100
set high-availability vrrp group optgroup0 vrid 20
set high-availability vrrp group optgroup0 interface eth2
set high-availability vrrp group optgroup0 address 10.0.6.1/24
set high-availability vrrp group optgroup0 priority 100

commit
save
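For VRRP to fail over cleanly, the two router configurations above must agree on every group's vrid, interface and virtual address and differ only in priority, and the DNAT rules must target the shared WAN VIP (10.0.17.102) rather than either router's own eth0 address. The script below is an added example, not part of this journal or of VyOS: it parses the flat `set` lines of both routers (a constructed subset of the commands above) and reports anything that would silently break failover. The function names (`parse_set_lines`, `check_pair`) are my own.

```python
"""Added example (not from the wiki): consistency checks for a VyOS VRRP pair.

Checks: every VRRP group exists on both routers with the same vrid,
interface and virtual address; priorities differ; no two groups on one
interface share a vrid; DNAT rules target a VRRP virtual address; and the
DNAT rule sets are identical on both routers.
"""
import shlex
from collections import defaultdict

# Constructed subset of the page's VyOS1 commands.
VYOS1 = """
set interfaces ethernet eth0 address 10.0.17.12/24
set interfaces ethernet eth1 address 10.0.5.2/24
set nat destination rule 10 description "Allow HTTP to LAN"
set nat destination rule 10 destination address 10.0.17.102
set nat destination rule 10 destination port 80
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 10.0.5.100
set nat destination rule 10 translation port 80
set high-availability vrrp group wangroup2 vrid 152
set high-availability vrrp group wangroup2 interface eth0
set high-availability vrrp group wangroup2 address 10.0.17.102/24
set high-availability vrrp group wangroup2 priority 200
set high-availability vrrp group langroup0 vrid 10
set high-availability vrrp group langroup0 interface eth1
set high-availability vrrp group langroup0 address 10.0.5.1/24
set high-availability vrrp group langroup0 priority 200
"""

# VyOS2: own interface addresses differ, VRRP identical except priority.
VYOS2 = (VYOS1.replace("10.0.17.12/24", "10.0.17.72/24")
              .replace("10.0.5.2/24", "10.0.5.3/24")
              .replace("priority 200", "priority 100"))


def parse_set_lines(text):
    """Map each 'set <path...> <value>' line to {path_tuple: value}."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        tokens = shlex.split(line[4:])  # honours quoted descriptions
        config[tuple(tokens[:-1])] = tokens[-1]
    return config


def vrrp_groups(config):
    """{group_name: {'vrid': ..., 'interface': ..., 'address': ..., 'priority': ...}}"""
    groups = defaultdict(dict)
    for path, value in config.items():
        if len(path) == 5 and path[:3] == ("high-availability", "vrrp", "group"):
            groups[path[3]][path[4]] = value
    return dict(groups)


def dnat_rules(config):
    """Only the 'nat destination rule' subtree, for comparison between routers."""
    return {p: v for p, v in config.items() if p[:3] == ("nat", "destination", "rule")}


def check_pair(cfg_a, cfg_b):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    ga, gb = vrrp_groups(cfg_a), vrrp_groups(cfg_b)
    for name in sorted(set(ga) | set(gb)):
        if name not in ga or name not in gb:
            problems.append(f"{name}: defined on only one router")
            continue
        for key in ("vrid", "interface", "address"):
            if ga[name].get(key) != gb[name].get(key):
                problems.append(f"{name}: {key} differs "
                                f"({ga[name].get(key)} vs {gb[name].get(key)})")
        if ga[name].get("priority") == gb[name].get("priority"):
            problems.append(f"{name}: equal priority on both routers; "
                            "master election falls back to highest IP")
    seen = {}  # (interface, vrid) must be unique on a segment
    for name, group in ga.items():
        key = (group.get("interface"), group.get("vrid"))
        if key in seen:
            problems.append(f"{name} and {seen[key]} share vrid {key[1]} on {key[0]}")
        seen[key] = name
    vips = {g["address"].split("/")[0] for g in ga.values() if "address" in g}
    for cfg, label in ((cfg_a, "router A"), (cfg_b, "router B")):
        for path, value in dnat_rules(cfg).items():
            if path[4:] == ("destination", "address") and value not in vips:
                problems.append(f"{label} DNAT rule {path[3]} targets {value}, "
                                "which is not a VRRP virtual address")
    if dnat_rules(cfg_a) != dnat_rules(cfg_b):
        problems.append("DNAT rule sets differ between routers")
    return problems


if __name__ == "__main__":
    findings = check_pair(parse_set_lines(VYOS1), parse_set_lines(VYOS2))
    for line in findings or ["OK: pair is consistent"]:
        print(line)
```

Run it against exports of both routers (`show configuration commands` on VyOS prints the same flat `set` form) before and after any change to one side; a finding such as an equal priority or a DNAT rule bound to 10.0.17.12 would otherwise only show up when the master goes down.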
  3. Workstations

Web01:

  • First things first, log into the box and create a new privileged user (reminder: on CentOS, add it to the wheel group!). Rename the box to web01-firstname.
  • Boot the VM and run nmtui to change the network settings. Set the IP configuration to manual and enter the addressing from the diagram above. Gateway and DNS are both 10.0.5.1.
  • Also install httpd and start it. You will need to use firewall-cmd to permanently open port 80 on Web01 as well.
  • Now we need to install MFA for SSH on this box. Run the following commands (from this guide):
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install google-authenticator
google-authenticator
(say yes to time-based tokens)
  - Emergency codes are:
    - 50337011
    - 51801320
    - 14903169
    - 43963623
    - 32223180
(say yes to updating auth file)
(say yes to disallow duplicate tokens)
(say no for additional token time)
(say yes to rate-limiting)
sudo nano /etc/pam.d/sshd
# Append this line to the bottom of the file:
auth required pam_google_authenticator.so nullok
# Save and close
sudo nano /etc/ssh/sshd_config
# Look for ChallengeResponseAuthentication line.
# Comment out the 'no' line and add a copy of it but with 'yes' instead.
# Save and close
sudo systemctl restart sshd.service
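The two file edits above are worth doing idempotently and checking afterwards, because sshd honours only the first matching directive in sshd_config: a `ChallengeResponseAuthentication yes` appended at the bottom loses to an active `no` higher up. The script below is an added example, not from this journal or from the google-authenticator project. It applies both edits to constructed stand-ins for /etc/pam.d/sshd and /etc/ssh/sshd_config (comment out the active `no` line, put the `yes` line in its place, append the PAM line exactly once) and reports the value sshd will use. Function names are my own. One caveat on the PAM line itself: `nullok` lets any account that has not run google-authenticator (no ~/.google_authenticator file) log in with its password alone, so the result is only as strong as the enrolment of every SSH user on the box.

```python
"""Added example (not from the wiki): apply the MFA edits idempotently and
report which ChallengeResponseAuthentication value sshd will actually use.
The sample files are constructed stand-ins for a CentOS 7 /etc/pam.d/sshd
and /etc/ssh/sshd_config, not copies of real files.
"""
import re

PAM_DIRECTIVE = "auth required pam_google_authenticator.so nullok"
CHALLENGE_RE = re.compile(r"^\s*ChallengeResponseAuthentication\s+(yes|no)\s*$",
                          re.IGNORECASE)

# Constructed sample files.
SAMPLE_PAM_SSHD = """#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
"""

SAMPLE_SSHD_CONFIG = """Port 22
PasswordAuthentication yes
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""


def effective_setting(sshd_config):
    """Value of the first active ChallengeResponseAuthentication line, or None."""
    for line in sshd_config.splitlines():
        match = CHALLENGE_RE.match(line)
        if match:
            return match.group(1).lower()
    return None


def enable_challenge_response(sshd_config):
    """Comment out each active '... no' line and put '... yes' in its place.

    The 'yes' goes where the 'no' was, not at the end of the file, because
    an earlier active 'no' would win.  Running this on its own output
    changes nothing.
    """
    out = []
    have_yes = False
    for line in sshd_config.splitlines():
        match = CHALLENGE_RE.match(line)
        if match and match.group(1).lower() == "no":
            out.append("#" + line)
            if not have_yes:
                out.append("ChallengeResponseAuthentication yes")
                have_yes = True
            continue
        if match:
            have_yes = True
        out.append(line)
    if not have_yes:  # no directive at all: add one explicitly
        out.append("ChallengeResponseAuthentication yes")
    return "\n".join(out) + "\n"


def ensure_pam_line(pam_sshd, directive=PAM_DIRECTIVE):
    """Append the Google Authenticator line at the bottom, only if absent."""
    active = [" ".join(line.split()) for line in pam_sshd.splitlines()
              if line.strip() and not line.lstrip().startswith("#")]
    if directive in active:
        return pam_sshd if pam_sshd.endswith("\n") else pam_sshd + "\n"
    return pam_sshd.rstrip("\n") + "\n" + directive + "\n"


def apply_mfa_edits(pam_sshd, sshd_config):
    """Return both edited texts plus the setting sshd will use after restart."""
    new_pam = ensure_pam_line(pam_sshd)
    new_sshd = enable_challenge_response(sshd_config)
    return {"pam": new_pam, "sshd_config": new_sshd,
            "challenge_response": effective_setting(new_sshd)}


if __name__ == "__main__":
    result = apply_mfa_edits(SAMPLE_PAM_SSHD, SAMPLE_SSHD_CONFIG)
    print(result["sshd_config"])
    print("sshd will use ChallengeResponseAuthentication", result["challenge_response"])
```

Before restarting sshd on a real box, keep an existing SSH session open and confirm from a second session that the password prompt is followed by a "Verification code" prompt; `effective_setting` only tells you what the file says, the second login tells you PAM and sshd agree.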

xUbuntu-WAN

  • Boot the VM and log into champuser. Run sudo adduser <new user> and go through the user creation process. Then run sudo usermod -aG sudo <new user>. Now log out and log into your new account. Run sudo deluser champuser to delete the default user. You may need to kill a process belonging to champuser in order to do so.
  • Go to the network settings and enter the networking information for this box. The gateway and DNS are both 10.0.17.2, but this box has its own unique IP.
  • If everything works properly, you should be able to ping google.com by hostname.

xUbuntu-LAN

  • Set up networking per the diagram above, using 10.0.5.1 as the gateway and DNS server.
  • Make sure to set up a new user and delete the old one here as well; this is good practice.