📘 SEC 350 - tconklin-champlain/Tech-Journal GitHub Wiki

Quickly export firewall config 💡 show configuration commands | grep -v "syslog global\|ntp\|login\|console\|config\|hw-id\|loopback\|conntrack"

Network & Security Controls

Class Rules:

  • Nice Teacher
  • Don’t be late
  • If you ghost 2 classes you're dead
  • Participate

💡 Having trouble? Consider Nick! 💡 Chrome Remote Desktop black screen? Log out of vCenter; you cannot be on both! 💣 FUCKING DNS AGAIN it's 10.0.17.2!!!


Server          Network  IP                 OS
fw1-trisha      WAN      10.0.17.112/24     VyOS
-               DMZ      172.16.50.2/29     -
-               LAN      172.16.150.2/24    -
rw01-trisha     WAN      10.0.17.12/24      Xubuntu
web01-trisha    DMZ      172.16.50.3/29     CentOS 7
log01-trisha    MGMT     172.16.200.10/28   CentOS 7
wks01-trisha    LAN      172.16.150.50/24   Windows 10
fw-mgmt-trisha  LAN      172.16.200.2/24    VyOS
mgmt01-trisha   MGMT     172.16.200.11/28   Windows Server
jump-trisha     DMZ      172.16.50.4/29     Jump Box

Jump Pass: Gl8&%dsA

Labs:

Routing and DMZ

💡 Quick Tip: Easily change the hostname in Linux using the hostnamectl command

rw01 Setup


fw01 Setup

OLD VyOS Notes

💡 CONFIGURE, COMMIT, SAVE, EXIT. This will be used a lot.

Hostname

configure
set system host-name fw1-timothy
commit
save
exit

💡 Always set a description on each interface

Networking

Deleting the old

Make sure to delete the current or previous network configs.

show interfaces
delete interfaces ethernet eth0 address dhcp
delete interfaces ethernet eth1 address dhcp

Setting the descriptions

configure
set interfaces ethernet eth0 description SEC350-WAN
commit
save
exit

Setting the interfaces

set interfaces ethernet ethX address IPADDRESS/MASK

Set route for gateway

set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save

web01 Setup

Use nmtui and standard fare; the only new thing was using the /29 subnet for the DMZ network.

Configuring fw01 for NAT and DNS

configure
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade
commit
save
configure
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
set service dns forwarding system
commit
save

💣💡 Only worry about what's behind you in the network: since web01 is on the DMZ, its gateway and DNS server are the firewall's DMZ interface!!!

💡 If the network is consistently buggy check that nmtui is not set to automatic with manual additions!

log01 Setup

Testing httpd on web01 from rw01

💣💡 There is a reason the firewall-cmd commands use --permanent; it will save you another hour of frustration in the future!!!

Configuring rsyslog on log01

  • Edit the /etc/rsyslog.conf
  • Uncomment the Provides UDP/TCP sections
  • Restart the service
  • Check if it worked with the command netstat -tupan | grep 514

Configuring rsyslog on web01

  • edit /etc/rsyslog.d/sec350.conf
  • add line user.notice @172.16.50.5

💡 The line in sec350.conf means: user = syslog facility, notice = syslog priority, @ = UDP (@@ would mean TCP, so we are only going to send UDP), 172.16.50.5 = remote syslog server.

Syslog Organization on log01

How to change username and password on vyos

  1. Enter configure
  2. set system login user [username] authentication plaintext-password [password]
  3. commit and save!

💡 REMEMBER: restart the rsyslog service on web01, not log01!


Enabling ssh on vyos

Setting up SSH on VyOS

How to activate authpriv on logs?


Drop in config

module(load="imudp")
input(type="imudp" port="514" ruleset="RemoteDevice")
template(name="DynFile" type="string"
	string="/var/log/remote-syslog/%HOSTNAME%/%$YEAR%.%$MONTH%.%$DAY%.%PROGRAMNAME%.log"
)
ruleset(name="RemoteDevice"){
	action(type="omfile" dynaFile="DynFile")
}
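As an added example (not code from the wiki), the following Python models what the `user.notice @172.16.50.5` line on web01 and the DynFile template in the drop-in config above do to a single message: it parses the selector, checks a constructed BSD-style syslog line against it, decodes the `<PRI>` prefix into facility and severity, and expands the template to the path log01 would write. The facility and severity code tables are the standard syslog values; the sample message, the hostnames and the receive timestamp are constructed for the example.

```python
"""Added example: rsyslog selector semantics and the log01 DynFile layout (not wiki code)."""
import re
from datetime import datetime
from typing import Optional

# Standard syslog facility and severity codes (RFC 3164 numbering).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def parse_selector(line: str) -> dict:
    """'user.notice @172.16.50.5' -> facility, severity threshold, transport and target."""
    m = re.fullmatch(r"(\w+)\.(\w+)\s+(@@?)([\w.\-]+)(?::(\d+))?", line.strip())
    if not m:
        raise ValueError(f"not a forwarding selector: {line!r}")
    facility, severity, marker, host, port = m.groups()
    if facility not in FACILITIES or severity not in SEVERITIES:
        raise ValueError(f"unknown facility or severity in {line!r}")
    return {"facility": facility, "severity": severity,
            "transport": "tcp" if marker == "@@" else "udp",  # @ = UDP, @@ = TCP
            "host": host, "port": int(port) if port else 514}   # 514 is the syslog default


def selector_matches(selector: dict, facility: str, severity: str) -> bool:
    """Classic selector semantics: same facility, and this severity or anything more severe."""
    return (facility == selector["facility"]
            and SEVERITIES[severity] <= SEVERITIES[selector["severity"]])


def pri(facility: str, severity: str) -> int:
    """PRI value carried in the <N> prefix: facility * 8 + severity (user.notice -> 13)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


BSD_MSG = re.compile(
    r"<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)")


def parse_message(raw: str) -> dict:
    """Split a BSD-style syslog line into the properties rsyslog exposes to templates."""
    m = BSD_MSG.fullmatch(raw)
    if not m:
        raise ValueError(f"unparseable syslog line: {raw!r}")
    prival, timestamp, hostname, program, msg = m.groups()
    facility_code, severity_code = divmod(int(prival), 8)
    return {"pri": int(prival),
            "facility": FACILITY_NAMES.get(facility_code, str(facility_code)),
            "severity": SEVERITY_NAMES[severity_code],
            "timestamp": timestamp, "hostname": hostname,
            "programname": program, "msg": msg}


def dynfile_path(hostname: str, programname: str, received: datetime) -> str:
    """Expand the DynFile template; %$YEAR%/%$MONTH%/%$DAY% are taken from the receive time on log01."""
    return f"/var/log/remote-syslog/{hostname}/{received:%Y.%m.%d}.{programname}.log"


def route_message(raw: str, selector_line: str, received: datetime) -> Optional[str]:
    """Where log01 files this message if web01's selector forwards it, else None."""
    sel = parse_selector(selector_line)
    msg = parse_message(raw)
    if not selector_matches(sel, msg["facility"], msg["severity"]):
        return None
    return dynfile_path(msg["hostname"], msg["programname"], received)


def demo() -> Optional[str]:
    """Constructed sample: a user.notice line (PRI 13) from web01, received at a fixed time."""
    sample = "<13>Mar  1 12:00:00 web01 logger: test from web01"
    return route_message(sample, "user.notice @172.16.50.5", datetime(2023, 3, 1, 12, 0, 0))


if __name__ == "__main__":
    print(parse_selector("user.notice @172.16.50.5"))
    print(demo())
```

A `user.info` message (PRI 14) from the same host is not forwarded by this selector, because `user.notice` only forwards notice and anything more severe; that is the check `selector_matches` performs.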

Wazuh

💡 Wazuh takes a while to install so be sure to have other assignments you can do.

Installation

curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Firewall Rules

firewall-cmd --permanent --add-port={1515,1514,514,55000,443}/tcp && firewall-cmd --permanent --add-port=514/udp && firewall-cmd --reload

Wazuh Credentials

  • username: admin
  • password: eH5KE+txd2Exb88izO7aF9i*ALlFIVhS

Segmentation

Where to find logs?


Graylog

How to install?

Different ways of changing OS logs

IIS = go into the config and change settings, or use a PowerShell command. I couldn't find any more; just rsyslog and Linux, which we already did.

Lab 4.2 Network Firewalls 1

Updating vyOS builds:

  1. add system image <URL TO ISO GOES HERE>
  2. VyOS nightly Builds

Creating Firewall Examples

  • WAN and DMZ
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
set firewall name WAN-to-DMZ default-action drop
set firewall name WAN-to-DMZ enable-default-log
set firewall name DMZ-to-WAN default-action drop
set firewall name DMZ-to-WAN enable-default-log
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
commit
save

Creating Firewall Rules

  • WAN to DMZ

set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 protocol tcp
set firewall name WAN-to-DMZ rule 10 description "Allow WAN Access to Web01 HTTP"
set firewall name WAN-to-DMZ rule 10 state established enable

  • DMZ to LAN

set firewall name LAN-to-DMZ default-action drop
set firewall name LAN-to-DMZ enable-default-log
set firewall name DMZ-to-LAN default-action drop
set firewall name DMZ-to-LAN enable-default-log
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN

💡 Consider that you did not need to allow the communication back from LAN-TO-DMZ. Remember, UDP does not require a bidirectional connection. TCP, on the other hand, is a stateful connection-oriented protocol. It's all in that infamous handshake! 💡 MAKE SURE YOU ENABLE RULES

Logging Firewall Traffic

Enter this in both firewalls:

configure
set system syslog host 172.16.200.10 facility kern level debug
set system syslog host 172.16.200.10 port 1514
commit
save
exit
sudo systemctl restart rsyslog

Allow ssh from mgmt01 to web server

set firewall name LAN-to-DMZ rule 15 action accept
set firewall name LAN-to-DMZ rule 15 description "Allow LAN access to web01 SSH"
set firewall name LAN-to-DMZ rule 15 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 15 destination port 22
set firewall name LAN-to-DMZ rule 15 protocol tcp

Create a DMZ-to-WAN rule that allows web01 to sync time over NTP

set firewall name DMZ-to-WAN rule 15 action accept
set firewall name DMZ-to-WAN rule 15 destination port 123
set firewall name DMZ-to-WAN rule 15 protocol udp
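An added Python model (not part of the wiki, and not VyOS code) of the zone policy built above, to show why the SSH reply from web01 back to the LAN needs no DMZ-to-LAN accept rule: zones are derived from the subnets in the address table, the rulesets are transcribed from the `set firewall name` commands on this page (WAN-to-DMZ rule 10, DMZ-to-WAN rule 15, LAN-to-DMZ rule 15, and the empty default-drop DMZ-to-LAN), and a connection table accepts the return traffic of an already-accepted flow before any ruleset is consulted, which is what a stateful firewall's established-state handling does. The packets and the log line format are constructed; the log format only imitates a default-log message.

```python
"""Added example: stateful zone-policy firewall model (not wiki or VyOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Zone membership from the address table on this page; a host's zone is its subnet.
ZONES = {
    "WAN": ipaddress.ip_network("10.0.17.0/24"),
    "DMZ": ipaddress.ip_network("172.16.50.0/29"),
    "LAN": ipaddress.ip_network("172.16.150.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    proto: str = "all"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "all" or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Rulesets transcribed from the set firewall name ... commands; default-action is drop.
RULESETS = {
    "WAN-to-DMZ": [Rule(10, "accept", "tcp", "172.16.50.3", 80)],
    "DMZ-to-WAN": [Rule(15, "accept", "udp", None, 123)],
    "LAN-to-DMZ": [Rule(15, "accept", "tcp", "172.16.50.3", 22)],
    "DMZ-to-LAN": [],
}
# zone-policy zone <to> from <from> firewall name <ruleset>; pairs with no policy are dropped.
POLICY = {("WAN", "DMZ"): "WAN-to-DMZ", ("DMZ", "WAN"): "DMZ-to-WAN",
          ("LAN", "DMZ"): "LAN-to-DMZ", ("DMZ", "LAN"): "DMZ-to-LAN"}


class ZoneFirewall:
    def __init__(self) -> None:
        self.conntrack: Set[Tuple] = set()  # accepted flows, like the kernel's connection table
        self.log: List[str] = []            # what enable-default-log would send to syslog

    @staticmethod
    def zone_of(ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        return next((name for name, net in ZONES.items() if addr in net), None)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets belonging to a tracked connection pass before any ruleset is consulted.
        if flow in self.conntrack or reverse in self.conntrack:
            return "accept", "established"
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if src_zone is None or dst_zone is None:
            return "drop", "address outside every zone"
        if src_zone == dst_zone:
            return "accept", "same zone"
        name = POLICY.get((src_zone, dst_zone))
        if name is None:
            return "drop", f"no zone-policy from {src_zone} to {dst_zone}"
        for rule in RULESETS[name]:
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.conntrack.add(flow)  # remember the flow so replies are accepted
                return rule.action, f"{name} rule {rule.number}"
        self.log.append(f"[{name}-default-D] {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "drop", f"{name} default-action"


def walkthrough() -> List[Tuple[str, str]]:
    """Constructed packets in the order a practitioner would test the policy."""
    fw = ZoneFirewall()
    packets = [
        Packet("172.16.150.50", "172.16.50.3", "tcp", 51000, 22),  # wks01 -> web01 SSH: rule 15
        Packet("172.16.50.3", "172.16.150.50", "tcp", 22, 51000),  # SSH reply: established, no rule needed
        Packet("172.16.50.3", "172.16.150.50", "tcp", 4444, 445),  # unsolicited DMZ -> LAN: dropped and logged
        Packet("10.0.17.12", "172.16.50.3", "tcp", 40000, 80),     # rw01 -> web01 HTTP: rule 10
        Packet("10.0.17.12", "172.16.50.3", "tcp", 40001, 22),     # rw01 -> web01 SSH: dropped and logged
        Packet("172.16.50.3", "10.0.17.2", "udp", 123, 123),       # web01 -> NTP: rule 15
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for verdict in walkthrough():
        print(verdict)
```

The second packet is the whole point of the tip above: the reply is accepted on the strength of the connection table alone, while the third packet, an unsolicited connection from the same DMZ host, hits the empty DMZ-to-LAN ruleset and is dropped and logged.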

Standardizing Time

3.1 Simplest way to standardize SYSLOG

WAZUH WF

  1. Add rule to allow traffic back through WAN-to-DMZ
  2. Make temp rule to allow traffic from web server
  3. Use this command on web server
sudo yum install mod_security mod_security_crs php php-common php-opcache php-mcrypt php-cli php-gd php-curl php-mysqlnd -y
  4. DELETE RULE 999

Telling ModSecurity to ignore a rule: go to /etc/httpd/conf.d/mod_security.conf and copy this into it:

    <LocationMatch "/">
      SecRuleRemoveById 960017
    </LocationMatch>

Port Forwarding and Jump Boxes

Quickly remove an IP route

  1. sudo ip route del 'IP ROUTE/X'
  2. sudo nm-connection-editor

Passwordless login

sudo -i
adduser --disabled-password jump-trisha
mkdir /home/jump-trisha/.ssh
touch /home/jump-trisha/.ssh/authorized_keys
chown -R jump-trisha:jump-trisha /home/jump-trisha/.ssh
sudo chmod 700 /home/jump-trisha/.ssh
sudo chmod 600 /home/jump-trisha/.ssh/authorized_keys

Windows Logging

Windows Time Command

w32tm /config /syncfromflags:manual /manualpeerlist:pool.ntp.org
net stop w32time
net start w32time
w32tm /resync
w32tm /query /source

New PowerShell Commands to create a domain admin and install ADDS / DNS

$PASSWORD = ConvertTo-SecureString -AsPlainText -Force -String "password here"
New-ADUser -Name "tconklin" -Description "To Be Admin" -Enabled $true -AccountPassword $PASSWORD
Add-ADGroupMember -Identity "Domain Admins" -Members tconklin
---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName timothy.local

Allow any connections on LAN to connect to mgmt01

set firewall name LAN-to-MGMT rule 15 action accept
set firewall name LAN-to-MGMT rule 15 description "Allow wks01 to initiate connection with mgmt"
set firewall name LAN-to-MGMT rule 15 destination address 172.16.200.11
set firewall name LAN-to-MGMT rule 15 protocol all

Sidecar Tutorial:

  1. Add new input select Beats
  2. Set it up; all that needs changing from the default is the name
  3. Go to system and sidecars and get your api key or generate it
mkdir C:\SEC-350
cd C:\SEC-350
wget https://github.com/Graylog2/collector-sidecar/releases/download/1.1.0/graylog_sidecar_installer_1.1.0-1.exe -OutFile sidecar.exe
./sidecar.exe /S -SERVERURL=http://log01:9000/api -APITOKEN=yourapitoken
cd 'C:\Program Files\Graylog\sidecar\'
./graylog-sidecar.exe -service install
./graylog-sidecar.exe -service start
  4. Check that it is running
  5. Create a new collector by going to the node and selecting configuration
  6. Pick a color, name it, and in the code field enter this
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["log01:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
  - name: Security
  7. Update it, then select administration and make sure your collector is running on the beats node.
  8. All set!