
Assessment Prep

Dave edited this page Mar 19, 2023 · 19 revisions

Assessment Description: For the assessment, you will be given a 3-zone network to configure that consists of:

Network Diagram:

[image: network diagram]

traveler: A WAN-based road-warrior user running Windows 10 (this replaces the Linux rw01).

edge01: A VyOS firewall with three interfaces (WAN, DMZ, LAN). You will need to add an interface using vCenter (this replaces fw01).

nginx01: A DMZ-based nginx web server running Ubuntu (this replaces web01 and Apache).

dhcp01: A LAN-based DHCP server running Ubuntu.


Configs

Traveler

CONFIG

  • IP: 10.0.17.15
  • GATEWAY: 10.0.17.2
  • SUBNET: 255.255.255.0
  • DNS: 10.0.17.2
# Prompt for the password as a SecureString so it never appears in the command line or history
$Password = Read-Host -AsSecureString
New-LocalUser "david" -Password $Password -FullName "david"
Add-LocalGroupMember -Group "Administrators" -Member "david"

# Rename the host; the reboot is required for the new name to take effect
Rename-Computer -NewName "traveler-david" -Restart

Keygen/sending to JUMP

ADMIN INSTALL OPENSSH

# Install the OpenSSH Server capability unless a host key already exists (i.e. it is already installed)
if (!(Test-Path "C:\ProgramData\ssh\ssh_host_rsa_key")) {
    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
}

# Start sshd now and make it start at every boot
Start-Service sshd
Set-Service -Name sshd -StartupType Automatic

USER RUN

# Generate a key pair: ssh-keys is the private key (stays on traveler), ssh-keys.pub is the public key
ssh-keygen.exe -f .\ssh-keys

SFTP

# Fetch the public key from traveler, then copy it to the jump box in the DMZ
sftp david@10.0.17.15:ssh-keys.pub
scp ssh-keys.pub david@172.16.50.4:travel.pub

# On the jump box, authorise the key for the jump-david account (only the .pub file is ever copied)
ssh david@172.16.50.4
sudo -i
cat /home/david/travel.pub >> /home/jump-david/.ssh/authorized_keys
END

Edge01-David

VMware config: adapter 1: WAN, adapter 2: DMZ, adapter 3: LAN

BASIC SET UP

set system host-name 'edge01-david'
set system name-server '10.0.17.2'

set system login user vyos authentication plaintext-password [PASS HERE]

Pulling config

wget -O edgeconf "https://raw.githubusercontent.com/dthomsen116/SEC-350/main/edgefirewall"


configure
load edgeconf
commit
save

FIREWALL BACKUP

NAME: DMZ-2-LAN

default-action drop
enable-default-log

rule 1:
action accept
state established enable

rule 10: 
action accept
desc: "wazuh comms w wazuhServ"
destination address 172.16.200.10
destination port 1514-1515
protocol tcp

NAME: DMZ-2-WAN

default-action drop
enable-default-log

rule 1:
action accept
state established enable

NAME: LAN-2-DMZ

default-action drop
enable-default-log

rule 1:
action accept
state established enable

rule 10: 
action accept
desc: "HTTP from LAN 2 NGINX"
destination address 172.16.50.3
destination port 80
protocol tcp

rule 20: 
action accept
desc: "ssh from mgmt01 2 DMZ"
destination address 172.16.50.0/29
destination port 22
protocol tcp
source address 172.16.150.10

NAME: LAN-2-WAN

default-action drop
enable-default-log

rule 1:
action accept
state established enable

NAME: WAN-2-DMZ

default-action drop
enable-default-log

rule 1:
action accept
state established enable

rule 10: 
action accept
desc: "HTTP from WAN 2 DMZ"
destination address 172.16.50.3
destination port 80
protocol tcp

rule 20: 
action accept
desc: "SSH from WAN 2 DMZ"
destination address 172.16.50.4
destination port 22
protocol tcp

NAME: WAN-2-LAN

default-action drop
enable-default-log

rule 1:
action accept
state established enable

Interfaces

ethernet eth0

address 10.0.17.115/24
desc: WAN

ethernet eth1

address 172.16.50.2/29
desc: DMZ

ethernet eth2

address 172.16.150.2/24
desc: LAN

NAT

DESTINATION

rule 10:
desc: HTTP-2-NGINX
destination port 80 
inbound interface eth0
protocol tcp 
translation address 172.16.50.3
translation port 80

rule 20:
desc: WAN-2-JUMP
destination port 22 
inbound interface eth0
protocol tcp 
translation address 172.16.50.4
translation port 22

SOURCE

rule 10:
desc: NAT from DMZ-2-WAN
outbound interface eth0
source address 172.16.50.3
translation address masquerade

rule 20:
desc: NAT from LAN-2-WAN
outbound interface eth0
source address 172.16.150.0/24
translation address masquerade

rule 30:
desc: NAT from MGMT-2-WAN
outbound interface eth0
source address 172.16.200.0/28
translation address masquerade

Protocols

rip:
interface eth2
network 172.16.50.0/29

static:
route 0.0.0.0/0
next hop 10.0.17.2

SERVICE

dns:
forwarding allow-from 172.16.50.0/29
forwarding allow-from 172.16.150.0/24
forwarding listen-address 172.16.50.2
forwarding listen-address 172.16.150.2
forwarding system

ssh: 
listen address 172.16.150.2

ZONE POLICY

zone WAN:
from DMZ firewall name DMZ-2-WAN
from LAN firewall name LAN-2-WAN
interface eth0

zone DMZ:
from LAN firewall name LAN-2-DMZ
from WAN firewall name WAN-2-DMZ
interface eth1

zone LAN:
from DMZ firewall name DMZ-2-LAN
from WAN firewall name WAN-2-LAN
interface eth2
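An added example, not from the wiki, that audits the zone policy, rule sets and DNAT rules above as data: every zone pair must have a rule set, every rule set must drop by default and allow established flows, and each DNAT forward needs a matching accept in the WAN-to-DMZ rule set, because the zone firewall sees the translated destination. The est/acc helpers and the audit function are my own names.

```python
# Added example (not from the original wiki page): offline consistency audit of the
# zone policy, rule sets and DNAT rules transcribed from the notes above.
def est():  # rule 1 of every rule set: accept replies to established flows
    return {"action": "accept", "state": "established"}
def acc(dest, port, proto="tcp", src=None):
    return {"action": "accept", "destination": dest, "port": str(port),
            "protocol": proto, "source": src}

ZONES = {  # zone -> (interface, {from_zone: rule set applied to that traffic})
    "WAN": ("eth0", {"DMZ": "DMZ-2-WAN", "LAN": "LAN-2-WAN"}),
    "DMZ": ("eth1", {"LAN": "LAN-2-DMZ", "WAN": "WAN-2-DMZ"}),
    "LAN": ("eth2", {"DMZ": "DMZ-2-LAN", "WAN": "WAN-2-LAN"}),
}
RULESETS = {  # name -> (default-action, rules)
    "DMZ-2-LAN": ("drop", [est(), acc("172.16.200.10", "1514-1515")]),
    "DMZ-2-WAN": ("drop", [est()]),
    "LAN-2-DMZ": ("drop", [est(), acc("172.16.50.3", 80),
                           acc("172.16.50.0/29", 22, src="172.16.150.10")]),
    "LAN-2-WAN": ("drop", [est()]),
    "WAN-2-DMZ": ("drop", [est(), acc("172.16.50.3", 80), acc("172.16.50.4", 22)]),
    "WAN-2-LAN": ("drop", [est()]),
}
DNAT = [  # (inbound interface, dest port, protocol, translation address, port)
    ("eth0", 80, "tcp", "172.16.50.3", 80),
    ("eth0", 22, "tcp", "172.16.50.4", 22),
]

def port_matches(spec, port):
    lo, _, hi = spec.partition("-")  # spec is "80" or a range like "1514-1515"
    return int(lo) <= port <= int(hi or lo)

def audit(zones=ZONES, rulesets=RULESETS, dnat=DNAT):
    """Return a list of findings; an empty list means the policy is consistent."""
    findings = []
    for zone, (_iface, froms) in zones.items():
        for other in [z for z in zones if z != zone]:
            if froms.get(other) not in rulesets:
                findings.append(f"zone {zone}: traffic from {other} has no defined rule set")
    for name, (default, rules) in rulesets.items():
        if default != "drop":
            findings.append(f"{name}: default-action is {default}, not drop")
        if not any(r.get("state") == "established" for r in rules):
            findings.append(f"{name}: no established-state rule, return traffic is dropped")
    # zone firewalls see the post-DNAT destination, so each forward also needs a WAN->DMZ accept
    wan2dmz = rulesets.get(zones["DMZ"][1].get("WAN"), ("drop", []))[1]
    for _iface, _dport, proto, addr, tport in dnat:
        if not any(r.get("destination") == addr and r.get("protocol") == proto
                   and port_matches(r.get("port", "0"), tport) for r in wan2dmz):
            findings.append(f"DNAT to {addr}:{tport}/{proto} has no WAN-2-DMZ accept rule")
    return findings
```

Run it after editing the transcription to mirror your own config; a DNAT rule without a matching accept, or a zone pair without a rule set, shows up as a finding before you commit.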

NGINX

  • IP: 172.16.50.3
  • GATEWAY: 172.16.50.2
  • SUBNET: 255.255.255.0
  • DNS: 172.16.50.2

[image: Netplan example]

Example of a Netplan setup if necessary.

USERNAME/HOSTNAME etc.

sudo adduser david
sudo usermod -aG sudo david
sudo hostnamectl set-hostname nginx-david

NGINX

sudo apt install nginx -y

cd /var/www/html
sudo vim index.html          # /var/www/html is owned by root, so sudo is needed to edit it

davids custom page           # replace the default page body with your own content
:wq


sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status nginx

DHCP

sudo apt install isc-dhcp-server -y

# back up the stock config before editing it
sudo cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup

sudo vim /etc/dhcp/dhcpd.conf

subnet 172.16.150.0 netmask 255.255.255.0 {
    option routers 172.16.150.2;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 172.16.150.2;
    range 172.16.150.100 172.16.150.150;
    default-lease-time 3600;
    max-lease-time 14400;
}

# On Ubuntu the unit is isc-dhcp-server (not dhcpd); it only serves the interfaces
# named in INTERFACESv4 in /etc/default/isc-dhcp-server
sudo systemctl enable isc-dhcp-server
sudo systemctl start isc-dhcp-server
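An added example, not from the wiki, that parses the subnet block above and checks it before the service is started: the range and options must lie inside the declared subnet, the dynamic range must not overlap the static LAN addresses taken from the firewall notes (edge01 eth2 at .2 and mgmt01 at .10, assumed here to be the only ones), and the lease times must be ordered.

```python
import ipaddress
import re

# Constructed copy of the subnet block above; static LAN addresses are taken from
# the firewall notes (edge01 eth2 at .2, mgmt01 at .10).
DHCPD_CONF = """\
subnet 172.16.150.0 netmask 255.255.255.0 {
    option routers 172.16.150.2;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 172.16.150.2;
    range 172.16.150.100 172.16.150.150;
    default-lease-time 3600;
    max-lease-time 14400;
}
"""
STATIC_LAN_HOSTS = {"edge01 eth2": "172.16.150.2", "mgmt01": "172.16.150.10"}

def parse_subnet(conf):
    """Return the subnet, options, range and lease times of the first subnet block."""
    m = re.search(r"subnet (\S+) netmask (\S+) \{(.*?)\}", conf, re.S)
    if not m:
        raise ValueError("no subnet block found")
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    body = m.group(3)
    rng = re.search(r"range (\S+) (\S+);", body)
    return {"subnet": net,
            "options": dict(re.findall(r"option ([\w-]+) ([^;]+);", body)),
            "range": tuple(ipaddress.ip_address(a) for a in rng.groups()),
            "leases": {k: int(v) for k, v in re.findall(r"(default|max)-lease-time (\d+);", body)}}

def check(conf, static_hosts=STATIC_LAN_HOSTS):
    """Return a list of problems; an empty list means the block is consistent."""
    cfg = parse_subnet(conf)
    net, (lo, hi), opts = cfg["subnet"], cfg["range"], cfg["options"]
    problems = []
    if lo > hi:
        problems.append("range start is after range end")
    if lo not in net or hi not in net:
        problems.append("range lies outside the declared subnet")
    for key in ("routers", "domain-name-servers"):
        for addr in opts.get(key, "").replace(",", " ").split():
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"option {key} {addr} is outside the declared subnet")
    if opts.get("subnet-mask") != str(net.netmask):
        problems.append("option subnet-mask disagrees with the declared netmask")
    for name, addr in static_hosts.items():
        if lo <= ipaddress.ip_address(addr) <= hi:
            problems.append(f"static host {name} ({addr}) sits inside the dynamic range")
    if cfg["leases"].get("default", 0) > cfg["leases"].get("max", 0):
        problems.append("default-lease-time exceeds max-lease-time")
    return problems
```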

BACKUP

show configuration commands | grep -v "syslog global\|ntp\|login\|console\|config\|hw-id\|loopback\|conntrack"

Requirements

All Linux systems should have a named sudo or administrator user.

  • useradd [user]

  • passwd [user]

  • usermod -aG sudo [user] (Ubuntu) or usermod -aG wheel [user] (CentOS)


Hints

You do not need to work serially through this assessment, it is the end result that matters. If you are waiting for a reboot on traveler, then start configuring your other servers.

Get all communications working BEFORE creating zones and locking down the firewalls. It's terribly difficult to debug both services and network firewalls at the same time.

Make sure to link your firewalls to the appropriate From and To zones.

Make sure you have the correct netmask on all Linux systems.

Use the --permanent flag for CentOS firewalld configuration changes, and reload firewalld after each change.

Restart any service if you touch a configuration file (network, nginx, rsyslog, etc…).

Make sure you include the appropriate vSphere label on all deliverables where your name is not obvious in the console.

Check every VM's network settings to make sure they are on the correct segment.

Don't forget to look at /var/log/messages to debug firewall issues.

Do not try to use the default gateway address 10.0.17.2 as your WAN interface IP address as this will cause problems for other students and might be embarrassing.
