COIT13146 - System and Network Administration
Week 07 - Firewall
This week, we look at the types of security threats, the common security problems faced by a system administrator and the measures that we need to take to counter security threats.
NOTE: This week we begin using tools that, if used inappropriately, could put us in breach of network policy and procedures. We must only perform network scans etc. on networks that we have full permission to do so on. It is recommended that all scans etc. should only be performed on our own private networks. The University accepts no responsibility for students who use tools inappropriately or without full consent of the network owner or operator.
Summary
Software we need to install
* John the Ripper - "a tool to find weak passwords of your users".
Chapters we need to read
* 22 - Security
Tasks
Readings
Read the recommended chapter before attempting the assessment items.
IptablesHowTo - (help.ubuntu.com/community/IptablesHowTo) - "if you want to do a few basic things". This may help when it comes to developing iptable rules.
We will be installing Snort and OSSEC in later chapters, so we need to know and understand their purpose. Installation procedures will be provided - some differ from those provided in the textbook.
Assessment
1. Perform a complete update of your systems software. Submit a list of any updates that occur.
2. Submit the output of the "chage" list command for your username - explain the details shown in the listing and highlight any obvious problems with the default password aging configuration.
3. Run an "nmap -sT" scan of your server, from your server. Run an "nmap" scan of your host computer (i.e. the one running VirtualBox). You will have to find its IP address first. You may have to use "nmap -PN". Try "-sT" first and read the response; nmap will often suggest alternative scan settings. Submit the nmap scans of both your server and host computer and describe the nmap flags used and each service detected.
4. Run an "nmap -sV -O" scan of your host computer, from your server. Submit and summarise the output. [Note: This scan can take a little while to complete.]
5. Install "John the Ripper" (john). Before running it, login to your system as kellye (the user created earlier - the password used was "bushr@ng3r") and change the password to "password" and logout. Now run "john" against your /etc/shadow file. Report the results including how long it took. Change kellye's password to "computer" and run "john" again. Report the results including how long it took. Now change kellye's password back to "bushr@ng3r" - if you've got lots of spare time on your computer you could try "john" again, but don't expect a speedy result...
6. Create a gateway server that has two NICs - one using a "Bridged Adapter" connected externally to the Internet configured to use DHCP, the other using an "Internal Network" adapter configured manually. Create an internal server with one NIC using an "Internal Network" adapter. Make sure the Internal Network for both has the same name in VirtualBox. Configure the system so all of the internal traffic goes via the gateway. Refer to the "Making a Gateway" document for help. Provide output that shows the internal server accessing the Internet through the gateway server (traceroute). Include a well labelled diagram of your network.
7. Note that a complete working firewall configuration file can be found at the end of this document - you will need to make adjustments/changes to match your configuration.
a) Extend the firewall rules to allow HTTP and SSH connections to go directly to an internal server (userv1) through the gateway server. Limit all other incoming traffic. Test your configuration by accessing the default lighttpd server page running on the internal server and connect to the internal server, through the gateway, using PuTTY. Submit your firewall rules/script. Provide 'proof' that it works with screen dumps of your Web and SSH access. Ensure you are connecting to the internal server, not the gateway, by checking the IP address in the PuTTY session and the default lighttpd PHP page display that includes the variable '_SERVER["SERVER_ADDR"]'.
b) Allow an SSH connection to the gateway server from the inside only - test it by logging into the internal server (from outside), and then, from the internal server, login to the gateway (using ssh). Once logged into the gateway, you should not be able to ping/access any external or internal hosts - try pinging the internal server and cqu.edu.au. Submit a screen dump showing the results.
c) Also enable loopback on the gateway, and the ability to ping the gateway from the internal network only. Submit a screen dump showing the successful ping.
d) No restrictions on outgoing traffic should be applied - test using elinks from your internal server to www.cqu.edu.au. Submit a screen dump of elinks.
e) Enable logging of attempts that are rejected by the firewall - provide a sample of the log.
f) Use nmap to 'attack' the gateway and show that only the required ports are available - submit your 'attack' output from nmap with a brief description of what it is showing.
Notes:
* Submit all answers etc. as a single Word document zipped up as week07.zip.
Sample Firewall ruleset:
#!/bin/sh
#
# FILE: startfw
#
# PURPOSE: Clear and set NAT, port forward and firewall iptables rules.
#
# AUTHOR: Myles Greber
# DATE: 23-02-2012
# VERSION: 0.2
#
# USAGE: startfw
#
# MODIFIED: 23-02-2012
# Renamed script startfw from buildfw. Added configurable
# gateway IP address variable ${GATEWAY_IP}.
#
# NOTES: This script assumes the following configuration:
# gateway:
# eth0 - ${GATEWAY_IP} - external (dhcp) - defined below.
# eth1 - 192.168.12.254 - internal (static)
# internal server:
# eth0 - 192.168.12.1 (static)
#
################################################################################
# Configurable gateway IP address.
GATEWAY_IP=192.168.1.10
# Flush all iptables rules from the packet matching tables.
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F
# Reset the built-in chain policies to accept all traffic.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Drop all packets coming in to and forwarded by the gateway.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Allow all connections through the firewall that originate from within.
iptables -A FORWARD -i eth1 -p ALL -j ACCEPT
# Allow incoming responses to internal host requests.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable NAT on outgoing interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ${GATEWAY_IP}
# Allow ssh (22), http (80) and https (443) connections through to the internal server (userv1).
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 443 -j ACCEPT
# Allow ssh (22), http (80) and https (443) connections through NAT (port forward) to internal server (userv1).
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${GATEWAY_IP} --dport 22 -j DNAT --to 192.168.12.1:22
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${GATEWAY_IP} --dport 80 -j DNAT --to 192.168.12.1:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${GATEWAY_IP} --dport 443 -j DNAT --to 192.168.12.1:443
# Allow ssh (22) connections to the gateway from the internal network.
iptables -A INPUT -i eth1 -d 192.168.12.254 -p tcp --dport 22 -j ACCEPT
# Allow loopback on the gateway.
iptables -A INPUT -i lo -d 127.0.0.1 -p ALL -j ACCEPT
# Allow gateway to be ping'd from within.
iptables -A INPUT -i eth1 -d 192.168.12.254 -p icmp --icmp-type 8 -j ACCEPT
# Allow SSH connections to the external IP address of the gateway for testing.
#iptables -A INPUT -i eth0 -d ${GATEWAY_IP} -p tcp --dport 22 -j ACCEPT
# Enable logging. A packet only reaches these rules if it matched none of the
# ACCEPT rules above, so it is logged here and then dropped by the chain's
# DROP policy. Only traffic arriving on the external interface is logged.
iptables -A INPUT -i eth0 -j LOG
iptables -A FORWARD -i eth0 -j LOG
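Tasks 7e and 7f ask for a sample of the rejected-attempt log and a description of what the nmap run shows. The following is an added example, not part of the course material or the script above: a small Python parser for the syslog lines the two LOG rules produce (the script sets no --log-prefix, so the empty OUT= field is what tells an INPUT-chain entry from a FORWARD-chain entry) that summarises rejected packets per source and flags sources that probe several ports, which is how the 7f scan appears from the gateway's side. The log lines, addresses and MACs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed syslog lines as the script's two LOG rules (INPUT -i eth0 and
# FORWARD -i eth0, no --log-prefix) would write them. Addresses, MACs and
# timestamps are made up for illustration.
SAMPLE_LOG = """\
Feb 23 10:01:02 gateway kernel: [ 842.101] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4001 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 23 10:01:02 gateway kernel: [ 842.102] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4002 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 23 10:01:02 gateway kernel: [ 842.103] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4003 DF PROTO=TCP SPT=40002 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 23 10:01:03 gateway kernel: [ 843.001] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4004 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Feb 23 10:02:10 gateway sshd[1510]: Accepted password for kellye from 192.168.12.1 port 51234 ssh2
Feb 23 10:03:30 gateway kernel: [ 990.500] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:11:22:33:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=UDP SPT=1040 DPT=161 LEN=58
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """KEY=VALUE fields of one netfilter LOG line as a dict; None for any
    other syslog line (sshd, cron, ...)."""
    if " IN=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    # TCP flags (SYN, ACK, ...) are bare words, not KEY=VALUE pairs.
    fields["SYN"] = re.search(r"\bSYN\b", line) is not None
    # Only INPUT and FORWARD log in this ruleset, so an empty OUT= means the
    # packet was addressed to the gateway itself (INPUT chain).
    fields["chain"] = "FORWARD" if fields.get("OUT") else "INPUT"
    return fields


def summarise(log_text, scan_threshold=3):
    """Per source address: packet count, distinct (protocol, port) pairs and
    a flag for sources probing >= scan_threshold ports (an nmap-style sweep)."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        per_src[f["SRC"]]["packets"] += 1
        if "DPT" in f:  # ICMP entries carry TYPE/CODE instead of a port
            per_src[f["SRC"]]["ports"].add((f["PROTO"], int(f["DPT"])))
    return {src: {"packets": e["packets"], "ports": sorted(e["ports"]),
                  "suspected_scan": len(e["ports"]) >= scan_threshold}
            for src, e in per_src.items()}
```

Run summarise() over the kernel lines from /var/log/syslog (or kern.log) on the gateway; a source listed with many distinct ports and suspected_scan set is what the task 7f scan looks like in the task 7e log.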