We will spend considerable time both implementing security controls and the means to monitor these controls. An understanding of logging and logging architecture is critical for continuous monitoring. We will start with traditional syslog servers and later we will leverage host based agents to report events of interest.
Set up mgmt01
mgmt01 is an xubuntu system that will be used to simplify remote management, giving you the ability to copy paste to your internal systems to include vyos.
Copy the correct code into the terminal of the remote host
it will ask you for a pin
It will show up in your remote access options
Deliverable 1. Using a chrome remote desktop session on mgmt01, ssh into your log01's named user account similar to the screenshot below. (Note, the session below uses ssh key authentication which you are welcome to configure). Provide a screenshot that shows your CRD session as well as your SSH login.
Make sure you are logged out of your host machine before attempting to connect via remote desktop. If you aren't the application will just keep ending the session.
run ssh-keygen
ssh-copy-id hanne@172.16.50.5
ssh hanne@172.16.40.5
Log01 - Log Organization
Having all of our remote logs stuffed into log01's /var/log/messages or /var/log/secure is not helpful. Remote logs should be segregated and ideally stored on reliable and redundant storage in a manner that supports dealing with discrete event types. We are going to store logs in a directory hierarchy in order to provide this organization.
Go back to the main /etc/rsyslog.conf on log01 and Make a custom "drop in" configuration file for sec350
Comment out the highlight parts below
Custom rsyslog drop in file
We are going to wget the code below into our log01 machine
This configuration file (03-sec350.conf) will dynamically create and name files based upon hostname, date and process name. Input over udp 514 is associated with the RemoteDevice ruleset which in turn uses the dynamic template configuration called “DynFile”.
Restart rsyslog and test
TROUBLESHOOTING: Web01 on the wrong network
After I added the drop in file, and ran the specified commands, the remote-syslog file wasn't being created.
I wasn't able to ping log from web or web from log. I did find that log was configured to the wrong subnet. I put it as /16 instead of /29, so that was a good catch, but wasn't the issue. I eventually looked back at the network diagram and realized I had placed web on LAN instead of DMZ and that solved my issue.
On Log01 systemctl restart rsyslog
On web01 type logger -t SEC350 Testing web01-log01 custom rsyslog configuration
On log01 ls --color -lR /var/log/remore-syslog/
you will see the web01 hostname appear in blue!
The red underlined is the file name that we specified in the drop-in folder
Modify the rsyslog client configuration on web01 so that authentication events are forwarded to our log server.
Go to web01
sudo nano /etc/rsyslog.d/sec350.conf
Input authpriv.*@172.16.50.5
Rw01 --> SSH --> web01
SSH into web01 from rw01, make sure you type the wrong password at least once, if you've enabled keybased authentication, passwords aren't really an issue so use an invalid user instead.
Deliverable 3. Login to log01 via mgmt01, Take a screenshot showing the failed login from your mgmt01 linux system.
ssh hanne@172.16.50.5
make sure to fail password attempt at least once!
sudo -i
cd /var/log/remote-syslog/web01-hanne/
cat 2025.02.03.sshd.log
You should be able to see the password fails!
Fw01: Logging Authorized Events
Change Vyos password
We are going to adjust the vyos configuration to send authentication messages from fw01 to log01. Note, VYOS does produce a ton of useless authentication message.
Go to mgmt and try to ssh to fw01 with invalid user (I chose steve)
Deliverable 4. Submit a screenshot showing the tree structure of log01 /var/log/remote-syslog directory as well as the contents of a failed login message from fw01.
TROUBLESHOOTING: Install the Tree command
I got an error indicating that YUM is not capable of accessing the base repository that it uses to find package information. The reason for this error message is that CentOS is depreciated and mirrors such as mirrorlist.centos.org are no longer being mainted or updated.
As a fix we go to sudo nano /etc/yum.repos.d/CentOS-Base.repo
Uncomment all lines that have http://mirrorlist.centos.org or http://mirror.centos.org
replace those lines with http://vault.centos.org
Delete the double == in front of any http
sudo yum update
Sudo yum install tree
The reason why replace the first url with the vault url works is because vault is an archive that stores older versions of CentOS and their packages after EOL. By replacing the URLs your telling yum to stop looking for active mirros and start pulling from the static archieve where CentOS 7 content is stored.
network:
version: 2
renderer: networkd
ethernets:
ens160: (make sure you change this)
addresses:
- 172.16.150.10/24 (this should be your IP address)
routes:
- to: default
via: 172.16.150.2 (this is your default gateway)
configure
//adds description to rule with ID of 20, the purpose will be translating traffic from the DMZ netowkr to the WAN interface
set nat source rule 20 description "NAT FROM LAN TO WAN"
//indicates that traffic leaving through interface eth0 will be affected by the rule
set nat source rule 20 outbound-interface eth0
//matches traffic originating from the 172.15.150.0/24 subnet (DMZ network)
set nat source rule 20 source address 172.16.150.0/24
//Masquerade dynamically translates the source IP address of traffic to the IP address assigned to the eth0 interface
set nat source rule 20 translation address masquerade
commit
save
configure
set service dns forwarding listen-address 172.16.150.2
set service dns forwarding allow-from 172.16.150.0/24
set service dns forwarding system
commit
save
