Lab 2.2: Syslog Organization on log01

We will spend considerable time both implementing security controls and the means to monitor these controls. An understanding of logging and logging architecture is critical for continuous monitoring. We will start with traditional syslog servers and later we will leverage host based agents to report events of interest.

Set up mgmt01

mgmt01 is an Xubuntu system that will be used to simplify remote management, giving you the ability to copy and paste into your internal systems, including VyOS.

Put mgmt01 on the LAN

Change default password

  • passwd

Make new user (hanne)

  • sudo adduser hanne

  • sudo usermod -aG sudo hanne

set system hostname mgmt01-hanne

  • sudo hostnamectl set-hostname mgmt01-hanne

Assign IP address (LAN/24 ---> 172.16.150.10)

  • sudo nano /etc/netplan/99_config.yaml (netplan only reads files whose name ends in .yaml)

  • Input the configuration below, substituting your own interface name, address and gateway:

network:
  version: 2
  renderer: networkd
  ethernets:
    ens160:                     # your interface name; check it with ip link
      addresses:
        - 172.16.150.10/24      # your LAN address
      routes:
        - to: default
          via: 172.16.150.2     # your default gateway (fw01's LAN address)

  • sudo netplan apply (sudo netplan try applies the change and reverts it automatically if you do not confirm, which is safer over a remote session)

  • ip a and ip route to check the configuration

Configure NAT from LAN to WAN on fw01

configure
//adds a description to the rule with ID 20; its purpose is translating traffic from the LAN network to the WAN interface
set nat source rule 20 description "NAT FROM LAN TO WAN"

//indicates that traffic leaving through interface eth0 (WAN) will be affected by the rule
set nat source rule 20 outbound-interface eth0

//matches traffic originating from the 172.16.150.0/24 subnet (LAN network)
set nat source rule 20 source address 172.16.150.0/24

//masquerade dynamically translates the source IP address of matching traffic to the IP address assigned to eth0
set nat source rule 20 translation address masquerade

commit
save

Configure DNS forwarding on fw01

configure
//listen for DNS queries on fw01's LAN address
set service dns forwarding listen-address 172.16.150.2
//only answer queries from the LAN, so fw01 does not become an open resolver
set service dns forwarding allow-from 172.16.150.0/24
//forward queries to the name servers fw01 itself is configured with
set service dns forwarding system
commit
save

Install Chrome Remote Desktop on mgmt01

Deliverable 1. Using a Chrome Remote Desktop session on mgmt01, ssh into your named user account on log01 similar to the screenshot below. (Note, the session below uses ssh key authentication, which you are welcome to configure.) Provide a screenshot that shows your CRD session as well as your SSH login.

  • On mgmt01, as hanne, run ssh-keygen

  • ssh-copy-id hanne@172.16.50.5 (installs your public key in ~/.ssh/authorized_keys on log01; you are prompted for the password one last time)

  • ssh hanne@172.16.50.5

Log01 - Log Organization

Having all of our remote logs stuffed into log01's /var/log/messages or /var/log/secure is not helpful. Remote logs should be segregated and ideally stored on reliable and redundant storage in a manner that supports dealing with discrete event types. We are going to store logs in a directory hierarchy in order to provide this organization.

Go back to the main /etc/rsyslog.conf on log01 and make a custom "drop-in" configuration file for sec350

  • Comment out the highlighted parts of /etc/rsyslog.conf. If the main file already has a module(load="imudp") line or a UDP 514 input, those are the lines to comment out: rsyslog refuses to load the same module twice, and the drop-in file below loads imudp and binds port 514 itself.

Custom rsyslog drop-in file

We are going to wget the file below (03-sec350.conf) onto our log01 machine

module(load="imudp")
input(type="imudp" port="514" ruleset="RemoteDevice")
template(name="DynFile" type="string"
	string="/var/log/remote-syslog/%HOSTNAME%/%$YEAR%.%$MONTH%.%$DAY%.%PROGRAMNAME%.log"
)
ruleset(name="RemoteDevice"){
	action(type="omfile" dynaFile="DynFile")
}
  • cd /etc/rsyslog.d

  • wget https://raw.githubusercontent.com/gmcyber/sec350-share/main/03-sec350.conf

This configuration file (03-sec350.conf) will dynamically create and name files based upon hostname, date and process name. Input over UDP 514 is associated with the RemoteDevice ruleset, which in turn writes through the dynamic file template called "DynFile". Two things to keep in mind: $YEAR, $MONTH and $DAY are rsyslog system properties, so the date in the file name is log01's clock at the time the message is processed, not the sender's timestamp; and %HOSTNAME% is taken from the unauthenticated syslog header, so any host that can reach UDP 514 on log01 can create directories under /var/log/remote-syslog with whatever name it likes. Restrict who can reach that port at fw01 or with a host firewall on log01.
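The following is an added example, not code from the lab or from rsyslog: it parses RFC 3164 datagrams the way rsyslog does on the UDP 514 input, decodes the PRI field into the facility and severity that the authpriv.* selector on web01 and the VyOS "facility authpriv level info" setting operate on, and computes the file that the DynFile template above would write each message to. The sample datagrams, the fw01-hanne hostname and the addresses are constructed for the example.

```python
import re
from datetime import date

# Facility and severity tables (RFC 5424 numbering) used to decode <PRI>.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# "Mmm dd HH:MM:SS hostname tag[pid]: message" (pid optional)
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Constructed sample datagrams (not captured from the lab): sshd on web01 and
# fw01 forwarding via authpriv, and the logger -t SEC350 test (user.notice).
SAMPLES = [
    "<86>Feb  3 14:02:11 web01-hanne sshd[1234]: Failed password for invalid user steve from 172.16.200.10 port 51022 ssh2",
    "<85>Feb  3 14:05:01 fw01-hanne sshd[777]: Invalid user steve from 172.16.150.10 port 40100",
    "<13>Feb  3 14:03:00 web01-hanne SEC350: Testing web01-log01 custom rsyslog configuration",
]
LAB_DATE = date(2025, 2, 3)  # assumed processing date on log01


def parse_syslog(datagram: str) -> dict:
    """Split a datagram into the rsyslog properties the DynFile template uses."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    if facility >= len(FACILITIES):
        raise ValueError("facility out of range")
    h = HEADER_RE.match(datagram[m.end():])
    if not h:
        raise ValueError("not an RFC 3164 header")
    return {
        "facility": FACILITIES[facility],
        "severity": severity,                 # numeric: 0 = emerg ... 7 = debug
        "severity_name": SEVERITIES[severity],
        "hostname": h["host"],                # %HOSTNAME%: from the header, unauthenticated
        "programname": h["tag"],              # %PROGRAMNAME%: syslogtag up to '[' or ':'
        "pid": h["pid"],
        "msg": h["msg"],
    }


def dynfile_path(props: dict, processed_on: date) -> str:
    """Path the DynFile template yields. $YEAR/$MONTH/$DAY are rsyslog system
    properties, i.e. log01's clock when the message is processed."""
    return (f"/var/log/remote-syslog/{props['hostname']}/"
            f"{processed_on:%Y.%m.%d}.{props['programname']}.log")


def selector_matches(props: dict, facility: str, level: str = "*") -> bool:
    """Emulate a classic selector such as authpriv.* (web01) or the VyOS
    'facility authpriv level info': a level matches itself and anything more severe."""
    if props["facility"] != facility:
        return False
    return level == "*" or props["severity"] <= SEVERITIES.index(level)


if __name__ == "__main__":
    for d in SAMPLES:
        p = parse_syslog(d)
        sel = "forwarded" if selector_matches(p, "authpriv", "info") else "dropped by authpriv.info"
        print(f"{p['facility']}.{p['severity_name']:<7} {sel:<24} -> {dynfile_path(p, LAB_DATE)}")
```

Run it and the first two samples map to the sshd.log file under their host's directory, while the logger test lands in SEC350.log because the tag, not the facility, names the file; only the authpriv messages would pass a selector of authpriv.info, which is why the SEC350 test message needs the broader forwarding rule web01 already has.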

Restart rsyslog and test

  • On log01: sudo systemctl restart rsyslog (if it fails to start, sudo systemctl status rsyslog shows why; a duplicate imudp load left in the main file is the usual cause)

  • On web01: logger -t SEC350 "Testing web01-log01 custom rsyslog configuration" (this assumes web01 already forwards its syslog to log01)

  • On log01: ls --color -lR /var/log/remote-syslog/

    • the web01 hostname appears in blue (it is a directory)

    • the file inside it carries the name the DynFile template in the drop-in file specified: date and program name (the -t tag you gave logger)

  • sudo cat /var/log/remote-syslog/web01-hanne/2025.02.03.SEC350.log

Web01: Logging Authentication Events

Modify the rsyslog client configuration on web01 so that authentication events are forwarded to our log server.

  • Go to web01

  • sudo nano /etc/rsyslog.d/sec350.conf

    • Input authpriv.* @172.16.50.5 (selector and action are separated by whitespace; a single @ forwards over UDP, which is what the imudp input on log01 listens on, while @@ would use TCP)

  • sudo systemctl restart rsyslog

Rw01 --> SSH --> web01

SSH into web01 from rw01 and make sure you type the wrong password at least once. If you have enabled key-based authentication, passwords are not really an issue, so use an invalid user instead.

Deliverable 3. Log in to log01 via mgmt01 and take a screenshot showing the failed login, from your mgmt01 Linux system.

  • ssh hanne@172.16.50.5

    • make sure to fail the password attempt at least once!

  • sudo -i

  • cd /var/log/remote-syslog/web01-hanne/

  • cat 2025.02.03.sshd.log

  • You should be able to see the password failures (for an invalid user, sshd also logs an "Invalid user" line before the failure).

Fw01: Logging Authentication Events

Change the VyOS password

configure
set system login user vyos authentication plaintext-password newpassword
commit
save

//default user on VyOS is vyos; the plaintext-password is hashed on commit, so the saved configuration holds an encrypted-password rather than the string you typed

We are going to adjust the VyOS configuration to send authentication messages from fw01 to log01. Note, VyOS does produce a ton of useless authentication messages.

configure
set system syslog host 172.16.50.5 facility authpriv level info
commit
save

//VyOS sends to UDP port 514 by default, which matches the imudp input in the log01 drop-in file

  • Go to mgmt01 and try to ssh to fw01 with an invalid user (I chose steve)

Deliverable 4. Submit a screenshot showing the tree structure of log01's /var/log/remote-syslog directory as well as the contents of a failed login message from fw01.

  • sudo tree /var/log/remote-syslog (install the tree package if it is missing)

  • sudo cat /var/log/remote-syslog/<fw01 hostname>/<date>.sshd.log

Run of tree command and cat of sshd log showing failed ssh login attempts
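Deliverables 3 and 4 both end with you eyeballing an sshd.log file for failed logins. The following is an added example, not part of the lab, that does that check programmatically over the per-host files the DynFile template produces: it counts failed passwords per source address, separates invalid-user guesses from failures against real accounts, and flags a source that eventually succeeds after failing, which is the pattern a brute-force success leaves. The log lines are constructed in rsyslog's default file format and the fw01-hanne hostname, addresses and the threshold of 3 are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not captured from the lab) in rsyslog's default
# file format, as written to /var/log/remote-syslog/web01-hanne/2025.02.03.sshd.log
# and /var/log/remote-syslog/fw01-hanne/2025.02.03.sshd.log.
WEB01_SSHD_LOG = """\
Feb  3 14:02:09 web01-hanne sshd[1234]: Invalid user steve from 172.16.200.10 port 51022
Feb  3 14:02:11 web01-hanne sshd[1234]: Failed password for invalid user steve from 172.16.200.10 port 51022 ssh2
Feb  3 14:02:15 web01-hanne sshd[1240]: Failed password for hanne from 172.16.200.10 port 51030 ssh2
Feb  3 14:02:18 web01-hanne sshd[1240]: Accepted password for hanne from 172.16.200.10 port 51030 ssh2
"""
FW01_SSHD_LOG = """\
Feb  3 14:05:01 fw01-hanne sshd[777]: Invalid user steve from 172.16.150.10 port 40100
Feb  3 14:05:03 fw01-hanne sshd[777]: Failed password for invalid user steve from 172.16.150.10 port 40100 ssh2
Feb  3 14:05:04 fw01-hanne sshd[777]: Failed password for invalid user steve from 172.16.150.10 port 40100 ssh2
Feb  3 14:05:05 fw01-hanne sshd[777]: Failed password for invalid user steve from 172.16.150.10 port 40100 ssh2
"""

# OpenSSH's own wording for the two events we care about.
FAILED_RE = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")


def scan_sshd_log(text: str) -> dict:
    """Summarise one host's sshd.log: failures per source, which users were
    guessed, and sources that logged in successfully after failing."""
    failures = Counter()
    invalid_users = defaultdict(set)   # guesses for accounts that do not exist
    valid_users = defaultdict(set)     # failures against real accounts
    succeeded_after_failure = set()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            invalid, user, src = m.groups()
            failures[src] += 1
            (invalid_users if invalid else valid_users)[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)]:   # Counter returns 0 for unseen sources
            succeeded_after_failure.add(m.group(2))
    return {
        "failures": failures,
        "invalid_users": dict(invalid_users),
        "valid_users": dict(valid_users),
        "succeeded_after_failure": succeeded_after_failure,
    }


def flag_sources(summary: dict, threshold: int = 3) -> list:
    """Sources worth a closer look: at or above the failure threshold, or any
    source that succeeded after failing regardless of count."""
    return sorted(
        src for src, n in summary["failures"].items()
        if n >= threshold or src in summary["succeeded_after_failure"]
    )


if __name__ == "__main__":
    for host, text in (("web01-hanne", WEB01_SSHD_LOG), ("fw01-hanne", FW01_SSHD_LOG)):
        s = scan_sshd_log(text)
        print(host, dict(s["failures"]), "flagged:", flag_sources(s))
```

On the sample data the fw01 file flags 172.16.150.10 on count alone, while the web01 file flags 172.16.200.10 with only two failures because the same source then logged in as hanne; a threshold-only rule would have missed that.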
