Assignment 3: Firewalls

Page history last edited by Patrick 1 week, 2 days ago

Overview

Your task is to create a set of firewall rules in Linux that implements specific access policies (described below).

 

Deliverables

  • A zip file (first.last.3.zip) that includes:
    • A firewall rule set in text format
    • Your log file (Actual file not a screenshot)
    • Screenshot of the results from iptables --list (Actual screenshot)
  • A 1/2 page management summary back to Avenal, written in non-technical language, that provides an overview of what you were asked to do and what you did.

 

Scenario

Mr. Avenal was very pleased with your work conducting the network traffic analysis for the Reynholm subsidiary. After further review of the alarming activity that occurred over FTP and Telnet, the attempted exploit of the web server, and the suspect SSH traffic, Mr. Avenal, on the recommendation of Mr. Trenneman and Mr. Moss of Reynholm's IT division, would like to implement a new firewall policy that restricts access to these services. The policy is to be delivered as a shell script that can be used to deploy it at both organizations.

 

Tasks

To test your rules, you will need three source computers. You can set this up in a few ways, but two of your options are:

  1. Use/create three VMs: an Ubuntu server and two desktop Linux installations. These will be referred to as Ubuntu and Mint, but you can use two of either.
    1. Video Here
    2. Update: No need to mess with the Virtual Network Editor. The VMs can remain on NAT as long as they are all on the same subnet.
  2. Use/create two VMs (Ubuntu server and another Linux), and use your host Windows/Mac as your third computer.
    1. Video Here

 

 

c) Install the appropriate services on the Server including:

 

  1. ssh server
    1. sudo aptitude install openssh-server
  2. telnet
    1. sudo aptitude install telnetd
  3. ftp
    1. sudo aptitude install vsftpd
  4. web
    1. sudo aptitude install apache2

 

If you do not have the Aptitude package manager, replace "aptitude" with "apt-get". Example: 'sudo aptitude install openssh-server' becomes 'sudo apt-get install openssh-server'.

 

d) Test that you can connect to each of the services.

 

Screenshot

Once finished with the assignment (rules are in place), I want you to run "sudo iptables --list" and take a screenshot of that terminal window. You may have to expand the window for it to include all of the rules. This is a graded deliverable and without it, you will not receive full credit for the rules.

 

Security Policy/Rules To Create

You are to create and apply a firewall rule set on your Ubuntu server and each rule should be commented.

 

Make sure to use variables for the IP addresses in your firewall. It's good practice and if I have to test one or more of your rules, I can replace the address in the variable.

 

Regardless of operating systems you choose to use, make sure you label your variables as Server, Ubuntu, and Mint appropriately as below. If those three variables are not used, you will lose some points.

 

For any packets you REJECT or DENY, those should be logged. That means you'll need to modify each such rule so that whenever it matches a packet to DENY or REJECT, an alert is written out to a log file.

 

For anything that says DENY below, I want a rule written which explicitly denies this action even if it would be covered by the default policy.

For example, #6 allows Ubuntu; Mint would be denied by the default policy anyway, but you must still write an explicit deny rule for it.

 

Your firewall should implement the following policies. The policies below are not in the order which they should be applied; put these rules in a reasonable order.

   1) Allow all loopback connections.

   2) Deny any connections from any IPs other than those on your local network

     Note: I realize the default INPUT policy effectively has this outcome, but I want a written rule for #2

   3) The firewall should be STATEFUL

   4) Allow echo-requests ONLY from computers on your network.

   5) Allow echo-replies ONLY to computers on your network.

   6) Allow ftp for the Ubuntu box ONLY (DENY Mint).

   7) DENY all telnet connections from Mint and Ubuntu.

     Note: I realize the default INPUT policy effectively has this outcome, but I want a written rule for #7 as well

   8) Allow ssh to the server for Mint box ONLY (DENY Ubuntu box).

   9) Allow web access (Apache) for the Mint box ONLY (DENY Ubuntu box).

 10) Default incoming policy should be DENY.

 11) Default outgoing policy should be ALLOW.

 12) Default forward policy should be DENY.

 13) Firewall should flush previously run rules.

 

Note that for deny rules, you will have to decide whether to use REJECT or DROP, and I want a comment justifying why you chose REJECT or DROP.
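As an added example (not the course's reference solution and not code from the page), here is one reasonable ordering of the thirteen policies as a shell script, with the LOGGING chain from the Setting Up Logging section below folded in as the target of every deny rule. The addresses, the subnet and the file name firewall.sh are assumptions to adjust to your lab; the three required variables are Server, Ubuntu and Mint. The log prefix is the one that appears in the sample log at the end of the page. By default the script only prints the rules; run it as root with --apply to install them, so you can review the ordering before touching the live firewall.

```shell
#!/bin/sh
# Example ruleset for the thirteen policies above. This is an added
# illustration, not the course's reference solution; the addresses and
# subnet are assumptions, so adjust them to your lab.
Server=192.168.10.132   # assumed address of the Ubuntu server (the firewall host)
Ubuntu=192.168.10.128   # assumed address of the Ubuntu desktop
Mint=192.168.10.129     # assumed address of the Mint desktop
LAN=192.168.10.0/24     # assumed local subnet

# Every rule is issued through $IPT. The default is a dry run that prints
# the rules; "sh firewall.sh --apply" (as root) installs them instead.
IPT="echo iptables"
if [ "${1:-}" = "--apply" ]; then
    IPT=iptables
fi

apply_rules() {
    # 13) flush old rules and delete user-defined chains first
    $IPT -F
    $IPT -X
    # 10) 11) 12) default policies: nothing enters or is forwarded unless a rule allows it
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # LOGGING chain: every deny rule jumps here, so each denied packet is
    # logged before it is discarded. DROP rather than REJECT: a silent drop
    # gives the sender no confirmation that a host or filter exists and
    # costs the server no reply traffic. --log-level 4 is "warning", which
    # matches the kern.warning selector used in the rsyslog setup.
    $IPT -N LOGGING
    $IPT -A LOGGING -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    $IPT -A LOGGING -j DROP

    # 1) loopback in both directions
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # 3) stateful: accept packets belonging to connections already allowed,
    #    placed before rule 2 so replies to the server's own outbound
    #    connections (updates, DNS) are not logged as foreign traffic
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2) explicit deny for any source outside the local network
    $IPT -A INPUT ! -s $LAN -j LOGGING
    # 4) echo-request only from the local network
    $IPT -A INPUT -p icmp --icmp-type echo-request -s $LAN -j ACCEPT
    # 5) echo-reply only to the local network; anything else is logged and dropped
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -d $LAN -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j LOGGING
    # 6) ftp (21/tcp): Ubuntu only, Mint explicitly denied
    $IPT -A INPUT -p tcp -s $Ubuntu -d $Server --dport 21 -j ACCEPT
    $IPT -A INPUT -p tcp -s $Mint -d $Server --dport 21 -j LOGGING
    # 7) telnet (23/tcp): explicitly denied for both desktops
    $IPT -A INPUT -p tcp -s $Ubuntu -d $Server --dport 23 -j LOGGING
    $IPT -A INPUT -p tcp -s $Mint -d $Server --dport 23 -j LOGGING
    # 8) ssh (22/tcp): Mint only, Ubuntu explicitly denied
    $IPT -A INPUT -p tcp -s $Mint -d $Server --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp -s $Ubuntu -d $Server --dport 22 -j LOGGING
    # 9) web (80/tcp): Mint only, Ubuntu explicitly denied
    $IPT -A INPUT -p tcp -s $Mint -d $Server --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp -s $Ubuntu -d $Server --dport 80 -j LOGGING
    # anything else inbound is logged, then dropped by the LOGGING chain
    $IPT -A INPUT -j LOGGING
}

apply_rules
```

Two design points worth noting. First, the OUTPUT chain is deliberately not sent through LOGGING as a catch-all: LOGGING ends in DROP, so appending `-A OUTPUT -j LOGGING` while the OUTPUT policy is ACCEPT would silently discard every outbound packet that no earlier OUTPUT rule accepted (DNS, package updates, the server's own replies to passive connections); only the explicit echo-reply deny goes there. Second, passive-mode FTP opens a second connection to a high port on the server, and the ESTABLISHED,RELATED rule covers it only when the kernel's FTP connection-tracking helper (nf_conntrack_ftp) is active, so keep that in mind when the Ubuntu FTP test behaves differently from what the port-21 rule suggests.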

 

Test your Rules

Set up your logging, then attempt to test the following:

  • Accessing the FTP service from Ubuntu and Mint
  • Accessing the telnet service from Ubuntu and Mint
  • Accessing the ssh service from Ubuntu and Mint
  • Accessing the Apache test page (web) from Ubuntu and Mint

 

Based on your firewall rules, some of your connections should be allowed and others denied. If logging is set up correctly, the denied packets will show up in the log as denied.

 

 

Setting Up Logging:

The rules below have been used for logging, but that doesn't mean you should use these exact rules; tailor your rules so they fit the assignment. In this instance, you want to log every rule above that has a DENY in its description.

 

Logging Video

 

Useful sites on logging with rsyslog:

http://blog.stalkr.net/2009/10/logging-iptables-messages-with-rsyslog.html

https://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/

http://www.thegeekstuff.com/2012/08/iptables-log-packets/

 

Further Setup for Logging:

Add to /etc/rsyslog.d/50-default.conf

  • kern.warning                   -/var/log/iptables.log

 

Restart rsyslog service (done every time you change the conf file)

  • sudo service rsyslog restart

 

To create iptables.log (if it doesn’t exist):

  • sudo touch /var/log/iptables.log
  • sudo chown syslog:adm /var/log/iptables.log
  • sudo chmod 640 /var/log/iptables.log

 

Add to bottom of your firewall ruleset:

  • iptables -N LOGGING
  • iptables -A INPUT -j LOGGING
  • iptables -A OUTPUT -j LOGGING
  • iptables -A LOGGING -j LOG --log-prefix "Dropped Packets: " --log-level 4
  • iptables -A LOGGING -j DROP
    • If you're having trouble, try removing the last line (the DROP line) above. It has sometimes caused problems recently which I am trying to isolate.

 

In the logs, I only want to see the entries relevant to the packets you have dropped/rejected rather than everything. You can extract just the dropped packets from iptables.log using the following (do this for every service whose packets are to be dropped):

  • grep "DPT=23" /var/log/iptables.log > ~/telnet.log
  • grep "DPT=21" /var/log/iptables.log > ~/ftp.log
  • grep "DPT=22" /var/log/iptables.log > ~/ssh.log
  • Etc (you have three examples so you'll just have to construct the command to parse out the web traffic)

 

Place all of those logs in a single file:

  • cat telnet.log ftp.log ssh.log web.log > ~/firstname.lastname.iptables.log

 

Note: Your log file should look something like the entries below:

 

Mar 13 21:11:02 U14 kernel: [47342.006375] IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:e7:ba:35:00:0c:29:a2:e8:f7:08:00 SRC=192.168.10.128 DST=192.168.10.132 LEN=60 TOS=0x00 PREC=0x00 TTL=64 DF PROTO=TCP SPT=43397 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0

Mar 13 21:11:03 U14 kernel: [47343.007019] IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:e7:ba:35:00:0c:29:a2:e8:f7:08:00 SRC=192.168.10.128 DST=192.168.10.132 LEN=60 TOS=0x00 PREC=0x00 TTL=64 DF PROTO=TCP SPT=43397 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0

Mar 13 21:11:05 U14 kernel: [47345.012606] IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:e7:ba:35:00:0c:29:a2:e8:f7:08:00 SRC=192.168.10.128 DST=192.168.10.132 LEN=60 TOS=0x00 PREC=0x00 TTL=64 DF PROTO=TCP SPT=43397 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0

Mar 13 21:11:09 U14 kernel: [47349.025218] IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:e7:ba:35:00:0c:29:a2:e8:f7:08:00 SRC=192.168.10.128 DST=192.168.10.132 LEN=60 TOS=0x00 PREC=0x00 TTL=64 DF PROTO=TCP SPT=43397 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0

 

Note that the first log entry above records a denied connection to DPT=21, which is FTP. That's what I will search for when grading your log file for each rule with a DENY. If it's not there, that means the rule was incorrect or wasn't tested.
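Before submitting, you can check your own log the same way it will be graded. The following added script (not part of the assignment) parses lines in the kernel LOG format shown above, counts drops per source and destination port, and reports which source/port pair from the DENY rules never appears, which means that rule was either wrong or never exercised. The addresses are assumptions to adjust to your lab, and the sample log is constructed.

```shell
#!/bin/sh
# Verify that every DENY rule in the policy produced at least one log line.
# Added illustration; the addresses below are assumptions.
Server=192.168.10.132
Ubuntu=192.168.10.128
Mint=192.168.10.129

# One source:port pair per DENY rule:
# 6) Mint->ftp  7) Ubuntu,Mint->telnet  8) Ubuntu->ssh  9) Ubuntu->web
DENY_PAIRS="$Mint:21 $Ubuntu:23 $Mint:23 $Ubuntu:22 $Ubuntu:80"

# Count logged drops per "SRC DPT" pair. The SRC= and DPT= fields are
# picked out by name, so their position in the line does not matter.
deny_summary() {
    awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "" && dpt != "") count[src " " dpt]++
    } END { for (k in count) print k, count[k] }' "$1" | sort
}

# Print every DENY pair with no matching log line and return how many
# are missing, so a return value of 0 means all deny rules were verified.
check_deny_coverage() {
    missing=0
    for pair in $DENY_PAIRS; do
        src=${pair%:*}
        port=${pair#*:}
        src_re=$(printf '%s' "$src" | sed 's/\./\\./g')   # literal dots in the address
        if ! grep -qE "SRC=$src_re .*DPT=$port"'( |$)' "$1"; then
            echo "no logged drop for $src -> port $port"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample log in the kernel LOG format: it holds drops for only
# two of the five DENY pairs, so the check reports three gaps.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<EOF
Mar 13 21:11:02 U14 kernel: [47342.006375] IPTables-Dropped: IN=eth0 OUT= SRC=$Mint DST=$Server LEN=60 TOS=0x00 PREC=0x00 TTL=64 DF PROTO=TCP SPT=43397 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 13 21:11:03 U14 kernel: [47343.007019] IPTables-Dropped: IN=eth0 OUT= SRC=$Mint DST=$Server LEN=60 TOS=0x00 PREC=0x00 TTL=64 DF PROTO=TCP SPT=43397 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 13 21:12:40 U14 kernel: [47440.118301] IPTables-Dropped: IN=eth0 OUT= SRC=$Ubuntu DST=$Server LEN=60 TOS=0x00 PREC=0x00 TTL=64 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
echo "drops per source and port:"
deny_summary "$SAMPLE_LOG"
check_deny_coverage "$SAMPLE_LOG" || echo "$? DENY rule(s) not yet verified in the log"
rm -f "$SAMPLE_LOG"
```

Run it against the real file with `check_deny_coverage /var/log/iptables.log` once the tests in the Test your Rules section have been performed; each line it prints names a deny rule that still needs to be exercised or fixed.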
