vCenter BROKE NON-STOP: it made it so I had to rebuild software on a VM multiple times; both Henery and I had a bug where keyboard inputs were not registered, along with multiple VM crashes and massive instability.
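# Create an administrative user on a RHEL-family host (admin group is `wheel`).
# On RHEL/Rocky/CentOS `adduser` is `useradd`: it creates the account without a
# password, so the account stays locked until `passwd` is run and the `sudo`
# step below cannot authenticate. Run these as root, interactively.
adduser sammy
passwd sammy
usermod -aG wheel sammy
# Switch to the new account and confirm privilege escalation works; `sudo` is
# typed inside the shell that `su -` opens.
su - sammy
sudo command_to_run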
# Debian/Ubuntu variant of the admin-user setup: `adduser` prompts for the
# password itself and the admin group is `sudo`, not `wheel`. Run as root.
new_admin=sammy
adduser "$new_admin"
usermod -aG sudo "$new_admin"
# Log in as the new account and verify sudo works; `sudo` is typed inside
# the shell that `su -` opens.
su - "$new_admin"
sudo command_to_run
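# Pi-hole installer. Download to a temp file instead of piping into bash:
# `-f` makes curl fail on an HTTP error rather than feeding the error page to
# the shell, a truncated download cannot execute half-way, and the script can
# be inspected before it runs (it elevates itself to root).
installer=$(mktemp) || exit 1
trap 'rm -f -- "$installer"' EXIT
curl -fsSL -o "$installer" https://install.pi-hole.net || exit 1
# (inspect "$installer" here before running it)
bash "$installer"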
Click Next through all prompts, except:
- select Cloudflare as the DNS provider
- select all block lists
- record the admin password
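# rsyslog forwarding rule for the auth facilities. Target is the log host the
# rest of these notes use (VyOS syslog host and DMZ-MGMT/LAN-MGMT rules:
# 11.1.3.10, udp/1514); the captured line had a five-octet address and a
# misspelled facility. The template is introduced with ';' and the built-in
# RFC 5424 template is RSYSLOG_SyslogProtocol23Format. A single '@' is UDP
# (unauthenticated, unencrypted); '@@' would send over TCP.
auth,authpriv.*  @11.1.3.10:1514;RSYSLOG_SyslogProtocol23Format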
# VyOS DNS forwarder for the three inside networks (DMZ, LAN, MGMT).
# allow-from restricts which client subnets may query; without it the
# forwarder answers nobody.
set service dns forwarding allow-from '11.1.1.0/24'
set service dns forwarding allow-from '11.1.2.0/24'
set service dns forwarding allow-from '11.1.3.0/24'
# Listen only on the router's own inside addresses (eth1/eth2/eth3), not WAN.
set service dns forwarding listen-address 11.1.1.2
set service dns forwarding listen-address 11.1.2.2
set service dns forwarding listen-address 11.1.3.2
# Upstream resolvers come from the system name-server setting.
set service dns forwarding system
# Remote syslog to the MGMT log host. Only the authpriv facility is sent;
# firewall log lines are kernel messages and are not covered by this line —
# add facility all (or kern) if the collector should see them — confirm.
set system syslog host 11.1.3.10 facility authpriv level info
Option 1 (assign interfaces):
- WAN  = em0
- LAN  = em2
- OPT1 = em1
- OPT2 = em3
Option 2 (set interface IP), interface 1 (WAN):
- no DHCP
- address 10.0.17.105, prefix length 24
- upstream gateway 10.0.17.2
Option 2 (set interface IP), interface 2 (LAN): 11.1.2.2, prefix length 24
Option 2 (set interface IP), interface 3 (OPT1): 11.1.1.2, prefix length 24
Option 2 (set interface IP), interface 4 (OPT2): 11.1.3.2, prefix length 24
Logging
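# Install the course rsyslog drop-in. rsyslog's include directory is
# /etc/rsyslog.d/ (the captured "/etc/rsyslog.d.conf" does not exist);
# `cd ... || exit` stops here instead of fetching into the wrong directory.
cd /etc/rsyslog.d || exit 1
# Fetched from the `main` branch; pinning the URL to a fixed revision would
# make the content reproducible. Review the file before restarting.
wget https://raw.githubusercontent.com/gmcyber/sec350-share/main/03-sec350.conf || exit 1
# Validate the merged configuration first so a bad file does not leave
# logging down after the restart.
rsyslogd -N1 || exit 1
systemctl restart rsyslog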
# WireGuard listener on the VyOS firewall for the "traveler" peer.
# Replace the two placeholders (peer name, peer public key) before committing.
set interfaces wireguard wg0 address '10.0.99.1/24'
# allowed-ips /32 pins the peer to one tunnel address; WireGuard uses it as
# the per-peer source filter as well as the route back to the peer.
set interfaces wireguard wg0 peer traveler-yourname allowed-ips '10.0.99.100/32'
set interfaces wireguard wg0 peer traveler-yourname public-key traveler-key-goes-here
# udp/51820 must be reachable on the WAN address from wherever the traveler is.
set interfaces wireguard wg0 port '51820'
# Generates the router's key pair and writes the private key into the wg0
# config, so it appears in 'show configuration commands' output — treat that
# output as a secret.
run generate pki wireguard key-pair install interface wg0
In Server Manager → Local Server, enable Remote Desktop (RDP).
vyos@FW-gru:~$ show configuration commands
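# --- Rulesets for traffic leaving the DMZ ---
# DMZ -> LAN: return traffic only; the DMZ can never open connections into LAN.
set firewall name DMZ-LAN default-action 'drop'
set firewall name DMZ-LAN enable-default-log
set firewall name DMZ-LAN rule 1 action 'accept'
set firewall name DMZ-LAN rule 1 state established 'enable'
# DMZ -> MGMT: syslog (udp/1514 to 11.1.3.10) and DNS (53 to 11.1.3.3).
# Rule 1 is new: MGMT-DMZ rule 20 lets MGMT open any session into the DMZ,
# but without an established rule here the replies were dropped by the
# default action (no global state-policy appears in this dump).
set firewall name DMZ-MGMT default-action 'drop'
set firewall name DMZ-MGMT enable-default-log
set firewall name DMZ-MGMT rule 1 action 'accept'
set firewall name DMZ-MGMT rule 1 state established 'enable'
set firewall name DMZ-MGMT rule 10 action 'accept'
set firewall name DMZ-MGMT rule 10 destination address '11.1.3.10'
set firewall name DMZ-MGMT rule 10 destination port '1514'
set firewall name DMZ-MGMT rule 10 protocol 'udp'
set firewall name DMZ-MGMT rule 20 action 'accept'
set firewall name DMZ-MGMT rule 20 destination address '11.1.3.3'
set firewall name DMZ-MGMT rule 20 destination port '53'
set firewall name DMZ-MGMT rule 20 protocol 'tcp_udp'
# DMZ -> WAN: return traffic only. Note NAT source rule 20 masquerades
# 11.1.1.0/24 to WAN, which this ruleset never lets a DMZ host initiate —
# one of the two is probably not what was intended.
set firewall name DMZ-WAN default-action 'drop'
set firewall name DMZ-WAN enable-default-log
set firewall name DMZ-WAN rule 1 action 'accept'
set firewall name DMZ-WAN rule 1 state established 'enable'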
# --- Rulesets for traffic leaving the LAN ---
# LAN -> DMZ: replies plus HTTP to the NGINX host 11.1.1.5.
set firewall name LAN-DMZ default-action 'drop'
set firewall name LAN-DMZ enable-default-log
set firewall name LAN-DMZ rule 1 action 'accept'
set firewall name LAN-DMZ rule 1 state established 'enable'
set firewall name LAN-DMZ rule 10 action 'accept'
set firewall name LAN-DMZ rule 10 description 'Allow LAN access to NGINX web page'
set firewall name LAN-DMZ rule 10 destination address '11.1.1.5'
set firewall name LAN-DMZ rule 10 destination port '80'
set firewall name LAN-DMZ rule 10 protocol 'tcp'
# LAN -> MGMT: DNS/syslog to 11.1.3.10 and DNS to 11.1.3.3. No established
# rule, so MGMT cannot initiate into LAN unless MGMT-LAN permits it (it only
# accepts established).
set firewall name LAN-MGMT default-action 'drop'
set firewall name LAN-MGMT enable-default-log
set firewall name LAN-MGMT rule 10 action 'accept'
set firewall name LAN-MGMT rule 10 destination address '11.1.3.10'
set firewall name LAN-MGMT rule 10 destination port '53,1514'
set firewall name LAN-MGMT rule 10 protocol 'tcp_udp'
# Rule 20 (udp/1514 to 11.1.3.10) is fully covered by rule 10 and never
# matches; harmless, but it suggests rule 10 was meant to be narrower.
set firewall name LAN-MGMT rule 20 action 'accept'
set firewall name LAN-MGMT rule 20 destination address '11.1.3.10'
set firewall name LAN-MGMT rule 20 destination port '1514'
set firewall name LAN-MGMT rule 20 protocol 'udp'
set firewall name LAN-MGMT rule 30 action 'accept'
set firewall name LAN-MGMT rule 30 destination address '11.1.3.3'
set firewall name LAN-MGMT rule 30 destination port '53'
set firewall name LAN-MGMT rule 30 protocol 'tcp_udp'
# LAN -> WAN: rule 1 has no match criteria, so all LAN egress is accepted.
# There is no NAT source rule for 11.1.2.0/24, so this only works if the
# upstream routes that prefix back — confirm.
set firewall name LAN-WAN default-action 'drop'
set firewall name LAN-WAN enable-default-log
set firewall name LAN-WAN rule 1 action 'accept'
# --- Rulesets for traffic leaving MGMT ---
# MGMT -> DMZ: rule 20 has no match criteria, so MGMT may open anything
# into the DMZ (management access); replies depend on DMZ-MGMT accepting
# established traffic.
set firewall name MGMT-DMZ default-action 'drop'
set firewall name MGMT-DMZ enable-default-log
set firewall name MGMT-DMZ rule 10 action 'accept'
set firewall name MGMT-DMZ rule 10 state established 'enable'
set firewall name MGMT-DMZ rule 20 action 'accept'
# MGMT -> LAN: return traffic only.
set firewall name MGMT-LAN default-action 'drop'
set firewall name MGMT-LAN enable-default-log
set firewall name MGMT-LAN rule 10 action 'accept'
set firewall name MGMT-LAN rule 10 state established 'enable'
# MGMT -> WAN: rule 1 already accepts everything, so rule 10 is unreachable
# and can be removed.
set firewall name MGMT-WAN default-action 'drop'
set firewall name MGMT-WAN enable-default-log
set firewall name MGMT-WAN rule 1 action 'accept'
set firewall name MGMT-WAN rule 10 action 'accept'
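# --- Rulesets for traffic entering from WAN ---
# WAN -> DMZ: HTTP to the NGINX host only. default-action was missing in the
# captured config; VyOS drops by default when it is unset, but every other
# ruleset states it, so it is made explicit here. Rule 10 mentions the
# traveler, yet the traveler arrives over wg0, which is in no zone — confirm
# whether this rule is actually the one that admits that traffic.
set firewall name WAN-DMZ default-action 'drop'
set firewall name WAN-DMZ enable-default-log
set firewall name WAN-DMZ rule 10 action 'accept'
set firewall name WAN-DMZ rule 10 description 'Allow traveler to access NGINX web page'
set firewall name WAN-DMZ rule 10 destination address '11.1.1.5'
set firewall name WAN-DMZ rule 10 destination port '80'
set firewall name WAN-DMZ rule 10 protocol 'tcp'
# WAN -> LAN and WAN -> MGMT: return traffic only; nothing inbound is opened.
set firewall name WAN-LAN default-action 'drop'
set firewall name WAN-LAN enable-default-log
set firewall name WAN-LAN rule 10 action 'accept'
set firewall name WAN-LAN rule 10 state established 'enable'
set firewall name WAN-MGMT default-action 'drop'
set firewall name WAN-MGMT enable-default-log
set firewall name WAN-MGMT rule 10 action 'accept'
set firewall name WAN-MGMT rule 10 state established 'enable'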
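# --- Interfaces ---
# eth0 carries both a DHCP lease and a static 10.0.17.106/24. Two addresses
# on the WAN port are probably unintended, and a DHCP-learned default route
# can compete with the static route via 10.0.17.2 — keep one of the two.
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 address '10.0.17.106/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 hw-id '00:50:56:b3:f1:eb'
set interfaces ethernet eth1 address '11.1.1.2/24'
set interfaces ethernet eth1 description 'DMZ'
set interfaces ethernet eth1 hw-id '00:50:56:b3:0b:7c'
set interfaces ethernet eth2 address '11.1.2.2/24'
set interfaces ethernet eth2 description 'LAN'
set interfaces ethernet eth2 hw-id '00:50:56:b3:31:44'
set interfaces ethernet eth3 address '11.1.3.2/24'
set interfaces ethernet eth3 description 'MGMT'
set interfaces ethernet eth3 hw-id '00:50:56:b3:08:31'
set interfaces loopback lo
# WireGuard. The peer's public key is safe to record; the router's private
# key is not. The value captured from 'show configuration commands' has been
# exposed in these notes, so it is redacted here and should be regenerated
# on the router ('run generate pki wireguard key-pair install interface wg0'),
# after which the traveler's peer entry needs the new public key.
set interfaces wireguard wg0 address '10.0.99.1/24'
set interfaces wireguard wg0 peer traveler-group6 allowed-ips '10.0.99.100/32'
set interfaces wireguard wg0 peer traveler-group6 public-key 'fkUzUTn+SBV8YAnE0W4v3Gl+2QKCNR4MTRm+p7nXPXE='
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key '<REDACTED-wg0-private-key>'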
# --- Source NAT and default route ---
# Masquerade MGMT and DMZ behind the WAN address. LAN (11.1.2.0/24) has no
# NAT rule although LAN-WAN accepts all egress; either add a rule for it or
# the upstream must route 11.1.2.0/24 back — confirm which is intended.
set nat source rule 10 description 'NAT from MGMT to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '11.1.3.0/24'
set nat source rule 10 translation address 'masquerade'
# DMZ-WAN only accepts established traffic, so this rule currently has no
# DMZ-initiated flows to translate.
set nat source rule 20 description 'NAT from DMZ to WAN'
set nat source rule 20 outbound-interface 'eth0'
set nat source rule 20 source address '11.1.1.0/24'
set nat source rule 20 translation address 'masquerade'
# Default route to the upstream gateway on the WAN segment.
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
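# --- DNS forwarder and SSH ---
set service dns forwarding allow-from '11.1.1.0/24'
set service dns forwarding allow-from '11.1.2.0/24'
set service dns forwarding allow-from '11.1.3.0/24'
# listen-address must be an address the router actually has. The captured
# config had '11.11.x.2', which matches no interface (eth1/eth2/eth3 are
# 11.1.x.2/24); corrected to the interface addresses used in the build notes.
set service dns forwarding listen-address '11.1.1.2'
set service dns forwarding listen-address '11.1.2.2'
set service dns forwarding listen-address '11.1.3.2'
set service dns forwarding system
# SSH listens on every address, including WAN eth0 (10.0.17.106) and wg0.
# No local zone is defined, so as far as this dump shows nothing in
# zone-policy filters traffic addressed to the router itself. Binding to
# the MGMT address is the usual fix (left unchanged here so the management
# path is not cut off by accident):
#   set service ssh listen-address '11.1.3.2'
set service ssh listen-address '0.0.0.0'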
# --- System ---
set system config-management commit-revisions '100'
# Conntrack ALG helpers. They only matter for 'state related' matches, and
# no ruleset in this dump enables 'related'; helpers that are not needed
# (h323, pptp, sip, sqlnet ...) can be removed to shrink the kernel's
# protocol-parsing surface.
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console
set system host-name 'FW-gru'
# Password hash was masked in the captured output; keep it that way in notes.
set system login user vyos authentication encrypted-password ********
# The router itself resolves via 11.1.3.3 on MGMT (this also feeds the
# 'dns forwarding system' setting).
set system name-server '11.1.3.3'
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
# Local logging: everything at info, routing protocols at debug (verbose).
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
# Remote syslog forwards only 'authpriv'. The drop/log lines produced by
# 'enable-default-log' are kernel messages, so with this setting they never
# reach 11.1.3.10; forward 'all' (or add 'kern') if the collector is meant
# to see firewall events — confirm on the log host.
set system syslog host 11.1.3.10 facility authpriv level 'info'
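# --- Zone policy: 'zone <to> from <from> firewall name <from>-<to>' ---
# Every pair follows that from-to naming except LAN/MGMT, where the two
# rulesets were swapped in the captured config: traffic from LAN into MGMT
# was checked by MGMT-LAN (established-only, so LAN could never open the
# DNS/syslog sessions to 11.1.3.x that LAN-MGMT describes), and MGMT->LAN
# traffic by LAN-MGMT, whose destinations are MGMT addresses and never
# match. Corrected below.
set zone-policy zone DMZ from LAN firewall name 'LAN-DMZ'
set zone-policy zone DMZ from MGMT firewall name 'MGMT-DMZ'
set zone-policy zone DMZ from WAN firewall name 'WAN-DMZ'
set zone-policy zone DMZ interface 'eth1'
set zone-policy zone LAN from DMZ firewall name 'DMZ-LAN'
set zone-policy zone LAN from MGMT firewall name 'MGMT-LAN'
set zone-policy zone LAN from WAN firewall name 'WAN-LAN'
set zone-policy zone LAN interface 'eth2'
set zone-policy zone MGMT from DMZ firewall name 'DMZ-MGMT'
set zone-policy zone MGMT from LAN firewall name 'LAN-MGMT'
set zone-policy zone MGMT from WAN firewall name 'WAN-MGMT'
set zone-policy zone MGMT interface 'eth3'
set zone-policy zone WAN from DMZ firewall name 'DMZ-WAN'
set zone-policy zone WAN from LAN firewall name 'LAN-WAN'
set zone-policy zone WAN from MGMT firewall name 'MGMT-WAN'
set zone-policy zone WAN interface 'eth0'
# wg0 belongs to no zone and no local zone exists, so traveler traffic
# arriving through the tunnel and traffic addressed to the router itself
# are not covered by these rulesets — confirm how this VyOS version treats
# unzoned interfaces before relying on WAN-DMZ for the traveler.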