
COIT13146 System and Network Administration

COIT13146 - System and Network Administration

Week 07 - Firewall

This week, we look at security threats, common security problems faced by a system administrator and the measures that can be taken to counter security threats.

IMPORTANT: In this Unit, you begin using tools that, if used inappropriately, could put you in breach of network policy and procedures. You must only perform network scans etc on networks that you have full permission to do so on. It is recommended that all scans etc should only be performed on your own private networks. The University accepts no responsibility for students who use tools inappropriately or without full consent of the network owner or operator.

Summary

Software we need to install

* John the Ripper - "a tool to find weak passwords of your users".

Chapters we need to read

* 22 - Security

Tasks

Readings

Read the recommended chapter before attempting the assessment items. Do not ignore the material on Snort and OSSEC; we will be installing those next week.

Week 07 vt117 [1]


IptablesHowTo - (help.ubuntu.com/community/IptablesHowTo) - "if you want to do a few basic things". This may help when it comes to developing iptables rules.

We will build a VM that will house our Firewall, hence we'll call it our Gateway VM.

Assessment

1. Run the "chage" list command for your username. Briefly discuss
any obvious problems with using the default password aging
configuration. What values would you recommend for a normal user
working in a large company?

2. Run an "nmap -sT" scan of your server, from your server. Then run an "nmap" scan of your host computer (i.e. the one running VirtualBox). You will have to find its IP address first. You may have to use "nmap -PN". Try "-sT" first and read the response; nmap will often suggest alternative scan settings.

Describe the nmap flags available, including the ones used above, and discuss the information obtained from the output of your scan. Include a screenshot of your nmap commands' output.

3. Run an update on your system packages, then install "John the Ripper" (john). Login to your system as kellye (the user created earlier - the password used was "bushr@ng3r"). Then run a series of tests as follows:

a) Logged in as kellye, change the password to "password" and then run "john" against the /etc/shadow file. Comment on the results including how long it took.

b) Next, change kellye's password to "computer" and run "john" again. Comment on the results including how long it took.

c) Finally change kellye's password back to "bushr@ng3r" and run "john" again. Comment on the result including how long you waited. (hint: no need to wait beyond 10 minutes). What conclusion can we make about password security based on these tests?


4. We now make use of the ability of VirtualBox to add additional virtual network cards (NICs). Create a VM server named Gateway that has two NICs - one using a "Bridged Adapter" connected externally to the Internet configured to use DHCP, the other using an "Internal Network" adapter configured manually.

At this point, turn to the "Making a Gateway" document and follow the instructions and information very carefully. When you have completed that, return here to continue.

We will use the internal server userv1 that was created last week.
Make sure the Internal Network in userv1 and Gateway both have the
same name in VirtualBox. Configure the system so all of the
internal traffic goes via the gateway.

a) Provide traceroute output that shows the internal server accessing the Internet through the gateway server.
b) Develop a well-labelled diagram of your network. Present this as a graphic embedded in your submission Word document.

Warning: Do not submit diagrams as separate files created from other programs in their native format (e.g. Visio, Cade etc) as we may not be able to open them. Diagrams developed with such third-party software submitted separately that cannot be opened by us may be marked zero. If you use such software, you must import the diagram into Word for submitting.

5. A complete working firewall configuration file (iptables) can be found at the end of this document - you simply need to make adjustments/changes to match your configuration, e.g. your IP addresses, server names etc. Also adjust author name and date.

a) Extend the firewall rules to allow HTTP and SSH connections to go directly to an internal server (userv1) through the gateway server. Limit all other incoming traffic.

Test your configuration by accessing the default lighttpd server page running on userv1. You do this by connecting to Userv1 through the gateway, via PuTTY.

Submit your firewall rules/script. Provide 'proof' that it works with screen dumps of your Web and SSH access. Ensure you are connecting to the internal server, not the gateway, by checking the IP address in the PuTTY session and the default lighttpd PHP page display that includes the variable '_SERVER["SERVER_ADDR"]'.


b) Allow an SSH connection to the gateway server from the inside only - test it by logging into the internal server (from outside), and then, from the internal server, login to the gateway (using ssh). Once logged into the gateway, you should not be able to ping/access any external or internal hosts - try pinging the internal server and cqu.edu.au. Submit a screen dump showing the results.

c) Enable loopback on the gateway, and the ability to ping the gateway from the internal network only. Submit a screen dump showing the successful ping.

d) There should be no restrictions on outgoing traffic; test this by using elinks from your internal server to www.monash.edu.au. (note: do not use cqu.edu.au since you already have a screenshot of that one from week-3!). Submit a screen dump of elinks with the Monash University site displaying.

e) Enable logging of attempts that are rejected by the firewall - provide a sample of the log.

f) 'Attack' the gateway by trying to do an nmap on it, and show that only the required ports are available - submit your 'attack' output from nmap with a brief description of what it is showing.

How to submit:

Include all answers etc. in a single Word document zipped up as week07.zip. It's due in Week 10.


Sample Firewall ruleset:

#!/bin/sh
#
# FILE: startfw
#
# PURPOSE: Clear and set NAT, port forward and firewall iptables rules.
#
# AUTHOR: Myles Greber
# DATE: 23-02-2012
# VERSION: 0.2
#
# USAGE: startfw
#
# MODIFIED: 23-02-2012
# Renamed script startfw from buildfw. Added configurable
# gateway IP address variable ${GATEWAY_IP}.
#
# NOTES: This script assumes the following configuration:
# gateway:
# eth0 - ${GATEWAY_IP} - external (dhcp) - defined below.
# eth1 - 192.168.12.254 - internal (static)
# internal server:
# eth0 - 192.168.12.1 (static)
# The FORWARD and NAT rules below only take effect once IP forwarding is
# enabled on the gateway (net.ipv4.ip_forward=1).
#
################################################################################

# Configurable gateway IP address.
GATEWAY_IP=192.168.1.10

# Flush all iptables rules from the packet matching tables.
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F

# Reset the built-in chain policies to accept all traffic.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Drop all packets coming in to and forwarded by the gateway.
# Note that no ESTABLISHED,RELATED rule is added to INPUT, so replies to
# connections the gateway itself initiates are dropped; this is the
# behaviour task 5b expects (the gateway cannot ping other hosts).
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Allow all connections through the firewall that originate from within.
iptables -A FORWARD -i eth1 -p ALL -j ACCEPT
# Allow incoming responses to internal host requests.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable NAT on outgoing interface.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ${GATEWAY_IP}

# Allow ssh (22), http (80) and https (443) connections through to the internal server (userv1).
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 443 -j ACCEPT

# Allow ssh (22), http (80) and https (443) connections through NAT (port forward) to internal server (userv1).
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${GATEWAY_IP} --dport 22 -j DNAT --to 192.168.12.1:22
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${GATEWAY_IP} --dport 80 -j DNAT --to 192.168.12.1:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${GATEWAY_IP} --dport 443 -j DNAT --to 192.168.12.1:443

# Allow ssh (22) connections to the gateway from the internal network.
iptables -A INPUT -i eth1 -d 192.168.12.254 -p tcp --dport 22 -j ACCEPT

# Allow loopback on the gateway.
iptables -A INPUT -i lo -d 127.0.0.1 -p ALL -j ACCEPT

# Allow gateway to be ping'd from within (ICMP type 8 = echo request).
iptables -A INPUT -i eth1 -d 192.168.12.254 -p icmp --icmp-type 8 -j ACCEPT

# Allow SSH connections to the external IP address of the gateway for testing.
#iptables -A INPUT -i eth0 -d ${GATEWAY_IP} -p tcp --dport 22 -j ACCEPT

# Enable logging. A packet that reaches these rules has matched nothing
# above and is dropped by the chain policy right after being logged, so
# every entry in the kernel log is a rejected attempt.
iptables -A INPUT -i eth0 -j LOG
iptables -A FORWARD -i eth0 -j LOG
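As an added example (not part of the worksheet or of the sample script above), the shell functions below summarise the kernel log entries that the script's LOG rules write, which is the kind of sample task 5e asks for. The four log lines are constructed, not captured output, and the host name "gateway" and the external addresses in them are assumptions.

```shell
#!/bin/sh
# Added example: summarise iptables LOG records like those produced by the
# sample script's "iptables -A INPUT/FORWARD -i eth0 -j LOG" rules. Because
# the chain policy is DROP, every logged packet is one the firewall rejected.
# Real entries appear in the kernel log (dmesg, /var/log/kern.log or
# /var/log/syslog); the lines below are constructed samples.
SAMPLE_LOG='Mar  4 10:15:01 gateway kernel: [ 1234.567890] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:11:22:33:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5555 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  4 10:15:02 gateway kernel: [ 1235.100000] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:11:22:33:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5556 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  4 10:15:03 gateway kernel: [ 1236.200000] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:08:00:27:11:22:33:08:00 SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5557 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  4 10:15:04 gateway kernel: [ 1237.300000] IN=eth0 OUT=eth1 MAC=08:00:27:aa:bb:cc:08:00:27:44:55:66:08:00 SRC=192.168.1.80 DST=192.168.12.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7777 DF PROTO=TCP SPT=50000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0'

# Read log lines on stdin and print one line per rejected
# (source, destination, protocol, destination port) tuple as
#   count SRC DST PROTO DPT
# with the most frequent tuple first.
summarize_fw_log() {
    awk '
    /IN=/ {
        src = dst = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "") count[src " " dst " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Number of distinct source addresses that had at least one packet rejected.
rejected_sources() {
    summarize_fw_log | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
printf '%s\n' "$SAMPLE_LOG" | rejected_sources
```

Adding --log-prefix "FW-DROP: " to the script's LOG rules tags each entry so it can be picked out with grep, and putting -m limit --limit 5/min in front of them stops a port scan from flooding the log.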
