LFCE.3 Network and Host Security

Posted Jul 16, 2020 Updated Jan 23, 2024

By Grace L

17 min read

LFCE: Network and Host Security

[toc]

lab

server0: network change to bridge.

server0: 192.168.1.30 enp0s10 192.168.0.110 server1: 193.168.3.100 enp0s8 server2: 192.168.2.100/25 enp0s9

script: firewall.sh

  
firewall-cmd --permanent --change-interface=enp0s10 --zone=external
firewall-cmd --permanent --change-interface=enp0s8 --zone=internal
firewall-cmd --permanent --change-interface=enp0s9 --zone=internal

firewall-cmd --permanent --zone=external --add-masquerade

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s 192.168.2.0/25 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s 192.168.3.0/24 -j ACCEPT

systemctl reload firewalld

Configuring Local and Remote Logging with rsyslog

server1: server-side

  
// show the package that syslog actually comes from.
$ rpmquery --all | grep rsyslog
rsyslog-8.37.0-13.el8.x86_64
rsyslog-relp-8.37.0-13.el8.x86_64
rsyslog-gnutls-8.37.0-13.el8.x86_64
rsyslog-gssapi-8.37.0-13.el8.x86_64

// start the service
systemctl status rsyslog

  
1. modify /etc/rsyslog.config configure file an restart the server
info: man/rsyslog.d

$ cat /etc/rsyslog.conf

... uncomment these
# Provides TCP syslog reception
# for remote syslog, send from one server to another
# for parameters see https://www.rsyslog.com/doc/imtcp.html
module(load="imtcp")              # needs to be done just once
input(type="imtcp" port="514")

#### RULES ####
# Log all kernel messages to the console.
# logging message from certain place, facility + priority = selector      file / devices = action

# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log



2. let firewell allow receive message on TCP 514

firewall-cmd --permanent --add-port 514/tcp
firewall-cmd --reload



3. setup SELinux for rsyslog

semanage port -a -t syslogd_port_t -p tcp 514

server2: client-side

  
1. modify /etc/rsyslog.config configure file an restart the server

# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
## @@=tcp @=udp
#Target="remote_host" Port="XXX" Protocol="tcp")
*.*  @@server1.demo.local:514


systemctl restart rsyslog

2. generate a log:

logger "Test Message"

server1: server-side

  
tail -f /var/log/messages
May 21 16:30:03 server2 server[14255]: Test Message

using remote syslogging, can have a centralized server for all logs

great for auditing and security to time correlate events, across multiple systems.
isn’t limited to just Linux systems as well.
Most network devices (firewalls, switches and routers), also have syslog capabilities. stream logs, from those devices, to logging hosts, for analysis. very, very powerful stuff.

lab2 - securing hosts and Services

iptables

server1:

stope and disable the firewalld

install and start the iptables

yum install iptables-services -y
systemctl start iptables

check the default rule

  
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc



$ iptables -L -v -n           # with number
$ iptables -L --line-numbers  # with details


$ iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)   # default policy of accept
 pkts bytes target     prot opt in     out     source               destination
   27  5637 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
# allows all connections that have been previously allowed by rules further down in the chain. And it also allows any connections that are related.
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
#                            input adapter loop
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
    6   402 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited
# sniiff, connect to any other port other than 22, simply reply "icmp-host-prohibited"

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 33 packets, 3644 bytes)
 pkts bytes target     prot opt in     out     source               destination

check the config file /etc/sysconfig/iptables"

直接修改这里没用

  
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter   # define the table
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

iptables -I INPUT -s 192.168.2.0/25 -j ACCEPT iptables -I INPUT -s 192.168.3.0/24 -j ACCEPT

iptables -I INPUT -s 192.168.3.100 -p tcp -m tcp –dport 22 -j ACCEPT

iptables -I FORWARD -s 192.168.3.0/24 -j ACCEPT iptables -I FORWARD -s 192.168.2.0/25 -j ACCEPT

define rules on runtime (delete new rule when finished)

  
# block traffic from specific network.
$ iptables -I INPUT -s 192.168.2.0/24 -j REJECT
# but all particular server on that subnet.
$ iptables -I INPUT -s 192.168.2.100 -p tcp -m tcp --dport 22 -j ACCEPT
# delete it
$ iptables -D INPUT 1
$ iptables -D FORWARD 4

$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  server2.demo.local   anywhere             tcp dpt:ssh
REJECT     all  --  192.168.2.0/24       anywhere             reject-with icmp-port-unreachable


$ iptable -F                  # temporary flush out rule
$ service iptables reload     # reload from config file
Redirecting to /bin/systemctl reload iptables.service
$ service iptables save       # save runtime config
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

TCP wrappers (centos not used)

  
# add hosts.deny
sshd : 192.168.2.
# add hosts.allow
sshd : 192.168.2.         # allow win
# change hosts.allow
sshd : 192.168.2. : DENY  # deny again

troubleshooting

netstat / ss: if port is open nmap: if remote port is open tcpdump / wireshark: responses from remote host

lab3 - securing hosts and Services

firewalld

/etc/firewalld/firewalld.conf - basic global config

/usr/lib/firewalld - default configuration files

zone configuration files
services configuration files

/etc/firewalld/ - system specific configuration files

  
1. reinstall the firewalld

$ systemctl disable iptables
$ systemctl stop iptables
$ systemctl enable firewalld
$ systemctl start firewalld

$ firewall-cmd --state
running


2. zone

$ firewall-cmd --get-zones
$ firewall-cmd --list-all-zones
$ firewall-cmd --zone=public --list-all
$ firewall-cmd --get-active-zones

# service
$ firewall-cmd --get-service
$ firewall-cmd --zone=public --list-services
$ firewall-cmd --zone=public --add-service=http

# port
$ firewall-cmd --list-ports
$ firewall-cmd --zone=public --remove-port=514/tcp
$ firewall-cmd --zone=public --add-port=514/tcp

# change zone for interface
$ firewall-cmd --change-interface=enp0s3 --zone=internal

firewall-cmd –zone=public –add-service=http –permanent firewall-cmd –zone=public –add-service=http

firewall-cmd –zone=public –add-service=ssh

config file

/usr/lib/firewalld/

  
$ ls /usr/lib/firewalld/  # the dir that contains all the config files
helpers  icmptypes  ipsets  services  zones

services: amanda-client.xml isns.xml rdp.xml amanda-k5-client.xml jenkins.xml redis-sentinel.xml amqps.xml kadmin.xml redis.xml amqp.xml kdeconnect.xml RH-Satellite-6.xml

$ cat /usr/lib/firewalld/services/ssh.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description></description>
  <port protocol="tcp" port="22"/>
</service>

$ ls /usr/lib/firewalld/zones/ block.xml drop.xml home.xml libvirt.xml trusted.xml dmz.xml external.xml internal.xml public.xml work.xml

$ cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
</zone>

/etc/firewalld

# ls /etc/firewalld
firewalld.conf  icmptypes  lockdown-whitelist.xml  zones
helpers         ipsets     services

command

$ firewall-cmd --runtime-to-permanent   # store the runtime

GUI
1 $ firewall-config

NAT

server0:

  
$ firewall-cmd --zone=external --list-all
external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

#                                       --add-forward-port = port=2233: proto=tcp: toport=22: toaddr=192.168.3.100
$ firewall-cmd --permanent --zone=external --add-forward-port=port=2223:proto=tcp:toport=22:toaddr=192.168.3.100
$ firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22
$ firewall-cmd --zone=external --list-forward-port  # is permanent, not it runtime, need reload
$ firewall-cmd --reload
$ firewall-cmd --zone=external --list-forward-port
port=2223:proto=tcp:toport=22:toaddr=192.168.3.100
port=2222:proto=tcp:toport=22:toaddr=

mac terminal:

  
$ ssh server@192.168.1.30 -p 2223
[server@server1 ~]$ exit

$ ssh server@192.168.1.30 -p 2222
[server@server0 ~]$

lab4 - remote access

openSSH

/etc/ssh/sshd_config server /etc/ssh/ssh_config client

  
1. disable the key cache

$ ps -aux | grep gnome-key
server    2530  0.0  0.2 307120  6696 ?        Sl   May21   0:00 /usr/bin/gnome-keyring-daemon --daemonize --login
root     26226  0.0  0.0  12108  1100 pts/1    R+   21:57   0:00 grep --color=auto gnome-key
$ kill 2530



2. generate a public key

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/server/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): passwd
Enter same passphrase again:passwd or passwdssh
Your identification has been saved in /home/server/.ssh/id_rsa.
Your public key has been saved in /home/server/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:msvPScL5+EUYbEfrA6ALiQ7YcJI4UuMlkc+nUVC11Cw server@server1.demo.local
The key's randomart image is:
+---[RSA 3072]----+
|+o*oooo.oo.      |
|*B.= ..+Eoo.     |
|=.=o..  *.o      |
|o  .+... *       |
| .  .+  S +      |
|    .. + . .     |
|      * . .      |
|     . B o       |
|      +o*        |
+----[SHA256]-----+
$ ll .ssh/
-rw-------. 1 server server 2655 May 22 22:01 id_rsa      # identification, private key
-rw-r--r--. 1 server server  579 May 22 22:01 id_rsa.pub  # public key
-rw-r--r--. 1 server server  350 May 21 23:20 known_hosts

$ more id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAN4dOb39...
$ more id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJO7BA/zm6bFWZs0ShZCsS/AhRm4yVjvgY1+bRVe...



2. scp copy the public key to server:
$ ssh-copy-id -i id_rsa.pub server1.demo.local
$ ssh-copy-id -i id_rsa.pub server2.demo.local
#/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
#The authenticity of host 'server2.demo.local (192.168.2.100)' can't be established.
#ECDSA key fingerprint is SHA256:Q9hEc4ZwxWuH1Fd7FO55YpsPRRdwbbtPWbk0lWkMLqI.
#Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
#/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
#/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server2.demo.local password:   # ask server passwd
Number of key(s) added: 1


3. login to the server, no longer ask user passwd but key passwd

ssh server@server2.demo.local
Enter key password:

lab5:

remote control: tools

transfer file securely via network.

ssh:
- scp: securely copy files
- scp file.txt server@server2.demo.local:destipath - execute remote pc: output is send back - tunneling TCP service - SOCKS proxy (client - [ssh server - Server])
SFTP

  
1. secure copy:
# copy file
$ scp file.txt server@server2.demo.local:~/
server@server2.demo.local's password:
file.txt                                    100%    6     1.8KB/s   00:00
# copy dir
$ scp -r ./demos/ server@server2.demo.local:~/
server@server2.demo.local's password:
1                                   100%    6     1.8KB/s   00:00
2                                   100%    6     1.8KB/s   00:00
3                                   100%    6     1.8KB/s   00:00



2. execute rcommand on remote pc

# command
$ ssh server@server2.demo.local ls
server@server2.demo.local's password:
Desktop
Documents
Downloads
file.txt
Music
Pictures
Public
Templates
Videos

# bash script
$ vi myhosts
server0.demo.local
server1.demo.local
server2.demo.local

$ vi remotecmd.sh
while read name
do
  ssh -l server $name -n "ps -aux --noheaders | sort -nrk 3 | head"
done < myhosts
# execute the command: take all of the output of ps, sort it by the third column (CPU), and then give the top 10.


$ sh remotecmd.sh  # can use public key login with no passwd
server@server0.demo.local's password:
server    2611  0.5 11.9 2945612 294332 tty2   Sl+  May22   7:35 /usr/bin/gnome-shell
root      2084  0.3  0.3 159480  9488 ?        Ss   12:19   0:00 sshd: server [priv]
server    7575  0.1 11.3 2985364 280268 tty2   Sl+  May22   1:32 /usr/lib64/firefox/firefox
...
server@server1.demo.local's password:
server    2611  0.5 11.9 2945612 294332 tty2   Sl+  May22   7:35 /usr/bin/gnome-shell
root      2084  0.3  0.3 159480  9488 ?        Ss   12:19   0:00 sshd: server [priv]
server    7575  0.1 11.3 2985364 280268 tty2   Sl+  May22   1:32 /usr/lib64/firefox/firefox
...
server@server2.demo.local's password:
root      5720  0.4  0.3 159480  9700 ?        Ss   12:19   0:00 sshd: server [priv]
server    2599  0.3 10.5 2901520 260392 tty2   Sl+  11:12   0:12 /usr/bin/gnome-shell
...

lab6:

configure SSH tunnel

server2:

install httpd
systemctl start httpd

create file:

echo "hello from server2" > /var/www/html.index.html
more /var/www/html.index.html

check firewelld ```py $ firewall-cmd –get-active-zones libvirt interfaces: virbr0 public interfaces: enp0s8

$ firewall-cmd –zone=public –list-all public (active) target: default icmp-block-inversion: no interfaces: enp0s8 sources: services: cockpit dhcpv6-client http ssh ports: 22/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:

$ firewall-cmd –permanent –remove-service=http

server1:

```py
$ curl https://server2.demo.local
curl: (7) Failed to connect to server2.demo.local port 80: No route to host

$ ssh -L 8080:server2.demo.local:80 server2.demo.local
server@server2.demo.local's password:
[server@server2 ~]$

[server@server1 ~]$ curl https://localhost:8080
hello from server2

remote desktop control

X11

x11 forwarding, the program, x11 was executing on server2, but the display is been forward to server1. server2

  
1. install x11

$ dnf config-manager --enable PowerTools  # if yum cannot find x11
$ yum install xorg-x11-apps -y

2. display

$ xeyes

# solution
No protocol specified
xhost:  unable to open display ":0"
$ export DISPLAY=:0.0
or
change to normal user, not root.

VNC

server2:

  
1. install the vnc
$ yum install tigervnc-server -y



2. configure

$ sudo cp /usr/lib/systemd/system/vncserver@.service /etc/systemd/system/

$ sudo vi /etc/systemd/system/vncserver@.service
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/usr/bin/vncserver_wrapper server %i
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

$ sudo systemctl daemon-reload


3. passwd
$ vncpasswd
Password:
Verify:


4. confirm the service
$ sudo systemctl start vncserver@:1.service
$ sudo systemctl status vncserver@:1.service

$ ss -lt4
State   Recv-Q   Send-Q        Local Address:Port         Peer Address:Port
LISTEN  0        5                   0.0.0.0:5901              0.0.0.0:*
LISTEN  0        128                 0.0.0.0:sunrpc            0.0.0.0:*
LISTEN  0        32            192.168.122.1:domain            0.0.0.0:*
LISTEN  0        128                 0.0.0.0:ssh               0.0.0.0:*
LISTEN  0        5                 127.0.0.1:ipp               0.0.0.0:*

server1: client

  
1. install
$ yum install tigervnc -y


2. to connect to unfirewall server.
$ vncviewer server2.demo.local:1


3. use ssh tunneling to firewelld server.
$ ssh -L 5901:server2.demo.local:5901 server2.demo.local -N
# not open a session, just open tunnel
# now start running
[control+z] # stop the processes
[1]+  Stopped                 ssh -L 5901:server2.demo.local:5901 server2.demo.local -N

$ bg    # background the tunnel, back and running, just a background task
[1]+ ssh -L 5901:server2.demo.local:5901 server2.demo.local -N &

$ vncviewer localhost:5901
# login with vnc passwd

solution

server 0 iptable vs firewelld