Closed. keyctl closed this 4 years ago.
I've tested issuing a certificate with this, and using it to login.
Apparently, the login was not performed because I forgot to log out. We have not even merged this feature yet.
I did nmap port scans of the first 10000 ports (`sudo nmap -p 1-10000 -A -T5 172.17.0.61`). The results seem to follow the ports specified in the ansible script. Sometimes there are fewer open ports (e.g. in the DB), probably because not all features are used (no Galera cluster).
Results:

asldb01
```
Nmap scan report for asldb01 (172.17.0.31)
Host is up (0.00042s latency).
Not shown: 9996 filtered ports
PORT    STATE  SERVICE VERSION
53/tcp  closed domain
80/tcp  closed http
123/tcp closed ntp
443/tcp closed https
```

asllog01
```
Nmap scan report for asllog01 (172.17.0.61)
Host is up (0.00037s latency).
All 10000 scanned ports on asllog01 (172.17.0.61) are filtered
MAC Address: 08:00:27:E7:3B:DF (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
```

aslweb01
```
Nmap scan report for aslweb01 (172.17.0.41)
Host is up (0.00044s latency).
Not shown: 9998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     nginx 1.17.5
|_http-server-header: nginx/1.17.5
|_http-title: Did not follow redirect to https://aslweb01/
443/tcp open  ssl/http nginx 1.17.5
|_http-server-header: nginx/1.17.5
| http-title: Login | Applied Security Lab AS2019
|_Requested resource was https://aslweb01/Account/Login?ReturnUrl=%2F
| ssl-cert: Subject: commonName=aslweb01/organizationName=iMovies/stateOrProvinceName=Zurich/countryName=CH
| Subject Alternative Name: DNS:aslweb01.internal.imovies.ch, DNS:aslweb01, DNS:imovies.ch, DNS:www.imovies.ch
| Not valid before: 2019-11-15T21:06:33
|_Not valid after:  2021-11-14T21:06:33
MAC Address: 08:00:27:73:54:C2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Network Distance: 1 hop
```

aslld01
```
Nmap scan report for aslld01 (172.17.0.51)
Host is up (0.00050s latency).
Not shown: 9998 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http-proxy HAProxy http proxy 1.3.1 or later
|_http-title: Site doesn't have a title (text/html).
443/tcp open  tcpwrapped
MAC Address: 08:00:27:C1:A2:C6 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Device: load balancer
```

aslans01
```
Nmap scan report for 172.17.0.11
Host is up (0.00049s latency).
All 10000 scanned ports on 172.17.0.11 are filtered
MAC Address: 08:00:27:05:46:8A (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
```

aslcert01
```
Nmap scan report for aslcert01 (172.17.0.21)
Host is up (0.00052s latency).
Not shown: 9999 filtered ports
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx 1.17.5
|_http-server-header: nginx/1.17.5
|_http-title: 400 No required SSL certificate was sent
| ssl-cert: Subject: commonName=aslcert01/organizationName=iMovies/stateOrProvinceName=Zurich/countryName=CH
| Subject Alternative Name: DNS:aslcert01.internal.imovies.ch, DNS:aslcert01
| Not valid before: 2019-11-15T21:06:32
|_Not valid after:  2021-11-14T21:06:32
MAC Address: 08:00:27:31:85:61 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Network Distance: 1 hop
```
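The comment above compares the scan results by eye against the ports the ansible script is supposed to open. As an added example (not code from the thread or from the project), here is a small Python check that parses nmap's normal output in the format posted above and compares each host's open TCP ports with a per-host allowlist. The sample report is constructed from an excerpt of the results above plus one constructed line (`22/tcp open ssh` on aslld01) to show what a finding looks like; the `EXPECTED_OPEN` allowlist is an assumption derived from the posted results and the later remark that SSH on aslld* must not stay exposed, not the project's actual configuration.

```python
import re

# Constructed sample input: an excerpt in the format of the nmap output posted in the
# thread, plus one constructed line (22/tcp on aslld01) so that the check has something to flag.
SAMPLE_REPORT = """\
Nmap scan report for asldb01 (172.17.0.31)
Host is up (0.00042s latency).
Not shown: 9996 filtered ports
PORT    STATE  SERVICE VERSION
53/tcp  closed domain
80/tcp  closed http
123/tcp closed ntp
443/tcp closed https
Nmap scan report for aslweb01 (172.17.0.41)
Host is up (0.00044s latency).
Not shown: 9998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     nginx 1.17.5
|_http-server-header: nginx/1.17.5
443/tcp open  ssl/http nginx 1.17.5
| ssl-cert: Subject: commonName=aslweb01/organizationName=iMovies
Nmap scan report for aslld01 (172.17.0.51)
Host is up (0.00050s latency).
Not shown: 9997 filtered ports
PORT    STATE SERVICE    VERSION
22/tcp  open  ssh
80/tcp  open  http-proxy HAProxy http proxy 1.3.1 or later
443/tcp open  tcpwrapped
Nmap scan report for 172.17.0.11
Host is up (0.00049s latency).
All 10000 scanned ports on 172.17.0.11 are filtered
"""

# Assumed allowlist: which TCP ports each host is meant to expose. The values are taken
# from the scan results in the thread and from the note that aslld* must not expose SSH;
# they are an assumption for this example, not the project's ansible data.
EXPECTED_OPEN = {
    "asldb01": set(),
    "aslweb01": {80, 443},
    "aslld01": {80, 443},
    "172.17.0.11": set(),
}

# "Nmap scan report for <name> (<ip>)" or "Nmap scan report for <ip>" (no reverse DNS)
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# Port table rows: "<port>/<proto> <state> <service> [version...]"; NSE lines start with '|'
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return {host: {port: state}} for TCP ports from nmap 'normal' output.

    The host key is whatever nmap printed first (DNS name if it resolved, else the IP).
    Hosts with no port table (all ports filtered) get an empty dict.
    """
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(2) == "tcp":
            hosts[current][int(m.group(1))] = m.group(3)
    return hosts


def open_ports(ports):
    """Set of ports whose state is exactly 'open' ('open|filtered' is not counted)."""
    return {p for p, state in ports.items() if state == "open"}


def check_exposure(scanned, expected):
    """Return {host: (unexpected_open, expected_but_not_open)}.

    A scanned host missing from the allowlist is treated as allowed nothing, so every
    open port on it is flagged; this is the safe default for an unknown host.
    """
    findings = {}
    for host, ports in scanned.items():
        opened = open_ports(ports)
        allowed = expected.get(host, set())
        findings[host] = (opened - allowed, allowed - opened)
    return findings


def report(findings):
    """Human-readable lines, one per finding (or 'OK' for a clean host)."""
    lines = []
    for host, (extra, missing) in sorted(findings.items()):
        if not extra and not missing:
            lines.append(f"{host}: OK")
        if extra:
            lines.append(f"{host}: unexpected open ports {sorted(extra)}")
        if missing:
            lines.append(f"{host}: expected ports not open {sorted(missing)}")
    return lines


if __name__ == "__main__":
    for line in report(check_exposure(parse_nmap(SAMPLE_REPORT), EXPECTED_OPEN)):
        print(line)
```

Run it on a real scan by replacing `SAMPLE_REPORT` with the contents of `nmap -oN` output; hosts whose ports are all filtered parse to an empty table and pass as long as the allowlist expects nothing open for them.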
> I did nmap port scans of the first 10000 ports (`sudo nmap -p 1-10000 -A -T5 172.17.0.61`).

Where did you run it? You should only be able to see hosts in the network 172.16.0.*, not 172.17.0.*, as that's a private network.
For me, the initial `make clean build` hangs on `RUNNING HANDLER [nftables : Restart nftables] **********************************`
Hm, that's strange, I didn't have this behaviour. I will run it again tomorrow, but this indicates that your SSH connection was blocked by the firewall. I assume you made a clean build using `make clean build`?
> I did nmap port scans of the first 10000 ports (`sudo nmap -p 1-10000 -A -T5 172.17.0.61`).

I hope this is not an incompatibility again, because AFAIK I was not able to reach hosts in the private network.
> > I did nmap port scans of the first 10000 ports (`sudo nmap -p 1-10000 -A -T5 172.17.0.61`).
>
> Where did you run it? You should only be able to see hosts in the network 172.16.0.*, not 172.17.0.*, as that's a private network.
From the internal network (aslcert01 mostly). Sorry I should have mentioned that. I just wanted to see which ports are open.
> From the internal network (aslcert01 mostly). Sorry I should have mentioned that. I just wanted to see which ports are open.
Oh, alright. So that's in case the attacker already made it onto one of the servers. We could refine the firewall to strictly filter from which hosts to accept traffic, but that would have to be adjusted depending on our needs. Is it worth working on this?
> From the internal network (aslcert01 mostly). Sorry I should have mentioned that. I just wanted to see which ports are open.

> Oh, alright. So that's in case the attacker already made it onto one of the servers. We could refine the firewall to strictly filter from which hosts to accept traffic, but that would have to be adjusted depending on our needs. Is it worth working on this?
No, I think we did enough. Also, that would be very static and cumbersome to maintain.
@Miro-H I've tested be7ce8d38469b599612642634ecc7b58474fe651 and it seems to work. I've successfully generated a certificate using the client machine, and confirmed that logging works. That tells me that the connection from `aslweb*` to `aslcert*` works, and also their connections to `asldb*`. It also means the load balancer works correctly.
Then, the SSH connections internally seem to work (I've tested not all, but a bunch), and SSH access from my host works, too. The only thing I could not get to work was HTTPS, but I'm not sure what the cause is.
Please check if this now works for you, then we can merge it.
@Miro-H I got the HTTPS connections from my host working, I think it's a domain name issue. We have to tell our reviewers to add the hostname to their `hosts` file. I think this is good to merge.
Just for the record, I finished testing the setup with two db servers and it worked fine :)
> Just for the record, I finished testing the setup with two db servers and it worked fine :)
Thank you!
This pull request fixes #31.

One issue remains, and I'm not yet sure how to fix this in a nice way. `aslld*` will have the SSH port exposed to the public network, and this shall not remain for the final submission.