Liblor / applied_sec_lab

Applied Security Laboratory - AS19

Add a firewall #71

Closed keyctl closed 4 years ago

keyctl commented 4 years ago

This pull request fixes #31.

One issue remains, and I'm not yet sure how to fix this in a nice way. aslld* will have the SSH port exposed to the public network, and this shall not remain for the final submission.

keyctl commented 4 years ago

I've tested issuing a certificate with this, and using it to login.

Apparently, the login was not performed because I forgot to log out. We have not yet merged this feature even.

Miro-H commented 4 years ago

I did nmap port scans of the first 10000 ports (sudo nmap -p 1-10000 -A -T5 172.17.0.61). The results seem to follow the ports specified in the ansible script. Sometimes there are fewer open ports (e.g. in the DB), probably because not all features are used (no Galera cluster).

Results:

asldb01

Nmap scan report for asldb01 (172.17.0.31)
Host is up (0.00042s latency).
Not shown: 9996 filtered ports
PORT    STATE  SERVICE VERSION
53/tcp  closed domain
80/tcp  closed http
123/tcp closed ntp
443/tcp closed https

asllog01

Nmap scan report for asllog01 (172.17.0.61)
Host is up (0.00037s latency).
All 10000 scanned ports on asllog01 (172.17.0.61) are filtered
MAC Address: 08:00:27:E7:3B:DF (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

aslweb01

Nmap scan report for aslweb01 (172.17.0.41)
Host is up (0.00044s latency).
Not shown: 9998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     nginx 1.17.5
|_http-server-header: nginx/1.17.5
|_http-title: Did not follow redirect to https://aslweb01/
443/tcp open  ssl/http nginx 1.17.5
|_http-server-header: nginx/1.17.5
| http-title: Login | Applied Security Lab AS2019
|_Requested resource was https://aslweb01/Account/Login?ReturnUrl=%2F
| ssl-cert: Subject: commonName=aslweb01/organizationName=iMovies/stateOrProvinceName=Zurich/countryName=CH
| Subject Alternative Name: DNS:aslweb01.internal.imovies.ch, DNS:aslweb01, DNS:imovies.ch, DNS:www.imovies.ch
| Not valid before: 2019-11-15T21:06:33
|_Not valid after:  2021-11-14T21:06:33
MAC Address: 08:00:27:73:54:C2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Network Distance: 1 hop

aslld01

Nmap scan report for aslld01 (172.17.0.51)
Host is up (0.00050s latency).
Not shown: 9998 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  http-proxy HAProxy http proxy 1.3.1 or later
|_http-title: Site doesn't have a title (text/html).
443/tcp open  tcpwrapped
MAC Address: 08:00:27:C1:A2:C6 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Device: load balancer

aslans01

Nmap scan report for 172.17.0.11
Host is up (0.00049s latency).
All 10000 scanned ports on 172.17.0.11 are filtered
MAC Address: 08:00:27:05:46:8A (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

aslcert01

Nmap scan report for aslcert01 (172.17.0.21)
Host is up (0.00052s latency).
Not shown: 9999 filtered ports
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx 1.17.5
|_http-server-header: nginx/1.17.5
|_http-title: 400 No required SSL certificate was sent
| ssl-cert: Subject: commonName=aslcert01/organizationName=iMovies/stateOrProvinceName=Zurich/countryName=CH
| Subject Alternative Name: DNS:aslcert01.internal.imovies.ch, DNS:aslcert01
| Not valid before: 2019-11-15T21:06:32
|_Not valid after:  2021-11-14T21:06:32
MAC Address: 08:00:27:31:85:61 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Network Distance: 1 hop

keyctl commented 4 years ago

> I did nmap port scans of the first 10000 ports (sudo nmap -p 1-10000 -A -T5 172.17.0.61).

Where did you run it? You should only be able to see hosts in the network 172.16.0.*, not 172.17.0.* as that's a private network.

keyctl commented 4 years ago

> For me, the initial make clean build hangs on
>
> RUNNING HANDLER [nftables : Restart nftables] **********************************

Hm, that's strange, I didn't have this behaviour. I will run it again tomorrow, but this indicates that your SSH connection was blocked by the firewall. I assume you made a clean build using make clean build?

keyctl commented 4 years ago

> I did nmap port scans of the first 10000 ports (sudo nmap -p 1-10000 -A -T5 172.17.0.61).

I hope this is not an incompatibility again, because afaik, I was not able to reach hosts in the private network.

Miro-H commented 4 years ago

> > I did nmap port scans of the first 10000 ports (sudo nmap -p 1-10000 -A -T5 172.17.0.61).
>
> Where did you run it? You should only be able to see hosts in the network 172.16.0.*, not 172.17.0.* as that's a private network.

From the internal network (aslcert01 mostly). Sorry I should have mentioned that. I just wanted to see which ports are open.

keyctl commented 4 years ago

> From the internal network (aslcert01 mostly). Sorry I should have mentioned that. I just wanted to see which ports are open.

Oh, alright. So that's in case the attacker already made it onto one of the servers. We could refine the firewall to strictly filter from which hosts to accept traffic, but that would have to be adjusted depending on our needs. Is it worth working on this?

Miro-H commented 4 years ago

> > From the internal network (aslcert01 mostly). Sorry I should have mentioned that. I just wanted to see which ports are open.
>
> Oh, alright. So that's in case the attacker already made it onto one of the servers. We could refine the firewall to strictly filter from which hosts to accept traffic, but that would have to be adjusted depending on our needs. Is it worth working on this?

No, I think we did enough. Also, that would be very static and cumbersome to maintain.
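Two points in this thread lend themselves to a worked check: Miro-H's observation that the scan results "follow the ports specified in the ansible script", and keyctl's idea of restricting which source hosts may reach a given port. The block below is an added example and is not code from the applied_sec_lab repository. It keeps a small per-host policy, renders an nftables input chain with a default-drop policy from it, and parses the PORT/STATE lines of an nmap text report to compare observed open ports with what the policy predicts for the scanning host. The host names and open ports come from the aslweb01 scan quoted above; the policy itself, the choice of 172.17.0.11 (aslans01) as the only host allowed to SSH, and the internal network 172.17.0.0/24 are assumptions made for illustration.

```python
"""Added example, not code from the applied_sec_lab project: derive each host's
expected exposure from a small per-host service policy, render an nftables
ruleset for it, and check a captured nmap report against what the policy
predicts for the scanning host."""
import ipaddress
import re

# Constructed policy. Host names and open ports follow the scan output in the
# thread; restricting SSH to one management host (assumed: aslans01 at
# 172.17.0.11) is an illustrative assumption, not the project's configuration.
# Each rule: (tcp_port, source_network or None meaning "any source").
POLICY = {
    "aslweb01": [(80, None), (443, None), (22, "172.17.0.11/32")],
    "aslcert01": [(443, "172.17.0.0/24"), (22, "172.17.0.11/32")],
}


def expected_open_ports(host, source_ip):
    """Ports the policy leaves reachable from source_ip; all others are filtered."""
    src = ipaddress.ip_address(source_ip)
    return {
        port
        for port, net in POLICY[host]
        if net is None or src in ipaddress.ip_network(net)
    }


def nft_ruleset(host):
    """Render an nftables input chain (default drop) implementing the host's policy."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for port, net in POLICY[host]:
        if net is None:
            lines.append(f"    tcp dport {port} accept")
        else:
            lines.append(f"    ip saddr {net} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Matches lines such as "80/tcp  open  http  nginx 1.17.5" in an nmap report.
_PORT_LINE = re.compile(r"^(\d+)/tcp\s+(open|closed|filtered)\b")


def parse_nmap_ports(report):
    """Map port -> state for the PORT/STATE lines of an nmap text report."""
    states = {}
    for line in report.splitlines():
        m = _PORT_LINE.match(line.strip())
        if m:
            states[int(m.group(1))] = m.group(2)
    return states


def check_exposure(host, source_ip, report):
    """Return (unexpected_open, expected_but_not_open) relative to the policy."""
    observed = {p for p, s in parse_nmap_ports(report).items() if s == "open"}
    expected = expected_open_ports(host, source_ip)
    return observed - expected, expected - observed


# Constructed report: the PORT lines of the aslweb01 scan quoted in this thread,
# as seen from aslcert01 (172.17.0.21).
ASLWEB01_REPORT = """\
Nmap scan report for aslweb01 (172.17.0.41)
Not shown: 9998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     nginx 1.17.5
|_http-server-header: nginx/1.17.5
443/tcp open  ssl/http nginx 1.17.5
"""

if __name__ == "__main__":
    print(nft_ruleset("aslweb01"))
    # From aslcert01 the policy predicts exactly {80, 443}: nothing unexpected,
    # nothing missing. From the management host SSH would be expected as well.
    print(check_exposure("aslweb01", "172.17.0.21", ASLWEB01_REPORT))
    print(check_exposure("aslweb01", "172.17.0.11", ASLWEB01_REPORT))
```

Running the check from a host that is not in the policy for a port (here aslcert01 against port 22) reports nothing, while running it from the management host reports 22 as expected-but-not-open, which is the kind of discrepancy the thread was hunting when the SSH handler hung. Keeping the policy in one place and deriving both the ruleset and the expected scan result from it is also what makes per-source filtering less cumbersome to maintain than editing rules by hand.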

keyctl commented 4 years ago

@Miro-H I've tested be7ce8d38469b599612642634ecc7b58474fe651 and it seems to work. I've successfully generated a certificate using the client machine, and confirmed that logging works. That tells me that the connection from aslweb* to aslcert* works, and also their connections to asldb*. It also means the load balancer works correctly. Then, the SSH connections internally seem to work (I've tested not all, but a bunch), and SSH access from my host works, too. The only thing I could not get to work was HTTPS, but I'm not sure what the cause is. Please check if this now works for you, then we can merge it.

keyctl commented 4 years ago

@Miro-H I got the HTTPS connections from my host working, I think it's a domain name issue. We have to tell our reviewers to add the hostname to their hosts file. I think this is good to merge.

Liblor commented 4 years ago

Just for the record, I finished testing the setup with two db servers and it worked fine :)

keyctl commented 4 years ago

> Just for the record, I finished testing the setup with two db servers and it worked fine :)

Thank you!