Closed nyameko closed 1 week ago
zsanda1
commented
1 week ago Hi Team @lisabeeaan @thinker-bell @JCheney20 @Ghost-3342
As week 3 is ending, I am just checking in under week 3 tasks, hopefully your exams are still going well. Please don't hesitate to ask any questions should you have any.
Remember to @ me when you need me to attend to something so that I can get a notification and I will do the same.
All the best
mukize
commented
1 week ago Hi @zsanda1. Please see deliverables below for the week 3 tasks.
Nftables ruleset:
table inet firewall {
set allowed_tcp_dports {
type inet_service
elements = { ssh, http, https }
}
set allowed_udp_dports {
type inet_service
elements = { http, https, 53 }
}
chain input {
type filter hook input priority filter; policy drop;
ct state vmap {established: accept, related: accept, invalid: drop }
iif lo accept
meta l4proto icmp accept
ct state new tcp dport @allowed_tcp_dports accept
ct state new udp dport @allowed_udp_dports accept
reject with icmpx port-unreachable
}
}Dnsmasq configuration:
user=dnsmasq
group=dnsmasq
interface=eth0
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorigCompute node /etc/resolv.conf:
nameserver 10.100.50.172Head node /etc/resolv.conf:
nameserver 8.8.8.8Head node /etc/hosts:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.100.50.224 compute_nodeHead node tcp ports listening:
Scanning head nodes tcp ports {80, 111, 22} from the compute node:
nyameko
commented
1 week ago Excellent work Team!
~I need you to also complete these additional tasks:~
route all network traffic via the head node.~
Never mind, I see that the above was already done in previous week.
In your documentation and write-up, please ensure that you explain forward, input and output chains when describe behavior / implementation of your firewall and nftables rules.
Keep up the good work.
Topics: Secure the cloud infrastructure by configuring firewall rules and setting up DNS on the head node for routing and traffic control.
Tasks:
Configure the head node’s firewall:
Only allow inbound traffic on necessary ports (e.g., SSH, web ports).
Restrict outbound traffic from the compute node to flow only through the head node.
Configure the firewall to drop any other traffic by default (deny-all policy) to ensure maximum security.
Install and configure DNS on the head node:
Ensure that the head node handles name resolution requests from the compute node.
Set up DNS entries for internal communication between the head node and compute node (e.g., map the static IP addresses to meaningful hostnames).
Test name resolution from the compute node to verify that DNS queries are being processed by the head node.
Test firewall configurations to ensure that only the required traffic is permitted:
Try to access blocked services from the compute node to confirm they are denied.
Test the allowed services to ensure they function correctly (e.g., SSH and job scheduling).
Test the DNS configuration to ensure the compute node can resolve the head node’s hostname and any other necessary internal DNS entries.
Implement additional security hardening measures:
SSH key-based authentication only (disable password logins).
Limiting login attempts or enabling
fail2banto prevent brute force attacks.Disable any unnecessary services on both nodes to reduce attack surfaces.
Deliverable:
iptables,nftablesrules or cloud security group settings).