Compare commits
8 Commits
secret_bra
...
3124e6977a
| Author | SHA1 | Date | |
|---|---|---|---|
|
3124e6977a | ||
|
|
330a08f01d | ||
|
|
9852a3f21b | ||
|
|
e407142f66 | ||
|
|
cd05757575 | ||
|
|
79be50b220 | ||
|
|
1f99e5d28a | ||
|
|
4e873db749 |
10
DMZ.sh
10
DMZ.sh
@@ -7,10 +7,10 @@ routerIp=23.214.219.254
|
|||||||
mask25=255.255.255.128
|
mask25=255.255.255.128
|
||||||
|
|
||||||
dns=23.214.219.130
|
dns=23.214.219.130
|
||||||
mail=23.214.219.131
|
mail=23.214.219.134
|
||||||
vpn_gw=23.214.219.132
|
vpn_gw=23.214.219.133
|
||||||
www=23.214.219.133
|
www=23.214.219.132
|
||||||
smtp=23.214.219.134
|
smtp=23.214.219.131
|
||||||
|
|
||||||
dnsPort=53
|
dnsPort=53
|
||||||
mailPort=888
|
mailPort=888
|
||||||
@@ -26,7 +26,7 @@ sudo systemctl enable iptables
|
|||||||
sudo iptables -F
|
sudo iptables -F
|
||||||
sudo ifconfig enp0s8 $ip netmask $mask25
|
sudo ifconfig enp0s8 $ip netmask $mask25
|
||||||
sudo ip route add 192.168.10.0/24 via $routerIp
|
sudo ip route add 192.168.10.0/24 via $routerIp
|
||||||
sudo add default gw $routerIp
|
sudo route add default gw $routerIp
|
||||||
# alias dos ips
|
# alias dos ips
|
||||||
sudo ip addr add $dns dev enp0s8
|
sudo ip addr add $dns dev enp0s8
|
||||||
sudo ip addr add $mail dev enp0s8
|
sudo ip addr add $mail dev enp0s8
|
||||||
|
|||||||
@@ -9,7 +9,7 @@ sudo systemctl disable firewalld
|
|||||||
sudo systemctl mask firewalld
|
sudo systemctl mask firewalld
|
||||||
sudo systemctl enable iptables
|
sudo systemctl enable iptables
|
||||||
sudo iptables -F
|
sudo iptables -F
|
||||||
sudo ifconfig enp0s8 $dn2 netmask $mask24
|
sudo ifconfig enp0s8 $dns2 netmask $mask24
|
||||||
sudo route add default gw $routerIp
|
sudo route add default gw $routerIp
|
||||||
sudo ip addr add $dns2 dev enp0s8
|
#sudo ip addr add $dns2 dev enp0s8
|
||||||
sudo ip addr add $eden dev enp0s8
|
sudo ip addr add $eden dev enp0s8
|
||||||
47
ROUTER.sh
47
ROUTER.sh
@@ -55,50 +55,45 @@ sudo iptables -A OUTPUT -o lo -j ACCEPT
|
|||||||
#sudo iptables -t nat -A POSTROUTING -i enp0s9 -o enp0s3 -j MASQUERADE #SUS
|
#sudo iptables -t nat -A POSTROUTING -i enp0s9 -o enp0s3 -j MASQUERADE #SUS
|
||||||
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #CAREFULL
|
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #CAREFULL
|
||||||
#DNS name resolution requests sent to outside servers and want a response:
|
#DNS name resolution requests sent to outside servers and want a response:
|
||||||
sudo iptables -A INPUT -i enp0s10 -p udp --sport 53 -j ACCEPT
|
sudo iptables -A INPUT -o enp0s10 -p udp --dport 53 -j ACCEPT
|
||||||
#SSH connections to the router system that originate from the inside and want an answer:
|
#SSH connections to the router system that originate from the inside and want an answer:
|
||||||
sudo iptables -A INPUT -i enp0s9 -p tcp --sport 22 -j ACCEPT #TESTED
|
sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT
|
||||||
sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --sport 22 -j ACCEPT #TESTED
|
sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT
|
||||||
#The dns server should be able to resolve names using the internet (and others???)
|
#The dns server should be able to resolve names using the internet (and others???)
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --sport 53 -j ACCEPT #NEED to test !!
|
sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
|
||||||
#The internal network should be able to send and recieve dns name resolutions to the dns server (1!)
|
#The internal network should be able to send and recieve dns name resolutions to the dns server (1!)
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --sport 53 -j ACCEPT #CORRECT AND TESTED WILL ACTIVATE WHEN YOU SEND FROM ENP0S9 to ENP0S8
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #THIS IS IMPORTANT AND MIGHT FUCK US
|
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #THIS IS IMPORTANT AND MIGHT FUCK US
|
||||||
#The dns and dns2 servers should be able to synchronize the contents of DNS zones. (protocol tcp port 53)
|
#The dns and dns2 servers should be able to synchronize the contents of DNS zones. (protocol tcp port 53)
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --sport 53 -j ACCEPT #NEED to test!
|
sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --dport 53 -j ACCEPT
|
||||||
#SMTP connections to the smtp server and returns
|
#SMTP connections to the smtp server and returns
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --sport 587 -j ACCEPT #TESTED
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT
|
||||||
#sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
#sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
#POP and IMAP connections to the www server
|
#POP and IMAP connections to the www server
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --sport 143 -j ACCEPT #TESTED
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 143 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --sport 110 -j ACCEPT #TESTED
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 110 -j ACCEPT
|
||||||
#HTTP and HTTPS connectins
|
#HTTP and HTTPS connectins
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --sport 80 -j ACCEPT #TESTED THROUGH NETCAT
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --sport 443 -j ACCEPT #TESTED THROUGH NETCAT
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
|
||||||
#sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
#sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
#OpenVPN connections to the vpn-gw server
|
#OpenVPN connections to the vpn-gw server
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --sport 1194 -j ACCEPT #NEDDS testing
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT
|
||||||
#sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p udp --dport 1194 -j ACCEPT
|
#sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p udp --dport 1194 -j ACCEPT
|
||||||
#VPN clients connected to the gateway vpn-gw ???? vpn should be able to acess ftp e datastore
|
#VPN clients connected to the gateway vpn-gw ???? vpn should be able to acess ftp e datastore
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT #NEDDS testing
|
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT #NEDDS testing
|
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT
|
||||||
#FTP da internet WORRIED ???
|
#FTP da internet WORRIED ???
|
||||||
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --sport 21 -j ACCEPT #Changed
|
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT #MIGHT BE NEEDED
|
||||||
#SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface
|
#SSH CONNECTIONS datastore server but only from eden or dn2 DNAT -s servers, and port and -d interface
|
||||||
sudo iptables -t nat -A PREROUTING -s $dn2 -d 87.248.214.97 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
|
sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
|
||||||
sudo iptables -t nat -A PREROUTING -s $eden -d 87.248.214.97 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
|
sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
|
||||||
sudo iptables -t nat -A PREROUTING -s $dn2 -d 87.248.214.97 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
|
sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
|
||||||
sudo iptables -t nat -A PREROUTING -s $eden -d 87.248.214.97 -p tcp --sport 22 -j DNAT --to-destination 192.168.10.3
|
|
||||||
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --sport 22 -j ACCEPT #Need to check and make diferent ip addresses
|
|
||||||
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --sport 22 -j ACCEPT
|
|
||||||
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT #Need to check and make diferent ip addresses
|
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT #Need to check and make diferent ip addresses
|
||||||
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT
|
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT
|
||||||
#enp0s9 to internet DNS, http, https, ssh, FTP(SERVERS??????(WHO INVITED THIS GUY)) SNAT
|
#enp0s9 to internet DNS, http, https, ssh, FTP(SERVERS??????(WHO INVITED THIS GUY)) SNAT
|
||||||
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o enp0s10 -j SNAT --to-source 87.248.214.97
|
sudo iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o enp0s10 -j SNAT --to-source 87.248.214.97
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p udp --sport 53 -j ACCEPT #TESTED
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p udp --dport 53 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 80 -j ACCEPT #TESTED
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 80 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 443 -j ACCEPT #TESTED
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 443 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 21 -j ACCEPT #MIGHT NOT BE ENOUGH
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 21 -j ACCEPT #MIGHT NOT BE ENOUGH
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 21 -j ACCEPT
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --dport 21 -j ACCEPT
|
||||||
BIN
relatorio.pdf
BIN
relatorio.pdf
Binary file not shown.
Binary file not shown.
@@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
\title{Practical Assignment \#1}
|
\title{Practical Assignment \#1}
|
||||||
\author{
|
\author{
|
||||||
João Neto -- \\[1em]
|
João Neto -- 2023234004\\[1em]
|
||||||
Vasco Alves -- 2022228207
|
Vasco Alves -- 2022228207
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -14,16 +14,50 @@
|
|||||||
\newpage
|
\newpage
|
||||||
|
|
||||||
\section{Introduction}
|
\section{Introduction}
|
||||||
|
O objetivo principal deste trabalho era aprender IPTables e como configurar um com o Suricata um sistema de filtração e deteção de ataques. Para esse fim, foi simulado um sistema dividido em três redes e um router para conectar-las. As três redes são a DMZ (23.214.219.128/25, enp0s8), Internal network (192.168.10.0/24, enp0s9) e Internet (87.248.214.0/24, enp0s10).
|
||||||
|
As três redes tem varios serviços, o DMZ tem dns(23.214.219.130), mail(23.214.219.134), vpn-gw(23.214.219.133), www(23.214.219.132) e smpt(23.214.219.131). A Internal network tem ftp(192.168.10.2), datastore(192.168.10.3) e clientes (nos testes os clientes tem ip 192.168.10.4, mas está configurado para dar para qualquer edereço). Por fim a rede Internet tem dns2 (87.248.214.99) e eden (87.248.214.100), existe também outros serviços (87.248.214.98).
|
||||||
\section{Firewall}
|
\section{Firewall}
|
||||||
Sigmasigmaboy123
|
\subsection{Packet fileter without NAT}
|
||||||
\subsection{Packet fileter with NAT}
|
O policy que foi escolhido foi:
|
||||||
\subsection{Packet filtering without NAT}
|
iptables -P INPUT DROP
|
||||||
|
iptables -P FORWARD DROP
|
||||||
|
iptables -P OUTPUT ACCEPT
|
||||||
|
Foi escolhido porque é mais facil dar DROP a todos os pacotes que não foi criado regras do que criar uma regra de DROP para todos os protocolos e possibilidades, o OUTPUT ficou para ACCEPT porque não existe razão para dar DROP dos pacotes que estamos a enviar neste trabalho.
|
||||||
|
Para o router conseguir resolver DNS requests e para aceitar coneções SSH da rede interna ou da VPN gateway foi utilizado estes comandos:
|
||||||
|
sudo iptables -A INPUT -o enp0s10 -p udp --dport 53 -j ACCEPT
|
||||||
|
sudo iptables -A INPUT -i enp0s9 -p tcp --dport 22 -j ACCEPT
|
||||||
|
sudo iptables -A INPUT -i enp0s8 -s 23.214.219.133 -p tcp --dport 22 -j ACCEPT
|
||||||
|
Para conseguirmos a confirguração pedida entre redes foi utilizado estes commandos:
|
||||||
|
sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s8 -o enp0s10 -s 23.214.219.130 -p tcp --dport 53 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 143 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.134 -p tcp --dport 110 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.2 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -s 23.214.219.133 -d 192.168.10.3 -j ACCEPT
|
||||||
|
\subsection{Packet filtering with NAT}
|
||||||
|
Para conecções com origem/destino na internet foi utilizado DNAT/SNAT e iptables para "esconder" o ip para a internet que quer aceder a rede interna e iproutes para bloquear certos pacotes de entrar, para conseguir a configuração utilizamos estes comandos:
|
||||||
|
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.2 -p tcp --dport 21 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s9 -o enp0s10 -p tcp --sport 20 -j ACCEPT
|
||||||
|
sudo iptables -t nat -A PREROUTING -s $dns2 -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
|
||||||
|
sudo iptables -t nat -A PREROUTING -s $eden -p tcp --dport 22 -j DNAT --to-destination 192.168.10.3
|
||||||
|
sudo iptables -t nat -A PREROUTING -i enp0s10 -p tcp --dport 21 -j DNAT --to-destination 192.168.10.2
|
||||||
|
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $dns2 -p tcp --dport 22 -j ACCEPT
|
||||||
|
sudo iptables -A FORWARD -i enp0s10 -o enp0s9 -d 192.168.10.3 -s $eden -p tcp --dport 22 -j ACCEPT
|
||||||
\subsection{External Network}
|
\subsection{External Network}
|
||||||
\subsection{Internal Network}
|
\subsection{Internal Network}
|
||||||
|
|
||||||
\section{Intrusion Detection}
|
\section{Intrusion Detection}
|
||||||
|
Suricata rules:
|
||||||
|
drop tcp (dollar)EXTERNAL-NET any -> (dollar)HOME-NET any (msg:"ET"; flags:S; threshold:type both, track by-src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
|
||||||
|
drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
|
||||||
|
drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
|
||||||
|
drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
|
||||||
|
|
||||||
\section{Conclusion}
|
\section{Conclusion}
|
||||||
|
Fuck we learned alot
|
||||||
\end{document}
|
\end{document}
|
||||||
|
|||||||
5
suricata.rules
Normal file
5
suricata.rules
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
|
||||||
|
drop tcp any any -> any 80 (msg:"SQL injection"; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
|
||||||
|
drop tcp any any -> any 80 (msg:"SQl injection"; content:"'or 1=1"; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
|
||||||
|
drop tcp any any -> any 80 (msg:"XSS"; content:"<script"; nocase; classtype:web-application-attack; sid:1000004; rev:1;)
|
||||||
|
|
||||||
2242
suricata.yaml
Normal file
2242
suricata.yaml
Normal file
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user