Firewall

COIT20266 Systems Security Administration
Week 07 [1]
COIT20266 – Systems Security Administration
Week 07 – Firewall
This week, we look at the types of security threats, the common
security problems faced by a system administrator and the measures
that we need to take to counter security threats.
NOTE: This week we begin using tools that, if used
inappropriately, could put us in breach of network policy and
procedures. We must only perform network scans etc. on networks
that we have full permission to scan. It is recommended that
all scans should only be performed on our own private
networks. The University accepts no responsibility for students
who use tools inappropriately or without the full consent of the
network owner or operator.
Summary
Software we need to install
* John the Ripper – “a tool to find weak passwords of your users”.
Chapters we need to read
* 22 – Security
Tasks
Readings
Read the recommended chapter before attempting the assessment
items.
IptablesHowTo (help.ubuntu.com/community/IptablesHowTo), “if
you want to do a few basic things”. This may help when it comes
to developing iptables rules.

We will be installing Snort and OSSEC in later chapters, so we
need to know and understand their purpose. Installation
procedures will be provided – some differ from those provided in
the textbook.
Assessment
1. Perform a complete update of your system's software. Submit a
list of any updates that occur.
2. Submit the output of the “chage” list command (chage -l) for
your username.
Explain the details shown in the listing, identifying any obvious
problems with the default password aging configuration.
3. Run an “nmap -sT” scan of your server, from your server. Then
run an “nmap” scan of your host computer (i.e. the one running
VirtualBox). You will have to find its IP address first. You may
have to use “nmap -Pn” (older versions spell it “-PN”). Try “-sT”
first and read the response: if the host does not answer nmap's
ping probes, nmap reports it as down and suggests the alternate
scan settings to use.
Submit the nmap scans of both your server and host computer and
describe the nmap flags used and each service detected.
4. Run an “nmap -sV -O” scan of your host computer, from your
server. Submit and summarise the output. [Note: This scan can
take a little while to complete, and “-O” (OS detection) must be
run as root.]
5. Install “John the Ripper” (john). Before running it, log in to
your system as kellye (the user created earlier; the password
used was “[email protected]”), change the password to “password” and
log out. Run a series of tests (john must be run as root to read
/etc/shadow):
a) Run “john” against your /etc/shadow file. Comment on the
results, including how long it took.
b) Next, change kellye’s password to “computer” and run “john”
again. Comment on the results, including how long it took.
c) Finally, change kellye’s password back to “[email protected]” and run
“john” again. Comment on the result, including how long you waited.
(hint: no need to wait beyond 10 minutes).

6. Create a gateway server VM that has two NICs: one using a
“Bridged Adapter” connected externally to the Internet, configured
to use DHCP; the other using an “Internal Network” adapter,
configured manually.
Next create an internal server (this can be userv1) with one NIC
using an “Internal Network” adapter. Make sure the Internal
Network for both has the same name in VirtualBox. Configure the
system so that all of the internal server's traffic goes via the
gateway. Refer to the “Making a Gateway” document for help.
Provide output that shows the internal server accessing the
Internet through the gateway server (traceroute).
Include a well labelled diagram of your network. Present this as
a drawing embedded in your submission Word document or as a .JPG
file. Do not submit diagrams created by other programs in their
native format (e.g. Visio, Cade, etc.) as we may not be able to
open them.
7. Note that a complete working firewall configuration file
(startfw) can be found at the end of this document; you will
need to adjust it to match your configuration.
a) Extend the firewall rules to allow HTTP and SSH connections
to go directly to an internal server (userv1) through the gateway
server. Restrict all other incoming traffic.
Test your configuration by accessing the default lighttpd server
page running on userv1, connecting to userv1 through the gateway
via PuTTY.
Submit your firewall rules/script. Provide ‘proof’ that it works
with screen dumps of your Web and SSH access. Ensure you are
connecting to the internal server, not the gateway, by checking
the IP address in the PuTTY session and the default lighttpd PHP
page display that includes the variable ‘_SERVER[“SERVER_ADDR”]’
(it should show the internal server's address, not the gateway's).
b) Allow an SSH connection to the gateway server from the inside
only – test it by logging into the internal server (from outside),
and then, from the internal server, login to the gateway (using
ssh). Once logged into the gateway, you should not be able to
ping/access any external or internal hosts – try pinging the
internal server and cqu.edu.au. Submit a screen dump showing the
results.
c) Also allow loopback traffic on the gateway, and the ability to
ping the gateway from the internal network only. Submit a screen
dump showing the successful ping.

d) No restrictions on outgoing traffic should be applied – test
using elinks from your internal server to www.cqu.edu.au. Submit
a screen dump of elinks.
e) Enable logging of attempts that are rejected by the firewall
– provide a sample of the log.
f) Use nmap to ‘attack’ the gateway and show that only the
required ports are available – submit your ‘attack’ output from
nmap with a brief description of what it is showing.
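Task 2 asks you to spot what is wrong with the default password aging values. The check below is an added example, not part of the handout: it reads lines in /etc/shadow format (the fields chage -l reports as last change, minimum, maximum, warning, inactive and expiry days) and flags accounts whose password never expires, i.e. whose maximum age is empty or the Debian/Ubuntu default of 99999, skipping accounts locked with ! or * in the password field. The shadow lines embedded in it are constructed for illustration and the hashes are placeholders.

```shell
#!/bin/sh
# Added example (not from the course handout): flag accounts whose password
# aging is effectively disabled. Input is /etc/shadow format, one line per
# account: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# On a live system: sudo cat /etc/shadow | password_aging_report

# Constructed sample; the hashes are placeholders, not real password hashes.
SHADOW_SAMPLE='root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
kellye:$6$saltsalt$placeholderhash:19010:0:99999:7:::
ops:$6$saltsalt$placeholderhash:19010:1:90:14:::
legacy:$6$saltsalt$placeholderhash:18000::::::'

# Print "user max_days" for every usable account whose maximum password
# age is unset or >= 99999 (i.e. the password never expires). Locked
# accounts (hash starting with ! or *) are skipped: they cannot log in
# with a password at all, so aging is irrelevant for them.
password_aging_report() {
    awk -F: '
        $2 ~ /^[!*]/ { next }
        {
            max = $5
            if (max == "" || max + 0 >= 99999)
                print $1, (max == "" ? "unset" : max)
        }'
}

# Number of offending accounts; usable as a pass/fail figure in a
# hardening check (0 means every password-enabled account expires).
password_aging_count() {
    password_aging_report | wc -l | tr -d ' '
}

printf '%s\n' "$SHADOW_SAMPLE" | password_aging_report
```

On the sample this reports kellye (max 99999) and legacy (max unset) and leaves ops alone. The per-user fix is chage -M 90 -m 1 -W 14 kellye (maximum, minimum and warning days); the system-wide defaults for new accounts live in PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs.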
How to submit:
Include all answers etc. in a single Word document zipped up as
week07.zip. Don’t submit it yet; it’s not due till Week 10.
Weeks 6, 7, 8 and 9 need to be submitted together and all are due
in Week 10. At that time you should zip up your week 6, 7, 8 and 9
zip files as Week6789.zip and submit it.
Sample Firewall ruleset:
#!/bin/sh
#
# FILE: startfw
#
# PURPOSE: Clear and set NAT, port forward and firewall iptables rules.
#
# AUTHOR: Myles Greber
# DATE: 23-02-2012
# VERSION: 0.2
#
# USAGE: startfw (run as root)
#
# MODIFIED: 23-02-2012
# Renamed script startfw from buildfw. Added configurable
# gateway IP address variable ${GATEWAY_IP}.
#
# NOTES: This script assumes the following configuration:
# gateway:
# eth0 - ${GATEWAY_IP} - external (dhcp) - defined below.
# eth1 - 192.168.12.254 - internal (static)
# internal server:
# eth0 - 192.168.12.1 (static)
# IP forwarding must already be enabled on the gateway
# (net.ipv4.ip_forward=1, see the "Making a Gateway" document);
# the FORWARD and NAT rules below do nothing without it.
#
################################################################################
# Configurable gateway IP address (the address eth0 obtained from DHCP).
GATEWAY_IP=192.168.1.10
# Flush all iptables rules from the packet matching tables.
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -t raw -F
# Reset the built-in chain policies to accept all traffic.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Drop all packets coming in to and forwarded by the gateway unless a rule
# below accepts them. OUTPUT stays ACCEPT: no restrictions on outgoing traffic.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Allow all connections through the firewall that originate from within.
iptables -A FORWARD -i eth1 -p ALL -j ACCEPT
# Allow incoming responses to internal host requests.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable NAT on the outgoing interface (MASQUERADE follows the DHCP address;
# use the SNAT form instead if eth0 has a fixed address).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ${GATEWAY_IP}
# Allow ssh (22), http (80) and https (443) connections through to the internal server (userv1).
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.12.1 -p tcp --dport 443 -j ACCEPT
# Allow ssh (22), http (80) and https (443) connections through NAT (port forward) to internal server (userv1).
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${GATEWAY_IP} --dport 22 -j DNAT --to 192.168.12.1:22
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${GATEWAY_IP} --dport 80 -j DNAT --to 192.168.12.1:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${GATEWAY_IP} --dport 443 -j DNAT --to 192.168.12.1:443
# Allow ssh (22) connections to the gateway from the internal network.
iptables -A INPUT -i eth1 -d 192.168.12.254 -p tcp --dport 22 -j ACCEPT
# Allow loopback on the gateway.
iptables -A INPUT -i lo -d 127.0.0.1 -p ALL -j ACCEPT
# Allow the gateway to be pinged from within.
iptables -A INPUT -i eth1 -d 192.168.12.254 -p icmp --icmp-type 8 -j ACCEPT
# NOTE: INPUT has no ESTABLISHED,RELATED rule, so replies to connections the
# gateway itself opens (ping, ssh, DNS) are dropped. Task 7b expects this.
# Allow SSH connections to the external IP address of the gateway for testing.
#iptables -A INPUT -i eth0 -d ${GATEWAY_IP} -p tcp --dport 22 -j ACCEPT
# Enable logging. These rules are last in their chains, so only packets no
# earlier rule accepted reach them; the chain policy then drops the packet.
iptables -A INPUT -i eth0 -j LOG
iptables -A FORWARD -i eth0 -j LOG
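The two LOG rules above write one line per rejected packet to the kernel log (/var/log/kern.log or /var/log/syslog on Ubuntu). That is the log task 7e asks you to sample, and the nmap run in task 7f will fill it with one entry per probed port. The script below is an added example, not part of the handout or of startfw: it reduces such a log to a count per source address, protocol and destination port, which makes a far more readable sample than raw lines and lets you compare what nmap reported against what the gateway logged. The log lines embedded in it are constructed to match the format the kernel's LOG target emits; the "FW-DROP: " prefix assumes the LOG rules were created with --log-prefix "FW-DROP: " (startfw sets no prefix, so change the grep pattern if you keep it that way).

```shell
#!/bin/sh
# Added example (not from the course handout or the startfw script).
# Summarise packets rejected by the gateway's firewall LOG rules.
#
# FW_LOG_SAMPLE: constructed kernel-log lines in the format the iptables
# LOG target emits; they stand in for /var/log/kern.log. The "FW-DROP: "
# prefix assumes the LOG rules were given --log-prefix "FW-DROP: ".
# Lines 1-5 are TCP SYNs from one probing host, then one UDP packet and
# one ICMP echo from another, then an unrelated kernel message.
FW_LOG_SAMPLE='Mar 12 10:01:02 gateway kernel: [ 812.100000] FW-DROP: IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1001 PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:01:02 gateway kernel: [ 812.100100] FW-DROP: IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1002 PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:01:03 gateway kernel: [ 812.100200] FW-DROP: IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1003 PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:01:03 gateway kernel: [ 812.100300] FW-DROP: IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1004 PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:01:04 gateway kernel: [ 812.100400] FW-DROP: IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1005 PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:01:05 gateway kernel: [ 812.100500] FW-DROP: IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1006 PROTO=UDP SPT=53001 DPT=53 LEN=40
Mar 12 10:01:06 gateway kernel: [ 812.100600] FW-DROP: IN=eth0 OUT= MAC=08:00:27:11:22:33:52:54:00:aa:bb:cc:08:00 SRC=10.0.0.5 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=1007 PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Mar 12 10:01:07 gateway kernel: [ 812.200000] eth0: link is up'

# Read kernel-log lines on stdin; print "count src proto dport" for each
# rejected TCP/UDP flow, most frequent first (ties ordered by source).
# ICMP entries and unrelated kernel messages carry no DPT= field and are
# therefore left out of the summary.
fw_log_summary() {
    grep 'FW-DROP: ' \
    | sed -n 's/.* SRC=\([0-9.]*\) .* PROTO=\([[:upper:]]*\) .* DPT=\([0-9]*\) .*/\1 \2 \3/p' \
    | sort | uniq -c | sort -k1,1nr -k2,2 \
    | awk '{ print $1, $2, $3, $4 }'
}

# Distinct destination ports that were probed; compare this list with the
# ports nmap reported as filtered in task 7f.
fw_log_ports() {
    fw_log_summary | awk '{ print $4 }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

printf '%s\n' "$FW_LOG_SAMPLE" | fw_log_summary
```

On the sample this prints three lines: 3 hits on port 22 and 2 on port 23 from 192.168.1.20, and 1 UDP packet to port 53 from 10.0.0.5. Against a real log use grep 'FW-DROP: ' /var/log/kern.log | fw_log_summary. Two things worth changing in the LOG rules themselves: add --log-prefix "FW-DROP: " so the entries can be picked out of the rest of the kernel log, and add -m limit --limit 5/min --limit-burst 10 in front of -j LOG so that a full nmap port scan cannot flood the log with tens of thousands of lines.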