Commit 04685d4b authored by Clark's avatar Clark
Browse files

Adding everything... will recreate this repo for Grand Reopening

parent f7477b5a
This diff is collapsed.
# -*- org-confirm-babel-evaluate: nil -*-
#+TITLE: Bastion Host
#+DATE: 11/5/2019
#+TAGS: :blog:guides:opnsense:firewall:bastion:pcengines:apu:
#+DESCRIPTION:
#+PROPERTY: header-args :cache yes
#+BEGIN_VERSE
This post describes how to setup a Bastion host using OPNsense OS on PC Engines APU hardware.
#+END_VERSE
* Overview
This device will serve as a perimeter router and firewall specified in the below diagram.
#+begin_src plantuml :file img/Bastion_Host.svg
' Specifying aesthetics
skinparam backgroundColor #FFF
skinparam shadowing false
skinparam defaultFontColor #404040
skinparam defaultFontSize 24
skinparam linetype polyline
skinparam frame {
backgroundColor #FEFECE
borderColor #53485C
}
skinparam node {
backgroundColor #FEFECE
borderColor #53485C
}
skinparam rectangle {
backgroundColor<< Public Zone >> #FFE5E5
borderColor<< Public Zone >> #FF4C4C
backgroundColor<< DMZ >> #FFF6E5
borderColor<< DMZ >> #FFC04C
backgroundColor<< Private Zone >> #E5F2E5
borderColor<< Private Zone >> #46A64C
borderColor<< OpenNet >> #FF7F7F
backgroundColor<< OpenNet >> #FFF
borderThickness<< OpenNet >> 8
borderColor<< FastNet >> #FFD27F
borderThickness<< FastNet >> 8
borderColor<< FreeNet >> #7FBF7F
borderThickness<< FreeNet >> 8
}
skinparam control {
borderColor #53485C
}
skinparam component {
borderColor #53485C
}
skinparam cloud {
borderColor #53485C
}
skinparam package {
backgroundColor AliceBlue
borderColor #53485C
}
' Define the network components
rectangle << Public Zone >> {
cloud Internet {
control "0.0.0.0/0" as 0.0.0.0
}
database "<b>Modem" as Modem
}
control "172.31.0.1/32" as 172.31.0.1_32
node "<b>Bastion Host</b>\n\
Router & Firewall\n\
OS: [[https://opnsense.org/ OPNsense]]\n\
[[https://www.pcengines.ch/apu2e4.htm PC Engines APU.2E4]]" as Bastion
rectangle << DMZ >> {
database "<b>Switch" as Switch
control "172.22.132.0/29" as 172.22.132.0_29
}
rectangle << Private Zone >> {
control "172.27.0.0/30" as 172.27.0.0_30
node "<b>Internal Firewall" as Firewall
}
' Define the network connections
'left to right direction
0.0.0.0 -[thickness=3,#53485C]right- Modem
Modem -[thickness=3,#53485C]- 172.31.0.1_32
Bastion -[thickness=3,#53485C]left- 172.31.0.1_32 : 172.31.0.1
Bastion -[thickness=3,#53485C]down- 172.27.0.0_30 : 172.27.0.1
172.27.0.0_30 -[thickness=3,#53485C]left- Firewall
Bastion -[thickness=3,#53485C]up- 172.22.132.0_29 : 172.22.132.1
172.22.132.0_29 -[thickness=3,#53485C]right- Switch
#+end_src
#+RESULTS[088952ba84a786da42ca6ab765fef344e3f6c6fe]:
[[file:img/Bastion_Host.svg]]
_Procedure_:
1) Flash the OPNsense OS to an mSATA drive
2) Mount the mSATA on the APU board
3) Attach a remote session using a null modem cable
4) Configure the OPNsense OS
** Prerequisites
Hardware is required to host the operating system. I've chosen to go with [[https://www.pcengines.ch/apu2e4.htm][PC Engines APU 2E4]] board. There are multiple storage options on the APU boards - I've chosen to utilize the mSATA bus to attach a storage drive.
Since the PC Engines APU boards lack a display adapter, the best option to send commands to the APU board is via the serial port. A =null modem cable= is required to send commands to the APU via the serial port.
* Flash OPNsense to mSATA
Download the OPNsense amd64 serial console image and validate the checksum against those posted on the [[https://opnsense.org/download/][OPNsense Download page]]. The below =wget= downloads the latest image (20.1 as of this writing) from the dns-root.de mirror.
#+begin_example sh
wget --https-only --secure-protocol=PFS https://mirror.dns-root.de/opnsense/releases/20.1/OPNsense-20.1-OpenSSL-nano-amd64.img.bz2
sha256sum OPNsense-20.1-OpenSSL-nano-amd64.img.bz2
#+end_example
Attach an mSATA drive to the machine with the OPNsense image, and flash the image to the disk. Here, my mSATA is mounted on =/dev/sda=
#+begin_example sh
bzip2 -d OPNsense-20.1-OpenSSL-nano-amd64.img.bz2
# First I format the disk and ensure all bits are zero (this takes long)
sudo dd if=/dev/zero of=/dev/sda status=progress
sudo dd if=OPNsense-20.1-OpenSSL-nano-amd64.img of=/dev/sda status=progress
# Eject the mSATA drive
sudo eject /dev/sda
#+end_example
After ejecting the mSATA from the machine, physically attach it to the PC Engines APU mSATA connector. Do not power it on yet.
* OPNsense Configuration
In order to configure the OPNsense OS, I need to connect to the serial console on the APU from my host. I use =minicom= for this purpose.
** Minicom Configuration
I've had more success with *minicom* over *screen* for connecting to the serial console on the APU. Install using =sudo apt install minicom=.
Unless other USB devices are mounted, the APU will likely appear on =/dev/ttyUSB0=. In order to send keys from the remote host to the APU, I disable /Hardware Flow Control/ in the *minicom* /Serial port setup/ using =sudo minicom -s=. I save the below setup to my defaults.
[[file:img/Minicom_Default_Setup.png]]
Thereafter, start a *minicom* session simply using =sudo minicom=. It's a good idea to perform a loopback test before attaching to the APU by inserting a paperclip in pins 2 and 3 on the serial adapter. After doing so, I can verify send keys are echoed in the *minicom* console. This is the first troubleshooting step to attempt if having problems connecting to the serial console.
When needing to exit =minicom=, I use the key combination: =CTRL-A Z= to access special commands, then =X= to exit.
** OPNsense Installation
Before powering on the APU, ensure each of the NICs are plugged in and connect to the serial port to the remote host, and create a *minicom* session using =sudo minicom=. Then power on the APU. Immediately some BIOS messages should appear in the *minicom* console, and then the GNU Grub bootloader with automatically appear.
The OPNsense initial boot will take *long*, especially the /super-block backups/ if you have a large mSATA drive. It's safe to walk away and come back to the login screen - then OPNsense will automatically assign the NICs, incorrectly. You'll have to login and reassign them. Chose /not/ to configure VLANs. Then assign the interfaces as follows:
| Zone | Interface |
|------+-----------|
| WAN | igb2 |
| LAN | igb0 |
| OPT1 | igb1 |
Wait for initial installation to complete.
* TODO OPNsense Configuration
Login with the username =root= and password =opnsense=. Enter option =2= to set interface IP address.
Configure the LAN interface as follows:
| Option | Configuration |
|------------------------------+---------------|
| Configure via DHCP | n |
| LAN IPv4 Address | 172.27.0.1 |
| LAN IPv4 subnet bit count | 30 |
| LAN upstream gateway address | none |
| Configure IPv6 via WAN/DHCP | n |
| LAN IPv6 Address | none |
| Enable DHCP server on LAN | y |
| start address of IPv4 | 172.27.0.2 |
| end address of IPv4 | 172.27.0.254 |
| revert to HTTP? | n |
Configure the OPT1 interface as follows:
| Option | Configuration |
|-------------------------------+---------------|
| Configure via DHCP | n |
| OPT1 IPv4 Address | 172.22.132.1 |
| OPT1 IPv4 subnet bit count | 29 |
| OPT1 upstream gateway address | none |
| Configure IPv6 via WAN/DHCP | n |
| OPT1 IPv6 Address | none |
| Enable DHCP server on OPT1 | n |
| start address of IPv4 | 172.27.0.2 |
| end address of IPv4 | 172.27.0.254 |
| revert to HTTP? | n |
Thereafter, the OPNsense Web GUI will be accessible at https://172.27.0.1 from the LAN zone with the default firewall settings.
** TODO Access Control
- Setup CA
- Setup users with certs
- Setup TOTP Auth server
** TODO Firmware
- Updates
- Checks
- Audit: Security and Health
*** Update BIOS
I deployed v4.11.0.6, from https://pcengines.github.io/#mr-34
From a minicom session, login as root. Then run below, one step at a time.
#+BEGIN_SRC sh
curl -O https://3mdeb.com/open-source-firmware/pcengines/apu2/apu2_v4.11.0.6.rom
pkg install -y flashrom
flashrom -w apu2_v4.11.0.6.rom -p internal:boardmismatch=force
#+END_SRC
Then reboot the router.
** TODO Basic Networking
*** DNS
Unbound DNS is the default DNS service. Enable DNSSec in the general settings at https://172.27.0.1/services_unbound.php. In the advanced settings at https://172.27.0.1/services_unbound_advanced.php, I enable the following flags and options:
| Key | Value |
|--------------------------+---------|
| Hide Identity | Enabled |
| Hide Version | Enabled |
| Prefetch Support | Enabled |
| Prefetch DNS Key Support | Enabled |
| Harden DNSSEC data | Enabled |
| Log leve verbosity | Level 4 |
| Extended statistics | Enabled |
| Log Queries | Enabled |
I use defaults for the rest of the Unbound DNS config.
*** DHCP
- DHCP
*** Firewalls
*** Proxy
**
# -*- org-confirm-babel-evaluate: nil -*-
#+TITLE: Internal Firewall
#+DATE: 11/5/2019
#+TAGS: :blog:guides:ipfire:firewall:pcengines:apu:
#+DESCRIPTION:
#+PROPERTY: header-args :cache yes
#+BEGIN_VERSE
This post describes how to bootstrap an Internal Firewall on the IPFire OS using PC Engines APU hardware.
#+END_VERSE
* Overview
This device will serve as the Internal Firewall specified in the below diagram. The device will be used primarily for traffic shaping, and to segment a secure private zone away from a lower-latency zone which may also include guests.
#+begin_src plantuml :file img/Internal_Firewall.svg
' Specifying aesthetics
skinparam backgroundColor #FFF
skinparam shadowing false
skinparam defaultFontColor #404040
skinparam defaultFontSize 24
skinparam linetype polyline
skinparam frame {
backgroundColor #FEFECE
borderColor #53485C
}
skinparam node {
backgroundColor #FEFECE
borderColor #53485C
}
skinparam rectangle {
backgroundColor<< Public Zone >> #FFE5E5
borderColor<< Public Zone >> #FF4C4C
backgroundColor<< DMZ >> #FFF6E5
borderColor<< DMZ >> #FFC04C
backgroundColor<< Private Zone >> #E5F2E5
borderColor<< Private Zone >> #46A64C
borderColor<< OpenNet >> #FF7F7F
backgroundColor<< OpenNet >> #FFF
borderThickness<< OpenNet >> 8
borderColor<< FastNet >> #FFD27F
borderThickness<< FastNet >> 8
borderColor<< FreeNet >> #7FBF7F
borderThickness<< FreeNet >> 8
}
skinparam control {
borderColor #53485C
}
skinparam component {
borderColor #53485C
}
skinparam cloud {
borderColor #53485C
}
skinparam package {
backgroundColor AliceBlue
borderColor #53485C
}
' Define the network components
rectangle << OpenNet >> {
node "<b>Bastion Host</b>" as Bastion
}
rectangle << Private Zone >> {
control "172.27.0.0/30" as 172.27.0.0_30
node "<b>Internal Firewall \n\
OS: [[https://www.ipfire.org IPFire]]\n\
[[https://www.pcengines.ch/apu2e4.htm PC Engines APU.2E4]]" as Firewall
rectangle << FreeNet >> {
control "172.22.133.128/25" as 172.22.133.128_25
database "<b>Tor Bridge</b>" as Tor_Bridge
}
rectangle << FastNet >> {
control "172.22.133.0/25" as 172.22.133.0_25
database "<b>Orbi WiFi Bridge</b>" as Orbi_Bridge
}
}
' Define the network connections
'left to right direction
Bastion -[thickness=3,#53485C]left- 172.27.0.0_30 : 172.27.0.1
172.27.0.0_30 -[thickness=3,#53485C]left- Firewall : 172.27.0.2
Firewall -[thickness=3,#53485C]down- 172.22.133.128_25 : 172.22.133.254
172.22.133.128_25 -[thickness=3,#53485C]right- Tor_Bridge
Firewall -[thickness=3,#53485C]up- 172.22.133.0_25 : 172.22.133.2
172.22.133.0_25 -[thickness=3,#53485C]right- Orbi_Bridge
#+end_src
#+RESULTS[a8401dfa1771fbc5ac7adf98ba6b29ba81f0cfc8]:
[[file:img/Internal_Firewall.svg]]
_Procedure_:
1) Flash the IPFire OS to an mSATA drive
2) Mount the mSATA on the APU board
3) Attach a remote session using a null modem cable
4) Configure the IPFire OS
** Prerequisites
Hardware is required to host the operating system. I've chosen to go with [[https://www.pcengines.ch/apu2e4.htm][PC Engines APU 2E4]] board. There are multiple storage options on the APU boards - I've chosen to utilize the mSATA bus to attach a storage drive.
Since the PC Engines APU boards lack a display adapter, the best option to send commands to the APU board is via the serial port. A =null modem cable= is required to send commands to the APU via the serial port.
* Flash IPFire to mSATA
Download the IPFire headless image and validate the checksum against those posted on the [[https://www.ipfire.org/download/ipfire-2.25-core141][IPFire 2.25 Download page]]. As of this writing, 2.25 is the latest build. Future releases should be reflected at https://www.ipfire.org/download.
#+begin_example sh
wget --https-only --secure-protocol=PFS https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core141/ipfire-2.25.2gb-ext4.x86_64-full-core141.img.xz
sha256sum ipfire-2.25.2gb-ext4.x86_64-full-core141.img.xz
#+end_example
Attach an mSATA drive to the machine with the IPFire image, and flash the image to the disk. Here, my mSATA is mounted on =/dev/sda=
#+begin_example sh
unxz -v ipfire-2.25.2gb-ext4.x86_64-full-core141.img.xz
# First I format the disk and ensure all bits are zero (this takes long)
sudo dd if=/dev/zero of=/dev/sda status=progress
sudo dd if=ipfire-2.25.2gb-ext4.x86_64-full-core141.img of=/dev/sda status=progress
# Eject the mSATA drive
sudo eject /dev/sda
#+end_example
After ejecting the mSATA from the machine, physically attach it to the PC Engines APU mSATA connector. Do not power it on yet.
* IPFire Configuration
In order to configure the IPFire OS, I need to connect to the serial console on the APU from my host. I use =minicom= for this purpose.
** Minicom Configuration
I've had more success with *minicom* over *screen* for connecting to the serial console on the APU. Install using =sudo apt install minicom=.
Unless other USB devices are mounted, the APU will likely appear on =/dev/ttyUSB0=. In order to send keys from the remote host to the APU, I disable /Hardware Flow Control/ in the *minicom* /Serial port setup/ using =sudo minicom -s=. I save the below setup to my defaults.
[[file:img/Minicom_Default_Setup.png]]
Thereafter, start a *minicom* session simply using =sudo minicom=. It's a good idea to perform a loopback test before attaching to the APU by inserting a paperclip in pins 2 and 3 on the serial adapter. After doing so, I can verify send keys are echoed in the *minicom* console. This is the first troubleshooting step to attempt if having problems connecting to the serial console.
When needing to exit =minicom=, I use the key combination: =CTRL-A Z= to access special commands, then =X= to exit.
** IPFire Installation
Before powering on the APU, connect to the serial port to the remote host, and create a *minicom* session using =sudo minicom=. Then power on the APU. Immediately some BIOS messages should appear in the *minicom* console, and then the GNU Grub bootloader with automatically appear. There should be three options, select *IPFire* over the /Serial Console/.
[[file:img/Bootloader_IPFire_Serial.png]]
Wait patiently for initialization, potentially including a reboot. After reboot, if the /Serial Console/ option is not present, select the normal *IPFire* GRUB entry.
Proceed with installation. The serial console display requires a discerning eye, because the cursor location is ambiguous. It's not difficult to determine where the cursor is by using arrow keys and tab to experiment. For example, in the below screenshot, I've actually selected =us=, although you could not tell this by observing the screenshot alone, without having scrolled around first.
[[file:blog.bytecache.io/content/Bare-Metal/img/Serial_Console_Quirk.png]]
The [[https://wiki.ipfire.org/installation][IPFire Installation Handbook]] is very helpful for additional context and guidance while going through the installation steps (particularly the network setup step).
By convention, I set the APU interfaces to *IPFire* /zones/ as follows.
| IPFire Zone | APU Interface |
|-------------+-----------------|
| Green | [higher bytes]4 |
| Orange | [higher bytes]5 |
| Red | [higher bytes]6 |
After logging in, to gracefully shutdown the device, use =shutdown -h now=. Do /not/ shutdown by removing the power supply. The APU is powered down once all the lights are off - then it is safe to remove the power supply.
* TODO IPFire Configuration
Access the IPFire UI at https://172.22.133.254:444 by default, using the credentials specified during installation.
** TODO Add SSH key to ~/.ssh/config, yada yada
This diff is collapsed.
# -*- org-confirm-babel-evaluate: nil -*-
#+TITLE: Security Server
#+DATE: 12/6/2019
#+TAGS: :debian:docker:wazuh:openvas:arachnia:siem:vm:hids:dast:
#+DESCRIPTION:
#+PROPERTY: header-args :cache yes
#+BEGIN_VERSE
*Objectives:*
Bootstrap a server to host the following:
- OpenVAS Vulnerability Scanner
- Arachnia Web Application Scanner
- Wazuh HIDS
This asset need be able to reach all other assets on the environment (outbound).
#+END_VERSE
* Debian 10 Images
:PROPERTIES:
:CUSTOM_ID: Debian_10_Images
:END:
[[https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/][Current and official Debian ISO files]].
[[https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/current-live/amd64/iso-hybrid/][Current Debian ISO files including non-free firmware]].
I always roll with the *xfce* images. Install Debian 10 to bare metal using a flashed USB drive. Assuming an attached flash USB drive is identified as =/dev/sda= (verify using =lsblk=), flash the ISO to the USB drive using the following.
#+begin_src sh
# First I format the disk and ensure all bits are zero
sudo dd if=/dev/zero of=/dev/sda status=progress
sudo dd if=~/debian-live-10.2.0-amd64-xfce+nonfree.iso of=/dev/sda status=progress
#+end_src
Insert the USB, then boot from the flashed drive and proceed with installation. My default username is =user=.
* Sudo User Account
:PROPERTIES:
:CUSTOM_ID: Sudo_User_Account
:END:
Login as =user=. Then get *root*, once and nevermore, using =su -=. Grant sudo rights to =user=, then login again.
#+BEGIN_SRC sh
usermod -aG sudo user && \
exit
#+END_SRC
Logout and in to receive sudo privileges on the =user= account.
#+BEGIN_SRC sh
xfce4-session-logout -l
#+END_SRC
* Tor Package Management
:PROPERTIES:
:CUSTOM_ID: Tor_Package_Management
:END:
For privacy, I use Debian's onion services to download packages from official repositories. First though, this requires installing =tor= and =apt-transport-tor=.
First run =sudo test= to escalate privileges.
#+begin_src sh
sudo apt update && \
sudo apt upgrade -y && \
sudo apt install -y tor apt-transport-tor && \
sudo rm /etc/apt/sources.list && \
sudo bash -c 'cat <<EOT >> /etc/apt/sources.list
# Debian 10, Buster!
# Repos over TOR:
deb tor+http://vwakviie2ienjx6t.onion/debian buster main
deb-src tor+http://vwakviie2ienjx6t.onion/debian buster main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security buster/updates main
deb-src tor+http://sgvtcaew4bxjd7ln.onion/debian-security buster/updates main
deb tor+http://vwakviie2ienjx6t.onion/debian buster-updates main
deb-src tor+http://vwakviie2ienjx6t.onion/debian buster-updates main
EOT' && \
sudo apt update
#+end_src
Thereafter, I download a few based utilities over tor.
#+BEGIN_SRC sh
sudo apt install -y net-tools curl vim unzip apt-transport-https software-properties-common autoconf libtool \
lynis flashrom xscreensaver yubikey-manager yubikey-personalization-gui keepassxc nextcloud-desktop
#+END_SRC
* Enable Firewalls
:PROPERTIES:
:CUSTOM_ID: Enable_Firewalls
:END:
First, login to the server from the host.
#+BEGIN_SRC sh
ssh root@<IPv4 address>
#+END_SRC
Install firewall and sudo packages.
#+BEGIN_SRC sh
# Download firewall and sudo package
sudo apt update
sudo apt install -y ufw sudo openssh-server
#+END_SRC
Apply firewall rules.
#+BEGIN_SRC sh
#Enable firewalls
ufw allow SSH
ufw allow 2222
ufw allow WWW
ufw allow 8080
ufw allow 514
ufw allow 1514
ufw allow 1515
ufw allow 55000
ufw allow 4567
ufw --force enable
# Change SSH port to 2222, so containers can use port 22
sed -i -e "s|^#Port 22|Port 2222|" /etc/ssh/sshd_config
systemctl restart sshd.service
# Create a new user, named admin.
adduser admin
#+END_SRC
After going through the prompts, grant sudo privileges to the new user and logout.
#+BEGIN_SRC sh
# Grant sudo privileges.
usermod -aG sudo admin
logout
#+END_SRC
=ssh= is now only available on port 2222. Login again from the host and escalate privileges before proceeding.
#+BEGIN_SRC sh
ssh -p 2222 admin@<IPv4 address>
sudo -i
#+END_SRC