7: Firewalls on Linux

What You Need for This Project

A computer with VirtualBox

Task 1: Select Team Roles

Each team needs a Manager, a Writer, a Researcher and one or more Technicians.

The Manager is responsible for ensuring that all the tasks are completed correctly and on time, by delegating tasks to the other team members, monitoring their progress, and reallocating resources as neeed.

The Writer records the important actions performed by the team and prepares a Report for the client.

The Researcher searches the Web to find out information about the target and any other information the team needs.

The Technicians scan and attack the target, keeping notes of what they have done.

Task 2: Prepare Target

Download this OVA file:

p7firelin.ova 1.41 GB (1,401,362,432 bytes)

Import it into VirtualBox.

This virtual appliance contains one Linux server as shown below.

You can SSH into it at the "NAT IP" with the username student and a password of student.

Task 3: Understand the Situation

In a Web browser, open this page:

http://ad.samsclass.info/botlist.htm

Note these facts, as shown below.

Your server is connected to my server via a VPN with an address in the 10.8.0.0/24 subnet
Your server has ports 22 and 80 open
Your server has port 81 closed
Your server can perform DNS resolutions and PINGs to external servers
Your server is PWNED, sending beacons to the C&C server

The purpose of this project is to deny the attackers control of your server, while continuing to provide service to real users, using only a firewall.

Using ufw

Ubuntu includes "ufw" -- the Uncomplicated Firewall.

On your server, via SSH, execute this command to see your firewall status.

sudo ufw status

The firewall is inactive, as shown below.

Let's block all incoming traffic except these three ports:

22 -- used for SSH
3000 -- used by my scoring server
3001 -- used by my scoring server

Execute these commands:

sudo ufw allow 22 sudo ufw allow 3000 sudo ufw allow 3001 sudo ufw enable

Enter y to proceed.

The firewall becomes active, as shown below.

Refresh the scoring webpage. After a minute or so, it should change, as shown below.

Ports 80 and 81 are now filtered, but your box is still PWNED, because you have not filtered outgoing traffic.

Task 4: Block Outgoing Traffic

To block all outgoing connections, which is usually the correct rule for a server, execute this command:

sudo ufw reset sudo ufw deny out to any sudo ufw enable

This blocks beacons, but also prevents PING and DNS requests from the server, as shown below.

It also lets SYNs come in on unused ports, such as port 81, which will allow bind shells.

Task 5: Properly Secure your Server

Adjust your firewall to allow only this traffic:

Incoming connections to 22, 80, 3000, and 3001
Outgoing ping and dns

When you get it right, you should see this:

Task 6: Report Findings

Write up a brief report describing what you did, and present it at the end of class. Add the best solutions to your Blue Team Guide for competitions.

References

UFW
UFW Essentials: Common Firewall Rules and Commands
ufw blocking apt
ufw firewall outgoing deny w/before.rules unable to outgoing traceroute

Posted 10-5-18