Guió Alumnes ModulA CatSkill2021 - Documents de Google
nano /etc/iptables-rules.sh
posem les regles a dintre
# les provem
/etc/iptables-rules.sh
per comprovar les regles
iptables -nvL
-------------------------
.- Redirigir el trànsit que vingui de la WAN pel port 80 i 443 cap al servidor de la DMZ
# Tot el que arribi de l'exterior i vagi al port 80 o 443 el redirigim a la màquina de la DMZ
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 80 -j DNAT --to 10.0.6.2:80
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 443 -j DNAT --to 10.0.6.2:443
.- Utilitzant les iptables, configurar el router perquè només es permetin les connexions al port 22 des de la subxarxa de la LAN. Les altres connexions seran rebutjades.
# Comentar la línia següent, que està al principi del fitxer
# iptables -P INPUT ACCEPT
# Només permetre l'accés ssh des de la LAN
# (Nota: comprova que 10.0.6.0/24 és realment la subxarxa de la LAN; més avall la DMZ és 10.0.6.2 i les regles d'OpenVPN i Snort fan servir 10.0.4.0/24 com a LAN)
# iptables -A INPUT -p tcp -s 10.0.6.0/24 --dport 22 -j ACCEPT
# Tanquem tots els accessos indesitjats des de qualsevol xarxa al port 22 (la regla ACCEPT ha d'anar abans que el REJECT)
# Nota: 0.0.0.0/0 significa: qualsevol xarxa
# iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j REJECT
.- Configura els logs de l'iptables perquè cada vegada que es creï una connexió quedi registrada a l'arxiu /var/log/iptables.log
# creem l'arxiu de logs
# configurem el syslog
nano /etc/rsyslog.d/10-iptables.conf
# (aquest filtre només capta els missatges que continguin el prefix "[IPTABLES]:"; la regla LOG de l'iptables ha de portar --log-prefix "[IPTABLES]:" perquè coincideixi)
:msg, contains, "[IPTABLES]:" -/var/log/iptables.log
& ~
.- Securitzar el servei web del servidor de la DMZ
configurar el https
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.old
cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.old
a2enmod ssl
a2enmod headers
a2ensite default-ssl
crear el certificat autosignat
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
Country Name (2 letter code) [AU]: ES
State or Province Name (full name) [Some-State]: Girona
Locality Name (eg, city) []: Girona
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Institut Montilivi
Organizational Unit Name (eg, section) []: Informatica
Common Name (e.g. server FQDN or YOUR name) []: dmz.catskill.cat
Email Address []: ciber@catskill.cat
nano /etc/apache2/sites-available/default-ssl.conf
<VirtualHost *:443>
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
a2ensite default-ssl.conf
https://192.168.1.100/
nano /etc/apache2/apache2.conf
ServerName localhost
apache2ctl configtest
systemctl restart apache2
.- Redireccionar http a https
nano /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    Redirect / https://192.168.1.100/
</VirtualHost>
apache2ctl configtest
systemctl restart apache2
http://192.168.1.100/
.- OpenVPN
#
cp -r /usr/share/easy-rsa /etc/openvpn/
# Setup Certificate Authority
cd /etc/openvpn/easy-rsa
mkdir /etc/openvpn/server/pki
mv /etc/openvpn/easy-rsa/vars.example /etc/openvpn/easy-rsa/vars
# editar vars i afegir-hi les línies
nano /etc/openvpn/easy-rsa/vars
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "ES"
set_var EASYRSA_REQ_PROVINCE "Girona"
set_var EASYRSA_REQ_CITY "Girona"
set_var EASYRSA_REQ_ORG "Catskill54 CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "catskill54@catskill.cat"
set_var EASYRSA_REQ_OU "catskill54 CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "catskill54 CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"
# iniciar pki
/etc/openvpn/easy-rsa/easyrsa init-pki
# posar yes si pregunta
# created PKI dir is in: /etc/openvpn/easy-rsa/pki
# build the CA certificates
/etc/openvpn/easy-rsa/easyrsa build-ca
# posem el pass: catskill54
# si s'ha de tornar a esborrar, posarem yes al executar /etc/openvpn/easy-rsa/easyrsa init-pki
# Generate Server Certificate Files
/etc/openvpn/easy-rsa/easyrsa gen-req catskillvpn-server nopass
posarem intro en Common Name (eg: your user, host, or server name) [catskillvpn-server]:
# anar repetint els passos anteriors si dona errors
# Sign the Server Key Using CA
/etc/openvpn/easy-rsa/easyrsa sign-req server catskillvpn-server
# posar yes i el pass catskill54
# verify the generated certificate file
openssl verify -CAfile pki/ca.crt pki/issued/catskillvpn-server.crt
# generate a strong Diffie-Hellman key to use for the key exchange
/etc/openvpn/easy-rsa/easyrsa gen-dh
# After creating all certificate files, copy them to the directory /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/private/catskillvpn-server.key /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/issued/catskillvpn-server.crt /etc/openvpn/server/
# Generate Client Certificate and Key File
/etc/openvpn/easy-rsa/easyrsa gen-req client nopass
# posar intro
# sign the client key using your CA certificate
/etc/openvpn/easy-rsa/easyrsa sign-req client client
# posar yes
# posar catskill54
# copy all client certificate and key files to the directory /etc/openvpn/client/
mkdir /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn/client/
# Configure OpenVPN Server
nano /etc/openvpn/server.conf
# posar a dintre
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/catskillvpn-server.crt
key /etc/openvpn/server/catskillvpn-server.key
dh /etc/openvpn/server/dh.pem
server 10.0.8.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# duplicate-cn: permet que diversos clients es connectin alhora amb el mateix certificat (el de client.ovpn); els clients no queden identificats individualment
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
# (la llista tls-cipher surt tallada al document original; s'ha completat amb la mateixa llista que porta el client.ovpn, que ha de coincidir)
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
# Start OpenVPN Service
systemctl enable openvpn@server
systemctl start openvpn@server
# Check OpenVPN Service status
systemctl status openvpn@server
# check the vpn network interface
ip a show tun0
# check log
tail -f /var/log/openvpn.log
# Generate Client Configuration
nano /etc/openvpn/client/client.ovpn
client
dev tun
proto udp
remote 192.168.1.100 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
# configurem l'iptables
nano /etc/iptables-rules.sh
# openvpn
# (Nota: el server.conf assigna als clients VPN la xarxa 10.0.8.0/24; comprova que la subxarxa d'origen d'aquesta regla, 10.0.4.0/24, és la que realment vols deixar passar pel tun0)
iptables -I FORWARD -i tun0 -o enp0s3 -s 10.0.4.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# el MASQUERADE ja està fet d'abans: iptables -t nat -I POSTROUTING -o enp0s3 -s 10.0.4.0/24 -j MASQUERADE
# Tota la carpeta /etc/openvpn/client/ s'ha de passar al client
# al client s'ha d'instal·lar el programa OpenVPN Connect i carregar l'arxiu client.ovpn
/etc/openvpn/client/
.- IDS amb SNORT
Snort versió: 2.9.7.0
# Revisar configuració
nano /etc/snort/snort.conf
ipvar HOME_NET [10.0.4.0/24,10.0.6.0/24]
# List of ports you run web servers on
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145 …]   # (la llista surt tallada al document original)
# List of ports you want to look for SSH connections on:
portvar SSH_PORTS 22
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# site specific rules
include $RULE_PATH/local.rules
# per validar la configuració
snort -T -c /etc/snort/snort.conf
Les regles estan a /etc/snort/rules/local.rules
Les alertes estaran a /var/log/snort/alert
tail -f /var/log/snort/alert
Hi ha regles fetes per fer alarma si es fan pings
nano /etc/snort/rules/local.rules
log icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"log ICMP Catskills test"; sid:1000001; rev:001;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"alert ICMP 1"; sid:1000002; rev:001;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"alert ICMP 2"; sid:1000003; rev:001;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
# Per iniciar i que guardi les alertes, interfície dmz i de la lan
snort -i enp0s8 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -A full
# per parar hauria de ser CTRL+C però no funciona; hem de fer-ho amb un kill del número (pid) que ens hagi sortit al executar l'snort: "ng packet processing (pid=5344)"
kill -9 5344
# Per detectar sql injection
https://www.hackingarticles.in/detect-sql-injection-attack-using-snort-ids/
nano /etc/snort/rules/local.rules
# Regla per detectar SQL injection. Busquem cometes simples o dobles
alert tcp any any -> any 80 (msg:"Error Based SQL Injection Detected"; content:"%27"; sid:100000011;)
# (Nota: content:"22" busca el text literal 22, no una cometa doble codificada; comprova si el que es volia era "%22")
alert tcp any any -> any 80 (msg:"Error Based SQL Injection Detected"; content:"22"; sid:100000012;)
# Regla per detectar SQL injection. Busquem operadors
# (Nota: content:"and" i content:"or" amb nocase coincideixen amb qualsevol paraula que contingui aquestes lletres, de manera que generaran molts falsos positius en trànsit web normal)
alert tcp any any -> any 80 (msg:"AND SQL Injection Detected"; content:"and"; nocase; sid:100000060;)
alert tcp any any -> any 80 (msg:"OR SQL Injection Detected"; content:"or"; nocase; sid:100000061;)
# Regla per detectar SQL injection. Busquem operadors codificats
# (Nota: aquestes dues regles són idèntiques a les anteriors excepte el sid; les variants codificades no apareixen al document)
alert tcp any any -> any 80 (msg:"AND SQL Injection Detected"; content:"and"; nocase; sid:100000008;)
alert tcp any any -> any 80 (msg:"OR SQL Injection Detected"; content:"or"; nocase; sid:100000009;)
# Per provocar SQL Injection (entorn de pràctiques)
DVWA
http://192.168.1.100/DVWA/
Amb username i password
admin
password
en http://192.168.1.100/DVWA/vulnerabilities/sqli/ posar
'or'1'='1'
obéaltres
%'or'0'='0'
%'or0=0unionselectnull,version()#
%'or0=0unionselectnull,user()
# Regla per detectar connexions ftp port 21
# (Nota: el text de msg ha d'anar entre cometes, i el sid 1000002 ja s'usa a la regla "alert ICMP 1" de més amunt; cada regla necessita un sid únic)
alert tcp 192.168.x.x any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002; rev:1;)
.- Proxy Invers
Es farà que el servidor de la DMZ redirigeixi cap a un servidor de la LAN
En el servidor de la LAN
En el servidor DMZ
a2enmod proxy
(el mòdul es diu proxy, no mod_proxy; per a un ProxyPass cap a http:// cal activar també proxy_http)
afegir una entrada al directori sites-available
nano /etc/apache2/sites-available/000-default.conf
a2ensite /etc/apache2/sites-available/000-default.conf
Afegir les entrades
ProxyPass /intranet http://IP_LAN/
ProxyPassReverse /intranet http://IP_LAN/
Per provar s'accedeix des de la WAN http://IP_WAN/intranet
(Nota: si el 000-default.conf conserva el "Redirect / https://..." de l'apartat anterior, la petició http://IP_WAN/intranet es redirigirà a https abans d'arribar al ProxyPass; cal posar el ProxyPass al vhost que realment rep la petició)