Tag Archives: Security

Using ChatGPT AI to learn PowerShell

ChatGPT is an AI chatbot system launched by OpenAI in November 2022. It is a great tool to help me understand more about PowerShell. Below are a couple of examples in which I have used the tool to learn more PowerShell.

Can you show me top 10 commands in PowerShell?

Can you rewrite the script below?

$Hosts = Get-Content "C:\Scripts\servers.txt"
$Ports = '443'
ForEach ($HOSTLINE in $Hosts) {
    $status = Test-NetConnection $HOSTLINE -Port $Ports -WarningAction SilentlyContinue
    if ($status.TcpTestSucceeded -eq $True) {
        Write-Output "$HOSTLINE is reachable"
    }
    else {
        Write-Output "$HOSTLINE is unreachable"
    }
}

Tell me an example for using foreach-object parallel with PowerShell remoting?

Does foreach-object parallel use multithreading?

Is there a limitation of foreach-object parallel?

Show me an example to use foreach-object parallel to check CPU usage in remote machines?

Can you rewrite the script below?

$inputpath = Get-Content "/var/log/auth.log"
#$inputpath = Get-Content "/Users/tungle/Downloads/auth.log.txt"
$regex = "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
$output = $inputpath | Select-String -Pattern $regex -AllMatches | Select-String "failed password for root" | % { $_.Matches } | % { $_.Value } `
    | Group-Object | Select-Object Name, Count | Where-Object { $_.Count -gt 20 }
ForEach ($line in $output) {
    $IP = $line.Name
    $result = Invoke-RestMethod -Method Get -Uri http://ip-api.com/json/$IP
    # Sleep a second
    Start-Sleep 1
    #Write-Output $_count
    $myObject = [PSCustomObject]@{
        Count       = $line.Count
        "IPAddress" = $line.Name
        #IP         = $result.query
        Country     = $result.Country
    }
    $myObject
}

ChatGPT – Here is a rewritten version of the script you provided:

# Set the file path for the log file
$logFilePath = "/var/log/auth.log"

# Read the log file and store the contents in a variable
$logContent = Get-Content -Path $logFilePath

# Set the regular expression for extracting IP addresses
$ipRegex = "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"

# Extract all of the IP addresses from the log file
$ipAddresses = $logContent | Select-String -Pattern $ipRegex -AllMatches | Select-Object -Expand Matches | Select-Object -Expand Value

# Group the IP addresses by count
$ipCounts = $ipAddresses | Group-Object | Select-Object Name, Count

# Filter the list to include only IP addresses that have failed login attempts more than 20 times
$filteredIpCounts = $ipCounts | Where-Object {$_.Count -gt 20}

# Loop through each IP address
foreach ($ipCount in $filteredIpCounts) {
    # Get the IP address and the number of failed login attempts
    $ip = $ipCount.Name
    $count = $ipCount.Count

    # Make a request to the IP address API to get information about the IP address
    $ipInfo = Invoke-RestMethod -Method Get -Uri "http://ip-api.com/json/$ip"

    # Sleep for a second to avoid making too many requests in a short period of time
    Start-Sleep 1

    # Create a custom object with the IP address, country, and number of failed login attempts
    $result = [PSCustomObject]@{
        "IPAddress" = $ip
        Country = $ipInfo.Country
        Count = $count
    }

    # Output the result
    $result
}

The script provided by ChatGPT did not work like my script. However, it is clearer and easier to understand, so I only made a small change to the script to make it work.

PS /tmp> cat ./chatgpt.PS1                          
# Set the file path for the log file
$logFilePath = "/var/log/auth.log"

# Read the log file and store the contents in a variable
$logContent = Get-Content -Path $logFilePath

# Set the regular expression for extracting IP addresses
$ipRegex = "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"

# Extract all of the IP addresses from the log file
$ipAddresses = $logContent | Select-String -Pattern $ipRegex -AllMatches | Select-String "failed password for root" | Select-Object -Expand Matches | Select-Object -Expand Value

# Group the IP addresses by count
$ipCounts = $ipAddresses | Group-Object | Select-Object Name, Count

# Filter the list to include only IP addresses that have failed login attempts more than 20 times
$filteredIpCounts = $ipCounts | Where-Object {$_.Count -gt 20}

# Loop through each IP address
foreach ($ipCount in $filteredIpCounts) {
    # Get the IP address and the number of failed login attempts
    $ip = $ipCount.Name
    $count = $ipCount.Count

    # Make a request to the IP address API to get information about the IP address
    $ipInfo = Invoke-RestMethod -Method Get -Uri "http://ip-api.com/json/$ip"

    # Sleep for a second to avoid making too many requests in a short period of time
    Start-Sleep 1

    # Create a custom object with the IP address, country, and number of failed login attempts
    $result = [PSCustomObject]@{
        "IPAddress" = $ip
        Country = $ipInfo.Country
        Count = $count
    }

    # Output the result
    $result
}
./chatgpt.PS1 | Sort-Object Count -Descending
./show-attacker.PS1 | Sort-Object Count -Descending

Count the number of failed root login in Linux server by IP address via PowerShell

Using (e)grep, cut, awk and sed to extract specific information from Linux logs is one of the daily tasks of a Linux system administrator.

grep "Failed" /var/log/auth.log | grep -v root | awk -F 'from ' '{ print $2 }' | awk '{ print $1 }' | sort | uniq -c | sort -nr | while read COUNT IP; do echo "$COUNT $IP"; done

However, in this article, I want to demonstrate how to use PowerShell to extract the number of failed root logins on a Linux server.

Download the /var/log/auth.log example file via github (https://github.com/elastic/examples/blob/master/Machine%20Learning/Security%20Analytics%20Recipes/suspicious_login_activity/data/auth.log)

Save it under the Downloads directory, then read the content of the file with the Get-Content command.

$inputpath = get-content "/Users/tungle/Downloads/auth.log"

Now, I want to explain how to use PowerShell to extract specific information from the log file. If the number of failed attempts from an address is greater than the LIMIT, the script displays the count, the IP address, and the geolocation of that IP address.

First, we need a PowerShell regex that matches the format of an IPv4 address.

$regex = "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"

Filter all lines in the auth.log file that match the IP address regex.

$output = $inputpath | Select-String -Pattern $regex -AllMatches

Select only the lines that contain "failed password for root".

$output = $inputpath | Select-String -Pattern $regex -AllMatches | Select-String "failed password for root" 

Following the Microsoft link, I use Matches to get the returned MatchCollection object (https://learn.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.matches?view=netframework-4.7.2). % is an alias of ForEach-Object.

$output = $inputpath | Select-String -Pattern $regex -AllMatches | Select-String "failed password for root" | % { $_.Matches }

Next, extract the IP addresses of the failed logins from the matches.

$output = $inputpath | Select-String -Pattern $regex -AllMatches | Select-String "failed password for root" | % { $_.Matches } | % { $_.Value }

Group the IP addresses so that each unique address is counted.

$output = $inputpath | Select-String -Pattern $regex -AllMatches | Select-String "failed password for root" | % { $_.Matches } | % { $_.Value } `
| Group-Object

Check whether the number of failed attempts is greater than the LIMIT (more than 10 failed login attempts).

$output = $inputpath | Select-String -Pattern $regex -AllMatches | Select-String "failed password for root" | % { $_.Matches } | % { $_.Value } `
                    | Group-Object |  Select-Object Name, Count | Where-Object { $_.Count -gt 10 }

Use the PS script block below to report the attacking IP address, count, and country. Basically, the script checks every entry in the $output variable above and outputs the top IP addresses and the countries the attempts came from.

ForEach ($line in $output) {
    $IP = $line.Name
    #$IP
    # Query Geolocation of the IP addresses via free API
    $result = Invoke-RestMethod -Method Get -Uri http://ip-api.com/json/$IP
    # Create a PSCustomObject to save Count, IP address and Country attempts
    $myObject = [PSCustomObject]@{
        Count        = $line.Count
        "IP Address" = $line.Name
        #IP          = $result.query
        Country      = $result.Country
    }
    $myObject
}
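The same detection, as an added example that is not part of the original post: one regex anchored on the sshd failure text captures both the user name and the source address, so the "failed password for root" filter and the IP match happen in a single step and a stray address elsewhere on the line can never be counted by mistake. The function names Get-FailedRootLoginsByIP and Add-GeoCountry, the -Threshold and -User parameters, and the sample log lines (RFC 5737 documentation addresses) are constructed for this example; the ip-api.com lookup is the same free API the post uses.

```powershell
# Added example (not the original post's script): parse sshd "Failed password" lines
# with a single regex that captures both the user and the source IP, count failures
# per IP, and return the addresses over a threshold. Runs against constructed sample
# lines below so it works offline; feed real lines with Get-Content on a server.
function Get-FailedRootLoginsByIP {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $LogLine,

        # Minimum number of failures before an address is reported (assumed name)
        [int] $Threshold = 10,

        # Account to look for; sshd logs "Failed password for root from <ip> port <n> ssh2"
        [string] $User = 'root'
    )

    begin {
        # Anchor on the failure text and capture the user and the IPv4 address that
        # follows "from", so only the source address of the failure is ever counted.
        $pattern = 'Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>\d{1,3}(?:\.\d{1,3}){3}) port'
        $counts  = @{}
    }

    process {
        foreach ($line in $LogLine) {
            $m = [regex]::Match($line, $pattern)
            if ($m.Success -and $m.Groups['user'].Value -eq $User) {
                $ip = $m.Groups['ip'].Value
                $counts[$ip] = 1 + [int]$counts[$ip]   # missing key casts to 0
            }
        }
    }

    end {
        # Emit one object per offending address, most active first
        $counts.GetEnumerator() |
            Where-Object { $_.Value -gt $Threshold } |
            Sort-Object Value -Descending |
            ForEach-Object {
                [PSCustomObject]@{
                    Count     = $_.Value
                    IPAddress = $_.Key
                }
            }
    }
}

# Optional geolocation lookup against the same free API as the post, with error
# handling so one failed request does not abort the run, and a pause between calls.
function Add-GeoCountry {
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        try {
            $info    = Invoke-RestMethod -Method Get -Uri "http://ip-api.com/json/$($Entry.IPAddress)" -TimeoutSec 10
            $country = $info.country
        }
        catch {
            $country = "lookup failed: $($_.Exception.Message)"
        }
        Start-Sleep -Seconds 1
        $Entry | Add-Member -NotePropertyName Country -NotePropertyValue $country -PassThru
    }
}

# Constructed sample lines (RFC 5737 documentation addresses); not from a real log.
$sample = @(
    'Mar 27 14:22:45 ip-172-31-11-241 sshd[4183]: Failed password for root from 203.0.113.7 port 51234 ssh2'
    'Mar 27 14:22:47 ip-172-31-11-241 sshd[4183]: Failed password for root from 203.0.113.7 port 51236 ssh2'
    'Mar 27 14:22:49 ip-172-31-11-241 sshd[4190]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2'
    'Mar 27 14:22:50 ip-172-31-11-241 sshd[4192]: Accepted publickey for ubuntu from 192.0.2.10 port 50001 ssh2'
    'Mar 27 14:22:51 ip-172-31-11-241 sshd[4195]: Failed password for root from 198.51.100.9 port 40002 ssh2'
)

# Threshold 1 so the tiny sample produces output; keep the default (10) on a real auth.log
$sample | Get-FailedRootLoginsByIP -Threshold 1
```

On a real server the pipeline is `Get-Content /var/log/auth.log | Get-FailedRootLoginsByIP | Add-GeoCountry | Sort-Object Count -Descending`. Counting in a hashtable inside the process block keeps memory flat on a large log, and the try/catch around the lookup means a single API failure yields a labelled Country value instead of aborting the whole run.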

Below is a PS script block to check the failed root attempts.

$inputpath = Get-Content "/Users/tungle/Downloads/auth.log"
#$regex = '\b\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\b'
$regex = "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
#$inputpath | Select-String -Pattern $regex -AllMatches | Select-String "failed password for root"
#$inputpath | Select-String -Pattern $regex -AllMatches | Select-String "failed password for root" | % { $_.Matches }
$output = $inputpath | Select-String -Pattern $regex -AllMatches | Select-String "failed password for root" | % { $_.Matches } | % { $_.Value } `
    | Group-Object | Select-Object Name, Count | Where-Object { $_.Count -gt 10 }
ForEach ($line in $output) {
    $IP = $line.Name
    #$IP
    $result = Invoke-RestMethod -Method Get -Uri http://ip-api.com/json/$IP
    # Create a PSCustomObject to save Count, IP address and Country attempts
    $myObject = [PSCustomObject]@{
        Count        = $line.Count
        "IP Address" = $line.Name
        #IP          = $result.query
        Country      = $result.Country
    }
    $myObject
}

This is a PS script (show-attacker.PS1) to run on a cloud-based Linux virtual machine.

$inputpath = Get-Content "/var/log/auth.log"
#$inputpath = Get-Content "/Users/tungle/Downloads/auth.log.txt"
$regex = "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
$output = $inputpath | Select-String -Pattern $regex -AllMatches | Select-String "failed password for root" | % { $_.Matches } | % { $_.Value } `
    | Group-Object | Select-Object Name, Count | Where-Object { $_.Count -gt 20 }
ForEach ($line in $output) {
    $IP = $line.Name
    $result = Invoke-RestMethod -Method Get -Uri http://ip-api.com/json/$IP
    # Sleep a second
    Start-Sleep 1
    #Write-Output $_count
    $myObject = [PSCustomObject]@{
        Count       = $line.Count
        "IPAddress" = $line.Name
        #IP         = $result.query
        Country     = $result.Country
    }
    $myObject
}

Run the script on the Linux server.

./show-attacker.PS1 | Sort-Object Count -Descending

Finally, we can extract specific information from the authentication logs of a Linux server by using PowerShell.

Set up VPN IPSEC site-to-site between Palo Alto in AWS and FortiGate in premises

This is a diagram that I have used for this lab.

Understanding on deploying Palo Alto instance in AWS is necessary for this lab (https://tungle.ca/?p=3979).

On PA, configure a tunnel.

Add a new static route in the PA virtual router to allow traffic from the Private subnet to the LAN subnet behind FortiGate.

Create IKE Crypto.
Create IPSEC Crypto.
Create an IKE Gateway.

Create an IPSEC tunnel.

Create PA-LAN and FG-LAN network.
Create both Security rules to allow traffic from PA-LAN to FG-LAN and vice versa.
Back to AWS – Route tables. Add a new static route on the Private Route.

Add 192.168.10.0/24 into the routes and select “Private Interface” on the target.

Move on to FortiGate.

Configure interfaces.

Configure default routes on FG.

Configure IPSEC VPN on FG.

Create a FG-LAN and PA-LAN address.
Set up a new static route to allow traffic from FG-LAN subnet in FG to PA-LAN subnet in AWS.
Create Security Policies to allow traffic from FG-LAN to PA-LAN and vice versa.
Set up the IP address on the Kali machine.

Ping from Kali machine to Windows instance (10.0.3.134).

Ping from Windows instance to Kali machine (192.168.10.2).

Check Security Policy status.
The FortiGate IPSEC tunnel is UP.

Back to Palo Alto in AWS. We can see the traffic from PA-LAN to FG-LAN and vice versa.

The Palo Alto IPSEC tunnel is UP.

Send Palo Alto logs on-prem to Splunk on AWS via VPN site-to-site

This is a diagram that I have used to deploy this lab.

We need to deploy a VPN site to site between Palo Alto on-prem and AWS.

On AWS.

On Palo Alto.

Ping the Splunk instance (10.0.0.110) via the ethernet1/2 interface.

The VPN site-to-site tunnel is up in Palo Alto.

Set up a new Windows 2016 instance with 4 GB memory to run Splunk Enterprise on AWS.

RDP to the instance and install Splunk Enterprise. Then, add Splunk for Palo Alto on this instance.

Configure Splunk to get Palo Alto logs via UDP port 514.

Check that UDP port 514 is listening on the Splunk instance.

Go to Palo Alto, and configure Syslog to send logs to Splunk.

By default, Palo Alto uses a management interface to send logs. We need to change the interface to allow Palo Alto to send logs via ethernet1/2 (LAN interface).

Log on to the PA console, type configure, and then run the command below to change the interface used to send logs.

set deviceconfig system route service syslog source interface e1/2

Also, we can go to Device – Setup – Service Route Configuration – Syslog. Configure the source interface and source IP address like the following screenshot.

Configure Syslog on Palo Alto.

IP address: 10.0.0.110 (Splunk instance)

Port: 514 UDP

Log off and enter the wrong password on Palo Alto. Log back into Palo Alto to generate logs to send to Splunk.

We can see “failed authentication log” events have been generated on Splunk.

Set up VPN site-to-site between FortiGate on-prem and AWS. Send FortiGate logs to Splunk on AWS

This is a diagram that I have used for this demonstration.

Create your VPC.

Create a private subnet.

Create a new Internet Gateway and attach it to your VPC.

Create a new route to 0.0.0.0/0 to your Internet gateway.

Create a new Customer gateway with the public IP address of FortiGate.

Create a new Virtual Private Gateway and attach it to your VPC.

Create a new VPN site-to-site.

Click Download Configuration to configure on your FortiGate.

Log into FortiGate.

Interfaces.

Copy these commands and paste them into FortiGate. Note that set "mtu 1427" and set "mtu-override enable" are not available on FortiGate 6.2.

Back to AWS and launch a new Linux VM instance. This machine is used to test VPN site-to-site.

Configure a new static route to allow LAN subnets on AWS to access LAN subnets on FortiGate.

On FortiGate, configure a new static route to AWS LAN subnets.

Configure access rules to allow FortiGate LAN subnets to communicate with AWS LAN subnets.

Ping from the Kali machine to the Linux VM instance on AWS.

The IPSEC tunnel in FortiGate is up.

Back to AWS, the VPN tunnel is up.

Launch a new Windows 2016 VM instance to install Splunk.

On Security Group, add a couple of rules to allow ICMP and all traffic on FortiGate LAN subnets to access this instance.

RDP to the Windows instance and disable the firewall so that logs sent from FortiGate can reach it.

Download Splunk Enterprise for Windows and install it into this instance.

Install the FortiGate App for Splunk and the Fortinet FortiGate Add-on for Splunk.

Click on the Settings tab and configure Splunk to get FortiGate logs. Select new Local UDP.

Enter 514 in the port setting. By default, FortiGate uses UDP port 514 to send logs to syslog.

Select: fgt_log

App Context: Fortinet FortiGate App for Splunk

Method: IP

Index: Default

Check that UDP port 514 is listening on the instance.
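Both Splunk labs on this page check that UDP 514 is listening, and the FortiGate lab above disables the Windows firewall so the logs can get in. The following is an added example, not part of the original post, that performs the listener check and adds a scoped inbound rule admitting syslog only from the FortiGate LAN subnet instead of turning the firewall off. The subnet 172.16.1.0/24 (derived from the FortiGate LAN interface 172.16.1.254 used later in this post) and the rule name are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# Windows Splunk instance. Verifies the UDP 514 listener and creates one scoped
# firewall rule rather than disabling the Windows firewall.
$SyslogPort    = 514
$AllowedSource = '172.16.1.0/24'                      # assumed FortiGate LAN subnet
$RuleName      = 'Splunk syslog UDP 514 from FortiGate LAN'   # assumed rule name

# 1. Is anything bound to UDP 514? Get-NetUDPEndpoint lists UDP listeners; the
#    owning process should be Splunk's splunkd.
$listener = Get-NetUDPEndpoint -LocalPort $SyslogPort -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning "Nothing is listening on UDP $SyslogPort; check the Splunk UDP input."
}
else {
    $listener | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} owned by {2} (PID {3})' -f $_.LocalAddress, $_.LocalPort, $proc.ProcessName, $_.OwningProcess
    }
}

# 2. Scoped inbound rule: only the remote subnet that should send syslog, only UDP 514.
#    Idempotent: skipped if a rule with this display name already exists.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort $SyslogPort -RemoteAddress $AllowedSource -Action Allow -Profile Any | Out-Null
}

# 3. Confirm the rule carries the intended remote-address scope.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

The listener check is the same thing the lab verifies by screenshot; the rule keeps the host firewall on while still letting the FortiGate (and nothing else) deliver syslog. If the Splunk instance later receives Palo Alto logs as well, add that source subnet to -RemoteAddress rather than widening the rule to Any.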

Back on FortiGate, configure FortiGate to send logs to Splunk on AWS. Enter the IP address of Splunk in the IP Address setting, choose All for "Event Logging" and "Local Logging", then click Apply.

Log out of FortiGate and log back in to generate logs. If FortiGate logs do not appear in Splunk, run the commands below to change the source IP address used for sending logs from the management interface to the LAN interface (172.16.1.254).

config log syslogd setting
    set status enable
    set mode udp
    set port 514
    set server "10.0.0.48"
    set source-ip "172.16.1.254"
end

Also, enable PING Access, HTTP, and HTTPS on tunnel 1 interface of FortiGate.

Splunk is able to ping the FortiGate LAN interface.

Back to the Splunk instance, now we are able to see logs from FortiGate.

Deploy VPN IPSEC site-to-site between FortiGate on-prem and AWS

This is a topology that is used to deploy this lab.

+ Configure FortiGate on AWS.

Create a new VPC with the CIDR network 10.0.0.0/16. Then, create both the Lab Public subnet and the Lab Private subnet on AWS.

Create a new Internet gateway and attach it to your VPC.

Create route tables.

Add a new route to the public Route table.

Associate the public subnet to the Public Route table.

Go to EC2 and create a new FortiGate instance.

Create a new private interface for FortiGate.

Attach the interface to FortiGate.

Disable “Source and destination check” on both Public and Private FortiGate interfaces.

Create a new Elastic IP address and assign it to your FortiGate instance.

Assign the Elastic IP address to public FortiGate interface.

Access FortiGate management interface.

Add a new route on a Private Route table to the Private FortiGate interface.

Create a new Windows instance on AWS.

Security Group.

Modify Windows Security Group to allow ICMP traffic.

Configure VPN site to site.

There are two routes that have been automatically created on FortiGate on the static routes setting.

+ Configure FortiGate on-prem.

Configure a default route on FortiGate.

Configure VPN site to site between both FortiGate.

+ Ping a Windows instance on AWS from a machine behind FortiGate on-prem. Remember to RDP to the machine and disable Windows Firewall to allow ICMP traffic from on-prem to that machine.

The IPSEC tunnel is up.

Ping from the Windows instance on AWS to a computer on the FortiGate LAN subnet on-prem.

The IPSEC tunnel on-prem is up.

+ Configure SSLVPN portal on FortiGate on AWS.

Deploying FortiGate on Amazon AWS

Diagram.

Below are a couple of steps to deploy Fortinet on AWS.

Create a new VPC.

Create a public subnet.

Create a private subnet.

Create an Internet gateway.

Attach the gateway to your VPC.

Edit the route table and rename the default route table to Private Route Table.

Create a Public Route Table.

Edit the route and route all traffic to Internet Gateway.

Link Lab Public Subnet to Public Route Table.

Create a new key pair.

Go to EC2, and deploy Fortinet on AWS.

Select your VPC and the Lab Public Subnet. Also set Auto-assign Public IP to Enable.

Security Group.

Go to Network interfaces. Change the interface to Fortinet Public Subnet.

Create a new Fortinet Private subnet.

Attach this network interface to Fortinet EC2.

Create a new Elastic IP address.

Change to Fortinet EIP.

Associate this Elastic IP address to Fortinet EC2.

Now, Fortinet has two interfaces. One is Private, and another one is Public.

Access Fortinet via the Internet.

Login to Fortinet.

Change password to login to Fortinet.

Edit interfaces.

WAN interface.

LAN interface.

Edit Security Group to allow to ping Fortinet.

Disable Source and Destination Check on “Fortinet Private subnet”.

Now, change the route to route private subnet traffic via Fortinet Private subnet interface.

Create a new Windows 2016 VM on EC2. The machine belongs to the "Lab Private Subnet".

Create a new Windows Security Group to allow HTTP and RDP traffic.

Back on Fortinet, configure a Firewall Policy to allow traffic from the Fortinet Private subnet to access the Internet.

Configure port forwarding to allow traffic.

Allow inbound traffic from WAN to this machine.

Try to access the machine.

Sniff traffic on Fortinet.

Modify the Security group to allow RDP.

Load private key to decrypt Windows password.

Access RDP to Windows 2016 instance on AWS.

Now we can see the RDP traffic via Fortinet.

diagnose sniffer packet port1 "port 3389"

The Windows machine is able to access the Internet.

Implementing a customized Palo Alto lab

This is a topology that I have used in this lab.

+ Set up IPSEC site to site between both PAs.

+ Configure Switch support multiple VLANs.

+ Configure DHCP service to multiple VLANs.

+ Configure DNAT on PA2 (192.168.20.1) to NAT to Webserver on Kali (192.168.30.2), then change to configure DNAT on PA2 (192.168.20.1:8888) to NAT to Webserver on Kali (192.168.30.2:80).

+ Configure DNAT on PA2 to SSH server on 192.168.40.2:22, and change (192.168.20.1:2222) to NAT to SSH server on Kali (192.168.40.2:22).

+ Configure DNAT to allow traffic from the Internet to the local Web server (DNAT).

+ Configure SNAT to allow Trust on PA1 to access the Internet.

+ Ban access to PDF files, and block access to the tungle.ca domain (URL filtering).

+ Set up Global Protect on Windows and Kali machines. Then, we are able to access the local network on the Global Protect VPN connection.

+ Enable Zone Protection on e1/3 to prevent DoS on this zone.

+ Set up Captive Portal on Trust interface on PA1.

Configure the basic switch for support of multiple VLANs.

Configure PA1.

Configure DHCP.

Check that clients on the local network have received IP addresses from the DHCP pools for VLAN30, VLAN40, and VLAN50.

Webterm2 on PA2.

Configure tunnel 1 for IPSEC site to site from PA1 to PA2.

Configure tunnel 12 for Remote VPN via GlobalProtect.

Setup IPSEC tunnel on PA1.

Configure default route to route traffic to the Internet.

Configure another route to allow traffic from the local network on PA1 to access the local network on PA2.

Configure access rules to allow traffic from the local network on PA1 to access the local network on PA2 and the Internet.

Configure SNAT to allow traffic from the Trust zone to the Internet.

Set up the IKE tunnel on PA2.

Set up IPSEC tunnel on PA2.

Configure default route from Local network on PA1 to the local network on PA1 via IPSEC tunnel 1.

Create access rules to allow traffic from the local network on PA2 to the local network on PA1.

Test IPSEC site to site.

Access Apache website on VLAN 30 (service apache2 start).

The IPSEC tunnel is up.

Configure DNAT on PA2 to allow port 8888 to be translated to port 80 on the Apache Web server.

SSH 2222 to 22.

Create a Security Policy.

Access Apache2.

And SSH via 2222.

+ Set up GlobalProtect on PA1.

Enable User Authentication on Internet interface for GP.

Create a new user/password.

Set IP Pool for Global Protect VPN.

Create a new Security Rule to allow traffic from Global Protect to local networks.

Access the GlobalProtect VPN on the Windows machine.

Set up GlobalProtect on Kali. Search to download Global Protect VPN on Google.

Creating a VPN tunnel via GlobalProtect.

+ Block TungBlog on PA1.

+ Setup Captive Portal on PA1.

+ Ban PDF on PA1.

+ Configure DNAT on PA1.

+ Configure Zone Protection on PA1.

Scan ports using the Nmap tool to test the zone protection.

Scanned port traffic has been blocked by PA1.

+ NAT port 9999 to port 7777 on 10.10.10.1 (PA1), then NAT again from port 7777 to 192.168.30.2:80 on Web Server.

PA1:

Implementing OpenVPN server on Debian 10

Below is the lab topology used to implement the OpenVPN solution on Debian 10.

In this lab, clients on the Internet must be able to create secure OpenVPN connections to the OpenVPN server. The OpenVPN client must also be able to reach the network behind the VPN tunnel (LAMP subnet: 192.168.131.0/24) while still accessing the Internet. Moreover, split tunneling is used so that only traffic destined for the LAMP subnet is routed via the OpenVPN tunnel; all other traffic uses the public network adapter (Internet).

IP addresses of Debian OpenVPN server.

SSH in from LinuxMint to make it easy to copy and paste commands.

Upgrade the Debian machine.

apt-get update -y
apt-get upgrade -y

+ Enable IP Forwarding

Edit the file /etc/sysctl.conf and add the line below at the end of the file.

net.ipv4.ip_forward = 1

+ Enable proxy_arp so that the ARP entry appears on the OpenVPN server.

echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

+ Add the line below to /etc/sysctl.conf to make it permanent.

net.ipv4.conf.all.proxy_arp=1

Run the following command to make the changes work.

sysctl -p

+ Install OpenVPN server.

apt-get install openvpn -y

Copy the easy-rsa directory from /usr/share to /etc/openvpn for managing the SSL certificates.

cp -r /usr/share/easy-rsa /etc/openvpn/

+ Set up Certificate Authority (CA)

cd /etc/openvpn/easy-rsa
nano vars
#Add information below to the file.
set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "CANADA"
set_var EASYRSA_REQ_PROVINCE    "BC"
set_var EASYRSA_REQ_CITY        "Vancouver"
set_var EASYRSA_REQ_ORG         "BCIT Student"
set_var EASYRSA_REQ_EMAIL	"admin@newhorizon.ca"
set_var EASYRSA_REQ_OU          "BCIT Student"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE	7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT	"no"
set_var EASYRSA_NS_COMMENT	"BCIT Student CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"

Run the following command to initiate your own PKI.

./easyrsa init-pki

Build the CA certificates.

./easyrsa build-ca

+ Generate Server Certificate Files.

./easyrsa gen-req tung-server nopass

+ Sign the server's certificate request using the root CA.

./easyrsa sign-req server tung-server

Verify cert.

openssl verify -CAfile pki/ca.crt pki/issued/tung-server.crt 

+ Create a strong Diffie-Hellman key to use for the key exchange

./easyrsa gen-dh

After creating all certificate files, copy them to the /etc/openvpn/server/ directory.

cp pki/ca.crt /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
cp pki/private/tung-server.key /etc/openvpn/server/
cp pki/issued/tung-server.crt /etc/openvpn/server/

+ Generate Client Certificate and Key File

./easyrsa gen-req client nopass

Next, sign the client request using your CA.

./easyrsa sign-req client client

Next, copy the client certificate and key files to the /etc/openvpn/client/ directory.

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/

+ Configure OpenVPN Server

nano /etc/openvpn/server.conf
#---
root@debian10new:~# cat /etc/openvpn/server.conf 
port 1194
proto udp
# USE TCP
#port 4443
#proto tcp-server
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/tung-server.crt
key /etc/openvpn/server/tung-server.key
dh /etc/openvpn/server/dh.pem
# OpenVPN tunnel IP address range
server 172.16.1.0 255.255.255.0
# server 192.168.131.0 255.255.255.0
# route all traffic via OpenVPN
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
#disable compress lz4 because of error on OpenVPN client
#compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
root@debian10new:~# 
#---

+ Start OpenVPN service.

systemctl start openvpn@server
systemctl enable openvpn@server
systemctl status openvpn@server

Show OpenVPN tunnel.

ip a show tun0

+ Generate client configuration.

nano /etc/openvpn/client/client.ovpn
#---
client
dev tun
# USE UDP
proto udp
remote 10.0.0.52 1194

# USE TCP
#proto tcp-client
# Public IP address on OpenVPN is 10.0.0.52
#remote 10.0.0.52 4443
ca ca.crt
cert client.crt
key client.key
#remote-cert-tls server
cipher AES-256-CBC
# The lines below are important: they keep the client's Internet access working while the OpenVPN session is up.
# Split tunneling on OpenVPN
# https://forums.openvpn.net/viewtopic.php?t=8229
route-nopull
# the LAN subnet that you need to access via VPN tunnel
route 192.168.131.0 255.255.255.0 vpn_gateway
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
#compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
#---

+ Configure routing using UFW.

By default, the UFW firewall is not installed in Debian 10.

apt-get install ufw -y

Configure UFW to accept the forwarded packets.

nano /etc/default/ufw
# Change the following line:

DEFAULT_FORWARD_POLICY="ACCEPT"
nano /etc/ufw/before.rules

Note: replace ens3 with the name of your public network interface; on the Debian OpenVPN server in this lab it is ens35.

Allow the default OpenVPN port 1194 and OpenSSH. Then, reload the UFW firewall.

ufw allow 1194/udp
ufw allow OpenSSH
ufw disable
ufw enable

+ Connect OpenVPN from a client.

Install OpenVPN from the Kali machine.

apt-get install openvpn -y

On the client machine, run the command below to download all the client configuration files.

# public-vpn-server-ip: is 10.0.0.52
scp -r root@public-vpn-server-ip:/etc/openvpn/client .

Check OpenVPN tunnel.

On OpenVPN client.

ping 8.8.8.8 (Internet)

ping 192.168.131.134 (OpenVPN gw tunnel)

ping 192.168.131.128 (LAMP server behind OpenVPN server)

We can see split tunneling is working well on OpenVPN.

Access LAMP server.

On Debian OpenVPN server.

Check routing table on OpenVPN server.

Check OpenVPN logs on the OpenVPN server.

Monitor traffic on the OpenVPN server. OpenVPN traffic uses UDP port 1194 and is encrypted inside the tunnel.

Implementing open-source Wazuh SIEM

Wazuh is a free, open-source, and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response, and compliance.

Below is a topology to implement Wazuh solution.

Below are a couple of steps in this lab.

  • Install Wazuh on LinuxMint
  • Configure Agentless on LAMP server
  • Install Agent on WordPress

+ Install Wazuh on LinuxMint 20.

Follow the Wazuh link below to install it on LinuxMint 20.

https://documentation.wazuh.com/current/installation-guide/open-distro/distributed-deployment/step-by-step-installation/index.html

Login to Wazuh management interface.

+ Use the link below to configure agentless monitoring on Wazuh.

https://documentation.wazuh.com/current/user-manual/capabilities/agentless-monitoring/how-it-works.html

To set up that method of access, first you need to create SSH keys for the user ossec, which is the account the agentless scripts run as.

sudo -u ossec ssh-keygen

Copy the SSH public key to the Debian server that you want to monitor agentlessly.

Using the add option specifies a new device to be added to the manager. "NOPASS" may be entered as the password to use public-key authentication rather than a password.

Back in the Wazuh management interface, add the block below to the ossec.conf file to monitor the Linux server for any changes in the /bin, /etc and /sbin directories.

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>3600</frequency>
  <host>root@192.168.5.41</host>
  <state>periodic</state>
  <arguments>/bin /etc/ /sbin</arguments>
</agentless>

Create a new file under /etc/tung and a new user tung1. Security events are then generated on Wazuh from the Debian server.

/var/ossec/bin/wazuh-control restart

Wazuh Security Dashboard.

+ Install Wazuh agent on Debian server.

Follow the link below to install Wazuh agent.

https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-linux.html

# Add the Wazuh repository
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
# Add the repository:
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
# Update the package information:
apt-get update
# Deploy a Wazuh agent
WAZUH_MANAGER="192.168.5.34" apt-get install wazuh-agent
# Enable and start Wazuh
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent

Wazuh agent on Windows machine.