in NDD430

Objective
To run a small-scale network using Linux as the router and Windows Server as the DHCP & DNS server, which will serve DHCP & DNS requests across the network using the router as a medium to serve clients. Also, installing services such as a web server (IIS & Apache) on two different servers, each serving on a custom port.
Prerequisite: Completion of Check point 1

Step 1 – Setting Up SSH

Usually SSH comes pre-installed on Debian. In case SSH is not installed:

  1. Log in as root
    [root@router ~]$ su -
  2. Update the package list and upgrade the server if not done in the previous check point:
    [root@router ~]$ apt-get update -y && apt-get upgrade -y
  3. Install the openssh-server package:
    root@router:~# apt-get install openssh-server
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Suggested packages:
      ssh-askpass rssh molly-guard ufw monkeysphere
    The following NEW packages will be installed:
      openssh-server
    0 upgraded, 1 newly installed, 0 to remove and 32 not upgraded.
    Need to get 331 kB of archives.
    After this operation, 973 kB of additional disk space will be used.
    Get:1 http://deb.debian.org/debian/ oldstable/main openssh-server amd64 1:6.7p1-5+deb8u4 [331 kB]
    Fetched 331 kB in 0s (1,446 kB/s)  
    Preconfiguring packages ...
    Selecting previously unselected package openssh-server.
    (Reading database ... 171919 files and directories currently installed.)
    Preparing to unpack .../openssh-server_1%3a6.7p1-5+deb8u4_amd64.deb ...
    Unpacking openssh-server (1:6.7p1-5+deb8u4) ...
    Processing triggers for systemd (215-17+deb8u7) ...
    Processing triggers for man-db (2.7.0.2-5) ...
    Setting up openssh-server (1:6.7p1-5+deb8u4) ...
    
  4. Change port to 2323/4242 for Router & Linux Server respectively:
    root@router:~# nano /etc/ssh/sshd_config
    
    # Package generated configuration file
    # See the sshd_config(5) manpage for details
    
    # What ports, IPs and protocols we listen for
    Port 2323
    
    
    ...
    
  5. Enable and Start openssh:
    root@router:~# systemctl start ssh
    root@router:~# systemctl enable ssh
    Synchronizing state for ssh.service with sysvinit using update-rc.d...
    Executing /usr/sbin/update-rc.d ssh defaults
    Executing /usr/sbin/update-rc.d ssh enable
    

Step 2 – Installing & Setting up FTP

In this step we will be using Filezilla Server as an FTP Server.

  1. Go to FileZilla-Project and Download FileZilla Server
  2. Install it; Click Next through all screens and leave everything as default.

 


 

Configuring FileZilla Server and Adding Users

  1. Launch FileZilla Server
  2. Click Edit > Settings
  3. Click Passive Mode Settings
  4. Tick the Custom Port Range and fill both boxes with 20 as port
  5. Click Ok
  6. Click Edit > Users
  7. In the Right Pane under Users Click Add
  8. In the popup Enter the Username and click OK
  9. Highlight the Created user and Check the Box Password in the Middle pane
  10. Type in the user password and Click Ok
  11. In the Shared Folders Page Click Add in The Middle Pane
  12. Browse To previously created Folder or Create a new Folder and Click Ok
  13. Click Set as home dir and Click Ok


Step 3 – Installing & Setting up MySQL

Before installing MySQL we need to install .Net Framework 4.5.2 to run the MySQL installer.

  1. Download the .NET Framework 4.5.2 from Microsoft
  2. Run it and Wait for it to Extract Files
  3. Agree to terms and Install.
  4. When Installed Restart the VM


Now we also need to Uninstall and Install a couple more things to install the Actual MySQL server.

  1. Uninstall Visual C++ 2015 and Restart
  2. Update Windows Server using the Update tool From Microsoft.  Download tool; Run it and Restart.
  3. Download and Install Visual C++ 2015 and restart

Installing MySQL Community installer

  1. Go to MySQL to download the MySQL Community installer
  2. Install and Open the MySQL installer
  3. Agree to terms and Click Next
  4. Leave Setup Type as Developer Default and Click Next
  5. Keep clicking Next
  6. On the Requirements Page, if you see a requirement for something other than Connector For Python, make sure you have followed the previous steps
  7. Click next and Click yes for the pop up stating requirements have not been satisfied
  8. On installation page Click Execute, wait for it to install and then Next
  9. Keep clicking Next until Accounts and Roles
  10. Enter MySQL root password and Click Next
  11. Click Next and then Execute
  12. Wait for the installer to apply configuration and Click Next
  13. Enter root password and click Next
  14. Click Execute and then Next
  15. Click Finish


Creating Database and users in MySQL

  1. Launch MySQL Workbench
  2. Click on Local Instance MySQL Router to login
  3. In the left pane under Schema Right Click and Create Schema
  4. Enter Schema name and click Apply
  5. In the pop up window click Apply and then Finish
  6. In the left pane under Schema Double Click the newly created schema
  7. Right Click Tables and Create new tables as desired
  8. In top Menu click Server > Users and Privileges
  9. Click Add Account at the bottom of User Accounts Pane
  10. In the right pane type in new username and password and click Apply
  11. Click the tab Schema Privileges to assign privileges
  12. Click Add Entry and choose Database/Schema you want the user to gain privileges for and click ok
  13. In Object Rights Choose what privileges you want to give the user. Check SELECT for read only privilege.
  14. Click Apply

Step 4 – Installing & Setting up hMail

For our mail server, hMail will be used to deliver mail. But before installing it, we need to install .NET Framework 3.5 to run the hMail server.

  1. Open up server manager
  2. Click Manage > Add Roles and Features
  3. In the pop up window click Next until Features Page
  4. Check the box against .Net Framework 3.5 Features
  5. Click Next
  6. At the bottom click Specify an alternate source path
  7. Enter C:/Sources/SxS/ and click OK
  8. Click Install


hMail Server Installation:

  1. Go to hMail Server and download
  2. Run the installer
  3. Agree to terms
  4. Leave Everything as Default
  5. Enter Password for hMail admin
  6. Install

Configure hMail:

  1. Start hMailServer Administrator.
  2. Click Connect
  3. Enter password and Click OK
  4. Click Add Domain
  5. Enter the name of your domain and click Save.
  6. Click Add account > add a new email account.
  7. Go to Settings > Protocols > SMTP and choose the Delivery of email tab.
  8. In the Host name setting, enter winsrv.domain.com

Adding Users:

  1. Click Domains in the right pane
  2. Click your domain
  3. Click Accounts > Add
  4. In the address field type in username
  5. Enter password
  6. Click OK


 

Using the previous checkpoint add an MX Record for winsrv.domain.com for mail server to receive and send mail.

 

Step 5 – Securing the Router with Iptables

The following script secures the router so that only our network can send traffic through it.

#!/bin/bash
#Flush iptables
iptables -F

#Set the policy to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#Create the appropriate logging Chains
iptables -N INPUT-ACCEPT
iptables -N INPUT-DROP
iptables -N OUTPUT-ACCEPT
iptables -N OUTPUT-DROP
iptables -N FORWARD-ACCEPT
iptables -N FORWARD-DROP

#Rules for INPUT-ACCEPT chain
iptables -A INPUT-ACCEPT -j LOG --log-prefix "INPUT-ACCEPTED"
iptables -A INPUT-ACCEPT -j ACCEPT

#Rules for INPUT-DROP chain
iptables -A INPUT-DROP -j LOG --log-prefix "INPUT-DROPPED"
iptables -A INPUT-DROP -j DROP

#Rules for OUTPUT-ACCEPT chain
iptables -A OUTPUT-ACCEPT -j LOG --log-prefix "OUTPUT-ACCEPTED"
iptables -A OUTPUT-ACCEPT -j ACCEPT

#Rules for OUTPUT-DROP chain
iptables -A OUTPUT-DROP -j LOG --log-prefix "OUTPUT-DROPPED"
iptables -A OUTPUT-DROP -j DROP

#Rules for FORWARD-ACCEPT chain
iptables -A FORWARD-ACCEPT -j LOG --log-prefix "FORWARD-ACCEPTED"
iptables -A FORWARD-ACCEPT -j ACCEPT

#Rules for FORWARD-DROP chain
iptables -A FORWARD-DROP -j LOG --log-prefix "FORWARD-DROPPED"
iptables -A FORWARD-DROP -j DROP

#SSH/SCP to Router
iptables -A INPUT -p tcp -s 195.165.8.0/26 --dport 2323 -m state --state NEW,ESTABLISHED,RELATED -j INPUT-ACCEPT
iptables -A OUTPUT -p tcp -d 195.165.8.0/26 --sport 2323 -m state --state ESTABLISHED,RELATED -j OUTPUT-ACCEPT

#SSH/SCP to Server
iptables -A FORWARD -p tcp -s 195.165.8.0/26 --dport 4242 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p tcp -d 195.165.8.0/26 --sport 4242 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT

#IIS 
iptables -A FORWARD -p tcp -s 195.165.8.0/26 --dport 9393 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p tcp -d 195.165.8.0/26 --sport 9393 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT

#Apache 
iptables -A FORWARD -p tcp -s 195.165.8.0/26 --dport 8383 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p tcp -d 195.165.8.0/26 --sport 8383 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT

#MySQL 
iptables -A FORWARD -p tcp -s 195.165.8.0/26 --dport 3306 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p tcp -d 195.165.8.0/26 --sport 3306 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT

#HMAIL IMAP
iptables -A FORWARD -p tcp -s 195.165.8.0/26 --dport 143 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p tcp -d 195.165.8.0/26 --sport 143 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT

#HMAIL SMTP 
iptables -A FORWARD -p tcp -s 195.165.8.0/26 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p tcp -d 195.165.8.0/26 --sport 25 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT

#DNS
iptables -A FORWARD -p tcp -s 195.165.8.0/26 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p tcp -d 195.165.8.0/26 --sport 53 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p udp -s 195.165.8.0/26 --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p udp -d 195.165.8.0/26 --sport 53 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT
 
#DHCP
iptables -A INPUT -p udp --dport 67:68 -m state --state NEW,ESTABLISHED,RELATED -j INPUT-ACCEPT
iptables -A OUTPUT -p udp --sport 67:68 -m state --state NEW,ESTABLISHED,RELATED -j OUTPUT-ACCEPT
iptables -A FORWARD -p udp --dport 67:68 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p udp --sport 67:68 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT

#FTP UNENCRYPTED
iptables -A FORWARD -p tcp -s 195.165.8.0/26 --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p tcp -d 195.165.8.0/26 --sport 21 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p tcp -s 195.165.8.0/26 --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p tcp -d 195.165.8.0/26 --sport 20 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT 
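
A firewall script like the one above is worth linting before it is loaded, because with all three policies set to DROP a rule that fails to parse silently leaves its service blocked. The following is an added example, not part of the original post: it reads `iptables -A` lines and flags an option fused to its value (such as `--stateNEW`) and any accept rule that admits NEW connections without a `-s`/`-d` restriction. The names `audit_rules` and `sample_rules` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint iptables commands before loading them on the router.
# audit_rules, sample_rules and the sample input are constructed for illustration.

# Reads "iptables -A ..." lines on stdin and prints one finding per line:
#   FUSED <n>  an option ran into its value (e.g. "--stateNEW,..."), so the
#              rule will not load as written
#   OPEN <n>   the rule accepts NEW connections with no -s/-d restriction
audit_rules() {
    awk '
    $1 == "iptables" && $2 == "-A" {
        fused = 0; has_net = 0; has_new = 0; accept = 0
        for (i = 3; i <= NF; i++) {
            # "--state" must be its own word; anything longer is fused
            if (index($i, "--state") == 1 && $i != "--state") fused = 1
            if ($i == "-s" || $i == "-d") has_net = 1
            # wrap in commas so NEW matches only as a whole list item
            if ($i == "--state" && index("," $(i + 1) ",", ",NEW,")) has_new = 1
            if ($i == "-j" && $(i + 1) ~ /ACCEPT$/) accept = 1
        }
        if (fused) { print "FUSED " NR; next }
        if (accept && has_new && !has_net) print "OPEN " NR
    }'
}

# Constructed sample: one restricted rule, one unrestricted rule,
# one rule with a fused option, one reply-only rule.
sample_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp -s 195.165.8.0/26 --dport 2323 -m state --state NEW,ESTABLISHED,RELATED -j INPUT-ACCEPT
iptables -A INPUT -p udp --dport 67:68 -m state --state NEW,ESTABLISHED,RELATED -j INPUT-ACCEPT
iptables -A FORWARD -p udp --dport 67:68 -m state --stateNEW,ESTABLISHED,RELATED -j FORWARD-ACCEPT
iptables -A FORWARD -p udp --sport 67:68 -m state --state ESTABLISHED,RELATED -j FORWARD-ACCEPT
EOF
}

sample_rules | audit_rules
```

An OPEN finding is a prompt to review, not necessarily an error: DHCP discovery comes from clients that have no address yet, so those rules cannot be limited to the /26 by source address.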
