@IppSec
Created April 14, 2019 14:01
Video: https://youtu.be/2OWtEymBQfA
1. Quick Assessment - Running Nessus and NMAP
-- Nessus primarily to see if it detects open KSQL (Spoiler: It doesn't)
-- NMAP to identify what ports are open
2. Seeing what is possible from an exposed KSQL/Kafka Port
-- Download and extract: https://github.com/Cyb3rWard0g/HELK/wiki/Deploy-KSQL-CLI-Locally
-- ./ksql http://172.16.10.10:8088
-- Run the commands:
---- show topics; # Get a listing of topics aka tables
---- print 'winlogbeat' from beginning; # Stream output from the winlogbeat topic
3. Locking down Ports: Many of these ports don't need to be accessed remotely
-- iptables -I DOCKER-USER -i ens33 -p tcp --dport <$ports> -j DROP
---- Nmap reports these ports as filtered
-- iptables -I DOCKER-USER -i ens33 -p tcp --dport <$ports> -j REJECT --reject-with tcp-reset
---- Setting it to reject with TCP-RESET will have the ports behave as normal.
4. Setting up an Apache2 Reverse Proxy
-- apt install apache2
---- Apache Configuration:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName helk
SSLEngine on
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://172.16.10.10/
ProxyPassReverse / https://172.16.10.10/
</VirtualHost>
</IfModule>
-- use a2enmod to enable the modules: ssl, proxy, and proxy_http
6. Install ModSecurity
-- Enable base universe repository
-- apt install libapache2-mod-security2
-- Move the /etc/modsecurity/modsecurity.conf-recommended to /etc/modsecurity/modsecurity.conf
-- Add SecRuleEngine to the Apache Configuration to set modsecurity on
-- Access the RevProxy via hostname and add application/x-ndjson to allowed content-types
7. Configure Apache to require client certificates (Mutual Authentication)
- Generate a CA.
-- openssl genrsa -aes256 -out ca.key 4096
-- openssl req -new -x509 -days 365 -key ca.key -out ca.crt
- Generate the Website Key
-- openssl req -newkey rsa:2048 -nodes -keyout helk.key -out helk.csr
-- openssl x509 -req -days 365 -in helk.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out helk.crt
- Generate My User Key
-- openssl req -newkey rsa:2048 -nodes -keyout ippsec.key -out ippsec.csr
-- openssl x509 -req -days 365 -in ippsec.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out ippsec.crt
-- openssl pkcs12 -export -out ippsec.pfx -inkey ippsec.key -in ippsec.crt
8. Apache Config
-- add: SSLCACertificateFile
-- SSLVerifyClient Require
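An added shell example, not part of the gist, that runs the step-7 openssl commands non-interactively (same serials and file names; the `-subj` values, the CA passphrase supplied through `CA_PASS`, and a subjectAltName on the helk cert are my additions, since browsers no longer match on CN) and then shows what step 8's `SSLVerifyClient Require` actually enforces: a client certificate only passes if it chains to the CA in `SSLCACertificateFile`, so a rogue self-signed certificate with the very same CN is rejected.

```shell
#!/bin/sh
# Added example (not from the gist): the step-7 PKI built non-interactively, plus
# the check that SSLVerifyClient Require enforces at the proxy.
set -eu
CA_PASS="${CA_PASS:-changeme}"   # constructed placeholder passphrase for ca.key

# Sign "$2.csr" in dir "$1" with the CA there; "$3" = serial, "$4" = optional SAN.
issue_cert() {
    dir=$1; name=$2; serial=$3; san=${4:-}
    printf 'basicConstraints=CA:FALSE\n' > "$dir/$name.ext"
    if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san" >> "$dir/$name.ext"; fi
    openssl x509 -req -days 365 -in "$dir/$name.csr" -set_serial "$serial" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Create the CA, the server (helk) and the client (ippsec) material in "$1".
make_mtls_pki() {
    dir=$1; mkdir -p "$dir"
    # CA key stays passphrase-protected as in the gist; the pass is just supplied
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=HELK Internal CA" -out "$dir/ca.crt"
    # Server cert (serial 01); the SAN must match ServerName, CN alone is ignored
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/helk.key" \
        -subj "/CN=helk" -out "$dir/helk.csr" 2>/dev/null
    issue_cert "$dir" helk 01 "DNS:helk"
    # Client cert (serial 02), bundled as PKCS#12 for browser import
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/ippsec.key" \
        -subj "/CN=ippsec" -out "$dir/ippsec.csr" 2>/dev/null
    issue_cert "$dir" ippsec 02
    openssl pkcs12 -export -out "$dir/ippsec.pfx" -inkey "$dir/ippsec.key" \
        -in "$dir/ippsec.crt" -passout "pass:$CA_PASS"
}

# A self-signed cert with the same CN but not issued by our CA: must be rejected.
make_rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ippsec" \
        -keyout "$1/rogue.key" -out "$1/rogue.crt" 2>/dev/null
}

# 0 if cert "$2" chains to CA "$1", else 1: what Apache checks on the client
# certificate during the handshake once SSLVerifyClient Require is set.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

if [ -n "${1:-}" ]; then make_mtls_pki "$1"; fi   # usage: ./mtls.sh /tmp/pki
```

Copy `helk.crt`/`helk.key` and `ca.crt` to the paths used in the step-9 config, and import `ippsec.pfx` into the browser; the rogue certificate is only there to confirm the proxy refuses anything not signed by the internal CA.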
9. Apache2's final configurations:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName helk
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/ssl/certs/helk.crt
SSLCertificateKeyFile /etc/ssl/private/helk.key
SSLCACertificateFile /etc/ssl/certs/internal-ca.crt
SecRuleEngine on
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://172.16.10.10/
ProxyPassReverse / https://172.16.10.10/
SSLVerifyClient Require
</VirtualHost>
</IfModule>
10. Lock down HELK
-- Use previous iptables rules to block 80/443
-- Allow the revproxy to talk to HELK: iptables -I DOCKER-USER -i ens33 -p tcp --dport 443 -s <RevProxy IP> -j ACCEPT
-- Install iptables-persistent and run iptables-save to save the rules
11. Disable IPv6
-- Add the following lines to: /etc/sysctl.conf
---- net.ipv6.conf.all.disable_ipv6=1
---- net.ipv6.conf.default.disable_ipv6=1
-- Edit the lines in grub to add:
---- ipv6.disable=1 to "GRUB_CMDLINE_LINUX_DEFAULT" and "GRUB_CMDLINE_LINUX"
-- Save grub with update-grub
12. Reboot and test!