gistfile1.txt

Video: https://youtu.be/2OWtEymBQfA

1. Quick Assessment - Running Nessus and NMAP
-- Nessus primarily to see if it detects open KSQL (Spoiler: It doesn't)
-- NMAP to identify whatports are open

2. Seeing what is possible from an exposed KSQL/Kafka Port
-- Download and extract: https://github.com/Cyb3rWard0g/HELK/wiki/Deploy-KSQL-CLI-Locally
-- ./ksql http://172.16.10.10:8088
-- Run the commands:
---- show topics; # Get a listing of topics aka tables
---- print 'winlogbeat' from beginning; # Stream output from the winlogbeats topic

3. Locking down Ports: Many of these ports don't need to be accessed remotely
-- iptables -I DOCKER-USER -i ens33 -p tcp --dport <$ports> -j DROP
---- Nmap reports these ports as  filtered
-- ptables -I DOCKER-USER -i ens33 -p tcp --dport <$ports> -j REJECT --reject-with tcp-reset
---- Setting it to reject with TCP-RESET will have the ports behave as normal.

4. Setting up an Apache2 Reverse Proxy
-- apt install apache2
---- Apache Configuration:
	<IfModule mod_ssl.c>
			<VirtualHost _default_:443>
					ServerName helk

					SSLEngine on
					SSLProxyEngine On
					SSLProxyVerify none
					SSLProxyCheckPeerCN off
					SSLProxyCheckPeerName off
					SSLProxyCheckPeerExpire off
					SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
					SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

					ProxyRequests Off
					ProxyPreserveHost On
					ProxyPass / https://172.16.10.10/
					ProxyPassReverse / https://172.16.10.10/
			</VirtualHost>
	</IfModule>
-- use a2enmod to enable the modules: ssl, proxy, and proxy_http

6. Install ModSecurity
-- Enable base universe repository
-- apt install libapache2-mod-security2
-- Move the /etc/modsecurity/modsecurity.conf-recommended to /etc/modsecurity/modsecurity.conf
-- Add SecRuleEngine to the Apache Configuration to set modsecurity on
-- Access the RevProxy vis hostname and add application/x-ndjson to allowed content-types

7. Configure Apache to require client certificates (Mutual Authentication)
- Generate a CA.
-- openssl genrsa -aes256 -out ca.key 4096
-- openssl req -new -x509 -days 365 -key ca.key -out ca.crt
- Generate the Website Key
-- openssl req -newkey rsa:2048 -nodes -keyout helk.key -out helk.csr
-- openssl x509 -req -days 365 -in helk.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out helk.crt
- Generate My User Key
-- openssl req -newkey rsa:2048 -nodes -keyout ippsec.key -out ippsec.csr
-- openssl x509 -req -days 365 -in ippsec.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out ippsec.crt
-- openssl pkcs12 -export -out ippsec.pfx -inkey ippsec.key -in ippsec.crt

8. Apache Config
-- add: SSLCACertificateFile
-- SSLVerifyClient Require

9. Apache2's final configurations:
	<IfModule mod_ssl.c>
			<VirtualHost _default_:443>
					ServerName helk
					ErrorLog ${APACHE_LOG_DIR}/error.log
					CustomLog ${APACHE_LOG_DIR}/access.log combined
					SSLEngine on
					SSLProxyEngine on
					SSLProxyVerify none
					SSLProxyCheckPeerCN off
					SSLProxyCheckPeerName off
					SSLProxyCheckPeerExpire off
					SSLCertificateFile      /etc/ssl/certs/helk.crt
					SSLCertificateKeyFile /etc/ssl/private/helk.key
					SSLCACertificateFile /etc/ssl/certs/internal-ca.crt

					SecRuleEngine on

					ProxyRequests Off
					ProxyPreserveHost On
					ProxyPass / https://172.16.10.10/
					ProxyPassReverse / https://172.16.10.10/

					SSLVerifyClient Require
			</VirtualHost>
	</IfModule>

10. Lock down HELK
-- Use previous iptables rules to block 80/443
-- Allow the revproxy to talk to HELK: iptables -I DOCKER-USER -i ens33 -p tcp --dport 443 -s <RevProxy IP> -j ALLOW
-- Install iptables-persistent and run iptables-save to save the rules

11. Disable IPv6
-- Add the following lines to: /etc/sysctl.conf
---- net.ipv6.conf.all.disable_ipv6=1
---- net.ipv6.conf.default.disable_ipv6=1
-- Edit the lines in grup to add:
---- ipv6.disable=1 to "GRUB_CMDLINE_LINUX_DEFAULT" and "GRUB_CMDLINE_LINUX"
-- Save grub with update-grub

12. Reboot and test!