Skip to content

jevellangelo/cybersecurity-project1

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
Ansible
Ansible
 
 
Diagrams
Diagrams
 
 
Linux
Linux
 
 
README.md
README.md
 
 

Repository files navigation

Cybersecurity Bootcamp - ELK Stack Deployment

Automated ELK Stack Deployment

The files in this repository were used to configure the network depicted below.

Cloud Architecture

These files have been tested and used to generate a live ELK deployment on Azure. They can be used to either recreate the entire deployment pictured above. Alternatively, select portions of the playbook files located in the roles directory may be used to install only certain pieces of it, such as Filebeat.

This document contains the following details:

  • Description of the Topology
  • Access Policies
  • ELK Configuration
    • Beats in Use
    • Machines Being Monitored
  • How to Use the Ansible Build

Description of the Topology

The main purpose of this network is to expose a load-balanced and monitored instance of DVWA, the D*mn Vulnerable Web Application.

Load balancing ensures that the application will be highly available, in addition to restricting access to the network.

  • TODO: What aspect of security do load balancers protect? What is the advantage of a jump box?
    • Load balancers defends an organization against distributed denial-of-service (DDoS) attacks. A jumpbox on the other hand allows admins to connect to a secure machine before launching and administrative task. Jump boxes are also used as an origination point to connect to other servers or untrusted environments.

Integrating an ELK server allows users to easily monitor the vulnerable VMs for changes to the logs and system traffic.

  • TODO: What does Filebeat watch for?
    • Filebeat monitors the log files or locations that you specify, collects log events, and forwards them to the ELK server
  • TODO: What does Metricbeat record?
    • Metricbeat takes the metrics and statistics that it collects and shipes them to the ELK server

The configuration details of each machine may be found below. Note: Use the Markdown Table Generator to add/remove values from the table.

Name Function IP Address Operating System
Jump Box Gateway and Ansible Provisioner 10.0.0.4 Linux (Ubuntu 18.04 LTS)
Web-1 DVWA Web Server 10.0.0.5 Linux (Ubuntu 18.04 LTS)
Web-2 DVWA Web Server 10.0.0.6 Linux (Ubuntu 18.04 LTS)
ELK Server Aggregate Logs 10.1.0.4 Linux (Ubuntu 18.04 LTS)

Access Policies

The machines on the internal network are not exposed to the public Internet.

Only the Jump Box and ELK virtual machines can accept connections from the Internet. Access to this machine is only allowed from the following IP addresses:

  • TODO: Add whitelisted IP addresses
    • Home Public IP Address

Machines within the network can only be accessed by Ansible docker container in the Jump Box.

  • TODO: Which machine did you allow to access your ELK VM? What was its IP address?
    • The ELK VM can only be accessed via SSH from the Jump Box Ansible docker container and via HTTP through port 5601.

A summary of the access policies in place can be found in the table below.

Name Publicly Accessible Allow IP Addresses
Jump Box Yes via SSH Home Public IP address
Web-1 Yes via Load Balancer JumpBox IP and Load Balancer Public IP
Web-2 Yes via Load Balancer JumpBox IP and Load Balancer Public IP
ELK Server No JumpBox IP

Elk Configuration

Ansible was used to automate configuration of the ELK machine. No configuration was performed manually, which is advantageous because...

  • TODO: What is the main advantage of automating configuration with Ansible?
    • The main advantage of Ansible is that it does not require an agent.

The playbook implements the following tasks:

  • TODO: In 3-5 bullets, explain the steps of the ELK installation play. E.g., install Docker; download image; etc.
    • Create new Virtual Network
    • Create new ELK VM
    • Download and configure the container
    • Launch and expose the container through published ports
    • Create firewall rules in NSG to allow traffic over port 5601

The following screenshot displays the result of running docker ps after successfully configuring the ELK instance.

ELK Docker PS

Target Machines & Beats

This ELK server is configured to monitor the following machines:

  • TODO: List the IP addresses of the machines you are monitoring
    • Web-1 10.0.0.5
    • Web-2 10.0.0.6

We have installed the following Beats on these machines:

  • TODO: Specify which Beats you successfully installed
    • Filebeat
    • Metricbeat

These Beats allow us to collect the following information from each machine:

  • TODO: In 1-2 sentences, explain what kind of data each beat collects, and provide 1 example of what you expect to see. E.g., Winlogbeat collects Windows logs, which we use to track user logon events, etc.
    • Filebeat monitors the log files or locations that you specify, collects log events, and forwards them to the ELK server. Metricbeat takes the metrics and statistics that it collects and shipes them to the ELK server

Using the Playbook

In order to use the playbook, you will need to have an Ansible control node already configured. Assuming you have such a control node provisioned:

SSH into the control node and follow the steps below:

  • Copy the Filebeat configuration file from your Ansible container to your WebVM's where you just installed Filebeat
  • Update the hosts file to include the IP address of the target ELK server.
  • Run the playbook, and navigate to http://[ELK-IP-Address]:5601 to check that the installation worked as expected.

TODO: Answer the following questions to fill in the blanks:

  • Which file is the playbook? Where do you copy it?

  • Which file do you update to make Ansible run the playbook on a specific machine? How do I specify which machine to install the ELK server on versus which to install Filebeat on?

    • /etc/ansible/hosts
    • Specify on the playbook which group of servers in the hosts file that the playbook will run on

  • _Which URL do you navigate to in order to check that the ELK server is running?

    • http://[ELK-Public-IP-Address]:5601

  • As a Bonus, provide the specific commands the user will need to run to download the playbook, update the files, etc.

    • ssh -i ~/.ssh/id_rsa azdmin@[JumpBoxPublicIP]
    • sudo docker container ls -a
    • sudo docker start [container name]
    • sudo docker attach [container name]
    • cd /etc/ansible
    • ansible-playbook install-elk.yaml
    • cd /etc/ansible/roles
    • ansible-playbook filebeat-playbook.yml
    • ansible-playbook metricbeat-playbook.yml

About

GitHub Fundamentals and Project 13 Submission

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages