Router and VPN Security | TryHackMe Network Device Hardening

We covered OpenVPN security by configuring strong encryption cyphers, setting secure hashing for authentication and implementing Perfect Forward Secrecy. On the other end, we configured basic security settings for routers such as logging, firewall and traffic rules, port forwarding, SSH and changing default credentials. This was part of TryHackMe security engineer track, network device hardening.

Get COMPTIA Security+ Exam Notes

Room Answers

Video Transcript

The first one is about  hardening virtual private networks securing VPNs. And other task is network device hardening. We actually talk about hardening routers.
You know guys vpns Have both client side and server side. And most of you got mainly use VPN to just securing your access to the internet and connection to censored websites and other material that you may not be able to access using your you know, ISP settings, but more importantly VPNs of used to protect the privacy and security of the person who is using it. We all trust the VPN we’re using to some degree but there is more important aspect than the VPN itself, which is the VPN server. I mean the this the config it’s the favorite or the back side right there where the configuration lies. So that’s what we were talking about here.

Securing the configurations on the server side not on the client side. so the example is all over VPN server.Openvpn Server configurations are stored under /etc/openvpn.
We highlight the file server.conf and look at Key directives here.
in this file The first key directive is the cipher So using the server directive we decide or we configure the encryption algorithm. It’s very important to choose a very secure Cipher.
A secure Cipher is or an example of a secret server is aes256 CBC as , you know, it’s encryption algorithm and two five six indicates the length of the key or the length of the encryption key.

Now you may configure the encryption algorithm using this directive. You may also change the encryption algorithm altogether. It’s recommended to use always AES. That’s the first thing.
Here other thing is a directive auth so it controls the hashing algorithm used during the authentication process. So when a client or when you connect to a VPN server, you are actually authenticating using your account credentials during the process. There is a hashing process occurs. So You want to use strong caching algorithm? SHA512 is a good choice.

Another directive is tls-crypt  that enables the perfect forward secrecy PFS perfect forward secrecy where the session keys are randomized. So for every session or for every session right when you connect to the VPN server, there is a session key created right. Now this session key can either be randomized or be the same all the time. You want the session key to be randomized because if an attacker was even throbbing on the communication between you and the VPN server. If they are able to get hold of one key, they will be able to decrypt all of the packets.
So if session key is randomized you minimize a chances of this happening. Additionally here. We see other things such as the port configured for the VPN server the local IP address the protocol.

Now we head to network device security and specifically we will talk about router security using OpenWRT firmware

Okay. Now the first thing to do is to configure the general settings we go to system click on system. And here we load up the general configuration just as a Time the hostname The Zone the logging all of these configurations are important to be set up correctly because in the case of an incident or a Cyber attack you want the time to be correctly aligned with your time zone.
So here that I set as is we’re going to change these settings because they don’t belong to us. It also sync this with an entity server.

Login you want to log all of the packets? If you don’t have enough space you can forward the logs to a central logging server. Okay, a different machine where it hosts a program called syslog or program that uses this log to forward logs and you can store them there. Otherwise, you can sew them locally by specifying the director here and leave the basic level of logging to debug.

Alright, the next thing is to change the default credentials. You don’t want to leave your is only my password as admin admin or admin password. You want to change them here?
Additionally if you want to manage the router you want to look at access to the router and change configurations. You want to do that over a secure Channel. So we can either do that over https.
Okay, or preferably we do that over SSH because it allows you to to perform a granular maintenance.

To have granular control of over the router. He was specified the board and interface over which we’re going to specific we can access the router and we’re gonna save and apply also here if you have SSH keys. You generate a key in your comment line here ssh-keygen.

Next we go to Software.  We take a look at the packages and installed in the router we can update and install package from here.
I don’t know if it exists on other firmware’s but generally it might be there so startup and startup. We take a look at the scripts that are configured.
At the start of the when the router boots up. So basically here make sure the list here is the native list that comes predefined with the firmware because if an attacker was able to get access to the router, okay, they will install a script for persistence. So make sure you order these from time to time.

We can control the traffic flow in and out of the network through the firewall section.
Generally in a local network where there are no servers configured to be accessed from the Internet. It’s recommended disable the direction of the traffic that’s coming from the internet. For example. We have this direction land to one is allowed because you want the endpoints to access the internet. So allow the direction for land to one.
And this is bi-directional meaning when you send a request a website. The response from the upside will be accepted by this rule. So you don’t need to configure one to one now one-to-one is by default rejected wine to land. Sorry. It’s rejected by default and regular networks when when where they are. No servers hosted.
If you have a web server a public server. Such as maybe a game server. Okay, you want to configure this to allow one to learn? Okay so you can edit.
one and here input can accept and allowed as you can see one allow for the destination allow forward from source.

Port forwarding  So again, if you don’t have a public server running in your network, there is no need to configure when to land. Additionally. There is no need to configure port forwarding. But again, if you have a public server such as a game server in addition to allowing one to learn you want to configure port forwarding an example. Is this rule the THM_Port click on edit as you can see here. Let’s say there is a game server running on Port 902. on one of your machines and the game server uses 9001 port to receive traffic from the main server. So you want to configure a rule here port forward rule so that all traffic coming from the one or the internet on Port 9001 to be accepted or forwarded as you can see to the local network to a device on Port 9002.
If you have only one specific device or we want to accept traffic only to one specific device you change or specify its IP address.
Okay, traffic rules in traffic rules. We control the flow of the traffic like in details such as controlling the protocol and the ports allowed. Let’s take an example. So we have this rule name allow pink and it is are the configurations and the action is to accept. And it’s enabled let’s take a look at it. The name is allow ping. The protocol is ICMP. And that’s the direction as you can see we are accepting ICMP.

Video Walkthrough