Mandiant Interview Challenge
============================
[Website](http://mandiant.alancf.cc/)
[Slide](https://docs.google.com/presentation/d/1B08yv_hLtwZ7pX1ByX_tRSUiqRfzxIqFUgbKtL09ECc/)
High level overview
-------------------
The end goal is to host two web servers on a single machine instance, capturing any network
configuration issues along the way and proving that traffic is routed independently across
both interfaces. You will be creating a virtual machine from the Ubuntu 18.04-LTS offering in
Microsoft Azure's Marketplace with two dedicated network interfaces, each with its own external
IP and each hosting a unique (not shared) web server serving unique content.
Background
----------
Linux presents unique routing challenges when multiple interfaces on the same subnet are each
associated with an external IP, affecting how requests are made in and out of the system. The goal of
this project is to demonstrate an understanding of these issues and how to work around them inside
the Azure environment.
Specifics
---------
Launch a Microsoft Azure virtual machine with multiple "physical" network interfaces and associated
public external IPs. When setting up the instance, the internal interfaces should reside in the same
virtual network on the same class-C (/24) subnet, using the same gateway address. External IPs shall
not be load-balanced and must be protected by network security groups for access control (we can provide
you with the public IP addresses to add to the ACL during the presentation so that we can check it on completion).
You may choose any web server to host unique directories with unique content; keep it as simple as
possible, and feel free to make use of simple setups like Python's SimpleHTTPServer. To any outside user,
these two servers should appear as distinct hosts on the internet.
To demonstrate execution of these services and their communication, tcpdump will be run on the
Microsoft Azure host to show a simple GET request and the resulting traffic flow. Show where the request
was made and the routing information at both the MAC and IP level, tracing back to each interface.
Output/Presentation
-------------------
For the presentation, looking for:
* Simple live demo
* Challenges faced during setup and verification
* Any design decisions or trade off made in the process
* How an implementation could be improved or scaled for production use
* Only a few slides are expected; you can talk to them, and any visualization that helps demonstrate the goal
  and the work in the project is welcome.

Be prepared to answer questions related to the learning process and testing methodologies used in
construction of the project, how any solutions were identified and how these solutions were implemented
to achieve the desired outcomes defined above. The audience should be considered reasonably technical
but possibly new to Microsoft Azure and to running multiple services on a single instance.
Parameters and limitations
--------------------------
* The Microsoft Azure virtual machine/size should be free service eligible
* The Microsoft Azure image used should be Ubuntu 18.04-LTS from Azure marketplace
* Limit access to the environment via properly implemented network security groups
* No purchased software should be used in the construction of this system
* No authentication or session management is necessary for this application as security group restrictions are sufficient
* A user interface OR API is sufficient for accessing the application
* Raw command output is sufficient for this project as no UI programming is expected
Create VM on Azure portal
-------------------------
# Create Resource Group
# Create Virtual Network (one /24 subnet shared by both NICs)
# Create Network Security Group
# Create Network Security Rules (allow SSH and HTTP only from the reviewers' addresses)
# Create 2 Public IPs (not load-balanced, one per NIC)
# Create 2 NICs (both in the same subnet, NSG attached to each)
# Create VM (a size that supports two NICs)
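The portal steps above as an Azure CLI script, added here as an example and not part of the original write-up. The resource names, the region, the 10.0.0.0/24 addressing and the placeholder reviewer address in ALLOWED_SRC are assumptions; with DRY_RUN=1 the script prints the az commands instead of running them, so it can be reviewed without an Azure account:

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the portal steps (not from the original write-up).
# Resource names, region, addressing and ALLOWED_SRC are assumptions; replace them with your own.
set -eu

RG=${RG:-mandiant-rg}
LOC=${LOC:-eastus}
VNET=mandiant-vnet
SUBNET=web-subnet
NSG=mandiant-nsg
VM=mandiant-vm
ADMIN=azureuser
# Source addresses admitted by the NSG: a constructed TEST-NET-3 placeholder,
# swap in the reviewers' public IPs before the demo
ALLOWED_SRC=${ALLOWED_SRC:-203.0.113.10/32}

# Run az, or only print the command when DRY_RUN=1
az_run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Resource group, one /24 subnet inside a /16 vnet, and an NSG that only admits ALLOWED_SRC
create_network() {
  az_run group create --name "$RG" --location "$LOC" --output none
  az_run network vnet create --resource-group "$RG" --name "$VNET" \
    --address-prefix 10.0.0.0/16 --subnet-name "$SUBNET" --subnet-prefix 10.0.0.0/24 --output none
  az_run network nsg create --resource-group "$RG" --name "$NSG" --output none
  # Standard-SKU public IPs deny all inbound traffic until an NSG rule allows it
  az_run network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name allow-ssh \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$ALLOWED_SRC" --destination-port-ranges 22 --output none
  az_run network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name allow-http \
    --priority 110 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$ALLOWED_SRC" --destination-port-ranges 80 --output none
}

# One static public IP and one NIC (NSG attached) per interface: $1 = index, $2 = private IP
create_nic() {
  az_run network public-ip create --resource-group "$RG" --name "pip$1" \
    --sku Standard --allocation-method Static --output none
  az_run network nic create --resource-group "$RG" --name "nic$1" \
    --vnet-name "$VNET" --subnet "$SUBNET" --network-security-group "$NSG" \
    --public-ip-address "pip$1" --private-ip-address "$2" --output none
}

# Standard_B1s is free-tier eligible and supports two NICs; nic1 becomes the primary interface (eth0)
create_vm() {
  az_run vm create --resource-group "$RG" --name "$VM" \
    --image Canonical:UbuntuServer:18.04-LTS:latest --size Standard_B1s \
    --nics nic1 nic2 --admin-username "$ADMIN" --generate-ssh-keys
}

main() {
  create_network
  create_nic 1 10.0.0.4
  create_nic 2 10.0.0.5
  create_vm
}

# Only deploy when invoked as "sh create-vm.sh deploy"; otherwise the functions are just defined
if [ "${1:-}" = deploy ]; then
  main
fi
```

Both NICs carry the same NSG, so a rule change for the reviewers' addresses applies to both public IPs at once; the public IPs are created without a load balancer, as the challenge requires.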
Log in to VM
------------
chmod 400 VM1.pem
ssh -i VM1.pem azureuser@20.239.168.223
ssh -i VM1.pem azureuser@104.208.79.117 (unreachable at the moment)
System update
-------------
sudo apt update
sudo apt upgrade -y
Change ARP setting
------------------
# Change the ARP settings, since I thought I had met this issue in the past (Linux weak host model)
# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/Documentation/networking/ip-sysctl.txt?h=v4.9#n1130
# (a plain "sudo echo ... >> /etc/sysctl.conf" fails: the redirection is performed by the unprivileged shell, so use tee)
echo "net.ipv4.conf.all.arp_ignore=1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.arp_announce=2" | sudo tee -a /etc/sysctl.conf
sudo sysctl --system
cat /proc/sys/net/ipv4/conf/all/arp_ignore
# 1
cat /proc/sys/net/ipv4/conf/all/arp_announce
# 2
# Not working
# Check the ARP table on another VM in the same subnet
ip neigh show
# Every entry has the same MAC address, 12:34:56:78:9a:bc: the Azure host answers ARP on behalf of all addresses in the subnet
# Changing the ARP settings is therefore meaningless (rolled back); Azure already takes care of this
Change rp_filter
----------------
# Check packets using ping and tcpdump (one capture per interface, each in its own terminal)
sudo tcpdump -i eth0 -nn icmp -e
sudo tcpdump -i eth1 -nn icmp -e
# The first interface/IP looks good
# No return packets at all for the other interface: with strict reverse-path filtering (rp_filter=1) the
# kernel drops packets arriving on eth1 because its only route back to the sender is via eth0
# Change rp_filter (again via tee, because the redirection in "sudo echo ... >>" runs unprivileged)
echo "net.ipv4.conf.all.rp_filter=0" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.conf.eth0.rp_filter=0" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.conf.eth1.rp_filter=0" | sudo tee -a /etc/sysctl.conf
sudo sysctl --system
cat /proc/sys/net/ipv4/conf/all/rp_filter
# 0
cat /proc/sys/net/ipv4/conf/eth0/rp_filter
# 0
cat /proc/sys/net/ipv4/conf/eth1/rp_filter
# 0
# Caveat: 0 switches the anti-spoofing check off entirely; loose mode (2), which only requires the source to be
# reachable via some interface, is the usual compromise on a multi-homed host
# Check packets using ping and tcpdump
sudo tcpdump -i eth0 -nn icmp -e
sudo tcpdump -i eth1 -nn icmp -e
# The first interface/IP looks good
# Packets for the other IP are now accepted, but the replies leave on the wrong interface (eth0), following
# the single default route; this needs per-interface routing rather than a sysctl
Change routing
--------------
# Check routing table
ip route show
# Disable cloud-init's network configuration first, otherwise it regenerates 50-cloud-init.yaml on boot
# ("sudo echo ... > file" fails for the same reason as above, so write the file with tee)
echo "network: {config: disabled}" | sudo tee /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
sudo rm /etc/netplan/50-cloud-init.yaml
# Deploy new netplan config
sudo vi /etc/netplan/10-static.yaml
# "netplan try" reverts automatically unless confirmed, so a broken config cannot lock you out of the SSH session
sudo netplan try
# Check routing
ip route show
# default via 10.0.0.1 dev eth1 proto static
# default via 10.0.0.1 dev eth0 proto static
# 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.4
# 10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.5
# Check ping
sudo tcpdump -i eth0 -nn icmp -e
sudo tcpdump -i eth1 -nn icmp -e
# Looks good!
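The page does not show the contents of 10-static.yaml. The following is an added example, not the original file: a netplan configuration that gives eth1 its own routing table selected by a source-address rule, so replies from 10.0.0.5 leave through eth1 while eth0 keeps the default route in the main table, together with a loose rp_filter setting instead of 0. The addresses are the ones in the route table above and 168.63.129.16 is Azure's DNS/wire server address; the table number 101, the file names, the helper names and the external address used for verification are assumptions. Since ip route show only lists the main table, the second default route has to be inspected with ip rule and ip route show table 101:

```shell
#!/bin/sh
# Added example: netplan with per-interface routing plus matching sysctl for a two-NIC
# Azure VM (not the original write-up's file). Table 101 and the file names are assumptions.
set -eu

NETPLAN_FILE=${NETPLAN_FILE:-/etc/netplan/10-static.yaml}
SYSCTL_FILE=${SYSCTL_FILE:-/etc/sysctl.d/90-multihome.conf}

# render_netplan ETH0_IP ETH1_IP GATEWAY [TABLE]
# eth0 keeps the default route in the main table; eth1 gets its own default route in a
# separate table that a "from <eth1 address>" rule selects, so replies from that address
# are sent out of eth1 with eth1's MAC instead of following eth0's default route
render_netplan() {
  eth0_ip=$1; eth1_ip=$2; gw=$3; table=${4:-101}
  cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [${eth0_ip}/24]
      gateway4: ${gw}
      nameservers:
        addresses: [168.63.129.16]
    eth1:
      addresses: [${eth1_ip}/24]
      routes:
        - to: 0.0.0.0/0
          via: ${gw}
          table: ${table}
      routing-policy:
        - from: ${eth1_ip}
          table: ${table}
EOF
}

# Loose reverse-path filtering (2) instead of 0: a source must still be reachable via some interface
render_sysctl() {
  printf '%s\n' \
    'net.ipv4.conf.all.rp_filter = 2' \
    'net.ipv4.conf.default.rp_filter = 2' \
    'net.ipv4.conf.eth0.rp_filter = 2' \
    'net.ipv4.conf.eth1.rp_filter = 2'
}

# Write both files and apply them; "netplan try" rolls back unless confirmed, so a bad
# config cannot lock you out of the SSH session
apply_config() {
  render_netplan 10.0.0.4 10.0.0.5 10.0.0.1 | sudo tee "$NETPLAN_FILE" >/dev/null
  sudo chmod 600 "$NETPLAN_FILE"
  render_sysctl | sudo tee "$SYSCTL_FILE" >/dev/null
  sudo netplan try
  sudo sysctl --system >/dev/null
}

# Show the policy rule and the secondary table; the route lookup for a packet sourced from
# 10.0.0.5 must report "dev eth1" (203.0.113.10 is a constructed external address)
verify_routing() {
  ip rule show
  ip route show table "${1:-101}"
  ip route get 203.0.113.10 from 10.0.0.5
}

# Only touch the system when invoked as "sh routing.sh apply"
if [ "${1:-}" = apply ]; then
  apply_config
  verify_routing
fi
```

With this in place the earlier rp_filter problem also disappears for the right reason: the reverse-path lookup for a packet addressed to 10.0.0.5 hits the same source rule and resolves to eth1, so the packet is no longer treated as spoofed.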
Set up web servers
------------------
# Set Apache HTTP server name and listen IP (Apache serves eth1's address, 10.0.0.5)
echo "ServerName 10.0.0.5" | sudo tee -a /etc/apache2/apache2.conf
sudo vi /etc/apache2/ports.conf
# Set Nginx default html page and listen IP (Nginx binds the other address)
sudo mv /etc/nginx/sites-enabled/default /etc/nginx/conf.d/default.conf
sudo vi /etc/nginx/conf.d/default.conf
# Nginx auto-start after reboot: binding to a specific IP fails unless the interface is already up,
# so the unit must wait for the network. Editing /lib/systemd/system/nginx.service works but is
# overwritten on package upgrade; "sudo systemctl edit nginx" creates a drop-in that survives upgrades.
sudo vi /lib/systemd/system/nginx.service
# Add in [Unit]
# Wants=network-online.target
# After=network-online.target
sudo systemctl daemon-reload
sudo systemctl restart apache2
sudo systemctl enable --now nginx
Check Web server
----------------
# Web server links above
sudo ss -tulp | grep http
# 168.63.129.16 is the Azure wire server and 169.254.169.254 the instance metadata service; both talk
# HTTP to the guest agent, so exclude them to see only the GET request and its replies
sudo tcpdump -i eth0 -n -e 'tcp port 80 and not host 168.63.129.16 and not host 169.254.169.254'
sudo tcpdump -i eth1 -n -e 'tcp port 80 and not host 168.63.129.16 and not host 169.254.169.254'
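To turn the two captures into the MAC-level proof the challenge asks for, the following added example (not from the original write-up) checks every outbound HTTP packet's source MAC against the NIC that owns its source IP. The NIC MACs and the client address in the sample capture are constructed; the private IPs and the gateway MAC 12:34:56:78:9a:bc are the ones seen on the page. The sample deliberately contains one misrouted reply, the symptom observed before the routing fix:

```shell
#!/bin/sh
# Added example: verify that each web server's replies leave via its own NIC by pairing the
# source MAC and source IP in "tcpdump -e -nn" output (not part of the original write-up).
# The MACs below are placeholders; read the real ones from "ip link".
set -eu

ETH0_IP=10.0.0.4; ETH0_MAC=00:0d:3a:00:00:01
ETH1_IP=10.0.0.5; ETH1_MAC=00:0d:3a:00:00:02

# check_replies < tcpdump-lines: prints "srcIP srcMAC ok|WRONG" for each packet sourced from one
# of our IPs and exits non-zero if any of them carries the other NIC's MAC
check_replies() {
  awk -v ip0="$ETH0_IP" -v mac0="$ETH0_MAC" -v ip1="$ETH1_IP" -v mac1="$ETH1_MAC" '
    # tcpdump -e -nn layout: time srcMAC > dstMAC, ethertype IPv4 (0x0800), length N: srcIP.port > dstIP.port: ...
    $5 == "ethertype" && $6 == "IPv4" {
      n = split($10, a, ".")
      if (n < 5) next                          # src is IP.port, drop the port
      ip = a[1] "." a[2] "." a[3] "." a[4]
      mac = $2
      if (ip == ip0) want = mac0; else if (ip == ip1) want = mac1; else next
      status = (mac == want) ? "ok" : "WRONG"
      if (status == "WRONG") bad++
      print ip, mac, status
    }
    END { exit (bad > 0) }'
}

# Constructed sample: three SYN-ACK replies as tcpdump prints them on the Azure host; the third
# one is the failure mode from before the routing fix (10.0.0.5 answering through eth0)
sample_capture() {
  cat <<'EOF'
12:00:00.000100 00:0d:3a:00:00:01 > 12:34:56:78:9a:bc, ethertype IPv4 (0x0800), length 74: 10.0.0.4.80 > 203.0.113.10.51234: Flags [S.], seq 1, ack 1, win 65160, length 0
12:00:00.000200 00:0d:3a:00:00:02 > 12:34:56:78:9a:bc, ethertype IPv4 (0x0800), length 74: 10.0.0.5.80 > 203.0.113.10.51235: Flags [S.], seq 1, ack 1, win 65160, length 0
12:00:00.000300 00:0d:3a:00:00:01 > 12:34:56:78:9a:bc, ethertype IPv4 (0x0800), length 74: 10.0.0.5.80 > 203.0.113.10.51236: Flags [S.], seq 1, ack 1, win 65160, length 0
EOF
}

if [ "${1:-}" = live ]; then
  # On the VM: watch one interface and flag replies that carry the other NIC's MAC
  sudo tcpdump -l -e -nn -i "${2:-eth0}" 'tcp src port 80' | check_replies
else
  sample_capture | check_replies || echo "misrouted reply detected"
fi
```

Run it as sh check-replies.sh live eth1 while issuing the GET request from the demo client; a reply showing the wrong MAC on either interface means the packet was handed to the Azure fabric from the wrong NIC, which is exactly what the platform drops.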