Project 1 - ELK Stack Project
The files in this repository were used to configure the network depicted below.
These files have been tested and used to generate a live ELK deployment on Azure. They can be used to either recreate the entire deployment pictured above. Alternatively, select portions of the YAML file may be used to install only certain pieces of it, such as Filebeat.
- elk.yml.
This document contains the following details:
- Description of the Topology
- Access Policies
- ELK Configuration
- Beats in Use
- Machines Being Monitored
- How to Use the Ansible Build
The main purpose of this network is to expose a load-balanced and monitored instance of DVWA, the D*mn Vulnerable Web Application.
Load balancing ensures that the application will be highly available, in addition to restricting inbound access to the network.
- The load balancers prevent any unauthorized traffic reaching the application.
- The advantage of the jumpbox is that they add a layer of security to the web servers and keep it from being exposed to the public.
Integrating an ELK server allows users to easily monitor the vulnerable VMs for changes to the data and system logs.
- The filebeat watches for any log data.
- The Metricbeat records the metric data from target servers.
The configuration details of each machine may be found below:
| Name | Function | IP Address | Operating System |
|---|---|---|---|
| Jump Box | Gateway | 10.0.0.4 | Linux (ubuntu 18.04) |
| Web 1 | Webserver | 10.0.0.5 | Linux (ubuntu 18.04) |
| Web 2 | Webserver | 10.0.0.6 | Linux (ubuntu 18.04) |
| Web 3 | Webserver | 10.0.0.8 | Linux (ubuntu 18.04) |
| ELK VM | Elk | 10.1.0.5 | Linux (ubuntu 18.04) |
The machines on the internal network are not exposed to the public Internet.
Only the JumpBox machine can accept connections from the Internet. Access to this machine is only allowed from the following IP addresses:
- 104.42.155.0
Machines within the network can only be accessed by the JumpBox VM.
- The machine that will allow me access will be the JumpBox VM.
- Public IP: 104.42.155.0
- Private IP: 10.1.0.5
A summary of the access policies in place can be found in the table below:
| Name | Publicly Accessible | Allowed IP Addresses |
|---|---|---|
| Jump Box | Yes | 104.42.155.0 |
| Web 1 | No | RedTeamLB 13.64.62.16 |
| Web 2 | No | RedTeamLB 13.64.62.16 |
| Web 3 | No | RedTeamLB 13.64.62.16 |
| ELK VM | Yes with Kibana (HTTP) | 20.121.7.192:5601 |
Ansible was used to automate configuration of the ELK machine. No configuration was performed manually, which is advantageous because you are able to create and edit the configurations to each of the virtual machines that are associated with it.
The playbook implements the following tasks:
- Install docker.io – installs the docker code to the server
- Install pip3 – it facilitates by allowing supplementary docker modules to be installed
- Install docker python module – allows PIP to install the docker component modules
- Use more memory – in order to increase the memory, this will allow the server to increase its memory
- Download and launch a docker elk container – downloads the ELK docker container and allows the ports to be established
The following screenshot displays the result of running docker ps after successfully configuring the ELK instance:
This ELK server is configured to monitor the following machines:
- 10.0.0.4
- 10.0.0.5
- 10.0.0.6
- 10.0.0.8
- 10.1.0.5
We have installed the following Beats on these machines:
- Filebeat and metricbeat were installed on Web 1, Web 2, Web 3, and ELK.
These Beats allow us to collect the following information from each machine:
- Filebeats monitors log data and will forward those logs to Elasticserach or Logstash to be indexed.
- Metricbeat monitors for any information in the file system that has been compromised.
In order to use the playbook, you will need to have an Ansible control node already configured. Assuming that you have such a control node provisioned:
SSH into the control node and follow the steps below:
- Copy the elk.yml to /etc/ansible/elk.yml
- Update the host file to include ELK VM private IP -Run the playbook and navigate to http://20.121.7.192:5601/app/kibana to check that the installation worked as expected
- Run the playbook on a specific machine use ansible-playbook /etc/ansible/elk.yml
- To install Filebeat on a specific machine: curl https://gist.githubusercontent.com/slape/5cc350109583af6cbe577bbcc0710c93/raw/eca603b72586fbe148c11f9c87bf96a63cb25760/Filebeat >> /etc/ansible/filebeat-config.yml
- Nano filebeat-config.yml
- Under output.elasticserach change the IP address to your ELK VM private IP address with port 9200
- Under setup.kibana change to the IP address to your ELK VM private IP address with port 5601
- The URL you will need to navigate to in order to check that the ELK server is running is http://20.121.7.192:5601/app/kibana
Sample web log data from Kibana:
In the last 7 days, 224 visitors were located in India.
In the last 24 hours, 59 of the visitors were from China and were using Mac OSX.
In the last 2 days, what 11.111% of visitors received 404 errors and 0% had 503 errors.
In the last 7 days, China produced the majority of the traffic on the website and the time of day that had the most traffic was from 9:00 am - 10:00 am.
These are the types of downloaded files that have been identified for the last 7 days:
- gz: These files are compressed files and can be opened with GNU zip.
- css: These files are used to formaout the layout of an entire website.
- zip: These files do not take much storage space and can compress one or more files together.
- deb: This file is a Debian Software Package file and is used to install apps on Linux.
- rpm: This file is a Red Hat Software Package file and it stores installation packages on Linux.
- What is strange in this activity is that on March 28th, it looks like there is one vistor that is using a unusual amount of bytes compared to all of the other usages.
Below is the timestamp for this event:
The file that was downloaded was a zip file.
The country that this activity originated from was India and the HTTP response code 200 OK, were encountered by this visitor.
- The source IP address of this activity is 184.167.34.105.
- The geo coordinates of this activity are {"lat": 36.38559583, "lon": -97.27721083}.
- The IOS was the machine running source
- The full URL that was accessed was https://artifacts.elastic.co/downloads/apm-server/apm-server-6.3.2-windows-x86.zip.
- The website that the visitor's traffic originated from was Facebook.
- The user was downloading a linux package.
- I do not believe that it's malicious. The file maybe to install or update a file. What was suspicious was the referral link was from Facebook. I believe that it might not be in compliance due to the fact that it came from Facebook.