Linux application security task

Hi,

According to the following output, nginx is running on port 80:

sudo: netstat: command not found
[root@stbkp01 ~]# ss -tnlp | grep LISTEN
LISTEN 0 511 *:80 *:* users:(("nginx",pid=756,fd=6),("nginx",pid=755,fd=6),("nginx",pid=754,fd=6),("nginx",pid=753,fd=6),("nginx",pid=752,fd=6),("nginx",pid=751,fd=6),("nginx",pid=750,fd=6),("nginx",pid=749,fd=6),("nginx",pid=748,fd=6),("nginx",pid=747,fd=6),("nginx",pid=746,fd=6),("nginx",pid=745,fd=6),("nginx",pid=744,fd=6),("nginx",pid=743,fd=6),("nginx",pid=742,fd=6),("nginx",pid=741,fd=6),("nginx",pid=740,fd=6),("nginx",pid=739,fd=6),("nginx",pid=738,fd=6),("nginx",pid=737,fd=6),("nginx",pid=736,fd=6),("nginx",pid=735,fd=6),("nginx",pid=734,fd=6),("nginx",pid=733,fd=6),("nginx",pid=732,fd=6),("nginx",pid=731,fd=6),("nginx",pid=730,fd=6),("nginx",pid=729,fd=6),("nginx",pid=728,fd=6),("nginx",pid=727,fd=6),("nginx",pid=726,fd=6),("nginx",pid=725,fd=6),("nginx",pid=724,fd=6),("nginx",pid=723,fd=6),("nginx",pid=722,fd=6),("nginx",pid=721,fd=6),("nginx",pid=720,fd=6))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=503,fd=3))
LISTEN 0 511 *:6400 *:* users:(("httpd",pid=689,fd=3),("httpd",pid=688,fd=3),("httpd",pid=687,fd=3),("httpd",pid=686,fd=3),("httpd",pid=685,fd=3),("httpd",pid=684,fd=3))
LISTEN 0 4096 127.0.0.11:39267 *:*
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=756,fd=7),("nginx",pid=755,fd=7),("nginx",pid=754,fd=7),("nginx",pid=753,fd=7),("nginx",pid=752,fd=7),("nginx",pid=751,fd=7),("nginx",pid=750,fd=7),("nginx",pid=749,fd=7),("nginx",pid=748,fd=7),("nginx",pid=747,fd=7),("nginx",pid=746,fd=7),("nginx",pid=745,fd=7),("nginx",pid=744,fd=7),("nginx",pid=743,fd=7),("nginx",pid=742,fd=7),("nginx",pid=741,fd=7),("nginx",pid=740,fd=7),("nginx",pid=739,fd=7),("nginx",pid=738,fd=7),("nginx",pid=737,fd=7),("nginx",pid=736,fd=7),("nginx",pid=735,fd=7),("nginx",pid=734,fd=7),("nginx",pid=733,fd=7),("nginx",pid=732,fd=7),("nginx",pid=731,fd=7),("nginx",pid=730,fd=7),("nginx",pid=729,fd=7),("nginx",pid=728,fd=7),("nginx",pid=727,fd=7),("nginx",pid=726,fd=7),("nginx",pid=725,fd=7),("nginx",pid=724,fd=7),("nginx",pid=723,fd=7),("nginx",pid=722,fd=7),("nginx",pid=721,fd=7),("nginx",pid=720,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=503,fd=4))
[root@stbkp01 ~]#
The question asks for the following:
We have a backup management application UI hosted on Nautilus's backup server in Stratos DC. That backup management application code is deployed under Apache on the backup server itself, and Nginx is running as a reverse proxy on the same server. Apache and Nginx ports are 6400 and 8094, respectively. We have iptables firewall installed on this server. Make the appropriate changes to fulfill the requirements mentioned below:

We want to open all incoming connections to Nginx’s port and block all incoming connections to Apache’s port. Also make sure rules are permanent.

It’s failing even after the right configuration.

What is your configuration?

Question:
We have a backup management application UI hosted on Nautilus's backup server in Stratos DC. That backup management application code is deployed under Apache on the backup server itself, and Nginx is running as a reverse proxy on the same server. Apache and Nginx ports are 8085 and 8097, respectively. We have iptables firewall installed on this server. Make the appropriate changes to fulfill the requirements mentioned below:

We want to open all incoming connections to Nginx’s port and block all incoming connections to Apache’s port. Also make sure rules are permanent.

Configuration steps:
thor@jumphost ~$ ssh clint@stbkp01
The authenticity of host 'stbkp01 (172.16.238.16)' can't be established.
ED25519 key fingerprint is SHA256:zudJEkx6tlxW4YOCSjk/hkYYM1DRYNXLItWx/XTl1dk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'stbkp01' (ED25519) to the list of known hosts.
clint@stbkp01's password:
[clint@stbkp01 ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for clint:
[root@stbkp01 ~]# systemctl start iptables
[root@stbkp01 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since Thu 2024-06-27 01:49:37 UTC; 9s ago
Process: 811 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 811 (code=exited, status=0/SUCCESS)

Jun 27 01:49:37 stbkp01.stratos.xfusioncorp.com systemd[1]: iptables.service c…
Jun 27 01:49:37 stbkp01.stratos.xfusioncorp.com systemd[1]: Starting IPv4 fire…
Jun 27 01:49:37 stbkp01.stratos.xfusioncorp.com systemd[811]: Executing: /usr/…
Jun 27 01:49:37 stbkp01.stratos.xfusioncorp.com iptables.init[811]: iptables: …
Jun 27 01:49:37 stbkp01.stratos.xfusioncorp.com systemd[1]: Child 811 belongs …
Jun 27 01:49:37 stbkp01.stratos.xfusioncorp.com systemd[1]: iptables.service: …
Jun 27 01:49:37 stbkp01.stratos.xfusioncorp.com systemd[1]: iptables.service c…
Jun 27 01:49:37 stbkp01.stratos.xfusioncorp.com systemd[1]: Job iptables.servi…
Jun 27 01:49:37 stbkp01.stratos.xfusioncorp.com systemd[1]: Started IPv4 firew…
Jun 27 01:49:37 stbkp01.stratos.xfusioncorp.com systemd[1]: iptables.service: …
Hint: Some lines were ellipsized, use -l to show in full.
[root@stbkp01 ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@stbkp01 ~]# systemctl restart iptables
[root@stbkp01 ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@stbkp01 ~]# iptables -A INPUT -p tcp --dport 8097 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
[root@stbkp01 ~]# iptables -A INPUT -p tcp --dport 8085 -m conntrack --ctstate NEW -j REJECT
[root@stbkp01 ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
6 ACCEPT tcp -- anywhere anywhere tcp dpt:sac ctstate NEW,ESTABLISHED
7 REJECT tcp -- anywhere anywhere tcp dpt:8085 ctstate NEW reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@stbkp01 ~]#
[root@stbkp01 ~]# iptables -R INPUT 5 -p icmp -j REJECT
[root@stbkp01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@stbkp01 ~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 REJECT icmp -- anywhere anywhere reject-with icmp-port-unreachable
6 ACCEPT tcp -- anywhere anywhere tcp dpt:sac ctstate NEW,ESTABLISHED
7 REJECT tcp -- anywhere anywhere tcp dpt:8085 ctstate NEW reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@stbkp01 ~]# exit
logout
[clint@stbkp01 ~]$ exit
logout
Connection to stbkp01 closed.
thor@jumphost ~$ telnet stbkp01 8085
Trying 172.16.238.16...
telnet: connect to address 172.16.238.16: Connection refused
thor@jumphost ~$ telnet stbkp01 8097
Trying 172.16.238.16...
telnet: connect to address 172.16.238.16: Connection refused
thor@jumphost ~$

Even though my task passed successfully, it should not have, since the default catch-all comes first and all traffic would pass. I believe the rules should be first in the INPUT chain. So I'm trying to figure out what the actual ask is here for the task!!
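Added example, not from either post: a POSIX shell helper that parses an `iptables -L INPUT --line-numbers` listing, finds the stock catch-all `REJECT all` rule and prints `-I` commands that put the nginx ACCEPT and the Apache REJECT above it, because rules appended with `-A` below that catch-all never match (in the transcript the `-R INPUT 5 -p icmp -j REJECT` step replaced the catch-all itself, which is why rules 6 and 7 then took effect). Ports 8097 and 8085 and the embedded listing are taken from the post; the listing is read from stdin so the same helper also works on live `iptables -L INPUT --line-numbers -n` output.

```shell
#!/bin/sh
# Added example (not from the post). Reads an "iptables -L INPUT
# --line-numbers" listing on stdin, with or without -n, and prints the
# commands that place the per-port rules ABOVE the catch-all reject.
# Ports: 8097 = nginx, 8085 = Apache (both from the task text).

# Print the number of the first rule that rejects or drops every
# protocol from any source to any destination; print nothing if none.
catchall_rule_number() {
    awk '$1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") &&
         $3 == "all" &&
         ($5 == "anywhere" || $5 == "0.0.0.0/0") &&
         ($6 == "anywhere" || $6 == "0.0.0.0/0") { print $1; exit }'
}

# $1 = nginx port, $2 = Apache port, INPUT listing on stdin.
# Prints (does not run) the iptables commands, one per line.
plan_rules() {
    pos=$(catchall_rule_number)
    if [ -n "$pos" ]; then
        # Two inserts at the same index: the REJECT goes in first so the
        # final order is ACCEPT nginx, REJECT Apache, catch-all REJECT.
        echo "iptables -I INPUT $pos -p tcp --dport $2 -j REJECT"
        echo "iptables -I INPUT $pos -p tcp --dport $1 -j ACCEPT"
    else
        # No catch-all present: appending is safe here.
        echo "iptables -A INPUT -p tcp --dport $1 -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $2 -j REJECT"
    fi
    echo "service iptables save"   # persists to /etc/sysconfig/iptables
}

# Constructed sample: the INPUT chain as the post shows it right after
# "systemctl restart iptables", before any rules were added.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target  prot opt source    destination
1    ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
2    ACCEPT  icmp --  anywhere  anywhere
3    ACCEPT  all  --  anywhere  anywhere
4    ACCEPT  tcp  --  anywhere  anywhere  state NEW tcp dpt:ssh
5    REJECT  all  --  anywhere  anywhere  reject-with icmp-host-prohibited'

# Run stand-alone: prints the three commands to execute as root.
printf '%s\n' "$SAMPLE_LISTING" | plan_rules 8097 8085
```

Rule 3 (`ACCEPT all anywhere anywhere`) is the loopback `-i lo` rule of the iptables-services default ruleset; `iptables -L` without `-v` hides the interface match, so it is not a catch-all accept and the helper correctly ignores it.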