Extra Credit Deliverables
Extra credit deliverables showcase.
2FA
We used Twilio to send the SMS messages.
After logging in, a code is sent to the phone number that the user provided during registration.
Entering the code on the website.
After entering the correct code, the user is redirected to the website.
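The login-then-SMS-code flow described above, written out as an added example (not the project's own code): the code is generated from a CSPRNG, only its hash is stored server-side, it expires after five minutes, is single-use, and the challenge locks after five wrong guesses. The SMS sender is injected so the example runs offline; in the project this is where the Twilio client call would go. The user id and phone number are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a code is only valid for five minutes
MAX_ATTEMPTS = 5         # lock the challenge after too many wrong guesses


@dataclass
class Challenge:
    code_hash: bytes     # only the hash of the code is kept server-side
    expires_at: float
    attempts: int = 0


class SmsTwoFactor:
    """Second login step: send a one-time code by SMS, then verify it."""

    def __init__(self, send_sms, clock=time.time):
        # send_sms(phone, text) is injected (assumption); the project used
        # Twilio here, e.g. client.messages.create(to=phone, from_=..., body=text).
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}   # user_id -> Challenge

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).digest()

    def start(self, user_id, phone):
        # 6-digit code from a CSPRNG, never from random.randint
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = Challenge(self._hash(code), self._clock() + CODE_TTL_SECONDS)
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, user_id, submitted):
        ch = self._pending.get(user_id)
        if ch is None:
            return False                   # no login in progress for this user
        if self._clock() > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]     # expired or locked: force a fresh login
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code_hash, self._hash(submitted)):
            del self._pending[user_id]     # single use: consume the code on success
            return True
        return False
```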
Nagios
We used Nagios to monitor our Prod systems to check whether they are online, monitor their resource utilization, and check if certain services were running. The deliverable is just the dashboard page showing that our systems are being monitored.
192.168.195.36 is the Deployment VM’s Prod address. localhost is the Nagios VM, which is being accessed by the Deployment VM.
OpenVAS
If we could generate a security report/audit for our Prod cluster, we got the point.
This is the report for the CVE scan done on the Prod network.
192.168.195.207 is the Backend VM. Port 5693 is the Nagios Cross Platform Agent (NCPA) monitoring port. This may be a false positive because all Prod VMs were configured with Nagios in exactly the same way; however, the report only shows this message for the Backend VM.
This is the report for the OpenVAS default scan (using the full and very deep option).
At the time, the DMZ VM (192.168.195.39) also had Apache installed and the web server set up, so the webserver and DMZ VMs may have the same vulnerabilities listed in the report.
This is an interesting message. If you take a look at the repository for the project, you will notice that .coveralls.yml does contain a repo token, so this is a security issue. Ideally, .coveralls.yml should be included in .gitignore or the token should be set as an environment variable.
However, there are some tokens hardcoded into the webserver files, and OpenVAS did not detect those.
Another interesting message is that sensitive information is being transmitted in plaintext, with a QoD (Quality of Detection) of 80. This is a false positive because SSL is set up on the webserver VM, and we can see that traffic is indeed encrypted from the Wireshark demonstration.