Saturday, August 19, 2017

Mikrotik RouterOS 6.40.1 (stable) L2TP/IPSEC VPN with iPhone/iPad IOS 10 and/or Mac OS X 10.12.6+

This is a very brief guide explaining how to make this 'just work' so that your Apple iPad/iPhone devices can reach your Mikrotik router via an L2TP/IPSEC VPN.  There are 7 distinct steps required inside the Mikrotik, three steps on OSX, and three as well on an iPhone/iPad.  This configuration will also work with Android 6.0.1.  We'll start with the Mikrotik:


--------------------
Step 1: define the VPN IP pool by clicking on IP -> Pool -> Pools -> Add New

Enter the name of your pool: ipsec
Enter the Addresses of your pool: 10.0.10.2-10.0.10.99 (ensure this does not overlap with another network attached to the mikrotik!)
Next Pool: none


Click on Apply, then OK.  Your new VPN pool should now be shown in the list.
--------------------
Step 2: create a new ppp profile by clicking on PPP -> Profiles -> Add New

Name: ipsec
Local Address: 10.0.10.1 (ensure this is in the same subnet as what you've defined above)
Remote Address: ipsec (the name of the pool you defined above)
DNS Server: 10.0.10.1 (the same address as your local address)
Change TCP MSS: yes
Use UPnP: default
Use MPLS: default
Use Compression: default
Use Encryption: yes
Only One: default


Click on Apply, then OK.  Your new profile should now be shown in the list.
--------------------
Step 3: create a new user by clicking on PPP -> Secrets -> Add New

Enabled: Yes
Name: johnsmith
Password: smitty1234
Service: l2tp
Profile: ipsec (the name of the profile you defined above)


Click on Apply, then OK.  Your new username should now be shown in the list. Repeat as necessary for additional users.
--------------------
Step 4: enable the L2TP server by clicking on PPP -> L2TP Server

Enabled: Yes
Max MTU: 1460
Max MRU: 1460
Keepalive Timeout: 30
Default Profile: ipsec (the name of the profile you defined above)
Authentication: mschap2 (all others disabled)
Use IPsec: yes
IPsec Secret: homeipsecsecret
Caller ID Type: ip address
One Session Per Host:
Allow Fast Path:


Click on Apply, then OK.
--------------------
Step 5: modify the default IPsec proposal by clicking on IP -> IPsec -> Proposals -> Default

Enabled: Yes
Name: l2tp-ipsec
Auth. Algorithms: sha1
Encr. Algorithms: aes-256-cbc
PFS Group: modp1024


--------------------
Step 6: create a new IPsec peer entry by clicking on IP -> IPsec -> Peers -> Add New

Enabled: Yes
Address: 0.0.0.0/0
Auth. Method: pre shared key
Exchange Mode: main l2tp
Passive: No
Secret: homeipsecsecret (same as defined under PPP -> L2TP Server)
Policy Template Group: default
Send Initial Contact: Yes
NAT Traversal: Yes
My ID Type: auto
Generate Policy: port override
Lifetime: 1d 00:00:00
DPD Interval: 2s
DPD Maximum Failures: 5
Proposal Check: obey
Compatibility Options: skip peer id validation
Hash Algorithm: sha256
Encryption Algorithm: aes-256
DH Group: modp1024


--------------------
Step 7: enter the required firewall rules by clicking on IP -> Firewall -> Add New

Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: ipsec-ah

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: ipsec-esp

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 500


Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 1701

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 4500


You should have five firewall rules added once completed.
--------------------
Now go to your Mac System Preferences -> Network -> and click on the '+' symbol.  If it is grayed out, click on the lock and enter your administrator password.

Interface: VPN
VPN Type: L2TP over IPSec
Service Name: VPN (Home Router)

Click "+"

Configuration: Default
Server Address: (your router WAN address or DNS)
Account Name: johnsmith

Click Authentication Settings...

User Password: smitty1234

Machine Authentication:
Shared Secret: homeipsecsecret
Group Name: (blank)

Click OK.

Click Advanced, then under Session Options, check the following:
Disconnect when switching user accounts
Disconnect when user logs out
Send all traffic over VPN connection (provides a 0.0.0.0/0 route via the VPN!)

Click OK. Click Connect.

Enjoy!

Wednesday, April 5, 2017

Puppet Server 2.7.x + Puppet Agent 4.10.x + Foreman 1.15 on CentOS 7


This is really more for my notes after digging through all the various misconfigured puppet versions available. The documentation over on theforeman.org is really all that is required to bring up a puppet server 2.7.x + puppet agent 4.10 + Foreman 1.15 on CentOS 7.3.1611.

  1. Install CentOS Minimal: I provisioned the vm with 4G RAM/40G disk drive/4 core CPU
  2. Install the latest OS updates
    # yum -y update
  3. Install the puppet repository and its accompanying packages
    # yum -y install http://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
    # yum -y install puppetserver puppetdb
  4. Install the epel-release repository
    # yum -y install epel-release
  5. Install theforeman repository
    # yum -y install https://yum.theforeman.org/releases/latest/el7/x86_64/foreman-release.rpm
  6. Install theforeman's installer package
    # yum -y install foreman-installer
  7. Kick off the foreman installer and wait a few minutes -- it will "just work" when it's finished!
    # foreman-installer
    # puppet agent --test

A few notes on upgrading foreman! It's vastly easier to set a version number in /etc/yum/vars/tfmvers, i.e. '1.15', and then reference that in /etc/yum.repos.d/foreman.repo and foreman-plugins.repo, for example:

[foreman]
name=Foreman $tfmvers - $basearch
baseurl=http://yum.theforeman.org/releases/$tfmvers/el7/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman

[foreman-plugins]
name=Foreman plugins $tfmvers - $basearch
baseurl=http://yum.theforeman.org/plugins/$tfmvers/el7/$basearch
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman


Thus, when upgrading, you can simply echo '1.15' > /etc/yum/vars/tfmvers and then yum update.  It's also possible to use 'latest' or 'nightly' if you're diligent about your updates.


Upgrading Foreman
First select the version you'd like to upgrade to.  Foreman upgrades are linear, meaning that you must upgrade incrementally.  So, if you have 1.11 installed, and wish to move to 1.15, you'll need to go to 1.12 first, then from 1.12 to 1.13, then from 1.13 to 1.14, then finally from 1.14 to 1.15.  Sorry, those are the breaks - stay on top of your upgrades (at least monthly, approximately) and you can simply use 'latest' and never have to worry about it!
# echo '1.15' > /etc/yum/vars/tfmvers

-or-
# echo 'latest' > /etc/yum/vars/tfmvers

Clean the yum repository caches
# yum clean all


Stop the foreman, foreman-proxy and httpd services
# systemctl stop foreman foreman-proxy httpd


Trigger a foreman upgrade via yum
# yum upgrade tfm\* ruby\* foreman\* puppet\*


Run the migrate and seed rakes, then clear cache and sessions
# foreman-rake db:migrate
# foreman-rake db:seed
# foreman-rake tmp:cache:clear
# foreman-rake tmp:sessions:clear

Or for those of you who prefer one-liners..


# for i in db:migrate db:seed tmp:cache:clear tmp:sessions:clear; do foreman-rake $i; done

Restart your instance of foreman
# systemctl start foreman foreman-proxy httpd

That's really all there is to it -- happy provisioning!

Friday, February 24, 2017

Securing Mac OSX 10.12.6 Sierra's OpenSSH Server / Client

I was tasked with a more formal chore of securing a few other alternate systems so I thought I'd look at what OSX 10.12.6 has done in the way of OpenSSH versioning as well as its default configuration.  I was impressed, it's actually not bad!  In fact, as if it weren't obvious, I'm a huge fan (and supporter) of OpenBSD's efforts.  Note that the version compiled in 10.12.6 is actually utilizing OpenBSD's LibreSSL instead of OpenSSL 1.x.bug.ridden.rubbish.  I'm not sure when this happened, but that's a very progressive decision for such a huge vendor to make.  As of this writing, the latest version of OpenSSH is 7.5p1 -- OSX Sierra is at 7.4p1 - well done, Apple!

A few important commands to get started.

To get the entire default configuration:

qmp:~ root# sshd -T


To get the ssh (and sshd) version:

qmp:~ root# ssh -V
OpenSSH_7.4p1, LibreSSL 2.5.0

To get the supported cipher list:

qmp:~ root# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

To get the supported key exchange algorithms:

qmp:~ root# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org

To get the supported MACs:

qmp:~ root# ssh -Q mac 
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

Here is my suggested configuration as of this writing if you plan to continue using keyboard/password authentication, but ideally you should be using public/private keys and set 'passwordauthentication no'.  This is a STRICT configuration that will likely decline most older clients.  You've been advised!

qmp:~ root# cat /etc/ssh/sshd_config

port 22
protocol 2
addressfamily inet
listenaddress 127.0.0.1:22
usepam yes
serverkeybits 2048
logingracetime 30
keyregenerationinterval 3600
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
streamlocalbindmask 0177
permitrootlogin no
ignorerhosts yes
ignoreuserknownhosts no
rhostsrsaauthentication no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
rsaauthentication no
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication no
gssapicleanupcredentials yes
passwordauthentication yes
kbdinteractiveauthentication yes
challengeresponseauthentication yes
printmotd yes
printlastlog yes
x11forwarding no
x11uselocalhost yes
permittty yes
permituserrc yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
permituserenvironment no
uselogin no
compression delayed
gatewayports no
usedns no
allowtcpforwarding no
allowagentforwarding no
allowstreamlocalforwarding no
streamlocalbindunlink no
useprivilegeseparation sandbox
fingerprinthash SHA512
pidfile /var/run/sshd.pid
xauthlocation xauth
ciphers chacha20-poly1305@openssh.com
macs hmac-sha2-512-etm@openssh.com
versionaddendum none
kexalgorithms curve25519-sha256@libssh.org
hostbasedacceptedkeytypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
pubkeyacceptedkeytypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
loglevel INFO
syslogfacility AUTH
authorizedkeysfile .ssh/authorized_keys
hostkey /etc/ssh/ssh_host_ed25519_key
acceptenv LANG
acceptenv LC_*
authenticationmethods any
subsystem sftp /usr/libexec/sftp-server
maxstartups 10:30:100
permittunnel no
ipqos lowdelay throughput
rekeylimit 0 0
permitopen 127.0.0.1:1

If you're going to use the AES128-GCM@OPENSSH.COM and AES256-GCM@OPENSSH.COM ciphers, you might consider filtering your /etc/ssh/moduli to remove anything < 4095 bits. You'll be left with about 118 entries.
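One way to check a server against the strict configuration above and to apply the moduli filtering just described (an added example, not part of the original post). It assumes `sshd -T` style input with one keyword per line and the usual moduli layout with the size in the fifth column; the function names are illustrative. The moduli file is only consulted for the diffie-hellman-group-exchange-* key exchanges.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Allow-list copied from the ciphers/macs/kexalgorithms lines of the
# sshd_config above.
ALLOW_CIPHERS="chacha20-poly1305@openssh.com"
ALLOW_MACS="hmac-sha2-512-etm@openssh.com"
ALLOW_KEX="curve25519-sha256@libssh.org"

# audit_sshd: read `sshd -T` style lines on stdin and print "keyword value"
# for every offered algorithm outside the allow-list. Also reports
# passwordauthentication when it is still "yes", as a reminder that the post
# recommends key-only logins. No output means nothing to review.
audit_sshd() {
  awk -v c="$ALLOW_CIPHERS" -v m="$ALLOW_MACS" -v k="$ALLOW_KEX" '
    BEGIN { allow["ciphers"] = c; allow["macs"] = m; allow["kexalgorithms"] = k }
    { key = tolower($1) }
    (key in allow) {
      split("", good)                       # portable way to empty an array
      n = split(allow[key], ok, ",")
      for (i = 1; i <= n; i++) good[ok[i]] = 1
      n = split($2, offered, ",")
      for (i = 1; i <= n; i++)
        if (!(offered[i] in good)) print key, offered[i]
    }
    key == "passwordauthentication" && tolower($2) == "yes" { print key, $2 }
  '
}

# filter_moduli [MIN]: read a moduli file on stdin, keep comment lines and
# every group whose size field (column 5) is at least MIN (default 4095).
filter_moduli() {
  awk -v min="${1:-4095}" '/^#/ || ($5 + 0) >= (min + 0)'
}

# Typical use, writing to a new file so the original can be kept as a backup:
#   sshd -T | audit_sshd
#   filter_moduli < /etc/ssh/moduli > /etc/ssh/moduli.strong
```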

Happy hardening!

Monday, February 13, 2017

OpenBSD 6.1 L2TP over IPSEC VPN - Android 6.0.1, IOS, OS X Sierra, Windows {x,y.z}



Here's exactly what's required to make OpenBSD 6.1 act as an L2TP over IPSEC server, since I've been asked about a thousand times... or twice, whatever.

Edit /etc/ipsec.conf:

wan_ipv4 = 172.16.172.16
ike passive esp transport \
  proto udp from $wan_ipv4 to any port 1701 \
  main auth "hmac-sha2-256" enc "aes-256" group modp1024 \
  quick auth "hmac-sha2-256" enc "aes-256" group modp1024 \
  psk "4de16a6f8fff9b311a18de90868f7808"


That's a pretty nasty PSK to bang out on a mobile, but you get the idea. Set your external IP accordingly.



Assuming you'll be forwarding via pf.conf, edit /etc/sysctl.conf:

net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.pipex.enable=1


The sysctl.conf entries only take effect at boot; if you don't plan to reboot, set the above entries manually with sysctl if you haven't done so already.



Add a user to /etc/npppd/npppd-users:

mickeymouse:\
:password=81bc62b1d74cfdd523f89a0e15d7753ef936bd1f:




Edit /etc/npppd/npppd.conf for your network configuration:

authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
listen on 0.0.0.0
listen on ::
}

ipcp IPCP {
pool-address 172.16.173.2-172.16.173.254
dns-servers 8.8.8.8
}

interface pppx0 address 172.16.173.1 ipcp IPCP

bind tunnel from L2TP authenticated by LOCAL to pppx0




Edit /etc/rc.conf.local to ensure the respective daemons start at boot:

isakmpd_flags=""
ipsec=YES
ipsec_rules=/etc/ipsec.conf
npppd_flags=""



Edit /etc/isakmpd/isakmpd.policy to work around Android 6.0.1 SHA stupidities:

Authorizer: "POLICY"
Comment: This is test
Licensees: "passphrase:4de16a6f8fff9b311a18de90868f7808"
conditions: app_domain == "IPsec policy" && doi == "ipsec" && esp_present == "yes" && (esp_auth_alg == "hmac-md5" || esp_auth_alg == "hmac-sha") -> "true";


Be sure the passphrase: matches what's in /etc/ipsec.conf!



Lastly, set permissions and fire up the respective daemons:

# chmod 600 /etc/isakmpd/isakmpd.policy /etc/ipsec.conf /etc/npppd/npppd-users /etc/npppd/npppd.conf
# /sbin/isakmpd
# /sbin/ipsecctl -f /etc/ipsec.conf
# /usr/sbin/npppd

The rest is simply configuring the settings in your Android/IOS phone, OSX or Windows.
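A pre-flight check for the two points above that are easy to get wrong: the passphrase in isakmpd.policy must match the psk in ipsec.conf, and the files must be mode 600. This is an added example, not part of the original post; the function names are illustrative and it assumes the secrets are double-quoted as shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Paths are parameters so the
# check can be tried on copies first.

# Print the quoted value after the psk keyword in an ipsec.conf-style file.
psk_from_ipsec_conf() {
  sed -n 's/.*psk[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the passphrase from the Licensees line of an isakmpd.policy file.
psk_from_policy() {
  sed -n 's/^[Ll]icensees:.*"passphrase:\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if FILE grants nothing to group or other (e.g. mode 600).
private_mode() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_l2tp_files IPSEC_CONF POLICY [OTHER_FILE...]
# Returns 0 when both secrets are present and equal and every listed file is
# private. The secret itself is never printed.
check_l2tp_files() {
  rc=0
  a=$(psk_from_ipsec_conf "$1"); b=$(psk_from_policy "$2")
  if [ -z "$a" ] || [ -z "$b" ]; then
    echo "secret not found in $1 or $2" >&2; rc=1
  elif [ "$a" != "$b" ]; then
    echo "psk in $1 differs from passphrase in $2" >&2; rc=1
  fi
  for f in "$@"; do
    private_mode "$f" || { echo "$f is accessible by group/other" >&2; rc=1; }
  done
  return $rc
}

# Typical use, before starting isakmpd and npppd:
#   check_l2tp_files /etc/ipsec.conf /etc/isakmpd/isakmpd.policy \
#       /etc/npppd/npppd-users /etc/npppd/npppd.conf
```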


Enjoy!

Upgrading iLO3 Firmware on HP DL380 G7 1.88



Just a few notes while upgrading my DL360, DL380, or DL580 G7 to the latest iLO3 firmware, 1.88 as of this writing..
  1. HP, if you're listening, simply make the .bin file available, i.e. ilo3_188.bin, for upgrade; do we really have to unzip the .exe file to extract it from your archive?
  2. Disable the HP post logo in the BIOS, life will be easier to configure iLO from there.
  3. You can't upgrade from iLO3 to iLO4 on a G7.. yet.
  4. If your version of iLO3 is prior to 1.28, you must upgrade to 1.28 before moving to 1.88!
  5. If you'd like to ssh (using their horribly insecure hostkey, kex, cipher and mac - lol) into your iLO3 server, try the following command:

ssh -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 -o Ciphers=aes128-ctr -o MACs=hmac-sha1 username@your_ilo_ip


That's all for now!

Follow-up, shasums for the relevant files: the cp029101.exe is the x64 version, both contain the same ilo3_188.bin, grab it from the following url (if that still works). For whatever it's worth, as of 08/12/2017, version 1.88 is still the latest version of ilo3 for the HP Proliant G7 series.

http://h20564.www2.hpe.com/hpsc/swd/public/detail?sp4ts.oid=4091432&swItemId=MTX_3ef65d13406a41de97e6a75a3c&swEnvOid=4168


$ shasum -a 256 *
f417ba0f624ef7fdd8ee5f2db7101c719618f3c7bc5e6b2b2b8f863c5b35d12f  cp029100.exe
fb87e8c72c23d040a78f4c42b84612913d35c1cb6edc9668ff3236a3197d3b74  cp029101.exe
$ unzip cp029100.exe ilo*.bin
Archive:  cp029100.exe
  inflating: ilo3_188.bin            
$ shasum -a 256 *
f417ba0f624ef7fdd8ee5f2db7101c719618f3c7bc5e6b2b2b8f863c5b35d12f  cp029100.exe
fb87e8c72c23d040a78f4c42b84612913d35c1cb6edc9668ff3236a3197d3b74  cp029101.exe
145f6042eecdb50df27bbd4484ad9228808a2206c94097b5d83e8018532250b9  ilo3_188.bin

A few good sites to find firmware files: 
http://pingtool.org/latest-hp-ilo-firmwares/
https://github.com/seveas/python-hpilo/blob/master/firmware.conf