Saturday, August 19, 2017

Mikrotik RouterOS 6.40.1 (stable) L2TP/IPsec VPN with iPhone/iPad iOS 10 and/or Mac OS X 10.12.6+

This is a very brief guide to making this 'just work' so that your Apple iPad/iPhone and Mac devices can reach your Mikrotik router over an L2TP/IPsec VPN.  There are 7 distinct steps required inside the Mikrotik, three on OSX and three on an iPhone/iPad (only the Mikrotik and Mac sides are walked through below).  This configuration will also work with Android 6.0.1.  We'll start with the Mikrotik:


--------------------
Step 1: define the VPN IP pool by clicking on IP -> Pool -> Pools -> Add New

Enter the name of your pool: ipsec
Enter the Addresses of your pool: 10.0.10.2-10.0.10.99 (ensure this does not overlap with another network attached to the mikrotik!)
Next Pool: none


Click on Apply, then OK.  Your new VPN pool should now be shown in the list.
--------------------
Step 2: create a new ppp profile by clicking on PPP -> Profiles -> Add New

Name: ipsec
Local Address: 10.0.10.1 (ensure this is in the same subnet as what you've defined above)
Remote Address: ipsec (the name of the pool you defined above)
DNS Server: 10.0.10.1 (the same address as your local address; for this to work the router must answer DNS for the clients, so enable IP -> DNS -> Allow Remote Requests and make sure your WAN input chain still drops DNS from the Internet)
Change TCP MSS: yes
Use UPnP: default
Use MPLS: default
Use Compression: default
Use Encryption: yes
Only One: default


Click on Apply, then OK.  Your new profile should now be shown in the list.
--------------------
Step 3: create a new user by clicking on PPP -> Secrets -> Add New

Enabled: Yes
Name: johnsmith
Password: smitty1234
Service: l2tp
Profile: ipsec (the name of the profile you defined above)


Click on Apply, then OK.  Your new username should now be shown in the list. Repeat as necessary for additional users, and give each one a real password rather than the example above: MS-CHAPv2 against this secret is the only per-user authentication the VPN has, while the IPsec pre-shared key in step 4 is shared by every client.
--------------------
Step 4: enable the L2TP server by clicking on PPP -> L2TP Server

Enabled: Yes
Max MTU: 1460
Max MRU: 1460
Keepalive Timeout: 30
Default Profile: ipsec (the name of the profile you defined above)
Authentication: mschap2 (all others disabled)
Use IPsec: yes
IPsec Secret: homeipsecsecret (use a long random string; this one key is shared by every client)
Caller ID Type: ip address
One Session Per Host:
Allow Fast Path:


Click on Apply, then OK.
--------------------
Step 5: modify the default IPsec proposal by clicking on IP -> IPsec -> Proposals -> Default

Enabled: Yes
Name: l2tp-ipsec
Auth. Algorithms: sha1
Encr. Algorithms: aes-256-cbc
PFS Group: modp1024


--------------------
Step 6: create a new IPsec peer entry by clicking on IP -> IPsec -> Peers -> Add New

Enabled: Yes
Address: 0.0.0.0/0
Auth. Method: pre shared key
Exchange Mode: main l2tp
Passive: No
Secret: homeipsecsecret (same as defined under PPP -> L2TP Server)
Policy Template Group: default
Send Initial Contact: Yes
NAT Traversal: Yes
My ID Type: auto
Generate Policy: port override
Lifetime: 1d 00:00:00
DPD Interval: 2s
DPD Maximum Failures: 5
Proposal Check: obey
Compatibility Options: skip peer id validation
Hash Algorithm: sha256
Encryption Algorithm: aes-256
DH Group: modp1024 (1024-bit DH is the weakest group offered here and is kept for client compatibility; if every client can negotiate modp2048, use that instead)


--------------------
Step 7: enter the required firewall rules by clicking on IP -> Firewall -> Add New

Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: ipsec-ah

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: ipsec-esp

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 500


Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 1701

Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 4500


You should have five firewall rules added once completed.  Two caveats: the ipsec-ah rule is not needed, since L2TP/IPsec uses ESP only (and behind NAT the ESP is carried inside UDP 4500 anyway); and the UDP 1701 rule as written also accepts plain, unencrypted L2TP from the Internet, leaving MS-CHAPv2 as the only protection.  Set IPsec Policy to "in, ipsec" on that rule (the IPsec Policy matcher on the rule's Advanced tab) so L2TP is accepted only once it arrives inside the IPsec tunnel, and add a drop rule for UDP 1701 after it.
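The same seven steps as RouterOS CLI, rendered by a small script so the whole VPN can be pasted into a terminal (or pushed with ssh admin@router < vpn.rsc).  This is an added example, not configuration from the original post: the interface, pool range, local address and user list are parameters, the secrets are generated instead of typed by hand, the AH rule is dropped in favour of ESP only, and the UDP 1701 rule carries the ipsec-policy=in,ipsec matcher followed by a drop for cleartext L2TP.

```shell
#!/bin/sh
# Added example, not part of the original post: renders the RouterOS CLI
# equivalent of the seven WinBox steps above.
# Assumptions: interface/pool/address values are parameters; secrets are
# generated here; L2TP on UDP 1701 is only accepted inside IPsec.

# 24 random bytes as base64, minus characters that would need quoting in RouterOS.
gen_secret() {
    head -c 24 /dev/urandom | base64 | tr -d '\n=/+'
}

# render_l2tp_ipsec WAN POOL_RANGE LOCAL_ADDR PSK user:password [user:password ...]
render_l2tp_ipsec() {
    wan=$1 pool=$2 gw=$3 psk=$4
    shift 4
    cat <<EOF
# Step 1/2: address pool and PPP profile (the router itself is the DNS server)
/ip pool add name=ipsec ranges=$pool
/ppp profile add name=ipsec local-address=$gw remote-address=ipsec dns-server=$gw change-tcp-mss=yes use-encryption=yes
/ip dns set allow-remote-requests=yes
EOF
    # Step 3: one secret per user; MS-CHAPv2 is the only per-user authentication
    for acct in "$@"; do
        printf '/ppp secret add name=%s password="%s" service=l2tp profile=ipsec\n' \
            "${acct%%:*}" "${acct#*:}"
    done
    cat <<EOF
# Step 4: L2TP server with IPsec
/interface l2tp-server server set enabled=yes max-mtu=1460 max-mru=1460 keepalive-timeout=30 default-profile=ipsec authentication=mschap2 use-ipsec=yes ipsec-secret="$psk" caller-id-type=ip-address
# Step 5/6: phase 2 proposal and the catch-all phase 1 peer
/ip ipsec proposal set default name=l2tp-ipsec auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=modp1024
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key secret="$psk" exchange-mode=main-l2tp passive=no send-initial-contact=yes nat-traversal=yes generate-policy=port-override policy-template-group=default proposal-check=obey hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d dpd-interval=2s dpd-maximum-failures=5
# Step 7: input rules on the WAN side (ESP is used, so no AH rule)
/ip firewall filter add chain=input action=accept in-interface=$wan protocol=udp dst-port=500,4500 connection-state=new comment="IKE and NAT-T"
/ip firewall filter add chain=input action=accept in-interface=$wan protocol=ipsec-esp connection-state=new comment="ESP"
/ip firewall filter add chain=input action=accept in-interface=$wan protocol=udp dst-port=1701 ipsec-policy=in,ipsec connection-state=new comment="L2TP only inside IPsec"
/ip firewall filter add chain=input action=drop in-interface=$wan protocol=udp dst-port=1701 comment="cleartext L2TP is never accepted"
EOF
}

# Example invocation with the values from the post and generated secrets.
render_example() {
    psk=$(gen_secret)
    render_l2tp_ipsec ether1 10.0.10.2-10.0.10.99 10.0.10.1 "$psk" \
        "johnsmith:$(gen_secret)"
    echo "# IPsec pre-shared key (give to every client): $psk" >&2
}

if [ "${1:-}" = "--render" ]; then
    render_example
fi
```

Run it with --render and paste the output into a RouterOS terminal; the pre-shared key is printed on stderr so it does not end up in the saved .rsc file.  The accept rules assume the default RouterOS firewall, where an established/related accept rule precedes them and everything else on the WAN input chain is dropped.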
--------------------
Now go to your Mac System Preferences -> Network -> and click on the '+' symbol.  If it is grayed out, click on the lock and enter your administrator password.

Interface: VPN
VPN Type: L2TP over IPSec
Service Name: VPN (Home Router)

Click "+"

Configuration: Default
Server Address: (your router WAN address or DNS)
Account Name: johnsmith

Click Authentication Settings...

User Authentication:
User Password: smitty1234

Machine Authentication:
Shared Secret: homeipsecsecret
Group Name: (blank)

Click OK.

Click Advanced, then under Session Options, check the following:
Disconnect when switching user accounts
Disconnect when user logs out
Send all traffic over VPN connection (provides a 0.0.0.0/0 route via the VPN!)

Click OK. Click Connect.

Enjoy!

Wednesday, April 5, 2017

Puppet Server 2.7.x + Puppet Agent 4.10.x + Foreman 1.15 on CentOS 7


This is really more for my notes after digging through all the various misconfigured puppet versions available. The documentation over on theforeman.org is really all that is required to bring up a puppet server 2.7.x + puppet agent 4.10 + Foreman 1.15 on CentOS 7.3.1611.

  1. Install CentOS Minimal: I provisioned the vm with 4G RAM/40G disk drive/4 core CPU
  2. Install the latest OS updates
    # yum -y update
  3. Install the puppet repository and its accompanying packages
    # yum -y install http://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
    # yum -y install puppetserver puppetdb
  4. Install the epel-release repository
    # yum -y install epel-release
  5. Install theforeman repository
    # yum -y install https://yum.theforeman.org/releases/latest/el7/x86_64/foreman-release.rpm
  6. Install theforeman's installer package
    # yum -y install foreman-installer
  7. Kick off the foreman installer and wait a few minutes -- it will "just work" when it's finished!
    # foreman-installer
    # puppet agent --test

A few notes on upgrading foreman! It's vastly easier to set a version number in
/etc/yum/vars/tfmvers (yum exposes each file in /etc/yum/vars as a variable of the same name), i.e. '1.15', and then reference it as $tfmvers in /etc/yum.repos.d/foreman.repo and foreman-plugins.repo, for example:

[foreman]
name=Foreman $tfmvers - $basearch
baseurl=http://yum.theforeman.org/releases/$tfmvers/el7/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman

[foreman-plugins]
name=Foreman plugins $tfmvers - $basearch
baseurl=http://yum.theforeman.org/plugins/$tfmvers/el7/$basearch
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-foreman


Thus, when upgrading, you can simply echo '1.15' > /etc/yum/vars/tfmvers and then yum update.  It's also possible to use 'latest' or 'nightly' if you're diligent about your updates.  Note that the plugins stanza above carries gpgcheck=0 over plain http, so plugin packages would be installed unverified; set gpgcheck=1 (the key is already referenced) and use the https baseurl that yum.theforeman.org also serves.


Upgrading Foreman
First select the version you'd like to upgrade to.  Foreman upgrades are linear, meaning that you must upgrade incrementally.  So, if you have 1.11 installed, and wish to move to 1.15, you'll need to go to 1.12 first, then from 1.12 to 1.13, then from 1.13 to 1.14, then finally from 1.14 to 1.15.  Sorry, those are the breaks - stay on top of your upgrades (at least monthly, approximately) and you can simply use 'latest' and never have to worry about it!
# echo '1.15' > /etc/yum/vars/tfmvers

-or-
# echo 'latest' > /etc/yum/vars/tfmvers

Clean the yum repository caches
# yum clean all


Stop the foreman, foreman-proxy and httpd services
# systemctl stop foreman foreman-proxy httpd


Trigger a foreman upgrade via yum
# yum upgrade tfm\* ruby\* foreman\* puppet\*


Run the migrate and seed rakes, then clear cache and sessions
# foreman-rake db:migrate
# foreman-rake db:seed
# foreman-rake tmp:cache:clear
# foreman-rake tmp:sessions:clear

Or for those of you who prefer one-liners..


# for i in db:migrate db:seed tmp:cache:clear tmp:sessions:clear; do foreman-rake $i; done

Restart your instance of foreman
# systemctl start foreman foreman-proxy httpd
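The upgrade procedure above as one script, with the "upgrades are linear" rule enforced before anything is touched.  This is an added example, not a script from the Foreman project or the original post; it assumes the /etc/yum/vars/tfmvers variable from the repo snippet above, an rpm-based host, and a Foreman 1.x install (major-version jumps are not handled).

```shell
#!/bin/sh
# Added example, not part of the original post: wraps the upgrade steps in one
# script and refuses non-linear jumps (1.11 -> 1.15 must go through 1.12, 1.13, 1.14).
# Assumes /etc/yum/vars/tfmvers is referenced by the foreman repos and that the
# major version stays at 1.

# next_minor 1.11 -> 1.12
next_minor() {
    printf '%s' "$1" | awk -F. '{ printf "%d.%d", $1, $2 + 1 }'
}

# True when $2 is exactly one minor release above $1.
is_linear_step() {
    [ "$(next_minor "$1")" = "$2" ]
}

# Installed major.minor from the foreman package (1.14.3 -> 1.14).
installed_foreman() {
    v=$(rpm -q --qf '%{VERSION}' foreman) || return 1
    printf '%s' "$v" | awk -F. '{ printf "%d.%d", $1, $2 }'
}

# One upgrade step: refuses anything that is not the next minor version.
foreman_upgrade_to() {
    target=$1
    cur=$(installed_foreman) || return 1
    if ! is_linear_step "$cur" "$target"; then
        echo "refusing $cur -> $target: upgrade to $(next_minor "$cur") first" >&2
        return 1
    fi
    echo "$target" > /etc/yum/vars/tfmvers || return 1
    yum clean all || return 1
    systemctl stop foreman foreman-proxy httpd || return 1
    yum -y upgrade 'tfm*' 'ruby*' 'foreman*' 'puppet*' || return 1
    for task in db:migrate db:seed tmp:cache:clear tmp:sessions:clear; do
        foreman-rake "$task" || return 1
    done
    systemctl start foreman foreman-proxy httpd
}

# Walk from the installed release up to $1 one step at a time.
foreman_upgrade_chain() {
    target=$1
    cur=$(installed_foreman) || return 1
    while [ "${cur#*.}" -lt "${target#*.}" ]; do
        cur=$(next_minor "$cur")
        foreman_upgrade_to "$cur" || return 1
    done
}

if [ "${1:-}" = "--to" ] && [ -n "${2:-}" ]; then
    foreman_upgrade_chain "$2"
fi
```

Invoke it as sh foreman-upgrade.sh --to 1.15; each step stops when a yum or rake command fails, so a broken migration leaves the services stopped rather than silently continuing to the next release.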

That's really all there is to it -- happy provisioning!

Friday, February 24, 2017

Securing Mac OSX 10.12.6 Sierra's OpenSSH Server / Client

I was tasked with a more formal chore of securing a few other alternate systems so I thought I'd look at what OSX 10.12.6 has done in the way of OpenSSH versioning as well as its default configuration.  I was impressed, it's actually not bad!  In fact, as if it weren't obvious, I'm a huge fan (and supporter) of OpenBSD's efforts.  Note that the version compiled in 10.12.6 is actually utilizing OpenBSD's LibreSSL instead of OpenSSL 1.x.bug.ridden.rubbish.  I'm not sure when this happened, but that's a very progressive decision for such a huge vendor to make.  As of this writing, the latest version of OpenSSH is 7.5p1 -- OSX Sierra is at 7.4p1 - well done, Apple!

A few commands to get started that are important.

To get the entire effective configuration (sshd -T prints every keyword, lowercased, with the value in force; this is also the format the config further down is written in):

qmp:~ root# sshd -T


To get the ssh (and sshd) version:

qmp:~ root# ssh -V
OpenSSH_7.4p1, LibreSSL 2.5.0

To get the supported cipher list:

qmp:~ root# ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

To get the supported key exchange algorithms:

qmp:~ root# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org

To get the supported MACs:

qmp:~ root# ssh -Q mac 
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

Here is my suggested configuration as of this writing if you plan to continue using keyboard/password authentication; ideally you should be using public/private keys and set 'passwordauthentication no'.  This is a STRICT configuration that will likely decline most older clients.  You've been advised!  It is written in the lowercased sshd -T form; sshd_config keywords are case-insensitive, so it can be dropped in as-is.

qmp:~ root# cat /etc/ssh/sshd_config

port 22
protocol 2
addressfamily inet
# 127.0.0.1 accepts connections from this machine only; use the address you actually serve on
listenaddress 127.0.0.1:22
usepam yes
serverkeybits 2048
logingracetime 30
keyregenerationinterval 3600
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
streamlocalbindmask 0177
permitrootlogin no
ignorerhosts yes
ignoreuserknownhosts no
rhostsrsaauthentication no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
rsaauthentication no
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication no
gssapicleanupcredentials yes
passwordauthentication yes
kbdinteractiveauthentication yes
challengeresponseauthentication yes
printmotd yes
printlastlog yes
x11forwarding no
x11uselocalhost yes
permittty yes
permituserrc yes
strictmodes yes
tcpkeepalive yes
permitemptypasswords no
permituserenvironment no
uselogin no
compression delayed
gatewayports no
usedns no
allowtcpforwarding no
allowagentforwarding no
allowstreamlocalforwarding no
streamlocalbindunlink no
useprivilegeseparation sandbox
fingerprinthash SHA512
pidfile /var/run/sshd.pid
xauthlocation xauth
ciphers chacha20-poly1305@openssh.com
macs hmac-sha2-512-etm@openssh.com
versionaddendum none
kexalgorithms curve25519-sha256@libssh.org
hostbasedacceptedkeytypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
hostkeyalgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
pubkeyacceptedkeytypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
loglevel INFO
syslogfacility AUTH
authorizedkeysfile .ssh/authorized_keys
hostkey /etc/ssh/ssh_host_ed25519_key
acceptenv LANG
acceptenv LC_*
authenticationmethods any
subsystem sftp /usr/libexec/sftp-server
maxstartups 10:30:100
permittunnel no
ipqos lowdelay throughput
rekeylimit 0 0
permitopen 127.0.0.1:1

A few of the lines above (protocol, serverkeybits, keyregenerationinterval, rsaauthentication, rhostsrsaauthentication, uselogin) are SSH protocol 1 leftovers: sshd 7.4 dropped protocol 1 on the server side and ignores them (logging them as deprecated), so they can be removed without changing anything.  After editing, run sshd -t to syntax-check and sshd -T to confirm the effective values before restarting the service.

/etc/ssh/moduli is only consulted by the diffie-hellman-group-exchange-* key exchanges; it plays no part in the AES-GCM or ChaCha20 ciphers, and with the curve25519-only kexalgorithms line above it is never read.  If you re-enable diffie-hellman-group-exchange-sha256 for older clients, filter /etc/ssh/moduli to remove anything < 4095 bits; you'll be left with about 118 entries.
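A way to check that a running sshd actually matches the strict settings above, rather than trusting the file on disk: feed the sshd -T dump to a small awk audit.  This is an added example, not from the original post or from OpenSSH; the allow-lists are this example's choice (the post's values plus the AES-GCM ciphers and hmac-sha2-256-etm) and it demands passwordauthentication no, which the post leaves on.  The sample dump embedded below is constructed for the self-check, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: audits an `sshd -T` dump
# against the strict settings above and prints one FAIL line per deviation.
#   sshd -T | sh sshd-audit.sh --stdin
# Exit status is the number of deviations, so it can gate a config rollout.

audit_sshd() {
    awk '
    function fail(k, v) { print "FAIL " k " " v; n++ }
    function want(k, v) {
        if (cfg[k] != v) fail(k, cfg[k] == "" ? "(unset)" : cfg[k])
    }
    # every entry of a comma-separated list must be in the allow set
    function only(k, allowed,   i, m, parts) {
        if (cfg[k] == "") { fail(k, "(unset)"); return }
        m = split(cfg[k], parts, ",")
        for (i = 1; i <= m; i++)
            if (index("," allowed ",", "," parts[i] ",") == 0) fail(k, parts[i])
    }
    # sshd -T prints "keyword value" per line, keywords already lowercased
    { key = tolower($1); $1 = ""; sub(/^ /, ""); cfg[key] = $0 }
    END {
        want("permitrootlogin", "no")
        want("passwordauthentication", "no")   # keys only (the post leaves this on)
        want("permitemptypasswords", "no")
        want("x11forwarding", "no")
        want("allowtcpforwarding", "no")
        want("allowagentforwarding", "no")
        want("useprivilegeseparation", "sandbox")
        only("ciphers", "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com")
        only("macs", "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com")
        only("kexalgorithms", "curve25519-sha256@libssh.org,curve25519-sha256")
        only("hostkeyalgorithms", "ssh-ed25519-cert-v01@openssh.com,ssh-ed25519")
        exit n
    }'
}

# Constructed sample (not captured from a host) resembling a stock sshd -T dump.
SAMPLE_DEFAULT='permitrootlogin prohibit-password
passwordauthentication yes
permitemptypasswords no
x11forwarding yes
allowtcpforwarding yes
allowagentforwarding yes
useprivilegeseparation sandbox
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa'

case "${1:-}" in
    --stdin) audit_sshd ;;
    --demo)  printf '%s\n' "$SAMPLE_DEFAULT" | audit_sshd ;;
esac
```

Running it with --demo against the constructed stock-like dump lists the CBC/CTR ciphers, the umac MAC, the NIST and group14 key exchanges, the RSA host key types and the permissive forwarding and root-login values; against a host running the strict config above with password authentication turned off it prints nothing and exits 0.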

Happy hardening!