Tuesday, July 16, 2024

Fortigate Explicit proxy for SSH

Lately, in my day job I'm doing a lot of proxy diagnostics and work mainly with Bluecoat. I want to show you how we can set up an SSH proxy on a FortiGate.

1st

The generic cfg is required:

# it's important that you have an interface set for explicit proxy, and the ssh client needs to be able to reach it on the proxy-server port

config system interface
    edit "wan2"
        set vdom "root"
        set ip 209.xxxxx.2 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set explicit-web-proxy enable
        set alias "internet uplink #2 XO "
        set role wan
        set snmp-index 4
    next
end


Here's a basic proxy cfg:

config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set http-incoming-port 3128
    set https-incoming-port 3128
    set pac-file-server-status enable
    set pac-file-server-port 7888
    set pac-file-name "myorgproxy.pac"
end



Here's a simple proxy-policy rule:

# the proxy-policy must say "set proxy ssh" in order to proxy ssh

config firewall proxy-policy
    edit 1
        set uuid 17517cfa-e15d-51ee-e807-fe331ad5ba2d
        set name "ssh out demo socpuppets"
        set proxy ssh
        set dstintf "upg-zone-wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
    next
end



Now on unix/linux/macOS you need to set your ssh client up to use the proxy and send an HTTP CONNECT. The simplest way is to define a .ssh/config file, e.g.

.ssh/config

Host lg.homenoc.ad.jp
    ProxyCommand          nc -X connect -x 209.xxx.xxx.2:3128 %h %p
    ServerAliveInterval   15

Host route-server.ip.att.net
    ProxyCommand          nc -X connect -x 209.xxx.xxx.2:3128 %h %p
    ServerAliveInterval   15

# note: -X connect / -x are OpenBSD netcat options (the nc shipped with macOS and the openbsd-netcat package on linux); the traditional GNU netcat does not have them
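For hosts where netcat lacks those options, here is an added example (my own, not from the post) of what the ProxyCommand line actually does: open a TCP connection to the explicit proxy, send `CONNECT host:port`, check for a 2xx reply, and then pump bytes between ssh and the tunnel. The script name ssh_connect_proxy.py is an assumption, and the fake proxy at the bottom is a constructed test double (not a FortiGate) so the file can be exercised offline.

```python
#!/usr/bin/env python3
"""Added example (not from the post): a minimal HTTP CONNECT ProxyCommand.

Does what `nc -X connect -x 209.xxx.xxx.2:3128 %h %p` does in the .ssh/config
above, for hosts whose netcat lacks the OpenBSD -X/-x options. Assumed usage:

    ProxyCommand python3 ssh_connect_proxy.py 209.xxx.xxx.2 3128 %h %p

The script name is an assumption; the fake proxy at the bottom is a test
double, not a FortiGate.
"""
import socket
import sys
import threading

MAX_HEAD = 16 * 1024   # refuse absurdly large proxy replies


def parse_status_line(line: bytes) -> int:
    """b'HTTP/1.1 200 Connection established' -> 200; ValueError if malformed."""
    parts = line.decode("iso-8859-1", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1])


def read_head(sock: socket.socket) -> bytes:
    """Read until the blank line that ends an HTTP request/response head."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection before the head was complete")
        buf += chunk
        if len(buf) > MAX_HEAD:
            raise ValueError("HTTP head too large")
    return buf.split(b"\r\n\r\n", 1)[0]


def open_connect_tunnel(proxy_host, proxy_port, dest_host, dest_port, timeout=10.0):
    """Send CONNECT through the explicit proxy; return the socket once the proxy
    answers 2xx. Any other status means the proxy refused the tunnel, which on
    the FortiGate usually points at the proxy-policy (no `set proxy ssh`, or
    the destination is not covered)."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    target = f"{dest_host}:{dest_port}"
    sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
    head = read_head(sock)
    status = parse_status_line(head.split(b"\r\n", 1)[0])
    if not 200 <= status < 300:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT {target}: {head!r}")
    sock.settimeout(None)
    return sock


def relay(sock: socket.socket) -> None:
    """Pump bytes between ssh (our stdin/stdout) and the tunnel socket."""
    def stdin_to_sock():
        for chunk in iter(lambda: sys.stdin.buffer.read1(65536), b""):
            sock.sendall(chunk)
        try:
            sock.shutdown(socket.SHUT_WR)
        except OSError:
            pass
    threading.Thread(target=stdin_to_sock, daemon=True).start()
    for chunk in iter(lambda: sock.recv(65536), b""):
        sys.stdout.buffer.write(chunk)
        sys.stdout.buffer.flush()


def start_fake_proxy(status_line=b"HTTP/1.1 200 Connection established"):
    """Constructed test double: accepts one CONNECT on 127.0.0.1, records the
    requested target in `seen`, replies with `status_line`, then echoes
    whatever the client sends. Returns (port, seen)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            head = read_head(conn)
            seen.append(head.split(b"\r\n")[0].split(b" ")[1].decode())
            conn.sendall(status_line + b"\r\n\r\n")
            for chunk in iter(lambda: conn.recv(4096), b""):
                conn.sendall(chunk)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


if __name__ == "__main__":
    proxy_host, proxy_port, dest_host, dest_port = sys.argv[1:5]
    relay(open_connect_tunnel(proxy_host, int(proxy_port), dest_host, int(dest_port)))
```

A non-2xx answer from the proxy is treated as a hard failure rather than silently continuing, so ssh reports the proxy's reply instead of hanging on a half-open tunnel; that reply is the first thing to look at when the proxy-policy above does not match.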


 

Now let's look at some diagnostic output 







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \




Tuesday, June 4, 2024

Postman integration into Bitbucket

Here's a quick demo of how we can back up our Postman collections into Bitbucket.

The 1st thing you will need is a repository and a project defined.

Next, navigate to https://bitbucket.org/account/settings/ and create an app password.

Ensure you set permissions for read and write, and scope the app password to only what the integration needs.

Record the generated app password; you will need it later on in Postman.

In Postman, open the workspace, go to Integrations and select the option to back up to Bitbucket.

The next steps are straightforward: you select the repository, collection, etc.

Once you have it all functional, just make changes in the collection and verify within Bitbucket under the repository's commits.







Tuesday, April 30, 2024

Random usernames generation

When I left the US military, I worked as a contractor for IBM. One thing that I realized was:

  •     my username was a random user
  •     you could not reasonably figure out a person's username based on their given name
  •     targeting by brute-forcing someone's password is next to impossible

So in the current climate, a lot of orgs are deploying a separate admin account.

e.g. Ken Felix would have

   kfelix@example.com

    and

   kfelix.admin@example.com

   or

   adm.kfelix@example.com


The problem with the last two is that they resemble my name. A better approach would use a username that could not reasonably be derived by knowing the individual "Ken Felix".

e.g.

 eng09lk3@example.com

or

 sedawkdaddy@example.com

Here lies the problem: it would be harder for you to remember these usernames, and for sure the former two.

By using random usernames you can easily spot a brute-force attempt when you see login failures against guessable names such as admin@example.com, sales@example.com or ithelp@example.com, since no real account carries those names.

A decade back, I worked with a group from Canada that was looking at a one-time username (OTU). These were short-lived usernames that were crafted for limited access. The idea was for a system where an engineer would need access to execute maybe a handful of jobs and not need access to said system again for maybe 2-10-12 months later. They still had a low-privilege account, but for the sudo/su/admin function, an OTU+OTP pair was generated and, once used, destroyed.

Think of the movie series Mission Impossible.

This concept was briefly considered, but certificate-based access with revocation was easier to manage.

With certificate-based access you could have multiple certificates+passphrases for a wide range of systems. These same certificates could be used for browser WebUI access. If any one is compromised, a certificate revocation will be issued. If you wanted to limit the time-for-use, you sign the certificates with a short expiration (i.e. 1 week vs 1 year).

So keep in mind that username+password is the combination that security depends on. If one knows the username, they already have part of the account to be cracked.
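As an added example (my own code, not from the post), here is the username style the post recommends done in code: draw a random local part from a CSPRNG, reject any candidate that contains a fragment of the account holder's name (so kfelix, kfelix.admin and adm.kfelix style names never come out), and, on the detection side, pick out failed logins against the generic names the post lists. The function names and the sample login list are assumptions constructed for this example.

```python
"""Added example, not from the post: random, non-name-derived usernames in
the eng09lk3 style, plus the brute-force signal the post describes (failed
logins against generic names no real account uses). Uses the secrets module
(a CSPRNG), not random."""
import re
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits   # lowercase letters and digits, like eng09lk3


def name_tokens(full_name):
    """Pieces of a name that a guesser would try: each name part, the initials,
    and first-initial+last-name style joins. 'Ken Felix' yields ken, felix,
    kfelix, kenf, kenfelix, felixken, felixk and kf. Single letters are dropped
    because they would match almost any string."""
    parts = [p for p in re.split(r"[^a-z]+", full_name.lower()) if p]
    tokens = set(parts)
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        tokens |= {first[0] + last, first + last[0], first + last,
                   last + first, last + first[0], first[0] + last[0]}
    return {t for t in tokens if len(t) >= 2}


def looks_name_derived(username, full_name):
    """True when any name token appears in the local part of the address.
    Separators such as '.' and '_' are ignored, so adm.kfelix still matches."""
    local = re.sub(r"[^a-z0-9]", "", username.split("@", 1)[0].lower())
    return any(tok in local for tok in name_tokens(full_name))


def random_username(full_name, domain, length=8, prefix=""):
    """Return prefix + random body @ domain, redrawing if the body happens to
    contain a name token. `prefix` lets a team tag survive, as in eng09lk3."""
    body_len = length - len(prefix)
    if body_len < 4:
        raise ValueError("too short to be meaningfully random")
    for _ in range(50):
        body = "".join(secrets.choice(ALPHABET) for _ in range(body_len))
        candidate = f"{prefix}{body}@{domain}"
        if not looks_name_derived(candidate, full_name):
            return candidate
    raise RuntimeError("could not find a non-name-derived candidate")


GENERIC_ACCOUNTS = {"admin", "sales", "ithelp"}   # the guessable names the post mentions


def guessed_accounts(failed_logins):
    """Given the usernames from failed login events (constructed input in the
    test), return the generic ones. With random usernames in place, failures
    against these names are the brute-force signal the post describes."""
    return sorted({u.split("@", 1)[0].lower() for u in failed_logins} & GENERIC_ACCOUNTS)
```

The token check is deliberately substring-based: a name fragment anywhere in the local part is enough to reject the candidate, which is stricter than the post's examples need but costs nothing beyond an occasional redraw.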









Wednesday, March 13, 2024

FortiGate as an explicit proxy v7.2.x

In this post, we will explore explicit proxy setup and diagnostics in v7.2, since it has some simple changes.

  • this is a non-authenticated proxy
  • I have the proxy client range limited to a single PC for this blog posting
  • http/https
  • port 3128

Okay, let's enable the proxy on an SD-WAN interface and globally.

config system interface
    edit "wan2"
        set vdom "root"
        set ip 20.14.20.2 255.255.255.240
        set allowaccess ping
        set type physical
        set explicit-web-proxy enable
        set alias "internet2 XO"
        set role wan
        set snmp-index 4
    next
end


and


config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set http-incoming-port 3128
    set https-incoming-port 3128
    set pac-file-server-status enable
    set pac-file-server-port 7888
    set pac-file-name "socpuppetproxyaccessconf"
end



Now for policy creation: FortiOS uses a proxy-policy for explicit proxy traffic.


config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "upg-zone-wan2"
        set srcaddr "HOME_PC"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end



Diagnostics tips

If you are getting a timeout, and by using diag sniffer packet any "port 3128" you see no packets, your problem is way before the proxy. Fix your local issues 1st.

This is most likely a local firewall, a downstream firewall/filter, or other filtering. Also ensure the client has the right proxy IP and port number.

Helpful diagnostic cmds

diagnose wad stats common.ses_stats

diag wad worker policy # p_id:xxxx ( the xxxx would be your policy id )

diag wad session list

diag wad debug enable all # this will generate a lot of messages, so turn debugging back off when you are done
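The sniffer test above is a decision tree: no packets at all means the problem is before the FortiGate, SYNs with no SYN-ACK means nothing is listening on that interface/port, and a completed handshake means TCP is fine and the proxy-policy or wad sessions are the next stop. As an added example (my own code, not Fortinet's), here is that tree applied to a pasted capture. The line layout it parses is an assumption modelled on the sniffer's verbose level 4 output, and the three sample captures, the client address 192.0.2.50 and the sequence numbers are constructed; the proxy address 20.14.20.2 is the wan2 address from the config above.

```python
"""Added example, not Fortinet's code: a small parser for the lines that
`diag sniffer packet any "port 3128"` prints, turning a capture into the
verdicts the diagnostics tips above describe. The line layout
(`<time> [<iface> in|out] <src>.<sport> -> <dst>.<dport>: <tcp flags ...>`)
is an assumption modelled on FortiOS sniffer output at verbose level 4; the
sample captures, the client address 192.0.2.50 and the sequence numbers are
constructed. The proxy address 20.14.20.2 is the wan2 address from the post."""
import re
from collections import Counter

PACKET = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# Constructed captures for the three situations the tips describe.
CAPTURE_NOTHING = "interfaces=[any]\nfilters=[port 3128]\n"
CAPTURE_NO_LISTENER = CAPTURE_NOTHING + (
    "1.003120 wan2 in 192.0.2.50.51234 -> 20.14.20.2.3128: syn 3216440195\n"
    "2.007455 wan2 in 192.0.2.50.51234 -> 20.14.20.2.3128: syn 3216440195\n"
    "4.015890 wan2 in 192.0.2.50.51234 -> 20.14.20.2.3128: syn 3216440195\n"
)
CAPTURE_HANDSHAKE = CAPTURE_NOTHING + (
    "2.118045 wan2 in 192.0.2.50.51234 -> 20.14.20.2.3128: syn 3216440195\n"
    "2.118101 wan2 out 20.14.20.2.3128 -> 192.0.2.50.51234: syn 918273645 ack 3216440196\n"
    "2.120530 wan2 in 192.0.2.50.51234 -> 20.14.20.2.3128: ack 918273646\n"
    "2.120611 wan2 in 192.0.2.50.51234 -> 20.14.20.2.3128: psh 3216440196 ack 918273646\n"
)


def parse_sniffer(text):
    """Yield one dict per packet line; header lines (interfaces=, filters=) and
    anything else that does not match are skipped."""
    for raw in text.splitlines():
        m = PACKET.match(raw.strip())
        if not m:
            continue
        pkt = m.groupdict()
        pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
        flags = set(pkt["rest"].split())
        pkt["syn"], pkt["ack"] = "syn" in flags, "ack" in flags
        yield pkt


def handshake_summary(text, proxy_ip, proxy_port=3128):
    """Count packets to and from the proxy listener, and the SYN / SYN-ACK
    halves of the TCP handshake in particular."""
    c = Counter()
    for p in parse_sniffer(text):
        if p["dst"] == proxy_ip and p["dport"] == proxy_port:
            c["to_proxy"] += 1
            if p["syn"] and not p["ack"]:
                c["syn"] += 1
        elif p["src"] == proxy_ip and p["sport"] == proxy_port:
            c["from_proxy"] += 1
            if p["syn"] and p["ack"]:
                c["synack"] += 1
    return c


def verdict(text, proxy_ip, proxy_port=3128):
    """Map a capture to the next place to look:
    before-proxy  nothing reached the FortiGate: local firewall, downstream
                  filters, or the client has the wrong proxy IP/port
    no-listener   SYNs arrive but the proxy never answers: check
                  explicit-web-proxy on the interface, web-proxy explicit
                  status, and the incoming port
    tcp-ok        handshake completes, so TCP is fine: move on to the
                  proxy-policy and `diag wad session list`"""
    c = handshake_summary(text, proxy_ip, proxy_port)
    if c["to_proxy"] == 0:
        return "before-proxy"
    if c["syn"] and not c["synack"]:
        return "no-listener"
    return "tcp-ok"
```

Feed it the sniffer output pasted from the CLI and the wan2 address; passing a different proxy_port than the one in the capture filter correctly yields before-proxy, which is the same symptom a client pointed at the wrong port produces.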




