Proxies and python

 Okay I've been working in a role that has me neck up and engaged with end users mainly developers that are using proxies. So traffic to the internet is controlled by calling up an explicit proxy. 

What I've been finding out, their code needs to set and call the proxy when making the callout.

# sample python code with certification error disable

import requests

import ssl

proxies = {
           'http': 'http://172.16.23.1:80',
           'https': 'http://172.16.23.1:80'
              }

ssl._create_default_https_context = ssl._create_unverified_context

url = 'https://login.microsoft.com'
response = requests.get(url, proxies=proxies )
print(response)

NSE ( network security expert) and Route/Switching Engineer

kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^

=(  @  @ )=

         o

        /  \

Fortigate Explicit proxy for SSH

lately, in my day job I'm doing a lot of proxy diagnostics and work mainly with Bluecoat. I want to show you how we can set a ssh proxy within a FortiGate

1st

The generic cfg is required;

# it's important that you have an interface set for explicit proxy and ssh-client needs to be able to reach it and the proxy-server port

config system interface

    edit "wan2"

        set vdom "root"

        set ip 209.xxxxx.2 255.255.255.0

        set allowaccess ping https ssh snmp

        set type physical

        set explicit-web-proxy enable

        set alias "internet uplink #2 XO "

        set role wan

        set snmp-index 4

    next

end

Here's a basic proxy-cfg

config web-proxy explicit

    set status enable

    set ftp-over-http enable

    set http-incoming-port 3128

    set https-incoming-port 3128

    set pac-file-server-status enable

    set pac-file-server-port 7888

    set pac-file-name "myorgproxy.pac"

end

Here's a simple proxy-cfg rule

# the proxy rule must say "ssh" in order to proxy ssh

config firewall proxy-policy

    edit 1

        set uuid 17517cfa-e15d-51ee-e807-fe331ad5ba2d

        set name "ssh out demo socpuppets"

        set proxy ssh

        set dstintf "upg-zone-wan2"

        set srcaddr "all"

        set dstaddr "all"

        set action accept

        set schedule "always"

        set logtraffic all

        set utm-status enable

    next

end

Now in unix/linux/macSOX you need to set your ssh client up to use the proxy and send a CONNECT. The simplest way is to define a .ssh/config file

e.g

 

.ssh/config

Host lg.homenoc.ad.jp

    ProxyCommand          nc -X connect -x 209.xxx.xxx.2:3128 %h %p

    ServerAliveInterval   15

Host route-server.ip.att.net

    ProxyCommand          nc -X connect -x 209.xxx.xxx.2:3128 %h %p

    ServerAliveInterval   15

 

Now let's look at some diagnostic output 

NSE ( network security expert) and Route/Switching Engineer

kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^

=(  @  @ )=

         o

        /  \

Postman integration into bitbucket

Here's a quick demo of how we can back up our PostMan Collections into bitbucket

The 1st things you will need to have a repository and project-define

Next, navigate to https://bitbucket.org/account/settings/ and create a app password

ensure you set permission for read and write

record the generated app-password you will need that later on in postman

In postman, you will need to open the workspace +integrations and select the option backup to bitbucket

The next steps are straightforward, you will select the repository/collection/etc....

Once you have it all functional, just make changes in the collection and verify within bitbucket under the repository and commits

NSE ( network security expert) and Route/Switching Engineer

kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^

=(  @  @ )=

         o

        /  \

Random usernames generation

When I left the US military, I worked as a contractor for IBM. One thing that I realized was;

•     my username was a random user
•     you could not reasonably figure out a person's username based on their givenname
•     targeting by brute-forcing of one's  passwords is next to impossible

So in the current temperature, a lot of ORGs are deploying an admin account

e.g Ken Felix would have

   kfelix@example.com

    and

   kfelix.admin@example.com

   or 

   adm.kfelix@example.com

The problem with the last 2, they resemble my name. A better approach would have a username that could not reasonably derived by knowing the individual "Ken Felix"

e.g 

 eng09lk3@example.com

or

 sedawkdaddy@example.com

Here lays the problem, it would be harder for you to remember these usernames, and for sure the former two.

By using a random username you can easily determine when a brute-force & when you see login-failures such as admin@example.com , sales@example.com or ithelp@example.com

A decade back, I worked with a group from Canada that was looking at a one-time username ( OTU ) . These were short-lived usernames that were crafted for limited access. The ideal was for the system where an engineer would need access to execute maybe a handful of jobs and not need access to said system for maybe 2-10-12 months later. They still had a low-privilege account, but for the sudo/su/admin function, OTU+OTP was generated and once used, destroyed.

Think of the movie series Mission Impossible

This concept was briefly considered but a certificate-based access with revocation was easier to manage.

With certificate based you could have multiple certificate+passphrases for a wide range of systems. These same certificates could be used for browser webUI access. If anyone is compromised, a certificate revocation will be issued. If you wanted to limit the time-for-use, you sign the certificates with a short expiration ( i.e 1week vs 1 year ) 

So keep in mind that username+password is the combination and success for security. If one knows the username, they have part of the account to be cracked.

NSE ( network security expert) and Route/Switching Engineer

kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^

=(  @  @ )=

         o

        /  \

Fortigate as a explicit proxy v7.2.x

In this post, we will explore explicit proxy setup and diagnostics in v7.2 since it has some simple changes

• this is non-authentication proxy
• I have the proxy client ranges limited to a single PC for this blog posting
• http/https  
• port 3128 

Okay let's enable proxy on an SDWAN interface and globally 

config system interface

    edit "wan2"

        set vdom "root"

        set ip 20.14.20.2 255.255.255.240

        set allowaccess ping  

        set type physical

        set explicit-web-proxy enable

        set alias "internet2 XO"

        set role wan

        set snmp-index 4

    next

end

and

config web-proxy explicit

    set status enable

    set ftp-over-http enable

    set http-incoming-port 3128

    set https-incoming-port 3128

    set pac-file-server-status enable

    set pac-file-server-port 7888

    set pac-file-name "socpuppetproxyaccessconf"

end

Now for our policy creation, the fortiOS uses proxy-policy 

config firewall proxy-policy

    edit 1

        set proxy explicit-web

        set dstintf "upg-zone-wan2"

        set srcaddr "HOME_PC"

        set dstaddr "all"

        set service "webproxy"

        set action accept

        set schedule "always"

        set logtraffic all

    next

end

Diagnostics tips

If you are getting timeout , any by using the "diag sniffer packet any "port 3128"  you see no packets, your problem is way before the proxy. Fix your local issues 1st. 

This is most likely a local firewall, downstream firewall/filters, or filtering. Also ensure the client has the right proxy IP and port#.

Helpful diagnostics cmds

diagnose wad stats common.ses_stats

diag wad worker policy # p_id:xxxx ( the xxxx would be your policy id )

diag wad session list 

diag wad debug enable all # this will generate a lot of messages

NSE ( network security expert) and Route/Switching Engineer

kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^

=(  @  @ )=

         o

        /  \