Entries Tagged as 'Security'

FortiClient can’t connect over dial-up VPN to remote site

After upgrading from 5.2.x or 5.4.x to 5.6.2, FortiClient VPN clients connected to a FortiGate may no longer be able to reach a remote site over the site-to-site VPN from that FortiGate.
The local LAN is accessible, but the remote LAN is not.

It seems there is a routing issue in FortiOS 5.6.2. If you run

# execute traceroute <ip-address>

you will see that the first hop is an IP address that is not defined on the dial-up FortiGate.

You must add a static route at the remote site for the IP range of the IPsec client addresses.

With

# diagnose sniffer packet <interface> 'host <ip-address>'

you should see the ping request and reply on both the source FortiGate and the remote FortiGate.

Stop DHCP INFORM flooding

Background

Windows 7, among others, asks for proxy settings (WPAD, DHCP option 252) via DHCP. The problem is that these clients keep asking until they receive an answer, so the log fills up with these requests; an example is shown below.

2017:07:30-00:12:03 firewall-1 dhcpd: DHCPINFORM from 192.168.188.213 via eth3
2017:07:30-00:12:03 firewall-1 dhcpd: DHCPACK to 192.168.188.213 (00:50:56:ab:38:53) via eth3

2017:07:30-00:14:03 firewall-1 dhcpd: DHCPACK to 192.168.188.213 (00:50:56:ab:38:53) via eth3
2017:07:30-00:14:03 firewall-1 dhcpd: DHCPINFORM from 192.168.188.213 via eth4

Add the following option to the DHCP server configuration (dnsmasq syntax); it answers option 252 with an empty value so the clients stop asking:

dhcp-option=252,"\n"

Initial setup FortiGate VM

config system interface
  edit port1
    set ip 192.168.0.100 255.255.255.0
    append allowaccess http
  next
end

config router static
  edit 1
    set device port1
    set gateway <gateway-ip>
  next
end

FortiGate get update status via CLI

To get the update status from a FortiGate via the CLI:

get sys perf stat

FortiGate access slave in HA mode

To switch from the primary to the secondary FortiGate:

execute ha manage 1


To switch back from the secondary to the primary:

execute ha manage 0


Sophos HA slaves stuck in Syncing.

Step 1: Log in to the master node and su to root
Step 2: Open a second SSH window, log in to the master again and su to root
Step 3: In the 2nd window, enter: ha_utils ssh
Step 4: In the 2nd window, log in to the slave as loginuser, then su to root
Step 5: In both SSH windows, enter: killall repctl
Step 6: In both SSH windows, enter: /etc/init.d/postgresql92 rebuild
Step 7: After the database rebuild finishes, enter in both SSH windows: repctl

Now reboot the slave.

NOTE: You’ll lose reporting data for the elapsed time.

Change switch mode to interface mode on a FortiGate

There are three steps involved in this process.

  1. Complete the prerequisites
  2. Change the mode from Switch mode to interface mode
  3. Configure the network and allow access to a particular network port.

FGxxxxxxxxxxxxxx # config system global
FGxxxxxxxxxxxxxx # set internalswitch-mode interface
FGxxxxxxxxxxxxxx # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n) y

FGxxxxxxxxxxxxxx #

Rename default admin account in Fortinet appliances

A good practice to harden a firewall is to rename its default administrator account. On a FortiGate the default administrator username is admin. If you leave it as ‘admin’, an attacker brute-forcing the login already knows half of the credentials and only has to guess the password.

This tutorial shows how to rename the default ‘admin’ on a Fortinet box (FortiMail, FortiGate firewall, …).

These steps are done from the command line. The best way to manage Fortinet devices is via SSH or a serial terminal.

Fortinet will not let you rename the account you are currently logged in with. Assuming you are logged in as the default “admin”, you cannot rename “admin” to “yourname” while logged in as “admin”; reasonable, isn’t it?

  • So, the first step is to create a new administrator account.
  • Next, log in using the new account.
  • Finally, from the new account, run the rename command to change “admin” to something else.

Create new administrator account on Fortinet

Do these steps while logged in as “admin” with full privileges:

CUSTOMER_FW01 # config system admin
CUSTOMER_FW01 (admin) # edit newadmin
new entry 'newadmin' added

CUSTOMER_FW01 (newadmin) # set password Myn3w-password
CUSTOMER_FW01 (newadmin) # set accprofile super_admin
CUSTOMER_FW01 (newadmin) # end
CUSTOMER_FW01 # exit
Auto backup config ...
login.c-__config

CUSTOMER_FW01 login: newadmin
Password: **************
Welcome !

CUSTOMER_FW01 #

Rename Fortinet default “admin”

To rename your Fortinet default “admin”, follow these steps:

CUSTOMER_FW01 # config system admin
CUSTOMER_FW01 (admin) # rename admin to nimda
CUSTOMER_FW01 (admin) #

Nmap Cheat Sheet

Nmap Target Selection

Scan a single IP: nmap 192.168.10.1
Scan a host: nmap www.testhost.com
Scan a range of IPs: nmap 192.168.10.1-20
Scan a subnet: nmap 192.168.10.0/24
Scan targets from a text file: nmap -iL list-of-ips.txt

Nmap Port Selection

Scan a single port: nmap -p 22 192.168.10.1
Scan a range of ports: nmap -p 1-100 192.168.10.1
Scan the 100 most common ports (fast): nmap -F 192.168.10.1
Scan all 65535 ports: nmap -p- 192.168.10.1

Nmap Port Scan Types

Scan using TCP connect: nmap -sT 192.168.10.1
Scan using TCP SYN scan (default): nmap -sS 192.168.10.1
Scan UDP ports: nmap -sU -p 123,161,162 192.168.10.1
Scan selected ports, skipping host discovery: nmap -Pn -F 192.168.10.1

Service and OS Detection

Detect OS and services: nmap -A 192.168.10.1
Standard service detection: nmap -sV 192.168.10.1
More aggressive service detection: nmap -sV --version-intensity 5 192.168.10.1
Lighter banner-grabbing detection: nmap -sV --version-intensity 0 192.168.10.1

Nmap Output Formats

Save default output to a file: nmap -oN outputfile.txt 192.168.10.1
Save results as XML: nmap -oX outputfile.xml 192.168.10.1
Save results in a greppable format: nmap -oG outputfile.txt 192.168.10.1
Save in all formats: nmap -oA outputfile 192.168.10.1

Digging Deeper with NSE Scripts

Scan using the default safe scripts: nmap -sV -sC 192.168.10.1
Get help for a script: nmap --script-help=ssl-heartbleed
Scan using a specific NSE script: nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.10.1
Scan with a set of scripts: nmap -sV --script=smb* 192.168.10.1

A Scan to Search for DDoS Reflection UDP Services

Scan for UDP DDoS reflectors: nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.10.0/24

HTTP Service Information

Gather page titles from HTTP services: nmap --script=http-title 192.168.10.0/24
Get HTTP headers of web services: nmap --script=http-headers 192.168.10.0/24
Find web apps from known paths: nmap --script=http-enum 192.168.10.0/24

Detect Heartbleed SSL Vulnerability

Heartbleed testing: nmap -sV -p 443 --script=ssl-heartbleed 192.168.10.0/24

IP Address Information

Find information about an IP address: nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.10.0/24


Secure SSH with Google Authenticator Two-Factor Authentication on CentOS 7

First of all, install the open source Google Authenticator PAM module and run its setup tool for the user by executing the following commands on the shell.

# yum install google-authenticator
# google-authenticator

The next step is to change some files, starting with /etc/pam.d/sshd. Add the following line at the top:

auth required pam_google_authenticator.so

The file then looks like this:

auth required pam_google_authenticator.so
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth

Additionally, you can add the following line. It allows logging in from the local network without a verification code; place it directly above the pam_google_authenticator.so line, because success=1 skips the module that follows it:

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf

Content of /etc/security/access-local.conf:

# Google Authenticator can be skipped on local network
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
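As an added example (not from the original post), a Python model of how pam_access evaluates the access-local.conf above: first matching rule wins, a '+' match makes success=1 skip the OTP module, and no match at all means permit, which is why the trailing "- : ALL : ALL" line matters. The LOCAL handling is a simplifying assumption.

```python
import ipaddress

# Constructed copy of the /etc/security/access-local.conf shown above.
ACCESS_LOCAL_CONF = """\
# Google Authenticator can be skipped on local network
+ : ALL : 192.168.1.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""


def parse_rules(text):
    """Return (permission, users, origins) tuples in file order; comments skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def origin_matches(pattern, origin):
    """Subset of pam_access origin matching: ALL, LOCAL, CIDR network, exact string.
    Assumption: LOCAL is modelled as an origin without a dot (console/tty login)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in origin
    if "/" in pattern:
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == origin


def otp_skipped(user, origin, conf=ACCESS_LOCAL_CONF):
    """True when pam_access grants the login (a '+' rule is the first match); with
    [success=1 default=ignore] that jumps over pam_google_authenticator.so.
    A '-' match is ignored by default=ignore, so the OTP prompt stays in place."""
    for perm, users, origins in parse_rules(conf):
        if ("ALL" in users or user in users) and any(origin_matches(p, origin) for p in origins):
            return perm == "+"
    return True  # no rule matched: pam_access defaults to permit, so the OTP is skipped
```

Run otp_skipped("alice", "10.0.0.5", "+ : ALL : 192.168.1.0/24\n") to see that without the final deny line every remote address bypasses the OTP.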

Next, edit /etc/ssh/sshd_config. Add the following line, or if it is already present, set the parameter to “yes”:

ChallengeResponseAuthentication yes

Now restart the SSH service with the following command:

# service sshd restart