
SSH key based authentication secure and convenient or is it?

Is SSH key based authentication secure and convenient? It seems obvious that it is: there are no passwords to be guessed or to be changed all the time, and logging on to servers is much faster. But when done improperly it isn't as safe and secure as it would seem.

The issue

The issue appears when you log on to SSH servers with authentication agent forwarding enabled, for the convenience of jumping from host to host with the same key. See nothing wrong with it? Still seems all good and secure? Well, it is not that secure any more: as soon as the convenience of agent forwarding comes into play, a little issue arises that a lot of people do not think about. Namely, the key you used to authenticate to the server is now usable by others on that server. Not in the sense that they could copy it, but they can use it to authenticate to other servers where your key is valid and that are reachable from that server. Although it requires escalated privileges to get access to it, it is still a problem. So where is this access point located? The forwarded agent socket, through which the key gets used, goes to the /tmp/ folder, as the following example from my test machine shows:

huxx@lnx:~# ls -la /tmp/
total 10
drwxrwxrwt 10 root     root     3072 Feb  1 01:00 .
drwxr-xr-x 23 root     root     4096 Jun  2  2015 ..
drwx------  2 huxx     huxx     1024 Feb  1 00:36 ssh-DhNiAzWTEV
huxx@lnx:~# ls -la /tmp/ssh-DhNiAzWTEV
total 4
drwx------  2 huxx huxx 1024 Feb  1 00:36 .
drwxrwxrwt 10 root root 3072 Feb  1 01:01 ..
srwxr-xr-x  1 huxx huxx    0 Feb  1 00:36 agent.18922

Is there a solution for it?

So is there a solution for the aforementioned issue? Luckily, yes, there is. There are SSH key agents out there that actually ask for your permission before allowing access to the private key. For Windows one such solution is the KeeAgent plugin for the KeePass password manager; it lets you set a password/confirmation prompt that appears every time someone or something tries to access the private key. The same combination will also work on macOS with a bit of work: port the Windows application using Mono for Mac and add an ssh-askpass script to the system. The exact solutions will be shown in follow-up posts.

Edit:
Solution for Windows users described here: https://www.huxxit.com/index.php/2018/02/02/safer-ssh-key-usage-windows-just-using-putty-pageant/
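As an added example (not from the post), here is a small POSIX shell audit of an OpenSSH client config that lists every Host block with ForwardAgent enabled. It runs against a constructed sample ~/.ssh/config; the host names in it are made up. The sample also shows ProxyJump, which reaches hosts behind a bastion without forwarding the agent at all, so the key never has to be usable from the intermediate server.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenSSH client config
# for agent forwarding. Prints one line per Host block that enables
# ForwardAgent; "(global)" means it is enabled before any Host line, i.e. for
# every connection. Assumes plain ssh_config(5) "keyword value" lines; Match
# blocks and the "keyword=value" spelling are not handled.
audit_forward_agent() {
    awk '
        tolower($1) == "host" {
            host = $2
            for (i = 3; i <= NF; i++) host = host " " $i
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            print (host == "" ? "(global)" : host)
        }
    ' "$1"
}

# Constructed sample ~/.ssh/config: forwarding is off by default and switched
# on only for the bastion (which the audit flags); internal hosts are reached
# with ProxyJump instead, which needs no agent forwarding because the key
# stays on the workstation.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Host *
    ForwardAgent no

Host bastion
    HostName bastion.example.com
    ForwardAgent yes

Host internal-*
    ProxyJump bastion
EOF

echo "Host blocks with agent forwarding enabled:"
audit_forward_agent "$cfg"
rm -f "$cfg"
```

Run it against your own file with audit_forward_agent ~/.ssh/config. On Linux and macOS the equivalent of the KeeAgent confirmation prompt is loading the key with ssh-add -c, which makes ssh-agent ask before every use of that key; like the macOS setup described above, it needs an ssh-askpass program to show the prompt.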

macOS FDE user management

When using FDE (full disk encryption) on a Mac you might want to limit the users who can actually decrypt the disk. If so, you might find the following commands useful:

1) List the users able to decrypt the disk:

sudo fdesetup list

2) Remove a user's ability to decrypt:

sudo fdesetup remove -user user.name

3) Give a user the ability to decrypt:

sudo fdesetup add -usertoadd user.name
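As an added example (not from the post), the POSIX shell function below turns the list command into a drift check: it reports every FileVault-enabled user that is not on an approved list, so the extra accounts can be reviewed and removed with the remove command above. It assumes "fdesetup list" prints one "username,UUID" line per user; the sample output is constructed and the UUIDs are made up.

```shell
#!/bin/sh
# Added example (not from the original post): report FileVault-enabled users
# that are not on an approved list. Assumes "fdesetup list" output in the
# form "username,UUID", one user per line.
# $1 = file holding the fdesetup list output, remaining args = approved names
fde_unapproved_users() {
    list=$1; shift
    approved=" $* "
    cut -d, -f1 "$list" | while IFS= read -r user; do
        case "$approved" in
            *" $user "*) ;;          # approved, nothing to report
            *) echo "$user" ;;
        esac
    done
}

# Constructed sample of "sudo fdesetup list" output (UUIDs are made up).
out=$(mktemp)
cat > "$out" <<'EOF'
admin,1A2B3C4D-0000-4000-8000-000000000001
jane.doe,1A2B3C4D-0000-4000-8000-000000000002
contractor,1A2B3C4D-0000-4000-8000-000000000003
EOF

echo "FileVault users not on the approved list:"
fde_unapproved_users "$out" admin jane.doe
rm -f "$out"
```

On a real machine, save the output of "sudo fdesetup list" to a file and pass it together with the approved names; each reported name is a candidate for "sudo fdesetup remove -user name".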

CheckPoint Gaia embedded sic reset

If you happen to have a CheckPoint 1400 series firewall hooked up to your central management and for some reason need to reset the SIC (Secure Internal Communication) trust between the firewall and the management, this command will help (it is not the same as in the full-blown Gaia OS):

set sic_init password Y0urS!cPassw0rd

In R77 getting the whole connections table in human readable format

When you need to get the connections table out of your CheckPoint R7x firewall in human readable format, to get some idea of how many connections there are between certain hosts and which pairs have the most, this line might help you:

fw tab -t connections -u -f|grep Direction|cut -d';' -f3,5-7|sort -n|uniq -c|sort -rn > connections`date +"%Y-%m-%dT%H-%M"`.txt

Depending on the size of the connections table it may take quite a bit of time, and I would suggest doing it on the standby node so as not to spend the active device's CPU time on it.

CheckPoint R77 remove stale connections from connections table

In some cases an operating system might reuse the source port when creating a new connection. That can cause problems when the previous connection has not been closed yet on the firewall: the same source/destination IP address:port combination is already in the connections table, and the firewall drops the new packet with the reason that it is a SYN packet in an already existing connection.

To resolve that, instead of just waiting for the connection to time out, you can remove the connection from the connections table. To do that you must log in to the firewall CLI, dump the whole connections table into a file and then generate the relevant delete commands. I wish it were easier, but CheckPoint keeps its connections table info in hex and requires the delete command to carry the connection info in hex as well.

So the procedure itself needs to be done in "Expert Mode" and goes as follows:
1) Get the connections table in to a file

[Expert@cplab]# fw tab -t connections -u > connections.txt

2) Generate delete commands for all the connections between the source and destination IP addresses:

[Expert@cplab]# IPA="192.168.1.55"; IPB="192.168.2.27"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" connections.txt | grep "$IPBHEX" | grep "^<0000000" | awk  '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > delete_connections.sh

3) Run the script generated by the previous command (I prefer using the -x flag to see the actual commands being run):

[Expert@cplab]# sh -x delete_connections.sh
+ fw tab -t connections -x -e 00000000,c0a80137,000002c8,c0a8021b,0000037c,00000011
Entry <00000000, c0a80137, 000002c8, c0a8021b, 0000037c, 00000011>
deleted from table connections

After that, all connections between the two selected hosts should have been deleted. If you want to be more specific, you can also add the port numbers to the mix.

This post is based on the article found at https://community.checkpoint.com/thread/6193-how-to-manually-delete-an-entry-from-the-connections-table and is just a reminder for myself so I wouldn't have to go through the community and support sites looking for it.
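As an added example, not taken from the post or from CheckPoint, the following POSIX shell script does the job of the one-liner in step 2 in a more readable and stricter way: it converts the two IP addresses to hex and matches them only in the source and destination fields of each entry, whereas the one-liner greps the whole line, so the same hex anywhere in an entry would match. It runs against a constructed sample table in the format of "fw tab -t connections -u"; the first entry is the one shown in step 3, the other entries are made up.

```shell
#!/bin/sh
# Added example (not from the original post or CheckPoint): generate
# "fw tab -t connections -x -e" delete commands for every connection between
# two hosts from a table dumped with "fw tab -t connections -u". It only
# prints the commands; review them and run them on the firewall yourself.

# IPv4 dotted quad -> the 8-hex-digit form used in the connections table.
ip_to_hex() {
    # word splitting of the command substitution is intended (four octets)
    printf '%02x' $(printf '%s' "$1" | tr '.' ' ')
}

# $1 = table file, $2 = IP A, $3 = IP B. An entry looks like
# <direction, src, sport, dst, dport, proto; ...>. Only entries whose first
# field is 00000000 are turned into delete commands; the reverse-direction
# 00000001 entry of the same connection is skipped. Both A->B and B->A are
# matched, like the one-liner; narrow on $3/$5 if you need specific ports.
gen_delete_cmds() {
    a=$(ip_to_hex "$2")
    b=$(ip_to_hex "$3")
    awk -v a="$a" -v b="$b" '
        $1 == "<00000000," {
            src = $2; dst = $4
            gsub(/,/, "", src); gsub(/,/, "", dst)
            if ((src == a && dst == b) || (src == b && dst == a)) {
                key = $1 $2 $3 $4 $5 $6
                gsub(/[<>;]/, "", key)
                print "fw tab -t connections -x -e " key
            }
        }
    ' "$1"
}

# Constructed sample table: entry 1 is the one shown in step 3, entry 2 is
# its reverse-direction link (skipped), entry 3 is a different client to the
# same server (skipped), entry 4 is a second 192.168.1.55 <-> 192.168.2.27
# connection (deleted).
tbl=$(mktemp)
cat > "$tbl" <<'EOF'
<00000000, c0a80137, 000002c8, c0a8021b, 0000037c, 00000011; 0001ffff, 00000000, 00000000, 00000000, 00000000, 00000000; 23/40>
<00000001, c0a8021b, 0000037c, c0a80137, 000002c8, 00000011; 00000000, c0a80137, 000002c8, c0a8021b, 0000037c, 00000011; 23/40>
<00000000, 0a000005, 0000c350, c0a8021b, 000001bb, 00000006; 0001ffff, 00000000, 00000000, 00000000, 00000000, 00000000; 3590/3600>
<00000000, c0a80137, 0000d431, c0a8021b, 000001bb, 00000006; 0001ffff, 00000000, 00000000, 00000000, 00000000, 00000000; 3590/3600>
EOF

gen_delete_cmds "$tbl" 192.168.1.55 192.168.2.27
rm -f "$tbl"
```

Redirect the output to delete_connections.sh and run it with sh -x exactly as in step 3.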

CheckPoint SmartCenter log backup

One way to back up your CheckPoint firewall logs to an external host is to run a little script nightly on your SmartCenter using SFTP. The script only uses utilities already included in the CheckPoint Gaia installation. To use it you need to generate an SSH key pair and put the public key in the authorized keys list on your backup host. It should also work similarly on R80 with minor changes to the paths used in the script and the cron command. (At least that's what a CP engineer at CPX said; I haven't had the time to test it yet.)

The script itself:

#!/bin/bash
echo "Starting SmartCenter Firewall log backup script"
# non-interactive SFTP session fed from the here-document; output is kept for the mail report
/usr/bin/sftp -o identityfile=/home/*username*/.ssh/id_rsa *user*@backup.host >/tmp/backup.log<<end
lcd /opt/CPsuite-R77/fw1/log
cd logs
put $(date --date='yesterday' +%Y-%m-%d)*
quit
end
cat "/tmp/backup.log"
echo "Backup script finished"

The cron command to run the backup script nightly:

5 0 * * * . /opt/CPshrd-R77/tmp/.CPprofile.sh && bash /home/*username*/log_backup.sh|/opt/CPsuite-R77/fw1/bin/sendmail -s "SmartCenter log backup output" -t your.mail.server -f username@yoursmartcenter.host youraddress@domain.host

As the above cron command suggests, you need to have nightly log rotation turned on in your SmartCenter properties. Oh yeah, and if you don't want an e-mail about the status of the backup, you can just comment the echo commands out of the script and replace the part after | in the cron command with the usual redirect to /dev/null.

Reset a VPN tunnel in CheckPoint R77.30 or earlier

Sometimes VPN tunnels may require resetting; on CheckPoint firewalls that can be done by removing the IPsec/IKE SAs relating to that tunnel with the "vpn tu" command.
Basically, to reset the VPN tunnel do the following:

  1. Log in to the firewall CLI and open the VPN tunnel utility:
    cp> vpn tu

    **********     Select Option     **********

    (1) List all IKE SAs
    (2) List all IPsec SAs
    (3) List all IKE SAs for a given peer (GW) or user (Client)
    (4) List all IPsec SAs for a given peer (GW) or user (Client)
    (5) Delete all IPsec SAs for a given peer (GW)
    (6) Delete all IPsec SAs for a given User (Client)
    (7) Delete all IPsec+IKE SAs for a given peer (GW)
    (8) Delete all IPsec+IKE SAs for a given User (Client)
    (9) Delete all IPsec SAs for ALL peers and users
    (0) Delete all IPsec+IKE SAs for ALL peers and users
    (Q) Quit
  2. Press 7, enter the peer GW IP address and press Enter twice:
    *******************************************

    7

    Enter IP of peer (format: xxx.xxx.xxx.xxx): 123.123.123.123

    Hit <Enter> key to continue ...
  3. List the IPsec and IKE SAs to see whether they have reappeared for your GW (in some setups it may be necessary to try to access something over the VPN for the tunnel to actually be renegotiated).


Removing stubborn client connections on F5 BigIP

On F5 BigIP LTM devices the connections table can be seen with the "tmsh show sys connection" command, which prints out the entire connection table. To narrow the results it accepts the following parameters for filtering:

age connection-id cs-client-addr cs-client-port cs-server-addr cs-server-port protocol ss-client-addr ss-client-port ss-server-addr ss-server-port type

The cs-* parameters relate to the connections on the external side of your load balancer, the client side in F5 terms. To see a single client's connections to your device you could issue the following command:

tmsh show sys connection cs-client-addr 172.16.1.100

Which would produce the following output in my case:

Sys::Connections

172.16.1.100:12727  192.168.32.20:443  192.168.1.254:12727  192.168.1.10:443  tcp  213  (tmm: 0)  none

Total records returned: 1

The output shows that the client with IP address 172.16.1.100 is connected to the virtual server running on IP address 192.168.32.20, port 443, and that the connection itself has been sent to the back-end server with IP address 192.168.1.10.

Let's say you have disabled that node in your LB but the client is still connected to that server, and you want to remove the client's connection so it gets sent to a new pool member. You can remove the connection with the following command:

tmsh delete sys connection cs-client-addr 172.16.1.100 cs-server-addr 192.168.32.20 cs-server-port 443

You could get even more specific about the connection you want to delete using the other parameters mentioned at the beginning, such as cs-client-port.

New server on the web…

So this site has been up for a few hours now and there have already been multiple scans on it. To be honest, I was wondering how little time it would take for the first scans to arrive. It took merely 15 minutes for my little web server to be found by some script that is already trying to get in through HTTP Basic authentication.
Just some example snippets from my log:

185.107.83.26 - admin [29/Jan/2018:01:21:55 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - cisco [29/Jan/2018:01:21:45 +0200] "GET / HTTP/1.1" 401 682 "http://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - root [29/Jan/2018:01:21:47 +0200] "GET / HTTP/1.1" 401 682 "http://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - user [29/Jan/2018:01:21:47 +0200] "GET / HTTP/1.1" 401 682 "http://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - supervisor [29/Jan/2018:01:21:59 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - Cisco [29/Jan/2018:01:22:10 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - enable [29/Jan/2018:01:22:13 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - pnadmin [29/Jan/2018:01:22:13 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

It seems to be trying out all sorts of different default user names and password combinations.
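As an added example (not from the post), here is a POSIX shell function that turns that observation into a detection: it reads a combined-format access log, counts 401 responses per source IP and how many distinct usernames each source tried, and reports the sources above a threshold. The sample input is the post's own log lines, written to a temporary file; the threshold value is an assumption to tune for your site.

```shell
#!/bin/sh
# Added example (not from the original post): flag HTTP Basic auth guessing
# in an Apache/nginx combined-format access log. One source sending a burst
# of 401s with many different usernames is the signature of a
# default-credential scan.
# $1 = access log, $2 = minimum number of 401s for a source to be reported
auth_failure_report() {
    awk -v thr="$2" '
        # combined format: ip ident user [date tz] "req" status size "ref" "ua"
        # so the status code is field 9 and the auth user is field 3
        $9 == 401 {
            fails[$1]++
            if (!(($1, $3) in seen)) { seen[$1, $3] = 1; users[$1]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr)
                    printf "%s %d failed logins, %d distinct usernames\n", ip, fails[ip], users[ip]
        }
    ' "$1"
}

# Sample input: the log lines quoted in the post, written to a temp file.
log=$(mktemp)
cat > "$log" <<'EOF'
185.107.83.26 - admin [29/Jan/2018:01:21:55 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - cisco [29/Jan/2018:01:21:45 +0200] "GET / HTTP/1.1" 401 682 "http://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - root [29/Jan/2018:01:21:47 +0200] "GET / HTTP/1.1" 401 682 "http://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - user [29/Jan/2018:01:21:47 +0200] "GET / HTTP/1.1" 401 682 "http://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - supervisor [29/Jan/2018:01:21:59 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - Cisco [29/Jan/2018:01:22:10 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - enable [29/Jan/2018:01:22:13 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
185.107.83.26 - pnadmin [29/Jan/2018:01:22:13 +0200] "GET / HTTP/1.1" 401 2138 "https://84.50.132.89/" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
EOF

# threshold of 5 is an assumed value; the sample source is reported with 8/8
auth_failure_report "$log" 5
rm -f "$log"
```

The same counting over a rolling window is what tools like fail2ban do before they block the source; the distinct-username count is the part that separates a scanner from a single user mistyping their password.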