Stuff I'm Up To

Technical Ramblings

Azure IPSec VPN Ups and Downs — January 31, 2018

Following our IPSec connection setup for Azure and the Juniper SRX we were seeing regular disconnections and a failure to re-establish the tunnel for an extended period. This was very frustrating, as about every 7 hours and 20 minutes we'd lose the connection. We'd then have to restart the IPSec service on the SRX and it would come back up.

As our SRX is hosted inside another firewall the IPSec traffic is NAT’ed and we began to wonder if that was the problem.

So we did some log watching on the external firewall and grabbed some tcpdump information as the tunnel was down and saw nothing to indicate that packets were being dropped on the external firewall.

# tcpdump -nei any host [IP Address]

We monitored the internal and external IPs and could see IPSec traffic.

Sophos Mobile Control EAS Proxy — January 25, 2018

Up until this week we’ve been able to get away with a very simple SMC installation that proxies Exchange ActiveSync (EAS) from the one server with the base Sophos Mobile Control program without using a Standalone EAS Proxy.

But now that we're moving towards Office 365 in the cloud, Microsoft ActiveSync gets messy. As we're in a hybrid setup where most users' mailboxes are on an internal Exchange 2013 instance and only a few are on Office 365, the EAS Proxy part of SMC needs to know about more than one server/service to proxy to.

Mysql Broken After Apt Upgrade — January 18, 2018

My local install of mysql-community-server decided to fail today after applying some updates. I'm running Debian buster/sid so these kinds of things are to be expected. But this was a totally new one to me.

Mysql failed to start so the update wouldn’t install.

Unpacking mysql-community-server (5.7.21-1debian9) ...
Setting up mysql-community-client (5.7.21-1debian9) ...
Setting up mysql-client (5.7.21-1debian9) ...
Processing triggers for systemd (236-3) ...
Processing triggers for man-db ( ...
Setting up mysql-community-server (5.7.21-1debian9) ...
Job for mysql.service failed because the control process exited with error code.
See "systemctl status mysql.service" and "journalctl -xe" for details.
invoke-rc.d: initscript mysql, action "start" failed.
● mysql.service - MySQL Community Server
   Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2018-01-18 08:54:36 GMT; 9ms ago
  Process: 11123 ExecStart=/usr/sbin/mysqld --daemonize --pid-file=/var/run/mysqld/ (code=exited, status=1/FAILURE)
  Process: 11088 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
dpkg: error processing package mysql-community-server (--configure):
 installed mysql-community-server package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
Log ended: 2018-01-18  08:54:36

Then in my syslog file I saw lots of activity constantly trying to start and failing.

Microsoft Azure and Juniper SRX — January 12, 2018

We're getting on the Microsoft Office 365 bandwagon. I'm not a Microsoft fan, and think it's overpriced for the functionality we'll actually use. This means we need to set up an IPSec VPN between the Juniper SRX and Azure.

Microsoft have a GitHub page with not just guidance, but specific configuration examples to help do this, and not just for Juniper but for a range of firewalls.

We’ve got some consultants in setting up the Azure side of the VPN and once I got into the portal I laughed at how much they were charging for turning on the VPN feature and setting a private key – that’s it! There’s very little control to be able to do anything else and if you want logs to see why things aren’t going to plan, you’d better rely on your own device for that.

After a couple of hours they’d written some PowerShell to gather some information that was stale because we’d already moved on past that particular error.

But that said, the Azure side just works. Get your device side right, do your debugging from there, and let Azure sit and do its thing. You have to assume that Azure just works.

Java Keystore Management — November 14, 2017

In the process of getting a new queue management system installed I discovered they're using HTTP and not HTTPS. As part of our security process I had to recommend they change this to an HTTPS/SSL encrypted portal, as it uses a logon process that would otherwise send credentials in clear text.

The product is based on Wildfly and Java, so the deployment uses Java keystores (JKS) and certificates. When they pointed me to their installation guide I discovered they recommend the use of Keystore Explorer for managing the Java certificates.

So I downloaded it and have to say I'm impressed. It makes life so much easier when trying to manage certificates from Windows CAs, OpenSSL and JKS. Definitely a valuable addition to my tool box. As it's written in Java it's available for Windows, Linux and fruit based systems.

Windows, Apache 2.4 and OpenSSL — September 22, 2017

In order to make Apache 2.4.27 compliant it needs the later version of OpenSSL, v1.1.0. To get this you need to install the VC15 build. The VC11 etc. builds do not include the later OpenSSL and fail the check because they are compiled against v1.0.2:

  Banner           : Apache/2.4.27 (Win64) OpenSSL/1.0.2l
  Reported version : 1.0.2l
  Fixed version    : 1.1.0

This is detailed in the 16 June 2017 change log, but is repeated here as a reminder to install vcredist_x64 for VC++ 2017, which is linked on the downloads page at Apache Lounge.

Apache 2.4 TRACE – Nessus plugin 11213 — September 21, 2017

Googling for how to close the vulnerability for the TRACE method on Apache 2.4 results in lots of responses that just use a rewrite rule to respond with a permission denied message. Even the Nessus plugin output lists the rewrite fix. Nessus doesn't use TRACE for its scans; it makes an HTTP OPTIONS call and relies on the server telling it what methods are available.

RewriteEngine On
RewriteRule .* - [F]

Whilst the rewrite rule may be a valid mitigation on Apache servers, the vulnerability warning won't be removed from the Nessus results, because the server still advertises TRACE in its OPTIONS response.

If you're using Apache 2.4 then there is a TraceEnable configuration directive that you should use to simply turn off the TRACE method.

SMB Insecurely Configured Service — August 17, 2017

For the first time today I ran into Nessus plugin ID 44676.

It highlighted an "insecurely configured Windows service". This relates to the service's Discretionary Access Control List (DACL), which is a whole bag of new to me.

The guidance shows how you can use the command line to display the DACL for the service it reported the issue with.

The following service has insecure group permissions:

Bacway Windows Service (BacwayService) :
– Authenticated Users: DC

More information is given here:

Windows Update KB4034681 (August Monthly Rollup) — August 9, 2017

Four hours of swearing at servers, kicking switches and rebooting printers and terminals and all because of a Windows Update.

Our entire network uses 802.1X authentication with certificates and this morning I arrived in the office to find all the Teradici terminals and network printers were failing to authenticate properly.

We hadn't changed anything in the NPS policies, so had a certificate expired? The errors in the event logs were constant:

Event ID 36887 – A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 42.

SRX SSH Ciphers, Algorithms & Key Exchange — July 31, 2017

When doing a Nessus scan for the first time on the new SRX320 cluster it highlighted some weaknesses in the SSH protocol. This was due to arcfour, cbc and hmac being enabled by default.

So to remedy this we need to restrict the SSH service to an acceptable set of ciphers, MACs and key exchange methods.

Using the CLI, a simple change to the SSH service config is required, under system services ssh.

# edit system services ssh
# set ciphers [ aes256-ctr ]
# set macs [ hmac-sha2-256 hmac-sha2-512 ]
# set key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 group-exchange-sha2 ]

Commit the changes, rescan, and all is good.

JunOS SRX too clever for its own good! — July 28, 2017

Today the planned migration from a Juniper ScreenOS SSG to a JunOS SRX didn’t quite go as smoothly as I’d have liked.

We spent many hours last night and this morning trying to figure out why numerous services that worked fine through the SSG firewall failed through the SRX, despite my having triple checked that the rule sets matched exactly from one system to the other.

We ended up making changes to connected systems as workarounds to resolve the problems, but this was far from ideal. The eventual culprit turned out to be a feature that is enabled by default on the SRX within the default application junos-dns-udp.

Squid Kerberos Nightmare — July 25, 2017

What a terrible sequence of events we suffered today. It took quite a bit of head scratching, log reading and plenty of Google fu to resolve.

We use Squid with an authenticated LDAP lookup to establish whether a user is a member of an AD group before allowing them through the proxy. For some very strange reason the authentication and lookup began failing today.