% ftp ds218plus
Connected to ds218plus.mydomain.com.
220 DS218Plus FTP server ready.
Name (ds218plus:j5): ftp
331 Guest login ok, send your email address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||55703|)
150 Opening BINARY mode data connection for 'file list'.
drwxrwxrwx 1 root root 4096 Sep 16 10:58 usbshare1
dr-xr-xr-x 1 root root 142 May 9 14:48 web
drwxr-xr-x 1 root root 38 Aug 18 22:21 docker
Whoa there! I should only see the directory for Anonymous FTP, not a list of shares. What’s more, I could download files from these directories even though they were never intended to be public.
The first step is disable advanced permissions on whichever directory you want to use for Anonymous FTP. In my case, the share was called ‘public’:
After doing that, I can manually select the share to use for Anonymous FTP:
Ran in to problems getting a VPN up and running between GCP and a FortiGate 60-E that was behind a NAT gateway (with ports udp/500 + udp/4500 forwarded). On the GCP side, these messages would show up in the logs:
remote host is behind NAT
generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
looking for peer configs matching GCP.VPN.GATEWAY.IP[%any]...203.0.113.77[192.168.1.1]
This error means that GCP connected to the Peer VPN gateway successfully, but it in the IKEv2 headers, it identified itself by the private IP rather than the expected public one. AWS is not picky about this, but with GCP, the Peer VPN gateway must identify itself by using the same external IP address of the NAT device.
Most vendors have long supported an option to manually override the IP address for such scenarios. In Cisco IOS or IOS-XE, this can be controlled in the IKEv2 profile with the identity local address option:
crypto ikev2 profile GCP_IKEV2_PROFILE
match address local interface GigabitEthernet1
identity local address MY.PUBLIC.IP.ADDRESS
authentication remote pre-share
authentication local pre-share
keyring local GCP_KEYRING
lifetime 36000
dpd 20 5 on-demand
!
With Palo Alto, this is configured in the IKE Gateway, Local Identification field:
For the sake of argument, we’ll say that CheckPoint uses the “Statically NATed IP” field to influence Local ID, although this doesn’t actually work.
Fortigate does offer “Local ID” field in version 6.4.6 and higher, under the Phase 1 proposal:
Seems nice and straightforward, but even after changing this setting, the VPN tunnel still won’t establish. Logs on the GCP end change slightly and now show this:
looking for peer configs matching GCP.VPN.GATEWAY.IP[%any]...203.0.113.77[203.0.113.77]
The private IP is no longer showing, so it seems the issue should be solved. Instead, GCP reports a “Peer not responding” message. The Fortigate actually reports Phase 1 success, waits a few seconds, and then starts the negotiation all over. So not very helpful.
I configured a test VPN between the FortiGate and a Palo Alto, which then gave a very specific and extremely useful error message:
IKE phase-1 negotiation is failed. When pre-shared key is used, peer-ID must be type IP address. Received type FQDN
Now this explains the problem! Even though the FortiGate is sending the correct IP address in the IKEv2 header, it’s being sent as the wrong identity type. The 5 identity types are listed in RFC 7815:
ID_IPV4_ADDR = 32 bit IPv4 address
ID_IPV6_ADDR = 128 bit IPv6 address
ID_FQDN = DNS hostname
ID_RFC822_ADDR = e-mail address
ID_KEY_ID = octet stream
If Fortigate were smart, it would either default to IPv4 address type or auto-determine this based on the text inputted in to the field. But it seems to simply default to FQDN. Oddly, there is a CLI option called “localid-type” under the Phase1-interface that clear is intended to provide this functionality:
FGT60E1234567890 # config vpn ipsec phase1-interface
FGT60E1234567890 (phase1-interface) # edit gcp
FGT60E1234567890 (gcp) # set localid-type
auto Select ID type automatically.
fqdn Use fully qualified domain name.
user-fqdn Use user fully qualified domain name.
keyid Use key-id string.
address Use local IP address.
But, similar to CheckPoint, it just doesn’t work, and can be considered a broken feature.
Since GCP does not support FQDN authentication, VPNs between GCP and FortiGates behind a NAT are not possible at this time.
Time to move Rancid to a newer VM again, this time it’s Ubuntu 20. Hit a snag when I tried a test clogin run:
$ clogin myrouter
Unable to negotiate with 1.2.3.4 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
OpenSSH removed SHA-1 from the defaults a while back, which makes sense since the migration to SHA-2 began several years ago. So looks like SSH is trying to use SHA-2 but the Cisco Router is defaulting to SHA-1, and something has to give in order for negotiation to succeed.
My first thought was to tell the Cisco router to use SHA-2, and this is possible for the MAC setting:
Router(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (digest length = 96 bits, key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits
Router(config)#ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
Router(config)#do sh ip ssh | inc MAC
MAC Algorithms:hmac-sha2-256,hmac-sha2-512
But not for key exchange, which apparently only supports SHA-1:
Thus, the only option is to change the setting on the client. SSH has CLI options for Cipher and Mac:
-c : sets cipher (encryption) list.
-m: sets mac (authentication) list
But the option for Key Exchange can only be configured via the /etc/ssh/sshd_config file with this line:
KexAlgorithms +diffie-hellman-group14-sha1
I wanted to change the setting only for Rancid and not SSH in general, hoping that Cisco adds SHA-2 key exchange soon. I found out it is possible to set SSH options in the .cloginrc file. The solution is this:
By the way, I stayed away from diffie-hellman-group-exchange-sha1 as it’s considered insecure, whereas diffie-hellman-group14-sha1 was considered deprecated but still widely deployed and still “strong enough”, probably thanks to its 2048-bit key length.
Sidenote: this only affects Cisco IOS-XE devices. The Cisco ASA ships with this in the default configuration:
Note that certbot can only match virtual hosts that listen on port 80.
Run this command for Nginx:
sudo certbot certonly --nginx
Or for Apache:
sudo certbot certonly --apache
Certificates will get saved in /etc/letsencrypt/live on Linux, or /usr/local/etc/letsencrypt/live on FreeBSD
In each sub-directory, there will be 4 files created:
privkey.pem = The private key
cert.pem = The SSL certificate
fullchain.pem = SSL cert + Intermediate Cert chain. This format is required by NGINX and some other web servers
chain.pem = Just the intermediate cert
Here’s a Python script that will create a list of all directories with Let’s Encrypt certs:
#!/usr/bin/env python3
import sys, os
if "linux" in sys.platform:
src_dir = "/etc/letsencrypt/live"
if "freebsd" in sys.platform:
src_dir = "/usr/local/etc/letsencrypt/live"
sites = [ f.name for f in os.scandir(src_dir) if f.is_dir() ]
for site in sites:
if os.path.exists(src_dir + "/" + site + "/cert.pem"):
print("Letsencrypt certificate exists for site:", site)
By default, calls to the various Google Cloud APIs will resolve to a random Google-owned IP, and require outbound internet access, either via external IP, Cloud NAT, or 3rd party network appliance.
If outbound Internet is not required for the application, or not desired for security reasons, enabling Private Google Access allows VM instances to connect an internally routed prefix.
On the subnet, turn on Private Google Access via the radio button
By default, all egress traffic is permitted. If egress traffic is being denied deliberately, create a rule allowing egress traffic to destination 199.36.153.8/30, tcp ports 80 and 443
Create a Private DNS zone called googleapis.com, and apply it to any networks that will use Google Private Access.
In the DNS zone, create two entries:
An A record called ‘private’ that resolves to the following 4 IP addresses:
199.36.153.8
199.36.153.9
199.36.153.10
199.36.153.11
A wildcard record ‘*’ that points to hostname ‘private’
The zone will look like this once created.
Private Google Access should now be working. To test it, ping something.googleapis.com and it should resolve to one of those 4 IP addresses
ping www.googleapis.com
PING private.googleapis.com (199.36.153.9) 56(84) bytes of data.
As I explore different ways of doing Web programming in Python via different Frameworks, I kept finding the need to examine HTTP server variables, specifically the server hostname, path, and query string. The method to do this varies quite a bit by framework.
Layer 77 