Saturday, September 9, 2017

Determining OSPF.interface mtu byte sizes via a packet capture

When using OSPF, the need can arise to validate the OSPF-interface-value amongst   OSPF neighbors.

If md5 authentication is not deploy the OPSF database descriptor will carry the  OSPF_interface_MTU value in the clear. A tool like  tshark/wireshark will easily display that value.


In a proper OSPF topology all interfaces attached to the LAN would use the same value. By dumping the  OSPF packets you can easily find the  Interface MTU value and ospf neighbors that are not configured correctly.

By using  a packet.capture you can easily  gather statistics without login into numerous routes or devices  for gathering ospf show  collections

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \

Friday, September 1, 2017

securing mysql with SSL/TLS

With databases and application  servers, we find  that most org do NOT  deploy SSL/TLS encryption. This post will demo  how easy it's to  set a  mysql server up for   SSL/TLS. Most  DBAs I've  meet thinks;

  •  its hard to setup and configure
  •  are just plain lazy
  •  feels it's offer zero-security benefits
  •  or a combination of ALL thee above :)

You will need the following for the server;


You will need the following for the client(s);


1st here's my simplified  my.cnf cfg  ( this is very basic lean down conf )

bind-address = *

Now to check for SSL support you need to  show global variables and match on SSL. If your  successful upon a restart the  DISABLE will be ENABLE and SSL support will be included in the mysql server services

Now we can test for basic  access with the root account and by specifying  SSL;

To lock this down for just a  database user account, you will grant  ( them  )  permission and set  required SSL for that user(s).

And now compare a SSL and non_SSL  access 

If a user that's required  SSL tries without  SSL certificates ( he/she ) will  get a reject message similar to  the below;

Yes it's really that simple. 

In a real professional environment, you will craft unique client-certificates  & 1 per  users  and ensure that the user has secured and protected his  key via a passphrase. 

If you  want to revoke his access revoke the cert and  remove his access.

  For  the   mysql services ensure the mysql  user that runs the daemon can read the server-private-keyfile .... I seen this  issue being the #1 problem when setting up  mysql w/SSL-TLS. chown and chmod the permission  for the priv-key   and  just for the mysql-services account

Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \

Thursday, August 24, 2017

Get a caddy ( web server )

The needs typically arises sometime for a simple & lite-weight   http daemon. The caddy  webserver which is simple and very easily to manipulate  has  been available.

The cool thing about the caddy is; "  you can customize build it for your OSversion and defined  various plugins of interest  or required ".

Here's a macosx  build where I have selected 9 of the  available plugins. By hovering over each plugin you can get a summary  detail on what that plugin does.

Here's how to check what plugins you have installed in a build binary.

macbook:caddy kfelix$ sudo ./caddy -plugins
Server types:

Caddyfile loaders:

Other plugins:

 A simple caddy conf file can be crafted for  defined various webserver details and upon launch you can use  cUrl to validate

The above gives a simple example as to  what ou can do from defining   certificate+key or even  custom X headers.

The access.log follows the  simple  Apache Style

If your ever in a crunch and need a simple  webserver, do not over look caddyserver

Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \

Friday, August 18, 2017

FortiOS long vdom names

Long vdoms name is a feature support in the most current  FortiOS version. Previous you where limited to 11 characters in a vdom name.

Now the long vdom-name you can craft  extremely long names. Take these screen shots;

The negatives to long names; " if you ever downgrade to a older fortiOS version, this could cause problems.

Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \

Tuesday, August 15, 2017

howto validate that your fortigate AVprofile is working

When you have enabled AV ( AntiVirus ) scan enable on a fortigate, you should  test against any one of the EICAR  test files.

1st here's the default AV profile on a typical firewall.

When the  AVprofile has detected a  virus it will throw a similar  formatted log_message

You can test both HTTP and HTTPS when you have  ssl-inspection enabled.


Note, this is a sure way to  test that your ssl-inspection is also working  btw

If you have  NO ssl-inspection profile enable, the fortigate-firewall will let you  download the  EICAR  test.file over  a secure protocol like  HTTPs with no warning. Here's a source for  text and zip or double-zip files.

e.g ( with no ssl-inspection  the EICAR  test file  was downloaded )

Security  best practice mandate you should have AV enabled and  ssl-inspection profile for protecting local lan users if end-point  protection has not been installed.

Here's how a firewall policy will look like from the  CLI  & that's enabled for  AV-profile and with SSL inspections.

A feedback page will  be displayed  to the end-user who hit's the policy and a simple link provided  if he/she want to  investigate what and why  the content was blocked in regards to AV.

( https test EICAR  file  source )

If your using the fortigate as an explicit -proxy, please ensure you have AVprofiles in use and in  proxy-mode.


Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \

Friday, August 11, 2017

conserve mode FortiGates

Within in the Fortigate models, you have a conserve mode. This is a simple method that FortiOS triggers in order to try to  protect  the systems.

Almost all security profiles are handle in shared memory. Any time this memory is exhausted or nearly exhausted the  unit will go into  conserver mode and deactivate certain scan profiles.

You can easy check if your  unit is in conserve mode by the following diagnostic command;

diagnostic hardware sysinfo shm | grep conser

You can also review logs , if this event happens it will be recorded as a "critical" event .


Okay to  avoid this, we need to understand the following;

  • Combinations of AV-profile  scanning with  proxy/flow mode can cause havoc conserve-mode
  •  excess traffic and utm-function can cause  kernel conserve mode
  • it best to be aware of running  multiple  scan mode flow or proxy
  • Limit what fwpolicies have  AV-profiles
  • Upgrade the unit if it's under-size  and if repetitive  conserve-mode events happens

So to ensure you don't enter conserver mode you need to reduce logging-to-memory.

Various fortigate-models  uses a certain  % of the shared-memory or physical-memory thresholds  to determine when it goes into  conserve-mode . The FTNT support-team  can provide you these values upon request.

It's best to optimized the firewall just for the UTM features that you  required and disable all other utm and profiles from the firewall-policies.

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \

deleting the root vdom can't do it!

Working with various IT/Security outfits over the past few years and  with numerous  Sec-Engineers  to Directors, a lot of them get hung up over the vdom name of  "root". I've even  had  numerous  request for removing the root vdom or renaming it.

Image result for rolleyes

In one of my last encounter , they actually  had me open a ticket with  FTNT  & who the engineer made a wild claim that  he think it could be deleted.

In fact this is NOT true! Or I have yet to be proven wrong.

Here's some screenshot of a  wasted of time with "attempting" to remove the vdom name "root", after deleting all policies, creating a a new vdom, deleting any bindings to  root-vdom ( interfaces, admin-accounts,   dhcp-server , fortianalyzer, fortimanager , central-management  etc......)

So the conclusion;

1: the root-vdom  can not be deleted

2: it's just a name-vdom use it as-is or do use it

3: trying to rename vdom-root or deleting it,  is amounting to  trying to rename or deleting the   windowOS  system32 directory or the  unix "/"  directory 

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \