OPNsense Security Device Build

    Just back from a security conference. The major themes of the conference were passwords suck, phishing, policies, and solutions. The conference was great, good food and lots of information taken from the talks.

    Scene

    All this security talk got me to thinking about my own setup, a very old Cisco ASA and Cisco Wireless Router pair meets, but doesn’t give much visibility in to the network, and the number of exploits for this hardware / software must be longer than my arm at this point, so time to upgrade.

    Cisco ASA needs to be replaced because it’s software isn’t current, and protecting against newer attacks isn’t possible. Cisco E4200 has to be replaced because it doesn’t support newer Wi-Fi standards.

    Build

    This post and some that follow will be about a security device build I have ongoing. The journey begins at picking a hardware platform, which there are a lot to choose from. I wanted to keep close to router-style as possible, so I opt for a board with no VGA or other display technologies and had a serial port (yes, RS232).

    Bought a bundle that contains board, case, and power adapter. Basically, the only part required is storage, this can be an SD card or USB flash drive. I will be using mSATA drive for log storage (/var). The board I have has three mPCIe slots, but only one will work with mSATA drives, it’s label accordingly.

    APU2D4 (Without SD and SSD)
    Dec 8, 2018 · Filed in: OPNsense
    Reading Time: 5 minute(s)

    Amazon EC2 SSH Public Keys via IAM Service

    There will come a day when we can provision users and provide the necessary authorization to required enterprise resources with easy, but until that day comes there will be hacks like this one.

    This is very much Proof of Concept (PoC), I have not tested this beyond my network, and there would be a lot of angles to consider with any type of deployment, security (sanitization and additional logic), IAM SSH Public Keys were designed for CodeCommit, and other unknowns.

    My first attempt was to create a PAM module that would authenticate SSH users via aws-sdk-cpp libraries, accessing the API using instance profile / EC2 IAM roles, allowing EC2 instances to obtain credentials to access the information. This seemed like a good route, but trying to hack a PAM module together that would be portable enough for distribution would be a challenge, static versions of aws-sdk-cpp, etc. I will revisit this in the future, but for now, I will move on.

    On my second attempt, I create a Bash script that would produce the correct output for SSH AuthorizedKeysCommand directive using SSH public keys from AWS IAM service via awscli. As the EC2 instance can utilize the instance profile role via aws command. This didn’t come without headaches, permission issues, etc.

    Jan 26, 2017 · Filed in: AWS, EC2, IAM
    Reading Time: 4 minute(s)

    Troubleshooting VMware ESXi iSCSI Connections from CLI

    Troubleshooting iSCSI connections… we have all been there, at the data center or your desk trying to solve some dead path issue. I like to drop back to the CLI for this task as it’s much easier to get the information out of VMware for troubleshooting purposes, and the Web clients don’t always have the most current information, without requiring a refresh.

    First, let’s get a physical layout of the land we are dealing with on this host.

    [root@esxi:~] esxcfg-nics -l
Name    PCI          Driver      Link Speed     Duplex MAC Address       MTU   
vmnic0  0000:01:00.0 tg3         Up   1000Mbps  Full   b8:2a:72:dc:2d:e8 1500
vmnic1  0000:01:00.1 tg3         Up   1000Mbps  Full   b8:2a:72:dc:2d:e9 1500
vmnic2  0000:02:00.0 tg3         Up   1000Mbps  Full   b8:2a:72:dc:2d:ea 9000
vmnic3  0000:02:00.1 tg3         Up   1000Mbps  Full   b8:2a:72:dc:2d:eb 9000
vmnic4  0000:05:00.0 tg3         Up   1000Mbps  Full   00:0a:f7:64:54:9c 1500
vmnic5  0000:05:00.1 tg3         Up   1000Mbps  Full   00:0a:f7:64:54:9d 1500
vmnic6  0000:05:00.2 tg3         Up   1000Mbps  Full   00:0a:f7:64:54:9e 9000
vmnic7  0000:05:00.3 tg3         Up   1000Mbps  Full   00:0a:f7:64:54:9f 9000
[root@esxi:~]
    Sep 1, 2016 · Filed in: ESXi, iSCSI
    Reading Time: 3 minute(s)

    VMware vSphere ESXi iSCSI Walk

    Recently I found myself having to perform a walk of physical connections of some ESXi hosts and two (2) QNAP storage arrays being used for storage of VMware Virtual Machines (VM). The idea was to remove the Network Port Binding from two (2) of the four (4) iSCSI VMK adapters, move the adapters to the destination switch.

    The first step was to remove the two (2) VMK adapters network bindings from the ESXi host, forcing the iSCSI traffic to the remaining two (2) VMK adapters that are still binding.

    ESXi iSCSI Network Port Binding
    Aug 5, 2016 · Filed in: ESXi, iSCSI
    Reading Time: 2 minute(s)