Security – Ryan Schulze

WiFi SSIDs on different VLANs

January 27, 2019January 27, 2019Ryannetwork, security, vlan, wifi

Taking a different direction here and trying out a more HowTo style post. I thought I’d do a quick write-up covering WiFi SSIDs on multiple VLANs, something that might be useful in a home setup, separating SSIDs better from one another. While I usually prefer the CLI, a lot of the devices mentioned here only (or mainly) use a web GUI for configuration management, so this posting will include a lot more screenshots than my usual postings. This posting won’t contain anything exciting for people who run and support networks professionally (mostly just a “so what options are available on SOHO hardware?”), and may even be overly simple and assume settings you wouldn’t do in a professional setup. But it is useful for homelab enthusiasts looking to build a more complex setup than “everything on the same VLAN/network” or trying to figure out “how do I use VLANs, give me an example”.

Ubiquiti and Netgear have some reasonable priced network gear that I’ve written about in the past that behave decent in home networks. For out little setup today we will have a WiFi access point with multiple SSIDs, two switches, and a firewall/router. We will be focusing on the configuration of the WiFi Access Point (UniFi AP) , the two Netgear switches (GS105Ev2 / GS108Ev3) and the Ubiquiti Router (Edgerouter X).

Our goal is to have two SSIDs on the access point, one for the “normal” devices (VLAN 1), and one for separate devices (VLAN 178). Since the router to VLAN 178 is on a different switch than the access point we also need to trunk both VLANs across the network. Another way of looking at it, is that we are expanding Subnet/VLAN 178 into our network (but limiting it to the WiFi Access points). 178 doesn’t hold any special meaning, you can use any VLAN number you want, just chose 178 because the subnet in this test setup was 10.0.178.0/24.

Here is a diagram of our test setup:

VLAN 1: The management and main client VLAN
VLAN 178: Subnet 178, 2nd WiFi network

Netgear 1

Port 1: Connection to Netgear 2
Port 5: Access Point

Netgear 2

Port 1: Connection to Netgear 1
Port 8: Edgerouter

Edgerouter

eth0: Connection to Subnet 178
eth1: Connection to Netgear 2

Wireless Configuration

In the UniFi controller go to Settings->Wireless Networks either create a new network or edit an existing one. If you go into the advanced options area, you will find the VLAN setting for that SSID. Activating the option and setting a value means the access point will tag all packets from that SSID to the specified VLAN number.

In the network overview below we see that packets from one network are tagged with VLAN 178, and packets from the other network are untagged (the switch configuration will take care of deciding which VLAN untagged packets are part of).

Netgear Configuration

The Netgear devices only have a VLAN 1 defined by default, so the first step will be to add VLAN 178 to both of them. Enable Advanced 802.1q (VLAN->802.1Q->Advanced->VLAN Configuration), enter the VLAN ID 178 in the box and click on “Add” at the top.

Now let’s move on to the VLAN Membership configuration. To switch settings, just click on the port and it will switch from tagged->untagged->none.

Netgear 1 device

For VLAN 1 we want port 1 to be (T)agged since it is the trunk to the next switch, and all other ports (U)ntagged since they will be dealing with untagged VLAN 1 traffic. The PVID will also be set to 1 for all ports.

For VLAN 178 we want port 1 to be (T)agged since it is the trunk to the next switch, port 5 (T)agged since it is the connection to the access point, and all other ports “none” since none of those ports are part of VLAN 178.

VLAN overview after changing all the settings:

For this scenario it is sane to leave the Port PVID configuration to PVID 1 on all ports. You could change a port to 178 if you are expecting untagged traffic on that port that needs to be in VLAN 178.

Netgear 2 device

Similar configuration as the first switch so I’ll skip the screenshots. Port 1 is the connection to the Netgear 1 device, port 8 is connected to the Edgerouter.

- all ports PVID 1
- VLAN 1 Tagged port 1 and 8, all other ports untagged
- VLAN 178 Tagged port 1 and 8, all other ports none

Edgerouter Configuration:

Make sure the interface switch0 spans all ports you want to use VLANs on. Add the two VLANs 1 and 178. They should show up in the list as switch0.1 and switch0.178, and you can apply firewall rules to these interfaces to restrict traffic if you are doing any routing between the two networks.
We will want to tag everything from Subnet 178 as VLAN 178 on the interface connected to that network (eth0 in our setup), and allow VLAN 178 on the outgoing interface (eth1 in our setup). The Edgerouter doesn’t need us to specifically allow VLANs already set by the PVID, only additional VLANs need to be specified in the vid field.

Where to go from here?

You could put servers or virtual machines in their own subnet/VLAN and then use a firewall to restrict access between the different networks.

Adding more Access Points is straightforward, UniFi automatically applies the wireless configuration to all Access Points it manages, so all you need to do is take care of the switch port configuration.

Strict-Transport-Security

March 18, 2018April 3, 2018Ryan

I finally got around to setting the Strict-Transport-Security header on all my HTTPS websites. The current age is set to 1 month and I’ll gradually up that to 6 months if no problems pop up.

In case anyone is curious, I terminate SSL on a haproxy, which then sends requests to various backends (containers on the same physical server). This makes it really easy to deal with Let’s Encrypt (just need one agent/script installed on the haproxy host that deals with all incoming /.well-known/acme-challenge/ requests), and I can keep all HTTPS settings central and don’t have to worry about configuration creep or any settings falling through the cracks for oddball subdomains.

How to use ansible to scan for Spectre/Meltdown vulnerable hosts

February 1, 2018February 1, 2018Ryanmeltdown, spectre

First of all head on over to github and download a spectre-meltdown-checker that supports JSON output. Now all we need is a ansible playbook that calls that script:

- name: Run Spectre/Meltdown checker on hosts
  hosts: all
  gather_facts: false
  tasks:
    - script: tools/spectre-meltdown-checker.sh --batch json --live
      register: spectre_output
      failed_when: false

    - set_fact: 
        spectre_json: "{{ spectre_output.stdout|from_json }}"

    - name: Output vulnerability status
      debug: 
        msg: "Vulnerable to {{ item.NAME }} - {{ item.INFOS }}"
      with_items: "{{ spectre_json }}"
      failed_when: item.VULNERABLE
      when: item.VULNERABLE

- name: Run Spectre/Meltdown checker on hosts

hosts: all

gather_facts: false

tasks:

- script: tools/spectre-meltdown-checker.sh --batch json --live

failed_when: false

- set_fact:

spectre_json: "{{ spectre_output.stdout|from_json }}"

- name: Output vulnerability status

debug:

msg: "Vulnerable to {{ item.NAME }} - {{ item.INFOS }}"

with_items: "{{ spectre_json }}"

failed_when: item.VULNERABLE

when: item.VULNERABLE

Important is to adjust the path to spectre-meltdown-checker.sh in the script: task (the path is relative to wherever your playboook file is). Adapt to your needs however you want. It is basically just feeding the output of the script into the from_json filter, storing it in a variable and then iterating over the result via with_items.

Example output:

(vulnerable to CVE-2017-5715 since Intel retracted their microcode updates and haven’t released new ones yet)

Adding CVE information to Nmap scans

January 19, 2018January 19, 2018Ryannmap, security

Last week I stumbled across a nice nmap script that adds CVE information from https://vulners.com/ to the results of nmap scans. Since it relies on version information from services it requires you scan the host with -sV

Example: nmap -sV --script vulners host

The github repository is https://github.com/vulnersCom/nmap-vulners/
You can add the script to your nmap installation with dir=/usr/share/nmap/scripts/ ; curl -ksL https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse >> ${dir}vulners.nse && chmod 0644 ${dir}vulners.nse
(or wherever your nmap script directory is, e.g. /usr/local/share/nmap/scripts/ ).

API for Troy Hunts passwords list

August 14, 2017August 14, 2017RyanAPI, passwords

TL;DR version: https://github.com/ryanschulze/password-check-api

So NIST updated their recommendations on passwords/authentication a few weeks ago. And while a lot of the reporting was about how password complexity was removed in favor of password length, one point I found intriguing was the suggestion to check if a users password falls into one of these categories:

Passwords obtained from previous breach corpuses.
Dictionary words.
Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
Context-specific words, such as the name of the service, the username, and derivatives thereof.

Troy Hunt, the guy behind https://haveibeenpwned.com, deals with a lot of data breaches and made 320 Million passwords from breaches available (at the time of this posting) to help people with checking if passwords that were part of a data breach.

I threw together a small API that can make the data from Troy Hunt easily query-able (or any list of SHA1 hashes for that matter). This can be useful if you have multiple systems that want to query the data, or if you want the data on a separate system.

It’s nothing special, a MySQL backend, a Webserver and an API application using the Slim framework. It’s also stupid fast because there is nothing fancy or special about it. Since it uses a well documented framework it is also easy to change/extend/adjust to your specific requirements.