MFA in Office 365, not talkin’ bout Azure

Microsoft is frustratingly vague about support for basic MFA in all Office 365 offerings. They have these lists of feature support across different packages, which go into great detail and yet don’t include basic MFA. Maybe this post will get up in the rankings so others don’t have to spin their wheels looking for an answer.

My results for licenses that have basic MFA include:

  • F1
  • Business Premium
  • E1
  • E3
  • E5

I have not tested Business Essentials or Exchange Online licenses yet. However, I do have an old Exchange Online Kiosk account and it appears to allow enabling it.

In fact, when I try to enable MFA there does not appear to be a restriction based on license type. Let me know your results!

OpenVAS on the Raspberry Pi 4 works really well!

I’ve been trying to set up OpenVAS on a tiny PC like the RPi lately. Based on this post: https://dayne.broderson.org/2018/05/24/RPi_Vulnerability_Scanner.html

I wasn’t expecting much success. And that’s what I found. It wasn’t really usable. I saw the TinkerBoard and the extra performance and RPi compatibility and thought that might be a good thing to try. I was never able to get a working mix of software on the Tinker. The repositories aren’t quite the same and some of the necessary packages, OpenVAS in particular, are not maintained.

Then the RPi4 was announced. I knew this might be the ticket to making this work. 4GB of RAM!!! Unfortunately, the 4GB model isn’t available yet, as far as I can tell. I decided to wait. Then I found out my sometimes partner in crime, Steve, had ordered a pair of 2GB models. Of course, I asked if I could borrow one.

I’m happy to report that the install is simple and it was able to scan my /24 that averages about 75 IP’s in about 3 hours! I didn’t modify anything performance related and didn’t have any of the problems that Dayne referenced.

I do need to sort through a few logistic issues to make this functional in the way I’m thinking. For one thing, I want to run this headless. No problem, except OpenVAS (specifically the GSA web management) is finicky about identifying the IP address it’s listening on. So far I have to manually set it and haven’t figured out how to make it work with 0.0.0.0. I’ll find a way. I also had a problem with the management interface failing due to memory starvation. I think. The scan will continue to run, so it’s not a showstopper. I’m hoping the 4GB will help with that. I also think it’ll be helpful to throw some heatsinks on. It seemed to get pretty hot.

Without further pre-amble, the steps I took. This is very similar to Dayne’s post with a few exceptions:

sudo apt update
sudo apt upgrade
sudo apt autoremove //habit for me
sudo apt-get install openvas
sudo openvas-setup //this took a good hour, maybe more, to run. Lots of errors, but it seems to have been ok.
sudo openvas-start

This is the part I haven’t sorted out yet. You need to update the service config files to reflect something other than 127.0.0.1. I tried 0.0.0.0 and was unsuccessful. When I changed it to the DHCP IP address it worked. I don’t see this as being a good solution as I intend on using this in different environments. Regardless, here are the commands until I can sort out the right answer:

sudo nano /lib/systemd/system/greenbone-security-assistant.service
sudo systemctl daemon-reload
sudo service greenbone-security-assistant restart

sudo nano /lib/systemd/system/openvas-manager.service
sudo systemctl daemon-reload
sudo service greenbone-security-assistant restart
sudo service openvas-manager restart
sudo service openvas-scanner restart

And my GS service line that I edited in the above command:
ExecStart=/usr/sbin/gsad –foreground –listen=0.0.0.0 –port=9392 –mlisten=0.0.0.0 –mport=9390 –allow-header-host=192.168.169.198

The –allow-header-host is the problem I need to fix. I’ll update as I make improvements. One of my goals is to attach a small LCD that will display the IP address.

OpenVAS for simple vulnerability scanning

I’ve been looking for a simple security vulnerability scanning tool for a while now. OpenVAS looked promising in the past, but I always had trouble getting it to work. I decided to work through it this weekend and figure out what I was doing wrong. In a nutshell, here it is:

GSM Community Edition and lagging OpenVAS Plugin Feed

The bottom line is that the free community version doesn’t update the feed except for daily. Per the link, you can manually force it at the initial setup and then wait about 30 minutes for the feed to download. This is what I did and now I have an excellent scanner! I also now have a list of things to fix on my home network. 🙂

Ubiquiti USG site to site VPN with a single controller

Quick note about how to make this work. If you want to have two Unifi Security Gateways connect to a single controller at one location, you need to open up a couple of ports. Specifically, 8080 and 8443 need to be open to the controller. I strongly suggest you make sure you have a fixed IP at the remote side and you lock down the ACL (port forward) to only allow traffic to 8080 and 8443 from that remote public IP. Once you have that in place, you can have the remote USG be adopted by the controller’s public IP. Be sure to add it to a different site.

After adoption is successful in the controller, turning on the site to site VPN is trivial. In Networks you create a new network. Select Site-to-site VPN from the “home” site network configuration. You should see the new remote site listed at the bottom. Simple as that.

More vSphere and VT-d, some success but not for long

I made another attempt at using VT-d for my cameras by going with Zoneminder under Linux. This actually worked and seemed to work ok but I really dislike Zoneminder! I tried Motion and kMotion instead and the good news is it works…for longer. I’m still having problems with kernel crashes after a day or two. It’s encouraging but I’m not sure I want to fuss with it anymore. Maybe I’ll try Zoneminder one more time just in case the kernel wants to behave.

vSphere and VT-d not so rosy

Actually, it works but with limitations. No shock there. It turns out the PV-149 CCTV capture card I’m trying to pass through presents each channel as a separate Video and Audio device. What that means is I end up with 8 PCI devices that need to be extended. I’m running into a problem that might be specific to VMWare or VT-d where I can’t passthrough more than 6 PCI devices. This isn’t too big a deal as I don’t use the audio channels but I’m worried now that the missing audio is causing some BSOD’s. I’m still investigating.

Otherwise, vSphere is running pretty nice.

Cisco ASA Standby device “copy TFTP” syntax

That’s a mouthful. I’ve been having a hard time figuring out how to successfully transfer images to the Standby ASA’s flash from the Active’s CLI. Finally figured it out. Here’s the syntax:

failover exec standby copy /noconfirm tftp://{ip address}/{file name} disk0:/{file name}

Without the /noconfirm it’ll fail. You also need a standby ip address on the interface facing the tftp server and I haven’t confirmed this but I think it might also need to be on the same subnet. I’m still having some trouble with a situation where the standby ASA would have to reach another subnet.

iPhone VPN and Cisco IOS, Part2

I previously posted about some luck I had getting IPSEC VPN to work from my iPhone to my IOS router/firewall. That post is now kind of useless because the source blog disappeared about a year ago. So, in order to make this useful again I’m posting my full IOS code (obfuscated for obvious reasons). Change the IP addresses and the group name and password and you should be good to go. This uses the new(ish) method in IOS of zone based firewall. It’s overly complex and really hard to parse for anything remotely complicated but it’s what I’m working with. You’ll notice I used the SDM for most of the config. Yep, I’m lame and I’m not afraid to admit it. All of that zone config typing would have been a pain in the butt! Also, be sure to use a pool that is different from your “inside” subnet. Won’t work otherwise. Also, it should be obvious but this config uses local users so you need to add at least one of those.

Keep in mind this will all change when iPhone OS4 comes out as it’s supposed to support SSL VPN’s. Finally. The IPSEC works perfectly fine for now though. I’ve not tested this on my iPad yet since I haven’t had it out of the house…and it’s not a 3G model. Don’t see why it wouldn’t work though.

And now the code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_2 local

crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2

crypto isakmp client configuration group mygroupname
 key something_goes_here
 dns 192.168.x.x
 pool SDM_POOL_2
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group mygroupname
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_2
   client configuration address respond
   virtual-template 2

crypto ipsec transform-set aes-transform esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set aes-transform
 set isakmp-profile sdm-ike-profile-1

class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC

policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default

zone security ezvpn-zone

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip

interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1

ip local pool SDM_POOL_2 192.168.y.y 192.168.y.z

ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any