Category: Security

Ansible Tower – Custom Credentials Type

Post author By charlieroot
Post date May 27, 2020

Within playbooks you occasionally connect to external applications or services, in my case Zabbix and ServiceNow. Because I also need login details and do not want to leave this plain text in playbooks, I use a 'Custom Credentials Type'. The advantage of this is that I can use the login details within a playbook (as a macro) and they are stored encrypted in Ansible Tower.

I first create a new credential type by defining the fields it will have and how these will be passed to my playbook. Credential types consist of two parts – “inputs” and “injectors“.

Inputs:
define the value types that are used for this credential – such as a username, a password, a token, or any other identifier that’s part of the credential.
Injectors:
describe how these credentials are exposed for Ansible (or us) to use – this can be Ansible extra variables, environment variables, or templated file content.

Both these configurations are specified as YAML or as JSON. In my case, the new credential type is called "ServiceNow" and i’m providing the instance, username and password as part of this credential type:

fields:
  - id: instance
    type: string
    label: ServiceNow Instance
  - id: username
    type: string
    label: ServiceNow Username
  - id: password
    type: string
    label: ServiceNow password
    secret: true
required:
  - instance
  - username
  - password

Then in the Injector configuration:

extra_vars:
  snow_instance: '{{ instance }}'
  snow_password: '{{ password }}'
  snow_username: '{{ username }}'

Now go to Credentials and add a new one, selecting "ServiceNow" as Credential Type:

Thats it! When you link this credential to your host, or playbook, you can use this credentials from within your playbook!

Tags Ansible, ServiceNow, zabbix

Linux Networking Security

Ubuntu 18.04 – OpenVPN Server in less then 5 minutes

Post author By charlieroot
Post date December 1, 2019

OpenVPN provides flexible VPN solutions to secure your data communications, whether it's for Internet privacy, remote access for employees, securing IoT, or for networking Cloud data centers. Our VPN Server software solution can be deployed on-premises using standard servers or virtual appliances, or on the cloud.

Prepare your system

Make sure all latests packages and updates have been installed:

$ sudo apt update
$ sudo apt upgrade
$ sudo apt dist-upgrade

Download and run installation script

$ wget https://git.io/vpn -O openvpn-install.sh
$ sudo chmod +x openvpn-install.sh
$ sudo ./openvpn-install.sh

The script will ask you some questions for it's basic configuration.
- When your IP address is asked, choose your WAN (public) address
- When protocol is asked, i recommend default UDP
- Port can be anything you want, i normally keep default
- When asked, pick 1.1.1.1 as your DNS server as this is one of the fastest currently online.

After this the installation will go ahead and inform you when it's done. You can verify if OpenVPN is running or not:

$ sudo systemctl status openvpn@server # <--- get server status

You can start or stop OpenVPN with the following commands:

$ sudo systemctl stop openvpn@server # <--- stop server
$ sudo systemctl start openvpn@server # <--- start server

Client configuration

At the end of the installation you whould see a message like this:

Your client configuration is available at: /root/bontekoe.ovpn

As i am using Linux (Ubuntu) on my laptop, i can simply copy that ovpn file to my computer using scp.

$ sudo scp root@88.99.189.27:/root/bontekoe.ovpn /etc/openvpn/client.conf

This should be enough to connect! Check if everything is working by running:

$ sudo openvpn --client --config /etc/openvpn/client.conf

Now, by opening another terminal you should be able to ping 10.8.0.1 (the VPN host).

If you are running windows, there is a client here.

Linux Networking Security

SSH Tunnel to watch Netflix

Post author By charlieroot
Post date July 17, 2019
No Comments on SSH Tunnel to watch Netflix

I often use a 'hopping server' when connecting to clients, that means i need to login twice each time. To make my life easier i sometimes use an SSH tunnel so i can connect to clients directly.

SSH Tunnel can also be usefull when your office blocks netflix 😉

Local Port Forwarding

This will allow you to access remote servers direcly from your local computer. Let's assume you want to use RDP (3389) to a clients hosts (10.0.1.1) and your hopping server is 'hopping.server'

ssh -L 6000:10.0.1.1:3389 wieger@hopping.server

Now you can open Remote Desktop and connect to 'localhost:6000', directing you through the tunnel!

Remote Port Forwarding

This will make your local service/port acccessible from a remote host. Sometimes i use this to keep a 'backdoor' and login remotely (home or whatever).

Let's say you want to make a webapplication (TCP 443) availible at port 6000 on the remote SSH server

ssh -R 6000:localhost:443 wieger@bontekoe.technology

Now you should be able to connect to port 6000 on the remote host (bontekoe.technology)

Dynamic Forwarding (Proxy)

This is ideal for people who want to use the internet safely/anonymous or for offices where Netflix is blocked 😉

Use a remote server to tunnel all web traffic (eg. home server), connect through SSH to it using the -D flag

ssh -D 6000 wieger@bontekoe.technology

Now open up your browser settings, navigate to the connection properties and enter a Proxy server (manually using SOCKS). Use 127.0.0.1 as host and 6000 as port. The tunnel will remain open as long as you are connected through SSH.

Tags ssh

Security

Encrypt email with PGP

One of the most popular methods to encrypt messages is PGP, which is a cryptography system quite widespread on the Internet. Using PGP we can encrypt a message end-to-end. There are many tools that can help, i use Gpg4Win (Free tool, works with Outlook).

Download Gpg4win here.

Once the download is finished, fire up the installer. It's pretty much next-next finish. Optionally you can select "browser integration" during the installation process.

After the installation open it for the first time and click "New Key Pair", it will request your name and e-mail address. Hit "Create" so start the generation process. Also, it will ask a password to secure the private key. Once done, it will tell you "Key pair successfuly created" - you are good to go.

To access your public key, right click anywhere on the bar where it lists your name and email address. Select the option in the drop-down menu that says Export. Save the file somewhere, you can share this with other people you want to safely communicate with.

Now it’s time to find your private key. You will need it to decrypt messages that you receive. Right click on the bar where your certificate is displayed, then select Export Secret Keys. Save this file in a safe location!

In order to communicate safely with somebody you will have to import their public key in to Kleopatra. To search for someone’s public key, click on the Lookup on Server and simply search for e-mailaddresses. Found the person you were looking for? Right click and hit "Import". It will ask for confirmation, if correct hit Yes.

Here comes the magic. Open up Outlook and create a new email. In the top bar you will find a new header ("GpgOl"). Add the person you just imported in the "TO" field, add some content in the email and hit "Encrypt". If required, select the certicate that matches the recipient and hit "OK". Now you will see the message completely crypted.

For receiving a crypted email it's very simple, go to the top bar (GpgOL) and hit Decrypt. Remember, you must have this persons public key imported.

Tags pgp