Trying to set up a Mimecast Sync Engine application on-prem out of the box comes up with

“validation failed: invalid mimecast user or insufficient permissions”

This is because 2FA is enabled by default on all accounts created in Mimecast. You need to create a new Authentication Profile with 2FA disabled, assign it to that user's group, and bind it all together with a Profile.

Fortigate Logging

Flow Trace

Now I will show a flow trace from my computer to 4.2.2.2

diagnose debug reset 
diagnose debug flow filter saddr 10.22.22.122 
diagnose debug flow filter daddr 10.100.1.1 
diagnose debug flow show function-name enable
diagnose debug enable 
diagnose debug flow trace start 100  #display the next 100 packets, after that, disable the flow: 

When complete, you can disable manually with

diagnose debug disable


The output shows which interface the connection came in on; because function-name is enabled you will also see the NAT, routing, IPS and NPU/SPU offloading steps, etc.

Sessions

You can also see the sessions using the following commands

diagnose sys session filter clear
diagnose sys session filter dst 4.2.2.2
diagnose sys session filter dport 53
diagnose sys session list           #show the session table with the filter just set

Use whichever filter works for you: source or destination address as well as ports.


With this filter in place you can clear only the matching sessions by issuing diagnose sys session clear. NOTE: without a filter in place, this will clear ALL sessions on the FortiGate. It is always a good habit to run diag sys session filter ? first to list the filter you have configured.

Packet Capture

You can either use the GUI or the CLI to run packet captures.

diagnose sniffer packet any 'host 8.8.8.8' 4 4 l 
diagnose sniffer packet any 'host 8.8.8.8 and dst port 53' 4 10 a 
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l 

The verbosity is controlled by the following:

verbose:
1: print header of packets
2: print header and data from ip of packets
3: print header and data from ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from ip of packets with interface name
6: print header and data from ethernet of packets (if available) with intf name
count: number of packets
time-format:
a: UTC time
l: local time

You can use the GUI by going to Network, then Packet Capture, then Create.


Speeds

Disable low Data Rates

To turn off rates 1, 2, 5.5, and 11, you go into the CLI on the FortiGate and use the following:

config wireless-controller vap
    edit <vap_name>
        set rates-11a 12-basic 18 24 36 48 54
        set rates-11bg 12-basic 18 24 36 48 54
    end

Channels

Avoid 80+ MHz wide channels in 5GHz and only use 20 MHz channels in 2.4GHz. There are use cases for wider channels, but there is not enough spectrum available today for proper channel reuse in an enterprise deployment or a multitenant environment. You will end up with CCI and ACI (co-channel and adjacent channel interference).

Use the Widest Channel Available

Check your country's DFS channels. These have special rules and must coexist with things like weather radar and military systems. When an AP detects a "hit" on a DFS channel it has to move to a non-DFS channel for a specified time in order to free up that spectrum. In some places DFS is nearly unusable because of frequent DFS hits; in many cases DFS is usable and frees up spectrum. This allows more channels, which also means the potential for 40 MHz wide channels because there is less chance of CCI and ACI.

No 802.11b devices = SGI (Short Guard Interval) on; otherwise off. 11b clients require low (non-OFDM) data rates, which forces the use and ripple of protection mechanisms (e.g. RTS/CTS and CTS-to-Self).

Reduce the number of SSIDs and split networks using authentication methods (RADIUS -> corporate, guest -> guest).


As Google is decommissioning Google Play Music, you have to transfer to YouTube Music.

Upon selecting the Transfer link I got:

YouTube channel you’re currently using isn’t supported for the Google Play Music transfer.

This is because my YouTube channel was a Brand Account.

You can move your Brand account to a Google account so that all your music history data is there: https://support.google.com/youtube/answer/3056283?hl=en

If you go to your advanced account settings: http://youtube.com/account_advanced

And choose

After this it will let you transfer.


Trying to deploy a MAM policy, the Teams app asked to sign into the Intune Portal app, which would not let the user in.

  1. Uninstall Intune app (Company Policy)
  2. Clear Android Settings | Accounts of all work accounts, including any reference to my personal MS account
  3. When opening Teams, rather than saying “switch accounts”, I just logged in using my personal account (the username for which was pre-filled)
  4. I added the Teams account to the Teams app – prompting the flow of:
    1. Installing the Intune app
    2. Granting device administrator privileges (including giving access to Contacts!)
    3. Getting the message that there is no administrator policy (or some such thing)
    4. Adding a PIN to Teams
  5. Getting back to Teams and signing out of my personal account

This seemed to have worked. I went on to test whether the security worked.

  1. Anything I downloaded to my device I couldn’t open (format incorrect)
  2. I could view stuff in Teams but I couldn’t open it on a native app.

Recently I got a second-hand washing machine; on running a test wash the hot water ran but never shut off, which could have flooded the area.

A washing machine has two inlet valves, one for hot water and one for cold. The inlet on this one obviously fails to the closed position when powered off (or it would have started to fill when I turned the tap on), but the electronics could not close the valve when it needed to let in only a certain amount of water.

You can swap inlet valves yourself with a screwdriver and pliers; they cost around 20 USD delivered and you can find them on eBay for the right model. Make sure you get the right one: hot and cold water inlets are different.


SSL 64-bit Block Size Cipher Suites Supported (3DES-CBC-SHA ciphers, RC4-MD5, RC4-SHA)

Legacy block ciphers with a 64-bit block size are affected by a vulnerability known as SWEET32. A man-in-the-middle attacker with sufficient resources can exploit this vulnerability via a "birthday" attack: by abusing SWEET32, an attacker can send a large volume of dummy data and obtain blocks of ciphertext that match those of the organisation.

Attack Process
1. The attacker sniffs all data sent to your customer (external user).
2. The attacker sends dummy data to your server until a key used for a customer matches the attacker's session key.
3. Once there is a match, sensitive data can be decrypted by determining how the key was chosen.

Fix

https://gallery.technet.microsoft.com/Solve-SWEET32-Birthday-d2df9cf1

And

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
"Enabled"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168
"Enabled"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
"Enabled"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
"Enabled"=dword:00000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
"Enabled"=dword:00000000

Server Version Disclosure

Default or misconfigured web servers often disclose the version at multiple locations like HTTP response headers, and at error pages. Attackers can perform banner-grabbing against the webserver by using netcat or telnet, which reveals the webserver, version, and operating system.

On IIS 7

Using the Registry key.

Create a DWORD entry called DisableServerHeader in the following Registry key and set the value to 1.

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

On IIS 6 

1. Install URLScan (a free tool available from Microsoft).
2. Open the URLScan.ini file with a text editor. The file is usually located in the %WINDIR%\System32\Inetsrv\URLscan directory.
3. Search for the key RemoveServerHeader, which is set to 0 by default. Set the value to 1 in order to remove the Server header.

SSLv3, TLS 1.0 protocols

If SSLv3 is enabled on any website, it is vulnerable to the POODLE attack. The remote service accepts connections encrypted using SSL 3.0, which reportedly suffers from several cryptographic flaws.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

Disable SSL V2

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Webserver HTTP Header Internal IP Disclosure

A string matching an internal IPv4 address was found on this page. This may disclose information about the IP addressing scheme of the internal network. This information can be used to conduct further targeted attacks. Internal IP addresses are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. This may also affect other web servers, web applications, web proxies, load balancers, and a variety of misconfigurations related to redirection.

IIS 7.0

appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:"remote.server.domain.com" /commit:apphost

IIS 6.0

To prevent internal IP address disclosure, take the following steps.
1. Open a command prompt and change the current directory to c:\inetpub\adminscripts or to where the adminscripts can be found.
2. Run the commands
adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc
This will cause the IIS server to use the machine’s hostname rather than its IP address.

If running the above on IIS 7 you will get : 

ErrNumber: -2147463162 (0x80005006)
Error Trying To SET the Property: UseHostName

SSL/TLS DiffieHellman Modulus <=1024 Bits (Logjam)

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols, including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The modulus currently in use is a weak one and can be exploited by a determined attacker. Update to a 2048-bit DHE modulus.

Fix
Make sure that you have KB 3174644 installed on the affected server.
Run Regedit on the affected server
Navigate to the following Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms
Create a new subkey named Diffie-Hellman (if it does not already exist).
Inside it, create a new DWORD called "ServerMinKeyBitLength" with the value "00000800" (hex, i.e. 2048 bits).
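The registry changes above (the SWEET32 cipher suites, the SSL 2.0/3.0 server settings, the Diffie-Hellman minimum key length, and the DisableServerHeader value for IIS 7) can be applied and read back in one go. The following PowerShell script is an added example, not code from the original post. It assumes an elevated PowerShell session on the affected Windows server, and it uses the .NET registry classes instead of the HKLM: provider because the provider treats the "/" in key names such as "RC4 128/128" as a path separator and would create the wrong keys. The function names Set-SchannelDword and Get-SchannelDword are my own.

```powershell
# Added example (not from the original post). Run in an elevated session.
# The PowerShell registry provider splits "RC4 128/128" at the "/", so the
# .NET Microsoft.Win32.Registry API is used for every key here.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # CreateSubKey opens the key writable and creates it if it is missing.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$SubKey")
    $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelDword {
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }   # key absent = SCHANNEL default applies
    $value = $key.GetValue($Name)
    $key.Close()
    return $value
}

# 64-bit block ciphers and RC4 suites from the SWEET32 finding: Enabled=0 disables each.
$ciphers = 'DES 56/56', 'Triple DES 168', 'RC4 40/128', 'RC4 56/128', 'RC4 128/128'
foreach ($c in $ciphers) { Set-SchannelDword "Ciphers\$c" 'Enabled' 0 }

# SSL 2.0 and SSL 3.0 on the server side (POODLE).
$protocols = 'SSL 2.0', 'SSL 3.0'
foreach ($p in $protocols) { Set-SchannelDword "Protocols\$p\Server" 'Enabled' 0 }

# Logjam: require a 2048-bit (0x800) DHE modulus. KB3174644 must be installed first.
Set-SchannelDword 'KeyExchangeAlgorithms\Diffie-Hellman' 'ServerMinKeyBitLength' 0x800

# HTTP.sys: stop IIS from sending the Server: header.
$http = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
    'SYSTEM\CurrentControlSet\Services\HTTP\Parameters')
$http.SetValue('DisableServerHeader', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
$http.Close()

# Read everything back so the result can be checked before rebooting.
foreach ($c in $ciphers) {
    '{0,-16} Enabled={1}' -f $c, (Get-SchannelDword "Ciphers\$c" 'Enabled')
}
foreach ($p in $protocols) {
    '{0,-16} Enabled={1}' -f "$p Server", (Get-SchannelDword "Protocols\$p\Server" 'Enabled')
}
'Diffie-Hellman   ServerMinKeyBitLength={0}' -f `
    (Get-SchannelDword 'KeyExchangeAlgorithms\Diffie-Hellman' 'ServerMinKeyBitLength')
```

SCHANNEL only reads these values at boot, so reboot the server after running the script and re-run the vulnerability scan that raised the findings to confirm the cipher suites, SSL 2.0/3.0 and the weak DH modulus are no longer offered. Test TLS connectivity from the oldest client you still need to support before doing this on a production server.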


Problem Description:

  1. [FSM:FAILED]: Cap the power consumption of chassis 1(FSM:sam:dme:EquipmentChassisPowerCap). Remote-Invocation-Error: Error in setting power cap budget-MC Error(-5): Error Executing Command
  2. Warning: there are pending management I/O errors on one or more devices, failover may not complete.

UCS-FI-M-6324

UCSM:Package-Vers: 3.1(3a)A

Action Taken:

+ Tried changing the power cap policy from chassis level to blade level and back to chassis level; the fault did not clear.

Rebooted FI-IOM B; all faults cleared.
