Categories
Network Sophos Web

Set up Sophos UTM WAF with Let's Encrypt

This is a requested one, so I will only sum up the important bits. The integrated web application firewall is very powerful: it lets you host several web applications behind one IP, over both http and https. With the latter you can use the built-in Let's Encrypt integration. Try this quick how-to to get started.

If you plan to use Let’s Encrypt, start by going to Certificate Management, Advanced, and tick Allow.

Allow Let’s Encrypt certificates

Next, create a certificate under Certificates.

Add Certificate
Name: Name of your certificate.
Method: Let's Encrypt
Interface: The interface the Let's Encrypt validation servers should connect to (WAN).
Domains: One or several domains; the certificate can be used on multiple virtual webservers.

Go to Web Application Firewall, Real Webservers, and create a new server.

New Real Webserver
Name: Can be anything you want.
Host: Where your actual web server is.
Type: Whether the traffic to the real server is encrypted or not. HTTP is fine here, since we encrypt on the virtual webserver later.
Port: Port of your web service on the specified host.
Advanced: Leave default.

Save.

Go to Virtual Webserver and create new.

New Virtual Webserver
Name: Can be anything you want.
Interface: Where the traffic comes from (WAN).
Type: How you want the traffic to reach your WAF. "Encrypted & redirect" will redirect http to https.
Port: What you want to expose from the Internet.
Certificate: Your created certificate.
Domains: Check only the domains you want to associate with this web server.
Real Webserver: The real web server created earlier.
Firewall profile: Advanced features for a later time.
Theme: If you use Firewall profiles.
Advanced: Pass host header may be required by some web servers.

Save.

At this point you can enable both servers and access your web application on the domain(s) you used.
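Once the virtual webserver is enabled, this added check script (not from the original post) confirms from the outside that plain http is redirected to https and shows which CA issued the certificate and when it expires. It assumes curl and openssl are installed where you run it, and that the domain you pass is one of the names on the Let's Encrypt certificate.

```shell
#!/bin/sh
# Added verification script, not part of the original post.

# Extract the Location header value from raw HTTP response headers on stdin.
# Prints the target URL, or nothing when the response is not a redirect.
redirect_target() {
    tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Succeeds when the redirect target is the https version of the same host.
is_https_redirect() {
    host="$1"
    target="$2"
    case "$target" in
        "https://$host"|"https://$host/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against a virtual webserver: verifies the "Encrypted & redirect"
# behaviour and prints issuer, subject and validity dates of the served cert.
check_virtual_webserver() {
    domain="$1"
    location=$(curl -sI --max-time 10 "http://$domain/" | redirect_target)
    if is_https_redirect "$domain" "$location"; then
        echo "OK: http://$domain/ redirects to $location"
    else
        echo "WARN: no https redirect for $domain (Location: '${location:-none}')"
    fi
    # -servername sends SNI so the WAF picks the certificate for this domain
    openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer -subject -dates
}

# Usage (replace with one of your own domains):
# check_virtual_webserver example.com
```

The issuer line should name Let's Encrypt; if it still shows the UTM's self-signed default certificate, the certificate was not picked on the virtual webserver or the domain is not on it.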

Categories
Server Software Ubuntu

Change hostname on Ubuntu 18.04 LTS

If you have cloud-init installed you will have to edit

sudo nano /etc/cloud/cloud.cfg

to preserve your new hostname.

# This will cause the set+update hostname module to not operate (if true)
preserve_hostname: true

When that is done, run the rename command

sudo hostnamectl set-hostname new-hostname

Edit /etc/hosts so it corresponds with your new hostname

127.0.0.1   localhost
127.0.0.1   new-hostname

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

You can verify your changes by running

hostnamectl

At last, reboot and it should show the correct hostname.
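The steps above as one added script (not from the original post) that you can run as root: it sets preserve_hostname in cloud-init's config, renames the host with hostnamectl and rewrites the old name in /etc/hosts. It assumes cloud-init's config lives at /etc/cloud/cloud.cfg and that hostnamectl is available, as on Ubuntu 18.04.

```shell
#!/bin/sh
# Added example script, not part of the original post.

# Set preserve_hostname: true in a cloud-init config file, replacing an
# existing value or appending the key when it is missing.
set_preserve_hostname() {
    cfg="$1"
    if grep -q '^preserve_hostname:' "$cfg"; then
        sed -i 's/^preserve_hostname:.*/preserve_hostname: true/' "$cfg"
    else
        printf '\n# Keep the hostname set with hostnamectl across reboots\npreserve_hostname: true\n' >> "$cfg"
    fi
}

# Replace every whole-field occurrence of the old hostname in a hosts file
# with the new one. Comment lines and unrelated entries are left untouched;
# only rewritten lines get their whitespace collapsed to single spaces.
update_hosts() {
    hosts="$1"; old="$2"; new="$3"
    tmp="$hosts.tmp.$$"
    awk -v old="$old" -v new="$new" '
        /^[[:space:]]*#/ { print; next }   # keep comments as-is
        { for (i = 2; i <= NF; i++) if ($i == old) $i = new; print }
    ' "$hosts" > "$tmp" && mv "$tmp" "$hosts"
}

# Full procedure: cloud-init, hostnamectl, /etc/hosts, then show the result.
rename_host() {
    new="$1"
    old=$(hostname)
    [ -f /etc/cloud/cloud.cfg ] && set_preserve_hostname /etc/cloud/cloud.cfg
    hostnamectl set-hostname "$new"
    update_hosts /etc/hosts "$old" "$new"
    hostnamectl   # static hostname should now show the new name; reboot after
}

# Usage: rename_host new-hostname
```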

Categories
Server Software Windows

Upgrade Windows edition with Dism

Have you downloaded the Evaluation ISO and want to make it real? Not a problem with Dism.

# Get current edition
C:\>Dism.exe /online /Get-CurrentEdition

# Get editions that you can upgrade to
C:\>Dism.exe /online /Get-TargetEditions

# Upgrade to desired edition
C:\>Dism.exe /online /Set-Edition:ServerStandard /AcceptEula /ProductKey:C3RCX-M6NRP-6CXC9-TW2F2-4RHYD

The above key is the AVMA activation key for Server 2016 Standard. You can find more keys here if you have Datacenter on your host.

Dism documentation: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-windows-edition-servicing-command-line-options

Categories
Server Software Ubuntu

Upgrade Landscape On Premises to 19.10

Another release goes by and I wanted to write a short one about upgrading this time. Be sure to have the latest Ubuntu update – when I write this that would be 18.04.3 LTS. And guys, always backup first!

sudo add-apt-repository -u ppa:landscape/19.10
sudo apt-get update
sudo apt-get dist-upgrade

Refresh your Landscape site when done to see the new version. If you want to clean up the old PPA, run this (not necessary).

sudo add-apt-repository --remove ppa:landscape/19.01

I wrote about installing Landscape here. And you can find the Landscape documentation here.

Categories
Network Software Web Windows

Update FreeDNS with PowerShell and Task Scheduler

After my long loved Raspberry Pi died I needed a new way to update a dynamic DNS. I recently discovered the Invoke-WebRequest cmdlet that lets you send an HTTP(S) request and parse pretty much whatever you get in return. My use for this is to keep a site-to-site VPN to my lab up and running.

# Change Path to desired log location and Uri to your Direct or Token URL from FreeDNS
$LogPath = "C:\Scripts\Update-FreeDNS.log"
$Uri = "http://sync.afraid.org/u/your_token/"

# No need to change this. -UseBasicParsing skips the Internet Explorer engine,
# which is not set up for a service user that has never logged on interactively.
try {
    $Result = (Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content
} catch {
    $Result = "ERROR: $($_.Exception.Message)"
}
Add-Content -Path $LogPath -Value "$(Get-Date) $Result"

Your log file will look something like this

11/13/2019 18:00:03 No IP change detected for your.dyn.dns with IP 28.100.14.108, skipping update
11/13/2019 19:00:03 No IP change detected for your.dyn.dns with IP 28.100.14.108, skipping update
11/13/2019 20:00:03 No IP change detected for your.dyn.dns with IP 28.100.14.108, skipping update

Save this file somewhere that makes sense, for example C:\Scripts.

  • Open Task Scheduler, select Task Scheduler Library on the left and click Create Task on the right
  • Name your task "Update-FreeDNS" or something else descriptive
  • You have to check "Run whether user is logged on or not"; if you do not want your own credentials to be saved, create a dedicated user and change to that
  • On the Triggers tab you can create a schedule that suits your needs. I use every hour, but this is totally up to you
  • Under Actions click New and paste the following
Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Add arguments: "C:\Scripts\Update-FreeDNS.ps1"
  • At this point you are finished with the necessities, but feel free to click around to see if you need any more options
  • Click OK and you will be asked for the password of the user the task runs as
  • Run the task on demand and see the result in the log file

As always, ask if anything is unclear.

Categories
Server Software Windows

How to safely clean up WinSxS

Windows Update may on some occasions not clean up after itself. The fastest and safest way to do so is to run the following.

C:\>Dism.exe /online /Cleanup-Image /StartComponentCleanup

For more options and documentation you can read the source here:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder

Categories
Server Software Windows

Server Manager in Windows Server Core

Just because I find myself googling this every other week, I have to make a short post about it.

To launch Server Manager, simply log in and type

C:\>sconfig

Categories
Hardware Network Software Sophos

Sophos UTM

Yes! I have been looking forward to this one. In the following weeks I intend to publish a series of informative guides on Sophos UTM. My experience with XG is limited, but I have over five years of everyday configuration of the UTM.

My latest buy for the lab is a Sophos SG 330 which I plan to get working with a Home License. Let's see how it goes.

To be continued…

I have attached the brochures for anyone to see here, great read. 

Sophos SG Rev. 1

Sophos SG Rev. 2

Sophos SG Rev. 3

Sophos XG Rev. 3

Categories
Network Software

Using the UniFi line as wlan controller part two

As I started to use the new setup, I realized more and more that I needed access to my lab (outside of plain rdp), especially with my laptop and phone. I tried several ways to solve this. Without any knowledge about the USG I had to try and error for some time before I found a reasonable solution.

The best option would be to make site-to-site IPsec to make use of all my old rules, but I could not get that working whatever I did. The USG still routed the traffic to the lab through wan and not through the tunnel. Anyway, next up was straight up static routes. Which is somewhat successful.

But, and this is a big one. Since the UniFi Controller does not expose any NAT rules in the UI there is no way (yes there is) to disable masquerading whenever a packet is leaving the wan interface. I have read by now that there are ways to manually add rules, but I feel that is for next time.

I read up on this article about how the firewall in the USG works (IN/OUT/LOCAL) and made all the necessary rules and finished with a deny rule for the rest. At the lab end there is simply an allow rule from the USG's address. I found posts from Ubnt officials from back in 2017 saying NAT will be exposed in the Controller any time. We'll see. For now this is OK.

Please feel free to comment if there is anything I should do differently about this setup (or anything else).

Categories
Software Ubuntu Web

Install Nginx Proxy Manager (npm)

As I myself struggled to solve this, I shall help others.

Nginx Proxy Manager is a genius and powerful GUI to manage Nginx. It helps you create Proxy servers, redirects and certificates and control these options very smoothly.

I started with a plain install of Ubuntu Server 18.04 LTS and selected Docker during the install. The following commands will bring all the software up to date and clean up afterwards.

sudo -s
apt update
apt upgrade
reboot
sudo -s
apt autoremove

Then it is time for NPM.

sudo -s
mkdir npm
cd npm

At this point I know you can clone/pull from Git, but I was eager to run this tool with the knowledge I had in the fastest possible way. With that, I used the example files and got going.

touch config.json
touch docker-compose.yml

Your npm-folder should look like this.

root@docker:~/npm# ls
config.json docker-compose.yml

Edit these settings to your liking (or don't) and paste them in accordingly.

config.json

{
  "database": {
    "engine": "mysql",
    "host": "db",
    "name": "npm",
    "user": "npm",
    "password": "npm",
    "port": 3306
  }
}

docker-compose.yml

version: "3"
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    restart: always
    ports:
      - 80:80
      - 81:81
      - 443:443
    volumes:
      - ./config.json:/app/config/production.json
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    depends_on:
      - db
    environment:
      # if you want pretty colors in your docker logs:
      - FORCE_COLOR=1
  db:
    image: mariadb:latest
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: "npm"
      MYSQL_DATABASE: "npm"
      MYSQL_USER: "npm"
      MYSQL_PASSWORD: "npm"
    volumes:
      - ./data/mysql:/var/lib/mysql

While still in the directory run docker-compose to download and build the container.

docker-compose up -d

After a minute or two you should have a fully working manager for Nginx. Find your login at http://ip.or.name:81.

Default admin is
un: admin@example.com
pw: changeme
Change these on first login, since port 81 is exposed to anyone who can reach the host.

Please go read more at the developers site – https://github.com/jc21/nginx-proxy-manager – all credit goes to him.