Sophos UTM v9 ships with the tcpdump utility, so you can run packet captures from the shell. That is fine as far as it goes, but to look at those captures in Wireshark you have to write them to a file with -w, copy the file off the firewall, then open it in Wireshark. Annoying. All of it.
What if we could stream the capture to Wireshark over an SSH tunnel instead? We can, but it turns out to be a bit tricky on Windows, and the authentication piece needs some setup: we want to run tcpdump as root without logging in as loginuser first and switching users by hand. How? Keep reading…
First, the necessary ingredients:
- Sophos UTM
- Wireshark (or your favorite pcap application)
- PuTTY suite (specifically Plink and PuTTYgen)
To start, we’ll need to enable Shell Access in WebAdmin (Management > System Settings > Shell Access), turn on public key authentication, and allow root login only with an SSH key (no root password login).
We need PuTTYgen to generate the key pair we’ll use for root authentication. Open it, click Generate, then copy the public key from the text box at the top of the PuTTYgen window (not the file written by Save public key, which is in a format the UTM’s authorized_keys will not accept) into Authorized keys for root in the UTM, apply and save… and also Save private key somewhere you’ll remember. We’ll need this for Plink. Treat that .ppk file as a root credential for your firewall: keep it off shared drives, and consider giving it a passphrase and loading it into Pageant rather than storing it unprotected.
There’s our new key…
Then run the actual magic using Plink. Take the following command as an example:
plink -ssh root@firewall.domain.com -i C:\ssh-priv.ppk "tcpdump -s 0 -U -n -w - not port 22 and not host 192.168.0.1" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
Replace firewall.domain.com with your firewall’s actual FQDN, C:\ssh-priv.ppk with the location of the private key you saved from PuTTYgen, and 192.168.0.1 with the IP address of the firewall interface you’re connecting to. The not port 22 and not host parts of the filter are not optional: without them tcpdump would capture the SSH session that carries the capture itself, each captured packet would generate more SSH traffic to capture, and the feedback loop would grow until the link is saturated.
Wireshark will open and start showing packets. You can smile and jump now.
You can modify the tcpdump parameters to better match what you want to capture, for example -i eth1 to capture on a specific interface, or a tighter BPF filter for specific traffic. Note that not host 192.168.0.1 also hides every other flow to and from that firewall address; if you need to see those, exclude only the capture session instead, e.g. not (host 192.168.0.10 and port 22) where 192.168.0.10 is the workstation running Wireshark. Once you’re done, just close Wireshark and Ctrl+C the command.
Note that if you’re doing this capture remotely over a WAN or the Internet, every captured packet is tunnelled over SSH, so the capture uses at least as much bandwidth as the traffic you’re capturing. Narrow the interface or the filter to keep the volume down.
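Putting the steps above together, here is a PowerShell wrapper for the Plink, tcpdump and Wireshark pipeline. It is an added example, not code from the original post or from Sophos; the firewall name, key path, workstation IP and program paths are assumptions you replace with your own. It excludes only the SSH session carrying the capture rather than the whole firewall address, refuses to prompt (so a pipe cannot hang on a host-key or passphrase question), and hands the pipe to cmd.exe because Windows PowerShell 5.1 and PowerShell 7 before 7.4 pass native-command output through their pipeline as text, which corrupts the binary pcap stream.

```powershell
<#
Start-UtmCapture.ps1 (added example, not part of the original post).
Streams a live tcpdump capture from a Sophos UTM to a local Wireshark
window over SSH, using the root SSH key set up above.
All default paths and names below are assumptions; replace them.
#>
param(
    [Parameter(Mandatory)] [string]$Firewall,   # e.g. firewall.domain.com (assumption)
    [Parameter(Mandatory)] [string]$KeyPath,    # .ppk saved from PuTTYgen (assumption)
    [Parameter(Mandatory)] [string]$MyIp,       # this workstation's IP as the UTM sees it
    [string]$Interface = '',                    # tcpdump -i on the UTM, e.g. eth1; empty = tcpdump default
    [string]$Filter    = '',                    # extra BPF, e.g. 'port 443'
    [string]$Wireshark = 'C:\Program Files\Wireshark\Wireshark.exe',  # assumption
    [string]$Plink     = 'plink.exe'            # assumption: on PATH
)

foreach ($p in @($KeyPath, $Wireshark)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
}
if (-not (Get-Command $Plink -ErrorAction SilentlyContinue)) { throw "Plink not found: $Plink" }

# Exclude only the SSH session that carries this capture, not every flow to
# and from the firewall. Without this exclusion tcpdump would see the tunnel's
# own packets, send them down the tunnel, see those too, and so on.
$bpf = "not (host $MyIp and port 22)"
if ($Filter) { $bpf = "($Filter) and $bpf" }

# -s 0 full packets, -U flush per packet so Wireshark updates live,
# -n no name resolution on the UTM, -w - write pcap to stdout.
$iface  = if ($Interface) { "-i $Interface " } else { '' }
$remote = "tcpdump ${iface}-s 0 -U -n -w - $bpf"

# -batch: fail instead of prompting, since any prompt would hang the pipe.
# Cache the UTM host key once with an interactive PuTTY login (or pin it
# with -hostkey), and load a passphrase-protected key into Pageant first.
$cmdLine = "`"$Plink`" -batch -ssh -i `"$KeyPath`" root@$Firewall `"$remote`" | `"$Wireshark`" -k -i -"

# cmd.exe runs the pipe so the pcap bytes pass between the two programs
# untouched; a PowerShell '|' between native commands would re-encode them.
Write-Host "Running: $cmdLine"
& cmd.exe /c $cmdLine
```

Run it as `.\Start-UtmCapture.ps1 -Firewall firewall.domain.com -KeyPath C:\ssh-priv.ppk -MyIp 192.168.0.10 -Interface eth1 -Filter 'port 443'`. Ctrl+C in the console stops Plink, and closing Wireshark ends the pipe from the other side.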
Have fun!!!
The ‘issue’ with HA configuration
When you set up High Availability (HA) on a Sophos UTM, you simply select the interface your UTMs are connected through as the Sync NIC, name the device (e.g. Node1), press Apply, then change the operation mode to Hot Standby (active-passive), as shown below.
This is quick and easy to set up, but it’s also easy to forget the details you’ll want later for diagnostics: what if I need shell access to the SLAVE node? What is its IP address? How are the two nodes communicating at all?
Behind the scenes both nodes do get an IP address on the sync link, specifically one from the RFC 2544 range 198.18.0.0 to 198.19.255.255 (198.18.0.0/15), the IPv4 address space IANA reserves for network benchmark testing.
In order to truly understand what we are doing we need to first SSH to our MASTER node.
First gain access to the master node
Assuming you have shell access enabled on the MASTER (settings shown below), those settings and credentials replicate to the SLAVE node.
Continue to use your favourite utility for shell access; I’m going to use PuTTY in this example.
NOTE: If this is your first time SSHing into a UTM, keep in mind that you must log in as loginuser first and then elevate to root (via su -).
Now SSH into the MASTER node. You don’t need root for this, but if you want it anyway, run su - once you’re logged in as loginuser.
Now that you’re logged into the shell of the MASTER node, we can finally get into the SLAVE node.
Gaining access to the slave node from the master node
There are two useful commands in our arsenal that help us understand what is going on here.
ha_daemon -c status
This shows the basic status of the HA setup, including the IP addresses of the MASTER and the SLAVE on the sync link.
Here we can see that the current mode is HA MASTER, because we are currently logged into the MASTER node.
ha_utils ssh
This is the more useful of the two: it looks up the SLAVE’s sync-link IP address automatically and opens an SSH session to it as loginuser, prompting you for the loginuser password.
Once you’re logged in, that’s it! You can now check it over.
It’s not often you’ll need to get onto the SLAVE on its own, since all changes on the MASTER replicate to the SLAVE, but on the off chance that you do, you can now have peace of mind that there is a way.