
Christmas Cyber Range Crisis

Well, the jolly ol' man has arrived and now we're on the verge of a brand-new year. If there is one thing I am thankful for this year, it is the ability to have patience, especially in this latest segment of my home lab! Why, you may ask? Well, let's start from December 27th to now so I can lay down what happened....

It was a cold December afternoon and I was getting ready to put together my brand new server rack, given to me by my lovely wife Tamara Pryor. As I was doing so, I shut down the Proxmox VM that was running my cyber range with no problems, as well as the server itself. All was hunky-dory as I began building and installing my server rack, ensuring that everything was in place and done properly. It wasn't until I plugged the sucker back in that I realized something was off....


It was at this exact moment that my heart sank into my stomach, as I realized that weeks' worth of effort was now gone. I looked in my backups, checked my checkpoints, even tried to see if perhaps the .VHDX had been moved by some Christmas miracle. No dice. At this point I felt my blood pressure start to go up, and my watch told me to do some breathing exercises. That did not happen. I had no other choice but to rebuild my ENTIRE cyber range from scratch. So now you get to see what has been done since the last post!

Using Pomerium for an Access Proxy

The first thing I did after getting my Proxmox VM with the essentials from my last post back online was getting Pomerium up and running as well. For those of you who do not know what Pomerium is: Pomerium is an identity-aware access proxy that authenticates users and grants them access to on-premise services that would traditionally require a VPN. Because I don't want to give users VPN access, I wanted an open-source way for a user to authenticate with Entra and then reach a portal with the things they need. Enter: Pomerium!

Pomerium ships as a Docker image that can be run on any machine that supports Docker. In this case I installed it onto an Ubuntu Server VM with the following commands:

Install Docker

This installs the dependencies required to run the Docker image (Docker itself, Docker Compose, and git):

sudo apt update
sudo apt install -y docker.io docker-compose git
sudo systemctl enable docker --now

Create the Pomerium directory

Now, create the Pomerium directory that the Compose file, config and certificates will live in:

mkdir -p ~/pomerium
cd ~/pomerium

Create your docker-compose.yaml file

Docker Compose reads this file to pull the Pomerium image and run it locally:

version: "3.8"

services:
  pomerium:
    image: pomerium/pomerium:latest
    container_name: pomerium
    volumes:
      # config.yaml lives in the config subdirectory created below
      - ./config/config.yaml:/pomerium/config.yaml:ro
      - ./certs:/pomerium/certs:ro
    ports:
      - "443:443"
    restart: unless-stopped

Create an Entra App Registration (for Pomerium Authenticate)

In the Azure Portal:

  1. Go to Microsoft Entra ID
  2. Select App registrations
  3. Click New registration
  4. Name it: Pomerium Authenticate
  5. Supported account types: Accounts in this organizational directory only
  6. Redirect URI (Web): https://authenticate.domain.com/oauth2/callback
  7. Under API permissions, add the delegated permissions openid, email, profile, and offline_access, then grant admin consent.

Create a new subdirectory called config

In this subdirectory, we'll add the configuration file Pomerium needs to know where to authenticate and where to redirect:

mkdir config

Create your config.yaml file

The config.yaml file contains the information from your app registration:

address: ":443"
insecure_server: false

# Pomerium terminates TLS itself; these point at the files mounted from ./certs
# in docker-compose.yaml (the file names are placeholders, use your own).
certificate_file: "/pomerium/certs/fullchain.pem"
certificate_key_file: "/pomerium/certs/privkey.pem"

authenticate_service_url: "https://authenticate.domain.com"
authorize_service_url: "https://authorize.domain.com"

idp_provider: "azure"
# The tenant is selected through the provider URL
idp_provider_url: "https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0"
idp_client_id: "YOUR_ENTRA_CLIENT_ID"
idp_client_secret: "YOUR_ENTRA_CLIENT_SECRET"

routes:
  - from: <insert URL here>
    to: <insert URL here>
    # Only skip upstream certificate checks for a self-signed lab backend
    tls_skip_verify: true
    allow_public_unauthenticated_access: false
    # Without a policy Pomerium denies every request; this admits any user who
    # signed in through Entra. Narrow it with a policy block when needed.
    allow_any_authenticated_user: true

Build and Test

Finally, we can begin the build! If all goes well, you should be able to navigate to the destination you placed in the routes section of the config.yaml file. If not, however, run the build again with debugging enabled and watch the log to see if there are any snags:

cd ~/pomerium
sudo docker-compose up -d
# Follow the container log while testing (set log_level: debug in config.yaml for more detail)
sudo docker-compose logs -f pomerium

The end result lets the user sign in using your custom domain, which brings them to the Microsoft Online login portal (authenticating them against your app registration).
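Before running the build, it is worth checking the config.yaml above for the mistakes that most often break the Entra sign-in: placeholders left in, plaintext serving, a redirect URI that does not match the authenticate URL, and a route accidentally left public. The script below is an added example (not from the post or the Pomerium project) that performs those checks against two constructed sample configs; it assumes the flat, single-route layout shown above.

```shell
# Added pre-flight check for the config.yaml above (example code, not from the post or
# the Pomerium project); assumes the flat, single-route layout shown there.
# Report problems in config file $1; succeeds only when no blocking problem was found.
check_pomerium_config() {
  local cfg="$1" problems=0 auth_url
  # Template placeholders that were never replaced.
  if grep -Eq 'YOUR_[A-Z_]+|<insert URL here>' "$cfg"; then
    echo "placeholders still present"; problems=$((problems + 1))
  fi
  # Pomerium is the public entry point on :443, so serving plaintext is a blocker.
  if grep -Eq '^insecure_server:[[:space:]]*true' "$cfg"; then
    echo "insecure_server is true"; problems=$((problems + 1))
  fi
  # The Entra redirect URI must be the authenticate URL plus /oauth2/callback.
  auth_url=$(sed -n 's/^authenticate_service_url:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$cfg")
  case "$auth_url" in
    https://*) echo "Entra redirect URI: ${auth_url%/}/oauth2/callback" ;;
    *) echo "authenticate_service_url missing or not https"; problems=$((problems + 1)) ;;
  esac
  # A route open to unauthenticated users defeats the point of the proxy.
  if grep -Eq '^[[:space:]]+allow_public_unauthenticated_access:[[:space:]]*true' "$cfg"; then
    echo "a route allows unauthenticated access"; problems=$((problems + 1))
  fi
  # Skipping upstream TLS checks is tolerable for a self-signed lab backend: warn only.
  if grep -Eq '^[[:space:]]+tls_skip_verify:[[:space:]]*true' "$cfg"; then
    echo "warning: tls_skip_verify is true, the upstream certificate is not checked"
  fi
  [ "$problems" -eq 0 ]
}
# Constructed sample configs (not real deployments) so the check runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/unfinished.yaml" <<'EOF'
insecure_server: false
authenticate_service_url: "https://authenticate.domain.com"
idp_client_id: "YOUR_ENTRA_CLIENT_ID"
routes:
  - from: <insert URL here>
    tls_skip_verify: true
EOF
cat > "$SAMPLE_DIR/finished.yaml" <<'EOF'
insecure_server: false
authenticate_service_url: "https://authenticate.domain.com"
idp_client_id: "11111111-2222-3333-4444-555555555555"
routes:
  - from: https://portal.domain.com
    allow_public_unauthenticated_access: false
EOF
check_pomerium_config "$SAMPLE_DIR/unfinished.yaml" || echo "unfinished.yaml: not ready"
check_pomerium_config "$SAMPLE_DIR/finished.yaml" && echo "finished.yaml: ready"
```

Run it as `bash check.sh` from ~/pomerium; the printed redirect URI is the value that must match the Entra app registration exactly.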


Custom HTML Landing Page in Pomerium

I ran a daemon in the background on my Pomerium server to host an HTTP server that is reached through Pomerium. The reason for this was that I didn't want users navigating to the Proxmox web GUI directly; rather, I wanted an interface of my own that gives them only the preset options I specify.


The other reason for this is security. I want to prevent as much lateral movement as possible, so this creates a layer of protection by giving users only one way to access the interfaces they require. If they try to reach those interfaces outside of the portal, they will not be able to, so they must use the portal each time. This is especially effective because I can also monitor who is using what and adjust the tools based on what users are utilizing the most.

The Big Lesson

At the end of it all, I learned something very valuable: shutting down gracefully isn't always graceful. If you're going to take ANYTHING offline, make sure that you back up what you can. Otherwise, you can end up like me, scrambling to fix what I broke. Nonetheless, the next portion is getting the SIEMs up and running, isolating the range from the rest of the network now that I have a switch that can do VLAN tagging, and then creating our first NPCs with GHOSTS.

Until next time folks, here's a full picture of my homelab (now in its rack)!
