Sophos UTM v9 comes with the tcpdump utility, which lets you run packet captures from the shell. This is great and all, but in order to look at those pcaps with Wireshark, you need to pipe to a file, copy the file, then run Wireshark against it. Annoying. All of it.
Open Putty SSH on the Windows client. Type the host name or IP address of the UTM in the Session tab. Select the SSH tab on the left side and click on Tunnels. Mark the "Local ports accept connections from other hosts" option under the Port forwarding heading.
As per this thread, V18 has a 15 min. idle timeout for SSH sessions, set for non-specific security reasons. As likely most, if not all, IT professionals, I always have my workstation locked unless I am right in front of it. Therefore there is no such security feature needed; instead it is very disrupting, as it may disconnect a session halfway through a configuration or troubleshooting.
The Sophos Outbound Gateway is built using an AWS Linux AMI, and as such needs to be periodically updated using the Yum package management utility. This can be done by following the steps in the official AWS KB on updating Linux instances, or by using the following steps, which explain how to access OGW with the UTM Controller.
What if we could remotely capture packets over an SSH tunnel? YES… turns out it’s a bit tricky if you’re on Windows, and so is the authentication piece: getting root access without having to log in as loginuser first. How? Keep reading…
First, the necessary ingredients:
- Sophos UTM
- Wireshark (or your favorite pcap application)
- Putty suite (specifically Plink and PuttyGen)
To start, we’ll need to enable Shell Access, with public key authentication, and with Root access but only with SSH key.
We need to use PuttyGen to generate the key pair we’ll use for root authentication, so open it, Generate the key, then copy the Public Key into the Authorized Keys for root in the UTM, apply and save… and also Save private key to somewhere you’ll remember. We’ll need this for Plink.
There’s our new key…
Then run the actual magic using Plink. Take the following command as an example:
plink -ssh root@firewall.domain.com -i C:\ssh-priv.ppk "tcpdump -s 0 -U -n -w - not port 22 and not host 192.168.0.1" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
Replace the SSH connection string with your actual firewall FQDN, the ssh-priv.ppk filename with the location of the Private Key you saved from PuttyGen, and the 192.168.0.1 in not host 192.168.0.1 with the IP address of the firewall interface you’re reaching it through.
Wireshark will open and start showing packets. You can smile and jump now.
You can modify the tcpdump parameters to better match the capture, for example, using -i eth1 to capture a specific interface, or filter specific traffic… once you’re done, just close Wireshark and CTRL+C the command.
Note, if you’re doing this capture remotely over WAN or Internet, it will tunnel ALL packets over SSH, so it will take up a lot of bandwidth…
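The same pipeline as a small Python launcher, added here as an example and not part of the original post: it builds the tcpdump command with the post's self-traffic exclusions, quotes it for the root shell that will parse it on the firewall, and pipes plink into Wireshark. The function names are hypothetical, the host, key path and IP are the post's sample values, and it assumes plink is on the PATH and that root's shell on the UTM is POSIX-style.

```python
import ipaddress
import re
import shlex
import subprocess

WIRESHARK = r"C:\Program Files\Wireshark\Wireshark.exe"  # path used in the post


def remote_tcpdump(mgmt_ip, interface=None, extra_filter=None, ssh_port=22):
    """Return the tcpdump command line that root's shell on the UTM will run."""
    ipaddress.ip_address(mgmt_ip)  # ValueError unless this is a plain IP address
    # Same exclusions as the post: without them the capture records its own
    # SSH transport and the stream feeds back on itself.
    bpf = f"not port {int(ssh_port)} and not host {mgmt_ip}"
    if extra_filter:
        bpf += f" and ({extra_filter})"
    cmd = ["tcpdump", "-s", "0", "-U", "-n"]
    if interface:
        if not re.fullmatch(r"[A-Za-z0-9_.]+", interface):
            raise ValueError(f"unexpected interface name: {interface!r}")
        cmd += ["-i", interface]
    cmd += ["-w", "-", bpf]
    # The string is parsed by a shell running as root, so quote every argument
    # (assumes a POSIX shell on the firewall).
    return " ".join(shlex.quote(arg) for arg in cmd)


def plink_args(host, keyfile, mgmt_ip, **tcpdump_opts):
    """Argument list for plink; -batch stops it prompting in the middle of a pipe."""
    return ["plink", "-ssh", "-batch", "-i", keyfile, f"root@{host}",
            remote_tcpdump(mgmt_ip, **tcpdump_opts)]


def capture(host, keyfile, mgmt_ip, **tcpdump_opts):
    """Pipe plink's stdout (raw pcap bytes) into Wireshark's stdin."""
    plink = subprocess.Popen(plink_args(host, keyfile, mgmt_ip, **tcpdump_opts),
                             stdout=subprocess.PIPE)
    try:
        subprocess.run([WIRESHARK, "-k", "-i", "-"], stdin=plink.stdout)
    finally:
        plink.terminate()  # stop plink once Wireshark exits


if __name__ == "__main__":
    # Constructed sample values taken from the post's example command.
    capture("firewall.domain.com", r"C:\ssh-priv.ppk", "192.168.0.1",
            interface="eth1", extra_filter="tcp port 443")
```

With -batch, plink aborts instead of asking about an unknown host key, so connect to the firewall once interactively, check the fingerprint, and let PuTTY cache it before running the launcher.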
Have fun!!!