Blog

sha256: 2b87a252a3d912530dd8c20df6bee7f6cbc4ede0074fdf217e318aab39d9736c

Bootstrap OpenBSD with Jail Partition

Bootstrapping VM

This is similar to the previous Post, but with a small difference.

Here, we add another Partition /jail with 2GB Size. On this Partition, we remove the nodev & nosuid Flags, so we can use this Partition as Root for some Jailed Users. And last but not least, we fire up a new VM, configure a Jailed User and make it publicly available …

VM with 20G Disk

*** Bootstrap OpenBSD 6.8 ***

Faces of OpenSource

I just like this Page … Faces of OpenSource.

Thanks for all the fish, guys !



sha256: 511dfaf2c20685d4fb80884557bf2efaf1ac7f234d02d25be20687d92cb6ad11

Tshark

Tshark Basic Commands

tbd

Capture DNS on wg0 Interface, v4 & v6

tshark -nn -i wg0 -e ip.src -e ipv6.src -e dns.qry.name -E separator=";" -T fields port 53

Ringbuffer

Capture Files, Rotate every 10MB, keep last 25 files

doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25

Ringbuffer with Autostop -> Time

Capture Files, Rotate every 10MB, keep last 25 files, Stop after 1h

doas tshark -n -i em0 -w sniff -b filesize:10000 -b files:25 -a duration:3600

Ringbuffer with Autostop -> Packets

Capture Files, Rotate every 10MB, keep last 25 files, Stop after 100000 Packets

Deploy VMs with Terraform in 10min

Managing VMs on Hetzner Cloud with Terraform

You may want to manage some VMs in the cloud. A web GUI is nice, but a real nerd needs a CLI ;)

Some notes on how to get Terraform running on OpenBSD.

add Packages (3min)

$ time doas pkg_add git gmake go terraform

3m18.62s real     0m19.53s user     0m07.73s system

set GO PATH

echo "GOPATH=$HOME/go" >> ~/.profile
echo "export GOPATH" >> ~/.profile
. ~/.profile
echo "$GOPATH"

build terraform provider for hcloud (2min)

As the hcloud provider is not available for OpenBSD, we have to build it on our own.

Bootstrap OpenBSD

Bootstrapping VM

It’s always good to have Templates, isn’t it? Sometimes with a lot of stuff preconfigured and installed, sometimes a fresh install without anything (except syspatches). Here is a little Helper on how to build an OpenBSD Template with 20GB, resp. 40GB Disk Size.

This stuff was tested on www.hetzner.de, so you should be able to reproduce it in a few minutes.

Costs: CX11,  1 CPU, 2 GB RAM, 20 GB Disk, 20TB Traffic -> 2.68 Euro/Month
Costs: CPX11, 2 CPU, 2 GB RAM, 40 GB Disk, 20TB Traffic -> 3.76 Euro/Month

If you create an Account, you can use my sponsor link and we both get “a few bucks” to play with …

RPKI for Home Usage

Resource Public Key Infrastructure

You may know what RPKI is …

It’s a PKI Framework for improving the Security of the Internet Routing Infrastructure based on BGP.

As a Home User or Small/Medium Size Company, you normally don’t have a Full BGP Table and multiple Upstream Providers. You have one Internet Router or Firewall and you get a Default Route from your ISP.

With OpenBGPD and the current rpki extensions, you “just” need a Full BGP Feed and then you can filter out all Routes that are invalid according to their ROAs and keep your Routing (and Internet Access) more Secure.

Ruckus, Radius, Dynamic Vlan Assignment

How to Dynamically Assign VLANs with Ruckus Unleashed and FreeRadius

Setup FreeRadius

pkg_add freeradius--%freeradius3

clients.conf

add your wlan ap

client ruckus {
	ipaddr		= 1.2.3.4/32
	secret		= das-sag-ich-dir-nicht
}

users.conf

add some users


# Admin to Admin Vlan (100)
admin Cleartext-Password := "das-sag-ich-dir-nicht"
  Tunnel-Type = 13,
  Tunnel-Medium-Type = 6,
  Tunnel-Private-Group-Id = "100"

# Guests to Guest Vlan (200)
guest Cleartext-Password := "das-sag-ich-nur-dem-gast"
  Tunnel-Type = 13,
  Tunnel-Medium-Type = 6,
  Tunnel-Private-Group-Id = "200"
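
The entries above return the three attributes used for dynamic VLAN assignment (RFC 3580): Tunnel-Type 13 (VLAN), Tunnel-Medium-Type 6 (IEEE-802) and Tunnel-Private-Group-Id with the VLAN ID. As an added example that is not part of the original post, this lint checks that every entry in a users file carries all three with a VLAN ID in the range 1 to 4094; the function names and the sample entries are made up for illustration.

```sh
# vlan_lint [FILE]: read a FreeRADIUS users file (or stdin) and print one line
# per entry: "<user> <vlan> ok" or "<user> - bad: <attributes>". Exit 1 if any bad.
vlan_lint() {
    awk '
    function report(   why) {
        if (user == "") return
        if (type != "13" && type != "VLAN")        why = why " Tunnel-Type"
        if (medium != "6" && medium != "IEEE-802") why = why " Tunnel-Medium-Type"
        if (vlan !~ /^[0-9]+$/ || vlan + 0 < 1 || vlan + 0 > 4094)
            why = why " Tunnel-Private-Group-Id"
        if (why == "") print user, vlan, "ok"
        else { print user, "-", "bad:" why; bad = 1 }
        user = type = medium = vlan = ""
    }
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    /^[^ \t]/      { report(); user = $1; next } # unindented line starts an entry
    {                                            # indented reply item
        line = $0
        gsub(/[ \t",]/, "", line)                # Tunnel-Type = 13,  ->  Tunnel-Type=13
        n = index(line, "=")
        key = substr(line, 1, n - 1); val = substr(line, n + 1)
        sub(/[:+]$/, "", key)                    # accept := and += as well as =
        if (key == "Tunnel-Type")             type = val
        if (key == "Tunnel-Medium-Type")      medium = val
        if (key == "Tunnel-Private-Group-Id") vlan = val
    }
    END { report(); exit bad + 0 }
    ' "$@"
}

# Constructed sample input (not from the page): one complete entry, two broken ones.
sample_users() {
    cat <<'EOF'
staff Cleartext-Password := "example-only"
  Tunnel-Type = 13,
  Tunnel-Medium-Type = 6,
  Tunnel-Private-Group-Id = "100"

printer Cleartext-Password := "example-only"
  Tunnel-Type = 13,
  Tunnel-Private-Group-Id = "300"

lab Cleartext-Password := "example-only"
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = "4095"
EOF
}
sample_users | vlan_lint || echo "at least one entry is incomplete"
```

Entries that use tagged attribute names (for example `Tunnel-Type:1`) are not recognised by this sketch and would be reported as bad.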

/etc/raddb/sites-available/inner-tunnel

enable Vlan rewrite on line 336 (set to 1)

Update Checkmk

How to update checkmk

Let’s assume you already have a running version of checkmk. You should install patches / updates every few months.

Main and Download URL’s

Main URL: https://checkmk.com/de/download?edition=cre&version=stable&dist=debian&os=bullseye

https://download.checkmk.com/checkmk/1.6.0p20/check-mk-raw-1.6.0p20_0.bullseye_amd64.deb

https://download.checkmk.com/checkmk/2.0.0p12/check-mk-raw-2.0.0p12_0.bullseye_amd64.deb

Download and Install Package

Login as Root

v="2.0.0p25"
cd /tmp
wget -O checkmk.deb "https://download.checkmk.com/checkmk/${v}/check-mk-raw-${v}_0.bullseye_amd64.deb"
gdebi checkmk.deb

Update Checkmk

Switch User …

su - mysite

.. Switch User and start Update

omd status
omd version
omd stop
omd update
omd start

Cleanup

exit
omd cleanup

Check Application

Open Browser, check News and Plugins

Vuln IOS XE 03.06.04

Security posture via Cisco PSIRT OpenVuln API

Platform: iosxe

Version: 03.06.04.E

Advisory-ID | Impact | CVSS | CVE | Fixed with | First Published
cisco-sa-info-disclosure-V4BmJBNF | Cisco IOS and IOS XE Software Information Disclosure Vulnerability | 5.5 | CVE-2020-3477 |  | 2020-09-24T16:00:00
cisco-sa-ikev2-9p23Jj2a | Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Denial of Service Vulnerability | 7.5 | CVE-2020-3230 |  | 2020-06-03T16:00:00
cisco-sa-ssh-dos-Un22sd2A | Cisco IOS and IOS XE Software Secure Shell Denial of Service Vulnerability | 7.7 | CVE-2020-3200 |  | 2020-06-03T16:00:00
cisco-sa-snmp-dos-USxSyTk5 | Cisco IOS and IOS XE Software Simple Network Management Protocol Denial of Service Vulnerability | 7.7 | CVE-2020-3235 |  | 2020-06-03T16:00:00
cisco-sa-tcl-ace-C9KuVKmm | Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability | 6.7 | CVE-2020-3204 |  | 2020-06-03T16:00:00
cisco-sa-iosxe-digsig-bypass-FYQ3bmVq | Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability | 6.8 | CVE-2020-3209 |  | 2020-06-03T16:00:00
cisco-sa-sxp-68TEVzR | Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability | 6.8 | CVE-2020-3228 |  | 2020-06-03T16:00:00
cisco-sa-20200108-ios-csrf | Cisco IOS and Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability | 8.8 | CVE-2019-16009 |  | 2020-01-08T16:00:00
cisco-sa-20190925-tsec | Cisco IOS and IOS XE Software Change of Authorization Denial of Service Vulnerability | 6.8 | CVE-2019-12669 |  | 2019-09-25T16:00:00
cisco-sa-20190925-http-client | Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability | 4.8 | CVE-2019-12665 |  | 2019-09-25T16:00:00
cisco-sa-20190925-sbxss | Cisco IOS and IOS XE Software Stored Banner Cross-Site Scripting Vulnerability | 4.8 | CVE-2019-12668 |  | 2019-09-25T16:00:00
cisco-sa-20160525-ipv6 | Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability | 5.8 | CVE-2016-1409 |  | 2016-05-25T16:00:00
cisco-sa-20170629-snmp | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8 | CVE-2017-6736 |  | 2017-06-29T16:00:00
cisco-sa-20170317-cmp | Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability | 9.8 | CVE-2017-3881 |  | 2017-03-17T16:00:00
cisco-sa-20190327-ios-infoleak | Cisco IOS and IOS XE Software Hot Standby Router Protocol Information Leak Vulnerability | 4.3 | CVE-2019-1761 |  | 2019-03-27T16:00:00
cisco-sa-20190327-cmp-dos | Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service Vulnerability | 7.4 | CVE-2019-1746 |  | 2019-03-27T16:00:00
cisco-sa-20190327-ipsla-dos | Cisco IOS and IOS XE Software IP Service Level Agreement Denial of Service Vulnerability | 8.6 | CVE-2019-1737 |  | 2019-03-27T16:00:00
cisco-sa-20190327-pnp-cert | Cisco IOS and IOS XE Software Network Plug-and-Play Agent Certificate Validation Vulnerability | 7.4 | CVE-2019-1748 |  | 2019-03-27T16:00:00
cisco-sa-20190327-call-home-cert | Cisco IOS and IOS XE Software Smart Call Home Certificate Validation Vulnerability | 5.9 | CVE-2019-1757 |  | 2019-03-27T16:00:00
cisco-sa-20190327-evss | Cisco IOS XE Software Catalyst 4500 Cisco Discovery Protocol Denial of Service Vulnerability | 7.4 | CVE-2019-1750 |  | 2019-03-27T16:00:00
cisco-sa-20190109-tcp | Cisco IOS and IOS XE Software TCP Denial of Service Vulnerability | 6.8 | CVE-2018-0282 |  | 2019-01-09T16:00:00
cisco-sa-20180926-cdp-dos | Cisco IOS and IOS XE Software Cisco Discovery Protocol Denial of Service Vulnerability | 7.4 | CVE-2018-15373 |  | 2018-09-26T16:00:00
cisco-sa-20180926-cmp | Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service Vulnerability | 7.4 | CVE-2018-0475 |  | 2018-09-26T16:00:00
cisco-sa-20180926-tacplus | Cisco IOS and IOS XE Software TACACS+ Client Denial of Service Vulnerability | 6.8 | CVE-2018-15369 |  | 2018-09-26T16:00:00
cisco-sa-20180926-vtp | Cisco IOS and IOS XE Software VLAN Trunking Protocol Denial of Service Vulnerability | 4.3 | CVE-2018-0197 |  | 2018-09-26T16:00:00
cisco-sa-20180926-errdisable | Cisco IOS XE Software Errdisable Denial of Service Vulnerability | 7.4 | CVE-2018-0480 |  | 2018-09-26T16:00:00
cisco-sa-20180328-bfd | Cisco IOS and IOS XE Software Bidirectional Forwarding Detection Denial of Service Vulnerability | 8.6 | CVE-2018-0155 |  | 2018-03-28T16:00:00
cisco-sa-20180328-smi | Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability | 8.6 | CVE-2018-0156 |  | 2018-03-28T16:00:00
cisco-sa-20180328-smi2 | Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability | 9.8 | CVE-2018-0171 |  | 2018-03-28T16:00:00
cisco-sa-20180328-lldp | Cisco IOS, IOS XE, and IOS XR Software Link Layer Discovery Protocol Buffer Overflow Vulnerabilities | 8.8 | CVE-2018-0167 |  | 2018-03-28T16:00:00
cisco-sa-20180328-dhcpr3 | Cisco IOS and IOS XE Software DHCP Version 4 Relay Denial of Service Vulnerability | 8.6 | CVE-2018-0174 |  | 2018-03-28T16:00:00
cisco-sa-20180328-dhcpr1 | Cisco IOS and IOS XE Software DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability | 8.6 | CVE-2018-0172 |  | 2018-03-28T16:00:00
cisco-sa-20180328-dhcpr2 | Cisco IOS and IOS XE Software DHCP Version 4 Relay Reply Denial of Service Vulnerability | 8.6 | CVE-2018-0173 |  | 2018-03-28T16:00:00
cisco-sa-20180328-ike-dos | Cisco IOS and IOS XE Software Internet Key Exchange Version 1 Denial of Service Vulnerability | 8.6 | CVE-2018-0159 |  | 2018-03-28T16:00:00
cisco-sa-20180328-privesc1 | Cisco IOS XE Software User EXEC Mode Root Shell Access Vulnerabilities | 7.8 | CVE-2018-0169 |  | 2018-03-28T16:00:00
cisco-sa-20170419-energywise | Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities | 8.6 | CVE-2017-3860 |  | 2017-04-19T16:00:00
cisco-sa-20171103-bgp | Cisco IOS XE Software Ethernet Virtual Private Network Border Gateway Protocol Denial of Service Vulnerability | 6.8 | CVE-2017-12319 |  | 2017-11-03T16:00:00
cisco-sa-20170927-ike | Cisco IOS and IOS XE Software Internet Key Exchange Denial of Service Vulnerability | 8.6 | CVE-2017-12237 |  | 2017-09-27T16:00:00
cisco-sa-20170927-pnp | Cisco IOS and IOS XE Software Plug-and-Play PKI API Certificate Validation Vulnerability | 8.7 | CVE-2017-12228 |  | 2017-09-27T16:00:00
cisco-sa-20170727-ospf | Multiple Cisco Products OSPF LSA Manipulation Vulnerability | 4.2 | CVE-2017-6770 |  | 2017-07-27T16:00:00
cisco-sa-20170322-dhcpc | Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability | 8.6 | CVE-2017-3864 |  | 2017-03-22T16:00:00
cisco-sa-20170322-webui | Cisco IOS XE Software Web User Interface Denial of Service Vulnerability | 8.6 | CVE-2017-3856 |  | 2017-03-22T16:00:00
cisco-sa-20161115-iosxe | Cisco IOS XE Software Directory Traversal Vulnerability | 1.5 | CVE-2016-6450 |  | 2016-11-15T16:00:00
cisco-sa-20160916-ikev1 | IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products | 7.8 | CVE-2016-6415 |  | 2016-09-16T16:00:00
cisco-sa-20160928-aaados | Cisco IOS and IOS XE Software AAA Login Denial of Service Vulnerability | 7.1 | CVE-2016-6393 |  | 2016-09-28T16:00:00
cisco-sa-20160928-dns | Cisco IOS and IOS XE Software DNS Forwarder Denial of Service Vulnerability | 8.3 | CVE-2016-6380 |  | 2016-09-28T16:00:00
cisco-sa-20160928-ios-ikev1 | Cisco IOS and IOS XE Software Internet Key Exchange Version 1 Fragmentation Denial of Service Vulnerability | 7.1 | CVE-2016-6381 |  | 2016-09-28T16:00:00
cisco-sa-20160928-msdp | Cisco IOS and IOS XE Software Multicast Routing Denial of Service Vulnerabilities | 7.8 | CVE-2016-6382 |  | 2016-09-28T16:00:00
cisco-sa-20160928-smi | Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability | 7.8 | CVE-2016-6385 |  | 2016-09-28T16:00:00
cisco-sa-20160928-frag | Cisco IOS XE Software IP Fragment Reassembly Denial of Service Vulnerability | 7.8 | CVE-2016-6386 |  | 2016-09-28T16:00:00


sha256: 6ab81f9b045a4de2e9b66ef802fe94d2210aa108290fb0c849696f5a7e99eac4

Vuln IOS XE 03.08.06

Security posture via Cisco PSIRT OpenVuln API

Platform: iosxe

Version: 03.08.06.E

Advisory-ID | Impact | CVSS | CVE | Fixed with | First Published
cisco-sa-info-disclosure-V4BmJBNF | Cisco IOS and IOS XE Software Information Disclosure Vulnerability | 5.5 | CVE-2020-3477 |  | 2020-09-24T16:00:00
cisco-sa-ikev2-9p23Jj2a | Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Denial of Service Vulnerability | 7.5 | CVE-2020-3230 |  | 2020-06-03T16:00:00
cisco-sa-ssh-dos-Un22sd2A | Cisco IOS and IOS XE Software Secure Shell Denial of Service Vulnerability | 7.7 | CVE-2020-3200 |  | 2020-06-03T16:00:00
cisco-sa-snmp-dos-USxSyTk5 | Cisco IOS and IOS XE Software Simple Network Management Protocol Denial of Service Vulnerability | 7.7 | CVE-2020-3235 |  | 2020-06-03T16:00:00
cisco-sa-tcl-ace-C9KuVKmm | Cisco IOS and IOS XE Software Tcl Arbitrary Code Execution Vulnerability | 6.7 | CVE-2020-3204 |  | 2020-06-03T16:00:00
cisco-sa-iosxe-digsig-bypass-FYQ3bmVq | Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability | 6.8 | CVE-2020-3209 |  | 2020-06-03T16:00:00
cisco-sa-priv-esc1-OKMKFRhV | Cisco IOS XE Software Privilege Escalation Vulnerability | 6.7 | CVE-2020-3215 |  | 2020-06-03T16:00:00
cisco-sa-sxp-68TEVzR | Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability | 6.8 | CVE-2020-3228 |  | 2020-06-03T16:00:00
cisco-sa-ios-nxos-onepk-rce-6Hhyt4dC | Cisco IOS, IOS XE, IOS XR, and NX-OS Software One Platform Kit Remote Code Execution Vulnerability | 8.8 | CVE-2020-3217 |  | 2020-06-03T16:00:00
cisco-sa-20200108-ios-csrf | Cisco IOS and Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability | 8.8 | CVE-2019-16009 |  | 2020-01-08T16:00:00
cisco-sa-20190925-tsec | Cisco IOS and IOS XE Software Change of Authorization Denial of Service Vulnerability | 6.8 | CVE-2019-12669 |  | 2019-09-25T16:00:00
cisco-sa-20190925-http-client | Cisco IOS and IOS XE Software HTTP Client Information Disclosure Vulnerability | 4.8 | CVE-2019-12665 |  | 2019-09-25T16:00:00
cisco-sa-20190925-sbxss | Cisco IOS and IOS XE Software Stored Banner Cross-Site Scripting Vulnerability | 4.8 | CVE-2019-12668 |  | 2019-09-25T16:00:00
cisco-sa-20190925-vman | Cisco NX-OS and IOS XE Software Virtual Service Image Signature Bypass Vulnerability | 6.7 | CVE-2019-12662 |  | 2019-09-25T16:00:00
cisco-sa-20190327-ios-infoleak | Cisco IOS and IOS XE Software Hot Standby Router Protocol Information Leak Vulnerability | 4.3 | CVE-2019-1761 |  | 2019-03-27T16:00:00
cisco-sa-20190327-cmp-dos | Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service Vulnerability | 7.4 | CVE-2019-1746 |  | 2019-03-27T16:00:00
cisco-sa-20190327-pnp-cert | Cisco IOS and IOS XE Software Network Plug-and-Play Agent Certificate Validation Vulnerability | 7.4 | CVE-2019-1748 |  | 2019-03-27T16:00:00
cisco-sa-20190327-call-home-cert | Cisco IOS and IOS XE Software Smart Call Home Certificate Validation Vulnerability | 5.9 | CVE-2019-1757 |  | 2019-03-27T16:00:00
cisco-sa-20190327-evss | Cisco IOS XE Software Catalyst 4500 Cisco Discovery Protocol Denial of Service Vulnerability | 7.4 | CVE-2019-1750 |  | 2019-03-27T16:00:00
cisco-sa-20190109-tcp | Cisco IOS and IOS XE Software TCP Denial of Service Vulnerability | 6.8 | CVE-2018-0282 |  | 2019-01-09T16:00:00
cisco-sa-20180926-cdp-dos | Cisco IOS and IOS XE Software Cisco Discovery Protocol Denial of Service Vulnerability | 7.4 | CVE-2018-15373 |  | 2018-09-26T16:00:00
cisco-sa-20180926-pnp-memleak | Cisco IOS and IOS XE Software Plug and Play Agent Memory Leak Vulnerability | 6.8 | CVE-2018-15377 |  | 2018-09-26T16:00:00


sha256: 197718c2b28d9ab55520a09e39a603e394e0401dea6a94a3752eeb18bec4f18a