Blog

sha256: 2b87a252a3d912530dd8c20df6bee7f6cbc4ede0074fdf217e318aab39d9736c

Nginx with Client Certificate

NGINX with Client Certificates

root@debian:/etc/nginx/sites-available#
server {
  listen 80;
  listen [::]:80;

  server_name host198.planet;
  access_log /var/log/nginx/host198.planet;

  # Do not serve the document root over plain HTTP: anything reachable here
  # bypasses the client-certificate check of the 443 server below.
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name host198.planet;
  root /var/www/host198.planet;

  ssl_certificate /etc/ssl/private/fullchain.crt;
  ssl_certificate_key /etc/ssl/private/host198.planet.key;

  # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLS 1.2 is the floor,
  # TLSv1.3 needs nginx built against OpenSSL 1.1.1 or newer.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL:!MD5;

  # ca.crt is the CA that issued the client certificates (not the server's CA).
  # "optional" lets the handshake complete without a client certificate so the
  # location below can answer 403; "on" would abort the handshake with a 400.
  ssl_client_certificate /etc/ssl/private/ca.crt;
  ssl_verify_client optional;

  access_log /var/log/nginx/host198.planet;
  index index.html;

  location / {
    # $ssl_client_verify is NONE when no certificate was presented and
    # FAILED:<reason> when one was presented but does not chain to ca.crt;
    # only SUCCESS gets through. Every location in this server needs this
    # check (or move the if into the server block), otherwise that path is open.
    if ($ssl_client_verify != SUCCESS) {
      return 403;
    }
    try_files $uri $uri/ =404;
  }
}
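To try the configuration above end to end, here is an added example (not part of the original post): it builds a private CA and a client certificate with openssl(1), checks that the client certificate chains to the CA the same way nginx does before it sets $ssl_client_verify to SUCCESS, and probes the server with curl(1) with and without the certificate. Directory names, the "alice" client and the server CA path are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: CA + client certificate for
# the 443 server above, chain check, and a 403/200 probe with curl.
# Assumptions: openssl(1) and curl(1) are installed; host198.planet resolves
# to the server; names and paths below are placeholders.
set -eu

# make_ca DIR : self-signed CA under DIR (ca.key, ca.crt). ca.crt is what goes
# into ssl_client_certificate; ca.key stays offline.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1/ca.key" -out "$1/ca.crt" \
    -subj "/CN=host198.planet client CA" >/dev/null 2>&1
}

# make_client_cert DIR NAME : key + CSR for NAME, signed by the CA in DIR.
make_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$1/$2.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/$2.crt" >/dev/null 2>&1
}

# verify_client_cert CA_CRT CLIENT_CRT : 0 iff CLIENT_CRT chains to CA_CRT,
# which is what has to hold for $ssl_client_verify to become SUCCESS.
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# http_status URL SERVER_CA [CLIENT_CRT CLIENT_KEY] : print only the HTTP
# status. SERVER_CA is the CA that issued fullchain.crt, so the server is
# still authenticated (no -k).
http_status() {
  url=$1; server_ca=$2; shift 2
  if [ $# -eq 2 ]; then
    curl -s -o /dev/null -w '%{http_code}' --cacert "$server_ca" \
      --cert "$1" --key "$2" "$url"
  else
    curl -s -o /dev/null -w '%{http_code}' --cacert "$server_ca" "$url"
  fi
}

# Usage: sh mtls-check.sh run /path/to/server-ca.crt
if [ "${1-}" = "run" ]; then
  dir=$(mktemp -d)
  make_ca "$dir"
  make_client_cert "$dir" alice
  verify_client_cert "$dir/ca.crt" "$dir/alice.crt"
  echo "no client cert -> $(http_status https://host198.planet/ "$2")"
  echo "alice cert     -> $(http_status https://host198.planet/ "$2" \
                              "$dir/alice.crt" "$dir/alice.key")"
fi
```

With the server block above, the first probe is answered 403 by the if-check and the second 200 (or 404 if index.html is missing), while a certificate from any other CA fails the chain check and is treated like no certificate at all. Check the plain-HTTP port the same way: it must redirect, not serve.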

Any Comments ?

sha256: dbf64919ee3864f77b78f71f2b4b70d6794d96dd3dbbe1ae9ce3442cda571c26

Proxmox

Running a Proxmox cluster with Ceph.

A few commands to check the status of Ceph:

ceph status
ceph osd status
pveceph lspools
ceph pg dump

Manual Backup

vzdump 777 --dumpdir /mnt/backup --mode snapshot

Manual Restore

qmrestore /mnt/backup/vzdump-qemu-777.vma 777

Proxmox Performance Overview

Intel Nuc I5, 32GB RAM, 500GB SSD

root@nuc:~# pveperf
CPU BOGOMIPS:      36799.44
REGEX/SECOND:      3927398
HD SIZE:           93.99 GB (/dev/mapper/pve-root)
BUFFERED READS:    522.34 MB/sec
AVERAGE SEEK TIME: 0.11 ms
FSYNCS/SECOND:     1588.49
DNS EXT:           49.40 ms
DNS INT:           0.65 ms (planet)

Remove Cluster Config

Source: Proxmox Forum

Rancid

Prerequisites

  • login to the switch via ssh with a key
  • needs an "enable" command without password to get into enable mode

install Rancid

pkg_add rancid

Update Config

vim /etc/rancid/rancid.conf

RCSSYS=git; export RCSSYS
LIST_OF_GROUPS="switches"; export LIST_OF_GROUPS

Switch User

su - _rancid 

.cloginrc

cat << 'EOF' >> .cloginrc
add user        * backupuser
add password    * password enablepassword
add method      * ssh
EOF
chmod 600 .cloginrc

Build Env & Directories

rancid-cvs

Router.db

switch1;cisco;up
switch2;cisco;up
switch3;cisco;up
switch4;cisco;up
switch5;cisco;up

Update clogin File

needed ???

Dhcpcd

IPv6 client on OpenBSD

Stateless Autoconfig

ifconfig vether0 inet6 autoconf

"inet6 autoconf" hands the interface to slaacd(8), which is in the base system (slaacd is the daemon, not an ifconfig keyword).

If the router sets "Managed Address Configuration" in its RA, the client has to send a DHCPv6 request to the DHCPv6 server. OpenBSD's base system does not include a DHCPv6 client, so install one:

pkg_add dhcpcd

umweg ~# cat /etc/dhcpcd.conf
ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier

# disable running any hooks; not needed for a plain DHCPv6 address (ia_na) setup
script ""

# List interfaces explicitly so that dhcpcd doesn't touch others
allowinterfaces vether0

interface vether0
        # the following two lines tell dhcpcd to do router solicitation
        # itself. don't use them if using "inet6 autoconf" (slaacd)
        ipv6rs
        ia_na 1

and last but not least, enable and restart the service:

rcctl enable dhcpcd
rcctl restart dhcpcd

Ed25519

like ssh and secure keys ?

Generate Secure Key

ssh-keygen -o -a 100 -t ed25519 -C "MyFamousComment"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname) at $(date +%Y-%m-%d)"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname) at $(date '+%Y-%m-%d %H:%M')"

-a 100 is the number of KDF rounds used when the private key is encrypted with your passphrase; more rounds make offline guessing of the passphrase of a stolen key file slower. -o requests the OpenSSH private key format, which ed25519 keys always use anyway and which has been the default for every key type since OpenSSH 7.8. The date(1) format string must not be wrapped in escaped quotes inside $(...), or date receives the quote characters as part of its argument and fails.

What’s ed25519 ?

Wikipedia about Curve25519

The name comes from the prime the curve is defined over: p = 2^255 - 19.

Distribute Key

ssh-copy-id user@remotehost

Connect to Remote

Connect to the remote host without agent forwarding (use this unless you know what you're doing ...). -a disables forwarding of the authentication agent connection: with forwarding on, anyone with root on the remote host can use your agent socket to authenticate as you elsewhere for as long as the session lasts.

ssh -a remotehost

Connect with Agent Forwarding

or, if you really need agent forwarding for this one session:

ssh -A remotehost
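As an added example (not from the original post), the generate / check / distribute steps above as one script: it creates the key with the same -a 100 setting, verifies the private key file before it is used (mode 600, OpenSSH private key format, ed25519 public key), prints the fingerprint to compare on the far side, and installs the public key with ssh-copy-id. It assumes OpenSSH's ssh-keygen(1) and ssh-copy-id(1); the key path and host are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes OpenSSH tools;
# KEYFILE and HOST are placeholders supplied on the command line.
set -eu

# gen_key KEYFILE [PASSPHRASE] : new ed25519 key, 100 KDF rounds. Without the
# second argument ssh-keygen prompts for the passphrase (the normal case);
# passing it explicitly is only for unattended runs.
gen_key() {
  comment="$(whoami)@$(hostname) at $(date +%Y-%m-%d)"
  if [ $# -ge 2 ]; then
    ssh-keygen -q -a 100 -t ed25519 -N "$2" -C "$comment" -f "$1"
  else
    ssh-keygen -a 100 -t ed25519 -C "$comment" -f "$1"
  fi
}

# check_private_key KEYFILE : 0 iff the file is mode 600, in the OpenSSH
# private key format, and KEYFILE.pub is an ed25519 key. The mode check is
# done with ls(1) so it works on both OpenBSD and Linux.
check_private_key() {
  f=$1
  [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
  mode=$(ls -l "$f" | cut -c1-10)
  [ "$mode" = "-rw-------" ] \
    || { echo "$f: mode is $mode, want -rw-------" >&2; return 1; }
  head -n1 "$f" | grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----$' \
    || { echo "$f: not in OpenSSH private key format" >&2; return 1; }
  [ -f "$f.pub" ] && ssh-keygen -l -f "$f.pub" | grep -q '(ED25519)$' \
    || { echo "$f.pub: missing or not ed25519" >&2; return 1; }
}

# distribute KEYFILE HOST : show the fingerprint (compare it on HOST after
# login) and append the public key to HOST's authorized_keys.
distribute() {
  ssh-keygen -l -f "$1.pub"
  ssh-copy-id -i "$1.pub" "$2"
}

# Usage: sh newkey.sh ~/.ssh/id_ed25519 [user@remotehost]
if [ $# -ge 1 ]; then
  gen_key "$1"
  check_private_key "$1"
  if [ $# -ge 2 ]; then
    distribute "$1" "$2"
    echo "now log in with agent forwarding off: ssh -a -i $1 $2"
  fi
fi
```

The check is worth running on keys that were copied around by hand: a private key that is group- or world-readable is rejected by ssh anyway, and a file in the old PEM format has no KDF rounds at all, so a passphrase on it buys much less than -a 100 suggests.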

Update_hugo

how to update hugo

You can use packages (pkg_add hugo) and get the latest stable Hugo according to the OpenBSD release cycle (twice a year), or grab the latest binary from GitHub and put it on your machine. The GitHub route gets you newer versions but skips the checks the ports tree does, so at least verify the download against the checksum file published with the release before moving it into /usr/local/bin.

Releases: https://github.com/gohugoio/hugo/releases

cd /tmp
ftp https://github.com/gohugoio/hugo/releases/download/v0.62.0/hugo_0.62.0_OpenBSD-64bit.tar.gz
tar xfz hugo_0.62.0_OpenBSD-64bit.tar.gz
doas mv hugo /usr/local/bin/

or find latest automatically

doas su -
cd /tmp/
u=$(lynx -dump -listonly https://github.com/gohugoio/hugo/releases/latest |grep "OpenBSD-64bit" |sed 's/.*https/https/')
f=$(echo $u |sed 's/.*\///')
ftp $u
tar xfz $f
doas mv hugo /usr/local/bin/
rm $f
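Both scripts above copy whatever came down the wire straight into /usr/local/bin. As an added example (not the post's own script), here is the same install with a checksum check in front of it. It assumes the release also ships hugo_<version>_checksums.txt in sha256sum(1) format ("<hex>  <filename>" per line, which is what Hugo publishes next to its tarballs); the version and URLs are placeholders, and ftp(1) is used as on OpenBSD.

```shell
#!/bin/sh
# Added example, not part of the original post: verify a Hugo release tarball
# against the release's checksum file before installing it.
# Assumes hugo_<version>_checksums.txt exists in "<hex>  <filename>" format.
set -eu

# sha256_of FILE : hex SHA-256 of FILE, using sha256sum (Linux) or sha256 (OpenBSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    sha256 -q "$1"
  fi
}

# check_sha256 CHECKSUMS FILE : 0 iff CHECKSUMS has an entry for FILE's
# basename and the digest matches. A missing entry is a failure, never a pass
# (a "*name" entry, binary mode, is accepted as well).
check_sha256() {
  sums=$1; file=$2
  name=$(basename "$file")
  expected=$(awk -v n="$name" \
    '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
  [ -n "$expected" ] || { echo "no checksum for $name in $sums" >&2; return 1; }
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ] \
    || { echo "checksum mismatch for $name: got $actual want $expected" >&2; return 1; }
}

# fetch_and_install VERSION : download tarball and checksum file, verify,
# then install only the hugo binary. Replace ftp with curl -LO elsewhere.
fetch_and_install() {
  v=$1
  base="https://github.com/gohugoio/hugo/releases/download/v$v"
  tgz="hugo_${v}_OpenBSD-64bit.tar.gz"
  sums="hugo_${v}_checksums.txt"
  cd /tmp
  ftp "$base/$tgz"
  ftp "$base/$sums"
  check_sha256 "$sums" "$tgz"
  tar xzf "$tgz" hugo
  doas install -m 755 hugo /usr/local/bin/hugo
  rm -f "$tgz" "$sums" hugo
}

# Usage: sh update-hugo.sh install 0.62.0
if [ "${1-}" = "install" ]; then
  fetch_and_install "${2:-0.62.0}"
fi
```

The checksum file comes from the same server as the tarball, so this catches truncated or corrupted downloads and a tampered mirror or proxy, but not a compromised release itself; for that you would need a signature verified against a key obtained elsewhere. It is still a large step up from tar xfz on an unverified file.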

or extract automatically

Migrate Packages from Host A to Host B

How to migrate all Packages

Got several Packages installed on Host A and you would like to migrate them to Host B ? That’s easy :)

Extract on Host A

pkg_info -mz | tee list
ansible--
bash--
...
vnstat--
wget--

scp list HostB:/tmp/

Import on Host B

doas pkg_add -l /tmp/list

Oneline

Or you can simply do it in one line, even though there are two commands involved: copy and install.

Scamper

Install

doas pkg_add scamper

Scamper

umweg ~# scamper -c "trace -M" -i 8.8.8.8
traceroute from 130.60.xx.xx to 8.8.8.8
 1  130.60.xx.xx 0.418 ms [mtu: 1500]
 2  130.60.xx.xx 0.411 ms [mtu: 1500]
 3  10.1.1.209  1.658 ms [mtu: 1500]
 4  10.1.0.54  2.284 ms [mtu: 1500]
 5  10.20.128.37  0.848 ms [mtu: 1500]
 6  192.41.136.65  0.994 ms [mtu: 1500]
 7  192.41.136.1  0.774 ms [mtu: 1500]
 8  72.14.195.4  1.491 ms [mtu: 1500]
 9  74.125.243.161  2.975 ms [mtu: 1500]
10  172.253.50.23  2.530 ms [mtu: 1500]
11  8.8.8.8  1.901 ms [mtu: 1500]

Source

https://www.caida.org/tools/measurement/scamper/

Dig Dns Whois

whois egal.com

user@erde$ whois egal.com
   Domain Name: EGAL.COM
   Registry Domain ID: 1979745_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.name.com
   Registrar URL: http://www.name.com
   Updated Date: 2019-09-25T20:43:47Z
   Creation Date: 1996-03-25T05:00:00Z
   Registry Expiry Date: 2022-03-26T04:00:00Z
   Registrar: Name.com, Inc.
   Registrar IANA ID: 625
   Registrar Abuse Contact Email: [email protected]
   Registrar Abuse Contact Phone: 7202492374
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: NS1CNY.NAME.COM
   Name Server: NS2KRY.NAME.COM
   Name Server: NS3DKZ.NAME.COM
   Name Server: NS4BHT.NAME.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-10-28T12:57:34Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: EGAL.COM
Registry Domain ID: 1979745_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.name.com
Registrar URL: http://www.name.com
Updated Date: 2019-09-25T20:43:47Z
Creation Date: 1996-03-25T05:00:00Z
Registrar Registration Expiration Date: 2022-03-26T04:00:00Z
Registrar: Name.com, Inc.
Registrar IANA ID: 625
Reseller:
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Domain Manager
Registrant Organization: Affordable Webhosting, Inc., Customers
Registrant Street: PO Box 1508
Registrant City: Manzanita
Registrant State/Province: OR
Registrant Postal Code: 97130-1508
Registrant Country: US
Registrant Phone: +1.8773593385
Registrant Email: [email protected]
Registry Admin ID: Not Available From Registry
Admin Name: Domain Manager
Admin Organization: Affordable Webhosting, Inc., Customers
Admin Street: PO Box 1508
Admin City: Manzanita
Admin State/Province: OR
Admin Postal Code: 97130-1508
Admin Country: US
Admin Phone: +1.8773593385
Admin Email: [email protected]
Registry Tech ID: Not Available From Registry
Tech Name: Domain Manager
Tech Organization: Affordable Webhosting, Inc., Customers
Tech Street: PO Box 1508
Tech City: Manzanita
Tech State/Province: OR
Tech Postal Code: 97130-1508
Tech Country: US
Tech Phone: +1.8773593385
Tech Email: [email protected]
Name Server: ns1cny.name.com
Name Server: ns2kry.name.com
Name Server: ns3dkz.name.com
Name Server: ns4bht.name.com
DNSSEC: unSigned
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.7203101849
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-10-28T12:57:49Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

dig egal.com

user@erde$ dig egal.com

; <<>> DiG 9.4.2-P2 <<>> egal.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40487
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;egal.com.                      IN      A

;; ANSWER SECTION:
egal.com.               185     IN      A       75.126.102.240

;; Query time: 0 msec
;; SERVER: 192.168.108.211#53(192.168.108.211)
;; WHEN: Mon Oct 28 13:59:27 2019
;; MSG SIZE  rcvd: 42

dig -t SOA egal.com

user@erde$ dig -t SOA egal.com

; <<>> DiG 9.4.2-P2 <<>> -t SOA egal.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8267
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;egal.com.                      IN      SOA

;; ANSWER SECTION:
egal.com.               300     IN      SOA     ns1cny.name.com. support.name.com. 1571875200 10800 3600 604800 3600

;; Query time: 246 msec
;; SERVER: 192.168.108.211#53(192.168.108.211)
;; WHEN: Mon Oct 28 14:00:11 2019
;; MSG SIZE  rcvd: 82

dig -t SOA @ns1cny.name.com egal.com

user@erde$ dig -t SOA @ns1cny.name.com. egal.com.

; <<>> DiG 9.4.2-P2 <<>> -t SOA @ns1cny.name.com. egal.com.
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13194
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;egal.com.                      IN      SOA

;; ANSWER SECTION:
egal.com.               300     IN      SOA     ns1cny.name.com. support.name.com. 1571875200 10800 3600 604800 3600

;; Query time: 31 msec
;; SERVER: 162.88.61.47#53(162.88.61.47)
;; WHEN: Mon Oct 28 14:01:25 2019
;; MSG SIZE  rcvd: 82
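The two SOA queries above, one through the resolver and one straight at ns1cny.name.com, both returned serial 1571875200. As an added example (not part of the original post), here is a small script that pulls the SOA fields out of dig answer lines and checks that every authoritative server of a zone hands out the same serial, which is how a stale secondary shows up. The two sample lines are constructed from the values on this page (the second with an older serial); the live query function needs dig(1) and network access.

```shell
#!/bin/sh
# Added example, not part of the original post: parse dig SOA answer lines
# and compare the serial returned by each authoritative name server.
# SAMPLE_* lines are constructed for this example from the SOA on this page.
set -eu

SAMPLE_CURRENT='egal.com.               300     IN      SOA     ns1cny.name.com. support.name.com. 1571875200 10800 3600 604800 3600'
SAMPLE_STALE='egal.com.               300     IN      SOA     ns1cny.name.com. support.name.com. 1571788800 10800 3600 604800 3600'

# soa_fields LINE : from a dig answer line for an SOA record, print
# "mname rname serial refresh retry expire minimum"; nothing for other types.
soa_fields() {
  printf '%s\n' "$1" | awk '$4 == "SOA" { print $5, $6, $7, $8, $9, $10, $11 }'
}

# soa_serial LINE : the serial only (empty if LINE is not an SOA answer).
soa_serial() {
  soa_fields "$1" | cut -d' ' -f3
}

# serials_agree : read SOA answer lines on stdin; 0 iff they all carry one
# serial. Non-SOA lines are ignored and empty input counts as disagreement,
# so a failed query never looks healthy.
serials_agree() {
  n=$(while IFS= read -r line; do soa_serial "$line"; done \
        | sort -u | wc -l | tr -d ' ')
  [ "$n" -eq 1 ]
}

# live_check ZONE : ask every NS of ZONE for its SOA directly and
# non-recursively (the "aa" answer above) and report whether serials match.
live_check() {
  zone=$1
  for ns in $(dig +short NS "$zone"); do
    dig +noall +answer +norecurse -t SOA "@$ns" "$zone"
  done | serials_agree \
    && echo "$zone: all name servers agree" \
    || echo "$zone: serial mismatch, a secondary is stale or was never updated"
}

# Usage: sh soa-check.sh egal.com
if [ $# -ge 1 ]; then
  live_check "$1"
fi
```

The fields after the serial are refresh (10800 s, how often secondaries poll), retry (3600 s), expire (604800 s, after which a secondary that cannot reach the primary stops answering) and the negative-caching TTL (3600 s). A serial like 1571875200 looks like a Unix timestamp rather than the YYYYMMDDnn convention, which is fine as long as it only ever increases.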

dig +trace @8.8.8.8 egal.com

user@erde$ dig +trace egal.com

; <<>> DiG 9.4.2-P2 <<>> +trace egal.com
;; global options:  printcmd
;; Received 17 bytes from 192.168.108.211#53(192.168.108.211) in 1 ms

The local resolver returned an empty answer to the initial query for the root NS set (17 bytes is just the DNS header plus the question), so +trace has nothing to follow and stops. Asking a resolver that does hand out the root servers, here 8.8.8.8, gives the full delegation chain from the root through the .com servers to the zone's own name servers:

user@erde$ dig +trace @8.8.8.8 egal.com

; <<>> DiG 9.4.2-P2 <<>> +trace @8.8.8.8 egal.com
; (1 server found)
;; global options:  printcmd
.                       12203   IN      NS      a.root-servers.net.
.                       12203   IN      NS      b.root-servers.net.
.                       12203   IN      NS      c.root-servers.net.
.                       12203   IN      NS      d.root-servers.net.
.                       12203   IN      NS      e.root-servers.net.
.                       12203   IN      NS      f.root-servers.net.
.                       12203   IN      NS      g.root-servers.net.
.                       12203   IN      NS      h.root-servers.net.
.                       12203   IN      NS      i.root-servers.net.
.                       12203   IN      NS      j.root-servers.net.
.                       12203   IN      NS      k.root-servers.net.
.                       12203   IN      NS      l.root-servers.net.
.                       12203   IN      NS      m.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 9 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 486 bytes from 198.97.190.53#53(h.root-servers.net) in 116 ms

egal.com.               172800  IN      NS      ns1cny.name.com.
egal.com.               172800  IN      NS      ns2kry.name.com.
egal.com.               172800  IN      NS      ns3dkz.name.com.
egal.com.               172800  IN      NS      ns4bht.name.com.
;; Received 291 bytes from 192.35.51.30#53(f.gtld-servers.net) in 17 ms

egal.com.               300     IN      A       75.126.102.240
;; Received 42 bytes from 162.88.61.49#53(ns3dkz.name.com) in 23 ms

Dig +noall +answer

user@erde$ dig +noall +answer egal.com
egal.com.		267	IN	A	75.126.102.240

Reverse Lookup

user@erde$ dig +noall +answer +short -x 8.8.8.8
dns.google.

getent

user@erde$ getent hosts egal.com
75.126.102.240                          egal.com

Long vs Short

IPv4 Long

user@erde$ dig A dns.google

; <<>> dig 9.10.8-P1 <<>> A dns.google
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57107
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.google.			IN	A

;; ANSWER SECTION:
dns.google.		169	IN	A	8.8.4.4
dns.google.		169	IN	A	8.8.8.8

;; Query time: 0 msec
;; SERVER: 213.133.98.98#53(213.133.98.98)
;; WHEN: Tue May 18 19:25:15 CEST 2021
;; MSG SIZE  rcvd: 71

IPv4 Short

user@erde$ dig A dns.google +short
8.8.8.8
8.8.4.4

IPv6 Long

user@erde$ dig AAAA dns.google

; <<>> dig 9.10.8-P1 <<>> AAAA dns.google
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39920
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.google.			IN	AAAA

;; ANSWER SECTION:
dns.google.		606	IN	AAAA	2001:4860:4860::8888
dns.google.		606	IN	AAAA	2001:4860:4860::8844

;; Query time: 0 msec
;; SERVER: 213.133.98.98#53(213.133.98.98)
;; WHEN: Tue May 18 19:25:23 CEST 2021
;; MSG SIZE  rcvd: 95

IPv6 Short

user@erde$ dig AAAA dns.google +short
2001:4860:4860::8844
2001:4860:4860::8888


OpenBSD APU Serial Console

How to Access APU “B” from APU “A” via Serial Console (USB to Serial Device)

APU “A”

Connect USBtoSerial Adapter

Connect to Serial Console on APU “B”

APU “B”

/etc/ttys
tty00 "/usr/libexec/getty std.115200" vt220  on secure

"on" starts a getty on the first serial port at 115200 baud. "secure" additionally lets root log in directly on that line; leave it out if the serial cable ends somewhere you do not fully control. After editing, run "kill -HUP 1" so init(8) rereads /etc/ttys.

APU “A”

cu -s 115200 -l /dev/tty00     (onboard serial port of APU "A")

cu -s 115200 -l /dev/cuaU0     (first USB-to-serial port, ucom0; further ports of an 8-port device appear as cuaU1, cuaU2, ...)

-> you now have console access to APU "B"; leave cu with ~.

Hardware

https://www.amazon.de/LogiLink-AU0033-USB-Adapter-Serial/dp/B00BBXHOAY USB Serial Adapter

