Linux

Strip Prefix

Let’s assume you have a URL “https://whoami.your.domain.de/removeme" and you wanna get rid of the “removeme” before passing the Request to the Webserver. Stripprefix is your friend …

docker-compose.yml

  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/wegdamit,/removeme"
      - "traefik.http.routers.whoami.middlewares=test-stripprefix@docker"
      - "traefik.http.routers.whoami.rule=Host(`whoami.your.domain.de`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.tls=true"

Any Comments ?

sha256: 0620c0c2d7ae033f2536f6797a048772e52a09119367f4864f8bb2a754d2ea57

Fluentd is an open-source data collector for a unified logging layer. Fluentd allows you to unify data collection and consumption for better use and understanding of data.

Docu

Install Ruby

pkg_add ruby-3.1.2

Set Symlinks

ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby
ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle
ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler
ln -sf /usr/local/bin/erb31 /usr/local/bin/erb
ln -sf /usr/local/bin/gem31 /usr/local/bin/gem
ln -sf /usr/local/bin/irb31 /usr/local/bin/irb
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/racc
ln -sf /usr/local/bin/rake31 /usr/local/bin/rake
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rbs
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdbg
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc
ln -sf /usr/local/bin/ri31 /usr/local/bin/ri
ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof

Install Fluentd

gem install fluentd

more Symlinks

ln -sf /usr/local/bin/fluentd31 /usr/local/bin/fluentd

Create Config

fluentd --setup /etc/fluent

Edit config

cat << 'EOF ' > /etc/fluent/fluent.conf
# fluent.conf

# Nginx Log
<source>
  @type tail
  format nginx
  path /var/log/nginx/blog.stoege.net.log
  pos_file /var/log/nginx-pos/blog.stoege.net.log
  time_key fluentd_time
  time_format %d/%b/%Y:%H:%M:%S %z
  tag nginx.access
</source>

# Output
<match nginx.access>
  @type file
  path /var/log/fluent/blog.stoege.net
</match>
EOF

Run

fluentd -c /etc/fluent/fluent.conf

Sample Data

tail -f /var/log/fluent/blog.stoege.net/buffer.b5e6e8e8ee14db5e3a401bb38f14a6de5.log
2022-08-23T15:54:58+02:00	nginx.access	{"remote":"114.119.135.215","host":"-","user":"-","time":"23/Aug/2022:15:54:58 +0200","method":"GET","path":"/tags/monitoring/","code":"200","size":"33684","referer":"https://blog.stoege.net/tags/vpn","agent":"Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)","http_x_forwarded_for":"-"}
2022-08-23T15:55:42+02:00	nginx.access	{"remote":"147.182.168.107","host":"-","user":"-","time":"23/Aug/2022:15:55:41 +0200","method":"GET","path":"/index.xml","code":"304","size":"0","referer":"-","agent":"NewsBlur Feed Fetcher - 2 subscribers - https://www.newsblur.com/site/8313934/blog-stoege-net (\\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\\x22)","http_x_forwarded_for":"-"}
2022-08-23T15:55:42+02:00	nginx.access	{"remote":"147.182.168.107","host":"-","user":"-","time":"23/Aug/2022:15:55:42 +0200","method":"GET","path":"/","code":"200","size":"56891","referer":"-","agent":"NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8313934/blog-stoege-net (\\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\\x22)","http_x_forwarded_for":"-"}

Any Comments ?

sha256: fb02e126f5e34e4be8630c5190e9af68d2c36e91e5c4d54a11f6b70a3be6563b

Let’s give a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator

Response

If you have Docker running somehwere … bring up your Smoke Instance within Seconds ;)

Smokeping

docker run --name smoke --restart always -d -p 80:80 linuxserver/smokeping

Show Containers

docker ps

docker-test:~# docker ps
CONTAINER ID   IMAGE                   COMMAND   CREATED         STATUS         PORTS                               NAMES
8f8b872ac1c3   linuxserver/smokeping   "/init"   6 minutes ago   Up 6 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp   smoke

Shell into Docker

docker exec -it smoke /bin/sh

Check Netstat

root@8f8b872ac1c3:/# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     406670 s
unix  2      [ ACC ]     STREAM     LISTENING     406078 /run/apache2/fcgidsock/137.0

Preview

Running Alpine on ESX ? Install the Open VM Tools …

Install OpenVM Tools

apk add open-vm-tools
apk add open-vm-tools-guestinfo
apk add open-vm-tools-deploypkg

Start Service

rc-service open-vm-tools start

Autostart Service

rc-update add open-vm-tools boot

All in One

apk add open-vm-tools open-vm-tools-guestinfo open-vm-tools-deploypkg
rc-update add open-vm-tools boot
rc-service open-vm-tools start

Busybox Extras

add some tools (arch, dnsd, dumpleases, fakeidentd, ftpd, ftpget, ftpput, httpd, inetd, readahead, telnet, telnetd, tftp, tftpd, udhcpd)

apk add busybox-extras

List Packages

apk info -L busybox-extras

docker# apk info -L busybox-extras
busybox-extras-1.35.0-r15 contains:
bin/busybox-extras

Any Comments ?

sha256: 5ba2c46f793ad164b6cecb62f406791adf588c1e51f589dba71067fd60e38aea

Assume you got a fresh Machine with DHCP …

Ubuntu with DHCP Config

cat /etc/netplan/01-netcfg.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens192:
      dhcp4: true
  version: 2

and you’d like to switch to Static IP, ask google how todo it an give try:

Static IP with Netplan

# This is the network config written by 'subiquity'
network:
  version: 2
  ethernets:
    ens192:
      addresses:
      - 1.2.3.4/24
      gateway4: 1.1.1.1
      nameservers:
        addresses:
        - 8.8.8.8
        - 8.8.4.4
        search:
        - world.net

then reboot … and the machine is gone. ok, not really gone, but from IP perspective definitly. it just reboots and come back without default gateway :(

If you ever wanna run a Multiplayer OWASP Juice Shop CTF on your own, here are some Notes and Info for bloody beginners

References

Prerequisite

you’ve got

a Digital Ocean Account (or some other Cloud Provider)
a spare domain and set the NS of DigitalOcean
Digital Ocean CMD Line Tools installed and configured
helm tools (kubernetes package manager -> brew install helm)
some budget (~2 CHF/Day)
30min for Setup

btw. all this commands should run on macOS. linux may needs some adjustments …

Install Notes

checkmk 2.0 (beta)

install debian 10.6
upgrade to 10.7
apt-get install dpkg-sig

scp check-mk-raw-2.0.0b1_0.buster_amd64.deb ip-of-host:/tmp/
wget https://checkmk.com/support/Check_MK-pubkey.gpg
gpg --keyserver keys.gnupg.net --recv-keys 434DAC48C4503261
gpg --armor --export 434DAC48C4503261 > Check_MK-pubkey.gpg
gpg --import Check_MK-pubkey.gpg

dpkg-sig --verify check-mk-raw-2.0.0b1_0.buster_amd64.deb

apt-get install gdebi-core
gdebi check-mk-raw-2.0.0b1_0.buster_amd64.deb

omd version
OMD - Open Monitoring Distribution Version 2.0.0b1.cre


omd create mysite
omd start mysite
http://ip-of-host/mysite/
cmkadmin


  The admin user for the web applications is cmkadmin with password: xXxXxXx
  For command line administration of the site, log in with 'omd su mysite'.
  After logging in, you can change the password for cmkadmin with 'htpasswd etc/htpasswd cmkadmin'.

Any Comments ?

sha256: 62f460939ccba74886d5b4c89ca6b9ab4afbd9e44c634b961c7b4d8dd572840b

Some Notes Based on this Video: https://www.youtube.com/watch?v=bhBSlnQcq2k

Download Docker

https://docs.docker.com/get-docker/

Download Nginx Image

https://hub.docker.com/_/nginx

docker pull nginx

Run Image

docker run nginx
docker run nginx:latest
docker run -d nginx:latest
docker run -d -p 80 nginx:latest
docker run -d -p 8080:80 nginx:latest
docker run -d -p 3000:80 -p 8080:80 nginx:latest

Access Webserver

mbp:~ stoege$ docker run -d -p 8080:80 nginx:latest
5c7a945caa59f14e35932f3d4470c9b9afc0307dac34e01947d41adbcdfda091

mbp:~ stoege$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                  NAMES
5c7a945caa59        nginx:latest        "/docker-entrypoint.…"   About a minute ago   Up About a minute   0.0.0.0:8080->80/tcp   laughing_cartwright

open Brower http://localhost:8080 -> Welcome Page

debian on apu

boot

menu -> tab

-> debian-installer/i386/linux vga=788 initrd=debian-installer/i386/initrd.gz — console=ttyS0,115200

enter

space

:)

english

country switzerland

nic0

hostname apu005

domain planet

mirror ch -> ftp.ch.debian.org

root password

Partitioning: entire Disk & LVM

Separate /home /var /tmp

survey no

soft: standard system utilities & ssh server

grub yes

braucht ca. 30min !

automated

https://www.debian.org/releases/stable/amd64/apbs02.en.html https://www.debian.org/releases/buster/example-preseed.txt

Packages

apt-get -y install net-tools git htop

Reboot

geht 40 Sekunden

Any Comments ?

sha256: de990ff6c33196dbecc6d133f0fc29686ded54fa7357d30e7dc36a59f0368eb0