OpenBSD

Keepalive

Little Keep Alive

… mit freundlicher Genehmigung von Kumpel Marc :)

keepalive.sh

#!/usr/bin/env bash

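# Excuse list used by keep(); downloaded once if missing. The file is only ever
# read by shuf and echoed back, never sourced or executed.
FILE="$HOME/scripts/excuses"

# Linux or BSD? nf points to the right numfmt binary (GNU coreutils installs
# it as gnumfmt on BSD/macOS). command -v is POSIX; which is not.
if command -v numfmt >/dev/null 2>&1; then
    nf=$(command -v numfmt)
else
    nf=$(command -v gnumfmt)
fi

# Same game for shuf / gshuf.
if command -v shuf >/dev/null 2>&1; then
    gs=$(command -v shuf)
else
    gs=$(command -v gshuf)
fi

if [ ! -e "$FILE" ]; then
    echo ""
    echo "$FILE does not exist"
    echo "##############################################"
    command -v curl >/dev/null 2>&1 || { echo >&2 "Holy cow! You don't even have curl, get lost!"; echo ""; exit 1; }
    mkdir -p "$HOME/scripts/"
    # -f: treat an HTTP error as a failure instead of saving the error page as
    # the excuse list; -L: follow redirects. Abort rather than loop forever
    # over a missing file.
    curl -fL -o "$FILE" https://pages.cs.wisc.edu/~ballard/bofh/excuses \
        || { echo >&2 "download of $FILE failed"; exit 1; }
    echo "##############################################"
fi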

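# Print the "still alive" banner: hostname, seconds since the epoch and a
# random BOFH excuse.
# Globals (read): nf (numfmt binary), gs (shuf binary), FILE (excuse list).
keep () {
 clear
 echo "If you are reading this..." && echo "Congratulations, you are alive."
 echo ""
 echo "You are stuck on the following planet: $(hostname)"
 # --grouping inserts thousands separators; the abbreviated "--g" only works
 # with GNU getopt_long, so spell the option out.
 echo "It has been $(date +%s | "$nf" --grouping) seconds since January 1st 1970, this is quite a while..."
 echo ""
 echo "Your current excuse is:"
 "$gs" -n 1 "$FILE"
}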

# Redraw the banner every 30 seconds until interrupted (Ctrl-C).
while true; do
 keep
 sleep 30
done

Testrun

./keepalive.sh
If you are reading this...
Congratulations, you are alive.

You are stuck on the following planet: puffy201.planet
It has been 1658870361 seconds since January 1st 1970, this is quite a while...

Your current excuse is:
Power Company having EMP problems with their reactor


Openbsd Nginx with Client Authentication

Requirement

/etc/httpd.conf

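# $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $

# httpd(8) only serves the ACME challenge directory here; nginx in front of it
# terminates TLS and checks client certificates before proxying to :8080.
# Bind to loopback so the backend is reachable only through nginx: with
# "listen on *" anyone who can reach port 8080 directly talks to the backend
# without ever passing the client-certificate gate on /secure (unless pf
# happens to filter the port).
server "*" {
  listen on 127.0.0.1 port 8080
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}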

/etc/nginx/nginx.conf

# Take note of http://wiki.nginx.org/Pitfalls
#
# Reverse proxy in front of a backend on 127.0.0.1:8080. TLS is terminated
# here. Client certificates chaining to /etc/ssl/root_ca.crt are *requested*
# on :443 (ssl_verify_client optional) but only *enforced* for /secure via
# the $ssl_client_verify check in that location. Everything else on :443
# and the whole :80 server is reachable without a client certificate.
# NOTE(review): the backend must not be reachable except through this proxy
# (bind it to loopback or filter :8080 in pf), otherwise the /secure gate is
# bypassed by talking to :8080 directly.

#user  www;
worker_processes  1;

#load_module "modules/ngx_stream_module.so";

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#error_log  syslog:server=unix:/dev/log,severity=notice;

#pid        logs/nginx.pin;

worker_rlimit_nofile 1024;
events {
    worker_connections  800;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.html index.htm;

    #access_log  logs/access.log  main;

    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    # Do not advertise the nginx version in Server: headers and error pages.
    server_tokens off;

    # Plain-HTTP server: static files only, no proxying and no client-cert
    # check. Nothing here forwards to :8080.
    server {
        listen       80;
        listen       [::]:80;
        server_name  localhost;
        root         /var/www/htdocs;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root  /var/www/htdocs;
        }
    }


    # HTTPS server
    # This is the only :443 server, so it is the default for every SNI name,
    # not just "localhost".
    server {
        listen       443 ssl;
        server_name  localhost;
        # Not used by the two locations below (both proxy_pass); only relevant
        # if a static location is added later.
        root         /var/www/htdocs;

        ssl_certificate      /etc/ssl/puffy201.planet.crt;
        ssl_certificate_key  /etc/ssl/private/puffy201.planet.key;

        ssl_session_timeout  5m;
        ssl_session_cache    shared:SSL:1m;

        # NOTE(review): no ssl_protocols directive, so the enabled TLS versions
        # are whatever this nginx/LibreSSL build defaults to; pin them
        # explicitly (TLSv1.2, plus TLSv1.3 where supported).
        ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers   on;

        # Ask every client for a certificate issued by root_ca.crt but finish
        # the handshake either way; $ssl_client_verify is then SUCCESS, NONE
        # (no cert) or FAILED:... and is checked per location below.
        ssl_client_certificate /etc/ssl/root_ca.crt;
        ssl_verify_client optional;


    # Only this prefix requires a valid client certificate.
    location /secure
    {
        # "if ... return" is one of the few safe uses of if inside a location
        # (see the Pitfalls link at the top).
        if ($ssl_client_verify != SUCCESS) {
             return 403;
        }

        proxy_pass  http://127.0.0.1:8080;

        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ####
        # NOTE(review): these two hash sizes are far above the defaults and
        # are not needed for this handful of headers.
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        # Appends $remote_addr to any client-supplied X-Forwarded-For; the
        # backend should only trust the last (rightmost) entry.
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header        X-Forwarded-Proto $scheme;
        # NOTE(review): add_header sets a *response* header sent back to the
        # client; if the backend is supposed to see Front-End-Https this
        # should be proxy_set_header instead.
        add_header              Front-End-Https   on;

        proxy_redirect     off;
    }

    # Everything else on :443 is proxied without a client-certificate check.
    location /
    {
        proxy_pass  http://127.0.0.1:8080;

        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ####
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header        X-Forwarded-Proto $scheme;
        # Same remark as above: this is a response header, not an upstream one.
        add_header              Front-End-Https   on;

        proxy_redirect     off;
      }
    }
}


Nginx with Client Certificate

NGINX with Client Certificates

root@debian:/etc/nginx/sites-available#
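# Plain-HTTP listener. It used to serve the same document root as the TLS
# server below, which let anyone read the "client-certificate protected"
# content over http:// without presenting a certificate at all. Now it only
# redirects to https. If fullchain.crt is renewed with an HTTP-01 challenge,
# exempt /.well-known/acme-challenge/ from the redirect.
server {
  listen 80;
  listen [::]:80;

  server_name host198.planet;

  access_log /var/log/nginx/host198.planet;

  location / {
    return 301 https://$host$request_uri;
  }
}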

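# TLS server: every request must carry a client certificate issued by ca.crt,
# otherwise it gets an HTTP 403 and never reaches the document root.
server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name host198.planet;
  root /var/www/host198.planet;

  ssl_certificate /etc/ssl/private/fullchain.crt;
  ssl_certificate_key /etc/ssl/private/host198.planet.key;

  # TLS 1.0/1.1 are deprecated (RFC 8996); offer 1.2 only. Add TLSv1.3 once
  # the nginx/OpenSSL build supports it (nginx >= 1.13, OpenSSL >= 1.1.1).
  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5;

  # Request a certificate signed by ca.crt from every client but complete the
  # handshake either way; the outcome is exposed as $ssl_client_verify.
  # "optional" (rather than "on") is what makes the HTTP 403 below possible
  # instead of a bare TLS alert.
  ssl_client_certificate /etc/ssl/private/ca.crt;
  ssl_verify_client optional;

  access_log /var/log/nginx/host198.planet;
  index index.html;

  location / {
    # if the client-side certificate failed to authenticate, show a 403
    # message to the client. "if ... return" is one of the few safe uses of
    # if inside a location; a verified client falls through to the static
    # root above.
    if ($ssl_client_verify != SUCCESS) {
      return 403;
    }
  }
}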


Rancid

Voraussetzungen

  • login mit ssh und key auf den switch
  • braucht ein “enable” command ohne passwort, um in den enable mode zu gelangen

install Rancid

pkg_add rancid

Update Config

vim /etc/rancid/rancid.conf

# Keep the collected configs in git instead of the default CVS.
RCSSYS=git; export RCSSYS
# Single rancid group; its devices are listed in that group's router.db.
LIST_OF_GROUPS="switches"; export LIST_OF_GROUPS

Switch User

su - _rancid 

.cloginrc

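# .cloginrc holds the switch login and enable passwords in plain text, so
# create it under a restrictive umask instead of relying on the chmod that
# follows: with the default umask the file would be world-readable between
# the redirection and the chmod. The subshell keeps the umask change local.
# clogin also refuses a .cloginrc that is group/world readable, so the chmod
# stays for the case where the file already existed.
( umask 077; cat << 'EOF' >> .cloginrc
add user        * backupuser
add password    * passwort enablepasswort
add method      * ssh
EOF
)
chmod 600 .cloginrc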

Build Env & Directories

rancid-cvs

Router.db

switch1;cisco;up
switch2;cisco;up
switch3;cisco;up
switch4;cisco;up
switch5;cisco;up

Update clogin File

needed ???

Dhcpcd

IPv6 Client mit OpenBSD

Stateless Autoconfig

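# OpenBSD spells this "inet6 autoconf" (the addresses are then managed by
# slaacd(8)); "slaacd" itself is not an ifconfig(8) keyword.
ifconfig vether0 inet6 autoconf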

Falls der Router im RA ein “Managed Address Configuration: Set” schickt, muss der Client eine DHCPv6-Anfrage an den DHCPv6-Server schicken. OpenBSD hat das im Base System nicht drin, darum installieren wir den Client:

pkg_add dhcpcd

umweg ~# cat /etc/dhcpcd.conf
# dhcpcd as a pure DHCPv6 client for vether0 (see dhcpcd.conf(5)).
ipv6only
# Global default: dhcpcd does not send router solicitations ...
noipv6rs
# ... identify with a DUID and keep leases across dhcpcd exits.
duid
persistent
option rapid_commit
require dhcp_server_identifier

# disable running any hooks; not typically required for simple DHCPv6-PD setup
script ""

# List interfaces explicitly so that dhcpcd doesn't touch others
allowinterfaces vether0

interface vether0
        # the following two lines tell dhcpcd to do router solicitation
        # itself. don't use them if using "inet6 autoconf" (slaacd)
        # NOTE(review): this per-interface ipv6rs overrides the global
        # noipv6rs above, so vether0 must not also be running slaacd, or two
        # daemons will answer the same RAs.
        ipv6rs
        # request one non-temporary address (IA_NA) via DHCPv6
        ia_na 1

und last but not least den Service enablen und (re)starten: `rcctl enable dhcpcd && rcctl restart dhcpcd`

Update_hugo

how to update hugo

you can use ports (pkg_add hugo) and get the latest stable hugo package based on OpenBSD release cycles (twice a year), or grab the latest binary from GitHub and put it on your machine. Note that pkg_add verifies the package signature for you, while a tarball fetched from GitHub is not verified at all — check it against the checksums file published with the release before installing it as root.

Releases: https://github.com/gohugoio/hugo/releases

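cd /tmp
ftp https://github.com/gohugoio/hugo/releases/download/v0.62.0/hugo_0.62.0_OpenBSD-64bit.tar.gz
# NOTE(review): this is an unsigned binary from GitHub; verify the tarball
# against the checksums file published with the same release before
# installing it into /usr/local/bin as root.
# Extract only the hugo binary, not the whole archive, into /tmp.
tar xzf hugo_0.62.0_OpenBSD-64bit.tar.gz hugo
doas mv hugo /usr/local/bin/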

or find latest automatically

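doas su -
cd /tmp/
# Take only download links of the hugo project itself (not an arbitrary link
# that happens to contain "OpenBSD-64bit") and only the first one.
u=$(lynx -dump -listonly https://github.com/gohugoio/hugo/releases/latest \
  | grep -o 'https://github.com/gohugoio/hugo/releases/download/[^ ]*OpenBSD-64bit[^ ]*' \
  | head -n 1)
# Bail out instead of running ftp/tar/rm with empty arguments.
: "${u:?no OpenBSD-64bit asset found on the latest release page}"
f=${u##*/}
ftp "$u"
# NOTE(review): unsigned binary; verify "$f" against the release's checksums
# file before the mv. Extract only the hugo binary.
tar xzf "$f" hugo
doas mv hugo /usr/local/bin/
rm "$f"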

or extract automatically

Migrate Packages from Host A to Host B

How to migrate all Packages

Got several Packages installed on Host A and you would like to migrate them to Host B ? That’s easy :)

Extract on Host A

pkg_info -mz | tee list
ansible--
bash--
...
vnstat--
wget--

scp list HostB:/tmp/

Import on Host B

doas pkg_add -l /tmp/list

Oneline

or you can simply do it in one line, although there are two commands — copy and install — e.g. `scp list HostB: && ssh -t HostB doas pkg_add -l list`. Prefer the target user's home over /tmp: /tmp is world-writable, so another local user on Host B could swap the list before root runs pkg_add on it.

Scamper

Install

doas pkg_add scamper

Scamper

umweg ~# scamper -c "trace -M" -i 8.8.8.8
traceroute from 130.60.xx.xx to 8.8.8.8
 1  130.60.xx.xx 0.418 ms [mtu: 1500]
 2  130.60.xx.xx 0.411 ms [mtu: 1500]
 3  10.1.1.209  1.658 ms [mtu: 1500]
 4  10.1.0.54  2.284 ms [mtu: 1500]
 5  10.20.128.37  0.848 ms [mtu: 1500]
 6  192.41.136.65  0.994 ms [mtu: 1500]
 7  192.41.136.1  0.774 ms [mtu: 1500]
 8  72.14.195.4  1.491 ms [mtu: 1500]
 9  74.125.243.161  2.975 ms [mtu: 1500]
10  172.253.50.23  2.530 ms [mtu: 1500]
11  8.8.8.8  1.901 ms [mtu: 1500]

Source

https://www.caida.org/tools/measurement/scamper/

OpenBSD APU Serial Console

How to Access APU “B” from APU “A” via Serial Console (USB to Serial Device)

APU “A”

Connect USBtoSerial Adapter

Connect to Serial Console on APU “B”

APU “B”

/etc/ttys
# tty00: onboard serial port, getty at 115200 (std.115200 from gettytab(5)).
# "secure" lets root log in directly on this line (ttys(5)); drop it if the
# serial cable is not physically trusted, so only non-root accounts can log in.
tty00 "/usr/libexec/getty std.115200" vt220  on secure

APU “A”

cu -s 115200 -l /dev/tty00

cu -s 115200 -l /dev/cuaU0   # USB-to-serial adapter (e.g. the 8-port USB2Serial device); check dmesg for the right ucom/cuaU unit number

-> you have now Console Access to APU “B”

Hardware

https://www.amazon.de/LogiLink-AU0033-USB-Adapter-Serial/dp/B00BBXHOAY USB Serial Adapter



Openbsd upgrade 6.6

OpenBSD 6.6 is released today. Here is my upgrade procedure (the script below must be run as root after the new sets are installed; it re-runs sysmerge itself):

run sysmerge

reboot

run script:

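#!/bin/sh
#
# Post-reboot steps for the upgrade to OpenBSD 6.6 (amd64), run as root:
# rebuild devices, reinstall the bootloader, record the new kernel hash,
# update firmware and packages, and delete the files the 6.6 upgrade guide
# lists as obsolete. The script removes itself at the end.

# be nice and verbose -- printf instead of echo, because whether sh's echo
# expands "\n" depends on the shell it is run under.
e() {
  printf '\n%s **\n' "$1"
}

e "** vars"
_mydir=$(pwd)

e "** build base urls"
_path_base=https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/
_path_pkg=https://cdn.openbsd.org/pub/OpenBSD/6.6/packages/amd64/
echo "_path_base: ${_path_base}"
echo "_path_pkg: ${_path_pkg}"

e "** make all devices"
cd /dev || exit 1
./MAKEDEV all || exit 1

e "** cd /tmp"
cd /tmp || exit 1

e "** install boot loader"
# Root partition name (e.g. sd0a) from mount(8); strip the partition letter
# to get the disk. Refuse to continue if nothing matched rather than calling
# installboot with an empty argument.
_boot=$(mount | awk -F'[/ ]' '/ on \/ / {print $3}')
: "${_boot:?could not determine the root device from mount(8)}"
installboot "${_boot%?}" || exit 1

e "** hash new Kernel"
# Record the hash of the freshly installed kernel for the boot-time check.
sha256 -h /var/db/kernel.SHA256 /bsd

e "** export URL for pkg upgrade"
echo "export PKG_PATH=${_path_pkg}"
export PKG_PATH="${_path_pkg}"

e "** run sysmerge"
sysmerge

e "** run fw update"
fw_update -v

e "** run pkg update"
pkg_add -Vu

e "** index new man pages"
makewhatis

e "** Update Acme Client API"
# Let's Encrypt retired the ACME v1 endpoint; only touch the file if present.
[ -f /etc/acme-client.conf ] && sed -i 's/acme-v01.api.letsencrypt.org/acme-v02.api.letsencrypt.org/' /etc/acme-client.conf

e "** files to remove"
# Obsolete files from the 6.6 upgrade guide; rm -f so already-missing ones
# are not an error.
rm -f /usr/share/man/man3p/carp.3p \
  /usr/share/man/man3p/Tie::ExtraHash.3p \
  /usr/share/man/man3p/Tie::StdHash.3p \
  /usr/share/man/man3p/Tie::StdScalar.3p \
  /usr/share/man/man3p/basename.3p \
  /usr/share/man/man3p/cluck.3p \
  /usr/share/man/man3p/confess.3p \
  /usr/share/man/man3p/croak.3p \
  /usr/share/man/man3p/dirname.3p \
  /usr/share/man/man3p/fileparse.3p \
  /usr/share/man/man3p/getopt.3p \
  /usr/share/man/man3p/getopts.3p \
  /usr/share/man/man3p/inet_aton.3p \
  /usr/share/man/man3p/inet_ntoa.3p \
  /usr/share/man/man3p/longmess.3p \
  /usr/share/man/man3p/look.3p \
  /usr/share/man/man3p/open2.3p \
  /usr/share/man/man3p/open3.3p \
  /usr/share/man/man3p/pod2usage.3p \
  /usr/share/man/man3p/podchecker.3p \
  /usr/share/man/man3p/podselect.3p \
  /usr/share/man/man3p/shortmess.3p \
  /usr/share/man/man3p/sockaddr_in.3p \
  /usr/share/man/man3p/sockaddr_un.3p \
  /usr/share/man/man3p/writemain.3p
rm -f /usr/sbin/snmpctl \
  /usr/share/man/man8/snmpctl.8
rm -f /usr/X11R6/lib/pkgconfig/libfs.pc \
  /usr/X11R6/include/X11/fonts/FSlib.h
rm -rf /usr/X11R6/share/doc/libFS
rm -f /usr/X11R6/bin/xman \
  /usr/X11R6/lib/X11/xman.help \
  /usr/X11R6/man/man1/xman.1 \
  /usr/X11R6/share/X11/app-defaults/Xman \
  /usr/X11R6/lib/pkgconfig/libfs.pc \
  /usr/X11R6/lib/modules/v10002d.uc \
  /usr/X11R6/lib/modules/v20002d.uc \
  /usr/X11R6/lib/modules/drivers/ark_drv.la \
  /usr/X11R6/lib/modules/drivers/ark_drv.so \
  /usr/X11R6/lib/modules/drivers/chips_drv.la \
  /usr/X11R6/lib/modules/drivers/chips_drv.so \
  /usr/X11R6/lib/modules/drivers/glint_drv.la \
  /usr/X11R6/lib/modules/drivers/glint_drv.so \
  /usr/X11R6/lib/modules/drivers/i128_drv.la \
  /usr/X11R6/lib/modules/drivers/i128_drv.so \
  /usr/X11R6/lib/modules/drivers/neomagic_drv.la \
  /usr/X11R6/lib/modules/drivers/neomagic_drv.so \
  /usr/X11R6/lib/modules/drivers/rendition_drv.la \
  /usr/X11R6/lib/modules/drivers/rendition_drv.so \
  /usr/X11R6/lib/modules/drivers/s3_drv.la \
  /usr/X11R6/lib/modules/drivers/s3_drv.so \
  /usr/X11R6/lib/modules/drivers/s3virge_drv.la \
  /usr/X11R6/lib/modules/drivers/s3virge_drv.so \
  /usr/X11R6/lib/modules/drivers/sis_drv.la \
  /usr/X11R6/lib/modules/drivers/sis_drv.so \
  /usr/X11R6/lib/modules/drivers/tdfx_drv.la \
  /usr/X11R6/lib/modules/drivers/tdfx_drv.so \
  /usr/X11R6/lib/modules/drivers/trident_drv.la \
  /usr/X11R6/lib/modules/drivers/trident_drv.so \
  /usr/X11R6/lib/modules/drivers/tseng_drv.la \
  /usr/X11R6/lib/modules/drivers/tseng_drv.so \
  /usr/X11R6/man/man4/chips.4 \
  /usr/X11R6/man/man4/glint.4 \
  /usr/X11R6/man/man4/i128.4 \
  /usr/X11R6/man/man4/neomagic.4 \
  /usr/X11R6/man/man4/rendition.4 \
  /usr/X11R6/man/man4/s3.4 \
  /usr/X11R6/man/man4/s3virge.4 \
  /usr/X11R6/man/man4/sis.4 \
  /usr/X11R6/man/man4/tdfx.4 \
  /usr/X11R6/man/man4/trident.4 \
  /usr/X11R6/man/man4/tseng.4 \
  /usr/X11R6/man/man3/XkbAllocGeomOverlayKey.3
rm -f /usr/X11R6/include/X11/fonts/FSlib.h \
  /usr/include/dev/ic/dwc_gmac_reg.h \
  /usr/include/dev/ic/dwc_gmac_var.h \
  /usr/include/llvm/Analysis/IndirectCallSiteVisitor.h \
  /usr/include/llvm/CodeGen/GCs.h \
  /usr/include/llvm/DebugInfo/PDB/Native/NativeBuiltinSymbol.h \
  /usr/include/llvm/DebugInfo/PDB/Native/NativeEnumSymbol.h \
  /usr/include/llvm/IR/TypeBuilder.h \
  /usr/include/llvm/Transforms/Utils/OrderedInstructions.h
rm -f /usr/share/man/man1/clang++.1 \
  /usr/share/man/man1/clang-cpp.1 \
  /usr/share/man/man1/diagnostics.1 \
  /usr/share/man/man3/SipHash24.3 \
  /usr/share/man/man3/bitstring.3 \
  /usr/share/man/man3/byteorder.3 \
  /usr/share/man/man3/directory.3 \
  /usr/share/man/man3/ethers.3 \
  /usr/share/man/man3/exec.3 \
  /usr/share/man/man3/fts.3 \
  /usr/share/man/man3/getcap.3 \
  /usr/share/man/man3/inet_net.3 \
  /usr/share/man/man3/md5.3 \
  /usr/share/man/man3/pcap-filter.3 \
  /usr/share/man/man3/pcap.3 \
  /usr/share/man/man3/pwcache.3 \
  /usr/share/man/man3/resolver.3 \
  /usr/share/man/man3/rmd160.3 \
  /usr/share/man/man3/sha1.3 \
  /usr/share/man/man3/sha2.3 \
  /usr/share/man/man3/stdarg.3 \
  /usr/share/man/man3/uucplock.3 \
  /usr/share/man/man3/uuid.3 \
  /usr/share/man/man3/ypclnt.3 \
  /usr/share/man/man4/i386/vmm.4 \
  /usr/share/man/man4/macppc/openprom.4 \
  /usr/share/man/man4/sparc64/openprom.4

e "** remove myself"
# $0 may be relative, so go back to where the script was started from.
cd "${_mydir}" && rm -f -- "$0"

e "** done !"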
