OpenBSD - Smokeping

How to Install Smokeping on OpenBSD

Requirements

  • a running OpenBSD server
  • root permissions
  • an FQDN with a TLS certificate

Install Software

pkg_add smokeping

Update Config

cat << 'EOF' >/etc/smokeping/config
*** General ***

owner    = YOUR NAME
contact  = YOUR@EMAIL.NET
mailhost = localhost
sendmail = /usr/sbin/sendmail
# NOTE: do not put the Image Cache below cgi-bin
# since all files under cgi-bin will be executed ... this is not
# good for images.
imgcache = /var/www/htdocs/smokeping/cache
imgurl   = cache
datadir  = /var/db/smokeping
piddir  = /var/run
cgiurl   = https://YOUR.URL.NET/smokeping/smokeping.cgi
smokemail = /etc/smokeping/smokemail
tmail = /etc/smokeping/tmail
# specify this to get syslog logging
syslogfacility = local0
# each probe is now run in its own process
# disable this to revert to the old behaviour
# concurrentprobes = no

*** Alerts ***
to = YOUR@EMAIL.NET
from = smokealert@localhost

+someloss
type = loss
# in percent
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times  in a row

*** Database ***

step     = 300
pings    = 20

# consfn mrhb steps total

AVERAGE  0.5   1  28800
AVERAGE  0.5  12   9600
    MIN  0.5  12   9600
    MAX  0.5  12   9600
AVERAGE  0.5 144   2400
    MAX  0.5 144   2400
    MIN  0.5 144   2400

*** Presentation ***

template = /etc/smokeping/basepage.html

htmltitle = yes
graphborders = no

+ charts

menu = Charts
title = The most interesting destinations

++ stddev
sorter = StdDev(entries=>4)
title = Top Standard Deviation
menu = Std Deviation
format = Standard Deviation %f

++ max
sorter = Max(entries=>5)
title = Top Max Roundtrip Time
menu = by Max
format = Max Roundtrip Time %f seconds

++ loss
sorter = Loss(entries=>5)
title = Top Packet Loss
menu = Loss
format = Packets Lost %f

++ median
sorter = Median(entries=>5)
title = Top Median Roundtrip Time
menu = by Median
format = Median RTT %f seconds

+ overview 

width = 600
height = 50
range = 10h

+ detail

width = 600
height = 200
unison_tolerance = 2

"Last 3 Hours"    3h
"Last 30 Hours"   30h
"Last 10 Days"    10d
"Last 360 Days"   360d

#+ hierarchies
#++ owner
#title = Host Owner
#++ location
#title = Location

*** Probes ***

+ FPing

binary = /usr/local/sbin/fping

*** Targets ***

probe = FPing

menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing

+ Remote
menu= Remote
title= Remote hosts

+ DNS
menu = DNS
title = DNS

++ cf
menu = 1.1.1.1
title = 1.1.1.1
host = 1.1.1.1

++ google
menu = 8.8.8.8
title = 8.8.8.8
host = 8.8.8.8

++ quad9
menu = 9.9.9.9
title = 9.9.9.9
host = 9.9.9.9
EOF

Create Folders

I don’t like to set permissions to 777, but it does not work without it :(
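The folders the config above points at (imgcache and datadir) can be created without going to 777. The following is an added example and not code from the original post. It assumes the OpenBSD package runs the daemon as user _smokeping and that smokeping.cgi runs as www under httpd/slowcgi; with both in one group, a setgid group-writable imgcache covers the two writers (the CGI renders the graphs) while datadir, which only the daemon writes, stays group-readable. The config path, owner, group and the optional prefix are parameters, not values taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original post: create the directories the
# smokeping config points at with a shared group instead of mode 777.
# Assumptions (not stated on the page): the daemon runs as _smokeping and
# the CGI under httpd/slowcgi runs as www. imgcache is written by both
# (graphs are rendered by the CGI), so it is group-writable with setgid;
# datadir holds the RRD files, written by the daemon and only read by www.

# cfg_value CONFIG KEY -> prints the value of the first "KEY = value" line
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# mk_smokeping_dirs CONFIG OWNER GROUP [PREFIX]
# PREFIX is prepended to every path (default: none) so the function can be
# exercised against a scratch directory. Nothing becomes world-writable.
mk_smokeping_dirs() {
    cfg=$1; owner=$2; group=$3; prefix=${4:-}
    for spec in imgcache:2775 datadir:2755; do
        key=${spec%%:*}; mode=${spec#*:}
        dir=$(cfg_value "$cfg" "$key")
        [ -n "$dir" ] || { echo "$key missing in $cfg" >&2; return 1; }
        dir="$prefix$dir"
        mkdir -p "$dir" || return 1
        # chown needs root; when run unprivileged the caller's ownership stays
        if [ "$(id -u)" -eq 0 ]; then
            chown "$owner:$group" "$dir" || return 1
        fi
        chmod "$mode" "$dir" || return 1
    done
}

# dir_mode DIR -> the mode string ls(1) prints, e.g. drwxrwsr-x
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# On the host, as root:
#   mk_smokeping_dirs /etc/smokeping/config _smokeping www
```

If the daemon still cannot write after this, check with ps which user smokeping actually runs as and adjust the owner, rather than widening the mode: a world-writable directory under htdocs is a drop point for anything the web server can be made to write.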

Anycast IPv6 - YourSelf

How to Build your own AnyCast Network

you’re using anycast every day. All the public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9), for example, are anycast addresses: many servers distributed around the world listen on and announce the same IP address.

We can build a proof of concept of such a network for a few dollars.

Requirements

AS Number

Anycast heavily depends on BGP, so you need your own AS number. I got mine for 15 CHF/year from Securebit.ch. Keep in mind that you will not get any IPv4 addresses without buying them on the market, so this setup is IPv6 only. Besides the ASN you need an IPv6 prefix you are allowed to announce yourself; a /48 is the smallest block most transit providers accept into the global table.

Docker - IPv6

got Docker running with Traefik as ingress load balancer?

Then enable IPv6 in the daemon like this. 2001:db8::/32 is the documentation prefix; replace the /64 with one out of the prefix actually routed to this host. Once containers hold global addresses they are reachable directly, not only through published ports, unless Docker also manages ip6tables ("ip6tables": true in daemon.json, which is the default only since Docker 27).

daemon.json

cat << EOF > /etc/docker/daemon.json
{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}
EOF

Restart Services

a plain reload (SIGHUP) does not apply the ipv6 or fixed-cidr-v6 settings, so the daemon has to be restarted:

systemctl restart docker

Check Netstat

# netstat -tulpen |grep docker
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          15788      977/docker-proxy    
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          17495      952/docker-proxy    
tcp6       0      0 :::80                   :::*                    LISTEN      0          15791      984/docker-proxy    
tcp6       0      0 :::443                  :::*                    LISTEN      0          15773      963/docker-proxy 
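The listener check above can be turned into something repeatable. This is an added example, not code from the original post: it reads netstat -tulpen output (a constructed sample is embedded so it runs offline) and reports every LISTEN socket bound to all addresses of either family, except the ports you expect an ingress such as Traefik to hold. docker-proxy on 0.0.0.0 and :: for 80 and 443 is what the setup wants; any other entry in that list has been published to the world on both address families, which deserves a look once the host carries global IPv6 addresses.

```shell
#!/bin/sh
# Added example, not part of the original post: list wildcard listeners from
# netstat -tulpen output. The sample below is constructed for this example;
# on the host pipe the real output in instead.

SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          15788      977/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      0          15791      984/docker-proxy
tcp6       0      0 :::443                  :::*                    LISTEN      0          15773      963/docker-proxy
tcp        0      0 127.0.0.1:8001          0.0.0.0:*               LISTEN      0          17600      1001/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      0          12345      700/sshd'

# wildcard_listeners [ALLOWED_PORTS]
# Reads netstat -tulpen lines on stdin and prints "proto port program" for
# every LISTEN socket bound to 0.0.0.0 or ::, skipping the space-separated
# ALLOWED_PORTS (e.g. "80 443"). Loopback and single-address binds are ignored.
wildcard_listeners() {
    allowed=" ${1:-} "
    awk -v allowed="$allowed" '
        $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]          # last colon-separated part
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "::") next
            if (index(allowed, " " port " ") > 0) next
            sub(/^[0-9]+\//, "", $9)                    # "977/docker-proxy" -> "docker-proxy"
            print $1, port, $9
        }'
}

# On the host:
#   netstat -tulpen | wildcard_listeners "80 443"
```

Run it from cron or a config-check pipeline and treat a non-empty result as a finding: with the sample above, allowing 80 and 443 leaves only sshd on :::22, which is the kind of thing you want to know about rather than discover in a scan.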

Any Comments ?

sha256: 49c4ced1a834b70c143c7425e72ea72982f07f8d1a3e0a8fce9f08f14d3f7da6

OpenBSD - HTTPD CGI

Let’s have a look at the old and simple “cgi-bin” approach on OpenBSD. The web server, httpd(8), is written by the OpenBSD developers and runs chrooted in /var/www; CGI scripts are executed through slowcgi(8), which runs inside the same chroot.

switch to cgi-bin dir

cd /var/www/cgi-bin/

ip.cgi

create the file under /var/www/cgi-bin called ‘ip.cgi’

cat << 'EOG' > ip.cgi
#!/bin/sh
cat << EOF
Content-type: text/html

<html><head>
<title>IP: $REMOTE_ADDR</title>
</head><body>
<p>Your IP address is: $REMOTE_ADDR</p>
</body></html>
EOF
EOG

Set Owner & Permission

chmod 500 ip.cgi
chown www ip.cgi

as the script calls “cat”, that binary has to exist inside httpd’s chroot under /var/www as well, and so does /bin/sh for the shebang line. OpenBSD ships both statically linked, so plain copies are enough.
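Staging what the CGI needs inside the chroot, as an added example that is not part of the original post. The chroot is a parameter so the functions can be tried against a scratch directory; on the host it is /var/www, the chroot of both httpd(8) and slowcgi(8). The helper names and the check of the shebang line are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original post: stage what a shell CGI needs
# inside httpd's chroot and check that the script's interpreter is reachable
# there. OpenBSD builds /bin/sh and /bin/cat statically, so copying the file
# is enough; no libraries have to follow.

# stage_cgi_bins CHROOT BIN... -> copies each BIN below CHROOT at the same path
stage_cgi_bins() {
    chroot=$1; shift
    for bin in "$@"; do
        dest="$chroot$bin"
        mkdir -p "$(dirname "$dest")" || return 1
        rm -f "$dest"
        cp "$bin" "$dest" || return 1
        # read/execute only: the script runs as www and must not be able to
        # replace the interpreter it is started with
        chmod 0555 "$dest" || return 1
    done
}

# cgi_interpreter SCRIPT -> prints the path on the script's #! line
cgi_interpreter() {
    sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# chroot_has CHROOT PATH -> true if PATH exists below CHROOT and is executable
chroot_has() {
    [ -f "$1$2" ] && [ -x "$1$2" ]
}

# On the host, as root:
#   stage_cgi_bins /var/www /bin/sh /bin/cat
#   chroot_has /var/www "$(cgi_interpreter /var/www/cgi-bin/ip.cgi)" \
#       || echo "interpreter missing in chroot"
#   rcctl enable slowcgi && rcctl start slowcgi
```

After staging, point httpd at slowcgi with the location "/cgi-bin/*" block (fastcgi, root "/") from /etc/examples/httpd.conf. Keep the staged copies owned by root at mode 0555; the CGI itself runs as www, and anything www can overwrite inside /var/www/bin would be executed by the next request.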

OpenBSD - PHP 8.2

Running PHP on OpenBSD

yes, I know … it’s not rocket science … but why not make a short post so others (or I) can have a quick look if needed?

pkg_info -Q php
pkg_add php--%8.2
pkg_add php-sqlite3--%8.2
pkg_add php-curl--%8.2

Set TimeZone

and allow short open tags

sed -i 's#date.timezone = UTC.*#date.timezone = Europe/Zurich#' /etc/php-8.2.ini
sed -i 's#short_open_tag = Off.*#short_open_tag = On#' /etc/php-8.2.ini

Install all Modules

if needed … it does not make sense for me :(

Kuma - API

I like Kuma: simple, flexible, self-hosted, and open source. One thing I missed is an API for adding / modifying monitored services.

Now I found a web API for Kuma and gave it a try.

pre-condition

  • you have a machine with Docker
  • you have Traefik running, which terminates TLS and handles load balancing

docker-compose.yml

version: '3.3'

networks:
  traefik:
    external: true

volumes:
  uptime-kuma:
  api-db:

services:
  kuma:
    container_name: uptime-kuma
    image: louislam/uptime-kuma:1.19.6
    restart: always
    volumes:
      - uptime-kuma:/app/data
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.kuma.rule=Host(`kuma.your.domain`)"
      - "traefik.http.routers.kuma.tls=true"

  api:
    container_name: backend
    # pin a tag or digest before relying on this; "latest" is mutable
    image: medaziz11/uptimekuma_restapi:latest
    restart: always
    # loopback-only mapping so the commands below reach the API on
    # 127.0.0.1:8001; container port 8000 is an assumption (uvicorn default)
    ports:
      - "127.0.0.1:8001:8000"
    volumes:
      # bind mount for the API's own database ("rwx" is not a mount option)
      - ./db:/db:rw
    environment:
      - KUMA_SERVER=${KUMA_SERVER:-http://kuma:3001}
      # real values belong in an .env file or docker secrets, not in a
      # compose file that ends up in version control
      - KUMA_USERNAME=xxxxxx
      - KUMA_PASSWORD=xxxxxx
      - ADMIN_PASSWORD=xxxxxx
      - SECRET_KEY=${SECRET_KEY:-xxxxxx}
    depends_on:
      - kuma
    networks:
      - traefik

Get Token

credentials given on the command line end up in the shell history and are visible to other users via ps, so prefer reading them from a file or the environment. jq -r is needed here: without it the token keeps its JSON quotes and the bearer header is sent with literal quotation marks.

# API
token=$(http --form POST 127.0.0.1:8001/login/access-token 'username=xxxxxx' 'password=xxxxxx' | jq -r '.access_token')

List Monitors

$ http -A bearer -a $token 127.0.0.1:8001/monitors
HTTP/1.1 200 OK
content-length: 15
content-type: application/json
date: Mon, 17 Apr 2023 04:48:59 GMT
server: uvicorn

{
    "monitors": []
}

Add Service

$ http -A bearer -a $token 127.0.0.1:8001/monitors type=http name=compass url=https://www.compass-security.com


HTTP/1.1 200 OK
content-length: 43
content-type: application/json
date: Mon, 17 Apr 2023 05:07:02 GMT
server: uvicorn


{
    "monitorID": 5,
    "msg": "Added Successfully."
}

Check Monitoring

$ http -A bearer -a $token 127.0.0.1:8001/monitors |jq '.monitors |map({id, name, url, active, interval})'
[
  {
    "id": 1,
    "name": "https://www.stoege.net",
    "url": "https://www.stoege.net",
    "active": true,
    "interval": 60
  },
  ... snip ...
  {
    "id": 5,
    "name": "compass",
    "url": "https://www.compass-security.com",
    "active": true,
    "interval": 60
  }
]

that’s great !

Commento - Selfhosting Comment

Selfhosting Comment

some people mentioned that they can’t comment on some blogs. Let’s change that, even though there is not a lot of feedback. I appreciate and read every comment and interaction with you, my readers.

People who know me know that I like to do most of the stuff myself. So I’d never buy a “service” for hosting some comments. I’ve got enough infrastructure running, so I can host and operate it on my own.

Comment - Just a Test

… just some Tests with a Selfhosted Comment System …



sha256: fb36d5cc6b606ccda2b76801b8272a47f07c51c1bb6b4c12d81d7c91f46eb060

Anycast - Checker

When is an anycast ip an anycast ip ?

that’s a question I was asked recently. As an LTNN (Long Term Networking Nerd), I’m aware of unicast, multicast, broadcast and also anycast. So, let’s have a look into this.

hint: this article is not about how to setup your own anycast network. this may follow soon ?!?

Terminology

Unicast 1:1

Sending a message from one sender to one recipient

Multicast 1:many

Sending a message from one sender to multiple recipients

OpenBSD 7.3

OpenBSD 7.3 has finally been released.

Today, the 54th release of OpenBSD was announced. The upgrade script is available here …

one cool thing to mention:

  • Added initial support in the installer for guided disk encryption for amd64, i386, riscv64 and sparc64.

Script

as root (read both files before executing them: they are fetched from the web and run with full privileges)

cd /root
ftp https://blog.stoege.net/scripts/.helpers
ftp https://blog.stoege.net/scripts/upgrade_to_73.sh
chmod u+x upgrade_to_73.sh

Execute

./upgrade_to_73.sh


sha256: 000c2b0afa4739a87a7e921ec1fcfa4fb9113effd47e2f2456dfb2b66f65a34f