Blog

OpenBSD - Full Disk Encryption

Intro

I never used the full disk encryption feature as there was no need for it. It doesn’t make sense for hosted VMs, as you have to enter the passphrase at the console on every boot. So it’s a pain, and it is still possible to intercept on the hoster’s infrastructure. Disk encryption does not make sense at home, as all my devices remain at home (and hopefully never get stolen). It would make sense on a notebook, but I’m more the Apple fanboy when it comes to portable machines. And there, we have FileVault, which basically does the same. However, I’d like to give it a try with a test VM. There are plenty of instructions on how to set it up; I just tried one and made some notes as usual.

JC - JSON from CLI

How to build JSON from the CLI

We all like JSON, don't we? https://kellyjonbrazil.github.io/jc/docs/parsers/ping

add package

doas pkg_add jc

try ping

openbsd-box # ping -c 3 1.1.1.1 |jc --ping -p 2>/dev/null
{
  "destination_ip": "1.1.1.1",
  "data_bytes": 56,
  "pattern": null,
  "destination": "1.1.1.1",
  "packets_transmitted": 3,
  "packets_received": 3,
  "packet_loss_percent": 0.0,
  "duplicates": 0,
  "round_trip_ms_min": 9.219,
  "round_trip_ms_avg": 9.826,
  "round_trip_ms_max": 10.158,
  "round_trip_ms_stddev": 0.43,
  "responses": [
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 0,
      "ttl": 59,
      "time_ms": 10.158,
      "duplicate": false
    },
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 1,
      "ttl": 59,
      "time_ms": 9.219,
      "duplicate": false
    },
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 2,
      "ttl": 59,
      "time_ms": 10.101,
      "duplicate": false
    }
  ]
}

Compatible platforms: linux, darwin, freebsd. I had to redirect stderr to /dev/null because OpenBSD is not (yet) officially supported…

Unbound - Logging

Enable Logging for Unbound

update unbound.conf

/var/unbound/etc/unbound.conf

server:
    logfile: /log/unbound.log
    verbosity: 1
    log-queries: yes
...

create folder/logfile

log=/var/unbound/log/unbound.log
doas mkdir /var/unbound/log/
doas touch "$log"
doas chmod 660 "$log"
doas chown _unbound:_unbound "$log"

restart service

doas rcctl restart unbound

tail logfile

tail -f /var/unbound/log/unbound.log
# tail -f /var/unbound/log/unbound.log
[1660208341] unbound[3279:0] notice: init module 0: validator
[1660208341] unbound[3279:0] notice: init module 1: iterator
[1660208341] unbound[3279:0] info: start of service (unbound 1.15.0).
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.euro.apple.com. A IN
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.euro.apple.com. AAAA IN


Unbound - RemoteControl

How to Enable Remote Control for Unbound

Setup Remote Control

doas unbound-control-setup
$ doas unbound-control-setup
setup in directory /var/unbound/etc
Generating RSA private key, 3072 bit long modulus
..................................++++
..................................++++
e is 010001 (0x65537)
Generating RSA private key, 3072 bit long modulus
........................................++++
........................................++++
e is 010001 (0x65537)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use

Enable in unbound.conf

/var/unbound/etc/unbound.conf

OpenSSH 2FA Google Auth

Let’s give it a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator
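
Whether the TOTP prompt can be skipped depends on three of the settings above: `AuthenticationMethods any`, `nullok` and `grace_period`. The following is an added example, not part of the original post; the function names `sshd_value`, `audit_2fa` and `demo` are hypothetical and the sample files are constructed from the settings shown here.

```sh
#!/bin/sh
# Added example: audit helper for the sshd + PAM TOTP setup shown above.
# sshd_value, audit_2fa and demo are hypothetical names, not project code.

# sshd keeps the FIRST value it reads for a keyword, so a line appended to
# the end of sshd_config loses against an earlier uncommented one.
sshd_value() {  # usage: sshd_value <keyword> <sshd_config>
    awk -v k="$1" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

audit_2fa() {   # usage: audit_2fa <sshd_config> <pam_file>; prints findings
    cfg=$1; pam=$2; findings=""; bypass=0
    # Each method list must include keyboard-interactive; otherwise a login
    # (publickey alone under "any") never reaches the PAM auth stack.
    methods=$(sshd_value AuthenticationMethods "$cfg")
    for list in ${methods:-any}; do
        case "$list" in *keyboard-interactive*) ;; *) bypass=1 ;; esac
    done
    [ "$bypass" -eq 0 ] || findings="$findings pam-stack-bypassable"
    [ "$(sshd_value UsePAM "$cfg")" = yes ] || findings="$findings pam-disabled"
    ga=$(grep -v '^[[:space:]]*#' "$pam" | grep pam_google_authenticator) || true
    [ -n "$ga" ] || findings="$findings totp-module-missing"
    # nullok: users without a TOTP secret log in without a code.
    case "$ga" in *nullok*) findings="$findings nullok-skips-unenrolled-users" ;; esac
    # grace_period: no code is requested again within that many seconds.
    case "$ga" in *grace_period=*) findings="$findings grace-period-skips-totp" ;; esac
    echo "${findings# }"
}

# Constructed sample input mirroring the settings from this post.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'AuthenticationMethods any' 'UsePAM yes' > "$d/sshd_config"
    printf '%s\n' 'auth required pam_nologin.so successok' \
        'auth required /lib/security/pam_google_authenticator.so echo_verification_code grace_period=57600 nullok' \
        'auth required pam_unix.so md5 sha512' > "$d/sshd.pam"
    audit_2fa "$d/sshd_config" "$d/sshd.pam"
    rm -rf "$d"
}
demo
```

An empty result means every login passes through the PAM stack and the TOTP module has no skip options; `AuthenticationMethods publickey,keyboard-interactive` without `nullok` and `grace_period` produces that.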

Response

HTMLQ

Stumbled upon something cool: htmlq! It’s like jq, but for HTML.

Installation Rust

htmlq needs Rust, so let’s install Rust first.

doas pkg_add rust
cat << 'EOF' |doas tee -a /etc/profile
# Rust/Cargo
export PATH=$PATH:/root/.cargo/bin

EOF
. /etc/profile

Install HTMLQ

doas cargo install htmlq

some Examples

curl -s https://www.openbsd.org | htmlq --attribute href a |head

Example

user@nixbox$ curl -s https://www.openbsd.org | htmlq --attribute href a |head
goals.html
plat.html
security.html
crypto.html
events.html
innovations.html
faq/faq4.html#Download
anoncvs.html
https://cvsweb.openbsd.org/
https://github.com/openbsd

curl --silent https://www.nytimes.com | htmlq a --attribute href -b https://www.nytimes.com

Example

Cisco Router, SSH, PubKey, ...

Intro

I stumbled across an old Cisco box in the basement. I thought I might have some fun (or frustration?) with the aging device. The hardware still works fine, right? And what about the software? Let’s give it a try!

Hardware

show version

Cisco 1841 (revision 7.0) with 352256K/40960K bytes of memory.
Processor board ID FCZ1234757Y
6 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
125184K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Software

dir flash

OpenBSD 7.2 - Compare

There are a few weeks until OpenBSD 7.2 gets released. Anyhow, running current is a good way to get a “preview” of what’s in the pipeline and will come soon.

One of the pain points was updating packages on OpenBSD. Not because it was difficult, but because it took quite a lot of time, especially when you run a bunch of machines in different networks.

Version and Time consumption

sysctl kern.version
pkg_info |wc -l
time pkg_add -Vu

OpenBSD 7.1 - Box 1

root@puffy202 RD:0 /bin# sysctl kern.version
kern.version=OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022

root@puffy202 RD:0 /bin# pkg_info |wc -l
     188

root@puffy202 RD:0 /bin# time pkg_add -Vu

    2m07.46s real     0m14.82s user     0m09.70s system

OpenBSD 7.1 - Box 2

root@puffy203 RD:0 # sysctl kern.version
kern.version=OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022

root@puffy203 RD:0 # pkg_info |wc -l
     214

root@puffy203 RD:0 # time pkg_add -Vu

    2m17.13s real     0m43.37s user     0m28.07s system

OpenBSD 7.2-Beta - Box 3

root@puffy204-current RD:0 # sysctl kern.version
kern.version=OpenBSD 7.2-beta (GENERIC.MP) #650: Tue Jul 26 08:30:28 MDT 2022

root@puffy204-current RD:0 # pkg_info |wc -l
     206

root@puffy204-current RD:0 # time pkg_add -Vu

    0m09.65s real     0m07.92s user     0m00.31s system

Did you see the difference ?

Smokeping on Docker

If you have Docker running somewhere … bring up your Smoke instance within seconds ;)

Smokeping

docker run --name smoke --restart always -d -p 80:80 linuxserver/smokeping

Show Containers

docker ps
docker-test:~# docker ps
CONTAINER ID   IMAGE                   COMMAND   CREATED         STATUS         PORTS                               NAMES
8f8b872ac1c3   linuxserver/smokeping   "/init"   6 minutes ago   Up 6 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp   smoke

Shell into Docker

docker exec -it smoke /bin/sh

Check Netstat

root@8f8b872ac1c3:/# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     406670 s
unix  2      [ ACC ]     STREAM     LISTENING     406078 /run/apache2/fcgidsock/137.0

Preview

Alpine - OpenVM Tools

Running Alpine on ESX ? Install the Open VM Tools …

Install OpenVM Tools

apk add open-vm-tools
apk add open-vm-tools-guestinfo
apk add open-vm-tools-deploypkg

Start Service

rc-service open-vm-tools start

Autostart Service

rc-update add open-vm-tools boot

All in One

apk add open-vm-tools open-vm-tools-guestinfo open-vm-tools-deploypkg
rc-update add open-vm-tools boot
rc-service open-vm-tools start

Busybox Extras

add some tools (arch, dnsd, dumpleases, fakeidentd, ftpd, ftpget, ftpput, httpd, inetd, readahead, telnet, telnetd, tftp, tftpd, udhcpd)

apk add busybox-extras

List Packages

apk info -L busybox-extras
docker# apk info -L busybox-extras
busybox-extras-1.35.0-r15 contains:
bin/busybox-extras
