Blog

sha256: 2b87a252a3d912530dd8c20df6bee7f6cbc4ede0074fdf217e318aab39d9736c

Unbound - RemoteControl

How to Enable Remote Control for Unbound

Setup Remote Control

doas unbound-control-setup
$ doas unbound-control-setup
setup in directory /var/unbound/etc
Generating RSA private key, 3072 bit long modulus
..................................++++
..................................++++
e is 010001 (0x65537)
Generating RSA private key, 3072 bit long modulus
........................................++++
........................................++++
e is 010001 (0x65537)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use

Enable in unbound.conf

/var/unbound/etc/unbound.conf

OpenSSH 2FA Google Auth

Let’s give it a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator
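
A check for the configuration above, as an added example that is not part of the original post: it reports the effective sshd value of a keyword (sshd keeps the first value it reads, which matters when settings are appended with `>>`) and flags the `nullok`, `grace_period` and `AuthenticationMethods any` settings that let a login complete without a code. The function names are hypothetical, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit helpers for the sshd + PAM setup above (not from the post).

# effective_sshd_value FILE KEYWORD
# sshd keeps the FIRST value it reads for a keyword, so lines appended with
# '>>' lose against an earlier uncommented line. Assumption/simplification:
# Include files are not followed and parsing stops at the first Match block.
effective_sshd_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# pam_ga_findings PAM_FILE
# Reports options on the pam_google_authenticator.so auth line that weaken 2FA.
pam_ga_findings() {
    awk '
        /^[ \t]*#/ || $1 !~ /^-?auth$/ { next }
        {
            mod = 0
            for (i = 2; i <= NF; i++) if ($i ~ /pam_google_authenticator\.so$/) mod = i
            if (!mod) next
            seen = 1
            for (i = mod + 1; i <= NF; i++) {
                if ($i == "nullok") print "nullok: users with no OTP secret skip the code"
                if ($i ~ /^grace_period=/ && substr($i, 14) + 0 > 0)
                    print "grace_period: no new code for " substr($i, 14) "s per known IP"
            }
        }
        END { if (!seen) print "missing: no pam_google_authenticator.so auth line" }
    ' "$1"
}

# audit_ssh_2fa SSHD_CONFIG PAM_FILE: one finding per line, empty if clean.
audit_ssh_2fa() {
    m=$(effective_sshd_value "$1" AuthenticationMethods)
    [ "${m:-any}" = any ] &&
        echo "authmethods: any single method is enough, e.g. a public key without OTP"
    [ "$(effective_sshd_value "$1" UsePAM)" = yes ] ||
        echo "usepam: UsePAM is not effectively 'yes'"
    pam_ga_findings "$2"
}

# Usage: audit_ssh_2fa /etc/ssh/sshd_config /etc/pam.d/sshd
```

On a live host, `sshd -T` prints the configuration sshd actually uses and is the authoritative check for the sshd side.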

Response

HTMLQ

Stumbled upon something cool: htmlq! It’s like jq, but for HTML.

Installation Rust

htmlq needs Rust, so let’s install Rust first.

doas pkg_add rust
cat << 'EOF' |doas tee -a /etc/profile
# Rust/Cargo
export PATH=$PATH:/root/.cargo/bin

EOF
. /etc/profile

Install HTMLQ

doas cargo install htmlq

some Examples

curl -s https://www.openbsd.org | htmlq --attribute href a |head

Example

user@nixbox$ curl -s https://www.openbsd.org | htmlq --attribute href a |head
goals.html
plat.html
security.html
crypto.html
events.html
innovations.html
faq/faq4.html#Download
anoncvs.html
https://cvsweb.openbsd.org/
https://github.com/openbsd

curl --silent https://www.nytimes.com | htmlq a --attribute href -b https://www.nytimes.com

Example

Cisco Router, SSH, PubKey, ...

Intro

I stumbled across an old Cisco box in the basement. I thought I might have some fun (or frustration?) with the aging device. The hardware still works fine, right? And what about the software? Let’s give it a try!

Hardware

show version

Cisco 1841 (revision 7.0) with 352256K/40960K bytes of memory.
Processor board ID FCZ1234757Y
6 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
125184K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Software

dir flash

OpenBSD 7.2 - Compare

There are a few weeks until OpenBSD 7.2 gets released. Anyhow, running -current is a good way to get a “preview” of what’s in the pipeline and coming soon.

One of the pain points was updating packages on OpenBSD: not because it was difficult, but because it took quite a lot of time, especially when you run a bunch of machines in different networks.

Version and Time consumption

sysctl kern.version
pkg_info |wc -l
time pkg_add -Vu

OpenBSD 7.1 - Box 1

root@puffy202 RD:0 /bin# sysctl kern.version
kern.version=OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022

root@puffy202 RD:0 /bin# pkg_info |wc -l
     188

root@puffy202 RD:0 /bin# time pkg_add -Vu

    2m07.46s real     0m14.82s user     0m09.70s system

OpenBSD 7.1 - Box 2

root@puffy203 RD:0 # sysctl kern.version
kern.version=OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022

root@puffy203 RD:0 # pkg_info |wc -l
     214

root@puffy203 RD:0 # time pkg_add -Vu

    2m17.13s real     0m43.37s user     0m28.07s system

OpenBSD 7.2-Beta - Box 3

root@puffy204-current RD:0 # sysctl kern.version
kern.version=OpenBSD 7.2-beta (GENERIC.MP) #650: Tue Jul 26 08:30:28 MDT 2022

root@puffy204-current RD:0 # pkg_info |wc -l
     206

root@puffy204-current RD:0 # time pkg_add -Vu

    0m09.65s real     0m07.92s user     0m00.31s system

Did you see the difference?

Smokeping on Docker

If you have Docker running somewhere … bring up your Smoke Instance within Seconds ;)

Smokeping

docker run --name smoke --restart always -d -p 80:80 linuxserver/smokeping

Show Containers

docker ps
docker-test:~# docker ps
CONTAINER ID   IMAGE                   COMMAND   CREATED         STATUS         PORTS                               NAMES
8f8b872ac1c3   linuxserver/smokeping   "/init"   6 minutes ago   Up 6 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp   smoke

Shell into Docker

docker exec -it smoke /bin/sh

Check Netstat

root@8f8b872ac1c3:/# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     406670 s
unix  2      [ ACC ]     STREAM     LISTENING     406078 /run/apache2/fcgidsock/137.0

Preview

Alpine - OpenVM Tools

Running Alpine on ESX ? Install the Open VM Tools …

Install OpenVM Tools

apk add open-vm-tools
apk add open-vm-tools-guestinfo
apk add open-vm-tools-deploypkg

Start Service

rc-service open-vm-tools start

Autostart Service

rc-update add open-vm-tools boot

All in One

apk add open-vm-tools open-vm-tools-guestinfo open-vm-tools-deploypkg
rc-update add open-vm-tools boot
rc-service open-vm-tools start

Busybox Extras

add some tools (arch, dnsd, dumpleases, fakeidentd, ftpd, ftpget, ftpput, httpd, inetd, readahead, telnet, telnetd, tftp, tftpd, udhcpd)

apk add busybox-extras

List Packages

apk info -L busybox-extras
docker# apk info -L busybox-extras
busybox-extras-1.35.0-r15 contains:
bin/busybox-extras


sha256: 5ba2c46f793ad164b6cecb62f406791adf588c1e51f589dba71067fd60e38aea

Redis on OpenBSD

Let’s play a bit with Redis, an in-memory data store used for caching, streaming, and as a message broker.

Install

doas pkg_add redis
doas rcctl enable redis
doas rcctl restart redis

Package Summary

What did we get installed?

doas pkg_info -L redis
$ doas pkg_info -L redis
Information for inst:redis-6.2.7
Files:
/etc/rc.d/redis
/usr/local/bin/redis-benchmark
/usr/local/bin/redis-check-aof
/usr/local/bin/redis-check-rdb
/usr/local/bin/redis-cli
/usr/local/bin/redis-sentinel
/usr/local/bin/redis-server
/usr/local/share/examples/redis/redis.conf
/usr/local/share/examples/redis/sentinel.conf

A Server, a Client, a configuration File, …

Keep Alive

send a ping …

Ruby on Rails

https://github.com/Bratela/openbsd

Install Ruby

Install Ruby and set Symlinks

doas su -
pkg_add ruby-3.1.2
ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby
ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle
ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler
ln -sf /usr/local/bin/erb31 /usr/local/bin/erb
ln -sf /usr/local/bin/gem31 /usr/local/bin/gem
ln -sf /usr/local/bin/irb31 /usr/local/bin/irb
ln -sf /usr/local/bin/racc31 /usr/local/bin/racc
ln -sf /usr/local/bin/rake31 /usr/local/bin/rake
ln -sf /usr/local/bin/rbs31 /usr/local/bin/rbs
ln -sf /usr/local/bin/rdbg31 /usr/local/bin/rdbg
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc
ln -sf /usr/local/bin/ri31 /usr/local/bin/ri
ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof

Install Nokogiri

pkg_add ruby31-nokogiri-1.13.1p0

Install Rails

pkg_add ruby-3.1.2

Install Rails

gem install --user-install rails


sha256: 8fe9d1423773886605a4b9cddc3e9e14a274f9431f7839274f5a2b6d7370f9f8

Ubuntu 20.04 LTS & Netplan

Assume you got a fresh Machine with DHCP …

Ubuntu with DHCP Config

cat /etc/netplan/01-netcfg.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens192:
      dhcp4: true
  version: 2

and you’d like to switch to a static IP. Ask Google how to do it and give it a try:

Static IP with Netplan

# This is the network config written by 'subiquity'
network:
  version: 2
  ethernets:
    ens192:
      addresses:
      - 1.2.3.4/24
      gateway4: 1.1.1.1
      nameservers:
        addresses:
        - 8.8.8.8
        - 8.8.4.4
        search:
        - world.net

Then reboot … and the machine is gone. OK, not really gone, but from an IP perspective definitely. It just reboots and comes back without a default gateway :(