if you ever have to recover your root password …
boot> boot -s
Enter pathname of shell or RETURN for sh: [ENTER]
fsck -p /
fsck -p /usr
mount -uw /
mount /usr
passwd
and finally: reboot
need to run fsck ?
fsck /dev/sd1a
fsck -y /dev/sd1a
need do fix your fstab ?
boot -s
mount /usr
mount /
export TERM=vt100
/usr/bin/vi /etc/fstab
fix it !
sha256: 83b758be6c6353e12d4750d8df65d5531075e621a6918ec1c5688386f62e2ace
Run it at your own risk …
wget https://blog.stoege.net/scripts/smokeping_debian3.sh
chmod 700 smokeping_debian3.sh
./smokeping_debian3.sh
apt-get install borgbackup curl echoping fcgiwrap fping hping3 htop lynx mlocate mtr nginx rsync smokeping tmate tree tshark unzip vim vnstat wget zip
export MYSITENAME="smokeping.planet.world"
wget "https://github.com/vazhnov/smokeping_nginx/raw/master/best.conf"
sed -i -- s/smokeping\.example\.com/${MYSITENAME}/g best.conf
chown root: best.conf
mv best.conf /etc/nginx/sites-available/${MYSITENAME}.conf
ln -s "../sites-available/${MYSITENAME}.conf" "/etc/nginx/sites-enabled/${MYSITENAME}.conf"
nginx -t && systemctl restart nginx
mkdir -p /var/run/smokeping
cat << 'EOF' > /etc/smokeping/config.d/General
*** General ***
owner = Franz Musterer
contact = nospam@nomail.ch
mailhost = smtp-relay-host
# NOTE: do not put the Image Cache below cgi-bin
# since all files under cgi-bin will be executed ... this is not
# good for images.
cgiurl = http://somekping.planet/smokeping/smokeping.cgi
# specify this to get syslog logging
syslogfacility = local0
# each probe is now run in its own process
# disable this to revert to the old behaviour
# concurrentprobes = no
@include /etc/smokeping/config.d/pathnames
EOF
cat << 'EOF' > /etc/smokeping/config.d/Database
*** Database ***
step = 60
pings = 59
#step = 300
#pings = 20
# consfn mrhb steps total
AVERAGE 0.5 1 1008
AVERAGE 0.5 12 4320
MIN 0.5 12 4320
MAX 0.5 12 4320
AVERAGE 0.5 144 720
MAX 0.5 144 720
MIN 0.5 144 720
EOF
cat << 'EOF' > /etc/smokeping/config.d/Probes
*** Probes ***
+ FPing
binary = /usr/bin/fping
+ FPing6
binary = /usr/bin/fping
protocol = 6
+ EchoPingHttp
binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300
# The following variables can be overridden in each target section
accept_redirects = yes
extraopts =
ignore_cache = yes
ipversion = 4
pings = 5
port = 80
priority = 6
revalidate_data = no
timeout = 20
tos = 0xa0
url = /
waittime = 1
+EchoPingHttps
binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300
# The following variables can be overridden in each target section
accept_redirects = yes
extraopts =
ignore_cache = yes
ipversion = 4
pings = 5
port = 443
priority = 6
prot = 3443
revalidate_data = no
timeout = 20
tos = 0xa0
url = /
waittime = 1
+EchoPingDNS
binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300
# The following variables can be overridden in each target section
dns_request = google.com
dns_tcp = no
dns_type = A
extraopts =
ipversion = 4
pings = 5
plugin = /usr/lib/echoping/dns.so
pluginargs = -p
priority = 6
timeout = 1
tos = 0xa0
waittime = 1
EOF
cat << 'EOF' > /etc/smokeping/config.d/Targets
*** Targets ***
probe = FPing
menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of xxx Company. Here you will learn all about the latency of our network.
+ Local
menu = Local
title = Local Network
++ LocalMachine
menu = Local Machine
title = This host
host = localhost
+ Inet
menu = Internet
title = some Hosts on the Net
probe = FPing
++ google
menu = google
title = google, 8.8.8.8
host = 8.8.8.8
++ switch
host = www.switch.ch
++ uzh
host = www.uzh.ch
++ blick
host = www.blick.ch
+ IPv4
menu = IPv4 Hosts
title = Hosts running IPv4
probe = FPing
++ multi
menu = MultiTarget
title = Multiple Targets
host = /IPv4/host1 \
/IPv4/host2 \
/IPv4/host3
++ host1
host = host1.planet
++ host2
host = host2.planet
++ host3
host = host3.planet
+ IPv6
menu = IPv6 Hosts
title = Hosts running IPv6
probe = FPing6
++ multi
menu = MultiTarget
title = Multiple Targets
host = /IPv6/host1 \
/IPv6/host2 \
/IPv6/host3
++ host1
host = host1.planet
++ host2
host = host2.planet
++ host3
host = host3.planet
+ HTTP
menu = HTTP
title = some HTTP Probes
probe = EchoPingHttp
++ google-com
host = www.google.com
++ uzh
host = www.uzh.ch
EOF
systemctl restart smokeping
with Dualstack, IPv4 and IPv6
Run it at your own risk …
wget https://blog.stoege.net/scripts/smokeping_debian2.sh
chmod 700 smokeping_debian2.sh
./smokeping_debian2.sh
root@smokeping:~# cat /etc/hostname
smokeping.planet
apt-get install apache2 borgbackup curl echoping fping hping3 htop ipcalc jq lftp lynx mlocate mtr nmap pwgen rsync sipcalc smokeping tmate tree tshark unzip vim vnstat wget zip
cd /etc/apache2/conf-enabled
ln -s ../conf-available/smokeping.conf .
a2enmod cgid
systemctl restart apache2
mkdir -p /var/run/smokeping
cat << 'EOF' > /etc/smokeping/config.d/General
*** General ***
owner = Franz Musterer
contact = nospam@nomail.ch
mailhost = smtp-relay-host
# NOTE: do not put the Image Cache below cgi-bin
# since all files under cgi-bin will be executed ... this is not
# good for images.
cgiurl = http://somekping.planet/smokeping/smokeping.cgi
# specify this to get syslog logging
syslogfacility = local0
# each probe is now run in its own process
# disable this to revert to the old behaviour
# concurrentprobes = no
@include /etc/smokeping/config.d/pathnames
EOF
cat << 'EOF' > /etc/smokeping/config.d/Database
*** Database ***
step = 60
pings = 59
#step = 300
#pings = 20
# consfn mrhb steps total
AVERAGE 0.5 1 1008
AVERAGE 0.5 12 4320
MIN 0.5 12 4320
MAX 0.5 12 4320
AVERAGE 0.5 144 720
MAX 0.5 144 720
MIN 0.5 144 720
EOF
cat << EOF > /etc/smokeping/config.d/Probes
*** Probes ***
+ FPing
binary = /usr/bin/fping
+ FPing6
binary = /usr/bin/fping
protocol = 6
+ EchoPingHttp
binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300
# The following variables can be overridden in each target section
accept_redirects = yes
extraopts =
ignore_cache = yes
ipversion = 4
pings = 5
port = 80
priority = 6
revalidate_data = no
timeout = 20
tos = 0xa0
url = /
waittime = 1
+EchoPingHttps
binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300
# The following variables can be overridden in each target section
accept_redirects = yes
extraopts =
ignore_cache = yes
ipversion = 4
pings = 5
port = 443
priority = 6
prot = 3443
revalidate_data = no
timeout = 20
tos = 0xa0
url = /
waittime = 1
+EchoPingDNS
binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300
# The following variables can be overridden in each target section
dns_request = google.com
dns_tcp = no
dns_type = A
extraopts =
ipversion = 4
pings = 5
plugin = /usr/lib/echoping/dns.so
pluginargs = -p
priority = 6
timeout = 1
tos = 0xa0
waittime = 1
EOF
cat << 'EOF' > /etc/smokeping/config.d/Targets
*** Targets ***
probe = FPing
menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of xxx Company. Here you will learn all about the latency of our network.
+ Local
menu = Local
title = Local Network
++ LocalMachine
menu = Local Machine
title = This host
host = localhost
+ Inet
menu = Internet
title = some Hosts on the Net
probe = FPing
++ google
menu = google
title = google, 8.8.8.8
host = 8.8.8.8
++ switch
host = www.switch.ch
++ uzh
host = www.uzh.ch
++ blick
host = www.blick.ch
+ IPv4
menu = IPv4 Hosts
title = Hosts running IPv4
probe = FPing
++ multi
menu = MultiTarget
title = Multiple Targets
host = /IPv4/host1 \
/IPv4/host2 \
/IPv4/host3
++ host1
host = host1.planet
++ host2
host = host2.planet
++ host3
host = host3.planet
+ IPv6
menu = IPv6 Hosts
title = Hosts running IPv6
probe = FPing6
++ multi
menu = MultiTarget
title = Multiple Targets
host = /IPv6/host1 \
/IPv6/host2 \
/IPv6/host3
++ host1
host = host1.planet
++ host2
host = host2.planet
++ host3
host = host3.planet
+ HTTP
menu = HTTP
title = some HTTP Probes
probe = EchoPingHttp
++ google-com
host = www.google.com
++ uzh
host = www.uzh.ch
EOF
systemctl restart smokeping
some basics about JQ
cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[0:3]'
[
{
"val": 2.64,
"ack": 1,
"ts": 1607900404883,
"q": 0,
"user": "system.user.admin"
},
{
"val": 2.61,
"ack": 1,
"ts": 1607900410483,
"q": 0,
"user": "system.user.admin"
},
{
"val": 2.58,
"ack": 1,
"ts": 1607900416083,
"q": 0,
"user": "system.user.admin"
}
]
cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[0]'
{
"val": 2.64,
"ack": 1,
"ts": 1607900404883,
"q": 0,
"user": "system.user.admin"
}
cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[0] |.ts,.val'
1607900404883
2.64
cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[0] | (.ts |tostring) + ";" + (.val |tostring)'
"1607900404883;2.64"
cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[] | (.ts |tostring) + ";" + (.val |tostring)' |head -10
"1607900404883;2.64"
"1607900410483;2.61"
"1607900416083;2.58"
"1607900421739;2.62"
"1607900427335;2.62"
"1607900433003;2.57"
"1607900438543;2.72"
"1607900444131;2.67"
"1607900449791;2.6"
"1607900455383;2.55"
cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq '.[] |.ts,.val' |paste - - |head -10
1607900404883 2.64
1607900410483 2.61
1607900416083 2.58
1607900421739 2.62
1607900427335 2.62
1607900433003 2.57
1607900438543 2.72
1607900444131 2.67
1607900449791 2.6
1607900455383 2.55
cat history.shelly.0.SHEM-3#40F52000B661#1.Total.Current.json | jq -c '.[] | select (.val >= '50')'
{"val":52.55,"ack":1,"ts":1607907152399,"q":0,"user":"system.user.admin"}
{"val":52.54,"ack":1,"ts":1607907157975,"q":0,"user":"system.user.admin"}
{"val":52.53,"ack":1,"ts":1607907163639,"q":0,"user":"system.user.admin"}
{"val":52.5,"ack":1,"ts":1607907169220,"q":0,"user":"system.user.admin"}
{"val":52.49,"ack":1,"ts":1607907174863,"q":0,"user":"system.user.admin"}
{"val":52.53,"ack":1,"ts":1607907180639,"q":0,"user":"system.user.admin"}
...
dump networks from AS 3303
How to Setup an WG Tunnel between OpenBSD and OPNSense ? That’s quite simple …
pkg_add wireguard-tools--
wg genkey | tee privatekey | wg pubkey > publickey
r=$(openssl rand -base64 32)
remote_ip="1.2.3.4"
remote_net="192.168.0.0/24"
cat << 'EOF' > /etc/hostname.wg0
# WG Tunnel to OPNsense
wgkey ${r}
wgport 51820
wgpeer xxxxx - PUBLIC-KEY-OF-REMOTE-HOST - xxxxx= wgendpoint ${remote_ip} 51820 wgaip ${remote_net}
inet 10.0.0.1/24
!route add ${remote_net} 10.0.0.2
up
EOF
sh /etc/netstart wg0
ifconfig wg0
# skip on wg Interface
set skip on { lo0 wg0 }
# Wireguard
pass in log quick inet proto udp from ${remote_ip}/32 to (self) port 51820
Menu System -> Firmware -> Plugins -> Install Wireguard
Need a small and smart utility to manage you ssh keys under linux ? got some scripts and cronjobs which requires an local ssh key ? have a look at keychain !
depending on your OS …
macos$ brew install keychain
debian$ sudo apt-get install keychain
openbsd$ pkg_add keychain
freebsd$ pkg install keychain
$HOME/.bashrc $HOME/.bash_profile /etc/profile $HOME/.profile
cat << 'EOF' >> $HOME/.bashrc
# Keychain Startup
eval `keychain --eval id_ed25519`
EOF
$ keychain
$ ssh-add -L
cat << 'EOF' >> .profile
# Keychain Loaded ? Load and show Key ...
eval $(keychain --eval id_ed25519)
echo -e "loaded keys: `ssh-add -L |cut -c 1-12,77-`\n"
EOF
keychain --list
$ keychain --list-fp
Timeout for SSH Agent
OpenBSD has two new releases every year. historically, on 1. Mai and 1. November. With a few small execptions in the past Check Wikipedia
so, then latest OS appeared today: OpenBSD 6.8
sysupgrade -r
doas su -
mkdir /root/bin
ftp -o /root/bin/upgrade_to_68.sh https://blog.stoege.net/scripts/upgrade_to_68.sh
chmod 740 /root/bin/upgrade_to_68.sh
# /root/bin/upgrade_to_68.sh
# *** reboot ***
# /root/bin/upgrade_to_68.sh
# rm /root/bin/upgrade_to_68.sh
doas su -
mkdir /root/bin
cat << 'EOF' > /root/bin/upgrade_to_68.sh
#!/bin/sh
prepare () {
echo "let's upgrade to 6.8 ..."
rm -f /usr/lib/libperl.a
rm /usr/X11R6/lib/libxkbui.*
rm /usr/X11R6/lib/pkgconfig/xkbui.pc
rm /usr/X11R6/include/X11/extensions/XKBui.h
}
download() {
local _response=$(sysupgrade -n)
if [[ $_response == *reboot ]]; then
echo "\nInstalled! Let's reboot ...\n"
rm /home/_sysupgrade/{comp,xf,xs}*
else
echo "Nothing todo ..."
fi
}
install() {
reboot
}
postwork() {
echo "let's do some postwork after upgrade to 6.8 ..."
cd /dev
./MAKEDEV all
_boot=$(mount |awk -F'[/ ]' '/ on \/ / {print $3}')
installboot ${_boot%?}
sysmerge
fw_update
syspatch
pkg_add -Vu
pkg_delete -a
/usr/libexec/locate.updatedb &
}
# Main
local _ver=$(uname -r)
if [ "$_ver" == "6.7" ]; then
prepare
download
install
elif [ "$_ver" == "6.8" ]; then
postwork
fi
exit 0
EOF
chmod 740 /root/bin/upgrade_to_68.sh
# /root/bin/upgrade_to_68.sh
# *** reboot ***
# /root/bin/upgrade_to_68.sh
# rm /root/bin/upgrade_to_68.sh
you should do a few checks afterwards:
Assuming you have a Website with some higher load, higher demand for availability, or both of them. You can do the following:
+----------------+
| www |
+--------+-------+
|
+--------+--------+
| 136.244.113.129 | vio0
| Loadbalancer |
| 10.24.96.3 | vio1
+--------+--------+
|
+---------------------------------------+
| | |
| | |
+-------+-------+ +--------+-------+ +--------+-------+
| www1 | | www2 | | www3 |
| 10.24.96.4 | | 10.24.96.5 | | 10.24.96.6 |
+---------------+ +----------------+ +----------------+
You can run any Kind of Webserver you want. Apache, Nginx, Httpd, … here is the Config for Nginx on OpenBSD.
got a Server behing NAT / Firewall ? Need Shell access to … ?
user@server$ ssh -R 1234:localhost:22 my.public.jumpbox
ssh my.public.jumpbox
user@jumpbox$ ssh -p 1234 localhost
user@server$
and you’re in :)
sha256: 81b4dc1d84f9f8bcbf5060f382853759fffa1e5824e2ae98ad5508a082db5dfd
another component of OpenBSD is relayd. it’s an integrated Loadbalancer & Proxy Service, like F5, Nginx and Others. But just like other BSD Services, straight, simple and easy to use … wanna see … ?
Setup 4 VM’s, one Loadbalancer and 3 Webserver. The Webserver should server the same content, while the Loadbalancer checks if a Webserver is running and redirects traffic to the host or not.
the configuration on the loadbalancer is simple like that: