System

SSH Audit

ssh-audit is a tool for ssh server auditing.

Features

SSH1 and SSH2 protocol server support;

grab banner, recognize device or software and operating system, detect compression;

gather key-exchange, host-key, encryption and message authentication code algorithms;

output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);

output algorithm recommendations (append or remove based on recognized software version);

output security information (related issues, assigned CVE list, etc);

analyze SSH version compatibility based on algorithm information;

OpenBSD with IPSEC -> GIF -> OSFP

Intro

Stage two machines, puffy206 and puffy207. Both machines need static IP addresses.

puffy206

Loopback & Gif

doas su -
# lo1 carries this router's stable /32 address; it is what ospfd advertises
# (area 0 lists lo1 below) and what the other side reaches through the tunnel
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.6/32
up
EOF

# gif0: the first two addresses are the inner point-to-point pair, "tunnel"
# gives the outer endpoints (the LAN IPs). Traffic between those LAN IPs is
# what the transport-mode IPsec policy below protects. The lowered MTU is
# presumably to leave room for gif + ESP overhead -- confirm for your path.
cat << 'EOF' > /etc/hostname.gif0
description "Point2Point Interface for OSPF"
mtu 1420
10.10.10.6 10.10.10.7 netmask 255.255.255.255
tunnel 192.168.108.206 192.168.108.207
EOF

Enable IPSEC & IP Forwarding

# ">>" appends: running this twice leaves duplicate lines in sysctl.conf.
# NOTE(review): net.inet.gre.allow is the gre(4) knob; gif(4) does not seem
# to need it -- confirm before enabling an unused protocol.
cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

# -K: isakmpd skips keynote(4) policy checks, which is what you want when the
# whole policy is expressed in ipsec.conf (see isakmpd(8))
rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

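# ipsec.conf holds the pre-shared key. Create it under a restrictive umask so
# it is never world-readable, not even for the moment before the chmod below.
# Replace the sample PSK with a long random secret shared by both peers.
( umask 077; cat << 'EOF' > /etc/ipsec.conf
ike active esp transport from 192.168.108.206 to 192.168.108.207 peer 192.168.108.207 \
main auth "hmac-sha2-256" enc "aes-128" group modp3072 \
quick enc "aes-128-gcm" group modp3072 \
srcid 192.168.108.206 \
psk "my-tunnel-is-private"
EOF
)

# still needed: ">" truncates an existing file but keeps its old mode
chmod 600 /etc/ipsec.conf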

Create ospfd.conf

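# ospfd.conf macros are referenced with a leading "$" (see ospfd.conf(5));
# a bare "id" after router-id is a syntax error. puffy207's file has it right.
cat << 'EOF' > /etc/ospfd.conf
# macros
id="192.168.108.206"

# global configuration
router-id $id
fib-update yes
stub router yes
spf-delay 1
spf-holdtime 5

# areas
area 0.0.0.0 {
  interface gif0
  interface lo1 {}
}
EOF

# keep the config private (it may later carry OSPF auth keys) and start at boot
chmod 600 /etc/ospfd.conf
rcctl enable ospfd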

Reboot and Check

reboot
# gnuwatch is watch(1) from the gnuwatch package; the flows/SAs only appear
# once the other peer is configured and reachable as well
gnuwatch "ipsecctl -s all"

puffy207

Loopback & Gif

doas su -
# lo1 carries this router's stable /32 address; ospfd advertises it (area 0
# lists lo1 below) and the peer reaches it through the tunnel
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.7/32
up
EOF

# gif0: mirror image of puffy206 -- inner point-to-point pair first, then the
# outer endpoints (LAN IPs) as "tunnel"; the transport-mode IPsec policy below
# protects traffic between those LAN IPs. MTU presumably lowered for gif + ESP
# overhead -- confirm for your path.
cat << 'EOF' > /etc/hostname.gif0
description "Point2Point Interface for OSPF"
mtu 1420
10.10.10.7 10.10.10.6 netmask 255.255.255.255
tunnel 192.168.108.207 192.168.108.206
EOF

Enable IPSEC & IP Forwarding

# ">>" appends: running this twice leaves duplicate lines in sysctl.conf.
# NOTE(review): net.inet.gre.allow is the gre(4) knob; gif(4) does not seem
# to need it -- confirm before enabling an unused protocol.
cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

# -K: isakmpd skips keynote(4) policy checks; the policy lives in ipsec.conf
rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

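# ipsec.conf holds the pre-shared key. Create it under a restrictive umask so
# it is never world-readable, not even for the moment before the chmod below.
# Replace the sample PSK with a long random secret shared by both peers.
( umask 077; cat << 'EOF' > /etc/ipsec.conf
ike active esp transport from 192.168.108.207 to 192.168.108.206 peer 192.168.108.206 \
main auth "hmac-sha2-256" enc "aes-128" group modp3072 \
quick enc "aes-128-gcm" group modp3072 \
srcid 192.168.108.207 \
psk "my-tunnel-is-private"
EOF
)

# still needed: ">" truncates an existing file but keeps its old mode
chmod 600 /etc/ipsec.conf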

Create ospfd.conf

# "$id" expands the macro defined at the top of the file (ospfd.conf(5));
# router-id must differ on every router in the area
cat << 'EOF' > /etc/ospfd.conf
# macros
id="192.168.108.207"

# global configuration
router-id $id
fib-update yes
stub router yes
spf-delay 1
spf-holdtime 5

# areas
area 0.0.0.0 {
  interface gif0
  interface lo1 {}
}
EOF

# keep the config private (it may later carry OSPF auth keys) and start at boot
chmod 600 /etc/ospfd.conf
rcctl enable ospfd

Reboot and Check

reboot
# gnuwatch is watch(1) from the gnuwatch package; with both peers up the
# flows/SAs for 192.168.108.206 <-> 192.168.108.207 should show up here
gnuwatch "ipsecctl -s all"

Test

ifconfig gif            # gif0 up with the 10.10.10.x point-to-point pair
ipsecctl -s all         # flows and SAs of the transport-mode policy
route -n show -inet     # the peer's lo1 /32 should be learned via gif0
ospfctl show nei        # expect the peer as a FULL neighbour once adjacency is up

Throughput Test

root@client2 ~# tcpbench 10.0.0.7
  elapsed_ms          bytes         mbps   bwidth
        1000        2801664       22.413  100.00%
Conn:   1 Mbps:       22.413 Peak Mbps:       22.413 Avg Mbps:       22.413
        2009        2775672       22.007  100.00%
Conn:   1 Mbps:       22.007 Peak Mbps:       22.413 Avg Mbps:       22.007
        3014        3173760       25.264  100.00%
Conn:   1 Mbps:       25.264 Peak Mbps:       25.264 Avg Mbps:       25.264
        4021        3192912       25.391  100.00%
Conn:   1 Mbps:       25.391 Peak Mbps:       25.391 Avg Mbps:       25.391


sha256: d27ad9e5808a63352b5e5070af2abd82a9924129b713f98d1d10d4f8a8085df4

IPSEC with OpenBSD

Intro

Stage a few machines, puffy206 - 209. puffy206 has a static IP address, while puffy207 - 209 have dynamic IP addresses.

Master, puffy206

Loopback

doas su -
# lo1 carries the master's stable /32 tunnel address -- the "from" side of
# every policy in its ipsec.conf below
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.6/32
up
EOF

Enable IPSEC & IP Forwarding

# ">>" appends: running this twice leaves duplicate lines in sysctl.conf.
# NOTE(review): net.inet.gre.allow is the gre(4) knob; nothing in this setup
# uses gre(4) -- confirm it is needed before enabling it.
cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

# -K: isakmpd skips keynote(4) policy checks; the policy lives in ipsec.conf
rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

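# NOTE(review): "modp1024" is 1024-bit Diffie-Hellman (group 2), below current
# recommendations; prefer modp3072 or stronger, set identically on every peer.
# "peer any" plus one PSK shared by all slaves means any host holding that PSK
# can negotiate with the master -- per-peer PSKs (or certificates) limit the
# blast radius. Replace the sample PSK with a long random secret before use.
# One stanza per slave: 10.0.0.7 (puffy207), 10.0.0.8 (puffy208), 10.0.0.9 (puffy209).
# The file holds the PSK, so create it under a restrictive umask rather than
# relying only on the chmod afterwards.
( umask 077; cat << 'EOF' > /etc/ipsec.conf
ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.7/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"

ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.8/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"

ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.9/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
)
# still needed: ">" truncates an existing file but keeps its old mode
chmod 600 /etc/ipsec.conf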

Reboot and Check

reboot
# gnuwatch is watch(1) from the gnuwatch package; with "ike dynamic" the
# master only shows SAs once a slave has connected
gnuwatch "ipsecctl -s all"

Slave, puffy207

Loopback

doas su -
# lo1: this slave's stable /32 tunnel address, the "from" side in its ipsec.conf
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.7/32
up
EOF

Enable IPSEC & IP Forwarding

# ">>" appends: running this twice leaves duplicate lines in sysctl.conf.
# NOTE(review): net.inet.gre.allow is the gre(4) knob; nothing in this setup
# uses gre(4) -- confirm it is needed before enabling it.
cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

# -K: isakmpd skips keynote(4) policy checks; the policy lives in ipsec.conf
rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

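# NOTE(review): "modp1024" is 1024-bit Diffie-Hellman (group 2), below current
# recommendations; prefer modp3072 or stronger, set identically on master and
# slave. Replace the sample PSK with a long random secret before use.
# The file holds the PSK, so create it under a restrictive umask rather than
# relying only on the chmod afterwards.
( umask 077; cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.7/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
)
# still needed: ">" truncates an existing file but keeps its old mode
chmod 600 /etc/ipsec.conf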

Slave, puffy208

Loopback

doas su -
# lo1: this slave's stable /32 tunnel address, the "from" side in its ipsec.conf
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.8/32
up
EOF

Enable IPSEC & IP Forwarding

# ">>" appends: running this twice leaves duplicate lines in sysctl.conf.
# NOTE(review): net.inet.gre.allow is the gre(4) knob; nothing in this setup
# uses gre(4) -- confirm it is needed before enabling it.
cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

# -K: isakmpd skips keynote(4) policy checks; the policy lives in ipsec.conf
rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

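# NOTE(review): "modp1024" is 1024-bit Diffie-Hellman (group 2), below current
# recommendations; prefer modp3072 or stronger, set identically on master and
# slave. Replace the sample PSK with a long random secret before use.
# The file holds the PSK, so create it under a restrictive umask rather than
# relying only on the chmod afterwards.
( umask 077; cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.8/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
)
# still needed: ">" truncates an existing file but keeps its old mode
chmod 600 /etc/ipsec.conf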

Slave, puffy209

Loopback

doas su -
# lo1: this slave's stable /32 tunnel address, the "from" side in its ipsec.conf
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.9/32
up
EOF

Enable IPSEC & IP Forwarding

# ">>" appends: running this twice leaves duplicate lines in sysctl.conf.
# NOTE(review): net.inet.gre.allow is the gre(4) knob; nothing in this setup
# uses gre(4) -- confirm it is needed before enabling it.
cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

# -K: isakmpd skips keynote(4) policy checks; the policy lives in ipsec.conf
rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

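# NOTE(review): "modp1024" is 1024-bit Diffie-Hellman (group 2), below current
# recommendations; prefer modp3072 or stronger, set identically on master and
# slave. Replace the sample PSK with a long random secret before use.
# The file holds the PSK, so create it under a restrictive umask rather than
# relying only on the chmod afterwards.
( umask 077; cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.9/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
)
# still needed: ">" truncates an existing file but keeps its old mode
chmod 600 /etc/ipsec.conf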

Full IPSEC Example

cat /etc/ipsec.conf

#
# https://man.openbsd.org/ipsec.conf.5
# http://www.kernel-panic.it/openbsd/vpn/vpn3.html
# https://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
#
# ike [mode] [encap] [tmode] [proto protocol] \
    # from src [port sport] [(srcnat)] to dst [port dport] \
    # [local localip] [peer remote] \
    # [mode auth algorithm enc algorithm group group] \
    # [quick auth algorithm enc algorithm group group] \
    # [srcid string] [dstid string] \
    # [psk string] [tag string]

# mode:   active (default), passive, dynamic
# encap:  esp (default), ah
# tmode:  tunnel (default), transport
# mode:   main (default), aggressive -> this is phase 1
# quick:  -> this is phase 2


# Var

local_gw    = "MEINE-PUBLIC-IP"
local_net   = "MEIN-NETZWERK/MASK"

auth1       = "hmac-sha1"       # hmac-sha1, hmac-sha2-256, hmac-sha2-384, hmac-sha2-512
enc1        = "aes-128"         # aes-128 (=aes), aes-192, aes-256, blowfish
group1      = "modp3072"        # modp768 (g1), modp1024 (g2), modp1536 (g5), modp2048 (g14), modp3072 (g15), modp4096 (g16), modp6144 (g17), modp8192 (g18), ... (g30)
time1       = "3600"            # in Seconds, or 10m, resp 12h

auth2       = "hmac-sha2-256"   # siehe oben
enc2        = "aes-128"         # siehe oben
group2      = "modp3072"        # siehe oben
time2       = "1200"            # siehe oben


# Tunnel to Remote

remote_gw   = "DEINE-PUBLIC-IP"
remote_net  = "DEIN-NETZWERK/MASK"
key         = "super-huper-secret-key"

ike dynamic esp tunnel from $local_net to $remote_net peer $remote_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $local_gw \
psk $key

ike dynamic esp tunnel from $remote_net to $local_net peer $remote_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $local_gw \
psk $key

Packetmischief

Proxmox

Running a Proxmox Cluster with CEPH.

Here are a few commands to figure out the status of CEPH:

# cluster health, OSD state, the pools as Proxmox sees them, and the
# per-placement-group dump (verbose; pipe into less or grep as needed)
ceph status
ceph osd status
pveceph lspools
ceph pg dump

Manual Backup

# 777 is the VMID; snapshot mode backs up the guest while it keeps running
vzdump 777 --dumpdir /mnt/backup --mode snapshot

Manual Restore

# restore the archive as VMID 777; use the exact (timestamped) file name that
# vzdump actually wrote into /mnt/backup
qmrestore /mnt/backup/vzdump-qemu-777.vma 777

Proxmox Performance Overview

Intel Nuc I5, 32GB RAM, 500GB SSD

root@nuc:~# pveperf
CPU BOGOMIPS:      36799.44
REGEX/SECOND:      3927398
HD SIZE:           93.99 GB (/dev/mapper/pve-root)
BUFFERED READS:    522.34 MB/sec
AVERAGE SEEK TIME: 0.11 ms
FSYNCS/SECOND:     1588.49
DNS EXT:           49.40 ms
DNS INT:           0.65 ms (planet)

Remove Cluster Config

Source: Proxmox Forum

Migrate Packages from Host A to Host B

How to migrate all Packages

Got several packages installed on Host A and would like to migrate them to Host B? That's easy :)

Extract on Host A

# -m: only manually installed packages (dependencies are re-resolved on B);
# -z: fuzzy "stem--flavor" names without versions, the format pkg_add -l expects
pkg_info -mz | tee list
ansible--
bash--
...
vnstat--
wget--

# /tmp on Host B is world-readable; fine here, the list contains no secrets
scp list HostB:/tmp/

Import on Host B

# -l: install every package named in the list file, one per line
doas pkg_add -l /tmp/list

Oneline

Or you can simply do it in one line, although there are two commands: copy and install.

Openbsd upgrade 6.6

OpenBSD 6.6 was released today. Here is my upgrade procedure:

run sysmerge

reboot

run script:

#!/bin/sh

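# be nice and verbose: print a blank line, then the message followed by " **".
# printf instead of echo: whether echo expands "\n" differs between shells
# (the script runs under /bin/sh), and the message is passed as an argument,
# never as the format string, so a "%" in it cannot be misinterpreted.
e() {
  printf '\n%s **\n' "$1"
}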

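e "** vars"
# remembered so the script can find and delete itself at the end
_mydir=$(pwd)

e "** build base urls"
# https keeps the download path tamper- and eavesdrop-resistant in transit;
# _path_base is only echoed here (kept for reference)
_path_base=https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/
_path_pkg=https://cdn.openbsd.org/pub/OpenBSD/6.6/packages/amd64/
echo "_path_base: ${_path_base}"
echo "_path_pkg: ${_path_pkg}"

e "** make all devices"
# no "set -e" in this script, so every cd is checked by hand: running
# MAKEDEV in the wrong directory would litter it with device nodes
cd /dev || exit 1
./MAKEDEV all || exit 1

e "** cd /tmp"
cd /tmp || exit 1

e "** install boot loader"
# mount(8) prints "/dev/sd0a on / type ffs ...": splitting on "/" and " "
# makes the root partition field $3 (e.g. sd0a); "%?" strips the partition
# letter, leaving the disk (sd0) that installboot expects
_boot=$(mount | awk -F'[/ ]' '/ on \/ / {print $3}')
[ -n "${_boot}" ] || { echo "cannot determine root disk from mount output" >&2; exit 1; }
installboot "${_boot%?}"

e "** hash new Kernel"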
 
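# record the new kernel's hash so reorder_kernel(8) accepts /bsd at next boot
sha256 -h /var/db/kernel.SHA256 /bsd

e "** export URL for pkg upgrade"
echo "export PKG_PATH=${_path_pkg}"
export PKG_PATH="${_path_pkg}"

e "** run sysmerge"
sysmerge

e "** run fw update"
fw_update -v

e "** run pkg update"
pkg_add -Vu

e "** index new man pages"
makewhatis

e "** Update Acme Client API"
# move acme-client to the v02 Let's Encrypt endpoint; edits the file in place
# (OpenBSD sed -i), no backup copy is kept
sed -i 's/acme-v01.api.letsencrypt.org/acme-v02.api.letsencrypt.org/' /etc/acme-client.conf

e "** files to remove"
# obsolete files for the 6.6 upgrade; -f tolerates paths that are already gone
rm -f /usr/share/man/man3p/carp.3p \
  /usr/share/man/man3p/Tie::ExtraHash.3p \
  /usr/share/man/man3p/Tie::StdHash.3p \
  /usr/share/man/man3p/Tie::StdScalar.3p \
  /usr/share/man/man3p/basename.3p \
  /usr/share/man/man3p/cluck.3p \
  /usr/share/man/man3p/confess.3p \
  /usr/share/man/man3p/croak.3p \
  /usr/share/man/man3p/dirname.3p \
  /usr/share/man/man3p/fileparse.3p \
  /usr/share/man/man3p/getopt.3p \
  /usr/share/man/man3p/getopts.3p \
  /usr/share/man/man3p/inet_aton.3p \
  /usr/share/man/man3p/inet_ntoa.3p \
  /usr/share/man/man3p/longmess.3p \
  /usr/share/man/man3p/look.3p \
  /usr/share/man/man3p/open2.3p \
  /usr/share/man/man3p/open3.3p \
  /usr/share/man/man3p/pod2usage.3p \
  /usr/share/man/man3p/podchecker.3p \
  /usr/share/man/man3p/podselect.3p \
  /usr/share/man/man3p/shortmess.3p \
  /usr/share/man/man3p/sockaddr_in.3p \
  /usr/share/man/man3p/sockaddr_un.3p \
  /usr/share/man/man3p/writemain.3p
rm -f /usr/sbin/snmpctl \
  /usr/share/man/man8/snmpctl.8
rm -f /usr/X11R6/lib/pkgconfig/libfs.pc \
  /usr/X11R6/include/X11/fonts/FSlib.h
rm -rf /usr/X11R6/share/doc/libFS
rm -f /usr/X11R6/bin/xman \
  /usr/X11R6/lib/X11/xman.help \
  /usr/X11R6/man/man1/xman.1 \
  /usr/X11R6/share/X11/app-defaults/Xman
# the xman entries repeat below; harmless with -f, kept as in the source list
rm -f /usr/X11R6/bin/xman \
  /usr/X11R6/lib/X11/xman.help \
  /usr/X11R6/man/man1/xman.1 \
  /usr/X11R6/share/X11/app-defaults/Xman \
  /usr/X11R6/lib/pkgconfig/libfs.pc \
  /usr/X11R6/lib/modules/v10002d.uc \
  /usr/X11R6/lib/modules/v20002d.uc \
  /usr/X11R6/lib/modules/drivers/ark_drv.la \
  /usr/X11R6/lib/modules/drivers/ark_drv.so \
  /usr/X11R6/lib/modules/drivers/chips_drv.la \
  /usr/X11R6/lib/modules/drivers/chips_drv.so \
  /usr/X11R6/lib/modules/drivers/glint_drv.la \
  /usr/X11R6/lib/modules/drivers/glint_drv.so \
  /usr/X11R6/lib/modules/drivers/i128_drv.la \
  /usr/X11R6/lib/modules/drivers/i128_drv.so \
  /usr/X11R6/lib/modules/drivers/neomagic_drv.la \
  /usr/X11R6/lib/modules/drivers/neomagic_drv.so \
  /usr/X11R6/lib/modules/drivers/rendition_drv.la \
  /usr/X11R6/lib/modules/drivers/rendition_drv.so \
  /usr/X11R6/lib/modules/drivers/s3_drv.la \
  /usr/X11R6/lib/modules/drivers/s3_drv.so \
  /usr/X11R6/lib/modules/drivers/s3virge_drv.la \
  /usr/X11R6/lib/modules/drivers/s3virge_drv.so \
  /usr/X11R6/lib/modules/drivers/sis_drv.la \
  /usr/X11R6/lib/modules/drivers/sis_drv.so \
  /usr/X11R6/lib/modules/drivers/tdfx_drv.la \
  /usr/X11R6/lib/modules/drivers/tdfx_drv.so \
  /usr/X11R6/lib/modules/drivers/trident_drv.la \
  /usr/X11R6/lib/modules/drivers/trident_drv.so \
  /usr/X11R6/lib/modules/drivers/tseng_drv.la \
  /usr/X11R6/lib/modules/drivers/tseng_drv.so \
  /usr/X11R6/man/man4/chips.4 \
  /usr/X11R6/man/man4/glint.4 \
  /usr/X11R6/man/man4/i128.4 \
  /usr/X11R6/man/man4/neomagic.4 \
  /usr/X11R6/man/man4/rendition.4 \
  /usr/X11R6/man/man4/s3.4 \
  /usr/X11R6/man/man4/s3virge.4 \
  /usr/X11R6/man/man4/sis.4 \
  /usr/X11R6/man/man4/tdfx.4 \
  /usr/X11R6/man/man4/trident.4 \
  /usr/X11R6/man/man4/tseng.4 \
  /usr/X11R6/man/man3/XkbAllocGeomOverlayKey.3
rm -f /usr/X11R6/include/X11/fonts/FSlib.h \
  /usr/include/dev/ic/dwc_gmac_reg.h \
  /usr/include/dev/ic/dwc_gmac_var.h \
  /usr/include/llvm/Analysis/IndirectCallSiteVisitor.h \
  /usr/include/llvm/CodeGen/GCs.h \
  /usr/include/llvm/DebugInfo/PDB/Native/NativeBuiltinSymbol.h \
  /usr/include/llvm/DebugInfo/PDB/Native/NativeEnumSymbol.h \
  /usr/include/llvm/IR/TypeBuilder.h \
  /usr/include/llvm/Transforms/Utils/OrderedInstructions.h
rm -f /usr/share/man/man1/clang++.1 \
  /usr/share/man/man1/clang-cpp.1 \
  /usr/share/man/man1/diagnostics.1 \
  /usr/share/man/man3/SipHash24.3 \
  /usr/share/man/man3/bitstring.3 \
  /usr/share/man/man3/byteorder.3 \
  /usr/share/man/man3/directory.3 \
  /usr/share/man/man3/ethers.3 \
  /usr/share/man/man3/exec.3 \
  /usr/share/man/man3/fts.3 \
  /usr/share/man/man3/getcap.3 \
  /usr/share/man/man3/inet_net.3 \
  /usr/share/man/man3/md5.3 \
  /usr/share/man/man3/pcap-filter.3 \
  /usr/share/man/man3/pcap.3 \
  /usr/share/man/man3/pwcache.3 \
  /usr/share/man/man3/resolver.3 \
  /usr/share/man/man3/rmd160.3 \
  /usr/share/man/man3/sha1.3 \
  /usr/share/man/man3/sha2.3 \
  /usr/share/man/man3/stdarg.3 \
  /usr/share/man/man3/uucplock.3 \
  /usr/share/man/man3/uuid.3 \
  /usr/share/man/man3/ypclnt.3 \
  /usr/share/man/man4/i386/vmm.4 \
  /usr/share/man/man4/macppc/openprom.4 \
  /usr/share/man/man4/sparc64/openprom.4

e "** remove myself"
# the script deletes itself; quoted so a directory or script name with
# spaces still resolves, and "--" guards against a name starting with "-"
cd "${_mydir}" || exit 1
rm -f -- "$0"

e "** done !"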


sha256: 2bb8d98fff6c458bd85b32a50afb0c31b65a2cd8a0599fdc891b567334464552

OpenBSD 6.x Diskusage

How much Disk is used with Default Partitioning

puffy66# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a     1005M   96.1M    858M    10%    /
/dev/sd0k      9.6G    2.0K    9.1G     0%    /home
/dev/sd0d      1.8G   12.0K    1.7G     0%    /tmp
/dev/sd0f      2.5G    955M    1.4G    39%    /usr
/dev/sd0g     1005M    202M    752M    21%    /usr/X11R6
/dev/sd0h      4.2G    218K    3.9G     0%    /usr/local
/dev/sd0j      5.8G    2.0K    5.5G     0%    /usr/obj
/dev/sd0i      1.7G    2.0K    1.6G     0%    /usr/src
/dev/sd0e      2.8G    5.9M    2.7G     0%    /var

Example with 32 GB

puffy66# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G   96.1M    3.6G     3%    /
/dev/sd0g      7.8G    2.0K    7.4G     0%    /home
/dev/sd0d      2.0G   12.0K    1.9G     0%    /tmp
/dev/sd0f      7.9G    1.1G    6.4G    15%    /usr
/dev/sd0e      7.9G    5.9M    7.5G     0%    /var

Partition Proposal for 16GB

/dev/sd0a 2G  /
/dev/sd0b 1G  swap
/dev/sd0d 1G  /tmp
/dev/sd0e 4G  /var
/dev/sd0f 4G  /usr
/dev/sd0g 4G  /home

Partition Proposal for 20GB

/dev/sd0a 2G  /
/dev/sd0b 1G  swap
/dev/sd0d 1G  /tmp
/dev/sd0e 6G  /var
/dev/sd0f 6G  /usr
/dev/sd0g 4G  /home

Partition Proposal for 32GB

/dev/sd0a 4G  /
/dev/sd0b 2G  swap
/dev/sd0d 2G  /tmp
/dev/sd0e 8G  /var
/dev/sd0f 8G  /usr
/dev/sd0g 8G  /home

Partition Proposal for 64GB

/dev/sd0a 4G  /
/dev/sd0b 2G  swap
/dev/sd0d 2G  /tmp
/dev/sd0e 8G  /var
/dev/sd0f 8G  /usr
/dev/sd0g 8G  /home
/dev/sd0h 32G /data

Templates APU 16GB

# layout template, one "mountpoint size" per line, written to the current
# directory; presumably meant for disklabel(8) -T / the installer's custom
# layout -- confirm the exact consumer before relying on it
cat << 'EOF' > autodisklabel
/       2G
swap    0.5G
/tmp    1G
/usr    4G
/var    4G
/home   4G
EOF

Templates APU 120GB

# same template format as the 16GB variant, with a separate /data partition;
# overwrites any existing ./autodisklabel
cat << 'EOF' > autodisklabel
/       4G
swap    4G
/tmp    4G
/usr    8G
/var    8G
/home   16G
/data   64G
EOF

Quick and Dirty APU 120GB

a 4G /root
a 4G swap
a 4G /tmp
a 8G /usr
a 8G /home
a *  /var

-> which results in:

apu-120GB# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G   75.0M    3.6G     2%    /
/dev/sd0f      7.8G    2.0K    7.4G     0%    /home
/dev/sd0d      3.9G   16.0K    3.7G     0%    /tmp
/dev/sd0e      7.8G    1.2G    6.1G    17%    /usr
/dev/sd0g     81.1G    7.0M   77.1G     0%    /var


sha256: 8b0fa0f79f422c4d4ed8eb1ee67cda1d67470ff8aec34f18bb7715b6ea4291f0