OpenBSD - NTopNG

NTOPNG with Self Signed Cert

ntopng is a network traffic probe that provides 360° Network visibility, with its ability to gather traffic information from traffic mirrors, Netflow exporters, SNMP devices, Firewall logs, Intrusion Detection systems.

package

as root

pkg_add ntopng

Cert

To use HTTPS on the built-in web server, create /etc/ssl/ntopng-cert.pem containing both the private key and certificate in the same file and make this readable by the _ntopng user. Use the -W flag to listen on HTTPS.

Debian 12

Debian 12 is here !

you may find some of my Posts about Debian useful

Upgrade Script

assuming you have Debian 11.x running

cat << 'EOF' > /root/upgrade_to_v12.sh
#!/usr/bin/env bash

# set Version
sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list.d/*

# Update
apt-get -y update
apt-get -y upgrade
apt-get -y dist-upgrade
apt autoclean
apt autoremove
apt --purge autoremove

# you may add/update -> /etc/apt/sources.list
# deb http://security.debian.org/debian-security/ bookworm-security main
# deb-src http://security.debian.org/debian-security/ bookworm-security main

exit 0
EOF

chmod u+x /root/upgrade_to_v12.sh

Run

run the script and wait a few minutes …

OpenBSD - Terraform

Terraform OpenBSD & Vultr

doas pkg_add git gmake go terraform

cat << EOF

# Go, $(date)
export PATH=$PATH:$(go env GOPATH)/bin
export GOPATH=$(go env GOPATH)
EOF

mkdir -p $GOPATH/src/github.com/vultr; cd $GOPATH/src/github.com/vultr
git clone git@github.com:vultr/terraform-provider-vultr.git

cd $GOPATH/src/github.com/vultr/terraform-provider-vultr
gmake build

main.tf

cat << 'EOF' > main.tf
terraform {
  required_providers {
    vultr = {
      source = "vultr/vultr"
      version = "2.12.1"
    }
  }
}

resource "vultr_instance" "web" {
  count = 2
  plan  = "vc2-1c-1gb"
  region = "fra"
  hostname = "web-${count.index+1}"
  label = "web-${count.index+1}"
}
EOF

Init, Plan, Apply

export TF_VULTR_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

terraform init
terraform plan
terraform apply

main.tf

5 Servers in 5 Regions, each of them has got a uniqe name and the authorized_key file adjusted …

Docker - Swarm

Setup

Let’s assume we have 3 Nodes in a Docker Swarm Setup.

  • Tick
  • Trick
  • Track

Track is the Leader/Manager. All Machines runs Debian 12.0 (RC, as it is not yet released)

Show Nodes

docker node ls
root@track:~# docker node ls
ID                            HOSTNAME    STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
b2zvkc374v08q2rpocljhkg5n     tick        Ready     Active                          23.0.2
khom3cx05bxqxktjq1k5j16gk *   track       Ready     Active         Leader           23.0.2
lq53s6mhuzvqrehks0j68sr3e     trick       Ready     Active                          23.0.2

Create Simple Service

Run a simple Docker service that uses an alpine-based filesystem, and isolates a ping to 8.8.8.8

OpenBSD - Rclone

WebDAV Server

need a little WebDAV Server ? Selfhosting your Password DB ?

pkg

pkg_add rclone
mkdir -p /rclone/webdav

run

rclone serve webdav /your/root/folder --addr YOUR_PUBLIC_IP:PORT \
  --key /etc/ssl/certs/your.private.key \
  --cert /etc/ssl/certs/your.public.cer \
  --user someuser \
  --pass somepass

Browser

browse to https://your_public_ip:port

  • user: someuser
  • pass: somepass

done !

htpasswd

got some Users and wanna put them in the htaccess file ? be carefull as these users all share the same folder !

cd /rclone
touch htpasswd
htpasswd htpasswd tick
htpasswd htpasswd trick
htpasswd htpasswd track
chmod 600 htpasswd

Dashboard

do you like dashboars ? it’s also included, have a look …

NextCloud - OpenBSD 7.3

NextCloud on OpenBSD 7.3

some install notes …

  • Powerup Fresh VM
  • Upgrade to 7.3 Beta (7.3 is not yet released)

pkg_info nextcloud

pkg_info -Q nextcloud -D snap
nextcloud-23.0.12p0
nextcloud-24.0.10
nextcloud-25.0.4
nextcloudclient-3.7.4

adding 25.0.4

pkg_add -D snap nextcloud 
quirks-6.121 signed on 2023-03-21T18:57:42Z
Ambiguous: choose package for nextcloud
a	0: <None>
	1: nextcloud-23.0.12p0
	2: nextcloud-24.0.10
	3: nextcloud-25.0.4
Your choice: 3

installed:

  • php-8.1
  • lot of stuff

got some readme

...
nextcloud-25.0.4:gd-2.3.3: ok
nextcloud-25.0.4:php-gd-8.1.16: ok
nextcloud-25.0.4:icu4c-72.1v0: ok
nextcloud-25.0.4:icu4c-wwwdata-72.1v0: ok
nextcloud-25.0.4:php-intl-8.1.16: ok
nextcloud-25.0.4:php-curl-8.1.16p0: ok
nextcloud-25.0.4:pecl81-redis-5.3.7p0: ok
nextcloud-25.0.4: ok
Running tags: ok
The following new rcscripts were installed: /etc/rc.d/php81_fpm
See rcctl(8) for details.
New and changed readme(s):
	/usr/local/share/doc/pkg-readmes/femail-chroot
	/usr/local/share/doc/pkg-readmes/nextcloud
	/usr/local/share/doc/pkg-readmes/php-8.1

readme is for loosers, right ? so, let’s have a look …

Ciphey

Ciphey

Fully automated decryption/decoding/cracking tool using natural language processing & artificial intelligence, along with some common sense.

Source: https://github.com/Ciphey/Ciphey

Run in Docker

encoding=$(echo -n "hello world" |base64); docker run -it --rm remnux/ciphey ${encoding}

Result

Possible plaintext: 'hello world' (y/N): y
╭─────────────────────────────────╮
│ Formats used:                   │
│    base64                       │
│    utf8Plaintext: "hello world"╰─────────────────────────────────╯

Supported Ciphers

Ciphey currently supports 51 encryptions, encodings, compression methods, and hashes.

https://github.com/Ciphey/Ciphey/wiki/Supported-Ciphers


Any Comments ?

sha256: a33eac04129d4cf6bedce35c8b38c6f395a68fcf0a3e4ad7285caa6f249de7eb

OpenBSD - OpenSMTPD

Running a Mailserver on OpenBSD …

Source

Requirements

  • OpenBSD VM
  • Public IP & FQDN
  • no Portfilter from Hoster
  • root permission

Packages

pkg_add opensmtpd-extras opensmtpd-filter-rspamd dovecot dovecot-pigeonhole redis rspamd-- opensmtpd-filter-senderscore

FQDN

export host="hostname"
export domain="domain.tld"
export fqdn="${host}.${domain}"

httpd.conf

f="/etc/httpd.conf"; test -f ${f} && cp ${f} "${f}-$(date +'%s')"

cat << EOF > ${f}
# added $(date)
server "${fqdn}" {
  listen on * port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}
EOF
chown root:wheel ${f}; chmod 644 ${f}

pf.conf

allow Certain Ports for Any

OpenBSD - Rainloop

Source

how to add a nice WebInterface to an existing Mailserver

Vars

export fqdn="your.server.de"

add pkg

PHP Version ? I took 8.1

pkg_add \
  curl-- \
  php--%8.1 \
  php-curl--%8.1 \
  php-pdo_sqlite--%8.1 \
  php-zip--%8.1 \
  pecl81-mcrypt \
  unzip-- \
  zip--

Cert

Assume you already have a TLS Cert, you can skip this one

php

cd /etc/php-8.1.sample/
cp * /etc/php-8.1/

size

sed -i 's/^upload_max_filesize.*/upload_max_filesize = 25M/' /etc/php-8.1.ini 
sed -i 's/^post_max_size.*/post_max_size = 29M/' /etc/php-8.1.ini 

httpd

cat << EOF > /etc/httpd.conf

server "${fqdn}" {
    listen on * port 80
    block return 302 "https://\$SERVER_NAME\$REQUEST_URI"
}

server "${fqdn}" {
    listen on * tls port 443
    tls {
      certificate "/etc/ssl/${fqdn}.fullchain.pem"
      key         "/etc/ssl/private/${fqdn}.key"
    }
    hsts {
      max-age 31556952
      preload
    }
    log {
      access  "${fqdn}-access.log"
      error   "${fqdn}-error.log"
    }

    root "/htdocs/rainloop"
    directory index index.php

    # Value below is 25MB in bytes. 1MB = 1048576 bytes
    connection max request body 26214400

    # security
    location "*/.git*"              { block }

    ## app specific (ref: https://www.rainloop.net/docs/permissions/ )
    location "/data/*"              { block }

    # robots.txt
    location "/robots.txt"          { pass }

    location "/*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
}
EOF

enable & start

rcctl enable httpd php81_fpm
rcctl restart httpd php81_fpm

Prepare Rainloop

mkdir /var/www/htdocs/rainloop
cd /var/www/htdocs/rainloop

Get Rainloop #1

curl -sL https://repository.rainloop.net/installer.php | php-8.1
chown -R www data

Get Rainloop #2

ftp https://www.rainloop.net/repository/webmail/rainloop-latest.zip
unzip rainloop-latest.zip
chown -R www data

allow resolv.conf

test -d /var/www/etc || mkdir -p /var/www/etc
test -f /var/www/etc/resolv.conf || cp /etc/resolv.conf /var/www/etc/resolv.conf

Admin Interface

-> user admin:12345

Docker - Keycloak

KeyCloak

Keycloak is an open source identity and access management solution.

Requirements:

  • Linux Host with Docker & Docker Compose

  • Public IP Adress & FQDN Entry

  • Port 80/443 open from any

docker-compose.yml

version: "3.7"

services:    
  sso:
    image: quay.io/keycloak/keycloak:21.0
    container_name: "keycloak"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./keycloak.conf:/opt/keycloak/conf/keycloak.conf
    command:
      - start-dev
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=XxXxXxXxXxXxXx
      - PROXY_ADDRESS_FORWARDING=true
      - VIRTUAL_HOST=keycloak.your.domain.de
      - VIRTUAL_PORT=8080
      - LETSENCRYPT_HOST=keycloak.your.domain.de
    networks:
      - internal

  database:
    image: postgres:13
    container_name: "postgres"
    environment:
      - POSTGRES_USER=keycloak
      - POSTGRES_DATABASE=keycloak
      - POSTGRES_PASSWORD=XxXxXxXxXxXxXx
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - internal

  proxy:
    image: nginxproxy/nginx-proxy
    container_name: "nginx"
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - conf:/etc/nginx/conf.d
      - vhost:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - certs:/etc/nginx/certs
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - internal

  acme-companion:
    image: nginxproxy/acme-companion
    container_name: "acme-proxy"
    environment:
      - DEFAULT_EMAIL=<mail@your.domain.de>
    volumes_from:
      - proxy
    volumes:
      - certs:/etc/nginx/certs
      - acme:/etc/acme.sh
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - internal

networks:
  internal:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: 1450

volumes:
  postgres_data:
  conf:
  vhost:
  html:
  certs:
  acme:

keycloak.conf

proxy=edge
db=postgres
db-url-host=postgres
db-user=keycloak
db-password=XxXxXxXxXxXxXxXx
db-database=keycloak
db-schema=public
hostname-strict=false
http-enabled=true

Up, Up, Up

docker compose up -d; docker compose logs -f

Any Comments ?

sha256: ae07bb4c0d896a00d456ec5e725109a85a45a165400d0e64a44e9bf46adda5a6