Linux

Docker - Traefik - Wildcard Subdomain

Intro

I was wondering if you can have Wildcard Certs for certain Subdomains. The Idea is to provide a Service at “myservice.auth.your.domain” which automatically requests Authentication, while the same Service at “myservice.whitelist.your.domain” is reachable through some Whitelisted IP only.

As Traefik can chain Middleware but does not implement any logic (If Whitelist -> ok, else do Basic Auth …), I have to build another solution.

Let’s have a look.

Prepare Folders

cd /your/traffic/rootfolder
mkdir -p config/dynamic

.env File

We need two variables, so let’s put them in the .env File.

Docker - Traefik - Stripprefix

Strip Prefix

Let’s assume you have a URL “https://whoami.your.domain.de/removeme” and you wanna get rid of the “removeme” before passing the Request to the Webserver. Stripprefix is your friend …

docker-compose.yml

  whoami:
    image: containous/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/wegdamit,/removeme"
      - "traefik.http.routers.whoami.middlewares=test-stripprefix@docker"
      - "traefik.http.routers.whoami.rule=Host(`whoami.your.domain.de`)"
      - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
      - "traefik.http.routers.whoami.tls=true"

Any Comments ?

sha256: 0620c0c2d7ae033f2536f6797a048772e52a09119367f4864f8bb2a754d2ea57

Fluent - Data Collector

Fluentd is an open-source data collector for a unified logging layer. Fluentd allows you to unify data collection and consumption for better use and understanding of data.

Docu

Install Ruby

pkg_add ruby-3.1.2
ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby
ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle
ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler
ln -sf /usr/local/bin/erb31 /usr/local/bin/erb
ln -sf /usr/local/bin/gem31 /usr/local/bin/gem
ln -sf /usr/local/bin/irb31 /usr/local/bin/irb
ln -sf /usr/local/bin/racc31 /usr/local/bin/racc
ln -sf /usr/local/bin/rake31 /usr/local/bin/rake
ln -sf /usr/local/bin/rbs31 /usr/local/bin/rbs
ln -sf /usr/local/bin/rdbg31 /usr/local/bin/rdbg
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc
ln -sf /usr/local/bin/ri31 /usr/local/bin/ri
ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof

Install Fluentd

gem install fluentd
ln -sf /usr/local/bin/fluentd31 /usr/local/bin/fluentd

Create Config

fluentd --setup /etc/fluent

Edit config

cat << 'EOF' > /etc/fluent/fluent.conf
# fluent.conf

# Nginx Log
<source>
  @type tail
  format nginx
  path /var/log/nginx/blog.stoege.net.log
  pos_file /var/log/nginx-pos/blog.stoege.net.log
  time_key fluentd_time
  time_format %d/%b/%Y:%H:%M:%S %z
  tag nginx.access
</source>

# Output
<match nginx.access>
  @type file
  path /var/log/fluent/blog.stoege.net
</match>
EOF

Run

fluentd -c /etc/fluent/fluent.conf

Sample Data

tail -f /var/log/fluent/blog.stoege.net/buffer.b5e6e8e8ee14db5e3a401bb38f14a6de5.log
2022-08-23T15:54:58+02:00	nginx.access	{"remote":"114.119.135.215","host":"-","user":"-","time":"23/Aug/2022:15:54:58 +0200","method":"GET","path":"/tags/monitoring/","code":"200","size":"33684","referer":"https://blog.stoege.net/tags/vpn","agent":"Mozilla/5.0 (Linux; Android 7.0;) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; PetalBot;+https://webmaster.petalsearch.com/site/petalbot)","http_x_forwarded_for":"-"}
2022-08-23T15:55:42+02:00	nginx.access	{"remote":"147.182.168.107","host":"-","user":"-","time":"23/Aug/2022:15:55:41 +0200","method":"GET","path":"/index.xml","code":"304","size":"0","referer":"-","agent":"NewsBlur Feed Fetcher - 2 subscribers - https://www.newsblur.com/site/8313934/blog-stoege-net (\\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\\x22)","http_x_forwarded_for":"-"}
2022-08-23T15:55:42+02:00	nginx.access	{"remote":"147.182.168.107","host":"-","user":"-","time":"23/Aug/2022:15:55:42 +0200","method":"GET","path":"/","code":"200","size":"56891","referer":"-","agent":"NewsBlur Page Fetcher - 2 subscribers - https://www.newsblur.com/site/8313934/blog-stoege-net (\\x22Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15\\x22)","http_x_forwarded_for":"-"}


OpenSSH 2FA Google Auth

Let’s give a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator
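
An added example, not part of the original post: a small POSIX shell audit of the two files edited above. It resolves each sshd_config keyword the way sshd does (first occurrence wins, so lines appended with '>>' can be shadowed) and reports the PAM options that let a login pass without a code. The function names and the sample files (including the earlier 'PasswordAuthentication yes' line) are constructed for illustration.

```shell
#!/bin/sh
# Added example. sshd uses the FIRST occurrence of a keyword, so a line
# appended with '>>' loses to an earlier uncommented setting.
# Simplification: Match blocks and Include files are not evaluated.
sshd_effective() {  # usage: sshd_effective <keyword> <sshd_config>
    awk -v k="$1" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

finding() { echo "FINDING: $1"; n=$((n + 1)); }

# One line per finding; the return status is the number of findings.
audit_2fa() {  # usage: audit_2fa <sshd_config> <pam-file>
    n=0
    ga=$(grep -E '^[[:space:]]*auth.*pam_google_authenticator\.so' "$2" || true)
    [ "$(sshd_effective UsePAM "$1")" = yes ] ||
        finding "UsePAM is not effectively 'yes', the PAM stack is unused"
    [ "$(sshd_effective PasswordAuthentication "$1")" = no ] ||
        finding "PasswordAuthentication is not effectively 'no'"
    case "$(sshd_effective AuthenticationMethods "$1")" in
        '' | any) finding "AuthenticationMethods any: a public key alone logs in, PAM never asks for a code" ;;
    esac
    [ -n "$ga" ] || finding "no pam_google_authenticator.so auth line"
    case "$ga" in *nullok*)
        finding "nullok: accounts without ~/.google_authenticator skip the code" ;;
    esac
    case "$ga" in *grace_period=*)
        finding "grace_period: repeat logins inside the window are not asked for a code" ;;
    esac
    return "$n"
}

# Constructed sample: an earlier 'PasswordAuthentication yes' (hypothetical),
# then the three sshd_config lines and the PAM auth lines from the post.
write_samples() {  # usage: write_samples <dir>
    printf '%s\n' '#Port 22' 'PasswordAuthentication yes' \
        'PasswordAuthentication no' 'AuthenticationMethods any' 'UsePAM yes' \
        > "$1/sshd_config"
    printf '%s\n' 'auth required pam_env.so' \
        'auth required /lib/security/pam_google_authenticator.so echo_verification_code grace_period=57600 nullok' \
        'auth required pam_unix.so md5 sha512' > "$1/sshd.pam"
}

d=$(mktemp -d) && write_samples "$d"
audit_2fa "$d/sshd_config" "$d/sshd.pam" || echo "$? finding(s)"
rm -rf "$d"
```

To require the code on every login, sshd_config would need a method list such as AuthenticationMethods publickey,keyboard-interactive, and nullok dropped once every user has enrolled.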

Response

Smokeping on Docker

If you have Docker running somewhere … bring up your Smoke Instance within Seconds ;)

Smokeping

docker run --name smoke --restart always -d -p 80:80 linuxserver/smokeping

Show Containers

docker ps
docker-test:~# docker ps
CONTAINER ID   IMAGE                   COMMAND   CREATED         STATUS         PORTS                               NAMES
8f8b872ac1c3   linuxserver/smokeping   "/init"   6 minutes ago   Up 6 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp   smoke

Shell into Docker

docker exec -it smoke /bin/sh

Check Netstat

root@8f8b872ac1c3:/# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     406670 s
unix  2      [ ACC ]     STREAM     LISTENING     406078 /run/apache2/fcgidsock/137.0

Preview

Alpine - OpenVM Tools

Running Alpine on ESX ? Install the Open VM Tools …

Install OpenVM Tools

apk add open-vm-tools
apk add open-vm-tools-guestinfo
apk add open-vm-tools-deploypkg

Start Service

rc-service open-vm-tools start

Autostart Service

rc-update add open-vm-tools boot

All in One

apk add open-vm-tools open-vm-tools-guestinfo open-vm-tools-deploypkg
rc-update add open-vm-tools boot
rc-service open-vm-tools start

Busybox Extras

add some tools (arch, dnsd, dumpleases, fakeidentd, ftpd, ftpget, ftpput, httpd, inetd, readahead, telnet, telnetd, tftp, tftpd, udhcpd)

apk add busybox-extras

List Packages

apk info -L busybox-extras
docker# apk info -L busybox-extras
busybox-extras-1.35.0-r15 contains:
bin/busybox-extras


Ubuntu 20.04 LTS & Netplan

Assume you got a fresh Machine with DHCP …

Ubuntu with DHCP Config

cat /etc/netplan/01-netcfg.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens192:
      dhcp4: true
  version: 2

and you’d like to switch to a Static IP. Ask Google how to do it and give it a try:

Static IP with Netplan

# This is the network config written by 'subiquity'
network:
  version: 2
  ethernets:
    ens192:
      addresses:
      - 1.2.3.4/24
      gateway4: 1.1.1.1
      nameservers:
        addresses:
        - 8.8.8.8
        - 8.8.4.4
        search:
        - world.net

Then reboot … and the machine is gone. OK, not really gone, but from an IP perspective definitely. It just reboots and comes back without a default gateway :(

Kubernetes Multi-Juicer

If you ever wanna run a Multiplayer OWASP Juice Shop CTF on your own, here are some Notes and Info for bloody beginners

References

Prerequisite

you’ve got

btw. all these commands should run on macOS. Linux may need some adjustments …

Checkmk 2.0 Beta

Install Notes

checkmk 2.0 (beta)

install debian 10.6
upgrade to 10.7
apt-get install dpkg-sig

scp check-mk-raw-2.0.0b1_0.buster_amd64.deb ip-of-host:/tmp/
wget https://checkmk.com/support/Check_MK-pubkey.gpg
gpg --keyserver keys.gnupg.net --recv-keys 434DAC48C4503261
gpg --armor --export 434DAC48C4503261 > Check_MK-pubkey.gpg
gpg --import Check_MK-pubkey.gpg

dpkg-sig --verify check-mk-raw-2.0.0b1_0.buster_amd64.deb

apt-get install gdebi-core
gdebi check-mk-raw-2.0.0b1_0.buster_amd64.deb

omd version
OMD - Open Monitoring Distribution Version 2.0.0b1.cre


omd create mysite
omd start mysite
http://ip-of-host/mysite/
cmkadmin


  The admin user for the web applications is cmkadmin with password: xXxXxXx
  For command line administration of the site, log in with 'omd su mysite'.
  After logging in, you can change the password for cmkadmin with 'htpasswd etc/htpasswd cmkadmin'.


Docker on OSX

Some Notes Based on this Video: https://www.youtube.com/watch?v=bhBSlnQcq2k

Download Docker

https://docs.docker.com/get-docker/

Download Nginx Image

https://hub.docker.com/_/nginx

docker pull nginx

Run Image

docker run nginx
docker run nginx:latest
docker run -d nginx:latest
docker run -d -p 80 nginx:latest
docker run -d -p 8080:80 nginx:latest
docker run -d -p 3000:80 -p 8080:80 nginx:latest

Access Webserver

mbp:~ stoege$ docker run -d -p 8080:80 nginx:latest
5c7a945caa59f14e35932f3d4470c9b9afc0307dac34e01947d41adbcdfda091

mbp:~ stoege$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                  NAMES
5c7a945caa59        nginx:latest        "/docker-entrypoint.…"   About a minute ago   Up About a minute   0.0.0.0:8080->80/tcp   laughing_cartwright

Open Browser http://localhost:8080 -> Welcome Page