Network

SSH - Legacy Devices

Intro

sometime, one have to access to old and legacy devices. they may do not support the current ciphers and key algorithms, so, we have to modify the “.ssh/config” File or provide some additional cli arguments.

If you have todo this regualary, you may wanna extend the current parameters with the legacy ones like this:

Backup old config

you never know ;)

mv /etc/ssh/ssh_config /etc/ssh/ssh_config-$(date "+%s")

Install Updated Version

you have to copy/paste as root

OpenBSD - Smokeping

How to Install Smokeping on OpenBSD

Requiremens

  • running Server with OpenBSD
  • Root Permission
  • FQDN with Cert

Install Software

pkg_add smokeping

Update Config

cat << 'EOF' >/etc/smokeping/config
*** General ***

owner    = YOUR NAME
contact  = YOUR@EMAIL.NET
mailhost = localhost
sendmail = /usr/sbin/sendmail
# NOTE: do not put the Image Cache below cgi-bin
# since all files under cgi-bin will be executed ... this is not
# good for images.
imgcache = /var/www/htdocs/smokeping/cache
imgurl   = cache
datadir  = /var/db/smokeping
piddir  = /var/run
cgiurl   = https://YOUR.URL.NET/smokeping/smokeping.cgi
smokemail = /etc/smokeping/smokemail
tmail = /etc/smokeping/tmail
# specify this to get syslog logging
syslogfacility = local0
# each probe is now run in its own process
# disable this to revert to the old behaviour
# concurrentprobes = no

*** Alerts ***
to = YOUR@EMAIL.NET
from = smokealert@localhost

+someloss
type = loss
# in percent
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times  in a row

*** Database ***

step     = 300
pings    = 20

# consfn mrhb steps total

AVERAGE  0.5   1  28800
AVERAGE  0.5  12   9600
    MIN  0.5  12   9600
    MAX  0.5  12   9600
AVERAGE  0.5 144   2400
    MAX  0.5 144   2400
    MIN  0.5 144   2400

*** Presentation ***

template = /etc/smokeping/basepage.html

htmltitle = yes
graphborders = no

+ charts

menu = Charts
title = The most interesting destinations

++ stddev
sorter = StdDev(entries=>4)
title = Top Standard Deviation
menu = Std Deviation
format = Standard Deviation %f

++ max
sorter = Max(entries=>5)
title = Top Max Roundtrip Time
menu = by Max
format = Max Roundtrip Time %f seconds

++ loss
sorter = Loss(entries=>5)
title = Top Packet Loss
menu = Loss
format = Packets Lost %f

++ median
sorter = Median(entries=>5)
title = Top Median Roundtrip Time
menu = by Median
format = Median RTT %f seconds

+ overview 

width = 600
height = 50
range = 10h

+ detail

width = 600
height = 200
unison_tolerance = 2

"Last 3 Hours"    3h
"Last 30 Hours"   30h
"Last 10 Days"    10d
"Last 360 Days"   360d

#+ hierarchies
#++ owner
#title = Host Owner
#++ location
#title = Location

*** Probes ***

+ FPing

binary = /usr/local/sbin/fping

*** Targets ***

probe = FPing

menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing

+ Remote
menu= Remote
title= Remote hosts

+ DNS
menu = DNS
title = DNS

++ cf
menu = 1.1.1.1
title = 1.1.1.1
host = 1.1.1.1

++ google
menu = 8.8.8.8
title = 8.8.8.8
host = 8.8.8.8

++ quad9
menu = 9.9.9.9
title = 9.9.9.9
host = 9.9.9.9
EOF

Create Folders

don’t like to set permission to 777. but it does not work without :(

Anycast IPv6 - YourSelf

How to Build your own AnyCast Network

you’re using anycast every day. all public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) for example are anycast ip’s and hence, many servers distributed around the world which listen and announce the same ip address.

we can build a proof of concept, how to build such a network, for a few $.

Requirements

AS Number

Anycast heavily depends on BGP. So, you need a own AS Number. I got my for 15 CHF/Year from Securebit.ch. You should also keep in mind that you will not get any IPv4 addresses without buying them for the market. So, your Setup will be based on IPv6 only.

Anycast - Checker

When is an anycast ip an anycast ip ?

that’s a question i was asked recently. As LTNN (Long Term Networking Nerd), i’m aware of Unicast, Multicast, Broadcast and also Anycast. so, let’s have a look into this.

hint: this article is not about how to setup your own anycast network. this may follow soon ?!?

Terminologie

Unicast 1:1

Sending a message from one sender to one recipient

Multicast 1:many

Sending a message from one sender to multiple recipients

Smokeping on Docker

If you have Docker running somehwere … bring up your Smoke Instance within Seconds ;)

Smokeping

docker run --name smoke --restart always -d -p 80:80 linuxserver/smokeping

Show Containers

docker ps
docker-test:~# docker ps
CONTAINER ID   IMAGE                   COMMAND   CREATED         STATUS         PORTS                               NAMES
8f8b872ac1c3   linuxserver/smokeping   "/init"   6 minutes ago   Up 6 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp   smoke

Shell into Docker

docker exec -it smoke /bin/sh

Check Netstat

root@8f8b872ac1c3:/# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     406670 s
unix  2      [ ACC ]     STREAM     LISTENING     406078 /run/apache2/fcgidsock/137.0

Preview

Ubuntu 20.04 LTS & Netplan

Assume you got a fresh Machine with DHCP …

Ubuntu with DHCP Config

cat /etc/netplan/01-netcfg.yaml
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens192:
      dhcp4: true
  version: 2

and you’d like to switch to Static IP, ask google how todo it an give try:

Static IP with Netplan

# This is the network config written by 'subiquity'
network:
  version: 2
  ethernets:
    ens192:
      addresses:
      - 1.2.3.4/24
      gateway4: 1.1.1.1
      nameservers:
        addresses:
        - 8.8.8.8
        - 8.8.4.4
        search:
        - world.net

then reboot … and the machine is gone. ok, not really gone, but from IP perspective definitly. it just reboots and come back without default gateway :(

OpenBGPD Looking Glass

BGP Looking Glass with OpenBSD

something I’ve wanted to do for a long time and never got around to it …

Just give a try, it’s public available: https://bgp.stoege.net/

Prerequisite

  • OpenBSD VM (at least 2G RAM)
  • Public IPv4 / IPv6
  • DNS Record / Static IP
  • Full BGP Feed (don’t worry, you can get it for free)

httpd config

OpenBSD got their own HTTP Daemon in Base System. Let’s enable and configure it.

MAC Converter

MAC Address Converter

We’re all dealing with MAC Addresses, some times … there are different formats on different systems. this little script convert it to all formats and you can choise the appropriate ones.

Example

$ maconvert aa:bb:cc:dd:ee:ff

aabbccddeeff
aa:bb:cc:dd:ee:ff
aa-bb-cc-dd-ee-ff
aabb.ccdd.eeff

Script

Copy/Paste will work on OpenBSD, Linux needs some small Modifications (as there is no doas for example …)

doas su -

cat << 'EOFSCRIPT' > /usr/local/bin/maconvert
#!/usr/bin/env bash

# v0.1, 2021, by Christian Henschel
# v0.2, 2021-12-29, Stöge -> add OpenBSD Support & install gawk if needed

if [ OpenBSD == $(uname -s) ]; then
  which gawk &>/dev/null || doas pkg_add gawk
  _awk=$(which gawk)
else
  _awk=$(which awk)
fi

if [ -z "$1" ]; then
  cat <<'EOF'

  no mac address entered, valid format are:

  cafedeadbeef
  cafe.dead.beef
  ca:fe:de:ad:be:ef
  ca-fe-de-ad-be-ef

EOF
  exit 1
else
  mac=$(echo $1 | sed -e 's/[.:-]//g')
  maccolon=$(echo $mac  | $_awk '{gsub(/..\B/,"&:")}1')
  macdash=$(echo $mac  | $_awk '{gsub(/..\B/,"&-")}1')
  macpoint=$(echo $mac | $_awk '{gsub(/....\B/,"&.")}1')
fi

cat <<EOF

  $mac
  $maccolon
  $macdash
  $macpoint

EOF
exit 0
EOFSCRIPT

doas chmod 755 /usr/local/bin/maconvert
maconvert

NJoy!

RPKI for Home Usage

Resource Public Key Infrastructure

you may know what RPKI is …

It’s a PKI Framework for improving Security for the Internet Routing Infrastructure based on BGP.

As a HomeUser or Small/Medium Size Company, you normally don’t have a Full BGP Table and multipe Upstream Providers. You have one Internet Router or Firewall and you get a Default Route from your ISP.

With OpenBGPD and the current rpki extensions, you “just” need a Full BGP Feed and then, you can filter all invalid ROA’s and keep your Routing (and Internet Access) more Secure.

Mint Vlan

How to configure a Vlan on Linux Mint ?

Wiki

Install vlan

sudo apt-get install vlan

Configuration

root@mint:~# sudo modprobe 8021q

root@mint:~# ifconfig
ens19: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.18.83  netmask 255.255.255.0  broadcast 10.10.18.255
        inet6 2001:db8:1:2:9506:5fcd:1c61:1279  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:1:2:a9:c50b:1348:1ec6  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:1:2:e064:b0ec:a08f:7fd8  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:1:2:a015:7ec:eef0:1a75  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:1:2:a028:b890:ffe8:5231  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:1:2:c80:addb:1273:95d5  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::9cc2:b22d:cc15:2946  prefixlen 64  scopeid 0x20<link>
        ether 4e:e5:10:00:06:83  txqueuelen 1000  (Ethernet)
        RX packets 181  bytes 58337 (58.3 KB)
        RX errors 0  dropped 7  overruns 0  frame 0
        TX packets 271  bytes 48413 (48.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 138  bytes 13723 (13.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 138  bytes 13723 (13.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@mint:~# vconfig add ens19 158
Added VLAN with VID == 158 to IF -:ens18:-
root@mint:~#

root@mint:~# ip addr add 100.60.100.83/24 dev ens19.158
root@mint:~#

root@mint:~# ip link set up ens19.158
root@mint:~#

Make Permanent

sudo su -c 'echo "8021q" >> /etc/modules'

/etc/network/interfaces
auto ens19.158
iface ens19.158 inet static
    address 100.60.100.83
    netmask 255.255.255.0
    vlan-raw-device ens19.158
    up route add -net 10.0.0.0 netmask 255.0.0.0 gw 100.60.100.1

Any Comments ?

sha256: e69d61613b45307405014943049154d70c8cf140d2a3bcf5bbf7679fbefa798f