Tag: OpenBSD
Absolute OpenBSD 2nd Edition is here!!!
by Brian Hershey on May.20, 2013, under Computer Stuff, OpenBSD
Michael Lucas has done it again. In documenting arguably one of the driest topics on the planet, Mr. Lucas manages to add fun, trivia, and extremely useful knowledge of the OpenBSD team’s latest OS offering to an already excellent book. I read the first one 10 years ago or so, and this one is even better. The updated information on ProPolice, W^X, and the new PF features makes this book a no-brainer for *any* UNIX admin looking to add some extra security to his network, as well as a hobbyist who may be thinking of learning the ways of the shell.
As far as I’m concerned, chapters 21 and 22 were well worth the purchase price alone. If ANY member of the Princeton Area OpenBSD User’s Group would like to read this book, let me know, and I can get you a copy. My only request is that you post what you think of the book on this thread, so the fine folks at No Starch Press can see it, as they were kind enough to get us this advanced copy!
Mr. Lucas has auctioned the first (signed) copy to directly benefit the OpenBSD Project! Take a look here:
http://blather.michaelwlucas.com/archives/1646
The URL for the auction was here:
http://www.ebay.com/itm/Absolute-OpenBSD-2nd-Ed-by-Michael-Lucas-Special-signed-first-copy-printed-/200913454300?
HUGE thanks goes to Jessica Miller of No Starch Press for supplying us with an advanced copy! Thank You! It was a great book! :)
The Russian Federation CIDR blocks are now allowed access to CryptedNets.org
by Brian Hershey on Feb.22, 2009, under General Info, Networking
Sorry for the drastic measure, but I’ve only got about 1mb up and 1mb down, and I hate to be used by anyone as a DDoS reflector. My DNS server no longer allows queries for the root nameservers, (thx again, Kiter) and the block list has been cleared. The entire world may now freely access this site, though I’m not sure what for, save for some comic relief, and sparsely located golden nuggets of networking knowledge.
If you *do* happen to be reading this, just drop a comment to say “hey”.
You don’t even need to register…
It won’t hurt a bit…
Any interest in an OpenBSD how-to?
by Brian Hershey on Dec.06, 2008, under OpenBSD
I started writing an OpenBSD how-to regarding an all-in-one appliance solution some time ago.. (around the 3.4-RELEASE)
It started to seem really redundant, as OpenBSD is so thoroughly documented.
Is there any interest in seeing something like that?
I was thinking of something that could be used as your firewall, mail server, web server, as well as a VPN/DNS/DHCP/SSH/SFTP/FTP server.
We’ll set it up wiki-style, allowing edits.
So, any takers? Those asking questions and offering feedback will be encouraged to post…
OpenBSD pf and Voice over IP
by Brian Hershey on Feb.08, 2006, under OpenBSD
Background
In a typical home network, a NAT device hides a number of internal devices behind a single globally addressable IP address within the network provider’s IP space. While VOIP is readily available to end consumers via the SIP protocol, SIP isn’t directly usable behind a NAT device.
Most VOIP providers utilize what is called a “media proxy”, a set of servers that exist to assist with this issue by redirecting media streams from consumers to the VOIP provider’s SIP servers. This workaround introduces two problems: The media proxies need to have ample bandwidth and low latency, but also end up disallowing more than one SIP device per customer IP address.
To allow for a home network based multi-line multi-device SIP setup, media proxy use is not possible. Instead, the home network NAT device should be configured to redirect SIP control and media streams to the appropriate IP phones within the home network. Packet filter from OpenBSD can fulfill that role. You could also run a local PBX or SIP router, but that solution adds moving parts and is beyond the scope of this note.
Phone configuration
This configuration has been tested with the Cisco 7960 phone.
Do not use NAT proxy or outbound_proxy. Define each call appearance with its distinct SIP proxy information, and the same control port of 5060/udp can be used for all. The STUN phone feature should be enabled, although some commercial SIP proxies can function without it.
pf Configuration
pf(4) uses /etc/pf.conf as its configuration file. Here is a basic subset of a ruleset that also uses ALTQ to guarantee bandwidth to the voice uplink, since upload bandwidth is usually restricted.
While packet queueing is not always necessary, the occasional voice quality degradation associated with link bandwidth being unavailable is undesirable. It is a very useful capability to have at your disposal and allows for reliable, superior to PSTN voice quality.
# Return error codes for ports that are blocked. Allows faster error recovery
set block-policy return
# udp session timeout should be equal to or larger than your smallest SIP registration
# timer timeout. For a typical SIP timeout of 300 seconds, this should suffice.
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
# definitions
int_if = "fxp0"
ext_if = "fxp1"
int_net = "192.168.1.0/24"
ipphone1 = "192.168.1.18"
ipphone2 = "192.168.1.19"
# enable CBQ queueing on the external interface. Define 3 queues
altq on $ext_if cbq bandwidth 1000Kb queue { q_voice, q_pri, q_std }
queue q_voice bandwidth 192Kb priority 7 cbq(borrow)
queue q_pri bandwidth 50% priority 6 cbq(borrow)
queue q_std bandwidth 80% priority 1 cbq(default borrow)
# One translation line per IP phone. static-port is necessary to make pf retain the UDP
# ephemeral port, so that the remote SIP proxy knows what session we belong to
nat on $ext_if proto udp from $ipphone1 to any -> ($ext_if) static-port
nat on $ext_if proto udp from $ipphone2 to any -> ($ext_if) static-port
# Generic NAT rule for all internal network devices
nat on $ext_if from $int_net to any -> ($ext_if)
# Allow external SIP control traffic
pass in quick on $ext_if proto udp from any to any port 5060 keep state
# Allow media traffic, place in voice queue (guaranteed b/w)
# This assumes standard media stream configuration with a Cisco IP phone. Modify as
# necessary.
pass out quick on $ext_if proto udp from $ext_if to any port 16384:32768
tos 0xb8 queue q_voice keep state
# Outgoing traffic creates state entries
pass out quick on $ext_if proto { tcp, udp, icmp } all keep state
block in log all
Troubleshooting and verification
To verify that the implementation works as expected, a media stream should be setup from the internal network, NATted and forwarded to the external SIP gateway. Source and destination ports for control traffic (destination port 5060) and media traffic (varies) should remain unchanged by the gateway. Now, your phones should work
To verify correct packet prioritization, saturate the uplink with a large upload and attempt to use the IP phone at the same time. The IP phone traffic should get mapped to the high priority queue and voice quality should be good at the remote end. Because of ample download bandwidth, queueing is usually not needed and regular packet forwarding is sufficient.
- Check status of queues: pfctl -s queue -v
- Flush state table: pfctl -F state (queue tagging persists with state entries)
- Check firewall rule hit count: pfctl -s rules -v
OpenSSL certificate conversion PKCS#12 PEM
by Brian Hershey on Feb.04, 2006, under OpenBSD
Convert a certificate from PEM format (.pem) to PKCS12 format (.p12)
To use a certificate for authentication or for encryption/decryption, you have to import it into your program’s certificate manager. The program could be a web browser, email client, or even something like a hard-coded encryption/decryption routine run from a script. Different programs, browsers, and mail clients require this certificate in differing formats. At some point, you will need to convert a certificate, unles you *love* spending all of your extra cash on commercial certificates.
Here’s the openssl command to convert your certificate from a PEM format to a PKCS12 format:
$ openssl pkcs12 -export
-out <em>file_name.p12</em>
-name "<em>My certificate</em>"
-inkey ~/.ssl/userkey.pem
-in ~/.ssl/usercert.pem
## Options Explanation ##
-out : The filename of your new certificate file in PKCS12 format.
-name : An arbitrary text name to differentiate this certificate from others.
-inkey : The path and the name of the file containing your private key
-in : The path and the name of the file containing your certificate.
Convert a certificate from PKCS12 format (.p12) to PEM format (.pem)
- To export just your private key to ~/.ssl/userkey.pem…
$ openssl pkcs12 -nocerts -in cert.p12 -out ~/.ssl/userkey.pem
- To export only your certificate to ~/.ssl/usercert.pem…
$ openssl pkcs12 -clcerts -nokeys -in cert.p12 -out ~/.ssl/usercert.pem
-in cert.p12 : the path and filename of your certificate in PKCS12 format.
Change the passphrase of the private key
$ openssl rsa -in ~/.ssl/userkey.pem -des3
Where ~/.ssl/userkey.pem is your private key
The openssl command will prompt for:
1. your old password
2. your new password
3. verification of your new password
Installing an OpenBSD VirtualPC on a Mac
by Brian Hershey on Jan.22, 2006, under Mac OSX, OpenBSD
The following directions are for OpenBSD and Virtual PC on the Macintosh, and assume familiarity with the installation and use of both. Note that if you have OpenBSD CDs, you may boot off the i386 CD to perform the installation. Please refer to either the OpenBSD/i386 installation documentation or the Virtual PC documentation in case of questions, as documenting the installation of either is beyond the scope of this document.
- Grab(buy) the latest OpenBSD release. (there’s a link on the Links page)
- Create a Virtual PC hard disk image file of the size you want your OpenBSD hard disk to be, at least a gigabyte if you want to unpack the source tree and have a usable system. However, you can get away with a hard disk as small as 300MB or so for a complete installation.
- Change the VirtualPC partition to use a fixed file size on your local disk. You *CANNOT* use a dynamically re-sizable partition. The only drawback to this is that a 10gb partition takes up 10gb, even if most of it is empty space. OpenBSD does not like dynamically resizing partitions, and installing OpenBSD on one of these will hang while extracting base3x.tgz. (or it will hang on misc3x.tgz if it makes it through base3x.tgz)
- Capture your OpenBSD CD or the cd38.iso image to the VirtualPC’s cdrom drive.
- Start up the VirtualPC, and boot to the captured CD image.
- Perform OpenBSD install as usual.
- Shut down the virtual machine with halt… Welcome to OpenBSD: The proactively secure Unix-like operating system.
Using Multiple Pre-Shared Keys with OpenBSD ISAKMPD
by Brian Hershey on Jan.02, 2006, under OpenBSD
Having an Open Source IPSec VPN into the office is nifty. It usually also means others will want to appreciate it’s niftiness… (and use your bandwidth to check their Exchange calendars). So, do you want 30 or so other users out there with their perpetually un-locked, spyware and virus-vulnerable XtraPenetrable laptops, holding the only pre-shared key to your VPN? Of course not. (you really don’t). So, implement one pre-shared key per user, or one key per group, depending on your policy of access revocation.
We really like OpenBSD around here, and may sound like men with a hammer thinking everything is a nail, but it really does do *everything* well as far as we use it. So here’s the setup.
First, you must create the config files for ISAKMPD.
$ sudo touch /etc/isakmpd/isakmpd.conf
$ sudo touch /etc/isakmpd/isakmpd.policy
Then, turn on the AH and ESP protocols by editing the /etc/sysctl.conf.
net.inet.esp.enable=1 # 0=Disable the ESP IPsec protocol
net.inet.ah.enable=1 # 0=Disable the AH IPsec protocol
Or, just do it from the shell-
$ sudo su
# sysctl -w net.inet.esp.enable=1
# sysctl -w net.inet.ah.enable=1
Now, we’ll set up a basic road-warrior configuration in /etc/isakmpd/isakmpd.conf .
Here’s an example.
Next, we’ll set up the multiple pre-shared keys in the policy file.
Here’s another example.
After we edit these files, you’ll need to change the permissions on them.
$ sudo su
# chmod 0500 /etc/isakmpd/isakmpd.conf /etc/isakmpd/isakmpd.policy
Now allow the VPN traffic through your packet filter-
Here’s another example.
Apply the new packet filter configuration:
# pfctl -f /etc/pf.conf -F all -d -e
Fire up ISAKMPD in debug mode so you can see any incoming connections
$ sudo su
# isakmpd -d -DA=75
Once your road-warrior connects successfully, kill the debug mode ISAKMPD and start it in normal daemon mode.
$ sudo su
# pkill -9 isakmpd && isakmpd
Now, connect a road-warrior machine to the outside of your firewall, and check for your security associations.
$ sudo su
# ipsecadm show
If you have a valid VPN connection, you should see something like this:
sadb_dump: satype esp vers 2 len 40 seq 0 pid 0
sa: spi 0x80655c1b auth hmac-sha1 enc 3des-cbc
state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 0 add 1136234418 first 0
lifetime_soft: alloc 0 bytes 0 add 0 first 0
lifetime_hard: alloc 0 bytes 0 add 28800 first 0
address_src: 192.168.245.2
address_dst: 192.168.209.2
identity_src: type prefix id 0: 192.168.245.2/32
identity_dst: type prefix id 0: 192.168.209.2/32
key_auth: bits 160: 9dfde94cd9708d6a995a4d238
key_encrypt: bits 192: 3bc2f3f7f0fbce8a12ae73966c5
sadb_dump: satype esp vers 2 len 40 seq 0 pid 0
sa: spi 0x895dcf4b auth hmac-sha1 enc 3des-cbc
state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 0 add 1136261627 first 0
lifetime_soft: alloc 0 bytes 0 add 25920 first 0
lifetime_hard: alloc 0 bytes 0 add 28800 first 0
addres_src: 192.168.245.2
addres_dst: 192.168.209.2
identity_src: type prefix id 0: 192.168.245.2/32
identity_dst: type prefix id 0: 192.168.209.2/32
key_auth: bits 160: 9d8c52703983b1497b655a9
key_encrypt: bits 192: 39875c4b8fd77ec740f37da27d
You can also check the VPN connections with netstat-
$ sudo su
# netstat -rn
Should output something like this-
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.0/24 0 192.168.10/24 0 0 192.168.245.2/50/use/in
192.168.10/24 0 192.168.0/24 0 0 192.168.209.2/50/require/out
I realise this is short, (I wasn’t paid to write this book) ;) so please feel free to post any questions or comments.
RoundCube Webmail is BEAUTIFUL!
by Brian Hershey on Nov.30, 2005, under OpenBSD
I have a fully functional Postfix server running Apache and MySQL.
As RoundCube’s webmail requires IMAP, I also installed the Dovecot IMAP server from the OpenBSD ports tree. Then, I unzipped RoundCube’s webmail package to my webroot, and in 5 minutes it was running and working properly on an OpenBSD-3.8-STABLE server. Check it out at RoundCube’s website.
This is a must-have webmail interface. (even tho it’s kinda RedHat-ish, I still like it!)
Plus, it’s completely skinnable with XHTML and CSS2.
OpenBSD 3.7 to 3.8 upgrade is *simple*
by Brian Hershey on Nov.06, 2005, under OpenBSD
I’ve just spent a few days out of town, and realised upon my return, that OpenBSD 3.8 has been released! yay!
I chose to use the “Upgrade without install media”,
not cause I couldn’t access the machine, but I can’t stand being in the server closet, standing there, installing something. waiting…
I should be able to supply the media, manually overwrite the system files, and re-boot to my new OS. (from the couch ; ) Well, now I can. (and I did!)
So, to begin, I verified that my 3.7-STABLE install was running all necessary patches, then followed this document found on OpenBSD’s site regarding upgrading from OpenBSD 3.7 to 3.8. It worked flawlessly, and now my dmesg happily reports:
OpenBSD 3.8 (PRINCETON) #0: Sun Nov 6 01:17:15 CST 2005 root@cryptednets.org:/usr/src/sys/arch/i386/compile/PRINCETON cpu0: Intel Pentium III ("GenuineIntel" 686-class, 128KB L2 cache) 565 MHz real mem = 132489216 (129384K) avail mem = 114262016 (111584K)
Need a cross-platform Unix command cribsheet?
by Brian Hershey on Oct.28, 2005, under OpenBSD
Here it is!
These UNIX Commands will help out if you need to log in to a foreign system,
and pkg_info just doesn’t work for you!
Thanks Unixguide! Who knew that ” instfix -i ” shows all installed patches on AIX? (not me)