Openbsd apu » History » Version 4

sacha, 11/11/2020 21:37

# Firewall OpenBSD on PCEngines APU

**DISCLAIMER: This is not a step by step guide.**

This is a toolbox of various config files, scripts (such as Prometheus startup scripts, sounds on boot...) and various tips (adding a hardware power button).

## Install an OpenBSD image

### Getting the OpenBSD image

The list of the mirrors is here: https://www.openbsd.org/ftp.html

Get the latest version, here 6.5:

~~~
wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/install65.fs
~~~

### Write the image to a USB key

My USB key is on /dev/sde:

~~~
dd if=install65.fs of=/dev/sde bs=1M
~~~

### Boot USB & install

Select the tty output at 115200 on com0:

~~~
SeaBIOS (version rel-1.12.0.1-0-g393dc9c)

Press F10 key now for boot menu

Booting from Hard Disk...
Using drive 0, partition 3.
Loading......
probing: pc0 com0 com1 com2 com3 mem[639K 1918M a20=on]
disk: hd0+ hd1+*
>> OpenBSD/amd64 BOOT 3.43
boot> stty com0 115200
boot> set tty com0
switching console to com>> OpenBSD/amd64 BOOT 3.43
boot>
~~~

Answering the installer prompts:

~~~
Welcome to the OpenBSD/amd64 6.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I

Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') cerbere
Password for root account? (will not echo)
Password for root account? (again)
Start sshd(8) by default? [yes]
Change the default console to com0? [yes]
Available speeds are: 9600 19200 38400 57600 115200.
Which speed should com0 use? (or 'done') [115200]
Setup a user? (enter a lower-case loginname, or 'no') [no]
Since no user was setup, root logins via sshd(8) might be useful.
WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? (yes, no, prohibit-password) [no] yes

Available disks are: sd0 sd1.
Which disk is the root disk? ('?' for details) [sd0]
No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]
~~~

Disk layout used:

* 80% /
* 10% swap
* 10% /var/log

### Configuration

#### /etc/sysctl.conf

~~~
net.inet.ip.forwarding=1
net.inet.gre.allow=1
~~~

#### /root/.profile

~~~
export PS1="\H|\t|:\w\\$"

umask 022

#export LS_OPTIONS='--color=auto'
alias ls='/usr/local/bin/colorls -G'
alias ll='ls -l'
alias l='ls -lA'
alias d="du -d 1 -h"   # OpenBSD du(1) has no --max-depth; -d gives the same depth limit
#alias carp='ifconfig carp |grep -e "MASTER" -e "BACKUP" && ifconfig -g carp'

# Some more aliases to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'
# Show the current pf blacklist and the 10 busiest states
alias b='echo "\n IP BLACKLISTED\n========================================================";pfctl -t BLACKLIST -T show;echo "\n TOP 10 states\n========================================================";pfctl -sS |sort -nrk4 |head -n 10 '
echo
echo "________________________________________________________________________"
echo
who
echo "________________________________________________________________________"
echo
last -n 20
echo "________________________________________________________________________"
echo
uptime
echo "________________________________________________________________________"
~~~

#### /home/sacha/.profile

~~~
# $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $
#
# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games
export PATH HOME TERM

export PS1="\H|\t|:\w\\$"

alias ls='colorls -G'
alias ll='ls -l'
alias l='ls -lA'
alias d="du -d 1 -h"   # OpenBSD du(1) has no --max-depth; -d gives the same depth limit

# Some more aliases to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias df='df -h'

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
echo -n "     " && uname -a
echo
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo
w
echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"
echo && echo
~~~

#### /etc/ssh/sshd_config

~~~
Port 55555
PasswordAuthentication no
ChallengeResponseAuthentication no
~~~

* Add the local network on em2, in the form 10.10.<département>/24

#### /etc/dhcpd.conf

Depending on the local network, for example:

~~~
subnet 10.10.79.0 netmask 255.255.255.0 {
  range 10.10.79.100 10.10.79.199;
  default-lease-time 600;
  max-lease-time 7200;
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.10.79.255;
  option routers 10.10.79.254;
  option domain-name-servers 10.10.79.254, 185.233.100.100;
  option domain-name "niort.rosedor.fr";
}
~~~

~~~
echo 'dhcpd_flags="em2"' >>/etc/rc.conf.local
~~~

#### /etc/resolv.conf

~~~
search brest.openlux.fr
nameserver 10.10.79.254
lookup file bind
~~~

#### /etc/ntpd.conf

~~~
# $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $
#
# See ntpd.conf(5) and /etc/examples/ntpd.conf

#listen on 172.16.1.254
servers fr.pool.ntp.org
~~~

#### boot sound

* Examples:

~~~
echo -e "l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker
echo -e "<cd<a#~<a#>f" > /dev/speaker
echo "o2 AAA ml o2l8F P16 o3l16C o2 l4A  l8F o3P16l16C o2 l4A p4 o3 EEE ml l8F P16 o3l16C o2 l4A- l8F o3P16l16C o2 l4A"  > /dev/speaker
echo -e "ec" > /dev/speaker
echo -e "t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.." > /dev/speaker
echo -e "t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.">/dev/speaker
echo -e "t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8" > /dev/speaker
echo -e "olcega.a8f>cd2bgc.c8dee2" > /dev/speaker
echo -e "msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4" > /dev/speaker
echo -e "l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker

Beatles
"T255O3< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A F#A B A F# L1 E.< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A L2 F#.> L4 C# < L2 B A L1 B B L1 N0< < L2 A > > > L4 C# < L2 B > L2 C# < L2 A.> L4 C# < A B > L2 C#.< < L2 A > > > L4 C# < L2 B > C# < L2 A.L4 N0 A L2 B AL2 N0 > L2 C# < B A N0L4 F# A B E A B D A B A G# F# E"

sw
"t136 mn o3 l8 ddgfe-dc o2 b-ag o3 d2. l12 ddd l8 g4 p4 p2 p2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t136 mn o3 l8 p4 mn o2 l8 d4 e4.e o3c o2 bag l12 gab l8 a8. e16f+4d8. d e4.e o3 c o2 bag o3 d8.o2   a16 ml a4a4 mn d4 e4.e O3 c o2 bag l12 gaba8. e16 f+4 o3 d8. d16 l16   g8. fe-8. d c8. o2 b-a8. g o3 d2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 co2 b o3c l2 ml o2a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2ba ml l2 o3gdd mn l6 co2bo3c l2 ml o2a1a4 p4 mn l6 o3 mn ddd ml l1 gggg4 p4 p4 mn l12 dddg2"

Reveille: t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f..
Close Encounters: <cd<a#~<a#>f
Lord of the Dance (aka Simple Gifts): t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.
Loony Toons theme: t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8
standard villain's entrance music: mst200o2ola.l8bc.~a.~>l2d#
a trope from 'The Right Stuff' score by Bill Conti: olcega.a8f>cd2bgc.c8dee2
opening bars of Bach's Toccata and Fugue in D Minor: msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4
opening bars of the theme from Star Trek Classic: l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2
~~~

~~~
echo 'echo -e "<cd<a#~<a#>f" > /dev/speaker' >> /etc/rc.local
echo 'echo "O3L30cO4L30cO5L30cO5L30g" > /dev/speaker' >> /etc/rc.local
~~~

#### Unbound

~~~
ln -s /var/unbound/etc/unbound.conf /etc/unbound.conf
~~~

~~~
# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $

server:
        interface: 127.0.0.1
        interface: 172.16.1.254
        #interface: 127.0.0.1@5353      # listen on alternative port
#       interface: ::1
        do-ip6: no

        # override the default "any" address to send queries; if multiple
        # addresses are available, they are used randomly to counter spoofing
        #outgoing-interface: 192.0.2.1
        #outgoing-interface: 2001:db8::53

        # Refuse everyone by default; only localhost and the LAN may query.
        # The LAN entry is a netblock (network address, not the interface address).
        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: 172.16.0.0/16 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow

        hide-identity: yes
        hide-version: yes

        # Uncomment to enable DNSSEC validation.
        #
        #auto-trust-anchor-file: "/var/unbound/db/root.key"
        #val-log-level: 2

        # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains
        # https://tools.ietf.org/html/rfc8198
        #
        #aggressive-nsec: yes

        # Serve zones authoritatively from Unbound to resolver clients.
        # Not for external service.
        #
        #local-zone: "local." static
        #local-data: "mycomputer.local. IN A 192.0.2.51"
        #local-zone: "2.0.192.in-addr.arpa." static
        #local-data-ptr: "192.0.2.51 mycomputer.local"

        # UDP EDNS reassembly buffer advertised to peers. Default 4096.
        # May need lowering on broken networks with fragmentation/MTU issues,
        # particularly if validating DNSSEC.
        #
        #edns-buffer-size: 1480

        # Use TCP for "forward-zone" requests. Useful if you are making
        # DNS requests over an SSH port forwarding.
        #
        #tcp-upstream: yes

remote-control:
        control-enable: yes
        control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
#forward-zone:
#       name: "."                               # use for ALL queries
#       forward-addr: 192.0.2.53                # example address only
#       forward-first: yes                      # try direct if forwarder fails
~~~

~~~
rcctl enable unbound
rcctl start unbound
~~~

#### Install Prometheus node exporter

~~~
pkg_add go git gmake python-3.6 colorls gnuwatch mtr pftop curl bash
ln -s /usr/local/bin/python3 /usr/local/bin/python
cd /home/sacha
go get github.com/prometheus/node_exporter
cd /home/sacha/go/src/github.com/prometheus/node_exporter
gmake
mv node_exporter /usr/local/bin/
~~~

##### Startup script: /etc/rc.d/node_exporter

Add a login class for the daemon in /etc/login.conf:

~~~
vim /etc/login.conf
(...)
node_exporter:\
  :tc=daemon:
~~~

~~~
cap_mkdb /etc/login.conf
groupadd -g 2222 _node_exporter
useradd -u 2222 -g 2222 -c "Prometheus Node Exporter agent" -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
~~~

* /etc/rc.d/node_exporter

~~~
#!/bin/sh
#
# rc.d script for the Prometheus node exporter

daemon="/usr/local/bin/node_exporter"
node_exporter_textfile_dir="/var/node_exporter"
daemon_flags="--collector.textfile.directory=${node_exporter_textfile_dir}"
daemon_user="_node_exporter"
daemon_group="_node_exporter"

. /etc/rc.d/rc.subr

pexp="${daemon}.*"
rc_bg=YES
rc_reload=NO

rc_pre() {
    # Create the unprivileged account if it does not exist yet
    if ! id ${daemon_user} >/dev/null 2>&1; then
        groupadd _node_exporter
        useradd -g _node_exporter -c "Prometheus Node Exporter agent" \
            -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter
    fi
    # Directory read by the textfile collector, owned by the daemon user
    if [ ! -d ${node_exporter_textfile_dir} ]; then
        install \
            -d \
            -o ${daemon_user} \
            -g ${daemon_group} \
            -m 1755 \
            ${node_exporter_textfile_dir}
    fi
}

rc_start() {
    ${rcexec} "${daemon} ${daemon_flags} < /dev/null 2>&1"
}

rc_cmd $1
~~~

~~~
chmod 0755 /etc/rc.d/node_exporter
chown root:wheel /etc/rc.d/node_exporter

rcctl enable node_exporter
rcctl start node_exporter
~~~

---

## Firewall

~~~
touch /etc/BLACKLIST
vi /etc/WHITELIST
~~~

### Standard: 1 ADSL

~~~
#######################################################
#         Firewall PF - OpenBSD -                     #
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #
# V1.0 - 20190612                                     #
#######################################################


#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               MACROS                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#-----------------------------------------#
#               Interfaces                #
#-----------------------------------------#
#=====----> ADSL
ADSL       = "pppoe0"

#=====----> LAN
LAN             = "em2"
LAN_VoIP        = "em3"

#-----------------------------------------#
#               Hosts                     #
#-----------------------------------------#

#-----------------------------------------#
#       W H I T E  L I S T                #
#-----------------------------------------#
table <WHITELIST> persist file "/etc/WHITELIST"

#-----------------------------------------#
#       B L A C K  L I S T                #
#-----------------------------------------#
table <BLACKLIST> counters persist file "/etc/BLACKLIST"

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               OPTIONS                 #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
set loginterface $ADSL

#set optimization aggressive
set block-policy drop

set skip on lo0

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               LOG                     #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match log all

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               NORMALISATION           #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

# Clean up incoming packets
match in scrub (reassemble tcp random-id)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#                NAT                    #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
match out on $ADSL inet from ($LAN:network) to any nat-to ($ADSL)

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               FILTERING               #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
block log all

#-----------------------------------------#
#               Anti-Flood                #
#-----------------------------------------#
#NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)"
NOFLOOD ="keep state (source-track rule, max-src-states 100)"

block in log quick on $ADSL from no-route to any
block out log quick on $ADSL from no-route to any
block in log quick on $ADSL from any to 255.255.255.255

#-----------------------------------------#
#               Blacklists                #
#-----------------------------------------#
block in quick from <BLACKLIST>

block in log quick on $ADSL inet proto icmp from any to any icmp-type redir
block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#               Anti-spoof                  #
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
antispoof log quick for $ADSL label "antispoof"

#---------------------------------------#
#               ICMP                    #
#---------------------------------------#
pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach }

#---------------------------------------#
#               Trace Route             #
#---------------------------------------#
pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state

#---------------------------------------#
#               WHITELIST               #
#---------------------------------------#
pass in quick on $ADSL proto tcp from <WHITELIST> to any port 55555

#---------------------------------------#
#                 LAN                   #
#---------------------------------------#

#=====----> Firewall to Lan
pass out on $LAN inet to $LAN:network

#=====----> ssh LAN
pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555
#pass in quick proto tcp from any to port 55555

#=====----> dns
pass in quick on $LAN proto udp from $LAN:network to $LAN port 53

#=====----> dhcp
pass in quick on $LAN inet from $LAN:network to 255.255.255.255

#=====----> Permit Lan to output
pass in on $LAN inet from $LAN:network to any

pass out on $LAN inet from $LAN:network to any

#---------------------------------------#
#            ACCEPT OUTGOING            #
#---------------------------------------#
pass out on $ADSL
~~~
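The ruleset above depends on pf's evaluation order: the last matching rule wins, except that a matching rule marked `quick` ends evaluation immediately. Because `block in quick from <BLACKLIST>` sits before the WHITELIST pass, a host present in both tables is blocked, and `block log all` only decides when no later rule matches. As an added example (not from the original page), this Python model replays a subset of the "Standard: 1 ADSL" rules over constructed packets; the table contents are invented, `$LAN:network` is taken as 10.10.79.0/24 from the dhcpd.conf example, and destination addresses are ignored.

```python
import ipaddress

# Constructed data: $LAN:network from the dhcpd.conf example on this page,
# table contents invented for the demonstration.
LAN_NET = ipaddress.ip_network("10.10.79.0/24")            # $LAN:network
LAN_IF, ADSL_IF = "em2", "pppoe0"                          # $LAN, $ADSL
WHITELIST = {ipaddress.ip_address(a) for a in ("203.0.113.10", "198.51.100.7")}
BLACKLIST = {ipaddress.ip_address(a) for a in ("198.51.100.7", "192.0.2.66")}

# Subset of the "Standard: 1 ADSL" rules, in pf.conf order.  A rule carries
# only the fields it constrains; a missing field matches anything.
RULES = [
    dict(action="block"),                                       # block log all
    dict(action="block", quick=True, dir="in", src=BLACKLIST),  # block in quick from <BLACKLIST>
    dict(action="pass", quick=True, dir="in", iface=ADSL_IF,    # pass in quick on $ADSL proto tcp
         proto="tcp", src=WHITELIST, dport=55555),              #   from <WHITELIST> to any port 55555
    dict(action="pass", quick=True, dir="in", iface=LAN_IF,     # ssh LAN
         proto="tcp", src=LAN_NET, dport=55555),
    dict(action="pass", quick=True, dir="in", iface=LAN_IF,     # dns
         proto="udp", src=LAN_NET, dport=53),
    dict(action="pass", dir="in", iface=LAN_IF, src=LAN_NET),   # Permit Lan to output
    dict(action="pass", dir="out", iface=ADSL_IF),              # ACCEPT OUTGOING
]

def packet(direction, iface, proto, src, dport=None):
    """Minimal packet description (destination is not needed for these rules)."""
    return dict(dir=direction, iface=iface, proto=proto,
                src=ipaddress.ip_address(src), dport=dport)

def matches(rule, pkt):
    for key in ("dir", "iface", "proto", "dport"):
        if key in rule and rule[key] != pkt[key]:
            return False
    # 'in' works both for a table (set of addresses) and for an ip_network
    return "src" not in rule or pkt["src"] in rule["src"]

def evaluate(rules, pkt):
    """pf semantics: the last matching rule decides, unless a matching rule
    is marked quick, which stops evaluation on the spot."""
    decision = None
    for rule in rules:
        if matches(rule, pkt):
            decision = rule
            if rule.get("quick"):
                break
    return decision["action"] if decision else "pass"  # pf passes when nothing matches

def ssh_from_internet(src):
    """Verdict for a TCP packet to the firewall's ssh port arriving on $ADSL."""
    return evaluate(RULES, packet("in", ADSL_IF, "tcp", src, 55555))
```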