Version 5 - Historique - Openbsd apu - Aquilenet - L'atelier d'Aquilenet

1

sacha

> > {{\>toc}}

2

4

1

sacha

6

1

sacha

8

1

sacha

10

1

sacha

## Install an OpenBSD image

11

12

13

### Getting the OpenBSD image

14

15

The list of the mirrors is here: https://www.openbsd.org/ftp.html

16

Get the last version, here 6.5

17

18

~~~

19

wget ftp://ftp.irisa.fr/pub/mirrors/OpenBSD/6.5/amd64/install65.fs

20

~~~

21

22

### Write the image to an USB Key

23

24

My usb key is on /dev/sde

25

26

~~~

27

dd if=install65.fs of=/dev/sde bs=1M

28

~~~

29

30

### Boot USB & install

31

32

Select the tty output in 115200 on com0

33

34

~~~

35

SeaBIOS (version rel-1.12.0.1-0-g393dc9c)

36

37

Press F10 key now for boot menu

38

39

Booting from Hard Disk...

40

Using drive 0, partition 3.

41

Loading......

42

probing: pc0 com0 com1 com2 com3 mem[639K 1918M a20=on]

43

disk: hd0+ hd1+*

44

>> OpenBSD/amd64 BOOT 3.43

45

boot> stty com0 115200

46

boot> set tty com0

47

switching console to com>> OpenBSD/amd64 BOOT 3.43

48

boot>

49

~~~

50

51

Replying to answears

52

~~~

53

Welcome to the OpenBSD/amd64 6.5 installation program.

54

(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I

55

56

Terminal type? [vt220]

57

System hostname? (short form, e.g. 'foo') cerbere

58

Password for root account? (will not echo)

59

Password for root account? (again)

60

Start sshd(8) by default? [yes]

61

Change the default console to com0? [yes]

62

Available speeds are: 9600 19200 38400 57600 115200.

63

Which speed should com0 use? (or 'done') [115200]

64

Setup a user? (enter a lower-case loginname, or 'no') [no]

65

Since no user was setup, root logins via sshd(8) might be useful.

66

WARNING: root is targeted by password guessing attacks, pubkeys are safer.

67

Allow root ssh login? (yes, no, prohibit-password) [no] yes

68

69

Available disks are: sd0 sd1.

70

Which disk is the root disk? ('?' for details) [sd0]

71

No valid MBR or GPT.

72

Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]

73

~~~

74

75

80% /

76

10% swap

77

10% /var/log

78

79

### Configuration

80

81

82

#### /etc/sysctl.conf

83

84

~~~

85

net.inet.ip.forwarding=1

86

net.inet.gre.allow=1

87

88

~~~

89

90

#### /root/.profile

91

92

~~~

93

export PS1="\H|\t|:\w\\$"

94

95

umask 022

96

97

#export LS_OPTIONS='--color=auto'

98

alias ls='/usr/local/bin/colorls -G'

99

alias ll='ls -l'

100

alias l='ls -lA'

101

alias d="du --max-depth=1 -h"

102

#alias carp='ifconfig carp |grep -e "MASTER" -e "BACKUP" && ifconfig -g carp'

103

104

# Some more alias to avoid making mistakes:

105

alias rm='rm -i'

106

alias cp='cp -i'

107

alias mv='mv -i'

108

alias df='df -h'

109

alias b='echo "\n IP BLACKLISTED\n========================================================";pfctl -t BLACKLIST -T show;echo "\n TOP 10 states\n========================================================";pfctl -sS |sort -nrk4 |head -n 10 '

110

echo

111

echo "________________________________________________________________________"

112

echo

113

who

114

echo "________________________________________________________________________"

115

echo

116

last -n 20

117

echo "________________________________________________________________________"

118

echo

119

uptime

120

echo "________________________________________________________________________"

121

~~~

122

123

#### /home/sacha/.profile

124

125

~~~

126

# $OpenBSD: dot.profile,v 1.5 2018/02/02 02:29:54 yasuoka Exp $

127

128

# sh/ksh initialization

129

130

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games

131

export PATH HOME TERM

132

133

export PS1="\H|\t|:\w\\$"

134

135

alias ls='colorls -G'

136

alias ll='ls -l'

137

alias l='ls -lA'

138

alias d="du --max-depth=1 -h"

139

140

# Some more alias to avoid making mistakes:

141

alias rm='rm -i'

142

alias cp='cp -i'

143

alias mv='mv -i'

144

alias df='df -h'

145

146

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"

147

echo

148

echo -n "     " && uname -a

149

echo

150

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"

151

echo

152

153

echo " _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _"

154

echo && echo

155

156

157

~~~

158

159

#### /etc/ssh/sshd_config

160

161

~~~

162

Port 55555

163

PasswordAuthentication no

164

ChallengeResponseAuthentication no

165

~~~

166

167

+ Ajouter le réseau local sur em2 sour la forme 10.10.département/24

168

169

#### /etc/dhcpd.conf

170

171

En fonction du réseau local, exemple:

172

173

~~~

174

subnet 10.10.79.0 netmask 255.255.255.0 {

175

  range 10.10.79.100 10.10.79.199;

176

  default-lease-time 600;

177

  max-lease-time 7200;

178

  option subnet-mask 255.255.255.0;

179

  option broadcast-address 10.10.79.255;

180

  option routers 10.10.79.254;

181

  option domain-name-servers 10.10.79.254, 185.233.100.100;

182

  option domain-name "niort.rosedor.fr";

183

184

~~~

185

186

~~~

187

echo 'dhcpd_flags="em2"' >>/etc/rc.conf.local

188

~~~

189

190

191

#### /etc/resolv.conf

192

193

~~~

194

search brest.openlux.fr

195

nameserver 10.10.79.254

196

lookup file bind

197

~~~

198

199

200

#### /etc/ntpd.conf

201

202

~~~

203

# $OpenBSD: ntpd.conf,v 1.14 2015/07/15 20:28:37 ajacoutot Exp $

204

205

# See ntpd.conf(5) and /etc/examples/ntpd.conf

206

207

#listen on 172.16.1.254

208

servers fr.pool.ntp.org

209

210

~~~

211

213

1

sacha

214

* Exemples:

215

216

~~~

217

echo -e "l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker

218

echo -e "<cd<a#~<a#>f" > /dev/speaker

219

echo "o2 AAA ml o2l8F P16 o3l16C o2 l4A  l8F o3P16l16C o2 l4A p4 o3 EEE ml l8F P16 o3l16C o2 l4A- l8F o3P16l16C o2 l4A"  > /dev/speaker

220

echo -e "ec" > /dev/speaker

221

echo -e "t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f.." > /dev/speaker

222

echo -e "<cd<a#~<a#>f" > /dev/speaker

223

echo -e "t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.">/dev/speaker

224

echo -e "t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8" > /dev/speaker

225

echo -e "olcega.a8f>cd2bgc.c8dee2" > /dev/speaker

226

echo -e "msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4" > /dev/speaker

227

echo -e "l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2" > /dev/speaker

228

229

Beatles

230

"T255O3< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A F#A B A F# L1 E.< < L2 A > > > L4 C# < A B > L2 C#.L2 N0 L4 C# < L2 B A L2 F#.> L4 C# < L2 B A L1 B B L1 N0< < L2 A > > > L4 C# < L2 B > L2 C# < L2 A.> L4 C# < A B > L2 C#.< < L2 A > > > L4 C# < L2 B > C# < L2 A.L4 N0 A L2 B AL2 N0 > L2 C# < B A N0L4 F# A B E A B D A B A G# F# E"

231

232

sw

233

"t136 mn o3 l8 ddgfe-dc o2 b-ag o3 d2. l12 ddd l8 g4 p4 p2 p2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 c o2 b o3 c l2 ml o2 a1a4 p4 mn t136 mn o3 l8 p4 mn o2 l8 d4 e4.e o3c o2 bag l12 gab l8 a8. e16f+4d8. d e4.e o3 c o2 bag o3 d8.o2   a16 ml a4a4 mn d4 e4.e O3 c o2 bag l12 gaba8. e16 f+4 o3 d8. d16 l16   g8. fe-8. d c8. o2 b-a8. g o3 d2 t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2 ba ml l2 o3 gdd mn l6 co2 b o3c l2 ml o2a1a4 p4 mn t236 l6 o2 ddd l2 ml g o3 dd mn l6 c o2 ba l2 o3 ml gdd mn l6 c o2ba ml l2 o3gdd mn l6 co2bo3c l2 ml o2a1a4 p4 mn l6 o3 mn ddd ml l1 gggg4 p4 p4 mn l12 dddg2"

234

235

Reveille: t255l8c.f.afc~c.f.afc~c.f.afc.f.a..f.~c.f.afc~c.f.afc~c.f.afc~c.f..

236

Close Encounters: <cd<a#~<a#>f

237

Lord of the Dance (aka Simple Gifts): t240<cfcfgagaa#b#>dc<a#a.~fg.gaa#.agagegc.~cfcfgagaa#b#>dc<a#a.~fg.gga.agfgfgf.

238

Loony Toons theme: t255cf8f8edc<a>~cf8f8edd#e~ce8cdce8cd.<a>c8c8c#def8af8

239

standard villain's entrance music: mst200o2ola.l8bc.~a.~>l2d#

240

a trope from 'The Right Stuff' score by Bill Conti: olcega.a8f>cd2bgc.c8dee2

241

opening bars of Bach's Toccata and Fugue in D Minor": msl16oldcd4mll8pcb-agf+4.g4p4<msl16dcd4mll8pa.a+f+4p16g4

242

opening bars of the theme from Star Trek Classic: l2b.f+.p16a.c+.p l4mn<b.>e8a2mspg+e8c+f+8b2

243

244

245

~~~

246

248

1

sacha

~~~

249

echo 'echo -e "<cd<a#~<a#>f" > /dev/speaker' >> /etc/rc.local

250

echo '"O3L30cO4L30cO5L30cO5L30g" > /dev/speaker' >> /etc/rc.local

251

~~~

252

253

#### Unbound

254

257

1

sacha

~~~

258

ln -s /var/unbound/etc/unbound.conf /etc/unbound.conf

259

~~~

260

261

~~~

262

# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $

263

264

server:

265

        interface: 127.0.0.1

266

        interface: 172.16.1.254

267

        #interface: 127.0.0.1@5353      # listen on alternative port

268

#       interface: ::1

269

        do-ip6: no

270

271

        # override the default "any" address to send queries; if multiple

272

        # addresses are available, they are used randomly to counter spoofing

273

        #outgoing-interface: 192.0.2.1

274

        #outgoing-interface: 2001:db8::53

275

276

        access-control: 0.0.0.0/0 refuse

277

        access-control: 127.0.0.0/8 allow

278

        access-control: 172.16.1.254/16 allow

279

        access-control: ::0/0 refuse

280

        access-control: ::1 allow

281

282

        hide-identity: yes

283

        hide-version: yes

284

285

        # Uncomment to enable DNSSEC validation.

286

287

        #auto-trust-anchor-file: "/var/unbound/db/root.key"

288

        #val-log-level: 2

289

290

        # Uncomment to synthesize NXDOMAINs from DNSSEC NSEC chains

291

        # https://tools.ietf.org/html/rfc8198

292

293

        #aggressive-nsec: yes

294

295

        # Serve zones authoritatively from Unbound to resolver clients.

296

        # Not for external service.

297

298

        #local-zone: "local." static

299

        #local-data: "mycomputer.local. IN A 192.0.2.51"

300

        #local-zone: "2.0.192.in-addr.arpa." static

301

        #local-data-ptr: "192.0.2.51 mycomputer.local"

302

303

        # UDP EDNS reassembly buffer advertised to peers. Default 4096.

304

        # May need lowering on broken networks with fragmentation/MTU issues,

305

        # particularly if validating DNSSEC.

306

307

        #edns-buffer-size: 1480

308

309

        # Use TCP for "forward-zone" requests. Useful if you are making

310

        # DNS requests over an SSH port forwarding.

311

312

        #tcp-upstream: yes

313

314

remote-control:

315

        control-enable: yes

316

        control-interface: /var/run/unbound.sock

317

318

# Use an upstream forwarder (recursive resolver) for some or all zones.

319

320

#forward-zone:

321

#       name: "."                               # use for ALL queries

322

#       forward-addr: 192.0.2.53                # example address only

323

#       forward-first: yes                      # try direct if forwarder fails

324

~~~

325

326

~~~

327

rcctl enable unbound

328

rcctl start unbound

329

~~~

330

331

#### Install Prometheus  node exporter

332

333

~~~

334

pkg_add go git gmake python-3.6 colorls gnuwatch mtr pftop curl bash

335

ln -s /usr/local/bin/python3 /usr/local/bin/python

336

cd /home/sacha

337

go get github.com/prometheus/node_exporter

338

cd /home/sacha/go/src/github.com/prometheus/node_exporter

339

gmake

340

mv node_exporter /usr/local/bin/

341

~~~

342

343

##### script de démarage: /etc/rc.d/node_exporter

344

345

~~~

346

vim /etc/login.conf

347

(...)

348

node_exporter:\

349

  :tc=daemon:

350

~~~

351

352

~~~

353

cap_mkdb /etc/login.conf

354

groupadd -g 2222 _node_exporter

355

useradd -u 2222 -g 2222 -c "Prometheus Node Exporter agent" -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter

356

~~~

357

358

* /etc/rc.d/node_exporter

359

360

~~~

361

#!/bin/sh

362

363

364

daemon="/usr/local/bin/node_exporter"

365

node_exporter_textfile_dir="/var/node_exporter"

366

daemon_flags="--collector.textfile.directory==${node_exporter_textfile_dir}"

367

daemon_user="_node_exporter"

368

daemon_group="_node_exporter"

369

370

. /etc/rc.d/rc.subr

371

372

pexp="${daemon}.*"

373

rc_bg=YES

374

rc_reload=NO

375

376

rc_pre() {

377

    if ! id ${daemon_user}; then

378

        groupadd _node_exporter

379

        useradd -g _node_exporter -c "Prometheus Node Exporter agent"\

380

        -d /var/empty -s /sbin/nologin -L node_exporter _node_exporter

381

fi

382

    if [ ! -d ${node_exporter_textfile_dir} ]; then

383

        install \

384

            -d \

385

            -o ${daemon_user} \

386

            -g ${daemon_group} \

387

            -m 1755 \

388

            ${node_exporter_textfile_dir}

389

fi

390

391

392

rc_start() {

393

    ${rcexec} "${daemon} ${daemon_flags} < /dev/null 2>&1"

394

395

396

rc_cmd $1

397

~~~

398

399

400

~~~

401

chmod 0755 /etc/rc.d/node_exporter

402

chown root:wheel /etc/rc.d/node_exporter

403

404

rcctl enable node_exporter

405

rcctl start node_exporter

406

~~~

407

408

---

409

410

## Firewall

411

412

413

~~~

414

touch /etc/BLACKLIST

415

vi /etc/WHITELIST

416

~~~

417

418

419

### Standard: 1 ADSL

420

421

~~~

422

#######################################################

424

1

sacha

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- #

425

# V1.0 - 20190612                                     #

426

#######################################################

427

428

429

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

430

#               MACROS                  #

431

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

432

433

#-----------------------------------------#

434

#               Interfaces                #

435

#-----------------------------------------#

436

#=====----> ADSL

438

1

sacha

440

1

sacha

#=====----> LAN

441

LAN             = "em2"

442

LAN_VoIP        = "em3"

443

444

#-----------------------------------------#

445

#               Hosts                     #

446

#-----------------------------------------#

447

448

449

#-----------------------------------------#

450

#       W H I T E  L I S T                #

451

#-----------------------------------------#

452

table <WHITELIST> persist file "/etc/WHITELIST"

453

454

#-----------------------------------------#

455

#       B L A C K  L I S T                #

456

#-----------------------------------------#

457

table <BLACKLIST> counters persist file "/etc/BLACKLIST"

458

459

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

460

#               OPTIONS                 #

461

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

463

1

sacha

464

#set optimization aggressive

465

set block-policy drop

466

467

set skip on lo0

468

469

470

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

471

#               LOG                     #

472

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

473

match log all

474

475

476

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

477

#               NORMALISATION           #

478

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

479

480

# Nettoyer les paquets entrant

481

match in scrub (reassemble tcp random-id)

482

483

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

484

#                NAT                    #

485

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

487

1

sacha

488

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

489

#               FILTRAGE                #

490

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

491

block log all

492

493

#-----------------------------------------#

494

#               Anti-Flood                #

495

#-----------------------------------------#

496

#NOFLOOD ="synproxy state (source-track rule max-src-conn 500, max-src-conn-rate 50/10, overload <BLACKLIST> flush global)"

497

NOFLOOD ="keep state (source-track rule, max-src-states 100)"

498

499

block in log quick on $ADSL from no-route to any

500

block out log quick on $ADSL from no-route to any

501

block in log quick on $ADSL from any to 255.255.255.255

502

503

#-----------------------------------------#

504

#               Blacklists                #

505

#-----------------------------------------#

506

block in quick from <BLACKLIST>

507

508

block in log quick on $ADSL inet proto icmp from any to any icmp-type redir

509

block in log quick on $ADSL inet6 proto icmp6 from any to any icmp6-type redir

510

511

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

512

#               Anti-spoof                  #

513

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

514

antispoof log quick for $ADSL label "antispoof"

515

516

#---------------------------------------#

517

#               ICMP                    #

518

#---------------------------------------#

519

pass inet proto icmp all icmp-type { echorep, echoreq, timex, unreach }

520

521

#---------------------------------------#

522

#               Trace Route             #

523

#---------------------------------------#

524

pass in on { $LAN } proto udp from any to any port 33433 >< 33626 keep state

525

526

#---------------------------------------#

527

#               WHITELIST               #

528

#---------------------------------------#

529

pass in quick on $ADSL proto tcp from <WHITELIST> to any port 55555

530

531

#---------------------------------------#

532

#                 LAN                   #

533

#---------------------------------------#

534

535

#=====----> Firewall to Lan

536

pass out on $LAN inet to $LAN:network

537

538

539

#=====----> ssh LAN

540

pass in quick on $LAN proto tcp from $LAN:network to $LAN port 55555

541

#pass in quick proto tcp from any to port 55555

542

543

#=====----> dns

544

pass in quick on $LAN proto udp from $LAN:network to $LAN port 53

545

546

#=====----> dhcp

547

pass in quick on $LAN inet from $LAN:network to 255.255.255.255

548

549

#=====----> Permit Lan to output

550

pass in on $LAN inet from $LAN:network to any

551

552

pass out on $LAN inet from $LAN:network to any

553

554

555

#---------------------------------------#

556

#            ACCEPT OUTGOING            #

557

#---------------------------------------#

558

pass out on $ADSL

559

~~~

Projet

Général

Profil

Aquilenet

Openbsd apu » Historique » Version 5