Thursday, 6 February 2020

IPSec policy via plain old setkey

Back in the day I sometimes used manually keyed IPSec (static pre-shared keys loaded with setkey, no IKE at all). I needed a sample config for some PoC work, so here it is for "future" use. On one side:
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P in  ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P out ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
On the other side:
#!/usr/sbin/setkey -f
flush;
spdflush;
add IP1.IP1.IP1.IP1 IP2.IP2.IP2.IP2 esp 0x1000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";
add IP2.IP2.IP2.IP2 IP1.IP1.IP1.IP1 esp 0x2000 -m tunnel -E blowfish-cbc "<32 chars>" -A hmac-sha1 "<20 chars>";

spdadd 100.100.0.0/16 100.64.0.0/16  any -P out ipsec esp/tunnel/IP1.IP1.IP1.IP1-IP2.IP2.IP2.IP2/require;
spdadd 100.64.0.0/16  100.100.0.0/16 any -P in  ipsec esp/tunnel/IP2.IP2.IP2.IP2-IP1.IP1.IP1.IP1/require;
Only the direction (-P in/out) of the spdadd policies changes between the two sides.
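As an added example (not from the post), a small Python generator that writes both endpoints' setkey configs from one set of random keys, so the two SAs match byte for byte and only the policy directions differ. Endpoint and network values are placeholders passed in by the caller; the SPIs and algorithms are the post's.

```python
import secrets

# SPIs follow the post. Manual SAs never rekey and blowfish-cbc is a 64-bit block
# cipher, so this stays PoC/lab material, as the post intends.
SPI_1TO2, SPI_2TO1 = "0x1000", "0x2000"

def gen_keys():
    """Random keys in the 0x-hex form setkey(8) accepts (a key is either a double-quoted
    string or hex digits prefixed with 0x). blowfish-cbc gets 256 bits (32 bytes, like the
    post's 32-char string); hmac-sha1 needs exactly 160 bits (20 bytes)."""
    return {
        "enc12": "0x" + secrets.token_hex(32), "auth12": "0x" + secrets.token_hex(20),
        "enc21": "0x" + secrets.token_hex(32), "auth21": "0x" + secrets.token_hex(20),
    }

def setkey_conf(side, ip1, ip2, net1, net2, keys):
    """Config for the host that owns ip<side> (net1 sits behind ip1, net2 behind ip2).
    Both SAs are identical on both ends; only the -P direction of the policies flips:
    net1 -> net2 traffic is 'out' on side 1 and 'in' on side 2."""
    if side not in (1, 2):
        raise ValueError("side must be 1 or 2")
    d12, d21 = ("out", "in") if side == 1 else ("in", "out")
    return (
        "#!/usr/sbin/setkey -f\n"
        "flush;\n"
        "spdflush;\n"
        f"add {ip1} {ip2} esp {SPI_1TO2} -m tunnel"
        f" -E blowfish-cbc {keys['enc12']} -A hmac-sha1 {keys['auth12']};\n"
        f"add {ip2} {ip1} esp {SPI_2TO1} -m tunnel"
        f" -E blowfish-cbc {keys['enc21']} -A hmac-sha1 {keys['auth21']};\n"
        "\n"
        f"spdadd {net1} {net2} any -P {d12} ipsec esp/tunnel/{ip1}-{ip2}/require;\n"
        f"spdadd {net2} {net1} any -P {d21} ipsec esp/tunnel/{ip2}-{ip1}/require;\n"
    )

if __name__ == "__main__":
    # Placeholder endpoints (documentation ranges) and the post's networks; one file per side.
    keys = gen_keys()
    for side in (1, 2):
        with open(f"setkey-side{side}.conf", "w") as f:
            f.write(setkey_conf(side, "198.51.100.1", "203.0.113.1",
                                "100.100.0.0/16", "100.64.0.0/16", keys))
```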

Friday, 24 January 2020

What is my IP? DNS way...

What is my IP, via a custom DNS server:
dig @ip.socha.it tell-me-my-ip +short
Other variants:
dig @ip.socha.it ip +short
dig @ip.nauka.ga ip +short
dig @ip.automatus.cf ip +short

dig @ip.socha.it ip TXT +short 
dig @ip.socha.it ip TXT +short +tcp

What is my IP? The nginx way...

Pure nginx solution ;)
curl -sf ip.socha.it
or
curl -sf ip.socha.it/eol

Nginx configuration:
server {
        listen 80;
        server_name ip.socha.it;
        default_type "text/plain";
        location /eol {
          return 200 "$remote_addr\n";
        }
        location / {
          return 200 $remote_addr;
        }
}

Sunday, 19 January 2020

Traefik v2 - private docker repository

It's time to migrate from Traefik v1 to Traefik v2.

Sample project based on a docker-compose service definition: a private docker registry.

Quick setup
curl -sf automatus.cf/private-registry | bash

Or step by step:

  • Install docker & docker-compose
  • Create required directories
    mkdir registry
    cd registry
    mkdir {auth,default}
    
  • Create docker-compose.yml file:
    version: '3'
    
    services:
      gateway:
        image: traefik:2.1
        restart: always
        command: 
          - "--providers.docker"
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.http.address=:80"
          - "--entrypoints.https.address=:443"
          - "--certificatesResolvers.le.acme.httpchallenge=true"
          - "--certificatesResolvers.le.acme.httpchallenge.entryPoint=http"
          - "--certificatesResolvers.le.acme.storage=/acme/acme.json"
          #- "--api.insecure=true"
          #- "--certificatesResolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
        ports:
          - 80:80
          - 443:443
          # API
          #- 8080:8080
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - acme:/acme
          - ./auth:/auth
    
      registry:
        restart: always
        image: registry:2
        environment:
          REGISTRY_HTTP_SECRET: change-me
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.http.rule=Host(`hostname-change-me`)" 
          - "traefik.http.routers.http.entrypoints=http"
          - "traefik.http.routers.https.rule=Host(`hostname-change-me`)" 
          - "traefik.http.routers.https.entrypoints=https"
          - "traefik.http.routers.https.tls=true"
          - "traefik.http.routers.https.tls.certresolver=le"
          - "traefik.http.middlewares.server-header.headers.customresponseheaders.server=docker-registry"
          - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
          - "traefik.http.middlewares.auth.basicauth.usersFile=/auth/passwd"
          - "traefik.http.middlewares.auth.basicauth.realm=REGISTRY"
          - "traefik.http.routers.http.middlewares=redirect,server-header"
          - "traefik.http.routers.https.middlewares=server-header,auth"
        volumes:
          - registry:/var/lib/registry
    
      # Catch-all default vhost
      default:
        image: nginx:stable
        restart: always
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.default.rule=HostRegexp(`{default:.*}`)" 
          - "traefik.http.routers.default.entrypoints=http"
          - "traefik.http.routers.default.priority=1"
          - "traefik.http.routers.default.middlewares=server-header"
        volumes:
          - ./default/default.conf:/etc/nginx/conf.d/default.conf
    
    volumes:
      acme:
      registry:
    
    # vim: set tabstop=2 shiftwidth=2 expandtab autoindent indentexpr= nosmartindent : 
    
  • Create default/default.conf file:
    server { 
       listen 80 default_server; 
       return 204;
    }
    
  • Create a user and password for registry access (htpasswd writes auth/passwd itself with -c; the docker variant prints the entry with -n, so it is redirected):
    htpasswd -Bc auth/passwd username
    #or
    docker run --rm httpd:alpine htpasswd -Bbn username 'change-me' >auth/passwd
    
  • Start project
    docker-compose up -d
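An added example, not part of the post or of Traefik: a Python check over the Traefik v2 labels above, verifying the router-to-middleware wiring the registry depends on (basicauth only on the TLS router, the plaintext router only redirecting, no dangling middleware names). The label excerpt is constructed from the compose file by hand; no YAML is parsed.

```python
import re

# Constructed excerpt: the traefik.* labels of the registry service from the compose file
# above (the default catch-all service is intentionally unauthenticated and left out).
REGISTRY_LABELS = """\
traefik.enable=true
traefik.http.routers.http.rule=Host(`hostname-change-me`)
traefik.http.routers.http.entrypoints=http
traefik.http.routers.https.rule=Host(`hostname-change-me`)
traefik.http.routers.https.entrypoints=https
traefik.http.routers.https.tls=true
traefik.http.routers.https.tls.certresolver=le
traefik.http.middlewares.server-header.headers.customresponseheaders.server=docker-registry
traefik.http.middlewares.redirect.redirectscheme.scheme=https
traefik.http.middlewares.auth.basicauth.usersFile=/auth/passwd
traefik.http.routers.http.middlewares=redirect,server-header
traefik.http.routers.https.middlewares=server-header,auth
"""

def parse_labels(text):
    """traefik.http.<routers|middlewares>.<name>.<setting>=<value> -> {kind: {name: {setting: value}}}"""
    tree = {"routers": {}, "middlewares": {}}
    for line in text.splitlines():
        m = re.match(r"traefik\.http\.(routers|middlewares)\.([^.]+)\.(.+?)=(.*)$", line.strip())
        if m:
            kind, name, setting, value = m.groups()
            tree[kind].setdefault(name, {})[setting] = value
    return tree

def audit(tree):
    """Findings for the wiring the registry relies on: every middleware in a router's chain is
    defined, https routers have tls and a basicauth middleware, plaintext routers only redirect."""
    findings, mws = [], tree["middlewares"]
    for name, router in tree["routers"].items():
        chain = [m for m in router.get("middlewares", "").split(",") if m]
        findings += [f"router {name}: middleware {m} is not defined" for m in chain if m not in mws]
        # middleware type = first path segment of its settings (basicauth, redirectscheme, headers)
        kinds = {k.split(".")[0] for m in chain for k in mws.get(m, {})}
        if router.get("entrypoints") == "https":
            if router.get("tls") != "true":
                findings.append(f"router {name}: https entrypoint without tls=true")
            if "basicauth" not in kinds:
                findings.append(f"router {name}: no basicauth middleware on https router")
        elif "redirectscheme" not in kinds:
            findings.append(f"router {name}: plaintext router does not redirect to https")
    return findings
```

Run against the compose file after edits; an empty list means the registry is still only reachable with credentials over TLS.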
    
Friday, 25 January 2019

PowerShell - script signing (self-signed cert)

# CA generation
# {hex}30030101FF => ASN.1 BasicConstraints: CA:TRUE
# $asn1=([System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($true, $false, 0, $true)).RawData
# $asn1 | Format-Hex -Encoding Ascii

$ca_params =@{ 
   "Type"              = "Custom";
   "Subject"           = "CN=Local CA";
   "FriendlyName"      = "Local CA";
   "KeyAlgorithm"      = "RSA";
   "KeyLength"         = 2048;
   "KeyUsage"          = "CertSign";
   "TextExtension"     = @("2.5.29.19={critical}{hex}30030101FF");
   "NotAfter"          = ((Get-Date).AddYears(10)); 
   "CertStoreLocation" = "Cert:\CurrentUser\My";
}

$root=New-SelfSignedCertificate @ca_params 
$root.ToString()

$cert_params =@{ 
   "Signer"            = $root;
   "Type"              = "CodeSigningCert";
   "Subject"           = "CN=Robert Socha";
   "FriendlyName"      = "Robert Socha CS";
   "KeyAlgorithm"      = "RSA";
   "KeyLength"         = 2048;
   "KeyUsage"          = "DigitalSignature";
   "NotAfter"          = ((Get-Date).AddYears(10)); 
   "CertStoreLocation" = "Cert:\CurrentUser\My";
}

# Generate the code-signing certificate
$code=New-SelfSignedCertificate @cert_params
$code.ToString()

# Export the CA certificate and import it into the trusted root store
$ca_file = [System.IO.Path]::GetTempFileName()
Export-Certificate -Type CERT -Cert $root -FilePath $ca_file -Force
Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath $ca_file

# Export the signing certificate and import it into Trusted Publishers
Export-Certificate -Type CERT -Cert $code -FilePath $ca_file -Force
Import-Certificate -CertStoreLocation Cert:\CurrentUser\TrustedPublisher -FilePath $ca_file
Remove-Item $ca_file

# $code=(Get-ChildItem cert:\CurrentUser\my -CodeSigningCert)[0]

# Script to sign
'Write-Host "Hello, World!"' >.\sign_me.ps1

# https://go.microsoft.com/fwlink/?LinkID=135170
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force

# Default value on Windows client editions
# Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser -Force

Set-AuthenticodeSignature .\sign_me.ps1 $code

.\sign_me.ps1

Time-Stamp Protocol (RFC 3161) + openssl

TSP servers:

# Data file:
echo "Hello, World!" >data.txt

# Create the request
openssl ts -query -data data.txt -no_nonce -sha512 -out data.tsq
openssl ts -query -in data.tsq -text

Version: 1
Hash Algorithm: sha512
Message data:
    0000 - 92 16 18 bc 6d 9f 80 59-43 7c 5e 03 97 b1 3f 97   ....m..YC|^...?.
    0010 - 3a b7 c7 a7 b8 1f 0c a3-1b 70 bf 44 8f d8 00 a4   :........p.D....
    0020 - 60 b6 7e fd a0 02 00 88-bc 97 bf 7d 9d a9 7a 9e   `.~........}..z.
    0030 - 2c e7 b2 0d 46 e0 66 46-2e c4 4c f6 02 84 f9 a7   ,...F.fF..L.....
Policy OID: unspecified
Nonce: unspecified
Certificate required: no
Extensions:

# Request that also asks the TSA to include its signing certificate
openssl ts -query -data data.txt -no_nonce -sha512 -cert -out data-cert.tsq
openssl ts -query -in data-cert.tsq -text

Version: 1
Hash Algorithm: sha512
Message data:
    0000 - 92 16 18 bc 6d 9f 80 59-43 7c 5e 03 97 b1 3f 97   ....m..YC|^...?.
    0010 - 3a b7 c7 a7 b8 1f 0c a3-1b 70 bf 44 8f d8 00 a4   :........p.D....
    0020 - 60 b6 7e fd a0 02 00 88-bc 97 bf 7d 9d a9 7a 9e   `.~........}..z.
    0030 - 2c e7 b2 0d 46 e0 66 46-2e c4 4c f6 02 84 f9 a7   ,...F.fF..L.....
Policy OID: unspecified
Nonce: unspecified
Certificate required: yes
Extensions:

# Send the requests to the server
curl -s -H "Content-Type: application/timestamp-query" \
     --data-binary @data.tsq  \
     http://time.certum.pl -o data.tsr
curl -s -H "Content-Type: application/timestamp-query" \
     --data-binary @data-cert.tsq  \
     http://time.certum.pl -o data-cert.tsr

# Or using tsget (it takes the .tsq files and writes the matching .tsr files)
# Installing the Perl curl bindings may be necessary: apt-get install libwww-curl-perl
/usr/lib/ssl/misc/tsget -h http://time.certum.pl/ -e .tsr -v data.tsq data-cert.tsq
 #> data.tsr: sending request, reply received, ./data.tsr written.
 #> data-cert.tsq: sending request, reply received, ./data-cert.tsr written.

# Information about the response
openssl ts -reply -in data.tsr -text

The response file. For data-cert.tsr it looks the same (only the file size differs):

Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 1.2.616.1.113527.2.5.1.11
Hash Algorithm: sha512
Message data:
    0000 - 92 16 18 bc 6d 9f 80 59-43 7c 5e 03 97 b1 3f 97   ....m..YC|^...?.
    0010 - 3a b7 c7 a7 b8 1f 0c a3-1b 70 bf 44 8f d8 00 a4   :........p.D....
    0020 - 60 b6 7e fd a0 02 00 88-bc 97 bf 7d 9d a9 7a 9e   `.~........}..z.
    0030 - 2c e7 b2 0d 46 e0 66 46-2e c4 4c f6 02 84 f9 a7   ,...F.fF..L.....
Serial number: 0x038D7EAE927662
Time stamp: Jan 25 00:17:48 2019 GMT
Accuracy: 0x01 seconds, unspecified millis, unspecified micros
Ordering: no
Nonce: unspecified
TSA: DirName:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum EV TSA SHA2
Extensions:

Download the CA certificate and the intermediate certificate (the latter is required for data.tsr, which carries no certificates) from this page: https://www.certum.pl/pl/wsparcie/cert_wiedza_zaswiadczenia_klucze_certum/

wget https://www.certum.pl/CTNCA.pem
wget https://www.certum.pl/pl/upload_module/wysiwyg/zaswiadczenia/Certum_EV_TSA_SHA2/TSA-SHA2.pem

# Verification
# Response that includes the signing key's certificate
openssl ts -verify -data data.txt -in data-cert.tsr -CAfile CTNCA.pem
# Response without certificates
openssl ts -verify -data data.txt -in data.tsr -CAfile CTNCA.pem -untrusted TSA-SHA2.pem

man openssl ts
man openssl tsget
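As an added example (not part of the post or of OpenSSL), the TimeStampReq that `openssl ts -query -sha512 -no_nonce [-cert]` produces, built and parsed by hand with the standard library so the fields the -text output lists (version, message imprint, certificate required) are visible in the DER. The `.tsq` it writes can be POSTed with the curl command above; the TSA URL and data are the post's.

```python
import hashlib

# id-sha512 (2.16.840.1.101.3.4.2.3), already wrapped as a DER OBJECT IDENTIFIER.
SHA512_OID = bytes.fromhex("0609608648016503040203")

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_items(blob):
    """Split a run of DER TLVs into (tag, body) pairs."""
    items, i = [], 0
    while i < len(blob):
        tag, n, i = blob[i], blob[i + 1], i + 2
        if n & 0x80:  # long form: n & 0x7F further length bytes follow
            k = n & 0x7F
            n, i = int.from_bytes(blob[i:i + k], "big"), i + k
        items.append((tag, blob[i:i + n]))
        i += n
    return items

def timestamp_req(data, cert_req=False):
    """RFC 3161 TimeStampReq as -sha512 -no_nonce builds it: SEQUENCE { version INTEGER 1,
    messageImprint SEQUENCE { AlgorithmIdentifier(sha512, NULL params), OCTET STRING digest },
    certReq BOOLEAN }; certReq is omitted when FALSE (DER default) and -cert sets it TRUE."""
    algo = der(0x30, SHA512_OID + der(0x05, b""))
    imprint = der(0x30, algo + der(0x04, hashlib.sha512(data).digest()))
    body = der(0x02, b"\x01") + imprint
    if cert_req:
        body += der(0x01, b"\xff")
    return der(0x30, body)

def parse_req(tsq):
    """Return (version, digest, cert_req) from a request without policy or nonce."""
    [(_, body)] = der_items(tsq)
    fields = der_items(body)
    version = int.from_bytes(fields[0][1], "big")
    _algo, (_, digest) = der_items(fields[1][1])
    cert_req = any(tag == 0x01 and val == b"\xff" for tag, val in fields[2:])
    return version, digest, cert_req

def imprint_matches(tsq, data):
    """The comparison `openssl ts -verify -data` makes: embedded digest == SHA-512 of data."""
    return parse_req(tsq)[1] == hashlib.sha512(data).digest()

if __name__ == "__main__":  # same input as `echo "Hello, World!" >data.txt` in the post
    open("data-cert.tsq", "wb").write(timestamp_req(b"Hello, World!\n", cert_req=True))
```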

Tuesday, 19 April 2016

CentOS 7 and bonding

Setup: /etc/modules-load.d/bonding.conf:
bonding

/etc/modprobe.d/bonding.conf:
options bonding max_bonds=0

/etc/sysconfig/network-scripts/ifcfg-host0:
NAME="host0"
DEVICE="host0"
NM_CONTROLLED=no
ONBOOT=yes
USERCTL=no
TYPE=Ethernet
BOOTPROTO=none
BONDING_OPTS="mode=802.3ad lacp_rate=slow miimon=250 xmit_hash_policy=layer2+3"
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPADDR=192.168.1.1
PREFIX=31
GATEWAY=192.168.1.0

/etc/sysconfig/network-scripts/ifcfg-eno1:
NAME=eno1
DEVICE=eno1
TYPE=Ethernet
USERCTL=no
SLAVE=yes
MASTER=host0
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no

/etc/sysconfig/network-scripts/ifcfg-eno2:
NAME=eno2
DEVICE=eno2
TYPE=Ethernet
USERCTL=no
SLAVE=yes
MASTER=host0
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no