Pangnet.net

Last modified by Yu Pang Law on 2022/12/14 10:31

Reference for past research

Jan 24 2023

Compiling Custom Kernel

  1. Update FreeBSD to latest patch
    freebsd-update fetch
    freebsd-update install
  2. Install git
    pkg install git
  3. Updating source file
    git clone -o freebsd https://git.FreeBSD.org/src.git /usr/src
    cd /usr/src
    git checkout stable/13
  4. prepare custom kernel file
    mkdir /root/kernels
    cd /usr/src/sys/amd64/conf
    cp GENERIC /root/kernels/MYKERNEL
    ln -s /root/kernels/MYKERNEL

    depends on your CPU architecture, config file location may be different. For usual, Intel/AMD CPU, it will be amd64

  5. add/remove options in the MYKERNEL file
  6. Compile and install MYKERNEL, then reboot
    cd /usr/src
    make buildkernel KERNCONF=MYKERNEL
    make installkernel KERNCONF=MYKERNEL
    reboot
  7. Check if MYKERNEL is installed correctly
    uname -a
    If correct, it should show MYKERNEL

Jan 02 2023

Configuring Unbound for whole network

  1. Install and config unbound as usual. For basic, remote set up check unbound remote resolver setup
  2. Install bgpq4
  3. Generate prefix list filter for your AS or AS SET
    bgpq4 -4A -h whois.radb.net -F 'access-control: %n/%l allow\n' AS-SET > /usr/local/etc/unbound/prefix.txt
  4. Edit unbound.conf, under server:, add
    include: /usr/local/etc/unbound/prefix.txt
  5. Set up cron job to update prefix list and restart unbound periodically
dns-record.png

CloudFlare Add new domain (DNS only)

  1. 登入CloudFlare 帐号, 点击添加站点
  2. 输入域名, 点击"添加站点"
    add-site.png
  3. 点选"Free", 然后点击"继续"
    plan.png
  4. 等待"快速扫瞄"完成
  5. 删掉没用的DNS记录, 确认DNS 记录没错误, 关停代理状态. 然后点击"继续"
    注意DNS 记录的*, 代表所有子域名
    dns-record.png
  6. 记录CloudFlare"名称服务器". 然后点击"完全, 检查名称服务器"
    DNS-server.png
  7. 点击"以后完成"

Dec 14 2022

Drupal Update with Drush

  1. cd to Drupal installation Directory
  1. Backup Drupal
    drush archive-dump
  2. Check Drupal Update and get the list of modules that have update
    drush ups
    {{code}}
    1. Set Drupal Website to maintenance mode
    {{code}}
    drush sset system.maintenance_mode 1
    {{code}}
    1. Clear Drupal Cache
    {{code}}
    drush cr
    {{/code}}
    1. Update Drupal and press "Y" when asked
    {{code}}
    drush up drupal
    {{/code}}
    1. Update Drupal Database
    {{code}}
    drush updb
    {{/code}}
    1. Update Drupal modules
    {{code}}
    drush up XXXX XXXX
    {{/code}}
    where XXXX is the module name (the string inside the bracket in step 2)

    1. Set Drupal Website back to live mode
    {{code}}
    drush sset system.maintenance_mode 0
    {{/code}}
    1. Clear Drupal Cache Again
    {{code}}
    drush cr
    {{/code}}

Dec 14 2022

Running Custom php script within Drupal Directory

By default, Drupal will not allow running of any other PHP scripts within Drupal directory. It will return "403 Forbidden", if anybody trying to access the PHP scripts.

To by pass this constraint, we will need to add 2 lines in .htaccess.htaccess is in Drupal root directory.

  1. Open .htaccess with a text editor
  1. Find the section below:
      RewriteCond %{REQUEST_FILENAME} !-f
      
    RewriteCond %{REQUEST_FILENAME} !-d
      
    RewriteCond %{REQUEST_URI} !=/favicon.ico
      
    RewriteRule ^ index.php [L]

      Before RewriteRule, add
    RewriteCond %{REQUEST_URI} !script
    where "script" is the directory name or file name of your custom php script.

 3. Find the section below:
  RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
  
RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php
  
RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
  
RewriteRule "^(.+/.*|autoload)\.php($|/)" - [F]

  Before RewriteRule, add
RewriteCond %{REQUEST_URI} !script
where "script" is the directory name or file name of your custom php script.

4. Save the file and exit.

5. You will need to add the lines back every time you upgrade Drupal.

What does the changes mean?

RewriteCond means the condition for the RewriteRule to execute.

So, by adding a "RewriteCond %{REQUEST_URI} !script", we add a new condition that tells the web server to skip this rule, if the URI has the word "script" in it. So, the "script" directory or file will no longer be managed by Drupal.

See how it works:

https://worria.com/script/trace.php

https://worria.com/

*not Drupal anymore

Dec 14 2022

Cacti Graph no data randomly for some graphs

Symptom
cacti_blank.png

Cause:

Data Collector reachs max run time (polling interval). Remaining SNMP data will not be collected.

Solution:

1. Use spine instead of cmd.php

2. Increase "Processes" and "Threads" setting under "Data Collection" --> "Data Collectors"

Recommend Setting for

"Processes" = 2 * no. Of Cores available

"Threads" = 10 - 15

Dec 14 2022

Common Fastnetmon Command

commitUpdate Changes
show hostgroup <name>List hostgroup <name>, if there is no <name>, List all hostgroups available
set hostgroup <name> ban_for_bandwidth <enable/disable>enable/ disable IP blackhole for hostgroup <name>
set hostgroup <name> networks <XXX.XXX.XXX.0/XX>Add IP prefix to hostgroup <name>
set hostgroup <name> threshold XXXset bandwidth thresold for hostgroup <name>
show blackhole <XXX.XXX.XXX.XXX>list blackhole <XXX.XXX.XXX.XXX>. If no IP provided, list all blackholed IPs
set blackhole <XXX.XXX.XXX.XXX>manual add blackhole IP
delete blackhole <ID-string>Delete blackhole with blackhole ID. Blackhole ID can be found by "show blackhole"
show ip_hostgroup <XXX.XXX.XXX.XXX>Find the hostgroup that the IP belongs to

set bgp <bgp_name>

set bgp <bgp_name> local_asn <XXXXX>

set bgp <bgp_name> remote_as <XXXXX>

set bgp <bgp_name> local_address <XXXXX>

set bgp <bgp_name> remote_address <XXXXX>

set bgp <bgp_name> multihop <enable/disable>

set bgp <bgp_name> ipv4_unicast <enable/disable>

set bgp <bgp_name> active <enable/disable>

Add a new BGP connection. Can be used to advertise blackhole and also receiving routes.

Dec 14 2022

Using FreeRadius for Supermicro IPMI

  1. Create a new FreeRadius Virtual site for Supermicro IPMI (without enabling SQL support)

FreeRadius With SQL

  1. Edit /usr/local/etc/raddb/dictionary and add a new attribute
    ATTRIBUTE IPMI-radius  26 octets
    3. Edit /usr/local/etc/raddb/policy.d/foo and add
    foo {
         update reply {
           # Vendor-Specific = "H=4"
           &Attr-26 = 0x483D34
         }
    }

    0x483D34 is Hex Code for String "H=4"

If you need other type of permission (e.g. H=3) just change the string to hex code.

  1. Edit /usr/local/etc/raddb/users and add the following user
    ipmiAdmin Cleartext-Password := "Any-password"
              IPMI-radius += "0x483d34"

    You can replace ipmiAdmin and authorization type.
  1. Restart FreeRadius
  1. Login to Supermicro IPMI and enable Radius support.

Dec 14 2022

Install OpenVPN on FreeBSD system

  1. Update Port Collection
    portsnap fetch update
    if it is the first time,
    portsnap fetch extract
  2. Install OpenSSL
    cd /usr/ports/security/openssl
    make install clean
  3. Edit /etc/make.conf, and add
    DEFAULT_VERSIONS+=ssl=openssl
  4. Install OpenVPN, easyrsa
    cd /usr/ports/security/easy-rsa
    make install clean
    cd /usr/ports/security/openvpn
    make install clean
  5. Create Configuration directory and copy sample configuration file
    mkdir -p /usr/local/etc/openvpn/easy-rsa
    mkdir /usr/local/etc/openvpn/server
    cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/server/
    cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/
  6. Edit  /usr/local/etc/openvpn/easy-rsa/vars and set your information for SSL
    set_var EASYRSA_REQ_COUNTRY     "HK"
    set_var EASYRSA_REQ_PROVINCE    "Kowloon"
    set_var EASYRSA_REQ_CITY        "San Po Kong"
    set_var EASYRSA_REQ_ORG         "Laws Cloud Infrastructure Limited"
    set_var EASYRSA_REQ_EMAIL       "demo@example.com"
    set_var EASYRSA_REQ_OU          "VPN Department"
    set_var EASYRSA_KEY_SIZE 2048
    set_var EASYRSA_CA_EXPIRE 3650
    set_var EASYRSA_CERT_EXPIRE 3650
  7. Initialize PKI
    cd /usr/local/etc/openvpn/easy-rsa
    sh ./easyrsa.real init-pki
  8. Build CA Certificate, key, certificate file
    sh ./easyrsa.real build-ca
    sh ./easyrsa.real build-server-full server nopass
    sh ./easyrsa.real build-client-full client nopass
    sh ./easyrsa.real gen-dh
    openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key
    cp -r /usr/local/etc/openvpn/easy-rsa/pki/{ca.crt,dh.pem,ta.key,issued,private} /usr/local/etc/openvpn/server/
  1. Edit /usr/local/etc/openvpn/server/server.conf
    port 1194
    proto udp
    dev tun
    ca /usr/local/etc/openvpn/server/ca.crt
    cert /usr/local/etc/openvpn/server/issued/server.crt
    key /usr/local/etc/openvpn/server/private/server.key  # This file should be kept secret
    dh /usr/local/etc/openvpn/server/dh.pem
    topology subnet
    server 192.168.101.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    duplicate-cn
    keepalive 10 120
    tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
    cipher AES-256-CBC
    compress lz4-v2
    push "compress lz4-v2"
    ;comp-lzo
    max-clients 100
    user nobody
    group nobody
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log-append  /var/log/openvpn/openvpn.log
    verb 3
    explicit-exit-notify 1
    auth sha512
    remote-cert-tls client
  2. Create log directory
    mkdir /var/log/openvpn/
  3. Edit /etc/rc.conf and enable OpenVPN
    firewall_enable="YES"
    firewall_type="open"
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="em1"
    natd_flags="-dynamic -m"
    openvpn_enable=YES
    openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"

      **em1 is the outgoing network adapter. If you are not sure, check the line that bind your IP
    ifconfig_em1="inet 10.10.10.10 netmask 255.255.255.0"
    Network adapter name is the string after ifconfig_ (and before = )
  1. Set up client ovpn profile
    client
    tls-client
    pull
    dev tun
    proto udp
    remote IP-address-of-your-VPN 1194
    resolv-retry infinite
    nobind
    dhcp-option DNS 1.1.1.1
    user nobody
    group nogroup
    persist-key
    persist-tun
    key-direction 1
    tls-auth ta.key 1
    compress
    verb 3
    auth SHA512
    remote-cert-tls server
    <ca>
    content of /usr/local/etc/openvpn/server/ca.crt
    </ca>
    <cert>
    content of /usr/local/etc/openvpn/server/issued/client.crt
    </cert>
    <key>
    content of /usr/local/etc/openvpn/server/private/client.key
    </key>
    <tls-auth>
    content of /usr/local/etc/openvpn/server/ta.key
    </tls-auth>
    key-direction 1

Optional: (Enable Radius Authen)

  1. Install OpenVPN Radius Plugin
    cd /usr/ports/security/openvpn-auth-radius
    make install clean
  2. Copy Sample plugin configure to OpenVPN configuration directory
    cp /usr/local/share/examples/openvpn-auth-radius/radiusplugin.cnf /usr/local/etc/openvpn/server
  3. Edit /usr/local/etc/openvpn/server/radiusplugin.cnf. Find OpenVPNConfig and set to
    OpenVPNConfig=/usr/local/etc/openvpn/server/server.conf
    and bottom, find server { and change the port, IP and secret phase to
    server
    {
     # The UDP port for radius accounting.
    acctport=1813
     # The UDP port for radius authentication.
    authport=1812
     # The name or ip address of the radius server.
    name=IP-or-hostname.of.your.radius
     # How many times should the plugin send the if there is no response?
    retry=1
     # How long should the plugin wait for a response?
    wait=1
     # The shared secret.
    sharedsecret=secret-phase-for-free-radius
    }
  4. Edit Openvpn config file (server.conf). Add the following to the end of file
    plugin /usr/local/lib/radiusplugin.so /usr/local/etc/openvpn/server/radiusplugin.cnf
  5. Edit Client ovpn file and add the following line
    auth-user-pass

Dec 14 2022

FreeRadius enable Virtual site with SQL

  1. Create MySQL/ Postgresql Database and user
  2. import FreeRadius database schema in
    /usr/local/etc/raddb/mods-config/sql/main/mysql/schema.sql
    /usr/local/etc/raddb/mods-config/sql/main/postgresql/schema.sql
  3. edit sql configuration file and fill in database details
    /usr/local/etc/raddb/mods-enabled/sql

     server = "hostname-here"
     port = 3306
     login = "database-login-here"
     password = "password-here"
     radius_db = "database-name-here"
  4. if more than one database (for different application), copy the whole section, add an instance name and change the database details:
    sql {
    to
    sql instance1 {
  5. copy "default" configuration file to "virtual1" (or any name)
  6. Edit "virtual1" file. and make the following changes
    1. Change the virtual site name:
      server default {
      to
      server virtual1 {
    2. Change the port number
      port = 55555
    3. enable sql,
      find the following line
      #      sql
      and change to
      instance1
      "instance1" is the sql instance name added in step 4
  7. Add a client for this virtual host
    /usr/local/etc/raddb/clients.conf
    client your-device {
           ipaddr = 192.168.0.0/24
           secret = secretPhrase
           virtual_server = virtual1
    }

    your-device is profile name

ipaddr is IP address (or IP address range) for your device(s). If more than 1, need to use "|" to separate
secret is the passphrase to use the radius service
virtual_server is the virtual site name used in step 5.

  1. add user into the database
    insert into radusergroup (username, groupname, priority) VALUES ('username','groupname', 1);
    insert into radcheck (username, attribute, op, value) VALUES ('username', 'Cleartext-Password', ':=', 'password');
    {{code}}
    9. Restart radiusd
Tags:
 
Copyrighted by Pangnet.net