know-how:firewall

Differences

This page shows the differences between two versions of the wiki page.
know-how:firewall [2021/09/21 14:48] – [roadworker mfa - multiple factor auth] cc
know-how:firewall [2024/06/27 13:29] (current) – [internal dns zone] cc
Zeile 1: Zeile 1:
 +~~ODT~~
 FIXME FIXME
 ====== Features ====== ====== Features ======
Zeile 923: Zeile 924:
  
 exit $? exit $?
 +</code>
 +
 +  * **/etc/openvpn/roadworker-auth/totp_auth.sh**
 +  * TOTP Check mit **oathtool**
 +
 +<code>
 +#!/bin/bash
 +
 +
 +function bailout ()
 +{
 +  echo $1
 +  exit 1
 +
 +}
 +
 +AUTH_USERNAME="$username"
 +AUTH_PASSWORD="$password"
 +AUTH_TOTP_SECRET="/etc/openvpn/roadworker-auth/totp/$AUTH_USERNAME"
 +
 +
 +[[ $AUTH_USERNAME == "" || $AUTH_USERNAME == " " ]] &&  AUTH_USERNAME="---"
 +[[ $AUTH_PASSWORD == "" || $AUTH_USERNAME == " " ]] &&  AUTH_PASSWORD="---"
 +
 +
 +echo $AUTH_USERNAME | grep -P -q "^[A-Za-z0-9\.]+$"
 +
 +#2021-09-21 cc: Somehow malformed
 +[[ $? != 0 ]] && bailout "Username malformed"
 +
 +
 +#2021-09-21 cc: Somehow not 6 digits
 +echo $AUTH_PASSWORD | grep -P -q "^[0-9]{6}$"
 +
 +[[ $? != 0 ]] && bailout "Digits malformed"
 +
 +#2021-09-21 cc: This is tricky , if there's no secret file - it hasn't been created yet so auth succeeds
 +[[ ! -f $AUTH_TOTP_SECRET ]] && exit 0
 +
 +TOTP_SEED=$(cat $AUTH_TOTP_SECRET)
 +
 +DIGIT_CODE=$(oathtool -b --totp $TOTP_SEED)
 +
 +#env > /tmp/debug
 +#echo "u: -$AUTH_USERNAME-" >> /tmp/debug
 +#echo "p: -$AUTH_PASSWORD-" >> /tmp/debug
 +#echo "c: -$DIGIT_CODE" >> /tmp/debug
 +
 +[[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0
 +
 +exit 1
 +</code>
 +
 +
 +  * Um für bestimmten User **TOTP zu aktivieren**
 +
 +<code>
 +pwgen -0 -s -1 16 > /etc/openvpn/roadworker-auth/totp/username
 +</code>
 +
 +  * Dieser TOTP Seed , der nun unter **/etc/openvpn/roadworker-auth/totp/username** zB: **ABCABCBABCBCDFFG** muss dem entsprechenden User **sicher** übermittelt werden zB: über Signal/Whatsapp - er kann ihn zB: im **Google Authenticator** als eigenen Eintrag hinzufügen
 +
 +
 +  * Variante um bei bestehender zertifikatsbasierender Authentifizierung OTP zu aktivieren:
 +  * **für bestimmtes Gerät d.h. Zertifikat ** wird es obligatorisch und User können zum Zertifikat spezifiziert werden
 +  * **/etc/openvpn/roadworker-cert/roadworker-cert.conf**
 +<code>
 +...
 +auth-user-pass-verify /etc/openvpn/roadworker-cert/totp_auth.sh via-env
 +auth-user-pass-optional
 +script-security 3
 +....
 +</code>
 +  * **/etc/openvpn/roadworker-cert/totp_auth.sh**
 +<code>
 +#!/bin/bash
 +
 +
 +function bailout ()
 +{
 +   echo $1
 +   echo $1 | logger -t totp 
 +     exit 1
 +
 +    }
 +
 +    AUTH_USERNAME="$username"
 +    AUTH_PASSWORD="$password"
 +    AUTH_COMMON_NAME="$common_name"
 +    AUTH_TOTP_ROOT_SECRET="/etc/openvpn/roadworker-cert/totp/"
 +    AUTH_TOTP_SECRET="$AUTH_TOTP_ROOT_SECRET/$AUTH_COMMON_NAME/$AUTH_USERNAME"
 +
 +    #2021-10-14 cc: Certificate required
 +    echo $common_name | grep -P -q "^[A-Za-z0-9\.\-]+$"
 +
 +    [[ $? != 0 ]] && bailout "Common certificate Name malformed"
 +
 +    #2021-10-14 cc: IF directory with common name does not exist OTP is not activated
 +    [[ ! -d "$AUTH_TOTP_ROOT_SECRET/$AUTH_COMMON_NAME" ]] && exit 0
 +
 +
 +    echo $AUTH_USERNAME | grep -P -q "^[A-Za-z0-9\.]+$"
 +
 +    #2021-09-21 cc: Somehow malformed
 +    [[ $? != 0 ]] && bailout "Username malformed"
 +
 +
 +    #2021-09-21 cc: Somehow not 6 digits
 +    echo $AUTH_PASSWORD | grep -P -q "^[0-9]{6}$"
 +
 +    [[ $? != 0 ]] && bailout "Digits malformed"
 +
 +    #2021-09-21 cc: This is tricky , if there's no secret file - it has been created yet so auth succeeds
 +    #2021-10-14 cc: If common_name root path exists there must be a file for the user
 +    [[ ! -f $AUTH_TOTP_SECRET ]] && bailout "TOTP Secret not found - is needed"
 +
 +    TOTP_SEED=$(cat $AUTH_TOTP_SECRET)
 +
 +    DIGIT_CODE=$(oathtool -b --totp $TOTP_SEED)
 +
 +    #env > /tmp/debug
 +    #echo "u: -$AUTH_USERNAME-" >> /tmp/debug
 +    #echo "p: -$AUTH_PASSWORD-" >> /tmp/debug
 +    #echo "c: -$DIGIT_CODE" >> /tmp/debug
 +
 +    [[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0
 +
 +    exit 1
 +
 </code> </code>
 ===== roadworker openvpn wake on lan (wol) trigger ===== ===== roadworker openvpn wake on lan (wol) trigger =====
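Review bot: `/etc/openvpn/roadworker-auth/totp_auth.sh` fails open at `[[ ! -f $AUTH_TOTP_SECRET ]] && exit 0`: any username without a seed file under `/etc/openvpn/roadworker-auth/totp/` (never enrolled, or simply mistyped so that it matches no file) passes the second factor with any six digits, and nothing is logged. The roadworker-cert variant in the same hunk gets this right with `bailout "TOTP Secret not found - is needed"`; once enrollment is finished the first script should do the same, or at minimum send the bypass to `logger` so it is visible. Two smaller defects: the guard `[[ $AUTH_PASSWORD == "" || $AUTH_USERNAME == " " ]]` tests `AUTH_USERNAME` a second time instead of `AUTH_PASSWORD` (harmless only because the `^[0-9]{6}$` check follows), and the username pattern `^[A-Za-z0-9\.]+$` (and the common-name pattern with `\-` added) accepts values consisting only of dots such as `..`, which then take part in the path built into `AUTH_TOTP_SECRET`; the `-f` test happens to reject the resulting directory, but rejecting dot-only names explicitly, or checking that `realpath` of the file stays below the secrets directory, makes the intent clear. Finally, the comparison `[[ $DIGIT_CODE == $AUTH_PASSWORD ]]` against `oathtool -b --totp $TOTP_SEED` keeps no record of the last accepted time step, so a code observed on the wire (note that `via-env` with `script-security 3` hands the password to the script environment, which OpenVPN itself flags as potentially unsafe) can be replayed for the remainder of its 30-second window; storing the last accepted step next to the seed and refusing anything equal or older closes that gap, and the commented `env > /tmp/debug` lines should stay out of production since they would write the username and OTP to a file in /tmp readable by other users.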
Zeile 1011: Zeile 1141:
  
 </code> </code>
 +
 +====== unbound ======
 +  * Rekursiver DNS Resolver der DNSSEC validiert und auch dns over tls unterstützt
 +
 +===== troubleshoot =====
 +  * Wenns immer wieder dnssec troubles gibt / und keiner aktiv DNS spoofing betreibt :)
 +  * siehe **https://www.nlnetlabs.nl/documentation/unbound/howto-turnoff-dnssec/** / ** https://utcc.utoronto.ca/~cks/space/blog/sysadmin/UnboundNoDNSSEC ** 
 +
 +<code>
 +
 +1. Permissive mode
 +
 +Does not actually turn off dnssec, but stops the resolver from withholding bogus answers from clients. Resolution may be slow due to validation failures but can still proceed. Add to the unbound.conf file:
 +
 +server:
 +    val-permissive-mode: yes
 +
 +2. Remove trust anchors
 +
 +If you remove the trust-anchor definitions from the unbound.conf file, DNSSEC is not used for those domains. Related options:
 +
 +server:
 +    # trust-anchor-file:
 +    # auto-trust-anchor-file:
 +    # trust-anchor:
 +    # trusted-keys-file:
 +
 +3. Disable the validator module
 +
 +This also disables validation for other domains. In the unbound.conf file:
 +
 +server:
 +    module-config: "iterator"
 +
 +4. Stop a broken chain of trust
 +
 +To work around a broken chain of trust use a temporary item until the proper DS or DNSKEY records are published, put in the unbound.conf file:
 +
 +server:
 +    domain-insecure: "example"
 +
 +
 +</code>
 +
 +===== internal dns zone =====
 +  * zB: wenn intern ein AD Server benutzt wird für interne Domäne
 +
 +<code>
 +server:
 +..
 +..
 +    #2024-02-11 cc: if pannoniait.intern was used by a e.g. windows ad server
 +    private-domain: pannoniait.intern
 +    domain-insecure: pannoniait.intern
 +..
 +..
 +
 +#2024-02-11 cc: If pannoniait.intern was used e.g. by windows ad server
 +forward-zone:
 +   name: pannoniait.intern
 +   forward-addr: IP_DNS_SERVER
 +
 +</code>
 +
 +===== dns over tls =====
 +  * führt zu massiven DNS Performanceeinbruch FIXME performance + prefetch usw.
 +<code>
 +server:
 +..
 +..
 +    #2024-02-11 cc: The debian place where the bundle can be found
 +    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
 +..
 +..
 +forward-zone:
 +    name: "."
 +    forward-addr: 9.9.9.9@853#dns.quad9.net
 +    forward-addr: 149.112.112.112@853#dns.quad9.net
 +    forward-tls-upstream: yes
 +..
 +..
 +</code>
 +
 +====== Traffic Shaping - tc ======
 +  * FIXME - Großteil "man" Seiten https://wiki.archlinux.org/title/Advanced_traffic_control / https://tldp.org/en/Traffic-Control-HOWTO/ar01s06.html 
 +  * FIXME - PLAYGROUND - für bestimmten Traffic Bandbreite insgesamt einschränken , damit zB: ein Pool von Adressen eingeschränkt werden kann wie zB: Windows Updates :) entweder über iptables Markierungen oder über ipset Matches
 +<code>
 +#!/bin/sh -x
 +
 +# Maximum allowed downlink. Set to 90% of the achievable downlink in mbit
 +DOWNLINK=60
 +
 +# Interface facing the Internet
 +EXTDEV=wlp2s0
 +
 +# Load IFB, all other modules all loaded automatically
 +modprobe ifb
 +ip link set dev ifb0 down
 +
 +# Clear old queuing disciplines (qdisc) on the interfaces and the MANGLE table
 +tc qdisc del dev $EXTDEV root    2> /dev/null > /dev/null
 +tc qdisc del dev $EXTDEV ingress 2> /dev/null > /dev/null
 +tc qdisc del dev ifb0 root       2> /dev/null > /dev/null
 +tc qdisc del dev ifb0 ingress    2> /dev/null > /dev/null
 +iptables -t mangle -F
 +
 +# appending "stop" (without quotes) after the name of the script stops here.
 +if [ "$1" = "stop" ]
 +then
 +        echo "Shaping removed on $EXTDEV."
 +        exit
 +fi
 +
 +ip link set dev ifb0 up
 +
 +# HTB classes on IFB with rate limiting - default class 3:30 
 +tc qdisc add dev ifb0 root handle 3: htb default 30
 +
 +tc class add dev ifb0 parent 3:3 classid 3:30 htb rate 60mbit ceil 60mbit
 +tc class add dev ifb0 parent 3:3 classid 3:33 htb rate 10mbit ceil 10mbit
 +
 +# Packets marked with "2" on IFB flow through class 3:33
 +tc filter add dev ifb0 parent 3:0 protocol ip handle 2 fw flowid 3:33
 +
 +# Martin Devera, author of HTB, then recommends SFQ for beneath these classes:
 +tc qdisc add dev ifb0 parent 3:30 handle 30: sfq perturb 10
 +tc qdisc add dev ifb0 parent 3:33 handle 33: sfq perturb 10
 +
 +#https://speed.hetzner.de/1GB.bin
 +iptables -t mangle -A PREROUTING -s 88.198.248.254 -j MARK --set-mark 2
 +iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
 +
 +
 +
 +# Forward all ingress traffic on internet interface to the IFB device
 +tc qdisc add dev $EXTDEV ingress handle ffff:
 +tc filter add dev $EXTDEV parent ffff: protocol ip \
 +        u32 match u32 0 0 \
 +        action connmark \
 +        action mirred egress redirect dev ifb0 \
 +        flowid ffff:1
 +
 +
 +# Kein markieren mehr der Pakete / iptables fällt weg über ipset 
 +# root@mrWhiteGhost:/home/urnilxfgbez/Desktop# ipset create slowdown hash:ip
 +#root@mrWhiteGhost:/home/urnilxfgbez/Desktop# tc filter add dev ifb0 parent 3:0 protocol ip basic match 'ipset(slowdown src,dst)' flowid 3:33
 +#
 +#
 +#
 +#
 +
 +
 +
 +#root@mrWhiteGhost:/tmp# tc -s class show dev ifb0
 +#class htb 3:33 root prio 0 rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b 
 +# Sent 28375626 bytes 20582 pkt (dropped 0, overlimits 20488 requeues 0) 
 +# backlog 0b 0p requeues 0
 +# lended: 20582 borrowed: 0 giants: 0
 +# tokens: -16889 ctokens: -16889
 +#
 +#class htb 3:30 root prio 0 rate 60Mbit ceil 60Mbit burst 1590b cburst 1590b 
 +# Sent 1760229 bytes 3364 pkt (dropped 0, overlimits 884 requeues 0) 
 +# backlog 0b 0p requeues 0
 +# lended: 3364 borrowed: 0 giants: 0
 +# tokens: 3125 ctokens: 3125
 +
 +
 +
 +
 +exit 0
 +</code>
 +
 +
  
 ====== GeoIP - iptables matches ====== ====== GeoIP - iptables matches ======
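Review bot: in the tc script the intended HTB hierarchy never materialises: `tc class add dev ifb0 parent 3:3 classid 3:30 ...` and the 3:33 line both name a parent class 3:3 that is never created, and the pasted `tc -s class show dev ifb0` output confirms it, since both classes show up as `class htb 3:33 root` and `class htb 3:30 root`. They are therefore two independent root classes with 60mbit and 10mbit of their own, nothing caps the sum at the `DOWNLINK=60` the header promises, and the variable itself is unused because the rates are hard-coded. Add a parent class (for example classid 3:1 with `rate ${DOWNLINK}mbit ceil ${DOWNLINK}mbit`) and attach 3:30 and 3:33 to it so the slow class is shaped inside the shared ceiling; the `handle 2 fw flowid 3:33` filter and the ipset variant in the comments work unchanged. Also, `iptables -t mangle -F` flushes every mangle rule on the host rather than only the MARK/CONNMARK pair this script adds; give them a dedicated chain and flush just that. In the unbound troubleshooting block, `val-permissive-mode: yes` and `module-config: "iterator"` both remove the protection DNSSEC gives against spoofed answers for every zone, not just the one that is broken, so keep them as short-lived diagnostics and prefer `domain-insecure:` for the offending zone, which is option 4 in the same block and the directive the page already uses for `pannoniait.intern`.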
Zeile 1145: Zeile 1448:
    19   976 LOG        all  --  *      *       0.0.0.0/           0.0.0.0/           -m geoip --source-country CN,RS  LOG flags 0 level 4    19   976 LOG        all  --  *      *       0.0.0.0/           0.0.0.0/           -m geoip --source-country CN,RS  LOG flags 0 level 4
 </code> </code>
 +====== GeoIP - map-geoip.sh ======
 +  * GeoIP Lookup aus vorhandenen Logfiles / kann auch gepiped werden um vorher relevante Auszüge rauszugreppen
  
 +  * **map-geoip.sh**
 +
 +<code>
 +#!/bin/bash
 +
 +# cmd: foo=$(mmdblookup -f /usr/local/share/ip-db/dbip-country-lite.mmdb  -i 192.168.0.1 country iso_code 2>/dev/null)
 +
 +# https://download.db-ip.com/free/dbip-country-lite-2022-03.mmdb.gz 
 +
 +PATH_LOGS="/var/log/fw.log.1"
 +PATH_GEODB="/usr/local/share/ip-db/dbip-country-lite.mmdb"
 +
 +function bailout
 +{
 +        echo -e "$1" >&2
 + echo -e "\nUsage: $0 [LOGFILE_FIREWALLS]"
 + exit 2
 +
 +
 +}
 +
 +function lookup_geo
 +{
 + mmdblookup -f $PATH_GEODB  -i $1 country iso_code 2>/dev/null | grep -o -P "\"[a-zA-Z]{2}\"" | tr -d "\""
 +
 +}
 +
 +function lookup_ip
 +{
 +    echo $1 | grep -o -P "$2(([0-9]{1,3}\.)){3}[0-9]{1,3}" 
 +
 +
 +}
 +
 +[[ -r $PATH_GEODB ]] || bailout "Cannot read geodb database: $PATH_GEODB"
 +
 +
 +[[ -r "$1" ]] && PATH_LOGS="$1"
 +
 +[[ $1 == "-" ]] && PATH_LOGS="-"
 +
 +
 +[[ -r $PATH_LOGS || $PATH_LOGS == "-"  ]] || bailout "Cannot read path logs: $PATH_LOGS"
 +
 +
 +which mmdblookup >/dev/null || bailout "Cannot find mmdblookup please install\n"
 +
 +IFS=$'\n'
 +
 +while read foo ; 
 +do  
 +        LOG_SUFFIX=""
 + SRC_IP=""
 + DST_IP=""
 +
 + SRC_IP=$(lookup_ip $foo "SRC=" |tr -d "SRC=")
 + DST_IP=$(lookup_ip $foo "DST=" | tr -d "DST=" )
 +       
 + #echo "SRC: $SRC_IP"
 + #echo "DST: $DST_IP"
 +
 + if [ ${#SRC_IP} -gt 0 ] && [ ${#DST_IP} -gt 0 ]  
 + then
 + SRC_GEO=$(lookup_geo $SRC_IP)
 + DST_GEO=$(lookup_geo $DST_IP)
 +
 +                [[ -z $SRC_GEO  ]] && SRC_GEO="00"
 + [[ -z $DST_GEO ]] && DST_GEO="00"
 +
 + LOG_SUFFIX="SRC_GEO=$SRC_GEO DST_GEO=$DST_GEO"
 +
 +
 + echo "$foo$LOG_SUFFIX"
 + fi
 +
 +
 +done < <(zcat -f $PATH_LOGS )
 +</code>
 ====== WEB Module ====== ====== WEB Module ======
 +===== Blocks - Multi - IPSET =====
 +  * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können
 +  *  www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart / und die entsprechenden Berechtigungen für das Set File besitzen unter /etc/dnsmasq.d/ipset-foo.conf
 +  * **Achtung:** Wenn es eine Vielzahl an Sets gibt die mit dnsmasq befüllt werden sollen muss auf die dnsmasq Syntax geachtet werden **ipset=/hostname/set1/set2/set3** und nicht jeweils eine extra Datei für set1, set2, set3 
 +  * **merge-ipsets.sh**
 +
 +<code>
 +#!/bin/bash
 +function bailout
 +{
 +        echo -e "$1" >&2
 +        exit 2
 +
 +}
 +
 +which dnsmasq >/dev/null || bailout "Cannot find dnsmasq binary"
 +
 +
 +LOCATION_DNSMASQS="/etc/dnsmasq.conf /etc/dnsmasq.d/*"
 +TMP_LOCATION=$(mktemp)
 +FINAL_LOCATION="/etc/dnsmasq.d/ipset-master.conf"
 +
 +if [ ! -w $FINAL_LOCATION ] 
 +then
 + rm $TMP_LOCATION
 +
 + bailout "FAIL: Final config file: $FINAL_LOCATION cannot be written to "
 +
 +fi
 +
 +
 +grep -h  "^ipset=" $LOCATION_DNSMASQS  | cut -d"/" -f"2" | sort | uniq -c  | while read hosts ; 
 +do 
 + nr_matches=$(echo $hosts | awk '{print $1}')
 + host_entry=$(echo $hosts | awk '{print $2}')
 +
 +        if (($nr_matches > 1 ))  &&  [ -n $host_entry ] ; 
 + then
 +                 build_entry="ipset=/$host_entry"
 +
 + while read found_sets
 + do
 + build_entry+="/$found_sets"
 +
 + done <<< $(grep -h "^ipset=/$host_entry/" $LOCATION_DNSMASQS | cut -d"/" -f 3- | tr "/" "\n" | sort | uniq )
 +
 +
 + echo $build_entry >> $TMP_LOCATION
 +                echo $build_entry
 +
 + fi
 +  
 +
 +
 +done
 +
 +filesize_tmp=$(stat -c %s $TMP_LOCATION)
 +
 +if [ $filesize_tmp == "0" ]
 +then
 +
 +rm $TMP_LOCATION
 +
 +echo "No double ipsets found in $LOCATION_DNSMASQS"
 +
 +exit 0
 +
 +fi
 +
 +
 +
 +
 +
 +cmp -s $TMP_LOCATION $FINAL_LOCATION
 +
 +compare_ret="$?"
 +
 +if [ $compare_ret == "0" ]
 +then
 + rm $TMP_LOCATION
 +        echo "Current ipsets have already been merged"
 + exit 0
 +fi
 +
 +
 +dnsmasq --test --conf-file=$TMP_LOCATION 
 +
 +ipset_tests="$?"
 +if [ $ipset_tests != "0" ]
 +then
 + rm $TMP_LOCATION
 + bailout "FAIL: Malformed config file: $TMP_LOCATION"
 +fi
 +
 +#2022-02-21 cc: Keep Ownership intact
 +cat $TMP_LOCATION > $FINAL_LOCATION
 +
 +rm $TMP_LOCATION
 +
 +systemctl reload dnsmasq || bailout "FAIL: Cannot reload dnsmasq"
 +
 +
 +exit 0
 +</code>
 +  * {{ :know-how:ipset-master.zip |}}
 +
 ===== Blocks - IPSET ===== ===== Blocks - IPSET =====
   * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können   * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können
-  *  www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart+  *  www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart / und die entsprechenden Berechtigungen für das Set File besitzen unter /etc/dnsmasq.d/ipset-foo.conf
   * {{ :know-how:blocked-ipset.zip |}}   * {{ :know-how:blocked-ipset.zip |}}
  
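Review bot: `systemctl reload dnsmasq` at the end of merge-ipsets.sh does not activate the freshly written `ipset-master.conf`: dnsmasq's reload is a SIGHUP, which re-reads hosts and resolv files but not its configuration, `ipset=` lines included, so the validated file sits idle until the next restart; use `systemctl restart dnsmasq`, which is also what the sudo rule in the bullet above grants to www-data. Two quoting and idiom points: `[ -n $host_entry ]` is always true when the variable is empty because it degenerates to `[ -n ]`, so write `[ -n "$host_entry" ]`; and in map-geoip.sh `| tr -d "SRC="` deletes the characters S, R, C and = anywhere in the string rather than stripping the prefix, which only works because an IPv4 address contains none of them, so `${foo#SRC=}` or a lookbehind in the grep pattern says what is meant. On the privilege model described in both IPSET sections: granting www-data write access to a file under `/etc/dnsmasq.d/` together with a passwordless restart lets the web module control the whole dnsmasq configuration, including directives that run external programs (`dhcp-script=`, executed as root unless `scriptuser` is set), so a compromised web front end gets root on the firewall. Have the web module write to a staging file outside `/etc/dnsmasq.d/` and let a root-owned helper, which this merge script is a natural place for, accept only well-formed `ipset=` lines before copying them into the live directory and restarting the service.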
know-how/firewall.txt · Last modified: 2024/06/27 13:29 by cc