Easy and lightweight jails with BastilleBSD

HowTo create jails with Bastille

TLDR of https://github.com/BastilleBSD/bastille

Bastille is a very lightweight jail/container management tool for FreeBSD and HardenedBSD

install bastille

Bastille is very active, so make sure you switch to the latest pkg mirror

change pkg mirror to “latest”

vim /etc/pkg/FreeBSD.conf
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

enable bastille

sysrc bastille_enable=YES

create virtual network bridge

sysrc cloned_interfaces+=lo1
sysrc ifconfig_lo1_name="bastille0"
service netif cloneup

edit /etc/pf.conf (add the lines without #)

#ext_if="em0"

#set block-policy return
#scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)

#block in all
#pass out quick modulate state
#antispoof for $ext_if inet
#pass in inet proto tcp from any to any port ssh flags S/SA keep state

add ZFS support (check zpool with “zpool list”)

sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_enable=YES
sysrc -f /usr/local/etc/bastille/bastille.conf bastille_zfs_zpool=zroot #check with "zpool list"

bootstrap and create jail

bastille bootstrap 12.1-RELEASE
bastille create testjail 12.1-RELEASE 192.168.0.50
bastille start testjail

install packages and login

bastille pkg testjail install vim-console tmux
bastille console testjail

Have fun!

(c) Christer Edwards <github.com/BastilleBSD> (c) Sven R <github.com/hackacad>

Secure Elasticsearch without X-Pack or SSL/TLS

HowTo Secure Elasticsearch using spiped on FreeBSD, Debian and CentOS

Spiped makes it really easy to secure connections between clients and Elasticsearch databases.

Keep in mind that the symmetric key (once compromised) can be used to intercept/mitm all connections.

ESpiped

install spiped

FreeBSD

pkg install spiped

Debian/Ubuntu

apt install spiped

CentOS

edit /etc/yum.repos.d/spiped.repo

[lsde-spiped]
name=Copr repo for spiped owned by lsde
baseurl=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

install spiped

yum clean all
yum install spiped

generate symmetric encryption key

dd if=/dev/urandom of=/root/espiped.key bs=32 count=1

and copy the key file onto every client
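
Added example (not from the original post): dd creates the key with whatever umask the shell happens to have, so this sketch creates it under umask 077 and checks size and permissions before spiped is pointed at it. The function names make_spiped_key and check_spiped_key are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Create a 32-byte spiped key that is private from the moment it exists.
make_spiped_key() {
    key=$1
    if [ -e "$key" ]; then
        echo "refusing to overwrite $key" >&2
        return 1
    fi
    (
        umask 077   # file is created 0600, no window before a later chmod
        dd if=/dev/urandom of="$key" bs=32 count=1 2>/dev/null
    )
}

# Return 0 only for a regular file with >= 32 bytes and no group/other bits.
check_spiped_key() {
    key=$1
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "$key: not a regular file" >&2
        return 1
    fi
    size=$(( $(wc -c < "$key") ))   # arithmetic strips the padding BSD wc adds
    if [ "$size" -lt 32 ]; then
        echo "$key: only $size bytes of key material" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld -- "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$key: group/other access ($mode), fix with chmod 600" >&2
        return 1
    fi
    return 0
}

# Usage on the server, and the check again on each client after copying:
#   make_spiped_key /root/espiped.key     # server only
#   check_spiped_key /root/espiped.key
```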

run spiped on Elasticsearch database server

Spiped will listen on port 19200 and forward traffic to 9200 (TCP forwarding must be enabled)

spiped -d -s '[0.0.0.0]:19200' -t '[127.0.0.1]:9200' -k /root/espiped.key

run spiped on client

Spiped will listen on local port 9200 and forward to port 19200 on the Elasticsearch database server

spiped -e -s '[127.0.0.1]:9200' -t 192.168.0.10:19200 -k /root/espiped.key
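
Added example (not from the original post): the tunnel only protects traffic if Elasticsearch's plaintext port 9200 is bound to loopback on the server, so this check reads listener output and prints every non-loopback address bound to a given port. The function names and the sample listener table are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Names are hypothetical.

# Read `sockstat -4 -6 -l` (FreeBSD) or `ss -ltn` (Linux) output on stdin
# and print every local address bound to the port that is not loopback.
exposed_listeners() {
    port=${1:-9200}
    awk -v port="$port" '
    {
        for (i = 1; i <= NF; i++) {
            n = length($i) - length(port)
            # Only fields of the form <address>:<port> are of interest.
            if (n < 2 || substr($i, n) != (":" port)) continue
            addr = substr($i, 1, n - 1)
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") continue
            print addr ":" port
        }
    }'
}

# Constructed sockstat-style sample: Elasticsearch bound to all addresses
# next to the spiped listener on 19200.
sample_listeners() {
    cat <<'EOF'
USER          COMMAND  PID  FD  PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
elasticsearch java     812  210 tcp4   *:9200           *:*
elasticsearch java     812  211 tcp4   127.0.0.1:9300   *:*
root          spiped   901  3   tcp4   *:19200          *:*
EOF
}

# On the server:
#   sockstat -4 -6 -l | exposed_listeners 9200   # FreeBSD
#   ss -ltn | exposed_listeners 9200             # Debian/CentOS
# Any output means 9200 is reachable without going through spiped.
```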

Install Redmine 3.4 on FreeBSD 11.2 with Apache, Passenger and MySQL

Install Redmine 3.4 on FreeBSD 11.2 with Apache 2.4, Passenger 6.x, Ruby 2.4 and MySQL 5.6

TLDR for Redmine on FreeBSD 11.2

install redmine and a bunch of dependencies

UPDATE 2019/03/11: the redmine pkg is currently not available on the quarterly mirror (make sure you use the latest branch in /etc/pkg/FreeBSD.conf)

pkg install redmine apache24 mysql56-server mysql56-client rubygem-passenger-apache
vim /usr/local/etc/apache24/httpd.conf

add the following lines to your httpd.conf or Includes/redmine.conf

LoadModule passenger_module /usr/local/lib/ruby/gems/2.4/gems/passenger-6.0.0/buildout/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/2.4/gems/passenger-6.0.0
PassengerRuby /usr/local/bin/ruby24

#to use ssl uncomment the following lines and set Listen port to 443
#LoadModule ssl_module libexec/apache24/mod_ssl.so
#SSLEngine on
#SSLCertificateFile "/usr/local/etc/apache24/YOUR_SSL.crt"
#SSLCertificateKeyFile "/usr/local/etc/apache24/YOUR_SSL.key"

RailsEnv production
PassengerDefaultUser www
DocumentRoot /usr/local/www/redmine/public/
<Directory "/usr/local/www/redmine/public/">
    Allow from all
    Options -MultiViews
    Require all granted
</Directory>

enable the MySQL server

sysrc mysql_enable=YES
service mysql-server start
mysql -u root

If the authorization fails, check MySQL installation docs for FreeBSD (you might need to use the /root/.mysql_secret for -p option)

CREATE DATABASE redmine CHARACTER SET utf8;
#CREATE DATABASE redmine_dev CHARACTER SET utf8;
#CREATE DATABASE redmine_test CHARACTER SET utf8;

CREATE USER 'redmine'@'localhost' IDENTIFIED BY 'YourRedminePassword';

GRANT ALL PRIVILEGES ON redmine.* TO 'redmine'@'localhost';
#GRANT ALL PRIVILEGES ON redmine_dev.* TO 'redmine'@'localhost';
#GRANT ALL PRIVILEGES ON redmine_test.* TO 'redmine'@'localhost';
FLUSH PRIVILEGES;

configure the database connector

vim /usr/local/www/redmine/config/database.yml
production:
  adapter: mysql2
  database: redmine
  host: localhost
  username: redmine
  password: YourRedminePassword
  encoding: utf8

test:
  adapter: mysql2
  database: redmine_test
  host: localhost
  username: redmine
  password: YourRedminePassword
  encoding: utf8

development:
  adapter: mysql2
  database: redmine_dev
  host: localhost
  username: redmine
  password: YourRedminePassword
  encoding: utf8

do some magic ruby $#!+ and set permissions

cd /usr/local/www/redmine/
bundle install --without development test
bundle exec rake generate_secret_token
setenv RAILS_ENV production
setenv REDMINE_LANG en
bundle exec rake db:migrate
bundle exec rake redmine:load_default_data
mkdir -p tmp tmp/pdf public/plugin_assets
chown -R www:www files log tmp public/plugin_assets
chmod -R 755 files log tmp public/plugin_assets
find files log tmp public/plugin_assets -type f -exec chmod -x {} +

for testing: spawn ruby webserver

bundle exec rails server webrick -e production

for production: enable and start apache24

sysrc apache24_enable=YES
service apache24 start

Post Installation

Please make sure you set a password for mysql root, disable remote login (mysql_secure_installation) etc. (I don’t want to write install guide #362672, so just look at HowToForge)

Logstash 5 not starting on FreeBSD

Logstash service fails on FreeBSD (11.x)

No errors shown in logfile, just INFO outputs

[2018-11-06T12:24:56,663][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2018-11-06T12:24:56,664][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}

Did you add procfs/fdesc in /etc/fstab?

did you add:

vim /etc/fstab
fdesc   /dev/fd      fdescfs       rw    0    0
proc    /proc        procfs        rw    0    0
mount -a

Saltstack (2018) fails to start after OS upgrade

If your Salt Minion fails to start with

[salt.utils.process:754 ][ERROR   ][5542] An un-handled exception from the multiprocessing process 'SignalHandlingMultiprocessingProcess-1:59' was caught:
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/salt/utils/process.py", line 747, in _run
    return self._original_run()
[...]
  File "/usr/lib/python3.5/asyncio/base_events.py", line 411, in run_forever
    'Cannot run the event loop while another loop is running')
RuntimeError: Cannot run the event loop while another loop is running

You might be running Tornado version 5+

How to fix it?

pip3 uninstall tornado
pip3 install tornado==4.5.3

Run Elasticsearch 6.x on FreeBSD

Monitoring Feature is currently broken on FreeBSD

How to fix it?

vim /usr/local/etc/elasticsearch/elasticsearch.yml

add:

xpack.reporting.enabled: False

Run Elasticsearch 6.x in a FreeBSD Jail

If you try to run Elasticsearch in a Jail without an external IP address you might get an error like:

No up-and-running loopback addresses found, got [name:lo1 (lo1)]

How to solve it?

you need to bind your Elasticsearch to your Loopback address:

/usr/local/etc/elasticsearch/elasticsearch.yml:
network.host: 10.10.10.2

Shared object "libdl.so.1" not found

If you see the following error after pkg upgrade or pkg install {anypackage}

Shared object "libdl.so.1" not found 

Your FreeBSD version might be outdated. This currently happens on FreeBSD 11.1 if you use the latest/quarterly pkg mirror.

How to fix it?

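freebsd-update -r 11.2-RELEASE upgrade
# install the new kernel, then reboot into it
freebsd-update install
reboot
# after the reboot: install the new userland
freebsd-update install
pkg update && pkg upgrade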

pw: user 'username' disappeared during update

pw: user 'username' disappeared during update

How to fix it?

/usr/sbin/pwd_mkdb -p /etc/master.passwd

Hi there!

Another sysadmin blog?

Not exactly.

This is not a blog about another guy’s private life nobody cares about.

This page is just to share the snippets I’d been maintaining in my private Wiki.