How to create a FreeBSD pkg mirror using bastille and poudriere

This a short how-to for creating a FreeBSD pkg mirror using BastilleBSD and Poudriere. on the jail host: Bastille is very active so make sure you switch to latest pkg mirror change pkg mirror to “latest” vim /etc/pkg/FreeBSD.conf FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/share/keys/pkg", enabled: yes } enable bastille sysrc bastille_enable=YES create virtual network bridge sysrc cloned_interfaces+=lo1 sysrc ifconfig_lo1_name="bastille0" service netif cloneup Create the following pf. [Read More]

Add password authentication to Elasticsearch 7.10 on FreeBSD 12.2

If you want/need to add password authentication to your FreeBSD Elasticsearch cluster (this should work on any FreeBSD with elasticsearch7) TLDR; (again) Add the following lines to your /usr/local/etc/elasticsearch/elasticsearch.yml: xpack.security.enabled: true xpack.security.transport.ssl.enabled: true and restart elasticsearch. service elasticsearch restart Make sure curl is installed: pkg install curl Link the installed Java into the bundled directory (this is neither recommended nor supported but it does the trick) mkdir -p /usr/local/lib/elasticsearch/jdk/bin ln -s /usr/local/bin/java /usr/local/lib/elasticsearch/jdk/bin/java And run the password setup utility (this might take up to 2 minutes) [Read More]

How to secure your Saltstack Salt Master using spiped

This is a short how-to for securing Saltstack communication via spiped. (most of it is based on the how-to I wrote on securing Elasticsearch with spiped) At first: install spiped FreeBSD pkg install spiped Debian/Ubuntu apt install spiped CentOS (fo those who haven’t migrated yet) vim /etc/yum.repos.d/spiped.repo [lsde-spiped] name=spiped repo baseurl=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/epel-7-$basearch/ type=rpm-md skip_if_unavailable=True gpgcheck=1 gpgkey=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/pubkey.gpg repo_gpgcheck=0 enabled=1 enabled_metadata=1 install spiped yum clean all yum install spiped generate symmetric encryption key dd if=/dev/urandom of=/root/saltpipe. [Read More]

Using FIDO2 Auth Keys (Yubikey, Solokeys) with MacOS and FreeBSD

OpenSSH 8.2p1 with FIDO2 support was recently added to MacOS (via Homebrew) and FreeBSD (via ports/pkg). Here’s a short how-to securely login to your FreeBSD servers via FIDO2 (Yubikey, Solokey et. al.). On your MacOS client: Open your terminal and install libfido2 and openssh (8.2p1) brew install openssh libfido2 Generate you ecdsa key with libfido2. Insert your FIDO2 usb stick and run (push the auth button on your key when prompted): [Read More]

How-to migrate your FreeBSD jails from iocage to bastille

Stop the running jail and export it: iocage stop jailname iocage export jailname Move the backup files (.zip and .sha256) into Bastille backup dir (default: /usr/local/bastille/backups/): mv /iocage/images/jailname_2020-03-26.* /usr/local/bastille/backups/ for remote systems you could use rsync: rsync -avh /iocage/images/jailname_2020-03-26.* [email protected]:/usr/local/bastille/backups/ Import the iocage backup file (use zip file name) bastille import jailname_2020-03-26.zip ```</pr```e> Set your new ip address and interface: vim /usr/local/bastille/jails/jailname/jail.conf interface = bastille0; ip4.addr = "192.168.0.1"; You can use you primary network interface instead of the virtual bastille0 interface as well if you know what you’re doing. [Read More]

Easy and lightweight jails with BastilleBSD

HowTo create jails with Bastille TDLR of https://github.com/BastilleBSD/bastille/ install bastille Bastille is very active so make sure you switch to latest pkg mirror vim /etc/pkg/FreeBSD.conf FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", mirror_type: "srv", signature_type: "fingerprints", fingerprints: "/usr/share/keys/pkg", enabled: yes } enable bastille sysrc bastille_enable=YES create virtual network bridge sysrc cloned_interfaces+=lo1 sysrc ifconfig_lo1_name="bastille0" service netif cloneup edit /etc/pf.conf (add the lines without #) ext_if="em0" set block-policy return scrub in on $ext_if all fragment reassemble set skip on lo table <jails> persist nat on $ext_if from <jails> to any -> ($ext_if) block in all pass out quick modulate state antispoof for $ext_if inet pass in inet proto tcp from any to any port ssh flags S/SA keep state add ZFS support (check zpool with “zpool list”) [Read More]

Install Redmine 3.4 on FreeBSD 11.2 with Apache, Passenger and MySQL

TLDR for Redmine on FreeBSD 11.2 install redmine and a bunch of dependencies UPDATE 2019/03/11 redmine pkg is currently not available on quaterly mirror (make sure you use latest branch in /etc/pkg/FreeBSD.conf) pkg install redmine apache24 mysql56-server mysql56-client rubygem-passenger-apache vim /usr/local/etc/apache24/httpd.conf add the following lines to your httpd.conf or Inlcudes/redmine.conf LoadModule passenger_module /usr/local/lib/ruby/gems/2.4/gems/passenger-6.0.0/buildout/apache2/mod_passenger.so PassengerRoot /usr/local/lib/ruby/gems/2.4/gems/passenger-6.0.0 PassengerRuby /usr/local/bin/ruby24 to use ssl uncomment the following lines and set Listen port to 443 LoadModule ssl_module libexec/apache24/mod_ssl. [Read More]

Secure Elasticsearch without X-Pack or SSL/TLS

HowTo Secure Elasticsearch using spiped on FreeBSD, Debian and CentOS Spiped makes it really easy to secure connections between clients and Elasticsearch databases. Keep in mind that the symmetric key (once compromised) can be used to intercept/mitm all connections. install spiped FreeBSD pkg install spiped Debian/Ubuntu apt install spiped CentOS vim /etc/yum.repos.d/spiped.repo [lsde-spiped] name=Copr repo for spiped owned by lsde baseurl=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/> epel-7-$basearch/ type=rpm-md skip_if_unavailable=True gpgcheck=1 gpgkey=https://copr-be.cloud.fedoraproject.org/results/lsde/spiped/pubkey.gpg repo_gpgcheck=0 enabled=1 enabled_metadata=1 install spiped [Read More]

Logstash 5 not starting on FreeBSD

Logstash services failes on FreeBSD (11.x)

[2018-11-06T12:24:56,663][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2018-11-06T12:24:56,664][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}

Did you add procfs/fdesc in /etc/fstab?

vim /etc/fstab
fdesc   /dev/fd      fdescfs       rw    0    0
proc    /proc        procfs        rw    0    0
mount -a

Saltstack 2018.x fails to start after OS upgrade

If your Salt Minion fails to start with [salt.utils.process:754 ][ERROR ][5542] An un-handled exception from the multiprocessing process > ‘SignalHandlingMultiprocessingProcess-1:59’ was caught: Traceback (most recent call last): File “/usr/local/lib/python3.5/dist-packages/salt/utils/process.py”, line 747, in _run return self._original_run() […] File “/usr/lib/python3.5/asyncio/base_events.py”, line 411, in run_forever ‘Cannot run the event loop while another loop is running’) RuntimeError: Cannot run the event loop while another loop is running You might be running Tornado version 5+ [Read More]