Last active
February 6, 2021 12:26
-
-
Save LarsenClose/b511084f7e40200db067f29e49fb095b to your computer and use it in GitHub Desktop.
Revisions
-
LarsenClose revised this gist
Feb 6, 2021 . 1 changed file with 19 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -268,6 +268,23 @@ Tried this config >ssh -p 1403 [email protected] kex_exchange_identification: read: Connection reset by peer *** I think this was with the ssh AttributeError: 'ListenThread' object has no attribute 'connection' ListenThread:118 INFO - [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1123) *** >telnet 172.17.0.1 ─$ telnet 172.17.0.1 Trying 172.17.0.1... Connected to 172.17.0.1. Escape character is '^]'. Linux 5.4.0+ (30c106e103c9) (pts/0) 30c106e103c9 login: toor Password: Login incorrect 30c106e103c9 login: -
Feb 6, 2021 . 1 changed file with 79 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -192,7 +192,82 @@ git clone https://github.com/The-Mostly-Muggles/HPotter.git git checkout integration git pull > cd docker_files > cd sshd > docker build -t debian:sshd . │ File: Dockerfile ───────┼─────────────────────────────────────────────────────────────────────────────────── 1 │ FROM debian:latest 2 │ EXPOSE 22 3 │ RUN apt update && apt -y install openssh-server && mkdir /var/run/sshd 4 │ RUN echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config 5 │ RUN service ssh restart 6 │ RUN echo 'root:toor' | chpasswd 7 │ CMD ["/usr/sbin/sshd","-D"] > cd telnetd > docker build -t debian:telnetd . │ File: Dockerfile ───────┼─────────────────────────────────────────────────────────────────────────────────── 1 │ FROM debian:latest 2 │ EXPOSE 23 3 │ RUN apt update && apt -y install inetutils-telnetd sudo 4 │ RUN echo 'telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd' >> /etc/ │ inetd.conf 5 │ RUN useradd foo 6 │ RUN usermod -aG sudo foo 7 │ RUN echo 'foo:bar' | chpasswd 8 │ CMD ["/usr/sbin/inetutils-inetd","-d"] Tried this config │ File: config.yml ───────┼─────────────────────────────────────────────────────────────────────────────────── 1 │ --- 2 │ container: 'httpd:latest' 3 │ listen_IP: '127.0.0.1' 4 │ listen_port: 8080 5 │ request_length: 4096 6 │ theads: 2 7 │ lines: 4 8 │ line_end: 9 │ - '\n' 10 │ - '\r' 11 │ socket_timeout: 10 12 │ --- 13 │ container: 'httpd:latest' 14 │ listen_IP: '127.0.0.1' 15 │ listen_port: 8081 16 │ request_length: 4096 17 │ TLS: true 18 │ theads: 2 19 + │ --- 20 + │ container: 'debian:sshd' 21 + │ listen_IP: '127.0.0.1' 22 + │ listen_port: 22:22 23 + │ request_length: 4096 24 + │ TLS: true 25 + │ theads: 2 26 + │ --- 27 + │ container: 'debian:telnetd' 28 + │ listen_IP: '127.0.0.1' 29 + │ listen_port: 23:23 30 + │ request_length: 4096 31 + │ TLS: true 32 + │ theads: 2 >ssh -p 1403 [email protected] kex_exchange_identification: read: Connection reset by peer >telnet 172.17.0.1 1342 Trying 172.17.0.1... telnet: Unable to connect to remote host: Connection refused -
Feb 6, 2021 . 2 changed files with 70 additions and 24 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -117,34 +117,80 @@ For each OS the contents of the 'wpa_supplicant.conf' file should be: * Lots more could be done but those most important > sudo reboot **optional** for ease of use for shortcuts ``` vim choice ---- #! /bin/bash -e filename=".choices" # see if there's a '-f filename' if [[ "$1" == "-f" ]] then # use it for the commands filename="$2" shift shift elif [[ ! -r $filename ]] then # otherwise, look in the current directory for a '.choices' file and # use that. if there isn't one here, look in parent directories until # there are no more parent directories. prefix=. while true do absolute=$(cd $prefix; pwd) if [[ -r "$absolute/$filename" ]] then filename=$absolute/$filename break fi if [[ "$absolute" = "/" ]] then echo "No $filename file found, exiting" exit 1 fi prefix=$prefix/.. done fi # if the user pre-supplied a number, use that. if [[ "$1" != "" ]] then a=$1 shift echo `sed -ne "$a,$a p" "$filename"` "$*" eval `sed -ne "$a,$a p" "$filename"` "$*" exit fi IFS=$'\n' # otherwise, give them a choice and remember it in their history. select CHOICE in `cat $filename` do echo "$CHOICE" >> ~/.bash_history eval $CHOICE $* break done ---- chmod +x choice sudo mv choice /usr/local/bin/ **optional** for ease of use for shortcuts git clone https://github.com/The-Mostly-Muggles/HPotter.git git checkout integration git pull This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,9 +1,9 @@ # Initial steps taken on Ubuntu 20.04 git clone https://github.com/The-Mostly-Muggles/HPotter.git git checkout integration git pull #### If this is going to be on a virtual instance or on a pi dedicated to this purpose I wouldn't worry about a virtual env for the python code. Just doing so because currently on one of my main development machines. -
Feb 6, 2021 . 1 changed file with 17 additions and 17 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -111,21 +111,12 @@ For each OS the contents of the 'wpa_supplicant.conf' file should be: > sudo nano /etc/ssh/sshd_config change lines > PermitRootLogin No > PasswordAuthentication No * Lots more could be done but those most important ~~> sudo sysctl -p~~ > sudo reboot @@ -137,16 +128,25 @@ For each OS the contents of the 'wpa_supplicant.conf' file should be: Almost all of these ^ are contradicting each other and not good I don't think. I'm dealing with some network debugging im stuck on but from here should be able to just (I'll restarted everything today at somepoint and sure it'll be fine after) > sudo apt update && sudo apt full-upgrade > sudo apt install vim git ~* docker is a little funky on pi, they have a helper script (should just be something like these)~ ~> curl -fsSL https://get.docker.com -o get-docker.sh~ ~> sudo sh get-docker.sh~ ~> sudo usermod -aG docker Pi~ ~* may need to start or enable the daemon as well~ ~> sudo systemctl enable docker~ **optional** ``` vim choice git clone https://github.com/The-Mostly-Muggles/HPotter.git -
Jan 28, 2021 . 1 changed file with 8 additions and 5 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -117,13 +117,16 @@ For each OS the contents of the 'wpa_supplicant.conf' file should be: * Lots more could be done but those most important * I think this is a local network issue I am having right now struck threw below ~~* Now for updates and programs but if you block ipv6 traffic on your network like myself to avoid dealing with it you may need to diable it on the pi, as I've found to recently be the case (https://www.leowkahman.com/2016/03/19/disable-ipv6-raspberry-raspbian/) > sudo nano /etc/sysctl.conf~~ ~~add this line~~ ~~net.ipv6.conf.all.disable_ipv6 = 1~~ ~~> sudo sysctl -p~~ > sudo reboot -
Jan 28, 2021 . 2 changed files with 28 additions and 7 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -11,33 +11,43 @@ * Image of the OS to flash on the SD card for the pi. Recommend the light weight headless (withouth desktop enviornment) Raspberry Pi OS Lite > https://www.raspberrypi.org/software/operating-systems/ > https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-01-12/2021-01-11-raspios-buster-armhf-lite.zip > linux or mac os ``` curl -O https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-01-12/2021-01-11-raspios-buster-armhf-lite.zip``` * check your hashsums > linux ```sha256sum 2021-01-11-raspios-buster-armhf-lite.zip``` > MacOS ```shasum -a 256 2021-01-11-raspios-buster-armhf-lite.zip``` insure ouput matches the websites (lite is currently 'd49d6fab1b8e533f7efc40416e98ec16019b9c034bc89c59b83d0921c2aefeef') * Program to flash the SD card, etcher works great > debian based distros ```sudo apt update && sudo apt install balena-etcher-electron``` > MacOS ```brew install balenaetcher``` > Download for any OS here: https://www.balena.io/etcher/ ### Bootstrapping * Run etcher, select OS image, select sdcard, flash sdcard * After flashing remount the card if needed and create file of name 'ssh' with zero content in /boot directory > linux ```touch /media/$USER/boot/ssh``` > MacOS ```touch /Volumes/boot/ssh``` > Windows create and save a file with name 'ssh' no extention in the /boot directory of the card * Unmount the card and plug everything in to go -unless you need wifi * > linux ```vim [or nano or whatever] /media/$USER/boot/wpa_supplicant.conf``` > MacOS ```vim [or nano or whatever] /Volumes/boot/wpa_supplicant.conf``` > Windows create and save a file with name 'wpa_supplicant.conf' no extention in the /boot directory of the card For each OS the contents of the 'wpa_supplicant.conf' file should be: @@ -55,9 +65,11 @@ For each OS the contents of the 'wpa_supplicant.conf' file should be: * Find the IP address of your pi, either logging into the network router or scanning the network will work fine * If you don't have nmap install it; the flags are -v verbose, -A aggressive (enables OS detection), -T4 the speed of the scan, 192.168.???.???, 10.?.?.? CIDR notation for your local network > nmap -v -A -T4 192.168.0.0/24 * If accessible to you it's probably faster to just login to your router in a browser at the gatway address > http://192.168.0.1 * SSH into the pi @@ -72,7 +84,7 @@ For each OS the contents of the 'wpa_supplicant.conf' file should be: > ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C "comments to distinguish this key" > ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -C "comments to distinguish this key" * if you like you can add the ssh-keys to your ssh-agent (on both mac and linux) > ssh-add * check keys were added @@ -81,7 +93,7 @@ For each OS the contents of the 'wpa_supplicant.conf' file should be: * Pass the your ssh-key to the raspberry > ssh-copy-id [email protected].??? * return to previous session to ensure ssh-key.pub is within ~/.ssh/authorized_keys > cat ~/.ssh/authorized_keys #### Config & Hardening This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -4,21 +4,30 @@ > cd HPotter > git clone [email protected]:drsjb80/HPotter.git #### If this is going to be on a virtual instance or on a pi dedicated to this purpose I wouldn't worry about a virtual env for the python code. Just doing so because currently on one of my main development machines. *pip install virtualenv; python3 -m venv venv; source venv/bin/activate* - didn't work for me, I think because of how the permissions structure builds in that case then needing to use sudo to run the program (or I just missed it) Instead I used: > sudo pip install virtualenvwrapper *appended these to my zshrc > vim .zshrc 58 │ #Virtualenvwrapper settings: 59 │ export WORKON_HOME=$HOME/.virtualenvs 60 │ VIRTUALENVWRAPPER_PYTHON=/usr/bin/python3 61 │ source /usr/local/bin/virtualenvwrapper.sh *Then the create; activate; upgrade pip; install requirements; run with full path for sudo use > mkvirtualenv venv1 > workon venv1 > python -m pip install -U pip > cd HPotter > pip install -r requirements.txt *I needed to add dependencies to both branches to get it running on Ubuntu -
Jan 28, 2021 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,10 +2,10 @@ ## Hardware * Raspberry Pi, anything would really work, for pi0 networking would need to be added and wifi isn't ideal on the pi0w but should work. * microSD card, 16-32gb very reasonably more than enough * Decent power cord, Raspberries are tough boards but not when it comes to inconsistent power supplies * Internet conection, ether hardwired preffered but wifi's also easy ## Software -
Jan 28, 2021 . 2 changed files with 158 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -26,4 +26,112 @@ insure ouput matches the websites (lite is currently 'd49d6fab1b8e533f7efc40416e > MacOS ```brew install balenaetcher``` > Download for any OS here: https://www.balena.io/etcher/ ### Bootstrapping * Run etcher, select OS image, select sdcard, flash sdcard * After flashing remount the card if needed and create file of name 'ssh' with zero content in /boot directory > linux ```touch /media/$USER/boot/ssh``` > MacOS ```touch /Volumes/boot/ssh``` > Windows create and save a file with name 'ssh' no extention in the /boot directory of the card * Unmount the card and plug everything in to go -unless you need wifi * > linux ```vim [or nano or whatever] /media/$USER/boot/wpa_supplicant.conf``` > MacOS ```vim [or nano or whatever] /Volumes/boot/wpa_supplicant.conf``` > Windows create and save a file with name 'wpa_supplicant.conf' no extention in the /boot directory of the card For each OS the contents of the 'wpa_supplicant.conf' file should be: country=US #change country if needed ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev update_config=1 network={ ssid="NETWORK-NAME" psk="NETWORK-PASSWORD" } ### Login add key * Find the IP address of your pi, either logging into the network router or scanning the network will work fine * If you don't have nmap install it; the flags are -v verbose, -A aggressive (enables OS detection), -T4 the speed of the scan, 192.168.???.???, 10.?.?.? CIDR notation for your local network > nmap -v -A -T4 192.168.0.0/24 * If accessible to you it's probably faster to just login to your router in a browser at the gatway address > http://192.168.0.1 * SSH into the pi > ssh [email protected].??? password: raspberry * change the password from default > passwd > leave session open * Generate SSH keys on host machine if you don't have them (currently two of the strongest key options) > ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C "comments to distinguish this key" > ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -C "comments to distinguish this key" * add the ssh-keys to your ssh-agent (on both mac and linux) > ssh-add * check keys were added > ssh-add -l * Pass the your ssh-key to the raspberry > ssh-copy-id [email protected].??? * return to previous session to ensure ssh-key is within ~/.ssh/authorized_keys > cat ~/.ssh/authorized_keys #### Config & Hardening * There are a ton of ways to continue to harden the pi's operating system, just going to go over some of the most significant* * After changing password make changes needed within raspi-config > sudo raspi-config + change gpu memory to 16 + set local to en_US rather than en_GB (use space bar to deselect) Be sure to select UTF-8 + Expand file system + finish -> reboot * Change ssh configurations, relogin through ssh > sudo nano /etc/ssh/sshd_config change lines > PermitrooRootLogin No > PasswordAuthentication No * Lots more could be done but those most important * Now for updates and programs but if you block ipv6 traffic on your network like myself to avoid dealing with it you may need to diable it on the pi, as I've found to recently be the case (https://www.leowkahman.com/2016/03/19/disable-ipv6-raspberry-raspbian/) > sudo nano /etc/sysctl.conf add this line net.ipv6.conf.all.disable_ipv6 = 1 > sudo sysctl -p > sudo reboot #### update, upgrade, get software (https://phoenixnap.com/kb/docker-on-raspberry-pi) (https://dev.to/rohansawant/installing-docker-and-docker-compose-on-the-raspberry-pi-in-5-simple-steps-3mgl) (https://withblue.ink/2020/06/24/docker-and-docker-compose-on-raspberry-pi-os.html) Almost all of these ^ are contradicting each other and not good I don't think. I'm dealing with some network debugging im stuck on but from here should be able to just (I'll restarted everything today at somepoint and sure it'll be fine after) > sudo apt update -y && sudo apt full-upgrade > sudo apt install vim git * docker is a little funky on pi, they have a helper script (should just be something like these) > curl -fsSL https://get.docker.com -o get-docker.sh > sudo sh get-docker.sh > sudo usermod -aG docker Pi * may need to start or enable the daemon as well > sudo systemctl enable docker This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,50 @@ # Initial steps taken on Ubuntu 20.04 > mkdir HPotter > cd HPotter > git clone [email protected]:drsjb80/HPotter.git *pip install virtualenv; python3 -m venv venv; source venv/bin/activate* - didn't work for me, I think because of how the permissions structure builds in that case Instead I used: > sudo pip install virtualenvwrapper *appended these to my zshrc > vim .zshrc export WORKON_HOME=$HOME/.virtualenvs export PROJECT_HOME=$HOME/Devel source /usr/local/bin/virtualenvwrapper.sh > mkvirtualenv venv1 > workon venv1 > python -m pip install -U pip > cd HPotter *I needed to add dependencies to both branches to get it running on Ubuntu 1 │ > geolite 2 dependency missing 2 │ > pyyaml also missing from dependency list ─$ cat requirements.txt ───────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── │ File: requirements.txt ───────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 1 │ SQLAlchemy 2 │ SQLAlchemy-Utils>=0.34.0 3 │ cffi 4 │ paramiko 5 │ docker 6 │ pyOpenSSL 7 │ pyyaml 8 │ python-iptables 9 │ maxminddb-geolite2 10 │ pyyaml > sudo /home/lclose/.virtualenvs/venv1/bin/python3 -m src ### Both branches will currently spin up containter threads listening at localhost:8080 and localhost:8081 + getting no response from the requests and from what I can see and a brief scan these are the only ports being exposed from the Hpot. + dev branch also throws an error about no config.yml but the config.yml from main is nearly identicle to the containers.yml of dev branch. -
Jan 28, 2021 . 1 changed file with 13 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,8 +10,20 @@ ## Software * Image of the OS to flash on the SD card for the pi. Recommend the light weight headless (withouth desktop enviornment) Raspberry Pi OS Lite > https://www.raspberrypi.org/software/operating-systems/ > https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-01-12/2021-01-11-raspios-buster-armhf-lite.zip > linux or mac os ``` curl -O https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-01-12/2021-01-11-raspios-buster-armhf-lite.zip``` * check your hashsums > linux ```sha256sum 2021-01-11-raspios-buster-armhf-lite.zip``` > MacOS ```shasum -a 256 2021-01-11-raspios-buster-armhf-lite.zip``` insure ouput matches the websites (lite is currently 'd49d6fab1b8e533f7efc40416e98ec16019b9c034bc89c59b83d0921c2aefeef') * Program to flash the SD card, etcher works great > debian based distros ```sudo apt update && sudo apt install balena-etcher-electron``` > MacOS ```brew install balenaetcher``` > Download for any OS here: https://www.balena.io/etcher/ -
Jan 28, 2021 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,17 @@ # Requirements ## Hardware * Raspberry Pi, anything would really work, for pi 0w networking would need to be added and wifi isn't ideal * microSD card, 16-32gb very reasonably more than enough * Decent power cord, Raspberries are tough boards but not when it comes to inconsistent power supplies * Internet conection, ether hardwired preffered but will also go over wifi setup ## Software * Image of the OS to flash on the SD card for the pi. Recommend the light weight headless (withouth desktop enviornment) Raspberry Pi OS Lite https://www.raspberrypi.org/software/operating-systems/ > https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2021-01-12/2021-01-11-raspios-buster-armhf-lite.zip