CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new notes

Browse Source
This commit is contained in:
Petar Cubela
2025-03-18 14:23:17 +01:00
parent e6c2775f5f
commit 6c47451c60
58 changed files with 1648 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
projects/OPNsense/Initial-Notes/OPNsense-about.md
View File

@@ -1,11 +0,0 @@
**OPNsense** is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
OPNsense started as a fork of pfSense and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of bot m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project.
OPNsense offers weekly security updates with small increments to react on new emerging threats within in a fashionable time. A fixed release cycle of 2 major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.
## Mission Statement
> "Our mission is to make OPNsense the most widely used open source security platform. We give users, developers and business a friendly, stable and transparent environment.
> The project's name is derived from open and sense stands for: 'Open (source) makes sense.'"

43
projects/OPNsense/Initial-Notes/OPNsense-approxminated-service-time.md
View File

@@ -1,43 +0,0 @@
---
title: "OPNsense - Maintenance time estimate"
author: Petar Cubela
date: July 03, 2024
geometry: margin=1.5cm
output: pdf_document
---
## Intro
Let us roughly calculate the time needed to maintain a OPNsesne firewall.
Here we assumer that the firewall is already configured. Thus we are looking at standard maintenance of the device.
## OPNcentral
We are using OPNcentral which is able to monitor arbitrary numbers of OPNsense firewalls:
- it manually/automatically creates backups of all integrated firewalls
- backups can be read and compared for any firewall integrated in OPNcentral
- firmware, services and resources status of each OPNsense firewall can be managed via OPNcentral
- plugin configuration can be managed and send to each firewall via OPNcentral
## Time Consumption
- updates have to been done regularly which can be checked and updated for all firewalls simultaneously via OPNcentral (~ 1h per month for all firewalls!)
- in general the firewall will run flawlessly once setup without much interaction as long as nothing complicated has to be changed.
- changes in the configuration for known features should be in general simple (~1h per month for all firewalls!)
- changes for new plugins should take longer depending on the plugin but happens seldom (few/many days depending on plugin once each half year)
- OpenVPN integration is better integrated in Sophos. We will probably need to export the client configuration for each user (~ 1h per week for each firewall, depending on the number of users requiring vpn)
- there can be unexpected problems with the firewall in production use which we have to test and can not assess pre-usage (~ 1h per month a firewall)
### Estimation
- ~ 1h/month for updates
- ~ 1h/month for small config changes
- ~ up to days for configuring new desired plugins. happens once per year/half year?
- ~ 1h/month for vpn client export
- ~ 1h/month for unexpected issues/tickets
Which summarizes to **~ 4 hours per month** and more when new not-so-known plugins have to be configured.

38
projects/OPNsense/Initial-Notes/OPNsense-config.md
View File

@@ -1,38 +0,0 @@
## Intro
Start from beginning with factory settings.
### TODO
- [x] create sbxadmin user
- [x] Enable ssh
- [x] check wan is working
- [x] familiarize with Center management
- [x] manage opnsense via wan port (use DynDNS)
- [ ] try cluster of two opnsense nodes in proxmox
### Comments
- Very loooong boot times
## Enable LAN Bridge
Links to manuals:
- <https://docs.opnsense.org/manual/how-tos/lan_bridge.html>
- <https://kb.protectli.com/kb/how-to-enable-lan-bridge-in-opnsense/>
## Enable SSH
System -> Settings -> Administration -> Secure Shell
- **Check** Enable Secure Shell
- Login Group: wheel, admins
- **DO NOT** permit root user login
- Permit password login
- Changed ssh port to 69
## Central Management
Follow: <https://docs.opnsense.org/vendor/deciso/opncentral.html>

8
projects/OPNsense/Initial-Notes/OPNsense-config_summary.md
View File

@@ -1,8 +0,0 @@
## DONE
- general settings
- SSH settings
- Networkflow config (optional??)
- Setup OpenVPN (authentication via local database)
- local backup for OPNcentral
- backup for hosts via OPNcentral

16
projects/OPNsense/Initial-Notes/OPNsense-future.md
View File

@@ -1,16 +0,0 @@
- mailgateway
- reverse proxy (web application firewall)
- ssl/tsl inspection and decryption
- VPN authentication via Active Directory
## TODO
- [x] setup simple web server on a virtual linux machine
- [x] setup smtp in a virtual linux machine
- [x] set the test sever in opnsense's network
## Notes
VPN: Jan passwd: itKE=-gcbXN.=46

3
projects/OPNsense/Initial-Notes/OPNsense.md
View File

@@ -1,3 +0,0 @@
[[OPNsense-about]]
[[OPNsense-config]]
[[OPNsense-config_summary]]

4
projects/OPNsense/Initial-Notes/OPNsense_IDS-and-IPS.md
View File

@@ -1,4 +0,0 @@
## Introduction
An _Intrusion Detection System_ (IDS) watches network traffic for suspicious patterns and can alert operators when a pattern matches a database of known behaviors.
An _Intrusion Prevention System_ (IPS) goes a step further by inspecting each packet as it traverses a network interface to determine if the packet is suspicious in some way. If it matches a known pattern the system can drop the packet in an attempt to mitigate a threat.

38
projects/OPNsense/apsa-pfsense_vs_opnsense/setup-notes.md
View File

@@ -1,38 +0,0 @@
## Location
Schwanthalerstr. 106
Backup key: f2e3e44045f5da80fa7cfd2ccf38c4b03686764715398c20f538d12817670b63
## Questions
- Ist the VLAN tag 7 for the pppoe manually set
- Gast interface ipv6 prefixx id of 1 not working
- do we need router advertisement?
## Credentials
### PPPoe
![ppp confitg](/files/apsa/pfsense_ppp-setup.png)
- username: vdsl.vodafone/bi9442189781-static
- password: cnh2bWJ3Y2w= (hashed via base64)
### DynDNS
- username: apsa-muc.spdns.de
- password: YnptYi11ZGd1LWJ2d2I= (hashed via base64)
## Config in place
- PPPoe
- DynDNS
## Pass
pfsense/opnsense local: admin, pass: xfapimsgwztkojrulqeb
pfsense/opnsense rz: admin, pass: xfapimsgwztkojrulqeb

21
projects/OPNsense/opnsense-bussines-edition.md
View File

@@ -1,21 +0,0 @@
## Intro
[Source](https://docs.opnsense.org/be.html#)
> A mission critical version of the well-known OPNsense firewall.
> The Business Edition offers additional safeguards where functional changes are being included in a more conservative manner and feedback has been collected from development and community.
> Offering specific business-oriented features and third party security verification. Currently, the only open source LINCE compliant firewall.
> - Mission critical
> - LINCE compliant (security verification by trained third party independent professionals)
> - Commercial firmware repository
> - Free GeoIP database
> - Official OPNsense Open Virtualisation Image
> - Central Management, including easy one click remote host access, provisioning and monitoring.
> - Web Application Firewall
> - Free E-Book (English & German)
### More Information
- [Central Management](https://docs.opnsense.org/vendor/deciso/opncentral.html)
- [Web Application Firewall](https://docs.opnsense.org/vendor/deciso/opnwaf.html)
- [Extended Blocklist](https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html)

17
projects/OPNsense/opnsense-central-management.md
View File

@@ -1,17 +0,0 @@
## MyNotes
- It is advised to generate proper certificates for the machines.
## Installation
Install `os-OPNcentral` under System->Firmware->Plugins
## Register new hosts
- Generate an API key and secret from the machine which should be granted access to.
- API keys are managed in the user manager
-
## Provisioning Classes

62
projects/OPNsense/opnsense-checklists.md
View File

@@ -1,62 +0,0 @@
## Sbx Office IP
- 213.160.17.142/28
- 213.160.17.141
## Generic Checklist
- [x] Set WAN - generic DHCP
- [x] Set LAN - generic 192.168.1.1
- [x] timezone: Europe/Berlin
- [x] Set Hostname (OPNsense) , domain name (localhost)
- [x] ntp server
- [x] static dns setup
- [x] std sbxadmin user
- [x] enable assess log (system -> settings -> administration)
- [x] LAN Bridge - generic all ports in bridge except igc1 (second port) is WAN port
- [x] enable ssh: enable, DO NOT permit root login, permit password login, port: 22
- [ ] firewall rules (LAN, WLAN, WLAN Guest {drop packets to LAN} ), std port activation
- [ ] local backups
- [ ] add office public ip as trusted (wan only reachable via office ip)
### Optional
- [x] web filtering
- [x] http scanning
- [ ] application control
- [x] ssl/tls inspection
- [ ] ssl certificates
### Mandatory Plugins
- [x] OPNcentral (for central management)
## Special Checklist
- [ ] add license TO: system -> firmware -> settings
- [ ] WAN - static config or pppoe or whatever
- [ ] LAN - ip network
- [ ] domain name (gw.domain.tld)
- [ ] ldap server config
- [ ] system update on first boot! (WITH BUSSINES LICENSE)
- [ ] setup dhcp server if used
- [ ] connect to opncentral
- [ ] create backups to opncentral
- [ ] setup ldap server
- [ ] setup openvpn server with authentication via ldap
## OPNsense Importer
> "All Full Images have the OPNsense Importer feature that offers flexibility in recovering failed firewalls, testing new releases without overwriting the current installation by running the new version in memory with the existing configuration or migrating configurations to new hardware installations."
- Create generic standard config to import at each customer install.
## OPNcentral Provisioning
We can use OPNcentral to provision the configuration of the customer's device, which is probably more useful than using the importer. Has to be tested.
## Notes
- ATTENTION: On first initial install bussines license has to be configured before updating!!
- DNS Servers: Cloudflare

86
projects/OPNsense/opnsense-frankeriger-current.md
View File

@@ -1,86 +0,0 @@
## Intro
The customer Franke Rieger Architekten is currently using a Sophos XG 106 firewall. The firewall is not anymore supported in the future or simply broken.. I dont know and care.
The Sophos thingy should be replaced by a OPNsense solution. In order to do this we try to reproduce the Sophos configuration as neatly as possible. Although it will be very hard.
### Plugins
- os-OPNcentral
- os-squid
- os-clamav
- os-c-icap
- os-acme-client
## Sophos features to reproduce
### Network
- [x] LAN port has a static network of: 192.168.9.254/24
- [x] default dhcp at br-lan: from 192.168.9.123 - 192.168.9.127
- [ ] WAN port has a static ip of: 192.168.99.253/24 (Speedport before firewall)
- [ ] ipv4 gateway: Name: Speedport, IP: 192.168.99.254, Interface: WAN port, Health check: on
- [x] DNS request route configured : Host/domain name: ffr.local, Target Servers: frr-srv-dc02.frr.local. OPNsense analogue: UnboundDNS -> Query Forwarding. (this is a config required for ad integration)
- [x] DNS servers are: itself, and choose arbitrary monopolistic techgiant
- [ ] ssl cert via acme (http-challenge), needs only to be enabled in ui and cert issued
### Authentication
- [x] Require MFA for: user portal, web admin console
- [ ] setup ad as "server" in opnsense
- [ ] import users form ad!!! (I hope it works...)
#### Not required
- [y] Kerberos for authenticating non-AD users (web authentication??)
- [y] captive portal
### Miscellaneous
- [x] sophos antivirus alternative (clamav + c-icap + squid web proxy)
- [x] SSL VPN - Needs to be tested properly
- [x] using SSL/TLS inspection with squid (transparent web proxy)
## Firewall rules to reproduce
- [x] allow VPN access to LAN network (any service) (web proxy) (ips: general policy) (waf)
- [x] allow LAN access to WAN network (dhcp. dns. ftp. http. https. icmp. icmpv6. imap(s). Jimdo-Mail??. ntp. ping. pop3(s). smtp. smtp(s). Teamviewer. ) (scan http and decrypted https, scan ftp for malware, use web proxy) (ips: general policy) (waf)
- [ ] service alias for imap(s), jimdo-mail, pop3(s), smtps_465, Teamviewer
- [x] allow wan access over https and ssh only via office ip (213.160.17.158) (in sophos jargon: "local service ACL exception rule" )
## IPS
- [x] default general policies
- [x] built-in [suricata](https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/)
## Web Proxy
- [x] risky downloads, suspicious, nudity and adult content, not suitable for the office, bandwidth-heavy browsing, unproductive browsing, not suitable for schools
- [x] https encryption
- [x] managed TLS exclusion list (corresponds to "SSL no bump sites" under Services -> Squid Web Proxy -> Administration, General Forwarding Settings under Froward Proxy list)
### Optional
The following features are too complicated and thus only optional.
## Web application firewall
- [ ] too complicated
## Wireless
- [ ] does it need to be configured on opnsense???
## Mail protection
- [y] scan ~~outgoing~~ incoming mails for malware (why??)
## Web Server
- not used

5
projects/OPNsense/opnsense-planing.md
View File

@@ -1,5 +0,0 @@
1. Learn Central Management
2. Include firewall to OPNcentral
3. Setup acme for ssl/ setup OPNWAF with acme included
4. Provision OPNsense Firewall via central management

40
projects/OPNsense/opnsense-proposal-draft.md
View File

@@ -1,40 +0,0 @@
## Introduction
Goal: Propose a UTM firewall based on the opnsense operating system to the customer.
Make "Bundles" including different kind of features with different price tags:
### Features
#### Main
- Base setup (routing, generic config, firewall rules, vlans, authentication via ad, etc...)
- VPN (standard OpenVPN)
- Free SSL certs (via ACME and Lets Encrypt) with auto-renewal
- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL inspection, managed TLS exclusion, https de-/encryption) (!NOTE!: opnsense ca needs to be trusted from every client, which can be distributed by a GPO rule)
- Extend Feature of OPNsense Antivirus (with clamav + c-icap)
- IDS/IPS Protection via Suricata
#### Not implemented yet
- Mail Protection via Mail Relay on OPNsense
- WAF
#### Optional
- DynDNS
- Backup of config to google cloud, git or nextcloud (standard is backup locally and to opncentral)
- `OPNProxy`-Plugin extends Web Proxy to fine grained control of user/group access to certain domains/urls
### Bundles
#### Level 1
- Base
- VPN
- SSL certs (can be managed centrally by opncentral and pushed to specific customers when needed)
#### Level 2
- Web Proxy + Antivirus
- IDS/IPS Protection
#### Level 3
- Mail Protection
- WAF

38
projects/OPNsense/opnsense-utm-features/opnsense-ids_ips-suricata.md
View File

@@ -1,38 +0,0 @@
## Source
- <https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/>
- <https://docs.opnsense.org/manual/ips.html>
## Introduction
> "The Intrusion Prevention System (IPS) system of OPNsense is based on Suricata and utilizes Netmap to enhance performance and minimize CPU utilization. This deep packet inspection system is very powerful and can be used to detect and mitigate security threats at wire speed."
## Initial Settings
1. Got to "Services > Intrusion Detection > Administration" which defaults to the "Settings" tab
2. Click the "Enable" checkbox to activate intrusion detection
3. Activate IPS by checking "IPS mode"
4. Optional: If using VLANs, check the "Promiscuous mode" checkbox
5. Set the pattern matcher as "Hyperscan"
6. As Interface choose "LAN" to monitory the local network traffic
7. When finished click "Apply" to save the settings.
Even though intrusion detection is enabled nothing will happen until we have
downloaded some rule sets and configure at least one policy.
Below you see a picture of the network configuration:
![img1](opnsense/idsips/settings.png)
## Downloading and Enabling Rulesets
**(NOTE FOR ME: It has yet too be decided which rules we will use eventually. This
also depends on the specific customer' needs.)**
1. Change to the "Download" tab.
2. Select all pre-defined lists (depends on customer' needs) and click on "Enable
selected" and directly after "Download & Update Rules"
3.
![img2](opnsense/idsips/downloads.png)
## Creating a Policy

3
projects/OPNsense/opnsense-utm-features/opnsense-lets_encrypt.md
View File

@@ -1,3 +0,0 @@
## Source
- <https://homenetworkguy.com/how-to/replace-opnsense-web-ui-self-signed-certificate-with-lets-encrypt/>

15
projects/OPNsense/opnsense-utm-features/opnsense-utm-checklist.md
View File

@@ -1,15 +0,0 @@
## UTM Configuration
- [x] ids/ips (suricata)
- [ ] web proxy
- [ ] antivirus
- [ ] openvpn
- [ ] acme
- [ ] mail protection
- [ ] waf
## Non-common
- [ ] VLAN
- [ ] LAGG

31
projects/VZ/Rezept-Installation.md Normal file
View File

@@ -0,0 +1,31 @@
## Source
- [unattended Winstall - Github](https://github.com/memstechtips/UnattendedWinstall)
- [answer files](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs?view=windows-11)
- [unattended-generator](https://schneegans.de/windows/unattend-generator/)
## 20250303 - Todo
- [ ] Zertifikat (VZBY_SecurityAppliance_SSL_CA.cer) einfuegen
- [ ] Vantage Tool Installieren im Userkontext
- [ ] Energiesparmodus bei Netzbetrieb auf 'nie' setzen
- [ ] Freigabe [\\vzby-srv-fp01\install$](file://vzby-srv-fp01/install$) (nur als Domain-Admin) mappen wäre praktisch…
- [ ] SW - M365, MS Teams, PDF24, Sophos Connect, Sophos Endpoint Agent, Firefox, Acrobat Reader, Teamviewer QS aus Public Desktop, Netlogon Script als Verknuepfung auf Plublic Desktop
- [ ] SW in Userkontext - SBX-Generator
- [ ] Taskleiste:
- [ ] ausblenden von: Copilot, Store, Outlook New
- [x] Suchefeld auf "nur Suchsymbol setzen"
- [ ] Aktive Anwendungen auf "aus"
- [x] Taskleiste auf "links" verschieben
- [ ] Sophos Connect (wenn installiert), auf "dauerhaft" im SysTray platzieren
## Rezept
The steps we want to implement:
1. Win 11 OS autoinstall - the idea is to use Microsoft's own "Answer files" and install NinjaOne Agent autmatically
2. Change Computername
3. AD coupling - it probably possible to also use the Answer files for this
4. SW Installation - Use NinjaOne
5. OS and SW Configuration and Personalization - Use NinjaOne

1
projects/VZ/Win11-autoinstall-iso.md
View File

@@ -22,6 +22,7 @@
## VZ requirements
- Kein Secure Boot benoetigt
- USB sticks anzahl
### User

149
projects/discopharma/20250310-Next_Steps.md Normal file
View File

@@ -0,0 +1,149 @@
## Goal
Setup a metabase instance via docker with https support and a professional Deployment Pipeline
## Questions
- Separate Reverse Proxy or local Web Server enough??
- Exisiterende SSL Zertifikate nutzen?
- Kriege ich irgendwie Zugang?
### 20250311
- How many users?
- What is the old db software? Maybe we can reuse it? Are there backups of the old database ?
- DNS Verwaltung
- is the metabase version a requirement?
## Meeting-20250311
Teilnehmer: Lukas Maas, Milos Nikolic, Petar Cubela
### Answers
- DB: MySQL. Backup dump exist.
- Version needs to be 0.49.18
- 20 people
- Existing certs
- Use Reverse Proxy
- I will get access to the machines
### My Time/ Steps
1. Databse Instance MySQL (0.5h -1h)
2. Metabase (.50 h)
3. VM R2verse Proxy (.50 h)
4. Find and Test the recreation of the data/dashboard database (metabase.db/) (1-2h)
5. write overwivew network setup (ip address, open ports in firewall, metabase.discopharma.de -> public ip ) (1h)
6. Recreate in discopharma setup: (2-3h)
1. dns setup properly
2. network setup properly
3. creation of the VMs (oeither discopharma or me)
4. Installation process (db exist, docker deployment of metabase, reverse proxy)
5. Test
## List of requirements regarding Metabase deployment (discopharma)
1. Find or create backup of Metabase Dashboard data within Docker image on the old machine (marketplace image that was compromised, or a previous image of it)
2. Solution architecture that obeys to best practices of security, so that
- DISCO employees can connect to a DISCO-internal metabase application using a web browser and the URL “metabase.discopharma.de”
- The application is not exposed to the public
- All connections to the application are encrypted (https)
3. Solution architecture that includes a
- Productive instance (highest priority)
- Development/sandbox instance (lower priority)
- A process to deploy upgrades of the application (lower priority)
4. Metabase version 0.49.18
## Requirements
- properly configured and firewalled google cloud; VMs should only be able to communicate via private IPs!
- VM in google cloud for the metabase instance; Public IP address, port 80 and 443 forwarded; 1 cores, 2GB RAM (depends on user number)
- VM in google cloud for the metabase database instance; Private IP address; 1 cores, 1GB RAM (depends on user number); PostgreSQL
- Use existing SSL certs(??) with web server/reverse proxy like nginx/traefik/etc
## Software
- Debian 12
- Docker
- Metabase
- PostgreSQL
- Traefik/Nginx (depends)
## Notes
### 20250311
- <https://www.metabase.com/learn/metabase-basics/administration/administration-and-operation/metabase-in-production#metabase-application-server-size>
- Run separate database (PostgreSQL) and application server instances
#### Metabase application server size
- Metabase needs at least 1 core and 1GB of RAM
- For every 20 concurrent people it needs 1CPU and 2GB of RAM
#### Metabase application database server size
- Database needs at least 1 core and 2GB of RAM
- For every 40 concurrent people it needs 1CPU and 1GB of RAM
## docker-compose.yml example
```yml
services:
metabase:
image: metabase/metabase:latest
container_name: metabase
hostname: metabase
restart: unless-stopped
volumes:
- /dev/urandom:/dev/random:ro
- "./metabase-db:/metabase.db"
- ./plugins:/plugins
ports:
- 3000:3000
environment:
JAVA_TIMEZONE: Europe/Berlin
MB_DB_FILE=/metabase.db
MB_DB_TYPE: postgres
MB_DB_DBNAME: metabase
MB_DB_PORT: 5432
MB_DB_USER_FILE: /run/secrets/db_user
MB_DB_PASS_FILE: /run/secrets/db_password
MB_DB_HOST: postgres
networks:
- metanet1
secrets:
- db_password
- db_user
healthcheck:
test: curl --fail -I http://localhost:3000/api/health || exit 1
interval: 15s
timeout: 5s
retries: 5
postgres:
image: postgres:latest
container_name: postgres
hostname: postgres
restart: unless-stopped
environment:
POSTGRES_USER_FILE: /run/secrets/db_user
POSTGRES_DB: metabase
POSTGRES_PASSWORD_FILE: /run/secrets/db_password
networks:
- metanet1
secrets:
- db_password
- db_user
networks:
metanet1:
driver: bridge
secrets:
db_password:
file: db_password.txt
db_user:
file: db_user.txt
```

65
projects/discopharma/20250311-metabase-environment.md Normal file
View File

@@ -0,0 +1,65 @@
## VM Ressources and Setup
The listed IP Addresses are only example values here and can be chosen on your judgement. Important is that the machines can communicate with each other.
### MySQL Database
- Name: MySQL Database
- OS: Debian 12
- hostname: db.discopharma.de (unimportant)
- IP Address: 10.156.0.5/24
- CPU: 1 core
- RAM: 2 GB (2048 MB)
- Storage: depends (30 GB)
- DNS entry: none
- Note: for every 40 concurrent users: needs 1CPU and 1GB of RAM more
### Metabase Server
- Name: Metabase Server
- OS: Debian 12
- hostname: mb.discopharma.de (unimportant)
- IP Address: 10.156.0.6/24
- CPU: 1 core
- RAM: 1 GB (1024 MB)
- Storage: depends (30 GB)
- DNS entry: none
- Note: for every 20 concurrent users: needs 1CPU and 2GB of RAM more
### Reverse Proxy
- Name: Reverse Proxy
- OS: Debian 12
- hostname: rproxy.discopharma.de (unimportant)
- IP Address: 10.156.0.7/24 + \<PUBLIC IP\> address (only activated in the end)
- CPU: 1 core
- RAM: 1 GB (1024 MB)
- Storage: depends (16 GB)
- DNS entry: metabase.discopharma.de -> \<PUBLIC IP\>
- Note: for every concurrent users: needs 1CPU and 2GB of RAM more
## SSL/TSL certificates
- we need the discopharma wildcard certificate placed on the Reverse Proxy
- usually two files enough called `privkey.pem` and `fullchain.pem`
- you can put all the cert files on the reverse proxy and we will then use only the needed ones or convert them in the process if necessary
## Firewall Setup
I list all necessary communications and respective ports needed:
(Abbreviations:
- Databse: db = 10.156.0.5
- Metabse: mb = 10.156.0.6
- ReverseProxy: rp = 10.156.0.7)
| Source | SourcePort | Destination | DestPort | Description |
| ------------- | ----------------- | --------------- | ----------------- | ------------------------------------------------------------------------------------------- |
| mb | 3306/tcp | db | 3306/tcp | 3306 is the standard mysql port. Communication of mb to db |
| rp | 3000/tcp,3000/udp | mb | 3000/tcp,3000/udp | 3000 is the metabase web port (arbitrary). Reverse Proxy sends request via this port to mb. |
| OPEN INTERNET | any | PUBLIC IP of rp | 443/tcp | 443 is the https port to communicate to rp over internet |
You could also limit the access to the public ip such that only your company ip can reach it. The 443 port should be opened as the last thing when everything is done.
When the VMs are in the same private network, they should be able to openly communicate with each other; the first two entries in the table should be already open.

19
projects/discopharma/20250312-metabase-deployment.md Normal file
View File

@@ -0,0 +1,19 @@
## Metabase Instance
### Requirements
- [x] unattended-updates
- [x] docker
### Database
- name: metabase
- user: metabase
- pass: /E^bOu|<C{Y{bZu
### Reverse Proxy
- [x] unattended-updates
- [x] fail2ban
- [x] nginx

11
projects/discopharma/20250317-finishing-meeting.md Normal file
View File

@@ -0,0 +1,11 @@
## To do's:
- Cloud SQL dump load and user mgmt (Miloš)
- Docker licensing (Lukas)
- backup procedure for MB application db (Petar)
- Documentation/ manual (Petar)
- For example,
- how deployment works,
- what docker image to select
- how the routing in the reverse proxy is done

12
projects/kwa/20250318-mailstore-lizenz.md Normal file
View File

@@ -0,0 +1,12 @@
## Lizenzfile
License-ID: 47ac3c43-b120-4577-ad8f-57abd4d7a5e9
License-Type: MSV3
Customer-Name: Knopp Wassmer Architekten PartG mbB
Product-Name: MailStore Server
Product-Version: 25.1.0.22653
Product-Key: HRETS-CBTGE-HPNGP-GNKLL-MREBM
Max-Named-Users: 20
Machine-Name: SRVW-KWA-MAILST
Support-Expiry-Date: 2025-05-03
Support-Level: Standard Service

52
projects/kwa/firewall_migration/20250317_first-meeting.md Normal file
View File

@@ -0,0 +1,52 @@
## Base Info
- Time: 18.03.2025 09:00 Uhr
- Location: Teams
- Participants: Nina Schiffel, ~Markus Wassmer~, Sebastian Peter, Oliver Kaspar, Petar Cubela
## Todo
- [x] Kalkulation fuer OPNsense
- [x] Kalkulation fuer Sophos
- [x] Kosten einer Sophos?
## Topics
- Sophos or OPNsense - HW, SW
- Zeitrahmen: vor dem 03.05
- Arbeitszeit besprechen
- Rekonstruktion der Kerio Firewall
## Sophos
- Trusted industry standard firewall which delivers default features needed in the industry.
- Support for several years vie expensive license and expensive hardware which becomes useless after license expiration
## OPNsense
- Open Source product. No cost for the OS
- Can be installed on any hardware (as long as it has two network interfaces)
- Yearly (or 3 years) license (~150/500 euro) which enables management features and commercial firmware repository
## Preis
| Topic | Preis - OPNsense | Preis - Sophos |
| --------------------- | -------------------------------------------------------------------- | ------------------------------------------------------------ |
| HW | Vorhandene Hardware oder neue Hardware (Kosten: 500 - 1000 Euro) | ein Preis fuer HW + OS + Lizenz |
| OS | Keine Kosten | n/a |
| Lizenz | Business License: 130 Euro/Yearly + Support License: 300 Euro/yearly | 7600 Euro (Lizenz gueltig fuer 3 Jahre) |
| Arbeitsstunden | ~40h, ~4000 Euro | ~30h, ~3000 Euro |
| Wartungspauschale | TBA - Bespreche mit Thilo und Oli | ?? |
| Summary \[euro/year\] | 4000 (5000) Euro Einbau + 500 Euro/yearly Lizenz | 3000 Euro Einbau + 7600 Euro auf 3 Jahre (~2500 Euro/yearly) |
## Meeting 20250317
- diskutiere laufdauer bestehender hardware
- ueberlegen neuer hw bestellung thomas-krenn
- vergleiche preise: stunden + lizenz kosten + hw kosten
- deadline 03.05
- opnsense vs sophos - security features
- wartungspauschale?
- herrman fragen wegen opnsense lizenz

34
projects/kwa/firewall_migration/20250318-OPNsense_Migration.md Normal file
View File

@@ -0,0 +1,34 @@
## Base Info
- Deadline: 03.05
- Anzahl User: 15
## Angebot Liste
- Arbeitstunden ausrechnen
- Angebot fuer Lizenzen raussuchen ([Business License](https://shop.opnsense.com/product/opnsense-business-edition/), [Business Support Subscription](https://shop.opnsense.com/product/opnsense-business-support-subscription/))
- Keine Hardware noetig
## Bestehende Hardware
- System: Linux, Memory: 7888 MB, 8 processors
- No PPPoe (done by Fritz)
## Funktionen
- Basis Setup (routing, Generische Einstellung, Firewall Regeln, Authentizierung via AD,..)
- VLANs als Grundlage (MGMT, SRV, CLIENT, WLAN, WLAN-Guest)
- VPN (OpenVPN)
- Free SSL certs (via ACME)
- Web Proxy (Caching Proxy, Web Filter, Transparent Proxy, SSL Inspection, https de-/encryption) (!NOTE! OPNsense CA needs to be trusted by every client. Distribute via Filewave)
- OPNsense Antivirus Loesung (Clamav + C-Icap)
- IDS/IPS
- WAF
- OPNcentral
## Zertifikate
- SSL for https (Let's Encrypt oder gekaufte Wildcard)
- Self Signed for Web Proxy (SSL Inspection)
- Self Signed for OpenVPN

0
projects/sbx/20241211-Max-Meeting-Kerio2M365.md → projects/kwa/mail_migration/20241211-Max-Meeting-Kerio2M365.md
View File

0
projects/neosphere/20250502-storage-cluster.md → projects/neosphere/qumulus/20250502-storage-cluster.md
View File

51
projects/neosphere/qumulus/manual_25Gbit-nic.md Normal file
View File

@@ -0,0 +1,51 @@
## Quellen
### Treiber
- [ice treiber](https://www.intel.com/content/www/us/en/download/19630/intel-network-adapter-driver-for-e810-series-devices-under-linux.html)
- [key in bios](https://support.hpe.com/hpesc/public/docDisplay?docId=a00112581en_usen_us&page=GUID-E4427875-D123-4BBF-9056-342168478A02.html&docLocale=en_US)
- [installationsanaleitung (nicht 1zu1 anwendbar; use case different)](https://clouddocs.f5.com/cloud/public/v1/kvm/kvm_intel.html)
- [troubleshooting(SR-IOV)](https://forum.endeavouros.com/t/intel-e810xxv-25g-network-card-not-working-no-ice-driver/39633/7)
- [troubleshooting(BIOS - virt)](https://forum.proxmox.com/threads/troubleshooting-intel-e810-xxvam2-nic-setup.146257/)
### Configure LACP bond with failover
- [bonding_router-template](https://github.com/canonical/netplan/blob/main/examples/bonding_router.yaml)
- [bonding_manual(nicht 1zu1 angewendet!)](https://netrouting.com/knowledge_base/configuring-bonding-on-ubuntu-with-netplan/)
### Cloning Problem
- [Aendere Machine ID](https://unix.stackexchange.com/questions/402999/is-it-ok-to-change-etc-machine-id)
- [troubleshooting bonds have same mac (same machine id)](https://askubuntu.com/questions/1126037/netplan-generates-the-same-mac-address-for-bridges-on-two-different-machines)
## Anleitung
1. Lade die [Intel Ice Treiber](https://www.intel.com/content/www/us/en/download/19630/intel-network-adapter-driver-for-e810-series-devices-under-linux.html) fuer die verfuegbar Netzwerkkarte herunter. Fuer eine Debian-basierte GNU/Linux OS wird die .tar.gz Datei benoetigt und `intel-public-key-ice-ko.zip`. Die .tar Datei kann an einem beliebigen Ort abgespeichert werden, zum Beispiel, `/home/username/ice`.
2. Folge der [hpe Anleitung](https://support.hpe.com/hpesc/public/docDisplay?docId=a00112581en_usen_us&page=GUID-E4427875-D123-4BBF-9056-342168478A02.html&docLocale=en_US), um den Intel Public Key im BIOS zu hinterlegen und aktiviere Secure Boot im BIOS(!). Secure Boot ist wichtig, damit der signierte Treiber authentiziert werden kann; dies geht nur im Secure Boot Mode, wo auch der Key hinterlegt wurde. Zusammengasst BIOS Aenderung:
- Key File im Secure Boot Key Store hinterlegen
- Secure Boot anschalten
- SR-IOV abschalten; Im BIOS selbst UND direkt bei den pcie Einstellungen des NICs
- Bei Problemen mit der Installation spaeter kann es sein, dass BIOS Einstellungen im Zusammenhang Virtualisierung abegeschaltet werden muessen. Siehe dazu letzten drei Links in Quellen Liste zu den Treibern
3. Untar/unzip die archiv-Datei, wobei "<x.x.x>" die Versions Nummer ist:
> `tar zxvf ice-<x.x.x>.tar.gz`
4. Wechsle in das `src`-Verzeichnis:
> `cd ice-<x.x.x>/src/`
5. Kompiliere das Treiber modul (als root user!)
> `make install`
> Das Binary wird installiert als: `/lib/modules/<KERNEL VER>/updates/drivers/net/ethernet/intel/ice/ice.ko`
6. Reboote das System und schalte Secure Boot wieder aus (das Linux Kernel ist gelocked, mit Secure Boot und daher koennte das Modul nicht angeschaltet werden)
7. Nach erfolgreichem Neustart kann die Version des Treibers gecheckt und aktiviert werden mit den Befehlen: (deaktivieren des Moduls mit: `rmmod ice`)
> `modinfo ice`
> `modprobe ice`
8. Um Nachrichten zu Netzwerlinks in der Konsole zu sehen, muss `dmesg` angepasst werden: `dmesg -n 8`. Nach dem aktivieren des Treibers sollten die Kernel Logs mit dem folgenden Befehl geprueft werden: `dmesg | grep '\<ice\>`.
9. Bei erfolgreicher Installation sollte der Befehl `lshw -c network` die Interfaces der netzwerkkarte anzeigen.
## Notizen
### Nuetzliche Befehle
- Zeige Netzwerk Specs der Hardware an: `lshw -c network`
- Zeige Bonding Konfiguration an: `cat /proc/net/bonding/<name-des-bonds>` ;hier: `cat /proc/net/bonding/bond0`
- Kernel Logs zu ice Treibern pruefen: `dmesg | grep '\<ice\>`

34
projects/neosphere/qumulus/manual_lacp-bonding.md Normal file
View File

@@ -0,0 +1,34 @@
## Beispiel Config ubt01
Netplan Konfigurationsdatei: `/etc/netplan/00-bonding.yaml`
```yaml
network:
version: 2
renderer: networkd
ethernets:
ens2f0:
dhcp4: no
ens2f1:
dhcp4: no
bonds:
bond0:
interfaces:
- ens2f0
- ens2f1
addresses:
- 192.168.60.200/24
- 192.168.60.210/24
routes:
- to: default
via: 192.168.60.254
nameservers:
addresses:
- 192.168.60.254
parameters:
mode: active-backup
mii-monitor-interval: 100
gratuitious-arp: 5
```

22
projects/neosphere/qumulus/manual_qumulus.md Normal file
View File

@@ -0,0 +1,22 @@
## Qumulus MGMT
Zur Adminstration des Qumulus Cluster besuchen Sie das Qumulus Dashboard (ueber VPN oder sonst im Netzwerk befindlich):
<https://192.168.60.11-15>
Das Qumulus Dashboard kann ueber jede IP Adresse der Cluster Node erreicht werden; entsprechend haben die Noden IP Adressen von .11 bis .15.
Das Qumulus Cluster arbeitet im Grunde wie ein klassische NAS:
- Es bietet elaborierte Analysedaten zur Funktionsweise ders Clusters
- Sharing im Dashboard konfigurierbar:
- smb shares
- nfs exports
- s3 buckets
- ftp
- Authentizierung und Authorizierung:
- Locale User und Gruppen
- AD
- LDAP
- Role Management
- Snapshots moeglich
- Replizierung zu S3

0
projects/neosphere/qumulus/overview-qumulus_and_comp-nodes.md Normal file
View File

15
projects/patryk-projekt/202503012-initial.md Normal file
View File

@@ -0,0 +1,15 @@
## Data
- Datum: Anmeldung, Abgabe
- Projekt Beschreibung
- Titel
- Infrastuktur
- Komponenten
- Quellen
## Quellen
- <https://wazuh.com/>
- <https://documentation.wazuh.com/>

35
projects/phytron/nextcloud_gitlab_after_hack.md
View File

@@ -1,10 +1,45 @@
## General
- [x] Change Admin Passwords to: General Domain Administrator Password
## Nextcloud
IP address: 192.168.66.66
Domain: https://cloud.phytron.de
### Resources
- <https://docs.nextcloud.com/server/28/admin_manual/configuration_server/occ_command.html#user-commands-label>
### User MGMT
- [x] Gruppe: Nextcloud_extern (fuer externe nutzer)
### Design
- Integrate Phytron CI
- Ask Holger
- Primary Gray/ Secondary Red (Related to Homepage)
### Folder
**Expiration time: 6 months** (user choses a time which is maximally 6 months..)
- [x] Ablaufdatum erzwungen bei public shares
- [x] delete default files and folders which are generated for each new user
- [x] Check if its possible that files/folders are deleted automatically after some time and that the user is notified about it
- [x] two kinds of share folders: one folder 'intern' without expiration dates and one folder 'extern' with a strict expiration date
- [ ] possibility to edit 'Microsoft Words' files
## Gitlab
IP address: 192.168.66.67
Domain: http://git.phytron.local
### Design
- Check CI

2
projects/project-list.md
View File

@@ -1,4 +1,4 @@
## List
- [sbx-knowledgebase](/projects/sbx/knowledgebase)
- [sbx-knowledgebase](knowledgebase.md)

0
projects/sbx/raci_matrix-automation.md → projects/sbx/RACI-Matrix/raci_matrix-automation.md
View File

0
projects/sbx/raci_matrix-monitoring.md → projects/sbx/RACI-Matrix/raci_matrix-monitoring.md
View File

0
projects/sbx/disney-workshop.md → projects/sbx/orga/disney-workshop.md
View File

0
projects/sbx/knowledgebase.md → projects/sbx/orga/knowledgebase.md
View File

0
projects/sbx/sbx-myrules.md → projects/sbx/orga/sbx-myrules.md
View File

18
projects/sbx/sbx-lab-network.md Normal file
View File

@@ -0,0 +1,18 @@
## network
- Gateway/Firewall Static IP: 10.11.12.254/24
- DHCP: 10.11.12.100 - 10.11.12.200
### Static IPs
| hostname | mac | IP | comment |
| -------- | ----------------- | ------------ | --------------------- |
| gw | | 10.11.12.254 | sophos fw |
| dns1 | | 10.11.12.253 | bind master |
| dns2 | | 10.11.12.252 | bind slave |
| pxe | BC:24:11:99:2D:8A | 10.11.12.69 | netbbot_xyz |
| node1 | | 10.11.12.2 | opnsense cluster test |
| node2 | | 10.11.12.3 | opnsense cluster test |
| vip-wan | | 10.11.12.4 | opnsense cluster test |
| metabase | | 10.11.12.99 | test for discopharma |

4
projects/sbx/sbx-proxmox-test-server.md
View File

@@ -1,4 +0,0 @@
mac-address:
- 00:19:99:b9:9a:a2 of interface enp8s0f0
- 00:19:99:b9:??:?? of interface enp8s0f1