Hi all,
I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.
I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: "unbound-control stats_noreset". That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.
Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I've tried sudo-ing (I'd rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
Thanks in advance.
Cheers,
Rachid
Hallo Rachid,
Thanks for writing :)
On 17 Jan 2019, at 20:15, Rachid Groeneveld rachidgroeneveld@hotmail.nl wrote:
Hi all,
I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.
That depends on what you need.
The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called “nobody” so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.
For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.
I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: “unbound-control stats_noreset”. That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.
Running that command fails as follows:
[root@ipfire ~]# sudo -u nobody unbound-control stats
error: Error setting up SSL_CTX client cert /etc/unbound/unbound_control.pem: Permission denied
The certificate that unbound uses is only supposed to be read by root.
Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:
https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9c...
But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
What are you building with all this?
Best, -Michael
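Michael's description above (the CGI code runs as nobody; a small setuid binary does one narrowly defined privileged action on its behalf) can be made concrete. The following C program is an added example written for this page; it is not one of IPFire's misc-progs and not code from anyone in the thread. The path /usr/sbin/unbound-control, the caller name nobody and the two-entry allowlist are assumptions. The points a reviewer would check in any such helper are all present: the subcommand is matched exactly against a fixed list (no shell, no caller-supplied arguments reach the child), the real uid is checked so only the web server user can trigger it, the environment is replaced rather than inherited, and the target is executed by absolute path.

```c
/* Added example, not IPFire's misc-progs code: a minimal setuid-root
 * helper that lets the web server user run exactly one read-only
 * unbound-control subcommand. Paths, the caller name and the allowlist
 * are assumptions chosen for illustration. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define UNBOUND_CONTROL "/usr/sbin/unbound-control"   /* assumed path */
#define ALLOWED_CALLER  "nobody"                      /* assumed web server user */

/* Only subcommands that cannot change resolver state. Plain "stats"
 * zeroes the counters on every call, so a reporting helper must not
 * offer it; stats_noreset is the read-only variant. */
static const char *const allowed[] = { "stats_noreset", "status", NULL };

/* Returns 1 if cmd is exactly one of the allowlisted subcommands.
 * Exact string match: "stats_noreset; id" or "stats_noreset x" are refused. */
int command_allowed(const char *cmd) {
    if (cmd == NULL)
        return 0;
    for (const char *const *p = allowed; *p != NULL; p++)
        if (strcmp(*p, cmd) == 0)
            return 1;
    return 0;
}

/* Returns 1 if real_uid is the uid of the named account. The check must
 * use the *real* uid: under the setuid bit the effective uid is already 0. */
int caller_is(const char *name, uid_t real_uid) {
    struct passwd *pw = getpwnam(name);
    return pw != NULL && pw->pw_uid == real_uid;
}

/* Environment handed to the child: nothing inherited from the CGI process. */
static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

int main(int argc, char **argv) {
    if (argc != 2 || !command_allowed(argv[1])) {
        fprintf(stderr, "usage: %s {stats_noreset|status}\n", argv[0]);
        return 2;
    }
    if (!caller_is(ALLOWED_CALLER, getuid())) {
        fprintf(stderr, "refusing: not invoked by user %s\n", ALLOWED_CALLER);
        return 3;
    }
    /* The setuid bit only raised the effective uid; make the real uid 0 as
     * well so the child cannot drop back to the caller's identity. */
    if (setuid(0) != 0) {
        perror("setuid");
        return 4;
    }
    /* Fixed argv: the only caller-influenced word is the allowlisted one. */
    char *const child_argv[] = { "unbound-control", argv[1], NULL };
    execve(UNBOUND_CONTROL, child_argv, clean_env);
    perror("execve");   /* only reached if execve failed */
    return 5;
}
```

Build it, then install it as root:nobody with mode 4750 so that only the web server's group can execute it at all; the CGI then runs it with a single argument and reads its stdout. The setuid bit does nothing on a filesystem mounted nosuid, which is worth checking before blaming the code. The same argument-injection concern applies to a sudoers NOPASSWD rule: the rule has to name the complete command line including the subcommand, otherwise any argument the CGI can be coaxed into passing goes through with root rights. Perl reports a child's exit status in $? shifted left by eight bits, so the 256 seen earlier in the thread is simply unbound-control exiting with status 1 after the permission error.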
Michael Tremer wrote:
Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:
I had the same problem when porting the IPCop Banish addon to IPFire because the setuid binary program that was bundled with the original Banish addon did not run on a lot of the hardware I was using for testing.
As a workaround I added my update command to /etc/sudoers as nobody ALL=NOPASSWD: /your/command/here so it can be run from the cgi with sudo.
I suspect that this has security implications so use at your own risk.
https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9c...
But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
Thank you for the links Michael, this should be the way I should go with Banish. I'll see if I get something compiled for my prog.
HTH
Rob
Hi Bob and Michael,
Thanks for the responses. Since the below is missing information I will try to recap and answer:
On 17 Jan 2019, at 20:15, Rachid Groeneveld rachidgroeneveld@hotmail.nl wrote:
Hi all,
I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.
That depends on what you need.
The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called “nobody” so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.
For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.
I think this is exactly the way it should work, I will read into those binaries and how to use 'em, thanks for the pointer. I don't have any desires to compromise security/safety in favor of reporting purposes.
I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: “unbound-control stats_noreset”. That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.
Running that command fails as follows:
[root@ipfire ~]# sudo -u nobody unbound-control stats
error: Error setting up SSL_CTX client cert
/etc/unbound/unbound_control.pem: Permission denied
The certificate that unbound uses is only supposed to be read by root.
I figured as much, this only confirms the need for a specific binary to solve the issue.
Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:
https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9c...
But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
I need to carefully read into this and see what it's all about and how I should use it. To be continued 😉
What are you building with all this?
Best,
-Michael
I've been looking at PiHole and Firewalla and I like how those dashboards are pleasing to the eye and wanted to achieve the same within IPFire. I think it's quite possible and IPFire hosts way more functionality, so why not the fancy dashboard? With that in mind I looked for info on the themes in IPF, I found that someone - a few years ago - already created an admin dashboard, but I never received responses to my communication attempts. So I thought, what the heck, I'll just create the dashboard myself, but in order to actually - have a dashboard - I need metrics. PiHole has an FTL implementation which includes (parts of) Unbound and they're able to show quite a bit of interesting information (see attachment, apologies for the size I had to google it). Firewalla has the same, but is more tailored to SOHO and is managed through an app.
TLDR; I want the dashboard to show metrics you can work with, like PiHole does. The whole controlling DNS and traffic part is not yet part of the scope. I already queried the network info (I used parts of other cgi's), DNS is the next step and then firewall stats (blocked/dropped, maybe per country etc.)
Cheers!
-----Original Message----- From: Development development-bounces@lists.ipfire.org On behalf of Bob Brewer Sent: Saturday 19 January 2019 11:44 To: development@lists.ipfire.org Subject: Re: Peeking at unbound statistics from WUI
Michael Tremer wrote:
Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:
I had the same problem when porting the IPCop Banish addon to IPFire because the setuid binary program that was bundled with the original Banish addon did not run on a lot of the hardware I was using for testing.
As a workaround I added my update command to /etc/sudoers as nobody ALL=NOPASSWD: /your/command/here so it can be run from the cgi with sudo.
I suspect that this has security implications so use at your own risk.
https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD
But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
Thank you for the links Michael, this should be the way I should go with Banish. I'll see if I get something compiled for my prog.
HTH
Rob
Rachid Groeneveld wrote:
I've been looking at PiHole and Firewalla and I like how those dashboards are pleasing to the eye and wanted to achieve the same within IPFire. I think it's quite possible and IPFire hosts way more functionality, so why not the fancy dashboard? With that in mind I looked for info on the themes in IPF, I found that someone - a few years ago - already created an admin dashboard, but I never received responses to my communication attempts. So I thought, what the heck, I'll just create the dashboard myself, but in order to actually - have a dashboard - I need metrics. PiHole has an FTL implementation which includes (parts of) Unbound and they're able to show quite a bit of interesting information (see attachment, apologies for the size I had to google it). Firewalla has the same, but is more tailored to SOHO and is managed through an app.
TLDR; I want the dashboard to show metrics you can work with, like PiHole does. The whole controlling DNS and traffic part is not yet part of the scope. I already queried the network info (I used parts of other cgi's), DNS is the next step and then firewall stats (blocked/dropped, maybe per country etc.)
Looking at what you are trying to do, I think you need at least 2 programs. The first would gather your time series data and save this to a file or an RRD or similar and would be updated from cron. This would allow root to run “unbound-control stats_noreset” but the data would be accessible to user nobody.
A second perl cgi program would then read the time series data and display it through the IPFire web interface.
For inspiration have a look at my adslmonitor addon for IPCop which does something similar.
https://sourceforge.net/projects/adslmonitor/
Rob
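Bob's two-program layout (a root cron job writes the numbers, the CGI running as nobody only reads them) is what the following added C example implements on the reading side. It is not code from the thread or from IPFire. It assumes the cron job runs unbound-control stats_noreset as root and writes the raw key=value output to a file the web server user can read (written to a temporary file and renamed into place, so the reader never sees a half-written snapshot). The reader validates every line against the key=value-number shape before using it, so a stray line in the file cannot reach the dashboard HTML, and derives the cache hit ratio and query rate. The sample snapshot is constructed for the example and its numbers are invented; the key names are the ones unbound prints.

```c
/* Added example, not IPFire's or Bob Brewer's code: parse a snapshot of
 * "unbound-control stats_noreset" output written by a root cron job and
 * derive a few dashboard numbers from it. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dns_stats {
    double queries;    /* total.num.queries */
    double cachehits;  /* total.num.cachehits */
    double cachemiss;  /* total.num.cachemiss */
    double uptime;     /* time.up, seconds since the resolver started */
    int    parsed;     /* well-formed lines, known keys or not */
    int    rejected;   /* lines refused by the format check */
};

/* A stats line must be key=value with key in [A-Za-z0-9._] and a purely
 * numeric value. Anything else (a line injected into the snapshot file,
 * an error message, markup) is rejected instead of being echoed into HTML. */
int stats_line_ok(const char *line) {
    const char *eq = strchr(line, '=');
    if (eq == NULL || eq == line)
        return 0;
    for (const char *p = line; p < eq; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '_')
            return 0;
    char *end;
    (void)strtod(eq + 1, &end);
    return end != eq + 1 && (*end == '\0' || *end == '\n');
}

/* Parse the whole snapshot text; lines that fail stats_line_ok are counted
 * and skipped, so one bad line does not poison the rest. */
struct dns_stats parse_stats(const char *text) {
    struct dns_stats s = {0};
    char buf[256];
    const char *p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof buf) {           /* absurdly long line: refuse it */
            s.rejected++;
            p += len;
            if (*p == '\n') p++;
            continue;
        }
        memcpy(buf, p, len);
        buf[len] = '\0';
        p += len;
        if (*p == '\n') p++;
        if (len == 0)
            continue;                      /* blank line */
        if (!stats_line_ok(buf)) {
            s.rejected++;
            continue;
        }
        s.parsed++;
        char *eq = strchr(buf, '=');
        *eq = '\0';
        double v = strtod(eq + 1, NULL);
        if (strcmp(buf, "total.num.queries") == 0)        s.queries = v;
        else if (strcmp(buf, "total.num.cachehits") == 0) s.cachehits = v;
        else if (strcmp(buf, "total.num.cachemiss") == 0) s.cachemiss = v;
        else if (strcmp(buf, "time.up") == 0)             s.uptime = v;
    }
    return s;
}

/* Cache hit ratio in percent; 0 when no queries were seen. */
double cache_hit_pct(struct dns_stats s) {
    return s.queries > 0 ? 100.0 * s.cachehits / s.queries : 0.0;
}

/* Average queries per second over the resolver's uptime. */
double queries_per_sec(struct dns_stats s) {
    return s.uptime > 0 ? s.queries / s.uptime : 0.0;
}

/* Constructed sample snapshot: invented numbers, real unbound key names,
 * plus one deliberately bogus line to show the format check at work. */
const char *sample_snapshot =
    "thread0.num.queries=800\n"
    "thread0.num.cachehits=600\n"
    "total.num.queries=1200\n"
    "total.num.cachehits=900\n"
    "total.num.cachemiss=300\n"
    "total.num.prefetch=12\n"
    "time.now=1547974800.000000\n"
    "time.up=600.000000\n"
    "<script>alert(1)</script>\n"
    "num.query.type.A=1000\n";

int main(void) {
    struct dns_stats s = parse_stats(sample_snapshot);
    printf("queries=%.0f hits=%.0f miss=%.0f hit=%.1f%% qps=%.2f parsed=%d rejected=%d\n",
           s.queries, s.cachehits, s.cachemiss, cache_hit_pct(s), queries_per_sec(s),
           s.parsed, s.rejected);
    return 0;
}
```

The reason the collector has to use stats_noreset shows up directly in the arithmetic: with plain stats every cron run would zero the counters, and a rate computed from total.num.queries over time.up would be meaningless. The parser only removes the need to trust the snapshot's contents; whoever produces the snapshot still needs the privilege separation discussed earlier in the thread.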
Hey,
On 20 Jan 2019, at 17:07, Rachid Groeneveld rachidgroeneveld@hotmail.nl wrote:
Hi Bob and Michael,
Thanks for the responses. Since the below is missing information I will try to recap and answer:
On 17 Jan 2019, at 20:15, Rachid Groeneveld rachidgroeneveld@hotmail.nl wrote:
Hi all,
I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.
That depends on what you need.
The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called “nobody” so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.
For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.
I think this is exactly the way it should work, I will read into those binaries and how to use 'em, thanks for the pointer. I don't have any desires to compromise security/safety in favor of reporting purposes.
I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: “unbound-control stats_noreset”. That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.
Running that command fails as follows:
[root@ipfire ~]# sudo -u nobody unbound-control stats
error: Error setting up SSL_CTX client cert /etc/unbound/unbound_control.pem: Permission denied
The certificate that unbound uses is only supposed to be read by root.
I figured as much, this only confirms the need to a specific binary to solve the issue.
Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:
https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9c...
But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
I need to carefully read into this and see what it's all about and how I should use it. To be continued 😉
What are you building with all this?
Best, -Michael
I've been looking at PiHole and Firewalla and I like how those dashboards are pleasing to the eye and wanted to achieve the same within IPFire. I think it's quite possible and IPFire hosts way more functionality, so why not the fancy dashboard? With that in mind I looked for info on the themes in IPF, I found that someone - a few years ago - already created an admin dashboard, but I never received responses to my communication attempts. So I thought, what the heck, I'll just create the dashboard myself, but in order to actually - have a dashboard - I need metrics. PiHole has an FTL implementation which includes (parts of) Unbound and they're able to show quite a bit of interesting information (see attachment, apologies for the size I had to google it). Firewalla has the same, but is more tailored to SOHO and is managed through an app.
TLDR; I want the dashboard to show metrics you can work with, like PiHole does. The whole controlling DNS and traffic part is not yet part of the scope. I already queried the network info (I used parts of other cgi's), DNS is the next step and then firewall stats (blocked/dropped, maybe per country etc.)
Yes, they are quite pretty to look at. I am not entirely sure why people are so much in love with them because many dashboards out there (not talking about anything specifically) do not transport much information. They just show that the “system is busy”. I am not sure whether that is useful information or not.
IPFire doesn’t have a very pretty stats section, but it does the job. The main job is to show what has happened over time. That is in recent history like “last week” or “yesterday” so that problems with the system can be spotted very easily; and showing trends over time so that people can see if bandwidth usage has “doubled” over a year or so. That would be information I care about.
We have a thing called collecty which is supposed to achieve that in IPFire 3. It collects various system statistics, but you can probably add unbound and some other sources, too. It is written in Python which makes it easier to extend - although it has a little C module to talk to hard drives. It potentially could be ported to IPFire 2.
Maybe it is worth having a look at that. IPFire 2 right now has loads of different scripts and tools that collect statistics. It would be nice to have this all in the same place and use it where ever we want to present this data.
Here is the code:
https://git.ipfire.org/?p=oddments/collecty.git;a=summary
This is an example graph in SVG:
https://people.ipfire.org/~ms/graph.svg
Right now, there is no mechanism to get the raw data, but that is trivial to add. We could store the last hour with a really high resolution to make JS graphs look nice, too.
-Michael
While we are discussing useful statistics that would be nice to have, Smokeping would be a really nice thing to have, along with the ability to specify a custom time window. Sometimes I want to see more than an hour, but less than a day, etc.
Tom
On Jan 21, 2019, at 6:03 AM, Michael Tremer michael.tremer@ipfire.org wrote:
Yes, they are quite pretty to look at. I am not entirely sure why people are so much in love with them because many dashboards out there (not talking about anything specifically) do not transport much information. They just show that the “system is busy”. I am not sure whether that is useful information or not.
IPFire doesn’t have a very pretty stats section, but it does the job. The main job is to show what has happened over time. That is in recent history like “last week” or “yesterday” so that problems with the system can be spotted very easily; and showing trends over time so that people can see if bandwidth usage has “doubled” over a year or so. That would be information I care about.
We have a thing called collecty which is supposed to achieve that in IPFire 3. It collects various system statistics, but you can probably add unbound and some other sources, too. It is written in Python which makes it easier to extend - although it has a little C module to talk to hard drives. It potentially could be ported to IPFire 2.
Maybe it is worth having a look at that. IPFire 2 right now has loads of different scripts and tools that collect statistics. It would be nice to have this all in the same place and use it where ever we want to present this data.
Here is the code:
https://git.ipfire.org/?p=oddments/collecty.git;a=summary
This is an example graph in SVG:
https://people.ipfire.org/~ms/graph.svg
Right now, there is no mechanism to get the raw data, but that is trivial to add. We could store the last hour with a really high resolution to make JS graphs look nice, too.
Hi,
Collecty can do this already.
When we ping a host, we do this for more than just one round-trip. I think it is 10. Then, we calculate standard deviation, packet loss and some other metrics more. Hence the pink block around the line in the graph I linked.
Collecty also has a dbus interface. A client connects to that and asks the daemon to render an image with the given resolution, format, language, units and so on. Of course the start and end time can be specified. I don’t have any UI to select this because I am really sh*t with frontend coding. But we can even export the graphs as PDF :)
-Michael
On 21 Jan 2019, at 11:35, Tom Rymes trymes@rymes.com wrote:
While we are discussing useful statistics that would be nice to have, Smokeping would be a really nice thing to have, along with the ability to specify a custom time window. Sometimes I want to see more than an hour, but less than a day, etc.
Tom
On Jan 21, 2019, at 6:03 AM, Michael Tremer michael.tremer@ipfire.org wrote:
Hey,
On 20 Jan 2019, at 17:07, Rachid Groeneveld rachidgroeneveld@hotmail.nl wrote:
Hi Bob and Michael,
Thanks for the responses. Since the below is missing information I will try to recap and answer:
On 17 Jan 2019, at 20:15, Rachid Groeneveld rachidgroeneveld@hotmail.nl wrote:
Hi all,
I'm fairly new to perl and cgi scripts, I can find most of it on the web, but I've been unable to solve this riddle. Is it possible to query the unbound statistics from a cgi script? I can't seem to figure out how to do this without cron-ing a bash script and reading its output, I want them on-demand when a page is requested.
That depends on what you need.
The CGI scripts can in theory run any shell command. Those commands will be executed as an unprivileged user called “nobody” so that nobody else who gains access through a vulnerability in the web UI can change the system configuration for which root permissions would be required.
For some special actions - for example reboot - we have special binaries that can then gain root privileges and perform very specific actions only.
I think this is exactly the way it should work, I will read into those binaries and how to use 'em, thanks for the pointer. I don't have any desires to compromise security/safety in favor of reporting purposes.
I think it's a permission issue, as far as I've been able to assess the webpages run under 'nobody' and unbound-control needs elevated rights to execute a peek at the statistics. I'm using the following command to do so: “unbound-control stats_noreset”. That way I can query all the DNS info I want (for reporting purposes), because I don't think unbound was compiled with dnstap enabled. At least I haven't found anything to back that up, that would eliminate the need for peeking at stats, because an up-to-date database can be built (async). I will further investigate dnstap in a later stage.
Running that command fails as follows:
[root@ipfire ~]# sudo -u nobody unbound-control stats error: Error setting up SSL_CTX client cert /etc/unbound/unbound_control.pem: Permission denied
The certificate that unbound uses is only supposed to be read by root.
I figured as much, this only confirms the need to a specific binary to solve the issue.
Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:
https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9c...
But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
I need to carefully read into this and see what it's all about and how I should use it. To be continued 😉
What are you building with all this?
Best, -Michael
I've been looking at PiHole and Firewalla and I like how those dashboards are pleasing to the eye and wanted to achieve the same within IPFire. I think it's quite possible and IPFire hosts way more functionality, so why not the fancy dashboard? With that in mind I looked for info on the themes in IPF, I found that someone - a few years ago - already created an admin dashboard, but I never received responses to my communication attempts. So I thought, what the heck, I'll just create the dashboard myself, but in order to actually - have a dashboard - I need metrics. PiHole has an FTL implementation which includes (parts of) Unbound and they're able to show quite a bit of interesting information (see attachment, apologies for the size I had to google it). Firewalla has the same, but is more tailored to SOHO and is managed through an app.
TLDR; I want the dashboard to show metrics you can work with, like PiHole does. The whole controlling DNS and traffic part is not yet part of the scope. I already queried the network info (I used parts of other cgi's), DNS is the next step and then firewall stats (blocked/dropped, maybe per country etc.)
Yes, they are quite pretty to look at. I am not entirely sure why people are so much in love with them because many dashboards out there (not talking about anything specifically) do not transport much information. They just show that the “system is busy”. I am not sure whether that is useful information or not.
IPFire doesn’t have a very pretty stats section, but it does the job. The main job is to show what has happened over time. That is in recent history like “last week” or “yesterday” so that problems with the system can be spotted very easily; and showing trends over time so that people can see if bandwidth usage has “doubled” over a year or so. That would be information I care about.
We have a thing called collecty which is supposed to achieve that in IPFire 3. It collects various system statistics, but you can probably add unbound and some other sources, too. It is written in Python which makes it easier to extend - although it has a little C module to talk to hard drives. It potentially could be ported to IPFire 2.
Maybe it is worth having a look at that. IPFire 2 right now has loads of different scripts and tools that collect statistics. It would be nice to have this all in the same place and use it wherever we want to present this data.
Here is the code:
https://git.ipfire.org/?p=oddments/collecty.git;a=summary
This is an example graph in SVG:
https://people.ipfire.org/~ms/graph.svg
Right now, there is no mechanism to get the raw data, but that is trivial to add. We could store the last hour with a really high resolution to make JS graphs look nice, too.
-Michael
Cheers!
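An added example in the spirit of the misc-progs helpers Michael points to (not IPFire's own code): a setuid root wrapper that exposes exactly one capability, read-only unbound statistics, to the CGI user. Allowlisting the subcommand, fixing the binary path and argv, and scrubbing the environment is what keeps such a helper from turning into a general privilege escalation. The path /usr/sbin/unbound-control is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read-only statistics subcommands only. Note that "stats" also resets
 * unbound's counters after printing; "stats_noreset" does not. */
static const char *const ALLOWED[] = { "stats", "stats_noreset", NULL };

/* Assumed install path of unbound-control (hypothetical). */
#define UNBOUND_CONTROL "/usr/sbin/unbound-control"

/* Map the caller's request onto the allowlist. Returns the canonical
 * string from ALLOWED, or NULL when the request is not permitted. */
const char *allowed_subcommand(const char *req)
{
    if (req == NULL)
        return NULL;
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strcmp(req, ALLOWED[i]) == 0)
            return ALLOWED[i];
    return NULL;
}

int main(int argc, char *argv[])
{
    const char *sub = allowed_subcommand(argc == 2 ? argv[1] : NULL);
    if (sub == NULL) {
        fprintf(stderr, "usage: %s stats|stats_noreset\n", argv[0]);
        return 1;
    }
    /* Only useful when installed setuid root; refuse otherwise. */
    if (geteuid() != 0) {
        fprintf(stderr, "%s: not running setuid root\n", argv[0]);
        return 1;
    }
    /* Become root for real (saved uid too), so the child cannot be
     * switched back to the caller's identity. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* Fixed binary path, fixed argv, scrubbed environment: nothing
     * supplied by the web server process is passed through. */
    char *const args[] = { "unbound-control", (char *)sub, NULL };
    char *const env[]  = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    execve(UNBOUND_CONTROL, args, env);
    perror("execve");
    return 1;
}
```

Install it owned by root with the web server's group and mode 4750 so only that group can run it, and call it from the CGI by absolute path instead of via sudo.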
-----Original Message----- From: Development development-bounces@lists.ipfire.org On behalf of Bob Brewer Sent: Saturday 19 January 2019 11:44 To: development@lists.ipfire.org Subject: Re: Peeking at unbound statistics from WUI
Michael Tremer wrote:
Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:
I had the same problem when porting the IPCop Banish addon to IPFire because the setuid binary program that was bundled with the original Banish addon did not run on a lot of the hardware I was using for testing.
As a workaround I added my update command to /etc/sudoers as nobody ALL=NOPASSWD: /your/command/here so it can be run from the cgi with sudo.
I suspect that this has security implications so use at your own risk.
https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9ca75d8077a6f3d122b7a5e7ffaa71432;hb=HEAD
But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
Thank you for the links Michael, this should be the way I should go with Banish. I'll see if I get something compiled for my prog.
HTH
Rob
<pihole_admin_dashboard.png>
Hi Michael,
Yes, they are quite pretty to look at. I am not entirely sure why people are so much in love with them because many dashboards out there (not talking about anything specifically) do not transport much information. They just show that the “system is busy”. I am not sure whether that is useful information or not.
IPFire doesn’t have a very pretty stats section, but it does the job. The main job is to show what has happened over time. That is in recent history like “last week” or “yesterday” so that problems with the system can be spotted very easily; and showing trends over time so that people can see if bandwidth usage has “doubled” over a year or so. That would be information I care about.
We have a thing called collecty which is supposed to achieve that in IPFire 3. It collects various system statistics, but you can probably add unbound and some other sources, too. It is written in Python which makes it easier to extend - although it has a little C module to talk to hard drives. It potentially could be ported to IPFire 2.
Maybe it is worth having a look at that. IPFire 2 right now has loads of different scripts and tools that collect statistics. It would be nice to have this all in the same place and use it wherever we want to present this data.
Here is the code:
This is an example graph in SVG:
Right now, there is no mechanism to get the raw data, but that is trivial to add. We could store the last hour with a really high resolution to make JS graphs look nice, too.
-Michael
I'm not saying current graphs don't do their job, I just wanted to integrate the graphs in the theme nicely, and in order to do so I need raw data; so I can have the graphs drawn by the framework.
This also means it'll be fairly easy to save lots of data (in a relational database), which can be queried easily. Then you can show trends over years, because saving a few numbers in a database is not very expensive in terms of performance and storage.
I agree on the single stats gathering entity, this makes it easier to maintain. The reason I'm so interested in the WUI, is that I want to be able to see what's happening on the network and be able to respond to that. For example if I'm seeing lots of egression to countries I don't trust, I want to be informed (automatically) and confirm the behavior in the WUI. As for DNS, if someone is visiting lots of untrustworthy sites, I'd like to be able to see that. Maybe I'm just curious out of bounds, that's possible too 😉 Plus I like to tinker, unbound stats was just a quick way of getting DNS stats, the dnstap plugin logs way more (async, so it shouldn't affect performance too much). That info can be stored in a database and queried whenever.
Finally there's the question of out-of-date information, is a cron job frequent enough to manage the network or should on-demand info be acquired for research? It all depends on the way the data, or information if you will, is going to be used.
I just thought DNS stats would be the easiest to gather, since the command provided me with simple stats. What stats and information is required for business still requires research, but since pihole stats were so popular I thought it would make for a good start. But I think firewall and IDS stats would be even more interesting for people to see/monitor.
Anyways, just thinking out loud here, from a SIEM point of view it seemed reasonable to also investigate DNS behavior. 😊 I will have a look at the collect solution and c-binary one.
Thanks for all the pointers!
Cheers,
Rachid
Hey,
On 21 Jan 2019, at 19:54, Rachid Groeneveld rachidgroeneveld@hotmail.nl wrote:
Hi Michael,
Yes, they are quite pretty to look at. I am not entirely sure why people are so much in love with them because many dashboards out there (not talking about anything specifically) do not transport much information. They just show that the “system is busy”. I am not sure whether that is useful information or not.
IPFire doesn’t have a very pretty stats section, but it does the job. The main job is to show what has happened over time. That is in recent history like “last week” or “yesterday” so that problems with the system can be spotted very easily; and showing trends over time so that people can see if bandwidth usage has “doubled” over a year or so. That would be information I care about.
We have a thing called collecty which is supposed to achieve that in IPFire 3. It collects various system statistics, but you can probably add unbound and some other sources, too. It is written in Python which makes it easier to extend - although it has a little C module to talk to hard drives. It potentially could be ported to IPFire 2.
Maybe it is worth having a look at that. IPFire 2 right now has loads of different scripts and tools that collect statistics. It would be nice to have this all in the same place and use it wherever we want to present this data.
Here is the code:
https://git.ipfire.org/?p=oddments/collecty.git;a=summary
This is an example graph in SVG:
https://people.ipfire.org/~ms/graph.svg
Right now, there is no mechanism to get the raw data, but that is trivial to add. We could store the last hour with a really high resolution to make JS graphs look nice, too.
-Michael
I'm not saying current graphs don't do their job, I just wanted to integrate the graphs in the theme nicely, and in order to do so I need raw data; so I can have the graphs drawn by the framework. This also means it'll be fairly easy to save lots of data (in a relational database), which can be queried easily. Then you can show trends over years, because saving a few numbers in a database is not very expensive in terms of performance and storage.
A relational database is probably not the right tool here. That highly depends on what you want to achieve though.
With my two objectives outlined earlier, you will have a massive amount of data, and the older the data gets, the more irrelevant it is, wasting loads of space. Space was a huge issue here in the past. Many firewalls ran on embedded systems with slow and expensive flash storage which did not survive too many cycles. The solution that we have that is really great is an RRD database:
https://oss.oetiker.ch/rrdtool/index.en.html
It stores values with different precision and generates averages over time so that historical data is still present, but with less resolution. That gives you a database of constant and compact size. It’s a cool thing.
I agree on the single stats gathering entity, this makes it easier to maintain. The reason I'm so interested in the WUI, is that I want to be able to see what's happening on the network and be able to respond to that. For example if I'm seeing lots of egression to countries I don't trust, I want to be informed (automatically) and confirm the behavior in the WUI. As for DNS, if someone is visiting lots of untrustworthy sites, I'd like to be able to see that. Maybe I'm just curious out of bounds, that's possible too 😉 Plus I like to tinker, unbound stats was just a quick way of getting DNS stats, the dnstap plugin logs way more (async, so it shouldn't affect performance too much). That info can be stored in a database and queried whenever.
I am not sure if DNS will tell you where your packets are going...
Finally there's the question of out-of-date information, is a cron job frequent enough to manage the network or should on-demand info be acquired for research? It all depends on the way the data, or information if you will, is going to be used.
I just thought DNS stats would be the easiest to gather, since the command provided me with simple stats. What stats and information is required for business still requires research, but since pihole stats were so popular I thought it would make for a good start. But I think firewall and IDS stats would be even more interesting for people to see/monitor.
Anyways, just thinking out loud here, from a SIEM point of view it seemed reasonable to also investigate DNS behavior. 😊 I will have a look at the collect solution and c-binary one.
I like thinking out loud :)
Thanks for all the pointers!
Cheers,
Rachid
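An added example illustrating the round-robin idea Michael describes above (not rrdtool's code): a fine-resolution ring of raw samples plus a coarse ring into which every 60 fine samples are consolidated as an average. Both rings have a fixed size, so the store never grows, while coarse history survives after the fine samples it came from have been overwritten. The slot counts and the per-minute sampling are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define FINE_SLOTS   60  /* e.g. one sample per minute: the last hour   */
#define STEP         60  /* 60 fine samples are consolidated into one  */
#define COARSE_SLOTS 24  /* coarse slot, e.g. hourly averages: last day */

struct rra {
    double fine[FINE_SLOTS];         /* high-resolution ring             */
    double coarse[COARSE_SLOTS];     /* low-resolution ring of averages  */
    size_t fine_pos, coarse_pos;     /* next write position per ring     */
    double acc;                      /* running sum for next coarse slot */
    size_t acc_count;                /* samples accumulated so far       */
    size_t fine_count, coarse_count; /* slots filled so far (capped)     */
};

void rra_init(struct rra *r) { memset(r, 0, sizeof *r); }

/* Add one raw sample, e.g. the per-minute increase of a counter such as
 * unbound's total.num.queries. Older fine samples are overwritten, but
 * their average lives on in the coarse ring. */
void rra_add(struct rra *r, double v)
{
    r->fine[r->fine_pos] = v;
    r->fine_pos = (r->fine_pos + 1) % FINE_SLOTS;
    if (r->fine_count < FINE_SLOTS) r->fine_count++;
    r->acc += v;
    if (++r->acc_count == STEP) {                 /* consolidate   */
        r->coarse[r->coarse_pos] = r->acc / STEP; /* AVERAGE of 60 */
        r->coarse_pos = (r->coarse_pos + 1) % COARSE_SLOTS;
        if (r->coarse_count < COARSE_SLOTS) r->coarse_count++;
        r->acc = 0;
        r->acc_count = 0;
    }
}

/* Newest value in each ring (-1 when the ring is still empty). */
double rra_last_fine(const struct rra *r)
{
    if (r->fine_count == 0) return -1;
    return r->fine[(r->fine_pos + FINE_SLOTS - 1) % FINE_SLOTS];
}
double rra_last_coarse(const struct rra *r)
{
    if (r->coarse_count == 0) return -1;
    return r->coarse[(r->coarse_pos + COARSE_SLOTS - 1) % COARSE_SLOTS];
}
/* Storage is independent of how many samples were ever added. */
size_t rra_bytes(void) { return sizeof(struct rra); }
```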
Hi,
On 19 Jan 2019, at 10:44, Bob Brewer ipfire-devel@grantura.co.uk wrote:
Michael Tremer wrote:
Can someone point me in the right direction for peeking unbound statistics from perl/cgi scripts? I’ve tried sudo-ing (I’d rather not, for security reasons), separate bash scripts and qx/backticks, they all seem to fail with exit code 256 which seems to be a permission problem. Running anything from an SSH session obviously succeeds, because then I have all the rights I need.
Depending how fit you are with C, you can build such a “setuid binary” yourself. There is plenty of inspiration here:
I had the same problem when porting the IPCop Banish addon to IPFire because the setuid binary program that was bundled with the original Banish addon did not run on a lot of the hardware I was using for testing.
As a workaround I added my update command to /etc/sudoers as nobody ALL=NOPASSWD: /your/command/here so it can be run from the cgi with sudo.
I suspect that this has security implications so use at your own risk.
https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=src/misc-progs;h=a1a3f2c9c...
But since you have said that you are not a developer, this might be a little bit hard :) Let me know where I can help out.
Thank you for the links Michael, this should be the way I should go with Banish. I'll see if I get something compiled for my prog.
I still think you should have a look at my last email on this. It might make sense to integrate that functionality into the firewall engine that we have which will save you a lot of coding of things that are already there.
Best, -Michael
HTH
Rob
Michael Tremer wrote:
Thank you for the links Michael, this should be the way I should go with Banish. I'll see if I get something compiled for my prog.
I still think you should have a look at my last email on this. It might make sense to integrate that functionality into the firewall engine that we have which will save you a lot of coding of things that are already there.
Best, -Michael
That would make a lot of sense and I'll see if I can incorporate the firewall engine into my next update. My motivation so far has been to maintain continuity with my move from IPCop, but I do realize things have moved on significantly since this addon was written. That said, this ported version of Banish is working well on IPFire here, and for me is a useful enhancement, but I do recognize there could be improvements.
Kind Regards
Rob