GBDE encrypted File system

2010-03-20 Thread Aiza

In release 8.0 is GBDE now part of the base system?
If not what is the /boot/loader.conf command to add to enable it?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: GBDE encrypted File system

2010-03-20 Thread Adam PAPAI

On 3/20/10 6:29 AM, Aiza wrote:

> In release 8.0 is GBDE now part of the base system?
> If not what is the /boot/loader.conf command to add to enable it?


You don't have to enable it. Nothing to add to the loader.conf.

But if you want to mount the partitions during the boot:

18.16.1.2.1 Automatically Mounting Encrypted Partitions

It is possible to create a script to automatically attach, check, and 
mount an encrypted partition, but for security reasons the script should 
not contain the gbde(8) password. Instead, it is recommended that such 
scripts be run manually while providing the password via the console or 
ssh(1).


Please read:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html

--
Adam PAPAI


Re: Samba read speed performance tuning

2010-03-20 Thread Dan Naumov
On Sat, Mar 20, 2010 at 3:49 AM, Gary Gatten ggat...@waddell.com wrote:
 It MAY make a big diff, but make sure during your tests you use unique files 
 or flush the cache or you'll be testing cache speed and not disk speed.

Yeah I did make sure to use unique files for testing the effects of
prefetch. This is Atom D510 / Supermicro X75SPA-H / 4Gb Ram with 2 x
slow 2tb WD Green (WD20EADS) disks with 32mb cache in a ZFS mirror
after enabling prefetch.:
Code:

bonnie -s 8192

              -------Sequential Output-------- ---Sequential Input-- --Random--
              -Per Char- --Block--- -Rewrite-- -Per Char- --Block--- --Seeks---
Machine    MB K/sec %CPU K/sec %CPU K/sec %CPU K/sec %CPU K/sec %CPU  /sec %CPU
         8192 29065 68.9 52027 39.8 39636 33.3 54057 95.4 105335 34.6 174.1  7.9

DD read:
dd if=/dev/urandom of=test2 bs=1M count=8192
dd if=test2 of=/dev/zero bs=1M
8589934592 bytes transferred in 76.031399 secs (112978779 bytes/sec)
(107,74mb/s)


Individual disks read capability: 75mb/s
Reading off a mirror of 2 disks with prefetch disabled: 60mb/s
Reading off a mirror of 2 disks with prefetch enabled: 107mb/s


- Sincerely,
Dan Naumov


freenas-like solution for aoe?

2010-03-20 Thread Vadkan Jozsef
Does anybody know a FreeNAS-like solution, that supports AoE? - Ata over
Ethernet?

Thank you!



Re: FreeBSD 8.0 Booting Problem on ZV5320US Laptop

2010-03-20 Thread Anoop Kumar Narayanan
richard.delaur...@gmail.com wrote:
 Are you able to get to the FreeBSD splash screen (where you get a countdown
 to startup with a menu of 6 selections)?

Yes, It doesn't go beyond that selection most of the time.

 One of the choices there is boot w/o ACPI; you could try that if you get
 that far.

That is exactly where I am, at that screen when I make the selection
(any selection) it just pauses for about 30 Secs before the computer
shuts down. Tried all options including 'set hint.acpi.0.disabled=1'
followed by 'boot' at the loader prompt. It's more or less 1 successful
boot in 7 attempts, totally random, not dependent on whether w/o ACPI is
picked or not, sometimes it just works with verbose logging or normal
boot.

It is definitely something to do with the RESET BIOS timer (If at all
there is anything like that) expiring before FreeBSD kernel can fully
load or something... Thank you HP !

-Anoop

 Good luck--

 Richard

 On Fri, Mar 19, 2010 at 11:55 AM, Anoop Kumar Narayanan anoop...@gmail.com
 wrote:

 On Fri, Mar 19, 2010 at 7:49 PM, Richard DeLaurell
 richard.delaur...@gmail.com wrote:
 On Fri, Mar 19, 2010 at 8:20 AM, Anoop Kumar Narayanan
  anoop...@gmail.comwrote:
 I have recently installed FreeBSD8.0 on my 5 year old HP laptop with
 absolute 0 battery backup (behaviour same when battery removed).
 Installation works fine but when I try to boot into FreeBSD I get to
 the BTX loader screen, after having made any selection and it pauses
 for about 15 secs and the computer suddenly powers down. I was able to
 boot into the system occasionally let's say about 1 in 5 boots. I am
 able to install and boot into Linux without any problem.
 
 
  So then you are attempting to startup using a power adaptor (i.e. your
  computer is plugged in to a wall socket)?
 Yes. I don't know if it's a specific Athlon XP related problem as I did
 observe a similar post some years ago. And, apparently it's the same
 thing.
 http://osdir.com/ml/os.freebsd.devel.hardware/2004-10/msg00044.html
 In this case it's the installation. In my case it's after the installation.
 
  I had the reverse problem a while ago with Slackware shutting down in
  the
  middle of installation onto a Toshiba laptop while FreeBSD has always
  been
  no problem.
 
  My guess is that these issues reflect power management settings, perhaps
  even something in the bios.
 Maybe it's something in the BIOS, but the thing is that Linux boots
 fine on the machine. Maybe some driver is crashing and is causing a
 reboot of the machine. Are there any critical drivers in the system
 that can result in such a problem.
 
  Does this occur when you use the installation or boot-only disks?
 I can install it just fine, but can't seem to boot into the
 installed version (Once it's been installed).
 I did create the FreeBSD swap partition before the root file-system
 (and it still seems to label the root file-system as 'a'), Would this
 affect the system boot up in anyway ?
 
  Sorry this is not more help to you.
 
  Richard


GBDE and fixit.iso

2010-03-20 Thread Aiza

Does the fixit.iso file include the GBDE application?


securing sshd

2010-03-20 Thread Jamie Griffin
Hello

I've been reading up on securing sshd after being bombarded with attempted 
logins. 

The steps I've taken so far to make things more secure are:

* changed the encryption method for passwords in /etc/login.conf from md5 to 
blowfish and changed all the passwords to ridiculously obscure ones (at least 
as obscure as I could think of).

* changed /etc/ttys secure entries to insecure to prevent root logins on the 
console

  (the above are not really sshd specific I know.)

* Disabled root login by ssh in /etc/ssh/sshd_config

* Set myself as the only user able to login by ssh

* Disabled password logins completely, and to only allow public key 
authentication

* Changed the default ssh port from 22 to something much higher

I'm the only user that will ever need to log into the machine. I wondered, does 
this setup seem ok and are there any other methods used by anyone on list that 
might help me to secure remote logins even further?

Thanks for any help.

Jamie
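
The sshd-specific steps in the post above can be checked mechanically. The following is an added example, not part of the original post and not code from the OpenSSH or FreeBSD projects: a POSIX sh audit that reads an sshd_config and reports on the settings listed. The sample configurations, user names and port number are constructed; the ChallengeResponseAuthentication check is an addition, since on FreeBSD password prompts can still arrive through PAM keyboard-interactive while that option is enabled.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the sshd steps in the post.
# Sample configs, user names and the port number are constructed.

# Print every value given for keyword $1 in the sshd_config on stdin.
# Keywords are case-insensitive; global settings stop at the first Match.
sshd_values() {
    awk -v key="$1" '
        /^[ \t]*#/        { next }    # comment line
        NF == 0           { next }    # blank line
        { k = tolower($1) }
        k == "match"      { exit }
        k == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    '
}

# sshd uses the first value it obtains for a keyword, so a later
# "PermitRootLogin no" does not override an earlier "yes".
sshd_first_value() { sshd_values "$1" | sed -n 1p; }

# expect_value CONFIG_TEXT KEYWORD WANTED: prints PASS/FAIL, returns 0/1
expect_value() {
    got=$(printf '%s\n' "$1" | sshd_first_value "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$got" = "$3" ]; then
        echo "PASS $2 $got"
    else
        echo "FAIL $2 ${got:-unset} (want $3)"
        return 1
    fi
}

# Read an sshd_config on stdin; return 0 only if every check passes.
audit_sshd_config() {
    cfg=$(cat)
    rc=0
    expect_value "$cfg" PermitRootLogin no || rc=1
    expect_value "$cfg" PasswordAuthentication no || rc=1
    # Not in the post: keyboard-interactive (PAM) can still ask for a password.
    expect_value "$cfg" ChallengeResponseAuthentication no || rc=1
    # Count names across every AllowUsers line (the conservative reading).
    users=$(printf '%s\n' "$cfg" | sshd_values AllowUsers)
    n=$(printf '%s\n' "$users" | awk '{ n += NF } END { print n + 0 }')
    if [ "$n" -eq 1 ]; then
        echo "PASS AllowUsers $users"
    else
        echo "FAIL AllowUsers lists $n names (want exactly 1)"
        rc=1
    fi
    port=$(printf '%s\n' "$cfg" | sshd_first_value Port)
    echo "INFO Port ${port:-22}"
    return $rc
}

hardened_cfg() {
cat <<'EOF'
# constructed sample: the settings described in the post
Port 22022
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers jamie
EOF
}

weak_cfg() {
cat <<'EOF'
# constructed sample: the first PermitRootLogin wins, PAM prompts are
# left at their default, and a second account may log in
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication no
AllowUsers jamie backup
EOF
}

echo "== hardened =="; hardened_cfg | audit_sshd_config
echo "== weak ==";     weak_cfg | audit_sshd_config || true
```

A keyword reported as "unset" means the file does not set it explicitly, so the build's default applies and should be checked in sshd_config(5).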


Re: securing sshd

2010-03-20 Thread Erik Norgaard

On 20/03/10 14:18, Jamie Griffin wrote:


> I've been reading up on securing sshd after being bombarded with attempted
> logins.


Hi!

First step to ssh security is: Don't panic! Take your time to read the 
logs and understand what's going on. So, you've got bombarded with login 
attempts, but they failed. Just because there is some log entry doesn't 
mean you have to act on it.


I recall reading an analysis of this kind of brute force attacks on 
securityfocus.com. These brute force attacks are pretty harmless if 
you've got basic security in place.


This was also discussed on the list two weeks ago, check the archives.


> * Disabled root login by ssh in /etc/ssh/sshd_config


Good, if you read the logs you will see that about 50% of the attempts 
are against the root account.



> * Set myself as the only user able to login by ssh


Good, if you read the logs you will see that about 40% of the attempts 
are against standard unix accounts, and guest. The remaining are against 
randomly generated user names usually based on common names (john, 
smith, etc) you can get this statistic from your logs.



> * Disabled password logins completely, and to only allow public key
> authentication


This seems good for security, but not always practical. Now you have to 
walk around with a USB or have keys on your laptop and if you lose the 
USB or the laptop gets stolen you can't get access. Worse, you can't 
revoke the keys till you get back home.



> * Changed the default ssh port from 22 to something much higher


Number is irrelevant and I discourage this. If you ever find yourself 
behind somebody else's firewall, if access is enabled it is enabled for 
the default port.



> I'm the only user that will ever need to log into the machine. I wondered, does
> this setup seem ok and are there any other methods used by anyone on list that
> might help me to secure remote logins even further?


Since you're the only one on that system, you know where you're going to 
connect from, at least roughly. Why allow connections from anywhere?


Restrict the client access to certain ranges of IPs. The different 
registries publish ip ranges assigned per country and you can create a 
list blocking countries you are certain not to visit, you can use my script:


http://www.locolomo.org/pub/src/toolbox/inet.pl

The last things I can think of are not to have your user name as in your 
mail address, not have mail password as your unix account password and 
remember to password protect your ssh keys. Run other services such as 
mail, http, dns etc. in jails - if possible separate jails. All this 
depends on your paranoia.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
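
The per-account breakdown mentioned in the reply above can be pulled from the log directly. The following is an added example, not part of the original message: a POSIX sh/awk function that classifies sshd "Failed ... for USER" lines by target account. The log lines are constructed, and the list of standard account names is an assumption to adjust for the system at hand.

```shell
#!/bin/sh
# Added example: share of failed sshd logins per target account class.
# All log lines are constructed (documentation IP ranges).

sample_auth_log() {
cat <<'EOF'
Mar 20 13:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 20 13:01:04 host sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 20 13:01:09 host sshd[1204]: Invalid user guest from 203.0.113.5
Mar 20 13:01:10 host sshd[1204]: Failed password for invalid user guest from 203.0.113.5 port 40150 ssh2
Mar 20 13:02:31 host sshd[1210]: Failed password for root from 198.51.100.23 port 51822 ssh2
Mar 20 13:02:40 host sshd[1212]: Failed password for invalid user john from 198.51.100.23 port 51840 ssh2
Mar 20 13:03:02 host sshd[1215]: Failed keyboard-interactive/pam for root from 198.51.100.23 port 51877 ssh2
Mar 20 13:03:15 host sshd[1217]: Failed password for www from 203.0.113.77 port 33010 ssh2
Mar 20 13:03:18 host sshd[1219]: Failed password for invalid user smith from 203.0.113.77 port 33020 ssh2
Mar 20 13:04:00 host sshd[1222]: Accepted publickey for jamie from 192.0.2.44 port 50022 ssh2
Mar 20 13:05:41 host sshd[1230]: Failed password for root from 203.0.113.77 port 33100 ssh2
Mar 20 13:05:50 host sshd[1232]: Failed password for operator from 203.0.113.77 port 33111 ssh2
EOF
}

# Read an auth log on stdin; print "class count percent" for the classes
# root, system (standard accounts plus guest) and other.
# One attempt is counted per "Failed <method> for ..." line; the separate
# "Invalid user" notice for the same attempt is not counted again.
ssh_target_stats() {
    awk '
    BEGIN {
        # Assumed list of standard account names; extend as needed.
        n = split("toor daemon operator bin games news man sshd uucp www nobody ftp guest", a, " ")
        for (i = 1; i <= n; i++) system_acct[a[i]] = 1
    }
    # Match on fixed field positions, because the user name is supplied
    # by the remote side and must not be able to shift the parse.
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $8 == "for" {
        user = $9
        if (user == "invalid" && $10 == "user") user = $11
        if (user == "root")            class = "root"
        else if (user in system_acct)  class = "system"
        else                           class = "other"
        count[class]++
        total++
    }
    END {
        if (total == 0) { print "no failed logins found"; exit }
        split("root system other", order, " ")
        for (i = 1; i <= 3; i++)
            printf "%s %d %d%%\n", order[i], count[order[i]], int(100 * count[order[i]] / total + 0.5)
    }'
}

sample_auth_log | ssh_target_stats
```

On a live system the function would read the real log instead, for example `ssh_target_stats < /var/log/auth.log`.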


Copying mirrored partitions - will this work?

2010-03-20 Thread Mike Clarke

I'm currently running 8.0-RELEASE and am considering experimenting with 
8.0-STABLE. I'd like to preserve my existing system in case things go 
pear-shaped so I'll copy the entire system onto a spare slice and then 
use csup to upgrade the copy to STABLE. Normally I'd go through the 
steps of bsdlabel, newfs and then dump|restore to create the copy but 
I'm wondering if I can take advantage of my recently created gmirror to 
cut down the work.

I have two 500GB disks, /dev/ad4 and /dev/ad8, each partitioned into 4 
slices of 88, 88, 42 and 259GB. My system is installed on the first 
slices (ad4s1 and ad8s1) which are mirrored as /dev/mirror/gm0. The 
second slices (ad4s2 and ad8s2) are currently unused. My thoughts are 
to temporarily add ad4s2 into gm0 with gmirror insert gm0 ad4s2 and 
wait for the mirror to synchronise. I should then be able to remove the 
temporary addition with gmirror remove gm0 /dev/ad4s2 at which point 
ad4s2 should be a duplicate of the original system and I can then go 
ahead and create a new mirror with gmirror label -b load gm1 ad4s2 
and gmirror insert gm1 ad8s2. After editing /etc/fstab in the new 
mirror to use gm1 instead of gm0 I should then be able to boot into the 
system on slice 2 and upgrade it to STABLE while still keeping my 
original system to fall back to if required.

Is this approach of moving disks from one mirror to another workable, or 
have I missed something that would lead me into deep trouble? I don't 
mind unduly if I make a mess of the second slice and have to start 
again but I don't want to lose the contents of my original system on 
slice 1.

-- 
Mike Clarke


Re: securing sshd

2010-03-20 Thread Jerry
On Sat, 20 Mar 2010 16:32:28 +0100
Erik Norgaard norga...@locolomo.org articulated:

  * Disabled password logins completely, and to only allow public key
  authentication  
 
 This seems good for security, but not always practical. Now you have
 to walk around with a USB or have keys on your laptop and if you
 lose the USB or the laptop gets stolen you can't get access. Worse,
 you can't revoke the keys till you get back home.

Worse yet, if you get shot and killed you won't be able to access your
data no matter how hard you try.

Seriously, disabling password log-ins and using key authentication is
extremely secure. Do make sure that you password protect your keys
however. In any event, if your laptop or whatever is stolen, you have
more than just one problem to contend with anyway.

-- 
Jerry
ges...@yahoo.com

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__

It's not whether you win or lose, it's how you place the blame.


Re: securing sshd

2010-03-20 Thread Elias Chrysocheris
On Saturday 20 of March 2010 18:14:17 Jerry wrote:
 On Sat, 20 Mar 2010 16:32:28 +0100
 
 Erik Norgaard norga...@locolomo.org articulated:
   * Disabled password logins completely, and to only allow public key
   authentication
 
  This seems good for security, but not always practical. Now you have
  to walk around with a USB or have keys on your laptop and if you
  lose the USB or the laptop gets stolen you can't get access. Worse,
  you can't revoke the keys till you get back home.
 
 Worse yet, if you get shot and killed you won't be able to access your
 data no matter how hard you try.
 
 Seriously, disabling password log-ins and using key authentication is
 extremely secure. Do make sure that you password protect your keys
 however. In any event, if your laptop or whatever is stolen, you have
 more than just one problem to contend with anyway.


Another thing you could do is perhaps to secure your sshd using a program like 
sshguard. This is another measure you could take against brute force attack to 
your ssh.

Elias


Re: securing sshd

2010-03-20 Thread Erik Norgaard

On 20/03/10 17:14, Jerry wrote:


> Seriously, disabling password log-ins and using key authentication is
> extremely secure. Do make sure that you password protect your keys
> however. In any event, if your laptop or whatever is stolen, you have
> more than just one problem to contend with anyway.


I don't doubt that it is much harder to brute force a key than a 
password. I simply say that it is not always practical. Anyone stealing 
or finding your usb or laptop will likely not be too interested in your 
data.


But, now you have to carry the key and protect it. If you travel a lot, 
and travel light, you bring just a usb stick which is easily lost, and 
being without access for months is not fun.


BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org


Re: securing sshd

2010-03-20 Thread Leonidas Tsampros
Jamie Griffin ja...@fantomatic.co.uk writes:

 Hello

 I've been reading up on securing sshd after being bombarded with attempted 
 logins. 

 The steps I've taken so far to make things more secure are:

 * changed the encryption method for passwords in /etc/login.conf from md5 to 
 blowfish and changed all the passwords to ridiculously obscure ones (at least 
 as obscure as I could think of).

 * changed /etc/ttys secure entries to insecure to prevent root logins on the 
 console

   (the above are not really sshd specific I know.)

 * Disabled root login by ssh in /etc/ssh/sshd_config

 * Set myself as the only user able to login by ssh

 * Disabled password logins completely, and to only allow public key 
 authentication

 * Changed the default ssh port from 22 to something much higher

 I'm the only user that will ever need to log into the machine. I wondered, 
 does this setup seem ok and are there any other methods used by anyone on 
 list that might help me to secure remote logins even further?

Hi,

I'm using the following pf snippet in order to protect myself and my
system's logs against brute force attempts on sshd:

#
# Block them all
#
block log quick from <bruteforce_ssh>

#
# connection rate the incoming ssh connections and fill the bruteforce
# table
#
pass in log inet proto tcp from any to any port = 22 \
 flags S/SA keep state \
 (max-src-conn 10, max-src-conn-rate 5/4, \
 overload <bruteforce_ssh> flush global)

For more information on how this works, take a look at pf.conf(5).

I don't know if it's complete (or even good practice), but a) I think it
works for me and b) it does not depend on a port-provided solution.

 Thanks for any help.

 Jamie


Re: securing sshd

2010-03-20 Thread Jamie Griffin
I think on reflection I might have been a little over the top with blocking 
password logins and I think the point about carrying a key on a usb stick, etc, 
is a very good one. The reason I went with that decision is because I only 
expect to be logging in to the server from two locations:  at home or from a 
computer at my university, where the public key can be kept in the accounts I 
use at each location. Also, there are no other users logging into it so it won't 
be too much of a problem doing it this way, I hope. When I saw hundreds of 
failed login attempts I panicked a bit I think :-) 

I really like the pf option and have just set up a similar rule actually, which 
I think will work well because I've also got it working with spamd to greylist 
inbound mail, as recommended by someone on this list the other day. 

Really appreciate all the good advice though, thanks.

   Jamie


Re: Trouble Installing JDK15 On A Vanilla 8.0 Installation

2010-03-20 Thread Tom Purl
On Fri, Mar 19, 2010 at 10:03 AM, Warren Block wbl...@wonkity.com wrote:
 On Fri, 19 Mar 2010, Tom Purl wrote:
 First, after the port had compiled on my system for many hours, it
 crashed with an error message stating that I was out of swap space.  I
 had only devoted 128 MB of RAM to the VM at this point (I planned to
 increase it later), so I doubled that to 256 MB

 That still seems pretty small for a Java build from source.  Give the VM as
 much memory as the host can afford.  You can always reduce that after the
 build is done.

 and re-ran make install clean.

 There may have been a half-built work directory still in place from the
 failed build.  If that happens, clear it with a 'make clean'.

 For big ports like Java, it helps to break up the steps.  Do just a make,
 then if it builds, make install, then after that succeeds, make clean.

Thanks for the advice Warren!  I ended up doing the following:

* Giving the VM 512 MB of RAM.  I also tried with 256, but I got the
  same out of swap space error.
* cd /usr/ports/java/jdk15 && make clean
* make # wait 4 or 5 hours for this package alone :)
* make install
* make clean
* make distclean

This finally worked for me; I didn't get any other errors.

 1. Is Java 5 not supported on version 8 of FreeBSD?  I found the
 following tip that apparently eliminates this error, but it really seems
 to be a hack to me.  Is there a better way?

 * http://lists.freebsd.org/pipermail/freebsd-ports/2008-July/049686.html

 Don't know, but jdk16 works on 8.  Except the Firefox plugin.

It's now clear to me that jdk15 does work on 8.

Thanks again Warren!

Tom Purl


Re: securing sshd

2010-03-20 Thread Erik Norgaard

On 20/03/10 18:23, Jamie Griffin wrote:


> The reason I went with that decision is because I only expect to be
> logging in to the server from two locations:  at home or from a
> computer at my university


In that case, the best thing you can do is figure out the IP ranges of 
either location.


Check your log for your own successful logins to find the source IP, 
then look up the range with whois. You can be pretty sure that wherever 
you are on campus, the assigned IP will be in that range.


Then just allow access from those ranges and block everything else in 
your firewall. Whitelists are far easier to manage than black lists. 
Having some daemon running to monitor illicit attempts to login and 
block the source is futile. You can be almost certain that you won't see 
that IP in your logs again, partly because these attempts may come from 
botnets, partly because the source may be assigned IP dynamically.


Btw. I found two articles on securityfocus.com, the first is analysis 
using a honeypot, as you see these attacks are pretty lame:


http://www.symantec.com/connect/articles/analyzing-malicious-ssh-login-attempts

Then somebody having to respond, because security was pretty lame:

http://www.symantec.com/connect/articles/responding-brute-force-ssh-attack?ref=rss

BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
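
The procedure described in the reply above (own successful logins, then whois, then an allow list in the firewall) can be sketched as follows. This is an added example, not part of the original message: the log lines, the login name, the address ranges and the table name ssh_allowed are all constructed, and the whois lookup itself stays a manual step.

```shell
#!/bin/sh
# Added example: derive an ssh allow list from your own successful logins.
# Log lines, login name, ranges and the table name are constructed.

sample_accepted_log() {
cat <<'EOF'
Mar 18 08:59:10 host sshd[702]: Accepted publickey for jamie from 192.0.2.44 port 50110 ssh2
Mar 18 19:20:31 host sshd[811]: Accepted publickey for jamie from 198.51.100.17 port 41222 ssh2
Mar 19 09:02:55 host sshd[905]: Accepted publickey for jamie from 192.0.2.44 port 50231 ssh2
Mar 19 14:11:03 host sshd[940]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 20 09:00:12 host sshd[1001]: Accepted publickey for jamie from 192.0.2.51 port 50302 ssh2
Mar 20 12:30:00 host sshd[1050]: Accepted publickey for backup from 203.0.113.9 port 40000 ssh2
EOF
}

# my_login_sources USER: read an auth log on stdin and print "count address"
# for every address USER logged in from, most frequent first.
my_login_sources() {
    awk -v user="$1" '
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" &&
    $9 == user && $10 == "from" { seen[$11]++ }
    END { for (ip in seen) print seen[ip], ip }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# pf_whitelist_rules CIDR...: print a pf table and a block rule that admit
# ssh only from the given ranges. The ranges come from looking up the
# addresses above with whois(1) by hand.
pf_whitelist_rules() {
    list=""
    for cidr in "$@"; do
        # Basic shape check only: digits, dots and one prefix length.
        case "$cidr" in
            *[!0-9./]*)
                echo "not an IPv4 range: $cidr" >&2; return 1 ;;
            [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*)
                list="${list:+$list, }$cidr" ;;
            *)
                echo "not an IPv4 range: $cidr" >&2; return 1 ;;
        esac
    done
    # An empty table would block every ssh client, the administrator included.
    [ -n "$list" ] || { echo "refusing to emit an empty allow list" >&2; return 1; }
    printf 'table <ssh_allowed> const { %s }\n' "$list"
    printf 'block in quick inet proto tcp from ! <ssh_allowed> to any port 22\n'
}

echo "# addresses jamie logged in from:"
sample_accepted_log | my_login_sources jamie
echo "# pf.conf lines for the ranges found by whois (constructed here):"
pf_whitelist_rules 192.0.2.0/24 198.51.100.0/24
```

Load the generated lines with a second session kept open, so that a wrong range does not cut off the only way back in.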


AMD 64 X2 - Dual Core?

2010-03-20 Thread Gene
Hi -
I just got a board with an AMD Athlon 64 X2 cpu. I was wondering - 

1) Is the amd64 8.0 release the fbsd of choice here?

and

2) Does it take advantage of the athlon's dual cores?

Thanks,

IHN,
Gene

--
To everything there is a season,
And a time to every purpose under heaven.



Re: API to find the memory usage of a process.

2010-03-20 Thread Pieter de Goeje
On Thursday 18 March 2010 18:28:48 Jayadev Kumar wrote:
 Hi,

 I  need to find the memory usage of a process, from inside the process.
 Is there any system call
 do this ? I was trying to find it from 'top' utility source code. I
 couldn't find the port which it is coming
 from yet.

 Thanks,
 Jayadev.

Check out getrusage(2).

- Pieter


Re: securing sshd

2010-03-20 Thread Jamie Griffin
 
 In that case, the best thing you can do is figure out the IP ranges of 
 either location.

Definitely a good idea, thanks Erik.

 
 Btw. I found two articles on securityfocus.com, the first is analysis 
 using a honeypot, as you see these attacks are pretty lame:
 
 http://www.symantec.com/connect/articles/analyzing-malicious-ssh-login-attempts
 
 Then somebody having to respond, because security was pretty lame:
 
 http://www.symantec.com/connect/articles/responding-brute-force-ssh-attack?ref=rss
 
Thanks for posting those links, interesting information there. 

   Jamie


RE: How do I fix the broken python26 port in 7.2-RELEASE ?

2010-03-20 Thread George Sanders


 Virgin 7.2-RELEASE install.

 I run:

 csup -h cvsup4.freebsd.org -i ports/lang/python26 -g -L 2
 /usr/share/examples/cvsup/ports-supfile


 and now I have a /usr/ports/lang/python26/distinfo that looks like:

 MD5 (python/Python-2.6.4.tgz) = 17dcac33e4f3adb69a57c2607b6de246
 SHA256 (python/Python-2.6.4.tgz) =
 1a25a47506e4165704cfe2b07c0a064b0b5762a2d18b8fbdad5af688aeacd252 SIZE
 (python/Python-2.6.4.tgz) = 13322131

 This looks like mine.

 Perfect. I'll just do a 'make install' and ...

 # make install
 ===> Vulnerability check disabled, database not found
 ===> Found saved configuration for python26-2.6.4
 => Python-2.6.1.tgz is not in /usr/ports/lang/python26/distinfo.
 => Either /usr/ports/lang/python26/distinfo is out of date, or
 => Python-2.6.1.tgz is spelled incorrectly.
 *** Error code 1

 This is the wrong distfile.


Ok, but as you can see from the paste above, I _do_ have the right distfile in 
my /ports/lang/python26 directory.

So where is it getting this wrong distfile from, and why is it using it ?

I am NOT csup'ing and installing the port all in one operation - I am doing two 
distinct things:

1. csup ONLY the python26 port
2. make install the python26 port

Why is this rocket science ?


  



RE: How do I fix the broken python26 port in 7.2-RELEASE ?

2010-03-20 Thread Michael Powell
George Sanders wrote:

 
 
 Virgin 7.2-RELEASE install.

 I run:

 csup -h cvsup4.freebsd.org -i ports/lang/python26 -g -L 2
 /usr/share/examples/cvsup/ports-supfile
 

 and now I have a /usr/ports/lang/python26/distinfo that looks like:

 MD5 (python/Python-2.6.4.tgz) = 17dcac33e4f3adb69a57c2607b6de246
 SHA256 (python/Python-2.6.4.tgz) =
 1a25a47506e4165704cfe2b07c0a064b0b5762a2d18b8fbdad5af688aeacd252 SIZE
 (python/Python-2.6.4.tgz) = 13322131

 This looks like mine.

 Perfect. I'll just do a 'make install' and ...

 # make install
 ===> Vulnerability check disabled, database not found
 ===> Found saved configuration for python26-2.6.4
 => Python-2.6.1.tgz is not in /usr/ports/lang/python26/distinfo.
 => Either /usr/ports/lang/python26/distinfo is out of date, or
 => Python-2.6.1.tgz is spelled incorrectly.
 *** Error code 1

 This is the wrong distfile.
 
 
 Ok, but as you can see from the paste above, I _do_ have the right
 distfile in my /ports/lang/python26 directory.
 
 So where is it getting this wrong distfile from, and why is it using it ?
 
 I am NOT csup'ing and installing the port all in one operation - I am
 doing two distinct things:
 
 1. csup ONLY the python26 port

And by doing this and not refreshing the entire ports tree you are trying to 
build with an out of date /usr/ports/Mk. With other ports which have 
dependencies this would become apparent much quicker. Since python26 does 
not, it would seem the bsd.python.mk thinks you should be trying to build 
python 2.6.1.

 2. make install the python26 port
 
 Why is this rocket science ?
 

Dunno - works for me.

-Mike





Re: AMD 64 X2 - Dual Core?

2010-03-20 Thread Mike Tancsa

At 02:46 PM 3/20/2010, Gene wrote:

Hi -
I just got a board with an AMD Athlon 64 X2 cpu. I was wondering -

1) Is the amd64 8.0 release the fbsd of choice here?


Yes.  8.0R is the way to go. However, you might want to bring it up to 
date after installing it as there are a number of bug fixes and 
feature enhancements since the release of 8.0.  The FreeBSD handbook 
tells you how to do it.



and

2) Does it take advantage of the athlon's dual cores?



Both the i386 (32bit) and AMD64 (64bit) versions take advantage of 
multiple cores.  If you have more than 4G of RAM, use the 64 bit 
version, otherwise use the 32bit install.



---Mike



Mike Tancsa,  tel +1 519 651 3400
Sentex Communications,m...@sentex.net
Providing Internet since 1994www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike



Re: AMD 64 X2 - Dual Core?

2010-03-20 Thread krad
I totally disagree with using the 32bit unless you have a specific
need or potentially if you are running it as a desktop. 64 every time
for servers for loads of reasons. If you are running less than 4 gig
there is a fair chance you will in the next few years

On 3/20/10, Gene f...@brightstar.bomgardner.net wrote:
 Hi -
 I just got a board with an AMD Athlon 64 X2 cpu. I was wondering -

 1) Is the amd64 8.0 release the fbsd of choice here?

 and

 2) Does it take advantage of the athlon's dual cores?

 Thanks,

 IHN,
 Gene

 --
 To everything there is a season,
 And a time to every purpose under heaven.



-- 
Sent from my mobile device


net-snmp pass scripts

2010-03-20 Thread krad
Hi,

I know this isn't the ideal place, but I'm not having much joy on the
net-snmp users mailing list.

Does anyone have any good guides for writing or examples of snmp pass
scripts?


bruteforce protection howto

2010-03-20 Thread Vadkan Jozsef
Two pc's:

1 - router
2 - logger

Situation: someone tries to bruteforce into a server, and the logger
gets a log about it [e.g.: ssh login failed].

What's the best method to ban that ip [what is bruteforcing a server]
what was logged on the logger?
I need to ban the ip on the router pc.

How can I send the bad ip to the router, to ban it?

Just run a cronjob, and e.g.: scp the list of ip's from the logger to
the router, then ban the ip from the list on the router pc?

Or is there any official method for this?

I'm just asking for docs/howtos.. :\ to get started..

Thank you!



Re: bruteforce protection howto

2010-03-20 Thread Jamie Griffin
 
 Two PCs:
 
 1 - router
 2 - logger
 
 Situation: someone tries to bruteforce into a server, and the logger
 gets a log about it [e.g.: ssh login failed].
 
 What's the best method to ban the IP [that is bruteforcing a server]
 that was logged on the logger?
 I need to ban the IP on the router PC.
 
 How can I send the bad IP to the router, to ban it?

I was asking about this earlier. I went with pf, which is already in the base
system, and also made sshd more secure by using the options in
/etc/ssh/sshd_config.

Have a look at `man 5 sshd_config`, and there is loads of stuff on Google about
this. So far, I really like what pf can do, check it out. `man pf.conf` and
again there are lots of old posts on Google, and the OpenBSD pf guide is good
too:

 https://calomel.org/pf_config.html
 http://www.freebsd.org/doc/handbook/firewalls-pf.html
 http://www.openbsd.org/faq/pf/

   Jamie


Re: confirm 0e468fd0cede091de70f462228a30f3c07dd71fa

2010-03-20 Thread Jerry
On Sat, 20 Mar 2010 21:34:27 +
freebsd-questions-requ...@freebsd.org articulated:

 Mailing list subscription confirmation notice for mailing list
 freebsd-questions
 
 We have received a request for subscription of your email address,
 freebsd.u...@seibercom.net, to the freebsd-questions@freebsd.org
 mailing list.  To confirm that you want to be added to this mailing
 list, simply reply to this message, keeping the Subject: header
 intact.  Or visit this web page:
 
 
 http://lists.freebsd.org/mailman/confirm/freebsd-questions/0e468fd0cede091de70f462228a30f3c07dd71fa
 
 
 Or include the following line -- and only the following line -- in a
 message to freebsd-questions-requ...@freebsd.org:
 
 confirm 0e468fd0cede091de70f462228a30f3c07dd71fa
 
 Note that simply sending a `reply' to this message should work from
 most mail readers, since that usually leaves the Subject: line in the
 right form (additional Re: text in the Subject: is okay).
 
 If you do not wish to be subscribed to this list, please simply
 disregard this message.  If you think you are being maliciously
 subscribed to the list, or have any other questions, send them to
 freebsd-questions-ow...@freebsd.org.



Re: securing sshd

2010-03-20 Thread Peter
 Jamie Griffin ja...@fantomatic.co.uk writes:

 Hello

 I've been reading up on securing sshd after being bombarded with
 attempted logins.

 The steps I've taken so far to make things more secure are:

 * changed the encryption method for passwords in /etc/login.conf from
 md5 to blowfish and changed all the passwords to ridiculously obscure
 ones (at least as obscure as I could think of).

 * changed /etc/ttys secure entries to insecure to prevent root logins on
 the console

   (the above are not really sshd specific I know.)

 * Disabled root login by ssh in /etc/ssh/sshd_config

 * Set myself as the only user able to login by ssh

 * Disabled password logins completely, and to only allow public key
 authentication

 * Changed the default ssh port from 22 to something much higher

 I'm the only user that will ever need to log into the machine. I
 wondered, does this setup seem ok and are there any other methods used
 by anyone on list that might help me to secure remote logins even
 further?

 Hi,

 I'm using the following pf snippet in order to protect myself and my
 system's logs against brute force attempts on sshd:

 #
 # Block them all
 #
 block log quick from <bruteforce_ssh>

 #
 # connection rate the incoming ssh connections and fill the bruteforce
 # table
 #
 pass in log inet proto tcp from any to any port = 22 \
  flags S/SA keep state \
  (max-src-conn 10, max-src-conn-rate 5/4, \
  overload <bruteforce_ssh> flush global)

 For more information on how this works, take a look at pf.conf(5).

 I don't know if it's complete (or even good practice), but a) I think it
 works for me and b) it does not depend on a port-provided solution.

 Thanks for any help.

 Jamie

On the same line, portknocking with pf:

.
..
...
# Table for allowed IPs
#  [gets auto populated via portknocking]
table <portknock_ssh> persist
.
..
...
block #default block policy
# Allow everyone to hit 'any' on port '1234' - pf proxies tcp connection
#  [if not using 'synproxy', the connection is never established to
#   'overload' the rule]
#  5 attempts in 15 seconds
pass in log quick proto tcp from any to any port {1234} synproxy state \
  (max-src-conn-rate 5/15, overload <portknock_ssh>)

# Allow IPs that have been 'overload'ed into the portknock_ssh table
pass in log quick proto tcp from {<portknock_ssh>} to any port {ssh}
.
..
...

Although ssh is blocked from all except some trusted IPs, you can still
always have access, just have to knock first.

]Peter[


Then put a crontab on an as-needed basis to expire all IPs in that table
that have not been referenced in 60 seconds:

* * * * * /sbin/pfctl -vt portknock_ssh -T expire 60

All established sessions will be kept alive, all new sessions will need to
portknock after the IP is cleared from the table.



Re: bruteforce protection howto

2010-03-20 Thread Erik Norgaard

On 20/03/10 23:17, Vadkan Jozsef wrote:


What's the best method to ban the IP [that is bruteforcing a server]
that was logged on the logger?
I need to ban the IP on the router PC.


Take your time to think about if this is indeed the right solution.

1st: You need to decide which is the right policy to deploy. Basically 
you can opt for a default deny or a default allow. With default deny you 
create white lists for the exceptions that should be allowed. With 
default allow you create black lists. Default deny and default allow 
roughly correspond to the policies of OpenBSD vs. Microsoft Windows.


So, when is white listing an option? When you have a limited set of 
exceptions, for example your local users that need ssh access. If this 
set is limited consider deploying default deny. On the other hand, this 
is not an option for your web service that you wish to provide for 
anyone anywhere.


Blacklisting is futile (think, did anti-virus solve the virus problem?). 
Intruders may attempt to connect from anywhere, blocking a single IP 
won't solve your problem, most likely the next attempt will not come 
from that IP. This is because these attacks may be launched from a 
number of compromised PCs and because the attacking PC may have 
a dynamically assigned address. So you need to block entire ranges, but 
which?


I recently analysed my maillog to see where attempted spammers connected 
from. I found some 3500 hosts in 1600 ranges (using whois lookup). These 
ranges being typically /16. I haven't tried with ssh but I doubt it 
would be much different.


If on top of this you make some auto-respond system, you expose yourself 
to a denial of service attack, blindly blocking anything that creates a 
log entry.


Whether you use white or black listing this is effective only if you can 
make informed decisions. If you don't do business with say China and you 
know that 25% of all spam originates from China, it is only rational to 
block access from China.


But, whenever possible, use white listing.

BR, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157  http://www.locolomo.org
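
The logger-to-router idea from this thread, with the caveats raised in the reply above applied (allowlist first, no ban on a single log entry), as an added example that is not part of any post. The log line format, threshold, window and allowlist range are assumptions, the sample log is constructed, and the table name bruteforce_ssh is borrowed from the pf snippet quoted elsewhere in this archive.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _line(sec, user, ip):  # builds one constructed sshd log line
    return (f"Mar 20 21:00:{sec:02d} srv sshd[811]: "
            f"Failed password for {user} from {ip} port 4000 ssh2")

# Constructed sample: a noisy source, an allowlisted admin, a low-volume source,
# and a user name that itself contains "from <address>".
SAMPLE_LOG = "\n".join(
    [_line(s, "root", "203.0.113.7") for s in range(0, 50, 10)]
    + [_line(s, "operator", "192.0.2.10") for s in range(0, 60, 10)]
    + [_line(s, "invalid user bob", "198.51.100.9") for s in (5, 15)]
    + [_line(30, "invalid user x from 198.51.100.9 port 1 ssh2", "203.0.113.7")])

# Greedy ".*" plus the end anchor: only the trailing address written by sshd
# is used, never text that appears inside the user name field.
FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+ ssh2$")

def offenders(log_text, allow, threshold=5, window=timedelta(minutes=10), year=2010):
    """Addresses with >= threshold failures inside one window, allowlist excluded."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # not a literal address: never pass it to the firewall
        if any(addr in net for net in allow_nets):
            continue  # default-deny exceptions (admin ranges) are never banned
        seen[addr].append(
            datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    bad = []
    for addr, times in seen.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            bad.append(addr)
    return [str(a) for a in sorted(bad, key=lambda a: (a.version, int(a)))]

def pf_table_file(addresses):
    """One address per line, the format `pfctl -t bruteforce_ssh -T replace -f FILE` reads."""
    return "".join(a + "\n" for a in addresses)
```

How the file reaches the router (scp from cron, as asked in the original question) is left out; the router side only needs a rule that blocks the table.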


Re: Copying mirrored partitions - will this work?

2010-03-20 Thread Modulok
How valuable is your data?

I recommend you make an offline backup. There are a lot of steps in your
procedure which introduce room for error. You could perhaps disconnect
one of the hard drives' data cables (same thing). Also, make a backup
copy of your geom meta data somewhere.

Other than that, your procedure sounds like it should work. Though,
I've never tried it. I do recall, that when updating from 6.2-RELEASE
to 8-RELEASE, the geom meta data was automatically updated. I'm not
sure if there is any change between Release and Stable, though. I'm
also not sure if it was a backward incompatible change, as I never
went back to 6.2. Just something to be aware of.

Sorry I can't be more helpful. Maybe someone else knows more.
-Modulok-

On 3/20/10, Mike Clarke jmc-freeb...@milibyte.co.uk wrote:

 I'm currently running 8.0-RELEASE and am considering experimenting with
 8.0-STABLE. I'd like to preserve my existing system in case things go
 pear-shaped so I'll copy the entire system onto a spare slice and then
 use csup to upgrade the copy to STABLE. Normally I'd go through the
 steps of bsdlabel, newfs and then dump|restore to create the copy but
 I'm wondering if I can take advantage of my recently created gmirror to
 cut down the work.

 I have two 500GB disks, /dev/ad4 and /dev/ad8, each partitioned into 4
 slices of 88, 88, 42 and 259GB. My system is installed on the first
 slices (ad4s1 and ad8s1) which are mirrored as /dev/mirror/gm0. The
 second slices (ad4s2 and ad8s2) are currently unused. My thoughts are
 to temporarily add ad4s2 into gm0 with gmirror insert gm0 ad4s2 and
 wait for the mirror to synchronise. I should then be able to remove the
 temporary addition with gmirror remove gm0 /dev/ad4s2 at which point
 ad4s2 should be a duplicate of the original system and I can then go
 ahead and create a new mirror with gmirror label -b load gm1 ad4s2
 and gmirror insert gm1 ad8s2. After editing /etc/fstab in the new
 mirror to use gm1 instead of gm0 I should then be able to boot into the
 system on slice 2 and upgrade it to STABLE while still keeping my
 original system to fall back to if required.

 Is this approach of moving disks from one mirror to another workable, or
 have I missed something that would lead me into deep trouble? I don't
 mind unduly if I make a mess of the second slice and have to start
 again but I don't want to lose the contents of my original system on
 slice 1.

 --
 Mike Clarke


Re: freenas-like solution for aoe?

2010-03-20 Thread Dan Nelson
In the last episode (Mar 20), Vadkan Jozsef said:
 Does anybody know a FreeNAS-like solution, that supports AoE? - Ata over
 Ethernet?

You can get iSCSI with the net/istgt port, which should perform better than
AoE.

-- 
Dan Nelson
dnel...@allantgroup.com


ezjail

2010-03-20 Thread Aiza
I don't have sources installed on my system. I just use the binary 
freebsd-update function. At new releases I do a clean install.

I only have a single public IP address.

Now I would like to play with jails. One for postfix, apache, and ftp.
My reading of EZJAIL and the jails section of the handbook led me to 
believe I need a unique IP address for each jail. Is that correct?


I have no need to build world or install world because it does this from 
/usr/src, which I don't install. Is there some EZJAIL option to just copy 
over the running system binaries instead of the sources?


The handbook 15.4 Creating and Controlling Jails talks about 
“complete” jails, which resemble a real FreeBSD system, and “service” 
jails, dedicated to one application or service. Section 15.4 is the 
procedure for building a complete jail using the jail command.


The 15.6 Application of Jails (service jails) talks about creating a 
root skeleton containing the host running files which are shared with 
all the guest jails in read only mode. This eliminates the massive 
duplication of running system files in each jail as in the complete jail 
system talked about in handbook section 15.4 Creating and Controlling 
Jails.



Now reading the ezjail man pages I see that ezjail also creates a base 
template that is shared between all jails. Is this the same method 
talked about in the handbook section 15.6 Application of Jails (service 
jail)?
