Re: Upgrading libxul, dependency on Firefox 3
At 02:54 22/10/2011, Joe Altman wrote:

> Greetings... I was running portupgrade on libxul and noticed it depends on Firefox 3.x. I cancelled the upgrade, because I thought FF3.x was insecure and therefore deprecated while FF7 was recommended and secure. My questions: 1) is the dependency libxul has for FF3 a security problem? 2) is the dependency on FF3 a bug in libxul? If it is a bug, who should receive a report: gecko@ or the Mozilla project?
>
> FYI: I'm pretty sure it was portsclean -D (and not me) that deleted FF3... yet libxul tried to pull it in during the portupgrade.

As far as I know, the libxul port is inside ff3. Installing libxul doesn't install ff3, only libxul. Perhaps it's an old libxul and the newer one is inside ff7, so the libxul port should point there, don't know that.

Best regards, Joe

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: csup: How do I know I have correct version?
From Damien Fleuriot m...@my.gd:

> > Maybe also I should put this releng9-supfile in a safer place where it won't be deleted by the next installation/upgrade?
>
> Indeed you should.
>
> From my /etc/make.conf:
>
>     SUP_UPDATE=   yes
>     SUP=          /usr/bin/csup
>     SUPFLAGS=     -zgL 2
>     SUPHOST=      cvsup1.fr.freebsd.org
>     SUPFILE=      /etc/cvsup/stable-supfile
>     PORTSSUPFILE= /etc/cvsup/ports-supfile
>     DOCSUPFILE=   /etc/cvsup/doc-supfile
>
> Then, you just have to copy the sample supfiles to /etc/cvsup/

Then how do you update the system source, ports tree or doc? Something with 'make'? 'make update'?

For ports, I run portsnap fetch update

For system source, I run csup /usr/share/examples/releng9-supfile though I subsequently moved the releng9-supfile to /myconfig .

From Matthew Seaman m.sea...@infracaninophile.co.uk:

> The file you want is /usr/src/sys/conf/newvers.sh
>
> This is a script that edits version information into various source code files. The bit you need is near the top of the file -- just following line 33:
>
>     33 TYPE="FreeBSD"
>     34 REVISION="9.0"
>     35 BRANCH="RC1"
>     36 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
>     37         BRANCH=${BRANCH_OVERRIDE}
>     38 fi
>     39 RELEASE="${REVISION}-${BRANCH}"
>     40 VERSION="${TYPE} ${RELEASE}"
>     41 SYSDIR=$(dirname $0)/..
>
> Unfortunately the value you want is RELEASE, which is assembled from parts, so not trivially grep'able. But you can easily see the REVISION is set to 9.0 and BRANCH is RC1 so the whole thing comes to 9.0-RC1. Simple.

That's the file I was looking for, I was not familiar with that particular file name. It's easy to find a needle in the haystack when somebody points it out to me! My thanks!

> > Maybe also I should put this releng9-supfile in a safer place where it won't be deleted by the next installation/upgrade?
>
> No -- you shouldn't need to worry about that. The name 'releng9-supfile' you chose doesn't match anything produced by the system, so it won't be overwritten. (Not that you shouldn't keep a backup somewhere -- that's only sensible.)
>
> Hmmm actually you have highlighted a small omission in the procedures for branching RELENG_9 and RELENG_9_0 -- the cvsup example supfiles /usr/src/share/examples/{stable,standard}-supfile should be updated to match the branch they are installed from. In your case both of those files should use the RELENG_9 tag, but that hasn't been committed yet.
>
> Cheers
>
> Matthew

Good point. I had to make the little modification in the stable-supfile to accommodate RELENG_9 . Since my current efforts are directed toward a working FreeBSD 9.0 system, I am not currently doing anything with 10-current.

Tom
Re: Upgrading libxul, dependency on Firefox 3
On Sat, 22 Oct 2011 09:32:47 +0200, Eduardo Morras wrote:

> As far as I know, the libxul port is inside ff3. Installing libxul doesn't install ff3, only libxul. Perhaps it's an old libxul and the newer one is inside ff7, so the libxul port should point there, don't know that.

I'm not sure if it still applies, but in earlier Firefox version transitions (and the consideration of dependencies) some programs depending on libxul would install an outdated Firefox version. The solution has been

    WITH_GECKO=libxul

in /etc/make.conf so only the current version of this library would have been installed in the end.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: csup: How do I know I have correct version?
On 22/10/2011 10:22, Thomas Mueller wrote:

> From Damien Fleuriot m...@my.gd:
>
> > From my /etc/make.conf:
> >
> >     SUP_UPDATE=   yes
> >     SUP=          /usr/bin/csup
> >     SUPFLAGS=     -zgL 2
> >     SUPHOST=      cvsup1.fr.freebsd.org
> >     SUPFILE=      /etc/cvsup/stable-supfile
> >     PORTSSUPFILE= /etc/cvsup/ports-supfile
> >     DOCSUPFILE=   /etc/cvsup/doc-supfile
> >
> > Then, you just have to copy the sample supfiles to /etc/cvsup/
>
> Then how do you update the system source, ports tree or doc? Something with 'make'? 'make update'?

make update is the correct command.

> For ports, I run portsnap fetch update
>
> For system source, I run csup /usr/share/examples/releng9-supfile though I subsequently moved the releng9-supfile to /myconfig .

Don't define PORTSSUPFILE in /etc/make.conf if you're using portsnap(1). Apart from anything else, typing 'make update' in /usr/src will attempt to cvsup not just the system sources but as well any of PORTS, DOC where you've defined a ...SUPFILE. In fact, without PORTSSUPFILE defined in /etc/make.conf, typing 'make update' in /usr/ports will invoke portsnap for you, so long as you obtained the ports tree by 'portsnap fetch extract' originally.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: Help needed: sound/audio only semi-working
On Fri, 21 Oct 2011 18:29:25 -0700, Ronald F. Guilmette wrote:

> The really strange thing is that after I followed all the directions here:
>
>     http://www.freebsd.org/doc/en/books/handbook/sound-setup.html
>
> This command:
>
>     cat /dev/random > /dev/dsp
>
> *does* produce quite a bit of white noise sound. However when I perform the other officially recommended basic audio functionality test:
>
>     cdcontrol -f /dev/acd0 play 1
>
> with one of my favorite old audio CDs in the drive (AND with that special little wire running from the back of the drive to my motherboard) all that happens is that the CD/DVD drive apparently _does_ start to read some stuff... as evidenced by the blinking access light in the front of the drive... but I still get no sound out, and YouTube videos still aren't giving me any audio even though the video seems to be playing perfectly.

Does the Handbook mention to check your mixer settings? Make sure to try that. Use any simple-enough media player to play some MP3, OGG or WAV file (e. g. per xmms or whatever comes with your preferred desktop environment). Make sure you have vol and pcm up.

    % mixer
    Mixer vol      is currently set to 100:100   <--- This.
    Mixer pcm      is currently set to  84:84    <--- And this.
    Mixer line     is currently set to  75:75
    Mixer mic      is currently set to   0:0
    Mixer cd       is currently set to  75:75    <--- This too.
    Mixer rec      is currently set to  75:75
    Mixer igain    is currently set to   0:0
    Mixer monitor  is currently set to  75:75
    Recording source: mic

The problem regarding audio CDs seems to be quite modern. I also cannot play them anymore (but I don't have that special wire installed at the moment).

> Audio is VIA HDA. So, um, I am grasping for ideas here on how I can debug this problem further.

Check mixer and play simple stuff. :-)

> So how can it be that this works just fine:
>
>     cat /dev/random > /dev/dsp
>
> even while this:
>
>     cdcontrol -f /dev/acd0 play 1
>
> causes the disk to spin up and read, but otherwise produces utter silence?

CD audio subsystem has been modernized. :-)

> P.S. My motherboard (w/ onboard audio) is a Gigabyte GA-M55Plus-S3G. Here is what I get when I cat /dev/sndstat:
>
>     FreeBSD Audio Driver (newpcm: 64bit 2009061500/amd64)
>     Installed devices:
>     pcm0: <HDA Realtek ALC883 PCM #0 Analog> (play/rec) default
>     pcm1: <HDA Realtek ALC883 PCM #1 Analog> (play/rec)
>     pcm2: <HDA Realtek ALC883 PCM #2 Digital> (play/rec)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Upgrading libxul, dependency on Firefox 3
On Sat, 22 Oct 2011 12:45:11 +0200 Polytropon articulated:

> I'm not sure if it still applies, but in earlier Firefox version transitions (and the consideration of dependencies) some programs depending on libxul would install an outdated Firefox version. The solution has been WITH_GECKO=libxul in /etc/make.conf so only the current version of this library would have been installed in the end.

I haven't had that notation in my /etc/make.conf file in ages and I am not experiencing the problems that the OP is reporting. Perhaps if the OP gave a fuller description of his system, and perhaps a perusal of his /etc/make.conf file, a solution could be more readily deduced.

--
Jerry ✌
jerry+f...@seibercom.net

Disclaimer: off-list followups get on-list replies or ignored.
Do not CC this poster. Please do not ignore the Reply-To header.

http://www.catb.org/~esr/faqs/smart-questions.html
Breakin attempt
Hello all

FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22 10:14:48 CEST 2011 ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN i386

Firewall PF. Blocking China and some other related countries in that region.
Disabled ssh root logins

Apparently, I'm under some kind of attack, for the last 3 days. Lots of attempts to ssh in as root from many different IP addresses. No bruteforce attempts. This just puzzles me. Using all these resources? To achieve what?

Below is a one hour snip from my auth.log
Nothing unusual in pflog

Appreciate all ideas of how to proceed with this matter.

Best regards
Hasse

Oct 22 12:00:19 odin sshd[14359]: error: PAM: authentication error for root from server.fabian.cz
Oct 22 12:01:08 odin sshd[14365]: Address 87.105.187.194 maps to client-arsmedica-2.wroclaw.dialog.net.pl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:01:09 odin sshd[14365]: error: PAM: authentication error for root from 87.105.187.194
Oct 22 12:02:59 odin sshd[14422]: error: PAM: authentication error for root from 87.229.7.163
Oct 22 12:03:36 odin sshd[14865]: error: PAM: authentication error for root from 201.25.53.34
Oct 22 12:03:53 odin sshd[15571]: error: PAM: authentication error for root from 109.237.210.147
Oct 22 12:05:18 odin sshd[18357]: error: PAM: authentication error for root from 12.222.202.34
Oct 22 12:05:36 odin sshd[18375]: error: PAM: authentication error for root from mx.aysor.am
Oct 22 12:05:53 odin sshd[18537]: error: PAM: authentication error for root from 190.129.11.76
Oct 22 12:07:06 odin sshd[19429]: Address 80.188.13.214 maps to www.profitaxi.cz, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:07:06 odin sshd[19429]: error: PAM: authentication error for root from 80.188.13.214
Oct 22 12:07:27 odin sshd[19542]: error: PAM: authentication error for root from 85.185.180.48
Oct 22 12:08:05 odin sshd[19591]: error: PAM: authentication error for root from 208.125.137.121
Oct 22 12:09:45 odin sshd[19629]: error: PAM: authentication error for root from 83.14.240.10
Oct 22 12:10:53 odin sshd[19699]: error: PAM: authentication error for root from 200.160.121.246
Oct 22 12:10:59 odin sshd[19702]: error: PAM: authentication error for root from 151.1.183.216
Oct 22 12:11:38 odin sshd[19787]: error: PAM: authentication error for root from crm.nepinc.com
Oct 22 12:12:16 odin sshd[19830]: error: PAM: authentication error for root from 189.16.12.146
Oct 22 12:12:45 odin sshd[19843]: error: PAM: authentication error for root from narro.uaaan.mx
Oct 22 12:14:14 odin sshd[19913]: error: PAM: authentication error for root from 217.128.151.181
Oct 22 12:14:56 odin sshd[19925]: reverse mapping checking getaddrinfo for panda.zsuvoz.cz [195.178.81.116] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:14:56 odin sshd[19925]: error: PAM: authentication error for root from 195.178.81.116
Oct 22 12:16:14 odin sshd[19995]: error: PAM: authentication error for root from 87.193.246.26
Oct 22 12:16:23 odin sshd[20008]: error: PAM: authentication error for root from 219.94.144.230
Oct 22 12:16:39 odin sshd[20026]: error: PAM: authentication error for root from 82.130.143.216
Oct 22 12:17:41 odin sshd[20073]: error: PAM: authentication error for root from 87.193.246.26
Oct 22 12:17:52 odin sshd[20102]: error: PAM: authentication error for root from 82.130.143.216
Oct 22 12:21:16 odin sshd[20268]: error: PAM: authentication error for root from 203.141.158.120
Oct 22 12:21:34 odin sshd[20286]: error: PAM: authentication error for root from 208.125.137.121
Oct 22 12:22:05 odin sshd[20326]: reverse mapping checking getaddrinfo for 86-100-134-185-ip.balticum.lt [86.100.134.185] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:22:05 odin sshd[20326]: error: PAM: authentication error for root from 86.100.134.185
Oct 22 12:22:22 odin sshd[20339]: error: PAM: authentication error for root from 201.232.69.113
Oct 22 12:23:35 odin sshd[20428]: error: PAM: authentication error for root from 87.229.7.163
Oct 22 12:23:58 odin sshd[20486]: error: PAM: authentication error for root from 65.161.248.26
Oct 22 12:24:39 odin sshd[20605]: error: PAM: authentication error for root from 210.238.91.147
Oct 22 12:25:08 odin sshd[21400]: error: PAM: authentication error for root from 12.222.202.34
Oct 22 12:26:08 odin sshd[23744]: error: PAM: authentication error for root from zodiaq3d.info
Oct 22 12:26:56 odin sshd[23747]: error: PAM: authentication error for root from mx.cbc-group.kz
Oct 22 12:30:26 odin sshd[23752]: error: PAM: authentication error for root from 190.152.145.53
Oct 22 12:30:54 odin sshd[23757]: error: PAM: authentication error for root from 80.24.95.85
Oct 22 12:30:59 odin sshd[23759]: error: PAM: authentication error for root from 200.183.172.2
Oct 22 12:31:13 odin sshd[23755]: error: PAM: authentication error for root from starless.com.pl
Oct 22 12:31:38 odin
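An added example, not part of Hasse's post or of any reply in this thread, that does the triage the log excerpt above calls for: it counts PAM failures per source, tells a distributed low-rate campaign (many sources, one or two tries each) from a single-source brute force, keeps sshd's "POSSIBLE BREAK-IN ATTEMPT!" reverse-DNS warnings out of the attempt count, and prints the IPv4 sources in the form a pf table accepts. It assumes a POSIX sh with awk, grep and sort as found on FreeBSD. The sample lines are copied from the excerpt above; the classification thresholds and the pf table name sshbrute are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: triage of sshd failures in auth.log
# to tell a distributed, low-rate root-login campaign (many sources, a try
# or two each) from a single-source brute force. The sample is copied from
# the excerpt Hasse posted above; the thresholds are assumptions.

SAMPLE_LOG=$(cat <<'EOF'
Oct 22 12:00:19 odin sshd[14359]: error: PAM: authentication error for root from server.fabian.cz
Oct 22 12:01:08 odin sshd[14365]: Address 87.105.187.194 maps to client-arsmedica-2.wroclaw.dialog.net.pl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:01:09 odin sshd[14365]: error: PAM: authentication error for root from 87.105.187.194
Oct 22 12:02:59 odin sshd[14422]: error: PAM: authentication error for root from 87.229.7.163
Oct 22 12:03:36 odin sshd[14865]: error: PAM: authentication error for root from 201.25.53.34
Oct 22 12:14:56 odin sshd[19925]: reverse mapping checking getaddrinfo for panda.zsuvoz.cz [195.178.81.116] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 12:14:56 odin sshd[19925]: error: PAM: authentication error for root from 195.178.81.116
Oct 22 12:16:14 odin sshd[19995]: error: PAM: authentication error for root from 87.193.246.26
Oct 22 12:17:41 odin sshd[20073]: error: PAM: authentication error for root from 87.193.246.26
Oct 22 12:23:35 odin sshd[20428]: error: PAM: authentication error for root from 87.229.7.163
EOF
)

# Read a log on stdin; print "count source" for every client that failed
# PAM authentication as the given user (default root), busiest first.
# sshd logs a hostname instead of an address when UseDNS is on and the
# reverse lookup is confirmed, so the source column mixes both forms.
failures_by_source() {
    awk -v u="${1:-root}" '
        /error: PAM: authentication error for/ && $(NF-2) == u { n[$NF]++ }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

# Number of distinct sources that tried the user.
distinct_sources() {
    failures_by_source "$@" | wc -l | tr -d ' '
}

# Most attempts made by any single source (0 if there were none).
max_per_source() {
    failures_by_source "$@" | awk 'NR == 1 { print $1 } END { if (NR == 0) print 0 }'
}

# sshd prints "POSSIBLE BREAK-IN ATTEMPT!" when the client's reverse DNS
# does not map back to its address. It says nothing about the login
# outcome, so count these separately instead of reading them as intrusions.
dns_mismatch_count() {
    grep -c 'POSSIBLE BREAK-IN ATTEMPT'
}

# Sources logged as IPv4 literals, one per line: the form a pf table takes
# (pfctl -t sshbrute -T add ...). Hostname entries would have to be
# resolved first, which is one argument for UseDNS no in sshd_config.
offending_ips() {
    failures_by_source "$@" |
        awk '$2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' | sort -u
}

# Classify the window: one source hammering away is a brute force; many
# sources with at most a few tries each is the distributed pattern the
# thread describes. The cut-offs (3 tries, 5 sources) are assumptions.
classify_pattern() {
    log=$(cat)
    sources=$(printf '%s\n' "$log" | distinct_sources)
    peak=$(printf '%s\n' "$log" | max_per_source)
    if [ "$peak" -gt 3 ]; then
        echo brute-force
    elif [ "$sources" -ge 5 ]; then
        echo distributed
    else
        echo background-noise
    fi
}

# Usage: report < /var/log/auth.log
report() {
    log=$(cat)
    echo "root failures by source:"
    printf '%s\n' "$log" | failures_by_source
    echo "distinct sources: $(printf '%s\n' "$log" | distinct_sources)"
    echo "peak attempts from one source: $(printf '%s\n' "$log" | max_per_source)"
    echo "reverse-DNS mismatch warnings (not intrusions): $(printf '%s\n' "$log" | dns_mismatch_count)"
    echo "pattern: $(printf '%s\n' "$log" | classify_pattern)"
    echo "IPv4 sources for a pf table (pfctl -t sshbrute -T add ...):"
    printf '%s\n' "$log" | offending_ips
}
```

On the sample the report shows six sources, none with more than two tries, so the verdict is "distributed", which is the point Hasse raises: no single host is brute-forcing, many hosts each try once or twice. Feed the real file with `report < /var/log/auth.log`; the `offending_ips` list can go straight into a pf table that a `block in quick from <sshbrute>` rule references.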
Configuring IPFW
I am attempting to set up a firewall using IPFW with a stateful behavior. While I have investigated how to set up these rules, I have run into conflicting opinions as to whether to allow or deny established behavior.

EXAMPLE: (preceded by a check-state rule)

    allow tcp from any to any established

Some documentation states that it should be denied and others say it should be allowed. Neither has given me a convincing reason to follow either scenario or any real documentation either, for that fact. If possible, could someone with some real firewall knowledge and familiarity with IPFW please give me some advice.

Thanks!

--
Carmel ✌
carmel...@hotmail.com
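An added example, not from the post or from any reply, that puts the two rule styles the question contrasts side by side in the form /etc/rc.firewall uses, a shell script driving a ${fwcmd} variable. The security point is in ipfw's own definition of the keyword: `established` matches any TCP segment with the ACK or RST bit set, and it does so without consulting the dynamic rule table that `check-state` and `keep-state` maintain. So a sender who simply sets ACK on an unsolicited segment gets past a ruleset that allows `established`, and admission is no longer decided by connection state but by a flag the sender controls. By default the script only prints the rules so it can be read and tested anywhere; run it as root with FWCMD="/sbin/ipfw -q" to load them. The interface name em0 and the ssh port are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: a weak and a stateful ipfw ruleset
# side by side, written the way /etc/rc.firewall does it. ${fwcmd} defaults
# to echoing the rules; set FWCMD="/sbin/ipfw -q" (as root) to apply them.
# The external interface and the ssh port are assumptions.
fwcmd=${FWCMD:-"echo /sbin/ipfw -q"}
ext_if=${EXT_IF:-em0}

common_head() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    # A packet that belongs to a tracked flow matches its dynamic rule here
    # and stops; everything else falls through to the static rules below.
    $fwcmd add 200 check-state
}

# The variant the question asks about. 'established' matches any TCP
# segment with ACK or RST set and never looks at the dynamic table, so an
# unsolicited inbound segment crafted with ACK set is accepted by rule 300
# whether or not a connection exists. The keep-state rule after it only
# governs the SYNs this host sends; inbound TCP is effectively stateless.
weak_ruleset() {
    common_head
    $fwcmd add 300 allow tcp from any to any established
    $fwcmd add 400 allow tcp from me to any out via "$ext_if" setup keep-state
    $fwcmd add 65000 deny log ip from any to any
}

# The stateful variant: only a SYN ('setup') leaving this host, or one
# arriving for a service opened explicitly, creates state. Return traffic
# is then admitted by check-state, and nothing matches on flag bits alone.
stateful_ruleset() {
    common_head
    $fwcmd add 300 allow tcp from me to any out via "$ext_if" setup keep-state
    $fwcmd add 310 allow udp from me to any out via "$ext_if" keep-state
    $fwcmd add 320 allow icmp from me to any out via "$ext_if" keep-state
    # Inbound ssh; change 22 if sshd was moved to another port.
    $fwcmd add 400 allow tcp from any to me 22 in via "$ext_if" setup keep-state
    # A TCP segment that reaches this point is not part of any tracked flow.
    $fwcmd add 65000 deny log ip from any to any
}

# Read a printed ruleset on stdin; succeed if it accepts TCP on flag bits
# alone, i.e. contains an 'established' rule. Use it as a check before
# loading: stateful_ruleset | accepts_on_flags_alone && echo "rethink"
accepts_on_flags_alone() {
    grep -q ' established'
}
```

Printing both rulesets and diffing them shows that the only thing the weak one adds is rule 300, and that is exactly the rule that makes rule 200 irrelevant for inbound TCP: the deny at 65000 never sees an ACK-flagged probe. If a ruleset needs `established` at all (for example to pass traffic whose opening SYN predates the firewall load), put it after a narrow set of `in via` rules for the services that are meant to be reachable, not as a blanket `from any to any`.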
Re: Breakin attempt
On Saturday, October 22, 2011 at 03:43:44PM +0200, Admin ValhallaProjectet wrote:

> Hello all
>
> FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22 10:14:48 CEST 2011 ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN i386
>
> Firewall PF. Blocking China and some other related countries in that region.

This 'rule' is interesting. What are 'other related countries in that region' exactly or as regular expression? United States? :-)

> Disabled ssh root logins

Disable PAM, i.e. set ChallengeResponseAuthentication to 'no'.

HIH

matthias

--
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/
Re: trying to learn systems programming, fear I have not understood and thus messed up
On Fri, 21 Oct 2011 18:53:33 +0200 Christopher J. Ruwe c...@cruwe.de wrote:

> [...]
>
> I have tried to follow the suggestion from the comment by modifying the else-statement thus:
>
>         } else {
>                 struct passwd *trgpwd;
>
>                 if (!(trgpwd = GETPWNAM(arg->val)))
>                         errx(EX_DATAERR, "User %s does not exist", arg->val);
>                 if (strcmp(a_name->val, "root") == 0)
>                         errx(EX_DATAERR, "can't change uid of `root' account");
>                 if (strcmp(trgpwd->pw_name, "root") == 0)
>                         warnx("WARNING: account `%s' will have a uid of 0 (superuser access!)", pwd->pw_name);
>                 pwd->pw_uid = (uid_t) (trgpwd->pw_uid);
>                 edited = 1;
>         }
>
> What happens is not what I intended. I invoke as sudo ./pw usermod testuser1 -u testuser2. I can get testuser2's pwd-entry by GETPWNAM all right, but when I assign the pw_uid, so as to make testuser2's uid the same as testuser1's and imagining to retain all other values, ./pw reports
>
>         pw: user 'testuser2' disappeared during update
>
> and testuser2's /etc/passwd entry is replaced by testuser1's.
>
> I fear I have not understood GETPWNAM correctly, as it seems to replace the struct pwd as some sort of side effect. I could manually set all pwd members to the correct ones (those of testuser2), but I fear that I have messed something up beforehand.
>
> I am grateful for any suggestions and/or correction.

It seems I have indeed not understood GETPWNAM correctly. I have worked out a method which works by calling GETPWNAM twice:

        else {
                /*
                 * operation as follows:
                 * a_name->val is passed as "usermod uname"
                 * arg->val is passed as "-u uname"
                 *
                 * first check if we do something stupid, i.e., want
                 * to set root uid to some other user's uid or
                 * to set some user account's uid to root uid.
                 * then get pwd to that of uname passed as "-u uname".
                 * store uid from that pwdent.
                 * get pwd to that of uname passed as "usermod uname"
                 * change uid of that latter uid to the one stored
                 */
                if (strcmp(a_name->val, "root") == 0)
                        errx(EX_DATAERR, "can't change uid of `root' account");
                if (strcmp(arg->val, "root") == 0)
                        warnx("WARNING: account `%s' will have a uid of 0 (superuser access!)", pwd->pw_name);
                if (!(pwd = GETPWNAM(arg->val)))                /* -u uname */
                        errx(EX_DATAERR, "User %s does not exist", arg->val);
                int alias_uid = pwd->pw_uid;
                if (!(pwd = GETPWNAM(a_name->val)))             /* usermod uname */
                        errx(EX_DATAERR, "User %s does not exist", a_name->val);
                pwd->pw_uid = (uid_t) alias_uid;
                warnx("User %s's uid changed to %d", pwd->pw_name, pwd->pw_uid);
                edited = 1;
        }

As I still do not know why the latter variant of my code worked and the former does not, I would still appreciate any comment or explanation which would help me understanding GETPWNAM and getpwnam.

Thanks and cheers,

--
Christopher J. Ruwe
TZ GMT + 2
Re: Breakin attempt
On 22/10/2011 14:43, Admin ValhallaProjectet wrote:

> Apparently, I'm under some kind of attack, for the last 3 days. Lots of attempts to ssh in as root from many different IP addresses. No bruteforce attempts.
>
> Appreciate all ideas of how to proceed with this matter.

Keep calm and carry on?

I suspect that these sorts of attacks are fairly normal if you're running ssh on the standard port. I used to have lots of 'break-in attempts' before I moved the ssh server to a different port.

--
Bruce Cran
Re: Breakin attempt
On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:

> I suspect that these sorts of attacks are fairly normal if you're running ssh on the standard port. I used to have lots of 'break-in attempts' before I moved the ssh server to a different port.

Is there _any_ reason why moving from port 22 to something different is _not_ a solution?

Reason why I'm asking: Moving SSH away from its default port seems to be a relatively good solution as break-in attempts concentrate on default ports. So in case a sysadmin decides to move SSH to a hidden location, what could be an argument against this decision?

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Breakin attempt
On 22 Oct 2011, at 15:12, Polytropon wrote:

> On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
>
> > I suspect that these sorts of attacks are fairly normal if you're running ssh on the standard port. I used to have lots of 'break-in attempts' before I moved the ssh server to a different port.
>
> Is there _any_ reason why moving from port 22 to something different is _not_ a solution?

If you run some sort of shell server, or where many people need to login using ssh, you'll have a bit of a support problem telling people to select the non-default port. Also, some might consider it security through obscurity, which is often said to be a bad thing.

--
Bruce Cran
SV: Breakin attempt
-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On behalf of Matthias Apitz
Sent: 22 October 2011 15:59
To: Admin ValhallaProjectet
Cc: freebsd-questions@freebsd.org
Subject: Re: Breakin attempt

> On Saturday, October 22, 2011 at 03:43:44PM +0200, Admin ValhallaProjectet wrote:
>
> > Hello all
> >
> > FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22 10:14:48 CEST 2011 ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN i386
> >
> > Firewall PF. Blocking China and some other related countries in that region.
>
> This 'rule' is interesting. What are 'other related countries in that region' exactly or as regular expression? United States? :-)
>
> > Disabled ssh root logins
>
> Disable PAM, i.e. set ChallengeResponseAuthentication to 'no'.
>
> HIH
>
> matthias
>
> --
> Matthias Apitz
> t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
> e g...@unixarea.de - w http://www.unixarea.de/

Thank you for your answer.

Well, I meant the Far East region. Without going into details, that's where I've received most of my spam and hack attacks from this far.

Will start with changing port and see how far that will take me.

Best regards
Hasse.
Re: Breakin attempt
Polytropon wrote:

> On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
>
> > I suspect that these sorts of attacks are fairly normal if you're running ssh on the standard port. I used to have lots of 'break-in attempts' before I moved the ssh server to a different port.
>
> Is there _any_ reason why moving from port 22 to something different is _not_ a solution?
>
> Reason why I'm asking: Moving SSH away from its default port seems to be a relatively good solution as break-in attempts concentrate on default ports. So in case a sysadmin decides to move SSH to a hidden location, what could be an argument against this decision?

One such relatively minor argument might be the use by external entities for the ability to connect in a standardized way. Such a client may need to connect but has no way of knowing in advance what port to use. The only readily available means for them to locate you might be DNS, with them only knowing you by hostname.

I tend to discount this as they would still need some form of auth, whether a user account/password combination or a certificate. In either case, this needs to be configured in advance - so there's no reason a port number couldn't be included when communicating how to login to the third party.

There is also some remote possibility that the third party has some internal (albeit brain-dead) policy of mandating the use of some software that cannot be configured to use a port other than 22. I would consider such a software to be inherently 'broken by design', and not a good enough reason for me to 'break' my system just to make them happy. After all, aren't they the ones who want to connect to me and shouldn't the responsibility be on them to do it in accordance with what I have configured?

I restrict any SSH access to my systems to certificate only, with password turned off. Only a trusted few will have these certificates, and these people will know what port to use because I told them.

Just changing the port to some high number non well-known will not entirely stop a port scan if said scan is walking up every single port one after another. But simply changing it to something like 42347 works wonders for knocking down about 90% of script-kiddies.

I just don't see SSH as the best tool for giving anonymous remote-access to the general public of the IntarWebZ in general. If access is not anonymous there must be some admin config done previous to the access. Providing anonymous access via SSH sort of defeats the purpose for using SSH in the first place. :-)

Just my $.02

- Mike
Re: trying to learn systems programming, fear I have not understood and thus messed up
Christopher J. Ruwe c...@cruwe.de wrote:

> On Fri, 21 Oct 2011 18:53:33 +0200 Christopher J. Ruwe c...@cruwe.de wrote:
>
> > [...]
> >
> > I have tried to follow the suggestion from the comment by modifying the else-statement thus:
> >
> >         } else {
> >                 struct passwd *trgpwd;
> >
> >                 if (!(trgpwd = GETPWNAM(arg->val)))
> >                         errx(EX_DATAERR, "User %s does not exist", arg->val);
> >                 if (strcmp(a_name->val, "root") == 0)
> >                         errx(EX_DATAERR, "can't change uid of `root' account");
> >                 if (strcmp(trgpwd->pw_name, "root") == 0)
> >                         warnx("WARNING: account `%s' will have a uid of 0 (superuser access!)", pwd->pw_name);
> >                 pwd->pw_uid = (uid_t) (trgpwd->pw_uid);
> >                 edited = 1;
> >         }
> >
> > What happens is not what I intended. I invoke as sudo ./pw usermod testuser1 -u testuser2. I can get testuser2's pwd-entry by GETPWNAM all right, but when I assign the pw_uid, so as to make testuser2's uid the same as testuser1's and imagining to retain all other values, ./pw reports
> >
> >         pw: user 'testuser2' disappeared during update
> >
> > and testuser2's /etc/passwd entry is replaced by testuser1's.
> >
> > I fear I have not understood GETPWNAM correctly, as it seems to replace the struct pwd as some sort of side effect. I could manually set all pwd members to the correct ones (those of testuser2), but I fear that I have messed something up beforehand.
> >
> > I am grateful for any suggestions and/or correction.
>
> It seems I have indeed not understood GETPWNAM correctly. I have worked out a method which works by calling GETPWNAM twice:
>
>         else {
>                 /*
>                  * operation as follows:
>                  * a_name->val is passed as "usermod uname"
>                  * arg->val is passed as "-u uname"
>                  *
>                  * first check if we do something stupid, i.e., want
>                  * to set root uid to some other user's uid or
>                  * to set some user account's uid to root uid.
>                  * then get pwd to that of uname passed as "-u uname".
>                  * store uid from that pwdent.
>                  * get pwd to that of uname passed as "usermod uname"
>                  * change uid of that latter uid to the one stored
>                  */
>                 if (strcmp(a_name->val, "root") == 0)
>                         errx(EX_DATAERR, "can't change uid of `root' account");
>                 if (strcmp(arg->val, "root") == 0)
>                         warnx("WARNING: account `%s' will have a uid of 0 (superuser access!)", pwd->pw_name);
>                 if (!(pwd = GETPWNAM(arg->val)))                /* -u uname */
>                         errx(EX_DATAERR, "User %s does not exist", arg->val);
>                 int alias_uid = pwd->pw_uid;
>                 if (!(pwd = GETPWNAM(a_name->val)))             /* usermod uname */
>                         errx(EX_DATAERR, "User %s does not exist", a_name->val);
>                 pwd->pw_uid = (uid_t) alias_uid;
>                 warnx("User %s's uid changed to %d", pwd->pw_name, pwd->pw_uid);
>                 edited = 1;
>         }
>
> As I still do not know why the latter variant of my code worked and the former does not, I would still appreciate any comment or explanation which would help me understanding GETPWNAM and getpwnam.

I'm not familiar with the code you're working with, but according to the man page getpwnam() isn't thread safe, so you probably shouldn't mess with the returned pointer in the first place and only treat the one returned by the last call as valid. Did you try using getpwnam_r() instead?

Fabian
Groupware like OX for FreeBSD?
I'd like to know whether the "power to serve" OS FreeBSD is also capable of hosting a groupware like OX. I want to build a groupware server and found OX really nice. Our lab's administration is using OX. I can't find equivalent software for FreeBSD, but I may lack the right terms and so I do not find something suitable in the ports.

Does anyone have suggestions?

Regards,
Oliver

P.S. I doubt that OX is ever working for FreeBSD as a native application?
Re: Breakin attempt
Thanks for your statement.

On Sat, 22 Oct 2011 10:54:49 -0400, Michael Powell wrote:

> One such relatively minor argument might be the use by external entities for the ability to connect in a standardized way. Such a client may need to connect but has no way of knowing in advance what port to use. The only readily available means for them to locate you might be DNS, with them only knowing you by hostname.

This might be debatable in case of public services, but is not a problem in a somewhat contract-driven service where terms of use exist, as well as instructions on how to use the service. That's why I said this argument would go to the pragmatic (or organisational) section, not to the technical one. :-)

> I tend to discount this as they would still need some form of auth, whether a user account/password combination or a certificate. In either case, this needs to be configured in advance - so there's no reason a port number couldn't be included when communicating how to login to the third party.

Fully agree.

> There is also some remote possibility that the third party has some internal (albeit brain-dead) policy of mandating the use of some software that cannot be configured to use a port other than 22. I would consider such a software to be inherently 'broken by design', and not a good enough reason for me to 'break' my system just to make them happy. After all, aren't they the ones who want to connect to me and shouldn't the responsibility be on them to do it in accordance with what I have configured?

That would have been my next idea: The problem that suddenly appears when someone tries to connect to the system with a program _not_ supplied with the contract, trying :22 and complaining "it no workin!" -- that's not a problem at all: You are not supposed to use that program or try to login that way. Please refer to the documentation on how to properly do it. It's comparable to someone trying to connect to a web server with a MUA. :-)

> I restrict any SSH access to my systems to certificate only, with password turned off. Only a trusted few will have these certificates, and these people will know what port to use because I told them.

Usable approach, although I try to educate about strong (!) passwords and strong password rules. I see certificates as the next stage of security _added_ to username/password.

> Just changing the port to some high number non well-known will not entirely stop a port scan if said scan is walking up every single port one after another.

Yes, I didn't assume the approach would _not_ show up in a portscan. :-) Still a portscan is the minority in wide-area attacks.

> But simply changing it to something like 42347 works wonders for knocking down about 90% of script-kiddies.

I thought so. The main attacks address the _default_ port, and those are mostly static, i. e. they don't try other ports or search for them.

> I just don't see SSH as the best tool for giving anonymous remote-access to the general public of the IntarWebZ in general.

Oh, I was _not_ asking about anonymous access, that's what the WebTuberZ'n'Stuff'Load is for. :-)

> If access is not anonymous there must be some admin config done previous to the access.

The only valid choice here.

> Providing anonymous access via SSH sort of defeats the purpose for using SSH in the first place. :-)

The words "anonymous access" and "secure shell" do contradict.

My EUR 0.02. :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
SV: Breakin attempt
-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On behalf of Polytropon
Sent: 22 October 2011 16:13
To: Bruce Cran
Cc: freebsd-questions@freebsd.org
Subject: Re: Breakin attempt

> On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
> > I suspect that these sorts of attacks are fairly normal if you're running ssh on the standard port. I used to have lots of 'break-in attempts' before I moved the ssh server to a different port.
>
> Is there _any_ reason why moving from port 22 to something different is _not_ a solution?
>
> Reason why I'm asking: Moving SSH away from its default port seems to be a relatively good solution as break-in attempts concentrate on default ports. So in case a sysadmin decides to move SSH to a "hidden" location, what could be an argument against this decision?
>
> -- 
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...

Thank you all, Polytropon, Matthias, Bruce and Michael, for your answers. No, no reason at all not to change from port 22, and I will follow that advice. And my plan is to move away from password-based ssh logins in the future.

I've been running this server for educational purposes for several years, but this is the first time I've had a break-in attempt going on for this long. It doesn't bother me more than cluttering up my logfiles, but I got curious whether this attempt was originating from one person.

All the best to you all
Hasse
Re: SV: Breakin attempt
On Sat, 22 Oct 2011 17:10:44 +0200, Hasse Hansson wrote:
> It doesn't bother me more than cluttering up my logfiles, but I got curious whether this attempt was originating from one person.

That's problematic... in many cases, attackers do hijack home PCs or corporate networks to do their dirty work without the actual users noticing. In such a case, you could conclude that the attacks have been originated by one person, but carried out by several ones (or, to be precise, by their PCs). Attackers explore networks and turn them into tools they use themselves, or they sell them to others who then use them (e. g. for further exploration, SSH attacks, spamming, illegal data storage and so on).

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Breakin attempt
> Date: Sat, 22 Oct 2011 16:12:42 +0200
> From: Polytropon free...@edvax.de
> Subject: Re: Breakin attempt
>
> On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
> > I suspect that these sorts of attacks are fairly normal if you're running ssh on the standard port. I used to have lots of 'break-in attempts' before I moved the ssh server to a different port.
>
> Is there _any_ reason why moving from port 22 to something different is _not_ a solution?
>
> Reason why I'm asking: Moving SSH away from its default port seems to be a relatively good solution as break-in attempts concentrate on default ports. So in case a sysadmin decides to move SSH to a "hidden" location, what could be an argument against this decision?

Arguments against doing so are generally based on the "'security by obscurity' is not security" concept. That argument _is_ 'technically accurate'. <grin> Moving sshd to a non-standard port does _not_ do anything to make the system any more secure.

Of course, as long as one understands that that _is_ the case, and is doing it for 'some other' defensible reason -- such as to eliminate logfile 'noise' from script-kiddie 'doorknob rattlers' -- doing so *is* perfectly reasonable.

*I* do it on _my_ machines, expressly for the reason stated in the prior paragraph.
Re: [freebsd-questions] Breakin attempt
On 22/10/2011 15:37, Bruce Cran wrote:
> If you run some sort of shell server, or where many people need to login using ssh, you'll have a bit of a support problem telling people to select the non-default port. Also, some might consider it security through obscurity, which is often said to be a bad thing.

Security through obscurity is only really a bad thing if it's your ONLY security. It doesn't hurt to make things harder for someone in addition to your other measures (strong passwords, large keys, limited network ranges etc).

Howie
Re: [freebsd-questions] Breakin attempt
On Sat, Oct 22, 2011 at 03:58:20PM +0100, Howard Jones wrote:
> On 22/10/2011 15:37, Bruce Cran wrote:
> > If you run some sort of shell server, or where many people need to login using ssh, you'll have a bit of a support problem telling people to select the non-default port. Also, some might consider it security through obscurity, which is often said to be a bad thing.
>
> Security through obscurity is only really a bad thing if it's your ONLY security. It doesn't hurt to make things harder for someone in addition to your other measures (strong passwords, large keys, limited network ranges etc)

Actually, security through obscurity is always bad. The fact, however, is that something that could be used for security through obscurity is not automatically always a security through obscurity measure. Are you using a nonstandard port assignment for security, or just to make your logs cleaner?

If you realize that moving SSH to a nonstandard port will not in any way protect you from a targeted attack, and only do so to clean up logs and reduce local SSH daemon activity from pointless low-hanging fruit attacks, while using other (better) techniques to actually properly secure the box, you aren't employing a security through obscurity plan at all. Security through obscurity isn't the technique; it's the purpose to which a technique is directed. If what you're doing isn't intended as a security measure, it's something other than security through obscurity, and you shouldn't beat yourself up over it.

If you have no specific need to keep SSH on 22, definitely move a public-facing SSH server to a nonstandard port, for reasons unrelated to actual intrusion security.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
Re: Breakin attempt
On Sat, Oct 22, 2011 at 10:23:23AM -0500, Robert Bonomi wrote:
> Arguments against doing so are generally based on the "'security by obscurity' is not security" concept. That argument _is_ 'technically accurate'. <grin> Moving sshd to a non-standard port does _not_ do anything to make the system any more secure.
>
> Of course, as long as one understands that that _is_ the case, and is doing it for 'some other' defensible reason -- such as to eliminate logfile 'noise' from script-kiddie 'doorknob rattlers' -- doing so *is* perfectly reasonable.
>
> *I* do it on _my_ machines, expressly for the reason stated in the prior paragraph.

I should have finished reading the thread before sending my own reply on a different branch of the discussion. This is (stated differently) pretty much exactly the message I meant to convey.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
Fwd: re: thefish-0.6.6_5 is marked as broken: does not build [FreeBSD9.0]
howdy,

when attempting to build x11/gnome2-power-tools from ports on my FreeBSD 9.0 desktop, the package failed to build, spitting out the error message below:

    gnome2-power-tools-2.32.1_2 depends on executable: thefish - not found
    ===>   Verifying install for thefish in /usr/ports/sysutils/thefish
    ===>  thefish-0.6.6_5 is marked as broken: does not build.
    *** Error code 1

    Stop in /usr/ports/sysutils/thefish.
    *** Error code 1

    Stop in /usr/ports/x11/gnome2-power-tools

    :; uname -a
    FreeBSD localhost 9.0-BETA3 FreeBSD 9.0-BETA3 #0: Sat Sep 24 20:46:57 UTC 2011     r...@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

is there a fix for this?

thanks.

Alexander Kapshuk
Updating emacs fails
For at least several weeks, attempts to rebuild emacs from ports fail with an odd linker error saying it can't find symbols in the termcap library. I poked around a little; the makefile does include the appropriate library, and adding it again at the end of the line in the makefile didn't help.

This is on 8.2, building it with no nonstandard options I'm aware of.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Re: trying to learn systems programming, fear I have not understood and thus messed up
On Sat, 22 Oct 2011 16:45:08 +0200
Fabian Keil freebsd-lis...@fabiankeil.de wrote:

> Christopher J. Ruwe c...@cruwe.de wrote:
>
> > On Fri, 21 Oct 2011 18:53:33 +0200
> > Christopher J. Ruwe c...@cruwe.de wrote:
> >
> > [...]
> >
> > > I have tried to follow the suggestion from the comment by modifying the else-statement thus:
> > >
> > >     } else {
> > >         struct passwd *trgpwd;
> > >
> > >         if (!(trgpwd = GETPWNAM(arg->val)))
> > >             errx(EX_DATAERR, "User %s does not exist", arg->val);
> > >         if (strcmp(a_name->val, "root") == 0)
> > >             errx(EX_DATAERR, "can't change uid of `root' account");
> > >         if (strcmp(trgpwd->pw_name, "root") == 0)
> > >             warnx("WARNING: account `%s' will have a uid of 0 (superuser access!)", pwd->pw_name);
> > >         pwd->pw_uid = (uid_t)(trgpwd->pw_uid);
> > >         edited = 1;
> > >     }
> > >
> > > What happens is not what I intended. I invoke as "sudo ./pw usermod testuser1 -u testuser2". I can get testuser2's pwd entry by GETPWNAM all right, but when I assign the pw_uid, so as to make testuser2's uid the same as testuser1's and imagining to retain all other values, ./pw reports "pw: user 'testuser2' disappeared during update" and testuser2's /etc/passwd entry is replaced by testuser1's.
> > >
> > > I fear I have not understood GETPWNAM correctly, as it seems to replace the struct pwd as some sort of side effect. I could manually set all pwd members to the correct ones (those of testuser2), but I fear that I have messed something up beforehand.
> > >
> > > I am grateful for any suggestions and/or correction.
> >
> > It seems I have indeed not understood GETPWNAM correctly. I have worked out a method which works by calling GETPWNAM twice:
> >
> >     } else {
> >         /*
> >          * operation as follows:
> >          * a_name->val is passed as "usermod uname"
> >          * arg->val is passed as "-u uname"
> >          *
> >          * first check if we do something stupid, i.e., want
> >          * to set root uid to some other user's uid or
> >          * to set some user account's uid to root uid.
> >          * then get pwd to that of uname passed as "-u uname".
> >          * store uid from that pwdent.
> >          * get pwd to that of uname passed as "usermod uname".
> >          * change uid of that latter uid to the one stored.
> >          */
> >         if (strcmp(a_name->val, "root") == 0)
> >             errx(EX_DATAERR, "can't change uid of `root' account");
> >         if (strcmp(arg->val, "root") == 0)
> >             warnx("WARNING: account `%s' will have a uid of 0 (superuser access!)", pwd->pw_name);
> >         if (!(pwd = GETPWNAM(arg->val)))        /* -u uname */
> >             errx(EX_DATAERR, "User %s does not exist", arg->val);
> >         uid_t alias_uid = pwd->pw_uid;
> >         if (!(pwd = GETPWNAM(a_name->val)))     /* usermod uname */
> >             errx(EX_DATAERR, "User %s does not exist", a_name->val);
> >         pwd->pw_uid = alias_uid;
> >         warnx("User %s's uid changed to %u", pwd->pw_name, (unsigned)pwd->pw_uid);
> >         edited = 1;
> >     }
> >
> > As I still do not know why the latter variant of my code works and the former does not, I would still appreciate any comment or explanation which would help me understand GETPWNAM and getpwnam.
>
> I'm not familiar with the code you're working with, but according to the man page getpwnam() isn't thread safe so you probably shouldn't mess with the returned pointer in the first place and only treat the one returned by the last call as valid.
>
> Did you try using getpwnam_r() instead?
>
> Fabian

You are quite right, GETPWNAM() is a macro to getpwnam(), which is not thread safe. GETPWNAM() is called throughout the code of pw and pw itself is not threaded, so it should not matter whether the functions called are thread-safe or not. I am not completely sure on my last statement though. Do you have other experience regarding this topic?

Anyways, thanks and cheers,
-- 
Christopher J. Ruwe
TZ GMT + 2
RE: Groupware like OX for FreeBSD?
> I'd like to know whether the "power to serve" OS FreeBSD is also capable of hosting a groupware like OX. I want to build a groupware server and found OX really nice. Our lab's administration is using OX.

Googling "open-xchange freebsd" turns up a few circa-2005 tutorials and quite a bit of discussion.

Dale
---
Transparency with Trust
http://www.dalescott.net
Re: Configuring IPFW
On Sat, 22 Oct 2011 09:56:12 -0400
Carmel wrote:

> I am attempting to set up a firewall using IPFW with a "stateful" behavior. While I have investigated how to set up these rules, I have run into conflicting opinions as to whether to allow or deny "established" behavior.
>
> EXAMPLE: (preceded by a "check-state" rule)
>
>     allow tcp from any to any established
>
> Some documentation states that it should be denied and others say it should be allowed. Neither has given me a convincing reason to follow either scenario or any real documentation either for that fact.

Normally if the rules are stateless you would allow established tcp packets, but would deny them with stateful rules. In the latter case, established traffic would be passed by the check-state
Re: Breakin attempt
On Sat, Oct 22, 2011 at 7:12 AM, Polytropon free...@edvax.de wrote:

> Is there _any_ reason why moving from port 22 to something different is _not_ a solution?
>
> Reason why I'm asking: Moving SSH away from its default port seems to be a relatively good solution as break-in attempts concentrate on default ports. So in case a sysadmin decides to move SSH to a "hidden" location, what could be an argument against this decision?

Moving SSH to another port doesn't add appreciably to security, but it reduces the noise in the logs. ;-)
Re: Configuring IPFW
On Sat, 22 Oct 2011 09:56:12 -0400
Carmel carmel...@hotmail.com wrote:

> I am attempting to set up a firewall using IPFW with a "stateful" behavior. While I have investigated how to set up these rules, I have run into conflicting opinions as to whether to allow or deny "established" behavior.
>
> EXAMPLE: (preceded by a "check-state" rule)
>
>     allow tcp from any to any established
>
> Some documentation states that it should be denied and others say it should be allowed. Neither has given me a convincing reason to follow either scenario or any real documentation either for that fact.
>
> If possible, could someone with some real firewall knowledge and familiarity with IPFW please give me some advice. Thanks!

Well, assuming that you're only allowing the connections you actually want to be established to be set up in the first place, then the logical thing is to then allow any already established connections.

All of your tcp allow rules should include the "setup" keyword, as well as "keep-state". This way, only connections that are doing a first-time setup will be allowed, and their state will be remembered, for later checking using the "check-state" keyword.

In other words, create "setup"/"keep-state" rules for all tcp connections you want to allow, and deny the rest. Just be sure the "check-state" and "established" rules precede the deny rules.

Similarly, for udp rules, be sure to include the "keep-state" (but not "setup") keyword.

Hope this makes sense. :-)

-- 
Conrad J. Sabatier
conr...@cox.net
Re: Configuring IPFW
On Sat, Oct 22, 2011 at 9:54 AM, RW rwmailli...@googlemail.com wrote:

> Normally if the rules are stateless you would allow established tcp packets, but would deny them with stateful rules. In the latter case, established traffic would be passed by the check-state

You need to pay attention to direction as well. Suppose you wanted to permit outbound TCP connections using stateful rules. If em0 is the outside interface of your firewall and you're using stateful rules, you would do something like this:

    ipfw add 1000 check-state
    ipfw add 2500 allow tcp from any to any out xmit em0 setup keep-state
    ipfw add 2550 deny tcp from any to any

The check-state rule checks for established dynamic flows, 2500 permits outbound TCP with SYN,!ACK (the first part of the 3-way handshake), and 2550 denies all TCP traffic that is not permitted.
Re: Breakin attempt
Polytropon free...@edvax.de writes:

> On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
> > I suspect that these sorts of attacks are fairly normal if you're running ssh on the standard port. I used to have lots of 'break-in attempts' before I moved the ssh server to a different port.
>
> Is there _any_ reason why moving from port 22 to something different is _not_ a solution?
>
> Reason why I'm asking: Moving SSH away from its default port seems to be a relatively good solution as break-in attempts concentrate on default ports. So in case a sysadmin decides to move SSH to a "hidden" location, what could be an argument against this decision?

Connecting from behind other people's paranoid firewalls gets difficult on other ports.
Re: Updating emacs fails
On 22/10/2011 17:24, John Levine wrote:
> For at least several weeks, attempts to rebuild emacs from ports fail with an odd linker error saying it can't find symbols in the termcap library. I poked around a little; the makefile does include the appropriate library, and adding it again at the end of the line in the makefile didn't help.
>
> This is on 8.2, building it with no nonstandard options I'm aware of.

No errors are on record for building editors/emacs according to pointyhat/portsmon:

http://portsmon.freebsd.org/portoverview.py?category=editors&portname=emacs&wildcard=

Therefore I diagnose something specific to your system is broken. Unfortunately your report is too lacking in detail to be able to say anything useful that might help you to fix the problem. We'd need to see

  * Your choice of options for the port (ie. 'make showconfig' output)
  * A complete build log showing the problem occurring. (ie 'make clean build' output)
  * The config.log from $WRKSRC showing what autoconf did.

That should give a fighting chance of being able to work out what's wrong.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
Re: Breakin attempt
Lowell Gilbert freebsd-questions-lo...@be-well.ilk.org writes:

> Polytropon free...@edvax.de writes:
>
> > On Sat, 22 Oct 2011 15:08:50 +0100, Bruce Cran wrote:
> > > I suspect that these sorts of attacks are fairly normal if you're running ssh on the standard port. I used to have lots of 'break-in attempts' before I moved the ssh server to a different port.
> >
> > Is there _any_ reason why moving from port 22 to something different is _not_ a solution?
> >
> > Reason why I'm asking: Moving SSH away from its default port seems to be a relatively good solution as break-in attempts concentrate on default ports. So in case a sysadmin decides to move SSH to a "hidden" location, what could be an argument against this decision?
>
> Connecting from behind other people's paranoid firewalls gets difficult on other ports.

And, yes, I realize this isn't a problem for most people, but I'm pretty sure I'm not the only one who runs into it, either.
Re: Configuring IPFW
On Sat, Oct 22, 2011 at 10:08 AM, Conrad J. Sabatier conr...@cox.net wrote:

> Similarly, for udp rules, be sure to include the "keep-state" (but not "setup") keyword.

Right - if you're just protecting a single host, for example, your ruleset might be something like

    ipfw add 1000 allow ip from any to any via lo0
    ipfw add 1100 check-state
    ipfw add 1200 allow tcp from me to any setup keep-state
    ipfw add 1300 allow udp from me to any keep-state
    # stateful rules for ICMP sometimes work, and sometimes don't - traceroute for example
    ipfw add 1400 allow icmp from me to any
    ipfw add 1500 allow icmp from any to me icmptypes 0,3,8,11
    # if you don't want to permit inbound echo requests, then use the next one instead
    # ipfw add 1500 allow icmp from any to me icmptypes 0,3,11
    ipfw add 1600 deny ip from any to any

There are sysctl variables you may want to look at:

    sysctl net.inet.ip.fw

These are described in the man page, and some of these affect the behavior of dynamic rule sets. You generally don't need to worry about them for outbound connections, but they are critical for inbound connections - it's trivial to DOS a firewall with dynamic rules.

Regards,

M
Re: Breakin attempt
Actually this looks like fairly normal white noise you can expect on a public facing ssh server. There are a lot of bots out there, looking for another box to own.

If you're running PF put in something like the following.

    block in quick log from <BADGUYS>
    . . .
    pass in log on $ext_if proto tcp to ($ext_if) port { ssh } \
        flags S/SA modulate state \
        (max-src-conn-rate 3/60, overload <BADGUYS> flush global)

And remember that you need to wait a minute if you (for some reason) make more than x (3 in this case) connections from the same source in a minute's time. Tune as needed.

Then disable root logins and only use keys if you can, strong PWs if you can't, and you should be good.

--On Saturday, October 22, 2011 03:43:44 PM +0200 Admin ValhallaProjectet ad...@thorshammare.org wrote:

> Hello all
>
> FreeBSD odin.thorshammare.org 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Oct 22 10:14:48 CEST 2011 ha...@odin.thorshammare.org:/usr/obj/usr/src/sys/ODIN i386
>
> Firewall PF. Blocking China and some other related countries in that region.
> Disabled ssh root logins
>
> Apparently, I'm under some kind of attack, for the last 3 days. Lots of attempts to ssh in as root from many different IP addresses. No bruteforce attempts. This just puzzles me. Using all these resources? To achieve what?
>
> Below is a one hour snip from my auth.log
> Nothing unusual in pflog
>
> Appreciate all ideas of how to proceed with this matter.
>
> Best regards
> Hasse
>
> Oct 22 12:00:19 odin sshd[14359]: error: PAM: authentication error for root from server.fabian.cz
> Oct 22 12:01:08 odin sshd[14365]: Address 87.105.187.194 maps to client-arsmedica-2.wroclaw.dialog.net.pl, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 22 12:01:09 odin sshd[14365]: error: PAM: authentication error for root from 87.105.187.194
> Oct 22 12:02:59 odin sshd[14422]: error: PAM: authentication error for root from 87.229.7.163
> Oct 22 12:03:36 odin sshd[14865]: error: PAM: authentication error for root from 201.25.53.34
> Oct 22 12:03:53 odin sshd[15571]: error: PAM: authentication error for root from 109.237.210.147
> Oct 22 12:05:18 odin sshd[18357]: error: PAM: authentication error for root from 12.222.202.34
> Oct 22 12:05:36 odin sshd[18375]: error: PAM: authentication error for root from mx.aysor.am
> Oct 22 12:05:53 odin sshd[18537]: error: PAM: authentication error for root from 190.129.11.76
> Oct 22 12:07:06 odin sshd[19429]: Address 80.188.13.214 maps to www.profitaxi.cz, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Oct 22 12:07:06 odin sshd[19429]: error: PAM: authentication error for root from 80.188.13.214
> Oct 22 12:07:27 odin sshd[19542]: error: PAM: authentication error for root from 85.185.180.48
> Oct 22 12:08:05 odin sshd[19591]: error: PAM: authentication error for root from 208.125.137.121
> Oct 22 12:09:45 odin sshd[19629]: error: PAM: authentication error for root from 83.14.240.10
> Oct 22 12:10:53 odin sshd[19699]: error: PAM: authentication error for root from 200.160.121.246
> Oct 22 12:10:59 odin sshd[19702]: error: PAM: authentication error for root from 151.1.183.216
> Oct 22 12:11:38 odin sshd[19787]: error: PAM: authentication error for root from crm.nepinc.com
> Oct 22 12:12:16 odin sshd[19830]: error: PAM: authentication error for root from 189.16.12.146
> Oct 22 12:12:45 odin sshd[19843]: error: PAM: authentication error for root from narro.uaaan.mx
> Oct 22 12:14:14 odin sshd[19913]: error: PAM: authentication error for root from 217.128.151.181
> Oct 22 12:14:56 odin sshd[19925]: reverse mapping checking getaddrinfo for panda.zsuvoz.cz [195.178.81.116] failed - POSSIBLE BREAK-IN ATTEMPT!
> Oct 22 12:14:56 odin sshd[19925]: error: PAM: authentication error for root from 195.178.81.116
> Oct 22 12:16:14 odin sshd[19995]: error: PAM: authentication error for root from 87.193.246.26
> Oct 22 12:16:23 odin sshd[20008]: error: PAM: authentication error for root from 219.94.144.230
> Oct 22 12:16:39 odin sshd[20026]: error: PAM: authentication error for root from 82.130.143.216
> Oct 22 12:17:41 odin sshd[20073]: error: PAM: authentication error for root from 87.193.246.26
> Oct 22 12:17:52 odin sshd[20102]: error: PAM: authentication error for root from 82.130.143.216
> Oct 22 12:21:16 odin sshd[20268]: error: PAM: authentication error for root from 203.141.158.120
> Oct 22 12:21:34 odin sshd[20286]: error: PAM: authentication error for root from 208.125.137.121
> Oct 22 12:22:05 odin sshd[20326]: reverse mapping checking getaddrinfo for 86-100-134-185-ip.balticum.lt [86.100.134.185] failed - POSSIBLE BREAK-IN ATTEMPT!
> Oct 22 12:22:05 odin sshd[20326]: error: PAM: authentication error for root from 86.100.134.185
> Oct 22 12:22:22 odin sshd[20339]: error: PAM: authentication error for root from 201.232.69.113
> Oct 22 12:23:35 odin sshd[20428]: error: PAM: authentication error for root from 87.229.7.163
> Oct 22 12:23:58 odin sshd[20486]: error: PAM: authentication error for root from
Re: Configuring IPFW
> Date: Sat, 22 Oct 2011 12:08:56 -0500
> To: FreeBSD freebsd-questions@freebsd.org
> Subject: Re: Configuring IPFW
>
> On Sat, 22 Oct 2011 09:56:12 -0400
> Carmel carmel...@hotmail.com wrote:
>
> > I am attempting to set up a firewall using IPFW with a "stateful" behavior. While I have investigated how to set up these rules, I have run into conflicting opinions as to whether to allow or deny "established" behavior.
> >
> > EXAMPLE: (preceded by a "check-state" rule)
> >
> >     allow tcp from any to any established
> >
> > Some documentation states that it should be denied and others say it should be allowed. Neither has given me a convincing reason to follow either scenario or any real documentation either for that fact.
> >
> > If possible, could someone with some real firewall knowledge and familiarity with IPFW please give me some advice. Thanks!
>
> Well, assuming that you're only allowing the connections you actually want to be established to be set up in the first place, then the logical thing is to then allow any already established connections.

This, of course, ignores the possibility that a 'bad guy' might send an initial packet _without_ the 'SYN' flag set. <grin>

> All of your tcp allow rules should include the "setup" keyword, as well as "keep-state". This way, only connections that are doing a first-time setup will be allowed, and their state will be remembered, for later checking using the "check-state" keyword.

Now *THAT*, done _properly_, closes the aforementioned hole. :)
Re: Breakin attempt
>>>>> "Lowell" == Lowell Gilbert freebsd-questions-lo...@be-well.ilk.org writes:

Lowell> Connecting from behind other people's paranoid firewalls gets difficult
Lowell> on other ports.

That's why mine's on 443. Doubly useful when I want to connect to it from behind an outbound web proxy. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: trying to learn systems programming, fear I have not understood and thus messed up
Christopher J. Ruwe c...@cruwe.de wrote:

> On Sat, 22 Oct 2011 16:45:08 +0200
> Fabian Keil freebsd-lis...@fabiankeil.de wrote:
>
> > Christopher J. Ruwe c...@cruwe.de wrote:
> >
> > > On Fri, 21 Oct 2011 18:53:33 +0200
> > > Christopher J. Ruwe c...@cruwe.de wrote:
> > >
> > > As I still do not know why the latter variant of my code works and the former does not, I would still appreciate any comment or explanation which would help me understand GETPWNAM and getpwnam.
> >
> > I'm not familiar with the code you're working with, but according to the man page getpwnam() isn't thread safe so you probably shouldn't mess with the returned pointer in the first place and only treat the one returned by the last call as valid.
> >
> > Did you try using getpwnam_r() instead?
>
> You are quite right, GETPWNAM() is a macro to getpwnam(), which is not thread safe. GETPWNAM() is called throughout the code of pw and pw itself is not threaded, so it should not matter whether the functions called are thread-safe or not. I am not completely sure on my last statement though. Do you have other experience regarding this topic?

My point is that if getpwnam() isn't thread safe because separate calls are using the same static buffer to return their result (which I didn't verify), and you do something like:

    pwd = GETPWNAM(...)
    [...]
    trgpwd = GETPWNAM(...)
    pwd->pw_uid = (uid_t)(trgpwd->pw_uid);

the second getpwnam() call is going to reuse the memory pointed to by pwd. While I assume your intention was to only change pwd->pw_uid, the second getpwnam() call already had the side effect of overwriting all the other members as well. This would happen in a single-threaded application as well.

Fabian
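To make Fabian's explanation concrete, here is an added C example (not from pw(8) or from anyone in the thread) that performs the same two-lookup uid copy twice: once with getpwnam(), whose second call hands back the same static struct the first call returned, so the first record is overwritten, and once with getpwnam_r(), where each call fills a caller-owned struct and string buffer. The function names uid_copy_with_getpwnam and uid_copy_with_getpwnam_r are the example's own; it uses the invoking user and root as the two accounts, and it writes nothing back to the password database. That getpwnam() returns one static object is the behaviour POSIX permits and the common libcs implement; the example treats it as an assumption and only reports whether it was observed.

```c
/* Added example (not pw(8) code): the two-lookup uid copy from the thread,
 * done with getpwnam() and then with getpwnam_r(). */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern from the thread: look up the account to modify (dst), then
 * the account whose uid to borrow (src), then assign. getpwnam() may return
 * a pointer to one static struct (assumed here; true on common libcs), so
 * the second call overwrites the first record and pwd now describes src.
 * Returns 1 if dst's record was clobbered, 0 if it survived, -1 on lookup
 * failure. */
int uid_copy_with_getpwnam(const char *dst, const char *src)
{
    struct passwd *pwd = getpwnam(dst);
    if (pwd == NULL)
        return -1;
    struct passwd *trg = getpwnam(src);
    if (trg == NULL)
        return -1;
    pwd->pw_uid = trg->pw_uid;               /* intended: change only dst's uid */
    return strcmp(pwd->pw_name, dst) != 0;   /* 1 when pwd now names src instead */
}

/* Reentrant variant: each lookup fills a struct and string buffer owned by
 * the caller, so the first record is untouched by the second call. On
 * success returns 0 and reports dst's (unchanged) name and its new uid. */
int uid_copy_with_getpwnam_r(const char *dst, const char *src,
                             char *name_out, size_t name_len, uid_t *uid_out)
{
    struct passwd dstpw, srcpw, *res;
    char dstbuf[2048], srcbuf[2048];

    if (getpwnam_r(dst, &dstpw, dstbuf, sizeof dstbuf, &res) != 0 || res == NULL)
        return -1;
    if (getpwnam_r(src, &srcpw, srcbuf, sizeof srcbuf, &res) != 0 || res == NULL)
        return -1;
    dstpw.pw_uid = srcpw.pw_uid;             /* only the uid field changes */
    snprintf(name_out, name_len, "%s", dstpw.pw_name);
    *uid_out = dstpw.pw_uid;
    return 0;
}

int main(void)
{
    /* dst = the invoking user, src = root. Copy the name out first: it lives
     * in the same static buffer the later getpwnam() calls will reuse. */
    struct passwd *me = getpwuid(getuid());
    if (me == NULL)
        return 1;
    char myname[64];
    snprintf(myname, sizeof myname, "%s", me->pw_name);

    int clobbered = uid_copy_with_getpwnam(myname, "root");
    printf("getpwnam():   record of %s clobbered by second lookup: %d\n", myname, clobbered);

    char name[64];
    uid_t uid;
    if (uid_copy_with_getpwnam_r(myname, "root", name, sizeof name, &uid) == 0)
        printf("getpwnam_r(): record still for %s, new uid %u\n", name, (unsigned)uid);
    return 0;
}
```

Run as a non-root user, the first line reports 1 on a libc with a static getpwnam() buffer, which is exactly the "user disappeared during update" symptom: the record handed to the update step no longer names the account being modified. Run as root the two accounts coincide and the clobbering is invisible, which is one reason the bug is easy to miss in testing.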
Re: Breakin attempt
On 22/10/2011 16:12, Polytropon wrote:
> Is there _any_ reason why moving from port 22 to something different is _not_ a solution?

Yes

> Reason why I'm asking: Moving SSH away from its default port seems to be a relatively good solution as break-in attempts concentrate on default ports. So in case a sysadmin decides to move SSH to a "hidden" location, what could be an argument against this decision?

Moving to a non standard port does not provide you any additional real security. The random scannings and occasional attacks will disappear from your logs but these are not interesting, they fail because you already hardened your server. Those who are determined to break into your server will also find your ssh running on a non-standard port.

On the other hand, those legitimate users who rely on ssh to connect remotely to their account may not be able to because the firewall on the network only allows access to standard ports for whatever reason, and running ssh on port, say, 24 is a non-standard port. It is actually common to block access to most ports and allow access only through a proxy, and then open for those particular services that will not run through a proxy. Hence, if you want to be sure to be able to connect remotely, your best bet is to run your services on standard ports.

In summary, nothing is won moving ssh to a nonstandard port except for potential problems.

BR, Erik
Re: Upgrading libxul, dependency on Firefox 3
On Oct 22, 2011, at 2:54 AM, Joe Altman wrote:

> Greetings... I was running portupgrade on libxul and noticed it depends on Firefox 3.x. I cancelled the upgrade, because I thought FF3.x was insecure and therefore deprecated while FF7 was recommended and secure. My questions:
>
> 1) is the dependency libxul has for FF3 a security problem?

libxul doesn't depend on FF3. We just use the FF3.6 source tarball to build xulrunner (libxul) as upstream no longer provides tarballs for the latest xulrunner 1.9.2.x releases. Nevertheless FF3.6 is still supported upstream and security problems get fixed regularly during the normal Mozilla release cycle.

> 2) is the dependency on FF3 a bug in libxul? If it is a bug, who should receive a report: gecko@ or the Mozilla project?

There is no FF3 dependency in libxul.

HTH, Beat

> FYI: I'm pretty sure it was portsclean -D (and not me) that deleted FF3...yet libxul tried to pull it in during the portupgrade.
>
> Best regards, Joe
Re: Upgrading libxul, dependency on Firefox 3
On Sat, Oct 22, 2011 at 09:28:40PM +0200, Beat Gätzi wrote:

> On Oct 22, 2011, at 2:54 AM, Joe Altman wrote:
>
>> Greetings... I was running portupgrade on libxul and noticed it depends on Firefox 3.x. I cancelled the upgrade, because I thought FF3.x was insecure and therefore deprecated while FF7 was recommended and secure. My questions:
>>
>> 1) is the dependency libxul has for FF3 a security problem?
>
> libxul doesn't depend on FF3.

Got it. Thanks, and best regards,

Joe
Re: trying to learn systems programming, fear I have not understood and thus messed up
On Fri, Oct 21, 2011 at 06:53:33PM +0200, Christopher J. Ruwe wrote:

> To improve on my C and to learn something about systems programming, I have begun to pick out bite-size bits from the bin-PRs. Currently, I am despairing about bin/149972, which is about 1) adding error handling to pw being invoked as pw -u username and 2) trying to get a uid from the (incorrectly) passed username. Currently, I cannot accomplish what I wanted to do, so I turn here for hints or help.

[snip]

Christopher, you're probably best off posting to hackers@ for programming problems pertaining to FreeBSD.

Regards,

-- Frank
Contact info: http://www.shute.org.uk/misc/contact.html
Re: Help needed: sound/audio only semi-working
In message 20111022125209.9ba97a1f.free...@edvax.de, Polytropon free...@edvax.de wrote:

> On Fri, 21 Oct 2011 18:29:25 -0700, Ronald F. Guilmette wrote:
>
>> The really strange thing is that after I followed all the directions here:
>>
>> http://www.freebsd.org/doc/en/books/handbook/sound-setup.html
>>
>> This command:
>>
>> cat /dev/random > /dev/dsp
>>
>> *does* produce quite a bit of white noise sound. However when I perform the other officially recommended basic audio functionality test:
>>
>> cdcontrol -f /dev/acd0 play 1
>>
>> with one of my favorite old audio CDs in the drive (AND with that special little wire running from the back of the drive to my motherboard) all that happens is that the CD/DVD drive apparently _does_ start to read some stuff... as evidenced by the blinking access light in the front of the drive... but I still get no sound out, and YouTube videos still aren't giving me any audio even though the video seems to be playing perfectly.
>
> Does the Handbook mention to check your mixer settings?

No, but I _did_ look at that anyway, because something I read while researching this problem indicated that I should. And those (mixer) settings are all OK.

Anyway... NEVERMIND!

I fiddled a few things some more last night... nothing that really should have made any difference at all... and I re-booted and today, now, the sound _is_ playing when I watch YouTube videos in Firefox. I really don't understand why because I really didn't change anything. I did install mplayer and cdparanoia, and then I used the latter to suck some .wav files off of one of my old CDs and then used mplayer to play them (which worked OK) but I don't see how any of that should have had any effect on the audio coming out of the flash plugin for Firefox.

Oh well! It works now, and mplayer can play .wav and .mp3 files too. So mostly everything is working now, and I am happy.

But playing a CD using cdcontrol still is not working. That's OK. I can easily live without that. I was only using it for testing purposes anyway. Still, it is a shame it doesn't just work.

> The problem regarding audio CDs seems to be quite "modern".

I assume by that you mean quite recent. Yes?

> I also cannot play them anymore (but I don't have that special wire installed at the moment). Audio is VIA HDA.

I do believe that the little wire is mandatory. So that explains why it doesn't work for you. But I have the little grey wire installed, so I don't know why it doesn't work for me.

So how can it be that this works just fine:

cat /dev/random > /dev/dsp

even while this:

cdcontrol -f /dev/acd0 play 1

causes the disk to spin up and read, but otherwise produces utter silence?

> CD audio subsystem has been modernized. :-)

I wouldn't know about that.
Re: Help needed: sound/audio only semi-working
On Sat, 22 Oct 2011 16:03:27 -0700, Ronald F. Guilmette wrote:

> I did install mplayer and cdparanoia, and then I used the latter to suck some .wav files off of one of my old CDs and then used mplayer to play them (which worked OK) but I don't see how any of that should have had any effect on the audio coming out of the flash plugin for Firefox.
>
> Oh well! It works now, and mplayer can play .wav and .mp3 files too. So mostly everything is working now, and I am happy.

Both the Flash plugin and mplayer use the mixer's pcm channel for output (unlike CD audio).

Maybe you'll find that mplayer is able to play *.mp3, but isn't the optimal program to do so - in this case have a look at xmms which can play both *.mp3 and *.ogg (a popular format when you want to make your CDs' content available on your system). And xmms also is able to play CD audio.

> But playing a CD using cdcontrol still is not working. That's OK. I can easily live without that. I was only using it for testing purposes anyway. Still, it is a shame it doesn't just work.

Doesn't work _anymore_. :-)

>> The problem regarding audio CDs seems to be quite "modern".
>
> I assume by that you mean quite recent. Yes?

No, "modern" (note the quotes) indicates disimprovement, reduction and removal of functionality that has been taken as granted for many years. :-)

>> I also cannot play them anymore (but I don't have that special wire installed at the moment). Audio is VIA HDA.
>
> I do believe that the little wire is mandatory.

In this specific case, it is. In my old PC, I had one to connect the ATAPI drive to the sound card (a CMI based PCI card, no onboard stuff). This _did_ work perfectly using cdcontrol play track and the mixer's CD channel.

> So that explains why it doesn't work for you. But I have the little grey wire installed, so I don't know why it doesn't work for me.

I'll install that wire tomorrow, just to check - I just hope my cheap (and nearly crappy) mainboard does have support for it. I can't use external wiring (to the sound card's line-in connector) as the drive doesn't have a front connector anymore. See "modern". :-)

OS is 8.2-STABLE/x86 of late August.

> So how can it be that this works just fine:
>
> cat /dev/random > /dev/dsp
>
> even while this:
>
> cdcontrol -f /dev/acd0 play 1
>
> causes the disk to spin up and read, but otherwise produces utter silence?
>
>> CD audio subsystem has been modernized. :-)
>
> I wouldn't know about that.

As far as I could understand, the track files /dev/acdXtYY will be gone in the upcoming 9.0, as well as the acd device files in favour of cd (the optional, but very nice ATAPICAM interface used by recording programs). Basically, I do appreciate merging acd and cd (so one device file per device becomes true), but if the price is that CD audio doesn't work anymore... we'll see.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: pkg_version: corrupted record (pkgdep line without argument), ignoring
On 10/22/11, b. f. bf1...@googlemail.com wrote:

> Jerry wrote:
>
>> After attempting unsuccessfully to update KDE4 via portmaster, I found a number of errors printed out when using pkg_version -vIL=. I eventually used portmanager to update the KDE4 port successfully; however, I am still receiving the following error messages.
>>
>> These ports need updating:
>> pkg_version: corrupted record (pkgdep line without argument), ignoring
>> pkg_version: corrupted record (pkgdep line without argument), ignoring
>> pkg_version: corrupted record (pkgdep line without argument), ignoring
>> koffice-kde4-2.3.3_3 needs updating (index has 2.3.3_5)
>> postgresql-client-8.2.21 needs updating (index has 8.2.22_1)
>>
>> I have not found a way to ascertain which ports contain the corrupted records. Originally, there were over a dozen of them but portmanager fixed most of them for me. How can I determine what ports are still damaged so that I might correct them.
>
> As the others have written, you could use sed, grep, or visual inspection to examine the pkgdb. Alternatively, you could try testing one port at a time, to see what ports pkg_version chokes on, by using something like:
>
> pkg_info -aE | xargs -tI @ pkg_version -vIL= -s @

Bah, sent this to freebsd-ports by mistake. Sorry.

b.