limit number of ssh connections
Does anyone know a good way of limiting the number of ssh attempts from a single IP address? I found the following website, which describes a variety of approaches: http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems...well crude. Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits. I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause). I would much much rather do something like this: http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/ Does anyone know a way to do something similar with ipfw? Thanks in advance, Jim ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: limit number of ssh connections
Wow, I'm glad I asked. This has been very helpful. @Григорьев Александр Thanks for the tip on inetd, that looks like it might just do the trick. @Paul Macdonald My main reason for looking into this was glancing through the logs on a server I just put online and seeing large numbers of unauthorized login attempts. Everything so far is highly unsophisticated, but it did make me start to really think about the issue. I might put ssh onto a different port, that would at least stop the sort of fishing I am currently seeing. It's not clear if that would be good enough. @Damien Fleuriot Have you had success with sshguard? Installed it from ports, but then I couldn't quite figure out how to configure it. To be honest, I didn't give it much of a chance before I moved on to the next thing, so if you've had good luck then I should probably give it another shot. I did flip through sshd_config, but as far as I can tell it is only possible to limit the number of concurrent connections. It might take a little longer, but I'm concerned it would still allow a malicious individual to sequentially brute-force a password. Thanks for all the responses. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
wireless card won't associate
Hello, I've been trying to get a wireless card of mine working with a new install of freebsd 7.1, but I've been unable to associate with the access point. From pciconf -lv, it appears the chipset is Ralink RT2561/RT61. The documentation for ral doesn't mention this particular chipset, but there seems to be a consensus on various forums that this chipset is supported by ral. I've added the following lines to /boot/loader.conf: if_ral_load=YES wlan_scan_ap_load=YES wlan_scan_sta_load=YES wlan_wep_load=YES And am using the following ifconfig command ifconfig ral0 ssid MYSSID authmod shared wepmode on \ deftxkey 1 wepkey 1:MYKEY But ifconfig shows status as no carrier. The authentication is all correct (I've triple checked everything, and am using the same authentication on a linux laptop). The signal strength should be fine (the box was previously running linux, with very good signal strength). When I ran wlandebug -i ral0 +scan+auth+assoc the only error I receive is: shared key auth failed (reason 15) At this point I'm stymied. Any help would be very much appreciated. Thanks, Jim ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
boot hangs on thinkpad x40
Hi, I recently installed FreeBSD 7.1-Beta2 on my IBM thinkpad X40. Everything works fine while the system is connected to the dock, but when I boot with the dock disconnected the system hangs. With verbose logging enabled it appears to hang at either acpi_cmbat or acpi_acad (they appear to run in parallel and which prints the last error message appears somewhat random). I've found several threads related to FreeBSD having difficulty with thinkpads that have the second ata enabled, so I've disabled that but am still having the same difficulty. Has anyone seen this behavior before? Any thoughts on how to fix it? Thanks, Jim ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
wmp54g card not recognized
Sorry, email misfired. Please ignore. Thanks. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: [laptop-discuss] wmp54g card not recognized
Here is the output from scanpci: pci bus 0x cardnum 0x00 function 0x00: vendor 0x8086 device 0x254c Intel Corporation E7501 Memory Controller Hub pci bus 0x cardnum 0x02 function 0x00: vendor 0x8086 device 0x2543 Intel Corporation E7500/E7501 Hub Interface B PCI-to-PCI Bridge pci bus 0x cardnum 0x1d function 0x00: vendor 0x8086 device 0x2482 Intel Corporation 82801CA/CAM USB Controller #1 pci bus 0x cardnum 0x1d function 0x01: vendor 0x8086 device 0x2484 Intel Corporation 82801CA/CAM USB Controller #2 pci bus 0x cardnum 0x1d function 0x02: vendor 0x8086 device 0x2487 Intel Corporation 82801CA/CAM USB Controller #3 pci bus 0x cardnum 0x1e function 0x00: vendor 0x8086 device 0x244e Intel Corporation 82801 PCI Bridge pci bus 0x cardnum 0x1f function 0x00: vendor 0x8086 device 0x2480 Intel Corporation 82801CA LPC Interface Controller pci bus 0x cardnum 0x1f function 0x01: vendor 0x8086 device 0x248b Intel Corporation 82801CA Ultra ATA Storage Controller pci bus 0x cardnum 0x1f function 0x03: vendor 0x8086 device 0x2483 Intel Corporation 82801CA/CAM SMBus Controller pci bus 0x0001 cardnum 0x01 function 0x00: vendor 0x8086 device 0x1229 Intel Corporation 82557/8/9/0/1 Ethernet Pro 100 pci bus 0x0002 cardnum 0x1c function 0x00: vendor 0x8086 device 0x1461 Intel Corporation 82870P2 P64H2 I/OxAPIC pci bus 0x0002 cardnum 0x1d function 0x00: vendor 0x8086 device 0x1460 Intel Corporation 82870P2 P64H2 Hub PCI Bridge pci bus 0x0002 cardnum 0x1e function 0x00: vendor 0x8086 device 0x1461 Intel Corporation 82870P2 P64H2 I/OxAPIC pci bus 0x0002 cardnum 0x1f function 0x00: vendor 0x8086 device 0x1460 Intel Corporation 82870P2 P64H2 Hub PCI Bridge pci bus 0x0003 cardnum 0x03 function 0x00: vendor 0x1814 device 0x0301 RaLink RT2561/RT61 802.11g PCI pci bus 0x0003 cardnum 0x06 function 0x00: vendor 0x1002 device 0x5960 ATI Technologies Inc RV280 [Radeon 9200 PRO] pci bus 0x0003 cardnum 0x06 function 0x01: vendor 0x1002 device 0x5940 ATI Technologies Inc RV280 [Radeon 9200 PRO] (Secondary) pci bus 0x0004 cardnum 0x01 function 0x00: vendor 0x8086 device 0x100f Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: switching discs during install
I had actually avoided the base system because I was installing FreeBSD on a system with a poor internet connection, but I was able to download the discs on a system with a high speed connection. The DVD would have worked fine, but it was not available from the freebsd home page and so I did not know it was available. But thanks for the information. Next time, I'll give it a try. That said, I still think that as long as the freebsd foundation distributes CD images it would be worthwhile to make them as effective as possible. Actually, even if the install were moved to a DVD, the ordered install I proposed would still improve the situation. When the packages are haphazardly ordered on the disc, the CD/DVD reader is forced to perform a large number of seeks that dramatically reduces data throughput. When they are read in order, read rates should be much better. While I doubt many users choose an operating system based on installation performance, it would save people a little time and make a better first impression. -Jim On Sat, Sep 6, 2008 at 4:24 AM, Manolis Kiagias [EMAIL PROTECTED]wrote: James Strother wrote: I just completed an install of FreeBSD 7.0 and couldn't help but wonder why it was necessary for me to switch discs back and forth so much while installing ported applications. I've used FreeBSD on and off for a number of years and this issue has always irked me a just a little bit. It means that I have to babysit the installation and it really does increase the time required to perform the installation. SNIP Most people install only the base system from CD, then install applications from ports or download newer packages. If you insist on installing packages from the installation media, there is an easy way. Use the DVD: http://www.tuxdistro.com/download.php?id=921name=FreeBSD-7.0-RELEASE-DVD-ISO.torrent Or, create one yourself using your already downloaded discs: http://www.pa.msu.edu/~tigner/bsddvd.htmlhttp://www.pa.msu.edu/%7Etigner/bsddvd.html ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: switching discs during install
They might not be as haphazard as you suggest. ISTR once reading that the CDs were arranged with the most popular packages on the first CD so that you would only need to download disk 2 (and 3) if you wanted some of the less common packages. With your suggested layout it's quite likely that a package which most of the others depend on would be right down at the bottom of the list with the result that you'd invariably need to download all 3 CD images. I have to admit that I have no idea how they are organized, there could be very good reasons for doing it the current way. However, I was actually only suggesting that the packages be sorted by popularity, where popularity is the number of packages which depend on the package in question (this would need to include both direct and indirect dependencies). The most-depended-upon packages would go on the first disc and the least-depended-upon packages would go on the last. If you move from first to last, then all dependencies are automatically satisfied. While this should put most of the common packages on the first disc, you could have a frequently installed package that was not highly depended upon that was placed on the last disc. If your aim was to minimize the number of discs that had to be downloaded this ordering would be less that ideal. However, there are a large number of orderings which still satisfy the dependencies; the one I gave is just a good starting point. If you wanted, such packages could be promoted in the ordering by placing them immediately after all of their dependencies had been satisfied. In fact, you could do this recursively for every package that the particular package depended upon so that it occurred as early in the ordering as possible. And if you had a list of such important packages this could clearly be performed for each (if you started with the least important and moved to the most, you could ensure that the most important were placed earlier in the ordering). I think the best way to avoid the need for frequent CD switching would be for sysinstall to sort the list of selected packages into CD order before installing them. I imagine this would require some changes to pkg_add to prevent it from installing dependencies and I expect the possible benefits would not be considered to be sufficient to justify the effort. I agree that fiddling with pkg_add to place the packages neatly on the disc would probably not be worth the effort, but I'm not sure that it is necessary. In order for the method I suggested to work, sysinstall would have to be modified to attempt installation in the selected ordering. If you had a list of the packages in this ordering, you would only have to flip the please install this one bit for the selected packages, and then traverse the list in order installing/ignoring each package. Since all dependencies would be satisfied by virtue of the ordering, pkg_add would find that every dependency had already been satisfied and should not cause any problems. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
switching discs during install
I just completed an install of FreeBSD 7.0 and couldn't help but wonder why it was necessary for me to switch discs back and forth so much while installing ported applications. I've used FreeBSD on and off for a number of years and this issue has always irked me a just a little bit. It means that I have to babysit the installation and it really does increase the time required to perform the installation. This is, of course, a minor issue in the grand scheme of things but it seems easy enough to remedy. I assume that as packages are installed the dependencies are checked, and then required packages are installed as necessary. When a required package is on a different disc, then the installer prompts the user to switch discs. However, it should be necessary to organize packages on the discs and during the installation such that this never occurs. In case this isn't obvious, let me give a quick supporting argument. If you were to perform an installation in which every package was installed, then the installer would eventually resolve all dependencies and produce an ordering in which every package could be installed without violating its dependencies. If we removed a package that was not required by any other package, then clearly the same ordering could still be used to install the remaining packages without violating any dependencies. By extension, any number of packages could be removed and the ordering would remain valid provided that the remaining packages did not depend on a removed package. So, if the packages are placed on the discs in this order and the installer attempts to install packages in this order, then the dependencies will always be satisfied and the user will never have to switch discs. (As an aside, this is really only to say that the dependency tree is a directional acyclic graph and it has a topological sort). There multiple orderings which satisfy this condition. Perhaps the easiest is to calculate is the ordering in which packages are sorted by the number of packages that require it. This ordering would also tend to aggregate the most common packages on the first discs. Is there a reason that this wouldn't work. Something I'm not thinking about. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
installation causes panic
Hi, I've been trying to get FreeBSD 6.2 up and going on an AMD64 machine of mine, but have encountered a few problems. Most of the issues are minor annoyances, but I can't get around the last one for the life of me. Please let me know which bugs are known (I searched and couldn't find any of the following reported), and any help on the last issue would be most appreciated. Issue 1. During the installation, a menu asks which package group should be installed. If I use the arrows to select X-Kern-Developer then hit SPACE it immediately goes to the next screen. This seems to be a bug, the box should be selected but the installer should not progress to the next screen until the OK button is selected. As is, the behavior is inconsistent with every other menu in the installer. Issue 2. After hitting Issue 1, I decided to select a different package group so I hit Cancel. Somehow I wound up back at the beginning of the installer, which was fine. But when I re-started the install I never got the option of what package groups to install or whether or not I wanted the ports. In order to really restart I had to reboot the machine. Issue 3. After finishing the installation of selected ports, I get a menu that asks whether I would like to install other users/groups. When I hit ENTER after highlighting User, the installer crashed giving me the message panic: going nowhere without my init! then something about having no device to dump. Issue 4. After Issue 3, I normally would have copied down the exact text to send in a report. However, it seems to reboot automatically after 15s, while providing no means to stop the countdown. The auto- restart seems counter-productive. Why would I be in such a rush to restart the system after a failed install? Might as well leave the message so that bug reports can be reported with more information. Issue 5. After restarting the install, I successfully got through it the next time (I did essentially the same thing, which suggests that Issue 3 is intermittent at best). I installed KDE during the initial install, and setup KDM as per the handbook. However, when I log out of KDE the colors get messed up. It looks like some color table is getting corrupted so that certain colors are rendered as other colors. For example, it looks like what should be a sky blue is now rendered lime green. This happens every time I log out of KDE, every time I use the machine. If it matters, I'm using a GeForce 6200 card. Let me know what other details are needed. Thanks in advance, Jim Strother -- James Strother McHenry Laboratory UC-Irvine ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
