ssh complaining about bad file descriptor on 4.3beta.
I'm getting bad file descriptor errors on every ssh connection on a box that I built from source on 4.3 beta last night. Anyone else seeing this as well?

Feb 21 09:54:43 crusty sshd[21741]: error: getsockname failed: Bad file descriptor

Wanted to see if anyone else is seeing it as well before I send a bug report.
Re: Real men don't attack straw men
Mayuresh Kathe wrote:
Mr. Stallman, I respect you for what you've managed to achieve as an individual. But, frankly, this thread has really gotten way out of control. A few days back everything had kind-a settled down and we got the impression that the thread had fortunately died, but that's not been the case, you are struggling hard to lay out your viewpoints which seem a tad bit twisted from where we look at it. Nobody out here is going to listen to what you're going to say, and you are going to go on and on about how you were justified in labeling OpenBSD as not compliant with your interpretation of the word free, which we don't give a farthing for. No offense, but, please, please go away, we really don't want you here, and on your way out, please take your minions along with you.
~Mayuresh

+1, just go away Richard, you're REALLY annoying.

On Jan 3, 2008 3:20 PM, Richard Stallman [EMAIL PROTECTED] wrote:
In fact many of the people did expect this when your favorite organization lost the battle publicly on Reyk's code that your friends stole and tried to impose your license on it, and when they even tried vainly to go legal by the advice of an un-educated american lawyer but finally found that they have just embarrassed themselves in public.

I don't know who or what that refers to. I do know that my favorite organization is the Free Software Foundation, and I know it has not been involved in anything that fits that description.

I suspect this is related to the harsh message Theo sent me a few months ago, which rebuked what you (was that me? the FSF?) had done. He mentioned the name Reyk (which I don't recognize) and said it had something to do with a license. But he did not go into details. The FSF was not involved in the matter.

I could have investigated what he was talking about and determined what conduct he had criticized. Then, supposing I wanted to give them some advice, I could have asked someone to find the developers' addresses, and written to them. Then they might or might not have listened to me. I could have done all that, but I saw no reason to go so far out of my way for someone who was treating me rather badly. So I simply told him that the FSF was not involved in the matter.

I know that one part of your description of events is wrong--the part that says that my favorite organization has lost the battle [publicly]. My favorite organization, the FSF, was not involved. If any of my friends were involved, they did not inform me. Those errors make me skeptical of the rest of your claims. Did someone lose a battle? Did anyone really steal anything? I don't know, but I won't take your word for it. Did they try to go legal? If so, was it vainly? If they got legal advice, was their lawyer un-educated? Was the outcome embarrassing for someone? I don't know. Whoever would like to know the answers to these questions would do well to check on his own.
Re: pf visible bridge/router
It's the same as an invisible bridge except you have IP's on the if's, that's the only diff.

Beavis wrote:
Hi all!, I've been searching lists with regards to building a Visible Bridge/Router with PF on OpenBSD. But most of the material I see are for invisible bridge configs. I wanted to just do a straight Routing/Bridging on my FW's (without the use of NAT). Any comments or experiences shared will be awesomely appreciated. thanks, -B
When spammers get whitelisted...
I have had to wipe my spamdb twice in the last month because spammers get past my blacklists (I run the ones that come in spamd.conf) and my greylisting and just hammer a few of my customers. The spam comes from multiple IP's so it's a bitch to block by hand...anyone have any tips on blocking these bastards ???
Re: Real men don't attack straw men
Can someone just kill this thread PLEASE... only a few posts were actually good, the rest is filling my inbox.

Jason Dixon wrote:
On Dec 15, 2007, at 6:00 PM, Gilles Chehade wrote:
On Sat, Dec 15, 2007 at 04:36:51PM -0500, Richard Stallman wrote:
I know of at least four companies I've worked with/for that *rely* on gcc and that would switch to Linux/BSD if gcc was not available on Windows.
I am surprised by this statement, because in general I don't expect that very many users would switch to a different operating system just to use GCC. Nonetheless, I would be interested in talking with them to see what they say about this.
What you expect (conveniently) is far from what happens to be reality. In the real world, people need their work done and will take the necessary steps to do so. If work involves cross compilation, as an example, and you provide them with a free compiler (as in gratis) that does that job ok, it will be used. If Linux is a prerequisite to this and that you provide them for free (as in gratis), they will install it. When you write code to make gcc work on windows and endorse it, you tell them that there is no need to switch to Linux to get the work done. You are doing precisely what you blame on BSD, except that we provide just a set of Makefiles, and that you actually wrote code to make sure projects will run on a proprietary system and will be used by a broader public. And no, you will not get to talk to the people I worked with. It is not of any interest for me to send them the average troll when they do not care a tiny bit about discussing FSF/GPL and/or BSD philosophy. Live with it, you do encourage people to use proprietary systems by providing them the tools to get their work done without having to ever touch a free system.
Richard Stallman is like the wife of a drunk. He is an enabler. Until he comes to this realization and cuts the ties, no progress will be made.
---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: inetd needed for basic NAT/Firewall operation?
I have run an OBSD firewall for years and run nothing on it...the only listening port is 22 on one of the internal interfaces. You don't need identd or any of that crap on a firewall...it's forwarding or blocking packets only.
--
~Allie D.

On Wed, December 5, 2007 10:58, Andreas Maus wrote:
On Wed, Dec 05, 2007 at 11:49:07AM -0500, Chris Smith wrote:
Hello, When using OpenBSD only as a NAT router / Firewall with all of the services in inetd.conf commented out is there any need to enable inetd?
Hi Chris. The only service that should (or could, depends on your point of view) be allowed from the internet is IMHO the identd service. Blocking this service may cause some delay because some mailers and irc servers are checking for this service. OTOH it may be considered as a security risk to give strangers valid usernames. (If you need inetd requests from the outside and don't want to give them valid usernames you can install another identd, e.g. oidentd or just a fakeidentd to return an arbitrary username)
I believe it's no longer necessary for ftp-proxy and want to make sure I'm not missing anything.
I don't run ftp-proxy so I don't know about this, sorry. HTH, Andreas
--
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an 8-bit operating system written for a 4-bit processor by a 2-bit company who cannot stand 1 bit of competition.
Re: OpenBSD 4.2 released Nov 1, 2007
I think I sent out my thanks before, but what the hell, thanks again for another kick ass release.
--
~Allie D.
Re: qemu speed
I'm bitter because I can't run java on it. I have to use ubuntu with VirtualBox to run some critical work apps that use java :( -- ~Allie D. On Thu, October 4, 2007 15:41, Jacob Yocom-Piatt wrote: Gerald Thornberry wrote: I've never used QEMU so I may be talking out my hat. Looking at the docs for it yesterday I remember seeing something about the QEMU accelerator. Is that an option here? When used as a virtualizer, QEMU achieves near native performances by executing the guest code directly on the host CPU. A host driver called the QEMU accelerator (also known as KQEMU) is needed in this case. The virtualizer mode requires that both the host and guest machine use x86 compatible processors. i've found qemu-0.8.2p4 on 4.1-release (i386) to be horribly slow and some apps don't install correctly when emulating windows xp. it's ok for viewing ms office documents but doing anything processor or disk intensive takes an order of magnitude longer than usual. would be nice to know if the KQEMU driver is the bottleneck. cheers, jake http://fabrice.bellard.free.fr/qemu/about.html On 10/4/07, Frank Bax [EMAIL PROTECTED] wrote: Indeed, this is a FoxPro program. I had tried changing the path; and tested it by starting program without using full path to EXE - although the program does startup this way; it still fails at the same point. I also tried QEMU; but was still researching options before bringing speed question here. I've read that it can be a bit slow; but I'm wondering HOW slow? I use the FoxPro program to convert a database from one format to another. Native Win98 on P3-600 the process takes 1:20 (min:sec). On a 2GHz Core2Duo, QEMU takes 6:00 minutes. Is this expected speed? On QEMU/BSD forum, it was suggested I compile from source, so I used ports instead of package, but there was no change to speed of this process. Files are currently inside a virtual disk. Is that fastest for disk i/o? Am I likely to speed it up if I have files on host and access them via samba? 
Is there another way to access host files from Win98 guest? Frank

Richard Toohey wrote:
I do not know much about wine, but the issue interested me ... I've built from ports and I am having a look. From the manual page, re. the wine configuration file, it has this:
format: path = directories separated by semi-colons
default: C:\WINDOWS;C:\WINDOWS\SYSTEM
Used to specify the path which will be used to find executables and .DLL's.
Can you add C:\ and/or C:\\LIBS to that list and see if it helps? A FLL looks like a FoxPro dynamic link library, so it should count as a DLL. Back to RTFMing ...

On 3/10/2007, at 8:27 AM, Joachim Schipper wrote:
On Mon, Oct 01, 2007 at 05:56:46PM -0400, Frank Bax wrote:
I installed wine-990225p0 from packages on 4.1 and can run simple programs like sol and notepad. I have an old program I'm trying to run; but this program cannot find its own files unless the current working directory is set to the directory where software was installed. It seems more recent wine versions support 'bat' files which would solve this; but this doesn't seem to work in this version. When I try: wine c://program.exe the software complains that it cannot open LIBS\FOXTOOLS.FLL This file is found at C:\\LIBS\FOXTOOLS.FLL Is there a way to run something like this on wine 990225?: cd program.exe If this is not workable on 990225; do current wine versions work on OpenBSD?
I'm not sure if there is a way to 'cd' on OpenBSD's version of Wine. As to porting: more recent Wines do weird things with threads, if I understand the issue correctly. In short, don't expect an update soon. Qemu works fine, if you don't need to run a particularly demanding program. Joachim
--
TFMotD: inet6 (4) - Internet protocol version 6 family
--
Qemu + auich = sound ?
Can anyone give me a hint how to get sound working in Qemu? I'm running an X31 and am starting -soundhw all but I don't think it covers my sound hardware. The precompiled 4.1 package has:

pcspk   PC speaker
sb16    Creative Sound Blaster 16
es1370  ENSONIQ AudioPCI ES1370

But my sound device is an auich. Anyone get sound working for an auich device?
Re: Qemu + auich = sound ?
On Wed, September 12, 2007 10:18, Chris Kuethe wrote:
I'm gonna take a wild guess and say a) those are the emulated soundcards qemu can present to the guest OS, and b) qemu should just be able to do OSS audio to the host OS.
It's not working out of the box. I'm gonna try and build from ports and see if I can get it to work.
never tried audio though... *shrug*

On 9/12/07, Allie D. [EMAIL PROTECTED] wrote:
Can anyone give me a hint how to get sound working in Qemu? I'm running an X31 and am starting -soundhw all but I don't think it covers my sound hardware. The precompiled 4.1 package has:

pcspk   PC speaker
sb16    Creative Sound Blaster 16
es1370  ENSONIQ AudioPCI ES1370

But my sound device is an auich. Anyone get sound working for an auich device?
--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: SSH brute force attacks no longer being caught by PF rule
3 times in 30 seconds as a src connection rate is pretty conservative and you don't have a connection rate trap. I run max-src-conn 5, max-src-conn-rate 5/5 and nail every one. Of course you'll see the first few attempts, but once they tickle that max-src-conn rule they get shut down.
--
~Allie D.

On Wed, August 8, 2007 10:26, David Newman wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6/27/07 10:39 PM, Daniel Ouellet wrote:
Steve B wrote:
The rule I've had in my pf.conf file to catch and block forceful SSH attempts no longer appears to be working. I see the entries in my authlog, but the IPs are no longer getting added to my table. I suspect I screwed something up, but so far I am at a loss to see where. Could someone pass another set of eyes over the relevant parts of my pf.conf?
Put quickly as an example, but you can try:

# Define some variable for clarity
SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"

## SSH Hackers - blocked IPs
table <scanners> persist file "/etc/tables/scanners"

# Block ssh access to bad ssh scanner
block drop in log quick on $ext_if inet proto tcp \
    from <scanners> to any port ssh

# Allow quick valid traffic to ssh but log all attempts as well
pass in log quick on $ext_if inet proto tcp from ! <scanners> \
    to $ext_if port ssh flags S/SA keep state \
    $SSH_LIMIT

I've added something like this to pf.conf but it's only partially successful. I would appreciate any clues as to why it's not blocking all brute-force attempts.

On an OBSD 4.1 box, here's what I added to pf.conf ($unpro is the Internet-facing interface):

#
# Define limit of ssh connection rates
SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"

# SSH scanners - blocked IPs
table <scanners> persist

block drop in log quick on $unpro inet proto tcp \
    from <scanners> to any port ssh

# Allow quick valid traffic to ssh but log all attempts as well
pass in log quick on $unpro inet proto tcp from ! <scanners> \
    to $unpro port ssh $SSH_LIMIT
#

And it appears to be working, at least in part:

[EMAIL PROTECTED] ~ 501$ sudo pfctl -t scanners -T show
   61.146.178.13
   61.189.145.103
   67.76.237.190
   161.200.144.108
   193.254.31.194

But some hosts on the protected side of the firewall still report brute-force ssh login attempts exceeding the 3/30 rate:

Aug 7 10:16:00 mail sshd[21608]: Invalid user trash from 201.18.81.8
Aug 7 10:16:08 mail sshd[21610]: Invalid user aaron from 201.18.81.8
Aug 7 10:16:11 mail sshd[21612]: Invalid user gt05 from 201.18.81.8
Aug 7 10:16:18 mail sshd[21614]: Invalid user william from 201.18.81.8
Aug 7 10:16:22 mail sshd[21616]: Invalid user stephanie from 201.18.81.8
Aug 7 10:16:59 mail sshd[21628]: Invalid user gary from 201.18.81.8
Aug 7 10:17:07 mail sshd[21632]: Invalid user guest from 201.18.81.8
Aug 7 10:17:11 mail sshd[21634]: Invalid user test from 201.18.81.8
Aug 7 10:17:17 mail sshd[21636]: Invalid user oracle from 201.18.81.8
Aug 7 10:19:24 mail sshd[21717]: Invalid user apache from 201.18.81.8
Aug 7 10:19:43 mail sshd[21723]: Invalid user lab from 201.18.81.8
Aug 7 10:19:55 mail sshd[21729]: Invalid user oracle from 201.18.81.8
Aug 7 10:20:00 mail sshd[21736]: Invalid user svn from 201.18.81.8
Aug 7 10:20:06 mail sshd[21745]: Invalid user iraf from 201.18.81.8
Aug 7 10:20:13 mail sshd[21747]: Invalid user swsoft from 201.18.81.8
Aug 7 10:20:18 mail sshd[21749]: Invalid user production from 201.18.81.8
Aug 7 10:20:23 mail sshd[21751]: Invalid user guest from 201.18.81.8
Aug 7 10:20:28 mail sshd[21753]: Invalid user gast from 201.18.81.8
Aug 7 10:20:34 mail sshd[21755]: Invalid user gast from 201.18.81.8
Aug 7 10:20:40 mail sshd[21762]: Invalid user oliver from 201.18.81.8
Aug 7 10:20:45 mail sshd[21767]: Invalid user sirsi from 201.18.81.8
Aug 7 10:20:50 mail sshd[21769]: Invalid user nagios from 201.18.81.8
Aug 7 10:20:55 mail sshd[21771]: Invalid user nagios from 201.18.81.8
Aug 7 10:20:59 mail sshd[21773]: Invalid user nagios from 201.18.81.8

Thanks in advance for suggestions as to how to reduce these kind of login attempts.

dn
-----BEGIN PGP SIGNATURE-----
iD8DBQFGufyzyPxGVjntI4IRAty2AJ9WDCqLqkWyhx/KuciGINow6Upb5wCfUuP+
GfZ8lnaun1QPItnFK5c4MNU=
=tjbD
-----END PGP SIGNATURE-----
Re: SSH brute force attacks no longer being caught by PF rule
I just had to reply with this info because I already had an attempted brute force in the last hour. All you need to do is make your rule tighter and add a connection rate ratio to start collecting IP's. (I use logsentry/logcheck)

Security Violations
=-=-=-=-=-=-=-=-=-=
Aug 8 11:48:16 traci sshd[1099]: Failed password for invalid user root from 72.11.128.61 port 42049 ssh2
Aug 8 11:48:17 traci sshd[25952]: Failed password for invalid user root from 72.11.128.61 port 42104 ssh2
Aug 8 11:48:18 traci sshd[2543]: Failed password for invalid user root from 72.11.128.61 port 42149 ssh2
Aug 8 11:48:19 traci sshd[14785]: Failed password for invalid user root from 72.11.128.61 port 42193 ssh2
Aug 8 11:48:20 traci sshd[75]: Failed password for invalid user root from 72.11.128.61 port 42242 ssh2

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug 8 11:48:16 traci sshd[1099]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:16 traci sshd[28065]: input_userauth_request: invalid user root
Aug 8 11:48:16 traci sshd[1099]: Failed password for invalid user root from 72.11.128.61 port 42049 ssh2
Aug 8 11:48:16 traci sshd[28065]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:17 traci sshd[25952]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:17 traci sshd[4408]: input_userauth_request: invalid user root
Aug 8 11:48:17 traci sshd[25952]: Failed password for invalid user root from 72.11.128.61 port 42104 ssh2
Aug 8 11:48:17 traci sshd[4408]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:18 traci sshd[2543]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:18 traci sshd[23885]: input_userauth_request: invalid user root
Aug 8 11:48:18 traci sshd[2543]: Failed password for invalid user root from 72.11.128.61 port 42149 ssh2
Aug 8 11:48:18 traci sshd[23885]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:19 traci sshd[14785]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:19 traci sshd[22134]: input_userauth_request: invalid user root
Aug 8 11:48:19 traci sshd[14785]: Failed password for invalid user root from 72.11.128.61 port 42193 ssh2
Aug 8 11:48:19 traci sshd[22134]: Received disconnect from 72.11.128.61: 11: Bye Bye
Aug 8 11:48:20 traci sshd[75]: User root from 72.11.128.61 not allowed because not listed in AllowUsers
Aug 8 11:48:20 traci sshd[12103]: input_userauth_request: invalid user root
Aug 8 11:48:20 traci sshd[75]: Failed password for invalid user root from 72.11.128.61 port 42242 ssh2
Aug 8 11:48:20 traci sshd[12103]: Received disconnect from 72.11.128.61: 11: Bye Bye

pfctl -t DoS_hosts -T show -v
   72.11.128.61
        Cleared:     Wed Aug  8 11:48:20 2007
        In/Block:    [ Packets: 6        Bytes: 240       ]
        In/Pass:     [ Packets: 0        Bytes: 0         ]
        Out/Block:   [ Packets: 0        Bytes: 0         ]
        Out/Pass:    [ Packets: 0        Bytes: 0         ]
--
~Allie D.

On Wed, August 8, 2007 10:26, David Newman wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6/27/07 10:39 PM, Daniel Ouellet wrote:
Steve B wrote:
The rule I've had in my pf.conf file to catch and block forceful SSH attempts no longer appears to be working. I see the entries in my authlog, but the IPs are no longer getting added to my table. I suspect I screwed something up, but so far I am at a loss to see where. Could someone pass another set of eyes over the relevant parts of my pf.conf?
Put quickly as an example, but you can try:

# Define some variable for clarity
SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"

## SSH Hackers - blocked IPs
table <scanners> persist file "/etc/tables/scanners"

# Block ssh access to bad ssh scanner
block drop in log quick on $ext_if inet proto tcp \
    from <scanners> to any port ssh

# Allow quick valid traffic to ssh but log all attempts as well
pass in log quick on $ext_if inet proto tcp from ! <scanners> \
    to $ext_if port ssh flags S/SA keep state \
    $SSH_LIMIT

I've added something like this to pf.conf but it's only partially successful. I would appreciate any clues as to why it's not blocking all brute-force attempts.

On an OBSD 4.1 box, here's what I added to pf.conf ($unpro is the Internet-facing interface):

#
# Define limit of ssh connection rates
SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"

# SSH scanners - blocked IPs
table <scanners> persist

block drop in log quick on $unpro inet proto tcp \
    from <scanners> to any port ssh

# Allow quick valid traffic to ssh but log all attempts as well
pass in log quick on $unpro inet proto tcp from ! <scanners> \
    to $unpro port ssh $SSH_LIMIT
#

And it appears to be working, at least in part:

[EMAIL PROTECTED] ~ 501$ sudo pfctl -t scanners -T
Re: log rotation
Cronolog...no restart needed.
--
~Allie D.

On Tue, May 15, 2007 12:11, John Mendenhall wrote:
If you don't mind a second or two of down time then you can use something like this in newsyslog.conf as a restart command:

apachectl stop;sleep 1;apachectl start;sleep 10;apachectl start

The first sleep gives apache a second to finish active requests before trying to start again. The second sleep and start is to catch the case where the first start fails because apache is still running.

I have a script which does the following:
+ rotates logs
+ calls apachectl stop (twice, with sleep 2 after each call)
+ calls apachectl stop and greps the output to make sure it is stopped (looks for 'not running')
+ if I don't find not running, pages me
+ run apachectl startssl

This is all in a wrapper script which then calls awstats after a successful rotate and restart. Works for us.

JohnM
--
john mendenhall [EMAIL PROTECTED] surf utopia internet services
Re: log rotation
I run it on a chrooted server...works fine.

ErrorLog "|/usr/local/sbin/cronolog /var/www/logs/%Y/%m/%d/error.log"
CustomLog "|/usr/local/sbin/cronolog /var/www/logs/%Y/%m/%d/access.log" combined

I don't think there's any more configuration than that.
--
~Allie D.

On Tue, May 15, 2007 13:41, Robert Zajda wrote:
But it doesn't want to work in chroot.

On 5/15/07, Allie D. [EMAIL PROTECTED] wrote:
Cronolog...no restart needed.
--
~Allie D.

On Tue, May 15, 2007 12:11, John Mendenhall wrote:
If you don't mind a second or two of down time then you can use something like this in newsyslog.conf as a restart command:

apachectl stop;sleep 1;apachectl start;sleep 10;apachectl start

The first sleep gives apache a second to finish active requests before trying to start again. The second sleep and start is to catch the case where the first start fails because apache is still running.

I have a script which does the following:
+ rotates logs
+ calls apachectl stop (twice, with sleep 2 after each call)
+ calls apachectl stop and greps the output to make sure it is stopped (looks for 'not running')
+ if I don't find not running, pages me
+ run apachectl startssl

This is all in a wrapper script which then calls awstats after a successful rotate and restart. Works for us.

JohnM
--
john mendenhall [EMAIL PROTECTED] surf utopia internet services
Re: OpenBSD 4.1 Released
Thanks to all the developers for your continued hard work and dedication. -- ~Allie D. On Tue, May 1, 2007 07:54, Bob Beck wrote: May 1, 2007. We are pleased to announce the official release of OpenBSD 4.1. snip...
[Fwd: Shipped Order:2007/3/12-13:27:10-21493:]
YES! It's on its way!!
--
~Allie D.

-------- Original Message --------
Subject: Shipped Order:2007/3/12-13:27:10-21493:
From: OpenBSD Shipping [EMAIL PROTECTED]
Date: Thu, April 19, 2007 15:30
To: [EMAIL PROTECTED]
--
USPS tracking number 030508313176xx assigned to a shipment as follows:

BSD41.0020
Computer Shop/OpenBSD
Box 28
Sweet Grass, MT 59484 USA

98072  Software on CDROM   Canada   50
       T-shirts            Canada   25
       US $ TOTAL          --       75

This is the tracking number advice script, letting you know that a package has been or is just about to be mailed to you with a green USPS barcoded tracking label and that progress of the package may be watched by viewing the USPS website:
http://www.usps.com/shipping/trackandconfirm.htm
and entering in your tracking number. (There may be a delay of a day or two before it first shows up).

Packages shipped by this method are not insured by USPS, however we guarantee safe delivery. Typical transit times are 4 to 10 days. Guarantee claims may be initiated after 30 days, should loss in the mail be suspected. However, if one of the rare, but overly long, postal delays interferes with an urgent project of yours, or events arise that increase the urgency of your requirements, do not hesitate to contact us. We have solutions for most any circumstance.

This message concerns only one package, and there may, or may not, be other packages sent out for your order.

OpenBSD Shipping
Re: OpenBSD 4.1 Pre-Orders...
Oh hell yea I did. Right when it came out on undeadly I ordered.
--
~Allie D.

On Mon, March 12, 2007 15:01, Darrin Chandler wrote:
Have you got yours yet?!
http://undeadly.org/cgi?action=article&sid=20070312181549
--
Darrin Chandler | Phoenix BSD Users Group
[EMAIL PROTECTED] | http://bsd.phoenix.az.us/
http://www.stilyagin.com/darrin/ |
Re: spamd unnecessarily abrasive?
All I have to say about this thread is...hey Theo, nice to see you back, I needed some comic relief today. Oh and my feelings about being abrasive towards spammers is fuck 'em, I hate spammers. I wish spamd could shit on their servers but that's not a settable option. Maybe spamd -P would poop on the connecting MTA ;) Bob...can it be done?
--
~Allie D.

On Tue, February 20, 2007 12:23, Theo de Raadt wrote:
I haven't looked at the implementation in OpenBSD extensively, but at
Well, perhaps you should, instead of commenting before you do.
a basic level there are two portions, the greylist function, and the waste their time function, yes? I'm talking about bypassing the first, not the second.
Neither cost us. Neither is bypassable.
Even in the second case, if the spammer notices they're connecting to something that will waste their (bot's) time, they can simply disconnect and use the bot's resources to do something else.
No spam was delivered. Again, what is the problem?
Not that the spammers really care about wasting resources *that* much since they don't have to pay for them (or very little for a bot herd compared to bulletproof hosting), but it could make them a little more efficient.
No spammers care about wasted resources? I didn't know you were a spammer, and knew what they cared about. I guess their lack of wasted resources must be why they retry, like SMTP demands. Except they don't. Perhaps it is not so simple?
The history of fighting spam has tended to show that if any form of combating spam becomes too effective (and wide-spread), spammers will invest effort figuring out how to defeat it.
You're right. We should not try.
This whole conversation is totally stupid. You don't use spamd, yet you want to discuss it. I think you just want to see your words on mailing lists.
Re: MySQL, pulling my hair out
Try this, it works in chrooted Apache ;) Season to taste... rc.local ### MySQL rm -R /var/www/var/run/mysql mkdir -p /var/www/var/run/mysql \ chown -R _mysql._mysql /var/run/mysql /usr/local/bin/mysqld_safe --user=_mysql --open-files=1000 -log sleep 10 ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock rc.shutdown ### MySQL /usr/local/share/mysql/mysql.server stop -- ~Allie D. On Sun, November 19, 2006 10:50, Otto Moerbeek wrote: On Sun, 19 Nov 2006, Gaby Vanhegan wrote: I'm really having an incredibly painful time with MySQL on 3.9. Has anybody had a problem getting MySQL 4 or 5 to play happy? I've read these pages: http://www.openbsdsupport.org/mysql.htm http://monkey.org/openbsd/archive/misc/0411/msg03296.html http://marc.theaimsgroup.com/?l=openbsd-miscm=111881975209858w=2 http://marc.theaimsgroup.com/?l=openbsd-miscm=111887588311627w=2 And applied it to MySQL 5, both from ports, and the latest 4.x release built from source. I still get the database basically locking under moderate load, or failing to do a mysqlcheck. 
The errors I get (from the .err file) are along these lines: 061119 18:03:31 [ERROR] /usr/local/libexec/mysqld: Can't find file: './condor5/user.frm' (errno: 9) 061119 18:03:31 [ERROR] /usr/local/libexec/mysqld: Can't find file: './condor5/user_in_group.frm' (errno: 9) 061119 18:03:31 [ERROR] /usr/local/libexec/mysqld: Can't find file: './condor5/user_in_group.frm' (errno: 9) (using 4.x) Or these when doing the suggested mysqlcheck command: mysql.columns_priv OK mysql.db OK mysql.func error: File './mysql/func.MYD' not found (Errcode: 9) mysql.help_category error: File './mysql/help_category.MYD' not found (Errcode: 9) mysql.help_keyword error: File './mysql/help_keyword.MYD' not found (Errcode: 9) mysql.help_relation error: File './mysql/help_relation.MYD' not found (Errcode: 9) mysql.help_topic error: File './mysql/help_topic.MYD' not found (Errcode: 9) I've followed all the instructions on the relevant pages, and instructions form the mail archives but to no avail. I have a theory that it doesn't hold up under the load of dspam using MySQL as it's back end, and I'll be trying that running under something else but for the moment, normal every day databases just stop working after a while. What have you had to do to get MySQL up and running properly? How do you start mysql? It's essential you start it with the proper login class, like: su -c _mysql root ... -Otto # sysctl kern.maxfiles kern.maxfiles=13666 # cat /etc/login.conf ... 
#
# MySQL daemon
#
_mysql:\
        :datasize=infinity:\
        :maxproc=infinity:\
        :openfiles-cur=2048:\
        :openfiles-max=8192:\
        :stacksize-cur=8M:\
        :localcipher=blowfish,8:\
        :tc=default:

# userinfo _mysql
login   _mysql
passwd  *
uid     502
groups  _mysql
change  NEVER
class   _mysql
gecos   MySQL Account
dir     /nonexistent
shell   /sbin/nologin
expire  NEVER

# cat /etc/my.cnf | grep files
open_files_limit = 2048

# dmesg
OpenBSD 3.9 (GENERIC.MP) #598: Thu Mar 2 02:37:06 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) D CPU 2.66GHz (GenuineIntel 686-class) 2.68 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID
real mem = 2146541568 (2096232K)
avail mem = 1952505856 (1906744K)
using 4278 buffers containing 107429888 bytes (104912K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 10/30/05, BIOS32 rev. 0 @ 0xf0010
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0x8000 0xc8000/0x2200
mainbus0: Intel MP Specification (Version 1.1) (INTELPremium )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) D CPU 2.66GHz (GenuineIntel 686-class) 2.68 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82955X MCH rev 0x81
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci1 at ppb0 bus 4
ppb1 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci2 at ppb1 bus 3
em0 at pci2 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic
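The post above places a login.conf class limit (openfiles-cur/openfiles-max) beside mysqld's own open_files_limit. As an added example, not code from the post or from OpenBSD or MySQL, here is a small parser for login.conf class records (backslash continuations and tc= inheritance) that checks whether the daemon's requested limit fits under the class's hard limit; the login.conf and my.cnf samples are constructed to mirror the layout quoted above.

```python
import re

# Constructed sample in the layout quoted in the post above (not the poster's files).
LOGIN_CONF = """\
default:\\
\t:openfiles-cur=512:\\
\t:openfiles-max=1024:
_mysql:\\
\t:datasize=infinity:\\
\t:openfiles-cur=2048:\\
\t:openfiles-max=8192:\\
\t:tc=default:
"""
MY_CNF = "[mysqld]\nopen_files_limit = 2048\n"

def parse_login_conf(text):
    """Return {class: {capability: value}}, with tc= inheritance resolved."""
    records = []  # each entry: [list of field strings, continues-on-next-line?]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cont = line.endswith("\\")
        line = line.rstrip("\\").strip()
        if records and records[-1][1]:
            records[-1][0].append(line)   # continuation of the previous record
            records[-1][1] = cont
        else:
            records.append([[line], cont])
    classes = {}
    for fields, _ in records:
        caps = [f for f in ":".join(fields).split(":") if f]
        classes[caps[0]] = dict(f.partition("=")[::2] for f in caps[1:])

    def resolve(name, seen=()):  # child capabilities override the tc= parent
        caps = dict(classes[name])
        parent = caps.pop("tc", None)
        if parent in classes and parent not in seen:
            return {**resolve(parent, seen + (name,)), **caps}
        return caps
    return {n: resolve(n) for n in classes}

def check_fd_budget(login_conf, my_cnf, cls="_mysql"):
    """Compare mysqld's open_files_limit with the class fd limits; a process may raise
    its own soft limit (openfiles-cur) but never past the hard one (openfiles-max)."""
    caps = parse_login_conf(login_conf)[cls]
    lim = lambda k: None if caps.get(k) in (None, "infinity") else int(caps[k])
    hard = lim("openfiles-max")
    m = re.search(r"^\s*open_files_limit\s*=\s*(\d+)", my_cnf, re.M)
    want = int(m.group(1)) if m else None
    fits = want is None or hard is None or want <= hard
    return {"cur": lim("openfiles-cur"), "max": hard, "want": want, "fits_hard_limit": fits}
```

`fits_hard_limit` is False when the daemon asks for more descriptors than its login class can ever grant it, which is the mismatch worth ruling out before suspecting the daemon itself.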
Re: Problems applying 002_openssl.patch for OpenBSD 4.0
rm -rf /usr/obj/* and then try again.

P.S. I have an error code 71 on one of my boxes on the make install... think my disk is now full of cruft from countless upgrades, it's time to wipe it and start over.

-- ~Allie D.

On Sun, November 12, 2006 09:28, Andreas Maus wrote:

Hi.

After updating from OpenBSD 3.9 to 4.0 I extracted the new tarballs src.tar.gz and sys.tar.gz and got the patches for OpenBSD 4.0 from openbsd.org/errata.html

I had no problem applying the patches except for 002_openssl, which stops during make with:

# make
[... snipp ...]
===> crypto
cc -O2 -pipe -g -DL_ENDIAN -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE -DNO_ERR -DOPENSSL_NO_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_MDC2 -DNO_WINDOWS_BRAINDEATH -DOPENSSL_NO_HW_CSWIFT -DOPENSSL_NO_HW_NCIPHER -DOPENSSL_NO_HW_ATALLA -DOPENSSL_NO_HW_NURON -DOPENSSL_NO_HW_UBSEC -DOPENSSL_NO_HW_AEP -DOPENSSL_NO_HW_SUREWARE -DOPENSSL_NO_HW_4758_CCA -I/usr/src/lib/libssl/crypto/../src -I/usr/src/lib/libssl/crypto/../src/crypto -I/usr/src/lib/libssl/crypto/obj -DAES_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENBSD_CAST_ASM -DOPENBSD_DES_ASM -c /usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c -o rsa_eay.o
cc -O2 -pipe -g -DL_ENDIAN -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE -DNO_ERR -DOPENSSL_NO_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_MDC2 -DNO_WINDOWS_BRAINDEATH -DOPENSSL_NO_HW_CSWIFT -DOPENSSL_NO_HW_NCIPHER -DOPENSSL_NO_HW_ATALLA -DOPENSSL_NO_HW_NURON -DOPENSSL_NO_HW_UBSEC -DOPENSSL_NO_HW_AEP -DOPENSSL_NO_HW_SUREWARE -DOPENSSL_NO_HW_4758_CCA -I/usr/src/lib/libssl/crypto/../src -I/usr/src/lib/libssl/crypto/../src/crypto -I/usr/src/lib/libssl/crypto/obj -DAES_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENBSD_CAST_ASM -DOPENBSD_DES_ASM -c /usr/src/lib/libssl/src/crypto/rsa/rsa_err.c -o rsa_err.o
cc -O2 -pipe -g -DL_ENDIAN -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE -DNO_ERR -DOPENSSL_NO_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_MDC2 -DNO_WINDOWS_BRAINDEATH -DOPENSSL_NO_HW_CSWIFT -DOPENSSL_NO_HW_NCIPHER -DOPENSSL_NO_HW_ATALLA -DOPENSSL_NO_HW_NURON -DOPENSSL_NO_HW_UBSEC -DOPENSSL_NO_HW_AEP -DOPENSSL_NO_HW_SUREWARE -DOPENSSL_NO_HW_4758_CCA -I/usr/src/lib/libssl/crypto/../src -I/usr/src/lib/libssl/crypto/../src/crypto -I/usr/src/lib/libssl/crypto/obj -DAES_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENBSD_CAST_ASM -DOPENBSD_DES_ASM -c /usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c -o rsa_x931.o
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c: In function `RSA_X931_hash_id':
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:165: error: `NID_sha256' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:165: error: (Each undeclared identifier is reported only once
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:165: error: for each function it appears in.)
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:168: error: `NID_sha384' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:171: error: `NID_sha512' undeclared (first use in this function)
*** Error code 1

Stop in /usr/src/lib/libssl/crypto.
*** Error code 1

Stop in /usr/src/lib/libssl.

All previous commands for this patch (cd lib/libssl, make obj, make depend, make includes) didn't produce any errors.

Can someone give me some hints about this?

Thanks, Andreas.

-- Hobbes: Shouldn't we read the instructions? Calvin: Do I look like a sissy?
Re: OpenBSD 4.0 sparc64
I'm running a Blade 150 that I recently upgraded and have no complaints. You need to make a bootable install disk or boot into bsd.rd to get the install going.

-- ~Allie D.

On Thu, November 9, 2006 23:42, Ikmal Ahmad wrote:

Hi all,

Based on http://www.openbsd.org.my/sparc64.html, it seems that OpenBSD can be installed on Sun Blade 100/150 machines. I have this problem when doing a disk installation on a Blade 100. Below is the error.

ok boot disk /bsd
Boot device: /[EMAIL PROTECTED],0/[EMAIL PROTECTED]/[EMAIL PROTECTED],0 File and args: /bsd
ERROR: Last Trap: Fast Data Access MMU Miss Error -256
ERROR: Last Trap: Fast Data Access MMU Miss Error -256
ok

I have upgraded OBP to the latest version. Here is the OBP info:

Sun Blade 100 (UltraSPARC-IIe), Keyboard Present
Copyright 2005 Sun Microsystems, Inc. All rights reserved.
OpenBoot 4.17.1, 256 MB memory installed,

Any idea how to solve this problem?

-- Thanks Regards, Ikmal aka EvoIVGSR
http://www.leakage.org/
http://root.justdied.com/mylife/
http://www.openbsd.org.my/
http://mirrors.mybsd.org.my/
Re: Problem when apply 001_httpd.patch
On Thu, November 9, 2006 12:49, Maverick wrote:

Oops. The rest of the post is gone :-( The thing that I got back after patch -p0 < 001_httpd.patch is this:

Hmm... Looks like a unified diff to me...
The text leading up to this was:
--
|Apply by doing:
|        cd /usr/src
|        patch -p0 < 001_httpd.patch
|
|And then rebuild and install httpd and its modules:
|        cd usr.sbin/httpd
|        make -f Makefile.bsd-wrapper obj
|        make -f Makefile.bsd-wrapper cleandir
|        make -f Makefile.bsd-wrapper depend
|        make -f Makefile.bsd-wrapper
|        make -f Makefile.bsd-wrapper install
|
|
|If httpd had been started, you might want to run
|        apachectl stop
|before running make install, and
|        apachectl start
|afterwards.
|
|Index: usr.sbin/httpd/src/main//http_protocol.c
|===
|RCS file: /cvs/src/usr.sbin/httpd/src/main/http_protocol.c,v
|retrieving revision 1.30
|retrieving revision 1.30.4.1
|diff -u -p -r1.30 -r1.30.4.1
|--- usr.sbin/httpd/src/main//http_protocol.c 11 Feb 2006 19:15:57 - 1.30
|+++ usr.sbin/httpd/src/main//http_protocol.c 1 Nov 2006 21:18:38 - 1.30.4.1
--
File to patch:

I tried the 003 patch but it happened to be the same sort of thing. Why do they ask me for the file to patch :( Can you please tell me what I have done wrong here? :-( Thank you very much

Try and cd /usr/src before trying to patch ;) The patches assume you're patching from that directory.

Enjoy...

Joel Goguen wrote:

I don't see an issue there. It looks like it applied properly. Follow the directions it printed out and see that it compiles and installs properly :)

On 11/9/06, Maverick [EMAIL PROTECTED] wrote:

Hi, I am trying to apply the 001 patch. What I have done is

cd /usr/src
patch -p0 < 001_httpd.patch

and it came back to me as:

Hmm... Looks like a unified diff to me...
The text leading up to this was:
--
|Apply by doing:
|        cd /usr/src
|        patch -p0 < 001_httpd.patch
|
|And then rebuild and install httpd and its modules:
|        cd usr.sbin/httpd
|        make -f Makefile.bsd-wrapper obj
|        make -f Makefile.bsd-wrapper cleandir
|        make -f Makefile.bsd-wrapper depend
|        make -f Makefile.bsd-wrapper
|        make -f Makefile.bsd-wrapper install
|
--

-- Joel Goguen
Bachelor of Computer Science III
University of New Brunswick
http://iapetus.dyndns.org/
Re: OpenBSD 4.0 released Nov 1, 2006
Thanks for an early xmas/Hanukkah present!

-- ~Allie D.

On Tue, October 31, 2006 16:15, Theo de Raadt wrote:

Nov 1, 2006.

We are pleased to announce the official release of OpenBSD 4.0. This is our 20th release on CD-ROM (and 21st via FTP). We remain proud of OpenBSD's record of ten years with only a single remote hole in the default install.

As in our previous releases, 4.0 provides significant improvements, including new features, in nearly all areas of the system:
Re: Chrooted apache with chrooted ftp - how users can upload websites now?
Read the FAQ... put the users' home dirs in /var/www and set up anonymous ftp, yet define the users, and it works well. BTW you don't need inetd, just run ftpd as a daemon.

Marcin Wilk([EMAIL PROTECTED])@Sat, Nov 05, 2005 at 02:04:18AM +0100:

Hello! I was searching but can't find an answer. I've got OpenBSD 3.7 with the default Apache (chrooted); I'm using the ftp server from the base system, enabled by inetd. I would like to make users not be able to read anything except their own /home/user folder /var/www/users/user folder. How can I do that with such a configuration? Is there any way to do that, or do I have to use some other FTP server? If I have to use another ftp, which one will give the features that I need?

Best Regards

-- Allie D.
Allnix,LLC.
http://www.allnix.net
Locking down your network, one port at a time

You will never amount to much. -- Munich Schoolmaster, to Albert Einstein, age 10
Re: Chrooted apache with chrooted ftp - how users can upload websites now?
Not out of the box you can't. I'd rather run an audited piece of software that's less secure but chroots a user than a band-aid that could open yourself up to other problems.

Bob Ababurko([EMAIL PROTECTED])@Fri, Nov 04, 2005 at 08:51:52PM -0500:

Allie D wrote:

Read the FAQ... put the users' home dirs in /var/www and set up anonymous ftp, yet define the users, and it works well. BTW you don't need inetd, just run ftpd as a daemon.

Marcin Wilk([EMAIL PROTECTED])@Sat, Nov 05, 2005 at 02:04:18AM +0100:

Hello! I was searching but can't find an answer. I've got OpenBSD 3.7 with the default Apache (chrooted); I'm using the ftp server from the base system, enabled by inetd. I would like to make users not be able to read anything except their own /home/user folder /var/www/users/user folder. How can I do that with such a configuration? Is there any way to do that, or do I have to use some other FTP server? If I have to use another ftp, which one will give the features that I need?

Best Regards

I use scponly for that exact purpose. It is secure and you can chroot the user to their home directory.

-Bob

-- Allie D.
Allnix,LLC.
http://www.allnix.net
Locking down your network, one port at a time

Just because the message may never be received does not mean it is not worth sending.
Re: djbdns DNS server? Status, Pros and Cons?
I have used djbdns since '02 with no issues whatsoever. You'll love the data file structure compared with BIND.

Anders Jönsson said:

Hello folks. I recently bought a very good book: Mastering FreeBSD and OpenBSD Security. They have a chapter dealing with DNS servers and there they mention djbdns; they think it has some strong points, so I am somewhat curious about whether anybody out there has any viewpoint about using this instead of BIND, especially since the last version of djbdns I found was from 2001??! I can't believe that it is so good that there is no need to patch it now and then?
Re: Dell HW?
I run SC400's, various laptops (old and new), and desktops (old and new) without any issues.

-- Allie D.
Allnix,LLC.
http://www.allnix.net
PGP Public key: http://www.allnix.net/ads_public_key

Marco Peereboom said:

I run just about any imaginable server they sell. Works for me tm.

On May 19, 2005, at 2:10 PM, L. V. Lammert wrote:

We have been requested to use Dell HW for some new systems. Any recommended models (RM) for:

1) Gateway/firewall?
2) SAN?

In the alternative, any to avoid?

Thanks!

Lee