Re: FS of choice for max random iops ( Maildir )
Volodymyr Kostyrko c.kw...@gmail.com, 2011-09-17 14:33 (+0200):
> You really like to wait for hours before fsck will finish checking for your volume?

While it's true that fsck on large filesystems takes ages, soft updates and background fsck make it a lot less bothersome than it used to be.

-- http://hack.org/mc/ Use plain text e-mail, please. HTML messages silently dropped. OpenPGP welcome, 0xE4C92FA5.

___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Can't Download FreeBSD
Or you can try BT: http://torrents.freebsd.org:8080/
LVS/DR load balancing via FreeBSD
Hi, We have two Linux servers doing LVS/DR load balancing (rewriting MAC addresses). Is there a way to do this in FreeBSD, so there won't be a need for Linux servers here? ( http://www.linuxvirtualserver.org/VS-DRouting.html ) There is a port net/ipvs, but it's an old and (seemingly) unmaintained set of patches. -- Alexandr Matveev
Re: LVS/DR load balancing via FreeBSD
On 19/09/2011 11:44, Alexandr Matveev wrote:
> We have two Linux servers doing LVS/DR load balancing (rewriting MAC addresses). Is there a way to do this in FreeBSD, so there won't be need for a Linux servers here? ( http://www.linuxvirtualserver.org/VS-DRouting.html ) There is a port net/ipvs but it's an old and (seemingly) unmaintained patches.

Sounds like relayd(8) might be what you need -- in ports as net/relayd. It works with the pf(4) firewall, and you can use it to implement almost all of the functions of an expensive hardware load balancer on a cheap PC. It should be able to do what you want -- which I am more familiar with as 'Direct Server Return.' relayd(8) is ported from OpenBSD, and the FreeBSD port doesn't yet support absolutely everything that it can do natively on OpenBSD. The missing stuff is mostly to do with creating a HA firewall/load-balancer pair, which seems to be one of your requirements, so you might want to try it under OpenBSD. Cheers, Matthew

-- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW PGP: http://www.infracaninophile.co.uk/pgpkey JID: matt...@infracaninophile.co.uk
Re: 9.0 beta2 the new bsdinstaller
Nathan Whitehorn wrote: On 09/19/11 02:52, Fbsd8 wrote: Kevin Oberman wrote: On Sun, Sep 18, 2011 at 2:55 AM, Thomas Mueller mueller6727@bellsouth.net wrote: Some more ideas on the new bsdinstaller cross my mind. Since the way the bsdinstaller would make partitions is unpredictable, at least to the uninitiated, and in all likelihood at variance with how much space the user wants to allocate, it might be better to offer a roadmap to help guide the user to allocating space for FreeBSD using gpart or Rod Smith's gdisk. Also, I can't see the function of the 64 KB boot partition with no file system, which does not boot for me, though I can boot the main partition using grub2 from the System Rescue CD (http://sysresccd.org/). The 64KB freebsd-boot partition is to contain the GPT boot code which is used by UEFI BIOS in place of the old MBR used by legacy BIOS. You need to use gpart(8) to write the GPT boot code to that partition, but I don't know if bsdinstall does so. It might just write the PMBR that is used for booting with legacy BIOS. I'll admit that I have not checked. (See the gpart(8) man page for details on writing the pmbr and gptboot.) I assume bsdinstall writes both so that AMD64 machines with EFI and 32-bit systems will both work. This is very different from the old traditional slice/partition system. The above info is another example of the type of information that should be added to a help option on the dialog screen for the bsdinstall disk configuration function. I also think that the bsdinstaller should offer the user an option to select between using the old MBR configuration used by legacy BIOS that sysinstall uses and the new gpart configuration which bsdinstall offers now. You absolutely can do new MBR installs, as well as new straight bsdlabel installs (dangerously dedicated). You just have to use the partition editor instead of the autopartitioner, and then choose to use the appropriate partition type. -Nathan I think you missed the point here. 
What is being requested is the partitioning dialog from sysinstall to be included in bsdinstall. The bsdinstall partitioning dialog should inform users about the differences between older and newer PCs and offer options to auto-configure the HD appropriately. Or better yet, have bsdinstall check the hardware's BIOS to determine whether it is UEFI aware and what methods can be used to partition. The key here is that bsdinstall should provide at least the same level of automation as sysinstall has on this subject.
OpenLDAP + CARP
Hi guys, Is there a way to set up an OpenLDAP HA cluster (intersite multimaster) with CARP on FreeBSD? Rafael.
Passing additional options to jail(8) via rc.conf
Hello, let's say I want to pass additional options like ip4=inherit to my jails configured via /etc/rc.conf. How do I get this to work? Apparently, setting jail_www_flags="-l -U root ip4=inherit" is the wrong order, because these parameters are expected after -c, which is apparently inserted by the rc script *after* the flags passed via the variable. Has anyone else had this problem, and is there a way to solve it rather than setting the jail up by hand in rc.local? I'd prefer using the sugar rc.conf offers me. Maybe there is another, undocumented variable for this kind of option? Am I overlooking something? Thanks in advance, Moritz
location of bsdinstall welcome dialog screen source
When installing 9.0 from CD or DVD, the first screen bsdinstall shows is the bsdinstall welcome screen. I can not locate the source for this. It's not in /usr/sbin or /usr/libexec/bsdinstall/. Can someone please point it out? Thanks
Re: Segmentation fault, _malloc_prefork () - debugging help needed
In the last episode (Sep 18), Unga said:
> I'm developing a multi-threaded application on FreeBSD. When it is running for some time, it develops a Segmentation fault. The ddd debugger shows the following:
>
>   Program received signal SIGSEGV, Segmentation fault.
>   [Switching to Thread 296c6580 (LWP 100137)]
>   0x28ee390e in _malloc_prefork () from /lib/libc.so.7
>
> How could I know the exact line in source where this issue develops?

If you have a full /usr/src tree extracted, you can edit /usr/src/lib/libc/Makefile and add

  DEBUG_FLAGS=-g

at the top, then run

  make obj
  make depend
  make
  make install

to install the new libc with debugging symbols. Then your debugger will show more info for functions inside libc. If you don't have a source tree checked out yet, install the devel/subversion-freebsd port, cd into /usr/src/ and run

  svn co svn://svn.freebsd.org/base/stable/8 .

(or base/release/8.2.0, or base/stable/7 or base/head, depending on which version you want; you can browse the branches at http://svnweb.freebsd.org/base/ before you check out anything)

-- Dan Nelson dnel...@allantgroup.com
Enlightenment tips and tricks
After using Gnome for a while I am giving Enlightenment a try. Loved it many years ago but it consumed a lot of resources; the current version does not appear to have that limitation. What other ports do Enlightenment fans recommend to extend its functionality? I have the gimp, AbiWord, Lyx, and Bluefish. I do like Gnumeric, but doesn't that pull in a lot of Gnome? (I already have Gnome but want to do over without it.) I am not a heavy spreadsheet power-user, maybe I should stick with Google Docs, which I do use? Favorite mail clients? I used to use sylpheed, does it play well with Enlightenment? Favorite web browser, again looking for integration, the way Epiphany fits in with Gnome. System administration tools? Notebook computer stuff, especially power management, at least as much as Gnome has. Monitoring tools, at least. A replacement for gdm that is more like Enlightenment than xdm is, as I recall.
Using ports and packages together (or, how do I get mod_php5 ? )
Hi, I'm running RELENG_8_2 and I've been using packages instead of ports for most things, because they're so much quicker. But certain packages aren't compiled the way I need them to be-- postfix had no TLS or SASL support, for example, so I built it from the port. However, that is beginning to lead to some dependency issues. When attempting to build php5 in order to obtain the apache module (see: http://lists.freebsd.org/pipermail/freebsd-questions/2009-March/195199.html ) Portinstall informs that libtool-2.2.10 (from the release package) is too old, that I need to upgrade to libtool 2.4 (which is available from the port). I'm concerned that, if I have some packages built from ports and some installed from the release, that the system will become unstable if things get too out of sync. Am I incorrect? i.e. should I just go ahead and install libtool 2.4 from the port? I don't see this discussed explicitly in the handbook. Thanks in advance, Brandon
limit number of ssh connections
Does anyone know a good way of limiting the number of ssh attempts from a single IP address? I found the following website, which describes a variety of approaches: http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins But I am honestly not really happy with any of them. Continuously polling log files for regex hits seems...well crude. Just to give you an idea of what I mean, here were some of the issues I had. The sshd-scan.sh script allows IPs to be reinstated, but the timing is dependent on how frequently you rotate logs. sshguard has a pretty website, but I can't actually find much useful documentation on how to configure it. fail2ban looks like it might work with sufficient work, but the defaults are terrible. By default, every time an IP is reinstated, all IPs are reinstated. Not to mention, at present I can't seem to get it to trigger any hits. I suppose I could keep shopping, but the truth is I just think polling log files is the wrong way to solve the problem. Anything based on this approach is going to have a long latency and be highly dependent on the unspecified and unstable formatting of log files (see http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4) and the troubles an exclamation point can cause). I would much much rather do something like this: http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/ Does anyone know a way to do something similar with ipfw? Thanks in advance, Jim
Re: limit number of ssh connections
Again, if your goal is to protect against attacks, you might want to look at sshguard from the ports. Otherwise I believe there's a sshd_config directive to limit the number of concurrent connections from a single source IP.

On 19 Sep 2011, at 22:02, James Strother jstrother9...@gmail.com wrote:
> That's an interesting project, I hadn't realized port knocking had become so easy to use. Unfortunately, for this particular server, I need to be able to provide a simple way for (a very limited number of) users to login into the system remotely using a variety of OS platforms. So I don't think port knocking is a good fit here. Thanks, Jim
>
> 2011/9/19 Григорьев Александр mr.fes...@yandex.ru:
>> If your target is protect freebsd box from bruting passwords from inet maybe security/knockd will help you?
>>
>> 19.09.2011, 23:05, James Strother jstrother9...@gmail.com:
>>> Does anyone know a good way of limiting the number of ssh attempts from a single IP address? [...]
Re: limit number of ssh connections
2011/9/19 Григорьев Александр mr.fes...@yandex.ru:
> If your target is protect freebsd box from bruting passwords from inet maybe security/knockd will help you?
>
> 19.09.2011, 23:05, James Strother jstrother9...@gmail.com:
>> Does anyone know a good way of limiting the number of ssh attempts from a single IP address?

Hi James, (not what you asked, obviously) in my experience running ssh on a high port cuts the amount of unwanted ssh connections to approximately zero; in fact I got a surprise when seeing a sec log from a box which I hadn't done this for. Paul.
Re: Using ports and packages together (or, how do I get mod_php5 ? )
On Mon, 19 Sep 2011, Brandon Kuczenski wrote:
> I'm concerned that, if I have some packages built from ports and some installed from the release, that the system will become unstable if things get too out of sync.

I'd like to say it doesn't matter, but ... If you are using packages from the time of 8.2 release, you almost certainly will have trouble using the current (not CURRENT) ports tree for 8.2. With a fresh ports tree, study UPDATING. There is quite a lot of reading since 8.2 release. Ruby rolled forth and back, perl has rolled forward etc. You may do better upgrading with packages first before recompiling things you need to recompile. In principle there is nothing wrong with having mixed self-compiled ports and packages. THE MAIN PERILS are letting the ports tree get out of sync with itself. This could happen, for example, if you cvsup and it stops (or is stopped) before it is finished (to deal with that example, redo cvsup and be sure it completes before doing anything with ports); or getting the package database snafued, which can happen if you or the electric company interrupt the database update process.

> Am I incorrect? i.e. should I just go ahead and install libtool 2.4 from the port? I don't see this discussed explicitly in the handbook.

The handbook should not have much to say about this. Compiling ports yourself or using packages should leave you in exactly the same place (unless of course you make changes when you compile). The system cannot tell where the binary came from. We have the habit of saying port when we compile from the ports tree and package when we install a package - but they are really the same thing at a slightly deeper level. Packages ARE ports. /usr/ports/UPDATING is the key document. I don't see any notes since 8.2 release to suggest libtool backward compatibility problems have cropped up since then. Since more things depend on libtool than you can shake a stick at, it is likely to take a long time for pkgdb to edit the dependencies in the usual way. Investigating -s might help. PS: installing mod_php is an option which I think is called WITH_APACHE. To be absolutely sure it is set, run make config in the php5 port. The config will be saved and some port maintenance tools may assume it is right without prompting you.

-- Lars Eighner http://www.larseighner.com/index.html 8800 N IH35 APT 1191 AUSTIN TX 78753-5266
Re: limit number of ssh connections
Standard inetd(8) has many options including limiting connections based on IP address. Can it help in this case?

20.09.2011, 00:02, James Strother jstrother9...@gmail.com:
> That's an interesting project, I hadn't realized port knocking had become so easy to use. Unfortunately, for this particular server, I need to be able to provide a simple way for (a very limited number of) users to login into the system remotely using a variety of OS platforms. So I don't think port knocking is a good fit here. Thanks, Jim
>
> 2011/9/19 Григорьев Александр mr.fes...@yandex.ru:
>> If your target is protect freebsd box from bruting passwords from inet maybe security/knockd will help you?
>>
>> 19.09.2011, 23:05, James Strother jstrother9...@gmail.com:
>>> Does anyone know a good way of limiting the number of ssh attempts from a single IP address? [...]
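What the inetd(8) suggestion above looks like in practice, as an added example that is not part of the thread: FreeBSD's inetd.conf(5) lets the wait/nowait field carry per-service limits in the form nowait/max-child/max-connections-per-ip-per-minute/max-child-per-ip, and OpenSSH's sshd accepts -i to be run from inetd. The numbers, the interface choice of tcp and tcp6, and the rc.conf changes in the note below are assumptions for illustration, not settings the thread recommends.

```conf
# /etc/inetd.conf fragment (added example, not from the list thread).
# Field 4: wait/nowait[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
#
#   nowait   spawn one sshd per connection
#   20       at most 20 simultaneous sshd children overall (assumed value)
#   6        at most 6 new connections per minute from any single source
#            address; beyond that inetd logs the event and refuses that
#            address for a cooling-off period (inetd.conf(5) has the exact rule)
#   3        at most 3 simultaneous sshd children per source address
#
# "sshd -i" tells OpenSSH it was started by inetd and must serve the
# connection already open on stdin/stdout.
ssh     stream  tcp     nowait/20/6/3   root    /usr/sbin/sshd  sshd -i
ssh     stream  tcp6    nowait/20/6/3   root    /usr/sbin/sshd  sshd -i
```

To hand port 22 to inetd, set sshd_enable="NO" and inetd_enable="YES" in /etc/rc.conf and run /etc/rc.d/sshd stop followed by /etc/rc.d/inetd restart, keeping an existing session open until a fresh login works. Two caveats: each connection starts a new sshd that reloads the host keys, so accepts are a little slower (fine for a handful of users, not for a busy bastion), and because FreeBSD starts inetd with tcp_wrappers enabled by default, any /etc/hosts.allow rules for sshd keep applying on top of the rate limit.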
RE: System locking up.
-----Original Message----- From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Daniel Staal Sent: 18 September 2011 22:59 To: 'freebsd-questions@freebsd.org' Subject: Re: System locking up.

> --As of September 18, 2011 2:29:20 PM +0100, Graeme Dargie is alleged to have said:
>> I have a system that is being problematic, I suspect but I cannot say for sure it is maybe related to ZFS as I have a fairly large ZFS pool on the machine. The system will just lock up, local console does not respond to the keyboard, num lock still changes the led on the keyboard, the system still responds to pings but you cannot ssh to the unit. The behaviour is random the system can be running for 50 days plus with no issues then suddenly it enters this state, the error logs do not show anything.
> --As for the rest, it is mine.
>
> Where is your swap located? I've seen similar on a ZFS system with swap on ZFS, when running low on RAM. If that's the case, you can either put in more RAM (so you don't need to use swap) or move swap to a dedicated disk/partition, that's not under ZFS control. Daniel T. Staal
> --- This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law. ---

Swap is on the UFS boot disk, so it might be a heat/psu issue as previously suggested. Regards Graeme
Re: limit number of ssh connections
Wow, I'm glad I asked. This has been very helpful. @Григорьев Александр Thanks for the tip on inetd, that looks like it might just do the trick. @Paul Macdonald My main reason for looking into this was glancing through the logs on a server I just put online and seeing large numbers of unauthorized login attempts. Everything so far is highly unsophisticated, but it did make me start to really think about the issue. I might put ssh onto a different port, that would at least stop the sort of fishing I am currently seeing. It's not clear if that would be good enough. @Damien Fleuriot Have you had success with sshguard? Installed it from ports, but then I couldn't quite figure out how to configure it. To be honest, I didn't give it much of a chance before I moved on to the next thing, so if you've had good luck then I should probably give it another shot. I did flip through sshd_config, but as far as I can tell it is only possible to limit the number of concurrent connections. It might take a little longer, but I'm concerned it would still allow a malicious individual to sequentially brute-force a password. Thanks for all the responses.
Re: location of bsdinstall welcome dialog screen source
Michel Talon wrote:
> Fbsd8 wrote:
>> When installing 9.0 from cd or dvd the first screen bsdinstall shows is the bsdinstall welcome screen. I can not locate the source for this. Its not in /usr/sbin or /usr/libexec/bsdinstall/ Can someone please point it out?
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/bsdinstall/scripts/auto?rev=1.14

Sorry if my post was not clear. The 9.0 CD and DVD have bsdinstall in /usr/sbin and /usr/libexec/bsdinstall/. After the install is completed the HD also contains the same directories. /usr/sbin/bsdinstall is a script which sets some bsdinstall variables that launch the different install functions from /usr/libexec/bsdinstall/. This whole process starts with the keymap process as coded in the auto script. Now what I am looking for is the script that has the bsdinstall welcome screen dialog in it. It is displayed before the keymap screen is displayed.
Re: limit number of ssh connections
On 9/19/2011 2:05 PM, James Strother wrote:
> Does anyone know a good way of limiting the number of ssh attempts from a single IP address? [...] I would much much rather do something like this: http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/ Does anyone know a way to do something similar with ipfw? Thanks in advance, Jim

They cannot attack what they cannot see. That's why I wrote this: http://www.tundraware.com/Software/tperimeter/ It allows you to restrict access to a fixed set of hosts (via tcpwrappers) but to dynamically request access from any host (via wrapper rewriting) so long as you have credentials to do so. The current version has a worst-case latency of 5 minutes from the time you remotely request ssh access be granted until it actually is. I am working toward an update that will grant the request immediately.

-- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
RE: limit number of ssh connections
Moving ssh to another port has solved the problem for me. I had used sshguard in the past, but was always leery of locking myself out. Regards, Matt Emmerton

-----Original Message----- From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of James Strother Sent: Monday, September 19, 2011 5:47 PM To: freebsd-questions@freebsd.org Subject: Re: limit number of ssh connections
> Wow, I'm glad I asked. This has been very helpful. [...] I did flip through sshd_config, but as far as I can tell it is only possible to limit the number of concurrent connections. It might take a little longer, but I'm concerned it would still allow a malicious individual to sequentially brute-force a password. Thanks for all the responses.
Re: limit number of ssh connections
> Does anyone know a good way of limiting the number of ssh attempts from a single IP address? [...] I would much much rather do something like this: http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/ Does anyone know a way to do something similar with ipfw? Thanks in advance, Jim

Maybe you mean something like this?! http://home.nuug.no/~peter/pf/en/bruteforce.html
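The in-kernel approach Jim asked for, written out for pf(4) as an added example (not from the thread, and not text from the page linked above). It does exactly what the iptables article does without touching a log file: the state engine counts new connections per source address and, when a source trips the limit, pf itself drops the address into a table that a block rule consults. The interface name em0, the admin address 203.0.113.10 and the thresholds are assumptions to tune for the host.

```conf
# /etc/pf.conf fragment (added example, not from the list thread).
ext_if = "em0"                      # assumed external interface

# Addresses that tripped the limit. "persist" keeps the table alive even
# while it is empty; entries stay until you expire or flush them.
table <bruteforce> persist

# Sources that must never be locked out (the admin's own address; assumed).
table <admins> { 203.0.113.10 }

# 1. Admin sources bypass the rate limit entirely, so an attacker spoofing
#    nothing can still not lock the operator out by tripping "flush global".
pass in quick on $ext_if proto tcp from <admins> to ($ext_if) port ssh \
    flags S/SA keep state

# 2. Anything already in the table is refused outright.
block in quick on $ext_if proto tcp from <bruteforce> to ($ext_if) port ssh

# 3. Everyone else: at most 3 simultaneous SSH connections per source and at
#    most 5 new connections per 30 seconds. Exceeding either adds the source
#    to <bruteforce>; "flush global" also kills every existing state it has,
#    so sessions it already opened die with it.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Load it with pfctl -f /etc/pf.conf, watch the table with pfctl -t bruteforce -T show, and give entries a lifetime with a cron job such as pfctl -t bruteforce -T expire 86400 (drop entries older than a day), otherwise a dynamic address that was once abusive stays blocked forever. Keep an SSH session open while you enable this, and test from a second address: five rapid connections should succeed and the sixth should hang or be reset, after which the address appears in the table. For the ipfw question specifically: ipfw's dynamic rules can cap simultaneous connections per source (limit src-addr N) but have no rate-per-interval overload table, which is why pf is the usual answer on FreeBSD.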
Re: 9.0 beta2 keymap
Now I must point out that I tested hitting the cancel button in the kbdmap command. It worked in that no keymap= statement was inserted into /etc/rc.conf, but it must also make some other changes somewhere else in the system, because if you do select an entry from the kbdmap database and then remove the keymap= statement that was inserted into /etc/rc.conf and then reboot the system, it will hang on reboot.

Another point of interest is that selecting cancel for the default keyboard still results in the block of 9 keys above the arrow keys not functioning. Issuing the man cmd_name command does display the man page, but the {Page up, Page down} keys don't work. Also, when using the ee edit command the {delete, Page up, Page down} keys don't work. There may be more system utility commands with the same flaw. This may indicate that the default keyboard map in the kbdmap command has changed, is not the same as in previous releases, or something else in the 9.0 system has changed. In either case this needs research.

Joe

I continued to research this problem and found the cause. The content of 9.0 /etc/ttys has changed (i.e. cons25 is now xterm). I have some changes in ttys on 8.2 and I just copied that file over to 9.0 without looking at the content. The block of 9 keys above the arrow keys now work correctly.
Re: limit number of ssh connections
Григорьев == Григорьев Александр mr.fes...@yandex.ru writes:

Григорьев If your target is protect freebsd box from bruting passwords
Григорьев from inet maybe security/knockd will help you?

Portknocking adds only a dozen bits or so to your password. Do you really think it helps to go from a 1024-bit key to a 1036-bit one?

In other words, portknocking belongs in the "security for dummies" pile right along with turning off your SSID announce and using MAC address filtering when people talk about wifi security. All three are useless and give you a false sense of having increased security.

The real security is to disable plaintext passwords. Then no amount of brute force will ever get in.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: limit number of ssh connections
Paul == Paul Macdonald p...@ifdnrg.com writes:

Paul in my experience running ssh on a high port cuts the amount of unwanted ssh
Paul connections to approximately zero, in fact i got a surprise when seeing a sec
Paul log from a box which i hadn't done this for

I run sshd on 443 (for firewall-bending reasons), and the only connections I see there are people trying to break into the web. Never an actual sshd hit. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion
Re: 9.0 beta2 keymap
I continued to research this problem and found the cause. The content of 9.0 /etc/ttys has changed (i.e. cons25 is now xterm). I have some changes in ttys on 8.2 and I just copied that file over to 9.0 without looking at the content. The block of 9 keys above the arrow keys now work correctly.

I saw the keyboard layout and there are many :( I don't even know if I have a standard 101/105 US keyboard. When I press up arrow, I get an 8 on the screen :(

I was going to ask on another thread/create a new thread, but I guess this one is the correct one to ask?

Regards,
Antonio
Re: limit number of ssh connections
On Mon, Sep 19, 2011 at 05:11:28PM -0700, Randal L. Schwartz wrote:

Григорьев == Григорьев Александр mr.fes...@yandex.ru writes:

Григорьев If your target is protect freebsd box from bruting passwords
Григорьев from inet maybe security/knockd will help you?

Portknocking adds only a dozen bits or so to your password. Do you really think it helps to go from a 1024-bit key to a 1036-bit one?

In other words, portknocking belongs in the "security for dummies" pile right along with turning off your SSID announce and using MAC address filtering when people talk about wifi security. All three are useless and give you a false sense of having increased security.

I'd say, rather, that it's useful in deflecting the drive-by, casual cracking attempts, but not as real security against a more sophisticated attack. It's nice to have cleaner logging sometimes -- which is the real benefit of such techniques, rather than security per se.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
Re: Cannot remove filesystem ACLs
Victor Sudakov wrote:

I don't understand why I cannot completely remove the ACLs from a directory. Please look:

[dd]

Why are the + sign and the mask entry still there? How do I get rid of them completely?

It may seem a bit radical but it does the job:

find /some/dir | xargs rmextattr system posix1e.acl_access
find /some/dir | xargs rmextattr system posix1e.acl_default

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: limit number of ssh connections
From owner-freebsd-questi...@freebsd.org Mon Sep 19 19:12:32 2011
From: mer...@stonehenge.com (Randal L. Schwartz)
To: Paul Macdonald p...@ifdnrg.com
Date: Mon, 19 Sep 2011 17:12:14 -0700
Cc: James Strother jstrother9...@gmail.com, freebsd-questions@freebsd.org
Subject: Re: limit number of ssh connections

Paul == Paul Macdonald p...@ifdnrg.com writes:

Paul in my experience running ssh on a high port cuts the amount of
Paul unwanted ssh connections to approximately zero, in fact i got a
Paul surprise when seeing a sec log from a box which i hadn't done this
Paul for

I run sshd on 443 (for firewall-bending reasons), and the only connections I see there are people trying to break into the web. Never an actual sshd hit. :)

A wise man said: this belongs in the "security for dummies" pile right along with turning off your SSID announce and using MAC address filtering when people talk about wifi security. All three are useless and give you a false sense of having increased security.

It is worthy of note that 'merely' running sshd on an 'unconventional' port provides _less_ of an increase in security than portknocking does. :)

That said, _I_ also run sshd on the well-known port for unrelated services. *NOT* because I have a belief it provides any increase in security -- it _doesn't_ -- but simply to eliminate the script-kiddie 'doorknob rattling' 'clutter' from the logs, making it far easier to see a truly 'targeted' attempt.

'Clutter elimination' makes it -- *or* portknocking -- worth doing even though neither provides any measurable increase in 'real' security.
Re: Need an audio multicasting solution
RW wrote:

You can use videolan / vlc. It allows you to multicast video too. In September 2011 BSD Magazine you have some examples about that.

I like vlc on Linux/Windows machines. But installing it to a streaming server is a pain. Even if you disable all options in make config, it still tries to build scores of dependencies including some components of the X Window system. Not nice.

did you try setting WITH_SERVER_ONLY?

Actually, setting WITH_SERVER_ONLY only sets 4 options

WITHOUT_LUA=yes
WITHOUT_QT4=yes
WITH_RUNROOT=yes
WITHOUT_XCB=yes

which I have set anyway. The number of dependencies is still appalling.

In fact, I have found a solution with ffmpeg; the example command lines are:

ffmpeg -i file.mp3 -acodec copy -f rtp rtp://239.8.8.8:5000 -re
ffmpeg -f oss -i /dev/dsp -acodec mp2 -f rtp rtp://239.8.8.8:5000 -re

ffmpeg should be compiled WITH_LAME. Multicast stream playback has been tested with vlc (Windows XP, Fedora Linux) and mplayer (FreeBSD 8).

In more detail in Russian:
http://victor-sudakov.dreamwidth.org/68437.html
http://victor-sudakov.dreamwidth.org/68975.html
http://victor-sudakov.dreamwidth.org/69243.html

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: Using ports and packages together (or, how do I get mod_php5 ? )
On 09/19/11 13:56, Lars Eighner wrote:

On Mon, 19 Sep 2011, Brandon Kuczenski wrote:

I'm concerned that, if I have some packages built from ports and some installed from the release, that the system will become unstable if things get too out of sync.

I noticed only recently that there are now packages on FTP in a folder called packages-8-stable. I am not sure how often these are built. I expect that the entire ports tree is built much like it is during a release, except at some later point in time. I would expect that those ports are all dependency consistent with each other to the maximum extent possible.

I also prefer packages to ports, but there are a few updates to ports that I want now (xorg, xfce, rhythmbox), but I really don't want to try 9.0 when it becomes a release. I plan to upgrade my packages to 8-stable from this directory in a couple weeks. Maybe this policy will work for you.

Later,
Jason
Re: Using ports and packages together (or, how do I get mod_php5 ? )
On 09/19/11 13:56, Lars Eighner wrote:

On Mon, 19 Sep 2011, Brandon Kuczenski wrote:

I'm concerned that, if I have some packages built from ports and some installed from the release, that the system will become unstable if things get too out of sync.

Doh, I just read the handbook. http://www.freebsd.org/doc/handbook/packages-using.html

** If you want to force pkg_add(1) (http://www.FreeBSD.org/cgi/man.cgi?query=pkg_addsektion=1) to download FreeBSD 8-STABLE packages, set PACKAGESITE to ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/.

Later,
Jason
Firefox clean installation but does not execute
Hello,

I've installed Firefox36 from ports. It installed without a problem, but it does not launch. In other words, there's no firefox file on my system.

I had it installed before and working; then, to clean out the system of unnecessary ports, I removed all ports and reinstalled only what is necessary. Somehow now I can't get firefox to work. The installation runs through cleanly, but when I try to run firefox, the system just responds with 'command not found':

fabry@desmo 7:27 % pkg_info | grep firefox
firefox-3.6.22,1    Web browser based on the browser portion of Mozilla
afabry@desmo 7:28 % firefox
firefox: Command not found.

What could be the problem, where could I start looking?