Re: How to deny getting static ip address via pf ?

2011-07-26 Thread Balázs Mátéffy
2011/7/26 Matthew Seaman m.sea...@infracaninophile.co.uk

 On 26/07/2011 11:44, Yavuz Maşlak wrote:
  I use pf on freebsd as packet filter.
 
  I have a wireless area. The users get to the internet using automatic ip
  from the dhcp server.
  I wish to deny to assign a static ip address by manual.
 
  How can I do that with pf or ipfw or another thing?

 Interesting problem.  Do you control the DHCP server and is it running
 ISC dhcpd?  If so, you can parse the dhcpd.leases file to find all of
 the addresses the DHCP server has allocated.  Then you could create
 firewall rules that default to blocking the DHCP address range, but are
 overridden to allow the allocated addresses.  The table feature in pf
 would be a good way of implementing something like that.  (I think ipfw
 has an equivalent feature nowadays too.)

 It's not going to be pretty, and you'll need to update the table of
 allowed addresses quite frequently, or legitimate users will find
 themselves locked out of internet access.  Also it won't stop someone
 who has hijacked an IP from someone else's lease.

 Wondering why your users would prefer manually setting addresses rather
 than using DHCP, since using DHCP takes away virtually all the effort
 involved? If it's because almost all the addresses are already assigned
 to leases and it takes ages to get on-line, then two courses of action
 suggest themselves:

   1) Serve a larger address range through DHCP and/or make the lease
  times shorter.  Assuming you're behind a NAT gateway, this
  shouldn't be particularly hard to set up.

   2) Look at the 'adaptive-lease-time-threshold' setting in dhcpd.conf
  -- this says to dynamically shorten lease times once address pool
  usage goes above a threshold percentage.

Cheers,

Matthew

 --
 Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Hi,

I would run a perl program as a daemon that would parse the dhcp logs for
given IPs, then I would load those IPs to a PF table, which that way could
contain the trusted hosts, which you would then pass packets from and to.
This could work IMHO. But this approach to the problem can contain serious
flaws...

Best Regards,

Balazs.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
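A worked version of the lease-table idea from Matthew's reply and Balázs's follow-up, as an added example that is not code from the thread (Python rather than the Perl Balázs mentions; the table name, paths, interface name and pf rules are assumptions):

```python
"""Allow only addresses that ISC dhcpd has actually leased through pf.

Added example, not code from the thread. It parses dhcpd.leases, keeps the
addresses whose latest record is an unexpired active lease, and loads them
into a pf table that the ruleset passes while the rest of the DHCP range is
blocked. The leases text below is constructed; the table name "dhcp_leased"
and the leases path are assumptions. Pair it with rules such as
(wlan_if and the range are assumed):

    table <dhcp_leased> persist
    pass in quick on $wlan_if proto udp from any port 68 to any port 67  # DHCP itself
    pass in quick on $wlan_if from <dhcp_leased>
    block in quick on $wlan_if from 192.0.2.0/24

Run it from cron often: a client whose fresh lease is not yet in the table is
blocked, and a host squatting on another client's leased address still
passes, because the table keys on address only (Matthew's two caveats).
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.S)
# dhcpd writes "ends <weekday> YYYY/MM/DD HH:MM:SS;" in UTC, or "ends never;"
ENDS_RE = re.compile(r"^\s*ends\s+(never|\d\s+\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);", re.M)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def lease_end(body):
    """Expiry of one lease record as a naive UTC datetime, or None for 'never'."""
    m = ENDS_RE.search(body)
    if m is None or m.group(1) == "never":
        return None
    return datetime.strptime(m.group(1).split(None, 1)[1], TIME_FMT)


def parse_active_leases(text, now):
    """Addresses whose most recent record is 'binding state active' and unexpired.

    dhcpd appends a record every time a lease changes, so a later record for
    the same address supersedes an earlier one; the last verdict wins.
    """
    verdict = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        st = STATE_RE.search(body)
        end = lease_end(body)
        verdict[ip] = (st is not None and st.group(1) == "active"
                       and (end is None or end > now))
    return sorted((ip for ip, ok in verdict.items() if ok),
                  key=lambda a: tuple(int(o) for o in a.split(".")))


def pfctl_table_command(table, ips):
    """Replace the table contents atomically; an empty list flushes it instead."""
    if not ips:
        return ["pfctl", "-t", table, "-T", "flush"]
    return ["pfctl", "-t", table, "-T", "replace", *ips]


# Constructed leases file: .10 is active, .11 has expired, .12 was released
# (its later record is 'free'). Evaluated at SAMPLE_NOW.
SAMPLE_LEASES = """\
lease 192.0.2.10 {
  starts 2 2011/07/26 09:00:00;
  ends 2 2011/07/26 21:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.0.2.11 {
  starts 2 2011/07/26 08:00:00;
  ends 2 2011/07/26 09:30:00;
  binding state active;
}
lease 192.0.2.12 {
  starts 2 2011/07/26 09:10:00;
  ends 2 2011/07/26 21:10:00;
  binding state active;
}
lease 192.0.2.12 {
  starts 2 2011/07/26 09:10:00;
  ends 2 2011/07/26 21:10:00;
  binding state free;
}
"""
SAMPLE_NOW = datetime(2011, 7, 26, 10, 0, 0)


def demo():
    """Run the parser over the constructed leases; returns ['192.0.2.10']."""
    return parse_active_leases(SAMPLE_LEASES, SAMPLE_NOW)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/db/dhcpd/dhcpd.leases"
    with open(path) as fh:
        leases = fh.read()
    now = datetime.now(timezone.utc).replace(tzinfo=None)  # leases file times are UTC
    cmd = pfctl_table_command("dhcp_leased", parse_active_leases(leases, now))
    subprocess.run(cmd, check=True)
```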


Re: before i ugrade from 7.3 to 8.x....

2011-07-16 Thread Balázs Mátéffy
On 16 July 2011 11:27, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:

 On 16/07/2011 06:45, Gary Kline wrote:
  i ant to be as sure as possible that my network stuff and mail
  Works!   how can i test my /etc/namedb/*  'stuff'?  pretty sure mail
  works .. AND finally, i'm glad i stuck with FreeBSD and fer all your
  help.

 http://dnscheck.iis.se/ is a good start.  Given that you're posting to
 this list, I'd say mail and DNS is probably working.  Maybe not
 completely perfect, but good enough.  Beyond that, it's usually a matter
 of checking your logs and dealing with any problems as they come up.

Matthew

 --
 Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Hello,

If you want to check your zones, you can use dig @localhost DOMAINTOCHECK
AXFR for a local zone transfer from the dns server itself. Or from another
server dig @yourdnsserver domainname. Or from a windows server the command
nslookup, then in the nslookup query add your dns server as source like
this: server yourdnsserver then you can check the domains by just typing
them in.

What exactly you want to check Gary?

Best Regards,

Balazs


Re: Upgrading very old installation

2011-07-15 Thread Balázs Mátéffy
On 15 July 2011 22:46, Roland Smith rsm...@xs4all.nl wrote:

 On Fri, Jul 15, 2011 at 08:20:52AM -0400, Jaime Kikpole wrote:
  I'm running a FreeBSD 6.x server that hasn't been updated in about 1.5
 years.
 
  atlas:~uname -mprs
  FreeBSD 6.4-RELEASE-p8 i386 i386

  I've been using the cvsup/make method of upgrades for years and only
  used freebsd-upgrade once.  I'm not sure if either method can handle a
  6.x to 8.x upgrade.

 They are tested for upgrading to the next major version. Who knows if it
 will
 work across two major versions? Personally I wouldn't want to be the one to
 try it out. :-)

  I also have a bunch of ports in this server (e.g. apache, postfix,
  etc.)  Once the OS is updated, should I just portupgrade them all?

 Doesn't work reliably across major version updates. When updating to a
 newer
 major version, the best way is to delete all ports (save their config files
 of course), scrub the /usr/local tree clean and then re-install them.

 Matthews advice of re-installing 8.2 on a second harddrive is probably the
 easiest and safest way to go.

 Roland
 --
 R.F.Smith   http://www.xs4all.nl/~rsmith/
 [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
 pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)


Hi,

I would try to update the split mirror of the 6.4 to 8.2, I did manage to
update couple of years back from Releng6 to Current 8 :).

Did the usual make kernel / world stuff mergemaster prebuild in the middle
and mergemaster after the update then I rebuilt all the ports.

I recently did a 6.4-STABLE to 8.2-RELEASE-p2 migration to another server,
but without using only some initial old config files from the old system
because I had to build a better environment with other software for the same
role (almost the same thing that Matt recommended you). For me this is a
longer procedure than updating all the software and checking for maybe now
deprecated options and other problems.

So I think it's down to your level of knowledge and personal preference (
whether you want to check what is the problem in case something goes wrong - I
like this because I get to know the system and the inner workings in more
detail). I personally don't like freebsd-update, and if you are new to the
build from source way, you should really go with building up from scratch,
then migrate.

In case you want to update have a WORKING backup, and do a test run for the
update (restore your 6.4 on a test machine and try to update it) before you
bring down the productive system.

Good luck!

Regards,

Balazs.


Re: ghghg

2011-07-14 Thread Balázs Mátéffy
On 14 July 2011 23:58, Jerry je...@seibercom.net wrote:

 On Wed, 13 Jul 2011 21:48:43 -0700
 Gary Kline articulated:

  testing

 What?

 Did you check this URL out:
 http://lists.freebsd.org/mailman/listinfo/freebsd-test

 --
 Jerry ✌
 jerry+f...@seibercom.net

 Disclaimer: off-list followups get on-list replies or ignored.
 Do not CC this poster. Please do not ignore the Reply-To header.

 http://www.catb.org/~esr/faqs/smart-questions.html


Our patience?

:)))


Re: Limitting SSH access

2011-05-04 Thread Balázs Mátéffy
On 4 May 2011 13:35, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:

 On 04/05/2011 10:08, Jack Raats wrote:
  I have a question concerning SSH op a FreeBSD 7.4-STABLE server.
 
  Is it possible to limit the SSH access?
  I want t o restrict a user to his own home directory.
  So that if he connects to the server with SSH he only can go to his own
 home dir.
  Also the same for sftp...
 

 I believe you will need to install a version of OpenSSH from ports to
 get that functionality.  It's the CHROOT config option in
 security/openssh-portable

Cheers

Matthew

 --
 Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Hello,

It should work with the base openssh on 7.4. Check your version with sshd
-v.
Here, search for chroot (or use google :)):
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

Regarding ssh login, I usually use rbash from the ports, that restricts
the user from leaving his or her home directory!

Regards,

Balazs Mateffy.
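The sshd_config chroot setup the two replies point at, as an added example that is not from the thread (the group name, paths and the "sftponly" policy are assumptions):

```sshd_config
# Added example, not from the thread: confine members of group "sftponly"
# to their home directory using sshd's own ChrootDirectory support.
# The group name and paths are assumptions.
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# Requirements sshd enforces before it will chroot:
#  - /home/%u and every parent directory must be owned by root and not be
#    group- or world-writable, so give the user a writable subdirectory
#    (e.g. /home/%u/files) rather than the chroot root itself.
#  - ForceCommand internal-sftp gives sftp/scp-style file access only; an
#    interactive shell inside the chroot would need the shell and its
#    libraries copied in, which is where rbash/scponly or the port's
#    CHROOT option come in.
```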


Re: Why are YT vids on FreeBSD all about hacking MSN? (solved)

2010-12-31 Thread Balázs Mátéffy
Hi,

I don't know about this, but you should definitely check out
bsdconferences.

http://www.youtube.com/bsdconferences

Regards,

MB.

On 31 December 2010 02:13, Xn Nooby xno...@gmail.com wrote:

 I wanted to watch some videos about FreeBSD, so I went to Youtube and
 searched on FreeBSD.  Then I sorted by Date Uploaded, and almost
 all the videos uploaded recently are about hacking MSN.  I went to the
 people's profiles, and they had no videos available.  I am guessing
 that people are creating fake YT accounts to post a video that then
 gets removed by YT.  It makes it impossible to find recent YT videos
 about FreeBSD.

 I just wondering if anyone else noticed this.

 If you do the basic YT search sorted on Relevance, you get really
 old FreeBSD videos.


 SOLVED:  I just noticed you can filter out msn from your results by
 searching for freebsd -msn.


Re: Certification

2010-11-07 Thread Balázs Mátéffy
Hi,

You can find all the information here:

http://www.bsdcertification.org/


Regards,

MB.


Re: automake

2010-09-24 Thread Balázs Mátéffy
Hi,

Try this:

portmaster -od /usr/ports/devel/automake19/ automake-1.4.6_5

or your automake version, look it up with pkg_info | grep automake

Hope this helps! If needed try to update everything that was depending on
automake!

BR,

Balazs.



On 24 September 2010 23:20, ajtiM lum...@gmail.com wrote:

 Today I tried on my FreeBSD 8.0

 portmaster -ad
 === Gathering distinfo list for installed ports

 === Starting check of installed ports for available updates

 === The devel/automake15 port has been deleted: Outdated, ports migrated
 to
 automake19
 === Aborting update

 Thanks in advance.

 Mitja
 
 http://starikarp.redbubble.com


Re: rebuilding world - is chflags -R noschg * necessary?

2010-09-23 Thread Balázs Mátéffy
Hello!

Anton is right, really the handbook says that it MAY contain, so it's not
necessary that after every build there will be some files with the immutable
flag.

OFF: Long long time ago one night when I was playing with jails (to be exact
I was building and making work my first jail by hand) I got to know this
little thing known as immutable, after building a jail, and after #@$ing it
up (sry :)) I could not delete it. It was a funny discovery I remember I was
new to FBSD and unix in general:).
ON:

I think maybe in older releases the build process may have used the
immutable flag at build??, but the test machine I tried, started out as
maybe 5.2, and I never had this issue once. Now I'm at 8.1-REL. After you
make installworld you get some files immutable, check this:

# cd /usr/src/
# make installworld DESTDIR=/usr/home/testworld/
# cd /usr/home/testworld
# find . -xdev -flags +schg -exec ls -la {} \;
-r-sr-xr-x  1 root  wheel  18584 Sep 23 16:54 ./bin/rcp
-r--r--r--  1 root  wheel  1150968 Sep 23 16:53 ./lib/libc.so.7
-r--r--r--  1 root  wheel  32104 Sep 23 16:53 ./lib/libcrypt.so.5
-r--r--r--  1 root  wheel  76412 Sep 23 16:54 ./lib/libthr.so.3
-r-xr-xr-x  1 root  wheel  220596 Sep 23 16:54 ./libexec/ld-elf.so.1
-r-xr-xr-x  1 root  wheel  663616 Sep 23 16:55 ./sbin/init
-r-sr-xr-x  6 root  wheel  18588 Sep 23 16:56 ./usr/bin/chpass
-r-sr-xr-x  6 root  wheel  18588 Sep 23 16:56 ./usr/bin/chfn
-r-sr-xr-x  6 root  wheel  18588 Sep 23 16:56 ./usr/bin/chsh
-r-sr-xr-x  6 root  wheel  18588 Sep 23 16:56 ./usr/bin/ypchpass
-r-sr-xr-x  6 root  wheel  18588 Sep 23 16:56 ./usr/bin/ypchfn
-r-sr-xr-x  6 root  wheel  18588 Sep 23 16:56 ./usr/bin/ypchsh
-r-sr-xr-x  1 root  wheel  21836 Sep 23 16:56 ./usr/bin/login
-r-sr-xr-x  1 root  wheel  4792 Sep 23 16:56 ./usr/bin/opieinfo
-r-sr-xr-x  1 root  wheel  11868 Sep 23 16:56 ./usr/bin/opiepasswd
-r-sr-xr-x  2 root  wheel  6160 Sep 23 16:56 ./usr/bin/passwd
-r-sr-xr-x  2 root  wheel  6160 Sep 23 16:56 ./usr/bin/yppasswd
-r-sr-xr-x  1 root  wheel  11244 Sep 23 16:56 ./usr/bin/rlogin
-r-sr-xr-x  1 root  wheel  8896 Sep 23 16:56 ./usr/bin/rsh
-r-sr-xr-x  1 root  wheel  14500 Sep 23 16:56 ./usr/bin/su
-r-sr-xr-x  1 root  wheel  27044 Sep 23 16:56 ./usr/bin/crontab
-r--r--r--  1 root  wheel  16604 Sep 23 16:54 ./usr/lib/librt.so.1
total 4
dr-xr-xr-x   2 root  wheel  512 Sep 23 16:53 .
drwxr-xr-x  22 root  wheel  512 Sep 23 16:53 ..

# rm -rf testworld/
rm: testworld/bin/rcp: Operation not permitted
rm: testworld/bin: Directory not empty
rm: testworld/lib/libc.so.7: Operation not permitted
rm: testworld/lib/libcrypt.so.5: Operation not permitted
rm: testworld/lib/libthr.so.3: Operation not permitted
rm: testworld/lib: Directory not empty
rm: testworld/libexec/ld-elf.so.1: Operation not permitted
rm: testworld/libexec: Directory not empty
rm: testworld/sbin/init: Operation not permitted
and so on...

Anton if you wanna be sure just do it, or test it with the version you are
using, but I don't think you will find any immutable files in /usr/obj

/usr/obj]# find . -flags +schg -exec ls -la {} \;
/usr/obj]#


Sorry if this was a bit long, but I hope it helped!

Regards,

Balazs.



On 23 September 2010 16:42, Arthur Chance free...@qeng-ho.org wrote:

 On 09/23/10 15:10, Polytropon wrote:

 On Thu, 23 Sep 2010 12:02:17 +0100, Anton Shterenlikht
 me...@bristol.ac.uk  wrote:

 I've never seen a file under /usr/obj/ with immutable flag set.


 I think it was a directory called empty/ that couldn't be removed
 unless the flag was unset. This makes this step necessary when
 you rm -rf /usr/obj the object subtree.


 I think you're thinking of /var/empty, not something under /usr/obj. On my
 machine find fails to find anything immutable under /usr/obj.



Re: Correct syntax of supfile to keep ports upgraded?

2010-07-30 Thread Balázs Mátéffy
Hi,


If you want to stick with cvsup, or csup, you can use the example port
updating supfile (if you have the example files).

for example:

csup -L 2 -g -h cvsup10.us.freebsd.org /usr/share/examples/cvsup/ports-supfile

You can check the example file, what csup or cvsup needs in the supfile, and
in what form :).

If You have no ports, a portsnap fetch extract is much much faster,
because it's fetching the ports in one file as tar.gz and extracting it, but
csup and cvsup check Your port files and download only the files that are
outdated.

When getting ports the first time (if you said no for sysinstall to install
ports), it's recommended to use portsnap to ease the load on the CVS
servers, but no one will knock on Your head if You use cvs anyway :).

Hope this helps!

Regards, MB.


Re: FreeBSD 8.0 p#3

2010-06-27 Thread Balázs Mátéffy
Hi,

Maybe portsnap fetch extract ?

Maybe the tag in your supfile was wrong for the ports.

MB.


Re: system is under attack (what can I do more?)

2010-06-18 Thread Balázs Mátéffy
Hello,


1, maybe the line with the rule is in a bad place in the conf, but even if
it's working it's possible that it won't be triggered. As far as I can see
there are 30 sec interval pauses between attacks from one host. Your rule is
looking for connections in 30 sec ranges.

2, You should use a program that monitors the logs, and then passes the IPs
after 3 unsuccessful logins to the bruteforce table.

See bruteforceblocker, but there are a bunch of other programs for this.

Regards,

MB.


Re: installworld and sources

2010-06-06 Thread Balázs Mátéffy
Hi!

It's good practice to keep /usr/src (your source) intact and the same
version as your world and kernel are, and vice versa.

For the particular installworld step AFAIK /usr/obj is used, where the
system has the compiled world made in the build process.

steps here:

http://www.freebsd.org/doc/en/books/handbook/makeworld.html

however you should always read the actual UPDATING file if something changes
between versions!


Regards,

M.Balázs.


On 6 June 2010 12:55, Fbsd1 fb...@a1poweruser.com wrote:

 Compiling a new kernel from source requires /usr/src to be populated, I
 understand that.

 The buildworld process for sure needs /usr/src. My question is , is
 /usr/src also used in the installworld process?

 Now I have never had to do this type of system RELEASE upgrade before, so I
 just don't know.


Re: chroot scp only network storage?

2010-05-25 Thread Balázs Mátéffy
Hello,


Try /usr/ports/shells/scponly .

Look up the features, this way you can assign the restrictive scponly shell
to the users:

http://sublimation.org/scponly/wiki/index.php/Main_Page

Best Regards:

Balázs Mátéffy



On 26 May 2010 00:05, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:


 On 25/05/2010 22:29:57, Matthew Law wrote:
 
  I want to provide some users with secure network attached storage over
  SCP.  The intent is to provide people with a similar thing to, e.g.
  rsync.net but inside of our network only.
 
  Security is obviously a priority so I would like each user to be chrooted
  into their allocated directory and allow them only to execute a small set
  of commands.

 Check out the security/openssh-portable port which has options to enable
 chroot'ing.  You should be able to configure the account to only be able
 to use scp(1) or sftp(1) by editing sshd_config or by using forced
 commands in the user authorized_keys files.

  I have come across scponly before.  Is this the best way of achieving
 this
  with FreeBSD or is there some other better way?

 Another alternative is WebDAV.  Run it over HTTPS for security, and use
 the standard Apache authn/authz controls to give each user access to
 only their own area.  In principle your users can mount their WebDAV
 areas as networked filesystems on their desktops.  In practice, this
 works fine with MacOS X, is horribly buggy under Windows, needs quite a
 lot of effort to make work on Linux, and I don't think it's actually
 available at all on FreeBSD.  However, commandline clients like cadaver
 will work fine on anything Unixy.

Cheers

Matthew

 - --
 Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW



Re: jails and one dynamic ip address

2010-05-25 Thread Balázs Mátéffy
Hi,


Sure there can be a better solution (I think :)):

Use an rfc1918 private address range for your Jail, and use nat, to forward
your external interface IP to the private address of the jail.

This can be done in ipnat, PF, or the other natting, packet filtering tools.

Hope I understood your question :).

Regards,

Balázs M.



On 26 May 2010 01:36, Fbsd1 fb...@a1poweruser.com wrote:

 I get one dynamic ip address from my ISP. This is what I specify on the
 jail for public network access. When the ip address changes on me I have to
 manually change the ip address associated with the jail.

 Is there some method I can code so jail will all ways have public network
 access?
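The private-address-plus-NAT layout Balázs describes, written out as an added pf.conf example that is not from the thread (the pre-4.5 pf syntax FreeBSD 8 uses; interface names, addresses, jail name and the forwarded port are assumptions):

```pf
# Added example, not from the thread: give the jail an RFC 1918 address and
# translate it behind the external interface. Interface names, addresses,
# the jail name and port are assumptions.
#
# The jail's address lives on a cloned loopback, set up in rc.conf:
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 10.0.0.2 netmask 255.255.255.255"
#   jail_www_ip="10.0.0.2"
ext_if  = "em0"        # interface carrying the ISP-assigned, changing address
jail_ip = "10.0.0.2"

# ($ext_if) in parentheses makes pf look up the interface's current address
# for every packet, so an address change from the ISP needs no pf reload.
nat on $ext_if from $jail_ip to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $jail_ip port 80

# Filter rules see the already-translated destination, so pass to the jail
# address, not to the external one.
block in on $ext_if
pass in on $ext_if proto tcp from any to $jail_ip port 80 flags S/SA keep state
pass out on $ext_if keep state
```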


Re: where can i dl freebsd?

2010-05-06 Thread Balázs Mátéffy
Hi,

I smell something fishy here, but whatever, here's a link to the gzipped 8.0
DVD ISO:

ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.0/8.0-RELEASE-i386-dvd1.iso.gz

7.3:

ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/7.3/FreeBSD-7.3-RELEASE-i386-dvd1.iso.gz



On 7 May 2010 07:15, Gary Kline kl...@thought.org wrote:

 On Fri, May 07, 2010 at 12:44:24AM -0400, Brian Callahan wrote:
  Check the FreeBSD website? There have been DVD releases since
 7.1-RELEASE,
  if my memory serves.


 i'll check again; couldn't find it...



 --
  Gary Kline  kl...@thought.org  http://www.thought.org  Public Service
 Unix
The 7.83a release of Jottings: http://jottings.thought.org/index.php
   http://journey.thought.org  99 44/100% Guaranteed Novel



Re: pf suggestions for paced attack

2010-05-03 Thread Balázs Mátéffy
Hello,

What if you use a perl or whatever script, to look in the logs, and after a
number of bad password attempts you just add that IP to the badboys table?

Some programs out there are capable to do this eg. Daniel Gerzo'
bruteforceblocker (you have to edit it), or bruteblock (if i'm right with
the name).

Regards,

MB.

On 3 May 2010 18:39, John j...@starfire.mn.org wrote:

 On Mon, May 03, 2010 at 05:29:24PM +0100, Matthew Seaman wrote:
 
  On 03/05/2010 15:41:10, John wrote:
   The script kiddies have apparently figured out that we use some
   time-window sensitivity in our adaptive filtering.  From sshd, I've
   been seeing reverse mapping checking getaddrinfo ... failed and
   from ftpd (when I have the port open at all, which is rare), I am
   seeing probes at about 27 second intervals.  This stays well below
   the 3/30 (three connections in 30 seconds) sensitivity that I had
   been using.  It took them nearly two and a half hours to make 154
   attempts, but computers are very patient.
  
   I have now changed the timing window sensitivity, but it's to the
   point now where there's a significant probability that someone could
   lock themselves out (temporarily, at least, I do clear these tables
   periodically) if they are having a bit of a fat-finger moment with
   their password.
  
   Anybody got any superior suggestions?
 
  Heh.  If the attackers are forced to slow down the probe rate so
  drastically, then their chances of breaking in would be greatly reduced
  /even/ if you were using guessable passwords.  Which I shall assume you
  aren't: key based auth is what you need, or maybe OTP.  You certainly
  should not be relying on rate-adaptive blocking alone to secure your
  system -- it's more a way of preventing your log files from being
  flooded with crap -- and you've limited that quite effectively by
  forcing the attackers to slow down.  I'd not feel any necessity to
  modify the rate settings on your PF rule.
 
  Anyhow, there is certainly a potential to lock yourself out using
  adaptive blacklisting.  If you know where your friends are going to be
  logging in from, then I'd set up a whitelist.  Something like this:
 
  (replace with a list of the addresses / ranges you want to allow)
 
  table ssh-whitelist const { \
  192.0.2.0/24  \
  } persist
  table ssh-bruteforce persist
 
  set skip on lo0
 
  scrub in
  pass all
 
  antispoof log quick for lo0
  block drop in log quick from ssh-bruteforce
 
  pass in proto tcp from !ssh-whitelist to port ssh \
   flags S/SA keep state  \
   (max-src-conn-rate 3/30, overload ssh-bruteforce flush global)
  pass in proto tcp from ssh-whitelist to port ssh  \
   flags S/SA keep state
 
Cheers,
 
Matthew
 
  - --
  Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
Flat 3
  PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW

 Hi, Matthew.  Indeed, yes, you may not recall, but my rules are
 based on a set that I originally got from you, and I do, in fact,
 have a white list, which I should have mentioned, but some of my
 users are road warriors and could be coming from virtually anywhere.
 You're right, though - it's time to look into alternatives to
 password-based authentication.  I think I've taken password-based
 protection and rate adaptive rules to their logical limit.

 --

 John Lind
 j...@starfire.mn.org



Re: pf suggestions for paced attack

2010-05-03 Thread Balázs Mátéffy
Hi,

I'm interested, by the way, is there a max size limit to a pf table? Mine
always stops working at 2megs...


On 3 May 2010 18:48, Adam Vande More amvandem...@gmail.com wrote:

 On Mon, May 3, 2010 at 11:39 AM, John j...@starfire.mn.org wrote:

  Hi, Matthew.  Indeed, yes, you may not recall, but my rules are
  based on a set that I originally got from you, and I do, in fact,
  have a white list, which I should have mentioned, but some of my
  users are road warriors and could be coming from virtually anywhere.
  You're right, though - it's time to look into alternatives to
  password-based authentication.  I think I've taken password-based
  protection and rate adaptive rules to their logical limit.
 
 
 What's wrong with denyhosts?  Key-based authentication has its own set of
 pitfalls.  I'm far more likely to lose my usb stick than my password.  I
 imagine there are other like me.

 --
 Adam Vande More


Re: Gaming

2010-04-29 Thread Balázs Mátéffy
Hi,

I lolled on the comment from David Kelly :D.
By the way some time in the past I managed to use Counter-Strike 1.6 on wine
with approx 20fps, and without sound :).

On linux there is cedega, but cedega won't be ported to FreeBSD there was an
old abandoned project to do it, but it died ;\.

Your best bet is wine, but don't expect sky high fps rates, and fireworks,
FreeBSD is not for gaming...ATM :D.

Regards,

MB.




On 29 April 2010 19:58, pete wright nomadlo...@gmail.com wrote:

 On Thu, Apr 29, 2010 at 10:57 AM, pete wright nomadlo...@gmail.com
 wrote:
  On Thu, Apr 29, 2010 at 10:10 AM, Joe's Morgue joes_mor...@yahoo.com
 wrote:
  Looking thru your manuals, I have not seen anything about gaming on a
 FreeBSD machine.
 
  Are there drivers for higher end graphic cards available?
 
 
 
  nvidia provides a binary blob of their Unix driver for FreeBSD:
  http://www.nvidia.com/object/freebsd_1.0-4365.html
 

 arg!  wrong URL!

 http://www.nvidia.com/object/freebsd-195.36.24.html

 -pete



 --
 pete wright
 www.nycbug.org


Re: ping: sendto: No buffer space available

2010-04-24 Thread Balázs Mátéffy
I almost forgot!

And if you find out the reason for the shortage you can tweak it with the
appropriate sysctl value.

At the moment I'm not sure which value you should tweak, but if you search
for this issue, maybe you can find the appropriate net. values.

Regards,

MB.

On 24 April 2010 22:35, Balázs Mátéffy repcs...@gmail.com wrote:

 Hello,

 I had a similar problem sometimes on one or two of my machines; look up
 netstat -m. Usually if you run out of buffer space you have to tweak the
 mbuf memory size.

 You can see the memory usage current / cache / total; if the current or
 cache is the same value as the total, you have a memory shortage.

 You can search for it, there are plenty of mail list archives about issues
 like this.

 Hope this helps!

 Best Regards,

 MB.


 On 24 April 2010 13:06, Erik Norgaard norga...@locolomo.org wrote:

 Hi!

 I'm running FreeBSD 8.0. Sometimes my network just goes down without
 leaving any errors behind; this morning it went down but didn't cut my
 ssh connection to the box, and I got this error:

 ping: sendto: No buffer space available

 From what I have found this relates to protocols like udp and icmp, I
 assume this can occur with p2p but also vpn protocols like l2tp.

 Is there some way that I can set limits on these protocols such that they
 will not use up all available buffer space? Or some way to increase buffer?

 Or is the problem something completely different? I've got two vr
 interfaces on a VIA Nehemiah ITX.

 Thanks, Erik
 --
 Erik Nørgaard
 Ph: +34.666334818/+34.915211157  http://www.locolomo.org



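The check Balázs describes above (run netstat -m, read the current / cache / total figures, then tune the mbuf pool through sysctl), written out as an added example; it is not code from either poster. It reads FreeBSD 8 style `netstat -m` text on stdin and keys on two things that output prints: how close the cluster total is to its max, and whether any allocation requests have already been denied. The two sample outputs are constructed, WARN_PCT is an assumed threshold, and kern.ipc.nmbclusters, which the thread does not name, is the tunable that sizes the cluster pool.

```shell
#!/bin/sh
# Added example (not from the thread): read FreeBSD `netstat -m` output and
# decide whether the mbuf cluster pool is what is producing ENOBUFS
# ("No buffer space available").  WARN_PCT is an assumed default threshold.
WARN_PCT=${WARN_PCT:-90}

# check_mbufs: takes `netstat -m` text on stdin, prints a one-line summary
# and a verdict.  Return codes: 0 healthy, 1 near the limit, 2 exhausted or
# allocation requests already denied, 3 input not recognised.
check_mbufs() {
    awk -v warn="$WARN_PCT" '
        # e.g. "1024/506/1530/25600 mbuf clusters in use (current/cache/total/max)"
        /mbuf clusters in use/ {
            split($1, f, "/"); cur = f[1]; cache = f[2]; total = f[3]; max = f[4]
        }
        # e.g. "0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)"
        /requests for mbufs denied/ {
            split($1, d, "/"); denied = d[1] + d[2] + d[3]
        }
        END {
            if (max + 0 == 0) { print "no mbuf cluster line found"; exit 3 }
            pct = int(total * 100 / max)
            printf "clusters: %d in use, %d cached, %d/%d total/max (%d%%), %d denied\n",
                   cur, cache, total, max, pct, denied + 0
            if (denied + 0 > 0 || total + 0 >= max + 0) {
                print "EXHAUSTED: raise kern.ipc.nmbclusters and find the consumer"
                exit 2
            }
            if (pct >= warn + 0) { print "WARNING: pool is near its limit"; exit 1 }
            print "OK"
            exit 0
        }'
}

# Constructed samples in the FreeBSD 8 netstat -m layout (not real captures).
HEALTHY_SAMPLE='1027/1013/2040 mbufs in use (current/cache/total)
1024/506/1530/25600 mbuf clusters in use (current/cache/total/max)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)'

EXHAUSTED_SAMPLE='25600/0/25600 mbufs in use (current/cache/total)
25600/0/25600/25600 mbuf clusters in use (current/cache/total/max)
0/314/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)'

# Live use on the FreeBSD host:   netstat -m | check_mbufs
# Offline demonstration against the constructed samples:
for sample in "$HEALTHY_SAMPLE" "$EXHAUSTED_SAMPLE"; do
    printf '%s\n' "$sample" | check_mbufs || true
done
```

A pool that is genuinely full (total at max, or a non-zero denied count) points at the tuning Balázs mentions; a pool that is far from its limit means the ENOBUFS is coming from somewhere else, such as a full interface send queue, and raising kern.ipc.nmbclusters will not help. Either way the next step is finding which socket or protocol is holding the buffers, since a runaway consumer is also what a flood or a leaking daemon looks like.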


Re: ping: sendto: No buffer space available

2010-04-24 Thread Balázs Mátéffy
Hello,

I had a similar problem sometimes on one or two of my machines; look up
netstat -m. Usually if you run out of buffer space you have to tweak the
mbuf memory size.

You can see the memory usage current / cache / total; if the current or
cache is the same value as the total, you have a memory shortage.

You can search for it, there are plenty of mail list archives about issues
like this.

Hope this helps!

Best Regards,

MB.

On 24 April 2010 13:06, Erik Norgaard norga...@locolomo.org wrote:

 Hi!

 I'm running FreeBSD 8.0. Sometimes my network just goes down without leaving
 any errors behind; this morning it went down but didn't cut my ssh
 connection to the box, and I got this error:

 ping: sendto: No buffer space available

 From what I have found this relates to protocols like udp and icmp, I
 assume this can occur with p2p but also vpn protocols like l2tp.

 Is there some way that I can set limits on these protocols such that they
 will not use up all available buffer space? Or some way to increase buffer?

 Or is the problem something completely different? I've got two vr
 interfaces on a VIA Nehemiah ITX.

 Thanks, Erik
 --
 Erik Nørgaard
 Ph: +34.666334818/+34.915211157  http://www.locolomo.org



Re: Online school for FreeBSD

2010-04-10 Thread Balázs Mátéffy
Sorry David for the mail before, I've got the wrong address!

+1 :)

I like the books of M. W. Lucas: easy to read, funny, and at the same time
they have the needed details about the subject.

On 11 April 2010 01:14, David Newman dnew...@networktest.com wrote:

 On 4/10/10 3:08 PM, Chris Whitehouse wrote:
  Roland Smith wrote:
  On Fri, Apr 09, 2010 at 09:34:59PM -0800, jt wrote:
 
  I've been doing searches for online schools that teach FreeBSD. I've been
  trying to learn on and off for years, but when it starts getting complicated,
  I get stuck. The handbook doesn't do a lot of good.
 
  You can download the book The Complete FreeBSD from
  http://www.lemis.com/grog/Documentation/CFBSD/
 
  There is also Absolute FreeBSD
  http://www.absolutefreebsd.com/
  Only available for purchase though.

 +1

 I've found this and other books by Mr. Lucas to be informative,
 accessible and even entertaining, well worth their price.

 dn

 
  Chris

