Error in the handbook
Hi, there is an error in the handbook, section 28.6.5.7 An Example NAT and Stateful Ruleset. On the bottom are two examples, 1st with command: $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1 and second with command $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2 Both commands should look in via $pif setup keep-state limit Or am I wrong? Best regards, -- Peter Rosa ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Error in the Handbook
Hi, there is an error in the handbook, section 28.6.5.7 An Example NAT and Stateful Ruleset. On the bottom are two examples, 1st with command: $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1 and second with command $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2 Both commands should look in via $pif setup keep-state limit Or am I wrong? Best regards, -- Peter Rosa ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
sshd
Zdravim vsetkych, prosim, ako sa mam zbavit hlasky v logoch: Failed none for xxx from 192.168.1.53 port 1291 ssh2 Hlaska sa objavi *vzdy*, ked sa pripojim k tomu pocitacu. Pritom mam prihlasovanie heslom vypnute. FreeBSD 4.11-p12. sshd_config (ocisteny o komentare): LogLevel VERBOSE PermitRootLogin no StrictModes yes RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys RhostsAuthentication no IgnoreRhosts yes RhostsRSAAuthentication no HostbasedAuthentication no IgnoreUserKnownHosts no PasswordAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no GatewayPorts no Subsystem sftp/usr/libexec/sftp-server Vdaka, Peter Rosa ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
IPFW2+NATD stateful rules VS. FTP
Hello everybody, please can anybody help me with ipfw rules? My machine is acting as firewall/router/www-proxy/ftp-proxy for small LAN. It does not work as ftp-server. I set my ipfw2 rules exactly as in section 25.6.5.7 An Example NAT and Stateful Ruleset Ex.2 from handbook. Everything works well except miserable ftp. I just installed ports/jftpgw to be an transparent proxy for internal LAN but still without success. I understand all rules in those example, but I do not know where should I place fwd rule(s). Ftp depends on two ports 20 and 21. So i assume there should be two fwd rules semewhere in the ruleset. Please, where should I place those rules? Or is it better to use /etc/nad.conf to redirect all incomming connections on ports 20 and 21 to localhost? Any help is *very* appreciated :-) Peter Rosa P.S. Please consider adding such rules into mentioned example in handbook. I think a lot of users will welcome such addition. I spent four days on Ggle before writing here and I did not find anything helpful. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
periodic scripts
Hi all, please what is your opinion and possible repair of following. I have FreeBSD 4.10-REL-p2, cvsup+make world last week. It happened few times in last half-year, that server discontinue sending reports from periodics daily. I run it manually and see ps ax, but the only checks are started are those about security. And the only report send is security report. The daily report is never created. This status will remain until the next update. There is no difference between /usr/src/etc/default/periodic.conf and /etc/default/periodic.conf. I have reated my own /etc/periodic.conf.local, but I set only daily_status_XXX etc. variables, daily_output=root. Question - what is causing this; has anybody experience with this; how to repair it without make world ? Best regards, Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
What's with ipfw
Hi all, after I cvs-uped my system from cvsup.cz.freebsd.org I can not use IPFW firewall. Make world, make kernel - everything seemed well, but after reboot (when firewall rules should load) I got errors something with Invalid argument. When I try ipfw add pass all from any to any I get ipfw: getsockopt(IP_FW_ADD): Invalid argument. The only change of my kernel configuration is added SMBFS support to it. What's going wrong ? Could you help me, please ? Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Darkstat
Hi all, please, tell me about security of Darkstat. Is it good idea to install it on firewall/gateway ? I'd like to measure our company traffic, but I do not have Apache running on the gateway. How could I redirect Darkstat's output to web-server inside company ? Or is there some other tool, which can measure in/out traffic and send output to another machine ? I know MRTG, but it uses SNMP I do not know to work with. Best regards, Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
IPFW rules
Hi all,
please what's the difference between this ipfw rules:
${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}
and
${fwcmd} add deny all from any to 255.255.255.255
It seems similar, but I think it is not. Both should stop broadcasts.
Peter Rosa
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
ImageGallery and PHP
Please, does anybody know the PHP interface to graphics/imagegallery port ? Or some other port for creating galleries, but it must support all graphic formats (bmp, tif, jpg, gif, png, wmf, eps, ai, ps). I'm trying to setup my searchable archive of images (not only bitmaps), and want to attach some keywords, etc. But I need the interface to imagegallery binary (if it exists). Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Squid questrion
Dear list friends, please, do you have some experience with Squid 2-4 ? I just installed it, and try to start. It runs 6 childs and each exits eith exit code 6, writing: failed to find or read error text file. Of course, I run squid -z to create the cache, edit squid.conf. I searched the web, but there was only results about Solaris, I do not have experience with it. But I realize, it is something with rights. I have my umask set to 077, so I can not find proper modes for its files/folders. Please help me. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
natd
Hello, please, is there possibility to have natd configured to NAT two interfaces ? We have a network divided into two subnets, both will have their own interface in our router. Is it possible to have -n rl0 -n rl1 -dynamic as natd options in rc.conf ? Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: natd
Oh, yes... It's my misunderstanding of NAT process. I did not note there is ONLY external interface in natd_flags. Sorry again. I think, it automatically routes packets between one external and many internal interfaces, doesn't it ? Peter Rosa - Original Message - From: JJB [EMAIL PROTECTED] To: Peter Rosa [EMAIL PROTECTED] Sent: Wednesday, January 28, 2004 2:03 PM Subject: RE: natd Are you saying you have 2 separate Nic connections to the public internet, each one being assigned an different dynamic IP address by your ISP? Or are you saying you have 2 private Lan circuits. You only Nat the interface facing the public internet. IPFW and natd have bug when used with stateful rules. Stateful rules provide max protection. IPFILTER is the other firewall that comes with FBSD and it's stateful rules have no bugs. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Peter Rosa Sent: Wednesday, January 28, 2004 7:10 AM To: FreeBSD Questions Subject: natd Hello, please, is there possibility to have natd configured to NAT two interfaces ? We have a network divided into two subnets, both will have their own interface in our router. Is it possible to have -n rl0 -n rl1 -dynamic as natd options in rc.conf ? Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Multiple RealTect adaptors
Dear list, I have created small server with 2 Eth RealTec adaptors. After boot, one is properly configured, second has no IP address, and I can not finish the setup. The failure apear right after recompiling the world and kernel. I have only ran make world; make kernel. Is there something I forgot to do? E.g. to recreate everything in /dev? And how to do it? Please help me ASAP, I have to finish it this night. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Multiple RealTect adaptors
Dear list, I already have found MAKEDEV all in /dev folder. Started, finished, no progress. The card is physically OK. While trying to reconfigure eth card via ifconfig rl0 create inet 192.168.1.11 netmask 255.255.255.0 it returns err: SIOCIFCREATE: Invalid agrument. What do I do wrong? And how could I make the card work ? Peter ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Multiple RealTect adaptors
Hello again, of course, everything was there: dmesg - YES ifconfig - YES rc.conf - YES But, whenever the machine boots, ifconfig returns: rl0: flags 8843 snip mtu 1500 inet 192.168.1.11 netmask snip ether snip media snip status: active rl1: flags 8843 snip mtu 1500 ether snip media snip status: no carrier Both have the same flags. Second has no IP/MSK/BCAST. ifconfig rl1 192.168.1.12 netmask 255.255.255.0 always returns config: ioctl (SIOCIFADDR): File exists What could be wrong ? It is the same when I xchange both cards/use another PCI slots. Peter - Original Message - From: Olaf Hoyer [EMAIL PROTECTED] To: Peter Rosa [EMAIL PROTECTED] Cc: FreeBSD Questions [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 6:16 PM Subject: Re: Multiple RealTect adaptors On Wed, 3 Dec 2003, Peter Rosa wrote: Dear list, I already have found MAKEDEV all in /dev folder. Started, finished, no progress. The card is physically OK. While trying to reconfigure eth card via ifconfig rl0 create inet 192.168.1.11 netmask 255.255.255.0 it returns err: SIOCIFCREATE: Invalid agrument. What do I do wrong? And how could I make the card work ? Hi! Well, as the output states, your arguments to ifconfig are incorrect. to check if the card is recognized: dmesg |grep rl0 when it appears, do a: ifconfig -a to see, if a rl0 interface is there. to simply configure it, do: ifconfig rl0 192.168.1.11 netmask 255.255.255.0 shall be sufficient. To make it permanent during bootup, insert in /etc/rc.conf: ifconfig_rl0=inet 192.168.1.11 netmask 255.255.255.0 HTH Olaf -- Olaf Hoyer[EMAIL PROTECTED] Fuerchterliche Erlebniss geben zu raten, ob der, welcher sie erlebt, nicht etwas Fuerchterliches ist. (Nietzsche, Jenseits von Gut und Boese) ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Multiple RealTect adaptors - SOLVED
Fantastic idea. It solved the problem. Many thanks and have a nice day. Peter - Original Message - From: Mykroft Holmes IV [EMAIL PROTECTED] To: Peter Rosa [EMAIL PROTECTED] Cc: Olaf Hoyer [EMAIL PROTECTED]; FreeBSD Questions [EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 6:53 PM Subject: Re: Multiple RealTect adaptors Peter Rosa wrote: Hello again, of course, everything was there: dmesg - YES ifconfig - YES rc.conf - YES But, whenever the machine boots, ifconfig returns: rl0: flags 8843 snip mtu 1500 inet 192.168.1.11 netmask snip ether snip media snip status: active rl1: flags 8843 snip mtu 1500 ether snip media snip status: no carrier Both have the same flags. Second has no IP/MSK/BCAST. ifconfig rl1 192.168.1.12 netmask 255.255.255.0 always returns config: ioctl (SIOCIFADDR): File exists What could be wrong ? It is the same when I xchange both cards/use another PCI slots. Peter Try putting the second NIC on a second subnet. IIRC FreeBSD doesn't support multiple adaptors on the same network. Adam ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: installing 4.9-R: READ command timeout
Jon, you are the next person, who encounters this problem. I had similar problem with 4.8 as well, and it seems to remain also in 4.9. I have resovled it that I copied whole FreeBSD install CD1 to the free newly MSDOS formated HDD, boot from install CD, then install from that HDD. I know it is very hard way, and I started some discussion here (look for subject 4.8 Install Failure in the archive - there is few next questions, but no solution). People wanted me to check my HDD/cables/jumpers/CD-burn but it seems to be the installer problem. It seems to apear AFTER 4.6, because I have succesfully instaled both 4.6 in the past onto the same machine. Dear FreeBSD team, could you please find that bug and repair it ? FreeBSD is an excelent OS, so make such the installation too, please. Yours Peter Rosa - Original Message - From: Jon Drukman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, November 02, 2003 8:57 PM Subject: installing 4.9-R: READ command timeout i'm trying to install 4.9-RELEASE from the bootable CDROMs. i can't get very far because it hangs during the boot process with the following error: ad3: READ command timeout tag=0 serv=0 resetting ata1: resetting devices... and that's it. total freeze. i've done a little googling and most of the suggestions i've found center around drive cabling/jumpering. however, the system is totally functional under Windows XP (that's how i'm writing this message) so i'm pretty sure all the hardware is wired up properly. ideas? hardware: asus a7n8x motherboard, athlon xp 2200+, onboard IDE primary master: western digital wd1200JB primary slave: yamaha crw-f1e cd-rw secondary master: western digital wd1200JB secondary slave: ibm dtla-307045 -jsd- ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
3ware compatibility
Dear list's friends, is it possible to use 3ware EscaladeR 8506 Series in FreeBSD 4.x ? I've found few articles in archive, 3ware 5k, 6k, 7k series are mentioned in HW compat list, but not the newest serie 85xx. Has anybody an experience with it ? Many thanks for your answers. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
3ware compatibility
Dear list's friends, I'm sorry for inconvenience, I had the date set badly (because of some testing). My previously posted message follows: Is it possible to use 3ware Escalade 8506 Series in FreeBSD 4.x ? I've found few articles in archive, 3ware 5k, 6k, 7k series are mentioned in HW compat list, but not the newest serie 85xx. Has anybody an experience with it ? Many thanks for your answers. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Procmail Rules - please help
Hello list's friends.
I have FreeBSD box with sendmail+spamassassin+procmail. As it comes more and
more spam messages I realize to prepare rules for spam deletion. I have done
3 months work on spam mesgs+senders+scores analysis. Now I'm ready to do it,
but I'm not very familiar with procmail. I prepared the following list
I want to write rules, which will do following:
1. check if the X-Spam-Level is more than 15
2. retrieve the sender domain from Form: header
3. compare sender domain against my own list (freemails.txt),
where are all big freemail sites listed.
4. if sender is not there, add sender domain to the ACCESS
database with REJECT 550 Stop Spamming
5. delete the spam message
6. spams marked with score 10 should go to quarantene.
Please help me with second rule, as it can not work - it's only an idea:
FREEMAILS=`cat /etc/mail/freemails.txt`
SENDERDOMAIN=`egrep From: - | awk -F@ '{ print $2 }'`
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
* ${SENDERDOMAIN}${FREEMAILS}
| echo '${SENDERDOMAIN}\t\t550 Stop Spamming' /etc/mail/access
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
/dev/null
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
! [EMAIL PROTECTED]
Any solution is very welcome :-)
Peter Rosa
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
FreeBSD Upgrade on production server
Hello everybody, I wish to upgrade my production firewall / mailserver / DNS server from 4.3 to 4.8. The simplest way seems to be use of CVSUP. OK, but... Is it safe ? What should I backup ? There is running well-configured sendmail - are there some changes in its configuration between versions 8.11.3 used in FreeBSD 4.3 and 8.12.8p1 used in FreeBSD 4.8. This is my only mailserver and I don't have an secondary if something fails... Please, advice if you have some know-how :-))) Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: FreeBSD upgrade on production server - Solved
Many thanks to everybody. Of course, I have read the Handbook, but there are very wide solution, not so specific as I tried to find. There is never said e.g. Backup file /etc/fstab or After installation mergemaster your previously backed sendmail.cf with the new one to include your old changes. And I am so busy, that I tried to find such very specific type of information. Yes, yes, yes, it is bad idea to disturb you, but the list is the only live forum I have found. Once again, thanks a lot. However, I upgraded that machine and all works fine (finally the sendmail, too). Except when I login, I get following errors (written twice): Sep 8 08:35:01 ns login: ROOT LOGIN (root) ON ttyv1 Sep 8 08:35:01 ns login: no modules loaded for `login' service Sep 8 08:35:01 ns login: pam_open_session: Permission denied What is it ? Is it I have misconfigured pam ? And how can I repair it ? Please, help. Peter Rosa - Original Message - From: Lowell Gilbert [EMAIL PROTECTED] To: SUPPORT [EMAIL PROTECTED] Cc: FreeBSD Questions [EMAIL PROTECTED] Sent: Monday, September 08, 2003 3:28 PM Subject: Re: FreeBSD upgrade on production server SUPPORT [EMAIL PROTECTED] writes: I wish to upgrade my production firewall / mailserver / DNS server from 4.3 to 4.8. The simplest way seems to be use of CVSUP. OK, but... Right, so far. Is it safe ? It's not completely safe. Of course, neither is running a two-and-a-half year-old release of any operating system connected to the Internet. Risk is something you have to manage, not avoid. What should I backup ? Everything you'd mind losing. For me, that's mostly /etc, /usr/local/etc, user data, kernel configs, and the log directory. There is running well-configured sendmail - are there some changes in its configuration between versions 8.11.3 used in FreeBSD 4.3 and 8.12.8p1 used in FreeBSD 4.8. There certainly are some changes. Some of them are related to important security fixes. You will need to merge your configuration into the updates. This is my only mailserver and I don't have an secondary if something fails... Well, the safest approach is to have a spare system, and build the modifications on that. If you can't do that, then almost as safe (and actually safer from your own oversights) is to have a spare machine to try out the upgrade on so you get used to the procedure. If you really can't spare a machine for any of these things, accept some downtime and make sure you're *very* careful as you go through the documented procedure. Please, advice if you have some know-how :-))) All of my specific advice is *in* the Handbook. If I had any more advice, I'd submit it to, well, the Handbook. Good luck. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
HDDs dividing rules
Hi all, please, could you explain for those of us, who are new to Unix, are there some rules for partitioning of HDDs in accordance to security needs ? I know, I can set nosuid+noexec on whole partition (slice ?), I can mount something as read-only... It's everything fine, but what exactly should we do ? Everywhere I looked, I found only words as make your own choice of partitioning schema etc., but I think, there must be some rules. And what if I have an HW RAID controller. Are there some difficulties or differences from normal dividing ? Tell us, please, something like Divide your HDD as follows: 1. create slices for /, /home, /etc .. It's good because 2. mount / as RO.. 3. mount /user as noexec+nosuid... I think hope these rules are well-known, but one must know where to look for I also hope, this list could be such kind of brainstorming :-)) One of the best things on Unixes is they are opened. But one of the worst thing on Unixes is they are opened and it is not simple to get very clear information. Sorry for the trying a philosophy here :-)) Best regards and many thanks. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
What is OUT OF THE BOX
Hello everybody, sorry for the stupid question, which should not be here, but sometimes you use phrase OUT-OF-THE-BOX. It can be also found on FBSD web-pages. I'm not from english-speaking country and I really do not know what does it mean. Can you explain, please ? Thanks and regards. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RAID HW
Hello there, please, what RAID controller for ATA HDDs should I use in my new fileserver. There will be run 4.8 with samba (for Win clients) and netatalk (for Mac clients). I'm looking for some, which are officialy supported by FreeBSD, without any special requirements. I'd like to use RAID 5, if possible. Thanks for all recomendations. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: DVD/CD-RW not recognized (was: Re:)
It's because (as I know from some old articles) if you connect one device with high-speed, and second with lower speed onto the same cable, they will BOTH use the lower speed. And it may be problematic for some new HDD, to be as slow as CD is (using PIO, or UDMA-33) (although they all say about standards conformity etc.). Peter Rosa - Original Message - From: Mica Telodico [EMAIL PROTECTED] To: [EMAIL PROTECTED]; Joshua Lokken [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Saturday, July 26, 2003 10:41 AM Subject: RE: DVD/CD-RW not recognized (was: Re:) Hi all again :D I've made some triee , and these are the results: Normal Configuration ATA1 Master: MAXTOR HD 60GB Slave : Liteon 52x 24x 52x ATA2 Master: Quantum Fireball HD 30GB Slave : NEC DV-5800 I get the problems described in the previous messages New Conf ATA1 Master: Maxtor HD 60GB Slave : Quantum Fireball HD 30GB ATA2 Master: Liteon 52x 24x 52x Slave : NEC DV-5800 No problems. All works correctly (both CD drives are initialized) I don't know why this, probably my MoBo is a bit slow in responding with ATA devices when have to initialize them. I had some problems with my precedent CDRW (a philips 8x 4x 32x) , but this time with Linux too (hang at boot) . Linux have solved this problem (I've posted a bug report to Vojitek Pavlik that have worked to eliminate this problem) , but FreeBSD have this again (but with my old CDRW the drive didn't work with all possible configuration , with this one changing the position of the drives solves the problem ) now , I think that could be a good idea increase the timeout time , in order to eliminate this problem in the future and make FreeBSD more compatible with ATA drives and ATA Controllers, at the cost of some millisecond longer boot-time :) Bye Marcello --- Fierman [EMAIL PROTECTED] ha scritto: On Fri, 2003-07-25 at 16:48, Joshua Lokken wrote: this problem sounds like the exact one as i am having, (see my mail to this list: Subject: ATA identify retries exceeded (still!) Date: 24 Jul 2003 23:59:57 + jumpersettings are all ok, no possible signs of hardware itself being faulty. dmesg : ata0: at 0x1f0 irq 14 on atapci0 ata1: at 0x170 irq 15 on atapci0 ata0-slave: ATA identify retries exceeded ad0: 38172MB MAXTOR 6L040J2 [77557/16/63] at ata0-master UDMA33 Mounting root from ufs:/dev/ad0s1a ??? Except that the board won't detect it? I think, if you've checked cables and jumpers (and they're proper), that the likely possibility is hardware damage. I don't know whether or not the drive is new, but new certainly doesn't equal good. Maybe at least consider it. If you can find another drive to test, try that. HTH, Joshua dont know if you didn't send this mail to the list intentionally, but thanx for the reply anyway :) yes, like I said in my previous mail to this list as well, I DID try other DVD players.. all with the same result. Also, the POST never gives any error message, as I suppose it should do with broken hardware. there are 2 possible solutions in my mind: 1. ATA driver is still somewhat broken, 2. There should be a way to adjust the time-out in the authentification routine in the ATA driver (if there is any, that is). cheers, Fierman ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] __ Yahoo! Mail: 6MB di spazio gratuito, 30MB per i tuoi allegati, l'antivirus, il filtro Anti-spam http://it.yahoo.com/mail_it/foot/?http://it.mail.yahoo.com/ ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: suid files
Dear Chuck and others, of course, it's no problem to find-out which files ALREADY HAS suid-bit set. I'm asking to know: 1. what files MUST have... 2. what files HAVE FROM INSTALL... 3. what files DO NOT NEED... 4. what files NEVER MAY... ...the suid-bit set. Anyway, thank you and have a nice day. Peter Rosa - Original Message - From: Chuck Swiger [EMAIL PROTECTED] To: Peter Rosa [EMAIL PROTECTED] Cc: freebsd-questions [EMAIL PROTECTED] Sent: Saturday, July 26, 2003 1:54 AM Subject: Re: suid files Peter Rosa wrote: Some another question I wanted to ask a long time ago: 1. Is there some list of files, that REALLY need suid-bit set ? 2. Is there some list of files, installed from FreeBSD, which HAVE suid-bit set ? See /var/log/setuid.today for the latter, and maybe /etc/periodic/daily/450.status-security which performs a daily check on setuid files, if that is of interest to you... -- -Chuck ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
suid bit files and securing FreeBSD
Hello everybody, I'm a newbie in this list, so I don't know if it's the appropriate place for my question. Anyway, I'd be happy to find out the solution. Please, has anyone simple answer for: I'm looking for an exact list of files, which: 1. MUST have... 2. HAVE FROM BSD INSTALLATION... 3. DO NOT NEED... 4. NEVER MAY... ...the suid-bit set. Of course, it's no problem to find-out which files ALREADY HAS suid-bit set. But what files REALLY MUST have it ? I know generalities, as e.g. shell should never have suid bit set, but what if someone has copied any shell to some other location and have set the suid bit ? It's security hole, isn't it ? And what if I have more such files on my machine ? It is not about my machine has been compromited, it is only WHAT IF... Second question is: Has anybody an exact wizard, how to secure the FreeBSD machine. Imagine the situation, the only person who can do anything on that machine is me, and nobody other. I have set very restrictive firewalling, I have removed ALL tty's except two local tty's (I need to work on that machine), but there are still open port 25 and 53 (must be forever), so someone very tricky can compromite my machine. I'm a little bit paranoic, don't I :-))) Cheers, Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: suid bit files and securing FreeBSD
Sorry for disturbing you. This was for security mailing list and I sent it here by mistake Cheers, Peter Rosa - Original Message - From: Peter Rosa [EMAIL PROTECTED] To: FreeBSD Questions [EMAIL PROTECTED] Sent: Saturday, July 26, 2003 7:11 PM Subject: suid bit files and securing FreeBSD Hello everybody, I'm a newbie in this list, so I don't know if it's the appropriate place for my question. Anyway, I'd be happy to find out the solution. Please, has anyone simple answer for: I'm looking for an exact list of files, which: 1. MUST have... 2. HAVE FROM BSD INSTALLATION... 3. DO NOT NEED... 4. NEVER MAY... ...the suid-bit set. Of course, it's no problem to find-out which files ALREADY HAS suid-bit set. But what files REALLY MUST have it ? I know generalities, as e.g. shell should never have suid bit set, but what if someone has copied any shell to some other location and have set the suid bit ? It's security hole, isn't it ? And what if I have more such files on my machine ? It is not about my machine has been compromited, it is only WHAT IF... Second question is: Has anybody an exact wizard, how to secure the FreeBSD machine. Imagine the situation, the only person who can do anything on that machine is me, and nobody other. I have set very restrictive firewalling, I have removed ALL tty's except two local tty's (I need to work on that machine), but there are still open port 25 and 53 (must be forever), so someone very tricky can compromite my machine. I'm a little bit paranoic, don't I :-))) Cheers, Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: suid bit files and securing FreeBSD
Hello Matthew,
thank you very much. It's excatly you say. FreeBSD is my option because of
historical reasons. Someone has installed it for me two years ago, and now
I love it (he installed it after two hacks and two reinstallations of RedHat
Linux [I don't want to say, RHL is not good, but FBSD is better :-) {now I
see the storm, like with I'm christian.. mail to this list :-))) } ] ).
Wow, such a short sentence I just produced :-)
Peter Rosa
- Original Message -
From: Matthew Graybosch [EMAIL PROTECTED]
To: Peter Rosa [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, July 26, 2003 7:22 PM
Subject: Re: suid bit files and securing FreeBSD
Second question is: Has anybody an exact wizard, how to secure
the FreeBSD machine. Imagine the situation, the only person who
can do anything on that machine is me, and nobody other. I have
set very restrictive firewalling, I have removed ALL tty's except
two local tty's (I need to work on that machine), but there are
still open port 25 and 53 (must be forever), so someone very
tricky can compromite my machine.
I'm a little bit paranoic, don't I :-)))
Uhm, yes, you *are* just a wee bit paranoid. But it helps to be
paranoid if you're root on somebody else's machine. Great power and
great responsibility, right?
But if you're concerned with security uber alles, I'm surprised you
didn't look into OpenBSD first. According to their site
(openbsd.org), they've had only one remote hole in the default
install, in more than 7 years!
FreeBSD certainly can be secured, but it appears that the developers
put performance and reliability first, and then security. Theo de
Raadt puts security first.
--
Matthew Graybosch
http://www.starbreaker.net
I am become root, shatterer of kernels.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Defragment HDD
SORRY, SORRY AND ONE MORE SORRY. I love FBSD very much, but it really writes (during boot-up) something about fragmentation. So I forgot about its professionality and so for a moment and write my stupid question to the list. At least, everyone will now know... Sincerelly Peter Rosa - Original Message - From: Bill Campbell [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, July 25, 2003 5:16 AM Subject: Re: Defragment HDD On Thu, Jul 24, 2003 at 03:38:06PM -0500, David Kelly wrote: On Thursday 24 July 2003 02:45 pm, Peter Rosa wrote: Hi all, is it possible, and by using what program, to defragment HDDs under FreeBSD ? Why are you worried about it? Professional-grade filesystems such as UFS do not require or benefit the way Microsoft-grade filesystems do. This is a common problem in that people can not imagine that the Microsoft way is any but the only way. Maybe this is a marketing opportunity! Write a do-nothing program that keeps the HD light flashing, displays something like the typical M$ defrag utility, and perhaps even simulates a random system crash and reboot. Bill -- INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC UUCP: camco!bill PO Box 820; 6641 E. Mercer Way FAX:(206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676 URL: http://www.celestial.com/ Government is the great fiction, through which everbody endeavors to live at the expense of everybody else. -- Frederic Bastiat ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Problem with periodically done scripts
Hello everybody, is there really no one who knows answer for my question posted on July 24 ? Please help me, if you know. Peter Rosa - Original Message - From: Peter Rosa [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 24, 2003 7:46 AM Subject: System hack ?! Greetings to every FreeBSD fan. Is anybody out there who can help me with this problem ? I have FreeBSD 4.3 acting as a gateway to I-net and mailserver. In /etc/periodic are standard scripts, which send statistics to roots's mail every morning. Dated from April 24, 2003, 04:03 AM (standard time, when these scripts are running) there ara comming lines as follows: Checking for passwordless accounts: [: 0: unexpected operator The bad one is only the second line (unexpected operator), because till April 19 all worked well. Can you tell me, why it started from April 20, and what goes wrong ? I think, it is an error of awk or sed, but I checked their access/modified dates, and they seem to be the same as the rest of system. I think the hack is probably not the problem (?!?!?!). May be it is some automated actualisation, but I should know about it, don't I ? Please help if you can. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with periodically done scripts
Dear Luke, thank you for helping. It is, of course possible, but on that machine areonly 10 users, no one is added from 2001. Passwd is not the only file, because whole security log seems as follows: Checking setuid files and devices: Checking for uids of 0: root 0 toor 0 [: 0: unexpected operator Checking for passwordless accounts: [: 0: unexpected operator hostname login failures: [: 0: unexpected operator hostname refused connections: [: 0: unexpected operator hostname checking for denied secondary zone transfers: [: 0: unexpected operator It seems to be an error of awk, which is used inside /etc/security script (but not the only one). I have recompiled sed, sh but I can not reinstall awk, as it is not in the port, nor /usr/src sub-tree. Any solution ? Peter Rosa - Original Message - From: "Luke Kearney" [EMAIL PROTECTED] To: "Peter Rosa" [EMAIL PROTECTED] Sent: Friday, July 25, 2003 2:06 PM Subject: Re: Problem with periodically done scripts Hello, Check you logs and see if any accounts were added between the periodic scripts running on the 19th and the 20th. My gut feeling is that the passwd file got a bit mangled or poorly edited. You may have to rebuild your master.passwd file and it will go away HTH LukeK - Original Message ----- From: "Peter Rosa" [EMAIL PROTECTED] To: "freebsd-questions" [EMAIL PROTECTED] Sent: Friday, July 25, 2003 8:50 PM Subject: Problem with periodically done scripts Hello everybody, is there really no one who knows answer for my question posted on July 24 ? Please help me, if you know. Peter Rosa - Original Message - From: "Peter Rosa" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 24, 2003 7:46 AM Subject: System hack ?! Greetings to every FreeBSD fan. Is anybody out there who can help me with this problem ? I have FreeBSD 4.3 acting as a gateway to I-net and mailserver. In /etc/periodic are standard scripts, which send statistics to roots's mail every morning. Dated from April 24, 2003, 04:03 AM (standard time, when these scripts are running) there ara comming lines as follows: Checking for passwordless accounts: [: 0: unexpected operator The bad one is only the second line (unexpected operator), because till April 19 all worked well. Can you tell me, why it started from April 20, and what goes wrong ? I think, it is an error of awk or sed, but I checked their access/modified dates, and they seem to be the same as the rest of system. I think the hack is probably not the problem (?!?!?!). May be it is some automated actualisation, but I should know about it, don't I ? Please help if you can. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]" ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]" ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
What version of BSD should I use
Hello everybody, I have spent a lot of time on FreeBSD.org web pages, but I still can not find VERY SIMPLE answer for this question: what version of FreeBSD should I use ? I need system which is VERY STABLE, with as few possibilities to hack as possible (the best is absolutely closed :-) ), running only named, sendmail, samba, apache, php, perl, and firewall. It will be used also as a gateway to I-net for small company, so it MUST be SAFE, STABLE and nice. That is what I want. On the other side, it is possible to download FreeBSDs from 4.7 to 5.1. Currently, I run 4.3, and I have problems, because there is no milter support in sendmail, I can not use some commercial SW as it wants higher version etc. But I like it... I think, older is better, but I will not have support for some new technologies. And I think, the newest is good, but all new SW has some bugs - meaning it's UNSAFE. Less bugs = BETTER and SAFER life. What is your consideration - what version should I use ? Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: What version of BSD should I use
Thanks for quick response. I have thought so, but I want to be sure. There is also 4.7. Do you think better to use 4.8 ? Peter Rosa - Original Message - From: Kenneth Culver [EMAIL PROTECTED] To: Peter Rosa [EMAIL PROTECTED] Cc: freebsd-questions [EMAIL PROTECTED] Sent: Friday, July 25, 2003 6:34 PM Subject: Re: What version of BSD should I use I have spent a lot of time on FreeBSD.org web pages, but I still can not find VERY SIMPLE answer for this question: what version of FreeBSD should I use ? I need system which is VERY STABLE, with as few possibilities to hack as possible (the best is absolutely closed :-) ), running only named, sendmail, samba, apache, php, perl, and firewall. It will be used also as a gateway to I-net for small company, so it MUST be SAFE, STABLE and nice. That is what I want. On the other side, it is possible to download FreeBSDs from 4.7 to 5.1. Use FreeBSD 4.8. There are several pages on freebsd.org that say use 4.x for stability, 5.x for trying out new tech. Also, I'd not use named or sendmail. There are programs out there that are (in my opinion) better. djbdns is a lot more secure than named, and postfix is a lot more secure and a lot faster than sendmail... not to mention much easier to configure. Ken ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with periodically done scripts
Here is complete listing. Do you have any idea ?
+ echo Checking for uids of 0:
Checking for uids of 0:
+ awk -F: $3==0 {print $1,$3} /etc/master.passwd
+ tee /dev/stderr
root 0
toor 0
+ sed -e /^root 0$/d -e /^toor 0$/d
+ wc -l
+ n=
+ [ -gt 0 -a -lt 1 ]
[: 0: unexpected operator
+ echo Checking for passwordless accounts:
Checking for passwordless accounts:
+ awk -F: NF 1 $1 !~ /^[#+-]/ $2== {print $0} /etc/master.passwd
+ tee /dev/stderr
+ wc -l
+ n=
+ [ -gt 0 -a -lt 1 ]
[: 0: unexpected operator
Peter Rosa
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: What version of BSD should I use
Well, but what about djbdns ? Is it fully compatible with BIND ? I think it is, as you use it :-) I have never heard about it. And what should I do with my new book (900 pages about configuring this mega program) ? Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: What version of BSD should I use
And what should I do with my new book (900 pages about configuring this mega program) ? 900 pages about configuring which mega program? Of course, it is about sendmail. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Fw: Problem with periodically done scripts
I'm asking again, as there is no response up now.
As for me, now it seems as I don't know what's the error here, I have
never seen that listings (using -x switch).
Peter Rosa
- Original Message -
From: Peter Rosa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: freebsd-questions [EMAIL PROTECTED]
Sent: Friday, July 25, 2003 6:59 PM
Subject: Re: Problem with periodically done scripts
Here is complete listing. Do you have any idea ?
+ echo Checking for uids of 0:
Checking for uids of 0:
+ awk -F: $3==0 {print $1,$3} /etc/master.passwd
+ tee /dev/stderr
root 0
toor 0
+ sed -e /^root 0$/d -e /^toor 0$/d
+ wc -l
+ n=
+ [ -gt 0 -a -lt 1 ]
[: 0: unexpected operator
+ echo Checking for passwordless accounts:
Checking for passwordless accounts:
+ awk -F: NF 1 $1 !~ /^[#+-]/ $2== {print $0} /etc/master.passwd
+ tee /dev/stderr
+ wc -l
+ n=
+ [ -gt 0 -a -lt 1 ]
[: 0: unexpected operator
Peter Rosa
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with periodically done scripts
I'm asking again, as there is no response up now. You forgot to say please, sir... 8-| Sorry, sorry and one more sorry. You know, I'm currently about 14 hours at work SoP L E A S E Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with periodically done scripts
It is doing xactly the same as my scripts (unexpected operator).
Everything gone well until April 20. Scripts my machine use are from
standard FBSD installation, so why they are not working now ?
Peter Rosa
- Original Message -
From: Vitali Malicky [EMAIL PROTECTED]
To: freebsd-questions [EMAIL PROTECTED]
Sent: Friday, July 25, 2003 8:52 PM
Subject: Re: Problem with periodically done scripts
I'm asking again, as there is no response up now.
You forgot to say please, sir... 8-|
As for me, now it seems as I don't know what's the error here, I
have
never seen that listings (using -x switch).
try my scripts, I never have any problems with them, so don't even
understan
what you're about...
300.chkuid0
=
#!/bin/sh -
if [ -r /etc/defaults/periodic.conf ]
then
. /etc/defaults/periodic.conf
source_periodic_confs
fi
case $daily_status_security_chkuid0_enable in
[Yy][Ee][Ss])
echo
echo 'Checking for uids of 0:'
n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
tee /dev/stderr |
sed -e '/^root 0$/d' -e '/^toor 0$/d' |
wc -l)
[ $n -gt 0 ] rc=1 || rc=0;;
*) rc=0;;
400.passwdless
#!/bin/sh -
if [ -r /etc/defaults/periodic.conf ]
then
. /etc/defaults/periodic.conf
source_periodic_confs
fi
case $daily_status_security_passwdless_enable in
[Yy][Ee][Ss])
echo
echo 'Checking for passwordless accounts:'
n=$(awk -F: 'NF 1 $1 !~ /^[#+-]/ $2== {print $0}'
/etc/master.passwd |
tee /dev/stderr | wc -l)
[ $n -gt 0 ] rc=1 || rc=0;;
*) rc=0;;
esac
exit $rc
===
Peter Rosa
- Original Message -
From: Peter Rosa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: freebsd-questions [EMAIL PROTECTED]
Sent: Friday, July 25, 2003 6:59 PM
Subject: Re: Problem with periodically done scripts
Here is complete listing. Do you have any idea ?
+ echo Checking for uids of 0:
Checking for uids of 0:
+ awk -F: $3==0 {print $1,$3} /etc/master.passwd
+ tee /dev/stderr
root 0
toor 0
+ sed -e /^root 0$/d -e /^toor 0$/d
+ wc -l
+ n=
+ [ -gt 0 -a -lt 1 ]
[: 0: unexpected operator
+ echo Checking for passwordless accounts:
Checking for passwordless accounts:
+ awk -F: NF 1 $1 !~ /^[#+-]/ $2== {print $0}
/etc/master.passwd
+ tee /dev/stderr
+ wc -l
+ n=
+ [ -gt 0 -a -lt 1 ]
[: 0: unexpected operator
Peter Rosa
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
[EMAIL PROTECTED]
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with periodically done scripts
It seems now, that my /etc/master.passwd is really broken. Have anybody an idea, how to recreate it ? Pls, help. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with periodically done scripts
Impossible to do. It continues from April 20... :-((( Peter Rosa - Original Message - From: Dan Nelson [EMAIL PROTECTED] To: Peter Rosa [EMAIL PROTECTED] Cc: freebsd-questions [EMAIL PROTECTED] Sent: Friday, July 25, 2003 9:28 PM Subject: Re: Problem with periodically done scripts In the last episode (Jul 25), Peter Rosa said: It seems now, that my /etc/master.passwd is really broken. Have anybody an idea, how to recreate it ? Your last 2 previous versions should be in /var/backups. -- Dan Nelson [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with periodically done scripts
Yes, in /var/backups was 2 old copies of master.passwd. One from Feb 9, second from Feb 24 (the last time I changed something). I tried both, but problem persists. Thank you, but have you still any idea? Peter Rosa - Original Message - From: Daniel Bye [EMAIL PROTECTED] To: freebsd-questions [EMAIL PROTECTED] Sent: Friday, July 25, 2003 9:51 PM Subject: Re: Problem with periodically done scripts ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Fw: Problem with periodically done scripts
Well, I have tried it. When I type exactly the same command
awk -F: '$3==0 {print $1,$3}' /etc/master.passwd | tee /dev/stderr |
sed -e
'/^root 0$/d' -e '/^toor 0$/d' | wc -l
at prompt, it works well. So the error must be around [ -gt 0 -a -lt 1 ]
rc==1
Of course, I *have* /etc/master.passwd.
The whole /etc/security script follows:
#!/bin/sh -
PATH=/sbin:/bin:/usr/bin
LC_ALL=C; export LC_ALL
rc=0
LOG=/var/log
TMP=/var/run/_secure.$$
separator () {
echo ''
echo ''
}
catmsgs() {
find $LOG -name 'messages.*' -mtime -2 |
sort -t. -r -n +1 -2 |
xargs zcat -f
[ -f $LOG/messages ] cat $LOG/messages
}
sflag=FALSE ignore=
while getopts ams c
do
case $c in
a) ignore=$ignore|^amd:;;
m) ignore=$ignore|^mfs:;;
s) sflag=TRUE;;
esac
done
yesterday=`date -v-1d +%b %e `
host=`hostname`
[ $sflag = FALSE ] echo Subject: ${host} security check output
umask 027
echo 'Checking setuid files and devices:'
# Don't have ncheck, but this does the equivalent of the commented out
block.
# Note that one of the original problems, the possibility of overrunning
# the args to ls, is still here...
#
MP=`mount -t ufs | grep -v nosuid | awk '{ print $3 }' | sort`
set ${MP}
while [ $# -ge 1 ]; do
mount=$1
shift
find $mount -xdev -type f \
\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
\( -perm -u+s -or -perm -g+s \) -print0
done | xargs -0 -n 20 ls -liTd | sort +10 ${TMP}
if [ ! -f ${LOG}/setuid.today ]; then
[ $rc -lt 1 ] rc=1
separator
echo No ${LOG}/setuid.today
cp ${TMP} ${LOG}/setuid.today || rc=3
fi
if ! cmp ${LOG}/setuid.today ${TMP} /dev/null; then
[ $rc -lt 1 ] rc=1
separator
echo ${host} setuid diffs:
diff -w ${LOG}/setuid.today ${TMP}
mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
mv ${TMP} ${LOG}/setuid.today || rc=3
fi
# Show changes in the way filesystems are mounted
#
[ -n $ignore ] cmd=egrep -v ${ignore#|} || cmd=cat
if mount -p | $cmd $TMP; then
if [ ! -f $LOG/mount.today ]; then
[ $rc -lt 1 ] rc=1
separator
echo No $LOG/mount.today
cp $TMP $LOG/mount.today || rc=3
fi
if ! cmp $LOG/mount.today $TMP /dev/null 21; then
[ $rc -lt 1 ] rc=1
separator
echo $host changes in mounted filesystems:
diff -b $LOG/mount.today $TMP
mv $LOG/mount.today $LOG/mount.yesterday || rc=3
mv $TMP $LOG/mount.today || rc=3
fi
fi
separator
echo 'Checking for uids of 0:'
n=$(awk -F: '$3==0 {print $1,$3}' /etc/master.passwd |
tee /dev/stderr |
sed -e '/^root 0$/d' -e '/^toor 0$/d' |
wc -l)
[ $n -gt 0 -a $rc -lt 1 ] rc=1
separator
echo 'Checking for passwordless accounts:'
n=$(awk -F: 'NF 1 $1 !~ /^[#+-]/ $2== {print $0}'
/etc/master.passwd |
tee /dev/stderr | wc -l)
[ $n -gt 0 -a $rc -lt 1 ] rc=1
# Show denied packets
#
if ipfw -a l 2/dev/null | egrep deny|reset|unreach ${TMP}; then
if [ ! -f ${LOG}/ipfw.today ]; then
[ $rc -lt 1 ] rc=1
separator
echo No ${LOG}/ipfw.today
cp ${TMP} ${LOG}/ipfw.today || rc=3
fi
if ! cmp ${LOG}/ipfw.today ${TMP} /dev/null; then
[ $rc -lt 1 ] rc=1
separator
echo ${host} denied packets:
diff -b ${LOG}/ipfw.today ${TMP} | egrep ^
mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
mv ${TMP} ${LOG}/ipfw.today || rc=3
fi
fi
# Show ipfw rules which have reached the log limit
#
IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2 /dev/null`
if [ $? -eq 0 -a ${IPFW_LOG_LIMIT} -ne 0 ]; then
ipfw -a l | grep log | perl -n -e \
'/^\d+\s+(\d+)/; print if ($1 = '$IPFW_LOG_LIMIT')' ${TMP}
if [ -s ${TMP} ]; then
[ $rc -lt 1 ] rc=1
separator
echo 'ipfw log limit reached:'
cat ${TMP}
fi
fi
# Show kernel log messages
#
if dmesg 2/dev/null ${TMP}; then
if [ ! -f ${LOG}/dmesg.today ]; then
[ $rc -lt 1 ] rc=1
separator
echo No ${LOG}/dmesg.today
cp ${TMP} ${LOG}/dmesg.today || rc=3
fi
if ! cmp ${LOG}/dmesg.today ${TMP} /dev/null 21; then
[ $rc -lt 1 ] rc=1
separator
echo ${host} kernel log messages:
diff -b ${LOG}/dmesg.today ${TMP} | egrep ^
mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
mv ${TMP} ${LOG}/dmesg.today || rc=3
fi
fi
# Show login failures
#
separator
echo ${host} login failures:
n=$(catmsgs | grep -i ^$yesterday.*login failure | tee /dev/stderr |
wc -l)
[ $n -gt 0 -a $rc -lt 1 ] rc=1
# Show tcp_wrapper warning messages
#
separator
echo ${host} refused connections:
n=$(catmsgs | grep -i ^$yesterday.*refused connect | tee /dev/stderr |
wc -l)
[ $n -gt 0 -a $rc -lt 1 ] rc=1
# Show denied secondary bind transfer attempts
#
separator
echo $host checking for denied secondary zone transfers:
n=$(catmsgs | grep -i -E denied (AXFR|IXFR) from | tee /dev/stderr |
wc -l)
[ $n -gt 0 -a $rc -lt 1 ] rc=1
rm -f ${TMP}
exit $rc
# --
-
Peter Rosa
- Original Message -
From: Lowell
Re: Problem with periodically done scripts
Dear Gilbert,
I have replaced wc with make install from /usr/src/usr.bin/wc and now it
works. Up now wc -l gave no results, now it give proper number.
Could you, please, explain the following line: [ $n -gt 0 -a $rc -lt 1 ] ???
Why are there [] ? When I write it at prompt as
[0 -gt 0 -a - lt 0] it writes [: 0: unexpected operator, but
[0 -gt 0 -a -lt ] writes nothing.
What is it ? What type of command is written such kind ?
Peter Rosa
P.S. Now awk -F: '$3==0 {print $1,$3}' /etc/master.passwd | tee /dev/stderr
| sed -e '/^root 0$/d' -e '/^toor 0$/d' | wc -l returns
root 0
toor 0
1
PR
- Original Message -
From: Lowell Gilbert [EMAIL PROTECTED]
To: Peter Rosa [EMAIL PROTECTED]
Sent: Friday, July 25, 2003 11:51 PM
Subject: Re: Problem with periodically done scripts
Peter Rosa [EMAIL PROTECTED] writes:
Well, I have tried it. When I type exactly the same command
awk -F: '$3==0 {print $1,$3}' /etc/master.passwd | tee /dev/stderr |
sed -e
'/^root 0$/d' -e '/^toor 0$/d' | wc -l
at prompt, it works well. So the error must be around [ -gt 0 -a -lt 1 ]
rc==1
echo 'Checking for uids of 0:'
n=$(awk -F: '$3==0 {print $1,$3}' /etc/master.passwd |
tee /dev/stderr |
sed -e '/^root 0$/d' -e '/^toor 0$/d' |
wc -l)
[ $n -gt 0 -a $rc -lt 1 ] rc=1
Note the $n.
n should be zero after the previous command.
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with periodically done scripts
And what's wrong on [ 0 -gt 0 -a -lt 0]. Peter - Original Message - From: Dan Nelson [EMAIL PROTECTED] To: Peter Rosa [EMAIL PROTECTED] Cc: freebsd-questions [EMAIL PROTECTED] Sent: Saturday, July 26, 2003 12:22 AM Subject: Re: Problem with periodically done scripts In the last episode (Jul 26), Peter Rosa said: Dear Gilbert, I have replaced wc with make install from /usr/src/usr.bin/wc and now it works. Up now wc -l gave no results, now it give proper number. Could you, please, explain the following line: [ $n -gt 0 -a $rc -lt 1 ] ??? Why are there [] ? When I write it at prompt as [0 -gt 0 -a - lt 0] it writes [: 0: unexpected operator, but [0 -gt 0 -a -lt ] writes nothing. [ is another way to run the test command. man test for more info. -- Dan Nelson [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with periodically done scripts
You are right. We are so close the solution... But WHY is $rc empty ? As you can see in my previous mail I send whole security script, it is set in the beginning of script and then it is set along whole script at least 10 times (using or =). So it should not be empty... Peter - Original Message - From: Dan Nelson [EMAIL PROTECTED] To: Peter Rosa [EMAIL PROTECTED] Cc: freebsd-questions [EMAIL PROTECTED] Sent: Saturday, July 26, 2003 12:33 AM Subject: Re: Problem with periodically done scripts In the last episode (Jul 26), Peter Rosa said: And what's wrong on [ 0 -gt 0 -a -lt 0]. -lt needs a number in front of it, since it does a less-than comparison. Could you, please, explain the following line: [ $n -gt 0 -a $rc -lt 1 ] ... which means that $rc is probably empty. -- Dan Nelson [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
suid files
Some another question I wanted to ask a long time ago: 1. Is there some list of files, that REALLY need suid-bit set ? 2. Is there some list of files, installed from FreeBSD, which HAVE suid-bit set ? Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Problem with periodically done scripts
Well, well, well. We have done it. I just tried sh /etc/security and it REALLY works well. I have tried my changes in small fragment of /etc/security where I forgot to define $rc in the beginning. There was an really error in wc command - it did not count lines, so $n was never set properly. Thanks for everybody, who helped me with this strange thing. I have learned a lot of new. Even more to investigate who and how changed my wc file Last changes I made: cd /usr/src/bin/test make make install make clean cd /usr/src/usr.bin/wc make make install make clean And all works :-)) Peter Rosa P.S. Again, thank you, guys :-))) ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Defragment HDD
Hi all, is it possible, and by using what program, to defragment HDDs under FreeBSD ? Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Defragment HDD
OK, but it is not the real defragmenting like Norton Speedisk or MS Defrag on windoze machines. Is there anything other ? Peter Rosa - Original Message - From: Scott Kupferschmidt [EMAIL PROTECTED] To: Peter Rosa [EMAIL PROTECTED] Cc: freebsd-questions [EMAIL PROTECTED] Sent: Thursday, July 24, 2003 9:48 PM Subject: Re: Defragment HDD Hello, I always cat /dev/zero file wait until the drive fills up, rm file and you're set. Sincerely, Scott Kupferschmidt ISPrime, Inc. 866.502.4678 ext. 3 AIM: Scott ISPrime - ICQ: 174337249 On Thu, 24 Jul 2003, Peter Rosa wrote: Hi all, is it possible, and by using what program, to defragment HDDs under FreeBSD ? Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
System hack ?!
Greetings to every FreeBSD fan. Is anybody out there who can help me with this problem ? I have FreeBSD 4.3 acting as a gateway to I-net and mailserver. In /etc/periodic are standard scripts, which send statistics to roots's mail every morning. Dated from April 24, 2003, 04:03 AM (standard time, when these scripts are running) there ara comming lines as follows: Checking for passwordless accounts: [: 0: unexpected operator The bad one is only the second line (unexpected operator), because till April 19 all worked well. Can you tell me, why it started from April 20, and what goes wrong ? I think, it is an error of awk or sed, but I checked their access/modified dates, and they seem to be the same as the rest of system. I think the hack is probably not the problem (?!?!?!). May be it is some automated actualisation, but I should know about it, don't I ? Please help if you can. Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
POP3d slowing down mail downloads
Hello everybody, I have sent this question few monts ago, but no reply come back. Is everybody out there who knows the solution? Please advice with small problem. I have the gateway running FreeBSD 4.3 with sendmail and pop3d. It seems to slow down all downloads of localy saved mails. Two months ago I can download eg. 5MB mail up to 15 secs, now it is about 2-3 mins. It is still worse and worse :-((( Where could be the problem ? Thanks for all replies. Peter Rosa To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Problem with Sendmail or pop3d
Hi all, please advice with small problem. I have the gateway running FreeBSD 4.3 with sendmail and pop3d. It seems to slow down all downloads of localy saved mails. Two months ago I can download eg. 5MB mail up to 15 secs, now it is about 2-3 mins. It is still worse and worse :-((( Where could be the problem ? Thanks for all replies. Peter Rosa To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
