Ezjail freebsd-update

2011-08-21 Thread Rocky Borg
I had an opportunity to upgrade a server from FreeBSD 8.1 to 8.2 since 
it had to be restarted anyway. I upgraded it with freebsd-update and 
compiled a custom kernel with no problem. However, I haven't been able to 
find a procedure for updating jails when they've been set up with ezjail. 
I did 'ezjail-admin update -u'; however, it doesn't seem like that 
upgraded things like the /etc/ dir inside jails. I'm not too worried 
since everything is working, but if anyone can point me in the right 
direction I would appreciate it. I figure this will be especially 
important when moving to 9.0 when it's released.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


jailaudit

2010-09-25 Thread Rocky Borg
I've been trying to get jailaudit set up to mail reports daily and I 
haven't had much luck. It generates reports and I can read them in 
/usr/local/etc/jailaudit/reports. However, when I try


# jailaudit mail r...@example.com ALL

No email is sent (nothing shows up in the maillog). The only time I've 
gotten it to send anything is doing


# jailaudit generate ALL | mail r...@thelebowski.com

However the email just says

Downloading a current audit database:
New database installed.
Database created: Sat Sep 25 08:05:00 PDT 2010

Which doesn't seem right since the reports should show no vulnerable 
ports (and for what jail). I've checked the jailaudit website and the 
usage page seems incorrect. Any help would be greatly appreciated as I 
would like to not have to install portaudit in each jail.


Or if anyone has a better way to handle portaudit with multiple jails 
I'm open to suggestions.



Re: DSPAM

2010-08-26 Thread Rocky Borg

 On 8/26/2010 5:36 PM, siefke_lis...@web.de wrote:

  -o smtpd_authorized_xforward_hosts=127.0.0.0/8


That's probably the problem. It needs to be the ip of the jail.  A jail 
maps localhost addresses like 127.0.0.1 to the jail's address. So when 
you specify network blocks in access restrictions, filters and the like, 
make sure to use your jail IP rather than 127.0.0.1.



Re: Mail and DNS setup

2010-08-19 Thread Rocky Borg

 On 8/19/2010 3:44 PM, Depo Catcher wrote:
While we're at it, any alternatives to bind?  We have a slow internet 
so like to cache things locally.

Other than local lookup and caching, nothing else is needed.


Unbound ( http://www.unbound.net/ ) just does validating, recursive, and 
caching DNS. If you ever end up needing an authoritative server you can 
pair it with NSD ( http://www.nlnetlabs.nl/projects/nsd/ ). They are 
both from the same company.


There is also MaraDNS, which promotes itself as being very secure, small, 
and easy to configure ( http://www.maradns.org/ ).


I personally like MaraDNS; you can read the advocacy document, which 
compares various DNS servers: http://www.maradns.org/advocacy.html



Re: box reboot after hdd write error

2010-08-18 Thread Rocky Borg

 On 8/17/2010 11:37 PM, claudiu vasadi wrote:

Hello fellas,

My system is a 8.0-RELEASE with 6 hdd's. 2 days ago I had some power
failures and 2 disks were affected. These 2 hdd;s are connected to atapci0:
SiI 3512 SATA150 controller  port
0xd000-0xd007,0xd100-0xd103,0xd200-0xd207,0xd300-0xd303,0xd400-0xd40f mem
0xfa4a-0xfa4a01ff irq 12 at device 4.0 on pci2 s-ata controller. Before
the power surge, the disks were operating normally. I use them for storage,
therefore no system data is kept on them.

The issue here is that after the write failure, the box reboots. Up to this
point I cannot figure out why it reboots, since the disks contain no
relevant data (from a OS point of view).

Do you think it's normal for an OS to reboot if 2 disks have write errors ?
even more so, if the disks have no OS files on them


How often is it rebooting? And it's not saying or doing anything, it just 
randomly reboots? That seems more like a hardware issue than something 
OS related, since the OS isn't even on those disks. If they're just data 
disks you could unplug them to see if the machine still reboots. That 
would let you know for sure whether they really are the problem or if it's 
something else. Are you sure the power surge didn't affect the power 
supply? Also, did you do anything to the system after the power surge 
(like open it up for any reason where there may be a loose wire not 
plugged in all the way)? The last thing I would mention is this could 
all be a coincidence and it might be related to heat; make sure all your 
fans are working and that there isn't any big dust buildup inside (gogo 
compressed air).



Re: releases, branches,..

2010-08-12 Thread Rocky Borg

On 8/12/2010 2:02 PM, Dick Hoogendijk wrote:

 On 12-8-2010 22:53, Polytropon wrote:
On Thu, 12 Aug 2010 22:46:18 +0200, Dick Hoogendijkd...@nagual.nl  
wrote:

I'm running 8.1-RELEASE now, but what about security issues found?
Which brach do I follow?

In this case, use freebsd-update to track -RELEASE; you will
get the security patches by binary updating, e. g. you can use
this tool to get from 8.1-RELEASE to 8.1-RELEASE-p1 without the
need to compile anything.

See man freebsd-update for details.
Thank you. I will follow RELEASE then. Also a thanks to Svein. ;-) Is 
RELEASE automatically set in a fresh FreeBSD install or do I need to 
change anything?




uname -raa

freebsd-update will update the version you have installed (so yes, 
RELEASE in a fresh install) only with security patches. If a new version 
comes out that you want to upgrade to, you would do something like


freebsd-update upgrade -r 8.3-RELEASE



Re: Re : How to connect a jail to the web ?

2010-08-11 Thread Rocky Borg

On 8/11/2010 8:35 AM, Brice ERRANDONEA wrote:

I tried all of this without any result. But I won't give up.

What I want is a jail with an Apache http server running inside. So, the jail
must have a public IPv4 and access to the web.


I've been in the same boat as you and there isn't a lot of clear 
documentation that works in all situations. After reading tons of stuff 
on the subject I finally figured out what should work in almost every 
situation. Rather than fit everything in an email I put together a HOWTO 
on the freebsd forums. This should get you up and running quickly and if 
you have any problems or questions don't hesitate to ask.


http://forums.freebsd.org/showthread.php?t=16860


Re: ssh under attack - sessions in accepted state hogging CPU

2010-08-10 Thread Rocky Borg
One thing I don't see mentioned a lot is port knocking. It's not perfect 
but it does have its uses.


Since it sounds like you have a lot of users that need to connect you 
might be able to adapt it to your situation. I haven't tried this 
specific port knocking sequence, but you could set up a knock where if a 
user attempts to connect to port 22, say, 3 times (most clients should 
auto retry) it then opens up port 22 to that IP and allows them to 
connect to sshd. This would depend on the type of brute force being 
done. A distributed botnet might only try an IP/port once or twice, then 
move on. This would be pretty seamless to the end user except for an 
initial delay when connecting, as their client retries the connection 
until the specific knock threshold has been hit. It's a middle ground to 
changing the port sshd is operating on. You can do this with firewall 
rules or http://www.freshports.org/security/knock/. A lot of SSH 
attacks are coming from large numbers of compromised hosts, which makes 
them very hard to stop with sshguard, which is pretty annoying.


On 8/9/2010 8:13 PM, Matt Emmerton wrote:

Hi all,

I'm in the middle of dealing with a SSH brute force attack that is 
relentless.  I'm working on getting sshguard+ipfw in place to deal 
with it, but in the meantime, my box is getting pegged because sshd is 
accepting some connections which are getting stuck in [accepted] state 
and eating CPU.


I know there's not much I can do about the brute force attacks, but 
will upgrading openssh avoid these stuck connections?


root 39127 35.2  0.1  6724  3036  ??  Rs   11:10PM   0:37.91 sshd: [accepted] (sshd)
root 39368 33.6  0.1  6724  3036  ??  Rs   11:10PM   0:22.99 sshd: [accepted] (sshd)
root 39138 33.1  0.1  6724  3036  ??  Rs   11:10PM   0:41.94 sshd: [accepted] (sshd)
root 39137 32.5  0.1  6724  3036  ??  Rs   11:10PM   0:36.56 sshd: [accepted] (sshd)
root 39135 31.0  0.1  6724  3036  ??  Rs   11:10PM   0:35.09 sshd: [accepted] (sshd)
root 39366 30.9  0.1  6724  3036  ??  Rs   11:10PM   0:23.01 sshd: [accepted] (sshd)
root 39132 30.8  0.1  6724  3036  ??  Rs   11:10PM   0:35.21 sshd: [accepted] (sshd)
root 39131 30.7  0.1  6724  3036  ??  Rs   11:10PM   0:38.07 sshd: [accepted] (sshd)
root 39134 30.2  0.1  6724  3036  ??  Rs   11:10PM   0:40.96 sshd: [accepted] (sshd)
root 39367 29.3  0.1  6724  3036  ??  Rs   11:10PM   0:22.08 sshd: [accepted] (sshd)


  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
39597 root        1 103    0  6724K  3036K RUN    3   0:28 35.06% sshd
39599 root        1 103    0  6724K  3036K RUN    0   0:26 34.96% sshd
39596 root        1 103    0  6724K  3036K RUN    0   0:27 34.77% sshd
39579 root        1 103    0  6724K  3036K CPU3   3   0:28 33.69% sshd
39592 root        1 102    0  6724K  3036K RUN    2   0:27 32.18% sshd
39591 root        1 102    0  6724K  3036K CPU2   2   0:27 31.88% sshd


--
Matt Emmerton
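The detection side of this thread (the decision sshguard automates before it feeds ipfw), as an added example that is not from the list or from sshguard itself: count failed sshd logins per source address and turn the ones over a threshold into ipfw table commands. The log lines, addresses and table number are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: count failed sshd logins per
# source address in auth.log-style lines and report the addresses that
# cross a threshold, in a form that can be fed to an ipfw table. The log
# lines below are constructed; on a real host they would come from
# /var/log/auth.log.

SAMPLE_LOG='Aug  9 23:10:01 host sshd[39127]: Invalid user admin from 203.0.113.7
Aug  9 23:10:02 host sshd[39127]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug  9 23:10:03 host sshd[39131]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug  9 23:10:04 host sshd[39132]: Failed password for root from 203.0.113.7 port 51241 ssh2
Aug  9 23:10:05 host sshd[39134]: Accepted publickey for rocky from 192.0.2.10 port 40000 ssh2
Aug  9 23:10:06 host sshd[39135]: Failed password for root from 198.51.100.22 port 60000 ssh2
Aug  9 23:11:00 host sshd[39137]: Failed password for root from 198.51.100.22 port 60001 ssh2'

# ssh_offenders THRESHOLD
# Reads sshd log lines on stdin and prints "address count" for every
# source with at least THRESHOLD failed password attempts, busiest first.
ssh_offenders() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after the word "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr + 0) print ip, fails[ip]
        }' | sort -k2,2nr -k1,1
}

# ipfw_table_cmds TABLE THRESHOLD
# Turns the offender list into the ipfw(8) commands that would add each
# address to a table a deny rule can match on; printed, not executed.
ipfw_table_cmds() {
    ssh_offenders "$2" | while read -r ip count; do
        printf 'ipfw table %s add %s\n' "$1" "$ip"
    done
}

printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 3
printf '%s\n' "$SAMPLE_LOG" | ipfw_table_cmds 1 3
```

The "Invalid user" line is deliberately not counted, so one attempt that produces both messages is counted once.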







Re: How to connect a jail to the web ?

2010-08-10 Thread Rocky Borg

On 8/10/2010 4:01 AM, Brice ERRANDONEA wrote:

Hello,

I've just created my first FreeBSD jail in order to install a web server inside.
But I don't know how to connect it to the web. When I try pinging a http
website, it doesn't work. Of course, it works when I do it from outside the
jail.

Another problem, probably linked to the first one, I can't run rc within the
jail, even as the jail's root. It says : permission denied.

Here's how I built and started my jail. I had already run make buildworld when
upgrading to 8.1 release :

# mkdir /usr/prison
# cd /usr/src
# make installworld DESTDIR=/usr/prison
# make distribution DESTDIR=/usr/prison
# mount -t devfs devfs /usr/prison/dev
# jail -c path=/usr/prison host.hostname=ServeurWeb ip4.addr=192.1.1.1 persist
# jail /usr/prison ServeurWeb 192.1.1.1 csh

I guess this must be a very basic question but please help me.
   


I would highly recommend ezjail for setting up jails, although you 
should still read the handbook on jails so you understand the overall 
mechanics. Reading ezjail's man page makes it very easy to set up and 
deploy new jails in the future. The only thing you need to do inside a 
jail set up with ezjail to connect to the web is put nameservers in 
/etc/resolv.conf.


For setting it up on your host system you can do something like this 
(there are a couple of ways you can do it, I've just found this to be 
the most portable).


host rc.conf:
# Put jail on loopback device
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.1.1.1 netmask 255.255.255.0"

# Enable port forwarding and packet filtering
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# Jails
ezjail_enable="YES"

host pf.conf, find your interface name via ifconfig:
# INTERFACES
ext_if="em0"

# nat from jails to your network card's ip
nat on $ext_if from 10.1.1.0/24 to any -> XXX.XXX.XXX.XXX

Here are some resources I found helpful when I was setting up jails for 
the first time. Be aware some ezjail tutorials are really old and you 
should read the man page first, as that is current.


http://www2.budzien.com/wiki/Wiki.jsp?page=UsingEzJail
http://wael.nasreddine.com/blog/jail-servers.html
http://www.jeroen.se/articles/freebsd_jail_laptop_dhcp.php




Re: How to connect a jail to the web ?

2010-08-10 Thread Rocky Borg

On 8/10/2010 5:02 PM, Fbsd8 wrote:
1. ping is a security risk from within a jail and is disabled by 
design.  (read jail(8) for details). No use using a jail if the first 
thing you do is re-enable ping in the jail. To test for public 
internet connection from within a jail use dig or whois commands.




There is a vast difference between testing a network connection and 
leaving something in for live deployment. Tools like ping and traceroute 
are for network diagnostics. You can easily run into a situation where 
dig and whois don't work but ping/traceroute will, in which case you 
quickly realize hostnames aren't resolving in a jail (or you can find 
out exactly where packets stopped). Meanwhile the person using only 
dig and whois might be spinning their wheels trying to fix problems that 
aren't really problems. They might have created a jail and have everything 
set up except they forgot to create an /etc/resolv.conf in the jail. 
There is nothing wrong with allowing raw sockets to get up and running 
and then changing it back (the jail man page states to use caution with 
raw sockets, not a blatant don't do it).



2. Using the hosts firewall to drive traffic to a jail is a sign you 
have your jail incorrectly configured or do not understand how jails 
are intended to work.




If you have jails assigned to non-routable IPs (i.e. 10.0.0.2, 
10.0.0.3) how else would you redirect traffic coming in from your host's 
ip:(http_port, dns_port, etc..) to the corresponding jail that handles 
it? I've read a bunch of stuff on jails and unless I missed something 
(which is totally possible) using a NAT that's part of a firewall seems 
like pretty standard fare. How else would you go about it?



3. Jails do not have a network stack of their own, so they can't have a 
firewall. The host's firewall and network stack are in control.




The documentation is rather sparse since it's so new and I personally 
haven't used it but FreeBSD 8 has VIMAGE (network stack virtualization).


http://wiki.freebsd.org/Image/VNETSamples
http://bsdbased.com/2009/12/06/freebsd-8-vimage-epair-howto
http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet

4. There are 2 utilities for creating jails. Qjail, the better 
documented of the 2, is designed for the novice, which clearly you are. 
I strongly suggest you check out

http://sourceforge.net/projects/qjail


You should probably preface this by saying you're the author of Qjail 
and have been actively promoting it in a few places including the fbsd 
forums. Nothing wrong with that I guess, but I still haven't been able 
to figure out how it's any different (better?) than ezjail (which has both 
an excellent website and man page).
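The host-side setup from the earlier message (jails on a private lo1 network, pf doing NAT) and the question above of how traffic arriving at the host's ip:port reaches the jail that serves it, as an added example that is not from the thread or from ezjail: a small script that generates the pf.conf nat and rdr rules from a jail table. The interface name, jail network and jail table are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread or from ezjail: generate the
# pf.conf rules for a set of jails living on a private lo1 network. The
# single nat rule lets the jails reach the outside through the host's
# address; one rdr rule per published service sends traffic arriving at
# host_ip:host_port to the jail that serves it. Interface name, jail
# network and the jail table are constructed values; replace with your own.

EXT_IF=em0             # host's outside interface, from ifconfig
JAIL_NET=10.1.1.0/24   # network given to lo1 in rc.conf (a /24, which the check below assumes)

# jail name, jail address, protocol, port on the host, port inside the jail
JAILS='www  10.1.1.2  tcp  80  80
dns  10.1.1.3  udp  53  53
dns  10.1.1.3  tcp  53  53'

# pf_jail_rules: print the pf.conf fragment for $JAILS on stdout.
# Returns 1 if a jail address lies outside $JAIL_NET, since the nat rule
# would never match that jail's traffic.
pf_jail_rules() {
    printf 'ext_if="%s"\njail_net="%s"\n\n' "$EXT_IF" "$JAIL_NET"
    printf '# jails reach the outside through the host address\n'
    printf 'nat on $ext_if from $jail_net to any -> ($ext_if)\n\n'
    printf '# services published on the host address are redirected into jails\n'
    printf '%s\n' "$JAILS" | while read -r name ip proto hport jport; do
        [ -n "$name" ] || continue
        case $ip in
            "${JAIL_NET%.*}".*) ;;     # 10.1.1.x: inside the lo1 network
            *) echo "jail $name: $ip is not in $JAIL_NET" >&2; return 1 ;;
        esac
        printf 'rdr on $ext_if proto %s from any to ($ext_if) port %s -> %s port %s  # %s\n' \
            "$proto" "$hport" "$ip" "$jport" "$name"
    done
}

pf_jail_rules
```

Check the generated fragment with pfctl -nf before loading it; pass rules for the redirected ports are still needed on the host.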



Re: ANNOUNCE: Custom 64bit FreeBSD 8.1-RELEASE with XFCE packages released

2010-08-07 Thread Rocky Borg

On 8/6/2010 10:15 PM, Antonio Olivares wrote:

Thank you Manolis for your work.  I installed it and have one
difficulty, that otherwise I would not bother you or other users here
on the list.

I loaded gdm to autologin xfce but I can autologin to gnome.  How can
I do it to only load xfce.

   


I think this thread on the forums offers a solution to what you are 
talking about:


http://forums.freebsd.org/showthread.php?t=6809


Re: pkg_add on dialup: resume?

2010-08-07 Thread Rocky Borg

On 8/7/2010 6:03 PM, Douglas A. Tutty wrote:

However, I'm on dialup.  pkg_add doesn't seem to be able to resume since
I can't use the phone line (or the computer) long enough to install
packages all in one go.

Is there a solution to this?
   



There might be a more elegant solution, but this is what I would say 
offhand. All pkg_add is doing is downloading the package from the 
FreeBSD FTP. It's just doing the behind-the-scenes stuff of picking 
which package is right for your system. So you could just use an FTP 
client with resume, go to ftp://ftp.freebsd.org/pub/FreeBSD/ports/, 
find the packages you want and queue them up in your FTP client. Then 
just do pkg_add /path/to/package when you've finished downloading them.


If you don't use packages I think you can also set up resume if you're 
doing the make install method. Find an FTP client you want to use and 
change from using fetch to download source. This post describes setting 
up an FTP client to download using multiple connections, but you should 
be able to adapt it for your needs.


http://scratching.psybermonkey.net/2009/09/freebsd-download-ports-simultaneously.html


I understand that if I go with building from source (both for security
updates and for third-party apps) the there is a resume function with
that.  True?  I was hoping to avoid the build-time, and I think it takes
longer to download source than binary.
   



If you have an old FreeBSD ISO/CD lying around, or someone you know has 
one, you could install whatever version of the source you have. The 
handbook describes methods you can use to update your source where you 
only need to download what's different (this also means you don't need 
to download the source all at once). This should limit how much you have 
to download if you have a fairly recent version of FreeBSD, and it will 
be pretty easy to then keep updated with minimal downloads in the future.


http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html


Re: Ifconfig (DHCP?) configures two IPs in one IF

2010-08-05 Thread Rocky Borg

On 8/5/2010 11:17 AM, Guojun Jin wrote:

This problem comes in 8.1-R. I have seen it before and thought I filed a 
report but cannot find it.
I found one (bin/21292) for ifconfig, but it was for two NICs with the same IP. 
Now it is the reverse case:
one NIC has two IPs.

Here is the description:

Due to the DHCP server being down, I manually configured rl0 to 192.168.0.10 for 
temporary use.
In the middle of working, DHCP came back and assigned another IP on the rl0; 
now the NIC is down
due to two conflicting IP addresses.

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:40:f4:d1:23:9a
        inet 192.168.0.10 netmask 0xff00 broadcast 192.168.0.255
        inet 10.10.50.126 netmask 0xff00 broadcast 10.10.50.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500


I tried unplumb/delete rl0, but it does not work.
Before the bug can be fixed, is there any way to fix the IP without rebooting the 
machine?

-Jin


Are you bringing down the interface before you try and delete?

ifconfig rl0 down
ifconfig rl0 delete
ifconfig rl0 up
dhclient rl0

That should delete all the IPs, then refresh it from DHCP at the end. At 
least it did on my desktop that I just tested it on.



Re: vmware and freebsd 8

2010-07-28 Thread Rocky Borg
I haven't used VMware so I can't say if it's better, but it didn't take 
me long to get FreeBSD up and running with VirtualBox. Just follow the 
instructions at http://wiki.freebsd.org/VirtualBox


You do have to install /usr/ports/emulators/virtualbox-ose-additions/ on 
the guest. I got FreeBSD 8.1 and PC-BSD 8.1 both up and running on it. 
I'm having some sound issues but other than that it works great, in 
fullscreen mode you can't even tell it's running as a guest on a host 
machine.


On 7/27/2010 9:47 PM, kalin m wrote:


hi all...

messing around with vmware and fbsd 8...

has anybody used vmware esxi 4 to put a bunch of fbsd machines on it?
i also installed the vmsphere client (they call it) which is pretty 
nice interface to interact with the virtual machines but apparently 
doesn't know much on how to install vmware tools on a bsd guest.


so the question is which vmware tools should i get for the fbsd 8 
guests to go with the esxi 4.1. in the ports there are vmware-tools6, 
5, 4, 3. tried six. it wants some disk. there is also the 
open-vmware-tools. is that open one better to play with the esxi 4.1 
and the vmsphere thing?


also is there anything better than vmware for virtualization that 
plays nice and with fbsd?


thanks...







Re: BSD logo (a moderate opinion)

2010-07-28 Thread Rocky Borg

On 7/28/2010 1:46 PM, Chuck Robey wrote:

The point is, no sane person really believes that Beastie equates to devil
worship, and I don't like the idea of letting crazies dictate my life.


So you're saying I shouldn't be ritually sacrificing a chicken as Carl 
Orff's O Fortuna plays in the background, while chanting "all hail 
Beastie", as FreeBSD boots up each time? I really wish someone would have 
told me this sooner; why isn't this in the handbook!?

