Re: can't recognize my cdrom, here is my dmesg

2005-09-23 Thread Siju George
On 9/23/05, Csaba Nemes [EMAIL PROTECTED] wrote:
 Hi all

 it boots from an unofficial cdrom, but it doesn't find my cdrom
 here is my dmesg:


Booting is done by the BIOS and once the OS comes up if you need to
use the CDROM your operating system should support it. (If you have
installed MS windows earlier you would have seen after booting the
installer copies all the installation files into the hard disk before
starting installation to avoid such issues)

Stating your CDROM model would help others to help you with the issue.
Also you could try changing the channel in which your CDROM is
connected. Not sure if this would help but it works at times.

Kind Regards

Siju



Re: Portmap non-local set / unset attempt

2005-09-23 Thread jimmy
Quoting Clint M. Sand [EMAIL PROTECTED]:

 On Thu, Sep 22, 2005 at 07:09:12PM -0600, Theo de Raadt wrote:
People keep yammering this bullshit about Security is a process.
Bullshit!  Lies!  It's about paying attention to the frigging details
when they are right in front of your face.  And it is very clear other
vendors do not pay attention to the details, considering the work I
did here was talked about all over BUGTRAQ back in that month.  No
wonder these vendors and their blogboys have to have this Security is
a process mantra to protect themselves from looking bad.
   
  
  
   Security is a process is intended to mean 2 things. One is that the
   idea that you can set and forget anything and think it's somehow
   secure is a joke. To secure a network includes at a minimum, keeping
   up with vendor patches for example. Processes like patch management help
   keep systems secure. It does not say Security is ONLY a process.
  
   Secondly, it is meant to refute the moronic idea that some admins seem
   to have is that buying any product makes you secure. Prevalent is the
   idea for example that if you have a firewall then you are now secure.
   Or, I have Norton AntiVirus so now my PC is secured.
 
  No, no no.
 
  You are playing the same semantic games that avoid responsibility at
  the ENGINEERING and PRODUCT DEVELOPMENT STAGES.
 
  It's so very very Microsoft.
 
  Just like the air-conditioning technicians I keep firing because they
  can't read schematics and charts.
 
  Which is why I now know MORE about air-conditioners than most of the
  technicians who come here.
 
  The phrase, and everything you said, is all excuses for the vendors.
 
  It IS POSSIBLE to set something up and have it be secure and NOT TOUCH
  IT, because many people have OpenBSD machines running older releases
  running without any modification for YEARS now, RISK FREE, without
  having to update ANY THING.

 No, you can put an openbsd box up and leave it for years with root login
 enabled and password for a password. It takes more than correct code.
 It's correct code plus correct usage. I think the GOBBLES sshd exploit
 is proof enough that set and forget is not risk free.

 Security is everything you've ever said, plus a process.



If it is secure, it doesn't need a process. So why would security be a
process again? Because of the vendors making mistakes and fix it later?

Jimmy Scott






Re: Portmap non-local set / unset attempt

2005-09-23 Thread Martin Schröder
On 2005-09-23 00:05:14 -0700, Wolfgang S. Rupprecht wrote:
 appreciable added risk.  The only loose end is that sshd doesn't
 currently log the RSA/DSA key that is used to gain access.  Ideally it

Hu? Try 
LogLevel VERBOSE

Best
Martin
-- 
http://www.tm.oneiros.de



Re: Portmap non-local set / unset attempt

2005-09-23 Thread Szechuan Death

[EMAIL PROTECTED] wrote:


Security is everything you've ever said, plus a process.


If it is secure, it doesn't need a process. So why would security be a
process again? Because of the vendors making mistakes and fix it later?

Jimmy Scott


It is a process in the same way that making toast is a process.
The purchase of a bread-crisping solution that is UL-certified to not
set your house on fire is the contribution of the engineering and
product development stages.  In common usage, using this solution
to toast your morning snack will produce crispy bread and will not
produce a howling conflagration.  However, note that it is still very
much possible to ignite your domicile by soaking a rag in lighter fluid,
stuffing it into the bread-toasting slot, and jamming the switch closed
with a butter knife.  For a less extreme example, it _may_ be possible
to cause a fire by leaving a towel too near the toaster while it is
operating, something which is easy to do and all too common.

Having a morning snack and an un-burnt house at the same time, then, is
contingent upon two things - possessing a toaster of adequate quality,
and using it properly.  You don't get to have the whole package without
a) looking for a good toaster in the first place, and b) learning how
to use it.  Security operates similarly:  one boner mistake on anybody's
part - coder, engineer or administrator - and your security vaporizes
_instantly_.  Go read some of Bruce Schneier's screeds on the subject,
they're informative.

So yes, security most certainly _is_ partly a process, various
opinions to the contrary notwithstanding.  It is identical to the
process of locking your doors and checking your windows before you
go to bed at night, or of making sure that you're not stuffing a paper
towel or a cardboard box top in your toaster in the morning before
you've had coffee.  You could call it habitual prudence, I suppose.

Of course, computers being based on hard-core determinism and Boolean
logic, a higher standard is possible.  I note in passing that the
security of every operating system in common use (including OpenBSD) is
_unproven_ [1], with the possible exception of Coyotos.  Asserting
something that is unproven and which may actually be impossible to prove
(X is more secure than Y) is not a good idea.  In other words, don't
toss shit at the vendors unless you can _prove_, from a chain of
irrefutable deduction, that your proposed solution is more secure than
theirs.  (Something which is likely impossible, due to OpenBSD's design
and the language in which it is written.)  Hint:  the manpower,
brainpower, and computing power needed to accomplish this task _even if_
it is possible is probably going to exceed anything you're willing to
marshal to that end.

Theo is right about one thing, however:  Bugs and security flaws arise
from mistakes, every one of which is avoidable.  There are no new
classes of bugs or design flaws, essentially every one has been
generally known of and understood for decades.  It is only sloppy
practices - dare I say it, bad processes - that permit these bugs
to creep into various codebases and multiply.  The cure for this
problem is better processes.  The easy cure is for these processes
to entail continuous auditing (the OBSD solution).  The harder cure
is to work on establishing and maintaining a process that incorporates
rigorous proof as a necessary component.  We may not ever see that, but
hey - it's nice to dream, isn't it?

--
(c) 2005 Unscathed Haze via Central Plexus [EMAIL PROTECTED]
I am Chaos.  I am alive, and I tell you that you are Free.  -Eris
Big Brother is watching you.  Learn to become Invisible.
| Your message must be this wide to ride the Internet. |

[1]  Rigorous proof, that is.  Anecdotal evidence does not establish
proof of anything whatsoever.



RE: Re: Portmap non-local set / unset attempt

2005-09-23 Thread tony
Making is a process.
Toast is not a process.

- --- Original Message --- -
From: [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Fri, 23 Sep 2005 02:30:10




em/carp switches slower than fxp/carp

2005-09-23 Thread Stephan A. Rickauer

Hello,

is there any known problem related to em interfaces and carp? They take 
25 seconds longer to switch status from master to backup compared to an 
fxp one ...


Output of 'while true; do date; ifconfig| grep carp:; sleep 1;done' 
while rebooting the master (=advskew 50):


Fri Sep 23 14:25:16 CEST 2005
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 100
carp: MASTER carpdev fxp0 vhid 3 advbase 1 advskew 100
Fri Sep 23 14:25:17 CEST 2005
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 100
carp: BACKUP carpdev fxp0 vhid 3 advbase 1 advskew 100
.
.
.

Fri Sep 23 14:25:43 CEST 2005
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 100
carp: BACKUP carpdev fxp0 vhid 3 advbase 1 advskew 100
Fri Sep 23 14:25:44 CEST 2005
carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100
carp: BACKUP carpdev fxp0 vhid 3 advbase 1 advskew 100

Any ideas? Thanks!

--

 Stephan A. Rickauer

 
 Institut für Neuroinformatik
 Universität / ETH Zürich
 Winterthurerstrasse 190
 CH-8057 Zürich

 Tel: +41 44 635 30 50
 Sek: +41 44 635 30 52
 Fax: +41 44 635 30 53

 http://www.ini.ethz.ch
 



Clamav problem

2005-09-23 Thread Cristian Del Carlo
Hi list,
I have a odd problem with clamav.

I am following the openbsd 3.7 (release + fix) and i have  clamav-0.86.2p0, 
smtp-vilter and sendmail.
When  a mail with a zip attachment  arrives sometime i have the following 
message in /var/log/maillog :
Milter: data, reject=451 4.3.2 Please try again later

I have this problem ONLY with some zip attachments. 

Does anyone know how to solve this problem?
I have tried to install clamav ( and its dependencies ) from packages but the 
problem isn't fixed.

Thanks,

Cristian Del Carlo



Re: MegaRAID SCSI 320-1

2005-09-23 Thread alexyklee
I checked OpenBSD/i386, saw MegaRAID 320 was supported.

I intend to get a MegaRAID SCSI 320-1 Kit(3201064KIT) - per LSI LOGIC catalog. 
Supported by 3.7 stable ?

Thanks.



Re: em/carp switches slower than fxp/carp

2005-09-23 Thread Bill Marquette
Any chance the em's are on a switch doing spanning tree?  Or that the
fxp port (on the master is set to port fast)?  Sounds like STP locking
out the em ports on the master to me.

--Bill

On 9/23/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
 Hello,

 is there any known problem related to em interfaces and carp? They take
 25 seconds longer to switch status from master to backup compared to an
 fxp one ...

 Output of 'while true; do date; ifconfig| grep carp:; sleep 1;done'
 while rebooting the master (=advskew 50):

 Fri Sep 23 14:25:16 CEST 2005
  carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100
  carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 100
  carp: MASTER carpdev fxp0 vhid 3 advbase 1 advskew 100
 Fri Sep 23 14:25:17 CEST 2005
  carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100
  carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 100
  carp: BACKUP carpdev fxp0 vhid 3 advbase 1 advskew 100
 .
 .
 .

 Fri Sep 23 14:25:43 CEST 2005
  carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 100
  carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 100
  carp: BACKUP carpdev fxp0 vhid 3 advbase 1 advskew 100
 Fri Sep 23 14:25:44 CEST 2005
  carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
  carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100
  carp: BACKUP carpdev fxp0 vhid 3 advbase 1 advskew 100

 Any ideas? Thanks!

 --

   Stephan A. Rickauer

   
   Institut für Neuroinformatik
   Universität / ETH Zürich
   Winterthurerstrasse 190
   CH-8057 Zürich

   Tel: +41 44 635 30 50
   Sek: +41 44 635 30 52
   Fax: +41 44 635 30 53

   http://www.ini.ethz.ch
   



Re: Dell 2650, Stupid Adaptec Controller, and Daily Crashes

2005-09-23 Thread Marco Peereboom
On Fri, Sep 23, 2005 at 09:08:28AM -0500, eric wrote:
 First of all, thanks everyone for your replies. They are much appreciated.
 
 On Thu, 2005-09-22 at 18:53:23 -0500, Marco Peereboom proclaimed...
 
  Have you tried by any chance tried a 3.8 with aac enabled?
  This seems to go wrong in em and not aac.
 
 I haven't, yet. I'll just checkout a 3.8-BETA from that box and compile
 userland/kernel and give that a go. As far as I can tell, it's just a matter
 of uncommenting aac(4) from the GENERIC.MP configuration, correct?

Correct.

 
 I'll also fiddle around with the bios and see if I can't disable some of the
 pointlessly-enabled junk on the machine.
 
 Thanks again,
 
 - eric



Any advice on 'Indemnification'? (US Only, obviously)

2005-09-23 Thread L. V. Lammert
I have been working with a local OS friendly hosting company to add support 
for OpenBSD. Unfortunately, they also support with Red Hat, SuSE, and 
Apple, and these vendors offer an 'Open Source Indemnification', ostensibly 
protecting against legal action from contributors.


Of course, the OBSD project is meticulous about good copyright practices, 
so WE all know this isn't an issue here, but, unfortunately, the hosting 
company has lawyer(s) asking for similar 'Indemnification' for OBSD before 
they will officially allow OBSD on premises.


Question - I know that copyright law trumps 'indemnification' - especially 
given the BSD licenses on all project s/w, but has anyone dealt with this 
issue before? Can anyone point me to any legal resources that I could pass 
along to help satisfy the lawyers?


TIA,

Lee



Re: Storage Server

2005-09-23 Thread Reg

Marco Peereboom wrote:


On Wed, Sep 21, 2005 at 02:05:31PM -0600, Tom Geman wrote:
 


I was hoping someone here could answer a few questions.
Can I install OpenBSD on this PV 220, or is it just a bunch of disks with 
no processor?
   



This question is very ambiguous.  You can't install OpenBSD on the PV220S
itself however you can install OpenBSD on a machine that uses the PV220S as its
disk storage device.  To add more confusion the box does have a SCSI processor
device thats supported by ses(4).

 

If so, does that mean I need another computer to install OpenBSD on, that 
will use the PV 220 as it's storage?
   



Yes.

 


Can this be any computer (what requirements, any recommended brands), or does
it have to be this Dell PowerVault 745N (which seems to come pre-install with
some Windows Storage Server OS)?
   



It can be virtually any computer.  Beck@ uses IBM amd64 boxes for this with a
Dell PERC4 HBA.  Some examples of well supported HBAs are PERC3/4, ahc/ahd and
mpt.

The 745N is a NAS box; don't get that.


 

If the 745N is anything like the 730N (i'm too lazy to look it up), it's 
just a PowerEdge server with some disks and a special version of windows 
advanced server which can do clustering, but not domain controller stuff. 
Marco is right - Don't get it.


As for the 220 - we have three PV220s scsi arrays.   In my experience 
you want to make sure your firmware on that baby is right up to snuff.  
There were some really bad versions out there that caused our windows 
servers to be unable to read from the volumes.  Rebooting fixed it 
(much as it fixes many things  in windows) but firmware upgrade 
resolved it long term.  In our case the volumes held a few million 
little 3-5k .tif files.




Re: Portmap non-local set / unset attempt

2005-09-23 Thread Wolfgang S. Rupprecht
Martin Schröder [EMAIL PROTECTED] writes:
 On 2005-09-23 00:05:14 -0700, Wolfgang S. Rupprecht wrote:
 appreciable added risk.  The only loose end is that sshd doesn't
 currently log the RSA/DSA key that is used to gain access.  Ideally it

 Hu? Try 
 LogLevel VERBOSE

Your eloquent reply aside, setting the loglevel to verbose doesn't
add proper key accounting to the sshd login record.  What it does is
add yet more clutter to /var/log/authlog by emitting quite a few more
lines per login.  Sshd's logs seem more like debug printfs, scattered
willy-nilly around the code.  The information one would expect from a
security program is never gathered in one spot and output in a single
audit line to see who logged in as what user.

-wolfgang



Intel ICH6-M chipset and Fujitsu-Siemens Lifebook S7020 on current

2005-09-23 Thread Wojtek

Hi,

there is a problem with Intel ICH6-M chipset support in current snapshot 
(2005-09-22), it doesn't recognize devices (eg. sata controller).


I've checked, that it should be supported in current.


dmesg
--
OpenBSD 3.8 (RAMDISK_CD) #794: Sat Sep 10 15:58:32 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Pentium(R) M processor 1.73GHz (GenuineIntel 686-class) 
1.73 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2

real mem  = 526491648 (514152K)
avail mem = 474501120 (463380K)
using 4278 buffers containing 26427392 bytes (25808K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(05) BIOS, date 05/30/05, BIOS32 rev. 0 @ 0xfd5f0
pcibios0 at bios0: rev 2.1 @ 0xfd5f0/0xa10
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf00/224 (12 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0xf200! 0xcf800/0x1000 0xd0800/0x1600 
0xdc000/0x4000!

cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 915GM/PM/GMS Host rev 0x03
vga1 at pci0 dev 2 function 0 Intel 915GM/GMS Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
Intel 915GM/GMS Video rev 0x03 at pci0 dev 2 function 1 not configured
Intel 82801FB HD Audio rev 0x04 at pci0 dev 27 function 0 not configured
ppb0 at pci0 dev 28 function 0 Intel 82801FB PCIE rev 0x04
pci1 at ppb0 bus 1
bge0 at pci1 dev 0 function 0 Broadcom BCM5751M rev 0x11, BCM5750 B1 
(0x4101): irq 11 address 00:0b:5d:91:30:db

brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb1 at pci0 dev 28 function 1 Intel 82801FB PCIE rev 0x04
pci2 at ppb1 bus 2
uhci0 at pci0 dev 29 function 0 Intel 82801FB USB rev 0x04: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801FB USB rev 0x04: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801FB USB rev 0x04: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 Intel 82801FB USB rev 0x04: irq 11
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801FB USB rev 0x04: irq 11
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb2 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xd4
pci3 at ppb2 bus 3
cbb0 at pci3 dev 3 function 0 vendor O2 Micro, unknown product 0x7134 
rev 0x20: irq 11

Intel PRO/Wireless 2200BG rev 0x05 at pci3 dev 5 function 0 not configured
Texas Instruments TSB43AB21 FireWire rev 0x00 at pci3 dev 6 function 0 
not configured

cbb0: bad Vcc request. sock_ctrl 0xff88, sock_status 0x
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 4 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
pcib0 at pci0 dev 31 function 0 Intel 82801FBM LPC rev 0x04
pciide0 at pci0 dev 31 function 1 Intel 82801FB IDE rev 0x04: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility

atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MATSHITA, UJ-831Db, 1.00 SCSI0 5/cdrom 
removable

cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 Intel 82801FBM IDE rev 0x04: DMA, 
channel 0 configured to native-PCI, channel 1 configured to native-PCI

pciide1: couldn't map channel 0 cmd regs
pciide1: channel 1 disabled (no drives)
Intel 82801FB SMBus rev 0x04 at pci0 dev 31 function 3 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
biomask ffed netmask ffed ttymask ffef
rd0: fixed, 3800 blocks
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02



Re: Question about atheros driver??

2005-09-23 Thread Marcos Latas
On 23/09/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hi all,

   Is atheros driver supported under Alpha platform on OpenBSD 3.7??


 --
 CL Martinez
 carlopmart {at} gmail {d0t} com



Why didn't you check, at least, www.openbsd.org/alpha.html?



Re: is there a way to block sshd trolling?

2005-09-23 Thread Mike Hernandez
IIRC there are scripts that will automatically add lines to your
hosts.deny file. Sorry, but I can't remember the names. I suggest you
also create some keys for yourself to use and disable password
authentication. With password auth disabled the attacks won't be
more than an annoyance for the most part. If you google you'll find
it's a very common problem, I'm sure you'll also find the scripts I
mentioned above.  If I can find them I'll post links.

Good luck!

Mike



Re: is there a way to block sshd trolling?

2005-09-23 Thread Bryan Irvine
Have snort or portsentry add those ips to a table in pf.conf.

--Bryan

On 9/23/05, John Marten [EMAIL PROTECTED] wrote:
 You know what i mean? Every day I get some script kiddie, or adult
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so i'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: ivalid user somename
 Failed password for invalid user somename
 Recieved disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.


 John F. Marten III

 Information Technology Specialist



Re: is there a way to block sshd trolling?

2005-09-23 Thread Mr.Slippery
John Marten ([EMAIL PROTECTED]) dixit:
 You know what i mean? Every day I get some script kiddie, or adult
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so i'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: ivalid user somename
 Failed password for invalid user somename
 Recieved disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.
 
 
 John F. Marten III
 
 Information Technology Specialist
 
That's how I handle this type of annoyance:
http://data.homeip.net/projects/ssh_wall.php
Of course, YMMV.
Ciao.
-- 
.--.
| Florin (Slippery) Iamandi|
| Reason is the first victim of emotion. -- Scytale, Dune Messiah  |



Re: is there a way to block sshd trolling?

2005-09-23 Thread Roy Morris

why not use max-connections ? and dump them into a
table with no access. Or if this is a home machine just
move the port to some high port, most scripts wont bother
looking.

cheers
rm


John Marten wrote:


You know what i mean? Every day I get some script kiddie, or adult
trying to guess usernames or passwords.
I've installed the newest version of SSH, so i'm covered there. But I
still get a dozen or 2 of the
sshd Invalid user somename from ###.##.##.###
input_userauth_request: ivalid user somename
Failed password for invalid user somename
Recieved disconnect from ###.##.##.###
Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
from ###.##.##.### to any flags S/SA'
entry in my pf.conf file. But if I had do that for every hacker my
pf.conf would be huge!
There's got to be a better way, and I'm open to suggestions.


John F. Marten III

Information Technology Specialist




Re: is there a way to block sshd trolling?

2005-09-23 Thread Chris Smith
On Friday 23 September 2005 02:40 pm, John Marten wrote:
 There's got to be a better way, and I'm open to suggestions.

Use a non-standard port and/or public key exchange.

Chris



Re: is there a way to block sshd trolling?

2005-09-23 Thread Brandon Mercer
John Marten wrote:

You know what i mean? Every day I get some script kiddie, or adult
trying to guess usernames or passwords.
I've installed the newest version of SSH, so i'm covered there. But I
still get a dozen or 2 of the
sshd Invalid user somename from ###.##.##.###
input_userauth_request: ivalid user somename
Failed password for invalid user somename
Recieved disconnect from ###.##.##.###
Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
from ###.##.##.### to any flags S/SA'
entry in my pf.conf file. But if I had do that for every hacker my
pf.conf would be huge!
There's got to be a better way, and I'm open to suggestions.
  

You can try to limit the overly persistent number of incoming
connections.  Or you can run SSH on a non-default port.  Try the pf way
first with the max-src-conn-rate on all incoming connections.  I think
it's like pass in quick on $external from any to any port $services
flags... etc keep state (max-src-conn-rate 100/10) or whatever you need. 
Brandon



Re: is there a way to block sshd trolling?

2005-09-23 Thread Abraham Al-Saleh
You could use connection throttling, it won't eliminate them, but it will
make it take longer. If you don't need ssh on that host (although, you
probably do, I'd be lost without it) disable it. You could bind sshd to a
different port, and disable port 22 (most of these attacks are automated
bots). The best thing you can do is to disable root access, use difficult
passwords (or better yet, use keys and disable passwords), go out of your
way to make sure you don't use common names for usernames (if you can), and
enforce a good password policy. Then you can do what I do when I get the
output of my logs, laugh.


On 9/23/05, John Marten [EMAIL PROTECTED] wrote:

 You know what i mean? Every day I get some script kiddie, or adult
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so i'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: ivalid user somename
 Failed password for invalid user somename
 Recieved disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.


 John F. Marten III

 Information Technology Specialist




--
Abe Al-Saleh
And then came the Apocalypse. It actually wasn't that
bad, everyone got the day off and there were barbeques
all around.



Re: is there a way to block sshd trolling?

2005-09-23 Thread Rob Copsey
-
Original Message:
From: Bryan Irvine [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Friday, September 23 2005 09:55 AM
Subject: Re: is there a way to block sshd trolling?

Have snort or portsentry add those ips to a table in pf.conf.

--Bryan

On 9/23/05, John Marten [EMAIL PROTECTED] wrote:
 You know what I mean? Every day I get some script kiddie, or adult,
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so I'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: invalid user somename
 Failed password for invalid user somename
 Received disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had to do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.


 John F. Marten III

 Information Technology Specialist
-

You could use pf to add the entries to your block table based upon 
connect/disconnect rate.

Notice the timescale of this attack in your authlog, no human types this fast.

See man pf.conf for pertinent examples.

Regards,
Rob



Re: Question about atheros driver??

2005-09-23 Thread ober

Use the tarpit patch that I wrote
http://www.linbsd.org/openssh-samepasswd.patch

-Ober

On Fri, 23 Sep 2005, Marcos Latas wrote:


On 23/09/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi all,

  Is atheros driver supported under Alpha platform on OpenBSD 3.7??


--
CL Martinez
carlopmart {at} gmail {d0t} com




Why didn't you check, at least, www.openbsd.org/alpha.html?




Re: PowerEdge 1850 w/ dual Xeon : now tested with 3.8 GENERIC.MP

2005-09-23 Thread Mariano Benedettini
Thanks, my question was exactly about that, the lack of some hardware 
support on 3.7 :-)


Nick Holland wrote:

Mariano Benedettini wrote:


I wrote last week, about some problems I've experienced with 3.7 GENERIC.MP
on a PowerEdge 1850 dual Xeon [1].
Some people suggested to try a 3.8 snapshot, and that's what I did.
The system runs fine, but is there any way to make it work with 3.7
GENERIC.MP ?



Of course there is!  Push all the things that changed in 3.8 to 3.7.
You will then end up with...a poorly done 3.8!  Wow!  :)

Slightly more seriously, no.  The OpenBSD project is about moving
forward, not adding features to previous versions.  3.7 may have bugs
fixed, but will not be receiving new features, support new hardware, etc.

Just run 3.8.  It works.  Obviously, you weren't running 3.7 on this
machine.  There is no reason not to keep running what you have now, and
bump to 3.8-release when it ships.

Nick.



Here's the full dmesg:

OpenBSD 3.8 (GENERIC.MP) #298: Sat Sep 10 15:51:54 MDT 2005
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP


...
thanks! :)




Re: is there a way to block sshd trolling?

2005-09-23 Thread Tomasz Baranowski
On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote:
 You know what I mean? Every day I get some script kiddie, or adult,
 trying to guess usernames or passwords.

You can change the port number in /etc/ssh/sshd_config . It's 100%
effective against that kind of bots.

Greetings,
Tomasz Baranowski



ssh passwords and publickeys

2005-09-23 Thread J.D. Bronson

Is there any way to accomplish this:

1. Use ssh with passwords internally (lan to lan connections)
2  Use ssh with publickeys externally (wan to lan connections)

...thanks!






J.D. Bronson
Off The Hook Phone Repair, Inc.
24 Hour Service // Free Estimates
For Fast Repairs: CALL US - IF YOU CAN!
Office: 414.978.8282 // Pager: 414.314.8282



Re: is there a way to block sshd trolling?

2005-09-23 Thread jabbott
My only question is what if I traceroute to you, find out the IP number of your 
upstream router?  Then I make a bunch of connection attempts to your IP but 
forge the packets to make them look like they came from your upstream.  Don't 
*you* end up blacklisting your default route and you become 'so long suckah'd?

--ja

  
 That's how I handle this type of annoyance:
 http://data.homeip.net/projects/ssh_wall.php
 Of course, YMMV.
 Ciao.
 

-- 



Re: Any advice on 'Indemnification'? (US Only, obviously)

2005-09-23 Thread Dirk-Willem van Gulik
On Fri, 23 Sep 2005, L. V. Lammert wrote:

 so WE all know this isn't an issue here, but, unfortunately, the hosting
 company has lawyer(s) asking for similar 'Indemnification' for OBSD before
 they will officially allow OBSD on premises.

We've solved this in the past by running 'FooBSD' and simply indemnifying
this 'in-house FooBSD' product ourselves.

Dw



Re: Question about atheros driver??

2005-09-23 Thread Reyk Floeter
On Fri, Sep 23, 2005 at 08:28:29PM +0200, [EMAIL PROTECTED] wrote:
 Hi all,
 
  Is atheros driver supported under Alpha platform on OpenBSD 3.7??
 

no, but i would be really happy about a donated alpha to port ath(4)
to this platform ;).

reyk



Re: ssh passwords and publickeys

2005-09-23 Thread eric
On Fri, 2005-09-23 at 14:44:20 -0500, J.D. Bronson proclaimed...

 Is there any way to accomplish this:
 
 1. Use ssh with passwords internally (lan to lan connections)

Yes.

 2  Use ssh with publickeys externally (wan to lan connections)

Yes!

 ...thanks!

Thank you!



Re: is there a way to block sshd trolling?

2005-09-23 Thread Nick Ryan

You could use pf to block linux ssh access.

block in log quick on $EXT_IF inet proto tcp from any os Linux to port 22 \
    label "Blocked Linux ssh access"


That'll reduce it quite a lot.



John Marten wrote:


You know what I mean? Every day I get some script kiddie, or adult,
trying to guess usernames or passwords.
I've installed the newest version of SSH, so I'm covered there. But I
still get a dozen or 2 of the
sshd Invalid user somename from ###.##.##.###
input_userauth_request: invalid user somename
Failed password for invalid user somename
Received disconnect from ###.##.##.###
Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
from ###.##.##.### to any flags S/SA'
entry in my pf.conf file. But if I had to do that for every hacker my
pf.conf would be huge!
There's got to be a better way, and I'm open to suggestions.


John F. Marten III

Information Technology Specialist




Re: ssh passwords and publickeys

2005-09-23 Thread Roy Morris

J.D. Bronson wrote:

No. It's not answering wrong. It crossed my mind...but I am not sure I 
can actually do this and if so, how do I specify the alternate config?


Start it as 'sshd -f BLAH'?


At 03:27 PM 9/23/2005, you wrote:


just a guess, but can you run two instances of sshd with
different conf files? .. each binding to a specific interface?

is this answering a question with a question?


J.D. Bronson wrote:


Is there any way to accomplish this:

1. Use ssh with passwords internally (lan to lan connections)
2  Use ssh with publickeys externally (wan to lan connections)

...thanks!






J.D. Bronson
Off The Hook Phone Repair, Inc.
24 Hour Service // Free Estimates
For Fast Repairs: CALL US - IF YOU CAN!
Office: 414.978.8282 // Pager: 414.314.8282









J.D. Bronson
Off The Hook Phone Repair, Inc.
24 Hour Service // Free Estimates
For Fast Repairs: CALL US - IF YOU CAN!
Office: 414.978.8282 // Pager: 414.314.8282


Yep, looks like it on the command line.
sshd -f /etc/ssh/sshd2.config

#ListenAddress 0.0.0.0



Re: is there a way to block sshd trolling?

2005-09-23 Thread Thordur I. Bjornsson
On Fri, 23 Sep 2005 11:40:36 -0700
John Marten [EMAIL PROTECTED] wrote:

 You know what I mean? Every day I get some script kiddie, or adult,
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so I'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: invalid user somename
 Failed password for invalid user somename
 Received disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had to do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.
 
 
 John F. Marten III
 
 Information Technology Specialist
 
Use tables.
See:
http://www.section6.net/wiki/index.php/Thwarting_ssh_hackers_with_swatch_pf

-- 
Thordur I.  [EMAIL PROTECTED]
Humppa!



Re: is there a way to block sshd trolling?

2005-09-23 Thread ober
Use the tarpit patch that I wrote 
http://www.linbsd.org/openssh-samepasswd.patch


-Ober


-Ober

On Fri, 23 Sep 2005, Abraham Al-Saleh wrote:


You could use connection throttling, it won't eliminate them, but it will
make it take longer. If you don't need ssh on that host (although, you
probably do, I'd be lost without it) disable it. You could bind sshd to a
different port, and disable port 22 (most of these attacks are automated
bots). The best thing you can do is to disable root access, use difficult
passwords (or better yet, use keys and disable passwords), go out of your
way to make sure you don't use common names for usernames (if you can), and
enforce a good password policy. Then you can do what I do when I get the
output of my logs: laugh.


On 9/23/05, John Marten [EMAIL PROTECTED] wrote:


You know what I mean? Every day I get some script kiddie, or adult,
trying to guess usernames or passwords.
I've installed the newest version of SSH, so I'm covered there. But I
still get a dozen or 2 of the
sshd Invalid user somename from ###.##.##.###
input_userauth_request: invalid user somename
Failed password for invalid user somename
Received disconnect from ###.##.##.###
Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
from ###.##.##.### to any flags S/SA'
entry in my pf.conf file. But if I had to do that for every hacker my
pf.conf would be huge!
There's got to be a better way, and I'm open to suggestions.


John F. Marten III

Information Technology Specialist





--
Abe Al-Saleh
And then came the Apocolypse. It actually wasn't that
bad, everyone got the day off and there were barbeques
all around.




Re: is there a way to block sshd trolling?

2005-09-23 Thread Brandon Mercer
Roy Morris wrote:

 Why not use max-connections, and dump them into a
 table with no access? Or if this is a home machine just
 move the port to some high port; most scripts won't bother
 looking.

Yup, I forgot to add that you can put another thing in that max-conn...
that handles the overflow: it sends it to a bad-hosts file or some
such... then just persist that. 
Brandon



Re: is there a way to block sshd trolling?

2005-09-23 Thread Chris Smith
On Friday 23 September 2005 03:15 pm, Mr.Slippery wrote:
 That's how I handle this type of annoyance:
 http://data.homeip.net/projects/ssh_wall.php

Slick. Er...slippery, that is.



Re: ssh passwords and publickeys

2005-09-23 Thread Roy Morris

just a guess, but can you run two instances of sshd with
different conf files? .. each binding to a specific interface?

is this answering a question with a question?


J.D. Bronson wrote:


Is there any way to accomplish this:

1. Use ssh with passwords internally (lan to lan connections)
2  Use ssh with publickeys externally (wan to lan connections)

...thanks!






J.D. Bronson
Off The Hook Phone Repair, Inc.
24 Hour Service // Free Estimates
For Fast Repairs: CALL US - IF YOU CAN!
Office: 414.978.8282 // Pager: 414.314.8282




Re: ssh passwords and publickeys

2005-09-23 Thread J.D. Bronson
No. It's not answering wrong. It crossed my mind...but I am not sure I 
can actually do this and if so, how do I specify the alternate config?


Start it as 'sshd -f BLAH'?


At 03:27 PM 9/23/2005, you wrote:

just a guess, but can you run two instances of sshd with
different conf files? .. each binding to a specific interface?

is this answering a question with a question?


J.D. Bronson wrote:


Is there any way to accomplish this:

1. Use ssh with passwords internally (lan to lan connections)
2  Use ssh with publickeys externally (wan to lan connections)

...thanks!






J.D. Bronson
Off The Hook Phone Repair, Inc.
24 Hour Service // Free Estimates
For Fast Repairs: CALL US - IF YOU CAN!
Office: 414.978.8282 // Pager: 414.314.8282







J.D. Bronson
Off The Hook Phone Repair, Inc.
24 Hour Service // Free Estimates
For Fast Repairs: CALL US - IF YOU CAN!
Office: 414.978.8282 // Pager: 414.314.8282



passive ftp-ssl client behind OpenBSD 3.7 NAT/pf

2005-09-23 Thread Daniel Smereka
Is it possible to get such a client running in passive mode using pf rdr/rules?
 
I understand that I can't use ftp-proxy for this b/c the PORT command coming 
back from the FTP server is encrypted.  Is there any way to do this?  thanks



Re: is there a way to block sshd trolling?

2005-09-23 Thread ed
On Fri, 23 Sep 2005 21:55:12 +0200
Tomasz Baranowski [EMAIL PROTECTED] wrote:

 You can change the port number in /etc/ssh/sshd_config . It's 100%
 effective against that kind of bots.

Some intelligent scripts look at TCP responses to port scans; ssh
responds with SSH-2.0, which isn't too hard to identify. I don't know if
changing the greeting would break the protocol, but I suspect it might
break certain clients.

-- 
A horse is a horse, of course, of course, And no one can talk to a
horse, of course, Unless, of course, the horse, of course, Is the famous
Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net 



Re: is there a way to block sshd trolling?

2005-09-23 Thread Joe S

John Marten wrote:

There's got to be a better way, and I'm open to suggestions.



Use public key authentication to start with. It's very easy to set up and 
much more secure than password authentication. With public key 
authentication, passwords will never work. You might also want to make 
it a practice to disallow root logins via ssh.


Changing the port number is not a bad idea also.



Re: ssh passwords and publickeys

2005-09-23 Thread Spruell, Darren-Perot
From: J.D. Bronson [mailto:[EMAIL PROTECTED]
 Is there any way to accomplish this:
 
 1. Use ssh with passwords internally (lan to lan connections)
 2  Use ssh with publickeys externally (wan to lan connections)
 
 ...thanks!

I can't think of a way to do it with the same user account, but you could
handle it for different users by not setting a password for users that will
only connect externally, and set them up for key-based auth, and then do
keys + set a password for internal user accounts.

Alternatively, you may be able to use some PF magic to get external users
redirected to an sshd listening on a different port on the box - one
configured for only pubkey auth.

DS
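
The split J.D. asks for (passwords from the LAN, keys only from outside) is, in current OpenSSH, one sshd_config with a Match block. This is an added example, not from any post in the thread, and it assumes the LAN is 192.168.1.0/24. Match arrived in OpenSSH 4.4 (2006), after this thread, so on the 3.7/3.8 sshd being discussed the working answer is Roy's: a second sshd started with -f on a separate config whose ListenAddress is the internal interface's address.

```conf
# Added example, not from the thread. Assumes the LAN is 192.168.1.0/24.
PermitRootLogin no
PubkeyAuthentication yes

# Defaults, applied to every connection not matched below: keys only.
PasswordAuthentication no
ChallengeResponseAuthentication no

# A Match block runs to the end of the file (or the next Match) and
# overrides the defaults for the clients it selects. Only sources on
# the LAN may fall back to a password; everyone else still needs a key.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

Check the file with sshd -t before restarting, and keep an existing session open while you reload, so a mistake in the Match block cannot lock you out. Newer releases can also print the effective settings for a given client with sshd -T -C addr=192.168.1.20 (the -T test mode is likewise newer than this thread).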



Re: is there a way to block sshd trolling?

2005-09-23 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 My only question is what if I traceroute to you, find out the 
 IP number of your upstream router?  Then I make a bunch of 
 connection attempts to your IP but forge the packets to make 
 them look like they came from your upstream.  Don't *you* end 
 up blacklisting your default route and you become 'so long suckah'd?

If you blacklist an IP on syn attempts only, maybe. In order for you to try
to brute force logins you'll need a full TCP handshake which you'll never
accomplish if you're spoofing yourself as the IP of the router.

DS



Re: is there a way to block sshd trolling?

2005-09-23 Thread Stuart Henderson

--On 23 September 2005 15:05 -0500, [EMAIL PROTECTED] wrote:


My only question is what if I traceroute to you, find out the IP
number of your upstream router?  Then I make a bunch of connection
attempts to your IP but forge the packets to make them look like they
came from your upstream.


The suggestion is for max-src-conn-rate, not max-src-state.
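
What Rob, Thordur and Stuart are describing, written out as pf.conf(5) rules. This is an added example, not taken from any post in the thread; the interface name, the 5-connections-in-30-seconds limit and the table names <bruteforce> and <trusted> are assumptions.

```conf
# Added example, not from the thread. Adjust interface and limits.
ext_if = "fxp0"
table <trusted> { 192.168.1.0/24 }
table <bruteforce> persist

# Addresses already in the table are dropped before any pass rule.
block in quick on $ext_if from <bruteforce>

# Your own management hosts never get rate-limited or flushed.
pass in quick on $ext_if inet proto tcp from <trusted> to ($ext_if) port 22 \
    flags S/SA keep state

# Everyone else may use SSH, but a source that opens more than 5 new
# connections in 30 seconds is added to <bruteforce> and all of its
# existing states are killed (flush global). max-src-conn-rate only
# counts connections that completed the three-way handshake, so a
# spoofed SYN in the upstream router's name cannot put that router's
# address into the table.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Inspect the table with pfctl -t bruteforce -T show and drop an entry with pfctl -t bruteforce -T delete <addr>. Entries stay until removed, so expire old ones: newer pfctl has -T expire <seconds> (added after this thread); on a 3.7 box the expiretable package from ports does the same job from cron.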



Re: is there a way to block sshd trolling?

2005-09-23 Thread Matthew Powell
John Marten wrote:
 You know what I mean? Every day I get some script kiddie, or adult,
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so I'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: invalid user somename
 Failed password for invalid user somename
 Received disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had to do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.
 
 
 John F. Marten III
 
 Information Technology Specialist
 


http://lfriends.franoculator.com/phpBB2/viewtopic.php?t=103

That's the hosts.deny method, for those of you scoring at home.

It's a good solution, but you're better off enabling DSA/RSA keys and
doing away with password auth altogether.  Running sshd on a different
port never hurt anyone either.

HTH.


-- 
Matt
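
The log-watching route Thordur (swatch feeding a pf table) and Matt (a hosts.deny list) point at needs two pieces: something that picks the offending sources out of authlog, and something that acts on them. Here is the first piece as an added shell example, not from any post in the thread, run over a constructed sample modelled on the lines John quoted; the table name bruteforce and the threshold are assumptions. It counts "Failed password" lines per source address and prints the pfctl commands that would add repeat offenders to the table.

```shell
#!/bin/sh
# Added example, not from the thread: find SSH brute-force sources in
# authlog-style lines and print the pfctl commands that would add them to
# a pf table named <bruteforce> (assumed name).

# Constructed sample in OpenBSD authlog format; not real log data.
SAMPLE_LOG='Sep 23 11:30:01 gw sshd[1201]: Invalid user admin from 198.51.100.7
Sep 23 11:30:01 gw sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 4121 ssh2
Sep 23 11:30:02 gw sshd[1203]: Invalid user test from 198.51.100.7
Sep 23 11:30:02 gw sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 4122 ssh2
Sep 23 11:30:03 gw sshd[1205]: Invalid user oracle from 198.51.100.7
Sep 23 11:30:03 gw sshd[1205]: Failed password for invalid user oracle from 198.51.100.7 port 4123 ssh2
Sep 23 11:31:10 gw sshd[1210]: Failed password for john from 192.0.2.5 port 50122 ssh2
Sep 23 11:31:15 gw sshd[1210]: Accepted publickey for john from 192.0.2.5 port 50122 ssh2'

# offenders THRESHOLD: reads log lines on stdin and prints one address per
# line for every source with at least THRESHOLD failed attempts. Only the
# "Failed password" line is counted, so an attempt against an invalid
# user (which also logs an "Invalid user" line) is counted once.
offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= limit) print ip }
    ' | sort
}

# pfctl_commands THRESHOLD: same input, but emit the commands an admin
# (or swatch) would run to put the offenders into the table.
pfctl_commands() {
    offenders "$1" | while read -r ip; do
        echo "pfctl -t bruteforce -T add $ip"
    done
}

# Stand-alone run over the constructed sample: prints one command for
# 198.51.100.7, the only source with three or more failures.
printf '%s\n' "$SAMPLE_LOG" | pfctl_commands 3
```

Paired with a pf.conf that has `table <bruteforce> persist` and `block in quick from <bruteforce>`, this is the swatch recipe without swatch; run it from cron against /var/log/authlog, or feed it a `tail -f`. The same caveat as with any reactive block applies: whitelist your own management addresses before the block rule, and expire table entries so a one-off typo from a colleague's host does not stay blacklisted forever.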



Re: passive ftp-ssl client behind OpenBSD 3.7 NAT/pf

2005-09-23 Thread ed
On Fri, 23 Sep 2005 13:45:45 -0700 (PDT)
Daniel Smereka [EMAIL PROTECTED] wrote:

 Is it possible to get such a client running in passive mode using pf
 rdr/rules?
  
 I understand that I can't use ftp-proxy for this b/c the PORT command
 coming back from the FTP server is encrypted.  Is there any way to do
 this?  thanks

The whole idea of passive ftp is that it is the client initiating both
control and data connections, so for ftp or ftp-ssl there should be no need
for additional nat fw rules.

If the server is behind the NAT then you need to set a rdr rule for the
high port numbers and the ftp server must masquerade as the nat's ip
address.

rdr on $ext_if proto tcp from any to $ftp port {6:65535} -> $local_ftp 

for example.

-- 
A horse is a horse, of course, of course, And no one can talk to a
horse, of course, Unless, of course, the horse, of course, Is the famous
Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net 



Re: is there a way to block sshd trolling?

2005-09-23 Thread Wolfgang S. Rupprecht
[EMAIL PROTECTED] writes:
 My only question is what if I traceroute to you, find out the IP number of 
 your upstream router?  Then I make a bunch of connection attempts to your IP 
 but forge the packets to make them look like they came from your upstream.  
 Don't *you* end up blacklisting your default route and you become 'so long 
 suckah'd?

This isn't a problem for 2 reasons.

1) The upstream router isn't likely to be the destination of any
   packet in a consumer-ISP situation.  Only if you are running some
   routing protocol that uses that upstream router as an endpoint
   (e.g. RIP, OSPF, etc.) will a block against that router's IP matter
   to you.

   I've heard of cases where folks intentionally add an IP-level block
   against their ISP's whole infrastructure.  (Some ISP's don't allow
   any servers.  If they find an sshd hanging on port 22 are they
   going to hassle you?  Just block 'em.)

2) Forging the source IP in a TCP packet and succeeding in negotiating
   the 3-way handshake isn't all that simple any more.  I wouldn't
   worry about it.  If someone could forge that reliably, there is
   much better game to go after (like breaking into machines that
   still use IP addresses for authorization.)  Someone spoofing an IP
   so that you mistakenly block an innocent party is pretty much
   wasting a good trick.

-wolfgang



No sound in KDE

2005-09-23 Thread Chris
Hello.

I am still relatively new to openbsd. 

I have followed the docs pretty closely, and seem to have a very nice
system going.  I have a couple of snags, however.

One of them is that I am not getting any sound while I am running KDE. 
I had the same problem running 3.6, I thought I would try upgrading to
3.7, but it changed nothing there.

The sound card works fine.  I can run waveplay from the commandline on a
wave file and it sounds great.

To rule out permission issues, I am running this all as root.  Normally,
I wouldn't do this.

It is only in KDE that my sound does not work.  Artsd is running in the
background, and by default points to /dev/sound and uses OSS.  I have
tried about every permutation I can think of settings on the control
panel, and nothing works.

I get no errors if I leave these defaults.  Sometimes I get a
high-pitched  squeak, but usually I get nothing out of the speakers.

When I click test on the sound system control panel in KDE, I hear
nothing, but this prints up on the vt where I started X:

Server STatus:  Running, autosuspend disabled
real-time status: no real-time support
server buffer time: 40.5349 ms
buffersize multiplier: 1
minimum stream buffer time: 40.6349 ms
auto suspend time: 0 s
audio method: oss
sampling rate 44100
channels: 2
sample size 16 bits
duplex: half
device: /dev/sound
fragments 7
fragment size: 1024



Any ideas?

Thank you in advance. 

Here is my dmesg:

dmesg:
==
OpenBSD 3.7 (RAMDISK_CD) #573: Sun Mar 20 00:27:05 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel Celeron (GenuineIntel 686-class, 256KB L2 cache) 299 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 267952128 (261672K)
avail mem = 238706688 (233112K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(7c) BIOS, date 11/17/99, BIOS32 rev. 0 @ 0xfd7a0
apm0 at bios0: Power Management spec V1.2
pcibios0 at bios0: rev 2.1 @ 0xfd7a0/0x860
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf40/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:02:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Neomagic Magicgraph NM2200 rev 0x20
wsdisplay0 at vga1: console (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 2 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: TOSHIBA MK3021GAS
wd0: 16-sector PIO, LBA, 28615MB, 58605120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LG, CD-ROM CRN-8241B, 1.16 SCSI0 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 2 function 2 Intel 82371AB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power Mgmt rev 0x02 at pci0 dev 2 function 3 not configured
cbb0 at pci0 dev 3 function 0 Texas Instruments PCI1251 CardBus rev 0x01: irq 
11
cbb1 at pci0 dev 3 function 1 Texas Instruments PCI1251 CardBus rev 0x01: irq 
11
ATT/Lucent LTMODEM rev 0x01 at pci0 dev 6 function 0 not configured
ESS SOLO-1 AudioDrive rev 0x02 at pci0 dev 7 function 0 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: using exception 16
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x80
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 3 device 0 cacheline 0x0, lattimer 0x80
pcmcia1 at cardslot1
biomask fff5 netmask fff5 ttymask fff7
rd0: fixed, 3800 blocks
ep1 at pcmcia0 function 0 3Com, OfficeConnect 572B, B port 0xa000/32: address 
00:00:86:62:83:f5
tqphy0 at ep1 phy 0: 78Q2120 10/100 PHY, rev. 10
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02
syncing disks... done
rebooting...
OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron (GenuineIntel 686-class, 256KB L2 cache) 299 MHz
cpu0: 

That's Business - this is how people earn money today...!

2005-09-23 Thread Hanzz
Attention: If you are a skeptic and not open to new, innovative opportunities,
then you should leave this website!
Otherwise, simply keep your healthy measure of distrust and get started.




That's Business



450,000 euros
possible in 7 months!
Through network marketing my dream came true!
Hello, nice of you to drop by my homepage. Just like you, I became aware of
this program on the Internet. What immediately appealed to me here: EVERYTHING
is described right away, how you can easily earn money, and you can start
IMMEDIATELY. (Unlike various side-job providers on the Internet, where you
first have to request information for a lot of money just to find out what it
is about at all...)
Take a few minutes and read through the text below in peace. And you will see
HOW easy it is to earn money. And what was also very important to me
personally: it's fun!!!
The people further down on the list are perfectly normal people like you and
me, who have also decided to take part in the program. So there is no person
in between who still pockets the cash. You are your own boss!
By the way, for all skeptics: I checked again with the trade supervisory
office; there are definitely NO legal objections to this program!
I wish you just as much success and fun as I have had with it so far!
 How 35 euros turn into 450,000 euros and more - possible in 7 months!!!
Dear Sir or Madam,
We distance ourselves from all similar programs that have existed so far.
See for yourself. We have kept the basic idea, because the program is worth
GOLD. The changes are now tailored to German-speaking countries (laws,
regulations etc.).
Good day!
Earn money on the Internet with your PC from home! You can receive more than
450,000 € within the next 7 months by advertising for free; you will learn
how in step-by-step instructions contained in the 7 e-books that you will
receive by e-mail. They are written so that anyone can easily understand them.
Up to 450,000 € in only 7 months! Does that seem impossible to you? Read on
and find out in detail how it works.
No, - there is no catch!
Many thanks for your time and your interest!
Because of the popularity of this letter on the Internet, a well-known German
news magazine devoted an entire broadcast to investigating the program
described below, to find out whether it really brings in money.

That broadcast also checked whether the program is legal or not. It was found
that there are no laws that prohibit taking part in the program. This helped
to show that this is a simple, harmless way to earn extra money from home, and
it has produced remarkable results..

So many people take part in this program that for those who are already in it,
it runs even better than before. Since everyone earns more the more people try
it, it has been very exciting to be part of it lately. You will understand that
as soon as you gain some experience.

You can print out the following now, to refer back to it at any time, but in
any case keep it safe, because you will read this incredible concept several
more times, i.e. if you would like to earn 450,000 € in less than 7 months,
then read the following program ... and then read it again!
The program offers a legal way to earn money on the Internet.
For that you do not have to sell anything to anyone in person, or work hard,
and the best part is: you do not even have to leave the house. One day you
will reach an account balance you have long dreamed of, whether you want to
or not!
Testimonial: (One of many users of this business opportunity)
My name is Markus Weber. Two years ago the company I had worked for during the
previous 12 years rationalised and I was laid off. After fruitless job
interviews I decided to open my own business.
In the past years I experienced some unforeseen financial problems. I owed my
family, my friends and my lenders more than 18,000 €. The economic situation
took its toll on my business and I did not manage to find a sufficient income.
I had to refinance and take out a mortgage to keep my family and my business
afloat. At that moment something decisive happened in my life. I am writing
you this to share my experience and I am sure that it will change your life
financially forever, too!
In mid-March I received this

Re: Userland Compilation Dies

2005-09-23 Thread Chris
Oh no!

My eyes must have slipped up the page!  (I have the docs open on my
other machine, and I am going back and forth).  I have been at this too
long!  Thank you Mitja!

I actually did do it right the first time.. but it errored out.
Interesting that using the current didn't error out in the same way...

I wound up deleting /usr/src /usr/X4 and /usr/ports, downloading the
tarballs and updating them.  Then everything worked.

Thank you all for catching my blunder.

Chris



Chris wrote:

Hello.

I had an OBSD system, 3.6.  I went to update it the other day to 3.7,
and everything seemed to work swell.  I followed the instructions from
the upgrade faq, and things seemed to work without a hitch.

I am trying to follow the stable branch, so updated my CVS for src,
ports and X like so:

# cd /usr
#cvs -d$CVSROOT up -Pd*

*It took its time, but it updated everything without complaint.

I then recompiled the kernel (GENERIC).  This also seemed to go without
a hitch -- almost.  The only thing that seemed to contradict the
documentation was that it said:

# cd /usr/src/sys/arch/i386/conf
# config GENERIC
# cd ../compile/GENERIC
# make clean && make depend && make
[...lots of output...]
# make install
  

Replace i386 in the first line with your machine name.

Well, my machine name was nowhere to be found in /usr/src/sys/arch (or
anywhere under /usr/src at all), so I had to use i386.  I don't know if
this is an error in the docs or if something else somewhere got
botched.  I do know that there were no complaints from the system
what-so-ever.  It rebooted very nicely.

Then I went to recompile the userland utilities.  I followed the
documentation:

   # rm -rf /usr/obj/*
   # cd /usr/src
   # make obj
   # cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
   (Now I am not certain if this is an error in the docs. Should it
   be setenv DESTDIR=/? I tried both ways.)

   # cd /usr/src
   # make build

The compile goes for about 1 hour and 48 minutes, then it crashes:



c++ -O2 -fno-implicit-templates -idirafter /=/usr/include/g++ -I/usr/src/gnu/egcs/libio -I/usr/src/gnu/egcs/libio/obj -nostdinc -idirafter /=/usr/include -c /usr/src/gnu/egcs/libio/editbuf.cc -o editbuf.o
In file included from /usr/src/gnu/egcs/libio/editbuf.cc:31:
/usr/src/gnu/egcs/libio/editbuf.h:79: error: friend declaration requires
   class-key, i.e. `friend struct edit_buffer'
/usr/src/gnu/egcs/libio/editbuf.cc: In member function `edit_buffer*
   edit_mark::buffer()':
/usr/src/gnu/egcs/libio/editbuf.cc:648: warning: invalid access to non-static
   data member `edit_buffer::end_mark' of NULL object
/usr/src/gnu/egcs/libio/editbuf.cc:648: warning: (perhaps the `offsetof' macro
   was used incorrectly)
*** Error code 1

Stop in /usr/src/gnu/egcs/libio.
*** Error code 1

Stop in /usr/src/gnu/egcs/libio (line 48 of 
/usr/src/gnu/egcs/libio/Makefile.bsd-wrapper).
*** Error code 1

Stop in /usr/src/gnu/egcs.
*** Error code 1

Stop in /usr/src/gnu/lib.
*** Error code 1

Stop in /usr/src (line 72 of Makefile).

===

I have gone through these steps repeatedly, and I get the same results every 
time. 

Can someone please give me a hand?

Thanks!


Chris



My system:
IBM thinkpad 390e
256 megs of ram
30 gb hard drive (21gb free)
pentium II processor


dmesg:
==
OpenBSD 3.7 (RAMDISK_CD) #573: Sun Mar 20 00:27:05 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel Celeron (GenuineIntel 686-class, 256KB L2 cache) 299 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 267952128 (261672K)
avail mem = 238706688 (233112K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(7c) BIOS, date 11/17/99, BIOS32 rev. 0 @ 0xfd7a0
apm0 at bios0: Power Management spec V1.2
pcibios0 at bios0: rev 2.1 @ 0xfd7a0/0x860
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf40/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:02:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Neomagic Magicgraph NM2200 rev 0x20
wsdisplay0 at vga1: console (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 2 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: TOSHIBA MK3021GAS
wd0: 16-sector PIO, LBA, 28615MB, 58605120 sectors

pf log entries

2005-09-23 Thread Richard P. Koett
'tcpdump -r /var/log/pflog' shows a lot of entries like this:

14:31:38.279681 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98
14:31:41.794668 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98
14:31:42.464382 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98
14:31:42.614922 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98
15:06:10.377268 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=954
15:08:53.601656 33:0:0:0:0:0 > 3d:2:0:0:6e:65 null I (s=0,r=0,C) len=94
15:23:15.870547 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=86
15:36:11.213396 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=94
15:36:11.798560 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=94
15:36:12.405731 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=94

I'm curious what these mean but Google and misc archives haven't shed
much light for me. The MAC addresses (?) don't match anything I know of.

Can anyone point me to a reference or explanation?

TIA,
RPK.



Re: is there a way to block sshd trolling?

2005-09-23 Thread Abraham Al-Saleh
just to add my $0.02. The best they could hope for would be disallowing your
default gateway from connecting to your ssh server... whoop-de-doo.

On 9/23/05, Wolfgang S. Rupprecht 
[EMAIL PROTECTED] wrote:

 [EMAIL PROTECTED] writes:
  My only question is what if I traceroute to you, find out the IP number
 of your upstream router? Then I make a bunch of connection attempts to your
 IP but forge the packets to make them look like they came from your
 upstream. Don't *you* end up blacklisting your default route and you become
 'so long suckah'd?

 This isn't a problem for 2 reasons.

 1) The upstream router isn't likely to be the destination of any
 packet in a consumer-isp situation. Only if you are running some
 routing protocol that uses that upstream router as an endpoint
 (eg. rip, ospf, etc) will a block against that router's IP matter
 to you.

 I've heard of cases where folks intentionally add an IP-level block
 against their ISP's whole infrastructure. (Some ISP's don't allow
 any servers. If they find an sshd hanging on port 22 are they
 going to hassle you? Just block 'em.)

 2) Forging the source IP in a TCP packet and succeeding in negotiating
 the 3-way handshake isn't all that simple any more. I wouldn't
 worry about it. If someone could forge that reliably, there is
 much better game to go after (like breaking into machines that
 still use IP addresses for authorization.) Someone spoofing an IP
 so that you mistakenly block an innocent party is pretty much
 wasting a good trick.

 -wolfgang



Re: is there a way to block sshd trolling?

2005-09-23 Thread Spruell, Darren-Perot
From: Wolfgang S. Rupprecht
 2) Forging the source IP in a TCP packet and succeeding in negotiating
the 3-way handshake isn't all that simple any more.  I wouldn't
worry about it.  If someone could forge that reliably, there is
much better game to go after (like breaking into machines that
still use IP addresses for authorization.)  Someone spoofing an IP
so that you mistakenly block an innocent party is pretty much
wasting a good trick.

Is it possible at all? You spoof your address to appear as my ISP for the
source address of a TCP connection. You send a SYN packet seeming to appear
from the ISP. I send SYN+ACK back to that ISP address. ISP drops it because
that address never sent SYN in first place. You never get anything back,
neither do I, and no TCP handshake occurs.

Or does this involve a much more sophisticated attack than I'm imagining?

DS



Re: is there a way to block sshd trolling?

2005-09-23 Thread Wolfgang S. Rupprecht
Spruell, Darren-Perot [EMAIL PROTECTED] writes:
 From: Wolfgang S. Rupprecht
 2) Forging the source IP in a TCP packet and succeeding in negotiating
the 3-way handshake isn't all that simple any more.  I wouldn't
worry about it.  If someone could forge that reliably, there is
much better game to go after (like breaking into machines that
still use IP addresses for authorization.)  Someone spoofing an IP
so that you mistakenly block an innocent party is pretty much
wasting a good trick.

 Is it possible at all? You spoof your address to appear as my ISP for the
 source address of a TCP connection. You send a SYN packet seeming to appear
 from the ISP. I send SYN+ACK back to that ISP address. ISP drops it because
 that address never sent SYN in first place. You never get anything back,
 neither do I, and no TCP handshake occurs.

 Or does this involve a much more sophisticated attack than I'm imagining?

Spoofing the tcp connection is possible if you can guess what was in
the packet that the other side sent back in response to the first
spoofed syn.  Obviously you'll never see the packet, but the only
thing that you need to know that isn't obvious is the initial sequence
number.  Back in the early days of BSD the initial tcp-sequence number
wasn't all that hard to guess.  Predicting it was relatively easy if
the other side was a BSD system that didn't have too many tcp
connections per second.  

After each tcp connection the kernel incremented the initial sequence
number by some small, fixed amount.  Connecting up to any tcp port
would tell you what the kernel was currently using.  Connecting a few
times in a row would tell you how much it incremented the initial
number by for each connection.  It also gave one a rough idea how many
connections per second the kernel was seeing.

-wolfgang
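Wolfgang's description of the old fixed-increment ISN allocator, as an added example that is not from the thread: two toy allocators stand in for a kernel's ISN generator, and `infer_step` is the check an administrator can run over a handful of ISNs observed from their own host to tell the predictable kind from a randomized one. Class and function names are my own; the seed and step values are constructed.

```python
"""Added example (not from the thread): why a fixed-increment TCP initial
sequence number is predictable, and the check that exposes it.  The two
allocators are toy models, not code from any BSD kernel."""
import random
from typing import List, Optional

MASK32 = 0xFFFFFFFF  # the ISN is a 32-bit field, so arithmetic wraps


class FixedIncrementISN:
    """Toy model of the early-BSD scheme: ISN += constant per connection."""

    def __init__(self, seed: int, step: int) -> None:
        self.current = seed & MASK32
        self.step = step

    def next_isn(self) -> int:
        self.current = (self.current + self.step) & MASK32
        return self.current


class RandomISN:
    """Toy model of a randomized allocator (seeded only so the demo repeats)."""

    def __init__(self, seed: int) -> None:
        self.rng = random.Random(seed)

    def next_isn(self) -> int:
        return self.rng.getrandbits(32)


def infer_step(observed: List[int]) -> Optional[int]:
    """Return the constant increment if every consecutive difference agrees,
    otherwise None.  A constant answer over ISNs you captured from your own
    host means the allocator is the kind Wolfgang describes."""
    if len(observed) < 3:
        return None  # two samples give one difference; not evidence of a pattern
    diffs = {(b - a) & MASK32 for a, b in zip(observed, observed[1:])}
    return diffs.pop() if len(diffs) == 1 else None


def sample_isns(gen, count: int) -> List[int]:
    """Model `count` probe connections, each handed one ISN by the allocator."""
    return [gen.next_isn() for _ in range(count)]


def assess(gen, probes: int = 4) -> dict:
    """Infer the step from `probes` ISNs and compare the implied next ISN with
    what the allocator actually hands out on the following connection."""
    observed = sample_isns(gen, probes)
    step = infer_step(observed)
    actual_next = gen.next_isn()
    predicted = (observed[-1] + step) & MASK32 if step is not None else None
    return {"step": step, "predicted": predicted, "actual": actual_next,
            "predictable": predicted == actual_next}


if __name__ == "__main__":
    # Constructed values: the fixed allocator is caught, the random one is not.
    print(assess(FixedIncrementISN(seed=0x12340000, step=64000)))
    print(assess(RandomISN(seed=7)))
```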



Re: Any advice on 'Indemnification'? (US Only, obviously)

2005-09-23 Thread Nick Holland
L. V. Lammert wrote:
 I have been working with a local OS friendly hosting company to add support 
 for OpenBSD. Unfortunately, they also support with Red Hat, SuSE, and 
 Apple, and these vendors offer an 'Open Source Indemnification', ostensibly 
 protecting against legal action from contributors.
 
 Of course, the OBSD project is meticulous about good copyright practices, 
 so WE all know this isn't an issue here, but, unfortunately, the hosting 
 company has lawyer(s) asking for similar 'Indemnification' for OBSD before 
 they will officially allow OBSD on premises.
 
 Question - I know that copyright law trumps 'indemnification' - especially 
 given the BSD licenses on all project s/w, but has anyone dealt with this 
 issue before? Can anyone point me to any legal resources that I could pass 
 along to help satisfy the lawyers?

Well, you could try a little logic with the suits.
  1) Do they permit W2k?  I glanced at the license there, didn't see any
indemnification promises there.  What if GNU sues MS and all users of
W2k over improper use of code (a common bug between GPL'd code and
Windows would be pretty good evidence of such borrowing).  How about
every other piece of software they run on their servers?
  2) What if someone runs Application X on their legally safe Redhat
server?  Do they audit the systems to make sure *every* app offers
indemnification?  We had a situation at my employer recently where we
had to custom compile Apache from source on an SuSE box.  Were we
still indemnified then?
  3) Indemnification for the ISP?  I've not looked over any of those
contracts, but the hosting company seems to be really far out on the
liability limb, would they really be protected by what you run on your
machine?  If it is your machine, are they really claiming they have to
make sure your software meets their standards?  Are they going to do
this for people running supported OSs?  If they are dictating
standards, are they going to accept the responsibility for those decisions?
  4) Point out that OpenBSD created and maintains OpenSSH.  I'm sure
they would feel happy to follow the logic of their desire to be legal
risk-free and remove all Cisco, Linux, and lots of other products.
Sure, they may claim that Redhat provides indemnification for OpenSSH.
  *IF* that's true, apparently they are either pretty confident there is
no problem with OpenSSH (which might imply that the OpenBSD project is
pretty careful), or they don't think the real risk of a lawsuit over
this stuff is significant, and it's all a big marketing game (scare you
into using our product...i.e., FUD with the emphasis on F)
  5) Anyone done a check to see if RedHat/SuSE/Apple really have the
spare cash to spend on someone else's defense?
  6) Do they feel confident that if you switch to one of the supported
OSs at their demand, and if your box gets rooted and lots of people's
credit card numbers (or similar) gets scattered across the 'net, that
they won't have their pants sued off them by you and your customers for
forcing you to run crapware (you probably wouldn't win that suit, but
you could end up costing them a lot of money defending it)?
  7) Do they understand that it is your money to spend with whatever
vendor they wish, and I doubt they are the only hosting company around?

Not sure any one of those is a killer argument, but might get them to
think about what it is they are requesting.

Nick.



upgrade is it important ?

2005-09-23 Thread Budhi Setiawan
dear all

i guess this is a stupid question, but since i am very young in the openbsd land, i 
have a lot of questions :

1. how important is it to make our system (OS and packages) always up-to-date ( 
except for security reasons of course ), because some people say 
you should update your system at least once a year

2. if i'm doing an upgrade from 3.7 to 3.8, what happens to my old programs since 
my old programs use the old libraries ? do they still work without 
recompiling ?

3. and another if, how do i make my system clean after i upgrade from one 
version to another version ? because i still see the old libraries from the old 
version !

thank's

-- 
/Budhi Setiawan



Re: passive ftp-ssl client behind OpenBSD 3.7 NAT/pf

2005-09-23 Thread Daniel Smereka
Hi Ed thx for the reply.  First I should mention that all non-ssl ftp traffic 
works great through the firewall (setup according to FAQ on openbsd site).
 
My setup is:
 
my client - my nat'd OpenBSD - internet - remote ftp-ssl server
 
I don't have any control over the remote server.  The client simply hangs 
saying Connected to server on port 21. Waiting for response
 
I did a tcpdump on the internal nic during a connection attempt from the client:
 
 tcpdump -ttt -n -i vr0 host remote_ip

Sep 23 19:01:51.887070 192.168.1.111.1156 > remote_ip.21: S 34496577:34496577(0) win 8192 <mss 1460> (DF)
Sep 23 19:01:51.887122 remote_ip.21 > 192.168.1.111.1156: S 2282047294:2282047294(0) ack 34496578 win 16384 <mss 1460>
Sep 23 19:01:51.887433 192.168.1.111.1156 > remote_ip.21: . ack 1 win 8760 (DF)
Sep 23 19:02:56.887799 192.168.1.111.1156 > remote_ip.21: F 1:1(0) ack 1 win 8760 (DF)
Sep 23 19:02:56.887840 remote_ip.21 > 192.168.1.111.1156: . ack 2 win 17520

and another on the external nic at the same time:
 
 tcpdump -ttt -n -i fxp0 host remote_ip

 
Sep 23 19:01:51.891462 my_external_ip.63441 > remote_ip.21: S 3772606012:3772606012(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3166560978 0> (DF)
Sep 23 19:01:57.883262 my_external_ip.63441 > remote_ip.21: S 3772606012:3772606012(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3166560990 0> (DF)
Sep 23 19:02:09.883267 my_external_ip.63441 > remote_ip.21: S 3772606012:3772606012(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3166561014 0> (DF)
Sep 23 19:02:33.883268 my_external_ip.63441 > remote_ip.21: S 3772606012:3772606012(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3166561062 0> (DF)
 
I would appreciate if anyone can help me understand the tcpdump output.  thx



Re: upgrade is it important ?

2005-09-23 Thread Chris
Budhi Setiawan wrote:
 dear all
 
 i guess this is a stupid question, but since i am very young in the openbsd land, 
 i have a lot of questions :
 
 1. how important is it to make our system (OS and packages) always up-to-date ( 
 except for security reasons of course ), because some people say 
 you should update your system at least once a year

Depends on you really. I keep my ports tree up to date on a weekly
basis. My src tree - only when SA's are out or I wish to upgrade to a
new release - Then again, FreeBSD allows you to do that - I have not
done that with Open. I always pretty much wiped and reinstalled - seems
like a waste, but that may be my own ignorance.

 2. if i'm doing an upgrade from 3.7 to 3.8, what happens to my old programs 
 since my old programs use the old libraries ? do they still work without 
 recompiling ?

OpenBSD and FreeBSD do things differently here. While Open prefers you
to use and do binary installs of packages (thus the reason they are
called packages) you still can grab the ports tree and work from there.

To me, FreeBSD is far superior when it comes to update/upgrading the
ports tree against the installed ports. Meaning, there are ports in the
ports tree of FreeBSD that allows you to do just that - somewhat
effortlessly.

Don't get me wrong - I adore Open, but I like to upgrade the src tree
and ports tree within releases and after. FreeBSD is just more flexible
- then again, I speak from a biased point of view - meaning, I have been
with FBSD since 2.2.8

If you find Open too rigid for your tastes, try FreeBSD. However, there
will be a learning curve if you wish to maintain ports and src.

 3. and another if, how do i make my system clean after i upgrade from one 
 version to another version ? because i still see the old libraries from the 
 old version !

I have never upgraded Open from one version to another. It may be very
simple - To me (again I'm biased) FreeBSD gives you that playability.

These are just my opinions of course.


-- 
Best regards,
Chris

You can make it foolproof, but you can't make it
damnfoolproof.



Re: is there a way to block sshd trolling?

2005-09-23 Thread Eike Lantzsch
On Friday 23 September 2005 14:40, John Marten wrote:
 You know what i mean? Every day I get some script kiddie, or adult
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so i'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: invalid user somename
 Failed password for invalid user somename
 Received disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had to do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.


 John F. Marten III

 Information Technology Special

Don't know if this is better and then better in what sense but here it 
goes and it's easy as pie:
I installed denyhosts - a python script. Obvious downside is that you need 
to install python. Only adjustment you need to do is that denyhosts looks 
into /var/log/authlog for OBSD instead of /var/log/auth.log for Linux.
My /etc/hosts.deny is growing steadily ever since ...

Kind regards, Eike

-- 
Eike Lantzsch ZP6CGE
Casilla de Correo 1519
Asuncion / Paraguay
Tel.: 595-21-578698 FAX: 595-21-578690
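The check denyhosts performs, as an added example that is not from the thread or from denyhosts itself: count failed sshd logins per source address in the OpenBSD authlog format John's post quotes, apply a stricter threshold to guesses at accounts that do not exist, and emit hosts.deny entries. Hostnames, PIDs and addresses in the sample are constructed (RFC 5737 ranges); the function names and thresholds are my own.

```python
"""Added example, not from the thread or from denyhosts: the core check
denyhosts performs, applied to OpenBSD /var/log/authlog messages."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_AUTHLOG = """\
Sep 23 14:40:01 gw sshd[12345]: Invalid user admin from 198.51.100.7
Sep 23 14:40:01 gw sshd[12345]: input_userauth_request: invalid user admin
Sep 23 14:40:03 gw sshd[12345]: Failed password for invalid user admin from 198.51.100.7 port 4021 ssh2
Sep 23 14:40:05 gw sshd[12347]: Failed password for invalid user test from 198.51.100.7 port 4022 ssh2
Sep 23 14:40:09 gw sshd[12349]: Failed password for invalid user vmail from 198.51.100.7 port 4023 ssh2
Sep 23 14:40:10 gw sshd[12349]: Received disconnect from 198.51.100.7: 11: Bye Bye
Sep 23 14:41:30 gw sshd[12360]: Failed password for eike from 192.0.2.44 port 51022 ssh2
Sep 23 14:41:35 gw sshd[12360]: Accepted password for eike from 192.0.2.44 port 51022 ssh2
Sep 23 14:42:00 gw sshd[12370]: Failed password for root from 203.0.113.9 port 3344 ssh2
Sep 23 14:42:02 gw sshd[12371]: Failed password for root from 203.0.113.9 port 3345 ssh2
Sep 23 14:42:04 gw sshd[12372]: Failed password for root from 203.0.113.9 port 3346 ssh2
Sep 23 14:42:06 gw sshd[12373]: Failed password for root from 203.0.113.9 port 3347 ssh2
Sep 23 14:42:08 gw sshd[12374]: Failed password for root from 203.0.113.9 port 3348 ssh2
"""

# One "Failed password" line per authentication attempt; the preceding
# "Invalid user" line describes the same attempt, so it is not counted again.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures(lines: Iterable[str]) -> Dict[str, Counter]:
    """Tally failed logins per source address, split by whether the account exists."""
    tallies: Dict[str, Counter] = {"invalid": Counter(), "valid": Counter()}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            bucket = "invalid" if m.group("invalid") else "valid"
            tallies[bucket][m.group("ip")] += 1
    return tallies


def offenders(lines: Iterable[str], invalid_threshold: int = 3,
              valid_threshold: int = 5) -> List[str]:
    """Addresses that reach either threshold.  Guesses at accounts that do not
    exist get the stricter limit: a real user mistyping a password never
    produces them, while a dictionary scan produces little else."""
    tallies = count_failures(lines)
    hits = {ip for ip, n in tallies["invalid"].items() if n >= invalid_threshold}
    hits |= {ip for ip, n in tallies["valid"].items() if n >= valid_threshold}
    return sorted(hits)


def hosts_deny_entries(ips: List[str]) -> List[str]:
    """Entries in the tcp_wrappers hosts.deny syntax that denyhosts appends."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    for entry in hosts_deny_entries(offenders(SAMPLE_AUTHLOG.splitlines())):
        print(entry)
```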



Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-23 Thread Ted Unangst
On Fri, 23 Sep 2005, nate wrote:

 ok that's the kind of info I wanted to hear, so kernel
 space can go up to ~300MB ? is this a tunable
 parameter anywhere or is it hard coded?

it is actually 768MB on i386, but you can't use anywhere close to all of 
it for pf states.  it is hard coded.

 is this a low memory vs high memory thing? if so is
 there a good way to monitor low memory on openbsd?
 I tried doing some google searches and all I found was
 people running out of memory.

there is no way i know of to monitor it.  what matters is not memory, but 
address space.

 also one last Q - when you allocate memory for states
 in the pf config, say I allocate for 200k states does
 that allocation happen when the config is loaded or
 is it dynamic? Just wondering if I do exceed the limit
 should I expect it to misbehave immediately upon
 reload(even if it isn't holding that many states) or
 not until it actually hits the state limit.

states are only allocated on demand.  you could set the limit to a billion 
with no problem until you actually start using too many states.  the limit 
is there to protect you from the firewall imploding.


-- 
And that's why your software sucks.



Re: is there a way to block sshd trolling?

2005-09-23 Thread Bryan Irvine
 Some intelligent scripts look at tcp responses to port scans, ssh
 responds with SSH-2.0, which isn't too hard to identify. I don't know if
 changing the greeting would break the protocol, but I suspect it might
 break certain clients.

I wonder if it's possible to fingerprint these programs.  I actually
have a copy of the ssh-scanner that they use.  I got it by looking at
the hack logs on a Linux server and going to the same FTP site they
used (anonymous ftp even ;).

The program that most of you see is probably Skara.  If you're
interested you run the program by doing ./a xxx.xxx where xxx.xxx is
the first 2 octets of the network you want to scan (it only does
class b).  Once it finds all the servers running ssh, it then forks
and runs ssh-scan on each and just crashes through the dictionary,
till it finds some servers, and reports the findings.  Usually
something stupid like admin/admin or vmail/vmail.  I ran it on my
network to look for things that may have been done sloppily.  I
actually did find one server where someone had created a user of
test with the password of test...nice.

As long as you have secure passwords, I'd recommend just logging in as
a standard user, and using su so that you don't see all those logs.

Keep in mind that they are just kiddies scanning class b's so there's
probably better things to worry about.

A lot of nice tips though.  I've learned a lot about PF just reading the thread.


--Bryan



Re: is there a way to block sshd trolling?

2005-09-23 Thread Ray Percival
On Fri, Sep 23, 2005 at 08:24:15PM -0700, Bryan Irvine wrote:
  Some intelligent scripts look at tcp responses to port scans, ssh
  responds with SSH-2.0, which isn't too hard to identify. I don't know if
  changing the greeting would break the protocol, but I suspect it might
  break certain clients.
 
 I wonder if it's possible to fingerprint these programs.  I actually
 have a copy of the ssh-scanner that they use.  I got it by looking at
 the hack logs on a Linux server and going to the same FTP site they
 used (anonymous ftp even ;).
I use the blocker script from this article. Seems to work pretty well. I'd just 
block Linux but I have a few friends who have yet to see the OpenBSD light. 
http://www.undeadly.org/cgi?action=article&sid=20041231195454&mode=expanded
 
 The program that most of you see is probably Skara.  If you're
 interested you run the program by doing ./a xxx.xxx where xxx.xxx is
 the first 2 octets of the network you want to scan (it only does
 class b).  Once it finds all the servers running ssh, it then forks
 and runs ssh-scan on each and just crashes through the dictionary,
 till it finds some servers, and reports the findings.  Usually
 something stupid like admin/admin or vmail/vmail.  I ran it on my
 network to look for things that may have been done sloppily.  I
 actually did find one server where someone had created a user of
 test with the password of test...nice.
 
 As long as you have secure passwords, I'd recommend just logging in as
 a standard user, and using su so that you don't see all those logs.
Yeah. This is only a threat against *really* weak boxes. Having said that I've 
seen a lot of posts talking about changing ports. That's a line that I won't 
cross. I refuse to hide from the bots and it's not even a speedbump against 
somebody who is a real threat. But that's just my personal line in the sand. 
 
 Keep in mind that they are just kiddies scanning class b's so there's
 probably better things to worry about.
 
 A lot of nice tips though.  I've learned a lot about PF just reading the 
 thread.
 
 
 --Bryan
 

-- 
BOFH excuse #345:

Having to manually track the satellite.