Re: OpenBSD and SYNFlood / DDoS protection
synproxy in pf already makes sure the 3-way handshake completes before the connection is completed on the other side; rate limiting can also be done on the OpenBSD firewall, so it's not clear why you would need an extra box there.

The bigger problem with DDoS attacks is that the upstream pipe is filled up with traffic, and no matter how much technology you deploy at your end of the pipe, it's still going to be full. Rate limiting and such needs to be deployed further out, at your ISP, and possibly further upstream. Also, it would help if all ISP's implemented proper egress filtering to prevent spoofing.

On Fri, Jul 18, 2008 at 10:27:36PM -0700, Parvinder Bhasin wrote:
> This may be dumb but won't hurt to throw this out there; maybe this has to be built with a combination of tools, technologies etc., but I would definitely like to first collect as much info and then maybe work on this (or maybe the solution - open source - is already out there, in that case I would like to know what :). I know of many 100K devices that will do this.
> Is there a way that I can set up a machine (another OpenBSD machine) in front of an OpenBSD firewall to help against DDoS attacks? If so, what would be the proper approach in doing so (if someone has already approached this subject)?
> Machine would have 2 or 3 NICs (3rd NIC for management maybe?). You take the internet drop on the first port, say for example: fxp0 (external_if). Maybe implement SYNCOOKIE (technology). The traffic only gets passed on to the firewall port through fxp1 (internal_if), once the server gets the ACK back. Would SYNPROXY do this too?? This machine could also be doing some form of RATE LIMITING?? maybe??
> Anyone?? Any takers??
> /Parvinder Bhasin
Re: OpenBSD and SYNFlood / DDoS protection
2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:
> This may be dumb but won't hurt to throw this out there; maybe this has to be built with a combination of tools, technologies etc., but I would definitely like to first collect as much info and then maybe work on this (or maybe the solution - open source - is already out there, in that case I would like to know what :). I know of many 100K devices that will do this.
> Is there a way that I can set up a machine (another OpenBSD machine) in front of an OpenBSD firewall to help against DDoS attacks? If so, what would be the proper approach in doing so (if someone has already approached this subject)?
> Machine would have 2 or 3 NICs (3rd NIC for management maybe?). You take the internet drop on the first port, say for example: fxp0 (external_if). Maybe implement SYNCOOKIE (technology). The traffic only gets passed on to the firewall port through fxp1 (internal_if), once the server gets the ACK back. Would SYNPROXY do this too?? This machine could also be doing some form of RATE LIMITING?? maybe??
> Anyone?? Any takers??
> /Parvinder Bhasin

I don't mean to be impolite, but considering that these guys http://www.rayservers.com/ddos-protection are the first Google hit for "firewall ddos protection openbsd" (w/o quotation marks), it would seem to me that you maybe didn't Use Teh Google.

Also from http://www.rayservers.com/ddos-protection :

> The bottom line is that whatever the appliance you use, you need upstream bandwidth to be able to discard the attack traffic while allowing legitimate traffic to your existing servers. You also need competent persons who understand the technical issues, hardware and network bottlenecks and can put a solution in place that is resistant to abuse that works with your budget.

--ropers
Re: CARP not leaving backup state
On 2008-07-19, William Stuart [EMAIL PROTECTED] wrote:
> Thanks everyone I figured it out!
>
>   19:13:46.334037 CARPv2-advertise 36: vhid=50 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
>   19:13:46.334299 CARPv2-advertise 36: vhid=50 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
>
> Something is mirroring and replaying all the packets back. Grrr. Must be a VMware config issue.

Anyone asking about any weird problems, _please_ mention any VMs that may be involved early on in the thread... as always, a dmesg would be a good starting point.
Re: how to undelete?
On Mon, Jul 7, 2008 at 9:30 PM, macintoshzoom [EMAIL PROTECTED] wrote: Which hex editor do you advise? Should I have to umount the partition before? the partition is 40 GB size on a secondary disk, OpenBSD old slice, should I need at least such space (/tmp ?) to open it on the hex editor from my OpenBSD 4.3? There is a very nice hex editor specialized in forensics called WinHex, but it runs on Windows. I don't know if there is an equivalent tool in the *nix world.
Re: clock on alic3 board
Marc Balmer wrote:
> * riwanlky wrote:
>> Hi all, I have a problem with the clock on an Alic3 board from PC Engines on OpenBSD 4.3
>> dmesg: OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
>> and the ntpd message on tail /var/log/daemon:
>>   Jul 17 16:14:44 pceng4 ntpd[5847]: adjusting local clock by 86915.408347s
>>   Jul 17 16:18:00 pceng4 ntpd[5847]: adjusting local clock by 86914.457013s
>>   Jul 17 16:20:37 pceng4 ntpd[5847]: adjusting local clock by 86913.683080s
>>   Jul 17 16:21:46 pceng4 ntpd[5847]: adjusting local clock by 86913.389878s
>>   Jul 17 16:26:04 pceng4 ntpd[5847]: adjusting local clock by 86912.104979s
>>   Jul 17 16:26:33 pceng4 ntpd[5847]: adjusting local clock by 86911.965071s
>>   Jul 17 16:27:03 pceng4 ntpd[5847]: adjusting local clock by 86911.859542s
>>   Jul 17 16:31:19 pceng4 ntpd[5847]: adjusting local clock by 86910.603973s
>>   Jul 17 16:33:26 pceng4 ntpd[5847]: adjusting local clock by 86910.009693s
>>   Jul 17 16:37:10 pceng4 ntpd[5847]: adjusting local clock by 86908.914398s
>> and possible configuration error?
>
> not an error, but you might want to start ntpd with the -s option. put 'ntpd_flags=-s' into your /etc/rc.conf.local file.

True. A little addition for the archives (since it's been a while now):

  $ date -r 86908
  Fri Jan  2 01:08:28 CET 1970

This would mean your clock is about 1 hour and 8 minutes off, but is slowly (as expected) working to reduce the clock skew (while noting the difference in your log every time). Marc's suggestion would make the clock take a big leap on next reboot and voila - problem solved (unless your system is very sensitive about timing, in which case you'd just have to wait a few months for the clock to adjust).

If you find the log entries confusing, go read the archives (might be a few years back from now), but PLEASE do NOT make any suggestion about changing the wording in the logs. It was beaten to death (or at least I really REALLY hope it's dead). So please. Don't.

Cheers
/Alexander
Re: clock on alic3 board
Alexander Hall wrote:
> Marc Balmer wrote:
>> * riwanlky wrote:
>>> Hi all, I have a problem with the clock on an Alic3 board from PC Engines on OpenBSD 4.3
>>> dmesg: OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
>>> and the ntpd message on tail /var/log/daemon:
>>>   Jul 17 16:14:44 pceng4 ntpd[5847]: adjusting local clock by 86915.408347s
>>>   Jul 17 16:18:00 pceng4 ntpd[5847]: adjusting local clock by 86914.457013s
>>>   Jul 17 16:20:37 pceng4 ntpd[5847]: adjusting local clock by 86913.683080s
>>>   Jul 17 16:21:46 pceng4 ntpd[5847]: adjusting local clock by 86913.389878s
>>>   Jul 17 16:26:04 pceng4 ntpd[5847]: adjusting local clock by 86912.104979s
>>>   Jul 17 16:26:33 pceng4 ntpd[5847]: adjusting local clock by 86911.965071s
>>>   Jul 17 16:27:03 pceng4 ntpd[5847]: adjusting local clock by 86911.859542s
>>>   Jul 17 16:31:19 pceng4 ntpd[5847]: adjusting local clock by 86910.603973s
>>>   Jul 17 16:33:26 pceng4 ntpd[5847]: adjusting local clock by 86910.009693s
>>>   Jul 17 16:37:10 pceng4 ntpd[5847]: adjusting local clock by 86908.914398s
>>> and possible configuration error?
>>
>> not an error, but you might want to start ntpd with the -s option. put 'ntpd_flags=-s' into your /etc/rc.conf.local file.
>
> True. A little addition for the archives (since it's been a while now):
>
>   $ date -r 86908
>   Fri Jan  2 01:08:28 CET 1970

Oops. My bad. A better approach (combined with correct reading):

  $ date -ur 0
  Thu Jan  1 00:00:00 UTC 1970
  $ date -ur 86908
  Fri Jan  2 00:08:28 UTC 1970

So that would mean a little more than _one_day_ and eight minutes... No wonder it would take a few months (I was surprised and not at all convinced by my calculations). :-)

/Alexander
Re: clock on alic3 board
* Alexander Hall wrote:
> [...]
>> True. A little addition for the archives (since it's been a while now):
>>
>>   $ date -r 86908
>>   Fri Jan  2 01:08:28 CET 1970
>
> Oops. My bad. A better approach (combined with correct reading):
>
>   $ date -ur 0
>   Thu Jan  1 00:00:00 UTC 1970
>   $ date -ur 86908
>   Fri Jan  2 00:08:28 UTC 1970
>
> So that would mean a little more than _one_day_ and eight minutes... No wonder it would take a few months (I was surprised and not at all convinced by my calculations). :-)

Remember that the ALIX.2/3 boards usually do not have a battery to back up a realtime clock. Their clocks always start at 0 when powered up, and 0 is the epoch, Jan. 1 1970. A mechanism like ntpd -s is needed for those boards. The ALIX.1B/C do have a battery, btw.

- Marc Balmer
Re: how to undelete?
On Sat, Jul 19, 2008 at 5:23 AM, Die Gestalt [EMAIL PROTECTED] wrote: On Mon, Jul 7, 2008 at 9:30 PM, macintoshzoom [EMAIL PROTECTED] wrote: Which hex editor do you advise? Should I have to umount the partition before? the partition is 40 GB size on a secondary disk, OpenBSD old slice, should I need at least such space (/tmp ?) to open it on the hex editor from my OpenBSD 4.3? There is a very nice hex editor specialized in forensics called WinHex, but it runs on Windows. I don't know if there is an equivalent tool in the *nix world. hexdump -C?
Re: OpenBSD and SYNFlood / DDoS protection
* Ryan McBride [EMAIL PROTECTED] [2008-07-19 10:16]:
> The bigger problem with DDoS attacks is that the upstream pipe is filled up with traffic

that was true in the 90s, and maybe the first half of this decade, but really isn't any more. Most server installs I have worked with have the pipe limit at 100 MBit/s at their LAN port. A DoS with 5 MBit/s can be very effective.

> Also, it would help if all ISP's implemented proper egress filtering to prevent spoofing.

!!!

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Setting priority on interface fails in latest snapshot
After updating my i386 firewall cluster to the latest snapshot (16 Jul, 22:15):

  # ifconfig vr0 priority 2
  ifconfig: priority: bad value

Is this a regression, or did the syntax change since my last update about one week ago? I did re-read the man page and also looked through the CVS commits, but did not find any obvious hints.

Thanks,
Rolf
svnd questions (encrypting all of a partition or disk)
My laptop (Thinkpad T41p) and I are going to be doing a lot of travelling in the next year, so I'm investigating how to (cryptographically) improve my security in case of loss/theft/seizure. Right now I use cfs (ports) for a few sensitive subdirectories, but 95+% of my /home is still cleartext to anyone with physical access to the laptop. The same applies for my external backup disks.

I'm considering putting all of /home under svnd encryption (still keeping cfs on top for sensitive subdirectories), and I have some questions (see below).

I have RTFM'd svnd(4), vnconfig(8), and mount_vnd(8), and googled my way to some useful web pages, notably
  http://www.xs4all.nl/~hanb/documents/OpenBSDEncryptedFilesystemHOWTO.html
  http://mareichelt.de/pub/notmine/linuxbsd-comparison.html
  http://geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto
(Some of these web pages seem to be a bit old, (eg) complaining about the now-fixed dictionary-attack vulnerability).

As I understand it, the basic procedure for using svnd is this (starting with a brand-new-from-the-computer-store disk sd0, and with steps numbered for later reference):

  [1] # fdisk sd0                ... create single msdos-partition
  [2] # disklabel sd0            ... create single openbsd-partition a
  [3] # newfs /dev/sd0a
  [4] # mount -o softdep /dev/sd0a /mnt
  [5] # dd if=/dev/arandom bs=1m of=/mnt/imagefile count=...
  [6] # vnconfig -vck -K 10 -S /var/saltfile svnd0 /mnt/imagefile
  [7] # disklabel svnd0          ... create encrypted openbsd-partition a
  [8] # newfs /dev/svnd0a
  [9] # mount -o rw,nodev,nosuid,softdep -t vnd /dev/svnd0a /home

Now my questions:

1. Are there other Fine Manuals (relevant to svnd) I should Read besides the ones I listed above?

2. Where (besides the source code) can I find the svnd encryption algorithm documented? This would help me research the answer to the next question...

3. What are the error propagation properties of the svnd encryption? That is, for example, if a disk/USB/memory error corrupts a single 512-byte block in the middle of /dev/sd0a, will that show up as 512 bytes of corruption in /dev/svnd0c, or will the entire /dev/svnd0c be corrupted from that point onwards?

4. Is there any upper size limit to the size of an encrypted image apart from the kernel 8TB limit and fsck time and memory usage? For example, is there any problem with using the above on (say) a 250GB disk?

5. Is there any problem with using softdep in steps [4] and [9]?

6. Are there any special newfs parameters needed for either the underlying filesystem (step [3]) or the encrypted one (step [8])? The underlying filesystem will only hold a single huge 'imagefile', whose size won't change after initial creation (step [5]), so I could imagine saving a bit of disk space by configuring very few inodes. What about the FFS/FFS2 minimum free space threshold (newfs -m) -- with the imagefile preallocated (step [5]), is there any benefit to a nonzero minimum free space threshold?

7. How worried should I be about bug kernel/5709 "rapidly creating many small files on crypted svnd locks box", which as of a few minutes ago was/is shown as in state "open"?

ciao,

-- 
-- Jonathan Thornburg [remove -animal to reply] [EMAIL PROTECTED]
   t <= 31.Aug.2008: School of Mathematics, U of Southampton, England
   t >= 1.Sep.2008: Dept of Astronomy, Indiana University, Bloomington, USA
   "Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam
OpenCON 2008
Hi, I was just wondering if a date for OpenCON 2008 is known. I would like to try to book earlier to save pennies :) Thanks -- Best Regards Edd http://students.dec.bmth.ac.uk/ebarrett
Re: Weird RAIDFrame behaviour in 4.3 [Solved]
On Mon, 14 Jul 2008 16:26:45 +0200 Simon Vallet [EMAIL PROTECTED] wrote: [...] I suspect this is due to a problem with the raidframe label on wd0d, but I have no clue on how to fix this : It turns out the component label simply hadn't been written on wd0, since my raid0.conf at -I time contained the wrong device. Rebooting on a minimal install, recreating the RAID device with a correct config and re-issuing a 'raidctl -I raid0' solved the problem. Simon
Re: how to undelete?
On Sat, 19 Jul 2008 10:18:19 -0400 Nick Guenther [EMAIL PROTECTED] wrote: On Sat, Jul 19, 2008 at 5:23 AM, Die Gestalt [EMAIL PROTECTED] wrote: On Mon, Jul 7, 2008 at 9:30 PM, macintoshzoom [EMAIL PROTECTED] wrote: Which hex editor do you advise? Should I have to umount the partition before? the partition is 40 GB size on a secondary disk, OpenBSD old slice, should I need at least such space (/tmp ?) to open it on the hex editor from my OpenBSD 4.3? There is a very nice hex editor specialized in forensics called WinHex, but it runs on Windows. I don't know if there is an equivalent tool in the *nix world. hexdump -C? bvi ( http://bvi.sourceforge.net/ )
Re: Setting priority on interface fails in latest snapshot
On Sat, Jul 19, 2008 at 05:34:10PM +0200, Rolf Sommerhalder wrote:
> After updating my i386 firewall cluster to the latest snapshot (16 Jul, 22:15):
>
>   # ifconfig vr0 priority 2
>   ifconfig: priority: bad value
>
> Is this a regression, or did the syntax change since my last update about one week ago? I did re-read the man page and also looked through the CVS commits, but did not find any obvious hints.

This diff got removed from the latest snaps.

-- 
:wq Claudio
Re: svnd questions (encrypting all of a partition or disk)
This might be a good time to try my giant softraid diff that makes crypto useful.

On Sat, Jul 19, 2008 at 05:04:44PM +0100, Jonathan Thornburg wrote:
> My laptop (Thinkpad T41p) and I are going to be doing a lot of travelling in the next year, so I'm investigating how to (cryptographically) improve my security in case of loss/theft/seizure. Right now I use cfs (ports) for a few sensitive subdirectories, but 95+% of my /home is still cleartext to anyone with physical access to the laptop. The same applies for my external backup disks.
>
> I'm considering putting all of /home under svnd encryption (still keeping cfs on top for sensitive subdirectories), and I have some questions (see below).
>
> I have RTFM'd svnd(4), vnconfig(8), and mount_vnd(8), and googled my way to some useful web pages, notably
>   http://www.xs4all.nl/~hanb/documents/OpenBSDEncryptedFilesystemHOWTO.html
>   http://mareichelt.de/pub/notmine/linuxbsd-comparison.html
>   http://geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto
> (Some of these web pages seem to be a bit old, (eg) complaining about the now-fixed dictionary-attack vulnerability).
>
> As I understand it, the basic procedure for using svnd is this (starting with a brand-new-from-the-computer-store disk sd0, and with steps numbered for later reference):
>
>   [1] # fdisk sd0                ... create single msdos-partition
>   [2] # disklabel sd0            ... create single openbsd-partition a
>   [3] # newfs /dev/sd0a
>   [4] # mount -o softdep /dev/sd0a /mnt
>   [5] # dd if=/dev/arandom bs=1m of=/mnt/imagefile count=...
>   [6] # vnconfig -vck -K 10 -S /var/saltfile svnd0 /mnt/imagefile
>   [7] # disklabel svnd0          ... create encrypted openbsd-partition a
>   [8] # newfs /dev/svnd0a
>   [9] # mount -o rw,nodev,nosuid,softdep -t vnd /dev/svnd0a /home
>
> Now my questions:
>
> 1. Are there other Fine Manuals (relevant to svnd) I should Read besides the ones I listed above?
>
> 2. Where (besides the source code) can I find the svnd encryption algorithm documented? This would help me research the answer to the next question...
>
> 3. What are the error propagation properties of the svnd encryption? That is, for example, if a disk/USB/memory error corrupts a single 512-byte block in the middle of /dev/sd0a, will that show up as 512 bytes of corruption in /dev/svnd0c, or will the entire /dev/svnd0c be corrupted from that point onwards?
>
> 4. Is there any upper size limit to the size of an encrypted image apart from the kernel 8TB limit and fsck time and memory usage? For example, is there any problem with using the above on (say) a 250GB disk?
>
> 5. Is there any problem with using softdep in steps [4] and [9]?
>
> 6. Are there any special newfs parameters needed for either the underlying filesystem (step [3]) or the encrypted one (step [8])? The underlying filesystem will only hold a single huge 'imagefile', whose size won't change after initial creation (step [5]), so I could imagine saving a bit of disk space by configuring very few inodes. What about the FFS/FFS2 minimum free space threshold (newfs -m) -- with the imagefile preallocated (step [5]), is there any benefit to a nonzero minimum free space threshold?
>
> 7. How worried should I be about bug kernel/5709 "rapidly creating many small files on crypted svnd locks box", which as of a few minutes ago was/is shown as in state "open"?
>
> ciao,
>
> -- 
> -- Jonathan Thornburg [remove -animal to reply] [EMAIL PROTECTED]
>    t <= 31.Aug.2008: School of Mathematics, U of Southampton, England
>    t >= 1.Sep.2008: Dept of Astronomy, Indiana University, Bloomington, USA
>    "Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam
Re: svnd questions (encrypting all of a partition or disk)
If you have some time and a spare disk, why not experiment with the 3 or 4 options available to you before settling on one.

  - cfs
  - svnd backed by a file in a filesystem
  - svnd backed by a whole slice on disk
  - softraid w/ crypto

softraid w/ crypto is still kind of a work in progress, but it's very functional already. i'm running it on my laptop for all of /home. just make sure you use the latest diff (posted to tech@)

On Sat, Jul 19, 2008 at 9:04 AM, Jonathan Thornburg [EMAIL PROTECTED] wrote:
> My laptop (Thinkpad T41p) and I are going to be doing a lot of travelling in the next year, so I'm investigating how to (cryptographically) improve my security in case of loss/theft/seizure. Right now I use cfs (ports) for a few sensitive subdirectories, but 95+% of my /home is still cleartext to anyone with physical access to the laptop. The same applies for my external backup disks.

i'm not super keen on cfs - managed to crash it horribly under load a while back and wasn't terribly impressed with it.

> As I understand it, the basic procedure for using svnd is this (starting with a brand-new-from-the-computer-store disk sd0, and with steps numbered for later reference):
>
>   [1] # fdisk sd0                ... create single msdos-partition
>   [2] # disklabel sd0            ... create single openbsd-partition a
>   [3] # newfs /dev/sd0a
>   [4] # mount -o softdep /dev/sd0a /mnt
>   [5] # dd if=/dev/arandom bs=1m of=/mnt/imagefile count=...

i guess i can understand use of arandom so as not to leak where data has and hasn't been written... if you're just evaluating crypto solutions for performance and ease of use, you could create a sparse file by DD'ing a block way out at the end... bs=1k count=1 skip=1024000 would give you a 1G file that uses 1-8K on disk (initially) depending on how you set up the filesystem.

>   [6] # vnconfig -vck -K 10 -S /var/saltfile svnd0 /mnt/imagefile
>   [7] # disklabel svnd0          ... create encrypted openbsd-partition a
>   [8] # newfs /dev/svnd0a
>   [9] # mount -o rw,nodev,nosuid,softdep -t vnd /dev/svnd0a /home
>
> Now my questions:
>
> 1. Are there other Fine Manuals (relevant to svnd) I should Read besides the ones I listed above?

those are them. you might want to read up on bioctl, though.

> 2. Where (besides the source code) can I find the svnd encryption algorithm documented? This would help me research the answer to the next question...
>
> 3. What are the error propagation properties of the svnd encryption? That is, for example, if a disk/USB/memory error corrupts a single 512-byte block in the middle of /dev/sd0a, will that show up as 512 bytes of corruption in /dev/svnd0c, or will the entire /dev/svnd0c be corrupted from that point onwards?

man vnconfig says the cipher is blowfish. the source says:

    blf_ecb_encrypt(vnd->sc_keyctx, iv, sizeof(iv));
    if (encrypt)
        blf_cbc_encrypt(vnd->sc_keyctx, iv, addr, bsize);
    else
        blf_cbc_decrypt(vnd->sc_keyctx, iv, addr, bsize);

> 4. Is there any upper size limit to the size of an encrypted image apart from the kernel 8TB limit and fsck time and memory usage? For example, is there any problem with using the above on (say) a 250GB disk?

largest crypto disk i've built is 500G. takes a while to fsck but it works.

> 5. Is there any problem with using softdep in steps [4] and [9]?

not that i've noticed

> 6. Are there any special newfs parameters needed for either the underlying filesystem (step [3]) or the encrypted one (step [8])? The underlying filesystem will only hold a single huge 'imagefile', whose size won't change after initial creation (step [5]), so I could imagine saving a bit of disk space by configuring very few inodes. What about the FFS/FFS2 minimum free space threshold (newfs -m) -- with the imagefile preallocated (step [5]), is there any benefit to a nonzero minimum free space threshold?

i'd go with "try it and see". i never bothered messing about with those settings... the defaults were good enough.

> 7. How worried should I be about bug kernel/5709 "rapidly creating many small files on crypted svnd locks box", which as of a few minutes ago was/is shown as in state "open"?

again, try it and see. i never hit this untarring ports or src... maybe i was lucky.

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: how to undelete?
You might want to try Photorec: http://www.cgsecurity.org/wiki/PhotoRec

good luck

On Mon, Jul 7, 2008 at 1:48 PM, macintoshzoom [EMAIL PROTECTED] wrote:
> I deleted a directory from an OpenBSD slice from my 2nd HD, and I need to recover a single file.
> I tried: http://myutil.com/2008/1/15/undelete-unrm-for-openbsd-4-2-with-dls
> but failed:
>
>   # dls /dev/wd1x /xxx/xx/undelete.bin
>   Sector offset supplied is larger than disk image (maximum: 0)
>
> Help thanks.
Re: Setting priority on interface fails in latest snapshot
cjeker wrote:
> This diff got removed from the latest snaps.

Thanks for the prompt reply. That's bad news, as I am using it on the firewall cluster to resolve a problem in connection with default routes and dhclient, as per your previous recommendation. Is this removal just a temporary measure until some issue is solved, or will interface priorities not return at all, e.g. do I need to go back to ifstated for some crutches?

Rolf
Re: svnd questions (encrypting all of a partition or disk)
On Sat, Jul 19, 2008 at 05:04:44PM +0100, Jonathan Thornburg wrote:
> My laptop (Thinkpad T41p) and I are going to be doing a lot of travelling in the next year, so I'm investigating how to (cryptographically) improve my security in case of loss/theft/seizure. Right now I use cfs (ports) for a few sensitive subdirectories, but 95+% of my /home is still cleartext to anyone with physical access to the laptop. The same applies for my external backup disks.
>
> I'm considering putting all of /home under svnd encryption (still keeping cfs on top for sensitive subdirectories), and I have some questions (see below).
>
> I have RTFM'd svnd(4), vnconfig(8), and mount_vnd(8), and googled my way to some useful web pages, notably
>   http://www.xs4all.nl/~hanb/documents/OpenBSDEncryptedFilesystemHOWTO.html
>   http://mareichelt.de/pub/notmine/linuxbsd-comparison.html
>   http://geektechnique.org/projectlab/797/openbsd-encrypted-nas-howto
> (Some of these web pages seem to be a bit old, (eg) complaining about the now-fixed dictionary-attack vulnerability).
>
> As I understand it, the basic procedure for using svnd is this (starting with a brand-new-from-the-computer-store disk sd0, and with steps numbered for later reference):
>
>   [1] # fdisk sd0                ... create single msdos-partition
>   [2] # disklabel sd0            ... create single openbsd-partition a
>   [3] # newfs /dev/sd0a

use ffs2 and 64k blocks

>   [4] # mount -o softdep /dev/sd0a /mnt
>   [5] # dd if=/dev/arandom bs=1m of=/mnt/imagefile count=...

prepare to wait a few days... there is known plaintext at specific locations anyway, disklabel, filesystem metadata,... It's not really worth it imho

>   [6] # vnconfig -vck -K 10 -S /var/saltfile svnd0 /mnt/imagefile
>   [7] # disklabel svnd0          ... create encrypted openbsd-partition a
>   [8] # newfs /dev/svnd0a

make this ffs2 as well, it will speed up fsck a lot, also bump blocksize if you have lots of large files or couldn't care less if you're going to waste a few megabytes...

>   [9] # mount -o rw,nodev,nosuid,softdep -t vnd /dev/svnd0a /home
>
> Now my questions:
>
> 1. Are there other Fine Manuals (relevant to svnd) I should Read besides the ones I listed above?
>
> 2. Where (besides the source code) can I find the svnd encryption algorithm documented? This would help me research the answer to the next question...
>
> 3. What are the error propagation properties of the svnd encryption? That is, for example, if a disk/USB/memory error corrupts a single 512-byte block in the middle of /dev/sd0a, will that show up as 512 bytes of corruption in /dev/svnd0c, or will the entire /dev/svnd0c be corrupted from that point onwards?

Afaik it uses blowfish in CBC mode, so you're fscked... Otoh modern disks make quite some noise before they start running out of spare blocks. Backups are a must, crypto or not. (That said, i've never managed to really fry a svnd disk)

> 4. Is there any upper size limit to the size of an encrypted image apart from the kernel 8TB limit and fsck time and memory usage? For example, is there any problem with using the above on (say) a 250GB disk?

No problem, for the paranoid however you might want to read up on the birthday paradox ;)

> 5. Is there any problem with using softdep in steps [4] and [9]?
>
> 6. Are there any special newfs parameters needed for either the underlying filesystem (step [3]) or the encrypted one (step [8])? The underlying filesystem will only hold a single huge 'imagefile', whose size won't change after initial creation (step [5]), so I could imagine saving a bit of disk space by configuring very few inodes. What about the FFS/FFS2 minimum free space threshold (newfs -m) -- with the imagefile preallocated (step [5]), is there any benefit to a nonzero minimum free space threshold?

-m 0 -o time or whatever it is doesn't hurt.

> 7. How worried should I be about bug kernel/5709 "rapidly creating many small files on crypted svnd locks box", which as of a few minutes ago was/is shown as in state "open"?

If you check the bug report, it's a P3 450 with 256MB RAM. It usually takes 24h+ using 20+ processes that write 5KB files (a bit larger than the fragment size) to reproduce it on my T42. Like on a power failure, it's going to throw away a few recent changes to the filesystem and is fine afterwards.

> ciao,
>
> -- 
> -- Jonathan Thornburg [remove -animal to reply] [EMAIL PROTECTED]
>    t <= 31.Aug.2008: School of Mathematics, U of Southampton, England
>    t >= 1.Sep.2008: Dept of Astronomy, Indiana University, Bloomington, USA
>    "Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam
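The two replies above answer question 3 (error propagation) by pointing at Blowfish in CBC mode with a per-block IV. The following is an added example, not code from vnd or OpenBSD, that reproduces that structure so the propagation can be measured: each 512-byte sector is CBC-encrypted under its own IV, the IV being the ECB encryption of the sector number (an assumption; the page shows the ECB step but not what the IV is derived from), and an 8-round Feistel cipher built on SHA-256 stands in for Blowfish (also a Feistel cipher with an 8-byte block). One flipped ciphertext bit garbles the whole 8-byte block it sits in, flips exactly one bit in the next block, and touches nothing else in that sector or any other sector.

```python
import hashlib
import struct

BLOCK = 8      # Blowfish block size, mirrored by the toy cipher
SECTOR = 512   # one disk sector = 64 cipher blocks, each sector CBC-chained on its own


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed Feistel round function: a toy stand-in for Blowfish's F function.
    # It is a correct block cipher structure but not a secure cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def ecb_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(8):
        l, r = r, _xor(l, _round(key, r, rnd))
    return r + l


def ecb_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def sector_iv(key: bytes, sector_no: int) -> bytes:
    # Assumed IV derivation: ECB-encrypt the sector number, as the quoted
    # blf_ecb_encrypt() call does before the CBC pass.
    return ecb_encrypt(key, struct.pack("<Q", sector_no))


def encrypt_sector(key: bytes, sector_no: int, plain: bytes) -> bytes:
    prev, out = sector_iv(key, sector_no), bytearray()
    for i in range(0, SECTOR, BLOCK):
        prev = ecb_encrypt(key, _xor(plain[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def decrypt_sector(key: bytes, sector_no: int, cipher: bytes) -> bytes:
    prev, out = sector_iv(key, sector_no), bytearray()
    for i in range(0, SECTOR, BLOCK):
        c = cipher[i:i + BLOCK]
        out += _xor(ecb_decrypt(key, c), prev)   # P_i = D(C_i) xor C_{i-1}
        prev = c
    return bytes(out)


def bits_wrong(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def corruption_map(key: bytes, sectors: list, sector_no: int, byte_off: int, mask: int = 0x80) -> dict:
    """Encrypt every sector, flip one ciphertext bit in sector `sector_no`,
    decrypt the whole disk again and report, per sector, how many bits of each
    8-byte block came back wrong. A correctly chained CBC-per-sector scheme
    confines the damage to two blocks of the affected sector."""
    cipher = [encrypt_sector(key, n, p) for n, p in enumerate(sectors)]
    bad = bytearray(cipher[sector_no])
    bad[byte_off] ^= mask
    cipher[sector_no] = bytes(bad)
    report = {}
    for n, c in enumerate(cipher):
        rec = decrypt_sector(key, n, c)
        report[n] = [bits_wrong(rec[i:i + BLOCK], sectors[n][i:i + BLOCK])
                     for i in range(0, SECTOR, BLOCK)]
    return report


def demo() -> dict:
    # Constructed three-sector "disk" with recognisable plaintext.
    key = b"constructed-demo-key"
    disk = [bytes((n * 7 + i) & 0xFF for i in range(SECTOR)) for n in range(3)]
    # Damage byte 83 of sector 1: that is cipher block 10 (83 // 8).
    return corruption_map(key, disk, sector_no=1, byte_off=83)


if __name__ == "__main__":
    for n, blocks in demo().items():
        print(f"sector {n}: damaged blocks ->",
              {i: b for i, b in enumerate(blocks) if b})
```

Run as a script it prints, for sector 1, block 10 with dozens of wrong bits and block 11 with exactly one; sectors 0 and 2 report nothing, which is the "512 bytes of corruption, not everything from that point onwards" answer to the question.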
uvideo trouble with snapshot of 20080717
Hi all,

Lenovo X300, snapshot for i386, from 20080717 (also 20080716) dumps into ddb on boot on uvideo:

  uvm_fault(0xd0814b20, 0x0, 0, 1) -> e
  kernel: page fault trap, code=0
  Stopped at uvideo_vs_negotiation+0x81: movl 0x15(%eax),%eax
  ddb{0}

//no console to capture output, made some photos//

last line of output from trace:

  Bad frame pointer: 0xd09555e78

Previous snapshot of a week ago was booting just fine, I sent in the dmesg to [EMAIL PROTECTED] a few days back.

snippet from previous dmesg:

  uvideo0 at uhub6 port 1 configuration 1 interface 0 "Chicony Electronics Co., Ltd. product 0x4807" rev 2.00/31.25 addr 2
  video0 at uvideo0

Disabling uvideo* in ukc allows the kernel to boot. (the machine has 4G of RAM, sounds like a problem already reported)

Should I file a bug for this one? Any cluesticks/patches to try are appreciated. I can send the pictures of trace/ps if contacted off-list.

Maxim
Re: OpenCON 2008
On Saturday 19 July 2008 18:33:33 you wrote: Hi, I was just wondering if a date for OpenCON 2008 is known. I would like to try to book earlier to save pennies :) Thanks Hi, 28-30 November 2008 Venice, Italy Bye -- fabioFVZ
Re: OpenBSD and SYNFlood / DDoS protection
On Jul 19, 2008, at 1:26 AM, ropers wrote:
> 2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]:
>> This may be dumb but won't hurt to throw this out there; maybe this has to be built with a combination of tools, technologies etc., but I would definitely like to first collect as much info and then maybe work on this (or maybe the solution - open source - is already out there, in that case I would like to know what :). I know of many 100K devices that will do this.
>> Is there a way that I can set up a machine (another OpenBSD machine) in front of an OpenBSD firewall to help against DDoS attacks? If so, what would be the proper approach in doing so (if someone has already approached this subject)?
>> Machine would have 2 or 3 NICs (3rd NIC for management maybe?). You take the internet drop on the first port, say for example: fxp0 (external_if). Maybe implement SYNCOOKIE (technology). The traffic only gets passed on to the firewall port through fxp1 (internal_if), once the server gets the ACK back. Would SYNPROXY do this too?? This machine could also be doing some form of RATE LIMITING?? maybe??
>> Anyone?? Any takers??
>> /Parvinder Bhasin
>
> I don't mean to be impolite, but considering that these guys http://www.rayservers.com/ddos-protection are the first Google hit for "firewall ddos protection openbsd" (w/o quotation marks), it would seem to me that you maybe didn't Use Teh Google.

Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there are PAY solutions, like I mentioned that I know of many devices that can achieve this. I have done research on these devices and was thinking maybe something (open source - OpenBSD based device?? maybe) can be made to prevent this attack upstream.

So I have experienced (my network) an attack that choked our GigE link to where the DDoS attack was consuming almost 500mbps (50% of total bandwidth) available. We still had 500mbps more that we would've liked to have used for our business purposes, but the problem with these attacks is that they are NOT just meant to choke the BANDWIDTH, they are actually meant to choke the CPU and other resources on your firewalls or any devices you have in front. It's just that if some device was there upstream to take 50% or more load from the firewalls (CPU resources etc.) in these attacks, maybe the firewalls won't be that busy as to stop responding to legitimate requests. Of course BANDWIDTH consumption becomes a problem where if you had a smaller pipe then basically you are screwed.

I know that the ISPs can provide protection and some of them have already started doing so, but at a HUGE COST per month, and frankly they have their reasons for not protecting against such attacks, as why would ISPs do the filtering for free when they are making money because of the attack, that is, charging the customer for bandwidth usage. Let's get realistic, they would never do that unless it becomes so much of a problem that all their customers start seeing the ill effects of that attack. The bandwidth issue can be sort of tackled separately, whereas you are finding command and control servers and eliminating them that way, but that's another topic.

Also when the device is sending ACKs back, you are sort of also in another way or form ATTACKING BACK, but that's just a zombie system out there where the person is just wondering why he cannot even google, knowing nothing that his bandwidth is choked because of the attack.

I just thought to throw this out to the group and see if there was a person/group of people who have implemented such a solution using a combination of technologies (both open source and/or monetary). I already see OpenBSD/PF as a very good combination in defending companies from such attacks. Any comments are welcome :)

/Parvinder Bhasin
Kaminsky's DNS bug: PF workaround
Suppose:
1. Dan Kaminsky's recently announced DNS cache poisoning vulnerability is anywhere near as serious as he and others have made it out to be, and
2. Simple UDP source port randomization of DNS requests is indeed sufficient to mitigate the vulnerability.

I think we have little reason to doubt the first point, given the response to this bug of those credible individuals and companies already privy to its details. If we assume the second point as well, then users of OpenBSD's named may be interested in a simple workaround that uses PF to implement source port randomization on behalf of named, until OpenBSD has the chance to release a patch of the usual quality and reliability.

Such a workaround can be implemented with a single NAT rule in pf.conf, as Jon Hart has described: http://blog.spoofed.org/2008/07/mitigating-dns-cache-poisoning-with-pf.html

The configuration line in question:

nat on $WAN_IF inet proto { tcp, udp } from a.b.c.d to any \
    port 53 -> a.b.c.d

Or, if you have a dynamic IP address on a cable modem, etc.:

nat on $WAN_IF inet proto { tcp, udp } from ($WAN_IF) to any \
    port 53 -> ($WAN_IF)

Of course, this won't help at all if your resolver is behind a NAT on another box that performs source port rewriting; in that case, you'll need to take a look at your outermost NAT instead and make sure its port rewriting is random enough to keep you safe. PF is fine, for instance, but many consumer-oriented NAT routers -- e.g., the D-Link WBR-1310 -- rewrite port numbers sequentially, which is Bad. Linux iptables NAT is a special case: it does not rewrite source port numbers by default, unless a collision occurs. -- Mark Shroyer http://markshroyer.com/contact/
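As an added check, not part of Mark's post or of Jon Hart's write-up: after putting the rule in place (or whenever your resolver sits behind somebody else's NAT), capture a burst of outbound queries on the WAN side with something like tcpdump -ni $WAN_IF port 53 and classify the source ports you see. The script below is illustrative Python written for this page; its tcpdump lines and port lists are constructed rather than captured, and the thresholds (steps of at most 8 ports counting as "sequential", 80% of steps) are my own choices, not anything the thread specifies.

```python
import math
import random
import re
from typing import Dict, List

# Source port of an outbound DNS query in a tcpdump line such as
#   "IP 192.0.2.10.41052 > 198.51.100.1.53: 1+ A? example.com. (29)"
_QUERY_RE = re.compile(
    r"\bIP (?:\d{1,3}\.){3}\d{1,3}\.(\d+) > (?:\d{1,3}\.){3}\d{1,3}\.53:"
)


def parse_tcpdump(lines: List[str]) -> List[int]:
    """Return the source ports of packets sent to port 53, in capture order."""
    ports = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def assess(ports: List[int]) -> Dict[str, object]:
    """Classify an observed port sequence as fixed, sequential or randomized."""
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    distinct = len(set(ports))
    span = max(ports) - min(ports) + 1
    steps = [b - a for a, b in zip(ports, ports[1:])]
    # A NAT that hands ports out in order shows small positive steps; the
    # gaps come from other flows that took a port in between (threshold: 8).
    sequential_fraction = sum(1 for s in steps if 0 < s <= 8) / len(steps)
    if distinct == 1:
        verdict = "fixed"
    elif sequential_fraction >= 0.8:
        verdict = "sequential"
    else:
        verdict = "randomized"
    return {
        "samples": len(ports),
        "distinct": distinct,
        "span": span,
        # Upper bound on the bits the port contributes to what an attacker
        # must guess; 0 means only the 16-bit transaction ID is left.
        "guess_bits": round(math.log2(span), 1),
        "sequential_fraction": round(sequential_fraction, 2),
        "verdict": verdict,
    }


# Constructed samples (not captured traffic):
FIXED = [53] * 64                              # resolver sends every query from port 53
SEQUENTIAL = [1025 + i for i in range(64)]     # consumer NAT rewriting ports in order
RANDOM = random.Random(20080719).sample(range(1024, 65536), 64)  # a fresh random port per query

# Constructed tcpdump-style lines; the port-80 line is there to show it is ignored.
SAMPLE_TCPDUMP = [
    "23:40:01.100 IP 192.0.2.10.41052 > 198.51.100.1.53: 1+ A? example.com. (29)",
    "23:40:01.105 IP 192.0.2.10.41053 > 198.51.100.1.53: 2+ A? example.net. (29)",
    "23:40:01.200 IP 192.0.2.10.41054 > 198.51.100.1.80: Flags [S], seq 1, win 65535",
    "23:40:01.210 IP 192.0.2.10.41055 > 198.51.100.1.53: 3+ A? example.org. (29)",
]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED), ("sequential", SEQUENTIAL), ("random", RANDOM)):
        print(name, assess(sample))
    print("tcpdump", assess(parse_tcpdump(SAMPLE_TCPDUMP)))
```

A "fixed" or "sequential" verdict means the source port adds little or nothing on top of the 16-bit transaction ID, which is exactly the situation the NAT rule is meant to fix; "randomized" with a span of thousands of ports is what you want to see after the rule is in. The regex matches the line shape shown in the comment and may need adjusting to the tcpdump version and options you actually run.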
Re: OpenBSD and SYNFlood / DDoS protection
On Jul 19, 2008, at 1:26 AM, ropers wrote: I don't mean to be impolite, but considering that these guys http://www.rayservers.com/ddos-protection are the first Google hit for firewall ddos protection openbsd (w/o quotation marks), it would seem to me that you maybe didn't Use Teh Google. 2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]: Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there are PAY solutions; like I mentioned, I know of many devices that can achieve this. I have done research on these devices and was thinking maybe something (open source - OpenBSD based device?? maybe) can be made to prevent this attack upstream. I personally believe that some people are unable to do so because, uh, some people out there on our list don't have man pages and, uh, I believe that our, uh, Internets like such as in, uh, www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere like such as, and I believe that they should, uh, see how OpenBSD is mentioned over there on the rayservers page should help the people, uh, should help find man pages and should help Iraq and the Asian countries, so we will be able to build up our dDoS protection for our children. --ropers
Re: OpenBSD and SYNFlood / DDoS protection
* Parvinder Bhasin [EMAIL PROTECTED] [2008-07-19 23:12]: Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there are PAY solutions; like I mentioned, I know of many devices that can achieve this. I have done research on these devices and was thinking maybe something (open source - OpenBSD based device?? maybe) can be made to prevent this attack

yes, sure. I have used OpenBSD to fight various forms of (D)DoS multiple times. How? Different each and every time. It depends on the form of the attack. These "plug that in and you don't have DDoS" devices cannot work. There are some that do clever things to detect anomalies and help you fight back. Some are even OpenBSD based. Just fighting back doesn't require these usually, but an experienced and clueful person. That you still need even with these kinds of devices. But there is no plug and play solution, in any way. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: OpenBSD and SYNFlood / DDoS protection
On Jul 19, 2008, at 2:31 PM, ropers wrote: On Jul 19, 2008, at 1:26 AM, ropers wrote: I don't mean to be impolite, but considering that these guys http://www.rayservers.com/ddos-protection are the first Google hit for firewall ddos protection openbsd (w/o quotation marks), it would seem to me that you maybe didn't Use Teh Google. 2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]: Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there are PAY solutions; like I mentioned, I know of many devices that can achieve this. I have done research on these devices and was thinking maybe something (open source - OpenBSD based device?? maybe) can be made to prevent this attack upstream. I personally believe that some people are unable to do so because, uh, some people out there on our list don't have man pages and, uh, I believe that our, uh, Internets like such as in, uh, www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere like such as, and I believe that they should, uh, see how OpenBSD is mentioned over there on the rayservers page should help the people, uh, should help find man pages and should help Iraq and the Asian countries, so we will be able to build up our dDoS protection for our children. --ropers

LoL :) I didn't get a word out of it, but yeah, I think you took my suggestion of "all comments are welcome" to the next level. Cheers!
Re: OpenBSD and SYNFlood / DDoS protection
btw: Ropers, thanks for the link.

On Jul 19, 2008, at 2:31 PM, ropers wrote: On Jul 19, 2008, at 1:26 AM, ropers wrote: I don't mean to be impolite, but considering that these guys http://www.rayservers.com/ddos-protection are the first Google hit for firewall ddos protection openbsd (w/o quotation marks), it would seem to me that you maybe didn't Use Teh Google. 2008/7/19 Parvinder Bhasin [EMAIL PROTECTED]: Perhaps I didn't make it clear.. maybe, but yeah.. I totally know that there are PAY solutions; like I mentioned, I know of many devices that can achieve this. I have done research on these devices and was thinking maybe something (open source - OpenBSD based device?? maybe) can be made to prevent this attack upstream. I personally believe that some people are unable to do so because, uh, some people out there on our list don't have man pages and, uh, I believe that our, uh, Internets like such as in, uh, www.rayservers.com/ddos-protection and, uh, the Iraq and everywhere like such as, and I believe that they should, uh, see how OpenBSD is mentioned over there on the rayservers page should help the people, uh, should help find man pages and should help Iraq and the Asian countries, so we will be able to build up our dDoS protection for our children. --ropers
Re: svnd questions (encrypting all of a partition or disk)
On 7/19/08, Chris Kuethe [EMAIL PROTECTED] wrote: - svnd backed by a whole slice on disk I know some people have done this, but the code doesn't like it. I'd stick with normal files.
Re: svnd questions (encrypting all of a partition or disk)
On 7/19/08, Tobias Ulmer [EMAIL PROTECTED] wrote: [4] # mount -o softdep /dev/sd0a /mnt [5] # dd if=/dev/arandom bs=1m of=/mnt/imagefile count=... prepare to wait a few days... there is known plaintext at specific locations anyway, disklabel, filesystem metadata,... very little really. especially if you create the inner filesystem/disklabel with anything other than the default of all space in one partition. it's easy to verify a correctly guessed key, but probably not enough to perform any interesting attacks. 3. What are the error propagation properties of the svnd encryption? That is, for example, if a disk/USB/memory error corrupts a single 512-byte block in the middle of /dev/sd0a, will that show up as 512 bytes of corruption in /dev/svnd0c, or will the entire /dev/svnd0c be corrupted from that point onwards? Afaik it uses blowfish in CBC mode, so you're fscked... Otoh modern disks make quite some noise before they start running out of spare blocks. CBC only for disk blocks. Each disk block is independent, otherwise you get the seek performance of a tape drive. 4. Is there any upper size limit to the size of an encrypted image apart from the kernel 8TB limit and fsck time and memory usage? For example, is there any problem with using the above on (say) a 250GB disk? No problem, for the paranoid however you might want to read up on the birthday paradox ;) Not sure what you mean here. There's only 23 hard drives? :)
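To make the error-propagation point in this exchange concrete, here is an added model of "CBC only for disk blocks", written for this page; it is not svnd's code and not anything posted in the thread. A toy 8-byte Feistel cipher stands in for Blowfish (same block size, no security), the IV for each 512-byte sector is derived from the sector number (an assumption of the model; the thread does not describe svnd's real IV scheme), and two checks are run: which plaintext blocks come back wrong when one ciphertext byte is corrupted, and which sectors have to be rewritten when one plaintext sector changes. Both are run with the chain restarting at every sector and with one chain across the whole image, which is the "tape drive" case.

```python
import hashlib

BLOCK = 8       # cipher block size in bytes (Blowfish uses 8-byte blocks)
SECTOR = 512    # one disk block; the CBC chain restarts here
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: keyed SHA-256 truncated to 4 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network over 8 bytes: a bijection, which is all the
    # demonstration needs. Stand-in for Blowfish, NOT a secure cipher.
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def sector_iv(key: bytes, sector: int) -> bytes:
    # Assumed per-sector IV derived from the sector number (model only).
    return hashlib.sha256(b"iv" + key + sector.to_bytes(8, "big")).digest()[:BLOCK]


def encrypt_image(key: bytes, plain: bytes, per_sector_iv: bool = True) -> bytes:
    assert len(plain) % SECTOR == 0
    out = bytearray()
    prev = sector_iv(key, 0)
    for n in range(len(plain) // SECTOR):
        if per_sector_iv:
            prev = sector_iv(key, n)   # chain restarts at every sector
        for off in range(n * SECTOR, (n + 1) * SECTOR, BLOCK):
            prev = toy_encrypt_block(key, _xor(plain[off:off + BLOCK], prev))
            out += prev
    return bytes(out)


def decrypt_image(key: bytes, cipher: bytes, per_sector_iv: bool = True) -> bytes:
    out = bytearray()
    prev = sector_iv(key, 0)
    for n in range(len(cipher) // SECTOR):
        if per_sector_iv:
            prev = sector_iv(key, n)
        for off in range(n * SECTOR, (n + 1) * SECTOR, BLOCK):
            c = cipher[off:off + BLOCK]
            out += _xor(toy_decrypt_block(key, c), prev)
            prev = c
    return bytes(out)


def differing_blocks(a: bytes, b: bytes):
    # (sector, block-within-sector) pairs where the two images differ.
    per = SECTOR // BLOCK
    return [(i // per, i % per) for i in range(len(a) // BLOCK)
            if a[i * BLOCK:(i + 1) * BLOCK] != b[i * BLOCK:(i + 1) * BLOCK]]


def build_image(sectors: int) -> bytes:
    # Constructed plaintext image, deterministic so the results are reproducible.
    return bytes((i * 7 + 3) & 0xFF for i in range(sectors * SECTOR))


def damage_after_corruption(key, plain, sector, offset, per_sector_iv=True):
    # Flip one bit of ciphertext in `sector` at byte `offset`, decrypt the whole
    # image and report which plaintext blocks came back wrong.
    cipher = bytearray(encrypt_image(key, plain, per_sector_iv))
    cipher[sector * SECTOR + offset] ^= 0x01
    return differing_blocks(plain, decrypt_image(key, bytes(cipher), per_sector_iv))


def sectors_rewritten(key, plain, sector, per_sector_iv=True):
    # Sectors whose ciphertext changes when one plaintext sector is modified:
    # the cost of a random write into the encrypted device.
    modified = bytearray(plain)
    modified[sector * SECTOR] ^= 0xFF
    before = encrypt_image(key, plain, per_sector_iv)
    after = encrypt_image(key, bytes(modified), per_sector_iv)
    return sorted({s for s, _ in differing_blocks(before, after)})


if __name__ == "__main__":
    key, img = b"constructed demo key", build_image(4)
    print(damage_after_corruption(key, img, 1, 100))         # [(1, 12), (1, 13)]
    print(damage_after_corruption(key, img, 1, 511))         # [(1, 63)]
    print(damage_after_corruption(key, img, 1, 511, False))  # [(1, 63), (2, 0)]
    print(sectors_rewritten(key, img, 1))                    # [1]
    print(sectors_rewritten(key, img, 1, False))             # [1, 2, 3]
```

Two things fall out of the model. A corrupted ciphertext block costs exactly two plaintext blocks either way (the corrupted block decrypts to garbage, the next one gets the same bit flipped), because CBC decryption resynchronises on the next ciphertext block; the per-sector restart only matters when the damage sits in a sector's last block. Where the restart really pays off is writes: with one chain over the whole device, touching one sector changes every ciphertext block after it, so every later sector would have to be rewritten, which is the tape-drive behaviour the reply refers to.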
Unable to connect to Xvfb using sshd
I am running an HP Vectra VL400 system under OpenBSD 4.4 beta 2007-07-11. When I attempt to connect using ssvnc from my windows box using the ssh option I am getting connection refused by server: Administratively prohibited When I check authlog, the error message is July 19 23:19:22 kendra sshd[4501]: error: connect to 127.0.0.1 port 5900 failed: Undefined error: 0 /etc/ssh/sshd_config is set to defaults which appears to allow for port forwarding. Any additional information or suggestions on how to resolve this issue? Anathae