Unable to establish ikev2 vpn with ios after update to current
Hello

I have been a bit remiss, and have not updated my system in a couple of months. I have been following current for a year or two, in general, without incident. Anyway, after updating last night, I am unable to establish an ikev2 vpn with an ios 10.3.2 device. An OBSD6.1<->OBSD6.1 ikev2 vpn is working fine. I am hoping that someone could shove me in a direction.

I have been using iked with iOS for about a year without a problem. However, after the update, I noticed that all iOS vpn attempts were failing. Running

# iked -dvvv

and trying to connect showed:

...
ca_setauth: auth length 510
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_resp_recv: failed to send auth response
sa_state: AUTH_REQUEST -> CLOSED from xxx.yyy.1.254:64252 to xxx.yyy.1.20:4500 policy 'ios_vpn'
ikev2_recv: closing SA
sa_free: ispi 0xcd95648ffb47ac65 rspi 0x86e6b00a7646172e
config_free_proposals: free 0x13f816f06500
config_free_proposals: free 0x13f8e4f63580
ca_setauth: auth length 528
ca_validate_pubkey: could not open public key pubkeys/fqdn/ios.ikev2.myfqdn.com
ca_x509_subjectaltname: FQDN/ios.ikev2.myfqdn.com
ca_validate_cert: /C=US/ST=Illinois... ok
ikev2_getimsgdata: imsg 24 rspi 0x86e6b00a7646172e ispi 0xcd95648ffb47ac65 initiator 0 sa invalid type 14 data length 528
ikev2_dispatch_cert: invalid auth reply

I found a suggestion that placing an RSA public certificate on the local OBSD machine could help.
So, I used:

# openssl rsa -in private.key -pubout > /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com

Now, running

# iked -dvvv

shows:

set_policy_auth_method: using rsa for peer /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
set_policy: found pubkey for /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
ikev2 "ios_vpn" passive esp inet from 0.0.0.0/0 to xxx.yyy.15.0/24 local xxx.yyy.1.20 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid ikesync.myfqdn.com dstid ios.ikev2.myfqdn.com ikelifetime 1800 lifetime 1800 bytes 536870912 rsa config address xxx.yyy.15.131 config netmask 255.255.255.0 config name-server xxx.yyy.1.128 config name-server xxx.yyy.1.129 config netbios-server xxx.yyy.2.99
ca_privkey_serialize: type RSA_KEY length 2349
ca_pubkey_serialize: type RSA_KEY length 526
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 2349
ca_getkey: received public key type RSA_KEY length 526
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: loaded ca file ca.crt
ca_reload: /C=US/ST=Illinois...
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file local.myfqdn.com.crt
ca_reload: loaded cert file ikesync.myfqdn.com.crt
ca_validate_cert: /C=US/ST=Illinois... ok
ca_validate_cert: /C=US/ST=Illinois... ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator xxx.yyy.1.254:55008 to xxx.yyy.1.20:500 policy 'jacqueline_iphone_vpn' id 0, 432 bytes
ikev2_recv: ispi 0xd14315b81593285a rspi 0x
ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 432 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xd14315b81593285a 0x
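An added triage helper for the failure mode in this post (example code, not from the post or from iked(8)): it reads iked -dvvv lines of the shape shown above and reports the RSA_SIG-versus-SIG auth-method mismatch, the pubkey file iked could not open, and the SA closed during AUTH, so the fix can be confirmed once a later run logs the key as found. The embedded log excerpt is constructed; its addresses, SPIs and FQDN are placeholders.

```python
import re

# Constructed excerpt modelled on the iked -dvvv lines in the post; the
# addresses and the FQDN are placeholders, not the poster's real values.
SAMPLE_LOG = """\
ca_setauth: auth length 510
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_resp_recv: failed to send auth response
sa_state: AUTH_REQUEST -> CLOSED from 192.0.2.254:64252 to 192.0.2.20:4500 policy 'ios_vpn'
ca_setauth: auth length 528
ca_validate_pubkey: could not open public key pubkeys/fqdn/ios.ikev2.example.com
ca_x509_subjectaltname: FQDN/ios.ikev2.example.com
ikev2_dispatch_cert: invalid auth reply
"""

AUTH_MISMATCH = re.compile(r"unexpected auth method (\S+), was expecting (\S+)")
SA_CLOSED = re.compile(r"sa_state: (\S+) -> CLOSED from (\S+) to \S+ policy '([^']+)'")
MISSING_PUBKEY = re.compile(r"ca_validate_pubkey: could not open public key (\S+)")
FOUND_PUBKEY = re.compile(r"set_policy: found pubkey for (\S+)")


def triage(log_text):
    """Collect the authentication-related events from iked -dvvv output.

    Returns a dict of: auth-method mismatches (what the peer sent vs what the
    policy expected), SAs closed before being established, pubkey files iked
    could not open, and pubkey files it did load (so a fix can be confirmed).
    """
    report = {"mismatches": [], "closed": [], "missing_pubkeys": [], "found_pubkeys": []}
    for line in log_text.splitlines():
        if m := AUTH_MISMATCH.search(line):
            report["mismatches"].append({"got": m.group(1), "expected": m.group(2)})
        elif m := SA_CLOSED.search(line):
            report["closed"].append({"state": m.group(1), "peer": m.group(2), "policy": m.group(3)})
        elif m := MISSING_PUBKEY.search(line):
            report["missing_pubkeys"].append(m.group(1))
        elif m := FOUND_PUBKEY.search(line):
            report["found_pubkeys"].append(m.group(1))
    return report


def hints(report):
    """Turn the report into the checks the post ended up doing by hand."""
    out = []
    for mm in report["mismatches"]:
        if mm["got"] == "RSA_SIG" and mm["expected"] == "SIG":
            # SIG is IKEv2 auth method 14 (RFC 7427 digital signature); the
            # post shows iked switching to rsa once a pubkey file exists.
            out.append("peer uses RSA_SIG but the policy expects SIG: install the peer's "
                       "RSA public key under /etc/iked/pubkeys/ so iked selects rsa auth for it")
    for missing in report["missing_pubkeys"]:
        rel = missing.split("pubkeys/", 1)[-1]  # e.g. fqdn/ios.ikev2.example.com
        if not any(found.endswith(rel) for found in report["found_pubkeys"]):
            out.append(f"missing public key file /etc/iked/{missing}")
    for sa in report["closed"]:
        out.append(f"policy {sa['policy']!r}: SA from {sa['peer']} closed in state {sa['state']}")
    return out


if __name__ == "__main__":
    for h in hints(triage(SAMPLE_LOG)):
        print(h)
```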
Re: bgp-spamd added 192.43.244.163
On Sun, 04 Jun 2017 12:09:51 -0500, Edgar Pettijohn wrote:
> Did a little more digging. Looks like the list 192.43.244.163 is on the
> SORBS Spam list.

I have delisted it.

- todd
Re: httpd and wordpress
A very select few security-focused plugins are worth keeping around, like WordFence. Every plugin, theme and add-on is additional attack surface, and some popular plugins and themes have a horrifying track record with regard to security. WordPress core has gotten a lot better recently, but there are still some whopper vulnerabilities disclosed on occasion.

For most people, I recommend giving it lenient enough file permissions that it can automatically apply its own updates. The most severe WP vulnerabilities are Remote Code [Inclusion|Execution]. Disallowing _www write access to the document root isn't going to save you from those, but allowing write access and enabling automatic updates means critical patches are applied faster than you'd normally be able to do it yourself.

I have experimented in my development environment with a "split installation" where two different virtual host entries serve WP from two different document roots but are pointed to the same database: a full-blown normal install on 127.0.0.1 that you access through something such as an SSH dynamic proxy, then a copied, locked-down install on the public IP address. The locked-down install doesn't even have wp-admin, and uses database credentials that are limited to SELECT queries only. This took a lot of extra work to keep maintained, and updates applied to, and obviously things like user-login and comments won't work on the public-facing site. I'm not convinced this experiment is worth the hassle, because if you're that paranoid, you're likely already looking at static-site generators and getting away from WP by any means possible.

On Sun, Jun 4, 2017 at 4:34 PM, flipchan wrote:
> Delete ALL readme and don't install plugins
>
> On June 3, 2017 9:52:13 PM GMT+02:00, Markus Rosjat wrote:
> >Hi there,
> >
> >well if it would be up to me I would skip wordpress for good but well
> >it's not my decision.
> >
> >So I was wondering if there are some recommendations on what to block in
> >the httpd.conf and what file permissions to use.
> >
> >For now I have:
> >
> >- like wordpress suggests 0755 on dirs and 0644 on files
> >
> >- wp-config.php setting to 0400 is not going to work at all I need at
> >least a 0644 or nothing shows up
> >
> >- in http.conf I blocked /wp_content , /wp-content /uploads/*.php,
> >/wp-includes, /wp-includes/*.php and /wp-admin
> >
> >so if there is something I can do further to harden things just let me
> >know :)
> >
> >advice is most appreciated
> >
> >Regards
> >
> >--
> >Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
> >
> >G+H Webservice GbR Gorzolla, Herrmann
> >Königsbrücker Str. 70, 01099 Dresden
> >
> >http://www.ghweb.de
> >fon: +49 351 8107220 fax: +49 351 8107227
> >
> >Please check whether this mail really needs to be printed!
> >Before you print it, think about your responsibility and commitment to
> >the ENVIRONMENT
>
> --
> Take Care Sincerely flipchan layerprox dev
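An added audit script for the permission policy discussed in this thread (example code, not from any poster): it walks a WordPress document root, reports directories that are not 0755 and files that are not 0644, flags symlinks, and lists any PHP file under wp-content/uploads, which is the kind of file the httpd.conf block rules above exist to neutralise. The demo tree it builds in a temporary directory is constructed; the file names in it are placeholders.

```python
import os
import stat
import tempfile

# Policy from the thread: 0755 on directories, 0644 on files. wp-config.php is
# held to the same 0644 because the poster found tighter modes break the site.
DIR_MODE, FILE_MODE = 0o755, 0o644
UPLOADS = os.path.join("wp-content", "uploads")


def audit_wordpress_tree(docroot):
    """Return sorted (relative path, problem) tuples for a WordPress docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        dmode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if dmode != DIR_MODE:
            findings.append((rel_dir, f"dir mode {dmode:04o}, want {DIR_MODE:04o}"))
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                findings.append((rel, "symlink in docroot"))  # may point outside the tree
                continue
            fmode = stat.S_IMODE(st.st_mode)
            if fmode != FILE_MODE:
                findings.append((rel, f"file mode {fmode:04o}, want {FILE_MODE:04o}"))
            if rel.startswith(UPLOADS + os.sep) and name.lower().endswith(".php"):
                findings.append((rel, "PHP file under uploads/ (should be blocked and removed)"))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample docroot: one clean file, one loose file, one loose dir,
    and one PHP file sitting in the uploads directory."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.chmod(root, DIR_MODE)
    for d in ("wp-includes", "wp-content", UPLOADS):
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), DIR_MODE)
    os.chmod(os.path.join(root, "wp-includes"), 0o775)  # group-writable: a finding
    for rel, mode in (("wp-config.php", 0o644), ("index.php", 0o664),
                      (os.path.join(UPLOADS, "x.php"), 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("<?php\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for path, problem in audit_wordpress_tree(build_demo_tree()):
        print(f"{path}: {problem}")
```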
Re: Can I bind USB/other interface/device number (e.g. cdceX) to particular MAC, USB serial number or the like?
On Fri, 2 Jun 2017 08:25:57 -0400
> Linux's (and Windows and Solaris and ...) attempts to "fix" this
> problem is one of the reasons I'd consider Linux (and Windows
> and ...) crappy. A complicated solution that creates far more
> problems than it ever solves, and usually at the worst times possible
> (i.e., disaster recovery, where you are trying to rebuild a failed
> system).
>
> The tools to deal with this are already in OpenBSD as I and Peter
> indicated. We don't need an "automatic" solution that penalizes
> everyone for an edge-case problem (and yes, I'd consider this an edge
> case. I can't imagine a serious, industrial firewall with USB
> interfaces).

Yeah, definitely, there are more than a few mailing list requests on switching the linux solution back to eth0...1 etc to fix new issues. The linux code before (eth0,1,2) did have issues OpenBSD does not too.

My experience, which has always been better than Linux, is that e.g. fxp0,1,2 are in order of pci slot. I assume usbs are the same after boot, so anyone who unplugs and plugs devices and doesn't check the outcome on critical hardware deserves what they get. Also having critical hardware that can be physically damaged is also asking for trouble, so I cannot see an issue at all??

p.s. I love the ethernet card driver specific man pages!!
Re: httpd and wordpress
Delete ALL readme and don't install plugins

On June 3, 2017 9:52:13 PM GMT+02:00, Markus Rosjat wrote:
>Hi there,
>
>well if it would be up to me I would skip wordpress for good but well
>it's not my decision.
>
>So I was wondering if there are some recommendations on what to block in
>the httpd.conf and what file permissions to use.
>
>For now I have:
>
>- like wordpress suggests 0755 on dirs and 0644 on files
>
>- wp-config.php setting to 0400 is not going to work at all I need at
>least a 0644 or nothing shows up
>
>- in http.conf I blocked /wp_content , /wp-content /uploads/*.php,
>/wp-includes, /wp-includes/*.php and /wp-admin
>
>so if there is something I can do further to harden things just let me
>know :)
>
>advice is most appreciated
>
>Regards
>
>--
>Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
>G+H Webservice GbR Gorzolla, Herrmann
>Königsbrücker Str. 70, 01099 Dresden
>
>http://www.ghweb.de
>fon: +49 351 8107220 fax: +49 351 8107227
>
>Please check whether this mail really needs to be printed!
>Before you print it, think about your responsibility and commitment to
>the ENVIRONMENT

--
Take Care Sincerely flipchan layerprox dev
HPLIP HP Laserjet Pro MFP M130fn PPD Plugin installation fails
Hi all,

Recently I acquired an HP Laserjet Pro MFP M130fn and I would like to use it with my OpenBSD Desktop... As it is supported since hplip 3.17 I have to use OpenBSD Current.

I managed to get as far as the plugin installation, but now I am stuck at the point:

/usr/local/bin/python2.7 plugin_install.py
License blablabla
Do you accept the license terms for the plug-in (y=yes*, n=no, q=quit) ? y
sh: lsb_release: not found
Plugin installation failed
error: Plugin installation failed

Any advice?

thx
Greetings
Claus
Re: bgp-spamd added 192.43.244.163
On 06/04/17 11:56, Edgar Pettijohn wrote:

On 06/04/17 06:09, Peter Hessler wrote:

Please double check your setup. That IP is for 'lists.openbsd.org', and should be listed in the *whitelist*. I do distribute the whitelist next to the blacklist, so you MUST NOT blindly block every IP that I distribute to you.

On 2017 Jun 03 (Sat) at 23:30:36 +0200 (+0200), Markus Rosjat wrote:
:hi there,
:
:just had some strange encounter, I was wondering why I don't get mail from
:this list for a while.
:
:So I did some digging and found that even 192.43.244.163 was whitelisted with
:like 32k mails delivered there are also GREY entries for this ip. so I
:checked my blacklists, nothing to find and then I thought okay check the list
:from the bgp-spamd project and to my surprise I found 192.43.244.163 in the
:table. I deleted it and my mails from this list coming in again. since I
:didnt do anything lately on my setup I wonder if someone else had this
:encounter.
:
:
:regards
:
:--
:Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
:
:G+H Webservice GbR Gorzolla, Herrmann
:Königsbrücker Str. 70, 01099 Dresden
:
:http://www.ghweb.de
:fon: +49 351 8107220 fax: +49 351 8107227
:
:Please check whether this mail really needs to be printed!
:Before you print it, think about your responsibility and commitment to
:the ENVIRONMENT
:

Just had a chance to check and I didn't see it in my blacklists. However, I already had it in my nospamd so it probably wouldn't have affected me even if it were.

Did a little more digging. Looks like the list 192.43.244.163 is on the SORBS Spam list.
Re: bgp-spamd added 192.43.244.163
On 06/04/17 06:09, Peter Hessler wrote:

Please double check your setup. That IP is for 'lists.openbsd.org', and should be listed in the *whitelist*. I do distribute the whitelist next to the blacklist, so you MUST NOT blindly block every IP that I distribute to you.

On 2017 Jun 03 (Sat) at 23:30:36 +0200 (+0200), Markus Rosjat wrote:
:hi there,
:
:just had some strange encounter, I was wondering why I don't get mail from
:this list for a while.
:
:So I did some digging and found that even 192.43.244.163 was whitelisted with
:like 32k mails delivered there are also GREY entries for this ip. so I
:checked my blacklists, nothing to find and then I thought okay check the list
:from the bgp-spamd project and to my surprise I found 192.43.244.163 in the
:table. I deleted it and my mails from this list coming in again. since I
:didnt do anything lately on my setup I wonder if someone else had this
:encounter.
:
:
:regards
:
:--
:Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
:
:G+H Webservice GbR Gorzolla, Herrmann
:Königsbrücker Str. 70, 01099 Dresden
:
:http://www.ghweb.de
:fon: +49 351 8107220 fax: +49 351 8107227
:
:Please check whether this mail really needs to be printed!
:Before you print it, think about your responsibility and commitment to
:the ENVIRONMENT
:

Just had a chance to check and I didn't see it in my blacklists. However, I already had it in my nospamd so it probably wouldn't have affected me even if it were.
Fwd: Re: RTL8153 stopped-communicating("crashed")-bug. I think because it was USB3 & OBSD doesn't support 5gbit/superspeed mode yet.
(fw very clarifying answer from mpi@)

Original Message
Subject: Re: RTL8153 stopped-communicating("crashed")-bug. I think because it was USB3 & OBSD doesn't support 5gbit/superspeed mode yet.
Date: 2017-06-04 07:49
From: Martin Pieuchot
To: Tinker

On 04/06/17(Sun) 00:46, Tinker wrote:
> On 2017-06-02 13:53, Martin Pieuchot wrote:
> ..
> > So it's an xhci(4) problem? Could you submit a bug report with a dmesg
> > of a kernel compiled with XHCI_DEBUG and exposing the problems above
> > mentioned?
>
> Will do!
>
> Meanwhile to understand how USB3 is expected to work currently, save for
> due to any unexpected bugs:
>
> * Should USB devices always come up when you boot?

Yes they should. If they don't that's 1 bug. Possibly related to uhub(4).

In that case you could install the "usbutils" package and compare the output of 'lsusb -v' when:

- you booted without device connected
- you booted with a device connected
- after you connected a device

What interests us are the Port Status of the parent hub to the device. They look like:

  Hub Port Status:
    Port 1: .0100 power
    Port 2: .0100 power
    Port 3: .0100 power
    Port 4: .0100 power
    Port 5: .0100 power
    Port 6: .0100 power
    Port 7: .0100 power
    Port 8: .0100 power

Of course this could also be an xhci(4) bug. So booting a kernel with XHCI_DEBUG and/or UHUB_DEBUG can give us more information.

> * Total bandwidth per controller will be 1gbps currently?

I don't remember, you can look at xhci.c. But honestly what's your problem? I doubt this matters.

> * At how many / how bandwidth-demanding devices plugged in to a controller,
> should failure to attach more devices start happening?

I don't know, but once again I doubt it matters. What's your problem?

> * All of this is supposed to work without any config tweaking by user right?

Of course, that's one of OpenBSD's goals ;)

> * ..And then per-USB device ioerror, timeout, watchdog timeout etc.
> errors should be handled transparently by the respective device driver,
> i.e., there are expected situations where USB will fail to push data
> through for a moment, so a good driver should have the logic to restore
> device function transparently by whatever means necessary. (E.g. even
> device reset should be fine for a USB NIC as the device does not have
> any substantial state.)

Yes, but driver authors aren't perfect and they don't write perfect drivers ;) However anybody is welcome to improve them :)
Re: bgp-spamd added 192.43.244.163
Please double check your setup. That IP is for 'lists.openbsd.org', and should be listed in the *whitelist*. I do distribute the whitelist next to the blacklist, so you MUST NOT blindly block every IP that I distribute to you.

On 2017 Jun 03 (Sat) at 23:30:36 +0200 (+0200), Markus Rosjat wrote:
:hi there,
:
:just had some strange encounter, I was wondering why I don't get mail from
:this list for a while.
:
:So I did some digging and found that even 192.43.244.163 was whitelisted with
:like 32k mails delivered there are also GREY entries for this ip. so I
:checked my blacklists, nothing to find and then I thought okay check the list
:from the bgp-spamd project and to my surprise I found 192.43.244.163 in the
:table. I deleted it and my mails from this list coming in again. since I
:didnt do anything lately on my setup I wonder if someone else had this
:encounter.
:
:
:regards
:
:--
:Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
:
:G+H Webservice GbR Gorzolla, Herrmann
:Königsbrücker Str. 70, 01099 Dresden
:
:http://www.ghweb.de
:fon: +49 351 8107220 fax: +49 351 8107227
:
:Please check whether this mail really needs to be printed!
:Before you print it, think about your responsibility and commitment to
:the ENVIRONMENT
:

--
"Virtual" means never knowing where your next byte is coming from.
SNMP OID for free memory
Hi,

I am using OpenBSD 6.1 with the Net-SNMP port in order to monitor the system resources. I don't seem to find any OID for the free memory and was wondering if this information is simply not made available in SNMP.

Doing an snmpwalk on the HOST-RESOURCES MIB for memory shows the following available OIDs related to memory:

HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: Real memory
HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: Virtual memory
HOST-RESOURCES-MIB::hrStorageDescr.8 = STRING: Shared virtual memory
HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: Shared real memory
HOST-RESOURCES-MIB::hrStorageDescr.10 = STRING: Swap space
HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /

Any idea where the free memory info would be hiding?

I found a script called check_snmp_openbsd.py (https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py) where the OID .1.3.6.1.4.1.11.2.3.1.1.7.0 is used for getting the free memory but when I do an snmpget on my OpenBSD box this OID is not available.

Regards,
Mabi A
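An added example (not from the post or from Net-SNMP) showing how a free figure can be derived from the same hrStorageTable the post walks: besides hrStorageDescr, each row carries hrStorageAllocationUnits, hrStorageSize and hrStorageUsed (HOST-RESOURCES-MIB, RFC 2790), so free = (Size - Used) * AllocationUnits. The snmpwalk text below is constructed with made-up Size/Used values.

```python
import re

# Constructed snmpwalk excerpt of HOST-RESOURCES-MIB::hrStorageTable, with the
# same Descr rows as the post and made-up AllocationUnits/Size/Used numbers.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: Real memory
HOST-RESOURCES-MIB::hrStorageDescr.10 = STRING: Swap space
HOST-RESOURCES-MIB::hrStorageAllocationUnits.1 = INTEGER: 1024 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.2 = INTEGER: 1024 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.10 = INTEGER: 1024 Bytes
HOST-RESOURCES-MIB::hrStorageSize.1 = INTEGER: 4194304
HOST-RESOURCES-MIB::hrStorageSize.2 = INTEGER: 4194304
HOST-RESOURCES-MIB::hrStorageSize.10 = INTEGER: 1048576
HOST-RESOURCES-MIB::hrStorageUsed.1 = INTEGER: 3145728
HOST-RESOURCES-MIB::hrStorageUsed.2 = INTEGER: 1048576
HOST-RESOURCES-MIB::hrStorageUsed.10 = INTEGER: 0
"""

ROW = re.compile(
    r"HOST-RESOURCES-MIB::hrStorage(Descr|AllocationUnits|Size|Used)\.(\d+) = \w+: (.*)")


def parse_hr_storage(walk_text):
    """Group hrStorageTable columns by hrStorageIndex, keyed by integer index."""
    rows = {}
    for line in walk_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        column, index, value = m.groups()
        row = rows.setdefault(int(index), {})
        if column == "Descr":
            row["descr"] = value
        else:
            # Size and Used are Integer32 counts of AllocationUnits, not bytes;
            # the agent chooses a unit size that keeps them below 2^31.
            row[column] = int(value.split()[0])  # drop the " Bytes" unit suffix
    return rows


def free_bytes(rows, descr):
    """Free space, in bytes, of the row whose hrStorageDescr equals descr."""
    for row in rows.values():
        if row.get("descr") == descr and {"AllocationUnits", "Size", "Used"}.issubset(row):
            return (row["Size"] - row["Used"]) * row["AllocationUnits"]
    return None  # no such row, or its numeric columns were not walked


if __name__ == "__main__":
    table = parse_hr_storage(SAMPLE_WALK)
    for name in ("Physical memory", "Real memory", "Swap space"):
        print(f"{name}: {free_bytes(table, name)} bytes free")
```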