wifi profiles in hostname.if
Good day,

I am curious if there is the possibility of adding/using multiple profiles or network entries, much like ~/.ssh/config ?

eg: In /etc/hostname.iwn0

    nwid primary wpakey key
    dhcp

    nwid secondary wpakey key
    dhcp

Is this possible? I would imagine that wrapping some sort of identifiers/formatting around the network information would be required, much like the ssh/config parameters.

    Net primary {
        nwid primary wpakey key
        dhcp
    }

    Net secondary {
        nwid secondary wpakey key
        dhcp
    }

The manpage of hostname.if(5) does not specifically mention/allow for this.

My work-around for this is to have all my locations/ap's use the same nwid where possible. And where not, just use # comments in my hostname.if files and just manually edit the appropriate entries in/out, and rerun /etc/netstart.

Is it possible to bake this in, rather than going down the wpa_supplicant path as others have done? Or am I getting my hopes up for the sake of being lazy?

Thanks
Chris
softraid questions
Pardon the noise, but I'm wondering if softraid supports nested raid types?

Specifically, I'm looking to do a raid 0+1 over 4 drives. A mirror of stripes.

    wd1 wd2 would be striped to stripe0
    wd3 wd4 would be striped to stripe1
    stripe0 would be mirrored to stripe1.

Is this even possible with bioctl? I'm currently assembling my hardware, and I would like to at least ask a high-level question before digging into the low-level areas. The reason I ask, is the softraid and bioctl man pages do not mention nesting capabilities.

Or, am I going about this the wrong way and should I concatenate wd1+2 wd3+3 and then mirror?

I'm not looking to create a bomb-proof solution, just something to create a little bit of fault tolerance in my home data store.

And lastly, can I create my wd1+2 stripe, populate the data, then create my second stripe mirror and rebuild/cross pollinate?

Thanks
Chris
Re: sshguard
Hmm, good point. I hadn't considered the potential issues at upgrade time. Thanks for pointing that out and saving me significant frustration in November.

On 27/07/2012 03:04, Stuart Henderson wrote:
> Editing scripts in /etc/rc.d will give you problems at upgrade time.
>
> I don't know where else we can document this as the relevant manuals already tell you how to configure flags in rc.conf.local. It works the same way as programs from the base OS e.g. sshguard_flags=blah blah. See rc.d(8) for more.
Re: sshguard
sshguard prefers to use the log-sucker way of parsing authlog. I don't even have a mention of sshguard in syslog.conf. The rc script just basically daemonises sshguard, and points it at /var/log/authlog

    # /etc/rc.d/sshguard
    daemon="/usr/local/sbin/sshguard"
    # REALLY Touchy version
    daemon_flags="-a 3 -l /var/log/authlog -w /var/db/sshguard/friends.db -b 5:/var/db/sshguard/blacklist.db"
    # Less Touchy Version
    #daemon_flags="-l /var/log/authlog -w /var/db/sshguard/friends.db -b 5:/var/db/sshguard/blacklist.db"
    . /etc/rc.d/rc.subr
    rc_bg=YES
    rc_reload=NO
    rc_cmd $1

sshguard documentation on their website is quite thorough on how to install/use. The documentation on how to tweak is a little lacking though.

All that is missing from an install of sshguard is the required entries into pf.conf, and which log files to monitor in the rc script.

Works very, very well I might add.

Good luck!

Cheers
Chris

On 25/07/2012 08:04, Otto Moerbeek wrote:
> On Wed, Jul 25, 2012 at 02:25:44PM +0200, Hasse Hansson wrote:
>
>> Hello all.
>>
>> # uname -a
>> OpenBSD odin.thorshammare.org 5.2 GENERIC#13 i386
>>
>> sshguard-1.5
>>
>> Are we not supposed to use the entry in /etc/syslog.conf any more ?
>> auth.info;authpriv.info |/usr/local/sbin/sshguard
>>
>> I get a message on my console saying:
>> syslogd: unknown priority name info |/usr/local/sbin/sshguard
>>
>> The info about the syslog.conf entry seems to be gone in the install message too.
>>
>> All the best
>> Hasse
>
> syslog is very picky about the difference between spaces and tabs. Always use one or more tabs.
>
> -Otto
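
The tab rule from the quoted reply above, turned into a check that can be run before restarting syslogd. This is an added example, not code from the thread or from OpenBSD; `lint_syslog_conf` is a hypothetical helper name and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: lint a syslog.conf-style file for the whitespace rule quoted
# above (selector and action separated by tabs only, never spaces).

# lint_syslog_conf FILE
#   Prints "LINE: text" for every rule whose separator is not tabs-only.
#   Returns 0 when the file is clean, 1 when at least one line is flagged.
lint_syslog_conf() {
    awk '
        /^[ \t]*$/ { next }      # blank line
        /^[ \t]*#/ { next }      # comment
        /^[!+]/    { next }      # program/host block marker, not a rule
        {
            # Selector = leading run of non-blank characters in column 1.
            if (!match($0, /^[^ \t]+/)) next
            rest = substr($0, RLENGTH + 1)
            # Separator = blanks between the selector and the action.
            n = 0
            while (substr(rest, n + 1, 1) ~ /^[ \t]$/) n++
            sep = substr(rest, 1, n)
            if (sep !~ /^\t+$/) flag()
        }
        function flag() { printf "%d: %s\n", NR, $0; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: line 2 repeats the space-separated entry from the
# thread, line 3 is the same rule written with a tab.
sample=$(mktemp) || exit 1
printf '%s\n' '# constructed sample' \
    'auth.info;authpriv.info |/usr/local/sbin/sshguard' > "$sample"
printf 'auth.info;authpriv.info\t|/usr/local/sbin/sshguard\n' >> "$sample"
lint_syslog_conf "$sample" || echo "lines above need a tab before the action"
rm -f "$sample"
```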
Re: sshguard
I use both. Sshguard seems to catch a lot, and the subsequent pf ruleset for max-src-conn seems to catch a fair bit as well.

Here is a snip of my pf.conf:

    # SSHguard protection
    table <sshguard> persist
    block in quick on em0 proto tcp from <sshguard> to any port ssh label sshguard

    # Bruteforce Protection
    table <bruteforce> persist counters
    block log (all) quick from <bruteforce>
    pass log (all) proto tcp to port ssh keep state (max-src-conn 5, max-src-conn-rate 5/120, overload <bruteforce>)

As for the selectivity on services, I've never used it, so your mileage may vary, but I do believe sshguard will monitor a service, and block the offender on that service, and leave the other services access alone.

Let us know how it goes.

Cheers
Chris

On 25/07/2012 11:15, Alvaro Mantilla Gimenez wrote:
> Is it a better solution than pf rules based on max-src-conn and/or max-src-conn-rate?
>
> According to the documentation sshguard add ip address to sshguard table so what about if I want to selectively block ip address to some services and let other services open? (i.e.: one ip offending ssh access but still I want to have smtp open for that ip).
>
> I can accomplish that with different tables/rules on pf...is there any way to differentiate IPs blocked by sshguard based on the offended service? (ssh, smtp,..).