Re: BSDstats Project v2.0 ...
On Friday 11 August 2006 22:29, Nikolas Britton wrote:
> On 8/11/06, Matthew Seaman <[EMAIL PROTECTED]> wrote:
> > Marc G. Fournier wrote:
> > > On Fri, 11 Aug 2006, Nikolas Britton wrote:
> > >> Ok... With my new script it took only 158 minutes to compute ALL
> > >> TCP/IP address hashes. I'll repeat that... I have an md5 hash for
> > >> every IP address in the world! All I need to do is grep your hash and
> > >> it will tell me your IP address. yippee! :-)
> > >
> > > Can someone please explain to me what exactly you are trying to secure
> > > against in this case?
> >
> > He's trying to prevent any possibility of information disclosure about
> > his servers. If I wanted to hack into his site, knowing what hosts he
> > had running (ie. a bunch of live IP numbers) and what OS etc. each used
> > would mean I'm already halfway to my goal. Now, while the design of
> > bsdstats does not disclose that sort of stuff readily, any security
> > conscious admin is going to worry about that data being collected and
> > held outside of his administrative control. Having a completely
> > anonymous and untraceable token to identify each of the hosts sending
> > in information should make connecting the information back to the
> > original sender practically impossible.
>
> YES! what he said... I don't want ANYTHING to trace back to me or my
> systems.
>
> > Although, playing devil's advocate here, anyone that could steal the
> > Apache log files from the bsdstats server would be able to work out
> > that sort of data fairly readily. I guess the truly paranoid should
> > only submit their data via some sort of anonymizing proxy.
>
> That's simple, don't keep the log files...
>
> * Can we trust Marc to delete them?
> * I thought this was going to be an official FreeBSD project hosted on
> freebsd.org?
> * Maybe we should get the OpenBSD people involved?
>
> Just thinking out loud :-/

honestly, should said security conscious admins, really be participating 'using his bosses servers' in this project? probably not. even if all the security conscious admins out there decline to have all their datacenters participate in bsdstats, I'm sure just the ones who decide that the risk of sending the same info your browser does (plus a bit more if you choose and deliberately enable) is appropriate for them, is still going to give one hell of a great demographic report to bsdstats.

2 cents,
jonathan

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Undelete for UFS2?
On 8/12/06, Chris <[EMAIL PROTECTED]> wrote:
> Just thought I'd ask though I'm pretty sure the answer is no. Nothing important just my mailbox files for mailing lists including this one. All my email addresses look alike and I was foolish enough to copy and paste. Why oh why I didn't add the backup cronjob I don't know...

Nope. Some forensic solutions are available though.

> Is there any way to get spools for this list? It's nice being able to search messages locally.

http://lists.freebsd.org/mailman/listinfo
http://lists.freebsd.org/pipermail/freebsd-questions/

> Lastly surely someone has implemented a trash folder mechanism for freebsd... what is it called so I can look up how to install it?

Nope. Snapshots are there, though. See mount(8) for more.
Tip Top Equity Spam
This is called spam. It's generally looked down upon in the modern world. This particular spam was posted on the blog of a friend of mine, several months ago. Despite the fact that we have long since abandoned the blogs, it's the principle of the thing. It's unappreciated, and CERTAINLY does not make me positively interested in Tip Top Equities in the least. Make no mistake: Our mission at Tip Top Equities is to sift through the thousands of underperforming companies out there to find the golden needle in the haystack. A stock worthy of your investment. A stock with the potential for big returns. More often than not, the stocks we profile show a significant increase in stock price, sometimes in days, not months or years. We have come across what we feel is one of those rare deals that the public has not heard about yet. Read on to find out more. Nano Superlattice Technology Inc. (OTCBB Symbol: NSLT) is a nanotechnology company engaged in the coating of tools and components with nano structured PVD coatings for high-tech industries. Nano utilizes Arc Bond Sputtering and Superlattice technology to apply multi-layers of super-hard elemental coatings on an array of precision products to achieve a variety of physical properties. The application of the coating on industrial products is designed to change their physical properties, improving a product's durability, resistance, chemical and physical characteristics as well as performance. Nano's super-hard alloy coating materials were especially developed for printed circuit board drills in response to special market requirements The cutting of circuit boards causes severe wear on the cutting edge of drills and routers. With the increased miniaturization of personal electronics devices the dimensions of holes and cut aways are currently less than 0.2 mm. Nano coats tools with an ultra thin coating (only a few nanometers in thickness) of nitrides which can have a hardness of up to half that of diamond. 
This has proven to increase tool life by almost ten times. Nano plans to continue research and development into these techniques due to the vast application range for this type of nanotechnology

We believe that Nano is a company on the move. With today's steady move towards miniaturization we feel that Nano is a company with the right product at the right time. It is our opinion that an investment in Nano will produce great returns for our readers.

Online Stock trading, in the New York Stock Exchange, and Toronto Stock Exchange, or any other stock market requires many hours of stock research. Always consult a stock broker for stock prices of penny stocks, and always seek proper free stock advice, as well as read a stock chart. This is not encouragement to buy stock, but merely a possible hot stock pick. Get a live stock market quote, before making a stock investment or participating in the stock market game or buying or selling a stock option.

11:35 AM -- LOOK! EEZ A MUGGA FOONTIES!
what's different between src CVS Tags RELENG_*_BP and RELENG_*?
hey all, I just know the release src tag is RELENG_*_RELEASE.

lveax
Slow Startup with nss_ldap
Hello everyone,

I have a FreeBSD 6.1-RELEASE system configured as a Samba Server with an OpenLDAP backend. I have configured nss_ldap to allow local user authentication via LDAP. However if I reboot this machine for any reason, the bootup process gets stuck on named. If I Ctrl-C out of named, it gets stuck again on slapd. However, if I put the original nsswitch.conf back, the machine boots up fine and I have to copy the old nsswitch.conf back to get local user authentication.

Here is the updated nsswitch.conf file:

--8<--
passwd: files ldap
group: files ldap
--8<--

From looking at the logs, it looks like these processes are trying to access the ldap server which isn't up since it has not started yet. Is there any way I can get past this (other than using the original nsswitch.conf and changing back manually)?

Thanks in advance,
Pramod Venugopal
Re: BSDstats Project v2.0 ...
On 8/11/06, Matthew Seaman <[EMAIL PROTECTED]> wrote: Marc G. Fournier wrote: > On Fri, 11 Aug 2006, Nikolas Britton wrote: > >> Ok... With my new script it took only 158 minutes to compute ALL >> TCP/IP address hashes. I'll repeat that... I have an md5 hash for >> every IP address in the world! All I need to do is grep your hash and >> it will tell me your IP address. yippee! :-) > > Can someone please explain to me what exactly you are trying to secure > against in this case? He's trying to prevent any possibility of information disclosure about his servers. If I wanted to hack into his site, knowing what hosts he had running (ie. a bunch of live IP numbers) and what OS etc. each used would mean I'm already halfway to my goal. Now, while the design of bsdstats does not disclose that sort of stuff readily, any security conscious admin is going to worry about that data being collected and held outside of his administrative control. Having a completely anonymous and untraceable token to identify each of the hosts sending in information should make connecting the information back to the original sender practically impossible. YES! what he said... I don't want ANYTHING to trace back to me or my systems. Although, playing devil's advocate here, anyone that could steal the Apache log files from the bsdstats server would be able to work out that sort of data fairly readily. I guess the truly paranoid should only submit their data via some sort of anonymizing proxy. That's simple, don't keep the log files... * Can we trust Marc to delete them? * I thought this was going to be an official FreeBSD project hosted on freebsd.org? * Maybe we should get the OpenBSD people involved? Just thinking out loud :-/ -- BSD Podcasts @: http://bsdtalk.blogspot.com/ http://freebsdforall.blogspot.com/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
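An added example, not part of the original thread and not BSDstats code, showing why an unsalted MD5 of an IPv4 address is not an anonymous token and what a random per-host token changes. It assumes the hash was taken over the dotted-quad string (the thread does not say) and uses only the documentation range 192.0.2.0/24; all function names are hypothetical.

```python
import hashlib
import ipaddress
import secrets

IPV4_SPACE = 2 ** 32  # every possible IPv4 address: the whole input space


def md5_token(ip: str) -> str:
    """Unsalted MD5 of the dotted-quad string (assumed input format)."""
    return hashlib.md5(ip.encode("ascii")).hexdigest()


def build_lookup(network: str) -> dict:
    """Precompute token -> address for every address in one network.

    The same loop over all of IPv4 is what the thread reports finishing
    in 158 minutes: the input space is small enough to enumerate.
    """
    return {md5_token(str(a)): str(a) for a in ipaddress.ip_network(network)}


def resolve(token: str, lookup: dict):
    """Return the address behind a token, or None if it is not in the table."""
    return lookup.get(token)


def implied_hash_rate(minutes: float = 158) -> float:
    """Hashes per second needed to cover all of IPv4 in the stated time."""
    return IPV4_SPACE / (minutes * 60)


def random_host_token() -> str:
    """128-bit random identifier, generated once per host and kept locally.

    It is not derived from the address, so no precomputed table maps it back.
    """
    return secrets.token_hex(16)


def demo():
    lookup = build_lookup("192.0.2.0/24")       # constructed: documentation range
    submitted = md5_token("192.0.2.57")         # what a client would have sent
    return resolve(submitted, lookup), resolve(random_host_token(), lookup)


if __name__ == "__main__":
    recovered, unknown = demo()
    print("md5 token resolves to:", recovered)
    print("random token resolves to:", unknown)
    print("implied rate (hashes/s): %.0f" % implied_hash_rate())
```

A random token only removes the link between identifier and address; the source address still appears in the receiving web server's logs, which is the point raised later in the thread.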
Undelete for UFS2?
Just thought I'd ask though I'm pretty sure the answer is no. Nothing important just my mailbox files for mailing lists including this one. All my email addresses look alike and I was foolish enough to copy and paste. Why oh why I didn't add the backup cronjob I don't know...

Is there any way to get spools for this list? It's nice being able to search messages locally.

Lastly surely someone has implemented a trash folder mechanism for freebsd... what is it called so I can look up how to install it?
converting an mdoc manual page into an old man format
Hello!

I've written a man-page using mdoc macros for my own little program. I'd like to port the program to other Unixes (like Solaris), where my mdoc-based man page is rather unreadable :-(

Is there a standard way to expand the mdoc macros once? `man mdoc' is not giving any useful examples -- I can create a PostScript or an HTML document, but I can't render it in the traditional man :-(

Thanks for any hints! Yours,

-mi
USB Wireless client
I'm running FBSD 6.1 and I was wondering if there's a way of configuring an Orinoco USB client silver so I can have wireless internet. I haven't found any data on it yet. Please let me know, thank you.
Re: USB Media Keys
On 8/11/06, Jeff Molofee <[EMAIL PROTECTED]> wrote:
> Is it possible to get USB media keys to work in FreeBSD 6.x? I can't get anything to even see the keys, I would like to get my volume keys working on a Saitek Eclipse keyboard.

What on earth are you talking about? USB keyboards, USB mass storage, or USB crypt keys (is there such a thing)?

--
BSD Podcasts @:
http://bsdtalk.blogspot.com/
http://freebsdforall.blogspot.com/
USB Keyboard (media keys return nothing)
Just a follow up to my USB keyboard issue. I know what programs are available to bind the keys... unfortunately the keys do not return anything. No value returned at all, making it impossible to bind these keys :)

I had the same problem with my last keyboard... In USB mode none of the keys returned anything. If I put a PS2 adapter on the keyboard all the media keys worked fine. Unfortunately I do not have a PS2 adapter with this keyboard.

Any help or info on why this happens would be appreciated.
Re[2]: BSDstats Project v2.0 ...
On Sat, 12 Aug 2006, Daniel Gerzo wrote:

> Hello Garance,
>
> Friday, August 11, 2006, 9:59:41 PM, you wrote:
>
>> At 11:49 AM -0500 8/11/06, Paul Schmehl wrote:
>> I know we are used to dealing in internet-time, where things happen instantly, but there could be many reasons that the host count is only 1612. Reasons that have nothing to do with the specific outcome of how these security issues are handled.
>> I am certainly all for the improvements people have been talking about. I'm just saying that even if you make all those improvements, you're probably going to have to wait a few weeks before we see any significant number of hosts show up. That's just the way it is.
>
> It would be nice to see this in base system, that would help to raise this number enormously. And surely it would be nice to see it somewhere under the freebsd.org domain.

Actually, I've registered bsdstats.org for this ... I've been talking to various ppl from the other *BSDs about getting them involved as well, so went with the more 'neutral' domain instead of making this "FreeBSD Only" ... we share a lot between us as it is, sharing "marketing power" is a good thing ...

Marc G. Fournier
Hub.Org Networking Services (http://www.hub.org)
Email . [EMAIL PROTECTED]  MSN . [EMAIL PROTECTED]
Yahoo . yscrappy  Skype: hub.org  ICQ . 7615664
Re[2]: BSDstats Project v2.0 ...
Hello Garance,

Friday, August 11, 2006, 9:59:41 PM, you wrote:

> At 11:49 AM -0500 8/11/06, Paul Schmehl wrote:
> I know we are used to dealing in internet-time, where
> things happen instantly, but there could be many reasons
> that the host count is only 1612. Reasons that have
> nothing to do with the specific outcome of how these
> security issues are handled.
> I am certainly all for the improvements people have
> been talking about. I'm just saying that even if you
> make all those improvements, you're probably going to
> have to wait a few weeks before we see any significant
> number of hosts show up. That's just the way it is.

It would be nice to see this in base system, that would help to raise this number enormously. And surely it would be nice to see it somewhere under the freebsd.org domain.

--
Best regards,
Daniel mailto:[EMAIL PROTECTED]
Re: static linked python from the ports tree - possible ?
Ensel Sharon wrote:
> For a variety of reasons (long, hard to explain) I need a static python binary - with no external libraries. I know how to do this from source. However, I would like to install from the ports tree - what line can I run inside of /usr/ports/lang/python to get a totally static, standalone python binary ? Thanks.

So, how do you do it from source? Perhaps you can apply changes to lang/python/Makefile to do the same steps (and then submit a PR with the changes so others can benefit). Check out http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/

Alternately, doing a make install really does the following: make fetch, make extract, make patch, make configure, make build, then make install. You could manually run each make step and apply any needed changes in between steps, but that would make upgrading hard.

HTH,
Micah
smartctl: Raw_Read_Error_Rate very high
Dear Sirs,

watching from time to time via smartctl my new drives (HITACHI HDT722525DLA380 T7K250 250 GB SATA II drives) I found this line on one drive (ad4, the 'clean' one is ad4):

ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000b   100   100   016    Pre-fail  Always       -       65536

The RAW value of this entry seems to be very high, on the other drives, it is zero. I detected some performance issues within last days, both drives are connected as ar0 RAID0 volume to the nForce4 chipset of the ASUS A8N32-SLI mainboard.

Any suggestions?

Thanks in advance,
oh
SAP - HP ProLiant DL580 G3 series
Dear FreeBSD,

I am interested in setting up a SAP client at home that is running BW instance and SAP Portal. I've come across your O/S, however I am unsure if my hardware is compatible. I have a HP ProLiant DL580 G3 series server. Can I run FreeBSD?

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/sapr3.html

Many thanks in advance for any help.

Sam
Re: BSDstats Project v2.0 ...
On Fri, 11 Aug 2006, Garance A Drosihn wrote:

> At 11:49 AM -0500 8/11/06, Paul Schmehl wrote:
>> I would note that these issues appear to be impacting the project. As of right now, there are only 1612 systems reporting in, ...
>>
>> For my part, I've submitted two public hosts. I have four others I will not submit until I'm certain the data are securely transmitted and stored. Surely I'm not alone?
>
> I know we are used to dealing in internet-time, where things happen instantly, but there could be many reasons that the host count is only 1612. Reasons that have nothing to do with the specific outcome of how these security issues are handled.
>
> I am certainly all for the improvements people have been talking about. I'm just saying that even if you make all those improvements, you're probably going to have to wait a few weeks before we see any significant number of hosts show up. That's just the way it is.

Which was totally expected ... this wasn't meant to be a 'short term project', that's for sure :)

Marc G. Fournier
Hub.Org Networking Services (http://www.hub.org)
Email . [EMAIL PROTECTED]  MSN . [EMAIL PROTECTED]
Yahoo . yscrappy  Skype: hub.org  ICQ . 7615664
static linked python from the ports tree - possible ?
For a variety of reasons (long, hard to explain) I need a static python binary - with no external libraries. I know how to do this from source. However, I would like to install from the ports tree - what line can I run inside of /usr/ports/lang/python to get a totally static, standalone python binary ? Thanks.
size of crypto file systems geli/gbde
Hi:

I want to create encrypted memory filesystems for backup, and selective data destruction: If I have data from different users say, each user's backup will be stored as different encrypted file systems. Then I can selectively destroy data from one user by throwing away the key.

Now, how do I estimate the actual available space on an encrypted partition? Say, I need to backup 100MB - how big an mfs do I need to create in order that the encrypted file system will be 100MB?

Secondly: Which of the two supported crypto file systems is recommended: ELI or BDE? PHK writes in the manpage of BDE that no audit of the code has been made, but no such warning appears on ELI. Which is strongest/fastest/most efficient/reliable?

Thanks, Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
Re: BSDstats Project v2.0 ...
At 11:49 AM -0500 8/11/06, Paul Schmehl wrote:
> I would note that these issues appear to be impacting the project. As of right now, there are only 1612 systems reporting in, ...
>
> For my part, I've submitted two public hosts. I have four others I will not submit until I'm certain the data are securely transmitted and stored. Surely I'm not alone?

I know we are used to dealing in internet-time, where things happen instantly, but there could be many reasons that the host count is only 1612. Reasons that have nothing to do with the specific outcome of how these security issues are handled.

I am certainly all for the improvements people have been talking about. I'm just saying that even if you make all those improvements, you're probably going to have to wait a few weeks before we see any significant number of hosts show up. That's just the way it is.

--
Garance Alistair Drosehn = [EMAIL PROTECTED]
Senior Systems Programmer or [EMAIL PROTECTED]
Rensselaer Polytechnic Institute or [EMAIL PROTECTED]
RE: Spoofers, Spammers & Other Bad Guys
Sorry mate :-) it's been a long day.

http://bsdsecurity.wordpress.com/2006/03/25/filtering-attacks-from-china-and-korea-using-freebsd-and-pf/

Greg

> Greg, I meant give me an example of the below. I don't know
> how the confusion occurred on the other LOL!
> TIA,
> beno
>
> Greg Hennessy wrote:
> > Killing incoming 25/tcp from cidr blocks assigned to various parts of
> > APNIC and other registries. Much easier and far less hassle than
> > blocking individual addresses.
> >
> Could you give an example of this?
> TIA.
> beno
Re: Spoofers, Spammers & Other Bad Guys
Well, you can do it with firewall rules. You can do it in the MTA. I'm sure there are other ways to do it as well. This might be a useful tool for doing this without blocking some of the good guys in that part of the world, like Oz and NZ. http://ftp.apnic.net/stats/apnic/delegated-apnic-latest {o.o} Joanne. - Original Message - From: "beno" <[EMAIL PROTECTED]> Greg, I meant give me an example of the below. I don't know how the confusion occurred on the other LOL! TIA, beno Greg Hennessy wrote: Killing incoming 25/tcp from cidr blocks assigned to various parts of APNIC and other registries. Much easier and far less hassle than blocking individual addresses. Could you give an example of this? TIA. beno ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
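An added example, not from the original posts, of turning records in the layout of the delegated-apnic-latest file linked above into aggregated CIDR blocks for a firewall table while leaving out chosen economies such as AU and NZ. The sample records are constructed (they use the benchmark range 198.18.0.0/15), and the function names, table name and file path are hypothetical.

```python
import ipaddress

# Constructed sample in the delegated-apnic-latest layout:
#   registry|cc|type|start|value|date|status
# For ipv4 records "value" is a count of addresses, not a prefix length.
SAMPLE_DELEGATED = """\
# constructed sample, not real allocations
2|apnic|20060811|7|19830613|20060810|+1000
apnic|*|ipv4|*|5|summary
apnic|CN|ipv4|198.18.0.0|768|20060101|allocated
apnic|KR|ipv4|198.18.3.0|256|20060101|assigned
apnic|KR|ipv4|198.18.8.0|256|20060101|allocated
apnic|AU|ipv4|198.19.0.0|1024|20060101|allocated
apnic|NZ|ipv4|198.19.16.0|256|20060101|assigned
apnic|CN|ipv6|2001:db8::|32|20060101|allocated
apnic|CN|asn|64512|1|20060101|allocated
"""


def parse_ipv4_records(text):
    """Yield (country, first_address, address_count) for each ipv4 record."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # The version header and the summary lines fail these checks.
        if len(fields) < 7 or fields[2] != "ipv4" or fields[1] == "*":
            continue
        if fields[6] not in ("allocated", "assigned") or not fields[4].isdigit():
            continue
        yield fields[1], ipaddress.IPv4Address(fields[3]), int(fields[4])


def blocked_cidrs(text, exclude=frozenset({"AU", "NZ"})):
    """Return aggregated CIDR strings for every economy not in `exclude`."""
    nets = []
    for cc, first, count in parse_ipv4_records(text):
        if cc in exclude or count < 1:
            continue
        last = first + (count - 1)
        # A count such as 768 is not a power of two, so one record can
        # expand to several prefixes.
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent prefixes, including across economies, to keep the table small.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def table_file(cidrs):
    """Render one CIDR per line, the format a pf table file expects."""
    return "".join(c + "\n" for c in cidrs)


# pf.conf lines that would consume the file (table name and path are assumptions):
#   table <apnic_smtp> persist file "/etc/pf.apnic_smtp"
#   block in quick proto tcp from <apnic_smtp> to any port smtp

if __name__ == "__main__":
    print(table_file(blocked_cidrs(SAMPLE_DELEGATED)), end="")
```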
Re: Spoofers, Spammers & Other Bad Guys
Greg, I meant give me an example of the below. I don't know how the confusion occurred on the other LOL! TIA, beno Greg Hennessy wrote: Killing incoming 25/tcp from cidr blocks assigned to various parts of APNIC and other registries. Much easier and far less hassle than blocking individual addresses. Could you give an example of this? TIA. beno ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
"The Complete FreeBSD": errata and addenda
The trouble with books is that you can't update them the way you can a web page or any other online documentation. The result is that most leading edge computer books are out of date almost before they are printed. Unfortunately, The Complete FreeBSD, published by O'Reilly, is no exception. Inevitably, a number of bugs and changes have surfaced.

"The Complete FreeBSD" has been through a total of five editions, including its predecessor "Installing and Running FreeBSD". Two of these have been reprinted with corrections. I maintain a series of errata pages. Start at http://www.lemis.com/errata-4.html to find out how to get the errata information.

Note also that the book has now been released for free download in PDF form. Instead of downloading the changed pages, you may prefer to download the entire book. See http://www.lemis.com/grog/Documentation/CFBSD/ for more information.

Have you found a problem with the book, or maybe something confusing? Please let me know: I'm no longer constantly updating it, but I may be able to help.

Greg
How to get best results from FreeBSD-questions
How to get the best results from FreeBSD questions.
===================================================

Last update $Date: 2005/08/10 02:21:44 $

This is a regular posting to the FreeBSD questions mailing list. If you got it in answer to a message you sent, it means that the sender thinks that at least one of the following things was wrong with your message:

- You left out a subject line, or the subject line was not appropriate.
- You formatted it in such a way that it was difficult to read.
- You asked more than one unrelated question in one message.
- You sent out a message with an incorrect date, time or time zone.
- You sent out the same message more than once.
- You sent an 'unsubscribe' message to FreeBSD-questions.

If you have done any of these things, there is a good chance that you will get more than one copy of this message from different people. Read on, and your next message will be more successful.

This document is also available on the web at http://www.lemis.com/questions.html.

=====================================================

Contents:

I:   Introduction
II:  How to unsubscribe from FreeBSD-questions
III: Should I ask -questions or -hackers?
IV:  How to submit a question to FreeBSD-questions
V:   How to answer a question to FreeBSD-questions

I: Introduction
===============

This is a regular posting aimed to help both those seeking advice from FreeBSD-questions (the "newcomers"), and also those who answer the questions (the "hackers"). Note that the term "hacker" has nothing to do with breaking into other people's computers. The correct term for the latter activity is "cracker", but the popular press hasn't found out yet. The FreeBSD hackers disapprove strongly of cracking security, and have nothing to do with it.

In the past, there has been some friction which stems from the different viewpoints of the two groups. The newcomers accused the hackers of being arrogant, stuck-up, and unhelpful, while the hackers accused the newcomers of being stupid, unable to read plain English, and expecting everything to be handed to them on a silver platter. Of course, there's an element of truth in both these claims, but for the most part these viewpoints come from a sense of frustration.

In this document, I'd like to do something to relieve this frustration and help everybody get better results from FreeBSD-questions. In the following section, I recommend how to submit a question; after that, we'll look at how to answer one.

II: How to unsubscribe from FreeBSD-questions
=============================================

When you subscribed to FreeBSD-questions, you got a welcome message from [EMAIL PROTECTED] In this message, amongst other things, it told you how to unsubscribe. Here's a typical message:

  Welcome to the freebsd-questions@freebsd.org mailing list!

  If you ever want to unsubscribe or change your options (eg, switch to or from digest mode, change your password, etc.), visit your subscription page at:

  http://lists.freebsd.org/mailman/options/freebsd-questions/[EMAIL PROTECTED]

  (obviously, substitute your mail address for "[EMAIL PROTECTED]"). You can also make such adjustments via email by sending a message to:

  [EMAIL PROTECTED]

  with the word 'help' in the subject or body (don't include the quotes), and you will get back a message with instructions.

  You must know your password to change your options (including changing the password, itself) or to unsubscribe.

  Normally, Mailman will remind you of your freebsd.org mailing list passwords once every month, although you can disable this if you prefer. This reminder will also include instructions on how to unsubscribe or change your account options. There is also a button on your options page that will email your current password to you.

  Here's the general information for the list you've subscribed to, in case you don't already have it:

  FREEBSD-QUESTIONS User questions

  This is the mailing list for questions about FreeBSD. You should not send "how to" questions to the technical lists unless you consider the question to be pretty technical.

Normally, unsubscribing is even simpler than the message suggests: you don't need to specify your mail ID unless it is different from the one which you specified when you subscribed.

If Majordomo replies and tells you (incorrectly) that you're not on the list, this may mean one of two things:

1. You have changed your mail ID since you subscribed. That's where keeping the original message from majordomo comes in handy. For example, the sample message above shows my mail ID as [EMAIL PROTECTED] Since then, I have changed it to [EMAIL PROTECTED] If I were to try to remove [EMAIL PROTECTED] from the list, it would fail: I would have to specify the name with which I joined.

2. You're subscribed to a mailing list which is subscribed to Fr
Re: DNS Blacklist Script?
Already many of the leading DNSBL lists like spamhaus.org and njbl.org use such methods to detect new spammers. We've been using the SBL-XBL + dynablock + SURBL lists with much success reaching up to 95% reduction in spam and so far very very very little false positives.

I have noticed the amount of spam I have been getting climbing, so I needed to crack down. Thanks, I had SBL but not SBL-XBL. I also added dynablock.njabl.org and multi.surbl.org. This is the anti-spam part of my freebsd.mc. That should do the trick.

FEATURE(`dnsbl', `no-more-funn.moensted.dk', `Spammer $&{client_addr} $&f rejected: see http://www.moensted.dk/ (relays)')
FEATURE(`dnsbl',`blackholes.mail-abuse.org',` Mail from $&{client_addr} rejected: see http://mail-abuse.org/cgi-bin/lookup?$&{client_addr}')dnl
FEATURE(`dnsbl',`bl.spamcop.net',` Mail from $&{client_addr} Blocked - see http://www.spamcop.net/bl.shtml?$&{client_addr}')dnl
FEATURE(`dnsbl', `sbl-xbl.spamhaus.org', `Spammer $&{client_addr} $&f rejected: see http://www.spamhaus.org/sbl/index.lasso')
FEATURE(`dnsbl', `list.dsbl.org', `Spammer $&{client_addr} $&f rejected: see http://dsbl.org/main')
FEATURE(`dnsbl', `bl.kq6up.org', `Spammer $&{client_addr} $&f rejected: buzz off spammer')
FEATURE(`dnsbl', `dynablock.njabl.org', `Spammer $&{client_addr} $&f rejected: see http://www.njabl.org/dynablock.html')
FEATURE(`dnsbl', `multi.surbl.org', `Spammer $&{client_addr} $&f rejected: see http://www.surbl.org')
Re: BSDstats Project v2.0 ...
Matthew Seaman wrote:
> Paul Schmehl wrote:
>> 1) encrypt the data being fed to your systems by the script - this should be relatively easy using keys and would ensure that a man in the middle attack would fail. You can connect using ssh and a unique key without having to reveal passwords to anyone.
>
> Uh... HTTPS surely? Because it's relatively simple to implement on both client and server, doesn't require extra software installed on every client beyond the monthly stats script itself and because of the way that HTTPS uses a one-sided Diffie-Hellman exchange to create session keys which means that you don't have any trouble with key management on the many thousands of client boxes out there...

I defer to your obviously greater experience and wisdom. :-)

I would note that these issues appear to be impacting the project. As of right now, there are only 1612 systems reporting in, and I suspect there are a much greater number of systems distributed throughout the computing universe. Certainly some can be attributed to the newness of the project and the small amount of promotion done to date, but I can't help but think that at least some of it is due to hesitancy on the part of some to submit their data.

For my part, I've submitted two public hosts. I have four others I will not submit until I'm certain the data are securely transmitted and stored. Surely I'm not alone?

--
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: BSDstats Project v2.0 ...
Paul Schmehl wrote:
> 1) encrypt the data being fed to your systems by the script - this
> should be relatively easy using keys and would ensure that a man in the
> middle attack would fail. You can connect using ssh and a unique key
> without having to reveal passwords to anyone.

Uh... HTTPS surely? Because it's relatively simple to implement on both client and server, doesn't require extra software installed on every client beyond the monthly stats script itself and because of the way that HTTPS uses a one-sided Diffie-Hellman exchange to create session keys which means that you don't have any trouble with key management on the many thousands of client boxes out there...

In which case rewriting the monthly_stats script to send all the data to the server in one transaction would be a pretty good optimization. It's a pity that fetch(1) doesn't have the capability to do a HTTP POST rather than a GET though, given the amount of stuff to send.

As a matter of interest, does the FreeBSD project or any of the other *BSDs have a CA anywhere that could sign the bsdstats web server cert? If not, then I guess some sort of appeal to raise the cash to get a cert signed by one of the Root CAs might well be in order.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
RE: DNS Blacklist Script?
> >> Does anyone know of a script (or application) to automagically add a
> >> host to a dns blacklist? It would be very convenient to blacklist
> >> all the e-mails sent from a spammer to a honeypot address, or to
> >> blacklist all senders that thunderbird moves into the spam sub-folder.
> >>
> >
> > You need to be very careful implementing something like this. Most
> > Spam nowadays is bot-generated and uses forged 'From' addresses culled
> > from the address books on infected machines. Unless you're careful,
> > you're going to end up blocking a lot of completely innocent people,
> > or worse, blocking your own legitimate e-mail users.
> >
> > Having said that, consider SpamAssassin's 'Auto white list' feature.
> > It also works as a black list, but it's not a binary on-off. Instead,
> > anyone who sends e-mail to your server gets a spam score depending on
> > the ratings of their previous e-mails to you. That's added to the
> > spam score for the e-mail being processed. So someone who continually
> > sends you spammy e-mails won't get the benefit of the doubt on a
> > marginal e-mail, but someone else who sends a lot of ham will.
> >
> > Also included in SpamAssassin is a client for the Vipul's Razor project.
> > That's a database of checksums of spam e-mails that is updated live.
> > Spammer starts sending a few million spam e-mails, but after the first
> > few, there's a mail signature in the Razor DB so that the rest of the
> > world can reject those spams straight away. (Port: mail/razor-agents, WWW:
> > http://razor.sourceforge.net/)
> >
> > Integrating SpamAssassin into a mailing system can be done in many
> > ways depending on what mail software is in use and so forth. Ask
> > again here with details of your mail setup if you're interested in doing that.
> >
> > Cheers,
> >
> > Matthew
> >
> The Razor project looks interesting. However, the site is poorly written, and I can't seem to find out how it actually works.
>
> I am still interested in setting up a honeypot account on my server, then spreading this account all over the net so that the harvesters that have picked up my e-mail address will pick up the spamtrap address. Then, any e-mail received to this account will get canned.
>
> Chris Maness

Already many of the leading DNSBL lists like spamhaus.org and njbl.org uses such methods to detect new spammers. We've been using the SBL-XBL + dynablock + SURBL lists with much success reaching up to 95% reduction in spam and so far very very very little false positives.
Re: DNS Blacklist Script?
Matthew Seaman wrote:
> Chris Maness wrote:
>> Does anyone know of a script (or application) to automagically add a host to a dns blacklist? It would be very convenient to blacklist all the e-mails sent from a spammer to a honeypot address, or to blacklist all senders that thunderbird moves into the spam sub-folder.
>
> You need to be very careful implementing something like this. Most Spam nowadays is bot-generated and uses forged 'From' addresses culled from the address books on infected machines. Unless you're careful, you're going to end up blocking a lot of completely innocent people, or worse, blocking your own legitimate e-mail users.
>
> Having said that, consider SpamAssassin's 'Auto white list' feature. It also works as a black list, but it's not a binary on-off. Instead, anyone who sends e-mail to your server gets a spam score depending on the ratings of their previous e-mails to you. That's added to the spam score for the e-mail being processed. So someone who continually sends you spammy e-mails won't get the benefit of the doubt on a marginal e-mail, but someone else who sends a lot of ham will.
>
> Also included in SpamAssassin is a client for the Vipul's Razor project. That's a database of checksums of spam e-mails that is updated live. Spammer starts sending a few million spam e-mails, but after the first few, there's a mail signature in the Razor DB so that the rest of the world can reject those spams straight away. (Port: mail/razor-agents, WWW: http://razor.sourceforge.net/)
>
> Integrating SpamAssassin into a mailing system can be done in many ways depending on what mail software is in use and so forth. Ask again here with details of your mail setup if you're interested in doing that.
>
> Cheers,
>
> Matthew

The Razor project looks interesting. However, the site is poorly written, and I can't seem to find out how it actually works.

I am still interested in setting up a honeypot account on my server, then spreading this account all over the net so that the harvesters that have picked up my e-mail address will pick up the spamtrap address. Then, any e-mail received to this account will get canned.

Chris Maness
Re: BSDstats Project v2.0 ...
Marc G. Fournier wrote:
> On Fri, 11 Aug 2006, Nikolas Britton wrote:
>> Ok... With my new script it took only 158 minutes to compute ALL TCP/IP address hashes. I'll repeat that... I have an md5 hash for every IP address in the world! All I need to do is grep your hash and it will tell me your IP address. yippee! :-)
>
> Can someone please explain to me what exactly you are trying to secure against in this case?

If you know my IP, my hostname, what OS I'm running and *every* driver I have enabled on my box, you're half way toward breaking in to my box.

What he's saying is that you've chosen the IP address as the index key for the database. Even though you're hashing it with MD5, he has written a script that generates, in less than an hour, the MD5 hash for every single IP address in the world. *If* he can break in to your database and extract its information, he can simply match his hashes against yours and "decode" every IP address. Once he's done that, he has a big fat list of juicy targets to go after.

This is the reason that the only hosts I've submitted are the two that are on public IP addresses. You can get the same info by probing them directly. You won't be getting my other boxes until this problem is solved.

I think two suggestions have been made that are quite worthy of consideration.

1) encrypt the data being fed to your systems by the script - this should be relatively easy using keys and would ensure that a man in the middle attack would fail. You can connect using ssh and a unique key without having to reveal passwords to anyone.

2) use a unique hash, generated at the time of first connection, that identifies the box regardless of its IP, hostname, MAC address or any of the other myriad parameters that can all change over time. This would actually make your data more reliable, since parameters change (IPs, MACs, hostnames, peripherals, etc.), boxes do not.

I realize everyone is very enthusiastic about this project, but, if you want a high adoption rate, you're going to have to consider the concerns of the more security conscious among us.

--
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: BSDstats Project v2.0 ...
On Fri, Aug 11, 2006 at 02:38:48PM +0100, Matthew Seaman wrote:
>
> He's trying to prevent any possibility of information disclosure about
> his servers. If I wanted to hack into his site, knowing what hosts he
> had running (ie. a bunch of live IP numbers) and what OS etc. each used
> would mean I'm already halfway to my goal. Now, while the design of
> bsdstats does not disclose that sort of stuff readily, any security
> conscious admin is going to worry about that data being collected and
> held outside of his administrative control. Having a completely
> anonymous and untraceable token to identify each of the hosts sending
> in information should make connecting the information back to the
> original sender practically impossible.

Yes, this kind of information leakage is particularly bad. Some script kiddie with a given hammer can go in search of just the right nails, and find them. If it's some work to extract info it's still worth it for a tidy list of hosts with a high probability of vulnerability.

> Although, playing devil's advocate here, anyone that could steal the
> Apache log files from the bsdstats server would be able to work out
> that sort of data fairly readily. I guess the truly paranoid should
> only submit their data via some sort of anonymizing proxy.

It's easier than stealing log files. Anyone with access to traffic anywhere along the line can sniff this stuff without cracking into anyone's box.

The suggestion to use a 128-bit random as an ID is a good one. Further, the stats server should have a public key and data sent to it should be encrypted. Or submissions could be over SSL.

--
Darrin Chandler            | Phoenix BSD Users Group
[EMAIL PROTECTED]          | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
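The weakness argued over in this thread, as an added example that is not part of any poster's message or of the bsdstats code: an unkeyed MD5 of an IPv4 address can be mapped back to the address by enumerating the range, while a 128-bit random token is derived from nothing an outsider can enumerate. The function names and the 10.20.0.0/16 sample rows are constructed for illustration.

```python
"""Why MD5(IP) is not an anonymous host ID, and what a random token changes."""
import hashlib
import ipaddress
import secrets
import time


def md5_pseudonym(ip):
    """Identifier scheme criticised in the thread: hex MD5 of the dotted quad."""
    return hashlib.md5(ip.encode("ascii")).hexdigest()


def invert_pseudonyms(stored_hashes, cidr):
    """Resolve stored MD5(IP) values by enumerating every address in `cidr`.

    The hash is unkeyed and unsalted, so a single pass over the range
    resolves every matching row at once. Returns {hash: address}.
    """
    wanted = set(stored_hashes)
    found = {}
    for addr in ipaddress.ip_network(cidr):
        digest = md5_pseudonym(str(addr))
        if digest in wanted:
            found[digest] = str(addr)
            if len(found) == len(wanted):
                break  # every row resolved, no need to finish the range
    return found


def search_space_bits(cidr):
    """log2 of the number of candidate inputs behind a hash of this range."""
    return ipaddress.ip_network(cidr).num_addresses.bit_length() - 1


def new_host_token():
    """128 random bits from the OS CSPRNG, unrelated to IP, hostname or MAC."""
    return secrets.token_hex(16)


def hashes_per_second(sample_cidr="10.20.0.0/16"):
    """Measure local MD5(IP) throughput on a constructed /16."""
    net = ipaddress.ip_network(sample_cidr)
    start = time.perf_counter()
    for addr in net:
        md5_pseudonym(str(addr))
    return net.num_addresses / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed "database dump": three rows keyed by MD5(IP).
    rows = [md5_pseudonym(ip) for ip in ("10.20.3.4", "10.20.250.9", "10.20.77.1")]
    print(invert_pseudonyms(rows, "10.20.0.0/16"))

    # The hash quoted in the thread for 24.224.179.167, searched in its /24.
    quoted = "45c80b9266a5a6683eee9c9798bd6575"
    print(invert_pseudonyms([quoted], "24.224.179.0/24"))

    # Extrapolate the measured rate to the whole 32-bit address space.
    rate = hashes_per_second()
    print("full IPv4 space at this rate: %.0f minutes" % (2 ** 32 / rate / 60))

    # A random token looks like an MD5 digest but matches no address.
    token = new_host_token()
    print(token, invert_pseudonyms([token], "10.20.0.0/16"))
```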
Re: Almost ready with diskless setup
On Thu, Aug 10, 2006 at 08:39:15PM +0200, Nagy László Zsolt wrote:
> >2. syslogd tells that it cannot open the pid file. (Operation not
> >supported) However, it creates /var/log/syslogd.pid. But that file is
> >empty. What can be the problem?
> After making another diskless distribution, I found out that the
> 'Operation not supported' error comes out because of calling flock() on
> nfs. For example:
>
> ---
> sendmail_submit: /etc/mail/aliases.db not present, generating
> cannot flock(/etc/mail/aliases, fd=3, type=6, omode=4002, euid=0):
> Operation not supported
> --
>
> The same message (Operation not supported) comes when creating the pid
> file /var/log/syslogd.pid. The /var/log filesystem is writeable. Is it
> possible that flock() is not implemented on nfs? :-(

It is, but you need to enable it:

On the NFS server and clients, add to /etc/rc.conf:

rpcbind_enable="YES"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"

> Laszlo

Regards,
-cpghost.

--
Cordula's Web. http://www.cordula.ws/
Re: BSDstats Project v2.0 ...
Marc G. Fournier wrote:
> On Fri, 11 Aug 2006, Nikolas Britton wrote:
>
>> Ok... With my new script it took only 158 minutes to compute ALL
>> TCP/IP address hashes. I'll repeat that... I have an md5 hash for
>> every IP address in the world! All I need to do is grep your hash and
>> it will tell me your IP address. yippee! :-)
>
> Can someone please explain to me what exactly you are trying to secure
> against in this case?

He's trying to prevent any possibility of information disclosure about his servers. If I wanted to hack into his site, knowing what hosts he had running (ie. a bunch of live IP numbers) and what OS etc. each used would mean I'm already halfway to my goal. Now, while the design of bsdstats does not disclose that sort of stuff readily, any security conscious admin is going to worry about that data being collected and held outside of his administrative control. Having a completely anonymous and untraceable token to identify each of the hosts sending in information should make connecting the information back to the original sender practically impossible.

Although, playing devil's advocate here, anyone that could steal the Apache log files from the bsdstats server would be able to work out that sort of data fairly readily. I guess the truly paranoid should only submit their data via some sort of anonymizing proxy.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Re: problem compliling new kernel for SCTP
On Thu, Aug 10, 2006 at 03:16:56PM -0500, [EMAIL PROTECTED] wrote:
> I am trying to install SCTP enabled Apache server and Mozilla browser on
> FreeBSD 6.0
> These are things that i have done:
>
> 1) I downloaded the kernel patch from sctp.org and applied it.
> 2) Included the line "options SCTP" in MY kernel source code at /usr/src/sys
> after making a copy of GENERIC and
> called it MYKERNEL
> 3) ran config to generate kernel source code
>
> Problem:
>
> this gives error, device mfi and device bce are unknown, so i commented out
> device mfi and device bce.
>
> 3) again ran config to generate kernel source code, which was successful.
> changed into
> the /usr/src/compileMYKERNEL.
> 4) Ran the "make depend" command.
>
> Problem:
> Now it gives the following error:
> ERROR(1)
> ln -s /usr/src/sys/i386/compile/MYKERNEL/opt_bce.h opt_bce.h
> ln: opt_bce.h: File exists
> *** Error code 1
>
> Stop in /usr/src/sys/modules/bce.
> *** Error code 1
>
> Stop in /usr/src/sys/modules.
> *** Error code 1
>
> Stop in /usr/src/sys/i386/compile/MYKERNEL.
>
>
> 5) Then I copied /usr/src/sys/kern into /usr/include/sys and tried doing
> "make buildworld"
>
> PROBLEM:
> This gives the following error:
> ERROR (2)
> /usr/src/usr.bin/netstat/mbuf.c: In function `mbpr':
> /usr/src/usr.bin/netstat/mbuf.c:158: error: `MBUF_JUMBOP_MEM_NAME' undeclared
> (first use in this function)
> /usr/src/usr.bin/netstat/mbuf.c:158: error: (Each undeclared identifier is
> reported only once
> /usr/src/usr.bin/netstat/mbuf.c:158: error: for each function it appears in.)
> /usr/src/usr.bin/netstat/mbuf.c:171: error: `MBUF_JUMBO9_MEM_NAME' undeclared
> (first use in this function)
> /usr/src/usr.bin/netstat/mbuf.c:184: error: `MBUF_JUMBO16_MEM_NAME'
> undeclared (first use in this function)
> *** Error code 1
>
> Stop in /usr/src/usr.bin/netstat.
> *** Error code 1
>
> Stop in /usr/src/usr.bin.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
>
> REQUIRE HELP with the following:
> 1) How do I enable FREEBSD kernel with SCTP?
> 2) Am i moving in the right direction? Are the steps followed above correct?
> 3) How do i get rid of errors (1)and (2)?
>
> I would really appreciate any kind of assistance.

Talk to the author of the SCTP patch.

Kris
Re: BSDstats Project v2.0 ...
On Fri, 11 Aug 2006, Nikolas Britton wrote:
> Ok... With my new script it took only 158 minutes to compute ALL TCP/IP address hashes. I'll repeat that... I have an md5 hash for every IP address in the world! All I need to do is grep your hash and it will tell me your IP address. yippee! :-)

Can someone please explain to me what exactly you are trying to secure against in this case?

Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . [EMAIL PROTECTED]  MSN . [EMAIL PROTECTED]
Yahoo . yscrappy           Skype: hub.org  ICQ . 7615664
RE: Any idea how to stress test our bandwidth?
Your client has a major flaw in their test plan. Just because they have large bandwidth to you does not mean the public websites they want to test with also have that size bandwidth. So any time they test loading up targeting some public website they will be limited to some portion of the targeted website's max bandwidth. Both sending and receiving sites must have the same bandwidth for their test plan to have meaning. Like when the client tests with you, who is their ISP.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of jay alvarez
Sent: Friday, August 11, 2006 4:02 AM
To: freebsd-questions@freebsd.org
Subject: Any idea how to stress test our bandwidth?

I hope you don't mind my asking this here.

I'm working in an ISP right now. We are using mrtg for each client connected to us. They can view their mrtg statistics. Their way to the internet is to us. Say a client connects to us via E1, they are guaranteed of 2.048Mbps because our uplink to the Internet is more than the total of all the clients link's bandwidth that are connected to us. Now one client wants to make sure that they will be able to reach their guaranteed bandwidth through the mrtg graphs. If we transfer huge data from their site only up to us, we can theoretically stress out their bandwidth. However, they want to try increasing their consumption and see for their self if they will reach the desired bandwidth if they are actually connecting to any site in the Internet, outside our network. Running iperf from their site to us doesn't seem to reflect to the MRTG. Any idea how to explain this to our client?

Thank you very much for your help
-JaY
Re: Spoofers, Spammers & Other Bad Guys
Greg Hennessy wrote:
> Killing incoming 25/tcp from cidr blocks assigned to various parts of APNIC and other registries. Much easier and far less hassle than blocking individual addresses.

Could you give an example of this?
TIA.
beno
Re: BSDstats Project v2.0 ...
Nikolas Britton wrote: > Ok... With my new script it took only 158 minutes to compute ALL > TCP/IP address hashes. I'll repeat that... I have an md5 hash for > every IP address in the world! All I need to do is grep your hash and > it will tell me your IP address. yippee! :-) > > Can we please find a new method to track hosts... perhaps my earlier > example: ifconfig |md5. If not please remove my entries in the > database. How about the attached diff. As discussed else-thread, this generates a random ID 128bit token -- the chances of any two hosts generating the same token are so minuscule as to be negligible. The token is cached in a file /var/db/bsdstats for re-use in later months. This also adds the capability for the paranoid to withhold the hostname of the machine, and it removes what looks like a forgotten bit of debugging code that would mean Marc would get quite a lot of e-mail each month... I believe the default for CGI scripts is to ignore any extra parameters that they weren't programmed to expect[1], so this should even be compatible with the current bsdstats stuff. Cheers, Matthew [1] No one would seriously contemplate running PHP with 'register_globals' enabled in this day and age would they? -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --- /usr/ports/sysutils/bsdstats/files/300.statistics Thu Aug 10 10:58:00 2006 +++ 300.statistics Fri Aug 11 12:56:54 2006 @@ -5,7 +5,6 @@ # If there is a global system configuration file, suck it in. # -monthly_statistics_mailto="[EMAIL PROTECTED],root" if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf 
@@ -37,22 +36,50 @@ /usr/bin/fetch -qo /dev/null "http://$checkin_server/scripts/$1"; } -checkin_server="bsdstats.hub.org"; +get_id_token () { +if [ -f $id_token_file ] ; +then + . $id_token_file +else + IDTOKEN=$( openssl rand -base64 16 ) + touch $id_token_file && \ + chown root:wheel $id_token_file && \ + chmod 600 $id_token_file && \ + echo "IDTOKEN='$IDTOKEN'" > $id_token_file +fi +IDTOKEN=$( uri_escape $IDTOKEN ) +} + +checkin_server='bsdstats.hub.org' +id_token_file='/var/db/bsdstats' + +# Send hostname to the stats server? Default yes -- set to "NO" +# in periodic.conf if desired. + +monthly_statistics_reveal_hostname=${monthly_statisics_reveal_hostname-"YES"} case "$monthly_statistics_enable" in [Yy][Ee][Ss]) - HN=`/bin/hostname` + get_id_token + case "$monthly_statistics_reveal_hostname" in + [Yy][Ee][Ss]) + HN=`/bin/hostname` + ;; + *) + HN='(no-hostname)' + ;; + esac SYS=`/usr/bin/uname -r` ARCH=`/usr/bin/uname -m` OS=`/usr/bin/uname -s` - do_fetch getid.php?hn=$HN\&sys=$SYS\&arch=$ARCH\&opsys=$OS + do_fetch getid.php?id=$IDTOKEN\&hn=$HN\&sys=$SYS\&arch=$ARCH\&opsys=$OS echo "Posting monthly OS statistics to $checkin_server" case "$monthly_statistics_report_devices" in [Yy][Ee][Ss]) IFS=" " -do_fetch clear_devices.php?hn=$HN +do_fetch clear_devices.php?id=$IDTOKEN\&hn=$HN for line in `/usr/sbin/pciconf -l | /usr/bin/grep -v none` do DRIVER=`echo $line | awk -F\@ '{print $1}'` @@ -60,7 +87,7 @@ DEV=`echo $line | awk '{print $4}' | cut -c8-11` CLASS=`echo $line | awk '{print $2}' | cut -c9-10` SUBCLASS=`echo $line | awk '{print $2}' | cut -c11-14` -do_fetch report_device.php?driver=$DRIVER\&vendor=$VEN\&device=$DEV\&class=$CLASS\&subclass=$SUBCLASS\&hn=$HN +do_fetch report_device.php?id=$IDTOKEN\&driver=$DRIVER\&vendor=$VEN\&device=$DEV\&class=$CLASS\&subclass=$SUBCLASS\&hn=$HN done echo "Posting monthly device statistics to $checkin_server" 
@@ -69,10 +96,10 @@ DEV=$( uri_escape $( echo $line | cut -d ' ' -f 2- ) ) n=0 count=$( sysctl -n hw.ncpu ) -do_fetch clear_cpu.php?hn=$HN +do_fetch clear_cpu.php?id=$IDTOKEN\&hn=$HN while [ $n -lt $count ] do -do_fetch report_cpu.php?cpu_id=CPU$n\&vendor=$VEN\&cpu_type=$DEV\&hn=$HN +do_fetch report_cpu.php?id=$IDTOKEN\&cpu_id=CPU$n\&vendor=$VEN\&cpu_type=$DEV\&hn=$HN n=$(( $n + 1 )) done echo "Posting monthly CPU statistics to $checkin_server" signature.asc Description: OpenPGP digital signature
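Review bot: in the second hunk (@@ -37,22 +36,50 @@) the default for the new opt-out is read from a misspelled variable. The line monthly_statistics_reveal_hostname=${monthly_statisics_reveal_hostname-"YES"} expands monthly_statisics_reveal_hostname (missing "t"), which periodic.conf will not set, so the result is always "YES"; because this assignment runs after periodic.conf has been sourced, a "NO" set by the admin is overwritten and the hostname is still sent. The right-hand side should name monthly_statistics_reveal_hostname. In the same hunk, get_id_token sources $id_token_file with "." whenever the file exists, so whatever that file contains is executed by the periodic job; owner and mode are set only when the file is created and are not checked on later runs, and reading the value instead of sourcing it would avoid executing the file at all.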
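Review bot: in the third hunk (@@ -60,7 +87,7 @@) report_device.php gains id=$IDTOKEN but still appends hn=$HN, and the request goes through do_fetch, whose context line in the previous hunk builds an http:// URL, so the new token travels unencrypted in the query string next to the hostname on every device report (the same pattern repeats for clear_cpu.php and report_cpu.php in the last hunk). Now that id identifies the host, hn could be dropped from the per-device and per-CPU calls and sent once in getid.php, and do_fetch could move to https once the server offers it. $HN is also passed without uri_escape, unlike IDTOKEN, so the new '(no-hostname)' value and any unusual hostname go into the URL raw.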
Re: iCal Server
On 8/9/06, Joe Auty <[EMAIL PROTECTED]> wrote:
> Anybody working on porting this Apple product to FreeBSD? The source code can be downloaded here:
> http://trac.macosforge.org/projects/collaboration/wiki
>
> I'm really interested in a product like this, and Chandler looks like a pretty decent client.

I doubt it... iCal server was just announced at WWDC06. Looks cool... Is it supposed to be an MS exchange killer?

--
BSD Podcasts @:
http://bsdtalk.blogspot.com/
http://freebsdforall.blogspot.com/
Re: Any idea how to stress test our bandwidth?
Maybe this helps...

http://www.netperf.org/netperf/NetperfPage.html

Bob

On Fri, 2006-08-11 at 01:01 -0700, jay alvarez wrote:
> I hope you don't mind my asking this here.
>
> I'm working in an ISP right now. We are using mrtg for
> each client connected to us. They can view their mrtg
> statistics. Their way to the internet is to us. Say a
> client connects to us via E1, they are guaranteed of
> 2.048Mbps because our uplink to the Internet is more
> than the total of all the clients link's bandwidth
> that are connected to us. Now one client wants to make
> sure that they will be able to reach their guaranteed
> bandwidth through the mrtg graphs. If we transfer huge
> data from their site only up to us, we can
> theoretically stress out their bandwidth. However,
> they want to try increasing their consumption and see
> for their self if they will reach the desired
> bandwidth if they are actually connecting to any site
> in the Internet, outside our network. Running iperf
> from their site to us doesn't seem to reflect to the
> MRTG. Any idea how to explain this to our client?
>
>
> Thank you very much for your help
> -JaY
Re: BSDstats Project v2.0 ...
Ok... With my new script it took only 158 minutes to compute ALL TCP/IP address hashes. I'll repeat that... I have an md5 hash for every IP address in the world! All I need to do is grep your hash and it will tell me your IP address. yippee! :-)

Can we please find a new method to track hosts... perhaps my earlier example: ifconfig |md5. If not please remove my entries in the database.

I've attached the script used to make the hashes.

On 8/10/06, Nikolas Britton <[EMAIL PROTECTED]> wrote:
On 8/9/06, Nikolas Britton <[EMAIL PROTECTED]> wrote:
> On 8/9/06, Marc G. Fournier <[EMAIL PROTECTED]> wrote:
> > On Wed, 9 Aug 2006, Paul Schmehl wrote:
> >
> > > Marc G. Fournier wrote:
> > >> On Wed, 9 Aug 2006, Igor Robul wrote:
> > >>
> > >>> On Tue, Aug 08, 2006 at 09:30:42PM -0300, Marc G. Fournier wrote:
> > Could create problems long term .. one thing I will be using the
> > IPs to do is:
> >
> > SELECT ip, count(1) FROM systems GROUP BY ip ORDER BY count DESC;
> >
> > to look for any 'abnormalities' like todays with Armenia ...
> >
> > hashing it would make stuff like that fairly difficult ...
> > >>> You can make _two_ hashes and then concatenate to form unique key.
> > >>> Then you still be able to see "a lot of single IPs". Personaly, I dont
> > >>> care very much about IP/hostname disclosure :-)
> > >>
> > >> Except that you are disclosing that each and every time you send out an
> > >> email, or hit a web site ... :)
> > >>
> > > The systems I'm concerned about are on private IP space, to not send email
> > > and don't have X installed, much less a web browser and can only access
> > > certain FreeBSD sites to update ports. In fact, they're not even accessible
> > > from *inside* our network except from certain hosts. In order to
> > > successfully run the stats script on these hosts, I would have to open a hole
> > > in the firewall to bsdstats.hub.org on the correct port.
> > >
> > > And yes, I *am* paranoid. But if you really want *all* statistics you can
> > > get, then you'll have to deal with us paranoid types. My workstation, which
> > > is on a public IP, is already registered.
> >
> > Done ... now I really hope that the US stats rise, maybe? I have a hard
> > time believing that Russia and the Ukraine have more deployments then the
> > 'good ol'US of A' ... or do they? *raised eyebrow*
> >
> > Here is what is now stored in the database (using my IP as a basis)
> >
> > # select * from systems where ip = md5('24.224.179.167');
> >   id  |                ip                |             hostname             | operating_system |  release   | architecture | country |        report_date
> > ------+----------------------------------+----------------------------------+------------------+------------+--------------+---------+---------------------------
> >  1295 | 45c80b9266a5a6683eee9c9798bd6575 | 4a9110019f2ca076407ed838bf190017 | FreeBSD          | 6.1-RC1    | i386         | CA      | 2006-08-09 02:34:05.12579
> >     1 | 45c80b9266a5a6683eee9c9798bd6575 | 9a45e58ab9535d89f0a7d2092b816364 | FreeBSD          | 6.1-STABLE | i386         | CA      | 2006-08-09 16:01:03.34788
> >
>
> Why don't you just broadcast the ip address, it's what your doing now
> anyways. 253^4 is a very small number.
>
> infomatic# perl
> my $num = 0;
> system "date";
> while ($num <= 409715208) {
> $num++
> }
> system "date";
> Wed Aug 9 18:18:45 CDT 2006
> Wed Aug 9 18:20:48 CDT 2006
>
> 2 minutes * 10 = 20 minutes to iterate though 4 billion IP addresses
> on a very slow uni-proc system. I could even store every IP to md5
> hash using less then 222GB of uncompressed space.
>
> If you want... give me the md5 hash of a real ip address that is
> unknown to me and I will hand you the ip address in two days... or
> less. run the IP address though like this:
>
> md5 -s "xxx.xxx.xxx.xxx"
>
> I have other things to do with my time, so I don't really want to do
> this, but if that's what it takes to stop this idea dead I'll do it.
>

Here's a better way to explain the problem: Let's say we need to find Marc's IP address but we only have it's md5 hash value. Some of you may think this is hard to do but it's not.
All we need to do is compute every IP address into a hash and then match Marc's hash to one in our list:

24.224.179.164 = e7e7a967c5f88d9fb10a1f22cd2133d2
24.224.179.165 = 3aa9b50aa7190f5aca1f78f075dc69c2
24.224.179.166 = c695175e48d649e3496ac715406a488d
24.224.179.167 = 45c80b9266a5a6683eee9c9798bd6575

So what is an IP address?... mathematically speaking it's 4 base 255 numbers grouped together:

{0, ..., 255}.{0, ..., 255}.{0, ..., 255}.{0, ..., 255}

To calculate how many combinations there could be you simply take the base unit and raise it to the 4th power, since there are 4 of them. This gives us 255^4 combinations or 4,228,250,625 TCP/IP addresses. We also know that the first number can't be 0 or 255 and the others can't be 255, we can also rule out all 127
Once again lost in the woods with QEMU, pf, bridge.sh, tap...
Hello.

I'm trying to get qemu with tap networking happening under FreeBSD 6.1. I did make some progress with the last solution given to me, but I still couldn't get it to work. Doing things this way seems to be the only method that works for me currently.

The main problem I'm having is that I can't seem to get pf to do any packet filtering. My setup currently looks like this:

/etc/pf.conf:

nic0 = "fxp0"
host_ip = "192.168.2.5"

#--#

pass in log all
pass out log all

--

if-up2:

#!/bin/sh -x

ext_if="fxp0"
tap_if="$1"

sudo ifconfig $tap_if 0.0.0.0 up

--

run-qemu2.sh:

#!/bin/sh -x

sudo sysctl net.link.tap.user_open=1
sudo ./bridge.sh start
qemu \
  -m 128 \
  -net nic \
  -net tap,script=if-up2 \
  -hda openbsd_39_hda.img
sudo ./bridge.sh stop
sudo sysctl net.link.tap.user_open=0

--

'bridge.sh' is the standard bridge.sh copied from /usr/src and edited for my interfaces:

BRIDGE_NAME="bnet0"
BRIDGE_IFACES="fxp0 tap0"
LOCAL_IFACES="fxp0"

Now, the OpenBSD guest is set up to have the IP address '192.168.2.7', and it does work. I can connect out from the guest and I can SSH in with no problems.

HOWEVER - pf doesn't log the packets, and this is worrying. I seem to be somehow avoiding pf logging, despite the fact that I've told pf to log everything coming in or out of the machine (it also logs traffic on loopback, for now).

I fully admit that I don't understand everything going on here, particularly the magic inside bridge.sh. I basically just want to be able to tell pf to filter all packets coming from the tap0 interface (doesn't seem to work) or all packets coming from 192.168.2.7 (unreliable, I would think, what if the guest OS spoofs the source address?).

help, flames, etc, appreciated.

MC
Any idea how to stress test our bandwidth?
I hope you don't mind my asking this here.

I'm working at an ISP right now. We are using mrtg for each client connected to us. They can view their mrtg statistics. Their way to the internet is through us. Say a client connects to us via E1: they are guaranteed 2.048Mbps because our uplink to the Internet is more than the total bandwidth of all the client links that are connected to us.

Now one client wants to make sure that they will be able to reach their guaranteed bandwidth through the mrtg graphs. If we transfer huge data from their site only up to us, we can theoretically stress out their bandwidth. However, they want to try increasing their consumption and see for themselves if they will reach the desired bandwidth if they are actually connecting to any site in the Internet, outside our network.

Running iperf from their site to us doesn't seem to be reflected in the MRTG.

Any idea how to explain this to our client?

Thank you very much for your help

-JaY
Re: Accessing FreeBSD partition from Windows with dual boot
Martin Miedema wrote:

I'm looking for a way to access (read only is fine) a FreeBSD partition on my Windows installation on a dual boot notebook (so Samba won't do the trick).

I read a couple of things after some googling about CrossFS which basically should be a UFS driver for windows. Unfortunately all these articles / posts are from 2001 / 2002 and the link that's in them no longer works: http://crossfs.bizland.com

Does anyone know if this project still exists? and if not if there is any other alternative to use?

Martin.

FFS driver is doing the trick perfectly, it took a couple of reboots before I got it to work (only used hibernation in Windows since I installed FreeBSD so Windows didn't see the partition yet.)

I haven't tried UFS2tools.sourceforge.net yet, but I will definitely try.

Thanks everyone for the great help :-)
Re: Finding IP Addresses (OT)
Olivier Nicole wrote:

I'd advise you not to filter SSH by IP, that would be the best way to lock you out of your server.

I did that once :) No fun! But I'll be much more careful this time!

Even if you find all the IP used by your ISP, you cannot predict when the IP range will change, and it DOES change.

Hmmm. Worst-case scenario, the server farm would have access. Thinking...

If you limit the IP that can SSH to your server, you will not be able to login when you are traveling and some urgent administration task needs to be performed. And the most urgent tasks must often be performed when traveling...

I *never* travel! I live in paradise, my needs are minimal and satisfied, and I have no reason to travel :)

Set a strong password to your account (8+ characters, using letters up and lower case, numbers and punctuation signs), do not allow SSH to root account, enforce using sudo instead of su.

Never heard of sudo before. Looking it over, I don't understand how that would be beneficial in my case, since I'm the only one who really does anything on the machine. I could and should set it up for those occasions when I have others go in, however. Comments?

TIA,
beno