Re: [SSHd] Limiting access from authorized IP's
> this:
>
> AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
>
> It looks like AllowHosts is not available with the version of SSH that comes with FreeBSD. This works:
>
> AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

man hosts.allow

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: [SSHd] Limiting access from authorized IP's
At 18:17 18/04/2008 -0500, Paul Schmehl wrote:
> If you want to restrict sshd logins by host, you can use AllowUsers like this:
>
> AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

It looks like AllowHosts is not available with the version of SSH that comes with FreeBSD. This works:

AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

Thanks.
Re: [SSHd] Limiting access from authorized IP's
On Fri, 18 Apr 2008 13:46:48 -0500 Paul Schmehl <[EMAIL PROTECTED]> wrote:

> Let me clarify. When I use the term "host", I'm referring to what many would call a "personal workstation" or "personal computer". If you have more than one person who has shell access to a computer, then you no longer have a host. You have a server. Sure, you may not think of it that way, but that's what it is.
>
> Servers are a completely different ballgame, and the decisions you make regarding protecting them have everything to do with who has access to what. The servers that I referenced in my post have one person with root access - me - and one user - the owners. No one else has access. So, it's a great deal easier for me to lock down the boxes than it is, for example, here at work, where *many* people have shell access and more than one have root access through sudo or even su.

Sorry for bikeshedding here, since it's just a matter of terminology, but... "Hosts" used to be multi-user machines for a long time, and actually still are. Most RFCs, including newer ones, refer to "hosts" and mean "nodes" on the net. They don't care whether the hosts are workstations used by a single or few user(s), or big multi-user machines with hundreds of shell accounts.

"Server" is merely the role a program assumes when it waits passively for requests from "clients". "Servers" run on "hosts", regardless of the number of users on those hosts (ranging from 0 to very high).

Obviously, the security implications vary considerably if you have to host many user accounts, esp. on hosts used by mission critical server programs. ;)

And of course, the bikeshed has to be painted... red! :)

Regards,
-cpghost.

--
Cordula's Web. http://www.cordula.ws/
Re: [SSHd] Limiting access from authorized IP's
--On Saturday, April 19, 2008 00:12:41 +0200 Gilles <[EMAIL PROTECTED]> wrote:

> On Fri, 18 Apr 2008 10:04:37 +0100, FreeBSD - Wire Consulting <[EMAIL PROTECTED]> wrote:
> (snip)
>
> Seems like I didn't do it right:
>
> /etc/ssh/sshd_config:
> [...]
> AllowHosts 192.168.0 82.227.x.x
>
> # /etc/rc.d/sshd restart
> Stopping sshd.
> Starting sshd.
> /etc/ssh/sshd_config: line 119: Bad configuration option: AllowHosts
> /etc/ssh/sshd_config: terminating, 1 bad configuration options

I don't see an "AllowHosts" option in man (5) sshd_config. There's AllowGroups, AllowTcpForwarding, AllowUsers, but no AllowHosts.

If you want to restrict sshd logins by host, you can use AllowUsers like this:

AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

etc., etc. The list is space-separated on a single line.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
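To make the AllowUsers advice above concrete, here is an added example (written for this thread, not OpenSSH's own code) that evaluates a USER@HOST list the way sshd_config(5) documents it: entries are space-separated, '*' and '?' are wildcards, the HOST part must match the client's hostname or IP address, and once an AllowUsers line exists any login that matches no entry is refused. The entries and connection tuples are constructed; the one detail worth noticing is that patterns are anchored, so a prefix like the 192.168.0 from the failed AllowHosts attempt must be written 192.168.0.* to match a whole address.

```python
"""Added example: how an AllowUsers line is evaluated, modelled on sshd_config(5).

Illustrative reimplementation, not OpenSSH's own code. Semantics followed:
  - each entry is USER or USER@HOST; '*' matches any run, '?' one character
  - with USER@HOST, HOST must match the client's hostname or its IP address
  - with any AllowUsers in effect, a login matching no entry is refused
Sample entries and connection tuples below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate an sshd-style wildcard pattern into a regex anchored at both ends."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


@dataclass
class AllowUsersEntry:
    user_pattern: str
    host_pattern: Optional[str]  # None: the user may log in from any host

    @classmethod
    def parse(cls, token: str) -> "AllowUsersEntry":
        # Split at the first '@'; everything after it is the host pattern.
        if "@" in token:
            user, host = token.split("@", 1)
            return cls(user, host)
        return cls(token, None)

    def matches(self, user: str, hostname: str, ip: str) -> bool:
        if not pattern_to_regex(self.user_pattern).match(user):
            return False
        if self.host_pattern is None:
            return True
        host_re = pattern_to_regex(self.host_pattern)
        # Either the reverse-resolved name or the literal address may satisfy HOST.
        # Caveat: with UseDNS off, sshd only has the address, so name patterns never match.
        return bool(host_re.match(hostname) or host_re.match(ip))


def parse_allow_users(line: str) -> List[AllowUsersEntry]:
    """Parse one 'AllowUsers a@b c d@*.example.org' config line into entries."""
    keyword, _, rest = line.strip().partition(" ")
    if keyword.lower() != "allowusers":  # sshd keywords are case-insensitive
        raise ValueError("not an AllowUsers line: %r" % line)
    return [AllowUsersEntry.parse(tok) for tok in rest.split()]


def login_allowed(entries: List[AllowUsersEntry], user: str, hostname: str, ip: str) -> bool:
    """With AllowUsers in effect, a login must match at least one entry."""
    return any(e.matches(user, hostname, ip) for e in entries)


if __name__ == "__main__":
    # Constructed sample line. Note the trailing '.*': a bare '192.168.0'
    # would match nothing, because patterns are anchored at both ends.
    entries = parse_allow_users("AllowUsers alice@192.168.0.* bob@*.example.org carol")
    print(login_allowed(entries, "alice", "192.168.0.7", "192.168.0.7"))    # True
    print(login_allowed(entries, "alice", "10.0.0.5", "10.0.0.5"))          # False
    print(login_allowed(entries, "bob", "desk.example.org", "82.227.1.2"))  # True
    print(login_allowed(entries, "dave", "192.168.0.7", "192.168.0.7"))     # False
```

The check is useful when reviewing a config before restarting sshd: run each (user, hostname, ip) you expect to keep working through login_allowed and you see immediately whether a typo in the host part has locked an administrator out.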
Re: [SSHd] Limiting access from authorized IP's
On Fri, 18 Apr 2008 10:04:37 +0100, FreeBSD - Wire Consulting <[EMAIL PROTECTED]> wrote:
(snip)

Seems like I didn't do it right:

/etc/ssh/sshd_config:
[...]
AllowHosts 192.168.0 82.227.x.x

# /etc/rc.d/sshd restart
Stopping sshd.
Starting sshd.
/etc/ssh/sshd_config: line 119: Bad configuration option: AllowHosts
/etc/ssh/sshd_config: terminating, 1 bad configuration options

Thanks.
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 21:37:45 +0200 Mel <[EMAIL PROTECTED]> wrote:

>> [4] # grep sshd /etc/defaults/rc.conf
>> sshd_enable="NO"  # Enable sshd
>
> No? Surely you're not using inetd?

> I haven't used inetd in years. I'm not sure why you think I would be.

> Well, since sshd_enable is set to no, I assumed inetd would be where you've started it.

Aw, I got it. You apparently didn't notice that I grepped /etc/*defaults*/rc.conf. (I don't set any flags for sshd, so I wouldn't have anything except enable in /etc/rc.conf.)

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [SSHd] Limiting access from authorized IP's
On Friday 18 April 2008 20:53:37 Paul Schmehl wrote:
> --On Friday, April 18, 2008 20:30:53 +0200 Mel <[EMAIL PROTECTED]> wrote:
> > On Friday 18 April 2008 16:53:49 Paul Schmehl wrote:
> >> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed.
> >
> > That's your assumption.
> > First of all, firewalls are for preventing unwanted connections, this is not necessarily the same as access to running services.
> > Prime examples: cable modem and windows hosts broadcast spam on an ISP's network, ping floods. User scans [1], vulnerability scans, open relay scanners, spammers fall into running services category.
>
> They don't fall into the category of services that you authorized or approved of. Keep in mind, we're talking about *hosts*, individual workstations if you will, not enterprises.

Well, I don't particularly like someone using my bandwidth to find out if I changed my mailserver config to such that I would now be an open relay, every 10-20 minutes for weeks on end, so I want it to be over with at the TCP level, not at the daemon level. Individual hosts are exactly the target for these scans. Same with the webserver, there are a great number of requests that separate a scan from a legitimate user.

> >> For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***.
> >
> > It is an illusion to think that the patch always comes before the exposure.
>
> It's a worse illusion to believe the firewall is going to help. If the service is exposed and compromised, the firewall wouldn't be blocking it anyway.

In a targeted scenario, this is correct. However, scans precede the attack and one example I gave with grok, you can limit the chances that the attacker gets the information he needs to exploit the bug he's looking for.

> Furthermore, if the host is compromised, the firewall is one of the first things that will be disabled.

That would require root. So there's something else wrong in the chain, or it is one of those unfortunate services that run as root.

> > Secondly, pending the amount of services you offer, this can be a full task and especially for the "hobby" category, it is more time-efficient to shut off any unauthorized traffic to begin with.
> > Say, some webapp allows uploading a file and executing it. It is then quite easy to add a daemon to your server, that you have not configured. With a firewall in default block mode, this daemon does not receive connections. Even when the patch is released before exposure, you could be, say sleeping and it can be too late. For some this is paranoia, for others common sense.
>
> Again, the firewall is providing a false sense of security in exactly the scenario you propose. Where do you think hackers' daemons are running these days? **On the ports that you can't close on the firewall**.

I'm curious which those are.

> >> [4] # grep sshd /etc/defaults/rc.conf
> >> sshd_enable="NO"  # Enable sshd
> >
> > No? Surely you're not using inetd?
>
> I haven't used inetd in years. I'm not sure why you think I would be.

Well, since sshd_enable is set to no, I assumed inetd would be where you've started it.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 09:15:41 -0700 Kurt Buff <[EMAIL PROTECTED]> wrote:

> Not to detour this conversation too much, I hope, but I'm in a different situation, and this is going to be an issue for me.
>
> I'm putting together a box that's going to be a router for our company, using BGP to give access to our T1 and frac DS3. That's all it should be doing, it will have no other services. It'll be in our server room, though, so I won't have to get at it from anywhere, except perhaps home, and even that could be avoided by simply traveling the 10 miles to work.
>
> So, I'm wondering how to lock it down - I'm even contemplating eliminating any MTA and sshd, and just running the routing daemon, but sshd is just so useful that it's hard to do without, and eliminating the MTA denies me the goodness of the periodic reports.

Just have the MTA listen on localhost or on a unix socket. It can still send the reports that way but can't be attacked from outside (excepting the limited case that Matthew referred to.)

> 'Casting syslog to my internal syslog host is also problematic, but possible, I suppose.

Well, you *should* be remote syslogging any critical machines like that, but that doesn't mean the host itself has to listen for incoming syslog messages.

WRT SSH, if it's a real concern, only allow access from your internal network. Then use a publicly accessible machine to tunnel through to it. (But lock it down as well. Attackers can come from the inside of your network just as easily as they can from outside.)

> Then there's the problem of managing and monitoring the thing once it's installed. Being able to use mrtg/cacti/something to query SNMP would be extraordinarily useful, as we will be paying extra for bandwidth above our fractional rate on the DS3, and also to monitor the health of the box.

If you're wanting to do this from "foreign" networks (not your own), then set up ssl and logins (.htaccess or httpd.conf, local or ldap, pam, whatever you have available) for the web interface.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 20:30:53 +0200 Mel <[EMAIL PROTECTED]> wrote:

> On Friday 18 April 2008 16:53:49 Paul Schmehl wrote:
>> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed.
>
> That's your assumption.
> First of all, firewalls are for preventing unwanted connections, this is not necessarily the same as access to running services.
> Prime examples: cable modem and windows hosts broadcast spam on an ISP's network, ping floods. User scans [1], vulnerability scans, open relay scanners, spammers fall into running services category.

They don't fall into the category of services that you authorized or approved of. Keep in mind, we're talking about *hosts*, individual workstations if you will, not enterprises.

>> For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***.
>
> It is an illusion to think that the patch always comes before the exposure.

It's a worse illusion to believe the firewall is going to help. If the service is exposed and compromised, the firewall wouldn't be blocking it anyway. Furthermore, if the host is compromised, the firewall is one of the first things that will be disabled.

> Secondly, pending the amount of services you offer, this can be a full task and especially for the "hobby" category, it is more time-efficient to shut off any unauthorized traffic to begin with.
> Say, some webapp allows uploading a file and executing it. It is then quite easy to add a daemon to your server, that you have not configured. With a firewall in default block mode, this daemon does not receive connections. Even when the patch is released before exposure, you could be, say sleeping and it can be too late. For some this is paranoia, for others common sense.

Again, the firewall is providing a false sense of security in exactly the scenario you propose. Where do you think hackers' daemons are running these days? **On the ports that you can't close on the firewall**.

>> [4] # grep sshd /etc/defaults/rc.conf
>> sshd_enable="NO"  # Enable sshd
>
> No? Surely you're not using inetd?

I haven't used inetd in years. I'm not sure why you think I would be.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 13:18:44 -0400 Jon Radel <[EMAIL PROTECTED]> wrote:

> Paul Schmehl wrote:
>> I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish?
>>
>> I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.
>>
>> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.
>
> Yes, in a world where nothing ever breaks, all system administrators never make dumb mistakes, and no one ever breaks into your box to install services that you certainly wouldn't approve of, the defense-in-depth techniques being discussed here are pretty much a waste of time. Alas, alack, my machines prove every couple of years that they don't live in such a world. Must be me. ;-)
>
>> If *everyone* knew how to properly configure and maintain a host, even enterprise firewalls would be completely unnecessary.
>
> And if you've got users on your network... Oh, my, users do the darnedest things. As one little example: My firewall blocks outbound traffic to port 25 from all those pesky workstations to anywhere other than the local SMTP servers. Why? Makes me worry just a bit less about some Windows box pumping spam out to the world due to an unfortunate choice made by a user.
>
> I doubt there's an enterprise in the world where every user both knows enough about host security *and* is disciplined enough to apply that knowledge every minute of every day.

Let me clarify. When I use the term "host", I'm referring to what many would call a "personal workstation" or "personal computer". If you have more than one person who has shell access to a computer, then you no longer have a host. You have a server. Sure, you may not think of it that way, but that's what it is.

Servers are a completely different ballgame, and the decisions you make regarding protecting them have everything to do with who has access to what. The servers that I referenced in my post have one person with root access - me - and one user - the owners. No one else has access. So, it's a great deal easier for me to lock down the boxes than it is, for example, here at work, where *many* people have shell access and more than one have root access through sudo or even su.

> But then, I'm the guy who takes the time to put on his seatbelt each and every time he starts the car, despite never, not once, having to actually use it in 3 decades of driving.

Well, that was the point I was trying to make. A firewall might be analogous to a big rubber bumper that surrounds your car. *If* you get it, it provides some protection, but you *still* have to be able to use the doors, open the hood and the trunk, carry passengers, etc. So, why do you wear your seatbelt? Because it provides protection *even when* the bumpers fail.

We think about security from the outside in when we should be thinking about security from the inside out. The firewall should be the *last* thing you think about *after* you've already taken all the precautions you can to make the firewall completely unnecessary. In today's world, all too often, people think they can not patch, not run antivirus, not do this, not do that, and everything will be fine because the firewall is protecting them.

It's foolish and a false sense of security. What we *should* be doing is making sure the door locks function correctly (going back to the car analogy), the seats are properly anchored, the engine is properly maintained, the hood is properly closed, etc., etc. and *then* check to see if the bumper is in place.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: [SSHd] Limiting access from authorized IP's
On Friday 18 April 2008 16:53:49 Paul Schmehl wrote:
> I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish?
...
> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed.

That's your assumption.
First of all, firewalls are for preventing unwanted connections, this is not necessarily the same as access to running services.
Prime examples: cable modem and windows hosts broadcast spam on an ISP's network, ping floods. User scans [1], vulnerability scans, open relay scanners, spammers fall into running services category.

> So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing.

Or, when you do know what you're doing and don't see the firewall as a single entity but as a node in the security tree, where tools like grok come in as well.

> For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***.

It is an illusion to think that the patch always comes before the exposure.
Secondly, pending the amount of services you offer, this can be a full task and especially for the "hobby" category, it is more time-efficient to shut off any unauthorized traffic to begin with.
Say, some webapp allows uploading a file and executing it. It is then quite easy to add a daemon to your server, that you have not configured. With a firewall in default block mode, this daemon does not receive connections. Even when the patch is released before exposure, you could be, say sleeping and it can be too late. For some this is paranoia, for others common sense.

> Firewalls are too often crutches for people that don't want to learn how to properly maintain a host.

Or save time, till it can be properly done. You're also assuming that you have full control over installed software. The "hobby" case you mention or a hosting environment this isn't always reality.

> # sockstat | grep cupsd
> root cupsd 6208 3 stream /var/run/cups.sock
> root cupsd 6208 4 udp4 *:631 *:*

Sure, block in proto udp from any to any port 631
Works for nfs and rpc as well :)

> [4] # grep sshd /etc/defaults/rc.conf
> sshd_enable="NO"  # Enable sshd

No? Surely you're not using inetd?
sshd has tcp wrapper support built in, so you can set everything from /etc/ssh/sshd_config, including the port and using tcp wrappers. So in the event, inetd is vulnerable, sshd won't be.

[1] # cat /etc/pf/grok-ssh.conf
file "/var/log/auth.log" {
  type "ssh-illegal-user" {
    match = "Invalid user %USERNAME% from %IP%";
    threshold = 5;    # 5 hits ...
    key = "%IP%";     # from a single ip ...
    interval = 60;    # in 1 minutes
    reaction = "/sbin/pfctl -t scans -Tadd %IP%";
  };
  type "ssh-scan-possible" {
    match = "Did not receive identification string from %IP%";
    threshold = 3;
    interval = 60;
    reaction = "/sbin/pfctl -t scans -Tadd %IP%";
  };
};

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
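The grok config above is compact enough that its logic is worth seeing spelled out. The following is an added example, written for this thread rather than grok's or Mel's own code: it applies the same two rules (5 "Invalid user" hits or 3 "Did not receive identification string" hits from one address within 60 seconds) to auth.log-style lines and returns the pfctl commands the `reaction` line would run, instead of executing them. The log lines are constructed; assumptions are that `%USERNAME%` stands for a single non-blank token, that the second rule is keyed per IP like the first (its `key` line is absent in the config), and that timestamps use the standard syslog `Mon DD HH:MM:SS` form with the year supplied separately.

```python
"""Added example: sliding-window threshold detection modelled on the grok rules above.

Not grok itself. Reads syslog-style auth.log lines, counts hits per source
address inside a 60 s window for each rule, and returns the reaction commands
rather than running them. Sample log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Pattern, Tuple

# rule name -> (match pattern with %IP% as a named group, threshold, interval seconds)
# Assumption: %USERNAME% is one non-blank token, so '\S+' stands in for it.
RULES: Dict[str, Tuple[Pattern, int, int]] = {
    "ssh-illegal-user": (
        re.compile(r"Invalid user \S+ from (?P<ip>[0-9.]+)"), 5, 60),
    "ssh-scan-possible": (
        re.compile(r"Did not receive identification string from (?P<ip>[0-9.]+)"), 3, 60),
}
REACTION = "/sbin/pfctl -t scans -Tadd {ip}"

# Standard syslog prefix: "Apr 18 10:00:01 host prog[pid]: message"
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) ")


def parse_ts(line: str, year: int = 2008) -> "datetime | None":
    """Syslog lines carry no year; the caller supplies it (assumption: one year per file)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")


def scan(lines: Iterable[str], rules=RULES, reaction: str = REACTION) -> List[str]:
    """Return one reaction command per address that crossed a rule's threshold.

    For each (rule, ip) a deque holds the timestamps of hits still inside the
    interval; a hit older than `interval` seconds relative to the newest hit is
    dropped, so five attempts spread over 15 minutes never trigger anything.
    """
    windows = defaultdict(deque)   # (rule name, ip) -> timestamps within the interval
    blocked = set()                # an address is added to the pf table once
    actions: List[str] = []
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        for name, (pat, threshold, interval) in rules.items():
            m = pat.search(line)
            if not m:
                continue
            ip = m.group("ip")
            q = windows[(name, ip)]
            q.append(ts)
            while (ts - q[0]).total_seconds() > interval:
                q.popleft()
            if len(q) >= threshold and ip not in blocked:
                blocked.add(ip)
                actions.append(reaction.format(ip=ip))
    return actions


# Constructed sample: one fast dictionary run, one slow one that stays under the
# threshold, a legitimate login, and a burst of empty connections.
SAMPLE_LOG = """\
Apr 18 10:00:01 gw sshd[1201]: Invalid user admin from 203.0.113.5
Apr 18 10:00:03 gw sshd[1203]: Invalid user oracle from 203.0.113.5
Apr 18 10:00:05 gw sshd[1205]: Invalid user test from 203.0.113.5
Apr 18 10:00:08 gw sshd[1207]: Invalid user guest from 203.0.113.5
Apr 18 10:00:09 gw sshd[1209]: Accepted publickey for paul from 192.168.0.10 port 50122 ssh2
Apr 18 10:00:12 gw sshd[1211]: Invalid user backup from 203.0.113.5
Apr 18 10:02:00 gw sshd[1220]: Invalid user admin from 198.51.100.7
Apr 18 10:05:00 gw sshd[1221]: Invalid user admin from 198.51.100.7
Apr 18 10:08:00 gw sshd[1222]: Invalid user admin from 198.51.100.7
Apr 18 10:11:00 gw sshd[1223]: Invalid user admin from 198.51.100.7
Apr 18 10:14:00 gw sshd[1224]: Invalid user admin from 198.51.100.7
Apr 18 10:20:00 gw sshd[1230]: Did not receive identification string from 192.0.2.44
Apr 18 10:20:01 gw sshd[1231]: Did not receive identification string from 192.0.2.44
Apr 18 10:20:02 gw sshd[1232]: Did not receive identification string from 192.0.2.44
"""

if __name__ == "__main__":
    for cmd in scan(SAMPLE_LOG.splitlines()):
        print(cmd)
    # prints the two pfctl commands, for 203.0.113.5 and 192.0.2.44
```

Returning the commands instead of running them keeps the example harmless to run anywhere and makes the thresholds easy to tune against a real auth.log before anything is hooked to pfctl. As with the grok config, the `scans` table only has an effect if pf.conf carries a rule that consults it (for example `block in quick from <scans>`), and the slow scanner in the sample shows the trade-off of a short interval: patient probing stays below the threshold, which is why this is a complement to key-only authentication rather than a substitute for it.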
Re: [SSHd] Limiting access from authorized IP's
Paul Schmehl wrote:
> I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish?
>
> I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.
>
> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.

Yes, in a world where nothing ever breaks, all system administrators never make dumb mistakes, and no one ever breaks into your box to install services that you certainly wouldn't approve of, the defense-in-depth techniques being discussed here are pretty much a waste of time. Alas, alack, my machines prove every couple of years that they don't live in such a world. Must be me. ;-)

> If *everyone* knew how to properly configure and maintain a host, even enterprise firewalls would be completely unnecessary.

And if you've got users on your network... Oh, my, users do the darnedest things. As one little example: My firewall blocks outbound traffic to port 25 from all those pesky workstations to anywhere other than the local SMTP servers. Why? Makes me worry just a bit less about some Windows box pumping spam out to the world due to an unfortunate choice made by a user.

I doubt there's an enterprise in the world where every user both knows enough about host security *and* is disciplined enough to apply that knowledge every minute of every day.

But then, I'm the guy who takes the time to put on his seatbelt each and every time he starts the car, despite never, not once, having to actually use it in 3 decades of driving.

> Firewalls are too often crutches for people that don't want to learn how to properly maintain a host.

Now that, on the other hand, I can completely agree with.

--Jon Radel
Re: [SSHd] Limiting access from authorized IP's
Hi,

Gilles wrote:
> I don't have a firewall on that host because there's already a NAT router connecting the LAN to the Net.

I don't know your setup, but I'm pretty sure you can run the packet filter on your host anyway. You don't need to configure NAT to run your host firewall.

> I'll just add the following to /etc/ssh/sshd_config, and restart the service:
>
> AllowHosts 192.168.0 82.x.x.x

OK!

> BTW, is the SSHd that comes with the system good enough, or should I upgrade to what's in /usr/ports/security/ssh2?

For me base system ssh works like a charm. IMO, you only want to "upgrade" if you need a specific feature that is not available on system SSH.

Pedro
Re: [SSHd] Limiting access from authorized IP's
On Fri, Apr 18, 2008 at 04:59:07PM +0100, Matthew Seaman wrote:
> Paul Schmehl wrote:
>
> >I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought in to this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.
> >
> >Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.
>
> On the whole I agree with you -- you should be able to view a firewall as a luxury rather than a necessity on a well configured server. However there is one rather nasty loophole that you can block with a firewall which otherwise is pretty impossible to deal with, at least on FreeBSD machines.
>
> It's all to do with the weak routing model -- that is, a network packet to an IP on one of a host's interfaces will be accepted on *any* interface on that host[*]. So even though you protect services that are not meant to be for public consumption by binding them to the loopback address, some one can still send you a spoofed packet to 127.0.0.1 that arrives on your external network i/f /and it will let you connect to the service bound to the loopback/ The attacker has to have access to the same layer 2 network as your host, but sending the spoofed packet is as simple as tweaking the routing table. See eg:
>
> http://seclists.org/bugtraq/2001/Mar/0042.html
>
> Blocking this sort of attack against the loopback address can be done with the following 3 line PF firewall config. Extending this to back-end networks etc. is left as an exercise for the student:
>
> scrub in all
> pass all
> antispoof log quick for lo0
>
> Cheers,
>
> Matthew
>
> [*] Which is not without its legitimate uses, as anyone who has ever configured a load balancer using DSR mode will attest.

I don't think that it's enough to say that this is the only case where a firewall is useful. Modern firewalls can do simple DOS protection, and on a multi-user system, they can prevent services from being started by your users. Egress firewalls on servers can stop unprivileged user compromises from wreaking havoc on external hosts. I'm sure that there are other circumstances where a firewall is useful.

Now I believe that there are other ways to address the above requirements, but they may require tradeoffs. mac_portacl allows restricting binding of ports (though I've never actually heard of anyone using it--this alone may be a reason to go with a more tried-and-true solution.) This, however, requires compiling a custom kernel, which may be undesirable for other reasons.

Erik
Re: [SSHd] Limiting access from authorized IP's
On Fri, 18 Apr 2008 10:04:37 +0100, FreeBSD - Wire Consulting <[EMAIL PROTECTED]> wrote:
> sshd(8) is part of the base system, which is a FreeBSD patched version of OpenSSH. Although, you can find some ports of bulk OpenSSH in /usr/ports/security.

I don't have a firewall on that host because there's already a NAT router connecting the LAN to the Net.

I'll just add the following to /etc/ssh/sshd_config, and restart the service:

AllowHosts 192.168.0 82.x.x.x

BTW, is the SSHd that comes with the system good enough, or should I upgrade to what's in /usr/ports/security/ssh2?

Thanks
Re: [SSHd] Limiting access from authorized IP's
Kurt Buff wrote:
> On Fri, Apr 18, 2008 at 8:59 AM, Matthew Seaman <[EMAIL PROTECTED]> wrote:
>
> At any rate, locking down ssh access is one of my concerns, for sure, so this discussion is helpful.

Wouldn't turning off password based logins and using public and private keys (with a strong password) for ssh logins do the trick? If you limit yourself based on IP addresses, it's inevitable that you will need access from an IP NOT on your exemption list at some time (like when you are on vacation, at relatives, etc). Using keys to authenticate ssh sessions has worked very well for me. If you are concerned about the brute force attempts (which can't work without the private key which you put a strong password on), you can use something like denyhosts to block those hosts from even connecting.

hth
Eric
Re: [SSHd] Limiting access from authorized IP's
On Fri, Apr 18, 2008 at 8:59 AM, Matthew Seaman <[EMAIL PROTECTED]> wrote:
> Paul Schmehl wrote:
> >
> > I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought into this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.
> >
> > Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.
>
> On the whole I agree with you -- you should be able to view a firewall as a luxury rather than a necessity on a well configured server. However there is one rather nasty loophole that you can block with a firewall which otherwise is pretty impossible to deal with, at least on FreeBSD machines.
>
> It's all to do with the weak routing model -- that is, a network packet to an IP on one of a host's interfaces will be accepted on *any* interface on that host[*]. So even though you protect services that are not meant to be for public consumption by binding them to the loopback address, someone can still send you a spoofed packet to 127.0.0.1 that arrives on your external network i/f /and it will let you connect to the service bound to the loopback/ The attacker has to have access to the same layer 2 network as your host, but sending the spoofed packet is as simple as tweaking the routing table.
>
> See e.g.: http://seclists.org/bugtraq/2001/Mar/0042.html
>
> Blocking this sort of attack against the loopback address can be done with the following 3 line PF firewall config. Extending this to back-end networks etc. is left as an exercise for the student:
>
> scrub in all
> pass all
> antispoof log quick for lo0
>
> Cheers,
>
> Matthew
>
> [*] Which is not without its legitimate uses, as anyone who has ever configured a load balancer using DSR mode will attest.
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW

Not to detour this conversation too much, I hope, but I'm in a different situation, and this is going to be an issue for me.

I'm putting together a box that's going to be a router for our company, using BGP to give access to our T1 and frac DS3. That's all it should be doing; it will have no other services. It'll be in our server room, though, so I won't have to get at it from anywhere, except perhaps home, and even that could be avoided by simply traveling the 10 miles to work.

So, I'm wondering how to lock it down - I'm even contemplating eliminating any MTA and sshd, and just running the routing daemon, but sshd is just so useful that it's hard to do without, and eliminating the MTA denies me the goodness of the periodic reports. 'Casting syslog to my internal syslog host is also problematic, but possible, I suppose.

Then there's the problem of managing and monitoring the thing once it's installed. Being able to use mrtg/cacti/something to query SNMP would be extraordinarily useful, as we will be paying extra for bandwidth above our fractional rate on the DS3, and also to monitor the health of the box.

I haven't found any good guides for this, but I do have "Security Power Tools", "Mastering FreeBSD and OpenBSD Security", and a couple of other books, including one on OpenBSD and PF, but haven't teased out all that I need from them regarding doing this in a sane/secure manner.

At any rate, locking down ssh access is one of my concerns, for sure, so this discussion is helpful.

Kurt
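Kurt's box is meant to expose nothing but the routing daemon and sshd. One way to verify that claim on a running host, as an added example that is not code from Kurt, Paul or anyone else in this thread: a POSIX shell audit of sockstat(1) output that flags every TCP/UDP socket bound to the wildcard address and not on an explicit allow-list. The SAMPLE lines are constructed (their column layout follows the sockstat output quoted later in the thread), and the allow-list, which assumes a BGP daemon named bgpd on port 179 next to sshd on 22, is an assumption about Kurt's setup. On a real system you would pipe `sockstat -4 -6 -l` into audit_listeners instead.

```shell
#!/bin/sh
# Added example: list every TCP/UDP socket bound to the wildcard address that is
# not on an explicit allow-list. On a real host, pipe `sockstat -4 -6 -l` into
# audit_listeners; SAMPLE below is constructed from the column layout of the
# sockstat output quoted elsewhere in this thread.

# Services this box is meant to expose, as "command:port" pairs. The two entries
# are an assumption for a router that should run only sshd and a BGP daemon (bgpd).
EXPECTED="sshd:22 bgpd:179"

# audit_listeners: read sockstat-style lines from stdin and print one line per
# listener bound to *:port that is not in EXPECTED. Sockets bound to a specific
# address (127.0.0.1:514) and unix-domain sockets are left alone.
audit_listeners() {
    while read -r user cmd pid fd proto laddr faddr; do
        [ "$user" = "USER" ] && continue              # column header
        case "$proto" in
            tcp4|tcp6|udp4|udp6) ;;
            *) continue ;;                             # dgram/stream unix sockets
        esac
        case "$laddr" in
            \*:*) port=${laddr#\*:} ;;                 # wildcard bind
            *) continue ;;                             # bound to one address
        esac
        ok=0
        for want in $EXPECTED; do
            [ "$want" = "$cmd:$port" ] && ok=1
        done
        [ "$ok" -eq 1 ] || printf 'UNEXPECTED %-5s %-9s pid=%-5s %s\n' "$proto" "$cmd" "$pid" "$laddr"
    done
    return 0
}

# Constructed sample in sockstat(1) column order:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   3  tcp4   *:22                  *:*
root     sshd       612   4  tcp6   *:22                  *:*
root     bgpd       700   5  tcp4   *:179                 *:*
root     syslogd    850   4  dgram  /var/run/log
root     syslogd    850   6  udp4   127.0.0.1:514         *:*
root     cupsd      6208  4  udp4   *:631                 *:*
root     sendmail   900   4  tcp4   *:25                  *:*'

# unexpected_listeners: run the audit over SAMPLE (findings on stdout)
unexpected_listeners() { printf '%s\n' "$SAMPLE" | audit_listeners; }

# unexpected_listener_count: number of findings in SAMPLE
unexpected_listener_count() { unexpected_listeners | wc -l | tr -d ' '; }

unexpected_listeners
```

On the sample this reports the cupsd socket on udp4 *:631 and sendmail on tcp4 *:25, and stays quiet about syslogd, whose 127.0.0.1:514 binding is exactly what Paul recommends. A loopback binding passes this check, but as Matthew's message points out it is only as strong as the antispoof rule on lo0 that goes with it.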
Re: [SSHd] Limiting access from authorized IP's
Paul Schmehl wrote:
> I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought into this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.
>
> Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.

On the whole I agree with you -- you should be able to view a firewall as a luxury rather than a necessity on a well configured server. However there is one rather nasty loophole that you can block with a firewall which otherwise is pretty impossible to deal with, at least on FreeBSD machines.

It's all to do with the weak routing model -- that is, a network packet to an IP on one of a host's interfaces will be accepted on *any* interface on that host[*]. So even though you protect services that are not meant to be for public consumption by binding them to the loopback address, someone can still send you a spoofed packet to 127.0.0.1 that arrives on your external network i/f /and it will let you connect to the service bound to the loopback/ The attacker has to have access to the same layer 2 network as your host, but sending the spoofed packet is as simple as tweaking the routing table.

See e.g.: http://seclists.org/bugtraq/2001/Mar/0042.html

Blocking this sort of attack against the loopback address can be done with the following 3 line PF firewall config. Extending this to back-end networks etc. is left as an exercise for the student:

scrub in all
pass all
antispoof log quick for lo0

Cheers,

Matthew

[*] Which is not without its legitimate uses, as anyone who has ever configured a load balancer using DSR mode will attest.

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: [SSHd] Limiting access from authorized IP's
--On Friday, April 18, 2008 19:14:49 +1000 Gary Newcombe <[EMAIL PROTECTED]> wrote:
> ssh is part of the base system, not an installed port (by default anyway) so you won't see it with pkg_info which will only list installed packages. The config file is /etc/ssh/sshd_config.
>
> To limit connections, you should be using the firewall. I do use hosts.allow too, but the firewall is your primary defence.

I see this statement all the time, and I wonder why. What does a firewall on an individual host accomplish?

I have maintained publicly available servers for a small hobby domain for almost ten years now. Initially, I bought into this logic and ran a firewall. (At that time we only had one server.) What it cost me was CPU and memory. What it gained me was nothing. I turned it off. I have never run a firewall on a publicly available host since.

Firewalls are for preventing access to running services. By definition, if you are running a service, you want it to be accessed. So firewalls are self-defeating or completely useless at the host level **unless** you don't know what you're doing. For an enterprise they make a great deal of sense. No matter what a user inside your network might do, you can prevent access by simply not allowing traffic on that port.

For an individual host it makes a great deal more sense to only run those services you intend to use ***and keep them up to date and properly configured***. If you're running syslogd on 514/tcp (because it installs that way by default) and you're not running a syslogd server, then that is an error on your part [1]. If you're running cupsd listening on 631/tcp, but you're not running a print server, then that's an error [2].

Secondly, for those services that you *must* have publicly available, research what protections are available (e.g. mod_security for apache, hosts.allow for other services.) Read the man pages. Learn to lock down your box properly.

Then, spend your time and attention on the services that *are* exposed (because they have to be) and make sure you have those fully patched and properly configured. Never, ever, ever, run a service that you do not intend to use and have it listening on a port! Those are the doors hackers use to get in.

Firewalls are too often crutches for people that don't want to learn how to properly maintain a host. If *everyone* knew how to properly configure and maintain a host, even enterprise firewalls would be completely unnecessary.

To the OP, you *must* run sshd to remotely access your box. There are several things you can (and should) do.

1) Don't allow root logins (that is now the default configuration)
2) Only allow protocol 2 (now also the default)
3) Consider not allowing any logins and requiring cert exchange instead [3]
4) Consider using ChallengeResponseAuthentication (see [3])
5) Consider running sshd on a different port [4]
6) Consider using /etc/hosts.allow to restrict access

[1]
# grep syslogd /etc/rc.conf
syslogd_flags="-b 127.0.0.1"
# sockstat | grep syslogd
root     syslogd    850   4  dgram  /var/run/log
root     syslogd    850   5  dgram  /var/run/logpriv
root     syslogd    850   6  udp4   127.0.0.1:514         *:*

[2]
# grep -i LISTEN /usr/local/etc/cups/cupsd.conf
# Only listen for connections from the local machine. Use unix sockets and disable ip completely when possible.
#Listen localhost:631
Listen /var/run/cups.sock
# sockstat | grep cupsd
root     cupsd      6208  3  stream /var/run/cups.sock
root     cupsd      6208  4  udp4   *:631                 *:*
(If anyone knows how to disable the udp port as well, let me know.)

[3] man (5) sshd_config - see AuthorizedKeysFile, ChallengeResponseAuthentication

[4]
# grep sshd /etc/defaults/rc.conf
sshd_enable="NO"                # Enable sshd
sshd_program="/usr/sbin/sshd"   # path to sshd, if you want a different one.
sshd_flags=""                   # Additional flags for sshd.
man (8) sshd -p port flag

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
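Items 1 to 4 of Paul's list can be checked mechanically. The following is an added example, not Paul's code: a POSIX shell audit of an sshd_config for a key-only policy (root logins off, protocol 2 only, passwords off, and ChallengeResponseAuthentication off as well, because with UsePAM the keyboard-interactive method can still prompt for the account password when PasswordAuthentication alone is turned off). Two assumptions: directives are written in the whitespace-separated "Keyword value" form, and anything after the first Match line is conditional and therefore ignored for the global check. The two sample configs are constructed. The detail worth remembering is that sshd_config(5) uses the first value it finds for a keyword, so a hardening line appended to the bottom of a file that already sets the keyword does nothing, which the "weak" sample demonstrates.

```shell
#!/bin/sh
# Added example (not from the list post): audit an sshd_config against a key-only
# policy. Assumptions: "Keyword value" form only, and the global section ends at
# the first Match line.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_first_value FILE KEYWORD
# sshd uses the FIRST occurrence of a keyword, not the last, so a hardening line
# appended at the bottom of the file may never take effect.
sshd_first_value() {
    awk -v key="$(lc "$2")" '
        /^[[:space:]]*#/       { next }
        NF == 0                { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per finding; counting the lines gives the number of findings.
audit_sshd_config() {
    f=$1
    v=$(sshd_first_value "$f" PermitRootLogin)
    [ "$(lc "$v")" = "no" ] || echo "PermitRootLogin is '${v:-unset}', want no"

    v=$(sshd_first_value "$f" Protocol)
    [ "$v" = "2" ] || echo "Protocol is '${v:-unset}', want 2 (no protocol 1 fallback)"

    v=$(sshd_first_value "$f" PasswordAuthentication)
    [ "$(lc "$v")" = "no" ] || echo "PasswordAuthentication is '${v:-unset}', want no"

    # With UsePAM, keyboard-interactive can still prompt for the account password
    # even when PasswordAuthentication is off, so a key-only policy needs this too.
    v=$(sshd_first_value "$f" ChallengeResponseAuthentication)
    [ "$(lc "$v")" = "no" ] || echo "ChallengeResponseAuthentication is '${v:-unset}', want no for key-only logins"
}

# finding_count FILE: number of findings for FILE
finding_count() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# Constructed samples, written to a temporary directory.
TMPD=$(mktemp -d)
WEAK=$TMPD/weak.conf
HARD=$TMPD/hard.conf
cat > "$WEAK" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# lines added later in the hope of overriding the settings above (they do not)
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$HARD" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK"    # four findings
audit_sshd_config "$HARD"    # no output
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`, and after editing, check the syntax with `sshd -t` before restarting. Items 5 and 6 of the list are deliberately not scored: the port number is a preference, and hosts.allow lives in another file.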
Re: [SSHd] Limiting access from authorized IP's
Mel wrote:
> On Friday 18 April 2008 10:51:45 Gilles wrote:
>
>> 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?
>
> hosts.allow == TCP wrapper.
> I recommend firewall, with hosts.allow backup. In the event the firewall gets disabled, hosts.allow takes over.
> Note though, that with setups like this, you will have to call someone to add your IP to the lists, when your IP changes or you're on a location you didn't think you'd need access from.
> I personally prefer sshd to be world accessible and block scans, since I consider being locked out of the machines a security risk as well...

Some additional thoughts:

If you want to control which users can connect from which IP addresses, use the AllowUsers, etc. statements in sshd_config. That's the big advantage of doing it at that level. If you're not going to get that granular, I'd stick with the advice others have already given.

Also, some of us are convinced that we further reduce our risk from scanning by turning off password access and forcing the use of keys.

--Jon Radel
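Jon's point is that AllowUsers is the one layer here that knows both the user and the source address. Because a wrong allow-list locks people out rather than letting attackers in, it pays to try the list against the logins it must admit and the ones it must refuse before deploying it. The following is an added example, not code from Jon or from OpenSSH: a small POSIX shell simulator of how sshd evaluates an AllowUsers line. It assumes patterns use only the "*" and "?" wildcards and that the host part is compared against the client IP address (with UseDNS the reverse name can match as well); DenyUsers, which sshd evaluates before AllowUsers, is not modelled. The policy and addresses are constructed (RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example (not from the list post): simulate sshd's AllowUsers check so a
# "user@host" allow-list can be tested before it is deployed. Assumptions: only
# the "*" and "?" wildcards are used, and the host part is matched against the
# client IP address. DenyUsers is not modelled.

# allowusers_permits "ALLOWUSERS VALUE" USER CLIENT_IP
# Exit status 0 = login allowed, 1 = refused. Mirrors sshd's rule: once AllowUsers
# is set, a login passes only if some pattern matches; a bare "user" pattern
# matches that user from anywhere, "user@host" needs both halves to match.
allowusers_permits() {
    patterns=$1 user=$2 ip=$3
    for pat in $patterns; do
        case "$pat" in
            *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;
            *)   upat=$pat;       hpat='*'       ;;
        esac
        # The pattern variables are deliberately unquoted so the shell treats
        # "*" and "?" as wildcards, the same two wildcards sshd understands.
        case "$user" in $upat) ;; *) continue ;; esac
        case "$ip"   in $hpat) return 0 ;; esac
    done
    return 1
}

# Constructed policy: two admin workstations, a deployment account allowed from
# anywhere in one /24, and one account with no host restriction at all.
POLICY='admin@192.0.2.10 admin@192.0.2.11 deploy@203.0.113.* backup'

# decision "POLICY" USER IP: print a one-line verdict for the table below.
decision() {
    if allowusers_permits "$1" "$2" "$3"; then verdict=ALLOW; else verdict=DENY; fi
    printf '%-5s %-8s from %s\n' "$verdict" "$2" "$3"
}

decision "$POLICY" admin  192.0.2.10      # ALLOW
decision "$POLICY" admin  198.51.100.7    # DENY  (right user, wrong host)
decision "$POLICY" deploy 203.0.113.44    # ALLOW (wildcard host part)
decision "$POLICY" backup 198.51.100.7    # ALLOW (no host restriction)
decision "$POLICY" root   192.0.2.10      # DENY  (not listed at all)
```

Note where in the connection this check happens: sshd applies AllowUsers during authentication, after the TCP connection and key exchange are already complete, whereas hosts.allow refuses the connection earlier and a packet filter earlier still. That ordering is why the thread treats the three as layers rather than alternatives.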
Re: [SSHd] Limiting access from authorized IP's
Hi,

Gilles wrote:
> Hello
>
> I have a couple of questions about running SSHd:
>
> 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?

You can limit the access using one of the packet filters available, ipfw(8), ipf(8) or pf(4).

> 2. Although it's up and running, I can't find SSHd in the list of installed apps:

sshd(8) is part of the base system, which is a FreeBSD patched version of OpenSSH. Although, you can find some ports of bulk OpenSSH in /usr/ports/security.

Pedro
Re: [SSHd] Limiting access from authorized IP's
On Friday 18 April 2008 10:51:45 Gilles wrote:
> 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?

hosts.allow == TCP wrapper.
I recommend firewall, with hosts.allow backup. In the event the firewall gets disabled, hosts.allow takes over.
Note though, that with setups like this, you will have to call someone to add your IP to the lists, when your IP changes or you're on a location you didn't think you'd need access from.
I personally prefer sshd to be world accessible and block scans, since I consider being locked out of the machines a security risk as well...

> 2. Although it's up and running, I can't find SSHd in the list of installed apps:
>
> $ which sshd
>
> /usr/sbin/sshd

It's not a port, comes with the base system.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: [SSHd] Limiting access from authorized IP's
Hi Gilles,

ssh is part of the base system, not an installed port (by default anyway) so you won't see it with pkg_info which will only list installed packages. The config file is /etc/ssh/sshd_config.

To limit connections, you should be using the firewall. I do use hosts.allow too, but the firewall is your primary defence.

hth,
Gary

On Fri, 18 Apr 2008 10:51:45 +0200 Gilles <[EMAIL PROTECTED]> wrote:
> Hello
>
> I have a couple of questions about running SSHd:
>
> 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?
>
> 2. Although it's up and running, I can't find SSHd in the list of installed apps:
>
> $ which sshd
>
> /usr/sbin/sshd
>
> $ pkg_info | grep -i ssh
> => Nada. How come?
>
> Thank you.
Re: [SSHd] Limiting access from authorized IP's
Gilles wrote:
> Hello
>
> I have a couple of questions about running SSHd:
>
> 1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?

I tend to use a firewall anyway so that's what works best for me; on machines that I don't firewall, /etc/hosts.allow (which is TCP-wrappers) is a good quick and easy solution. It's very much a "whatever works best for you" type question.

> 2. Although it's up and running, I can't find SSHd in the list of installed apps:
>
> $ which sshd
>
> /usr/sbin/sshd
>
> $ pkg_info | grep -i ssh
> => Nada. How come?

ssh is part of the base system. It's also in ports so you can have a more recent version if you like or so you can have things like the ssh hpn patches (http://www.psc.edu/networking/projects/hpn-ssh/) etc etc.

Vince

> Thank you.
[SSHd] Limiting access from authorized IP's
Hello

I have a couple of questions about running SSHd:

1. I'd like to limit connections from the Net only from specific IP's. It seems like there are several ways to do it (/etc/hosts.allow, AllowHosts/AllowUsers, TCP-wrapper, port-knocking, etc.). Which would you recommend?

2. Although it's up and running, I can't find SSHd in the list of installed apps:

$ which sshd
/usr/sbin/sshd

$ pkg_info | grep -i ssh
=> Nada. How come?

Thank you.
Re: How can I access video tape under FBSD?
On Wed, 2008-04-16 at 20:28 +0200, Frank Wißmann wrote:
> Hi, folks!
> I have bought for myself a taperecorder-to-usb-connector, which I wrote in /etc/usbd.conf as following:
> Device "Video tape"
> Product "0x2821"
> Vendor "0xeb1a"
>
> Now I want to move all of my archived video tapes to harddisk/DVD. How can I perform this, that means how can I access my tape recorder, put the files onto HD and view it, meaning what kind of program is capable of doing so? Mplayer would be fine because I have it just installed.

A couple of ways to do this - depends on space and quality required. If you have space and want quality, capture the data raw from the tuner and then use mencoder to convert to mpeg/divx/whatever (30-40Gb+ 3hr tape). If space is at a premium, or quality is not as important, then use ffmpeg and convert on the fly. Need a fairly new cpu, plenty of RAM.

This is all very general, but good luck...
Re: How can I access video tape under FBSD?
On Wednesday 16 April 2008 22:11:16 Roland Smith wrote:
> On Wed, Apr 16, 2008 at 08:28:30PM +0200, Frank Wißmann wrote:
> > Hi, folks!
> > I have bought for myself a taperecorder-to-usb-connector, which I wrote in /etc/usbd.conf as following:
> > Device "Video tape"
> > Product "0x2821"
> > Vendor "0xeb1a"
>
> Neither the vendor nor the device are listed in /usr/src/sys/dev/usb/usbdevs. That does not bode well.

Quick scan on google reveals 0xeb1a is Pinnacle. You might ask on multimedia list if anyone knows this card. Could be it's accessible as 'tv tuner' or similar interface.

I suspect there's gonna be a few requests like this with harddisk space being cheap and old home movies hitting the expiring date.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: How can I access video tape under FBSD?
On Wed, Apr 16, 2008 at 08:28:30PM +0200, Frank Wißmann wrote:
> Hi, folks!
> I have bought for myself a taperecorder-to-usb-connector, which I wrote in /etc/usbd.conf as following:
> Device "Video tape"
> Product "0x2821"
> Vendor "0xeb1a"

Neither the vendor nor the device are listed in /usr/src/sys/dev/usb/usbdevs. That does not bode well.

> Now I want to move all of my archived video tapes to harddisk/DVD. How can I perform this, that means how can I access my tape recorder,

You'll need a device driver. Since the device is not listed in the known devices list, I doubt whether one exists for FreeBSD.

> put the files onto HD and view it, meaning what kind of program is capable of doing so? Mplayer would be fine because I have it just installed.

Mencoder can convert video to different formats. Ports like multimedia/dvdauthor can help you to create DVD content, and sysutils/dvd+rw-tools can help you to burn it.

Roland
--
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
How can I access video tape under FBSD?
Hi, folks!

I have bought for myself a taperecorder-to-usb-connector, which I wrote in /etc/usbd.conf as following:
Device "Video tape"
Product "0x2821"
Vendor "0xeb1a"

Now I want to move all of my archived video tapes to harddisk/DVD. How can I perform this, that means how can I access my tape recorder, put the files onto HD and view it, meaning what kind of program is capable of doing so? Mplayer would be fine because I have it just installed.

TIA
Frank
RAID-5/Stripe Size and verifying absolute disk stripe access
My problem is aligning reads/writes properly on a 3 disk RAID-5 volume with stripe size of 16384. Since my measurements all show the same relatively low read/write performance on the volume no matter which offset I choose on the disklabel "partition" (I've tried with the granularity of a single sector and the results are the same).

In FreeBSD 7.0-RELEASE, is there any way to find out an absolute read/write sector location for the beginning of filesystem within a disklabel "partition"?

--
Sten Daniel Soersdal
Re: Internet Access problem
At 03:30 PM 4/6/2008, comperr wrote:
> Hi, I am having trouble accessing the internet with my freeBSD 6.2 computer. The router is a Linksys router. When I do a tcpdump I see a series of requests that have something like pathcost 0 max 20 or something like that.. (sample: 8000.00:01:ff:f1:e9:93.8004 root 8000.00:01:ff:f1:e9:93 pathcost 0 age 0 max 60 hello 2 ...)
>
> Also once in a while I see arp who-has 192.168.1.103 and no reply.

You need to provide more information, such as: is your freebsd system using DHCP or a static IP?

What is the output from:

ifconfig -a

Can your freebsd system ping itself? Ping the router? Ping a host outside your LAN?

-Derek
Internet Access problem
Hi, I am having trouble accessing the internet with my freeBSD 6.2 computer. The router is a Linksys router. When I do a tcpdump I see a series of requests that have something like pathcost 0 max 20 or something like that.. (sample: 8000.00:01:ff:f1:e9:93.8004 root 8000.00:01:ff:f1:e9:93 pathcost 0 age 0 max 60 hello 2 ...)

Also once in a while I see arp who-has 192.168.1.103 and no reply.
Re: Access Point Failures using hostapd and ath0 w/ WG311 WiFi Card
I actually resolved the issues described. I don't know if this was the true source of the dysfunctional AP services, however, when I turned off routed all became sound again. I had also rebuilt world, and installed a newly compiled version of 6-stable, however, that still did not resolve the issues as of the previous email.

I wanted to research what may have caused this issue, since I will likely see it again, especially if there is some miscommunication with routed and hostapd authentication.

-
Respectfully,

Martes G Wigglesworth, CEO
M.G. Wigglesworth, LLC
[EMAIL PROTECTED]

On Mon, 2008-03-31 at 07:34 +0200, Ashant Chalasani wrote:
> On Sun, Mar 30, 2008 at 6:37 PM, Martes G Wigglesworth <[EMAIL PROTECTED]> wrote:
> > I am running 6-Stable on an old Pentium III 800MHz box for routing and wireless access point services. I am unable to maintain a concurrent connection with the wireless link. The system seems to run fine without authentication, however, when using hostapd I get the following error message on std output. I am not familiar with driver troubleshooting, or hostapd code, so if someone could point me in the correct direction, I would appreciate the assistance.
>
> I've seen this happen with 6.0-REL (Tinybsd 0.8 distribution) hostapd networks as well on a customer's network. I wasn't responsible for fixing the problem, but there was also a line of thought that the real culprit was the Windows CE supplicant.
>
> With 6.0-REL, we've had problems with WEP with the Intel Pro Wireless 3945ABG chipset on Windows XP, but WPA and WPA-EAP worked fine.
>
> Also problematic with WEP was a hand-held Windows CE.
>
> We didn't get far with troubleshooting with the Tinybsd 0.8 distro, but upgrading to 0.9 helped alleviate the problem (although we are still testing the 0.9 system)
>
> Ashant
Access Point Failures using hostapd and ath0 w/ WG311 WiFi Card
I am running 6-Stable on an old Pentium III 800MHz box for routing and wireless access point services. I am unable to maintain a concurrent connection with the wireless link. The system seems to run fine without authentication, however, when using hostapd I get the following error message on std output. I am not familiar with driver troubleshooting, or hostapd code, so if someone could point me in the correct direction, I would appreciate the assistance.

--
Respectfully,

Martes G Wigglesworth, CEO
M.G. Wigglesworth, LLC
[EMAIL PROTECTED]
Re: Serial access to an Extreme Networks Switch
Benjamin Cance wrote:
> Sam Fourman Jr. wrote:
>> hello,
>>
>> I am Running FreeBSD 7.0, I am trying to gain console access to my Extreme Networks Switch; the command cu -l /dev/cuad0 -s 9600 says Connected and then does nothing. What am I doing wrong?
>> I have a Straight through serial cable connected to com1, Does someone know a quick way to do this From FreeBSD?
>>
>> the machine is a Dell 1650 if that matters
>>
>> Thank you in advance for any help
>>
>> Sam Fourman Jr.
>
> With Cisco products, we use a roll-over cable. I am not 100% sure if Extreme Networks use the same, but it may be worth looking into.

Unless they differ from model to model you need a null modem cable.

http://www.extremenetworks.com/libraries/services/AlpineInstall.pdf
http://www.extremenetworks.com/libraries/services/Sumhwv60.pdf

have details of the pinouts, I'd imagine the Hardware installation guide for your model would also have details.
Re: Serial access to an Extreme Networks Switch
Sam Fourman Jr. wrote:
> hello,
>
> I am Running FreeBSD 7.0, I am trying to gain console access to my Extreme Networks Switch; the command cu -l /dev/cuad0 -s 9600 says Connected and then does nothing. What am I doing wrong?
> I have a Straight through serial cable connected to com1, Does someone know a quick way to do this From FreeBSD?
>
> the machine is a Dell 1650 if that matters
>
> Thank you in advance for any help
>
> Sam Fourman Jr.

With Cisco products, we use a roll-over cable. I am not 100% sure if Extreme Networks use the same, but it may be worth looking into.
Serial access to an Extreme Networks Switch
hello,

I am Running FreeBSD 7.0, I am trying to gain console access to my Extreme Networks Switch; the command cu -l /dev/cuad0 -s 9600 says Connected and then does nothing. What am I doing wrong?
I have a Straight through serial cable connected to com1, Does someone know a quick way to do this From FreeBSD?

the machine is a Dell 1650 if that matters

Thank you in advance for any help

Sam Fourman Jr.
Re: USB Wireless card for an access point
On Wednesday 05 March 2008 23:14:36 Ross Penner wrote:
> I currently have a FreeBSD machine that acts as a router and fileserver for my local home network. I'm hoping to set up a wireless access point so I don't have to steal my neighbour's wireless. The PC I'm using for FreeBSD has no free PCI slots so I'm forced to settle for a USB device. I'm hoping you all can suggest to me some models that have worked for you as an access point. If it counts, I'll be running FreeBSD 7.
>
> Thanks for any suggestions,

I think you're out of luck. The rum driver's AP support is discouraged and the ural driver doesn't support hostap mode. See rum(4) and ural(4). I don't know of any other USB wireless drivers.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
USB Wireless card for an access point
Hi list,

I currently have a FreeBSD machine that acts as a router and fileserver for my local home network. I'm hoping to set up a wireless access point so I don't have to steal my neighbour's wireless. The PC I'm using for FreeBSD has no free PCI slots so I'm forced to settle for a USB device. I'm hoping you all can suggest to me some models that have worked for you as an access point. If it counts, I'll be running FreeBSD 7.

Thanks for any suggestions,
Ross
Re: Inet access via serial interface
Potocki, Mariusz wrote:
> ps. Two radiomodems are "invisible" and act as a vry lng null-modem cable.

Windows treats a NULL-modem connection as a special case of dial-up, when each side has some specific chat script. AFAIR it is something like 'CLIENT CLIENTSERVER'. Google should help you.

--
Alexander Motin
RE: Inet access via serial interface
> Any hint what relevant settings should be in rc.conf and ppp.conf?

see /usr/share/examples/ppp/ppp.conf.sample and direct-server:
RE: Inet access via serial interface
Any hint what relevant settings should be in rc.conf and ppp.conf?
Last time I used ppp dial-up when 3.1 release was the newest version, so I am discovering the system again...

-----Original Message-----
From: Wojciech Puchar [mailto:[EMAIL PROTECTED]
Sent: 28 February 2008 15:31
To: Potocki, Mariusz
Cc: freebsd-questions@freebsd.org
Subject: Re: Inet access via serial interface

> FreeBSD is permanently connected to Internet (ethernet link to adsl modem).
> To serial port I have connected one radiomodem and few miles away second radiomodem is connected to windows box.
> This windows box should have access to Internet.
>
> I successfully installed 6.3release and I have Inet access on this box.
> What next? Create bridge? ppp -direct? some specialized port/package?

ppp -direct, on windoze side it's not that simple.

in windoze you can connect through serial port with dialing, but you can not without dialing. feel the power of windoze ;)

emulate modem and connecting with chatscript ;) or ask microsoft how to make windows do LESS than it can.
Re: Inet access via serial interface
> FreeBSD is permanently connected to Internet (ethernet link to adsl modem).
> To serial port I have connected one radiomodem and few miles away second radiomodem is connected to windows box.
> This windows box should have access to Internet.
>
> I successfully installed 6.3release and I have Inet access on this box.
> What next? Create bridge? ppp -direct? some specialized port/package?

ppp -direct, on windoze side it's not that simple.

in windoze you can connect through serial port with dialing, but you can not without dialing. feel the power of windoze ;)

emulate modem and connecting with chatscript ;) or ask microsoft how to make windows do LESS than it can.
Inet access via serial interface
Hello,

Let me ask for help with my problem. My task is to configure FreeBSD like below:

    Inet<->|ADSL modem|<->|FreeBSD|<->|Radiomodem|~~~|Radiomodem|<->|Windows|

To summarize: FreeBSD is permanently connected to Internet (ethernet link to adsl modem). To the serial port I have connected one radiomodem, and a few miles away a second radiomodem is connected to a windows box. This windows box should have access to Internet.

I successfully installed 6.3release and I have Inet access on this box. What next? Create bridge? ppp -direct? some specialized port/package? Any idea???

ps. The two radiomodems are "invisible" and act as a very long null-modem cable.

Thank you
Mariusz
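As an added example for the rc.conf/ppp.conf question in this thread (it is not from the thread, nor from the FreeBSD Handbook), here is a shell function that writes the FreeBSD side of a serial ppp -direct setup under a directory of your choice, so the files can be read before anything lands in /etc. The link addresses 10.0.0.1/10.0.0.2, the ttyd0 port, the 115200 bps speed, hardware flow control and the "ppp" login account are all assumptions; the Windows dialer, which the thread leaves open, is not covered.

```shell
#!/bin/sh
# Added example (not from the thread): the FreeBSD side of the
# Inet<->|ADSL|<->|FreeBSD|<->|Radiomodem|~~~|Radiomodem|<->|Windows| link,
# i.e. the rc.conf knob, the ppp.conf label that "ppp -direct" reads, and the
# login shell that starts ppp when the Windows side logs in over the serial
# line. Everything is written under DESTDIR so it can be dry-run into a
# scratch directory first.
# Assumptions (not from the thread): radiomodem on ttyd0 at 115200 bps
# (FreeBSD 6.x device naming), RTS/CTS passed through by the radiomodems
# (otherwise "set ctsrts no"), 10.0.0.1 on the FreeBSD end and 10.0.0.2 on
# the Windows end, and this box's own resolver handed out as DNS.

install_ppp_direct() {   # DESTDIR
    dest=${1:?usage: install_ppp_direct DESTDIR}
    mkdir -p "$dest/etc/ppp"

    # rc.conf: forward packets between tun0 and the ADSL side. NAT is done
    # by ppp itself (nat enable), so no natd or ipfw divert rule is needed.
    printf 'gateway_enable="YES"\n' >> "$dest/etc/rc.conf"

    # ppp.conf: in -direct mode the serial line is ppp's stdin, so there is
    # no "set device"; the label name is the argument given to ppp -direct.
    cat > "$dest/etc/ppp/ppp.conf" <<'EOF'
default:
 set log Phase Chat LCP IPCP CCP tun command
 allow users ppp

direct:
 set speed 115200
 set ctsrts yes
 set ifaddr 10.0.0.1 10.0.0.2 255.255.255.255
 set dns 10.0.0.1
 nat enable yes
 enable lqr
 disable pap chap
 set timeout 0
EOF
    chmod 600 "$dest/etc/ppp/ppp.conf"

    # login shell for the "ppp" account: hand the line straight to ppp
    cat > "$dest/etc/ppp/ppp-shell" <<'EOF'
#!/bin/sh
exec /usr/sbin/ppp -direct direct
EOF
    chmod 755 "$dest/etc/ppp/ppp-shell"

    cat <<'EOF'
Remaining manual steps:
  /etc/ttys:   ttyd0  "/usr/libexec/getty std.115200"  dialup  on  insecure
               (then kill -HUP 1)
  /etc/shells: add /etc/ppp/ppp-shell
  account:     pw useradd ppp -d /etc/ppp -s /etc/ppp/ppp-shell -G network -c 'serial PPP peer'
               (/usr/sbin/ppp is only executable by group network)
  password:    passwd ppp   (the Windows dialer logs in with it over the line)
EOF
}

# Dry run:  install_ppp_direct /var/tmp/ppp-test && find /var/tmp/ppp-test
# Real run: install_ppp_direct /   (as root, after reading what the dry run wrote)
```

The function appends to rc.conf rather than overwriting it, and leaves ppp.conf mode 0600 because ppp(8) complains about a world-readable configuration.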
Re: JOSEF VESELY; www.freebsd.org access problem
On Sat, 09 Feb 2008 14:55:27 +0000, Bruce Cran wrote
> Martin Solar wrote:
> >> I have problem access your web www.freebsd.org <http://www.freebsd.org/> from
> >> couple of my real & virtual computers (VMWARE + WIN XP)
> >
> > I have this problem only with Opera browser. Other browsers are working.
> > Which browser are you using ?
>
> I think there might be an issue with Opera and IPv6: since
> www.freebsd.org has an IPv6 record it may be trying to use that and
> failing to fall-back to IPv4 if it can't establish a connection.
> However if .org fails and .cz works with the same browser then I
> don't know what the issue could be, since both of those sites use IPv6.

I know about that issue. For me freebsd.cz is also not working in Opera. For such pages I am using another browser.

MS
Re: JOSEF VESELY; www.freebsd.org access problem
Martin Solar wrote:
> I have problem access your web www.freebsd.org <http://www.freebsd.org/> from
> couple of my real & virtual computers (VMWARE + WIN XP)
>
> I have this problem only with Opera browser. Other browsers are working.
> Which browser are you using ?

I think there might be an issue with Opera and IPv6: since www.freebsd.org has an IPv6 record it may be trying to use that and failing to fall-back to IPv4 if it can't establish a connection. However if .org fails and .cz works with the same browser then I don't know what the issue could be, since both of those sites use IPv6.

--
Bruce
Re: JOSEF VESELY; www.freebsd.org access problem
> I have problem access your web www.freebsd.org <http://www.freebsd.org/> from
> couple of my real & virtual computers (VMWARE + WIN XP)

I have this problem only with Opera browser. Other browsers are working. Which browser are you using?
JOSEF VESELY; www.freebsd.org access problem
Hi,

I have problems accessing your web www.freebsd.org <http://www.freebsd.org/> from a couple of my real & virtual computers (VMWARE + WIN XP), while I have no problem accessing it from other computers. From every computer I can access www.freebsd.cz <http://www.freebsd.cz/> without any problem.

It looks like your web server does not like these computers for some reason. ?? Does somebody block access to your website ?? I see a situation like this for the first time in my (digital) life.

Thank You

Josef Vesely ( IT technician )
Re: DELIVERY FAILURE: 5.1.0 - Unknown address error 554-'5.7.1 <[EMAIL PROTECTED]>: Recipient address rejected: Access denied' (delivery attempts: 0)
I'm not sure what has been happening exactly. I am forwarding this daemon bounce. I am trying to unsubscribe from freebsd-questions.

On Wed, 30 Jan 2008, Mail Delivery System wrote:
> Your message
>   Subject: Re: mozilla cache partition mishap ?
> was not delivered to:
>   [EMAIL PROTECTED]
> because:
>   5.1.0 - Unknown address error 554-'5.7.1 <[EMAIL PROTECTED]>: Recipient address rejected: Access denied' (delivery attempts: 0)

*--*
Kayven Riese, BSCS, MS (Physiology and Biophysics)
(415) 902 5513 cellular
http://kayve.net Webmaster
http://ChessYoga.org
*--*
Using mutt to access imap folders (was: mail questions: mutt and KDE)
freebsd-kde stripped from the recipient list. Gary, it's probably better to post *two* messages if you have two unrelated questions. This way the traffic in freebsd-kde will not get 'polluted' with all the replies about mutt, which isn't really related to KDE on FreeBSD.

On 2008-01-23 18:24, Gary Kline <[EMAIL PROTECTED]> wrote:
> Here's hoping that I'm still subscribed to the kde list, and that
> somebody can answer these general mail-type questions.

You don't have to be subscribed to freebsd-kde to post.

> Also, I would like some clues of how to if IF I can use mutt *with*
> IMAP.

You can set ${MAIL} in your environment to an imap folder. Then firing up mutt will select the imap folder by default, and you will be prompted for a password. Try for example the following:

    $ MAIL='imap://[EMAIL PROTECTED]/INBOX'

You can store the IMAP username and password in ~/.muttrc too, but then you should pay careful attention to the permissions of the file (even in an internal network, it never hurts to be a bit cautious). The following in your ~/.muttrc should do the trick:

    set imap_user='gkeramidas'
    set imap_pass='achmed!the!terrorist'

Then fire up mutt, and enjoy your new IMAP session.

One word of caution though. Setting $MAIL to an IMAP folder path in your default environment may upset programs which don't really speak IMAP the way mutt does, i.e. the command-line mail(1) utility.

The manual of mutt, which is accessible by hitting while inside mutt, is also a valuable resource for this sort of question. Specifically, the following section includes a very good example of how you can handle multiple IMAP accounts in a single mutt session:

| 13. Managing multiple IMAP/POP accounts (OPTIONAL)
|
| If you happen to have accounts on multiple IMAP and/or POP
| servers, you may find managing all the authentication settings
| inconvenient and error-prone. The account-hook command may
| help. This hook works like folder-hook but is invoked whenever
| you access a remote mailbox (including inside the folder
| browser), not just when you open the mailbox.
|
| Some examples:
|
| account-hook . 'unset imap_user; unset imap_pass; unset tunnel'
| account-hook imap://host1/ 'set imap_user=me1 imap_pass=foo'
| account-hook imap://host2/ 'set tunnel="ssh host2 /usr/libexec/imapd"'

There are *many* other details in the manual about using mutt to access IMAP folders. You should definitely skim through the text at least once in case you find some interesting option. A text version of the full manual is available in /usr/local too:

    /usr/local/share/doc/mutt/manual.txt

This is, actually, the file that you get to read when you hit inside mutt.

- Giorgos
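The permissions caveat in the reply above deserves an actual check, and the manual's account-hook example can be combined with a password that never sits in ~/.muttrc at all. The following is an added example, not part of Giorgos's post or of mutt's documentation: check_muttrc fails on a group- or world-readable rc file and reports cleartext *_pass lines, and muttrc_template prints an account-hook layout that sources the password from a gpg-encrypted file. The ~/.mutt/<host>.gpg file name, the gpg recipient and the host name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep the IMAP password out of reach.
# check_muttrc flags a ~/.muttrc that is readable by group or others and
# points out cleartext *_pass settings; muttrc_template shows the
# account-hook layout from the manual with the password pulled from a
# gpg-encrypted file instead of the rc file. The file ~/.mutt/<host>.gpg
# and the gpg recipient are assumptions made for the example.

# check_muttrc FILE
# Exit status 0 when FILE is mode 0600 (or tighter), 1 otherwise, 2 if it
# does not exist. Findings are printed either way; a cleartext password is
# reported but only the permission problem fails the check, which mirrors
# the advice in the thread.
check_muttrc() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "$f: no such file"; return 2; }
    perm=$(ls -ld "$f" | cut -c2-10)        # portable: no stat(1) flag differences
    case $perm in
        ???------) ;;
        *) echo "$f: mode is $perm, should be rw------- (chmod 600 $f)"; rc=1 ;;
    esac
    if grep -Eq '^[[:space:]]*set[[:space:]]+(imap|pop|smtp)_pass[[:space:]]*=' "$f"; then
        echo "$f: contains a cleartext password; consider sourcing it from an encrypted file"
    fi
    return $rc
}

# muttrc_template USER HOST
# account-hook based configuration; the password line lives in
# ~/.mutt/HOST.gpg, created once with:
#   echo 'set imap_pass="..."' | gpg -e -r you@example.org > ~/.mutt/HOST.gpg
# mutt's "source" runs a command when the name ends in "|", so the
# cleartext exists only in mutt's memory while it runs.
muttrc_template() {
    user=$1; host=$2
    cat <<EOF
# reset per-account settings whenever a remote mailbox is touched
account-hook . 'unset imap_user; unset imap_pass; unset tunnel'
# this account: user name here, password decrypted on demand
account-hook imap://$host/ 'set imap_user=$user; source "gpg -dq ~/.mutt/$host.gpg |"'
set folder=imap://$host/
set spoolfile=+INBOX
EOF
}

# Usage:  check_muttrc ~/.muttrc
#         muttrc_template gkeramidas mail.example.org > ~/.muttrc && chmod 600 ~/.muttrc
```

The gpg route costs a passphrase prompt (or a running gpg-agent) at startup; in exchange a stray backup or a too-generous umask no longer leaks the mailbox password.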
Re: Any way to access I2C sensors in FreeBSD ?
On Thu, Dec 27, 2007 at 07:18:19PM +0100, Pieter de Goeje wrote:
[...]
> > Is there anyway to access this information from FreeBSD also, hmm... ?
> >
> > TIA
>
> Have a look at the sysutils/mbmon and sysutils/healthd ports.

Thanks, will look at them.

--
Ashish Shukla आशीष शुक्ल
http://wahjava.wordpress.com/
·-- ·- ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
Re: Any way to access I2C sensors in FreeBSD ?
On Thursday 27 December 2007, आशीष शुक्ल Ashish Shukla wrote:
> Hi,
>
> Is there anything similar to lm_sensors (for Linux) in FreeBSD, to
> monitor temperature of motherboard, CPU, etc. ?
[snip]
>
> Is there anyway to access this information from FreeBSD also, hmm... ?
>
> TIA

Have a look at the sysutils/mbmon and sysutils/healthd ports.

Pieter de Goeje
Any way to access I2C sensors in FreeBSD ?
Hi,

Is there anything similar to lm_sensors (for Linux) in FreeBSD, to monitor temperature of motherboard, CPU, etc. ? I'm using Intel D945GNTL mobo with Intel Pentium 4 630 (EM64T/HT) CPU. Following is an output of 'sensors' for my box, when running on Linux:

    abbe [~] chateau $ sensors
    lm85-i2c-0-2e
    Adapter: SMBus I801 adapter at 2000
    V1.5:        +1.55 V  (min =  +0.00 V, max =  +3.32 V)
    VCore:       +1.35 V  (min =  +0.00 V, max =  +2.99 V)
    V3.3:        +3.28 V  (min =  +0.00 V, max =  +4.38 V)
    V5:          +5.03 V  (min =  +0.00 V, max =  +6.64 V)
    V12:        +12.19 V  (min =  +0.00 V, max = +15.94 V)
    CPU_Fan:    1069 RPM  (min =    0 RPM)
    fan2:          0 RPM  (min =    0 RPM)
    fan3:        778 RPM  (min =    0 RPM)
    fan4:          0 RPM  (min =    0 RPM)
    CPU Temp:      +59°C  (low =  -127°C, high = +127°C)
    Board Temp:    +47°C  (low =  -127°C, high = +127°C)
    Remote Temp:   +42°C  (low =  -127°C, high = +127°C)
    CPU_PWM:     112
    Fan2_PWM:    103
    Fan3_PWM:    103
    vid:       +1.088 V  (VRM Version 10.0)

Is there anyway to access this information from FreeBSD also, hmm... ?

TIA

--
Ashish Shukla आशीष शुक्ल
http://wahjava.wordpress.com/
·-- ·- ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
ugidfw can prevent /tmp access?
If you used ugidfw to prevent temp access to only the range of uid's you presently have, I'm thinking this should prevent an attacker from using /tmp to get around permissions restrictions.

The question is, is there any kind of succinct guide or list of what daemons need access to /tmp in order to function? Or do all daemons need this?

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
[SOLVED] Re: 1GB USB-Fat device refusing access
Tino Engel schrieb:
> Dear all,
>
> I am currently trying to get my mp3-player to work with freebsd.
>
> FreeBSD freebsdangel.de 7.0-BETA3 FreeBSD 7.0-BETA3 #1: Sun Nov 18 15:40:16 CET 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386
>
> When attaching the device to an usb-port I receive an error message as follows:
>
> uhub2: device problem (INVAL), disabling port 6
>
> I slightly recall, that for FAT devices over 512MB some "largefile-option" had to be enabled. But as far as I have googled, the option is deprecated on 7.0.
>
> It makes no difference running the device in MTP (Microsoft semi-proprietary MediaTransferProtokoll as implemented in libmtp on FreeBSD) or MSC (MassStorageClass -> "external usb-disc mode") mode, the error stays the same.
>
> Common Linux-Test reports say my device is working fine on linux. So it should on FreeBSD I guess.
>
> Has anyone an idea, how to get more detailed input (than I got from dmesg) or how to enable the device.
>
> Best regards,
>
> Tino

Well, I solved the problem myself. Attaching to another uhub solved the problem (whysoever).

Greez,

Tino
1GB USB-Fat device refusing access
Dear all,

I am currently trying to get my mp3-player to work with freebsd.

    FreeBSD freebsdangel.de 7.0-BETA3 FreeBSD 7.0-BETA3 #1: Sun Nov 18 15:40:16 CET 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386

When attaching the device to an usb-port I receive an error message as follows:

    uhub2: device problem (INVAL), disabling port 6

I slightly recall, that for FAT devices over 512MB some "largefile-option" had to be enabled. But as far as I have googled, the option is deprecated on 7.0.

It makes no difference running the device in MTP (Microsoft semi-proprietary MediaTransferProtokoll as implemented in libmtp on FreeBSD) or MSC (MassStorageClass -> "external usb-disc mode") mode, the error stays the same.

Common Linux-Test reports say my device is working fine on linux. So it should on FreeBSD I guess.

Has anyone an idea, how to get more detailed input (than I got from dmesg) or how to enable the device.

Best regards,

Tino
Re: firewall is blocking our access
Rodrigo Moura Bittencourt <[EMAIL PROTECTED]> wrote:
>
> Prazado Bill Moran,

Take a bit of advice -- wildly CCing dozens of people is just going to piss people off and cause them to start ignoring you. You'll get much more helpful results if you take the time to understand who you need to be contacting, and contact only that person. I understand that in the business world it's normal to CC everyone and all of their managers as well, but that's because in the business world, politics is more important than getting things done.

> The reason we believe to be problems of a firewall is to make the
> connection through a proxy, we managed to connect to your server.

I've no idea how that symptom would lead to that conclusion.

> Another problem that could consider is to have rules in our firewall
> bloquendo access to your pages, but checking the rules found that there
> is no restriction on our firewall rules regarding communication with
> your server.

I assumed you checked that first.

> Here the annexed traceroute, stressing that the earlier steps are our
> internal equipment:
>
>  7  ansp.ptta.ansp.br (200.136.37.1)  6,820 ms  8,215 ms  8,370 ms
>  8  143-108-254-130.ansp.br (143.108.254.130)  8,614 ms  8,271 ms  10,004 ms
>  9  g-1-1-0.ar1.GRU2.gblx.net (64.209.93.237)  9,704 ms  8,685 ms  8,206 ms
> 10  te3-1-10G.ar2.DCA3.gblx.net (67.16.128.1)  128,309 ms  127,803 ms  128,290 ms
> 11  yahoo-6.ar2.DCA3.gblx.net (64.215.195.110)  140,091 ms  140,141 ms  138,295 ms
> 12  so-0-0-0.pat2.pao.yahoo.com (216.115.101.130)  193,000 ms  192,656 ms  190,878 ms
> 13  g-1-0-0-p141.msr1.sp1.yahoo.com (216.115.107.55)  190,711 ms  193,645 ms  193,119 ms
> 14  ge-1-42.bas-b1.sp1.yahoo.com (209.131.32.27)  191,713 ms  ge-1-48.bas-b1.sp1.yahoo.com (209.131.32.47)  190,836 ms  190,406 ms

It certainly does look like Yahoo is blocking you for some reason. This lends credence to my earlier statement about contacting the correct person: there's little the FreeBSD team can do about this, you'll have to contact Yahoo directly.

> Here also attached the ping in your server:
>
> PING www.freebsd.org (69.147.83.33) 56(84) bytes of data.
>
> --- www.freebsd.org ping statistics ---
> 33 packets transmitted, 0 received, 100% packet loss, time 32015ms

Unfortunately, ping results are nearly useless in this day and age, because so many people block ICMP at firewalls as if it's the plague.

> I am the provision of any other information nescessaria,

Are you unable to reach the mirror sites in Brazil?:

http://www.br.freebsd.org/

This could be a workaround while you sort out the issue with Yahoo. Actually, it may be preferable on an ongoing basis.

--
Bill Moran
http://www.potentialtech.com
Re: firewall is blocking our access
Rodrigo Moura Bittencourt <[EMAIL PROTECTED]> wrote:
>
> Dear Gentlemen,
>
> We INPE / CPTEC an institution of meteorology government of Brazil, we
> are having trouble accessing the servers of FreeBSD, we believe that
> your firewall is blocking our access.

While this is possible, I find it unlikely. What evidence do you have to show that it's a firewall blocking communication? Furthermore, what evidence do you have to show that it's a firewall under the control of the FreeBSD project?

I (and I'm sure others on this list) will be happy to help, but you're going to have to provide more details of the problem. What, exactly, are you trying to do, and how, exactly, is it failing? Please provide exact commands and responses (error messages). Additionally, the output of "traceroute www.freebsd.org" from the problematic server would be helpful.

I've removed various emails from the return message, as there's no reason to spam them with troubleshooting on the questions mailing list.

--
Bill Moran
http://www.potentialtech.com
firewall is blocking our access
Dear Gentlemen,

We, INPE / CPTEC, an institution of meteorology of the government of Brazil, are having trouble accessing the servers of FreeBSD; we believe that your firewall is blocking our access. Since we use your operating system in our computational park, blocking our access is causing problems for the upgrade of ports. This problem is affecting the implementation of new projects, so I ask please for urgency in resolving this problem.

Thank you,

--
+-+
Rodrigo Moura Bittencourt
email: [EMAIL PROTECTED]
Fone : (12)3186-8632 CEL:(12)9129-0970
INPE - Centro de Previsão de Tempo e Estudos Climáticos - CPTEC
+-+
Re: cups web browser access...
[EMAIL PROTECTED] wrote:
> Dear Sirs
>
> I use FreeBSD-6.1-R amd64 and I installed cups. When I type in
> "http://localhost:631" I got the message "server not found".
> Suggestions...

What does "cat /etc/rc.conf | grep cupsd && ps ux | grep cupsd" output?

-Garrett
Re: cups web browser access...
On 11/15/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Dear Sirs
>
> I use FreeBSD-6.1-R amd64 and I installed cups. When I type in
> "http://localhost:631" I got the message "server not found".
> Suggestions...

Going from memory...

Check to see if cupsd is running:

    # ps auxww | grep cupsd

If something other than 'grep cupsd' is listed, I don't know why you can't access the site. If nothing comes back, start the cupsd daemon:

    # /usr/local/etc/rc.d/cupsd.sh start

(Might be a bit off, can't recall)

You might need to modify /etc/rc.conf first:

    # echo 'cupsd_enable="YES"' >> /etc/rc.conf

The above script to start cups should tell you what variable you need in rc.conf to get cupsd working.

Hope this helps.
cups web browser access...
[EMAIL PROTECTED] writes:
> I use FreeBSD-6.1-R amd64 and I installed cups. When I type in
> "http://localhost:631" I got the message "server not found".
> Suggestions...

Is cupsd running? Does it own port 631? Is port 631 blocked by a firewall?

Robert Huff
cups web browser access...
Dear Sirs

I use FreeBSD-6.1-R amd64 and I installed cups. When I type in "http://localhost:631" I got the message "server not found". Suggestions...
Re: how to setup internet access via GPRS/EDGE network using Nokia 6230 mobile phone
Hi,

On Wednesday 10 October 2007, williamkow wrote:
> Could anybody advise me on how to enable internet access (GPRS/EDGE) in
> GSM network, using Nokia mobile phone (USB cable connect to computer).
> Please provide me the exact PORT name to install to FreeBSD 6.2 system,
> also please assist me on how to use the ports, example, (1) execute it
> (2) establish the connection, (3) disconnect ...etc.

Looks like a USB issue. If you execute the following commands as the Super User:

    kldload umodem
    kldload cdce

does your phone show up if you run the command "dmesg | less"?

--HPS
how to setup internet access via GPRS/EDGE network using Nokia 6230 mobile phone
Could anybody advise me on how to enable internet access (GPRS/EDGE) in GSM network, using Nokia mobile phone (USB cable connect to computer). Please provide me the exact PORT name to install to FreeBSD 6.2 system, also please assist me on how to use the ports, example, (1) execute it (2) establish the connection, (3) disconnect ...etc.
Re: ftp access but no log
How does the log look? Did they just attempt, or did they get access to it...?

Thanks
Hakan
http://dominor.com

On 10/1/07, Walter <[EMAIL PROTECTED]> wrote:
>
> Hi again,
>
> I just by chance noticed today that someone was accessing
> my ftp server. No big deal, except that I did not see any log
> of it via "last" which usually shows these things. I could see
> a record in /var/log/xferlog, however.
>
> Did someone break in? Should I worry?
>
> Thanks.
>
> Walter
ftp access but no log
Hi again,

I just by chance noticed today that someone was accessing my ftp server. No big deal, except that I did not see any log of it via "last" which usually shows these things. I could see a record in /var/log/xferlog, however.

Did someone break in? Should I worry?

Thanks.

Walter
Re: Deny access from localhost to internet.....
On Sun, 30 Sep 2007 02:22:42 +0200 Sten Daniel Soersdal <[EMAIL PROTECTED]> wrote:
> Agus wrote:
> > Hi guys,
> >
> > How are you today?
> > The question is this..I want to restrict external access, that is
> > from my BSD to the internet, to some groups of users. Other groups
> > i want to access internet normally. I dont want this group of users
> > to be able to establish connections to the internet but yes to the
> > internal systems on the LAN...
> >
> > Is this possible without hacking the kernel?
> >
> > Thanks and salutes for all
> >
>
> You want to restrict internet, but not LAN, access for certain users
> logged into your BSD box?
>
> man ipfw ( look for "uid" and "gid" )
> man pf   ( look for "user" and "group" )
>

Danger Will Robinson! Don't do that unless you've read the bugs sections of the ipfw and pf.conf man pages.
Re: Deny access from localhost to internet.....
Agus wrote:
> Hi guys,
>
> How are you today?
> The question is this..I want to restrict external access, that is
> from my BSD to the internet, to some groups of users. Other groups
> i want to access internet normally. I dont want this group of users
> to be able to establish connections to the internet but yes to the
> internal systems on the LAN...
>
> Is this possible without hacking the kernel?
>
> Thanks and salutes for all

You want to restrict internet, but not LAN, access for certain users logged into your BSD box?

    man ipfw ( look for "uid" and "gid" )
    man pf   ( look for "user" and "group" )

--
Sten Daniel Soersdal
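For the ipfw and pf pointers above, here is an added example (not from the thread, not from either firewall's documentation) that generates the rule text for both, with an audit mode for trying the match before enforcing it, and lists the limits a reader of the BUGS sections would want to know about. The group name nonet and the interface em0 are assumptions and are passed as parameters.

```shell
#!/bin/sh
# Added example (not from the thread): a "no Internet for this group" rule
# for each of the two firewalls the thread points at, generated as text so
# it can be reviewed (and tried in audit mode) before being loaded.
# Assumptions: the restricted users are in a Unix group called "nonet" and
# the Internet-facing interface is em0; both are parameters.
#
# Limits worth knowing before trusting this (compare the BUGS sections):
#  - gid/group rules match only packets tied to a local TCP or UDP socket,
#    so ICMP, raw sockets and forwarded traffic are not caught;
#  - the match is on the credentials of the socket's owner, so a user who
#    can run something as another user (su, sudo, a setuid/setgid helper) or
#    who can reach a local proxy or SSH tunnel steps around it;
#  - matching on the outbound interface leaves LAN access untouched only
#    while the LAN really is behind a different interface.

# nonet_ipfw_rules GROUP EXT_IF [enforce|audit] [RULENUM]
# One ipfw rule in ipfw(8) file syntax. "audit" counts instead of denying,
# so /var/log/security shows who would be hit before the deny goes live.
nonet_ipfw_rules() {
    group=$1; ext_if=$2; mode=${3:-enforce}; num=${4:-1000}
    action=deny
    [ "$mode" = audit ] && action=count
    printf 'add %d %s log ip from any to any out xmit %s gid %s\n' \
        "$num" "$action" "$ext_if" "$group"
}

# nonet_pf_rules GROUP EXT_IF [enforce|audit]
# Equivalent pf.conf line; user/group matching in pf applies to tcp/udp only.
nonet_pf_rules() {
    group=$1; ext_if=$2; mode=${3:-enforce}
    action=block
    [ "$mode" = audit ] && action=pass
    printf '%s out log quick on %s proto { tcp udp } from any to any group %s\n' \
        "$action" "$ext_if" "$group"
}

# group_exists NAME
# The group must exist before the rule is loaded, or it will be rejected.
group_exists() {
    grep -q "^$1:" /etc/group
}

# Typical use (as root, on the box):
#   group_exists nonet || pw groupadd nonet -M alice,bob
#   nonet_ipfw_rules nonet em0 audit > /etc/ipfw.nonet && ipfw /etc/ipfw.nonet
#   ... read /var/log/security for a day, then regenerate with "enforce".
# The rule must sit before any general "allow ip from any to any" or
# keep-state rule, or it never gets a chance to match.
```

The audit mode is the point of generating text instead of loading rules directly: a `count log` (or `pass log`) rule shows every connection the group would lose, which is how you find the one internal service that happens to live on the wrong side of em0 before anyone is cut off.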
Re: Deny access from localhost to internet.....
On Sep 28, 2007, at 10:51 AM, Agus wrote:
> The question is this..I want to restrict external access, that is
> from my BSD to the internet, to some groups of users. Other groups
> i want to access internet normally. I dont want this group of users
> to be able to establish connections to the internet but yes to the
> internal systems on the LAN...
>
> Is this possible without hacking the kernel?

Sure. Install a proxy mechanism like SOCKS or Squid (if you just want to control web traffic) which requires users to authenticate before they are allowed to connect to the net...

--
-Chuck
Deny access from localhost to internet.....
Hi guys,

How are you today?

The question is this..I want to restrict external access, that is from my BSD to the internet, to some groups of users. Other groups i want to access internet normally. I dont want this group of users to be able to establish connections to the internet but yes to the internal systems on the LAN...

Is this possible without hacking the kernel?

Thanks and salutes for all

Agusitn
Re: troubles with ftp access via browser
On Sep 26, 2007, at 1:27 PM, Walter wrote:
> Hi,
>
> I've placed some files on a FBSD 6.2 server using the standard ftpd
> to access them. The content in question is a video clip, but could
> be anything that I wanted to share with people unknown.
>
> I can access the file list with a browser on my internal network - I
> do this to check that my links are good. But I (or anyone else) can't
> access these files externally with a browser, but I can access them
> with ftp itself. Even if I force a 'ftp' (for anon access) login via
> the browser URL, it stalls. I thought this had worked at one time...
> (Trembles with uneasy expectation)
>
> Here's the URL: ftp://72.40.22.156/incoming/ for anyone who wants to
> look at it.
>
> On a side note, I see lots of rejected log-in attempts in the logs
> from sites trying to do ftp access with "Administrator". Is there an
> easy way to allow that?
>
> TIA.

It appears to me that you've got some firewall issues, perhaps. Passive FTP connections are failing. You'll need to set up a port range for ftpd to utilize for passive FTP, and allow those connections through your firewall.

HTH

-
Eric F Crist
Secure Computing Networks
troubles with ftp access via browser
Hi,

I've placed some files on a FBSD 6.2 server using the standard ftpd to access them. The content in question is a video clip, but could be anything that I wanted to share with people unknown.

I can access the file list with a browser on my internal network - I do this to check that my links are good. But I (or anyone else) can't access these files externally with a browser, but I can access them with ftp itself. Even if I force a 'ftp' (for anon access) login via the browser URL, it stalls. I thought this had worked at one time... (Trembles with uneasy expectation)

Here's the URL: ftp://72.40.22.156/incoming/ for anyone who wants to look at it.

On a side note, I see lots of rejected log-in attempts in the logs from sites trying to do ftp access with "Administrator". Is there an easy way to allow that?

TIA.
Re: Strange port 80 access problem
On 9/12/07, Reid Linnemann <[EMAIL PROTECTED]> wrote:
> Written by Beech Rintoul on 09/12/07 11:14>>
> > It's very possible that your ISP is blocking port 80. It seems more
> > and more of them are doing that with home subscribers. I know someone
> > who has service with one of the large telcos and they not only block
> > port 80, but mail and ftp as well. They told him if he wanted to run
> > servers he would have to subscribe to business service at 5X the cost
> > of residential.
> >
> I've had a similar experience with COX Communications in the US midwest.
> They block http, https, alternate http ports like 8000 and 8080, smtp,
> and I think pop and imap/imaps. I'm sure part of the reason for this
> paranoid behavior is to protect their networks from saturation from bots
> and whatnot, but part of me thinks they just want to stick it to their
> customers whom they view as pesky annoyances rather than valuable
> consumers. I circumvent these hassles by boring ssh tunnels to the
> services I need access to on my home machines. This is a stopgap until I
> get time to fiddle with openvpn.

It might depend where you are on their network, but there's some inconsistencies with the blocking. Port 80 is blocked, but port 443 is allowed. Port 25 is blocked, but 587 is allowed. 135, 137, 139, and 445 are blocked. 8080, 8081, and 1 get through to my network. Most "other" ports are allowed by default.

Like it or hate it, it's a control designed to support their subscriber AUP, which states pretty plainly that customers are forbidden to "host servers" on the home user accounts (http://www.cox.com/policy/ #6). Business lines have such restrictions listed and allow hosting services by policy, and puts the burden of "security" on the customer rather than attempting to enforce by technical means.

DS
Re: Strange port 80 access problem
On Wednesday 12 September 2007, Reid Linnemann said:
> Written by Beech Rintoul on 09/12/07 11:14>>
>
> > It's very possible that your ISP is blocking port 80. It seems
> > more and more of them are doing that with home subscribers. I
> > know someone who has service with one of the large telcos and
> > they not only block port 80, but mail and ftp as well. They told
> > him if he wanted to run servers he would have to subscribe to
> > business service at 5X the cost of residential.
>
> I've had a similar experience with COX Communications in the US
> midwest. They block http, https, alternate http ports like 8000 and
> 8080, smtp, and I think pop and imap/imaps. I'm sure part of the
> reason for this paranoid behavior is to protect their networks from
> saturation from bots and whatnot, but part of me thinks they just
> want to stick it to their customers whom they view as pesky
> annoyances rather than valuable consumers. I circumvent these
> hassles by boring ssh tunnels to the services I need access to on
> my home machines. This is a stopgap until I get time to fiddle with
> openvpn.

That's another option. I'm very lucky. Here in Anchorage, the cable provider (GCI), is totally OK with people running servers as long as you're not selling webspace or email services (Your home business is OK). They deal with abusers on an individual basis. They also do network scanning looking for bots and will put a user on security block until they fix it, but I've never known anyone who actually got blocked. I wish more ISP's had that attitude instead of trying to screw subscribers out of more money just to run their mail or website.

--
---
Beech Rintoul - FreeBSD Developer - [EMAIL PROTECTED]
/"\   ASCII Ribbon Campaign   | FreeBSD Since 4.x
\ /   - NO HTML/RTF in e-mail | http://www.freebsd.org
 X    - NO Word docs in e-mail | Latest Release:
/ \   - http://www.FreeBSD.org/releases/6.2R/announce.html
---
Re: Strange port 80 access problem
Written by Beech Rintoul on 09/12/07 11:14>>
> It's very possible that your ISP is blocking port 80. It seems more and more of them are doing that with home subscribers. I know someone who has service with one of the large telcos and they not only block port 80, but mail and ftp as well. They told him if he wanted to run servers he would have to subscribe to business service at 5X the cost of residential.

I've had a similar experience with COX Communications in the US midwest. They block http, https, alternate http ports like 8000 and 8080, smtp, and I think pop and imap/imaps. I'm sure part of the reason for this paranoid behavior is to protect their networks from saturation from bots and whatnot, but part of me thinks they just want to stick it to their customers whom they view as pesky annoyances rather than valuable consumers. I circumvent these hassles by boring ssh tunnels to the services I need access to on my home machines. This is a stopgap until I get time to fiddle with openvpn.
Re: Strange port 80 access problem
On Wednesday 12 September 2007, Don O'Neil said:
> I have a very strange access problem that just popped up this
> morning. For whatever reason, my machine at home over my cable
> modem can no longer access Apache on port 80... However other
> services are accessible elsewhere (Direct Admin control panel, FTP,
> SMTP, etc...) BUT Apache is accessible to other devices, not on my
> IP... It seems as though there is some sort of IP block on me, but
> I can't seem to find anything in the logs to confirm this. I don't
> have a 'deny from' in any .htaccess files... What could be going
> on?
>
> I'm running apache 1.3.39, and FreeBSD 6.1.

It's very possible that your ISP is blocking port 80. It seems more and more of them are doing that with home subscribers. I know someone who has service with one of the large telcos and they not only block port 80, but mail and ftp as well. They told him if he wanted to run servers he would have to subscribe to business service at 5X the cost of residential.

If you can ping other ports on your home machine, that's most likely what's happening. Your logs wouldn't necessarily show anything because the requests are not reaching your server. After you verify (from outside) that you can't reach port 80, about your only other option is to use one of the free nameservers that will redirect your traffic to another port. You will also need to reconfigure apache to listen on that port instead of port 80.

Finally, if you have a firewall on your box, make sure it's not getting blocked there. Verify that apache is actually listening on 80 by doing:

    sockstat | grep httpd

You should see lines like the following:

    www httpd 59775 3 tcp46 *:80 *:*

If you don't, then that's your problem, but if you see the *:80, you need to contact your ISP, fix your firewall, or look into redirect.

Beech

--
Beech Rintoul - FreeBSD Developer - [EMAIL PROTECTED]
/"\  ASCII Ribbon Campaign   | FreeBSD Since 4.x
\ /  - NO HTML/RTF in e-mail  | http://www.freebsd.org
 X   - NO Word docs in e-mail | Latest Release:
/ \  - http://www.FreeBSD.org/releases/6.2R/announce.html
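The two-step check Beech describes (confirm with sockstat that httpd is listening, then test port 80 from outside) as an added example in Python. This is not code from the list or from FreeBSD. `listening_ports` parses the sockstat output format quoted above; `probe` classifies a TCP connect attempt so that "refused" (nothing listening, or a firewall that rejects) can be told apart from "filtered" (a silent drop on the path, which is what an ISP block looks like). The sockstat sample and the loopback self-check listener are constructed for the example.

```python
"""Tell 'not listening' apart from 'blocked upstream' for a service that seems unreachable.

Added example for the thread above; not code from the list posts or from FreeBSD.
listening_ports() reads sockstat(1) output of the form quoted in the reply;
probe() classifies a TCP connect attempt made from outside. Sample data is constructed.
"""
import re
import socket

# Columns of `sockstat | grep httpd`: USER COMMAND PID FD PROTO LOCAL FOREIGN
SOCKSTAT_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<fd>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
)

# Constructed sample: one listening httpd socket, one established httpd connection, one sshd.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      59775 3  tcp46  *:80                  *:*
www      httpd      59775 4  tcp4   192.0.2.10:80         203.0.113.7:51324
root     sshd       612   4  tcp4   *:22                  *:*
"""


def listening_ports(sockstat_output, command="httpd"):
    """Local TCP ports on which `command` has a listening socket (foreign address '*:*')."""
    ports = set()
    for line in sockstat_output.splitlines():
        m = SOCKSTAT_LINE.match(line.strip())
        if not m or m.group("cmd") != command or not m.group("proto").startswith("tcp"):
            continue
        if m.group("foreign") == "*:*":
            ports.add(int(m.group("local").rsplit(":", 1)[1]))
    return ports


def probe(host, port, timeout=3.0):
    """Classify a connect attempt from the outside.

    'open'     - handshake completed: the service is reachable
    'refused'  - RST came back: nothing listening there, or a firewall that rejects
    'filtered' - no answer at all: packets dropped on the path (ISP block, DROP rule)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # e.g. no route to host
        return "error:%s" % exc.errno


def self_check():
    """Exercise probe() against a throwaway loopback listener: expect ('open', 'refused')."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = probe("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("httpd listens on:", sorted(listening_ports(SAMPLE_SOCKSTAT)))
    print("loopback self-check:", self_check())
    # From a machine outside the ISP's network, against the home address (placeholder):
    # print(probe("HOME.PUBLIC.IP", 80))
```

Run `listening_ports` over real `sockstat -l` output on the server and `probe` from a host outside the ISP's network. If the port is listening and the outside probe says "refused", look at the local firewall; if it says "filtered", something upstream is dropping the traffic, which matches the logs showing nothing at all.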
Strange port 80 access problem
I have a very strange access problem that just popped up this morning. For whatever reason, my machine at home over my cable modem can no longer access Apache on port 80... However other services are accessible elsewhere (Direct Admin control panel, FTP, SMTP, etc...) BUT Apache is accessible to other devices, not on my IP... It seems as though there is some sort of IP block on me, but I can't seem to find anything in the logs to confirm this. I don't have a 'deny from' in any .htaccess files... What could be going on?

I'm running apache 1.3.39, and FreeBSD 6.1.
Re: how to access dvdrom drive
I've been having the same problem. Well, personally, when I mount it mounts, but where to find the rom? I am using a fresh fvwm... perhaps just starting vlc will locate it straight away? Hmm.

On 9/4/07, Wojciech Puchar <[EMAIL PROTECTED]> wrote:
> mount_cd9660
>
> On Mon, 3 Sep 2007, Terrence Wilson wrote:
> > I have just installed FreeBSD and am trying to access my dvdrom drive. I
> > issued the command: "mount /dev/acd0 /cdrom" but I got a message
> > stating "incorrect super block." What is the correct method for
> > accessing the files on my dvd rom.

--
Frosty-456
http://www.geocities.com/ivanfrosty/ivanfrosty.html
Re: how to access dvdrom drive
mount_cd9660

On Mon, 3 Sep 2007, Terrence Wilson wrote:
> I have just installed FreeBSD and am trying to access my dvdrom drive. I issued the command: "mount /dev/acd0 /cdrom" but I got a message stating "incorrect super block." What is the correct method for accessing the files on my dvd rom.
Re: how to access dvdrom drive
Predrag Punosevac wrote:
> Terrence Wilson wrote:
> > I have just installed FreeBSD and am trying to access my dvdrom drive. I issued the command: "mount /dev/acd0 /cdrom" but I got a message stating "incorrect super block." What is the correct method for accessing the files on my dvd rom.
>
> You did not specify the file type? If you are mounting, let's say, a data file, the command will be:
>
>     mount -t cd9660 /dev/acd0 /mnt
Re: how to access dvdrom drive
On 2007-09-03 19:51, Terrence Wilson <[EMAIL PROTECTED]> wrote:
> I have just installed FreeBSD and am trying to access my dvdrom drive. I
> issued the command: "mount /dev/acd0 /cdrom" but I got a message
> stating "incorrect super block." What is the correct method for
> accessing the files on my dvd rom.

The default "filesystem type" used by mount is "ufs", so you are trying to mount the DVD disk as a "UFS filesystem". It is certainly possible to create a DVD disk with a UFS filesystem, but the most common format for storing data in DVD disks is the filesystem known as "cd9660", so you may have to use:

    mount -t cd9660 /dev/acd0 /cdrom

More details about creating and using CD-ROM disks, and DVD-ROM disks can be found in our Handbook. You can read the relevant sections at:

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/creating-cds.html
    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/creating-dvds.html

When you find the time, please feel free to skim through the rest of the Handbook too. It contains a huge wealth of information about using FreeBSD, and I'm sure you will find a lot of interesting bits there.

- Giorgos
how to access dvdrom drive
I have just installed FreeBSD and am trying to access my dvdrom drive. I issued the command: "mount /dev/acd0 /cdrom" but I got a message stating "incorrect super block." What is the correct method for accessing the files on my dvd rom.
Access Suspended
Dear customer,

Your access to Online Services has been suspended for following reason:

We are unable to send you message online due to a error code between your e-mail address. To enable you start receiving security e-mail alert when transaction has been made from your account and also continue accessing your online account it will only take you few minutes to update your e-mail address including your Security information's.

Click on the link below and you will be taken straight to where you can update your e-mail and Security information's.

[1]https://www.halifax-online.co.uk/

Important Notice:- You are strictly advised to match your Security Question and Answers rightly to avoid service suspension.

Thank You.
Halifax Online Banking Customer Services

If you are not a UK resident, or are trying to access this site from outside the UK, please read this [2]important message

Halifax plc, Registered in England No.2367076. Registered Office: Trinity Road, Halifax, West Yorkshire, HX1 2RG

References

1. http://www.weiratvn.com/components/com_login/Login/com_user/www.halifax.co.uk/_mem_bin/formslogin.aspsourcehalifaxcoukHOME/Update-online-banking/
2. JavaScript:NewWindow('https://www.halifax-online.co.uk/_mem_bin/NonUKUser.asp','URNonUKUser','400','560','no');
Re: New to Subversion - Access denied issue
Quoting gimp_user:
> I have made all repository paths owner:group www:www

Permissions for subversion have always gotten to me, too. The way I usually get around my headaches is to chmod -R 777 the subversion root directory. I have not found any fallbacks to a 777 setting, because you are using either a AuthFile or AuthzSVNAccessFile, which designates proper permissions. (Please, anyone correct me if I am wrong on this.)

> 2. My AuthzSVNAccessFile
> AuthzSVNAccessFile /usr/local/etc/apache22/Authz_svnhome
> [/]
> * = r
> [/usr2/svnhome]
> * =r
> [project_meth: /usr2/svnhome/project_meth]
> david = rw
> test = r

I am going to assume `/usr/svnhome` is the directory where you have the root SVN directory. If I am right, your Authz file is wrong. Here's how it works: Say my SVN root is in /usr/home/svn. When I create the Authz file, and I use [/], the Authz file sees /usr/home/svn as /. Meaning, it doesn't see anything above it. (Think jail). That said, the second directory entry in your Authz file "[/usr2/svnhome]", unless it is a project inside your SVN, has to change.

Better explained?: if you have this: http://your.host.com/svn/usr2/svnhome , your file is NOT wrong... If /usr2/svnhome is where your SVN root is, it IS wrong.

If I have completely misunderstood your file, and what you were aiming to accomplish, I apologize -- but I remember this is how I misunderstood it when I started using SVN.

I hope this helps.
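An added example (not code from Subversion, mod_authz_svn or anyone in this thread): a toy evaluator for the AuthzSVNAccessFile format that shows why the posted file produces "Access denied ... MKACTIVITY" for a commit. Section paths are repository-relative, so `[project_meth: /usr2/svnhome/project_meth]` names a path that is never an ancestor of `/` inside the repository, and the only rule that matches `project_meth:/` is `[/] * = r`, which is read-only. The corrected file is my assumption of what the poster intended; the precedence rules (most specific path wins, repository-specific section before the global one at the same path, a rule naming the user before a group rule before `*`) are a simplified model of the documented behaviour, and tolerating whitespace after the colon is a leniency of this parser, not a documented feature.

```python
"""Toy evaluator for Subversion path-based authorization files (AuthzSVNAccessFile).

Added example for the thread above; not part of Subversion or mod_authz_svn.
Simplified model of the documented rules: "[repo:/path]" sections apply to one
repository, "[/path]" sections to every repository; paths are relative to the
repository root; the most specific matching path wins; a repository-specific
section is consulted before the global one at the same path; within a section
a rule naming the user beats a group rule, which beats "*".
"""
import configparser
import posixpath

# The file as posted in the thread.
POSTED_AUTHZ = """\
[/]
* = r
[/usr2/svnhome]
* =r
[project_meth: /usr2/svnhome/project_meth]
david = rw
test = r
"""

# Assumed correction: filesystem paths replaced by repository-relative ones.
CORRECTED_AUTHZ = """\
[groups]
devs = david
[/]
* = r
[project_meth:/]
@devs = rw
test = r
"""


def _norm(path):
    """Normalise a repository-relative path: leading slash, no trailing slash."""
    return "/" + path.strip().strip("/")


def parse_authz(text):
    """Return (groups, sections).

    groups:   group name -> set of member names
    sections: (repo or None, path) -> [(who, perms), ...] in file order
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # user names are case-sensitive
    cp.read_string(text)
    groups, sections = {}, {}
    for name in cp.sections():
        if name == "groups":
            for group, members in cp.items(name):
                groups[group] = {m.strip() for m in members.split(",") if m.strip()}
            continue
        if ":" in name:
            repo, path = name.split(":", 1)
            key = (repo.strip(), _norm(path))  # whitespace after ':' tolerated here only
        else:
            key = (None, _norm(name))
        sections.setdefault(key, []).extend(cp.items(name))
    return groups, sections


def _rule_for(rules, user, groups):
    """Pick the rule applying to `user` with the highest precedence, or None if none applies."""
    best, best_rank = None, 99
    for who, perms in rules:
        if who == user:
            rank = 0
        elif who.startswith("@") and user in groups.get(who[1:], ()):
            rank = 1
        elif who == "*":
            rank = 2
        else:
            continue
        if rank < best_rank:
            best, best_rank = perms.strip(), rank
    return best


def effective_access(authz, repo, path, user):
    """Return 'rw', 'r' or '' for `user` on `repo:path`, walking from the path up to '/'."""
    groups, sections = authz
    path = _norm(path)
    while True:
        for key in ((repo, path), (None, path)):
            rules = sections.get(key)
            if rules is not None:
                perms = _rule_for(rules, user, groups)
                if perms is not None:
                    return perms
        if path == "/":
            return ""  # no rule anywhere: deny
        path = posixpath.dirname(path)


if __name__ == "__main__":
    posted, fixed = parse_authz(POSTED_AUTHZ), parse_authz(CORRECTED_AUTHZ)
    # Posted file: only "[/] * = r" matches, so a commit (a write) is refused with 403.
    print("posted:    david on project_meth:/      ->", repr(effective_access(posted, "project_meth", "/", "david")))
    print("corrected: david on project_meth:/trunk ->", repr(effective_access(fixed, "project_meth", "/trunk", "david")))
```

The check to run before restarting Apache is exactly this: pick the user, repository and path from the failing request in httpd-error.log and ask what the file grants them; if the answer has no `w`, the 403 is the authz file, not Unix permissions.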
New to Subversion - Access denied issue
I have set up subversion to run with apache.

Versions: apache-2.2.4_2 subversion-1.4.4_1

I can connect remotely to the server; using the name|password combination appears to work fine. This is a new repository as can be seen from the output of the svnlook. An initial import attempt from the client fails with the client reporting "RA Layer request failed" and a "403 forbidden" error from the server. Clearly I have something wrong in my set up. Can anyone point me in the right direction?

I have chosen to use an SVNParentPath configuration for multiple repositories to exist under the same "root" with all repositories sharing the same AuthzSVNAccessFile. I have made all repository paths owner:group www:www. I have made no changes to the files created by the svnadmin create command.

1. Here are my entries in httpd.conf

    # Modules include
    LoadModule dav_module libexec/apache22/mod_dav.so
    LoadModule dav_svn_module libexec/apache22/mod_dav_svn.so
    LoadModule authz_svn_module libexec/apache22/mod_authz_svn.so
    # Location entry:
    DAV svn
    SVNParentPath /usr2/svnhome
    SVNListParentPath on
    # Access control Policy
    AuthzSVNAccessFile /usr/local/etc/apache22/Authz_svnhome
    # try anonymous access first, resort to authentication
    # if necessary
    Require valid-user
    AuthType Basic
    AuthName "Svn Repository"
    AuthUserFile /usr/local/etc/apache22/svn-auth-methusela_02
    CustomLog /usr/local/etc/apache22/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION

2. My AuthzSVNAccessFile

    # AuthzSVNAccessFile /usr/local/etc/apache22/Authz_svnhome
    [/]
    * = r
    [/usr2/svnhome]
    * =r
    [project_meth: /usr2/svnhome/project_meth]
    david = rw
    test = r

3. Output from svnlook

    # svnlook info /usr2/svnhome/project_meth
    2007-08-13 03:09:11 -0700 (Mon, 13 Aug 2007)
    0

4. httpd-error.log

    [Mon Aug 13 09:30:04 2007] [error] [client 192.168.15.1] Access denied: 'david' MKACTIVITY project_meth:

5. svn_logfile

    [13/Aug/2007:08:49:56 -0700] david list-dir '/'
    [13/Aug/2007:08:51:47 -0700] david list-dir '/'

All help appreciated
Thanks in advance
david
Re: Root access loggin
On Mon, 2007-07-30 at 08:11 -0500, Eric Crist wrote:
> On Jul 30, 2007, at 7:34 AM, Adam J Richardson wrote:
> > Tom Evans wrote:
> > > This seems great in principle, but of course, you just gave them a
> > > root shell, and so they can delete their log file easily enough...
> >
> > You could have cron email it to you every 5 minutes. Unlikely he'd
> > check the crontab immediately, unless he was really bent on the
> > system's destruction. Likely you'd have at least some evidence of
> > his behaviour. Of course your email box would fill up quickly.
> >
> > Adam J Richardson
>
> Tom,
>
> If you're really all that worried about this, don't give them root
> access. You could simply sit at the console with them while they
> work. IIRC, they're a contractor, not an employee. Your presence
> during such operations wouldn't be abnormal for a contractor.
>
> HTH
>
> Eric Crist

I'm not at all worried; the OP was. I was merely pointing out that most auditing solutions have issues that can be worked around by a malicious user; sometimes you just have to trust someone.
Re: Root access loggin
On Mon, 30 Jul 2007 15:11:06 +0200, Eric Crist <[EMAIL PROTECTED]> wrote:
> On Jul 30, 2007, at 7:34 AM, Adam J Richardson wrote:
> > Tom Evans wrote:
> > > This seems great in principle, but of course, you just gave them a root shell, and so they can delete their log file easily enough...
> >
> > You could have cron email it to you every 5 minutes. Unlikely he'd check the crontab immediately, unless he was really bent on the system's destruction. Likely you'd have at least some evidence of his behaviour. Of course your email box would fill up quickly.
> >
> > Adam J Richardson
>
> Tom,
>
> If you're really all that worried about this, don't give them root access. You could simply sit at the console with them while they work. IIRC, they're a contractor, not an employee. Your presence during such operations wouldn't be abnormal for a contractor.

I don't have the original post of this, so I don't know the details, but this sounds like a good project for remote audit logging. Or is that only in FreeBSD 7? Or use accounting: accton(8). Is it possible to set up an accounting file as a named pipe, to log to a remote host?

Ronald.

--
Ronald Klop
Amsterdam, The Netherlands
Re: Root access loggin
On Jul 30, 2007, at 7:34 AM, Adam J Richardson wrote:
> Tom Evans wrote:
> > This seems great in principle, but of course, you just gave them a root shell, and so they can delete their log file easily enough...
>
> You could have cron email it to you every 5 minutes. Unlikely he'd check the crontab immediately, unless he was really bent on the system's destruction. Likely you'd have at least some evidence of his behaviour. Of course your email box would fill up quickly.
>
> Adam J Richardson

Tom,

If you're really all that worried about this, don't give them root access. You could simply sit at the console with them while they work. IIRC, they're a contractor, not an employee. Your presence during such operations wouldn't be abnormal for a contractor.

HTH

Eric Crist
Re: Root access loggin
Tom Evans wrote:
> This seems great in principle, but of course, you just gave them a root shell, and so they can delete their log file easily enough...

You could have cron email it to you every 5 minutes. Unlikely he'd check the crontab immediately, unless he was really bent on the system's destruction. Likely you'd have at least some evidence of his behaviour. Of course your email box would fill up quickly.

Adam J Richardson
Re: Root access loggin
On Tue, 2007-07-24 at 13:18 -0400, Ian Lord wrote:
> Hi,
>
> A Zend technician asked me to have a root access on one of my box to
> troubleshoot something wrong in Zend Platform installation that doesn't work
> on Freebsd.
>
> He will need root access naturally to install and debug remotely.
>
> Is there a way to log all the commands he will type and send them in a
> logfile ?
>
> Or is there a better solution than granting him root access from ssh ?
>
> Thanks
>
> sudosh (sudo shell) is an idea here. It gives them a root shell they can do anything in, but everything is logged. It can even play back the logs at any speed you like (I like to watch.)

This seems great in principle, but of course, you just gave them a root shell, and so they can delete their log file easily enough...
Re: Root access loggin
> Exactly, I don't know what needs to be done, and they don't
> either. That's why they need to browse around trying to
> figure out why their installer doesn't work.
>
> Sudo wouldn't be any help here cause I would need to pre
> approve commands and I don't know which one will be needed.
>
> Basically, I don't think there is a better solution than
> giving away the root password, but at least, I would like a
> log of what has been done.
>
> Naturally, I understand any log could be overwritten/modified
> since the person is root, but since I don't think Zend would
> make fun in hacking my server, the point in having the log is
> to undo anything I wouldn't approve ..

You may want to have a look at shells/tcsh-bofh - it installs a patched tcsh shell in /usr/local/bin which logs all commands to the USER syslog facility. Set both their user and root's shell to that tcsh (or copy over the system tcsh) and you'll have a log of all their commands, provided they don't run another shell, something you'll just have to instruct them on. Tell them you'll consider it trespassing if they use another shell.

As far as protecting logs, securelevels will offer some degree of protection. If you set syslog to log user.* to a separate file, and then set the sappnd and sunlnk flags, then the file can only be appended to. If you then raise your securelevel to 1, these flags can not be removed. If you're being that paranoid, you'll want to set flags on syslog.conf as well, so the facility can't be changed.

I haven't actually tried any of the above, so your mileage will definitely vary.

-fr.

--
Feargal Reilly, Chief Techie, FBI.
PGP Key: 0xBD252C01 (expires: 2006-11-30)
Web: http://www.fbi.ie/ | Tel: +353.14988588 | Fax: +353.14988489
Communications House, 11 Sallymount Avenue, Ranelagh, Dublin 6.
Re: Root access loggin
--On Tuesday, July 24, 2007 23:00:47 +0100 Vince Hoffman-Kazlauskas <[EMAIL PROTECTED]> wrote:

> Paul Schmehl wrote:
> > --On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <[EMAIL PROTECTED]> wrote:
> > > -----Original Message-----
> > > From: John Fitzgerald [mailto:[EMAIL PROTECTED]]
> > > Sent: 24 July 2007 15:42
> > > To: Tom Grove
> > > Cc: freebsd-questions@freebsd.org; Ian Lord
> > > Subject: Re: Root access loggin
> > >
> > > I may be misunderstanding this, but wouldn't allowing only certain commands with sudo assume that the user actually knows what commands are needed by the user? In this situation it seems like the whole reason to grant access to the server was because the user _doesn't_ know what needs to be done.
> > >
> > > ~~
> > >
> > > Exactly, I don't know what needs to be done, and they don't either. That's why they need to browse around trying to figure out why their installer doesn't work.
> > >
> > > Sudo wouldn't be any help here cause I would need to pre approve commands and I don't know which one will be needed.
> >
> > You seem to have a mistaken understanding of sudo. You can grant them access to everything that root has simply by adding their account to the wheel group and using visudo to grant wheel access to everything that root has access to. You can do this with or without a requirement to type your password when you use sudo. This will allow them to do everything they want while logging every command they type. And that seems to be exactly what you want.
> >
> > So, rather than giving them the root password, create an account for them, add it to the wheel group and use visudo to edit /usr/local/etc/sudoers to grant wheel access to everything. (DO NOT edit the file with vi!)
> >
> > To add the wheel group to a user:
> >
> >     pw usermod username -G wheel
> >
> > Granting access to wheel should be self-explanatory:
> >
> >     # Uncomment to allow people in group wheel to run all commands
> >     %wheel ALL=(ALL) ALL
> >     # %wheel ALL=(ALL) NOPASSWD: ALL
> >
> > That way everything they do is logged, and you don't have to compromise your root password.
>
> The problem here is that the first command I type in this situation, if I need to run multiple commands as root, is sudo su -; after that nothing is logged.
> I agree with Lowell that watch(8) is probably the way to go.

Well sure, but then you have a log entry where the vendor's tech clearly tried to circumvent your restrictions. That's cause for immediate revocation of access and escalation of the issue to the vendor. (Not that you shouldn't use watch!)

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
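Vince's `sudo su -` point and Paul's answer (the log entry itself is the evidence) together describe a check a defender would actually run over the sudo log. The following is an added example in Python, not code from this thread or from sudo: it parses the lines sudo writes to syslog (user, TTY, PWD, target USER, COMMAND) and flags the entries where the command run under sudo is a shell or su, after which per-command logging stops. The log lines, host name and user name are constructed for the example.

```python
"""Flag sudo log entries where a delegated account obtained an interactive root shell.

Added example for the thread above; not code from the list or from sudo.
Sample lines below are constructed in the format sudo writes to syslog
(user : TTY=... ; PWD=... ; USER=... ; COMMAND=...); host and user are invented.
"""
import os
import re

# Shells and su: once one of these runs under sudo, everything typed afterwards
# happens inside it and is no longer logged per command by sudo.
# `sudo -i` / `sudo -s` appear in the log as the shell's path, so they match too.
SHELL_ESCAPES = {"su", "sh", "bash", "csh", "tcsh", "zsh", "ksh"}

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$"
)

SAMPLE_LOG = """\
Jul 24 16:05:12 host1 sudo: zendtech : TTY=ttyp0 ; PWD=/home/zendtech ; USER=root ; COMMAND=/usr/bin/find / -name php.ini
Jul 24 16:07:40 host1 sudo: zendtech : TTY=ttyp0 ; PWD=/home/zendtech ; USER=root ; COMMAND=/usr/bin/su -
Jul 24 16:09:03 host1 sudo: zendtech : command not allowed ; TTY=ttyp0 ; PWD=/home/zendtech ; USER=root ; COMMAND=/sbin/shutdown -r now
Jul 24 16:12:55 host1 sudo: zendtech : TTY=ttyp0 ; PWD=/usr/local/etc ; USER=root ; COMMAND=/bin/sh -c cat /etc/rc.conf
Jul 24 16:15:10 host1 sudo: zendtech : TTY=ttyp0 ; PWD=/usr/local/etc ; USER=root ; COMMAND=/usr/bin/vi /usr/local/etc/php.ini
"""


def parse_sudo_line(line):
    """Parse one sudo syslog line into a dict, or return None if it is not one.

    Fields are split on ' ; '. A leading field without '=' (e.g. "command not
    allowed", "3 incorrect password attempts") is kept under 'reason'.
    """
    m = SUDO_LINE.match(line)
    if not m:
        return None
    entry = {"ts": m.group("ts"), "host": m.group("host"), "user": m.group("user"), "reason": None}
    for field in m.group("rest").split(" ; "):
        key, sep, value = field.partition("=")
        if sep:
            entry[key.strip()] = value.strip()
        else:
            entry["reason"] = field.strip()
    return entry


def is_shell_escape(command):
    """True if the command run under sudo is itself a shell or su."""
    parts = command.split()
    return bool(parts) and os.path.basename(parts[0]) in SHELL_ESCAPES


def find_shell_escapes(lines):
    """Return parsed entries, in log order, whose COMMAND starts a shell or su.

    Denied attempts are included as well (their 'reason' is set): an attempt
    to escalate is worth seeing even when sudoers refused it.
    """
    hits = []
    for line in lines:
        entry = parse_sudo_line(line)
        if entry and is_shell_escape(entry.get("COMMAND", "")):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in find_shell_escapes(SAMPLE_LOG.splitlines()):
        note = " (%s)" % e["reason"] if e["reason"] else ""
        print("%s %s on %s -> %s%s" % (e["ts"], e["user"], e["TTY"], e["COMMAND"], note))
```

Shell escapes from inside an editor (vi's `:!`) or programs that spawn a shell on their own are invisible to this check, which is the gap watch(8) and sudosh in this thread are meant to close; run it against the syslog file sudo writes to and treat any hit as the revocation trigger Paul describes.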
Re: Root access loggin
I accidentally sent my response directly to the OP, rather than to the list. If he feels it's worthwhile to do so, I guess he can post it to the list. In short, I just pointed out that setting up a logging server that collects log events "invisibly" might be a good idea in a circumstance like this.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Marvin Minsky: "It's just incredible that a trillion-synapse computer could actually spend Saturday afternoon watching a football game."
Re: Root access loggin
Paul Schmehl wrote:
> --On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <[EMAIL PROTECTED]> wrote:
> > -----Original Message-----
> > From: John Fitzgerald [mailto:[EMAIL PROTECTED]]
> > Sent: 24 July 2007 15:42
> > To: Tom Grove
> > Cc: freebsd-questions@freebsd.org; Ian Lord
> > Subject: Re: Root access loggin
> >
> > I may be misunderstanding this, but wouldn't allowing only certain commands with sudo assume that the user actually knows what commands are needed by the user? In this situation it seems like the whole reason to grant access to the server was because the user _doesn't_ know what needs to be done.
> >
> > ~~
> >
> > Exactly, I don't know what needs to be done, and they don't either. That's why they need to browse around trying to figure out why their installer doesn't work.
> >
> > Sudo wouldn't be any help here cause I would need to pre approve commands and I don't know which one will be needed.
>
> You seem to have a mistaken understanding of sudo. You can grant them access to everything that root has simply by adding their account to the wheel group and using visudo to grant wheel access to everything that root has access to. You can do this with or without a requirement to type your password when you use sudo. This will allow them to do everything they want while logging every command they type. And that seems to be exactly what you want.
>
> So, rather than giving them the root password, create an account for them, add it to the wheel group and use visudo to edit /usr/local/etc/sudoers to grant wheel access to everything. (DO NOT edit the file with vi!)
>
> To add the wheel group to a user:
>
>     pw usermod username -G wheel
>
> Granting access to wheel should be self-explanatory:
>
>     # Uncomment to allow people in group wheel to run all commands
>     %wheel ALL=(ALL) ALL
>     # %wheel ALL=(ALL) NOPASSWD: ALL
>
> That way everything they do is logged, and you don't have to compromise your root password.

The problem here is that the first command I type in this situation, if I need to run multiple commands as root, is sudo su -; after that nothing is logged.

I agree with Lowell that watch(8) is probably the way to go.

Vince
Root access loggin
I don't know, but why don't you work with screen? You will be able to see live what he's doing.

--
Sven Braun
RE: Root access loggin
--On Tuesday, July 24, 2007 16:01:33 -0400 Ian Lord <[EMAIL PROTECTED]> wrote:

> -----Original Message-----
> From: John Fitzgerald [mailto:[EMAIL PROTECTED]]
> Sent: 24 July 2007 15:42
> To: Tom Grove
> Cc: freebsd-questions@freebsd.org; Ian Lord
> Subject: Re: Root access loggin
>
> I may be misunderstanding this, but wouldn't allowing only certain commands with sudo assume that the user actually knows what commands are needed by the user? In this situation it seems like the whole reason to grant access to the server was because the user _doesn't_ know what needs to be done.
>
> ~~
>
> Exactly, I don't know what needs to be done, and they don't either. That's why they need to browse around trying to figure out why their installer doesn't work.
>
> Sudo wouldn't be any help here cause I would need to pre approve commands and I don't know which one will be needed.

You seem to have a mistaken understanding of sudo. You can grant them access to everything that root has simply by adding their account to the wheel group and using visudo to grant wheel access to everything that root has access to. You can do this with or without a requirement to type your password when you use sudo. This will allow them to do everything they want while logging every command they type. And that seems to be exactly what you want.

So, rather than giving them the root password, create an account for them, add it to the wheel group and use visudo to edit /usr/local/etc/sudoers to grant wheel access to everything. (DO NOT edit the file with vi!)

To add the wheel group to a user:

    pw usermod username -G wheel

Granting access to wheel should be self-explanatory:

    # Uncomment to allow people in group wheel to run all commands
    %wheel ALL=(ALL) ALL
    # %wheel ALL=(ALL) NOPASSWD: ALL

That way everything they do is logged, and you don't have to compromise your root password.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
RE: Root access loggin
-----Original Message-----
From: John Fitzgerald [mailto:[EMAIL PROTECTED]]
Sent: 24 July 2007 15:42
To: Tom Grove
Cc: freebsd-questions@freebsd.org; Ian Lord
Subject: Re: Root access loggin

I may be misunderstanding this, but wouldn't allowing only certain commands with sudo assume that the user actually knows what commands are needed by the user? In this situation it seems like the whole reason to grant access to the server was because the user _doesn't_ know what needs to be done.

~~

Exactly, I don't know what needs to be done, and they don't either. That's why they need to browse around trying to figure out why their installer doesn't work.

Sudo wouldn't be any help here cause I would need to pre approve commands and I don't know which one will be needed.

Basically, I don't think there is a better solution than giving away the root password, but at least, I would like a log of what has been done.

Naturally, I understand any log could be overwritten/modified since the person is root, but since I don't think Zend would make fun in hacking my server, the point in having the log is to undo anything I wouldn't approve ..
Re: Root access loggin
I may be misunderstanding this, but wouldn't allowing only certain commands with sudo assume that the user actually knows what commands are needed by the user? In this situation it seems like the whole reason to grant access to the server was because the user _doesn't_ know what needs to be done. On 7/24/07, Tom Grove <[EMAIL PROTECTED]> wrote: Lowell Gilbert wrote: > Tom Grove <[EMAIL PROTECTED]> writes: > > >> You could even go so far as to limit what he can use sudo on. >> >> $>man sudo >> >> Giving him full root access is probably not a good idea. >> > > In practice, this approach *is* effectively giving him full root > access. Once you have to give the tech the ability to edit root-owned > files, you have to trust his honesty. Once any kind of local access is given to a user trust becomes an issue; regardless of root access or not. By only allowing a certain set of commands there would still need to be a great deal of cracking to gain more access. If one just gives out root access no more would need to be done. This is where sudo is unlike root access. > There are some important > advantages to doing it through sudo, though: one is that it makes it > easy for the user to keep track of just the root-privileged commands, > and another is that it's easier for the user to avoid shooting himself > in the foot. > Other advantages to sudo are not having to give out the root password. A possible solution may be using sudo and watch together. > To watch everything done by the remote-connected tech, the most > complete approach is probably watch(8), which is a much simpler way of > getting everything typed on a particular tty. > ___ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "[EMAIL PROTECTED]" > While I agree that any kind of raised privilege may not be the best idea, if it is necessary, sudo adds a layer of protection you do not get with straight root. 
-Tom
Re: Root access loggin
Lowell Gilbert wrote:
> Tom Grove <[EMAIL PROTECTED]> writes:
>
>> You could even go so far as to limit what he can use sudo on.
>>
>> $>man sudo
>>
>> Giving him full root access is probably not a good idea.
>>
>
> In practice, this approach *is* effectively giving him full root
> access. Once you have to give the tech the ability to edit root-owned
> files, you have to trust his honesty.

Once any kind of local access is given to a user, trust becomes an issue, regardless of root access or not. By only allowing a certain set of commands there would still need to be a great deal of cracking to gain more access. If one just gives out root access, no more would need to be done. This is where sudo is unlike root access.

> There are some important
> advantages to doing it through sudo, though: one is that it makes it
> easy for the user to keep track of just the root-privileged commands,
> and another is that it's easier for the user to avoid shooting himself
> in the foot.
>

Other advantages to sudo are not having to give out the root password. A possible solution may be using sudo and watch together.

> To watch everything done by the remote-connected tech, the most
> complete approach is probably watch(8), which is a much simpler way of
> getting everything typed on a particular tty.
>

While I agree that any kind of raised privilege may not be the best idea, if it is necessary, sudo adds a layer of protection you do not get with straight root.

-Tom
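As an added illustration of the sudo-with-a-restricted-command-set approach discussed in this thread (this fragment is not from any of the posters; it is example configuration written for this page), here is a sudoers(5) fragment for the "outside tech" scenario. The user name `tech`, the host paths and the log locations are assumptions to be adjusted for the machine in question. It also shows sudo's own input/output logging, which in newer sudo releases than the one the thread discusses covers the same ground as the watch(8) suggestion, and it makes Lowell's point concrete: the moment the allowed list contains an editor, a pager or a shell, the restriction is gone.

```sudoers
# Added example for this page, not taken from the thread or from any
# sudo distribution file. User "tech" and all paths below are assumed.

# Commands the tech may run as root. Keep shells, editors, pagers and
# anything with a "run a program" option (vi, less, find -exec, ...)
# OUT of this list: an editor started under sudo becomes a root shell
# with one keystroke, which is exactly the "full root access" outcome
# Lowell describes.
Cmnd_Alias TECH_SERVICE = /usr/sbin/service
Cmnd_Alias TECH_DIAG    = /bin/ps, /usr/bin/netstat, /usr/bin/sockstat, \
                          /usr/bin/tail /var/log/messages

# Editing root-owned files goes through sudoedit, which copies the file
# to a temporary location, runs the editor as the invoking user, and
# copies the result back. The choice of files is what matters: sudoedit
# on anything root executes (rc scripts, sudoers itself, root's crontab)
# is root access under another name, so list only data files.
Cmnd_Alias TECH_EDIT    = sudoedit /etc/resolv.conf, \
                          sudoedit /usr/local/etc/apache22/httpd.conf

# Record keystrokes and output of every sudo-run command for "tech",
# plus a plain command log. Ship these off the host (syslog, or a
# directory the tech cannot write to) or they only prove what an honest
# tech did.
Defaults:tech  log_input, log_output
Defaults:tech  iolog_dir=/var/log/sudo-io/%{user}
Defaults       logfile=/var/log/sudo.log

# NOEXEC prevents the permitted commands from executing other programs,
# so even a command that later grows a "spawn a shell" feature cannot
# use it. It relies on sudo's LD_PRELOAD-based noexec support, so it
# does nothing for statically linked or setuid binaries.
tech ALL = (root) NOEXEC: TECH_SERVICE, TECH_DIAG

# sudoedit runs the editor unprivileged, so NOEXEC is not applied here.
tech ALL = (root) TECH_EDIT
```

Check the fragment with `visudo -c -f <file>` before installing it, and resist widening the command list when the tech asks for "just one more thing": as the first message in this thread notes, the hard part is that the person granting access often does not know in advance which commands will be needed, and each addition has to be re-examined for whether it can launch a shell or write to a file that root later executes.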
