captive Portal Pfsense + FreeRadius + MySQL DBMS

2012-12-12 Thread Shiv. Nath

Dear Friends Greetings,

I have a question for you; I am sure someone can help. The pfSense captive
portal is up and running. Time countdown vouchers are working without
issue, such as 30m, 45m, 1h and so on.

However, I'd like to set up a download quota of 200MB per voucher, but
then you need to log in with a username and password instead of vouchers.
I haven't found a way to generate a username and password when generating
vouchers. Is there someone who managed to get this working? At the moment
vouchers are only for time-based login.

Any clue, little information or document reference would be greatly
appreciated.

Thanks / Prabhpal S.

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


captive Portal Pfsense + FreeRadius + MySQL DBMS

2012-12-11 Thread Shiv. Nath
Dear Friends Greetings,

I have a question for you; I am sure someone can help. The pfSense captive
portal is up and running. Time countdown vouchers are working without
issue, such as 30m, 45m, 1h and so on.

However, I'd like to set up a download quota of 200MB per voucher, but
then you need to log in with a username and password instead of vouchers.
I haven't found a way to generate a username and password when generating
vouchers. Is there someone who managed to get this working? At the moment
vouchers are only for time-based login.

Any clue, little information or document reference would be greatly
appreciated.

Thanks / Shiv. Nath



WiFi / Hot-Spot Open Source World

2012-12-10 Thread Shiv. Nath
Dear Experts

I am sure many of you are part of the real game, where a lot of
technology is implemented (Internet Service Providers), those who serve
thousands of clients every day. I am requesting opinion and advice from
those experts. Surfing the web does not help much unless there is someone
who is practically in touch with, and making use of, the technology every
day. And I could not find a better place than this, where I can ask this
question and where my request can reach highly technical people who know
the information I need.

Your advice is valuable; I wish to thank in advance those who would
spend their important time to discuss or respond to this matter. The topic
is a reliable WiFi / Hot-Spot solution in the open source world.

I work with an ISP offering service for hotspots and cafe clubs. Initially
the company was using a hosted service to authenticate / validate
hotspot-cafe users etc. for many years. Eventually, our management decided
to purchase a solution that can be a one-time investment and serve the need
for our clients. 24-Online is a WiFi and hotspot solution that comes in the
form of an appliance. We purchased a 24-Online appliance that cost more than
$40,000. We purchased it thinking that it is a commercial product and it
would be reliable, and considered support as well, anyways.

After we started using the solution, we realized that it is not reliable AT
ALL. Almost every day the appliance has problems. Sometimes it does not
issue an IP address (DHCP) to a hotspot client; if that happens, it does not
redirect to the portal page so that a user can fill in the voucher number
and start browsing. In short, every day this and that. As said, we have
purchased the commercial support as well, but the support guys take several
hours, sometimes a whole weekend, to troubleshoot the problem. As a result
our customers are down. We have to refund and call to apologize for the
service interruption. After this one year of frustration, I wish to seek
advice from experts. What kind of program, or what is the right approach,
to handle these WiFi-hotspot clients using Linux / Unix? Is there anything
reliable that can work without everyday problems? I understand it is
technology and once in a while there will always be some problem, but not
every day onwards. There are four services that can make it work.

1.) User reaches the hotspot --> switches his laptop on --> the DHCP request
travels to our data center using the existing link to the hotspot, and the
hotspot software should issue an IP to the user (DHCP functionality).

2.) User clicks on his browser icon --> browser opens --> the request is
redirected to a web server (customer portal page) where the user can fill in
the valid voucher number he purchased from the hotspot site for browsing
(Apache functionality).

3.) User clicks OK after entering his voucher number --> authentication
happens --> (FreeRADIUS functionality)

4.) Then accounting --> the user can only browse for 1 hour if he purchased
a one-hour voucher --> (FreeRADIUS functionality)


How can I put all four services together and make it all work?

Thanks / Thanks




Update Failing FreeBSD 9.1-Release

2012-12-05 Thread Shiv. Nath
Does anyone know what to do?

[root@rock]# freebsd-update -r 9.1-RELEASE upgrade
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 9.1-RC3 from update5.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Inspecting system... done.

The following components of FreeBSD seem to be installed:
kernel/generic src/src world/base world/doc world/games world/lib32

The following components of FreeBSD do not seem to be installed:

Does this look reasonable (y/n)? y

Fetching metadata signature for 9.1-RELEASE from update5.FreeBSD.org...
failed.
Fetching metadata signature for 9.1-RELEASE from update4.FreeBSD.org...
failed.
Fetching metadata signature for 9.1-RELEASE from update3.FreeBSD.org...
failed.
No mirrors remaining, giving up.


Thanks / Shiv. Nath



FreeBSD Upgrade Failing

2012-12-05 Thread Shiv. Nath
Hi FreeBSD Community,

I got a warning that 9.1RC3 is approaching the end of its life and that I
should upgrade within two weeks. When I started the upgrade, I got the
following error. Does anyone know a solution?

[root@rock]# freebsd-update -r 9.1-RELEASE upgrade
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 9.1-RC3 from update5.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.

The following components of FreeBSD seem to be installed:
kernel/generic src/src world/base world/doc world/games world/lib32

The following components of FreeBSD do not seem to be installed:

Does this look reasonable (y/n)? y

Fetching metadata signature for 9.1-RELEASE from update5.FreeBSD.org...
failed.
Fetching metadata signature for 9.1-RELEASE from update4.FreeBSD.org...
failed.
Fetching metadata signature for 9.1-RELEASE from update3.FreeBSD.org...
failed.
No mirrors remaining, giving up.


Thanks / Shiv. Nath



Failed to attach P_CNT - FreeBSD 9.1 RC3

2012-11-04 Thread Shiv. Nath
Dear FreeBSD Community Friends,

It is FreeBSD 9.1 RC3, and I get the following warning in the message log
file. I need assistance to understand the meaning of this error; how
serious is it?

acpi_throttle23: failed to attach P_CNT

History:
This error has been following FreeBSD for a long time, because when I
googled the error I came across a post that belonged to FreeBSD 6x.
http://tgrove.com/2007/10/07/freebsd-6-acpi_throttle1-failed-to-attach-p_cnt/

They provided the solution as well, but it did not work. They also said
that it is only happening with Intel dual core processors, but that is not
true. As it is a virtual machine, I tried to restore the FreeBSD VM on three
different servers having different specifications of processors (dual
cores, quad cores, six cores); it was still the same, so I then decided to
consult with experts.


The following was the solution, but it did not remove the error/warning:


vi /boot/device.hints
# Add this to the end of the file
hint.acpi_throttle.0.disabled="1"

vi /boot/loader.conf
# Add this to the end of the file
hint.acpi_throttle.0.disabled="1"


Thanks / Shiv. Nath



Alert When Hardware Changes !

2012-10-05 Thread Shiv. Nath

Dear Friends of List,

Well, I understand perhaps someone will wonder whether it is correct to
ask this question here. But I did not find a better place than here.
Here is a community of technical people, and the question is technical as
well.

Question:

Is anyone aware of a program (software) that can alert me when hardware
changes? I.e., let's say I will monitor the hardware of a computer/server
using a program (e.g. Zabbix / Nagios), maybe a different program. Can I
receive an alert when the hard disk of the computer has been changed?

Is anyone aware of any such software?




Re: PF Configuration - FreeBSD Release 9.0 x64

2012-09-11 Thread Shiv. Nath
I would actually question why avahi is even enabled on a server; perhaps 
the correct answer is simply to disable it in rc.conf.

You do know that avahi-daemon's main use is to advertise _services_ running
on a host?


Yes, but zeroconf-style services are often more of a peer-to-peer nature
instead of fixed (which don't *need* zeroconf).  It's also a larger attack
surface.


Dear Brandon A & Kimmo P.

Thanks for the kind assistance and advice; in my case disabling "avahi"
would not affect me much because it is only a mail server. Thanks once
again.



Re: PF Configuration - FreeBSD Release 9.0 x64

2012-09-11 Thread Shiv. Nath
Sep 11 07:49:56 titan avahi-daemon[1567]: Received response from host 41.211.2.239 with invalid source port 4331 on interface 'em0.0'
Sep 11 07:50:25 titan avahi-daemon[1567]: Received response from host 41.211.2.239 with invalid source port 38627 on interface 'em0.0'
Sep 11 07:51:29 titan avahi-daemon[1567]: Received response from host 41.211.2.239 with invalid source port 38627 on interface 'em0.0'


It says it received a *response* so my understanding is *you* are trying to 
connect.

Adjust your rule and see if it's any better.


Dear D. Fleuriot & Christer. S

Thanks for your response and help. Logically, you are correct (It says
it received a *response* so my understanding is *you* are trying to
connect), but frankly speaking, I don't know what is happening.


I have 5,000 active public IP addresses configured in my network. The
problematic IP, "41.211.2.239", belongs to one of my customers. I see the
same log on many other servers as well. I am a bit confused, because how
have 10 servers in my data center decided to send something to the same
particular IP when there are many thousand other IPs available to send
something to? It is like that machine is sending broadcasts and my servers
receive them, but it is confusing when reading the logs. Have you come
across this kind of issue before?


Thanks for your assistance, I will try to block using

block log quick ... instead, or I will put this IP in a VLAN to stop the broadcasting.



PF Configuration - FreeBSD Release 9.0 x64

2012-09-11 Thread Shiv. Nath

Dear FreeBSD Guys,

It is FreeBSD Release 9.0 x64 and I see this log very frequently, almost
every second, and I want to block this IP from reaching my server. I
configured PF as follows but still see the same logs; it is as if
it did not work.


block in log quick from 41.211.2.239/32 to any


Sep 11 07:49:56 titan avahi-daemon[1567]: Received response from host 41.211.2.239 with invalid source port 4331 on interface 'em0.0'
Sep 11 07:50:25 titan avahi-daemon[1567]: Received response from host 41.211.2.239 with invalid source port 38627 on interface 'em0.0'
Sep 11 07:51:29 titan avahi-daemon[1567]: Received response from host 41.211.2.239 with invalid source port 38627 on interface 'em0.0'



Re: USE PF to Prevent SMTP Brute Force Attacks - Resolved !!!

2012-06-17 Thread Shiv. Nath

On 16/06/2012 21:03, Shiv. Nath wrote:

Dear Matthew,

Matthew, one a, one e.

first thanks for assisting to secure 22/25 ports from brute force
attack.
i wish to consult if the following white list looks fine to exclude
trusted networks (own network)


int0="em0"
secured_attack_ports="{21,22,25}"

table  persist
block in log quick from 
pass in on $int0 proto tcp \
from any to $int0 port $secured_attack_ports  \
flags S/SA keep state \
(max-src-conn-rate 5/300, overload  flush global)


## Exclude Own Network From Brute-Force Rule ##

table  persist {71.221.25.0/24, 71.139.22.0/24}

pass in on $int0 proto tcp from  to any port
$secured_attack_ports

But, yes, other than that it looks good.  You want to move
the table definitions up to the top of the file and as you've shown, you
want your network specific rule after the more generic rate-limited
accept rule: remember that (except for quick rules) it's the last
matching rule in the ruleset that applies.

Cheers, Matthew


Dear Matthew,

I am sorry for misspelling your name; finally it is done with your
assistance. You have very good knowledge of PF, because you are a gentleman
indeed. Sorry to trouble you too much.

Thanks / Thanks / Thanks / Thanks / Thanks /Thanks / Thanks  / Thanks
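
The rule-ordering advice quoted in this message (last matching rule wins, except for quick rules), as an added example that is not part of the original thread: a simplified Python model of PF's evaluation order. The table name <trusted>, the rule labels and the sample source addresses are assumptions made for the illustration.

```python
"""Simplified model of PF rule evaluation (added example, not from the thread).

The last matching rule decides, unless a matching rule is `quick`, which
stops evaluation immediately.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Constructed table contents. <bruteforce> is the overload table from the
# thread; <trusted> is a hypothetical name for the whitelist table.
TABLES = {
    "bruteforce": [ip_network("203.0.113.7/32")],
    "trusted": [ip_network("71.221.25.0/24"), ip_network("71.139.22.0/24")],
}
PORTS = frozenset({21, 22, 25})  # $secured_attack_ports


@dataclass(frozen=True)
class Rule:
    label: str
    action: str                             # "pass" or "block"
    src_table: Optional[str] = None         # None means "from any"
    ports: Optional[FrozenSet[int]] = None  # None means any port
    quick: bool = False
    rate_limited: bool = False              # has max-src-conn-rate/overload


BLOCK_BAD = Rule("block-bruteforce", "block", src_table="bruteforce", quick=True)
PASS_RATE = Rule("pass-rate-limited", "pass", ports=PORTS, rate_limited=True)
PASS_TRUSTED = Rule("pass-trusted", "pass", src_table="trusted", ports=PORTS)

RECOMMENDED = [BLOCK_BAD, PASS_RATE, PASS_TRUSTED]  # order advised in the thread
SWAPPED = [BLOCK_BAD, PASS_TRUSTED, PASS_RATE]      # whitelist before generic rule


def matches(rule, src, port):
    """True if the packet's source address and destination port fit the rule."""
    if rule.ports is not None and port not in rule.ports:
        return False
    if rule.src_table is None:
        return True
    return any(ip_address(src) in net for net in TABLES[rule.src_table])


def evaluate(ruleset, src, port):
    """Return the deciding rule, or None when nothing matches (implicit pass)."""
    decided = None
    for rule in ruleset:
        if matches(rule, src, port):
            decided = rule
            if rule.quick:   # quick: stop here, later rules are not consulted
                break
    return decided


if __name__ == "__main__":
    for name, ruleset in (("recommended", RECOMMENDED), ("swapped", SWAPPED)):
        for src in ("203.0.113.7", "198.51.100.9", "71.221.25.10"):
            rule = evaluate(ruleset, src, 25)
            label = rule.label if rule else "implicit pass"
            limited = rule.rate_limited if rule else False
            print(f"{name:12} {src:14} -> {label} (rate limited: {limited})")
```

With the whitelist rule placed before the generic rule, a trusted source is decided by the rate-limited rule and can still be pushed into the overload table.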




Re: USE PF to Prevent SMTP Brute Force Attacks - Resolved !!!

2012-06-16 Thread Shiv. Nath

>> Ooops.  Yes, -t bruteforce is correct.  "expire 604800" means delete
>> entries after they've been in the table for that number of seconds (ie
>> after one week)
>>
>>  Cheers,
>>
>>  Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
>>   Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
>> JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Dear Metthew,

First, thanks for assisting to secure the 22/25 ports from brute force attack.
I wish to consult whether the following whitelist looks fine to exclude
trusted networks (own network).



int0="em0"
secured_attack_ports="{21,22,25}"

table  persist
block in log quick from 
pass in on $int0 proto tcp \
from any to $int0 port $secured_attack_ports  \
flags S/SA keep state \
(max-src-conn-rate 5/300, overload  flush global)


## Exclude Own Network From Brute-Force Rule ##

table  persist {71.221.25.0/24, 71.139.22.0/24}
pass in on $int0 proto tcp from  to any

OR

pass in on $int0 proto tcp from  to secured_attack_ports

Thanks / Regards





Re: PF to Preventing SMTP Brute Force Attacks

2012-06-16 Thread Shiv. Nath

> On Jun 15, 2012, at 12:55 PM, Shiv. Nath wrote:
>
>> # START
>> table bruteforce persist
>> block in log quick from bruteforce
>>
>> pass in on $ext_if proto tcp \
>> from any to $ext_if port $trusted_tcp_ports \
>> flags S/SA keep state \
>> (max-src-conn-rate 3/300, overload bruteforce flush global)
>>
>> # END
>>
>> AND CRON:
>> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null
>> 2>&1
>>
>> What is the function "expire 604800" are they entries in the table?
>> should it be -t bruteforce or -t ssh-bruteforce
>
>
> It refers to entries in the table specified by the "-t" option and
> instructs pf to expire (remove from the table) all entries older than the
> specified time (in seconds).  Basically, the value 604800 will expire
> entries older than 1 week.
>
> For the above pf rules, the cron entry should be "-t bruteforce" (although
> in the pf rules you should be using "<bruteforce>").
>
> Cheers,
>
> Paul.
>
>

Dear Metthew & Paul,

Thank you very much for your time, efforts and energy to help me
configure PF. Metthew also advised me to create a whitelist, so that I do
not lock myself out. I have yet to look at it.

I will get in touch if I require more help. Thanks

Regards





Re: PF to Preventing SMTP Brute Force Attacks

2012-06-15 Thread Shiv. Nath

>> Dear Mattthew,
>>
>> Grateful for sending me in right direction, solution really sounds well.
>> Does it look good configuration for "/etc/pf.conf" ?
>>
>> # START
>> table bruteforce persist
>
> Watch the syntax -- it's table <bruteforce> persist with angle brackets.
>
>> block in log quick from bruteforce
>>
>> pass in on $ext_if proto tcp \
>> from any to $ext_if port $trusted_tcp_ports \
>> flags S/SA keep state \
>> (max-src-conn-rate 3/300, overload bruteforce flush global)
>
> Again -- you need angle brackets around the table name.
>
>>
>> # END
>>
>> AND CRON:
>> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null
>> 2>&1
>>
>> What is the function "expire 604800" are they entries in the table?
>> should it be -t bruteforce or -t ssh-bruteforce
>
> Ooops.  Yes, -t bruteforce is correct.  "expire 604800" means delete
> entries after they've been in the table for that number of seconds (ie
> after one week)
>
>   Cheers,
>
>   Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
>   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
> JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Dear Mattthew,

I am very much grateful for your assistance and advice configuring PF
correctly. Well done!

Thanks / Regards
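
The two corrections made in this message (table names need angle brackets, and the cron job's -t must name the same table as the ruleset) can be checked mechanically. This lint is an added example, not code from the thread; the function names and the embedded sample inputs are constructed for the illustration.

```python
"""Lint for the two mistakes corrected in this thread (added example):
a PF table written without angle brackets, and a cron `pfctl -t NAME`
that names no table present in pf.conf."""
import re

# Constructed inputs that mirror the draft configuration posted in the thread.
DRAFT_PF_CONF = r"""
table bruteforce persist
block in log quick from bruteforce
pass in on $ext_if proto tcp \
    from any to $ext_if port $trusted_tcp_ports \
    flags S/SA keep state \
    (max-src-conn-rate 3/300, overload bruteforce flush global)
"""
DRAFT_CRONTAB = (
    "*/12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1\n"
)

# The same inputs with both corrections applied.
FIXED_PF_CONF = DRAFT_PF_CONF.replace("bruteforce", "<bruteforce>")
FIXED_CRONTAB = DRAFT_CRONTAB.replace("ssh-bruteforce", "bruteforce")

TABLE_REF = re.compile(r"<([A-Za-z_][\w-]*)>")


def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    lines = (line.split("#", 1)[0].strip() for line in joined.splitlines())
    return [line for line in lines if line]


def lint(pf_conf, crontab):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    lines = logical_lines(pf_conf)
    # Tables that are correctly referenced as <name> somewhere in the ruleset.
    known = {name for line in lines for name in TABLE_REF.findall(line)}
    # Names used where PF expects a table but written without brackets.
    bare = set()
    for line in lines:
        declared = re.match(r"table\s+(?!<)(\S+)", line)
        if declared:
            bare.add(declared.group(1))
        bare.update(re.findall(r"\boverload\s+(?!<)([\w-]+)", line))
    for name in sorted(bare):
        findings.append(f"pf.conf: table '{name}' must be written <{name}>")
    for line in lines:
        for name in re.findall(r"\b(?:from|to)\s+(?!<)([\w-]+)", line):
            if name in bare | known:
                findings.append(
                    f"pf.conf: '{name}' after from/to is not a table reference")
    for line in logical_lines(crontab):
        for name in re.findall(r"pfctl\b.*?\s-t\s+(\S+)", line):
            if name not in known:
                findings.append(
                    f"crontab: pfctl -t {name} matches no table in pf.conf")
    return findings


if __name__ == "__main__":
    for finding in lint(DRAFT_PF_CONF, DRAFT_CRONTAB):
        print(finding)
```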








Re: PF to Preventing SMTP Brute Force Attacks

2012-06-15 Thread Shiv. Nath

> Limiting yourself to 200 states won't protect you very much -- you tend
> to get a whole series of attacks from the same IP, and that just uses
> one state at a time.
>
> Instead, look at the frequency with which an attacker tries to connect
> to you.  Something like this:
>
> table <bruteforce> persist
>
> [...]
>
> block in log quick from <bruteforce>
>
> [...]
>
> pass in on $ext_if proto tcp \
>  from any to $ext_if port $trusted_tcp_ports \
>  flags S/SA keep state   \
>  (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>
> Plus you'll need a cron job like this to clean up the bruteforce table,
> otherwise it will just grow larger and larger:
>
> */12 * * * *  /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null
> 2>&1
>
> The end result of this is that if one IP tries to connect to you more
> than 3 times in 5 minutes, they will get blacklisted.  I normally use
> this just for ssh, so you might want to adjust the parameters
> appropriately.  You should also implement a whitelist for IP ranges you
> control or use frequently and that will never be used for bruteforce
> attacks: it is quite easy to block yourself out with these sort of rules.
>
>   Cheers,
>
>   Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
>   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
> JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Dear Mattthew,

Grateful to you for sending me in the right direction; the solution really
sounds good. Does this look like a good configuration for "/etc/pf.conf"?

# START
table bruteforce persist
block in log quick from bruteforce

pass in on $ext_if proto tcp \
from any to $ext_if port $trusted_tcp_ports \
flags S/SA keep state \
(max-src-conn-rate 3/300, overload bruteforce flush global)

# END

AND CRON:
*/12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1

What is the function of "expire 604800"? Are they entries in the table?
Should it be -t bruteforce or -t ssh-bruteforce?

Thanks





PF to Preventing SMTP Brute Force Attacks

2012-06-15 Thread Shiv. Nath
Hi FreeBSD Gurus,


I want to use PF to prevent SMTP brute force attacks. I need some help
to understand the correct syntax.

URL Explaining this: http://www.openbsd.org/faq/pf/filter.html#stateopts


I expect the following behavior from the PF rule below:

Limit the absolute maximum number of states that this rule can create to 200

Enable source tracking; limit state creation based on states created by
this rule only

Limit the maximum number of nodes that can simultaneously create state to 100

Limit the maximum number of simultaneous states per source IP to 3

Solution:
int0="em0"
trusted_tcp_ports="{22,25,443,465}"

# State-tracking options must be enclosed in parentheses after "keep state"
pass in on $int0 proto tcp from any to any port $trusted_tcp_ports \
    keep state (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

Please help.

Thanks / Regards

