Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-24 Thread nate
Ted Unangst said:

 states are only allocated on demand.  you could set the limit to a billion
 with no problem until you actually start using too many states.  the limit
 is there to protect you from the firewall imploding.


thanks for all the info, very useful! hopefully such info can
get added to the docs at some point, since others have contacted
me as well asking similar questions.

thanks a lot (again)

nate



Re: upgrade is it important ?

2005-09-24 Thread Stuart Henderson

--On 24 September 2005 08:53 +0700, Budhi Setiawan wrote:


1. how important is it to make our system (OS and packages) always
up-to-date (except for security reasons, of course), because some
people say you should update your system at least once a year


Given the ease of upgrading OpenBSD, and the recommendation not to skip 
releases when upgrading, it's probably worthwhile to install each new 
version of the OS. If not, you'll have to do more work when there is a 
security update to install. Upgrading packages is usually 
straightforward, and the updates to the package tools between 3.7 and 
3.8 make it simpler than before.



2. if I'm doing an upgrade from 3.7 to 3.8, what happens to my old
programs, since my old programs are using the old libraries? Do they
still work without recompiling?

3. and another if, how do I make my system clean after I upgrade from
one version to another version? Because I still see the old
libraries from the old version!


These two questions are linked - the old libraries are left so that you 
can continue to use your old software without recompiling. Unless 
you're seriously short of disk space, just leave them, they won't cause 
a problem.




Re: slow ssh connect

2005-09-24 Thread Darren Tucker

Simon Strandgaard wrote:

I have openbsd 3.7 on an old P133.
Connecting with SSH to the box takes near 20 seconds.

Any ideas on how to make it go faster?


http://www.openssh.com/faq.html#3.3

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: is there a way to block sshd trolling?

2005-09-24 Thread Matthias Kilian
On Fri, Sep 23, 2005 at 08:07:35PM -0600, jared r r spiegel wrote:
   caveat is that i currently haven't implemented a way to expire entries
   out, however until you get something fancier tested/implemented,
   some simple pf action like that above might fly

/usr/ports/sysutils/expiretable in -current



Re: slow ssh connect

2005-09-24 Thread Simon Strandgaard
On 9/24/05, Simon Strandgaard [EMAIL PROTECTED] wrote:
 I have openbsd 3.7 on an old P133.
 Connecting with SSH to the box takes near 20 seconds.


 Any ideas on how to make it go faster?


just realized that ssh takes a '-v' argument.. output attached.


approx 13 seconds is spent in this line:
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1+CAN-2004-0175


any ideas how to make this error go away?

--
Simon Strandgaard


prompt ssh -v [EMAIL PROTECTED]
OpenSSH_3.6.1p1+CAN-2004-0175, SSH protocols 1.5/2.0, OpenSSL 0x0090707f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to 192.168.1.123 [192.168.1.123] port 22.
debug1: Connection established.
debug1: identity file /Users/simonstrandgaard/.ssh/identity type -1
debug1: identity file /Users/simonstrandgaard/.ssh/id_rsa type 1
debug1: identity file /Users/simonstrandgaard/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1+CAN-2004-0175
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server-client aes128-cbc hmac-md5 none
debug1: kex: client-server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.123' is known and matches the RSA host key.
debug1: Found key in /Users/simonstrandgaard/.ssh/known_hosts:7
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/simonstrandgaard/.ssh/identity
debug1: Offering public key: /Users/simonstrandgaard/.ssh/id_rsa
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Offering public key: /Users/simonstrandgaard/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433 lastkey 0x300b80 hint 2
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Sat Sep 24 12:26:40 2005 from 192.168.1.2
OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

I had to hit him -- he was starting to make sense.
molly:neoneye {98}



Re: slow ssh connect

2005-09-24 Thread Stuart Henderson

--On 24 September 2005 11:27 +0200, Simon Strandgaard wrote:


I have openbsd 3.7 on an old P133.
Connecting with SSH to the box takes near 20 seconds.

Any ideas on how to make it go faster?


Depending on your needs, either read about ControlMaster in 
ssh_config(5) and -M in ssh(1), or use the less robust but faster v1 
protocol.




Re: slow ssh connect

2005-09-24 Thread moma
On 9/24/05, Simon Strandgaard [EMAIL PROTECTED] wrote:

 I have openbsd 3.7 on an old P133.
 Connecting with SSH to the box takes near 20 seconds.


 Any ideas on how to make it go faster?


 ssh [EMAIL PROTECTED]

 --
 Simon Strandgaard

 look into /etc/hosts, it probably has to do with dns



Re: slow ssh connect

2005-09-24 Thread Tarquin Joseph
You may want to check your /etc/resolv.conf and make sure you have at least
one valid nameserver entry.

nameserver a.b.c.d

Tarquin.

On 9/24/05, Simon Strandgaard [EMAIL PROTECTED] wrote:

 I have openbsd 3.7 on an old P133.
 Connecting with SSH to the box takes near 20 seconds.


 Any ideas on how to make it go faster?


 ssh [EMAIL PROTECTED]

 --
 Simon Strandgaard



Time limited internet connection

2005-09-24 Thread Kiraly Zoltan
I want to build a home network using OpenBSD as gateway. A child on the 
network has a computer and likes to surf the Internet. I want to drop 
her Internet connection at night (11:00AM) because the child doesn't go to 
sleep.


I don't want to unplug the network cable, I need to do this job with 
OpenBSD.


Does a proxy server or other solution exist which limits the Internet 
connection by time? An example: drop the Internet connection at 11 AM at 
night and allow Internet at 6:00 AM in the morning.


Thank you very much



Re: Time limited internet connection

2005-09-24 Thread Rod.. Whitworth
On Sat, 24 Sep 2005 13:29:18 +0300, Kiraly Zoltan wrote:

I want to build a home network using OpenBSD as gateway. A child on the 
network has a computer and likes to surf the Internet. I want to drop 
her Internet connection at night (11:00AM) because the child doesn't go to 
sleep.

11 AM at night is a very strange time seeing that AM literally means
before noon

I don't want to unplug the network cable, i need to do this job with 
OpenBSD.

Does a proxy server or other solution exist which limits the Internet 
connection by time? An example: drop the Internet connection at 11 AM at 
night and allow Internet at 6:00 AM in the morning.

Thank you very much




How about two pf.conf files (pf6to23.conf and pf23to6.conf) and a
couple of cron entries to do pfctl -f pf6to23.conf and pfctl -f
pf23to6.conf ?

I am sure you can work out the rules. Watch out for established
connections keeping state. Flushing those might be good. It varies with
your other needs.


From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: Time limited internet connection

2005-09-24 Thread Rogier Krieger
On 9/24/05, Kiraly Zoltan [EMAIL PROTECTED] wrote:
 I want to drop her Internet connection at night (11:00AM) because the
 child don't go to sleep.

It would seem your problem is primarily one of parenting and not so
much a technical one. Still, cron(8) and various self-made scripts may
prove useful tools. What scripting you need/want is limited only by
your creativity.

If I recall correctly, the misc@ archives also hold several posts with
concrete pointers. You'll want to search those as well.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.



Re: Time limited internet connection

2005-09-24 Thread Kiraly Zoltan

Rod.. Whitworth wrote:


On Sat, 24 Sep 2005 13:29:18 +0300, Kiraly Zoltan wrote:


I want to build a home network using OpenBSD as gateway. A child on the 
network has a computer and likes to surf the Internet. I want to drop 
her Internet connection at night (11:00AM) because the child doesn't go to 
sleep.


11 AM at night is a very strange time seeing that AM literally means
before noon


I don't want to unplug the network cable, I need to do this job with 
OpenBSD.


Does a proxy server or other solution exist which limits the Internet 
connection by time? An example: drop the Internet connection at 11 AM at 
night and allow Internet at 6:00 AM in the morning.


Thank you very much


How about two pf.conf files (pf6to23.conf and pf23to6.conf) and a
couple of cron entries to do pfctl -f pf6to23.conf and pfctl -f
pf23to6.conf ?

I am sure you can work out the rules. Watch out for established
connections keeping state. Flushing those might be good. It varies with
your other needs.



From the land down under: Australia.

Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.


11 AM at night is a very strange time seeing that AM literally means
before noon


Sorry, yes, it is 11 PM instead of 11 AM.



Re: Time limited internet connection

2005-09-24 Thread steven mestdagh
On Sat, Sep 24, 2005 at 08:45:25PM +1000, Rod.. Whitworth wrote:
 On Sat, 24 Sep 2005 13:29:18 +0300, Kiraly Zoltan wrote:
 
 I want to build a home network using OpenBSD as gateway. A child on the 
 network has a computer and likes to surf the Internet. I want to drop 
 her Internet connection at night (11:00AM) because the child doesn't go to 
 sleep.
 
 11 AM at night is a very strange time seeing that AM literally means
 before noon
 
 I don't want to unplug the network cable, i need to do this job with 
 OpenBSD.
 
 Does a proxy server or other solution exist which limits the Internet 
 connection by time? An example: drop the Internet connection at 11 AM at 
 night and allow Internet at 6:00 AM in the morning.
 
 Thank you very much
 
 
 
 
 How about two pf.conf files (pf6to23.conf and pf23to6.conf) and a
 couple of cron entries to do pfctl -f pf6to23.conf and pfctl -f
 pf23to6.conf ?

wouldn't it be easier to set up a table with IPs to block and put the IP of
this computer in that table at night/remove it again in the morning?
should be easy with pfctl.

-- 
steven

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: slow ssh connect

2005-09-24 Thread Simon Strandgaard
On 9/24/05, Darren Tucker [EMAIL PROTECTED] wrote:
 Simon Strandgaard wrote:
  just realized that ssh takes a '-v' argument.. output attached.
 
  approx 13 seconds is spend in this line:
  debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1+CAN-2004-0175
 
  any ideas how to make this error go away?

 Sounds like a name resolution problem, probably reverse resolution of
 the client's IP by the server.  If it's not that then check the rest of
 the name-IP and IP-name resolutions and make sure they match (on both
 client and server).

Ok.


Solved, the problem was that in my Mac's network setup I had
configured a DNS server which was no longer on the same LAN.
I deleted it and ssh connect is now snappy (3 seconds).


Thanks for suggestions, without them I wouldn't have gotten this solved.

--
Simon Strandgaard
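Simon's -v trace shows the pause sitting between the "Local version string" line and SSH2_MSG_KEXINIT, and Darren's diagnosis (the server reverse-resolving the client, or forward and reverse lookups that disagree) is what the fix confirmed. The script below is an added example, not code from this thread or from OpenSSH: report_gaps timestamps the ssh -v output and prints the debug line that preceded each stall, and dns_roundtrip does Darren's forward-then-reverse check. It assumes date(1) accepts +%s and that host(1) is the BIND utility with its usual output format; the script name sshstall.sh and the host name in the usage line are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# Usage:  ssh -v user@host true 2>&1 | sh sshstall.sh gaps 2
#         sh sshstall.sh dns host.example      (hypothetical host name)
# Assumes date(1) understands +%s and that host(1) is the BIND utility,
# whose output looks like "NAME has address A" and
# "A.in-addr.arpa domain name pointer NAME.".

# Prefix every line read on stdin with the epoch second it arrived at.
stamp_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\t%s\n' "$(date +%s)" "$line"
    done
}

# Read "epoch<TAB>line" records and report every pause of at least $1
# seconds (default 2).  The line reported is the last one printed *before*
# the pause, i.e. the step the client was stuck on (DNS, GSSAPI, kex, ...).
report_gaps() {
    awk -v thresh="${1:-2}" '
        {
            t = $1 + 0
            l = substr($0, index($0, "\t") + 1)
            if (NR > 1 && t - prev_t >= thresh)
                printf "%ds stall after: %s\n", t - prev_t, prev_l
            prev_t = t; prev_l = l
        }'
}

# Darren's check: forward and reverse DNS must agree.  Returns 0 when the
# PTR of the address NAME resolves to points back at NAME, 1 otherwise.
dns_roundtrip() {
    name=$1
    addr=$(host "$name" 2>/dev/null | awk '/has address/ { print $4; exit }')
    [ -n "$addr" ] || { echo "$name: no A record"; return 1; }
    ptr=$(host "$addr" 2>/dev/null |
          awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }')
    [ -n "$ptr" ] || { echo "$name -> $addr: no PTR record"; return 1; }
    case "$ptr" in
        "$name" | "$name".*) echo "$name -> $addr -> $ptr (ok)" ;;
        *) echo "$name -> $addr -> $ptr (MISMATCH)"; return 1 ;;
    esac
}

case "${1:-}" in
    gaps) shift; stamp_lines | report_gaps "$@" ;;
    dns)  dns_roundtrip "$2" ;;
esac
```

Run the dns check from both ends, because the lookup that stalls is done by whichever side is waiting: a dead resolver in /etc/resolv.conf (Tarquin's point) or a stale server entry like Simon's makes every login pay the timeout, and the gaps report shows you which protocol step was sitting on it.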



Re: Time limited internet connection

2005-09-24 Thread Nick Holland
Rod.. Whitworth wrote:
 On Sat, 24 Sep 2005 13:29:18 +0300, Kiraly Zoltan wrote:
 
I want to build a home network using OpenBSD as gateway. A child on the 
network has a computer and likes to surf the Internet. I want to drop 
her Internet connection at night (11:00AM) because the child doesn't go to 
sleep.

 11 AM at night is a very strange time seeing that AM literally means
 before noon
 
I don't want to unplug the network cable, i need to do this job with 
OpenBSD.

Does a proxy server or other solution exist which limits the Internet 
connection by time? An example: drop the Internet connection at 11 AM at 
night and allow Internet at 6:00 AM in the morning.

Thank you very much


 
 
 How about two pf.conf files (pf6to23.conf and pf23to6.conf) and a
 couple of cron entries to do pfctl -f pf6to23.conf and pfctl -f
 pf23to6.conf ?

and put a pf.conf that matches the one you want to have at boot time.
You may may not want someone bumping the reset button or power switch
and having the system default to [insert your undesired case here.  And
don't be sure your first answer will be your final answer!]

 I am sure you can work out the rules. Watch out for established
 connections keeping state. Flushing those might be good. It varies with
 your other needs.

A few other tips...
Hard code the MAC address of machines you DON'T want to turn off into
dhcpd.conf, so they always get the same address, and add those addresses
to an always on table.

Add/remove the switched nodes by cron job/menu/whatever.  I found that
easier than the two PF rules files, as I kept forgetting to make changes
to both/all copies.

Run a self-poisoned DNS resolver so you can point completely undesired
sites at something harmless, filter all dns traffic so only your
firewall can get to the outside, and the inside people can get only to
your DNS resolver.
   http://www.holland-consulting.net/tech/imblock.html

I've done stuff like this at schools.  Interesting results.  The
students actually seemed to like the DNS blocking -- they would
regularly bring us sites to block (typically, pop-up hells or porn sites
that were easy typos or misspellings of good sites for students).

I had it set so the teachers could turn the lab on and off relatively
easily (off easier than on...tap a key and run out the door and kill the
'net if needed).  First year it was in use, it was ignored.  Second and
third years (two different teachers), it was well used.  Fourth year,
teacher figured she was in the room most of the time, and the room
layout (teacher could see all monitors easily, students couldn't easily
tell if teacher was watching), and turned it on and left it.  She then
forgot about the thing, and whenever the firewall would be rebooted, I'd
get a call about the lab not being able to get to the Internet. :)

Moral: Technology is cool.  But good supervision beats technology every
time.

Nick.
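Putting Rod's cron schedule, steven's table and Nick's boot-time warning together, as an added example that is not from the thread: one script adds the child's address to a pf table at night, removes it in the morning, kills the states Rod warns about, and on boot reconciles the table with the clock rather than trusting whichever state the box was in when it went down. The pf.conf lines it expects are in the header comment; the table name curfew, the path /etc/curfew.sh and the address 192.168.1.50 are made up, and the address is assumed to be pinned in dhcpd.conf as Nick suggests.

```shell
#!/bin/sh
# Added example, not from the thread.  Expects /etc/pf.conf to carry:
#     table <curfew> persist
#     block drop in quick on $int_if from <curfew>
# and the child's host to have a fixed lease in dhcpd.conf.
# Hypothetical names: the table "curfew", this path /etc/curfew.sh, the
# address below.  Cron entries (root's crontab):
#     0 23 * * *  /bin/sh /etc/curfew.sh on
#     0  6 * * *  /bin/sh /etc/curfew.sh off
#     @reboot     /bin/sh /etc/curfew.sh sync

CURFEW_HOSTS=${CURFEW_HOSTS:-"192.168.1.50"}   # constructed sample address
TABLE=curfew

# True when HOUR (0-23) lies in the window [START, END), which may wrap
# midnight (e.g. 23 6).  Pure, so the boot-time sync and tests share it.
in_curfew() {   # in_curfew HOUR START END
    hour=$1; start=$2; end=$3
    if [ "$start" -gt "$end" ]; then          # window wraps midnight
        [ "$hour" -ge "$start" ] || [ "$hour" -lt "$end" ]
    else
        [ "$hour" -ge "$start" ] && [ "$hour" -lt "$end" ]
    fi
}

curfew_on() {
    for h in $CURFEW_HOSTS; do
        pfctl -t "$TABLE" -T add "$h"
        # Rod's point: an established connection keeps its state and keeps
        # flowing past the cut-off unless the states are killed, in both
        # directions.
        pfctl -k "$h"
        pfctl -k 0.0.0.0/0 -k "$h"
    done
}

curfew_off() {
    for h in $CURFEW_HOSTS; do
        pfctl -t "$TABLE" -T delete "$h"
    done
}

# Nick's point: after a reboot the table is empty whatever the hour, so
# derive the wanted state from the clock instead of from the last cron run.
curfew_sync() {  # curfew_sync [HOUR]  (defaults to the current hour)
    hour=${1:-$(date +%H)}
    if in_curfew "${hour#0}" 23 6; then curfew_on; else curfew_off; fi
}

case "${1:-}" in
    on)   curfew_on ;;
    off)  curfew_off ;;
    sync) curfew_sync ;;
esac
```

After the first night, check with pfctl -s states that nothing from the host survived the cut-off; if your NAT rules create states whose source is the gateway's own address, the -k pair above needs adjusting to match what pfctl -s states shows.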



Re: upgrade is it important ?

2005-09-24 Thread Nick Holland
Budhi Setiawan wrote:
 dear all
 
 i guess this is a stupid question, but since I am very young in the
 OpenBSD land, I have a lot of questions:
 
 1. how important is it to make our system (OS and packages) always
 up-to-date (except for security reasons, of course), because some
 people say you should update your system at least once a year

Well..the reason you probably want to run OpenBSD is because you don't
have many security issues.  This can actually be a mixed blessing, if
not managed properly.

You can plant an OpenBSD box, and pretty much ignore it for a long time.
 You slowly forget how you configured it.  You don't have a way to deal
with issues should they come up (like hardware failures).  And the box
keeps doing its job.

And one day...you *need* to upgrade.  Maybe it is a security issue.
Maybe it is as minor as needing new features.  Now you got a problem.

Keeping your system upgradable is critical.  The goal isn't to get a
machine running, but to keep your application running as much as
possible, and that includes life-cycle issues like upgrades, repairs, etc.

OpenBSD releases are supported for one year after initial release.
Releases are made every six months.  Upgrade instructions are published
for release-to-release, not skipping releases.  I'd highly recommend
keeping your system up-to-date on the most recent release (or recent
-stable, if you so desire, though most people will usually not need to
do that).  Keep the upgrade process in mind.

I'm in the middle of building a box for my office, relatively simple
config, but not exactly off-the-shelf.  Did it once, got it all
working, now I'm doing it again, WHILE DOCUMENTING IT.  I'm discovering
I'm not remembering the stuff I did a month ago...I'm surely not going
to recall all the little tweaks in six months or a year! :)

 2. if I'm doing an upgrade from 3.7 to 3.8, what happens to my old
 programs, since my old programs are using the old libraries? Do they
 still work without recompiling?

yep, old libraries are not deleted.  Your old programs will most likely
keep running.  HOWEVER, you probably want to keep those up to date, too.

 3. and another if, how do I make my system clean after I upgrade from
 one version to another version? Because I still see the old
 libraries from the old version!

That kinda defeats what you wanted in #2.  We can't please everyone, and
it looks like we aren't going to please you on these two issues. :)
You are free to delete anything you want, but don't expect OpenBSD to do
that for you.  We provide the bullets, you provide the foot (leg, head,
whatever).

Nick.



Re: recommended USB 2.0 host adapters?

2005-09-24 Thread steven mestdagh
On Sun, Sep 18, 2005 at 02:34:10AM +0100, Niall O'Higgins wrote:
  I'm going to extend my i386 machine with a USB 2.0 (PCI) host adapter.
  Are there any recommended cards or cards that I should not buy or that
  do not work?
 
 I think they are pretty much all ehci(4).

yep, bought an Eminent EM1038 which has a NEC chip, it just works.
thanks,

-- 
steven

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: is there a way to block sshd trolling?

2005-09-24 Thread ed
On Fri, 23 Sep 2005 21:24:26 -0700
Ray Percival [EMAIL PROTECTED] wrote:

 Yeah. This is only a threat against *really* weak boxes. Having said
 that I've seen a lot of posts talking about changing ports. That's a
 line that I won't cross. I refuse to hide from the bots and it's not
 even a speedbump against somebody who is a real threat. But that's just
 my personal line in the sand. 

I agree, but I've personally been the victim of such an attack, it's a
pain in the ass when you can't su to root, or login on the console.

What they did was to exploit gzip, I'm fairly certain. I could not
apt-get of course and thus left helpless. I no longer have faith in user
passwords. I do my best to prevent people using common user names
(besides myself who uses 'ed' of course, but with a decent password).
The account abused was dominic/dominic, at the time this account was
created the box did not have ssh open, and it was never an idea to, but
then the service was opened and about 6 weeks later it was thoroughly
shafted.

I use the following now:

table <abuse_src> persist

rdr pass on $ext_if proto tcp from any to 1.2.3.4 port {22,3389} -> 10.10.10.10

block drop quick from <abuse_src>

pass in on $ext_if proto tcp from any to $range port {22,3389} keep state \
    (max-src-conn 3, max-src-conn-rate 2/5, overload <abuse_src> flush global)

After several weeks I have accumulated a list of about 60 IP blocks. I
am wondering if block quick drop from <abuse_src>/24 is possible? But most
of the IP addresses are not sequential.

-- 
A horse is a horse, of course, of course, And no one can talk to a
horse, of course, Unless, of course, the horse, of course, Is the famous
Mr. Ed! http://www.usenix.org.uk - http://irc.is-cool.net 
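On ed's closing question: a pf table entry can itself be a prefix (pfctl -t abuse_src -T add 192.0.2.0/24 is accepted), so there is no need to mask the table in the rule. The script below is an added example, not ed's code: it reads the table, reports every /24 that already holds several blocked hosts, and on request adds those prefixes as entries; the table name abuse_src and the threshold of 3 are assumptions. Treat the output as a list to review rather than apply blindly, because a /24 in a dial-up or DSL pool also holds people who never touched your sshd.

```shell
#!/bin/sh
# Added example, not from the thread.  Summarise the single hosts in a pf
# table into /24 prefixes and add those prefixes as table entries.
# Assumptions: table name abuse_src, threshold 3 hosts per /24.  pfctl and
# its -T show / -T add subcommands are real.
# Usage:  sh abuse24.sh show        list dense /24s, change nothing
#         sh abuse24.sh collapse    add each dense /24 to the table

TABLE=${TABLE:-abuse_src}
MIN_HOSTS=${MIN_HOSTS:-3}

# Read IPv4 addresses on stdin (leading whitespace as printed by
# "pfctl -T show" is fine) and print every /24 holding at least $1 of
# them.  Entries that are already prefixes (contain "/") are skipped.
summarise_24() {   # summarise_24 MIN
    awk -v min="${1:-3}" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($1, o, ".")
            n[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END {
            for (p in n) if (n[p] >= min) print p
        }' | sort
}

# Add the dense prefixes to the table.  The single-host entries can stay:
# overlapping table entries are allowed and the block rule matches either.
collapse_table() {
    pfctl -t "$TABLE" -T show | summarise_24 "$MIN_HOSTS" | while read -r net; do
        pfctl -t "$TABLE" -T add "$net"
    done
}

case "${1:-}" in
    show)     pfctl -t "$TABLE" -T show | summarise_24 "$MIN_HOSTS" ;;
    collapse) collapse_table ;;
esac
```

The rate-limit rule keeps filling the table with single hosts as before; this only widens entries where the pattern is already dense, and once a prefix is in, the expiry tool or daily flush you use for hosts (expiretable from ports, or frantisek's daily.local below) applies to it as well.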



Re: is there a way to block sshd trolling?

2005-09-24 Thread Stuart Henderson

--On 24 September 2005 13:31 +0100, ed wrote:


What they did was to exploit gzip, I'm fairly certain. I could not
apt-get of course and thus left helpless. I no longer have faith in
user passwords. I do my best to prevent people using common user names
(besides myself who uses 'ed' of course, but with a decent password).


See /usr/ports/security/passwdqc if you'd like to enforce strong 
passwords.




Re: is there a way to block sshd trolling?

2005-09-24 Thread frantisek holop
just a minor variation (in B dur) on what the others have said:

relevant parts of /etc/pf.conf:

SSH_LIMIT="(max-src-conn-rate 3/30, overload <bad_ssh> flush global)"

table <bad_ssh> persist

block return-rst log quick proto tcp from <bad_ssh> label "ssh-pirate"
block in
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state $SSH_LIMIT label "ssh"

kripel$ cat /etc/daily.local
#!/bin/sh

echo "flushing bad_ssh:"
pfctl -t bad_ssh -T show
pfctl -t bad_ssh -T flush



yes, i know, i am forgiving, i flush the table everyday..
but you get the idea.  you can play with this as much as you like.
even make statistics, draw graphs, etc ;-) corporate drones like that ;-)
show them how much they need openbsd

-f
-- 
drinking kills brain cells, but just the weak ones...



Re: upgrade is it important ?

2005-09-24 Thread Marc Peters
I have been on OpenBSD since 3.6. Whenever I felt I needed an upgrade to a
newer version, I did it, because it works for my configurations. I insert
the CD (if it's a snapshot or release), or fetch the sources, upgrade
the whole system and it simply works. That's it.
And that's the thing I expect from the software: just upgrade it,
merge the configs and it works (and not fiddling with configs and
hoping that it works). Every upgrade of the software I did simply went
smoothly and worked like I expected. I thank the team of OBSD for doing
such a great job and hope that every future upgrade will go that fine.
Thanks for the great job every developer is doing.

marc

Budhi Setiawan schrieb:
 dear all
 
 i guess this is a stupid question, but since I am very young in the OpenBSD land, 
 I have a lot of questions:
 
 1. how important is it to make our system (OS and packages) always up-to-date 
 (except for security reasons, of course), because some people say 
 you should update your system at least once a year
 
 2. if I'm doing an upgrade from 3.7 to 3.8, what happens to my old programs, 
 since my old programs are using the old libraries? Do they still work without 
 recompiling?
 
 3. and another if, how do I make my system clean after I upgrade from one 
 version to another version? Because I still see the old libraries from the 
 old version!
 
 thanks



Re: named log files

2005-09-24 Thread Bryan Irvine
 named[1028]: unable to rename log file 'named_query.log' to
 'named_query.log.0': permission denied

 The logfiles are in /var/named... do I need to chgrp on this directory?


Yes, typical Unix stuff.  Check r/w and uid/gid permissions.

--Bryan