Re: Doubts about the successors of OpenBSD leadership and development

2017-07-11 Thread Dennis Davis
On Mon, 10 Jul 2017, Stefan Sperling wrote:

> From: Stefan Sperling <s...@stsp.name>
> To: SOUL_OF_ROOT 55 <soulofroo...@gmail.com>
> Cc: misc@openbsd.org
> Date: Mon, 10 Jul 2017 22:16:36
> Subject: Re: Doubts about the successors of OpenBSD leadership and development
>
> On Mon, Jul 10, 2017 at 06:04:53PM -0300, SOUL_OF_ROOT 55 wrote:
> > Who will succeed Theo de Raadt in the leadership and development of OpenBSD?
>
> Obviously, Theo de Raadt will succeed Theo de Raadt in the leadership and
> development of OpenBSD: http://marc.info/?l=openbsd-misc&m=137609553004700&w=2

I have some doubts about the provenance of that message.  In
particular:

Date:   2013-08-10 0:45:10

looks suspicious.

Shouldn't it be dated 1st April ?

Or is this a cunning ploy to mislead your favourite acronym agencies ?
-- 
Dennis Davis <dennisda...@fastmail.fm>



Re: iwm0: fatal firmware error / could not initiate scan

2015-05-04 Thread Dennis Davis
On Mon, 4 May 2015, Maximilian Pichler wrote:

 From: Maximilian Pichler maxim.pich...@gmail.com
 To: misc@openbsd.org
 Date: Mon, 4 May 2015 06:19:13
 Subject: iwm0: fatal firmware error / could not initiate scan

 I'm getting these console errors on startup and each time I run
 ifconfig iwm0 scan:

 iwm0: fatal firmware error
 iwm0: could not initiate scan

 Not sure how to diagnose the problem better. I tried rebooting, but to
 no avail. Full dmesg below.

...

 iwm0: hw rev: 0x140, fw ver 25.228 (API ver 9), address f8:16:54:dd:a7:0c
 iwm0: fatal firmware error
 iwm0: could not initiate scan

Don't have an iwm interface.  But is the firmware installed?  Is the
following thread of any use:

http://openbsd-archive.7691.n7.nabble.com/iwm0-fatal-firmware-error-on-current-td267434.html
-- 
Dennis Davis dennisda...@fastmail.fm



Re: macppc install56.iso - CD issues

2014-12-09 Thread Dennis Davis
On Tue, 9 Dec 2014, patrick keshishian wrote:

 From: patrick keshishian pkesh...@gmail.com
 To: misc misc@openbsd.org
 Date: Tue, 9 Dec 2014 08:10:43
 Subject: macppc install56.iso - CD issues

...

 On a related note, how can base tools (cdio(1)?) be used
 instead of cdrecord(1) (from ports) to burn these images
 to disc?

As described in the FAQ, 4.3.1 - Making a CD-ROM ?
-- 
Dennis Davis dennisda...@fastmail.fm



Re: OT:Password strength

2014-11-30 Thread Dennis Davis
On Sun, 30 Nov 2014, Miod Vallat wrote:

 From: Miod Vallat m...@online.fr
 To: Ted Unangst t...@tedunangst.com
 Cc: Eric Furman ericfur...@fastmail.net, OpenBSD Misc misc@openbsd.org
 Date: Sun, 30 Nov 2014 20:34:01
 Subject: Re: OT:Password strength

  Examples:
 
  treetykaveprethicooputhedu
  soonataviceenoopatecoge
  gootrozapiceelytrithunula
  preezypeendothanundipeesooka

 These stand no chance against a finnish attacker!

Are you sure?  I thought these passwords would be low-hanging fruit
for the Swedish chef from the Muppets[1].

[1] http://en.wikipedia.org/wiki/Swedish_Chef
-- 
Dennis Davis dennisda...@fastmail.fm



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Dennis Davis
On Wed, 8 Oct 2014, Gregor Best wrote:

 From: Gregor Best g...@unobtanium.de
 To: Jason Adams adams...@gmail.com
 Cc: misc@openbsd.org
 Date: Wed, 8 Oct 2014 08:57:53
 Subject: Re: ksh, csh same vulnerability as bash

 On Tue, Oct 07, 2014 at 10:05:57PM -0700, Jason Adams wrote:
  [...]
  So the question is, for those of us that have added the bash package,
  why is bash still vulnerable after all these weeks, when
  everyone else has fixed their bash packages?
 
  Just checked for updated pkg, today, and its still vulnerable.
  [...]

 I'm running current here, with bash-4.3.28 from packages. The
 error seems fixed:

...

There's been a couple of extra patches released: bash43-029 &
bash43-030.

For my sins I'm still on OpenBSD5.3 on a couple of antique laptops.
Yes, I know OpenBSD5.3 isn't supported and I should upgrade.
However I've tweaked the port for bash to include all the recent
patches.  So I'm now running:

GNU bash, version 4.2.53(1)-release (i386-unknown-openbsd5.3)
-- 
Dennis Davis dennisda...@fastmail.fm



Re: openssh

2014-07-03 Thread Dennis Davis
On Thu, 3 Jul 2014, Peter N. M. Hansteen wrote:

 From: Peter N. M. Hansteen pe...@bsdly.net
 To: misc@openbsd.org
 Date: Thu, 3 Jul 2014 09:41:12
 Subject: Re: openssh

 On Thu, Jul 03, 2014 at 10:32:42AM +0200, Henning Brauer wrote:
  * Mihai Popescu mih...@gmail.com [2014-07-02 17:05]:
   Better buy a hardisk, copy your data and mail it
   abroad. Seriously.
 
  A truck full of harddisks is a transport link with fantastic
  bandwidth.  Latency kinda sucks, tho.

 And if the hard disks are small enough, you can attach them to
 pigeons, or swallows, even! (African or European)

Sounds to me like this means that RFC1149[1] should be updated.
Technology has improved somewhat since this RFC was written.

[1] http://tools.ietf.org/html/rfc1149
-- 
Dennis Davis dennisda...@fastmail.fm



Re: openssh

2014-07-03 Thread Dennis Davis
On Thu, 3 Jul 2014, Blaise Hizded wrote:

 From: Blaise Hizded bla...@ovh.fr
 To: misc@openbsd.org
 Date: Thu, 3 Jul 2014 14:41:10
 Subject: Re: openssh

 Le 03/07/2014 15:17, Dennis Davis a écrit :
  On Thu, 3 Jul 2014, Peter N. M. Hansteen wrote:
 
  From: Peter N. M. Hansteen pe...@bsdly.net
  To: misc@openbsd.org
  Date: Thu, 3 Jul 2014 09:41:12
  Subject: Re: openssh
 
  On Thu, Jul 03, 2014 at 10:32:42AM +0200, Henning Brauer wrote:
  * Mihai Popescu mih...@gmail.com [2014-07-02 17:05]:
  Better buy a hardisk, copy your data and mail it
  abroad. Seriously.
  A truck full of harddisks is a transport link with fantastic
  bandwidth.  Latency kinda sucks, tho.
  And if the hard disks are small enough, you can attach them to
  pigeons, or swallows, even! (African or European)
  Sounds to me like this means that RFC1149[1] should be updated.
  Technology has improved somewhat since this RFC was written.
 
  [1] http://tools.ietf.org/html/rfc1149
 It was:
 https://tools.ietf.org/html/rfc2549

Oops, my apologies to all.  My research was obviously conducted
without due diligence.  I must try harder.

Further afternoon, armchair research shows a later RFC[2] with an
extension for IPv6.  Nice to see the IETF on the ball :-)

[2] http://tools.ietf.org/html/rfc6214
-- 
Dennis Davis dennisda...@fastmail.fm



Re: Vision 2020: Making OpenBSD the world's fastest OS

2014-06-10 Thread Dennis Davis
On Mon, 9 Jun 2014, John D. Verne wrote:

 From: John D. Verne j...@clevermonkey.org
 To: misc@openbsd.org
 Date: Tue, 10 Jun 2014 01:37:53
 Subject: Re: Vision 2020: Making OpenBSD the world's fastest OS

...

  Probably the biggest reason OpenBSD will never be the fastest
  OS around is the simple fact that when optimizing for speed,
  you sacrifice other things.  Like security.  Security, or
  correctness, means you are looking for the most reliable way to
  do something, not the fastest.  Mechanisms like pro-police (or
  a new name for it?) are going to slow things down a little.  I
  think Theo said that all the security systems slow a system down
  by less than 5%.  I believe that.  The effect isn't huge but
  some would call that too much.

 Indeed.

 Good, fast, or cheap.  Choose any two.

To go somewhat off-topic, I'm reminded of one of the quotes of the
late Chuck Yerkes:

  Shirt, Shoes, Sober... -- pick two.
-- Chuck Yerkes

Chuck was a long-time contributor to this list and OpenBSD.  The
above quote amuses me.
-- 
Dennis Davis dennisda...@fastmail.fm



Re: Wrong Shutdown

2014-05-26 Thread Dennis Davis
On Mon, 26 May 2014, Theo de Raadt wrote:

 From: Theo de Raadt dera...@cvs.openbsd.org
 To: Walter Souza wsouz...@gmail.com
 Cc: misc@openbsd.org
 Date: Mon, 26 May 2014 15:09:03
 Subject: Re: Wrong Shutdown

...

  And let's work in World Peace too.. :)

 Your makeup has a smudge, so you don't win.

That's not makeup!  That's the black eye I got in last night's
bar brawl :-(

Now what's this World Peace thingie?
-- 
Dennis Davis dennisda...@fastmail.fm




Re: The book of PF

2014-05-01 Thread Dennis Davis
On Thu, 1 May 2014, Peter N. M. Hansteen wrote:

 From: Peter N. M. Hansteen pe...@bsdly.net
 To: Andy a...@brandwatch.com
 Cc: misc@openbsd.org misc@openbsd.org
 Date: Thu, 1 May 2014 20:40:13
 Subject: Re: The book of PF

 Andy a...@brandwatch.com writes:

  When is the next edition of 'The book of PF' expected?

...

 I'm deeply flattered and a bit horrified that anyone would see
 my scribblings as a prerequisite for trying out an exciting new
 OpenBSD feature.

Well, some of us with the first two editions of the book of PF are
hoping to see a pecuniary advantage here.  We're hoping that, as
they fade into the past, early editions will appreciate massively
in value.  Much as early CD releases of OpenBSD have.  At least
according to the prices listed at the Computer Shop of Calgary :-)
-- 
Dennis Davis dennisda...@fastmail.fm



Re: Unbound in base, yes, what about ldns?

2014-03-24 Thread Dennis Davis
On Sun, 23 Mar 2014, Chris Smith wrote:

 From: Chris Smith obsd_m...@chrissmith.org
 To: Stuart Henderson s...@spacehopper.org
 Cc: OpenBSD-Misc misc@openbsd.org
 Date: Sun, 23 Mar 2014 22:09:00
 Subject: Re: Unbound in base, yes, what about ldns?

...

 How about this line added to rc.conf.local when using the package:
  syslogd_flags="${syslogd_flags} -a /var/unbound/dev/log"

 Is it still needed or should it be removed?

Probably.  If you're running chrooted and logging to syslog, you
should still need this line.

See the manual page for unbound.conf.  A cursory reading indicates
it doesn't seem to have materially changed from the version in the
port/package.  *But* cursory reading has let me and others down
badly in the past :-(
-- 
Dennis Davis dennisda...@fastmail.fm



Re: ksh: expr 2147483648 / 2 = -1073741824 expected behavior or bug?

2014-02-24 Thread Dennis Davis
On Tue, 25 Feb 2014, Ingo Schwarze wrote:

 From: Ingo Schwarze schwa...@usta.de
 To: Fabian Raetz fabian.ra...@gmail.com
 Cc: misc@openbsd.org
 Date: Tue, 25 Feb 2014 01:00:49
 Subject: Re: ksh: expr 2147483648 / 2 = -1073741824 expected behavior or bug?

...

  so i tried
  expr 2147483647 / 2 which returns 1073741824 while
  expr 2147483648 / 2 returns -1073741824
 
  ksh(1) states that expr does Integer arithmetic.
  So is this the expected behaviour or a bug?

 How strange, six replies but nobody answered your question...

 The above behaviour is required by POSIX:

...

Possibly worth muddying the waters slightly by noting the bash
shell on my old i386 box gets the sum right:


poulidor $ cat /tmp/t.sh
#!/usr/local/bin/bash

echo $((2147483647/2))
echo $((2147483648/2))
poulidor $ /tmp/t.sh
1073741823
1073741824
poulidor $ /usr/local/bin/bash --version
GNU bash, version 4.2.42(1)-release (i386-unknown-openbsd5.3)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


Seems like bash is not adhering to the POSIX standard :-)
-- 
Dennis Davis dennisda...@fastmail.fm



Re: unbound dnssec revisited

2013-12-31 Thread Dennis Davis
On Mon, 30 Dec 2013, Chris Smith wrote:

 From: Chris Smith obsd_m...@chrissmith.org
 To: OpenBSD-Misc misc@openbsd.org
 Date: Mon, 30 Dec 2013 17:10:10
 Subject: unbound dnssec revisited

 I've been working on using dnssec with the unbound package and viewing
 some of the threads here on the list regarding this.

 Enabling autotrust and the validator module in unbound.conf and
 running unbound-anchor before starting unbound will enable dnssec but
 eventually will log errors of:

 could not open autotrust file for writing

 This is apparently because the _unbound user or group does not have
 write privileges to the directory, running unbound-anchor with sudo
 -u _unbound doesn't change the directory perms.

 I'm using the following diff to make this all work (you can all
 probably improve on it, and please do):

 ===
 --- unbound.origMon Dec 30 11:03:51 2013
 +++ unbound Mon Dec 30 11:38:19 2013
 @@ -8,6 +8,14 @@
  . /etc/rc.d/rc.subr

  pexp=unbound${daemon_flags:+ ${daemon_flags}}
 +
 +autotrust() {
 +   chgrp _unbound /var/unbound/etc
 +   chmod 775 /var/unbound/etc
 +   sudo -u _unbound /usr/local/sbin/unbound-anchor
 +   wait
 +}
 +
  rc_reload=NO

  rc_pre() {
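
Review bot: In autotrust(), `chmod 775 /var/unbound/etc` together with the chgrp makes the whole configuration directory writable by the _unbound group, which is wider than the trust anchor needs; a dedicated subdirectory owned by _unbound that holds only the key file would leave the rest of the directory read-only to the daemon. The trailing `wait` has nothing to wait for because unbound-anchor is not started in the background, so it can be dropped, which also lets the function return the exit status of unbound-anchor.
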
 @@ -16,6 +24,7 @@
 -f /var/unbound/etc/unbound_control.pem ]]; then
 unbound-control-setup /dev/null 21
 fi
 +   autotrust
  }

  rc_start() {
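
Review bot: The `autotrust` call sits after the `fi` in rc_pre(), so it runs on every start and not only during first-time setup, and every start then depends on sudo and on unbound-anchor completing. Because autotrust() ends with `wait`, rc_pre() reports success even when unbound-anchor fails; consider guarding the call (for example on the key file being absent) and checking its result.
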
 ===

 If the autotrust function is run (it can be commented out if desired)
 it retrieves the root.key and gives the _unbound group write
 privileges to the /var/unbound/etc directory thereby preventing the
 above log errors.

...

It's a while since I looked at this, so the exact details are hazy,
but is all this necessary?

When it's up and running, unbound will probe for a new root
key at intervals.  This is indicated in the manual entry for
auto-trust-anchor-file in unbound.conf(5) which also states:

  The file is written to when the anchor is updated, so the unbound
  user must have write permission.

unbound also requires write permission on the containing directory.

Certainly makes sense for unbound to check the root key periodically.
unbound is potentially a very long running process on a server.

So all I did was run unbound-anchor once to create the root key in a
separate directory.  I then changed the ownership of the directory
and the root key file to the unbound user.  Seems to work; switching
on this laptop for the first time since early this morning resulted
in:


poulidor $ pwd
/var/unbound/etc
poulidor $ ls -ld autokey/
drwxr-xr-x  2 _unbound  _unbound  512 Dec 31 19:18 autokey/
poulidor $ ls -l autokey/
total 4
-rw-r--r--  1 _unbound  _unbound  759 Dec 31 19:18 root.key
poulidor $ cat autokey/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1388517505 ;;Tue Dec 31 19:18:25 2013
;;last_success: 1388517505 ;;Tue Dec 31 19:18:25 2013
;;next_probe_time: 1388557610 ;;Wed Jan  1 06:26:50 2014
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.   172800  IN  DNSKEY  257 3 8 
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
 ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 
;;lastchange=1326728235 ;;Mon Jan 16 15:37:15 2012
poulidor $


so unbound checked the root key and put a date stamp in the root
key file indicating when this was done.  And a further date stamp
indicating when the next check is due.

Doesn't seem to me that you need to run unbound-anchor as a part of
/etc/rc.d/unbound.  You just need to run it once as part of setting
up unbound.  After that a running unbound will periodically check
the root key.
-- 
Dennis Davis dennisda...@fastmail.fm



Re: unbound dnssec revisited

2013-12-31 Thread Dennis Davis
On Tue, 31 Dec 2013, Chris Smith wrote:

 From: Chris Smith obsd_m...@chrissmith.org
 To: Dennis Davis dennisdavis+openbsd-m...@fastmail.fm
 Cc: OpenBSD-Misc misc@openbsd.org
 Date: Tue, 31 Dec 2013 19:53:03
 Subject: Re: unbound dnssec revisited

 On Tue, Dec 31, 2013 at 2:40 PM, Dennis Davis
 dennisdavis+openbsd-m...@fastmail.fm wrote:
  It's a while since I looked at this, so the exact details are hazy,
  but is all this necessary?
 snip
  Doesn't seem to me that you need to run unbound-anchor as a part of
  /etc/rc.d/unbound.  You just need to run it once as part of setting
  up unbound.  After that a running unbound will periodically check
  the root key.

 Good question - I've wondered if it was all necessary as well.
 Although I see it as probably useful. For one, it keeps the user
 involved housekeeping to a minimum.

I'd suggest that the housekeeping is built into unbound because it
periodically checks the root key.  See my slightly tongue-in-cheek
example below.

 And my other thought was that in case of a server that was retired
 for a time and brought back into service that it would be proper
 for an updated root.key to be installed at startup and without
 some automation the onus again falls on the user for additional
 housekeeping.

There should be no need to add any automation.  It's built into
unbound.  To re-use my example I noted my root.key contains:

;;last_queried: 1388517505 ;;Tue Dec 31 19:18:25 2013
;;last_success: 1388517505 ;;Tue Dec 31 19:18:25 2013
;;next_probe_time: 1388557610 ;;Wed Jan  1 06:26:50 2014

It's New Year's Eve.  I'll be shortly switching off this laptop and
indulging in a small glass or two of alcofrolic beverages.  I *very*
much doubt I'll be switching this machine on again before Wed Jan 1
06:26:50 2014.

So, when I do switch it on, the first thing unbound will do is check
the root key and update it if necessary.  This should cover your
case of a server that was retired for a time and brought back into
service.
-- 
Dennis Davis dennisda...@fastmail.fm
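
The two checks discussed in the "unbound dnssec revisited" messages above (who may write to the trust anchor and its directory, and whether `next_probe_time` has passed), as an added example that is not part of the original posts. The function names are hypothetical helpers, and the sample file is constructed from the header fields quoted in the thread with the DNSKEY record left out.

```shell
#!/bin/sh
# Added example (not from the thread): audit an unbound autotrust anchor file.
# Function names are hypothetical; the sample data is constructed from the
# header fields quoted in the messages above.

# Print the numeric value of one ";;NAME: value" header field.
anchor_field() {        # usage: anchor_field FILE NAME
    sed -n "s/^;;$2: *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Say whether the scheduled probe time has already passed at NOW (epoch).
anchor_probe_status() { # usage: anchor_probe_status FILE NOW
    af_next=$(anchor_field "$1" next_probe_time)
    if [ -z "$af_next" ]; then echo "unknown"; return 2; fi
    if [ "$2" -ge "$af_next" ]; then echo "overdue"; else echo "scheduled"; fi
}

# Print one line per ownership or mode problem found on PATH.
path_problems() {       # usage: path_problems PATH OWNER
    pp_ls=$(ls -ld "$1" 2>/dev/null) || { echo "$1: missing"; return 0; }
    pp_mode=$(printf '%s\n' "$pp_ls" | awk '{print $1}')
    pp_owner=$(printf '%s\n' "$pp_ls" | awk '{print $3}')
    [ "$pp_owner" = "$2" ] || echo "$1: owner $pp_owner, expected $2"
    case $pp_mode in ?????w*) echo "$1: group-writable ($pp_mode)" ;; esac
    case $pp_mode in ????????w*) echo "$1: world-writable ($pp_mode)" ;; esac
    return 0
}

# The anchor file and its directory must belong to OWNER (unbound rewrites the
# file and needs write access to the directory) and be writable by nobody else.
anchor_audit() {        # usage: anchor_audit FILE OWNER ; returns 0 when clean
    aa_out=$(path_problems "$(dirname "$1")" "$2"; path_problems "$1" "$2")
    if [ -n "$aa_out" ]; then printf '%s\n' "$aa_out"; return 1; fi
    return 0
}

# Write the constructed sample anchor into DIR with the modes shown in the thread.
write_sample_anchor() { # usage: write_sample_anchor DIR
    mkdir -p "$1" || return 1
    cat > "$1/root.key" <<'EOF'
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1388517505 ;;Tue Dec 31 19:18:25 2013
;;last_success: 1388517505 ;;Tue Dec 31 19:18:25 2013
;;next_probe_time: 1388557610 ;;Wed Jan  1 06:26:50 2014
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
; (DNSKEY record omitted from this constructed sample)
EOF
    chmod 755 "$1" && chmod 644 "$1/root.key"
}

# Demo on a throwaway directory; its owner stands in for the _unbound user.
demo_dir=$(mktemp -d) && write_sample_anchor "$demo_dir/autokey"
demo_key="$demo_dir/autokey/root.key"
demo_owner=$(ls -ld "$demo_dir" | awk '{print $3}')
echo "probe at last_queried: $(anchor_probe_status "$demo_key" 1388517505)"
echo "probe now:             $(anchor_probe_status "$demo_key" "$(date +%s)")"
anchor_audit "$demo_key" "$demo_owner" && echo "755 directory: clean"
chmod 775 "$demo_dir/autokey"
anchor_audit "$demo_key" "$demo_owner" || echo "775 directory: flagged"
rm -rf "$demo_dir"
```

On a real host the call would be `anchor_audit /var/unbound/etc/autokey/root.key _unbound`, using the path and user shown in the thread.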



Re: BackupPC

2013-12-09 Thread Dennis Davis
On Mon, 9 Dec 2013, Peter Fraser wrote:

 From: Peter Fraser p...@thinkage.ca
 To: 'misc@openbsd.org' misc@openbsd.org
 Date: Mon, 9 Dec 2013 19:33:55
 Subject: BackupPC

...

 I gather from reading the documentation that winbindd needs pam
 and since OpenBSD doesn't support pam winbindd is not going to
 allow authentication.  Is my belief about winbindd correct or am I
 missing something.

You might find the OpenBSD port/package of openpam:

/usr/ports/security/openpam

of use in getting authentication via winbindd working.  I've
never used openpam myself, just installed it to satisfy the
build requirement of other software.
-- 
Dennis Davis dennisda...@fastmail.fm



Re: Are there OpenBSD users who are not IT professionals?

2013-11-19 Thread Dennis Davis
On Tue, 19 Nov 2013, Michael wrote:

 From: Michael ber...@opensuse.us
 To: misc misc@openbsd.org
 Date: Tue, 19 Nov 2013 19:44:29
 Subject: Re: Are there OpenBSD users who are not IT professionals?

...

 I haven't looked at comparable programs for powerpoint files, so I
 boot Windows for those.

Impress:

http://www.libreoffice.org/features/impress/

from LibreOffice may do what you want.  Haven't used it myself.
LibreOffice is in ports/packages on the amd64 & i386 platforms.
-- 
Dennis Davis dennisda...@fastmail.fm



Re: Data Mining/Crawling a Mailing List

2013-09-05 Thread Dennis Davis
On Thu, 5 Sep 2013, Chris Cappuccio wrote:

 From: Chris Cappuccio ch...@nmedia.net
 To: Kasper Adel karim.a...@gmail.com
 Cc: misc misc@openbsd.org
 Date: Thu, 5 Sep 2013 19:40:16
 Subject: Re: Data Mining/Crawling a Mailing List
 
 The NSA has some good tools. I'd give them a call. Their contact info:

No, no, no.  The NSA, and their British counterparts GCHQ, are
already aware of your request.  They will shortly be in contact with
both of you.
-- 
Dennis Davis dennisda...@fastmail.fm



Re: OpenSMTPD - thank you!

2013-02-04 Thread Dennis Davis
On Sun, 3 Feb 2013, Gilles Chehade wrote:

 From: Gilles Chehade gil...@poolp.org
 To: Miod Vallat m...@online.fr
 Cc: bofh goodb...@gmail.com, OpenBSD general usage list misc@openbsd.org
 Date: Sat, 2 Feb 2013 23:12:16
 Subject: Re: OpenSMTPD - thank you!
 
 On Sat, Feb 02, 2013 at 11:08:52PM +, Miod Vallat wrote:
   Don't be a tease!!  What's in -current?
  
  Ponies. Lots of'em.
 
 folding ponies into envelopes turned out to be gross, we gave up.

Oh, I don't know.  We have no trouble folding them into our
beefburgers over here:

http://www.guardian.co.uk/world/2013/jan/15/horse-dna-found-supermarket-beefburgers

...yes, I know.  Totally off-topic and in extremely poor taste.
I'll get my coat and leave by the first exit...
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: OpenBSD/iwn(4) support for WPA2/PEAP/MSCHAPv2?

2013-01-24 Thread Dennis Davis
On Thu, 24 Jan 2013, Reyk Floeter wrote:

 From: Reyk Floeter r...@openbsd.org
 To: Erling Westenvik erling.westen...@gmail.com
 Cc: Misc misc@openbsd.org
 Date: Thu, 24 Jan 2013 08:45:46
 Subject: Re: OpenBSD/iwn(4) support for WPA2/PEAP/MSCHAPv2?
 
 On Wed, Jan 23, 2013 at 5:41 PM, Erling Westenvik
 erling.westen...@gmail.com wrote:
  I need to connect my ThinkPad T500 running 5.2 current to the wifi
  network here at my university.  E.g. the eduroam network which is
  available at most universities through, at least, Europe. After Googling
  around for a while I'm not sure whether OpenBSD yet has support for WPA2
  and PEAP/MSCHAPv2. And if it does: if someone could provide me with a
  sample ifconfig?
 
 
 I haven't checked wpa_supplicant for a while, but you can find it in
 ports and some people actually seem to use it with OpenBSD.

...

Comments in the DESCR file for your port of wpa_supplicant state:

  wpa_supplicant is the implementation of an IEEE 802.1X supplicant.
  This port is for wired authentication only (Ethernet PAE) and does
  not support the wireless WPA/WPA2 functionality.

I tried using the example from Aachen to try to get wireless
WPA/WPA2 to work.  This was some time ago, but I never got it to
work here.  Of course that could well be a reflection on my lack of
skills.

The setup here is similar to that described by the original
requestor.  If I plug in a USB wireless device into my desktop and
run a scan I see:

anquetil.bath.ac.uk ?// ./wifiprobe rum0 
wifiprobe: Wireless access selection for device: rum0

Available public networks . . . . . . . . . . score
---
   1   BUCS-WiFi111
   2   BTOpenzone   111
   3   BTOpenzone   111
   4   BUCS-WiFi111

Available secured networks
---
   5   eduroam  111
   6   eduroam  111
Select network 0
anquetil.bath.ac.uk ?// 

The BUCS-WiFi network is our unsecured network.  You have to
authenticate to use it.  The BTOpenzone network is there for
visitors to use if they can't access via eduroam.  I believe you
need an account to use BTOpenzone.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: man page contents [was: Re: C******.org]

2012-07-27 Thread Dennis Davis
On Fri, 27 Jul 2012, ropers wrote:

 From: ropers rop...@gmail.com
 To: Eric Oyen technomage.ha...@gmail.com
 Cc: misc misc@openbsd.org
 Date: Fri, 27 Jul 2012 16:25:14
 Subject: Re: man page contents [was: Re: C**.org]

...

 Even with that, I didn't quite manage with OpenBSD (there seems to
 be no pdftex/pdflatex 386 port). Using my Ubuntu box, I converted
 the above tex file to a PDF, which I've taken the liberty to put
 here: http://ompldr.org/vZXcxYg (How are PDF files for you? Do
 your screen readers deem them edible?)

I certainly have pdftex & pdflatex on my 5.1 i386 boxes.  I suspect
they were installed as part of the texlive_base-2011p3.tgz package.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: OpenBSD in a dual stack anycast DNS resolving setup

2011-12-15 Thread Dennis Davis
On Thu, 15 Dec 2011, Vitali wrote:

 From: Vitali coonar...@gmail.com
 To: misc@openbsd.org
 Date: Thu, 15 Dec 2011 15:57:24
 Subject: Re: OpenBSD in a dual stack anycast DNS resolving setup
 X-Spam-Score: 0.0 (/)
 
  Uh?!?
 
  # pkg_add -v jdk-1.7.0.00v0.tgz
 
 By the way, I got this jdk-1.7.0.00v0.tgz installed on my system, but
 I don't see a JAVA plugin for the Firefox. :(
 I need JAVA for a couple of minutes to check out several remove
 Windows machines through a remote JAVA applet.
 Anybody can advise something?

From:

http://www.openbsd.org/faq/faq8.html#Programming

  Due to Sun's restrictive SCSL license, OpenBSD cannot ship binary
  packages for the JDK  1.7. Starting from 1.7 OpenBSD has a fully
  GPLv2 licensed port, that can be installed as a package. Users
  looking for the browser plugin will still need to build 1.5 or 1.6
  from ports until Sun releases the plugin code. Note that you will
  need plenty of RAM for this build to succeed.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: maildir in sendmail

2011-12-08 Thread Dennis Davis
On Thu, 8 Dec 2011, Vitali wrote:

 From: Vitali coonar...@gmail.com
 To: misc@openbsd.org
 Date: Thu, 8 Dec 2011 09:33:33
 Subject: Re: maildir in sendmail

...

 Or there is Postfix http://www.pocock.com.au/wiki/ConvertMboxToMailbox

The exim MTA should be able to deliver mail directly in maildir
format.  Although this facility isn't built in by default.  See:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch26.html
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: comp.unix.bsd.openbsd.announce

2011-11-23 Thread Dennis Davis
On Wed, 23 Nov 2011, sc...@web.de wrote:

 From: sc...@web.de
 To: misc@openbsd.org
 Date: Wed, 23 Nov 2011 10:32:04
 Subject: comp.unix.bsd.openbsd.announce

...

 I prefer newsgroups than mailing lists filling my mailbox.

Note you can read this mailing list as a newsgroup or read it on the
web.  See:

http://dir.gmane.org/index.php?prefix=gmane.os.openbsd

or point your newsreader at news.gmane.org, eg:

knews -nntpServer news.gmane.org

or:

NNTPSERVER=news.gmane.org trn

See:

http://gmane.org/faq.php

for further details.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: route flush and sh /etc/netstart not enough?

2011-02-17 Thread Dennis Davis
On Wed, 16 Feb 2011, Kevin Chadwick wrote:

 From: Kevin Chadwick ma1l1i...@yahoo.co.uk
 To: misc@openbsd.org
 Date: Wed, 16 Feb 2011 14:27:08
 Subject: Re: route flush and sh /etc/netstart not enough?
 
 On Wed, 16 Feb 2011 14:47:39 +0100
 Henning Brauer wrote:
 
  indeed.
 
 hmmm, it's bugging me where I read that there was a window. I have
 a memory that it was quite an authoritative source but I guess not.
 
 Anyway, cool to know now.

This is quite clearly covered in Peter Hansteen's online PF tutorial.
To quote from:

http://home.nuug.no/~peter/pf/en/stricter.html

  Under any circumstances the last valid rule set loaded will be in
  force until you either disable PF or load a new rule set.

  That is worth noting: When loading a new rule set, the last valid
  rule set stays loaded until the new one is fully parsed and
  loaded, and PF switches directly from one to the other. There is
  no intermediate stage with no rules loaded or a mixture of the two
  rule sets.

This is also explained quite early in both editions of his book.  On
page 14 in the first edition, page 21 in the second edition.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: Minimally painful mail client for rich (spit!) messages

2011-02-09 Thread Dennis Davis
On Wed, 9 Feb 2011, Oliver Peter wrote:

 From: Oliver Peter li...@peter.de.com
 To: misc@openbsd.org
 Date: Wed, 9 Feb 2011 16:53:53
 Subject: Re: Minimally painful mail client for rich (spit!) messages
 X-Spam-Score: 0.0 (/)
 
 On Wed, Feb 09, 2011 at 05:38:38PM +0100, Peter N. M. Hansteen wrote:

...

  I probably need to start looking around for a mail client that
  will make reading Outlook and peers' output less painful.
 
  Does such a beast exist, preferably among OpenBSD packages (as
  in, it has to run on OpenBSD, but I can build locally if needs
  be)?
 
  I've tried and hated both Evolution and Thunderbird, but surely
  there must be other choices?

 Peter, does mutt (ports/mail/mutt/snapshot I recommend) count as
 'old-style' mail reader, too?  If so, it feels very modern to
 me and also is my choice for 'heavy' mail reading.  If you are
 looking for some graphical client you may want to give clawsmail a
 try (mail/claws-mail).

Similarly for an 'old-style' mail reader I use alpine
(ports/mail/alpine) or build re-alpine:

http://sourceforge.net/projects/re-alpine/

from scratch.

I also quite like claws-mail as a graphical mail reader.  Also
sylpheed (ports/mail/sylpheed) from which claws-mail is a
development.

If you want to go weirder, the linux graphical mail reader mulberry:

http://www.mulberrymail.com/

works well under linux emulation.  Although you'll need to augment
the linux emulation with the linux rpm openssl-0.9.8b-8.i386.rpm to
get the secure connection stuff.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: (Perhaps?) dumb pf question relating to tables

2010-11-11 Thread Dennis Davis
On Thu, 11 Nov 2010, Tor Houghton wrote:

 From: Tor Houghton t...@bogus.net
 To: Ryan McBride mcbr...@openbsd.org
 Cc: misc@openbsd.org
 Date: Thu, 11 Nov 2010 11:06:25
 Subject: Re: (Perhaps?) dumb pf question relating to tables
 X-Spam-Score: 0.0 (/)
 
 On Thu, Nov 11, 2010 at 05:32:27PM +0900, Ryan McBride wrote:
  On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:
   May I ask whether or not per user ownership (or permission to update) a
   table is/will be possible?
   
   I am pondering the best mechanism for a  non-root process to add/remove
   addresses to a table.
  
  You can look at sysutils/tabled in ports, which provides this
  functionality (permissions would be controlled by the filesystem
  permissions on the fifo)
  
  I don't think we'll be making /dev/pf accessible by non-root processes
  any time soon.
 
 This looks exactly like what I need.

You could also use pftabled from:

http://www.wolfermann.org/pftabled.html

although it's mainly intended for keeping table(s) in step across
co-operating hosts.  Access is controlled by knowing a HMAC-SHA1
keyed hash.

Make this small change to get it to build on OpenBSD4.8:

--- Makefile.in.origWed Feb  4 11:09:33 2009
+++ Makefile.in Thu Nov 11 11:28:31 2010
@@ -27,7 +27,7 @@
${CC} ${LDFLAGS} -o $@ ${SERVEROBJS} ${LIBS}
 
 pftabled.cat1: pftabled.1
-   nroff -Tascii -man pftabled.1  pftabled.cat1
+   mandoc -Tascii -mandoc pftabled.1  pftabled.cat1
 
 pftabled-client: ${CLIENTOBJS}
${CC} ${LDFLAGS} -o $@ ${CLIENTOBJS} ${LIBS}
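
Review bot: The replacement line in the pftabled.cat1 rule hard-codes `mandoc` in Makefile.in, which fixes the build on OpenBSD 4.8 but breaks the target on systems that only ship nroff; a make variable for the formatter, set by configure or overridable on the command line, would serve both. As shown, neither the old nor the new command has a `>` between pftabled.1 and pftabled.cat1, so check that the output redirection is present in the file being patched.
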
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: Multi-Port SSH brute force protection

2010-11-01 Thread Dennis Davis
On Mon, 1 Nov 2010, Gonzalo L. R. wrote:

 From: Gonzalo L. R. gonz...@x61.com.ar
 To: misc@openbsd.org
 Date: Mon, 1 Nov 2010 14:39:41
 Subject: Re: Multi-Port SSH brute force protection
 
 pf and tables are your friends.

More precisely, Peter Hansteen is your friend:

http://home.nuug.no/~peter/pf/en/bruteforce.html
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: Wireless Network GUI

2010-10-14 Thread Dennis Davis
 $TFILE $HFILE
X
Xexit 0
END-of-rc.wireless
echo x - rc.wireless.conf
sed 's/^X//' >rc.wireless.conf << 'END-of-rc.wireless.conf'
X#!/bin/sh
X
X# Wireless configuration.  Comments starting '#wifi ' are special
X# and contain wifi card parameters, non-default DHCP values, that
X# are picked out by our parent, /etc/rc.wireless.
X
X# Make sure this file is *NOT* accessible by others if it contains
X# sensitive data, eg Wireless Equivalent Privacy (WEP) keys or Wi-Fi
X# Protected Access (WPA-PSK and WPA2-PSK) passphrases.
X
X# Belkin cardbus wireless card.  Broadcom AirForce based.
X#
X# bwi0 at cardbus0 dev 0 function 0 Broadcom BCM4318 rev 0x02: irq 11, address 00:11:50:f4:f4:4c
X#
X#wifi IFNAME=bwi0
X#wifi RESET=-bssid -chan media autoselect nwid  -nwkey -wpa -wpapsk
X#wifi MAC_ADDR=00:11:50:f4:f4:4c
X#wifi DHCP=dhcp media autoselect mode 11g
X
Xcase $MAC in
X$MAC_ADDR)
Xreturn 1
X;;
X
X# University of Bath, UK.  Computing Services, building
X# 2 South.
X
X00:0f:90:4d:e9:50 | 00:11:20:8d:b4:30 | 00:1b:d5:c0:11:00)
X
XNWID=BUCS-WiSM
XNWKEY=
XWPAKEY=
XCHAN=
XBSSID=$MAC
X;;
X
X# University of Bath, UK.  All these seem visible, with
X# varying strengths, from the University Library foyer.
X
X00:11:20:70:4a:50 | 00:11:20:70:4d:30 | 00:11:20:70:4f:c0 | \
X00:11:20:70:50:e0 | 00:11:20:70:56:50 | 00:11:20:70:66:10 | \
X00:11:20:70:6d:b0 | 00:11:20:70:71:c0 | 00:11:20:70:78:e0 | \
X00:11:20:70:79:f0 | 00:11:20:75:8e:e0 | 00:11:20:75:a2:30 | \
X00:11:20:8d:b9:20 | 00:11:20:8d:ef:40 | 00:11:20:8d:f4:20 | \
X00:11:20:90:d5:40 | 00:11:20:90:ff:00 | 00:16:47:0c:fd:10 | \
X00:16:47:0d:02:90 | 00:16:47:0d:07:10 | 00:27:0d:4a:29:ef | \
X00:27:0d:60:b3:ff)
X
XNWID=BUCS-WiSM
XNWKEY=
XWPAKEY=
XCHAN=
XBSSID=$MAC
X;;
X
X*)
Xreturn 1
X;;
Xesac
X
Xreturn 0
END-of-rc.wireless.conf
exit

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: 1 out of 3 hunks failed--saving rejects to kerberosV/src/lib/krb5/crypto.c.rej

2010-06-21 Thread Dennis Davis
On Mon, 21 Jun 2010, Tony Berth wrote:

 From: Tony Berth tonybe...@googlemail.com
 To: Nick Holland n...@holland-consulting.net
 Cc: misc@openbsd.org
 Date: Mon, 21 Jun 2010 14:03:08
 Subject: Re: 1 out of 3 hunks failed--saving rejects to
 kerberosV/src/lib/krb5/crypto.c.rej
 
 did the following:
 
 after navigating to: http://openbsd.org/anoncvs.html#starting
 
 applied:
 
 # *cd /usr; cvs checkout -P -rOPENBSD_4_7 src*
 
 using *cvsroot=anon...@anoncvs.fr.openbsd.org:/cvs*

I think you missed the line:

  The OPENBSD_4_7 tag contains the release sources and errata already applied.

in: http://openbsd.org/anoncvs.html#starting

which would explain the failure to apply patches which are already
applied.

 Then downloaded: ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.7.tar.gz
 
 and applied:
 
 cd /usr/src
 patch -p0 < 001_kerberos.patch
 
 
 as referred in:
 ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.7/common/001_kerberos.patch
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: 4.6 arriving

2009-10-20 Thread Dennis Davis
On Fri, 9 Oct 2009, Martin Schröder wrote:

 From: Martin Schröder mar...@oneiros.de
 To: OpenBSD general usage list misc@openbsd.org
 Date: Fri, 9 Oct 2009 13:07:01
 Subject: Re: 4.6 arriving
 X-Spam-Score: 0.0 (/)
 
 2009/10/9 Bret S. Lambert bret.lamb...@gmail.com:
  On Fri, Oct 09, 2009 at 09:30:07AM +0200, Lukas Ratajski wrote:
  Oh man, I'd LOVE to give the 2.1 version a boot opportunity on
  i386.  Just for the sake of curiosity. Anyone offering a copy?
 
  Yes, but it's a collectible at this point:
  https://https.openbsd.org/cgi-bin/order
 
 Indeed. But 2.4 is the real collectible. :-)

I'm rich!  I'm rich!!  I'm rich!!!

I'm rich because OpenBSD4.6 arrived last week.

I'm also rich because I found all my early OpenBSD releases,
that's release 2.1 to 3.1.  Which includes the pricey OpenBSD2.1,
OpenBSD2.2, OpenBSD2.3 & OpenBSD2.4 CDs.

Now this is a problem.  The cardboard-box-under-the-bed bank is
possibly a little too insecure for such great treasures.  I'll have
to place them in a hermetically-sealed, lead-lined box and bury them
in the garden.  Sigh, and then forget where they are.  Leaving some
future fortunate to find this treasure trove long after I'm gone.
Damn, I'll be worrying about this for some time.

...with great wealth comes great responsibility...



Re: 4.5 - stable/ports/gcc-4.2/Error code 1

2009-05-29 Thread Dennis Davis
On Fri, 29 May 2009, soko.tica wrote:

 From: soko.tica soko.t...@gmail.com
 To: misc@openbsd.org
 Date: Fri, 29 May 2009 13:01:13 +0200
 Subject: 4.5 - stable/ports/gcc-4.2/Error code 1
 X-Spam-Score: 0.4 (/)
 
 Hello list,
 
 I am trying to install gnome-session from ports on 4.5 - stable, and I
 am facing the following error in gcc-4.2
 ..
 ===>  Configuring for gcc-4.2.20070307
 loading site script /usr/ports/infrastructure/db/config.site
 loading cache ./config.cache
 checking host system type... i386-unknown-openbsd4.5
 checking target system type... i386-unknown-openbsd4.5
 checking build system type... i386-unknown-openbsd4.5
 checking for a BSD compatible install... /usr/bin/install -c -o root -g bin
 checking whether ln works... yes
 checking whether ln -s works... yes
 checking for gcc... /usr/ports/lang/gcc/4.2/w-gcc-4.2.20070307/bin/egcc
 checking whether the C compiler
 (/usr/ports/lang/gcc/4.2/w-gcc-4.2.20070307/bin/egcc -O2 -g ) works...
 no
 *** Error code 1
 
 Stop in /usr/ports/lang/gcc/4.2 (line 2147 of
 /usr/ports/infrastructure/mk/bsd.port.mk).
 *** Error code 1

Seriously consider installing gcc-4.2 from a pre-built package.

Alternatively add the soft link libc.so.42.0 in /usr/lib:

(root) ?// pwd  
/usr/lib
(root) ?// ls -l libc.so.42.0  
lrwxr-xr-x  1 root  wheel  12 May  7 12:35 libc.so.42.0 -> libc.so.50.1

Can't remember how I found this out.  Seems the bootstrap compiler
wants it:

(root) ?// ldd /usr/ports/lang/gcc/4.2/w-gcc-4.2.20070307/bootstrap/bin/egcc
/usr/ports/lang/gcc/4.2/w-gcc-4.2.20070307/bootstrap/bin/egcc:
StartEnd  Type Open Ref GrpRef Name
1c00 3c008000 exe  10   0  
/usr/ports/lang/gcc/4.2/w-gcc-4.2.20070307/bootstrap/bin/egcc
04402000 2443b000 rlib 01   0  /usr/lib/libc.so.42.0
09b3d000 09b3d000 rtld 01   0  /usr/libexec/ld.so

*But* as noted above, consider installing the package
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: PF and CLamAV Integration - how to do it?1,$

2009-03-19 Thread Dennis Davis
On Thu, 19 Mar 2009, Protocol Six Consulting wrote:

 From: Protocol Six Consulting contact...@protocol6.com
 To: misc@openbsd.org
 Date: Thu, 19 Mar 2009 10:27:43 -0400
 Subject: PF and CLamAV Integration - how to do it?
 Reply-To: scasw...@protocol6.com
 
 I was wondering if anyone here knows how to integrate the PF
 firewall with ClamAV.

 I am planning on putting into production an OpenBSD firewall and
 would like to do virus scanning at the network perimeter.  I am
 definitely interested in scanning email traffic, but also possibly
 Web and IRC (and any other traffic types that makes sense) for a
 group of 25 people.

...

 Any pointers and/or info would be greatly appreciated by this
 newbie.

You might find Wil Knolls's paper mentioned in:

http://undeadly.org/cgi?action=article&sid=20081220195047

useful background reading.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk   Phone: +44 1225 386101



Re: Howto connect to several wireless network ?

2008-08-29 Thread Dennis Davis
On Thu, 28 Aug 2008, Francisco Valladolid Hdez. wrote:

 From: Francisco Valladolid Hdez. [EMAIL PROTECTED]
 To: misc@openbsd.org
 Date: Thu, 28 Aug 2008 07:20:48 -0700 (PDT)
 Subject: Howto connect to several wireless network ?
 
 Frequently I have the need to connect to several
 networks (my home, office and another public network).
 
 How can I perform this task?
 
 NetBSD has an ifwatchd daemon which can help in these
 situations: it detects up/down events and monitors dynamic
 interfaces.
 
 Any help on this would be really appreciated.

See:

http://undeadly.org/cgi?action=article&sid=20071224164233

for an OpenBSD journal article on a similar subject.

There was also some discussion on this topic last year on this
list.  One reader posted details of the script he uses to probe for
wireless networks.  It'll be in the various mail list archives.  For
example:

http://www.mail-archive.com/misc@openbsd.org/msg52116.html

Usual disclaimer applies: I've not used either of the above, but
they might be useful and/or a useful starting point for your own
ideas.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101



Re: avoid logging useless ssh brute force attempts

2008-02-01 Thread Dennis Davis
On Fri, 1 Feb 2008, Matt wrote:

 From: Matt [EMAIL PROTECTED]
 To: Chris [EMAIL PROTECTED]
 Cc: OpenBSD Misc misc@openbsd.org
 Date: Fri, 01 Feb 2008 09:25:02 +0100
 Subject: Re: avoid logging useless ssh brute force attempts
 

...

 One of the suggestions I have seen on this list is to enable
 pf and add an max-src-connection rate for ssh.  So if someone
 connects, say 4 times within 30 seconds, you block them.  It will
 not stop the first attempts from being logged but after that you
 are in the clear.

As Peter has pointed out:

http://home.nuug.no/~peter/pf/en/bruteforce.html

is an excellent starting point for setting this up.  That's
where I started from.

 Make sure you empty the table with attackers once in a while though.

See:

/usr/ports/sysutils/expiretable

for an easy way to set this up, either as a daemon process or run out
of cron.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101
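
The rate limit and table clean-up discussed in this message, written out as an added example (not taken from the linked tutorial or from any poster's ruleset). The table name `bruteforce`, the interface `em0` and the one-day expiry are assumptions; 4/30 is the figure quoted above.

```pf
# pf.conf fragment (added example; names below are assumptions)
ext_if = "em0"                    # assumed external interface

# Addresses that trip the rate limit are collected here.
table <bruteforce> persist

# Drop everything from listed addresses before any pass rule is evaluated.
block quick from <bruteforce>

# Allow ssh, but a source opening more than 4 connections in 30 seconds
# is added to <bruteforce>, and "flush global" kills its existing states.
pass in on $ext_if inet proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 4/30, overload <bruteforce> flush global)

# Clean-up from root's crontab as an alternative to expiretable: remove
# entries whose statistics were last cleared more than 86400 seconds ago.
#   */10 * * * * /sbin/pfctl -t bruteforce -T expire 86400
```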



Re: : booting openbsd on eee without cd-rom

2008-01-30 Thread Dennis Davis
On Wed, 30 Jan 2008, Raimo Niskanen wrote:

 From: Raimo Niskanen [EMAIL PROTECTED]
 To: misc@openbsd.org
 Date: Wed, 30 Jan 2008 15:50:30 +0100
 Subject: Re: : booting openbsd on eee without cd-rom

...

  Anyway, OpenBSD will boot but ethernet does not work: The wired
  adapter is not supported, and the wireless driver reports an
  error and does not work :-(

 Then one could create such a bootable image and throw in the file
 sets too, that is: most of the /4.2/i386 download directory except
 install42.iso, but the size would be about 250 MByte.

 If the ethernet adapters do not work, what is the use?

"wireless driver reports an error and does not work" is short on
detail.  It might just be that non-free firmware needs installing
(eg the firmware for the iwi driver) to get it to work.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101



Re: OT: OpenBSD on Asus eeePC

2007-11-14 Thread Dennis Davis
On Wed, 14 Nov 2007, Karl Sjodahl - dunceor wrote:

 From: Karl Sjodahl - dunceor [EMAIL PROTECTED]
 To: Marc Balmer [EMAIL PROTECTED]
 Cc: Jacob Winther [EMAIL PROTECTED], misc@openbsd.org,
 Andreas Maus [EMAIL PROTECTED]
 Date: Wed, 14 Nov 2007 08:47:04 +0100
 Subject: Re: OT: OpenBSD on Asus eeePC

...

 In UK:
 http://www.clove.co.uk/viewProduct.aspx?product=9136E4FD-2F3C-4289-84A9-4B96ED813B9D&category=GROUP4

Also shortly available in the UK as a re-badged RM machine:

http://www.rm.com/HE/Products/product.asp?cref=PD1024415

Looks neat, a bigger (memory, flash memory) device running OpenBSD
would be attractive.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101



Re: OpenBSD for a desktop environment ?

2006-02-14 Thread Dennis Davis
On Tue, 14 Feb 2006, Andreas Bihlmaier wrote:

 From: Andreas Bihlmaier [EMAIL PROTECTED]
 To: misc@openbsd.org
 Date: Tue, 14 Feb 2006 07:14:10 +0100
 Subject: Re: OpenBSD for a desktop environment ?

...

 Only thing to remember is the lack of OpenOffice in (native)
 OpenBSD.  Sure there is gnumeric and abiword as well as
 koffice, but I think it is not an adequate replacement for OO.

There was some discussion about this on the list some time ago.
Apparently the Linux version works OK in compatibility mode.  I
installed this version on my i386 OpenBSD machine.  I haven't used
it -- other than to verify soffice fires up -- so I can't say how
well it works.

I followed the instructions from a web page that seems to have
vanished.  So here's the steps I took.

You'll obviously need the Redhat libraries
(/usr/ports/emulators/redhat) installed.  And have:

kern.emul.linux=1

set in /etc/sysctl.conf.

Touched /emul/linux/etc/mnttab to create it as an empty file.

Added:

#
# For OpenOffice in Linux compatibility mode.
/proc /proc procfs rw,linux 0 0

to /etc/fstab.

Created and mounted /proc.

Created the directory OOo_2.0.0, untarred
OOo_2.0.0_LinuxIntel_install.tar.gz in this directory to create all
the RPMs.

Created /opt as a soft link to /usr/local.

Installed the software by typing:

/emul/linux/bin/rpm --nodeps --ignoreos --ignorearch -ivh *.rpm

Programs are installed in /opt/openoffice.org2.0/program/s*. For
instance the text editor is /opt/openoffice.org2.0/program/swriter
and the main app is /opt/openoffice.org2.0/program/soffice.

The web page then said:

  If programs don't start and if you have a Java virtual machine,
  temporarily disable it (chmod 0 /usr/local/jdk*), then start
  OpenOffice. You can then re-enable Java (chmod 755 /usr/local/jdk*)
  and keep it that way.

but I'm not running with a Java virtual machine so it's
not a problem I've experienced.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101



Re: #define failure opportunity

2005-11-29 Thread Dennis Davis
From: Qv6 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: #define failure opportunity
Date: Mon, 28 Nov 2005 18:35:24 -0600

...

Interesting news.

I once worked for a major Telecom firm that used a commercial
implementation of ssh. I was curious and I asked one of the other
techies why pay for ssh when openssh is available. "Because we can
go to the company for support" was his answer.

I couldn't help but wonder what type of issues people encounter
while using openssh. Aside from the usual software bugs, has there
really been any major problems with openssh that the community has
not fixed promptly?

I'm reminded of the following quote I saved -- can't remember where
I found it:


Open source code is not guaranteed nor does it come with a warranty.
 -- the Alexis de Tocqueville Institute

I guess that's in contrast to proprietary software, which comes with
a money-back guarantee, and free on-site repairs if any bugs are
found.
 -- Rary


I certainly couldn't provide the services I currently support
without a *lot* of open source software running on OpenBSD.  Well,
not without it costing a great deal of money.



Re: Blocking many accesses to ssh port from single IP

2005-06-30 Thread Dennis Davis
Date: Thu, 30 Jun 2005 11:05:43 +0200
From: Nico Meijer [EMAIL PROTECTED]
To: Steve Williams [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: Blocking many accesses to ssh port from single IP

 I am running OpenBSD 3.7-stable, pretty standard install, spamd 
 greylisting, httpd, sendmail.  Going over my log files, I have
 noticed that I am more and more coming under attack with dictionary
 based login attempts to the SSH port. 

I don't know if this still holds true, but some months ago rogue Linux
machines were responsible for large scale network probing. It's in the
archives; please go check.

Short version:
block in log proto tcp from any os Linux to ($ext_if) port ssh

I've just been looking at this over the last few days.  As others
have pointed out, pf[1] is your friend.  As a first time pf user,
I'm using the following *very* simple pf.conf file:


# Simple pf.conf file to prevent silly sods playing ssh
# username/password guessing games with us.
#  DHD  June 2005

# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if = em0

# Table maintained entirely by pfctl. It's empty to start with, but
# IDS systems etc can add to it.
table <ssh-blacklist> persist

# Normalize all traffic.
scrub in

# This is extremely lenient..
pass in
pass out

# ...but we'll block those playing ssh games with us.
block return-rst in on $ext_if proto tcp from <ssh-blacklist> to port ssh


Then you can add suspect IPs to the blacklist with:

pfctl -t ssh-blacklist -T add {suspect-ip}

and remove them with:

pfctl -t ssh-blacklist -T delete {friendly-ip}

If you want to automate this, have a look at:

http://www.pettingers.org/code/SSHBlack.htm

It's a perl program which tails a log.  Have it tail
/var/log/authlog looking for strings such as "Failed password" and
"Invalid user".  As written this perl program used iptables commands
to block IPs.  But it's trivial to alter it to use the above pfctl
commands.

[1] The book Absolute OpenBSD by Michael W Lucas contains a very
useful discussion on pf.
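
One way to do the log-to-table step described above without the perl program, as an added example that is not part of the original post or of SSHBlack: a sh/awk filter that reads authlog-style lines and prints the `pfctl -t ssh-blacklist -T add` commands for repeat offenders. `THRESHOLD`, `ALLOW`, the function names and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source address and print the
# pfctl commands that would put repeat offenders in the pf table.

TABLE=ssh-blacklist   # table name used in the pf.conf above
THRESHOLD=3           # assumed: matching log lines before an address is listed
ALLOW="192.0.2.10"    # assumed: space-separated addresses never to list

# Reads authlog-style lines on stdin, writes one pfctl command per offender.
blacklist_cmds() {
    awk -v table="$TABLE" -v limit="$THRESHOLD" -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /sshd\[[0-9]+\]: (Failed password|Invalid user) / {
        # The user name is chosen by the remote side and may itself contain
        # " from <address>", so only the last "from" on the line is trusted.
        src = ""
        for (i = 1; i < NF; i++) if ($i == "from") src = $(i + 1)
        # Keep dotted-quad IPv4 text only; never pass other strings to pfctl.
        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        if (src in ok) next
        # An invalid-user attempt logs both strings, so it counts twice.
        if (++count[src] == limit + 0) order[++m] = src
    }
    END { for (i = 1; i <= m; i++) printf "pfctl -t %s -T add %s\n", table, order[i] }'
}

# Constructed sample input (documentation addresses, not real log data).
sample_log() {
    cat <<'EOF'
Jun 30 11:05:41 gw sshd[2101]: Invalid user admin from 203.0.113.5
Jun 30 11:05:41 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jun 30 11:05:43 gw sshd[2104]: Failed password for root from 203.0.113.5 port 40115 ssh2
Jun 30 11:05:44 gw sshd[2107]: Failed password for invalid user x from 198.51.100.7 from 203.0.113.5 port 40117 ssh2
Jun 30 11:06:02 gw sshd[2110]: Failed password for alice from 192.0.2.10 port 50022 ssh2
Jun 30 11:06:03 gw sshd[2110]: Failed password for alice from 192.0.2.10 port 50022 ssh2
Jun 30 11:06:04 gw sshd[2110]: Failed password for alice from 192.0.2.10 port 50022 ssh2
Jun 30 11:06:09 gw sshd[2113]: Accepted password for alice from 192.0.2.10 port 50023 ssh2
Jun 30 11:07:00 gw sshd[2120]: Failed password for root from 198.51.100.7 port 33001 ssh2
EOF
}

sample_log | blacklist_cmds
```

Review the printed commands before piping them to sh as root; the allow list is what keeps a mistyped password of your own from locking you out.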



Re: Limit access to msn to a couple of hours a day

2005-06-28 Thread Dennis Davis
Date: Tue, 28 Jun 2005 09:25:18 -0400
From: Nick Holland [EMAIL PROTECTED]
To: misc misc@openbsd.org
Subject: Re: Limit access to msn to a couple of hours a day

...

(note: grepping the output of ps -ax is a starting point...but
remember: sometimes you will pick up the grep line itself in ps...)

Quite.  For example:

bahamontes $ ps -ax|grep 'ntpd'
23336 ??  Is  0:00.11 ntpd: [priv] (ntpd)
10490 ??  I   0:10.36 ntpd: ntp engine (ntpd)
28841 p1  ?+  0:00.00 grep ntpd

so instead write:

bahamontes $ ps -ax|grep '[n]tpd'
23336 ??  Is  0:00.11 ntpd: [priv] (ntpd)
10490 ??  I   0:10.36 ntpd: ntp engine (ntpd)