Re: ftpd server
2011/9/1 Bryan Irvine sparcta...@gmail.com:
On Tue, Aug 30, 2011 at 11:38 PM, fqui nonez fquinon...@gmail.com wrote:

Hello I have a ftpd server box, OBSD-4.9, and pflog shows:

Aug 29 10:11:03.520900 rule 3/(match) pass in on rl0: 190.87.195.241.2732 192.168.5.2.21: S 2008995709:2008995709(0) win 65535 mss 1452,nop,nop,sackOK
Aug 29 10:15:52.825409 rule 3/(match) pass in on rl0: 190.87.195.241.3190 192.168.5.2.21: S 409025537:409025537(0) win 65535 mss 1452,nop,nop,sackOK
Aug 29 10:27:40.085461 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 2719210498:2719210554(56) ack 2008995823 win 17424 (DF) [tos 0x10]
Aug 29 10:28:44.085510 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:29:48.085560 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:30:52.085653 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:31:56.085655 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:32:29.475695 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 2719185758:2719185814(56) ack 409025651 win 17424 [tos 0x10]
Aug 29 10:33:00.085705 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:33:33.475738 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:34:04.085762 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:34:37.475788 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:35:08.085806 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: R 57:57(0) ack 1 win 0 (DF) [tos 0x10]
Aug 29 10:35:41.475843 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:36:45.475901 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:37:49.475947 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:38:53.476001 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:39:57.476044 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: R 57:57(0) ack 1 win 0 [tos 0x10]

pf rules are:

set skip on lo
block in log all
block out log all
pass out log quick on rl0
pass in log quick on rl0 proto tcp from any to port {20 21 22}
antispoof quick log for rl0
pass # to establish keep-state

It look for me, that somebody send code over port 21, then ftpd

Thanks to all for the answers. this is a typo error; it should say ftpd; it is only anonymous access.

respond over port 21, and pf stops sftp! - ftpd here

It seems that ftpd should not respond over port 21, because ftp-proxy is on charge of connection.

I have seen that normal behaviour of ftpd is logged on random ports; as effect of ftp_proxy. Is it happening something weird here?

The FTP protocol itself is weird. Most (all?) modern FTP clients now include SFTP/SCP. I convinced a client to switch to that a few years ago, and their customers are still using it to this day (chrooted with no login shell of course). If you must use FTP you are always going to have problems firewalling and troubleshooting whether someone's client is set to active/passive, or whether they're also behind a firewall. Just make the switch and wash your hands of that protocol. :-)

-Bryan

Yes Bryan, except that this server has been working correctly for a long time, and accept only anonymous connections.
ftpd server
Hello I have a ftpd server box, OBSD-4.9, and pflog shows:

Aug 29 10:11:03.520900 rule 3/(match) pass in on rl0: 190.87.195.241.2732 192.168.5.2.21: S 2008995709:2008995709(0) win 65535 mss 1452,nop,nop,sackOK
Aug 29 10:15:52.825409 rule 3/(match) pass in on rl0: 190.87.195.241.3190 192.168.5.2.21: S 409025537:409025537(0) win 65535 mss 1452,nop,nop,sackOK
Aug 29 10:27:40.085461 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 2719210498:2719210554(56) ack 2008995823 win 17424 (DF) [tos 0x10]
Aug 29 10:28:44.085510 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:29:48.085560 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:30:52.085653 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:31:56.085655 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:32:29.475695 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 2719185758:2719185814(56) ack 409025651 win 17424 [tos 0x10]
Aug 29 10:33:00.085705 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:33:33.475738 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:34:04.085762 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:34:37.475788 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:35:08.085806 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: R 57:57(0) ack 1 win 0 (DF) [tos 0x10]
Aug 29 10:35:41.475843 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:36:45.475901 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:37:49.475947 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:38:53.476001 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:39:57.476044 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: R 57:57(0) ack 1 win 0 [tos 0x10]

pf rules are:

set skip on lo
block in log all
block out log all
pass out log quick on rl0
pass in log quick on rl0 proto tcp from any to port {20 21 22}
antispoof quick log for rl0
pass # to establish keep-state

It look for me, that somebody send code over port 21, then ftpd respond over port 21, and pf stops sftp!

I have seen that normal behaviour of ftpd is logged on random ports; as effect of ftp_proxy. Is it happening something weird here?

Thanks so much.
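An added example, not part of the original post: a Python parser for pflog text lines in the format quoted above that groups them per client connection and reports the delay between the passed SYN and the first blocked reply, the retransmit spacing, and whether the server ended with a RST. The sample lines are copied from the post; the function name and report fields are assumptions of this example.

```python
import re
from datetime import datetime

# Lines copied from the pflog output in the post above: every entry for
# client port 2732, plus the first three entries for client port 3190.
SAMPLE = """\
Aug 29 10:11:03.520900 rule 3/(match) pass in on rl0: 190.87.195.241.2732 192.168.5.2.21: S 2008995709:2008995709(0) win 65535 mss 1452,nop,nop,sackOK
Aug 29 10:15:52.825409 rule 3/(match) pass in on rl0: 190.87.195.241.3190 192.168.5.2.21: S 409025537:409025537(0) win 65535 mss 1452,nop,nop,sackOK
Aug 29 10:27:40.085461 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 2719210498:2719210554(56) ack 2008995823 win 17424 (DF) [tos 0x10]
Aug 29 10:28:44.085510 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:29:48.085560 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:30:52.085653 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:31:56.085655 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:32:29.475695 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 2719185758:2719185814(56) ack 409025651 win 17424 [tos 0x10]
Aug 29 10:33:00.085705 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 [tos 0x10]
Aug 29 10:33:33.475738 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.3190: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:34:04.085762 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: FP 0:56(56) ack 1 win 17424 (DF) [tos 0x10]
Aug 29 10:35:08.085806 rule 1/(match) block out on rl0: 192.168.5.2.21 190.87.195.241.2732: R 57:57(0) ack 1 win 0 (DF) [tos 0x10]
"""

# tcpdump -e text format as shown on the page; the " > " between source and
# destination is optional because the archived copy has lost it.
LINE = re.compile(
    r"(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on \w+: "
    r"(?P<src>\S+) (?:> )?(?P<dst>[^\s:]+): (?P<flags>[SFPR.]+) ")


def summarize(text):
    """Group pflog lines per client connection and describe what pf did."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        # Key on the client endpoint whichever direction the packet travelled.
        client = m["src"] if m["dir"] == "in" else m["dst"]
        flow = flows.setdefault(client, {"syn": None, "blocked": []})
        if m["action"] == "pass" and m["flags"] == "S":
            flow["syn"] = when
        elif m["action"] == "block" and m["dir"] == "out":
            flow["blocked"].append((when, int(m["rule"]), m["flags"]))
    report = {}
    for client, flow in flows.items():
        times = [t for t, _, _ in flow["blocked"]]
        idle = None
        if times and flow["syn"]:
            idle = round((times[0] - flow["syn"]).total_seconds())
        report[client] = {
            "idle_before_first_block": idle,
            "blocked": len(times),
            "block_rules": sorted({r for _, r, _ in flow["blocked"]}),
            "retransmit_gaps": [round((b - a).total_seconds())
                                for a, b in zip(times, times[1:])],
            "ended_with_rst": bool(times) and "R" in flow["blocked"][-1][2],
        }
    return report


if __name__ == "__main__":
    for client, info in summarize(SAMPLE).items():
        print(client, info)
```

On the sample, each connection shows a SYN passed by rule 3, then about 997 seconds later 56-byte FIN+PSH segments dropped by rule 1 and retransmitted every 64 seconds. A packet logged against rule 1 went through ruleset evaluation, which means no state entry matched it at that point.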
Re: pf rule?
2011/7/20 fqui nonez fquinon...@gmail.com:
2011/7/20 Andres Perera andre...@zoho.com:
On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez fquinon...@gmail.com wrote:
On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez fquinon...@gmail.com wrote:

Hello I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all blocked packets, and send them to /var/log/pfblocklog to be read with tcpdump. What and where should be the rule? Thanks for your attention.

Hello I changed it to:

#$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
set skip on lo
### Agregadas por mi: (added by me)
block log
pass out quick on rl0
antispoof quick for rl0
pass in log on rl0 proto tcp from any to port 22
pass in log on rl0 proto tcp from any to port 21
pass in log on rl0 proto tcp from any to port 80

replace all three by:

pass in log on rl0 proto tcp to port { 21 22 80 }

### Fin. (end)
# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

you already pass these packets before. redundant rules make pfctl output hard to read, so change it to:

match in proto tcp to port ftp rdr-to localhost port 8021

Done, thanks again!

Hello, again. I am receiving this message at client side :

425 Can't build data connection: illegal port number

then, i changed it to:

# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
set skip on lo
# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
### Agregadas por mi: (added by me)
block log
pass out quick on rl0
antispoof quick for rl0
pass in log on rl0 proto tcp from any to port {21 22 80}
### Fin. (end)
#pass # to establish keep-state
# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010

ftpd is not working correctly with those rules; does somebody see the error? Thanks for your attention.
pf rule?
Hello I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all blocked packets, and send them to /var/log/pfblocklog to be read with tcpdump. What and where should be the rule?

# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
set skip on lo
### Agregadas por mi: (added by me)
block return
pass in quick log on rl0 proto tcp from any to port 22
pass out quick on rl0 to any
pass in quick log on rl0 proto tcp from any to port 21
pass in quick log on rl0 proto tcp from any to port 80
### Fin. (end)
# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass # to establish keep-state
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

Thanks for your attention.
Re: pf rule?
2011/7/20 Wesley MOUEDINE ASSABY open...@e-solutions.re:

Also, you can see a sample on http://mouedine.net/ruleset49.aspx

Wesley.

On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY open...@e-solutions.re wrote:

Hi, Try this:

block log return

Cheers, Wesley.

On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez fquinon...@gmail.com wrote:

Hello I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all blocked packets, and send them to /var/log/pfblocklog to be read with tcpdump. What and where should be the rule? Thanks for your attention.

Hello I changed it to:

#$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
set skip on lo
### Agregadas por mi: (added by me)
block log
pass out quick on rl0
antispoof quick for rl0
pass in log on rl0 proto tcp from any to port 22
pass in log on rl0 proto tcp from any to port 21
pass in log on rl0 proto tcp from any to port 80
### Fin. (end)
# filter rules and anchor for ftp-proxy(8)
anchor ftp-proxy/*
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

Thanks so much, both. How does it look?
ftpd intrusion?
Hello I have a ftpd server OBSD-4.9, and i found this:

# last ftp
ftp ftp 62.234.84.203.hostway.com.au Thu May 12 12:40 - 12:40 (00:00) --(it is not me)

Could it mean that i have an intrusion in the server? Where should i see? and what should i care, please?

# ls -laR /home/ftp
total 12
drwxr-xr-x 3 root wheel 512 May 6 08:04 .
drwxr-xr-x 4 root wheel 512 May 5 08:21 ..
drwxr-xr-x 3 root wheel 512 May 6 08:05 pub

/home/ftp/pub:
total 12
drwxr-xr-x 3 root wheel 512 May 6 08:05 .
drwxr-xr-x 3 root wheel 512 May 6 08:04 ..
drwxr-xr-x 5 root wheel 512 May 9 06:14 GSA

--
Agr. francisco Quinonez.
Our mission, feed the World
notre mission, nourrir au monde
Nuestra mision, alimentar al mundo
Re: ftpd intrusion?
2011/5/12 fqui nonez fquinon...@gmail.com:

Hello I have a ftpd server OBSD-4.9, and i found this:

# last ftp
ftp ftp 62.234.84.203.hostway.com.au Thu May 12 12:40 - 12:40 (00:00) --(it is not me)

Could it mean that i have an intrusion in the server? Where should i see? and what should i care, please?

# ls -laR /home/ftp
total 12
drwxr-xr-x 3 root wheel 512 May 6 08:04 .
drwxr-xr-x 4 root wheel 512 May 5 08:21 ..
drwxr-xr-x 3 root wheel 512 May 6 08:05 pub

/home/ftp/pub:
total 12
drwxr-xr-x 3 root wheel 512 May 6 08:05 .
drwxr-xr-x 3 root wheel 512 May 6 08:04 ..
drwxr-xr-x 5 root wheel 512 May 9 06:14 GSA

My mistake, i changed it to:

# ls -laR /home/ftp/
total 12
dr-xr-xr-x 3 root ftp 512 May 6 08:04 .
drwxr-xr-x 4 root wheel 512 May 5 08:21 ..
dr-xr-xr-x 3 root ftp 512 May 6 08:05 pub

/home/ftp/pub:
total 12
dr-xr-xr-x 3 root ftp 512 May 6 08:05 .
dr-xr-xr-x 3 root ftp 512 May 6 08:04 ..
dr-xr-xr-x 5 root ftp 512 May 9 06:14 GSA

/home/ftp/pub/GSA:
total 20
dr-xr-xr-x 5 root ftp 512 May 9 06:14 .
dr-xr-xr-x 3 root ftp 512 May 6 08:05 ..
dr-xr-xr-x 2 root ftp 2048 May 9 03:37 2009
dr-xr-xr-x 2 root ftp 2048 May 9 06:13 2010
dr-xr-xr-x 2 root ftp 1024 May 10 09:25 2011

Is this line a problem? Do i have to do something more with it?

ftp ftp 62.234.84.203.hostway.com.au Thu May 12 12:40 - 12:40 (00:00) --(it is not me)

--
Agr. francisco Quinonez.
Our mission, feed the World
notre mission, nourrir au monde
Nuestra mision, alimentar al mundo
Re: is SHA256 file used or not ?
2011/2/8 Mihai Popescu mihai...@gmail.com:

Hi Henning, It looks like you are in a bad mood. Please read my entire post and don't cut and paste out of context. Man, if you do not want to answer, please don't. You have spent a lot of time bitching and no time to give a damn clear answer. It's not my problem that you attract idiots ( I failed to see who are we from we keep attracting idiots...). Maybe you should read about how a documentation can or cannot help. Happily, Otto and Philip did participate with good answers.

Hello Popescu

I am not so educated as others, i use OBSD since 2001-2002, with many difficulties, but i have understood that there are only 2 different kind of persons. Developers and users, developers work for them, and users receive the collateral benefit using OBSD. What kind of person are you Popescu? If you are a Developer, i can tell you thanks; or if you are a user, i can tell you, please let us to do what we like, and go to other list where your behaviour is normal, do you understand or do i have to write a man page?

--
Agr. francisco Quinonez.
Our mission, feed the World
notre mission, nourrir au monde
Nuestra mision, alimentar al mundo
Re: Donations
2010/12/7 ropers rop...@gmail.com:
2010/12/5 Theo de Raadt dera...@cvs.openbsd.org:

Such an American viewpoint.

On 7 December 2010 08:02, fqui nonez fquinon...@gmail.com wrote:

Well, revising old documents, the word America was not used by the Government of US; but after I and II world war; when Europeans properly used America to refer to the continent or its troops from Canada, US and maybe other countries this word was taken as if it were referring to US; i do not know if it is by ignorance or by conceit.

Do you have any sources or links to such research?

regards, --ropers

http://www.archives.gov/exhibits/charters/constitution_transcript.html

--
Agr. francisco Quinonez.
Our mission, feed the World
notre mission, nourrir au monde
Nuestra mision, alimentar al mundo
Re: Donations
2010/12/5 Adam M. Dutko dutko.a...@gmail.com:

Are you planning on having the OpenBSD development team perform some sort of illegal activity soon? If not, you shouldn't be worried about Paypal.

You're discussing intent. Intent is a tricky thing that in the past lawyers had to jump through hoops to prove in the (fed)nited States. Now with the (un)Patriot Act and other legislation they can rely on the whole notion of pre-crime. Seems like most of America is happy with point and click hegemony and I'm glad the Internet is trying to block the interrupts.

No, i think only US, because the most of the other countries have had really bad experience under the external US politics. Among US, people could have forgotten the McCarthyism. In fact, the people in El Salvador who were responsible to assassinate 80,000 persons; were trained at La escuela de las Americas in US; the rest of other Hispanic countries have had the same experience. In Canada, we can see the effect of insanity coming from US; bands and crime.

--
Agr. francisco Quinonez.
Our mission, feed the World
notre mission, nourrir au monde
Nuestra mision, alimentar al mundo
Re: Donations
2010/12/5 L. V. Lammert l...@omnitec.net:
On Sun, 5 Dec 2010, Dmitrij D. Czarkoff wrote:
On Sun, 5 Dec 2010, Randal L. Schwartz wrote:

I agree totally that there are a lot of idiots running parts of the US system, but at least they ARE predictable.

Being predictable is just not enough. Hardly You would enjoy predictability of You being put to prison on suspicion of possibility of You committing some crime.

Actually, being predictable ALLOWS planning to avoid such problems! Ever heard of Don Quixote? The moral of the story - pick the battles you have a chance of winning and avoid the rest.

Lee

It looks, like if the proper name of it is cowardice, but Don Quijote de La Mancha, shows how to distinguish reality!

--
Agr. francisco Quinonez.
Our mission, feed the World
notre mission, nourrir au monde
Nuestra mision, alimentar al mundo
Re: Donations
2010/12/5 Theo de Raadt dera...@cvs.openbsd.org:

Ever heard of Don Quixote? The moral of the story - pick the battles you have a chance of winning and avoid the rest.

Such an American viewpoint.

Well, revising old documents, the word America was not used by the Government of US; but after I and II world war; when Europeans properly used America to refer to the continent or its troops from Canada, US and maybe other countries this word was taken as if it were referring to US; i do not know if it is by ignorance or by conceit.

It didn't work out for Don Quixote either.

--
Agr. francisco Quinonez.
Our mission, feed the World
notre mission, nourrir au monde
Nuestra mision, alimentar al mundo
Lenovo ThinkPad Edge 14 i330
Hello I have a Compaq Presario 3019US working correctly with OBSD-4.7, and i have received a ThinkPad Edge 14 i330 (4 processors) as a present; it has Windows 7. The partitions do not finish at the end of cylinders by default.

My question is if you recommend keeping Windows 7 beside to OBSD working well?

I installed OBSD-4.7 resulting that TTYs do not work correctly, but this Laptop has an extra key (fn) which i could not find how to use it to jump to TTYs.

Another question is related to use ix86 or amd64? i could observe that temperature was higher than with Windows using amd64.

Thanks

--
Agr. francisco Quinonez.
Our mission, feed the World
notre mission, nourrir au monde
Nuestra mision, alimentar al mundo
Re: authlog messages
2010/3/13 fqui nonez fquinon...@gmail.com:

hello i found messages on authlog of a OBSD-4.6, i have not seen it before, and i was not able to find information at archives and google.

Mar 9 02:20:25 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.main.ebayrtm.com IN , got type SOA
Mar 9 02:47:32 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.uk.ebayrtm.com IN , got type SOA
Mar 9 02:50:17 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.sg.ebayrtm.com IN , got type SOA
Mar 9 02:52:03 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.au.ebayrtm.com IN , got type SOA
Mar 9 02:53:27 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.ph.ebayrtm.com IN , got type SOA
Mar 9 03:01:57 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.ph.ebayrtm.com IN , got type SOA
Mar 9 03:09:55 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.ca.ebayrtm.com IN , got type SOA

Could someone please tell me what it means? I use konqueror and lynx as web browsers. thanks for your attention.

francisco.

Updating information: I have a Compaq 3019us Laptop which had a Broadcom wireless adapter, it is broken; i tested a rtl-8187L and it fails working some times, it reboots the system; and i found that rt-73 adapter works perfectly. when i went to ebay to buy the adapter, every time that i connect to a ebay web page, using Konqueror, the message appears; i am thinking that it could be an intrusion against my OBSD-4.6 system. Could somebody please confirm it? thanks.
Re: authlog messages
2010/3/14 Adriaan misc.adri...@gmail.com:

It is a failing name lookup. Just like the following done with dig from the command line:

Adriaan

ok, thank you very much.
authlog messages
hello i found messages on authlog of a OBSD-4.6, i have not seen it before, and i was not able to find information at archives and google.

Mar 9 02:20:25 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.main.ebayrtm.com IN , got type SOA
Mar 9 02:47:32 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.uk.ebayrtm.com IN , got type SOA
Mar 9 02:50:17 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.sg.ebayrtm.com IN , got type SOA
Mar 9 02:52:03 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.au.ebayrtm.com IN , got type SOA
Mar 9 02:53:27 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.ph.ebayrtm.com IN , got type SOA
Mar 9 03:01:57 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.ph.ebayrtm.com IN , got type SOA
Mar 9 03:09:55 OpenBSD kdeinit: gethostby*.getanswer: asked for srx.ca.ebayrtm.com IN , got type SOA

Could someone please tell me what it means? I use konqueror and lynx as web browsers. thanks for your attention.

francisco.