Archive for the ‘Howto’ Category

freebsd-update : 6.2-RELEASE to 8.1-RELEASE


Put on the sysadmin hat and upgraded some FreeBSD 6.2 boxes recently. Here are the steps that I used. Please note that you should have a good backup before attempting this upgrade. You are WARNED!

old6# uname -a
FreeBSD old6.vnet.0rg 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007 root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

A rather aged machine without any updates. Damn the lazy sysadmin :P

Now grab the freebsd-update script from Colin Percival’s realm on people.freebsd.org and extract it. Note that you can’t use the default freebsd-update script in the base system, as it does not have the “-r” switch needed to upgrade your box to another -RELEASE.

old6# fetch http://people.freebsd.org/~cperciva/freebsd-update-upgrade.tgz
old6# tar xvfz freebsd-update-upgrade.tgz

Next, fire up the freebsd-update script to upgrade the system to 8.1-RELEASE. You will be prompted to upgrade your kernel first if you use a kernel other than GENERIC or SMP: you need to build and install an 8.1 kernel manually before proceeding with freebsd-update install. The upgrade script will also prompt you with a bunch of questions about file merges. They are pretty much self-explanatory.

old6# ./freebsd-update.sh upgrade -f freebsd-update.conf -r 8.1-RELEASE
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update4.FreeBSD.org... done.
Fetching metadata signature for 6.2-RELEASE from update4.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.


The following components of FreeBSD seem to be installed:
kernel/generic src/base src/bin src/contrib src/crypto src/etc src/games
src/gnu src/include src/krb5 src/lib src/libexec src/release src/rescue
src/sbin src/secure src/share src/sys src/tools src/ubin src/usbin
world/base world/catpages world/dict world/doc world/games world/info
world/manpages world/proflibs


The following components of FreeBSD do not seem to be installed:
kernel/smp


Does this look reasonable (y/n)? y


Fetching metadata signature for 8.1-RELEASE from update4.FreeBSD.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Fetching 1 metadata files... done.
Inspecting system... done.


Fetching files from 6.2-RELEASE for merging... done.
Preparing to download files... done.
Fetching 5294 patches.....10....20....30....40....50....60....70....80....90....100....110....120....130....140....150....160....170....180....190....200....210....220....230....240....250....260....270....280....290....300....310... done.
Applying patches... done.
Fetching 5416 files... done.
Attempting to automatically merge changes in files... done.


The following changes, which occurred between FreeBSD 6.2-RELEASE and
FreeBSD 8.1-RELEASE have been merged into /etc/group:
--- current version
+++ new version
@@ -1,6 +1,6 @@
-# $FreeBSD: src/etc/group,v 1.32.2.1 2006/03/06 22:23:10 rwatson Exp $
+# $FreeBSD: src/etc/group,v 1.35.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
wheel:*:0:root,chflags
daemon:*:1:
kmem:*:2:
sys:*:3:
@@ -9,10 +9,11 @@
mail:*:6:
bin:*:7:
news:*:8:
man:*:9:
games:*:13:
+ftp:*:14:
staff:*:20:
sshd:*:22:
smmsp:*:25:
mailnull:*:26:
guest:*:31:
Does this look reasonable (y/n)? y


The following changes, which occurred between FreeBSD 6.2-RELEASE and
FreeBSD 8.1-RELEASE have been merged into /etc/master.passwd:
--- current version
+++ new version
@@ -1,6 +1,6 @@
-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
+# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
root:$1$4Jd7.6Nx$ogtqf2/1drgoAFlO0iXmb.:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
Does this look reasonable (y/n)? y


The following changes, which occurred between FreeBSD 6.2-RELEASE and
FreeBSD 8.1-RELEASE have been merged into /etc/nsswitch.conf:
--- current version
+++ new version
@@ -1,7 +1,15 @@
+#
+# nsswitch.conf(5) - name service switch configuration file
+# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
+#
group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis
shells: files
+services: compat
+services_compat: nis
+protocols: files
+rpc: files
Does this look reasonable (y/n)? y

The following changes, which occurred between FreeBSD 6.2-RELEASE and
FreeBSD 8.1-RELEASE have been merged into /etc/passwd:
--- current version
+++ new version
@@ -1,6 +1,6 @@
-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
+# $FreeBSD: src/etc/master.passwd,v 1.40.22.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
Does this look reasonable (y/n)? y

The following files will be removed as part of updating to 8.1-RELEASE-p0:
/boot/kernel/ath_hal.ko
/boot/kernel/ath_rate.ko
/boot/kernel/bridge.ko
/boot/kernel/digi.ko
/boot/kernel/digi_CX.ko
/boot/kernel/digi_CX_PCI.ko
/boot/kernel/digi_EPCX.ko
/boot/kernel/digi_EPCX_PCI.ko
/boot/kernel/digi_Xe.ko
/boot/kernel/digi_Xem.ko
/boot/kernel/digi_Xr.ko
/boot/kernel/g_md.ko
/boot/kernel/geom_apple.ko
/boot/kernel/geom_gpt.ko

<— Long listing truncated —>


The following files will be added as part of updating to 8.1-RELEASE-p0:
/bin/pwait
/bin/uuidgen
/boot/firmware
/boot/gptboot
/boot/gptzfsboot
/boot/kernel/3dfx.ko.symbols
/boot/kernel/3dfx_linux.ko.symbols
/boot/kernel/aac.ko.symbols
/boot/kernel/aac_linux.ko.symbols
/boot/kernel/accf_data.ko.symbols
/boot/kernel/accf_dns.ko
/boot/kernel/accf_dns.ko.symbols
/boot/kernel/accf_http.ko.symbols
/boot/kernel/acpi.ko.symbols
/boot/kernel/acpi_aiboost.ko
/boot/kernel/acpi_aiboost.ko.symbols
/boot/kernel/acpi_asus.ko.symbols
/boot/kernel/acpi_dock.ko
/boot/kernel/acpi_dock.ko.symbols
/boot/kernel/acpi_fujitsu.ko.symbols
/boot/kernel/acpi_hp.ko
/boot/kernel/acpi_hp.ko.symbols
/boot/kernel/acpi_ibm.ko.symbols
/boot/kernel/acpi_panasonic.ko.symbols
/boot/kernel/acpi_sony.ko.symbols
/boot/kernel/acpi_toshiba.ko.symbols
/boot/kernel/acpi_video.ko.symbols
/boot/kernel/acpi_wmi.ko
/boot/kernel/acpi_wmi.ko.symbols

The following files will be updated as part of updating to 8.1-RELEASE-p0:
/.cshrc
/.profile
/COPYRIGHT
/bin/[
/bin/cat
/bin/chflags
/bin/chio
/bin/chmod
/bin/cp
/bin/csh
/bin/date
/bin/dd
/bin/df
/bin/domainname
/bin/echo
/bin/ed
/bin/expr
/bin/getfacl
/bin/hostname
/bin/kenv
/bin/kill
/bin/link
/bin/ln
/bin/ls
/bin/mkdir
/bin/mv
/bin/pax
/bin/pgrep
/bin/pkill

At this point, you already have all the upgrade files ready. Time to roll. Please note that if you are running your own custom kernel on 6.2-RELEASE, you should have your custom 8.1 kernel installed before attempting this step. In my attempt, sshd could not be started after the reboot as the base was not in sync with the new kernel. Thus, a remote binary upgrade from 6.2 to 8.1 seems not to be possible. Let me know if you experience otherwise or have a better method of dealing with remote upgrades.

old6# ./freebsd-update.sh -f freebsd-update.conf install
Installing updates...
Kernel updates have been installed. Please reboot and run
"./freebsd-update.sh install" again to finish installing updates.
old6# reboot

uname now shows the spanking new 8.1-RELEASE kernel.


old6# uname -a
FreeBSD old6.vnet.0rg 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

The new base system is installed in this step. Reboot, and you have a freshly upgraded 8.1-RELEASE FreeBSD.

old6# ./freebsd-update.sh -f freebsd-update.conf install
Installing updates... done.
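
As an added example (not part of the original post), here is a small sh pre-flight check for the custom-kernel caveat above: it reads the running release and the kernel config name out of a `uname -a` line and refuses to continue when the kernel is not GENERIC or SMP, so you notice the missing 8.1 kernel before `freebsd-update.sh install` leaves you with a box whose sshd will not start. The function names and exit codes are my own; the sample line is the one quoted from the old box.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight check before running
# "freebsd-update.sh upgrade -r <release>". It parses the running release and the
# kernel config name out of a `uname -a` line and stops when a custom kernel is
# running, since freebsd-update only ships GENERIC/SMP kernels and a custom
# kernel for the target release has to be built and installed first.

# Release field of a uname -a line ("FreeBSD host 6.2-RELEASE FreeBSD ..."),
# e.g. 6.2-RELEASE.
uname_release() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Kernel config name: last path component of the build field
# "user@host:/usr/obj/usr/src/sys/CONFIG", e.g. GENERIC.
uname_kernel_ident() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /\/sys\//) { n = split($i, p, "/"); print p[n]; exit }
    }'
}

# Machine architecture, the last field, e.g. i386.
uname_arch() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# upgrade_preflight UNAME_LINE FROM_RELEASE TO_RELEASE
# exit status 0: stock kernel, freebsd-update can replace it
#             1: custom kernel, build and install its TO_RELEASE version first
#             2: not running FROM_RELEASE at all, or kernel config not found
upgrade_preflight() {
    line=$1; from_rel=$2; to_rel=$3
    rel=$(uname_release "$line")
    ident=$(uname_kernel_ident "$line")
    if [ "$rel" != "$from_rel" ]; then
        echo "refusing: running $rel, expected $from_rel" >&2
        return 2
    fi
    case "$ident" in
        GENERIC|SMP)
            echo "kernel $ident ($(uname_arch "$line")) is a stock config; OK to run freebsd-update.sh upgrade -r $to_rel"
            return 0 ;;
        "")
            echo "could not find the kernel config in: $line" >&2
            return 2 ;;
        *)
            echo "kernel $ident is custom: build and install a $to_rel $ident kernel before freebsd-update.sh install" >&2
            return 1 ;;
    esac
}

# The uname -a line quoted in the post, used here as sample input.
SAMPLE_UNAME='FreeBSD old6.vnet.0rg 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007 root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386'

upgrade_preflight "$SAMPLE_UNAME" 6.2-RELEASE 8.1-RELEASE

# Against the live box: sh preflight.sh 6.2-RELEASE 8.1-RELEASE
if [ $# -ge 2 ]; then
    upgrade_preflight "$(uname -a)" "$1" "$2"
fi
```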

PORTS
As this is a major upgrade, it is recommended to recompile all ports. You could use compat6x (misc/compat6x) to minimise downtime if you have many services running on the box.

Tuesday, July 27th, 2010

ssh brute force is still popular?

This is really old old old old stuff. But it still seems popular these days. Lots of script kiddies are out there, I guess. My auth.log was harassed, flooded with ssh brute-force attacks.

Oct  1 10:13:50 sapphire sshd[43770]: Did not receive identification string from 202.150.213.94
Oct  1 12:40:35 sapphire sshd[45755]: Did not receive identification string from 212.122.224.24
Oct  1 20:15:14 sapphire sshd[51438]: Did not receive identification string from 219.239.17.98
Oct  1 20:19:08 sapphire sshd[51504]: User root from 219.239.17.98 not allowed because not listed in AllowUsers
Oct  1 20:19:11 sapphire sshd[51507]: User root from 219.239.17.98 not allowed because not listed in AllowUsers
Oct  1 20:19:16 sapphire sshd[51509]: User root from 219.239.17.98 not allowed because not listed in AllowUsers
Oct  1 20:19:24 sapphire sshd[51511]: Invalid user oper from 219.239.17.98
Oct  1 20:19:51 sapphire sshd[51513]: Did not receive identification string from 219.239.17.98
Oct  1 21:18:01 sapphire sshd[52675]: Did not receive identification string from 202.57.41.60
Oct  1 23:10:09 sapphire sshd[53993]: User root from 220.225.237.146 not allowed because not listed in AllowUsers
Oct  1 23:10:11 sapphire sshd[53995]: User root from 220.225.237.146 not allowed because not listed in AllowUsers
Oct  1 23:10:15 sapphire sshd[53997]: User root from 220.225.237.146 not allowed because not listed in AllowUsers
Oct  1 23:10:21 sapphire sshd[53999]: User root from 220.225.237.146 not allowed because not listed in AllowUsers
Oct  1 23:10:24 sapphire sshd[54001]: User root from 220.225.237.146 not allowed because not listed in AllowUsers
Oct  2 00:17:12 sapphire sshd[54918]: Did not receive identification string from 202.57.41.60
Oct  2 02:03:01 sapphire sshd[56453]: Did not receive identification string from 190.12.66.77
Oct  2 02:06:39 sapphire sshd[56484]: User root from 190.12.66.77 not allowed because not listed in AllowUsers
Oct  2 02:06:41 sapphire sshd[56486]: User root from 190.12.66.77 not allowed because not listed in AllowUsers
Oct  2 02:06:44 sapphire sshd[56488]: User root from 190.12.66.77 not allowed because not listed in AllowUsers
Oct  2 02:06:47 sapphire sshd[56490]: User root from 190.12.66.77 not allowed because not listed in AllowUsers
Oct  3 00:10:44 sapphire sshd[73858]: Did not receive identification string from 82.138.1.46
Oct  3 00:14:10 sapphire sshd[73974]: Invalid user admin from 82.138.1.46
Oct  3 00:14:14 sapphire sshd[73976]: User root from 82.138.1.46 not allowed because not listed in AllowUsers
Oct  3 00:14:17 sapphire sshd[73978]: Invalid user stud from 82.138.1.46
Oct  3 00:14:20 sapphire sshd[73980]: Invalid user trash from 82.138.1.46
Oct  3 00:57:23 sapphire sshd[74952]: Did not receive identification string from 85.46.29.147
Oct  3 01:06:54 sapphire sshd[75084]: User root from 85.46.29.147 not allowed because not listed in AllowUsers
Oct  3 01:06:57 sapphire sshd[75086]: User root from 85.46.29.147 not allowed because not listed in AllowUsers
Oct  3 01:07:00 sapphire sshd[75088]: User root from 85.46.29.147 not allowed because not listed in AllowUsers
Oct  3 01:07:04 sapphire sshd[75090]: User root from 85.46.29.147 not allowed because not listed in AllowUsers
Oct  3 01:07:07 sapphire sshd[75092]: User root from 85.46.29.147 not allowed because not listed in AllowUsers
Oct  3 09:33:55 sapphire sshd[83042]: Did not receive identification string from 200.46.247.78
Oct  3 10:13:44 sapphire sshd[83372]: Invalid user staff from 200.46.247.78
Oct  3 10:13:47 sapphire sshd[83374]: Invalid user sales from 200.46.247.78
Oct  3 10:13:49 sapphire sshd[83376]: Invalid user recruit from 200.46.247.78
Oct  3 10:13:52 sapphire sshd[83378]: Invalid user alias from 200.46.247.78
Oct  3 10:13:54 sapphire sshd[83380]: Invalid user office from 200.46.247.78
Oct  4 01:26:40 sapphire sshd[95219]: Invalid user oracle from 60.217.229.222
Oct  4 01:26:43 sapphire sshd[95221]: Invalid user oracle from 60.217.229.222
Oct  4 01:26:46 sapphire sshd[95223]: Invalid user oracle from 60.217.229.222
Oct  4 01:26:50 sapphire sshd[95225]: Invalid user oracle from 60.217.229.222
Oct  4 02:13:46 sapphire sshd[95625]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 02:13:49 sapphire sshd[95627]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 02:13:52 sapphire sshd[95629]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 02:13:54 sapphire sshd[95631]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 02:13:57 sapphire sshd[95633]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 02:14:02 sapphire sshd[95635]: User root from 61.78.70.53 not allowed because not listed in AllowUsers
Oct  4 08:02:10 sapphire sshd[1258]: Did not receive identification string from 203.116.18.173
Oct  4 12:11:38 sapphire sshd[4353]: User root from 218.74.116.19 not allowed because not listed in AllowUsers
Oct  4 12:11:40 sapphire sshd[4355]: User root from 218.74.116.19 not allowed because not listed in AllowUsers
Oct  4 12:11:42 sapphire sshd[4357]: User root from 218.74.116.19 not allowed because not listed in AllowUsers
Oct  4 12:11:44 sapphire sshd[4359]: User root from 218.74.116.19 not allowed because not listed in AllowUsers
Oct  4 12:11:46 sapphire sshd[4361]: User root from 218.74.116.19 not allowed because not listed in AllowUsers
Oct  4 12:47:16 sapphire sshd[5153]: Did not receive identification string from 221.231.150.248
Oct  4 13:51:05 sapphire sshd[5837]: User root from 221.231.150.248 not allowed because not listed in AllowUsers
Oct  4 13:51:07 sapphire sshd[5839]: User root from 221.231.150.248 not allowed because not listed in AllowUsers
Oct  4 13:51:08 sapphire sshd[5841]: Invalid user admin from 221.231.150.248
Oct  4 13:51:10 sapphire sshd[5843]: Invalid user admin from 221.231.150.248
Oct  4 13:51:12 sapphire sshd[5845]: Invalid user test from 221.231.150.248
Oct  4 16:48:13 sapphire sshd[8049]: User root from 58.216.151.131 not allowed because not listed in AllowUsers
Oct  4 16:48:16 sapphire sshd[8051]: User root from 58.216.151.131 not allowed because not listed in AllowUsers
Oct  4 16:48:18 sapphire sshd[8053]: User root from 58.216.151.131 not allowed because not listed in AllowUsers
Oct  4 16:48:22 sapphire sshd[8055]: User root from 58.216.151.131 not allowed because not listed in AllowUsers
Oct  4 16:48:25 sapphire sshd[8057]: User root from 58.216.151.131 not allowed because not listed in AllowUsers
Oct  4 17:56:38 sapphire sshd[8788]: Invalid user test from 60.191.2.228
Oct  4 17:56:40 sapphire sshd[8790]: Invalid user test1 from 60.191.2.228
Oct  4 17:56:42 sapphire sshd[8792]: Invalid user ftp from 60.191.2.228
Oct  4 17:56:44 sapphire sshd[8794]: Invalid user oracle from 60.191.2.228
Oct  4 17:56:46 sapphire sshd[8796]: Invalid user nagios from 60.191.2.228
Oct  4 21:30:16 sapphire sshd[11427]: Did not receive identification string from 202.6.230.10
Oct  4 21:34:15 sapphire sshd[11484]: User root from 202.6.230.10 not allowed because not listed in AllowUsers
Oct  4 22:24:12 sapphire sshd[11892]: Did not receive identification string from 118.97.7.82
Oct  4 22:42:39 sapphire sshd[12004]: Invalid user webmaster from 118.97.7.82
Oct  4 22:42:41 sapphire sshd[12006]: User root from 118.97.7.82 not allowed because not listed in AllowUsers
Oct  4 22:42:43 sapphire sshd[12008]: Invalid user ftp from 118.97.7.82
Oct  4 22:42:45 sapphire sshd[12010]: Invalid user sales from 118.97.7.82
Oct  4 22:42:47 sapphire sshd[12012]: Invalid user admin from 118.97.7.82
Oct  5 07:11:07 sapphire sshd[19909]: User root from 207.182.128.170 not allowed because not listed in AllowUsers
Oct  5 07:11:09 sapphire sshd[19911]: User root from 207.182.128.170 not allowed because not listed in AllowUsers
Oct  5 07:11:11 sapphire sshd[19913]: User root from 207.182.128.170 not allowed because not listed in AllowUsers
Oct  5 07:11:13 sapphire sshd[19915]: User root from 207.182.128.170 not allowed because not listed in AllowUsers
Oct  5 07:11:15 sapphire sshd[19917]: User root from 207.182.128.170 not allowed because not listed in AllowUsers
Oct  5 11:55:16 sapphire sshd[23196]: User root from 222.186.23.134 not allowed because not listed in AllowUsers
Oct  5 11:55:18 sapphire sshd[23198]: User root from 222.186.23.134 not allowed because not listed in AllowUsers
Oct  5 11:55:20 sapphire sshd[23200]: User root from 222.186.23.134 not allowed because not listed in AllowUsers
Oct  5 11:55:22 sapphire sshd[23202]: Invalid user roo from 222.186.23.134
Oct  5 11:55:24 sapphire sshd[23204]: User root from 222.186.23.134 not allowed because not listed in AllowUsers
Oct  6 06:51:49 sapphire sshd[38994]: Did not receive identification string from 202.57.41.60
Oct  6 13:20:18 sapphire sshd[44247]: Invalid user sato from 58.180.45.71
Oct  6 13:20:21 sapphire sshd[44249]: Invalid user suzuki from 58.180.45.71
Oct  6 13:20:28 sapphire sshd[44252]: Invalid user takahashi from 58.180.45.71
Oct  6 13:20:30 sapphire sshd[44254]: Invalid user tanaka from 58.180.45.71
Oct  6 13:20:35 sapphire sshd[44256]: Invalid user watanabe from 58.180.45.71
Oct  6 15:36:53 sapphire sshd[45503]: Did not receive identification string from 211.140.3.214
Oct  6 15:40:25 sapphire sshd[45521]: User root from 211.140.3.214 not allowed because not listed in AllowUsers
Oct  6 15:40:27 sapphire sshd[45523]: User root from 211.140.3.214 not allowed because not listed in AllowUsers
Oct  6 15:40:30 sapphire sshd[45525]: User root from 211.140.3.214 not allowed because not listed in AllowUsers
Oct  6 15:40:31 sapphire sshd[45527]: User root from 211.140.3.214 not allowed because not listed in AllowUsers
Oct  6 16:13:46 sapphire sshd[46124]: Did not receive identification string from 69.64.93.42
Oct  6 16:16:55 sapphire sshd[46185]: Did not receive identification string from 86.65.178.42
Oct  6 16:18:10 sapphire sshd[46218]: User root from 69.64.93.42 not allowed because not listed in AllowUsers
Oct  6 16:18:12 sapphire sshd[46220]: Invalid user PlcmSpIp from 69.64.93.42
Oct  6 16:18:14 sapphire sshd[46222]: Invalid user PlcmSpIp from 69.64.93.42
Oct  6 16:18:16 sapphire sshd[46224]: Invalid user PlcmSpIp from 69.64.93.42
Oct  6 16:20:38 sapphire sshd[46271]: User root from 86.65.178.42 not allowed because not listed in AllowUsers
Oct  6 16:20:41 sapphire sshd[46273]: Invalid user fluffy from 86.65.178.42
Oct  6 16:20:44 sapphire sshd[46275]: Invalid user admin from 86.65.178.42
Oct  6 16:20:46 sapphire sshd[46277]: Invalid user test from 86.65.178.42
Oct  6 18:27:52 sapphire sshd[13423]: Did not receive identification string from 222.236.47.48
Oct  6 18:31:39 sapphire sshd[16400]: Invalid user eaguilar from 222.236.47.48
Oct  6 18:31:42 sapphire sshd[16402]: User root from 222.236.47.48 not allowed because not listed in AllowUsers
Oct  6 18:31:45 sapphire sshd[16404]: Invalid user payala from 222.236.47.48
Oct  6 18:31:48 sapphire sshd[16406]: Invalid user estudiante from 222.236.47.48
Oct  6 19:54:42 sapphire sshd[17055]: Invalid user jian from 78.129.203.130
Oct  6 19:54:44 sapphire sshd[17057]: Invalid user jasonbc from 78.129.203.130
Oct  6 19:54:47 sapphire sshd[17059]: Invalid user sua from 78.129.203.130
Oct  6 19:54:50 sapphire sshd[17061]: Invalid user bernie from 78.129.203.130
Oct  6 19:54:53 sapphire sshd[17063]: Invalid user bernie from 78.129.203.130
Oct  6 20:24:26 sapphire sshd[17756]: User root from 218.87.32.224 not allowed because not listed in AllowUsers
Oct  6 20:24:28 sapphire sshd[17758]: Invalid user smtp from 218.87.32.224
Oct  6 20:24:30 sapphire sshd[17760]: Invalid user smtp from 218.87.32.224
Oct  6 20:24:33 sapphire sshd[17762]: Invalid user smtp from 218.87.32.224
Oct  6 20:24:35 sapphire sshd[17764]: User root from 218.87.32.224 not allowed because not listed in AllowUsers
Oct  6 21:15:42 sapphire sshd[18754]: User root from 216.75.8.84 not allowed because not listed in AllowUsers
Oct  6 21:15:44 sapphire sshd[18756]: User root from 216.75.8.84 not allowed because not listed in AllowUsers
Oct  6 21:15:45 sapphire sshd[18758]: User root from 216.75.8.84 not allowed because not listed in AllowUsers
Oct  6 21:15:47 sapphire sshd[18760]: User root from 216.75.8.84 not allowed because not listed in AllowUsers
Oct  6 21:15:48 sapphire sshd[18762]: User root from 216.75.8.84 not allowed because not listed in AllowUsers
Oct  6 23:47:47 sapphire sshd[20034]: User root from 59.167.240.72 not allowed because not listed in AllowUsers
Oct  6 23:47:49 sapphire sshd[20036]: User root from 59.167.240.72 not allowed because not listed in AllowUsers
Oct  6 23:47:52 sapphire sshd[20038]: User root from 59.167.240.72 not allowed because not listed in AllowUsers
Oct  6 23:47:54 sapphire sshd[20040]: User root from 59.167.240.72 not allowed because not listed in AllowUsers
Oct  6 23:47:56 sapphire sshd[20042]: User root from 59.167.240.72 not allowed because not listed in AllowUsers
Oct  7 00:03:48 sapphire sshd[20335]: Invalid user test from 60.31.110.17
Oct  7 00:03:51 sapphire sshd[20337]: Invalid user test1 from 60.31.110.17
Oct  7 00:03:55 sapphire sshd[20339]: Invalid user oracle from 60.31.110.17
Oct  7 00:03:58 sapphire sshd[20341]: Invalid user nagios from 60.31.110.17
Oct  7 00:04:02 sapphire sshd[20343]: User root from 60.31.110.17 not allowed because not listed in AllowUsers
Oct  7 03:20:50 sapphire sshd[24533]: Did not receive identification string from 212.25.36.95
Oct  7 03:43:50 sapphire sshd[24691]: User root from 212.25.36.95 not allowed because not listed in AllowUsers
Oct  7 03:43:53 sapphire sshd[24693]: Invalid user delta from 212.25.36.95
Oct  7 03:43:56 sapphire sshd[24695]: Invalid user admin from 212.25.36.95
Oct  7 03:43:59 sapphire sshd[24697]: Invalid user test from 212.25.36.95
Oct  7 03:44:03 sapphire sshd[24725]: Invalid user testing from 212.25.36.95
Oct  7 10:03:11 sapphire sshd[29896]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 10:03:15 sapphire sshd[29898]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 10:03:19 sapphire sshd[29900]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 10:03:22 sapphire sshd[29902]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 10:03:26 sapphire sshd[29904]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 10:03:37 sapphire sshd[29910]: Did not receive identification string from 203.92.35.148
Oct  7 11:02:52 sapphire sshd[1850]: Received signal 15; terminating.
Oct  7 11:07:43 sapphire sshd[1895]: Server listening on 202.190.74.44 port 22.
Oct  7 11:07:44 sapphire sshd[1983]: Did not receive identification string from 12.47.107.4
Oct  7 11:07:44 sapphire sshd[1984]: Did not receive identification string from 12.47.107.4
Oct  7 11:07:45 sapphire sshd[1985]: Did not receive identification string from 12.47.107.4
Oct  7 11:07:46 sapphire sshd[1991]: Did not receive identification string from 12.47.107.4
Oct  7 11:07:48 sapphire sshd[1994]: Did not receive identification string from 12.47.107.4
Oct  7 11:07:58 sapphire sshd[1997]: Did not receive identification string from 12.47.107.4
Oct  7 11:16:52 sapphire sshd[47265]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 11:16:52 sapphire sshd[47266]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 11:16:56 sapphire sshd[47534]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 11:16:56 sapphire sshd[47574]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 11:17:01 sapphire sshd[48389]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 11:17:03 sapphire sshd[48481]: User root from 203.92.35.148 not allowed because not listed in AllowUsers
Oct  7 12:07:15 sapphire sshd[1994]: Did not receive identification string from 12.47.107.4
Oct  7 12:07:16 sapphire sshd[2001]: Did not receive identification string from 12.47.107.4
Oct  7 12:07:16 sapphire sshd[2002]: Did not receive identification string from 12.47.107.4
Oct  7 12:07:17 sapphire sshd[2004]: Did not receive identification string from 12.47.107.4
Oct  7 12:07:17 sapphire sshd[2005]: Did not receive identification string from 12.47.107.4
Oct  7 12:07:29 sapphire sshd[2016]: Did not receive identification string from 12.47.107.4
Oct  7 15:17:22 sapphire sshd[4376]: Did not receive identification string from 202.166.200.106
Oct  7 15:20:50 sapphire sshd[4389]: User root from 122.224.69.38 not allowed because not listed in AllowUsers
Oct  7 15:20:52 sapphire sshd[4391]: User root from 122.224.69.38 not allowed because not listed in AllowUsers
Oct  7 15:20:54 sapphire sshd[4393]: User root from 122.224.69.38 not allowed because not listed in AllowUsers
Oct  7 15:20:55 sapphire sshd[4395]: User root from 122.224.69.38 not allowed because not listed in AllowUsers
Oct  7 15:20:57 sapphire sshd[4397]: User root from 122.224.69.38 not allowed because not listed in AllowUsers
Oct  7 15:21:06 sapphire sshd[4399]: User root from 202.166.200.106 not allowed because not listed in AllowUsers
Oct  7 15:21:11 sapphire sshd[4403]: Invalid user fluffy from 202.166.200.106
Oct  7 15:21:15 sapphire sshd[4405]: Invalid user admin from 202.166.200.106
Oct  7 15:21:22 sapphire sshd[4407]: Invalid user test from 202.166.200.106
Oct  7 19:34:59 sapphire sshd[7443]: Did not receive identification string from 203.116.18.173
Oct  8 03:52:42 sapphire sshd[15291]: Invalid user svn from 91.199.58.35
Oct  8 03:52:45 sapphire sshd[15293]: Invalid user postgres from 91.199.58.35
Oct  8 03:52:48 sapphire sshd[15295]: Invalid user user1 from 91.199.58.35
Oct  8 03:52:51 sapphire sshd[15297]: Invalid user testuser from 91.199.58.35
Oct  8 03:52:54 sapphire sshd[15299]: Invalid user test1 from 91.199.58.35
Oct  8 03:54:40 sapphire sshd[15301]: Invalid user svn from 91.199.58.35
Oct  8 08:34:29 sapphire sshd[19138]: User root from 203.116.198.165 not allowed because not listed in AllowUsers
Oct  8 08:34:30 sapphire sshd[19140]: User root from 203.116.198.165 not allowed because not listed in AllowUsers
Oct  8 08:34:32 sapphire sshd[19142]: User root from 203.116.198.165 not allowed because not listed in AllowUsers
Oct  8 08:34:34 sapphire sshd[19144]: User root from 203.116.198.165 not allowed because not listed in AllowUsers
Oct  8 08:34:35 sapphire sshd[19146]: User root from 203.116.198.165 not allowed because not listed in AllowUsers
Oct  8 11:50:51 sapphire sshd[21363]: Did not receive identification string from 174.34.129.66
Oct  8 12:37:50 sapphire sshd[22406]: Did not receive identification string from 202.116.0.145
Oct  8 13:14:26 sapphire sshd[23089]: Did not receive identification string from 190.24.138.77
Oct  8 13:45:43 sapphire sshd[23380]: Invalid user rfmngr from 190.24.138.77
Oct  8 13:45:46 sapphire sshd[23382]: Invalid user sales from 190.24.138.77
Oct  8 13:45:48 sapphire sshd[23384]: Invalid user recruit from 190.24.138.77
Oct  8 13:45:51 sapphire sshd[23386]: Invalid user alias from 190.24.138.77
Oct  8 13:45:53 sapphire sshd[23388]: Invalid user office from 190.24.138.77
Oct  8 14:38:56 sapphire sshd[23829]: Did not receive identification string from 218.246.196.3
Oct  8 14:52:25 sapphire sshd[23923]: User root from 218.246.196.3 not allowed because not listed in AllowUsers
Oct  8 14:52:28 sapphire sshd[23925]: User root from 218.246.196.3 not allowed because not listed in AllowUsers
Oct  8 14:52:30 sapphire sshd[23927]: User root from 218.246.196.3 not allowed because not listed in AllowUsers
Oct  8 14:52:32 sapphire sshd[23929]: User root from 218.246.196.3 not allowed because not listed in AllowUsers
Oct  8 14:52:35 sapphire sshd[23931]: User root from 218.246.196.3 not allowed because not listed in AllowUsers
Oct  8 15:59:31 sapphire sshd[24563]: Did not receive identification string from 210.109.48.22
Oct  8 18:13:25 sapphire sshd[26863]: Did not receive identification string from 59.41.254.83
Oct  8 20:13:02 sapphire sshd[28089]: Did not receive identification string from 203.65.162.165
Oct  8 22:39:07 sapphire sshd[30127]: User root from 122.160.240.133 not allowed because not listed in AllowUsers
Oct  8 22:39:09 sapphire sshd[30129]: User root from 122.160.240.133 not allowed because not listed in AllowUsers
Oct  8 22:39:10 sapphire sshd[30131]: User root from 122.160.240.133 not allowed because not listed in AllowUsers
Oct  8 22:39:11 sapphire sshd[30133]: User root from 122.160.240.133 not allowed because not listed in AllowUsers
Oct  8 22:39:12 sapphire sshd[30135]: User root from 122.160.240.133 not allowed because not listed in AllowUsers
Oct  9 01:33:45 sapphire sshd[32583]: Did not receive identification string from 203.200.81.104
Oct  9 02:19:08 sapphire sshd[32934]: User root from 203.200.81.104 not allowed because not listed in AllowUsers
Oct  9 02:19:12 sapphire sshd[32936]: User root from 203.200.81.104 not allowed because not listed in AllowUsers
Oct  9 02:19:16 sapphire sshd[32938]: Invalid user apple from 203.200.81.104
Oct  9 02:19:20 sapphire sshd[32940]: User root from 203.200.81.104 not allowed because not listed in AllowUsers
Oct  9 02:19:24 sapphire sshd[32942]: Invalid user brian from 203.200.81.104
Oct  9 02:51:05 sapphire sshd[33191]: User root from 122.200.82.181 not allowed because not listed in AllowUsers
Oct  9 02:51:09 sapphire sshd[33193]: User root from 122.200.82.181 not allowed because not listed in AllowUsers
Oct  9 02:51:12 sapphire sshd[33195]: User root from 122.200.82.181 not allowed because not listed in AllowUsers
Oct  9 02:51:15 sapphire sshd[33197]: User root from 122.200.82.181 not allowed because not listed in AllowUsers
Oct  9 02:51:19 sapphire sshd[33199]: User root from 122.200.82.181 not allowed because not listed in AllowUsers
Oct  9 06:00:49 sapphire sshd[37450]: Did not receive identification string from 219.234.93.101
Oct  9 06:09:47 sapphire sshd[37465]: Invalid user mary from 219.234.93.101
Oct  9 06:09:49 sapphire sshd[37467]: Invalid user mary from 219.234.93.101
Oct  9 06:09:51 sapphire sshd[37469]: Invalid user mary from 219.234.93.101
Oct  9 06:09:53 sapphire sshd[37471]: Invalid user mary from 219.234.93.101
Oct  9 06:09:55 sapphire sshd[37473]: Invalid user mary from 219.234.93.101
Oct  9 06:51:00 sapphire sshd[37807]: User root from 200.35.146.176 not allowed because not listed in AllowUsers
Oct  9 06:51:02 sapphire sshd[37809]: User root from 200.35.146.176 not allowed because not listed in AllowUsers
Oct  9 06:51:04 sapphire sshd[37811]: User root from 200.35.146.176 not allowed because not listed in AllowUsers
Oct  9 06:51:07 sapphire sshd[37813]: User root from 200.35.146.176 not allowed because not listed in AllowUsers
Oct  9 06:51:09 sapphire sshd[37815]: User root from 200.35.146.176 not allowed because not listed in AllowUsers
Oct  9 12:10:08 sapphire sshd[41569]: Did not receive identification string from 60.54.54.62
Oct  9 12:23:01 sapphire sshd[41878]: User root from 60.54.54.62 not allowed because not listed in AllowUsers
Oct  9 12:23:04 sapphire sshd[41895]: Invalid user admin from 60.54.54.62
Oct  9 12:23:10 sapphire sshd[41897]: Invalid user test from 60.54.54.62
Oct  9 12:23:12 sapphire sshd[41899]: User root from 60.54.54.62 not allowed because not listed in AllowUsers
Oct  9 12:23:14 sapphire sshd[41901]: Invalid user ghost from 60.54.54.62

Just to share the method I have been using for years. There are many ssh brute-force attack prevention tools out there to choose from. But I still prefer the simple way: PF plus ssh public-key authentication for ssh access. With PF, it is just 3 simple lines of rules to keep the kiddos out.

table <badguy> persist
block in quick on $ext_if proto tcp from <badguy> to ($ext_if) port 22
pass  in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 \
 keep state (max-src-conn 6, max-src-conn-rate 5/300, overload <badguy> flush global)

* Explanation of the pf rules:-

Line #1: Create the pf table <badguy>.

Line #2: Block connection attempts from hosts in table <badguy> to port 22.

Line #3: Allow connections to port 22, limiting each source to 6 simultaneous connections and to a rate of 5 new connections within 300s. Place offending host IPs into the <badguy> table.
max-src-conn: maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make
max-src-conn-rate: limit the rate of new connections to a certain amount per time interval. In this example, 5 connections within 300 seconds
overload <badguy>: put an offending host’s IP address into the “badguy” table.
flush global: kill all states matching this source IP.

From the auth.log, you probably noticed that each source gets a maximum of 5 attempts and then they are gone. That is how effective PF is. You can look up the OpenBSD PF FAQ for more information on the syntax.

pfctl is nifty for displaying bad guys in table <badguy>.
# pfctl -T show -t badguy

   12.47.107.4
   60.54.54.62
   91.199.58.35
   122.160.240.133
   122.200.82.181
   122.224.69.38
   190.24.138.77
   200.35.146.176
   202.166.200.106
   203.116.198.165
   203.200.81.104
   218.246.196.3
   219.234.93.101

False alarm? pfctl is still handy. Just remove the IP address from the table.

# pfctl -T delete -t badguy 219.234.93.101

From logging (with passive OS fingerprinting), it showed that 100% of the hosts that have been brute-forcing are running Linux. I’m seriously considering placing this line in pf.conf, and the world will be a peaceful place. :P

block in quick on $ext_if from any os "Linux" to ($ext_if) port 22

Friday, October 9th, 2009

FreeBSD Root on ZFS mirror using GPT

ZFS has been ported to FreeBSD by Pawel Jakub Dawidek for quite some time and it has been rather stable, although there are some bleeding edges in complex setups. The features currently missing are the kernel CIFS server and iSCSI. Nonetheless, it is powerful enough that I decided to give my FreeBSD box a spin on this powerful file system.

1. THE SYSTEM
The box is running FreeBSD 8.0-RC1 amd64 with 2 SATA HDDs, ad4 and ad6. The system is installed on ad4. The second HDD was intended for gmirror. Unfortunately, I never did that.

This is initial GPT disk output.
# gpart show

=>       63  167772087  ad4  MBR  (80G)
         63  167766732    1  freebsd  [active]  (80G)
  167766795       5355       - free -  (2.6M)

=>        0  167766732  ad4s1  BSD  (80G)
          0    4194304      1  freebsd-ufs  (2.0G)
    4194304    4194304      2  freebsd-swap  (2.0G)
    8388608   83886080      4  freebsd-ufs  (40G)
   92274688    4194304      5  freebsd-ufs  (2.0G)
   96468992   71297740      6  freebsd-ufs  (34G)

Clear out ad6 (WARNING! This is destructive. All data on ad6 will be wiped out. Please make sure that you back up before proceeding!)
# dd if=/dev/zero of=/dev/ad6 count=79
79+0 records in
79+0 records out
49448 bytes transferred in 0.122015 secs (331500 bytes/sec)

2. CREATE GPT DISK
First, a GPT disk was created on ad6. In this setup, only 2 partitions, freebsd-boot and freebsd-zfs, will be created, as swap will be on a ZFS volume. Please note that crash dumps can’t be written to the ZFS swap volume. If you need crash dumps, please consider creating an additional freebsd-swap partition on the GPT disk.

# gpart create -s gpt ad6
ad6 created

# gpart add -b 34 -s 128 -t freebsd-boot ad6
ad6p1 added

# gpart add -b 162 -s 167771965 -t freebsd-zfs ad6
ad6p2 added

Installing the Protected MBR (pmbr) and gptzfsboot loader
# gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ad6
ad6 has bootcode

This is GPT disk output after gpt disk was created on ad6.
# gpart show

=>       63  167772087  ad4  MBR  (80G)
         63  167766732    1  freebsd  [active]  (80G)
  167766795       5355       - free -  (2.6M)

=>        0  167766732  ad4s1  BSD  (80G)
          0    4194304      1  freebsd-ufs  (2.0G)
    4194304    4194304      2  freebsd-swap  (2.0G)
    8388608   83886080      4  freebsd-ufs  (40G)
   92274688    4194304      5  freebsd-ufs  (2.0G)
   96468992   71297740      6  freebsd-ufs  (34G)

=>       34  167772093  ad6  GPT  (80G)
         34        128    1  freebsd-boot  (64K)
        162  167771965    2  freebsd-zfs  (80G)

3. CREATE ZFS POOL, ZSTORE (you can use any name for your ZFS pool)
Compression was used in this example. Please note that compression will cause some latency when accessing files on the ZFS file systems. Use compression on ZFS file systems which will not be accessed that often. Compression may be set to on, off, lzjb, gzip or gzip-N (where N is an integer from 1 (fastest) to 9 (best compression ratio); gzip is equivalent to gzip-6).

# zpool create zstore ad6p2
# zfs create zstore/usr
# zfs create -o compression=on zstore/usr/src
# zfs create -o compression=gzip zstore/usr/ports
# zfs create zstore/home
# zfs create zstore/var
# zfs create -V 2gb zstore/swap
# zfs set org.freebsd:swap=on zstore/swap
# zfs set checksum=off zstore/swap

2GB of ZFS swap volume was created without checksum.

Enabling ZFS and directing the system to mount root from zpool.

# echo 'zfs_enable="YES"' >> /etc/rc.conf
# echo 'zfs_load="YES"' >> /boot/loader.conf
# echo 'vfs.root.mountfrom="zfs:zstore"' >> /boot/loader.conf
# echo 'LOADER_ZFS_SUPPORT=YES' >> /etc/src.conf

Adding LOADER_ZFS_SUPPORT=YES to /etc/src.conf is meant for later use when building the ZFS-aware loader.

Let’s take a look at the current disk layout after all the commands above. ZFS automatically mounts file systems after they are created.
# df -h

Filesystem          Size    Used   Avail Capacity  Mounted on
/dev/ad4s1a         1.9G    253M    1.5G    14%    /
devfs               1.0K    1.0K      0B   100%    /dev
/dev/ad4s1f          33G    4.0K     30G     0%    /home
/dev/ad4s1d          39G    661M     35G     2%    /usr
/dev/ad4s1e         1.9G    250K    1.8G     0%    /var
zstore               76G      0B     76G     0%    /zstore
zstore/usr           76G      0B     76G     0%    /zstore/usr
zstore/usr/src       76G      0B     76G     0%    /zstore/usr/src
zstore/usr/ports     76G      0B     76G     0%    /zstore/usr/ports
zstore/home          76G      0B     76G     0%    /zstore/home
zstore/var           76G      0B     76G     0%    /zstore/var

4. BUILD AND INSTALL ZFS AWARE LOADER
It is important that you did not miss out adding LOADER_ZFS_SUPPORT=YES to /etc/src.conf. If you missed that, this part is useless and you will not be able to boot from ZFS.
# cd /usr/src/sys/boot/
# make obj && make depend && make
# cd i386/loader
# make install

5. REPLICATE CURRENT SYSTEM TO ZFS SYSTEM
# dump -L -0 -f- / | (cd /zstore ; restore -r -f-)
# dump -L -0 -f- /usr | (cd /zstore/usr; restore -r -f-)
# dump -L -0 -f- /home | (cd /zstore/home; restore -r -f-)
# dump -L -0 -f- /var | (cd /zstore/var; restore -r -f-)

I found this step not strictly necessary. However, I did experience the boot prompt failing to mount the ZFS volume properly. Create it anyway.

# cat << EOF > /zstore/etc/fstab

# Device                Mountpoint      FStype  Options         Dump    Pass#
zstore                  /               zfs     rw              0       0
zstore/home             /home           zfs     rw              0       0
zstore/usr              /usr            zfs     rw              0       0
zstore/usr/src          /usr/src        zfs     rw              0       0
zstore/usr/ports        /usr/ports      zfs     rw              0       0
zstore/var              /var            zfs     rw              0       0
/dev/acd0               /cdrom          cd9660  ro,noauto       0       0
EOF

6. CHANGE MOUNTING POINTS FOR ZFS POOL
# zfs set mountpoint=legacy zstore
# zfs set mountpoint=/usr zstore/usr
# zfs set mountpoint=/usr/src zstore/usr/src
# zfs set mountpoint=/usr/ports zstore/usr/ports
# zfs set mountpoint=/var zstore/var
# zfs set mountpoint=/home zstore/home
# zpool set bootfs=zstore zstore
# zfs umount -a

At this stage, it is almost done. Fingers crossed, and reboot the box. ;P
# reboot
Note : In case of failure to boot the ZFS root, you could just power down the box and reboot it. Press "6" on the boot menu to escape to the loader prompt and set vfs.root.mountfrom="ufs:ad4s1a" to boot back to your original setup without ZFS.

After reboot, the system is mounted on the ZFS root. The output of df will show this.

# df -h

Filesystem          Size    Used   Avail Capacity  Mounted on
zstore               76G    270M     76G     0%    /
devfs               1.0K    1.0K      0B   100%    /dev
zstore/home          76G    6.9M     76G     0%    /home
zstore/usr           76G    166M     76G     0%    /usr
zstore/usr/src       76G    297M     76G     0%    /usr/src
zstore/usr/ports     76G      0B     76G     0%    /usr/ports
zstore/var           76G    640K     76G     0%    /var


7. PREPARE AD4 FOR GPT DISK
Clear out disk layout for ad4 with dd.
# dd if=/dev/zero of=/dev/ad4 count=79
79+0 records in
79+0 records out
49448 bytes transferred in 0.122015 secs (331500 bytes/sec)

The steps below are the same as the earlier GPT steps on ad6.
# gpart create -s gpt ad4
ad4 created

# gpart add -b 34 -s 128 -t freebsd-boot ad4
ad4p1 added

# gpart add -b 162 -s 167771965 -t freebsd-zfs ad4
ad4p2 added

# gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ad4
ad4 has bootcode

# gpart show

=>       34  167772093  ad6  GPT  (80G)
         34        128    1  freebsd-boot  (64K)
        162  167771965    2  freebsd-zfs  (80G)

=>       34  167772093  ad4  GPT  (80G)
         34        128    1  freebsd-boot  (64K)
        162  167771965    2  freebsd-zfs  (80G)

8. ADDING AD4P2 TO ZSTORE AS MIRROR
Attach ad4p2 to zstore and wait for it to be resilvered. zpool status is handy for checking the status.
# zpool attach zstore ad6p2 ad4p2
# zpool status

  pool: zstore
 state: ONLINE
status: One or more devices is currently being resilvered.  The pool will
	continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
 scrub: resilver in progress for 0h0m, 58.66% done, 0h0m to go
config:

	NAME        STATE     READ WRITE CKSUM
	zstore      ONLINE       0     0     0
	  mirror    ONLINE       0     0     0
	    ad6p2   ONLINE       0     0     0  2.24M resilvered
	    ad4p2   ONLINE       0     0     0  434M resilvered

errors: No known data errors

# df -h

Filesystem          Size    Used   Avail Capacity  Mounted on
zstore               76G    270M     76G     0%    /
devfs               1.0K    1.0K      0B   100%    /dev
zstore/home          76G    6.9M     76G     0%    /home
zstore/usr           76G    166M     76G     0%    /usr
zstore/usr/src       76G    297M     76G     0%    /usr/src
zstore/usr/ports     76G      0B     76G     0%    /usr/ports
zstore/var           76G    640K     76G     0%    /var

There you have it. You have converted your existing FreeBSD box to ZFS root with mirroring.

9. REFERENCES
1. http://wiki.freebsd.org/RootOnZFS/GPTZFSBoot

2. http://yds.coolrat.org/zfsboot.shtml

3. GPT(8) manpage

Friday, September 25th, 2009

Battery info button on HP elitebook 6930p

Mapping keys on a laptop keyboard is fun, especially as there are lots of default actions attached to them. One particular key, Fn+F8, which has a tiny battery icon, is not mapped to any action. It has a keycode of 137 on the HP EliteBook 6930p. I decided to bind the keycode to call up the kpowersave information dialog since I am using KDE4 as my desktop manager. But how to call up only the kpowersave information dialog? Running the command “kpowersave” will only trigger another instance of kpowersave.

I tried to use qdbus but could not find a suitable dbus object to display the kpowersave information dialog. Nevertheless, qdbus is quite handy when it comes to changing the power profile of kpowersave.

qdbus is a no-go for this purpose. I had to look for something else. Luckily, it did not take much of my time searching. “dcop” is it! dcop kpowersave KPowersaveIface showDetailedDialog will display the kpowersave information dialog. Awesome!

I edited the keytouch keyboard file with these lines.

<key>
<name>battery</name>
<scancode>137</scancode>
<keycode>PROG2</keycode>
<default-action>dcop kpowersave KPowersaveIface showDetailedDialog</default-action>
</key>

I reactivated keytouch, the nifty application for mapping your multimedia keyboard. This is the result of pressing Fn+F8.

Nice eh?

Wednesday, September 16th, 2009

FreeBSD : zapping file system error

My box crashed many times last week until its file system had an inconsistency issue. In other words, it is corrupted. Even a manual fsck won’t help fix the issue. The problem appeared to be a directory that had its “.” entry missing!! Whenever I tried to remove the directory, “rm” with the force option or “rmdir” just complained about “bad file descriptor” and did nothing! Shit happened… The log shows the error.

Aug 22 13:20:11 zeus fsck: /dev/label/usr: SETTING DIRTY FLAG IN READ_ONLY MODE
Aug 22 13:20:11 zeus fsck:
Aug 22 13:20:11 zeus fsck: /dev/label/usr: UNEXPECTED SOFT UPDATE INCONSISTENCY; RUN fsck MANUALLY.
Aug 14 03:15:18 zeus fsck: /dev/label/usr: 551052 files, 6960462 used, 14873313 free (244305 frags, 1828626 blocks, 1.1% fragmentation)

The solution is rather simple. Just use a handy utility, clri(8), to clear the corrupted inode. Reboot the box into single-user mode and run fsck_ufs -y /dev/label/usr. fsck(8) will give you the number of the corrupted inode.

Its usage is simple:
clri special_device inode_number

In my case (I use geom_label, thus you are seeing /dev/label/usr here):-
clri /dev/label/usr 5111832

Exit single-user mode, log in as usual and run “rm” or “rmdir” to remove the directory. Voila! A word of advice: messing around with inodes is the last thing that you want to do. In any case, BACK UP YOUR STUFF BEFORE YOU ATTEMPT ANYTHING. YOU ARE WARNED!

Tuesday, August 25th, 2009

Quick note on Xen P2V migration


I have migrated some of the old machines at work to VMs on the Xen hypervisor. The procedure is rather straightforward and comes with many options. In this post, I used a simple dd command to migrate a physical machine to a flat file image on the Xen server.

DD IN ACTION

debian-HP370:~/ # dd if=/dev/cciss/c0d0 | ssh me@xenserver cat '>'/home/xen/img/debian-HP370.img

This will take a long time depending on your disk size and network speed. So leave it there and go on with other stuff. After a couple of hours, you have the image transferred to the Xen server.

TAILORING TO VM ENVIRONMENT

As the physical machine has a Smart Array RAID controller and the VM has a choice of disk options (IDE, SATA or a physical partition under the VM guest), I mounted the image and edited /etc/fstab to reflect the disk on the VM. Mounting an image file with many partitions is simple. Firstly, the offset value of the partition is required. This can be obtained via the fdisk command.

xenserver:/home/xen/img # fdisk -lu debian-HP370.img
You must set cylinders.
You can do this from the extra functions menu.

Disk debian-HP370.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x111f5759

            Device Boot      Start         End      Blocks   Id  System
debian-HP370.imgp1   *           63   102269789    51134863+  83  Linux
debian-HP370.imgp2        102269790   106655534     2192872+   5  Extended
debian-HP370.imgp5        102269853   106655534     2192841   82  Linux swap / Solaris

The offset value in this example is 63 * 512 = 32256

Note : 63 is the Start sector of the partition that I wanted to mount.

xenserver:/home/xen/img # mount -o loop,offset=32256 debian-HP370.img /mnt/stuff
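
As an added example (not from the post), this Python parser generalizes the offset calculation above: it reads the fdisk -lu output, skips the extended container partition, and derives the offset (plus a sizelimit, so the loop device ends at the partition's end) for every mountable partition.

```python
import re

SECTOR_SIZE = 512  # bytes, per the 'Units = sectors of 1 * 512' line of fdisk -lu

# Constructed sample input: the partition table that 'fdisk -lu debian-HP370.img'
# printed in the post.
FDISK_OUTPUT = """\
Disk debian-HP370.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x111f5759

            Device Boot      Start         End      Blocks   Id  System
debian-HP370.imgp1   *           63   102269789    51134863+  83  Linux
debian-HP370.imgp2        102269790   106655534     2192872+   5  Extended
debian-HP370.imgp5        102269853   106655534     2192841   82  Linux swap / Solaris
"""

# One partition row: device, optional boot flag, start, end, blocks(+), id, system.
ROW_RE = re.compile(
    r"^(?P<dev>\S+)\s+(?:\*\s+)?(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"\d+\+?\s+(?P<id>[0-9a-fA-F]{1,2})\s+(?P<system>.+?)\s*$")

# MBR ids of extended (container) partitions; they hold no file system themselves.
EXTENDED_IDS = {"05", "0f", "85"}


def parse_fdisk(text):
    """Return a list of dicts, one per partition row of 'fdisk -lu' output."""
    parts = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # disk header, 'Units' line, column header or blank line
        parts.append({
            "device": m.group("dev"),
            "start": int(m.group("start")),
            "end": int(m.group("end")),
            "id": m.group("id").lower().zfill(2),
            "system": m.group("system"),
        })
    return parts


def mount_params(text, sector_size=SECTOR_SIZE):
    """Map each mountable partition to (offset, sizelimit) in bytes.

    offset is start * sector_size (the post's 63 * 512 = 32256); sizelimit is
    the partition length in bytes, so the loop device cannot reach past the
    partition's end. Extended containers are skipped."""
    params = {}
    for p in parse_fdisk(text):
        if p["id"] in EXTENDED_IDS:
            continue
        offset = p["start"] * sector_size
        sizelimit = (p["end"] - p["start"] + 1) * sector_size
        params[p["device"]] = (offset, sizelimit)
    return params


def mount_command(image, device, text, mountpoint="/mnt/stuff", readonly=False):
    """Build the mount line for one partition of a raw image. The post mounts
    read-write to edit fstab; readonly=True is the safer choice for inspection."""
    offset, sizelimit = mount_params(text)[device]
    opts = ("ro," if readonly else "") + f"loop,offset={offset},sizelimit={sizelimit}"
    return f"mount -o {opts} {image} {mountpoint}"
```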

Next, you can just vi /mnt/stuff/etc/fstab to suit your Xen VM configuration. We are almost done.

CREATING NEW VM

Creating a new VM is rather easy. You need a configuration file for the VM guest. Please refer to the examples and wiki for the complete set of parameters. Just run xm new <config file>, i.e. xm new debian-vmconfig, or else use vm-install and be prompted with a bunch of questions for the configuration parameters. Sample HVM configuration file for my VM:-

name="Linux-debian-HP370"
memory=1024
maxmem=2048
vcpus=2
on_poweroff="destroy"
on_reboot="restart"
on_crash="destroy"
localtime=0
keymap="en-us"

builder="hvm"
extid=0
device_model="/usr/lib/xen/bin/qemu-dm"
kernel="/usr/lib/xen/boot/hvmloader"
boot="c"
disk=[ 'file:/home/xen/img/debian-HP370.img,sda,w', ]
vif=[ 'mac=00:16:3e:51:16:ee,bridge=br0,model=e1000', ]

stdvga=0
vnc=1
vncunused=1
apic=1
acpi=1
pae=1

serial="pty"

START THE MACHINE, LITERALLY

At this point, you should turn off the physical machine to avoid an IP address clash. There is one last step to go, which is editing grub on the VM. You could just fire up the new guest VM with xm start Linux-debian-HP370 && xm console Linux-debian-HP370 and hit “e” at the GRUB menu to edit the kernel parameter for the root disk. Lastly, modify /boot/grub/menu.lst to reflect your root partition. Remember to run update-grub after you finish editing.

OPTIONAL

Since my Xen host is a headless box, I have to go the extra mile to get to the console through an ssh tunnel.

ssh me@xenserver -L 5900:127.0.0.1:5900

Connecting VNC to localhost will give you the shiny new VM console.

Friday, July 24th, 2009

FreeBSD : simple lagg usage


The link aggregation and link failover interface, the lagg(4) device, first appeared in FreeBSD 6.3. As the name suggests, it allows aggregation of multiple network interfaces into one virtual lagg(4) interface for the purpose of providing fault tolerance and high-speed links. The driver currently supports the aggregation protocols failover, fec, lacp, loadbalance, roundrobin and none, and detects the link state of the child interfaces.

This is useful in large enterprise environments. Nonetheless, you can use it to set up roaming between wired and wireless networks. The lagg(4) manpage provides a simple example. However, it states that

WPA security does not currently work correctly with a wireless interface added to the lagg port.

Well, it is easy to overcome the issue by using wpa_supplicant(8). Just set up /etc/wpa_supplicant.conf as normal. Please refer to the wpa_supplicant.conf manpage for the detailed setup. Here is my example.

/etc/wpa_supplicant.conf :-

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=1
network={
       ssid="MY_WPA_WIFI"
       scan_ssid=1
       key_mgmt=WPA-PSK
       psk="verysecretpassword"
}

/etc/rc.conf :-

ifconfig_nfe0="DHCP"
ifconfig_ndis0="WPA DHCP"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto failover laggport ndis0 laggport nfe0 DHCP"

Relevant ifconfig output :-

ndis0: flags=8843 metric 0 mtu 1500
        ether 00:1a:73:73:92:34
        media: IEEE 802.11 Wireless Ethernet autoselect
        status: associated
        ssid "MY_WPA_WIFI" channel 1 (2412 Mhz 11b)
        authmode OPEN privacy OFF bmiss 7 scanvalid 60 roaming MANUAL
        bintval 0
        lagg: laggdev lagg0
nfe0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:1a:73:73:92:34
        media: Ethernet autoselect (none)
        status: no carrier
        lagg: laggdev lagg0
lagg0: flags=8843 metric 0 mtu 1500
        ether 00:1a:73:73:92:34
        inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect
        status: active
        laggproto failover
        laggport: nfe0 flags=0<>
        laggport: ndis0 flags=5
tun0: flags=8010 metric 0 mtu 1500

It is that easy. Your laptop will auto roam between wired and wireless connection.

Sunday, July 12th, 2009

FreeBSD : web cluster – Frontend nginx, backend apache with SSL


Previously, I posted a write-up on glusterfs on FreeBSD clusters. Here is the installment on the round-robin web proxy part. In my configuration, nginx is running as the front-end and apache is the back-end. Both boxes have the same configuration for nginx and apache. The nginx SSL cert and key should be the same as well (with the same common name, i.e. www.yourdomain.com).

APACHE
I will skip most of the apache installation part as it is too common and easy to set up. The basic requirement for apache is to run with SSL on port 8443. Please take note that mod_rpaf is required for apache to capture the real IP addresses of visitors. Install it from /usr/ports/www/mod_rpaf2. Then add these lines to your httpd.conf.

LoadModule rpaf_module       libexec/apache22/mod_rpaf.so

<IfModule rpaf_module>
RPAFEnable On
RPAFsethostname On
RPAFproxy_ips 192.168.100.82 192.168.100.84
</IfModule>

Note:
IP address for node 1 = 192.168.100.82
IP address for node 2 = 192.168.100.84

NGINX (engine X)
Installation of nginx is fairly simple under FreeBSD as the port is complete (no messy manual patching and stuff). Just run the installation with this command. But take note that you need these two options: HTTP_SSL_MODULE and HTTP_UPSTREAM_FAIR. Yes, you need them.

cd /usr/ports/www/nginx && make install

The configuration file, nginx.conf, is relatively easy to understand if you are familiar with lighttpd or apache mod_proxy. The following is an example nginx config file. Remember, use with care because YMMV.

user  www;
worker_processes  4;

events {
    worker_connections  4096;
}                            

http {
    include       /usr/local/etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  5;
    gzip  on;
    upstream backend_servers {
        fair;
        server 192.168.100.82:8443;
        server 192.168.100.84:8443;
    }                                                 

    server {
        listen   80 default;
        server_name  _;
        server_name_in_redirect  off;
        access_log /var/log/nginx-access.log;
        error_log /var/log/nginx-error.log;
        location / {
                proxy_pass https://backend_servers;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_connect_timeout      5;
                proxy_send_timeout         5;
                proxy_read_timeout         5;
        }
    }                                                                              

    server {
        listen       443 default;
        server_name  _;
        server_name_in_redirect  off;
        access_log /var/log/nginx-ssl-access.log;
        error_log /var/log/nginx-ssl-error.log;
        ssl                  on;
        ssl_certificate      /etc/ssl/certs/nginx-cert.pem;
        ssl_certificate_key  /etc/ssl/keys/nginx-key.pem;
        ssl_session_timeout  5m;

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;

        location / {
                proxy_pass https://backend_servers;
                proxy_set_header   Host             $host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_connect_timeout      5;
                proxy_send_timeout         5;
                proxy_read_timeout         5;
        }
    }
}

Vhosts are managed by apache httpd. Thus these lines are needed in nginx.conf.

server_name  _;
server_name_in_redirect  off;

For SSL cert and key generation, please refer to previous post, glusterfs on FreeBSD. That’s it.

Wednesday, April 22nd, 2009

FreeBSD : nginx with php-cgi on unix socket

UPDATE : Check out the recently committed /usr/ports/www/spawn-fcgi/; it comes with a better spawn-fcgi rc.d script. Please use the script from the post. However, the spawn-fcgi.sh provided does not have an option to run via a unix socket. I have submitted a patch.

A few days ago, I posted a write-up, FreeBSD : php-cgi spawn-fcgi rc.d script for nginx, on running php-cgi on port 8888. But how do I run it via a unix socket? It is trivial with the spawn-fcgi rc.d script. Just add the flags to /etc/rc.conf

spawnfcgi_flags="-s /tmp/php-fastcgi.socket -u www -g www -f /usr/local/bin/php-cgi"

Next, replace the line

fastcgi_pass 127.0.0.1:8888;

with this

fastcgi_pass unix:/tmp/php-fastcgi.socket;

Lastly restart both php-cgi and nginx:

/usr/local/etc/rc.d/spawnfcgi restart && /usr/local/etc/rc.d/nginx restart

That’s all. You have your php-cgi on unix socket.

Friday, April 17th, 2009

FreeBSD : Glusterfs with SSL (via stunnel)

I have been working on parallel round-robin web clusters (is this the right term?) using 2 x FreeBSD 7.1 AMD64 boxes, nginx (patched with fair upstream), apache + php (backend), glusterfs, tinydns (sitting on another box, a name server, for round-robin A records) and mysql multi-master replication. The setup mainly makes use of the round-robin replication concept. Although I have not yet fully hammered the configuration, it was pretty impressive and secure.

Glusterfs and mysql replicate with SSL. Nginx with SSL. These, however, come at a slight expense of CPU and performance. I can live with that though.

The write-up of the setup is in progress as I am quite tied up with my day job, the HeX project and the glusterfs 2.0 port for FreeBSD. Hopefully, I can manage the time well to complete all these. Nevertheless, here is a partial (optional) write-up for glusterfs replication with SSL.

Note: server1 and server2 denote the FreeBSD clusters.

1) Installing required software
Most of the software, except glusterfs (not in the FreeBSD ports as of this posting), is available via the FreeBSD ports. I’m aware that TimurBakeyev is working on a glusterfs port.

# cd /usr/ports/security/stunnel && make install clean

2) Creating SSL certs (on either of the box)
Generally, it is easier to manage all cert/key generation on a single box and duplicate the required certs to the rest of the boxes. But YMMV. Commonly, cacert.pem and the generated cert/key are copied.

2.1) For the impatient
Just create the certificate in a one-liner. Remember to modify the content of “-subj”.

# openssl req -new -outform PEM -out /etc/ssl/stunnel-cert.pem -newkey rsa:1024 \
-nodes -keyout /etc/ssl/private/stunnel-key.pem -keyform PEM -days 3650 -x509 -subj \
'/C=ur country code/ST=ur state/L=ur location/CN=ur server common name/O=ur org/OU=ur org unit'

2.2) For the patient
Creating necessary directories for ssl with the following commands.

# mkdir /etc/ssl/newcerts
# mkdir /etc/ssl/private
# echo '01' >/etc/ssl/serial
# touch /etc/ssl/index.txt

Next, let’s generate a CA. You will be prompted with questions of your country, state, location etc and password for the CA key.

# openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/private/cakey.pem \
-out /etc/ssl/cacert.pem -days 3650 -config /etc/ssl/openssl.cnf

Generating a cert request for stunnel

# openssl req -outform PEM -out /etc/ssl/stunnel-req.pem -newkey rsa:1024 -nodes \
-keyout /etc/ssl/private/stunnel-key.pem -keyform PEM -days 3650 -subj \
'/C=ur country code/ST=ur state/L=ur location/CN=ur server common name/O=ur org/OU=ur org unit'

Lastly, use the CA key to sign the cert request.

# openssl ca -in /etc/ssl/stunnel-req.pem -notext -out /etc/ssl/stunnel-cert.pem

3) Modifying stunnel rc.d for stunnel running client mode
The rc.d startup script for stunnel is meant for running either server or client mode only. I need both modes here. Thus, a quick replication of the stunnel rc.d script to run another instance of stunnel in client mode. I named it /usr/local/etc/rc.d/stunnelc.

#!/bin/sh
#
# $FreeBSD: ports/security/stunnel/files/stunnel.in,v 1.9 2008/01/26 14:18:12 roam Exp $
#

# PROVIDE: stunnelc
# REQUIRE: NETWORKING SERVERS
# BEFORE: DAEMON glusterfs
# KEYWORD: shutdown

#
# Add some of the following variables to /etc/rc.conf to configure stunnel:
# stunnelc_enable (bool):        Set to "NO" by default.
#                               Set it to "YES" to enable stunnel.
# stunnelc_config (str):         Default "/usr/local/etc/stunnel/stunnel-client.conf"
#                               Set it to the full path to the config file
#                               that stunnel will use during the automated
#                               start-up.
# stunnelc_pidfile (str):        Default "/var/tmp/stunnel/stunnel-client.pid"
#                               Set it to the value of 'pid' in
#                               the stunnel.conf file.
#

. /etc/rc.subr

name="stunnelc"
rcvar=`set_rcvar`

load_rc_config $name

: ${stunnelc_enable="NO"}
: ${stunnelc_config="/usr/local/etc/stunnel/stunnel-client.conf"}
: ${stunnelc_pidfile="/var/tmp/stunnel/stunnel-client.pid"}
procname="/usr/local/bin/stunnel"
command="/usr/local/bin/stunnel"
command_args=${stunnelc_config}
pidfile=${stunnelc_pidfile}

required_files="${stunnelc_config}"

run_rc_command "$1"

4) glusterfs vol configuration
In this setup, glusterfsd is listening on lo0 127.0.0.1 port 6996 and the stunnel server is listening on em0 (the net-facing NIC) port 8996. The stunnel client, on the other hand, is listening on 127.0.0.1 port 7996, forwarding to the remote host on port 8996. The glusterfs client mounts the volumes on 127.0.0.1 port 6996 and port 7996 (which is tunneled to port 8996 of the remote host). Refer to the configurations below:-

i) stunnel-server.conf.

[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996

ii) stunnel-client.conf.

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996

Auth login was used due to the privileged-port ceiling of 1024 imposed by the auth addr method. The auth login method does not care about the privileged-port ceiling.

Please refer to
http://www.gluster.org/docs/index.php/GlusterFS_Encrypted_network
http://www.gluster.org/docs/index.php/Translators_v2.0#auth.login

As I’m still working on the glusterfs 2.0 port, you can use the rc.d scripts that I have completed: glusterfs and glusterfsd.

APPENDIX

Configuration files on server1

I) /etc/rc.conf

fusefs_enable="YES"
glusterfsd_enable="YES"
glusterfs_enable="YES"
glusterfs_mount="/usr/home/www"
stunnel_enable="YES"
stunnel_config="/usr/local/etc/stunnel/stunnel-server.conf"
stunnel_pidfile="/var/tmp/stunnel/stunnel-server.pid"
stunnelc_enable="YES"
stunnelc_config="/usr/local/etc/stunnel/stunnel-client.conf"
stunnelc_pidfile="/var/tmp/stunnel/stunnel-client.pid"

II) Stunnel configuration for glusterfsd (/usr/local/etc/stunnel/stunnel-server.conf)

cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem

sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-server.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/ssl/cacert.pem

output = /var/log/stunnel.log

[glusterfsd]
accept = 8996
connect = 127.0.0.1:6996

III) Stunnel configuration for glusterfs (/usr/local/etc/stunnel/stunnel-client.conf)

cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem

sslVersion = SSLv3

chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-client.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
CAfile = /etc/ssl/cacert.pem
output = /var/log/stunnelc.log
client = yes

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996
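
As an added check (not from the post), the following Python audits the stunnel client config above and the ssl_protocols/ssl_ciphers lines of the nginx 443 server block in the web-cluster post further up: it flags SSLv2/SSLv3, cipher lists built from ALL without excluding LOW/EXP, and, per the stunnel manual, a client section with no 'verify' level, which never checks the server certificate against CAfile.

```python
import re

# Constructed sample inputs, copied from this page: the stunnel client
# configuration (section III above) and the ssl lines of the nginx 443 server
# block from the earlier web-cluster post.
STUNNEL_CLIENT_CONF = """\
cert = /etc/ssl/stunnel-cert.pem
key = /etc/ssl/private/stunnel-key.pem
sslVersion = SSLv3
chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
; PID is created inside chroot jail
pid = /stunnel-client.pid
CAfile = /etc/ssl/cacert.pem
output = /var/log/stunnelc.log
client = yes

[glusterfs]
accept = 127.0.0.1:7996
connect = server2:8996
"""

NGINX_SSL_SNIPPET = """\
        ssl                  on;
        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;
"""

# SSLv2 was prohibited by RFC 6176 and SSLv3 deprecated by RFC 7568.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_stunnel(text):
    """Parse stunnel's INI-like config into (global options, {service: options})."""
    options, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                   # blank or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                       # new [service] section
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        (options if current is None else services[current])[key.strip()] = value.strip()
    return options, services


def audit_stunnel(text):
    """Findings per stunnel service, with service options overriding globals.

    The 'verify' check follows the stunnel manual: without a 'verify' level the
    peer certificate is not checked at all, whether CAfile is set or not."""
    options, services = parse_stunnel(text)
    findings = []
    for name, svc in services.items():
        eff = {**options, **svc}
        ver = eff.get("sslVersion")
        if ver in DEPRECATED_PROTOCOLS:
            findings.append(f"[{name}] sslVersion = {ver} pins a deprecated protocol")
        if eff.get("client", "no").lower() == "yes" and "verify" not in eff:
            findings.append(f"[{name}] client mode without 'verify': the server "
                            "certificate is never validated against CAfile")
    return findings


def audit_nginx_ssl(text):
    """Findings for an nginx server block's ssl_protocols and ssl_ciphers."""
    findings = []
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", text, re.M)
    if m:
        bad = sorted(DEPRECATED_PROTOCOLS & set(m.group(1).split()))
        if bad:
            findings.append("ssl_protocols enables deprecated " + ", ".join(bad))
    m = re.search(r"^\s*ssl_ciphers\s+([^;]+);", text, re.M)
    if m:
        tokens = m.group(1).strip().split(":")
        excluded = {t[1:] for t in tokens if t.startswith("!")}
        # OpenSSL's ALL keeps LOW and EXPORT suites unless they are removed with '!'.
        if "ALL" in tokens and not excluded & {"LOW", "EXP", "EXPORT"}:
            findings.append("ssl_ciphers starts from ALL without !LOW or !EXP, "
                            "so low-strength and export suites stay enabled")
    return findings
```

The same parser can be pointed at the server config in section II; it reports only the sslVersion finding there, since the 'verify' check applies to client mode.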

IV) Glusterfs client configuration (/usr/local/etc/glusterfs/glusterfs.vol)

volume remote1
  type protocol/client
  option transport-type tcp
  option remote-host 127.0.0.1
  option remote-port 6996
  option remote-subvolume brick
end-volume

volume remote2
  type protocol/client
  option transport-type tcp
  option remote-host 127.0.0.1
  option remote-port 7996
  option username yourusername
  option password yourpassword
  option remote-subvolume brick
end-volume

volume replicate
  type cluster/replicate
  subvolumes remote1 remote2
end-volume

volume writebehind
  type performance/write-behind
  option block-size 128KB
  option cache-size 1MB
  subvolumes replicate
end-volume

volume cache
  type performance/io-cache
  option cache-size 512MB
  subvolumes writebehind
end-volume

V) Glusterfs server configuration (/usr/local/etc/glusterfs/glusterfsd.vol)

volume posix
  type storage/posix
  option directory /usr/home/www-shared
end-volume

volume locks
  type features/locks
  subvolumes posix
end-volume

volume brick
  type performance/io-threads
  option thread-count 8
  subvolumes locks
end-volume

volume server
  type protocol/server
  option transport-type tcp
  option transport.socket.bind-address 127.0.0.1
  option auth.addr.brick.allow 127.0.0.1
  option auth.login.brick.allow yourusername
  option auth.login.yourusername.password yourpassword
  subvolumes brick
end-volume

Wednesday, April 15th, 2009