<0> www/php4?
<1> i didn't see it in the multipackages
<1> or flavors
<0> grep -r mod /usr/ports/www/php4
<1> thank you very much
<1> thanks
<0> may want to make that grep mod /usr/ports/www/php4/*/pkg/PLIST
<0> or PLIST*
<1> gotcha
<2> hi
<2> is there a way to auto-blacklist in pf?
<2> say, some script kiddie is hammering my obsd box with ****, i wanna have him auto-blocked
<2> i recall something like this ... back in the 3.5/3.6 era... a certain number of connections from the same ip within a time frame and it trips a rule
<2> i just cannot recall what initiates this
<3> Segfau|t, hmm, look at the rate limiting rule in this -> http://cvs.1984.ws/cgi-bin/cvsweb/pf/pf.nat%2bqueuing.conf?rev=1.2&content-type=text/x-cvsweb-markup
<3> well I call it rate limiting :-P
<3> idk if it's really called that
<3> look at ssh_rule
<2> i'll read that now... but from what you said -- rate limiting ... i'm interested in actually adding that IP to a black list which is then explicitly block drop on from <tools>
<3> yeah, where like if a certain ip tries to connect to the box X number of times in Y number of seconds
<3> it's blacklisted?
<4> segfau|t; yes look at overload
<4> segfau|t; in the pf handbook
<2> cool, thanks... i'm reading and generally finding goodness.. thanks for the direction
<5> Segfau|t: http://legonet.org/~griffin/openbsd/block_ssh_bruteforce.html
<6> just did an upgrade of 3.9, where do I look to see that the kernel, etc, has been updated? sysctl kern.osrevision and sysctl kern.version still show the same values as before the upgrade
<6> sorry meant to type "sysctl kern.osversion"
<7> dmesg
<7> first line
<6> still shows "OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006" which is the same as before, should it be more recent?
<8> only if you updated to a snapshot
<8> there are no stable binaries to update to, if that's what you thought you'd get
<6> mkay, so how does one do that from the boot CDROM?
<7> ah sorry I was thinking of 'to 3.9' as in from 3.8 to 3.9
<8> update to the -stable branch? only through source update & rebuild.
<6> nope, had 3.9, want to make sure I have the latest build on 3.9
<8> the latest, as in bleeding edge -current?
<8> or -stable, i.e. 3.9 release with patches applied?
<7> you should have the latest binary, only way to go further is update to -stable or -current (from source)
<0> -stable by source, -current by snapshot
<6> yes, bleeding edge, absolute latest... how do I do that?
<0> install the latest snapshot
<6> this is on a TEST TEST TEST machine, so no worries if it blows up
<6> I can't find the directions to do that on the site, or at least haven't found them yet
<9> ftp://ftp.nyc.openbsd.org/pub/OpenBSD/snapshots/
<8> after you pick/enter the ftp mirror to use during install, it asks for the server directory, defaulting to /3.9/ on a 3.9 cd, replace 3.9 with snapshots
<6> got it thanks
<6> alrighty, finally got the dang test machine on the bleeding edge "OpenBSD 3.9-current (GENERIC) #937: Sun Jul 2 11:13:02 MDT 2006" Thanks all for the help on this.
<6> anyone know why port 4500 "sae-urn" would be open, how do I find out what is using it?
<9> did you try fstat | grep 4500?
<6> so far I haven't found the right recipe with netstat
<6> I will try that
<6> fstat | grep 4500, doesn't return anything
<6> hrm...
<0> it is a kernel ipsec port iirc
<0> you can just ignore it
<6> hmmm..
<6> I think it was open before I went on IRC though
<6> how do I determine what is opening/using it?
<0> you read my last two sentences
<0> the kernel holds it open for ipsec. you can just ignore it
<6> yes, thanks for the info, I am just curious how to determine this for other open ports in the future
<0> for most open ports
<0> use netstat/fstat
<0> if they don't appear in those but, eg, nmap picks them up, they are probably used by the kernel
<0> or something funny is going on
<6> yah, I did but didn't find out what opened the port, if it is opened by the kernel how do I see that?
<0> to my knowledge 4500 is the only port that works like that
<6> OIC
<0> you don't
<6> go ti
<6> it
<0> nfs may have some udp ports open occasionally
<0> if you use it
<0> can't remember
<6> thanks, this is just on a test machine that I upgraded to the latest/yesterday's snapshot and was checking how things went... saw the port open, got paranoid, etc.
<6> don't use NFS on the test machine, so it is probably what you mentioned earlier
<0> oh, it definitely is
<0> all openbsd default installs have udp 4500 open
<6> hah, well there you have it
<6> thanks
<0> i'm pretty sure it shutdown(2) though, same as syslog
<0> anyway, it is expected and safe
<6> how do I turn that off, so it doesn't even show up on an NMAP scan? or is that not possible?
<0> firewall it
<6> yah, I figured... but checking anyhow
<6> where can I get a "safe" default PF config, i.e. for a laptop
<0> www.openbsd.org/faq/pf/
<0> also read /usr/share/pf/*
<0> and man pf.conf
<6> thanks, also found one on the site, sorry I asked a silly question, need more caffeine
<6> I am sure to mess things up with my pf.conf, but how do I apply it after tinkering with it?
<6> rc.conf already has pf="YES"
<8> pfctl -f /etc/pf.conf
<6> thx
<6> gonna move to another terminal first... :-)
<6> well the pf.conf looks like it works, thanks dhartmei and NicM for your help
<10> anyone have issues with pf not logging anymore?
<11> pflogd running?
<10> yes, and i've stopped it, started it, restarted it
<10> deleted the /var/log/pflog file and let the program make a fresh one on startup
<10> I haven't rebooted the box because... it's the middle of the day
<11> did you restart PF
<10> i only did pfctl -f /etc/pf.conf
<10> i'm also working on this remotely...
<10> so I am trying to be as careful as possible
<11> go into realtime mode
<11> is the pflog0 interface up and running?
<10> ifconfig says it is
<10> what's realtime mode?
<10> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
<11> tcpdump -n -e -ttt -i pflog0
<11> brb tea
<10> yes, I have had that running on a second terminal, it's sitting there blank
<11> do you have any log rules?
<10> yes
<10> it was working
<10> I added some rules, it stopped working, I took those rules back out, and it's still not working
<10> lol
<11> lol
<0> are you sure you reverted everything?
<0> and reloaded the ruleset?
<10> yes, it's a very simple ruleset currently
<0> did you kill and restart pflogd?
<0> yes, you did, sorry
<10> I have 7 filter rules in currently
<10> i'm trying to put it in pastebin.... site seems messed up
<0> try a different site
<10> http://pastebin.ca/77925
<10> .ca seems to be working
<10> I have nat rules, binat rules, and rdr rules as well
<10> but these are my only filter rules
<10> and the only thing I've changed between when it worked and when it didn't
<0> are you sure traffic is matching the log rules?
<10> I nmap scanned the ips of the ph_srvs
<10> i also had a generic p*** in log on $ext_if
<10> and it didn't log anything
<10> and this is a very busy site
<10> I know the block to the ph_srvs rule worked because ports became unavailable to me from an nmap scan before i put it in and after, and it's supposed to log any of those hits
<0> hmm. if tcpdump on pflog0 shows nothing then pflogd is irrelevant
<8> pfctl -si, check if it's enabled at all, and whether any counters are increasing between subsequent calls
<10> Status: Enabled for 0 days 19:19:30 Debug: Urgent
<12> Perhaps paste your ruleset?
<10> I have over 1 million matches
<10> for counters
<8> that's not as relevant as whether the counters are increasing now :)
<10> match counter is going up every time i do pfctl -si
<8> simplest explanation: ph_srvs is empty or doesn't contain the ip address you think it does
<12> take it from the man
<12> dhartmei himself
<8> pfctl -t ph_srvs -vvTt 1.2.3.4, with the ip address you're connecting from/to