ahci and user mount of cdrom

2009-12-28 Thread Johan Hendriks
Hello all
I am on 8.0-STABLE now, and using the ahci driver.

All works like it should, but I can not mount my cdrom anymore as a
regular user.

I have this in my sysctl.conf

vfs.usermount=1

my /etc/devfs.conf looks like this

#CDROM_BURNER permissions
perm    acd0    0666
#perm   acd1    0666
perm    cd0     0666
#perm   cd1     0666
perm    cdrom   0666
#perm   cdrom1  0666
perm    pass0   0660
perm    pass1   0660
perm    pass2   0660
perm    pass3   0660
perm    pass4   0660
perm    pass5   0660
perm    pass6   0666
perm    xpt0    0660

dmesg lists the following

atapci0:  port
0xdc00-0xdc07,0xd880-0xd883,0xd800-0xd807,0xd480-0xd483,0xd400-0xd40f
mem 0xfe9ffc00-0xfe9f irq 16 at device 0.0 on pci3
atapci0: [ITHREAD]

acd0: DVDR  at ata2-slave UDMA66

later on in my dmesg I get the following

acd0: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00
(probe0:ata0:0:1:0): TEST UNIT READY. CDB: 0 0 0 0 0 0
(probe0:ata0:0:1:0): CAM Status: SCSI Status Error
(probe0:ata0:0:1:0): SCSI Status: Check Condition
(probe0:ata0:0:1:0): NOT READY asc:3a,1
(probe0:ata0:0:1:0): Medium not present - tray closed
(probe0:ata0:0:1:0): Unretryable error

cd0 at ata0 bus 0 scbus8 target 1 lun 0
cd0:  Removable CD-ROM SCSI-0 device
cd0: 66.000MB/s transfers
cd0: cd present [329835 x 2048 byte records]

my cdrom is attached to the pata port on the mainboard.

Regards,

Johan

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


RE: Hacked - FreeBSD 7.1-Release

2009-12-28 Thread Andresen, Jason R.
>From: Chris H
>
>On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
>> Squirrel wrote:
>>
>>> most likely could be some kind of remote code execution or SQLi executed in
>>> the context of some php scripts, you should audit php code of your web
>>> interface and of the websites you host. also consider the strength of your
>>> passwords, lots of login attempts to ssh/ftp may mean he has tried a
>>> bruteforce (or a dictionary attack maybe). you should also check webmin logs,
>>> there are a few bruteforcer for webmin out there, (*hint*) consider the length
>>> of your average password if it's more than 7-8 characters alphanumeric with
>>> symbols most likely this isn't the case.
>>
>> While it's true that it's a good idea to check your password strength, pretty
>> much any host connected to the internet is going to be hit daily by bots
>> looking for weak passwords.  It's one area where your logs don't help much
>> because there is too much noise.
>That's why there's GREP(1), AWK(1), FIND(1), TAIL(1), and CAT(1)
>Consider the following...
>adding the following to your /etc/rc.conf:
>
># SECURITY RELATED
>
>syslogd_flags="-ss"
>log_in_vain="YES"
>tcp_keepalive="YES"
>
>
>now your log file will /really/ sing (log_in_vain="YES").
>Of course, unless you have a great deal of time on your hands, visually parsing
>that "noisy" log will be quite tedious, and time consuming. So you have a few
>options...
>If you're running X11, simply run tail in a root window - there are quite a few
>utilities in ports for doing just this - some that'll only write messages you
>want to see.
>You could also create a script out of cron that will only produce messages you
>are interested in, for example:
>
>~# cat /var/log/messages | grep ssh
>
>will emit any attempt to ssh into your box
>you can also redirect the messages to a file:
>
>~# cat /var/log/messages | grep ssh >>~/EVIL_DOERS
>
>You could also add an entry to PERIODIC(8) that will
>provide a daily report on any attempts you are interested in.
>
>HTH
>

Your solution to excessive noise in the security log is to greatly increase the 
noise level?!?

The point is, if your machine is on the internet, then bots are going to try 
password attacks on any open port they can find.  It's just the sad fact of 
life on the current internet.  Unfortunately, this activity will also make it 
much more difficult to determine when you are under attack from an actual 
person, which was my point earlier.  It's one that is not going to be easy to 
solve either, unless you're willing to rewrite SSH to require every connection 
attempt to pass a Turing test or something. 

ips(4) in toaster mode FreeBSD 7.2

2009-12-28 Thread Jan Sieka

Hi!

I'm writing to you because I've seen that you have recently committed patches to
the FreeBSD ips(4) driver and perhaps you can shed some light on a problem I've 
encountered. Here is a description:


Recently on one of our servers (IBM xSeries 345 [8760 M1X] with IBM ServeRAID 5i 
II (Sarasota) RAID controller) ips driver threw a warning about timed-out 
command and adapter being in toaster mode. After that kernel panicked - see 
console message below:


=== Begin of console message ===
ips0: WARNING: command timeout. Adapter is in toaster mode, resetting to known 
state
ips: io error, status=0x2000c
ipsd0: iobuf error 5
ips0: resetting adaptegr_,v ftsh_idso nmea(y) :tiapksed 0usp1 ft[oW R5I
TmE(ionftftsese
= 1543241728, length=16384)]error = 5
ips0: syncing config
Sleeping thread (tid 16, pid 15) owns a non-sleepable lock
panic: sleeping thread
cpuid = 2
=== End of console message ===

Lines 5 to 7 are two kernel messages mixed together. They say something like 
this:
ips0: resetting adapter, this may take up to 5 minutes
g_vfs_done(): ipsd0s1f[WRITE(offset=154321728, length=16384)]error = 5

After displaying the above messages system is completely unresponsive. The only
solution is to reboot.

Messages come from functions located in files:
"WARNING: [...]": ips_timeout(): sys/dev/ips/ips.c;
"resetting adapter, [...]": ips_morpheus_reinit(): sys/dev/ips/ips.c;
"syncing config": ips_clear_adapter(): sys/dev/ips/ips_commands.c;

I have found someone reporting similar problem (ips in toaster mode
throwing a warning and kernel panic after that) to freebsd-stable list in Nov
2006: 
http://lists.freebsd.org/pipermail/freebsd-stable/2006-December/031469.html
The difference is that our server was almost idle (Christmas time) compared to 
the situation described in the above thread (heavy disk usage during backups).


I've checked controller status with IBM's tools (IBM ServeRAID Manager) and it's 
OK. /var/log/messages yields nothing that could lead to problem's
explanation. Server is now up and running, but the reason for this panic is
still unclear. I'd be grateful for hints.

Also I'd like to know if there are any new changes to be committed to ips driver 
in future. If that's the case then I will wait for them before applying recent 
changes to our system.


Some info about the system:
# uname -a
FreeBSD xxx.xxx.xxx 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #0: Thu Oct 22
11:01:23 CEST 2009 x...@xxx.xxx.xxx:/usr/obj/usr/src/sys/XSERIES345  i386
# pciconf -lcv
[...]
i...@pci0:8:2:0:class=0x010400 card=0x02591014 chip=0x01bd1014 rev=0x00
hdr=0x00
 vendor = 'Elektronik'
 device = 'ServeRAID 4/5 Morpheus SCSI RAID Controller'
 class  = mass storage
 subclass   = RAID
 cap 01[80] = powerspec 2  supports D0 D3  current D0

ServeRAID BIOS/Firmware version: 7.12.02

Kernel config is a GENERIC config without unnecessary drivers and features.

I'm able to provide any further information about the system if needed.

I also send this e-mail to freebsd-stable with hope that somebody has some ideas 
on my problem.


With regards,

Jan Sieka



Re: sheevaplug questions

2009-12-28 Thread Attos
Hi Zoran,

I have a Sheevaplug but I haven't been able to use the usb serial
interface from my FreeBSD box. What I ended up with is using an EEE-PC
with Ubuntu and minicom set up as modem-less connection.

I only needed this to set the plug to use a SD card for the main
storage and not wear off the internal flash memory and have extra
storage.

Under normal operation you do not need the serial console since you
can connect to it using ssh once the plug boots and acquires an IP
using DHCP. The default name is debian or look into the DHCP server
log and find the assigned IP.

Cheers

On Sun, Dec 27, 2009 at 11:00 AM, Zoran Kolic  wrote:
> Howdy!
> I ordered sheevaplug box and read as much as I could,
> regarding controlling this little node from bsd box.
> Seems that cu works fine on linux, but module should
> be loaded to enable serial emulation from usb host port
> to mini usb port on sheevaplug. Does someone use this
> mini computer and how connects to serial console?
> Almost all of documentation mentions win and linux. I
> suppose would be pretty easy to go further with serial
> line available.
> Btw, there is freebsd port for this plug already. Would
> be fine to try it out.
> Best regards
>
>                         Zoran



-- 
Attos Janus


Re: ahci and user mount of cdrom

2009-12-28 Thread Oliver Pinter
i think, usermount worked only with user owned and writable dir-s, example:

mkdir ~/cdrom
mount_cd9660 /dev/acd0 ~/cdrom

On 12/28/09, Johan Hendriks  wrote:
> Hello all
> I am on 8.0-STABLE now, and using the ahci driver.
>
> All works like it should, but I can not mount my cdrom anymore as a
> regular user.
>
> I have this in my sysctl.conf
>
> vfs.usermount=1
>
> my /etc/devfs.conf looks like this
>
> #CDROM_BURNER permissions
> perm    acd0    0666
> #perm   acd1    0666
> perm    cd0     0666
> #perm   cd1     0666
> perm    cdrom   0666
> #perm   cdrom1  0666
> perm    pass0   0660
> perm    pass1   0660
> perm    pass2   0660
> perm    pass3   0660
> perm    pass4   0660
> perm    pass5   0660
> perm    pass6   0666
> perm    xpt0    0660
>
> dmesg lists the following
>
> atapci0:  port
> 0xdc00-0xdc07,0xd880-0xd883,0xd800-0xd807,0xd480-0xd483,0xd400-0xd40f
> mem 0xfe9ffc00-0xfe9f irq 16 at device 0.0 on pci3
> atapci0: [ITHREAD]
>
> acd0: DVDR  at ata2-slave UDMA66
>
> later on in my dmesg I get the following
>
> acd0: FAILURE - INQUIRY ILLEGAL REQUEST asc=0x24 ascq=0x00
> (probe0:ata0:0:1:0): TEST UNIT READY. CDB: 0 0 0 0 0 0
> (probe0:ata0:0:1:0): CAM Status: SCSI Status Error
> (probe0:ata0:0:1:0): SCSI Status: Check Condition
> (probe0:ata0:0:1:0): NOT READY asc:3a,1
> (probe0:ata0:0:1:0): Medium not present - tray closed
> (probe0:ata0:0:1:0): Unretryable error
>
> cd0 at ata0 bus 0 scbus8 target 1 lun 0
> cd0:  Removable CD-ROM SCSI-0 device
> cd0: 66.000MB/s transfers
> cd0: cd present [329835 x 2048 byte records]
>
> my cdrom is attached to the pata port on the mainboard.
>
> Regards,
>
> Johan


A script that modifies /etc/fstab to mount devices via glabel

2009-12-28 Thread Christian Laursen

Hi there,

I wrote a script that modifies fstab so that UFS filesystems are mounted 
via their UFS IDs and swap partitions are labeled with glabel in order 
to access them that way.


It works for me on at least FreeBSD 7.2 and 8.0. Use at your own risk.

For swap devices it is necessary to label the device in order to 
recognize it later and that requires that swap is turned off briefly.


The script requires perl to run.

The script is here:
http://borderworlds.dk/utils/fstab-glabel.pl

Feel free to use it if you find it useful.

--
Christian Laursen


Jailed Service contact IMAPS

2009-12-28 Thread Peter Fraser
Hi All

I have two servers, one running apache and squirrelmail in a jail.
Squirrelmail on this server is trying to contact dovecot running imaps
on port 993 on another server and failing. When I try from another
physical machine it works but I would prefer to run this service from
within a jail.

Can anyone please let me know how to make this work?


Re: Jailed Service contact IMAPS

2009-12-28 Thread Paul Procacci

Peter Fraser wrote:

Hi All

I have two servers, one running apache and squirrelmail in a jail.
Squirrelmail on this server is trying to contact dovecot running imaps
on port 993 on another server and failing. When I try from another
physical machine it works but I would prefer to run this service from
within a jail.

Can anyone please let me know how to make this work?


Have you tried to first do a simple (from within the jail):

telnet host 993

Do you get connected?  If not, do you have any firewall rules either on
the host maintaining the jail or the host you are connecting to?  If
not, can you do a tcpdump to see what specifically is happening to those
packets via (on the host again):

tcpdump -i  host  and port 993

Do you see packets both leaving your machine and coming back?  If not,
can you repeat the process above on the host machine maintaining the
jail, but not within the jail itself.  Are the results the same?

The above is a start and should provide enough information as to whether
the problem is specific to the jail or the physical host.

~Paul



Re: Jailed Service contact IMAPS

2009-12-28 Thread Michael Loftis



--On Monday, December 28, 2009 3:43 PM -0500 Peter Fraser 
 wrote:



Hi All

I have two servers, one running apache and squirrelmail in a jail.
Squirrelmail on this server is trying to contact dovecot running imaps
on port 993 on another server and failing. When I try from another
physical machine it works but I would prefer to run this service from
within a jail.

Can anyone please let me know how to make this work?


Sounds like you have some sort of basic networking problem, a Jail in and 
of itself won't be blocked.  I'd first check to see if you can get a 
connection from within the jail host server to the IMAPS port on the other 
machine.  Use telnet or openssl's s_client to see if you can get a 
connection open.  I assume the dovecot server and jail have separate IPs?


If so then try the same thing from within the jail.  If both of those work 
then I'd check your PHP setup and make sure that you have the appropriate 
PHP modules installed, and that they support SSL.



Re: Jailed Service contact IMAPS

2009-12-28 Thread Peter Fraser
Yes I can connect over telnet. If I even do openssl s_client -connect
:993 I can also connect and list my mail. The machine is
running FreeBSD 8 by the way.

On Mon, Dec 28, 2009 at 9:53 AM, Paul Procacci  wrote:
> Peter Fraser wrote:
>>
>> Hi All
>>
>> I have two servers, one running apache and squirrelmail in a jail.
>> Squirrelmail on this server is trying to contact dovecot running imaps
>> on port 993 on another server and failing. When I try from another
>> physical machine it works but I would prefer to run this service from
>> within a jail.
>>
>> Can anyone please let me know how to make this work?
> Have you tried to first do a simple (from within the jail):
>
> telnet host 993
>
> Do you get connected?  If not, do you have any firewall rules either on
> the host maintaining the jail or the host you are connecting to?  If
> not, can you do a tcpdump to see what specifically is happening to those
> packets via (on the host again):
>
> tcpdump -i  host  and port 993
>
> Do you see packets both leaving your machine and coming back?  If not,
> can you repeat the process above on the host machine maintaining the
> jail, but not within the jail itself.  Are the results the same?
>
> The above is a start and should provide enough information as to whether
> the problem is specific to the jail or the physical host.
>
> ~Paul


Re: FreeBSD 8.0: can't PXE Boot using nvidia nForce4 network card

2009-12-28 Thread Olivier Cochard-Labbé
On Thu, Dec 24, 2009 at 8:33 PM, Pyun YongHyeon  wrote:

>> nfe0: MII without any phy!
>  ^^
> Maybe this is the reason why you can't use NFS.
> If your BIOS has an option that disables management feature
> of ethernet controller try toggle the feature.
>

Hi,

I've disabled the "POST Check LAN Cable" in the BIOS: But still the
same "MII without any phy!" message.

Regards,

Olivier


Re: FreeBSD 8.0: can't PXE Boot using nvidia nForce4 network card

2009-12-28 Thread Pyun YongHyeon
On Mon, Dec 28, 2009 at 10:30:25PM +0100, Olivier Cochard-Labbé wrote:
> On Thu, Dec 24, 2009 at 8:33 PM, Pyun YongHyeon  wrote:
> 
> >> nfe0: MII without any phy!
> >  ^^
> > Maybe this is the reason why you can't use NFS.
> > If your BIOS has an option that disables management feature
> > of ethernet controller try toggle the feature.
> >
> 
> Hi,
> 
> I've disabled the "POST Check LAN Cable" in the BIOS: But still the
> same "MII without any phy!" message.
> 

Ok, it seems Linux forcedeth driver seems to poke NFE_STATUS
register before accessing PHY. I'm not sure whether this code could
be related with the issue but would you try attached patch?

> Regards,
> 
> Olivier
Index: sys/dev/nfe/if_nfe.c
===
--- sys/dev/nfe/if_nfe.c	(revision 201135)
+++ sys/dev/nfe/if_nfe.c	(working copy)
@@ -340,6 +340,7 @@
 	struct nfe_softc *sc;
 	struct ifnet *ifp;
 	bus_addr_t dma_addr_max;
+	uint32_t phystat, phyrestore;
 	int error = 0, i, msic, reg, rid;
 
 	sc = device_get_softc(dev);
@@ -349,6 +350,7 @@
 	MTX_DEF);
 	callout_init_mtx(&sc->nfe_stat_ch, &sc->nfe_mtx, 0);
 	TASK_INIT(&sc->nfe_link_task, 0, nfe_link_task, sc);
+	phyrestore = 0;
 
 	pci_enable_busmaster(dev);
 
@@ -599,6 +601,13 @@
 	ifp->if_capabilities |= IFCAP_POLLING;
 #endif
 
+	phystat = NFE_READ(sc, NFE_STATUS) & NFE_STATUS_RUNNING;
+	if ((phystat & NFE_STATUS_RUNNING) != 0) {
+		phystat &= ~NFE_STATUS_RUNNING;
+		NFE_WRITE(sc, NFE_STATUS, phystat);
+		phyrestore = 1;
+	}
+
 	/* Do MII setup */
 	if (mii_phy_probe(dev, &sc->nfe_miibus, nfe_ifmedia_upd,
 	nfe_ifmedia_sts)) {
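Review bot: in the block added before "Do MII setup", phystat is masked with NFE_STATUS_RUNNING as it is read, so once that bit is cleared phystat is 0 and NFE_WRITE(sc, NFE_STATUS, phystat) zeroes the whole register instead of dropping only RUNNING. If the intent is to clear just that bit, read the register unmasked (phystat = NFE_READ(sc, NFE_STATUS);) and test and clear NFE_STATUS_RUNNING on that value. A short comment on why RUNNING has to be off during mii_phy_probe() would also help, since the only rationale given is that the Linux forcedeth driver does something similar.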
@@ -636,8 +645,11 @@
 	}
 
 fail:
-	if (error)
+	if (error) {
+		if (phyrestore != 0)
+			NFE_WRITE(sc, NFE_STATUS, phystat | NFE_STATUS_RUNNING);
 		nfe_detach(dev);
+	}
 
 	return (error);
 }
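Review bot: the restore under fail: writes phystat | NFE_STATUS_RUNNING, but phystat was reduced to the RUNNING bit when it was read and then had that bit cleared, so this puts back only NFE_STATUS_RUNNING and not the value the register held before attach. Keep the original register contents in their own variable and write that back; phyrestore can then be a plain int flag rather than a uint32_t.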
@@ -2744,7 +2756,8 @@
 	NFE_WRITE(sc, NFE_SETUP_R6, NFE_R6_MAGIC);
 
 	/* update MAC knowledge of PHY; generates a NFE_IRQ_LINK interrupt */
-	NFE_WRITE(sc, NFE_STATUS, sc->mii_phyaddr << 24 | NFE_STATUS_MAGIC);
+	NFE_WRITE(sc, NFE_STATUS, sc->mii_phyaddr << NFE_STATUS_PHYSHIFT |
+	NFE_STATUS_PHYVALID | NFE_STATUS_RUNNING);
 
 	NFE_WRITE(sc, NFE_SETUP_R4, NFE_R4_MAGIC);
 	NFE_WRITE(sc, NFE_WOL_CTL, NFE_WOL_MAGIC);
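Review bot: the new NFE_STATUS expression mixes << and | without parentheses; it evaluates as intended because shift binds tighter, but (sc->mii_phyaddr << NFE_STATUS_PHYSHIFT) would make that explicit. With the values defined in if_nfereg.h, NFE_STATUS_PHYVALID | NFE_STATUS_RUNNING is 0x14, the same as the old NFE_STATUS_MAGIC, so this hunk is a rename with no behaviour change and should be described as such.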
Index: sys/dev/nfe/if_nfereg.h
===
--- sys/dev/nfe/if_nfereg.h	(revision 201135)
+++ sys/dev/nfe/if_nfereg.h	(working copy)
@@ -137,7 +137,11 @@
 #define	NFE_PHY_BUSY		0x08000
 #define	NFE_PHYADD_SHIFT	5
 
-#define	NFE_STATUS_MAGIC	0x14
+#define	NFE_STATUS_START	0x0002
+#define	NFE_STATUS_LINKUP	0x0004
+#define	NFE_STATUS_PHYVALID	0x0004
+#define	NFE_STATUS_RUNNING	0x0010
+#define	NFE_STATUS_PHYSHIFT	24
 
 #define	NFE_R1_MAGIC_1000	0x14050f
 #define	NFE_R1_MAGIC_10_100	0x16070f
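Review bot: NFE_STATUS_LINKUP and NFE_STATUS_PHYVALID are both defined as 0x0004; if they really share a bit, say so in a comment, otherwise one of the two values is a typo. NFE_STATUS_START and NFE_STATUS_LINKUP are not used anywhere in this patch, so they could be left out until code needs them.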

RE: Hacked - FreeBSD 7.1-Release

2009-12-28 Thread Chris H
On Mon, December 28, 2009 7:44 am, Andresen, Jason R. wrote:
>> From: Chris H
>>
>> On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
>>
>>> Squirrel wrote:
>>>
>>>> most likely could be some kind of remote code execution or SQLi executed in
>>>> the context of some php scripts, you should audit php code of your web
>>>> interface and of the websites you host. also consider the strength of your
>>>> passwords, lots of login attempts to ssh/ftp may mean he has tried a
>>>> bruteforce (or a dictionary attack maybe). you should also check webmin logs,
>>>> there are a few bruteforcer for webmin out there, (*hint*) consider the length
>>>> of your average password if it's more than 7-8 characters alphanumeric with
>>>> symbols most likely this isn't the case.
>>>
>>> While it's true that it's a good idea to check your password strength, pretty
>>> much any host connected to the internet is going to be hit daily by bots
>>> looking for weak passwords.  It's one area where your logs don't help much
>>> because there is too much noise.
>> That's why there's GREP(1), AWK(1), FIND(1), TAIL(1), and CAT(1)
>> Consider the following...
>> adding the following to your /etc/rc.conf:
>>
>> # SECURITY RELATED
>>
>> syslogd_flags="-ss"
>> log_in_vain="YES"
>> tcp_keepalive="YES"
>>
>>
>> now your log file will /really/ sing (log_in_vain="YES"). Of course, unless
>> you have a great deal of time on your hands, visually parsing that "noisy" log
>> will be quite tedious, and time consuming. So you have a few options... If
>> you're running X11, simply run tail in a root window - there are quite a few
>> utilities in ports for doing just this - some that'll only write messages you
>> want to see. You could also create a script out of cron that will only produce
>> messages you are interested in, for example:
>>
>> ~# cat /var/log/messages | grep ssh
>>
>>
>> will emit any attempt to ssh into your box you can also redirect the messages
>> to a file:
>>
>> ~# cat /var/log/messages | grep ssh >>~/EVIL_DOERS
>>
>>
>> You could also add an entry to PERIODIC(8) that will
>> provide a daily report on any attempts you are interested in.
>>
>> HTH
>>
>
> Your solution to excessive noise in the security log is to greatly increase
> the noise level?!?
>
> The point is, if your machine is on the internet, then bots are going to try
> password attacks on any open port they can find.  It's just the sad fact of
> life on the current internet.  Unfortunately, this activity will also make it
> much more difficult to determine when you are under attack from an actual
> person, which was my point earlier.  It's one that is not going to be easy to
> solve either, unless you're willing to rewrite SSH to require every connection
> attempt to pass a Turing test or something.
My point here was that by increasing the verbosity, you will more easily be able
to grep against login /failures/, and more easily discover dictionary/brute-force
attacks. It's certainly made my job easier, and hasn't required any modifications
to our current policies. You /have/ considered PF(4), haven't you? It's /really/
an excellent strategy for securing your network.

--Chris H
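
The kind of filter this exchange is about, written as a function a cron or periodic(8) job could call: an added example, not code from anyone in the thread. It assumes OpenSSH's "Failed password for [invalid user] NAME from ADDR port N ssh2" log lines; the function names, the threshold and the sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): per-source summary of failed sshd
# password logins, suitable for a daily cron/periodic(8) report.
# Assumed log format (OpenSSH):
#   ... sshd[PID]: Failed password for [invalid user] NAME from ADDR port N ssh2

# ssh_fail_report LOGFILE [THRESHOLD]
# Prints "FAILURES ADDR EXISTING" for each source with at least THRESHOLD
# failures, busiest first. EXISTING counts failures against account names
# that exist on the host (sshd omits "invalid user" for those), which is the
# part of the noise worth reading first.
ssh_fail_report() {
    awk -v min="${2:-3}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # Take the LAST "from" on the line: the user name is chosen by
            # the remote side and may itself contain " from 192.0.2.1 ...".
            addr = ""
            for (i = NF - 1; i > 1; i--)
                if ($i == "from") { addr = $(i + 1); break }
            if (addr == "") next
            total[addr]++
            if ($0 !~ /: Failed password for invalid user /) existing[addr]++
        }
        END {
            for (a in total)
                if (total[a] >= min)
                    printf "%d %s %d\n", total[a], a, existing[a] + 0
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# sample_log: constructed log lines (documentation address ranges only).
# The third 198.51.100.23 entry carries a user name crafted to look like a
# different source address.
sample_log() {
    cat <<'EOF'
Dec 28 03:10:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Dec 28 03:10:03 host sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40120 ssh2
Dec 28 03:10:05 host sshd[4105]: Failed password for root from 203.0.113.7 port 40131 ssh2
Dec 28 03:10:07 host sshd[4107]: Failed password for invalid user oracle from 203.0.113.7 port 40140 ssh2
Dec 28 03:10:09 host sshd[4109]: Failed password for invalid user guest from 203.0.113.7 port 40152 ssh2
Dec 28 04:22:10 host sshd[4200]: Failed password for invalid user a from 198.51.100.23 port 51000 ssh2
Dec 28 04:22:12 host sshd[4202]: Failed password for invalid user b from 198.51.100.23 port 51001 ssh2
Dec 28 04:22:14 host sshd[4204]: Failed password for invalid user x from 192.0.2.99 port 1 ssh2 from 198.51.100.23 port 51003 ssh2
Dec 28 09:00:00 host sshd[4300]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Dec 28 09:05:00 host sshd[4310]: Failed password for alice from 192.0.2.10 port 50030 ssh2
Dec 28 09:06:00 host su: BAD SU alice to root on /dev/pts/0
EOF
}

# Demonstration on the constructed sample; in real use pass the file your
# syslog.conf routes sshd messages to.
tmp=$(mktemp) && sample_log > "$tmp" && ssh_fail_report "$tmp" 3
rm -f "$tmp"
```

With a threshold of 3 the single mistyped password from 192.0.2.10 stays out of the report, while the one guess against an existing account (root) is visible in the third column.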


Re: Hacked - FreeBSD 7.1-Release

2009-12-28 Thread Adam Vande More
On Mon, Dec 28, 2009 at 4:59 PM, Chris H  wrote:

>
> My point here was that by increasing the verbosity, you will more easily be
> able to grep against login /failures/, and more easily discover
> dictionary/brute-force attacks. It's certainly made my job easier, and hasn't
> required any modifications to our current policies. You /have/ considered
> PF(4), haven't you? It's /really/ an excellent strategy for securing your
> network.
>
> --Chris H
>

I use security/denyhosts for this, very simple to setup like 5 minutes if
you're a fast reader.  There are other options as well that offer similar
functionality.

-- 
Adam Vande More


Re: A script that modifies /etc/fstab to mount devices via glabel

2009-12-28 Thread Pieter de Goeje
On Monday 28 December 2009 21:17:41 Christian Laursen wrote:
> Hi there,
>
> I wrote a script that modifies fstab so that UFS filesystems are mounted
> via their UFS IDs and swap partitions are labeled with glabel in order
> to access them that way.
>
> It works for me on at least FreeBSD 7.2 and 8.0. Use at your own risk.
>
> For swap devices it is necessary to label the device in order to
> recognize it later and that requires that swap is turned off briefly.
>
> The script requires perl to run.
>
> The script is here:
> http://borderworlds.dk/utils/fstab-glabel.pl
>
> Feel free to use it if you find it useful.

Works as advertised, thank you!

It is probably faster to extract the label from glabel status -s  
instead of using dumpfs though.

- Pieter


Re: FreeBSD 8.0: can't PXE Boot using nvidia nForce4 network card

2009-12-28 Thread Olivier Cochard-Labbé
On Mon, Dec 28, 2009 at 11:21 PM, Pyun YongHyeon  wrote:

> Ok, it seems Linux forcedeth driver seems to poke NFE_STATUS
> register before accessing PHY. I'm not sure whether this code could
> be related with the issue but would you try attached patch?
>

Already a patch to try! Thanks for your reactivity!

The patch was applied successfully and new kernel compiled/installed
without problem but same error message:

FreeBSD 8.0-STABLE #4: Mon Dec 28 23:48:36 CET 2009
r...@debugger.bsdrp.net:/usr/obj/usr/src/sys/GENERIC i386
(...)
nfe0:  irq 21 at device
10.0 on pci0
nfe0: Lazy allocation of 0x100 bytes rid 0x10 type 3 at 0x8100
nfe0: Reserved 0x100 bytes for rid 0x10 type 3 at 0x8100
nfe0: MII without any phy!
device_attach: nfe0 attach returned 6
(...)
Trying to mount root from nfs:10.0.0.1:/usr/tftpboot
nfs_diskless: no interface
ROOT MOUNT ERROR:
(...)

Regards,

Olivier


Re: FreeBSD 8.0: can't PXE Boot using nvidia nForce4 network card

2009-12-28 Thread Pyun YongHyeon
On Tue, Dec 29, 2009 at 01:22:40AM +0100, Olivier Cochard-Labbé wrote:
> On Mon, Dec 28, 2009 at 11:21 PM, Pyun YongHyeon  wrote:
> 
> > Ok, it seems Linux forcedeth driver seems to poke NFE_STATUS
> > register before accessing PHY. I'm not sure whether this code could
> > be related with the issue but would you try attached patch?
> >
> 
> Already a patch to try! Thanks for your reactivity!
> 
> The patch was applied successfully and new kernel compiled/installed
> without problem but same error message:
> 
> FreeBSD 8.0-STABLE #4: Mon Dec 28 23:48:36 CET 2009
> r...@debugger.bsdrp.net:/usr/obj/usr/src/sys/GENERIC i386
> (...)
> nfe0:  irq 21 at device
> 10.0 on pci0
> nfe0: Lazy allocation of 0x100 bytes rid 0x10 type 3 at 0x8100
> nfe0: Reserved 0x100 bytes for rid 0x10 type 3 at 0x8100
> nfe0: MII without any phy!
> device_attach: nfe0 attach returned 6
> (...)
> Trying to mount root from nfs:10.0.0.1:/usr/tftpboot
> nfs_diskless: no interface
> ROOT MOUNT ERROR:
> (...)
> 

:-(
How about this one? Sorry, I'm just guessing(no hardware, no
documentation).

> Regards,
> 
> Olivier
Index: sys/dev/nfe/if_nfe.c
===
--- sys/dev/nfe/if_nfe.c(revision 201135)
+++ sys/dev/nfe/if_nfe.c(working copy)
@@ -340,6 +340,7 @@
struct nfe_softc *sc;
struct ifnet *ifp;
bus_addr_t dma_addr_max;
+   uint32_t phystat, phyrestore;
int error = 0, i, msic, reg, rid;
 
sc = device_get_softc(dev);
@@ -349,6 +350,7 @@
MTX_DEF);
callout_init_mtx(&sc->nfe_stat_ch, &sc->nfe_mtx, 0);
TASK_INIT(&sc->nfe_link_task, 0, nfe_link_task, sc);
+   phyrestore = 0;
 
pci_enable_busmaster(dev);
 
@@ -513,6 +515,8 @@
break;
}
 
+   NFE_READ(sc, NFE_WOL_CTL);
+   NFE_WRITE(sc, NFE_WOL_CTL, 0);
nfe_power(sc);
/* Check for reversed ethernet address */
if ((NFE_READ(sc, NFE_TX_UNK) & NFE_MAC_ADDR_INORDER) != 0)
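Review bot: the result of the added NFE_READ(sc, NFE_WOL_CTL) is thrown away, so either drop the read or add a comment saying it is there for a side effect on the hardware. The following NFE_WRITE(sc, NFE_WOL_CTL, 0) is unconditional as well; a one-line comment on why the wake-on-LAN control register has to be cleared before nfe_power() would make the intent reviewable.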
@@ -599,6 +603,14 @@
ifp->if_capabilities |= IFCAP_POLLING;
 #endif
 
+   phystat = NFE_READ(sc, NFE_STATUS) & NFE_STATUS_RUNNING;
+   if ((phystat & NFE_STATUS_RUNNING) != 0) {
+   phystat &= ~NFE_STATUS_RUNNING;
+   NFE_WRITE(sc, NFE_STATUS, phystat);
+   phyrestore = 1;
+   }
+   NFE_WRITE(sc, NFE_PHY_STATUS, 0xf);
+
/* Do MII setup */
if (mii_phy_probe(dev, &sc->nfe_miibus, nfe_ifmedia_upd,
nfe_ifmedia_sts)) {
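Review bot: NFE_WRITE(sc, NFE_PHY_STATUS, 0xf) introduces an unnamed constant; give 0xf a #define in if_nfereg.h or a comment stating which status bits it is meant to acknowledge. The phystat read above it is still masked with NFE_STATUS_RUNNING, so the NFE_WRITE(sc, NFE_STATUS, phystat) inside the if writes 0 to the register rather than clearing a single bit.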
@@ -636,8 +648,11 @@
}
 
 fail:
-   if (error)
+   if (error) {
+   if (phyrestore != 0)
+   NFE_WRITE(sc, NFE_STATUS, phystat | NFE_STATUS_RUNNING);
nfe_detach(dev);
+   }
 
return (error);
 }
@@ -2744,7 +2759,8 @@
NFE_WRITE(sc, NFE_SETUP_R6, NFE_R6_MAGIC);
 
/* update MAC knowledge of PHY; generates a NFE_IRQ_LINK interrupt */
-   NFE_WRITE(sc, NFE_STATUS, sc->mii_phyaddr << 24 | NFE_STATUS_MAGIC);
+   NFE_WRITE(sc, NFE_STATUS, sc->mii_phyaddr << NFE_STATUS_PHYSHIFT |
+   NFE_STATUS_PHYVALID | NFE_STATUS_RUNNING);
 
NFE_WRITE(sc, NFE_SETUP_R4, NFE_R4_MAGIC);
NFE_WRITE(sc, NFE_WOL_CTL, NFE_WOL_MAGIC);
Index: sys/dev/nfe/if_nfereg.h
===
--- sys/dev/nfe/if_nfereg.h (revision 201135)
+++ sys/dev/nfe/if_nfereg.h (working copy)
@@ -137,7 +137,11 @@
 #defineNFE_PHY_BUSY0x08000
 #defineNFE_PHYADD_SHIFT5
 
-#defineNFE_STATUS_MAGIC0x14
+#defineNFE_STATUS_START0x0002
+#defineNFE_STATUS_LINKUP   0x0004
+#defineNFE_STATUS_PHYVALID 0x0004
+#defineNFE_STATUS_RUNNING  0x0010
+#defineNFE_STATUS_PHYSHIFT 24
 
 #defineNFE_R1_MAGIC_1000   0x14050f
 #defineNFE_R1_MAGIC_10_100 0x16070f

7.2 to 8.0 serial not working

2009-12-28 Thread Wes Morgan
I just upgraded from 7.2-stable to 8.0-stable, same kernel config (with 
uart), same everything else and now I can't receive more than a few bytes 
of data from my weather station before it just waits incessantly. 
Everything worked before, with the same serial port settings, uart device 
etc. Has anything else changed in the serial interface? I'm using the 
cuauX devices at 2400 baud.



Re: 7.2 to 8.0 serial not working

2009-12-28 Thread Mike Tancsa

At 09:27 PM 12/28/2009, Wes Morgan wrote:
I just upgraded from 7.2-stable to 8.0-stable, same kernel config 
(with uart), same everything else and now I can't receive more than 
a few bytes of data from my weather station before it just waits 
incessantly. Everything worked before, with the same serial port 
settings, uart device etc. Has anything else changed in the serial 
interface? I'm using the cuauX devices at 2400 baud.



For some low speed apps (1200bps in our case) I found I needed to set

hint.uart.0.flags="0x00100"

---Mike





Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet since 1994, www.sentex.net
Cambridge, Ontario Canada, www.sentex.net/mike
