Re: LibreNMS 500 Internal Server Error
Maybe a shot in the dark:

"But if these directives are put inside the “ ... ” location, the last flag should be replaced by break, or otherwise nginx will make 10 cycles and return the 500 error:"

From this: [1] [2].

[1] http://nginx.org/en/docs/http/ngx_http_rewrite_module.html
[2] https://www.nginx.com/blog/creating-nginx-rewrite-rules/
Encrypted data partition
Hello,

I'd like to have an encrypted Ext2 data partition, which can be shared between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe something like EncFS is the way to go?

Thank you
Jan
Re: Encrypted data partition
On 12/14/2016 10:34 AM, Jan Betlach wrote:
> Hello,
>
> I'd like to have an encrypted Ext2 data partition, which can be shared between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe something like EncFS is the way to go?
>
> Thank you
> Jan

Rot 13 or caesar cipher should do the job just fine. Why go all complex with luks/encfs? You're trading in complexity for convenience. Why not write a slim kernel module to suit your needs? Heck, if you stick to ansi c, you could even write it portable (use posix for best results!) /s
Re: Encrypted data partition
On Wed, Dec 14, 2016 at 10:34:53AM +0100, Jan Betlach wrote:
> Hello,
>
> I'd like to have an encrypted Ext2 data partition, which can be shared
> between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe
> something like EncFS is the way to go?
> [...]

EncFS seems to be the most sensible option. If you share an ext2 partition between Linux and OpenBSD, make sure it's actually an ext2, not an ext[34]. While those can be mounted as ext2 by OpenBSD (unless you create an ext4 with extents), things might become weird if Linux writes to the partition using the journal, the power fails and you reboot into OpenBSD.

-- 
Gregor
Re: Encrypted data partition
Jan Betlach wrote:
> I'd like to have an encrypted Ext2 data partition, which can be shared
> between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe
> something like EncFS is the way to go?

I need the same and tried EncFS (cloned from GitHub) a year ago. It compiles but doesn't work. I asked upstream for support but they are not interested, they don't care for anything but Linux. Which makes EncFS pointless--since there is LUKS--why should anyone use EncFS? (rhetorical question, don't answer)

If you get (a current version of) EncFS or any other portable encryption method to work, I would be very interested! (But don't code it yourself, if you're not already an expert in this field.)

Carsten
Re: Encrypted data partition
Gregor Best wrote:
> EncFS seems to be the most sensible option.

Are you using EncFS on OpenBSD? Which EncFS version?

Carsten
Re: Encrypted data partition
Hi Carsten,

On Wed, Dec 14, 2016 at 12:49:14PM +0100, Carsten Kunze wrote:
> [...]
> Are you using EncFS on OpenBSD? Which EncFS version?
> [...]

I just installed EncFS from ports, the version there is 1.7.4

With some short testing, it looks like it works nicely. Since the kern.usermount option is gone, you'll have to mount the file system as root, which means reading from and writing to the encrypted FS needs to be done as root as well, since OpenBSD's fuse implementation doesn't yet support the allow_* options to libfuse.

For reference, this is the commandline I used:

# encfs /home/gbe/test/enc /home/gbe/test/root

-- 
Gregor
OpenJDK and support for JCE Unlimited Strength Jurisdiction Policy
Hello.

I am running a Java application that throws a non-fatal warning when used. The warning states that, in order for the application to work properly, the JCE Unlimited Strength Jurisdiction Policy files should be downloaded to /usr/local/jre-1.8.0/lib/security

I used to think that OpenJDK already included the Unlimited Strength Policies, so this is a bit confusing. Is there an easy way for checking myself if such policies are installed and working on the system?

For the record, I am running OpenBSD 6.0 amd64.

-- 
OpenPGP Key Fingerprint: BB5A C2A2 2CAD ACB7 D50D C081 1DB9 6FC4 5AB7 92FA
Re: How to make spamd more annoying ?
Just wanted to second this. While individuals would rarely send through email servers set up this way, mid sized to enterprise businesses can.

On 12/13/2016 1:53 PM, Mikkel C. Simonsen wrote:
> OpenBSD lists wrote:
> > Most of the spam I've received from marketing companies tends to come from send-only servers (looking at the user-agent of the sending server it's some kind of Python library intended for just sending pre-formatted messages to a list of recipients). What I've done is constructed a script that while spamd is stuttering their connection, it connects back to the sending server on port 25 and executes an EHLO. If the sending server doesn't respond to the EHLO, it runs pfctl to add that server's address to a block list.
>
> That will block a LOT of legitimate e-mail also. Including semi-legitimate e-mails like this one... Why should all e-mail servers accept connections from the outside?
>
> Mikkel
Re: OpenJDK and support for JCE Unlimited Strength Jurisdiction Policy
2016-12-14 14:09 GMT+01:00 Rubén Llorente :
> I used to think that OpenJDK already included the Unlimited Strength Policies,
> so this is a bit confusing.

http://stackoverflow.com/q/1179672/821436 :-)

Best
Martin
Re: Encrypted data partition
Gregor Best wrote:
> I just installed EncFS from ports, the version there is 1.7.4
>
> With some short testing, it looks like it works nicely.

Thank you for this information and the test. But it should be taken into account that this version is 6 years old; the current release is 1.9.1. (It would be great of course if the package maintainer would find the time to update the package to a somewhat newer version some day :)

Carsten
Re: bgplg httpd "ping: socket: Permission denied"
On Tue, Dec 13, 2016 at 02:03:37PM -0500, Michael W. Lucas wrote: > On Tue, Dec 13, 2016 at 02:21:51AM +0100, Jeremie Courreges-Anglas wrote: > > "Michael W. Lucas" writes: > > > > > Hi, > > > > Hi, > > > > > Running the 12/12 snapshot, amd64. > > > > > > I'm setting up the looking glass CGI included with httpd. Requests for > > > ping and traceroute fail. > > > > > > Per bgplg(8), I've set mode 4555 on the static binaries: > > > > > > ls -lai /var/www/bin/ > > > total 1844 > > > 77958 drwxr-xr-x 2 root daemon 512 Dec 11 17:47 . > > > 77956 drwxr-xr-x 15 root daemon 512 Dec 12 15:35 .. > > > 77959 -r-xr-xr-x 1 root bin 256240 Dec 8 12:09 bgpctl > > > 77978 -rwxr-xr-x 1 root bin 273200 Dec 8 15:36 femail > > > 77960 -r-sr-xr-x 2 root bin 318320 Dec 8 12:09 ping > > > 77960 -r-sr-xr-x 2 root bin 318320 Dec 8 12:09 ping6 > > > 77961 -r-sr-xr-x 2 root bin 281168 Dec 8 12:09 traceroute > > > 77961 -r-sr-xr-x 2 root bin 281168 Dec 8 12:09 traceroute6 > > > > > > Ping and traceroute run fine as root. As an unprivileged user, though, > > > I get: > > > > > > ./ping 8.8.8.8 > > > ping: socket: Permission denied > > > > > > $ ./traceroute 8.8.8.8 > > > traceroute: unable to revoke privs: Operation not permitted > > > > > > Any suggestions? Or have I found a bug? > > > > Is the partition that holds /var/www/bin mounted "nosuid"? > > (Replying mostly for the archives.) > > Yes, /var is mounted nosuid. > > bgplg(8) has lovely detailed instructions on how to set it up, > including setting the suid bit, but don't mention that detail. > And, for the sake of completeness, it should mention that detail. Does the attached wording sound right? Reyk Index: usr.bin/bgplg/bgplg.8 === RCS file: /cvs/src/usr.bin/bgplg/bgplg.8,v retrieving revision 1.15 diff -u -p -u -p -r1.15 bgplg.8 --- usr.bin/bgplg/bgplg.8 10 Sep 2015 15:16:44 - 1.15 +++ usr.bin/bgplg/bgplg.8 14 Dec 2016 13:53:14 - 
@@ -153,6 +153,12 @@ To enable the corresponding functionalit .Xr chmod 1 utility to manually set the file permission mode to 0555 or anything appropriate. +Some of these executables need the set-user-ID bit; +enabling them requires to mount the filesystem of +.Pa /var/www +without the +.Ic nosuid +option. .Pp .Bl -tag -width "/var/www/bin/traceroute6XX" -compact .It Pa /var/www/cgi-bin/bgplg
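Review bot: the added sentence "enabling them requires to mount the filesystem of .Pa /var/www" is ungrammatical and slightly misleading, because /var/www is not itself a filesystem in the reporter's case (the whole of /var is the nosuid partition); suggest "enabling them requires that the filesystem holding .Pa /var/www be mounted without the .Ic nosuid option" and a .Xr mount 8 or .Xr fstab 5 cross-reference so the reader knows where that option is set. It would also help to name the symptom the reporter hit, that a set-user-ID bit applied with chmod is silently ignored at exec time and ping fails with "socket: Permission denied", so the paragraph can be found from the error message.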
Re: bgplg httpd "ping: socket: Permission denied"
Reyk Floeter writes: > On Tue, Dec 13, 2016 at 02:03:37PM -0500, Michael W. Lucas wrote: >> On Tue, Dec 13, 2016 at 02:21:51AM +0100, Jeremie Courreges-Anglas wrote: >> > "Michael W. Lucas" writes: >> > >> > > Hi, >> > >> > Hi, >> > >> > > Running the 12/12 snapshot, amd64. >> > > >> > > I'm setting up the looking glass CGI included with httpd. Requests for >> > > ping and traceroute fail. >> > > >> > > Per bgplg(8), I've set mode 4555 on the static binaries: >> > > >> > > ls -lai /var/www/bin/ >> > > total 1844 >> > > 77958 drwxr-xr-x 2 root daemon 512 Dec 11 17:47 . >> > > 77956 drwxr-xr-x 15 root daemon 512 Dec 12 15:35 .. >> > > 77959 -r-xr-xr-x 1 root bin 256240 Dec 8 12:09 bgpctl >> > > 77978 -rwxr-xr-x 1 root bin 273200 Dec 8 15:36 femail >> > > 77960 -r-sr-xr-x 2 root bin 318320 Dec 8 12:09 ping >> > > 77960 -r-sr-xr-x 2 root bin 318320 Dec 8 12:09 ping6 >> > > 77961 -r-sr-xr-x 2 root bin 281168 Dec 8 12:09 traceroute >> > > 77961 -r-sr-xr-x 2 root bin 281168 Dec 8 12:09 traceroute6 >> > > >> > > Ping and traceroute run fine as root. As an unprivileged user, though, >> > > I get: >> > > >> > > ./ping 8.8.8.8 >> > > ping: socket: Permission denied >> > > >> > > $ ./traceroute 8.8.8.8 >> > > traceroute: unable to revoke privs: Operation not permitted >> > > >> > > Any suggestions? Or have I found a bug? >> > >> > Is the partition that holds /var/www/bin mounted "nosuid"? >> >> (Replying mostly for the archives.) >> >> Yes, /var is mounted nosuid. >> >> bgplg(8) has lovely detailed instructions on how to set it up, >> including setting the suid bit, but don't mention that detail. >> > > And, for the sake of completeness, it should mention that detail. Agreed, Michael isn't the first one to stumble upon this. > Does the attached wording sound right? 
Looks better than the diff I had, ok jca@ > Reyk > > Index: usr.bin/bgplg/bgplg.8 > === > RCS file: /cvs/src/usr.bin/bgplg/bgplg.8,v > retrieving revision 1.15 > diff -u -p -u -p -r1.15 bgplg.8 > --- usr.bin/bgplg/bgplg.8 10 Sep 2015 15:16:44 - 1.15 > +++ usr.bin/bgplg/bgplg.8 14 Dec 2016 13:53:14 - > @@ -153,6 +153,12 @@ To enable the corresponding functionalit > .Xr chmod 1 > utility to manually set the file permission mode to 0555 or anything > appropriate. > +Some of these executables need the set-user-ID bit; > +enabling them requires to mount the filesystem of > +.Pa /var/www > +without the > +.Ic nosuid > +option. > .Pp > .Bl -tag -width "/var/www/bin/traceroute6XX" -compact > .It Pa /var/www/cgi-bin/bgplg > -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: VPS default gateway in a different subnet than host
I'm guessing the default route a.k.a. gateway already exists, and you're trying to add another, duplicate route. What's the output of the following command before and after you do the route add?

netstat -rn -finet

On Tue, Dec 13, 2016 at 2:51 PM, Jyri Hovila [iki.fi] wrote:
> Hi,
>
> a brief follow-up.
>
> With Linux, default gateway that resides in different subnet than the
> host, all that has to be done is 1) adding a static route to the
> default gateway and then 2) adding the default gateway to routing table.
>
> With my OpenBSD test case, I already have a static route to the default
> gateway (thanks to correctly configured DHCP server) but when I try to
> add default gateway:
>
> # route add default 5.166.16.254
> add net default: gateway 5.166.16.254: Too many levels of symbolic links
>
> I'm still googling but haven't found a solution yet.
>
> Any tips, anyone?
>
> - Jyri
Re: bgplg httpd "ping: socket: Permission denied"
On Wed, Dec 14, 2016 at 03:14:51PM +0100, Jeremie Courreges-Anglas wrote: > Reyk Floeter writes: > > > On Tue, Dec 13, 2016 at 02:03:37PM -0500, Michael W. Lucas wrote: > >> On Tue, Dec 13, 2016 at 02:21:51AM +0100, Jeremie Courreges-Anglas wrote: > >> > "Michael W. Lucas" writes: > >> > > >> > > Hi, > >> > > >> > Hi, > >> > > >> > > Running the 12/12 snapshot, amd64. > >> > > > >> > > I'm setting up the looking glass CGI included with httpd. Requests for > >> > > ping and traceroute fail. > >> > > > >> > > Per bgplg(8), I've set mode 4555 on the static binaries: > >> > > > >> > > ls -lai /var/www/bin/ > >> > > total 1844 > >> > > 77958 drwxr-xr-x 2 root daemon 512 Dec 11 17:47 . > >> > > 77956 drwxr-xr-x 15 root daemon 512 Dec 12 15:35 .. > >> > > 77959 -r-xr-xr-x 1 root bin 256240 Dec 8 12:09 bgpctl > >> > > 77978 -rwxr-xr-x 1 root bin 273200 Dec 8 15:36 femail > >> > > 77960 -r-sr-xr-x 2 root bin 318320 Dec 8 12:09 ping > >> > > 77960 -r-sr-xr-x 2 root bin 318320 Dec 8 12:09 ping6 > >> > > 77961 -r-sr-xr-x 2 root bin 281168 Dec 8 12:09 traceroute > >> > > 77961 -r-sr-xr-x 2 root bin 281168 Dec 8 12:09 traceroute6 > >> > > > >> > > Ping and traceroute run fine as root. As an unprivileged user, though, > >> > > I get: > >> > > > >> > > ./ping 8.8.8.8 > >> > > ping: socket: Permission denied > >> > > > >> > > $ ./traceroute 8.8.8.8 > >> > > traceroute: unable to revoke privs: Operation not permitted > >> > > > >> > > Any suggestions? Or have I found a bug? > >> > > >> > Is the partition that holds /var/www/bin mounted "nosuid"? > >> > >> (Replying mostly for the archives.) > >> > >> Yes, /var is mounted nosuid. > >> > >> bgplg(8) has lovely detailed instructions on how to set it up, > >> including setting the suid bit, but don't mention that detail. > >> > > > > And, for the sake of completeness, it should mention that detail. > > Agreed, Michael isn't the first one to stumble upon this. > > > Does the attached wording sound right? 
> > Looks better than the diff I had, ok jca@ > Thanks, I committed it with a tweak from jmc@ > > Reyk > > > > Index: usr.bin/bgplg/bgplg.8 > > === > > RCS file: /cvs/src/usr.bin/bgplg/bgplg.8,v > > retrieving revision 1.15 > > diff -u -p -u -p -r1.15 bgplg.8 > > --- usr.bin/bgplg/bgplg.8 10 Sep 2015 15:16:44 - 1.15 > > +++ usr.bin/bgplg/bgplg.8 14 Dec 2016 13:53:14 - > > @@ -153,6 +153,12 @@ To enable the corresponding functionalit > > .Xr chmod 1 > > utility to manually set the file permission mode to 0555 or anything > > appropriate. > > +Some of these executables need the set-user-ID bit; > > +enabling them requires to mount the filesystem of > > +.Pa /var/www > > +without the > > +.Ic nosuid > > +option. > > .Pp > > .Bl -tag -width "/var/www/bin/traceroute6XX" -compact > > .It Pa /var/www/cgi-bin/bgplg > > > > > -- > jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
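As an added example (not code from the thread or from OpenBSD), a small POSIX shell script that performs the check Jeremie asked for: given mount(8) output and a path, it finds the filesystem holding that path and reports whether it is mounted nosuid, which is what silently disables the set-user-ID bit on /var/www/bin/ping. The mount output embedded below is constructed to resemble a default OpenBSD layout; on a live system pass "$(mount)" instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: given mount(8)
# output and a path, find the filesystem holding that path and report
# whether it is mounted nosuid, which silently disables the set-user-ID
# bit that bgplg(8)'s ping/traceroute copies in /var/www/bin rely on.

# Constructed mount(8) output resembling a default OpenBSD layout, where
# /var (and therefore /var/www/bin) is a separate partition mounted nosuid.
SAMPLE_MOUNTS='/dev/sd0a on / type ffs (local)
/dev/sd0k on /home type ffs (local, nodev, nosuid)
/dev/sd0d on /tmp type ffs (local, nodev, nosuid)
/dev/sd0f on /usr type ffs (local, nodev, wxallowed)
/dev/sd0e on /var type ffs (local, nodev, nosuid)'

# mountpoint_for PATH MOUNT_OUTPUT: print the longest mount point that is a
# prefix of PATH on a path-component boundary, i.e. the filesystem it is on.
mountpoint_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $2 == "on" {
            mp = $3
            pre = mp
            if (mp != "/") pre = mp "/"
            if (mp == p || index(p, pre) == 1) {
                if (length(mp) > length(best)) best = mp
            }
        }
        END { print best }'
}

# mount_opts_for MOUNTPOINT MOUNT_OUTPUT: print the parenthesised option
# list for that mount point, e.g. "local, nodev, nosuid".
mount_opts_for() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == "on" && $3 == mp { sub(/^.*\(/, ""); sub(/\)$/, ""); print }'
}

# fs_nosuid PATH MOUNT_OUTPUT: exit 0 if PATH lives on a nosuid filesystem,
# 1 otherwise. Prints which mount point and options were matched.
fs_nosuid() {
    mp=$(mountpoint_for "$1" "$2")
    opts=$(mount_opts_for "$mp" "$2")
    printf '%s is on %s (%s)\n' "$1" "$mp" "$opts"
    # Normalise "a, b, c" and "a,b,c" to ",a,b,c," so a whole-word match works.
    case ",$(printf '%s' "$opts" | tr -d ' ')," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_setuid_path PATH MOUNT_OUTPUT: verdict for a binary that is expected
# to run set-user-ID, such as /var/www/bin/ping. Exit 1 when the bit would
# be ignored.
check_setuid_path() {
    if fs_nosuid "$1" "$2"; then
        echo "WARNING: set-user-ID bit on $1 is ignored (nosuid mount)"
        return 1
    fi
    echo "OK: set-user-ID bit on $1 is honoured"
    return 0
}

# Demonstration on the constructed table; on a live host use "$(mount)".
check_setuid_path /var/www/bin/ping "$SAMPLE_MOUNTS" || :   # WARNING: /var is nosuid
check_setuid_path /sbin/ping "$SAMPLE_MOUNTS"                # OK: / is not
```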
Re: LibreNMS 500 Internal Server Error
On 2016-12-14, Predrag Punosevac wrote:
> I followed pkg-readmes and mysql, php, and nginx are correctly
> configured and working in the INSECURE mode(no chroot). Please no
> remarks if you are not familiar with LibreNMS and the fact that it has
> to be run in the insecure mode.

The pkg-readme only says to run php outside the chroot, nginx is OK as normal.

Try normal chrooted nginx (remove the -u flag) and undo your changes to the "location" block, I have it working on multiple installations like that.

For un-chrooted nginx you will have to make some other changes, though I don't see any reason to do that.

> The one other thing I did different was my
> /var/www/librenms is owned by _librenms:_librenms.

Only the logs/ and rrd/ directories should be writable by the user running the php code.
Re: PC-Engines Wireless - PPPOE timeouts.
Your dmesg is missing.
Re: How to make spamd more annoying ?
Hi Mik,

On Tue, 13 Dec 2016 18:29:00 + (UTC) Mik J wrote:
> I use spamlogd so that every outgoing mail adds the remote mx IP in
> my whitelist.

As with many domains, large mail services deploy/outsource separate inbound & outbound clusters, so spamlogd'ing outbound mail won't help.

These spamlogd flags seem to work best here:

spamlogd_flags='-I -Y ... -Y ... -Y '

> I'm not sure I understood what this patch does.
> It's used to give some additional statistics?

spamd expires trapped IP addresses after 24 hours. Boudewijn's patch keeps them trapped while they continue to spam. His stats prove it works.

> I read somewhere that gmail servers change their IPs when they retry
> to send the mails.

This tool helps to auto white list silly round robin senders:
http://web.Britvault.Co.UK/products/ungrey-robins/

(SPF lists are often not trustworthy.)

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
Re: LibreNMS 500 Internal Server Error
Stuart Henderson wrote:

Hi Stuart,

Thank you so very much for your thoughtful insight. I have a few follow-up questions.

> On 2016-12-14, Predrag Punosevac wrote:
> > I followed pkg-readmes and mysql, php, and nginx are correctly
> > configured and working in the INSECURE mode(no chroot). Please no
> > remarks if you are not familiar with LibreNMS and the fact that it has
> > to be run in the insecure mode.
>
> The pkg-readme only says to run php outside the chroot, nginx is OK as
> normal.
>

Fair enough. I understand that part. Could you then please clarify to me if I have to make changes to MariaDB's /etc/my.cnf file since Nginx will have to access it from the chroot. I obviously know how to set up MariaDB, PHP, and Nginx in chroot but LibreNMS is complicating things.

Also another thing about MariaDB is this paragraph

# Uncomment the following if you are using InnoDB tables
innodb_data_home_dir = /var/mysql
innodb_file_per_table=1
sql-mode=""
#innodb_data_file_path = ibdata1:10M:autoextend
#innodb_log_group_home_dir = /var/mysql
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
#innodb_buffer_pool_size = 16M
#innodb_additional_mem_pool_size = 2M
# Set .._log_file_size to 25 % of buffer pool size
#innodb_log_file_size = 5M
#innodb_log_buffer_size = 8M
#innodb_flush_log_at_trx_commit = 1
#innodb_lock_wait_timeout = 50

Should I increase buffer pool for performance or any other parameters? Any suggestions for MariaDB tuning?

At this point I do have a working LibreNMS server collecting info from about 40 devices (mostly servers) but I think I need some serious performance tuning. First off my CPU load is 100% on 4 cores (I have a dedicated small Atom server). What do you see on your servers? I am afraid something is misconfigured and it is just eating CPU time.

Regarding Collectd (since I am displaying Collectd RRD on this LibreNMS server). Do you recommend that I turn on rrdcached? Should I enable RRDCacheD plugin on the LibreNMS server?

https://collectd.org/wiki/index.php/Plugin:RRDCacheD

> Try normal chrooted nginx (remove the -u flag) and undo your changes to
> the "location" block, I have it working on multiple installations like that.
>
> For un-chrooted nginx you will have to make some other changes, though I
> don't see any reason to do that.
>

Agreed! Could you just clarify if I need to use handle @librenms or @lnms because my server name is lnms.int.autonlab.org. I will admit I have to reread nginx rewrite module documentation Mihai Popescu mentioned in the previous e-mail.

Also in terms of PHP performance: I have increased the number of children from 5 to 25 in /etc/php-fpm.conf but more or less everything else is default. Any suggestions? I feel based upon my previous experience on running TurnKey Observium that I should be able to get better performance on this hardware for 40 devices.

> > The one other thing I did different was my
> > /var/www/librenms is owned by _librenms:_librenms.
>
> Only the logs/ and rrd/ directories should be writable by the user
> running the php code.

Thanks for clarifying this!

Best,
Predrag
Re: LibreNMS 500 Internal Server Error
On 2016/12/14 14:27, Predrag Punosevac wrote:
> Stuart Henderson wrote:
>
> Hi Stuart,
>
> Thank you so very much for your thoughtful insight. I have a few follow-up
> questions.
>
> > On 2016-12-14, Predrag Punosevac wrote:
> > > I followed pkg-readmes and mysql, php, and nginx are correctly
> > > configured and working in the INSECURE mode(no chroot). Please no
> > > remarks if you are not familiar with LibreNMS and the fact that it has
> > > to be run in the insecure mode.
> >
> > The pkg-readme only says to run php outside the chroot, nginx is OK as
> > normal.
> >
>
> Fair enough. I understand that part. Could you then please clarify to me
> if I have to make changes to MariaDB's /etc/my.cnf file since Nginx will
> have to access it from the chroot. I obviously know how to set up
> MariaDB, PHP, and Nginx in chroot but LibreNMS is complicating things.

My standard config for servers running mariadb + web is to create /var/www/var/run/mysql, place this in my.cnf:

[mysqld]
socket = /var/www/var/run/mysql/mysql.sock

and "ln -s /var/www/var/run/mysql /var/run/" in rc.local (because /var/run is cleared at boot).

> Also another thing about MariaDB is this paragraph
>
> # Uncomment the following if you are using InnoDB tables
> innodb_data_home_dir = /var/mysql
> innodb_file_per_table=1
> sql-mode=""
> #innodb_data_file_path = ibdata1:10M:autoextend
> #innodb_log_group_home_dir = /var/mysql
> # You can set .._buffer_pool_size up to 50 - 80 %
> # of RAM but beware of setting memory usage too high
> #innodb_buffer_pool_size = 16M
> #innodb_additional_mem_pool_size = 2M
> # Set .._log_file_size to 25 % of buffer pool size
> #innodb_log_file_size = 5M
> #innodb_log_buffer_size = 8M
> #innodb_flush_log_at_trx_commit = 1
> #innodb_lock_wait_timeout = 50
>
> Should I increase buffer pool for performance or any other parameters?
> Any suggestions for MariaDB tuning?

I don't know much about mariadb tuning, I used my-medium.cnf, uncommented those lines and changed the socket path, that's about it I think.

> At this point I do have a working LibreNMS server collecting info from
> about 40 devices (mostly servers) but I think I need some serious
> performance tuning. First off my CPU load is 100% on 4 cores (I have a
> dedicated small Atom server). What do you see on your servers? I am
> afraid something is misconfigured and it is just eating CPU time.
>
> Regarding Collectd (since I am displaying Collectd RRD on this LibreNMS
> server). Do you recommend that I turn on rrdcached? Should I enable
> RRDCacheD plugin on the LibreNMS server?
>
> https://collectd.org/wiki/index.php/Plugin:RRDCacheD

I haven't used collectd so can't comment on that.

I find most non-trivial use of rrdtool fairly heavy on the machine without rrdcached. (Only tried it on OpenBSD so I don't know if this is the same everywhere). On my librenms boxes I have rrdcached and still found it pretty heavy, currently running it with delayed writes (-w 1800 -z 1800) with the files on SSD and it's not so bad, but I still wouldn't really call it lightweight.

Permissions/ownership were a bit awkward for rrdcached, I currently have rrd/* owned by _librenms:_rrdcached and _librenms is in groups _librenms and _rrdcached (istr having some problems with new files getting created with wrong ownership at some point though it seems ok at the moment with current rrdtool+librenms versions).

> > Try normal chrooted nginx (remove the -u flag) and undo your changes to
> > the "location" block, I have it working on multiple installations like that.
> >
> > For un-chrooted nginx you will have to make some other changes, though I
> > don't see any reason to do that.
> >
>
> Agreed! Could you just clarify if I need to use handle @librenms or
> @lnms because my server name is lnms.int.autonlab.org. I will admit I
> have to reread nginx rewrite module documentation Mihai Popescu
> mentioned in the previous e-mail. Also in terms of PHP performance:
> I have increased the number of children from 5 to 25 in
> /etc/php-fpm.conf but more or less everything else is default. Any
> suggestions? I feel based upon my previous experience on running TurnKey
> Observium that I should be able to get better performance on this
> hardware for 40 devices.

It's just creating a location context to use in try_files, the name doesn't matter - you can call it @rhubarb if you like :-)

> > > The one other thing I did different was my
> > > /var/www/librenms is owned by _librenms:_librenms.
> >
> > Only the logs/ and rrd/ directories should be writable by the user
> > running the php code.
>
> Thanks for clarifying this!

One of the biggest problems with webapp security in general is to have too many things writable by the uid running the webapp. All too often people are told to chown things so they're writable by that user as a quick fix, but it's often opening a door to remote code execution (especially in any directories served by
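As an added example illustrating Stuart's last point (not code from the thread or from LibreNMS), a POSIX shell audit that lists everything under a web root that the account running the PHP code can write to, skipping the directories that legitimately need to be writable (logs/ and rrd/ for LibreNMS). The path /var/www/librenms and the user _librenms come from the thread; the functions take them as arguments so the same check works for any webapp.

```shell
#!/bin/sh
# Added example, not code from the thread or from LibreNMS: find files and
# directories under a web root that the web application's own account can
# write to, ignoring the directories that are expected to be writable.
# Anything else that is writable is a potential code-execution foothold.

# find_writable_by ROOT USER [ALLOWED_SUBDIR ...]
# Prints every path under ROOT that is owner-writable and owned by USER, or
# world-writable regardless of owner. ALLOWED_SUBDIRs are names relative to
# ROOT (assumed to contain no spaces) and are pruned from the search.
find_writable_by() {
    root=$1
    user=$2
    shift 2
    allowed=$*
    # Rebuild the positional parameters into: ROOT -path X -prune -o ...
    set -- "$root"
    for d in $allowed; do
        set -- "$@" -path "$root/$d" -prune -o
    done
    # Octal -perm tests (-200 owner write, -002 world write) are portable
    # between OpenBSD and GNU find.
    find "$@" \( \( -user "$user" -perm -200 \) -o -perm -002 \) -print
}

# audit_webroot ROOT USER [ALLOWED_SUBDIR ...]
# Exit 0 when nothing outside the allowed directories is writable by USER,
# 1 otherwise, listing the offending paths.
audit_webroot() {
    found=$(find_writable_by "$@")
    if [ -n "$found" ]; then
        echo "writable by $2 under $1 outside allowed directories:"
        printf '%s\n' "$found" | sed 's/^/  /'
        return 1
    fi
    echo "OK: nothing under $1 outside allowed directories is writable by $2"
    return 0
}

# LibreNMS on OpenBSD as set up in this thread: only logs/ and rrd/ should
# be writable by _librenms. Only runs where that directory exists.
if [ -d /var/www/librenms ]; then
    audit_webroot /var/www/librenms _librenms logs rrd
fi
```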
Re: Encrypted data partition
Carsten Kunze wrote:
> Gregor Best wrote:
> > I just installed EncFS from ports, the version there is 1.7.4
> >
> > With some short testing, it looks like it works nicely.
>
> Thank you for this information and the test. But it should be taken into account that this version is 6 years old, current release is 1.9.1. (It would be great of course if the package maintainer would find the time to update the package to a somewhat newer version some day :)
>
> Carsten

For sharing encrypted data between OpenBSD and Linux, I just use an OpenBSD-based file server and connect to it over NFS (using SSH to secure the connection).

The file server is an old Intel Core-2 box with 4x 1 TB hard drives in a softraid-5 configuration and a pair of 10 GB IDE disks for the OS using hardware RAID. I shut the machine down each night to keep the data safe.

Much simpler configuration than hoping that the disk encryption software stays compatible between builds (EG, the Linux version may upgrade to use some kind of Linux-only technology that can't be adapted to work on OpenBSD) or that the disk encryption software is even secure in the first place.
Re: PC-Engines Wireless - PPPOE timeouts.
Stuart

Please see below for more info:

Please note the 5.7 dmesg is subsequent to a reboot.

##
[patrick@Firewall etc]$cat hostname.athn0
up media autoselect mediaopt hostap mode 11a chan 56 nwid wpa wpaprotos wpa2 wpakey 
10.0.1.1 255.255.255.0

##
[patrick@Firewall etc]$cat hostname.pppoe0
!/sbin/ifconfig re1 up mtu 1500
inet 0.0.0.0 255.255.255.255 NONE mtu 1492 \
pppoedev re1 \
authproto chap \
authname ‘###t' \
authkey ‘##'
dest 0.0.0.1
inet6 eui64
!/sbin/route add 0.0.0.0/0 -ifp pppoe0 0.0.0.1
!/sbin/route add ::/0 -ifp pppoe0 fe80::

###
[patrick@Firewall etc]$sudo cat pf.conf
# Never touch loopback interfaces
set skip on lo0
# Normalise packets, especially IPv4 DF and Identification
match in all scrub (no-df random-id)
# Limit the MSS on PPPoE to 1440 octets
match in all scrub (max-mss 1440)
# Block all packets by default
block
### ~~~ Bulk pass rules ~~~ ###
# Pass all traffic on internal interfaces
pass in quick on { athn0 re2 } proto { tcp, udp, icmp }
pass out quick on { athn0 re2 } proto { tcp, udp, icmp }
# Pass all outbound IPv6 traffic
pass out quick on egress inet6 proto { tcp, udp } from { (pppoe0:network), (athn0:network), (re2:network) } modulate state
# NAT all outbound IPv4 traffic from the rest of our network
pass out quick on egress inet proto { tcp, udp, icmp } from { (pppoe0:network), (athn0:network), (re2:network) } nat-to (egress) modulate state
### ~~~ Block undesirable traffic ~~~ ###
# These rules must not precede the DHCPv6 client or NAT rules above
block quick on egress from { no-route }
block quick on egress to { no-route }
# Pass all inbound ICMP echo requests
pass in quick on egress inet proto icmp icmp-type echoreq
### --- Optional Runtime Options --- ###
set optimization conservative

[patrick@Firewall etc]$dmesg
OpenBSD 5.7 (GENERIC.MP) #881: Sun Mar 8 11:04:17 MDT 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4245995520 (4049MB)
avail mem = 4129046528 (3937MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
Hardware recommendations for compact 1U firewall
All

I'm looking for a 1U appliance that I can re-purpose into a firewall using OpenBSD. I've tried the near-free method by using an old Lacie Ethernet Disk appliance I had lying around, but it turns out the onboard SATA chipset is toast on this particular unit (it freezes at CDBOOT when it detects hard drives and the BIOS freezes when I set it to IDE mode with drives attached, plus it only has one onboard NIC and one PCI slot, so I can't install another SATA card without removing the other NIC I installed), so I'm looking for other options that fit a limited budget.

The most important criteria are that it must be 1U and it must fit within a 420mm (~16.5") space (for reasons I will explain below). I have a couple of Sun Netra X1s that meet the need, but I can't push more than ~60mbps over the onboard FE ports and they run quite hot to the point of causing kernel panics.

For a bit of context - I manage network and systems for a group that run regular LAN parties at a local university, and our network infrastructure lives in a 4RU flight case (with 420mm between the front and rear vertical rails) currently occupied by three HP switches. We're currently using a Sun V20Z (admittedly running pfSense, a decision made before I took over) but it's rather cumbersome to carry along with three Dell 1950s (two VM hosts and a Steam cache) and a Dell 2950 (NAS, provides iSCSI to VM hosts). We don't usually get more than 35 players and we don't do any complex filtering on the firewall.

I've been considering looking at old firewall appliances like Nokias, Sonicwalls, Watchguards or Barracudas - has anyone had any luck with getting OpenBSD on any of those or other such appliances? Gigabit ports would be nice (the university finally bought gigabit PoE switches) but will accept Fast Ethernet if my budget says no.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Hardware recommendations for compact 1U firewall
I've had good luck with Sun Netra X1's. I use them for pretty much every firewall / router I need. I prefer the 500mhz model as it seems to be able to handle a full 100mbit link on both nics simultaneously.
Re: Encrypted data partition
OpenBSD lists wrote:
> For sharing encrypted data between OpenBSD and Linux, I just use an
> OpenBSD-based file server and connect to it over NFS (using SSH to
> secure the connection)
>
> The file server is an old Intel Core-2 box with 4x 1 TB hard drives in a
> softraid-5 configuration and a pair of 10 GB IDE disks for the OS using
> hardware RAID. I shut the machine down each night to keep the data safe.
>
>
> Much simpler configuration than hoping that the disk encryption software
> stays compatible between builds (EG, the Linux version may upgrade to
> use some kind of Linux-only technology that can't be adapted to work on
> OpenBSD) or that the disk encryption software is even secure in the
> first place.

This is for two reasons not of use for me: The Linux and the OpenBSD systems are kilometers apart and the OpenBSD system is in a network which allows no access from the internet. So I have to transfer data with a USB flash drive. Also in most cases ssh does not support changing mtime of symlinks, which is required for fast data synchronization (compare mtime instead of readlink). For this reason I even use USB when the two systems are in the same network.

So it would really be great to have an up-to-date EncFS...

Carsten