Re: Find duplicate files
On Sun, Dec 14, 2008 at 02:25:48PM +0100, Pc Nicolas wrote: > Do you know a command line utility to find duplicate files with OpenBSD ? fdupes - Henri Salo
Re: Setting up a bidirectional (1:1) firewall
On Wed, Mar 11, 2009 at 10:57:43PM -0400, Sam Carleton wrote: > In my small company, we already have a SonicWALL firewall that handles all > the workstation traffic to the Internet. We have an block of public IP > Addresses, but the SonicWALL only allows us to make use of two of them. I > am trying to setup a OpenBSD machine as a firewall for the rest of the IP > addresses. If you are interested on the subject you definately should buy "The Book of PF - A No-Nonsense Guide to the OpenBSD Firewall" from http://openbsd.org/books.html I have used it as an example in several bridged and firewalled networks and it has been a great guide. --- Henri Salo
Re: Limiting CPU to a process or process group?
On Mon, 14 Jan 2008 16:10:12 +0100 "Martin SchrC6der" <[EMAIL PROTECTED]> wrote: > 2008/1/14, Andreas Kahari <[EMAIL PROTECTED]>: > > What I mean is what I wrote in my first email: "For example, I would > > want the build of the qt4 port to use a maximum of 25% of the > > available CPU, leaving the CPU 75% idle if nothing else is happening > > on the machine." > > This not possible in OpenBSD (and AFAIK no Unix scheduler does that). > > Best >Martin What about Solaris or plan9? I remember those could do something tricky with CPU. Do I remember wrong or was I asleep? -- Henri Salo +358407705733 GPG ID: 2EA46E4F fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: most secure graphical browser
On Thu, 17 Jan 2008 15:42:38 -0500 "Douglas A. Tutty" <[EMAIL PROTECTED]> wrote: > I have a box that I want to keep as secure as I can but I also need to > be able to use a graphical browser from it (I know that this is a > trade-off). > > There is no graphical browser in base. I don't need or want this > browser to do javascript or flash (I have a different box for > entertainment). Of the browsers in packages, which browser would > people think is likely the most secure? > > Here are my assumptions on the issue: > > Firefox development is focused on new features to keep up with the > latest web sites and technology. I don't know if they have time for > super security in the midst of that. > > Konqueror seems to have fewer security updates but still seems to > handle any sites I need (from my other box). I don't know if the > fewer number of security updates is because it is better written or > it doesn't get looked at as much. This is my normal browser, except > for one site that doesn't work (due to invalid html on the site). > > elinks or links are lightweight and work fine (no tabs though). Get > few updates. Don't know the security quality. > > dillo. Also works fine, but I haven't seen an update in quite a > while. Don't know if it continues to get security audits up-stream. > > Any suggestions? > > Doug. For your information dillo2 is in development-phase. As far as I know there isn't any open security problems with dillo and that mostly comes from simplicity. If there is security holes dillo's development sure will patch all of those right away. They are pretty active nowadays. Dillo-project has been mentioned ( as in adverticed ) as fast and secure www-browser. I'm using it daily i.e. in my email-client. I'll bet dillo is a very good choise for you. -- Henri Salo +358407705733 GPG ID: 2EA46E4F fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: There's something about OpenBSD...
On Thu, 21 Feb 2008 21:53:43 +0530 "Mayuresh Kathe" <[EMAIL PROTECTED]> wrote: > What is it about OpenBSD that I can't resist it? > > After the past long exchange about "our ultimate goal" and a lot of > people advising me to go over to Solaris 10, I did, I removed OpenBSD > from one of my machines and installed "Solaris Express Developers > Edition". > It was slick looking, very graphical with most of things you want to > do, had Java SE 5/6 preinstalled, and had everything thing that I was > expecting from OpenBSD. > > But yet, after 2 hours of fooling around, I came back to OpenBSD. > > For one thing, it took me almost 1.5 hours to install Solaris, compare > that to 30 minutes with OpenBSD, including 'packages', 'src' and > 'ports'. > > The second thing was probably the knowledge that things are simple > with OpenBSD, none of the complicated layouts thing as with Solaris. > You could follow instructions from ancient books like "Practical Unix > and Internet Security - Second Edition" to the T. > > Given all that, inspite of all the hammering I've taken over my > comments, I'd prefer to stick with OpenBSD. > > Thanks to Theo and the core gang for delivering such a good, clean > operating environment. > > Best, > > ~Mayuresh Mind your heads fellow hackers. It can cause addiction. -- Henri Salo +358407705733 GPG ID: 2EA46E4F fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: ssh_config, chroot, or user rights to restrict user access?
On Thu, 21 Feb 2008 14:03:40 +0100 Hannah Schroeter <[EMAIL PROTECTED]> wrote: > Hi! > > On Thu, Feb 21, 2008 at 01:49:02PM +0200, Lars Noodin wrote: > >1) What is the timeline for completely dropping scp? > > I hope never. > > >[...] > > Kind regards, > > Hannah. Where did you get this information? I'm using scp every day and in few scripts. I hope it's not going to be dropped -- ever! -- Henri Salo +358407705733 GPG ID: 2EA46E4F fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
4.4 arrived
My box (4.4 CD + The Book Of PF + Secure Architectures With OpenBSD) arrived to Espoo, Finland today. Thank you very much. Great books by the way. -- Henri Salo +358407705733 GPG ID: 2EA46E4F fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
My dear cat
http://hack.fi/~fgeek/fke_bsd.jpg <3 -- Henri Salo +358407705733 GPG ID: 2EA46E4F fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
Re: pf and hosts.deny
On Sat, 19 Apr 2008 10:02:50 -0400 "Vikas N Kumar" <[EMAIL PROTECTED]> wrote: > Hi > > I have OpenBSD 4.2 on a Pentium II laptop running fine, with its ssh > port 22 open to the web. However, there are a lot of attacks on that > port from various IP addresses across the globe. Even though I have > set maximum number of tries to just 2, I would like to be able to > note down the IP address (after say 10 unsuccessful login attempts) > from where the attacks are coming in and then dynamically add them to > hosts.deny for the next few days or permanently. > > Can pf do this ? I read the manual but could not find such a feature. > > I can always write a cron script that reads the messages log file and > does this sort of thing, but I was hoping that if such a feature > pre-exists I wouldn't have to do it. > > Any help will be appreciated. > > Thanks & Regards > Vikas There was a topic in a misc 2008-04-16 with subject "PF ssh bruteforce logging and blocking". You should read it. -- Henri Salo +358407705733 GPG ID: 2EA46E4F fp: 14D0 7803 BFF6 EFA0 9998 8C4B 5DFE A106 2EA4 6E4F
Re: Snort on OpenBSD
On Thu, 8 Oct 2009 11:46:09 -0400 Brad Tilley wrote: > On Thu, Oct 8, 2009 at 10:57 AM, Joachim Schipper > wrote: > > > There is no support for the "queue packets to userspace" required by > > Snort's IPS mode in any released OpenBSD version... > > I have never seen Snort deployed in IPS mode, only IDS mode for > monitoring purposes. IMO, too many things break in IPS mode. The old > ISS systems from IBM did "virtual patching" when in IPS mode. It > basically altered the packets before sending them to the dest. You can > imagine the stuff that broke. I have setup several IPS-systems for companies and I have nothing to complain. Those work as good as IDS-systems and you get more out of the system. Of course there are very good reasons to use IDS in some cases. The best setup is to have fail-open network-cards. If one is interested in some highend-hardware one should look at Sourcefire 3D sensors, but of course those aren't cheap, which sucks. --- Henri Salo
