Latest Phrack
Anyone tested this against OpenBSD's stack?

http://www.phrack.com/issues.html?issue=66&id=9#article

//Jonas
Re: apache DOS tool
Aiko Barz wrote:
> On Mon, Jun 22, 2009 at 09:32:56PM +1200, Richard Toohey wrote:
>> The solution, like the problem, lies in the network layer. See iptables
>> and similar network stack filters to provide protection against this
>> vector.
>>
>> Seems like they (and you) are saying Apache is not the place for the
>> fix?
>
> The apache would be the right place to fix the issue IMHO since other
> webservers are not affected that much. Maybe something like not counting
> an unfinished request as an active workerthread. But this is up to the
> people who know the program internals, which I don't.
>
> So long,
> Aiko

This is more interesting:

http://www.phrack.com/issues.html?issue=66&id=9#article

//Jonas
High Load - t/s
I have an OpenBSD 3.9 server with courier imapd-ssl running. The load on the server is heavy from transactions on the disk where I store the emails. I'm using an Adaptec 2010S SCSI RAID card. I have tried and tweaked the courier imap server the best I can without any luck.

From iostat:

    tty cd0 fd0 sd0 sd1 cpu
    tin tout KB/t t/s MB/s KB/t t/s MB/s KB/t t/s MB/s KB/t t/s MB/s us ni sy in id
    01 0.00 0 0.00 0.00 0 0.00 50.72 4 0.19 9.92 16 0.15 1 0 0 0 99
    0 268 0.00 0 0.00 0.00 0 0.00 0.00 0 0.00 14.51 144 2.04 0 0 1 0 99
    0 89 0.00 0 0.00 0.00 0 0.00 0.00 0 0.00 14.10 143 1.97 1 0 0 0 99
    0 89 0.00 0 0.00 0.00 0 0.00 0.00 0 0.00 12.40 139 1.68 0 0 2 0 98
    0 89 0.00 0 0.00 0.00 0 0.00 0.00 0 0.00 11.40 146 1.62 1 0 1 0 98
    0 89 0.00 0 0.00 0.00 0 0.00 0.00 0 0.00 12.03 140 1.64 0 0 0 1 99
    0 89 0.00 0 0.00 0.00 0 0.00 0.00 0 0.00 10.97 141 1.51 0 0 0 0100

The sd1 disk has 140 t/s. CPU-load is nothing.

w:

    12:35PM up 46 days, 6:15, 1 user, load averages: 7.11, 5.46, 3.09

Any ideas?

Regards
Jonas
Re: High Load - t/s
> What's the actual problem? high load average in itself is not
> necessarily a problem.
>
> ---
> Lars Hansson
>

The problem is the t/s on the sd1 device where I have the email-storage. Have less than 10 accounts and clients on a Xeon 3.0 Ghz server with 1 Gb RAM.

I have tried to see why I have so many t/s on the disk but I can not figure it out. The disks are SCSI-disks 15 000 rpm.

/Jonas
Re: Cannot upgrade from 3.8
I have several servers with the same problem. The solution has always been to disable one or two drivers that conflict.

To be able to upgrade the servers (DL380 G4) we have that use Adaptec 2101S cards we had to disable the iopsp* driver on boot. Before we had to disable the ciss driver on some servers.

One server that uses LSI MegaRAID 310-1 we haven't been able to find the correct driver that conflicts. So we had to switch RAID-card :-(

/Jonas

Antti Harri wrote:
> Hello,
>
> I have a machine that I'm not able to upgrade
> because the machine won't boot newer kernels.
> They're hanging right after SATA init and it
> also displays different SATA/pciide chip model
> (VT6420) than with 3.8.
>
> I've tried 3.9-release from official CD, 4.0-release
> and 4.1-release kernels and some snapshots.
>
> hw.machine=i386
> hw.model=AMD Athlon(TM) XP 1700+ ("AuthenticAMD" 686-class, 256KB L2 cache)
> hw.ncpu=1
> hw.byteorder=1234
> hw.physmem=267988992
> hw.usermem=267653120
> hw.pagesize=4096
> hw.disknames=wd0,cd0,fd0
> hw.diskcount=3
> hw.sensors.3=it0, VCORE_A, volts_dc, 1.84 V
> hw.sensors.4=it0, VCORE_B, volts_dc, 0.00 V
> hw.sensors.5=it0, +3.3V, volts_dc, 3.22 V
> hw.sensors.6=it0, +5V, volts_dc, 4.92 V
> hw.sensors.7=it0, +12V, volts_dc, 11.97 V
> hw.sensors.8=it0, Unused, volts_dc, -8.60 V
> hw.sensors.9=it0, -12V, volts_dc, -17.00 V
> hw.sensors.10=it0, +5VSB, volts_dc, 5.00 V
> hw.sensors.11=it0, VBAT, volts_dc, 4.08 V
> hw.sensors.12=it0, Temp1, temp, 47.00 degC / 116.60 degF
> hw.sensors.13=it0, Temp2, temp, 37.00 degC / 98.60 degF
> hw.sensors.14=it0, Temp3, temp, 127.00 degC / 260.60 degF
> hw.cpuspeed=1467
>
>
> OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: AMD Athlon(TM) XP 1700+ ("AuthenticAMD" 686-class, 256KB L2 cache)
> 1.47 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
>
> cpu0: AMD Powernow: FID
> real mem = 267988992 (261708K)
> avail mem = 237649920 (232080K)
> using 3296 buffers containing 13500416 bytes (13184K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(48) BIOS, date 06/28/05, BIOS32 rev. 0 @ 0xf1940
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown
> apm0: flags 30102 dobusy 0 doidle 1
> pcibios0 at bios0: rev 2.1 @ 0xf/0x1ff2
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1f20/208 (11 entries)
> pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT82C586 ISA" rev 0x00)
> pcibios0: PCI bus #1 is the last bus
> bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xcc000/0x4400!
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "VIA VT8377 PCI" rev 0x80
> ppb0 at pci0 dev 1 function 0 "VIA VT8377 PCI-PCI" rev 0x00
> pci1 at ppb0 bus 1
> vga1 at pci0 dev 10 function 0 "Matrox MGA Millennium II 2164W" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> fxp0 at pci0 dev 12 function 0 "Intel 82557" rev 0x08, i82559: irq 10,
> address 00:90:27:93:85:c2
> inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
> pciide0 at pci0 dev 15 function 0 "VIA VT8237 SATA" rev 0x80: DMA
> pciide0: using irq 3 for native-PCI interrupt
> wd0 at pciide0 channel 0 drive 0:
> wd0: 16-sector PIO, LBA48, 190782MB, 390721968 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
> pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133,
> channel 0 configured to compatibility, channel 1 configured to
> compatibility
> atapiscsi0 at pciide1 channel 0 drive 0
> scsibus0 at atapiscsi0: 2 targets
> cd0 at scsibus0 targ 0 lun 0: SCSI0
> 5/cdrom removable
> cd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide1: channel 1 disabled (no drives)
> uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x81: irq 12
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0
> uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x81: irq 12
> usb1 at uhci1: USB revision 1.0
> uhub1 at usb1
> uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
> uhub1: 2 ports with 2 removable, self powered
> uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x81: irq 3
> usb2 at uhci2: USB revision 1.0
> uhub2 at usb2
> uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
> uhub2: 2 ports with 2 removable, self powered
> uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0x81: irq 3
> usb3 at uhci3: USB revision 1.0
> uhub3 at usb3
> uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1
> uhub3: 2 ports with 2 removable, self powered
> ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x86: irq 5
> usb4 at ehci0: USB revision 2.0
> uhub4 at usb4
> uhub4: VIA EHCI root hub, rev 2.00/1.00, addr 1
> uhub4: 8 ports with 8 removable, self powered
> pcib0 at pci0 dev 17 function 0 "VIA VT8237 ISA" rev 0x00
> auvia0 at
Re: creating a vpn tunnel to all
Chris Bullock wrote:
> Background:
> We are using Metro Ethernet to connect several sites to our main office. In
> order to save money the telco has a couple of sites riding the same vlan
> coming into us. One of these sites is one of our remote offices and the
> other is a competing office.
>
> Problem:
> Since we are on the vlan there is no way I can route without the possibility
> of someone running a sniffer and sniffing my packets, so my goal is I want
> all my traffic from my remote office to come through my main office even
> Internet. To map this tunnel using isakmpd would I just create a tunnel to
> 0.0.0.0?
> Regards,
> Chris
>

Set up VPN between the remote offices and your main site. Aggregate all the traffic to your main site where you have internet connectivity using an IGP or static routes.

Should solve your ethernet snooping-problem.

/Jonas
Problem upgrading to 3.9 - Proliant dl380 g2 with LSI MegaRAID 320-1 RAID-card
Hello list,

I'm having problem upgrading a 3.8 stable to 3.9 stable. The server is a Proliant dl380 g2 with a LSI MegaRAID 320-1. When booting the CD it stops right after ami driver is loaded:

    ami0 at pci3 dev 4 function 0 "Symbios Logic MegaRAID" rev 0x01: irq 7

Under 3.8 it works great. I have tested to disable the ciss-driver when booting and also disable the onboard smart array card in bios just to see if it changes things. Proliant bios I'm using is P29 and MegaRAID bios is from mid 2004.

Anyone with same problem?

/Jonas
Re: Problem upgrading to 3.9 - Proliant dl380 g2 with LSI MegaRAID 320-1 RAID-card
David Gwynne wrote:
> On 24/08/2006, at 7:39 PM, Jonas Thambert wrote:
>
>> Hello list,
>>
>> I'm having problem upgrading a 3.8 stable to 3.9 stable. The server is
>> a Proliant dl380 g2 with a LSI MegaRAID 320-1. When booting the
>> CD it stops right after ami driver is loaded:
>
> can you try a snapshot and see if the problem still exists?
>
> dlg

I will try and upgrade the MegaRAID bios first, as Henning has suggested. Might be a BIOS problem.

Another user with Bios problem:
http://archives.neohapsis.com/archives/openbsd/2006-08/1120.html

/Jonas
Re: OpenBSD/Networking noobie: home micro-server setup?
I would use a Via Mini-ITX motherboard. The one I have has 600 Mhz Fanless Eden CPU, integrated graphics and dual 10/100 Mbit NICs. Have a 120 Gb 3,5" IDE disk as storage.

Works great with OpenBSD!

/Jonas

Neoklis wrote:
> Hi all,
>
> I have opened an account with an ISP that provides me with a fixed IP
> address and this tempts me to set up a micro server at home for my
> website etc. I must confess I am a Linux user but consider OpenBSD
> the best choice for a secure server, so will install soon on my desktop
> to learn and then install on a suitable device.
>
> I have searched the web extensively and seems that a Soekris device
> might be suitable, however I have no experience in this type of device
> or running a web server or router so with apologies I post this article
> hoping for advice on the following:
>
> Can I use a Soekris board to run the OpenBSD+Apache web server and
> put my web site on line from home? Which is most suitable?
>
> I would like (must!) share my ADSL line with at least the web server and
> my desktop and possibly a laptop. The ADSL modem has an Ethernet
> connection and I wonder, could I use the Soekris board to act as a router,
> preferably wireless, as well as running the server?
>
> My thanks in advance!
Re: SSH login slow troubleshoot Techniques
Check your resolv.conf/hosts file. Might be reverse-lookup that fails. /Jonas
Question regarding mailserver setup
Hi,

I'm using postfix, amavisd, clamav, spamassassin on an OpenBSD 3.9 server. The setup works great. The problem I have is that I would like to use Razor or Pyzor. I tried and installed razor but it doesn't seem to work very well. On another Linux server I have Pyzor and it catches almost all spam I get.

What is the best anti-spam solution to use for OpenBSD?

Regards
Jonas
Re: Problem upgrading to 3.9 - Proliant dl380 g2 with LSI MegaRAID 320-1 RAID-card
I have now upgraded my HP DL380 G3 with latest P29 bios and my MegaRAID bios with latest LSI bios.

3.8 boots perfect, 3.9 stable and 4.0-beta snapshot doesn't work. Locks up when loading the ami-driver on cd. 4.0-beta even makes the server powercycle when loading the ami-driver.

Next I will try with the Dell bios. No one else with the same problem?

/Jonas

Jonas Thambert wrote:
> David Gwynne wrote:
>> On 24/08/2006, at 7:39 PM, Jonas Thambert wrote:
>>
>>> Hello list,
>>>
>>> I'm having problem upgrading a 3.8 stable to 3.9 stable. The server is
>>> a Proliant dl380 g2 with a LSI MegaRAID 320-1. When booting the
>>> CD it stops right after ami driver is loaded:
>> can you try a snapshot and see if the problem still exists?
>>
>> dlg
>
> I will try and upgrade the MegaRAID bios first, as Henning has suggested.
> Might be a BIOS problem.
>
> Another user with Bios problem:
> http://archives.neohapsis.com/archives/openbsd/2006-08/1120.html
>
>
> /Jonas
Re: breeding developers
Well, seems hard to breed the developers when OpenBSD EU store does not accept large orders when I tried to check out :(

"Sorry, we are not able to accept orders over 250 GBP."

//Jonas

On 2010-03-14 08.52, Antoine Jacoutot wrote:
> Hi.
>
> I'm usually not very active on misc@ but since pre-order for 4.7 have
> started, I think it is the right time to remind us all that CD sales are
> not only important but critical to the project.
>
> First, lack of money means less hackathons, which renders hacking less
> fun, and fun is the number 1 motivation for most people imho.
> No money -> no hackathon -> no fun -> no hack... you see the point.
> Also a project this big (yes, a hobby can be huge) does not rule itself
> out of the air and money is needed for infrastructure, administration,
> hardware and tons of other things.
>
> So if you like OpenBSD, don't forget its biannual birthday and buy CDs.
> If you don't like OpenBSD, then buy even more CDs because having
> competition is good for other projects.
>
> Thank you all.
pf and fragmented IPv6 packets
Like a month ago we got a complaint from a user that our website was unreachable over IPv6. We have 2x native IPv6 transits. The user had bought IPv6 from an ISP that uses tunneling to deliver it to the organization.

After some packet traces we found out that the problem was in PF and that it doesn't seem to handle fragmented IPv6 packets. Sure enough, from the man page of pf.conf:

"Currently, only IPv4 fragments are supported and IPv6 fragments are blocked unconditionally."

The problem is that some of Sweden's largest ISPs use tunneling for IPv6 to their customers so we can't just say, ditch 'em. Teredo seems to work fine.

Is there a workaround or plans to implement support for this in pf? We have multiple firewalls and the others have no problems with IPv6 + fragmented packets.

//Jonas
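Added example, not part of the original post: a way to confirm from captured packets which ones carry the IPv6 Fragment header that the quoted pf.conf text says is blocked. The function names are hypothetical, the packets are constructed samples using the 2001:db8::/32 documentation prefix, and the 1280-byte tunnel MTU is an assumption.

```python
import struct

FRAGMENT = 44            # Next Header value of the IPv6 Fragment header
SKIPPABLE = {0, 43, 60}  # hop-by-hop, routing, destination options

def fragment_info(packet: bytes):
    """Return None if the IPv6 packet carries no Fragment header, else its fields."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, pos = packet[6], 40
    while next_header in SKIPPABLE:          # headers that may precede the Fragment header
        if len(packet) < pos + 8:
            raise ValueError("truncated extension header")
        next_header, ext_len = packet[pos], packet[pos + 1]
        pos += (ext_len + 1) * 8             # length is in 8-byte units, first unit excluded
    if next_header != FRAGMENT:
        return None                          # reached the upper-layer protocol
    if len(packet) < pos + 8:
        raise ValueError("truncated Fragment header")
    inner, _, off_flags, ident = struct.unpack_from("!BBHI", packet, pos)
    return {"id": ident, "offset": (off_flags >> 3) * 8,
            "more": bool(off_flags & 1), "proto": inner}

def count_fragments(packets):
    """Map each fragment Identification value to the number of fragments seen."""
    seen = {}
    for pkt in packets:
        info = fragment_info(pkt)
        if info:
            seen[info["id"]] = seen.get(info["id"], 0) + 1
    return seen

# --- constructed sample packets, not taken from any real capture ---
SRC = bytes.fromhex("20010db8" + "00" * 11 + "01")
DST = bytes.fromhex("20010db8" + "00" * 11 + "02")

def ipv6(next_header, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload

def frag(proto, offset, more, ident):
    return struct.pack("!BBHI", proto, 0, (offset // 8) << 3 | int(more), ident)

PLAIN = ipv6(6, bytes(20))                                  # unfragmented TCP
FIRST = ipv6(44, frag(6, 0, True, 0x1234) + bytes(1232))    # fills a 1280-byte MTU
LAST = ipv6(44, frag(6, 1232, False, 0x1234) + bytes(300))
BEHIND_OPTS = ipv6(60, bytes([44, 0, 1, 4, 0, 0, 0, 0])     # destination options first
                   + frag(17, 0, True, 0x9999) + bytes(64))
```

Feeding it the IPv6 packets from a trace taken in front of the firewall shows whether the affected user's traffic is the fragmented portion.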
Re: pf and fragmented IPv6 packets
Thanks Rod for your input. We use pf as a firewall, and when we get the user's IPv6 packets they are already fragmented. Native IPv6 and Teredo tunnels do not get fragmented on the way to us.

I will read up on your links ;)

// Jonas

> I have an IPv6 over IPv4 connection. I once had two, one using a hexago
> tunnel and the other I still have using a Hurricane Electric one.
>
> I have never had a problem connecting through OpenBSD with a pf
> firewall to native IPv6 sites like Google's v6 or the hosts on the /32
> IPv6 netblock I maintain using an OpenBSD / OpenBGPd router.
>
> Maybe I'm just lucky. I'm a bit confused as to why packets need to be
> fragmented on IPv6 other than to play DDOS games. Nobody needs packets
> bigger than the specified minimum (1280B) and the usual problem is a
> PMTUD blackhole anyway.
>
> Don't you just love all those cretins that block all ICMP packets on
> IPv4? They can stuff up IPv6 too.
>
> There is some advice about debugging this kind of problem in van
> Beijnum's "Running IPv6". Try starting with that or finding out why
> there are oversized packets there anyway.
>
> The real fly in the ointment is the stupid way one can frag packets
> madly in IPv6 with mayhem in mind. *
>
> If you want to allow reassembly you have to figure out what to do about
> malicious frags which can exhaust your RAM quite easily.
>
> * See http://www.ruxcon.org.au/files/2006/dowd_ipv6.ppt
>
> I'm too tired to reread this to see if it all makes sense but if I left
> it until I was fresher I'd have forgotten to reply ;-) Hope you can get
> some good out of it ???
>
> Regards,
>
>
>
> *** NOTE *** Please DO NOT CC me. I subscribed to the list.
> Mail to the sender address that does not originate at the list server is
> tarpitted. The reply-to: address is provided for those who feel compelled to
> reply off list. Thank you.
>
> Rod/
> ---
> This life is not the real thing.
> It is not even in Beta.
> If it was, then OpenBSD would already have a man page for it.
>

--
Jonas Thambert
CISSP, CISA, CISM
Swedish IT Incident Centre, GovCERT-SE
AS41884
National Post and Telecom Agency
P O Box 5398, SE-102 49 Stockholm, Sweden
Office address: Birger Jarlsgatan 16, Stockholm
Tel dir: +46 8 678 57 65
Mob: +46 706 25 57 65
Op: +46 8 678 55 00
Fax: +46 8 678 55 05
SITIC: +46 8 678 5799
Mailto: jonas.thamb...@sitic.se
http://www.sitic.se
http://www.pts.se
--
Get my PGP-Key at: http://www.sitic.se/jonas.thambert_at_sitic.se.asc