Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-23 Thread nate
Ted Unangst said: > states are only allocated on demand. you could set the limit to a billion > with no problem until you actually start using too many states. the limit > is there to protect you from the firewall imploding. thanks for all the info, very useful! hopefully such info can get add

Re: is there a way to block sshd trolling?

2005-09-23 Thread Ray Percival
On Fri, Sep 23, 2005 at 08:24:15PM -0700, Bryan Irvine wrote: > > Some intelligent scripts look at tcp responses to port scans, ssh > > responds with SSH-2.0, which isn't too hard to identify. I don't know if > > changing the greeting would break the protocol, but I suspect it might > > break certa

Re: is there a way to block sshd troll

2005-09-23 Thread ober
Might be nice to get a packet trace of it, and add filters to SealingWafter LKM to just discard packets that match. -Ober On Fri, 23 Sep 2005, Bryan Irvine wrote: Some intelligent scripts look at tcp responses to port scans, ssh responds with SSH-2.0, which isn't too hard to identify. I don

Re: is there a way to block sshd trolling?

2005-09-23 Thread Bryan Irvine
> Some intelligent scripts look at tcp responses to port scans, ssh > responds with SSH-2.0, which isn't too hard to identify. I don't know if > changing the greeting would break the protocol, but I suspect it might > break certain clients. I wonder if it's possible to "fingerprint" these programs

Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-23 Thread Ted Unangst
On Fri, 23 Sep 2005, nate wrote: > ok thats the kind of info I wanted to hear, so kernel > space can go up to ~300MB ? is this a tunable > parameter anywhere or is it hard coded? it is actually 768MB on i386, but you can't use anywhere close to all of it for pf states. it is hard coded. > is th

Re: is there a way to block sshd trolling?

2005-09-23 Thread Eike Lantzsch
On Friday 23 September 2005 14:40, John Marten wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. > I've installed the newest version of SSH, so i'm covered there. But I > still get a dozen or 2 of the > "sshd Invalid user somename

Re: upgrade is it important ?

2005-09-23 Thread Chris
Budhi Setiawan wrote: > dear all > > i guess this is stupid question, but since i very young in the openbsd land, > i have a lot of question : > > 1. how important to make our system (OS and packages) always up-to-date ( > except with security reason of course ), because some people says " > yo

Re: Max number of states in pf? (100k? 200k? 1M?)

2005-09-23 Thread nate
mistakenly did not send this to the list originally -- Ted Unangst said: > if it's 1k states per MB RAM, you're into trouble at 300k. the kernel only has so much space to play in. ok thats the kind of info I wanted to hear, so kernel space can go up to ~300MB ? is this a tunable parameter anywher

Re: is there a way to block sshd trolling?

2005-09-23 Thread jared r r spiegel
On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote: > "input_userauth_request: ivalid user somename" > "Failed password for invalid user somename" haven't read the entire thread yet, so doubtless this has come up, but i use: -- e = sis2 tablepersist

Re: passive ftp-ssl client behind OpenBSD 3.7 NAT/pf

2005-09-23 Thread Daniel Smereka
Hi Ed thx for the reply. First I should mention that all non-ssl ftp traffic works great through the firewall (setup according to FAQ on openbsd site). My setup is: my client -> my nat'd OpenBSD -> internet -> remote ftp-ssl server I don't have any control over the remote server. The clien

upgrade is it important ?

2005-09-23 Thread Budhi Setiawan
dear all i guess this is stupid question, but since i very young in the openbsd land, i have a lot of question : 1. how important to make our system (OS and packages) always up-to-date ( except with security reason of course ), because some people says " you should update your system at least o

Re: Any advice on 'Indemnification'? (US Only, obviously)

2005-09-23 Thread Nick Holland
L. V. Lammert wrote: > I have been working with a local OS friendly hosting company to add support > for OpenBSD. Unfortunately, they also support with Red Hat, SuSE, and > Apple, and these vendors offer an 'Open Source Indemnification', ostensibly > protecting against legal action from contribu

Re: is there a way to block sshd trolling?

2005-09-23 Thread Wolfgang S. Rupprecht
"Spruell, Darren-Perot" <[EMAIL PROTECTED]> writes: > From: Wolfgang S. Rupprecht >> 2) Forging the source IP in a TCP packet and succeeding in negotiating >>the 3-way handshake isn't all that simple any more. I wouldn't >>worry about it. If someone could forge that reliably, there is >>

Re: is there a way to block sshd trolling?

2005-09-23 Thread Spruell, Darren-Perot
From: Wolfgang S. Rupprecht > 2) Forging the source IP in a TCP packet and succeeding in negotiating >the 3-way handshake isn't all that simple any more. I wouldn't >worry about it. If someone could forge that reliably, there is >much better game to go after (like breaking into machin

Re: is there a way to block sshd trolling?

2005-09-23 Thread Abraham Al-Saleh
just to add my $0.02. The best they could hope for would be disallowing your default gateway from connecting to your ssh server... whoop-de-doo. On 9/23/05, Wolfgang S. Rupprecht < [EMAIL PROTECTED]> wrote: > > <[EMAIL PROTECTED]> writes: > > My only question is what if I traceroute to you, find o

pf log entries

2005-09-23 Thread Richard P. Koett
'tcpdump -r /var/log/pflog' shows a lot of entries like this: 14:31:38.279681 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98 14:31:41.794668 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98 14:31:42.464382 33:0:0:0:0:0 > 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98 14:31:42.614922 33:0

Re: Userland Compilation Dies

2005-09-23 Thread Chris
Oh no! My eyes must have slipped up the page! (I have the docs open on my other machine, and I am going back and forth). I have been at this too long! Thank you Mitja! I actually did do it right the first time.. but it errored out. Interesting that using the current didn't error out in the sam

Re: is there a way to block sshd trolling?

2005-09-23 Thread Rogier Krieger
On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote: > There's got to be a better way, and I'm open to suggestions. This is really something well dealt with in the archives, so please search those for other suggestions. I'm sure there are better options. Personally, I use the following combination

That's Business - this is how to earn money today...!

2005-09-23 Thread Hanzz
Attention: If you are a skeptic and not open to new, innovative opportunities, then you should leave this website! Otherwise, simply keep your healthy measure of distrust and get started. That's Business 450,000 euros possible in 7 months! Through Networ

No sound in KDE

2005-09-23 Thread Chris
Hello. I am still relatively new to openbsd. I have followed the docs pretty closely, and seem to have a very nice system going. I have a couple snags, however. One of them is that I am not getting any sound while I am running KDE. I had the same problem running 3.6, I thought I would try upg

Re: is there a way to block sshd trolling?

2005-09-23 Thread Wolfgang S. Rupprecht
<[EMAIL PROTECTED]> writes: > My only question is what if I traceroute to you, find out the IP number of > your upstream router? Then I make a bunch of connection attempts to your IP > but forge the packets to make them look like they came from your upstream. > Don't *you* end up blacklisting

Re: passive ftp-ssl client behind OpenBSD 3.7 NAT/pf

2005-09-23 Thread ed
On Fri, 23 Sep 2005 13:45:45 -0700 (PDT) Daniel Smereka <[EMAIL PROTECTED]> wrote: > Is it possible to get such a client running in passive mode using pf > rdr/rules? > > I understand that I can't use ftp-proxy for this b/c the PORT command > coming back from the FTP server is encrypted. Is the

Re: is there a way to block sshd trolling?

2005-09-23 Thread Matthew Powell
John Marten wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. > I've installed the newest version of SSH, so i'm covered there. But I > still get a dozen or 2 of the > "sshd Invalid user somename from ###.##.##.###" > "input_userau

Re: is there a way to block sshd trolling?

2005-09-23 Thread Stuart Henderson
--On 23 September 2005 15:05 -0500, [EMAIL PROTECTED] wrote: My only question is what if I traceroute to you, find out the IP number of your upstream router? Then I make a bunch of connection attempts to your IP but forge the packets to make them look like they came from your upstream. The su

Re: is there a way to block sshd trolling?

2005-09-23 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > My only question is what if I traceroute to you, find out the > IP number of your upstream router? Then I make a bunch of > connection attempts to your IP but forge the packets to make > them look like they came from your upstream. Don't *you

Re: ssh passwords and publickeys

2005-09-23 Thread Spruell, Darren-Perot
From: J.D. Bronson [mailto:[EMAIL PROTECTED] > Is there any way to accomplish this: > > 1. Use ssh with passwords internally (lan to lan connections) > 2 Use ssh with publickeys externally (wan to lan connections) > > ...thanks! I can't think of a way to do it with the same user account, but yo

Re: is there a way to block sshd trolling?

2005-09-23 Thread Joe S
John Marten wrote: There's got to be a better way, and I'm open to suggestions. Use public key authentication to start with. It's very easy to setup and much more secure than password authentication. With public key authentication, passwords will never work. You might also want to make it a

Re: is there a way to block sshd trolling?

2005-09-23 Thread ed
On Fri, 23 Sep 2005 21:55:12 +0200 Tomasz Baranowski <[EMAIL PROTECTED]> wrote: > You can change the port number in /etc/ssh/sshd_config . It's 100% > effective against that kind of bots. Some intelligent scripts look at tcp responses to port scans, ssh responds with SSH-2.0, which isn't too hard

Re: is there a way to block sshd trolling?

2005-09-23 Thread Joe S
[EMAIL PROTECTED] wrote: My only question is what if I traceroute to you, find out the IP number of your upstream router? Then I make a bunch of connection attempts to your IP but forge the packets to make them look like they came from your upstream. Don't *you* end up blacklisting your defa

passive ftp-ssl client behind OpenBSD 3.7 NAT/pf

2005-09-23 Thread Daniel Smereka
Is it possible to get such a client running in passive mode using pf rdr/rules? I understand that I can't use ftp-proxy for this b/c the PORT command coming back from the FTP server is encrypted. Is there any way to do this? thanks

Re: ssh passwords and publickeys

2005-09-23 Thread J.D. Bronson
No. It's not answering wrong. It crossed my mind...but I am not sure I can actually do this and if so, how do I specify the alternate config? start it as 'sshd -f BLAH' ? At 03:27 PM 9/23/2005, you wrote: just a guess, but can you run two instances of sshd with different conf files? .. each bi

Re: ssh passwords and publickeys

2005-09-23 Thread Roy Morris
just a guess, but can you run two instances of sshd with different conf files? .. each binding to a specific interface? is this answering a question with a question? J.D. Bronson wrote: Is there any way to accomplish this: 1. Use ssh with passwords internally (lan to lan connections) 2 Use

Re: is there a way to block sshd trolling?

2005-09-23 Thread Chris Smith
On Friday 23 September 2005 03:15 pm, Mr.Slippery wrote: > That's how I handle this type of annoyance: > http://data.homeip.net/projects/ssh_wall.php Slick. Er...slippery, that is.

Re: is there a way to block sshd trolling?

2005-09-23 Thread Brandon Mercer
Roy Morris wrote: > why not use max-connections ? and dump them into a > table with no access. Or if this is a home machine just > move the port to some high port, most scripts wont bother > looking. Yup, I forgot to add that you can put another thing in that max-conn... that handles the overflow

Re: is there a way to block sshd trolling?

2005-09-23 Thread ober
Use the tarpit patch that I wrote http://www.linbsd.org/openssh-samepasswd.patch -Ober -Ober On Fri, 23 Sep 2005, Abraham Al-Saleh wrote: You could use connection throttling, it won't eliminate them, but it will make it take longer. If you don't need ssh on that host (although, you probably

Re: is there a way to block sshd trolling?

2005-09-23 Thread Thordur I. Bjornsson
On Fri, 23 Sep 2005 11:40:36 -0700 "John Marten" <[EMAIL PROTECTED]> wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. > I've installed the newest version of SSH, so i'm covered there. But I > still get a dozen or 2 of the > "sshd

Re: ssh passwords and publickeys

2005-09-23 Thread Roy Morris
J.D. Bronson wrote: No. It's not answering wrong. It crossed my mind...but I am not sure I can actually do this and if so, how do I specify the alternate config? start it as 'sshd -f BLAH' ? At 03:27 PM 9/23/2005, you wrote: just a guess, but can you run two instances of sshd with different

Re: is there a way to block sshd trolling?

2005-09-23 Thread Nick Ryan
You could use pf to block linux ssh access. block in log quick on $EXT_IF inet proto tcp from any os "Linux" to port 22 label "Blocked Linux ssh access: " That'll reduce it quite a lot. John Marten wrote: You know what i mean? Every day I get some script kiddie, or adult trying to guess u

Re: ssh passwords and publickeys

2005-09-23 Thread eric
On Fri, 2005-09-23 at 14:44:20 -0500, J.D. Bronson proclaimed... > Is there any way to accomplish this: > > 1. Use ssh with passwords internally (lan to lan connections) Yes. > 2 Use ssh with publickeys externally (wan to lan connections) Yes! > ...thanks! Thank you!

Re: Question about atheros driver??

2005-09-23 Thread Reyk Floeter
On Fri, Sep 23, 2005 at 08:28:29PM +0200, [EMAIL PROTECTED] wrote: > Hi all, > > Is atheros driver supported under Alpha platform on OpenBSD 3.7?? > no, but i would be really happy about a donated alpha to port ath(4) to this platform ;). reyk

Re: Any advice on 'Indemnification'? (US Only, obviously)

2005-09-23 Thread Dirk-Willem van Gulik
On Fri, 23 Sep 2005, L. V. Lammert wrote: > so WE all know this isn't an issue here, but, unfortunately, the hosting > company has lawyer(s) asking for similar 'Indemnification' for OBSD before > they will officially allow OBSD on premises. We've solved this in the past by running 'FooBSD' and si

Re: is there a way to block sshd trolling?

2005-09-23 Thread jabbott
My only question is what if I traceroute to you, find out the IP number of your upstream router? Then I make a bunch of connection attempts to your IP but forge the packets to make them look like they came from your upstream. Don't *you* end up blacklisting your default route and you become 's

ssh passwords and publickeys

2005-09-23 Thread J.D. Bronson
Is there any way to accomplish this: 1. Use ssh with passwords internally (lan to lan connections) 2 Use ssh with publickeys externally (wan to lan connections) ...thanks! J.D. Bronson Off The Hook Phone Repair, Inc. 24 Hour Service // Free Estimates For Fast Repairs: CALL US - IF YOU CAN

Re: is there a way to block sshd trolling?

2005-09-23 Thread Tomasz Baranowski
On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. You can change the port number in /etc/ssh/sshd_config . It's 100% effective against that kind of bots. Greetings, Tomasz Bar

Re: PowerEdge 1850 w/ dual Xeon : now tested with 3.8 GENERIC.MP

2005-09-23 Thread Mariano Benedettini
Thanks, my question was exactly about that, the lack of some hardware support on 3.7 :-) Nick Holland wrote: Mariano Benedettini wrote: I wrote last week, about some problems I've experienced with 3.7 GENERIC.MP on a PowerEdge 1850 dual Xeon [1]. Some people suggested to try a 3.8 snapshot, a

Re: Question about atheros driver??

2005-09-23 Thread ober
Use the tarpit patch that I wrote http://www.linbsd.org/openssh-samepasswd.patch -Ober On Fri, 23 Sep 2005, Marcos Latas wrote: On 23/09/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: Hi all, Is atheros driver supported under Alpha platform on OpenBSD 3.7?? -- CL Martinez carlopmart {a

Re: is there a way to block sshd trolling?

2005-09-23 Thread Rob Copsey
- Original Message: From: Bryan Irvine <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Date: Friday, September 23 2005 09:55 AM Subject: Re: is there a way to block sshd trolling? >Have snort or portsentry add those ips to a table in pf.conf. > >--Bryan > >On 9/23/05, John Marten

Re: is there a way to block sshd trolling?

2005-09-23 Thread Abraham Al-Saleh
You could use connection throttling, it won't eliminate them, but it will make it take longer. If you don't need ssh on that host (although, you probably do, I'd be lost without it) disable it. You could bind sshd to a different port, and disable port 22 (most of these attacks are automated bots).

Re: is there a way to block sshd trolling?

2005-09-23 Thread Brandon Mercer
John Marten wrote: >You know what i mean? Every day I get some script kiddie, or adult >trying to guess usernames or passwords. >I've installed the newest version of SSH, so i'm covered there. But I >still get a dozen or 2 of the >"sshd Invalid user somename from ###.##.##.###" >"input_userauth_re

Re: is there a way to block sshd trolling?

2005-09-23 Thread Chris Smith
On Friday 23 September 2005 02:40 pm, John Marten wrote: > There's got to be a better way, and I'm open to suggestions. Use a non-standard port and/or public key exchange. Chris

Re: is there a way to block sshd trolling?

2005-09-23 Thread Roy Morris
why not use max-connections ? and dump them into a table with no access. Or if this is a home machine just move the port to some high port, most scripts wont bother looking. cheers rm John Marten wrote: You know what i mean? Every day I get some script kiddie, or adult trying to guess usernam

Re: is there a way to block sshd trolling?

2005-09-23 Thread Will H. Backman
> On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote: > > You know what i mean? Every day I get some script kiddie, or adult > > trying to guess usernames or passwords. > > I've installed the newest version of SSH, so i'm covered there. But I > > still get a dozen or 2 of the > > "sshd Invalid user

Re: is there a way to block sshd trolling?

2005-09-23 Thread Mr.Slippery
John Marten ([EMAIL PROTECTED]) dixit: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. > I've installed the newest version of SSH, so i'm covered there. But I > still get a dozen or 2 of the > "sshd Invalid user somename from ###.##.##.

Re: is there a way to block sshd trolling?

2005-09-23 Thread Bryan Irvine
Have snort or portsentry add those ips to a table in pf.conf. --Bryan On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote: > You know what i mean? Every day I get some script kiddie, or adult > trying to guess usernames or passwords. > I've installed the newest version of SSH, so i'm covered there.

Re: is there a way to block sshd trolling?

2005-09-23 Thread Mike Hernandez
IIRC there are scripts that will automatically add lines to your hosts.deny file. Sorry, but I can't remember the names. I suggest you also create some keys for yourself to use and disable password authentication. With password auth disabled the attacks won't be more than an annoyance for the mo

Re: Question about atheros driver??

2005-09-23 Thread Marcos Latas
On 23/09/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Hi all, > > Is atheros driver supported under Alpha platform on OpenBSD 3.7?? > > > -- > CL Martinez > carlopmart {at} gmail {d0t} com > > Why didn't you check, at least, www.openbsd.org/alpha.html?

Intel ICH6-M chipset and Fujitsu-Siemens Lifebook S7020 on current

2005-09-23 Thread Wojtek
Hi, there is a problem with Intel ICH6-M chipset support in current snapshot (2005-09-22), it doesn't recognize devices (eg. sata controller). I've checked, that it should be supported in current. dmesg -- OpenBSD 3.8 (RAMDISK_CD) #794: Sat Sep 10 15:58:32 MDT 2005 [EMAIL PROTECTED]:/usr

Re: Portmap non-local set / unset attempt

2005-09-23 Thread Wolfgang S. Rupprecht
Martin Schröder <[EMAIL PROTECTED]> writes: > On 2005-09-23 00:05:14 -0700, Wolfgang S. Rupprecht wrote: >> appreciable added risk. The only loose end is that sshd doesn't >> currently log the RSA/DSA key that is used to gain access. Ideally it > > Hu? Try > LogLevel VERBOSE Your eloquent repl

is there a way to block sshd trolling?

2005-09-23 Thread John Marten
You know what i mean? Every day I get some script kiddie, or adult trying to guess usernames or passwords. I've installed the newest version of SSH, so i'm covered there. But I still get a dozen or 2 of the "sshd Invalid user somename from ###.##.##.###" "input_userauth_request: ivalid user somenam

Question about atheros driver??

2005-09-23 Thread [EMAIL PROTECTED]
Hi all, Is atheros driver supported under Alpha platform on OpenBSD 3.7?? -- CL Martinez carlopmart {at} gmail {d0t} com

Re: Dell 2650, Stupid Adaptec Controller, and Daily Crashes

2005-09-23 Thread Ingo Schwarze
Hi Stuart, > Who knows, if you don't write much to disk, you > might be alright for weeks at a time. i cannot confirm that the AAC problems were related to load. To the contrary, my impression was that the crashes caused by my Adaptec AAC 2410-SA occurred at random, even when there was no load w

Re: Storage Server

2005-09-23 Thread Reg
Marco Peereboom wrote: On Wed, Sep 21, 2005 at 02:05:31PM -0600, Tom Geman wrote: I was hoping someone here could answer a few questions. Can I install OpenBSD on this PV 220, or is it just a bunch of disks with no processor? This question is very ambiguous. You can't install OpenBS

Any advice on 'Indemnification'? (US Only, obviously)

2005-09-23 Thread L. V. Lammert
I have been working with a local OS friendly hosting company to add support for OpenBSD. Unfortunately, they also support with Red Hat, SuSE, and Apple, and these vendors offer an 'Open Source Indemnification', ostensibly protecting against legal action from contributors. Of course, the OBSD p

Re: Dell 2650, Stupid Adaptec Controller, and Daily Crashes

2005-09-23 Thread Marco Peereboom
On Fri, Sep 23, 2005 at 09:08:28AM -0500, eric wrote: > First of all, thanks everyone for your replies. They are much appreciated. > > On Thu, 2005-09-22 at 18:53:23 -0500, Marco Peereboom proclaimed... > > > Have you tried by any chance tried a 3.8 with aac enabled? > > This seems to go wrong in

Re: em/carp switches slower than fxp/carp

2005-09-23 Thread Bill Marquette
Any chance the em's are on a switch doing spanning tree? Or that the fxp port (on the master is set to port fast)? Sounds like STP locking out the em ports on the master to me. --Bill On 9/23/05, Stephan A. Rickauer <[EMAIL PROTECTED]> wrote: > Hello, > > is there any known problem related to e

Re: MegaRAID SCSI 320-1

2005-09-23 Thread alexyklee
I checked OpenBSD/i386, saw MegaRAID 320 was supported. I intend to get a MegaRAID SCSI 320-1 Kit(3201064KIT) - per LSI LOGIC catalog. Supported by 3.7 stable ? Thanks.

Re: Dell 2650, Stupid Adaptec Controller, and Daily Crashes

2005-09-23 Thread eric
First of all, thanks everyone for your replies. They are much appreciated. On Thu, 2005-09-22 at 18:53:23 -0500, Marco Peereboom proclaimed... > Have you tried by any chance tried a 3.8 with aac enabled? > This seems to go wrong in em and not aac. I haven't, yet. I'll just checkout a 3.8-BETA fr

Clamav problem

2005-09-23 Thread Cristian Del Carlo
Hi list, I have an odd problem with clamav. I am following the openbsd 3.7 (release + fix) and i have clamav-0.86.2p0, smtp-vilter and sendmail. When a mail with a zip attachment arrives sometimes i have the following message in /var/log/maillog : Milter: data, reject=451 4.3.2 Please try again

em/carp switches slower than fxp/carp

2005-09-23 Thread Stephan A. Rickauer
Hello, is there any known problem related to em interfaces and carp? They take 25 seconds longer to switch status from master to backup compared to an fxp one ... Output of 'while true; do date; ifconfig| grep "carp:"; sleep 1;done' while rebooting the master (=advskew 50): Fri Sep 23 14:2

em/carp switches slower than fxp/carp

2005-09-23 Thread Stephan A. Rickauer
on 3.7-STABLE ... -- Stephan A. Rickauer Institut für Neuroinformatik Universität / ETH Zürich Winterthurerstrasse 190 CH-8057 Zürich Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53 http://www.ini.ethz.ch

Re: Portmap non-local set / unset attempt

2005-09-23 Thread frantisek holop
hmm, on Thu, Sep 22, 2005 at 07:09:12PM -0600, Theo de Raadt said that > It IS POSSIBLE to set something up and have it be secure and NOT TOUCH > IT, because many people have OpenBSD machines running older releases > running without any modification for YEARS now, RISK FREE, without > having to upd

RE: Re: Portmap non-local set / unset attempt

2005-09-23 Thread tony
Making is a process. Toast is not a process. >- --- Original Message --- - >From: [EMAIL PROTECTED] >To: misc@openbsd.org >Sent: Fri, 23 Sep 2005 02:30:10 > >[EMAIL PROTECTED] wrote: > >>> Security is everything you've ever said, plus a >process. >> >> If it is secure, it doesn't

Re: Portmap non-local set / unset attempt

2005-09-23 Thread Szechuan Death
[EMAIL PROTECTED] wrote: Security is everything you've ever said, plus a process. If it is secure, it doesn't need a process. So why would security be a process again? Because of the vendors making "mistakes" and fix it later? Jimmy Scott It is a "process" in the same way that "making toast

Re: Portmap non-local set / unset attempt

2005-09-23 Thread Martin Schröder
On 2005-09-23 00:05:14 -0700, Wolfgang S. Rupprecht wrote: > appreciable added risk. The only loose end is that sshd doesn't > currently log the RSA/DSA key that is used to gain access. Ideally it Hu? Try LogLevel VERBOSE Best Martin -- http://www.tm.oneiros.de

Re: Portmap non-local set / unset attempt

2005-09-23 Thread Wolfgang S. Rupprecht
Tim Hammerquist <[EMAIL PROTECTED]> writes: > [*] I would consider leaving PermitRootLogin enabled a firing > offense in itself. PermitRootLogin is needed for rdisting. Without that you end up having to maintain N systems. /etc/ssh/sshd_config: Protocol 2 PermitRootLogin without-password Pa