Install XFCE in OpenBSD
$ cd /usr/ports/x11/xfce4
$ make show=PKGNAME | awk '$1 !~ /===>/' > foo
# pkg_add `cat foo`
# cd
# Xorg -configure
# cp xorg.conf.new /etc/X11/xorg.conf
$ echo "exec startxfce4" > ~/.xinitrc
$ startx
Install ports collection in OpenBSD
The ports tarball must match the installed release; this example fetches the 4.0 tree (the sections below use 4.1). The download is plain FTP with nothing to verify it against, so take it from the master site or a mirror you trust.
$ cd /tmp
$ ftp ftp://ftp.openbsd.org/pub/OpenBSD/4.0/ports.tar.gz
$ cd /usr
$ sudo tar xzf /tmp/ports.tar.gz
To install a package for the 4.1 release on an i386 machine off the ftp site (including dependencies), do:
# export PKG_PATH=ftp://openbsd.ftp.fu-berlin.de/pub/OpenBSD/4.1/packages/i386/
# pkg_add name.tgz
Keep the trailing slash on PKG_PATH: pkg_add of this era simply appends the package name to it. Packages of this era are also unsigned, so whatever mirror you name here is trusted completely; choose it accordingly.
Ports and Packages Update for an OpenBSD Release
To grab the stable branch for the 4.1 release:
$ cd /usr/ports
$ cvs -q -d anoncvs@openbsd.spline.de:/cvs up -r OPENBSD_4_1 -Pd
Generating passwords with Perl
The two-argument crypt() call produces the same hash format as the mkpasswd tool; the string passed as the second argument is the salt and also selects the algorithm.
DES (salt: exactly two characters from [a-zA-Z0-9./]; only the first 8 characters of the password are used):
mkpasswd
perl -e 'printf "%s\n", crypt("pass", "two-letter-salt")'
MD5 (salt: up to 8 characters from the same alphabet, wrapped in $1$ and $):
mkpasswd --hash=md5
perl -e 'printf "%s\n", crypt("pass", "\$1\$6-8-letter-salt\$")'
PLAIN-MD5 (the {SCHEME} prefix form Dovecot uses; an unsalted MD5 of the password):
perl -MDigest::MD5 -e 'printf "{PLAIN-MD5}%s\n", Digest::MD5::md5_hex("pass")'
DIGEST-MD5 (same prefix form; MD5 of "user:realm:pass", so user name and realm must match the account the hash is stored for):
perl -MDigest::MD5 -e 'printf "{DIGEST-MD5}%s\n", Digest::MD5::md5_hex("user:realm:pass")'
Replace the salt placeholders with freshly generated random characters for every password: a fixed salt lets an attacker build one lookup table for all your hashes. The two MD5 schemes are unsalted and fast to compute, so prefer the crypt() forms (or a stronger scheme if the consuming software supports one) where you have the choice.
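As an added example (not from the page), the following Python script produces the same four formats with random salts instead of the placeholder strings. PLAIN-MD5 and DIGEST-MD5 come straight from hashlib; the $1$ form is reimplemented from the md5crypt algorithm that crypt(3) uses, so it runs without the crypt module, which newer Python releases no longer ship. The user name, realm and passwords are made up for the demonstration.

```python
"""Password hash generation with random salts (added example, not from the page).

hashlib reproduces the PLAIN-MD5 and DIGEST-MD5 forms directly. The
modular-crypt "$1$salt$" form is reimplemented from the md5crypt algorithm
(the MD5-based crypt(3) scheme), so no crypt module is needed.
"""
import hashlib
import secrets

# the crypt(3) salt/output alphabet, in the order md5crypt's to64() uses
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def random_salt(length):
    """Salt drawn from the crypt alphabet with the OS CSPRNG: 2 chars for DES, 8 for MD5."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def _to64(value, count):
    """md5crypt's custom base64: 6 bits at a time, least significant group first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """Return "$1$<salt>$<22 chars>", the MD5-based crypt(3) hash for the given salt."""
    pw, salt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for i in range(len(pw), 0, -16):           # mix in alt once per 16 bytes of password
        ctx.update(alt[:min(i, 16)])
    i = len(pw)
    while i:                                    # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                       # the fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    out += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + out


def plain_md5(password):
    """{PLAIN-MD5}: unsalted MD5 of the password; fast and trivially brute-forced."""
    return "{PLAIN-MD5}" + hashlib.md5(password.encode()).hexdigest()


def digest_md5(user, realm, password):
    """{DIGEST-MD5}: MD5 of "user:realm:password", bound to that user and realm."""
    return "{DIGEST-MD5}" + hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


if __name__ == "__main__":
    # constructed credentials for the demonstration
    print(md5_crypt("password", random_salt(8)))
    print(plain_md5("password"))
    print(digest_md5("user", "realm", "password"))
```

Running it twice gives two different $1$ hashes for the same password, because the salt is fresh each time, while the two MD5 scheme outputs never change; that is the difference the page's placeholder salts hide.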
Rails install on FreeBSD
Do you need a Rails installation with FastCGI, MemCache-Client and native MySQL/PostgreSQL/SQLite support? It is very simple. Try this:
# cd /usr/ports/www/rubygem-rails
# make install clean
... that's all!
FreeBSD FTP tips & tricks
Q. Does anyone know if the default ftp server from FreeBSD allows me to give access to users only for ftp, no shell access, to upload files to their home directories?
A. The default ftpd will work with a little tweaking.
touch /bin/ftpshell
echo "/bin/ftpshell" >> /etc/shells
When you add your users, set their shell to /bin/ftpshell
echo USERNAME >> /etc/ftpchroot
The users will be able to login via ftp and nothing else because their shell is a crap fake shell. The ftpchroot will lock them into their home directory very effectively.
Bandwidth management with FreeBSD (using ipfw)
You have FreeBSD installed on your server and you want to manage your bandwidth; here is a short example to start. The pipes are dummynet pipes, so the kernel needs dummynet (options DUMMYNET, or load the dummynet module). Replace 192.168.2.x with the client's address, or use a network such as 192.168.2.0/24 to shape the whole subnet through one pipe:
ipfw add pipe 1 ip from any to 192.168.2.x out
ipfw add pipe 2 ip from 192.168.2.x to any in
ipfw pipe 1 config bw 10KB/s queue 10 # download speed
ipfw pipe 2 config bw 5KB/s queue 10 # upload speed
How to clone an OpenVZ virtual machine
I sometimes need to clone a VPS in an OpenVZ environment, so here you can find three methods to do this task. Whichever you use: stop the source container first (the private area of a running container is not consistent), copy with something that preserves ownership, permissions and device nodes, and give the clone its own address and hostname before starting it (vzctl set 202 --ipdel OLD_IP --ipadd NEW_IP --hostname NEW_NAME --save), otherwise both containers come up with the same IP.
first option:
# vzctl stop 101
Stopping VE ...
VE was stopped
VE is unmounted
# cp -a /vz/private/101 /vz/private/202
# cp /etc/vz/conf/101.conf /etc/vz/conf/202.conf
# vzctl start 202
Starting VE ...
Initializing quota ...
VE is mounted
Setting CPU units: 1000
VE start in progress...
(cp -a, not cp -r: -r alone drops ownership and special files and leaves the clone unbootable.)
the second option:
# mkdir /vz/private/new_VEid
# cd /vz/private/old_VEID
# tar cf - . | ( cd /vz/private/new_VEid && tar xpf - )
# cp /etc/vz/conf/old_VEID.conf /etc/vz/conf/new_VEID.conf
and the third option:
# OLDVE=222 NEWVE=333 # Just an example
# vzctl stop $OLDVE
# mkdir /vz/root/$NEWVE
# cp /etc/vz/conf/$OLDVE.conf /etc/vz/conf/$NEWVE.conf
# cp -a /vz/private/$OLDVE /vz/private/$NEWVE
# vzctl start $NEWVE; vzctl start $OLDVE
Backup in a single command line
If you want to make a simple backup of a directory and send the archive over ssh to another machine, here is a useful one-liner:
# tar czvf - /usr/local/etc/www/data | ssh user@IP "cat > www.tar.gz"
A Simple Firewall for Linux Server
The firewall below lets in SSH, HTTP and FTP. To slow down SSH brute-force dictionary attacks it uses the iptables recent match module for connection rate limiting. It is intended for a host with a single interface connected to the net, e.g. a webserver.
Hint: before enabling it, add this line to /etc/crontab:
*/5 * * * * root /etc/init.d/simplefirewall stop >> /var/log/firewall.stop
and check /var/log/firewall.stop to make sure it runs. This will open your firewall again after 5 minutes to avoid locking yourself out. When everything works as expected, comment it out.
#!/bin/bash
# Very simple firewall for a single interface
IF="eth0" #Interface
HIPORT="1024:65535" #Highports (dont change)
IPTABLES=`which iptables` || IPTABLES="/usr/sbin/iptables"
case $1 in
close)
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
echo "Firewall closed, all connections blocked"
exit 0
;;
stop)
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
echo "Firewall open, all connections allowed"
exit 0
;;
start)
# First of all, flush all rules
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
# set default policy and create additional chains
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N dropchain
$IPTABLES -N ssh
$IPTABLES -N blacklist
# enable additional kernel security
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/$IF/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/$IF/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/$IF/log_martians
# tune tcp params see for info:
# http://www.ussg.iu.edu/hypermail/linux/kernel/0202.1/0436.html
echo "30" > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo "5" > /proc/sys/net/ipv4/tcp_keepalive_probes
echo "900" > /proc/sys/net/ipv4/tcp_keepalive_time
# local processes:
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# icmp stuff:
$IPTABLES -A INPUT -i $IF -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -i $IF -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type source-quench -j ACCEPT
$IPTABLES -A INPUT -i $IF -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT -i $IF -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A INPUT -i $IF -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A OUTPUT -o $IF -p icmp --icmp-type fragmentation-needed -j ACCEPT
# let answers out (there is no rule for NEW outbound connections, so with the
# OUTPUT policy of DROP the host itself cannot open connections, e.g. DNS lookups
# or package updates; add explicit OUTPUT rules for those if the host needs them):
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -o $IF -p tcp -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED -o $IF -p udp -j ACCEPT
# let all answers in:
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -i $IF -p tcp -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED -i $IF -p udp -j ACCEPT
# ssh rate limit support - iptables recent module needed!
# see http://www.e18.physik.tu-muenchen.de/~tnagel/ipt_recent/
# prepare blacklist
$IPTABLES -A blacklist -m recent --name blacklist --set
$IPTABLES -A blacklist -j LOG --log-level info --log-prefix "FW log BLACKLIST: "
$IPTABLES -A blacklist -j DROP
# drop everyone currently on the blacklist
$IPTABLES -A ssh -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP
# count incomers
$IPTABLES -A ssh -m recent --set --name counting1
$IPTABLES -A ssh -m recent --set --name counting2
$IPTABLES -A ssh -m recent --set --name counting3
$IPTABLES -A ssh -m recent --set --name counting4
# add to blacklist on rate exceed. The recent module remembers at most
# ip_pkt_list_tot packets per address (default 20, module maximum 255), so the
# 80-hit rule only works with ip_pkt_list_tot raised on module load and the
# 400-hit rule can never fire; current kernels refuse a --hitcount above the limit.
$IPTABLES -A ssh -m recent --update --name counting1 --seconds 20 --hitcount 5 -j blacklist
$IPTABLES -A ssh -m recent --update --name counting2 --seconds 200 --hitcount 15 -j blacklist
$IPTABLES -A ssh -m recent --update --name counting3 --seconds 2000 --hitcount 80 -j blacklist
$IPTABLES -A ssh -m recent --update --name counting4 --seconds 20000 --hitcount 400 -j blacklist
# accept at the end of SSH chain
$IPTABLES -A ssh -j ACCEPT
# put all SSH traffic in the ssh chain
$IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport ssh -j ssh
########### start of custom rules ############
# let HTTP in
$IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport http -j ACCEPT
# let FTP in (needs loaded ip_conntrack_ftp module)
$IPTABLES -A INPUT -m state --state NEW -i $IF -p tcp --sport $HIPORT --dport ftp -j ACCEPT
########### end of custom rules ############
# drop & log everything else
$IPTABLES -A INPUT -j dropchain
$IPTABLES -A OUTPUT -j dropchain
# dropchain: every packet will be dropped and, if defined, logged...
$IPTABLES -A dropchain -p icmp -j DROP #dont log outgoing icmp
$IPTABLES -A dropchain -p tcp -m state --state INVALID -j LOG --log-level info --log-prefix "FW log INVALID: "
$IPTABLES -A dropchain -p tcp -m state --state INVALID -j DROP #otherwise INVALID packets are logged a second time below
$IPTABLES -A dropchain -j LOG --log-level info --log-prefix "FW log: " #log everything
$IPTABLES -A dropchain -j DROP
#done
echo "Firewall up and running..."
exit 0
;;
*)
echo "usage: start | stop | close"
exit 1
;;
esac
exit 1;
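To see what the four recent-match windows of the ssh chain above actually do, here is an added simulation in Python; it is not part of the original script. It assumes the recent module's semantics as the kernel implements them: a per-address list of at most ip_pkt_list_tot timestamps (default 20, module maximum 255), --set appends the current time, --update with --seconds/--hitcount matches when at least hitcount remembered stamps fall inside the window and refreshes the entry only when it matched, and a --hitcount above ip_pkt_list_tot is refused at load time. Times are in seconds and the connection attempts are constructed, not captured traffic.

```python
"""Simulation of the ssh chain's recent-match rate limiting (added example,
not part of the original script). It models the kernel's recent module:
each list keeps at most ip_pkt_list_tot stamps per address (default 20,
module maximum 255), --set appends the current time, and --update with
--seconds/--hitcount matches when at least hitcount stamps fall inside the
window, refreshing the entry only when it matched. Times are seconds; the
connection attempts below are constructed, not captured traffic.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT_DEFAULT = 20
IP_PKT_LIST_TOT_MAX = 255      # module parameter limit: the stamp index is a single byte

# (--seconds, --hitcount) of the four counting rules in the script above
SCRIPT_WINDOWS = [(20, 5), (200, 15), (2000, 80), (20000, 400)]
BLACKLIST_SECONDS = 600


class RecentList:
    def __init__(self, cap):
        self.stamps = defaultdict(lambda: deque(maxlen=cap))

    def set(self, ip, now):
        """-m recent --set: remember this packet; the oldest stamp drops off at cap."""
        self.stamps[ip].append(now)

    def update(self, ip, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount H; refreshes the entry on a match."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


class SshChain:
    """The 'ssh' chain: blacklist check, --set on every counter, thresholds, ACCEPT."""

    def __init__(self, windows, cap=IP_PKT_LIST_TOT_DEFAULT):
        # The kernel refuses both an oversized ip_pkt_list_tot and a --hitcount
        # above it, so with default settings only the 5- and 15-hit rules load.
        if cap > IP_PKT_LIST_TOT_MAX:
            raise ValueError(f"ip_pkt_list_tot {cap} exceeds the module maximum {IP_PKT_LIST_TOT_MAX}")
        for seconds, hitcount in windows:
            if hitcount > cap:
                raise ValueError(f"hitcount {hitcount} exceeds ip_pkt_list_tot={cap}")
        self.windows = windows
        self.blacklist = RecentList(cap)
        self.counters = [RecentList(cap) for _ in windows]

    def new_connection(self, ip, now):
        """Verdict for one NEW tcp/22 packet from ip at time now."""
        if self.blacklist.update(ip, now, BLACKLIST_SECONDS, 1):
            return "DROP"          # still blacklisted, and this retry restarted the 600 s timer
        for counter in self.counters:
            counter.set(ip, now)   # every NEW packet is recorded in all counting lists
        for counter, (seconds, hitcount) in zip(self.counters, self.windows):
            if counter.update(ip, now, seconds, hitcount):
                self.blacklist.set(ip, now)
                return "BLACKLIST"  # -j blacklist: --set, LOG, DROP
        return "ACCEPT"


def run(attempts, windows, cap=IP_PKT_LIST_TOT_DEFAULT):
    """Feed (time, ip) NEW connections through the chain and return the verdicts."""
    chain = SshChain(windows, cap)
    return [chain.new_connection(ip, t) for t, ip in attempts]


# Constructed scenarios: five attempts in five seconds followed by retries,
# and a patient attacker connecting every 20 seconds for just over an hour.
BURST = [(t, "203.0.113.7") for t in (0, 1, 2, 3, 4, 5, 500, 1050, 1700)]
SLOW = [(20 * n, "198.51.100.9") for n in range(200)]

if __name__ == "__main__":
    loadable = SCRIPT_WINDOWS[:3]          # the 400-hit rule cannot load on any setting
    for (t, ip), verdict in zip(BURST, run(BURST, loadable, cap=255)):
        print(f"t={t:5d} {ip} {verdict}")
    slow = run(SLOW, loadable, cap=255)
    print("slow attacker blacklisted at attempt", slow.index("BLACKLIST") + 1,
          "with ip_pkt_list_tot=255; with the defaults:",
          set(run(SLOW, SCRIPT_WINDOWS[:2])))
```

Two things fall out of running it. The blacklist rule uses --update, so every retry while blocked restarts the 600 s timer: the burst client is still dropped at t=1050, 1050 seconds after it was listed, and only gets through at t=1700 once it has stayed quiet for more than 600 s. And only the 5- and 15-hit rules work with the module defaults; a client that knocks every 20 seconds is never caught by them, and is caught by the 80-hit rule only if the module was loaded with ip_pkt_list_tot raised (for example ip_pkt_list_tot=255 as a module parameter), which is what cap=255 stands for.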
Play a MP3 list over HTTP
All my mp3s are stored on my file server. Normally I just mount the mp3 directory on my current workstation (either via NFS or Samba). I have some playlists too, which store all files with relative paths (relative to the playlist location). This works fine.
But sometimes I want an easy way to listen to a playlist without mounting anything (e.g. when using the laptop). So I made the mp3 files and playlists available on my local Apache webserver and use the following short CGI to get a playlist with http addresses for the files. The list parameter names the playlist below the web root and comes straight from the request, so it has to be validated before it is used as a file name; otherwise a request with ../ in it reads any file the web server process can, and the CGI runs with whatever rights Apache has.
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use File::Basename;

my $WEBDIR    = '/var/www';
my $WEBSERVER = 'xerxes';

my $q    = CGI->new;
my $list = $q->param('list');

# The list parameter comes from the client. Accept only /dir/name.m3u with plain
# characters in every component: this rules out "..", so nothing outside $WEBDIR
# can be read, and it rules out "|" and ";", which a two-argument open() would
# have handed to a shell.
unless (defined $list && $list =~ m{^(/\w[\w.+-]*)+\.m3u\z}) {
    print "Status: 400 Bad Request\r\nContent-type: text/plain\r\n\r\nbad playlist name\n";
    exit 0;
}
my $dir = dirname($list);
$dir = '' if $dir eq '/';          # playlist in the web root: avoid a double slash

open(my $fh, '<', "$WEBDIR$list") or die "Could not read $WEBDIR$list";
my @m3u = <$fh>;
close $fh;

print "Content-type: audio/x-mpegurl\r\n\r\n";
foreach my $file (@m3u) {
    $file =~ s/\r?\n\z//;                     # strip the line ending before building the URL
    next if $file eq '' || $file =~ /^#/;     # skip blank lines and m3u comments
    my $path = "$dir/$file";
    $path =~ s/([^A-Za-z0-9\-_.~\/])/sprintf("%%%02X", ord($1))/ge;   # percent-encode spaces etc.
    print "http://$WEBSERVER$path\n";
}
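The same input handling as a stand-alone Python example, added here and not the page's script: resolve_playlist() does the check the CGI needs before it opens a file named by the request, a strict name pattern followed by realpath() and a containment test so that neither ../ components nor a symlink below the web root can reach outside it, and build_playlist() rewrites the relative m3u entries to absolute, percent-encoded http URLs. The web root, host name, hostile names and playlist content are constructed for the demonstration.

```python
"""Input handling for the playlist CGI above (added Python example, not the
page's script). resolve_playlist() validates a request-supplied playlist name
and confines it to the web root; build_playlist() rewrites the relative m3u
entries to absolute http URLs. Everything in demo() is constructed.
"""
import os
import re
import tempfile
from urllib.parse import quote

# /dir/sub/name.m3u: every component starts with a word character, so "..",
# ".hidden" and shell metacharacters such as "|" and ";" are rejected outright
SAFE_NAME = re.compile(r"^(/\w[\w.+-]*)+\.m3u$")


def resolve_playlist(webdir, list_param):
    """Return the absolute path of a playlist inside webdir, or raise ValueError."""
    if not list_param or not SAFE_NAME.match(list_param):
        raise ValueError("playlist name must look like /dir/name.m3u")
    root = os.path.realpath(webdir)
    path = os.path.realpath(root + list_param)
    # realpath follows symlinks, so a link below webdir that points at /etc is caught here
    if os.path.commonpath([root, path]) != root:
        raise ValueError("playlist escapes the web root")
    return path


def build_playlist(m3u_lines, server, list_param):
    """Turn the relative m3u entries into http URLs, skipping blank and comment lines."""
    base = os.path.dirname(list_param).rstrip("/")
    urls = []
    for line in m3u_lines:
        name = line.rstrip("\r\n")
        if not name or name.startswith("#"):
            continue
        urls.append("http://" + server + quote(f"{base}/{name}", safe="/"))
    return urls


def demo():
    """Build a throw-away web root with one playlist and a hostile symlink, then exercise both functions."""
    webdir = tempfile.mkdtemp()
    os.makedirs(os.path.join(webdir, "mp3", "rock"))
    with open(os.path.join(webdir, "mp3", "rock", "list.m3u"), "w") as fh:
        fh.write("#EXTM3U\nTrack 01.mp3\n\nB&W/Song #2.mp3\n")      # constructed playlist
    os.symlink("/etc/hostname", os.path.join(webdir, "mp3", "link.m3u"))  # escape attempt via symlink
    hostile = ["../../../etc/passwd", "/mp3/../../etc/passwd", "/mp3/rock/list.m3u|",
               ";id|", "/mp3/link.m3u", None]                       # constructed request values
    rejected = []
    for name in hostile:
        try:
            resolve_playlist(webdir, name)
        except ValueError:
            rejected.append(name)
    with open(resolve_playlist(webdir, "/mp3/rock/list.m3u")) as fh:
        urls = build_playlist(fh, "xerxes", "/mp3/rock/list.m3u")
    return rejected, urls


if __name__ == "__main__":
    rejected, urls = demo()
    print("rejected:", rejected)
    print("\n".join(urls))
```

The pattern check alone already stops the traversal and metacharacter cases; the realpath/commonpath step is there for the case the pattern cannot see, a symlink that somebody managed to place under the web root.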