Archive

Archive for the ‘NetBSD’ Category

Booting NetBSD on Mac (iMac DV+)

December 17th, 2008 No comments

This is what to use to boot NetBSD MacPPC CD on an iMac DV+ (at least):

boot cd:,ofwboot.xcf netbsd.macppc

or

boot cd:0,ofwboot.xcf netbsd.macppc

You may not need to put netbsd.macppc depending of the CD


To boot on HD try this:

boot cd:,ofwboot.xcf hd:/nebtsd

or

boot cd:,ofwboot.xcf hd:13/nebtsd

Where 13 is the number of the netbsd partition (usualy near 13)

Categories: NetBSD Tags: ,

Add IPF rule automatically from log files

December 17th, 2008 No comments

Here is a very simple command to add a rule to your firewall (IPF in my example) when you match something in a log file (apache in this case)

for item in `tail -n 150 access_log | grep "c+dir" | awk '{print $1}'` ;
  do echo "block in quick on ne0 proto ip from $item to any" >> /etc/ipf.conf ;
done

This read 150 last line of access_log using tail, use grep as matching operator, use awk to catch ip (note that you could do /c+dir/{print $1} in awk to don’t use grep) then add a blocking rule in /etc/ipf.conf

You may want to add a comment to the end of the blocking rule saying why it was blocked.

Don’t forget to reload the firewall, /sbin/ipf -Fa -f /etc/ipf.conf for ipf, from time to time with cron to active the rule.

You may reload the firewall each time with

for item in `tail -n 150 access_log | grep "c+dir" | awk '{print $1}'` ;
  do echo "block in quick on ne0 proto ip from $item to any" >> /etc/ipf.conf; /sbin/ipf -Fa -f /etc/ipf.conf ;
done

This system has 2 problems:

  • You must run tail from cron as -f can’t work with the for statement.
  • Rules are added at the end of ipf.conf, this is very useless if you have pass in quick proto ip any to any port 80 before.

So, here is a Perl script that will do a better job.

my $IPF_FILE="/etc/ipf.conf";
my $TMP_FILE="/tmp/ipf.new.rules";
my %h;
open (FILE,"tail -fn 1 /usr/local/apache/logs/access_log|") || die "can't open FILE: $!";
 while (<FILE>) {
  if ($_ =~ /^(.*)s-s-.*c+dir/) {
   if(exists($h{"$1"})) { $h{"$1"}++ }
   else {
    $h{"$1"} = 1;
    open(IPF, "< $IPF_FILE") or die "can't open $IPF_FILE: $!";
    open(TMP, "> $TMP_FILE") or die "can't open $TMP_FILE: $!";
    print TMP "block in log quick on ne0 from $1 to anyn" or die "can't write to $TMP_FILE: $!";
    while (<IPF>) { (print TMP $_) or die "can't write to $TMP_FILE: $!"; }
    close(IPF)                  or die "can't close $IPF_FILE: $!";
    close(TMP)                  or die "can't close $TMP_FILE: $!";
    rename("$TMP_FILE", "$IPF_FILE") or die "can't rename $TMP_FILE to $IPF_FILE: $!";
    system("ipf -Fa -f $IPF_FILE");
   }
  }
 }
close (FILE);
}

Incrementation of $h{“$1”} is totally useless here but you may use it for something (like waiting more than one attemp of the IP before adding it to IPF). $h is used to don’t firewall two time the same IP.

You may think that $h is not usefull because as we have blocked the IP, we will not get any new request from it. Not really

  • Tail is not working really in live, it check time to time for new line then print them, so between the first request of the IP and the reload of the firwall, you may have more than one request (don’t forget that reloading ipf take time also);
  • My IPF rule is very strict, you may only block port 80, so you can still get request on port 443, or things like that.
Categories: NetBSD, Perl, Unix Tags: , , ,

Reminder to add an user on NetBSD

December 17th, 2008 No comments

This is just a little reminder about adding user on NetBSD.
The basic way is to use :

# useradd -G <group_2> -b /home -g <group_1> -k /etc/skel -m -s /usr/pkg/bin/bash -v <user>

This add <user> in primary group <group_1> and secondary group <group_2>, create is home in /home/<user> using /etc/skel as skeleton. It also set the shell to bash.

N.B: in /etc/passwd you will see the primary group of each user.
In /etc/group you will find, for each group, the list of user that are inside the group as secondary group.
N.B: You can also use id command to see all group of an user, it will display uid, gid (primary group) then all secondary group

Categories: NetBSD Tags: ,

One Time Password authentication system

December 17th, 2008 No comments

S/key is an one time password authentication (OTP) system that prevent you from sending password in clear.
It’s especially useful with system like telnet.

It’s quite easy to setup on NetBSD. To start, run

# skeyinit -s <user>
[Adding user]
You need the 6 english words generated from the "skey" command.
Enter sequence count from 1 to 10000: Enter anything you want
Enter new seed [default NetB14423]: Just press return or enter something else
otp-md4 <sequence count> <seed>
s/key access password: <Follow instruction bellow>

To get the s/key access password, you have to run the following command but be careful to do not run it on the remote host through telnet, run it locally !

# skey <sequence count you entered for skeyinit> <seed you use in skeyinit>

This will ask you for a password (use a secure one) and give you 6 english word, use them to complete the “s/key access password:” question.

Your S/Key authentification is ready !


Next time you do a telnet connexion to the host you will get this prompt

login: <put your username>
Password [otp-md4 <random number> <seed you use in skeyinit>]:

To know the 6 english word password to use, you have to run the following command (on you local computer for example)

# skey <random number> <seed you use in skeyinit>

In fact the random number will be incremented by one each time you log in. You can easily generate (in advance) all 6 english word password for number X to Z, with the following command (another time, run this locally) :

skey -n (Z-X) Z <seed you use in skeyinit>

Z-X is the number of password to generate. Z mean the last generated password is for random number Z

N.B: You clear password will still work if you use it.


Related link: S/Key on Wikipedia

Categories: NetBSD, Unix Tags: