Monday, December 31, 2012

Reverse ssh tunnel

ssh -fNR 2222:localhost:22 me@MyServer

Similar to -fNL, but with -R for a reverse tunnel instead.

REFERENCE:
http://portable.easylife.tw/2043 (Chinese)

ssh keep-alive

/etc/ssh/sshd_config:

ClientAliveInterval 60

The other 'KeepAlive' options should be turned on as well.

REFERENCE:
http://madphilosopher.ca/2005/07/an-ssh-keep-alive-tip/
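The two tips above belong together: a reverse tunnel is only useful if a dead link is noticed and the tunnel re-established. This added example (not from the post) supervises the -R tunnel with client-side keep-alives; me@MyServer and the ports are from the post, the retry interval and option values are assumptions.

```shell
#!/bin/sh
# Keep the reverse tunnel from the post alive: port 2222 on MyServer is forwarded
# back to this host's sshd (port 22). Added example, not from the original post;
# me@MyServer and the ports come from the post, the retry interval is assumed.
USER_NAME=me
REMOTE=MyServer
REMOTE_PORT=2222
LOCAL_PORT=22
RETRY_SECS=10

# Build the ssh argument list.
# -N: no remote command, -R: reverse forward (no -f: the loop below supervises).
# ServerAliveInterval/CountMax are the client-side keep-alives; together with
# ClientAliveInterval in sshd_config they let a dead link be detected on both
# ends instead of leaving a half-open tunnel whose remote port stays busy.
# ExitOnForwardFailure makes ssh exit if port 2222 cannot be bound remotely,
# so the loop retries rather than keeping a useless session open.
tunnel_args() {
    printf '%s ' -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 \
        -o ServerAliveCountMax=3 \
        -R "$REMOTE_PORT:localhost:$LOCAL_PORT" \
        "$USER_NAME@$REMOTE"
}

# Supervise: whenever ssh exits (link dropped, keep-alive timeout, bind failure),
# wait a little and reconnect.
run_tunnel() {
    while :; do
        # word splitting of the argument string is intended here
        ssh $(tunnel_args)
        echo "tunnel exited with status $?, retrying in ${RETRY_SECS}s" >&2
        sleep "$RETRY_SECS"
    done
}

if [ "${1:-}" = "run" ]; then
    run_tunnel
fi
```

Run it as `sh tunnel.sh run` from the machine behind the firewall; the sshd on MyServer should carry ClientAliveInterval 60 so that its side also drops stale sessions and frees port 2222.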

Sunday, December 9, 2012

Match Group ssh/sftp chroot


[...]
Match Group users
    ChrootDirectory /home
    AllowTCPForwarding no
    X11Forwarding no

REFERENCE:
http://www.howtoforge.com/restricting-users-to-sftp-plus-setting-up-chrooted-ssh-sftp-debian-squeeze

Tuesday, November 27, 2012

ifconfig alias


# cat /etc/hostname.dc0
inet 192.168.0.2 255.255.255.0 NONE media 100baseTX
inet alias 192.168.0.3 255.255.255.255
inet alias 192.168.0.4 255.255.255.255

Once you've made this file, it just takes a reboot for it to take effect. You can, however, bring up the aliases by hand using the ifconfig(8) utility. To bring up the first alias you would use the command:

# ifconfig dc0 inet alias 192.168.0.3 netmask 255.255.255.255

REFERENCE:
http://www.openbsd.org/faq/faq6.html#Setup.aliases

pftop filter specific pattern

Use -f to apply a filter expression, for example:

pftop -f 'src host 172.30.26.34'

Thursday, November 15, 2012

snmpd setup

It's pretty easy to enable snmpd on OpenBSD. Simply edit /etc/snmpd.conf to configure the interface snmpd should listen on, and leave the other settings at their defaults. Fire up snmpd and it will listen on UDP port 161.

Then you can use SNMP tools such as MRTG or Cacti to retrieve information via SNMP version 2.

Tuesday, November 6, 2012

get packages for current & previous version of OpenBSD

http://ftp.openbsd.org/pub/OpenBSD/ftplist

Only packages for the three most recent versions are available on the official FTP. Some mirror FTPs also keep packages for very early versions.

 

Tuesday, October 30, 2012

SSH: Agent Admitted Failure To Sign...

When you encounter the error message "SSH: Agent Admitted Failure To Sign..." with your new ssh key, simply log off the current session and log in again.

Another way to fix this within the current session is to run # ssh-add, which adds the new key to ssh-agent.

REFERENCE:
http://www.cyberciti.biz/faq/unix-appleosx-linux-bsd-agent-admitted-failuretosignusingkey/

ssh port-forwarding in the background

$ ssh -fNL 2222:localhost:2222 pride

REFERENCE:
Lucas, M. W. SSH Mastery: OpenSSH, Tunnels and Keys

Monday, October 29, 2012

chmod -R 700 ~/.ssh for authorized_keys

Permissions of 700 on ~/.ssh may be required for ssh key authentication to work!

Sunday, October 28, 2012

chroot sftp & batch it!

1) edit /etc/ssh/sshd_config:
Match User backup
ChrootDirectory /var/backup
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

2) # kill -HUP `cat /var/run/sshd.pid`

3) create the new user, generate a key, and set permissions:
# mkdir -p /home/backup/.ssh
# useradd backup
# ssh-keygen -t dsa
# cp id_dsa.pub /home/backup/.ssh/authorized_keys
# mkdir -p /var/backup/dir1
# chown root:wheel /var/backup
# chmod 755 /var/backup
# chown backup /var/backup/dir1

4) write a batch file, sftp_batch, for sftp:
cd dir1
put myfile

5) then fire up the sftp client for batch processing:
# sftp -b sftp_batch backup@localhost

REFERENCES:
http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny
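Both chroot recipes on this page (Match Group with ChrootDirectory /home, and Match User backup with /var/backup) depend on the chown root / chmod 755 steps: sshd refuses a chroot whose path has any component not owned by root or writable by group or others. This added script (not from the post) checks a chroot path against that rule before the first login attempt; the message text in the BAD line is my own wording.

```shell
#!/bin/sh
# Verify a ChrootDirectory before handing it to sshd. sshd requires every
# component of the chroot path to be a directory owned by root and not
# writable by group or others; otherwise the login fails with
# "bad ownership or modes for chroot directory". Added example, not from the
# post; it applies to both /home (Match Group) and /var/backup (Match User).

# Pure check on an ls -ld style mode string and an owner name, kept free of
# filesystem access so it can be exercised with constructed values.
# Returns 0 when acceptable, 1 otherwise.
check_chroot_entry() {
    mode=$1
    owner=$2
    [ "$owner" = "root" ] || return 1
    # in "drwxrwxrwx" the group write bit is column 6, the other write bit column 9
    case "$(printf '%s' "$mode" | cut -c6)" in w) return 1 ;; esac
    case "$(printf '%s' "$mode" | cut -c9)" in w) return 1 ;; esac
    return 0
}

# Check one real path with ls -ld (fields: mode links owner group ...).
check_one() {
    p=$1
    set -- $(ls -ld "$p")
    if check_chroot_entry "$1" "$3"; then
        printf 'ok   %s %s %s\n' "$1" "$3" "$p"
    else
        printf 'BAD  %s %s %s (need root-owned, not group/world writable)\n' "$1" "$3" "$p"
        return 1
    fi
}

# Walk from / down to the chroot directory, checking every component.
check_chroot_path() {
    path=""
    rc=0
    check_one / || rc=1
    for comp in $(printf '%s' "$1" | tr '/' ' '); do
        path="$path/$comp"
        check_one "$path" || rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then
    check_chroot_path "$1"    # e.g. sh check_chroot.sh /var/backup
fi
```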

Saturday, September 15, 2012

syslog to a remote central log host

# vi /etc/syslog.conf


*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none @loghost
auth,daemon,syslog,user.info;authpriv,kern.debug @loghost

=> save, then reboot!

Wednesday, August 29, 2012

Setting up ftpd


1) edit /etc/rc.conf as below then reboot, or:
ftpd_flags="-DllUSA" # for non-inetd use: ftpd_flags="-D"

2) manually fire up your ftpd:
# /usr/libexec/ftpd -DllUSA

3) edit the files below to configure the details of ftpd, such as the welcome message, hostname, denied users, and site-wide nologin. Remember that the ftp user's shell should be set to /sbin/nologin.

/etc/ftpchroot (important!!)
/etc/shells
/etc/ftpwelcome
/etc/myname
/etc/ftpusers
/etc/nologin

REFERENCES:
http://www.tongatapu.net.to/nix/OpenBSD/ftpServer.htm
http://www.twbsd.org/cht/book/ch15.htm

Monday, August 27, 2012

access logging with pf

1) edit /etc/pf.conf, then run #pfctl -f /etc/pf.conf. Of course you first have to define the $ macros and <> tables used below.


# Ignore IGMP in the log
# You can add this line if many IGMP packets are cluttering your log.
pass in on $int_if proto igmp all allow-opts

# Port mapping

pass in log on $ext_if proto tcp from <access_list> to $ext_ip port 22 rdr-to $inside_server_ip port 22

2) view the pf log as follows:

# tcpdump -n -e -ttt -r /var/log/pflog
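Reading the raw tcpdump output line by line gets old quickly. This added script (not from the post) summarises a pflog dump per action, rule, source and destination port, and flags blocked sources that touched many ports; the sample lines are constructed in the shape of the tcpdump output above, with documentation-range addresses.

```shell
#!/bin/sh
# Summarise a pflog dump: how many logged packets each source sent, per action,
# matching rule and destination port, so blocked scans and unexpected passes
# stand out. Added example, not from the post. Real use:
#   tcpdump -n -e -ttt -r /var/log/pflog | summarise_pflog
# The sample below is constructed in the shape of that tcpdump output.
SAMPLE='00:00:00.000000 rule 3/(match) pass in on em0: 203.0.113.5.51234 > 192.0.2.10.22: S 1:1(0) win 65535
00:00:01.204511 rule 3/(match) pass in on em0: 203.0.113.5.51236 > 192.0.2.10.22: S 2:2(0) win 65535
00:00:00.500321 rule 0/(match) block in on em0: 198.51.100.7.40000 > 192.0.2.10.22: S 3:3(0) win 1024
00:00:00.000912 rule 0/(match) block in on em0: 198.51.100.7.40001 > 192.0.2.10.23: S 4:4(0) win 1024
00:00:00.000877 rule 0/(match) block in on em0: 198.51.100.7.40002 > 192.0.2.10.25: S 5:5(0) win 1024'

# Output lines: "<count> <action> <rule> <src> <dport>", most frequent first.
summarise_pflog() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i > NF) next                 # not a pflog record, skip it
        rule = $(i+1); sub(/\/.*/, "", rule)       # "3/(match)" -> "3"
        action = $(i+2)                  # pass or block
        src = $(i+6); dst = $(i+8); sub(/:$/, "", dst)
        # tcpdump -n prints IPv4 as a.b.c.d.port: the last dotted field is the port
        n = split(src, s, "."); src = s[1] "." s[2] "." s[3] "." s[4]
        n = split(dst, d, "."); dport = d[n]
        count[action " " rule " " src " " dport]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Detection helper: for each blocked source, the number of distinct destination
# ports it was seen probing (a high number is the signature of a port sweep).
blocked_port_spread() {
    summarise_pflog | awk '$2 == "block" && !seen[$4 " " $5]++ { ports[$4]++ }
                           END { for (s in ports) print s, ports[s] }' | sort
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | summarise_pflog
    printf '%s\n' "$SAMPLE" | blocked_port_spread
fi
```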

Port mapping & NAT with pf

1) edit /etc/sysctl.conf to enable packet forwarding first. Then reboot.

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

2) edit /etc/pf.conf, and run #pfctl -f /etc/pf.conf.

# Port mapping
pass in on $ext_if proto tcp from any to $ext_ip port 80 rdr-to $inside_server_ip port 80

# NAT rules
# This is not necessary: pf is stateful and translates the replies for rdr-to rules automatically.
# pass out on $ext_if from $inside_server_ip port 80 to any nat-to $ext_if

Sunday, August 26, 2012

using Perl and CPAN

OpenBSD ships with a recent version of Perl; for example, OpenBSD 5.1 comes with Perl 5.12.

Therefore, if anything is lacking on your OpenBSD box, you can simply code it in Perl with its powerful CPAN library!

using xterm with copy/paste & X forwarding

The xterm that comes with the default OpenBSD installation is basically enough for heavy terminal users. After you log in via xdm, an xterm pops up for you under the Fvwm window manager. It supports copy (highlight text with your mouse), paste (middle-click your mouse), and X forwarding from other Unix-like machines.

Of course you have to turn on the forwarding options in /etc/ssh/ssh_config first for X forwarding to work.

write and publish your work with vi, lynx, and apache

It's pretty interesting to find that lynx is installed by default and that its homepage is set to openbsd.org, which is also a well-written HTML website without annoying scripts and cookies. Therefore, an ideal process for writing and publishing your own work simply on an OpenBSD box could be as follows.

1) edit HTML files with vi. It's the pen we write our work with.

2) put the HTML files into /var/www/htdocs and fire up apache; edit /etc/rc.conf if needed. That's how we publish our work.

3) use lynx to view our web pages. That's how we view our work. If anything needs to be corrected, go back to step 1 and repeat the whole process.

shell prompt & web browsing tips

1) enable xdm in /etc/rc.conf to start X at system startup.

2) after logging in via X, edit .profile and add PS1 to tune the shell prompt.

export PS1="simplebsd \w # "

3) the lynx text web browser is pre-installed; we can surf the net by typing #lynx !

Saturday, August 25, 2012

keep it simple to keep it secure

If you really want to keep your OpenBSD box secure, always keep it simple. DO NOT install any packages or ports unless you REALLY need them.

The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system.

As mentioned in the official FAQ.

monitor real-time connections with pftop

1) edit .profile in /root and add the following line; also execute it immediately. Change the version and architecture according to your situation.

export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.1/packages/amd64/

2) run #pkg_add -r pftop.

3) run #pftop, and you get all TCP/UDP connections passing through your OpenBSD box!

a simple http transparent proxy with relayd

1) edit /etc/pf.conf, then run #pfctl -f /etc/pf.conf.

# anchor for relayd(8)
anchor "relayd/*"
pass in quick inet proto tcp to port www divert-to 127.0.0.1 port 8080

2) edit /etc/relayd.conf, then run # /usr/sbin/relayd -d for console debugging.

dest = "cnn.com"

http protocol httpfilter {
        # Return HTTP/HTML error pages to the client
        return error
        # Block some well-known Instant Messengers
        label "Instant messenger disallowed!"
        response header filter "application/x-msn-messenger" from "Content-Type"
        response header filter "app/x-hotbar-xip20" from "Content-Type"
        response header filter "application/x-icq" from "Content-Type"
        response header filter "AIM/HTTP" from "Content-Type"
        response header filter "application/x-comet-log" from "Content-Type"
}

relay httpproxy {
        # Listen on localhost, accept diverted connections from pf(4)
        listen on 127.0.0.1 port 8080
        protocol httpfilter
        forward to $dest port 80
}

3) change $dest above to wherever you want. Edit /etc/rc.conf.local to start relayd at boot if needed!