Wednesday, August 29, 2012

Setting up ftpd

1) edit /etc/rc.conf as below, then reboot; or:
ftpd_flags="-DllUSA"   # -D runs ftpd standalone instead of from inetd; the minimal non-inetd setting is ftpd_flags="-D"

2) manually fire up your ftpd:
# /usr/libexec/ftpd -DllUSA

3) edit the files below to configure the details of ftpd, such as the welcome message, hostname, denied users, and the site-wide nologin. Remember that the ftp user's shell should be set to /sbin/nologin.

/etc/ftpchroot (important!!)
/etc/shells
/etc/ftpwelcome
/etc/myname
/etc/ftpusers
/etc/nologin
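A quick consistency check of these files, as an added example that is not part of the original post. It checks what the post states (the ftp account's shell is /sbin/nologin, and ftp is listed in /etc/ftpchroot) plus one assumption of mine, that root is denied in /etc/ftpusers; the file paths are parameters so it runs here against constructed sample files rather than the live /etc copies:

```shell
#!/bin/sh
# Added example (not from the original post): audit the ftpd files
# listed above.  Paths are parameters so the function can run on the
# constructed sample files below instead of the live /etc ones.

# ftpd_audit PASSWD FTPCHROOT FTPUSERS
# Prints one line per finding; returns 1 if anything is wrong.
ftpd_audit() {
    passwd="$1"; chroot_f="$2"; users_f="$3"
    rc=0

    # Field 7 of a passwd(5) line is the login shell.
    shell=$(awk -F: '$1 == "ftp" { print $7 }' "$passwd")
    if [ "$shell" != "/sbin/nologin" ]; then
        echo "FAIL: ftp account shell is '${shell:-<no ftp account>}', expected /sbin/nologin"
        rc=1
    fi

    # ftpchroot: one user (or @group) per line, optionally followed by a
    # directory; '#' starts a comment.  The ftp user must be jailed.
    if ! awk '$1 == "ftp" { found = 1 } END { exit !found }' "$chroot_f"; then
        echo "FAIL: ftp is not listed in $chroot_f, so its sessions are not chrooted"
        rc=1
    fi

    # ftpusers: accounts denied FTP login, one per line.  Denying root is
    # assumed here to be the wanted default, so its absence is flagged.
    if ! awk '$1 == "root" { found = 1 } END { exit !found }' "$users_f"; then
        echo "FAIL: root is not denied in $users_f"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: ftpd files look consistent"
    return "$rc"
}

# make_samples good|bad -> prints a temp directory with constructed files
make_samples() {
    d=$(mktemp -d) || return 1
    if [ "$1" = "good" ]; then
        printf 'root:*:0:0:Charlie &:/root:/bin/ksh\nftp:*:1001:1001:Anonymous FTP:/home/ftp:/sbin/nologin\n' > "$d/passwd"
        printf '# users jailed by ftpd\nftp\n' > "$d/ftpchroot"
        printf 'root\ndaemon\n' > "$d/ftpusers"
    else
        # ftp has a real shell, nobody is jailed, and root is not denied
        printf 'root:*:0:0:Charlie &:/root:/bin/ksh\nftp:*:1001:1001:Anonymous FTP:/home/ftp:/bin/ksh\n' > "$d/passwd"
        printf '# nobody jailed\n' > "$d/ftpchroot"
        printf 'daemon\n' > "$d/ftpusers"
    fi
    echo "$d"
}

# Stand-alone run over both constructed samples.  On a real box call:
#   ftpd_audit /etc/passwd /etc/ftpchroot /etc/ftpusers
for kind in good bad; do
    d=$(make_samples "$kind")
    echo "== $kind sample =="
    ftpd_audit "$d/passwd" "$d/ftpchroot" "$d/ftpusers" || echo "(audit returned $?)"
    rm -rf "$d"
done
```

The three checks are deliberately independent, so a box that only has one of the problems still gets a specific message rather than a single pass/fail.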

REFERENCES:
http://www.tongatapu.net.to/nix/OpenBSD/ftpServer.htm
http://www.twbsd.org/cht/book/ch15.htm

Monday, August 27, 2012

access logging with pf

1) edit /etc/pf.conf, then run #pfctl -f /etc/pf.conf. Of course you also have to define the $ macros and <> tables first.


# Ignore IGMP traffic
# You can add this rule if IGMP packets are cluttering your log.
pass in on $int_if proto igmp all allow-opts

# Port mapping

pass in log on $ext_if proto tcp from <access_list> to $ext_ip port 22 rdr-to $inside_server_ip port 22

2) view the pf log as follows.

# tcpdump -n -e -ttt -r /var/log/pflog
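To see at a glance who is hitting the forwarded port 22 and whether the <access_list> table let them through, here is an added example (not from the original post) that tallies pflog lines by action, direction, source address and destination port. The log lines are constructed, in the shape tcpdump -n -e -ttt prints for pflog records; only IPv4 is handled.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the output of
#   tcpdump -n -e -ttt -r /var/log/pflog
# by action, direction, source address and destination port.
# IPv4 only: IPv6 addresses use colons, so the dot-splitting below
# would not apply to them.

# pflog_summary < tcpdump-lines
# Prints "ACTION DIR SRCIP DPORT COUNT" lines, sorted.
pflog_summary() {
    awk '
    {
        action = ""; dir = ""; src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            # "-e" adds:  rule N/(match) ACTION DIR on IFACE:
            if ($i == "rule") { action = $(i + 2); dir = $(i + 3) }
            # the packet part reads:  SRC.SPORT > DST.DPORT:
            if ($i == ">")    { src = $(i - 1); dst = $(i + 1) }
        }
        if (action == "" || src == "") next   # not a pflog line we understand
        sub(/:$/, "", dst)
        split(src, a, ".")                    # a[5] would be the source port
        srcip = a[1] "." a[2] "." a[3] "." a[4]
        m = split(dst, b, ".")
        dport = b[m]                          # last element is the destination port
        count[action " " dir " " srcip " " dport]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample (not a real capture): two SSH connections passed
# from an address in <access_list>, two blocked from an address not in it.
PFLOG_SAMPLE='Aug 27 10:15:02.123456 rule 7/(match) pass in on em0: 203.0.113.7.54321 > 198.51.100.10.22: S 1:1(0) win 65535
Aug 27 10:15:02.555555 rule 7/(match) pass in on em0: 203.0.113.7.54322 > 198.51.100.10.22: S 2:2(0) win 65535
Aug 27 10:15:09.000001 rule 3/(match) block in on em0: 192.0.2.99.40000 > 198.51.100.10.22: S 3:3(0) win 1024
Aug 27 10:15:09.000002 rule 3/(match) block in on em0: 192.0.2.99.40001 > 198.51.100.10.23: S 4:4(0) win 1024'

# Stand-alone run.  On a real box:
#   tcpdump -n -e -ttt -r /var/log/pflog | pflog_summary
printf '%s\n' "$PFLOG_SAMPLE" | pflog_summary
```

Because the summary keys on the action, a source that shows up under "block" for port 22 is one the <access_list> table did not contain, which is the quickest way to confirm the table holds exactly the addresses you intended.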

Port mapping & NAT with pf

1) edit /etc/sysctl.conf to enable packet forwarding first. Then reboot.

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

2) edit /etc/pf.conf, and run #pfctl -f /etc/pf.conf.

# Port mapping
pass in on $ext_if proto tcp from any to $ext_ip port 80 rdr-to $inside_server_ip port 80

# NAT rules
# This is not necessary: pf keeps state, so the return traffic of rdr-to rules is handled automatically.
# pass out on $ext_if from $inside_server_ip port 80 to any nat-to $ext_if

Sunday, August 26, 2012

using Perl and CPAN

OpenBSD ships with a recent version of Perl; for example, 5.12 with OpenBSD 5.1.

Therefore, we can simply code in Perl, with its powerful CPAN library, whenever something is lacking on your OpenBSD box!

using xterm with copy/paste & X forwarding

The xterm that comes with the OpenBSD default installation is basically enough for heavy terminal users. After you log in via xdm, an xterm pops up for you under the Fvwm window manager. It supports copy (highlight text with your mouse), paste (middle-click your mouse), and X forwarding from other Unix-like machines.

Of course you have to turn on the X forwarding option in /etc/ssh/ssh_config first to make X forwarding work.

write and publish your work with vi, lynx, and apache

It's pretty interesting to find out that lynx is installed by default, and its homepage is set to openbsd.org, which is also a well-written HTML website without annoying scripts and cookies. Therefore, an ideal process for writing and publishing your own work simply on an OpenBSD box could be as suggested below.

1) edit HTML files with vi. It's the pen we write our work with.

2) put the HTML files into /var/www/htdocs, and fire up apache. Edit /etc/rc.conf if needed. That's how we publish our work.

3) use lynx to view our web pages. That's how we view our work. If anything needs to be corrected, go back to step 1 and do the whole process again.

shell prompt & web browsing tips

1) enable xdm in /etc/rc.conf to start X at system startup.

2) after logging in via X, edit .profile and add PS1 to tune the shell prompt.

export PS1="simplebsd \w # "

3) The lynx text web browser is pre-installed. We can surf the net by typing #lynx !

Saturday, August 25, 2012

keep it simple to keep it secure

If you really want to keep your OpenBSD box secure, always keep it simple. DO NOT install any packages or ports unless you REALLY need it.

The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system.

As mentioned in the official FAQ here.

monitor real-time connections with pftop

1) edit .profile in /root and add the following line. Also execute it immediately. Change the version and architecture according to your situation.

export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.1/packages/amd64/

2) run #pkg_add -r pftop.

3) run #pftop, and you get all TCP/UDP connections through your OpenBSD box!

a simple http transparent proxy with relayd

1) edit /etc/pf.conf, then run #pfctl -f /etc/pf.conf.

# anchor for relayd(8)
anchor "relayd/*"
pass in quick inet proto tcp to port www divert-to 127.0.0.1 port 8080

2) edit /etc/relayd.conf, then run # /usr/sbin/relayd -d for console debugging.

dest = "cnn.com"

http protocol httpfilter {
        # Return HTTP/HTML error pages to the client
        return error
        # Block some well-known Instant Messengers
        label "Instant messenger disallowed!"
        response header filter "application/x-msn-messenger" from "Content-Type"
        response header filter "app/x-hotbar-xip20" from "Content-Type"
        response header filter "application/x-icq" from "Content-Type"
        response header filter "AIM/HTTP" from "Content-Type"
        response header filter "application/x-comet-log" from "Content-Type"
}

relay httpproxy {
        # Listen on localhost, accept diverted connections from pf(4)
        listen on 127.0.0.1 port 8080
        protocol httpfilter
        forward to $dest port 80
}

3) change $dest above to wherever you want. Edit /etc/rc.conf.local to start relayd at boot if needed!