Tuesday, March 19, 2013
CPAN and RRDs.pm of rrdtool
1. upgrade CPAN
cpan> install CPAN
cpan> reload cpan
2. install App::Cpan to use the `cpan -I` switch
3. then, local::lib can be compiled and installed!
4. # pkg_add p5-RRD
REFERENCE:
http://www.perlmonks.org/?node_id=637987
http://search.cpan.org/dist/local-lib/lib/local/lib.pm#The_bootstrapping_technique
http://my14all.sourceforge.net/install.html
Monday, March 18, 2013
manage default route/gateway as WAN backup
On BSD, Linux, or any other Unix-like system, changing the default gateway by hand can serve as a manual WAN backup.
# edit /etc/mygate as default gateway.
# route show
# route del default
# route add default 10.10.1.1
batch adding users with perl
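#!/usr/bin/perl
# The format is username:password:shell:homedir:groupname
use strict; use warnings;
use IPC::Open2;
open my $in, '<', $ARGV[0] or die "Cannot open file: $!";
while (my $line = <$in>) {
    chomp $line;
    my ($name, $pass, $shel, $dirc, $grup) = split /:/, $line;
    next unless defined $grup;    # skip blank or malformed lines
    # Feed the password to encrypt(1) on stdin: no shell involved, nothing in argv.
    my $pid = open2(my $from, my $to, 'encrypt');
    print $to "$pass\n"; close $to;
    chomp(my $epas = <$from>);
    waitpid $pid, 0;
    # List-form system() bypasses the shell, so the fields are passed literally.
    system('useradd', '-s', $shel, '-d', $dirc, '-g', $grup, '-p', $epas, $name) == 0
        or warn "useradd failed for $name\n";
    # Append the user to /etc/ftpchroot unless already listed (exact match, no regex).
    open my $chk, '<', '/etc/ftpchroot' or die "Cannot open file: $!";
    my $listed = grep { chomp; $_ eq $name } <$chk>;
    close $chk;
    next if $listed;
    open my $app, '>>', '/etc/ftpchroot' or die "Cannot append file: $!";
    print $app "$name\n";
    close $app;
}
close $in;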
apache simple setup
1. Edit /var/www/conf/httpd.conf and change DocumentRoot and Directory according to your needs. Since Apache is chrooted, content cannot be placed outside /var/www.
2. apachectl start.
Monday, March 4, 2013
PF Stateful Tracking Limitation Options
An example rule:
pass in on $ext_if proto tcp to $web_server \
    port www keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3)
The rule above defines the following behavior:
- Limit the absolute maximum number of states that this rule can create to 200
- Enable source tracking; limit state creation based on states created by this rule only
- Limit the maximum number of nodes that can simultaneously create state to 100
- Limit the maximum number of simultaneous states per source IP to 3
- max-src-conn number
  - Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make.
- max-src-conn-rate number / interval
  - Limit the rate of new connections to a certain amount per time interval.
Since these limits are only being placed on TCP connections that have completed the 3-way handshake, more aggressive actions can be taken on offending IP addresses.
- overload <table>
  - Put an offending host's IP address into the named table.
- flush [global]
  - Kill any other states that match this rule and that were created by this source IP. When global is specified, kill all states matching this source IP, regardless of which rule created the state.
table <abusive_hosts> persist
block in quick from <abusive_hosts>
pass in on $ext_if proto tcp to $web_server \
    port www flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush)
This does the following:
- Limits the maximum number of connections per source to 100
- Rate limits the number of connections to 15 in a 5 second span
- Puts the IP address of any host that breaks these limits into the <abusive_hosts> table
- For any offending IP addresses, flush any states created by this rule.
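The two limits and the overload action from the rule above, modelled in Python as an added example (not from the original post and not PF's own code). The sliding-window counting is a simplification of PF's rate accounting, and the function name simulate and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_SRC_CONN = 100              # max-src-conn 100
RATE_COUNT, RATE_SECS = 15, 5   # max-src-conn-rate 15/5

def simulate(events):
    """events: (time_s, src_ip, action), action is 'open' (3-way handshake
    completed) or 'close'. Returns {ip: limit_that_was_exceeded}."""
    established = defaultdict(int)   # simultaneous connections per source
    recent = defaultdict(deque)      # timestamps of recent opens per source
    abusive = {}                     # stands in for the <abusive_hosts> table
    for t, ip, action in sorted(events):
        if ip in abusive:
            continue                 # block in quick from <abusive_hosts>
        if action == "close":
            established[ip] = max(0, established[ip] - 1)
            continue
        window = recent[ip]
        while window and t - window[0] >= RATE_SECS:
            window.popleft()         # forget opens older than the interval
        window.append(t)
        established[ip] += 1
        if established[ip] > MAX_SRC_CONN:
            reason = "max-src-conn"
        elif len(window) > RATE_COUNT:
            reason = "max-src-conn-rate"
        else:
            continue
        abusive[ip] = reason         # overload <abusive_hosts>
        established[ip] = 0          # flush: this source's states are killed
    return abusive

# Constructed sample traffic using documentation address ranges, not real logs.
SAMPLE_EVENTS = (
    [(i * 0.25, "203.0.113.10", "open") for i in range(16)]    # 16 opens in 4 s
    + [(i * 1.0, "198.51.100.7", "open") for i in range(16)]   # 16 opens, 1 per second
    + [(i * 0.5, "192.0.2.50", "open") for i in range(101)]    # 101 held open, slow ramp
)

if __name__ == "__main__":
    for ip, reason in simulate(SAMPLE_EVENTS).items():
        print(f"{ip} -> <abusive_hosts> ({reason})")
```

The source that opens one connection per second is never added to the table, which shows that the rule reacts to burst rate and concurrency rather than to total connection count.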
REFERENCES:
http://kestas.kuliukas.com/pf.conf/
Wednesday, February 20, 2013
Ruby on Rails package for OpenBSD
Ruby on Rails 3 can be simply installed on OpenBSD via pkg_add:
# pkg_add -v ruby-rails
However, a JavaScript runtime (e.g. node.js) and sqlite3-dev are also required.
# pkg_add -v sqlite3
# pkg_add -v libexecinfo gmake python   (needed to compile node.js)
Wednesday, January 30, 2013
sftp subsystem request failed
subsystem request failed on channel 0
Couldn't read packet: Connection reset by peer
This happened when using sshd chrooting on Linux.
This was sorted after changing
Subsystem sftp /usr/lib/openssh/sftp-server
to
Subsystem sftp internal-sftp
REFERENCE:
http://forums.debian.net/viewtopic.php?f=5&t=42818