Hey, great news came today: FreeBSD 8.0 has been released. I can't wait to get my hands on it, but I will hold off till the initial rush dies down and any issues that pop up get settled.
So here is the news we have all been waiting for:
http://www.freebsd.org/releases/8.0R/relnotes.html
What is interesting for me in there?
OK, here they are:
1. FreeBSD 8.0-RELEASE
2. A new virtualization container named “vimage” has been implemented.
3. The FreeBSD netisr framework has been reimplemented for parallel threading support.
4. The FreeBSD TTY layer has been replaced with a new one
5. The FreeBSD Linux emulation layer has been updated
6. Includes Trusted BSD MAC
7. The FreeBSD USB subsystem
8. The ZFS file system has been updated
9. The FreeBSD NFS v4 subsystem
10. The wireless network support layer (n
11. The GCC stack protection
12. Gnome and KDE
These are some of them, though many of them I won't be using; what interests me is whatever I can put to use on the server side.
Anyway, enjoy.
Thursday, November 26, 2009
Wednesday, November 18, 2009
Server under attack: how to deal with it with the help of BSD PF
Hammering those Hammers
If your server comes under attack, what can be done, and how do we keep the server from going down under the hammering from the attackers?
A few simple steps with pf can do the magic, instead of some high-end, pocket-crashing firewall.
Say the server we want to protect is our web server.
Add the following to /etc/pf.conf ($ext_if is the usual macro for your external interface, defined earlier in the file, e.g. ext_if="em0"):
# Attackers go into a persistent table, seeded from /etc/pf.blocklist every time the ruleset loads
table <ftp-attacks> persist file "/etc/pf.blocklist"
# Block all incoming connections from anyone already in the table (the name is a leftover from an FTP rule; any name works as long as all three lines agree)
block in quick on $ext_if from <ftp-attacks>
# Allow web server access, with protection from hammering
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80 keep state (max-src-conn-rate 5/40, overload <ftp-attacks> flush global)
So what do the previous lines do?
If any IP opens more than 5 new connections within 40 seconds, that IP ends up in the <ftp-attacks> table, all of its existing states are flushed, and from then on it is dropped by the block rule above. Keep in mind that 5 connections in 40 seconds is aggressive for HTTP: a browser opens several connections to load a single page, so on a real site tune the rate to your traffic or you will lock out legitimate visitors. Only the source address is counted, so everyone behind one NAT gateway shares the same budget.
But this only lasts as long as the system doesn't reboot or pf doesn't lose the table, so let's make it permanent by saving the table from rc.shutdown:
# echo '/sbin/pfctl -t ftp-attacks -T show > /etc/pf.blocklist' >> /etc/rc.shutdown
Make sure /etc/pf.blocklist exists (touch it) before the ruleset is loaded, and remember that rc.shutdown only runs on a clean shutdown: after a crash or power loss whatever was added since the last save is gone, so a periodic save from cron is the safer option.
Next time, even if the system reboots, we still have the list of those guys who tried to hammer our web server.
See how easy and cool it is.
Yes, of course, I came across this on the net and used it for my own purpose.
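Saving the table with a single redirect works, but pfctl's -T show output carries leading whitespace, the file grows stale entries forever, and a bad line would make the next pf.conf load fail. The script below is an added example (not from the original post) that validates and merges the entries before writing the file atomically, can be run from cron as well as from rc.shutdown, and expires old entries so a visitor who tripped the limit once is not blocked for life. It assumes the table name ftp-attacks and the file /etc/pf.blocklist from the pf.conf above; both, and the one-day expiry, can be overridden from the environment.

```shell
#!/bin/sh
# pf-blocklist.sh: save, restore and expire the <ftp-attacks> overload table.
# Added example, not from the original post. Assumes the table name and file
# from the pf.conf shown above; all three settings can be overridden.

TABLE="${TABLE:-ftp-attacks}"
BLOCKLIST="${BLOCKLIST:-/etc/pf.blocklist}"
MAX_AGE="${MAX_AGE:-86400}"   # seconds an entry may sit in the table before expiry

# Read addresses on stdin (pfctl -T show output, or the saved file), keep only
# well-formed IPv4 addresses or IPv4 CIDR prefixes, trim pfctl's indentation,
# and drop duplicates. Anything else (stray text, truncated lines) is discarded
# so a corrupt entry can never break the next ruleset load.
filter_addrs() {
    awk '{
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "");
        if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) next;
        n = split($0, p, "[./]");
        for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) next;
        if (n == 5 && p[5] + 0 > 32) next;
        if (!seen[$0]++) print;
    }'
}

# Merge what pf holds now with what is already on disk and write the result
# atomically, so a reboot in the middle of the write cannot leave a half file.
save_table() {
    tmp="${BLOCKLIST}.tmp.$$"
    {
        [ -r "$BLOCKLIST" ] && cat "$BLOCKLIST"
        pfctl -t "$TABLE" -T show
    } | filter_addrs > "$tmp" && mv "$tmp" "$BLOCKLIST"
}

# Re-load the saved file into the live table (pf also does this itself at
# ruleset load because of the "persist file" keyword).
restore_table() {
    [ -r "$BLOCKLIST" ] || : > "$BLOCKLIST"
    pfctl -t "$TABLE" -T replace -f "$BLOCKLIST"
}

# Drop entries older than MAX_AGE seconds and write the trimmed table back,
# so the on-disk file does not accumulate every address ever seen.
expire_table() {
    tmp="${BLOCKLIST}.tmp.$$"
    pfctl -t "$TABLE" -T expire "$MAX_AGE"
    pfctl -t "$TABLE" -T show | filter_addrs > "$tmp" && mv "$tmp" "$BLOCKLIST"
}

case "${1:-}" in
    save)    save_table ;;
    restore) restore_table ;;
    expire)  expire_table ;;
esac
```

With this in place the rc.shutdown line becomes a call to the script's save action, and a cron entry that runs save every hour and expire once a day keeps the file current even on a box that never shuts down cleanly.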
Monday, November 9, 2009
Setting Fixed IP for Specific Hosts
When you need certain systems to have a fixed IP address but still want it supplied through DHCP, add a host section for each of them to /usr/local/etc/dhcpd.conf (the ISC dhcpd port's configuration file).
Add the following to /usr/local/etc/dhcpd.conf, replacing the angle-bracketed placeholders with your values:
host <name> {
hardware ethernet <MAC address>;
fixed-address <IP address>;
option domain-name-servers <DNS server IP>;
option domain-name "<domain>";
option routers <gateway IP>;
}
The fixed-address should lie outside any dynamic range you hand out in the subnet's range statement, so the two never collide. Save and quit the file, then
restart dhcpd:
#/usr/local/etc/rc.d/isc-dhcpd restart
OK, there you go!
Enjoy! :)
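An added example (not from the original post) of generating such a host block safely: it checks that the MAC address and IP are well-formed before anything is written, refuses a second reservation for the same MAC, appends the block to dhcpd.conf, and runs dhcpd's own syntax check (dhcpd -t) before restarting, so a typo cannot take the DHCP service down. The dhcpd.conf path and the rc script name are those from the post; the host name and addresses in the usage line are placeholders. Keep in mind what a reservation is: dhcpd matches the MAC address the client claims, which any host can set, so a fixed-address is a convenience for your own machines, not a way to keep strangers off an address.

```shell
#!/bin/sh
# dhcp-reserve.sh: add a fixed-address reservation to ISC dhcpd and reload it
# only if the resulting configuration passes dhcpd's syntax check.
# Added example, not from the original post.

CONF="${CONF:-/usr/local/etc/dhcpd.conf}"
RC="${RC:-/usr/local/etc/rc.d/isc-dhcpd}"

# Lower-case the MAC and require exactly six colon-separated hex pairs.
# dhcpd accepts either case; one consistent form keeps the duplicate check simple.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    h='[0-9a-f][0-9a-f]'
    case "$m" in
        $h:$h:$h:$h:$h:$h) printf '%s' "$m" ;;
        *) return 1 ;;
    esac
}

# Dotted-quad IPv4 check: four numeric fields, each 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        BEGIN { bad = 0 }
        NF != 4 { bad = 1; exit }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) { bad = 1; exit } }
        END { exit bad }'
}

# Emit one host block on stdout. Arguments: name mac ip [router] [dns] [domain]
host_block() {
    name=$1; mac=$2; ip=$3; router=$4; dns=$5; domain=$6
    printf 'host %s {\n' "$name"
    printf '    hardware ethernet %s;\n' "$mac"
    printf '    fixed-address %s;\n' "$ip"
    [ -n "$router" ] && printf '    option routers %s;\n' "$router"
    [ -n "$dns" ]    && printf '    option domain-name-servers %s;\n' "$dns"
    [ -n "$domain" ] && printf '    option domain-name "%s";\n' "$domain"
    printf '}\n'
}

# Validate, refuse a duplicate MAC, append, syntax-check, then restart.
add_reservation() {
    name=$1; ip=$3; router=$4; dns=$5; domain=$6
    mac=$(normalize_mac "$2") || { echo "bad MAC address: $2" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    if grep -qi "hardware ethernet $mac;" "$CONF"; then
        echo "$mac already has a reservation in $CONF" >&2; return 1
    fi
    cp "$CONF" "$CONF.bak"
    host_block "$name" "$mac" "$ip" "$router" "$dns" "$domain" >> "$CONF"
    # dhcpd -t parses the named config and exits non-zero on any error.
    if ! dhcpd -t -cf "$CONF" >/dev/null 2>&1; then
        echo "syntax error in $CONF, restoring backup" >&2
        mv "$CONF.bak" "$CONF"; return 1
    fi
    "$RC" restart
}

# Usage: dhcp-reserve.sh <name> <mac> <ip> [router] [dns] [domain]  (placeholders)
if [ $# -ge 3 ]; then
    add_reservation "$@"
fi
```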
Sunday, November 8, 2009
Changing network settings without rebooting
Did you ever wonder how to get a network settings change applied immediately in FreeBSD?
In Linux we had the much easier service network restart.
So after a few searches I found two commands that come to our help.
After any change to /etc/rc.conf, just run
#/etc/rc.d/netif restart
For a change to the routing (defaultrouter, static_routes) to take effect,
#/etc/rc.d/routing restart
Run them in that order: restarting netif brings the interfaces down and up, which drops the routes they carried, so routing restart is what puts the default route back. If you are doing this over ssh, put both on one line joined with &&, so the second still runs even if the first drops your session.
Yeah, those two commands are my best friends when fiddling around with network settings.
Enjoy :)
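Changing an address or gateway on a box you reach only over ssh is the classic way to lock yourself out: if the new rc.conf is wrong, netif restart kills the session and you cannot get back in to fix it. The script below is an added example (not from the original post) of the usual safety net around the two commands: it keeps a copy of the working rc.conf, applies the change, and restores the old settings automatically unless you log back in and confirm within a grace period. The backup path and the 300-second grace period are my own choices and can be set through the environment.

```shell
#!/bin/sh
# net-apply.sh: apply an rc.conf network change with an automatic rollback.
# Added example, not from the original post. Assumes /etc/rc.conf and the
# two rc scripts the post uses; RC, BACKUP and GRACE can be overridden.

RC="${RC:-/etc/rc.conf}"
BACKUP="${BACKUP:-/root/rc.conf.rollback}"   # exists only while a rollback is pending
GRACE="${GRACE:-300}"                          # seconds to log back in and confirm

# Restart interfaces and then routing. Restarting netif brings the interfaces
# down and up, which drops the routes they carried, so routing must follow.
# Both are in one list so the second still runs if the first drops the ssh session.
restart_net() {
    /etc/rc.d/netif restart && /etc/rc.d/routing restart
}

rollback_pending() { [ -f "$BACKUP" ]; }

# Save the known-good rc.conf; refuse if a rollback is already pending so two
# overlapping changes cannot overwrite the good copy with a bad one.
stage_rollback() {
    if rollback_pending; then
        echo "rollback already pending ($BACKUP); confirm or roll back first" >&2
        return 1
    fi
    cp "$RC" "$BACKUP"
}

# Run this after you have logged back in: the new settings work, keep them.
confirm() {
    rollback_pending || return 0
    rm -f "$BACKUP"
}

# Put the old rc.conf back and re-apply the network settings.
rollback() {
    rollback_pending || return 0
    cp "$BACKUP" "$RC" && rm -f "$BACKUP" && restart_net
}

# Apply the change already edited into rc.conf: stage the rollback, start a
# detached timer that rolls back unless confirm runs first, then restart.
# The timer subshell ignores SIGHUP so it survives the ssh session dying.
apply() {
    stage_rollback || return 1
    ( trap '' HUP; sleep "$GRACE"; rollback ) >/dev/null 2>&1 &
    restart_net
}

case "${1:-}" in
    apply)    apply ;;
    confirm)  confirm ;;
    rollback) rollback ;;
esac
```

Edit rc.conf, run the script with apply, log in again on a second session, and run it with confirm; if you never get back in, the timer restores the old file and restarts the network for you.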
Tuesday, November 3, 2009
Mounting ISO files
Often we come across a situation where it would be great to peek into the contents of an ISO file.
In FreeBSD things have changed on how an ISO file is mounted. Previously we mounted the ISO through a loopback device (vnconfig and the vn device), which no longer exists.
So the steps to mount an ISO file are as follows.
We take the help of mdconfig.
But before doing anything, let's create a directory under root to mount on:
#mkdir /cddump
OK, let's create the md device for the ISO file:
#mdconfig -a -t vnode -f <file.iso>
mdconfig prints the name of the unit it attached, md0 if it is the first memory disk on the system. Once that succeeds, mount that unit on the directory we created:
#mount -t cd9660 /dev/md0 /cddump
OK, that's it; change into /cddump and have a look at the contents. When you are done, unmount it and detach the md unit again, otherwise the ISO file stays held open.
Enjoy
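The mount line hard-codes /dev/md0, but mdconfig hands out the first free unit, which is md1 or higher whenever another memory disk is already attached, and the post never detaches anything. The script below is an added example (not from the original post) that reads the unit name mdconfig prints, mounts it read-only with nosuid and noexec (an ISO pulled from the net is untrusted input, so nothing on it should run or gain privilege just because it was mounted), and detaches cleanly afterwards. The mount point /cddump is the post's; the ISO path is whatever you pass in.

```shell
#!/bin/sh
# iso-mount.sh: attach an ISO as a memory disk, mount it, and detach it again.
# Added example, not from the original post. Uses the post's /cddump mount
# point by default; MNT can be overridden from the environment.

MNT="${MNT:-/cddump}"

# Attach the image and print the unit name (md0, md1, ...) that mdconfig
# reports, instead of assuming md0. Fails if the file is unreadable.
iso_attach() {
    iso=$1
    [ -r "$iso" ] || { echo "cannot read $iso" >&2; return 1; }
    unit=$(mdconfig -a -t vnode -f "$iso") || return 1
    case "$unit" in
        md[0-9]*) printf '%s\n' "$unit" ;;
        *) echo "unexpected mdconfig output: $unit" >&2; return 1 ;;
    esac
}

# Mount the unit read-only and with nosuid,noexec so that nothing on an
# untrusted image can be executed or gain privilege merely by being mounted.
iso_mount() {
    unit=$1
    mkdir -p "$MNT"
    mount -t cd9660 -o ro,nosuid,noexec "/dev/$unit" "$MNT"
}

# Unmount and release the memory disk so the ISO file is no longer held open.
# mdconfig -d wants the bare unit number, so strip the "md" prefix.
iso_detach() {
    unit=$1
    umount "$MNT"
    mdconfig -d -u "${unit#md}"
}

# Usage: iso-mount.sh attach <file.iso>   |   iso-mount.sh detach md0
case "${1:-}" in
    attach) unit=$(iso_attach "$2") && iso_mount "$unit" && echo "$2 mounted on $MNT as $unit" ;;
    detach) iso_detach "$2" ;;
esac
```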
Saturday, October 31, 2009
Rock Solid Ultra Fast & Light Caching DNS with Unbound
Okay, today we are going to set up a caching DNS to handle all DNS queries instead of our ISP's sickly DNS servers.
Why a caching DNS?
Why not have a caching DNS where the queries get resolved within my network itself, instead of every DNS query travelling all the way from my network to the ISP's DNS servers each time I open a site?
Don't you think it's going to save some time and make my browsing faster?
Still in doubt? OK, we will try a DNS query against the ISP's DNS servers and against our local caching DNS and compare the time each takes once the local caching server is ready.
So the ingredients for this local caching DNS are as follows.
As usual, all my notes are FreeBSD specific.
My gateway -> FreeBSD 7.2 running squid and pf for basic firewalling and transparent proxying
My /etc/resolv.conf:
search <domain>.com
nameserver <ISP DNS IP>
That ISP DNS IP address will be changed to 127.0.0.1 once our caching DNS starts.
OK, now the actual DNS cache software: Unbound.
Now why Unbound?
All we need is a caching resolver, and I don't want a heavy full DNS server just to implement one small feature, i.e. caching.
OK, now let's get our hands dirty.
My way of installing always starts with compiling my own instead of installing from binary.
Why custom compiling?
Ans: I love to see my system churning out compiler messages, LOL.
OK, leave it there.
Let's go to the ports and install from there:
#cd /usr/ports/dns/unbound
#make install clean
Wait a while for it to get compiled and installed.
OK, time to get the configuration modified for our requirements:
# cd /usr/local/etc/unbound
# cp unbound.conf.sample unbound.conf
#vi unbound.conf
Modify the following:
- interface: the address to listen on, e.g. interface: 192.168.1.1. Listing an interface replaces Unbound's default of 127.0.0.1, so add a second line interface: 127.0.0.1 as well, because /etc/resolv.conf on this box will point there. Leave the external address out.
- outgoing-interface: leave it alone unless you need queries to leave from a specific address.
- cache-min-ttl: forces records to stay cached at least this long even when the zone says less; keep it modest or you will serve stale answers after a record changes.
- do-ip6: set it if you want IPv6.
- access-control: 192.168.0.0/16 allow, so only the LAN may query. Everything else stays refused by default; never allow 0.0.0.0/0 on a gateway, or you are running an open resolver that anyone can use for amplification.
- private-address: 192.168.0.0/16, so answers from the internet cannot point at LAN addresses (DNS rebinding).
- private-domain: the local domain that is still allowed to hand out those private addresses.
That must be enough to get Unbound working.
Let's modify /etc/rc.conf so that Unbound loads every time we restart the system.
Add at the end of /etc/rc.conf
unbound_enable="YES"
Save and quit.
Now let's check how much time our crappy ISP takes to resolve a DNS query:
#dig freebsd.org
Note the Query time in msec it reports.
Let's modify /etc/resolv.conf:
remove the nameserver entry and add
nameserver 127.0.0.1
Save and quit.
Let's start Unbound manually for the first time:
/usr/local/etc/rc.d/unbound start
OK, if that starts without an error message then we are successful with Unbound.
OK, here we go, let's dig again:
#dig netbsd.org
See the time it took? Not happy? That first query is a cache miss, so Unbound has to walk the resolution itself. How about querying again:
#dig netbsd.org
See the Query time it took now? That answer came straight from the cache.
So that's all for now.
Enjoy and safe computing
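Since the post only lists the settings to touch, here is an added example (not from the original post or the Unbound project) that writes a complete caching-only unbound.conf from the two values that matter on this gateway, the LAN address and the LAN prefix, and that runs unbound-checkconf before the service is restarted. It also parses the Query time line out of dig's output so the before/after comparison can be scripted rather than eyeballed. The LAN address 192.168.1.1 and prefix 192.168.0.0/16 are the post's; the private-domain name "lan" and the 300-second cache-min-ttl are my own assumptions.

```shell
#!/bin/sh
# unbound-setup.sh: generate a caching-only unbound.conf, verify it, and time
# lookups before and after. Added example, not from the original post.

UNBOUND_CONF="${UNBOUND_CONF:-/usr/local/etc/unbound/unbound.conf}"

# Print a caching-only configuration to stdout. Arguments: LAN address, LAN
# prefix, optional local domain (assumed "lan").
# - interface: lines replace Unbound's default of 127.0.0.1 only, so 127.0.0.1
#   is listed explicitly because /etc/resolv.conf on the gateway points there.
# - outgoing-interface is left at its default (the OS picks the source address).
# - access-control allows the LAN only; everything else is refused, which is
#   what keeps this from being an open resolver usable for amplification.
# - private-address blocks answers from the internet that point at LAN
#   addresses (DNS rebinding); private-domain names the local zone exempt from that.
gen_unbound_conf() {
    lan_ip=$1; lan_net=$2; local_domain=${3:-lan}
    cat <<EOF
server:
    interface: 127.0.0.1
    interface: $lan_ip
    do-ip6: no
    access-control: 127.0.0.0/8 allow
    access-control: $lan_net allow
    access-control: 0.0.0.0/0 refuse
    private-address: $lan_net
    private-domain: "$local_domain"
    cache-min-ttl: 300
    hide-identity: yes
    hide-version: yes
EOF
}

# Write the config, let unbound-checkconf validate it, and restart only on success.
install_unbound_conf() {
    tmp="${UNBOUND_CONF}.tmp.$$"
    gen_unbound_conf "$@" > "$tmp"
    if unbound-checkconf "$tmp" >/dev/null 2>&1; then
        mv "$tmp" "$UNBOUND_CONF" && /usr/local/etc/rc.d/unbound restart
    else
        echo "unbound-checkconf rejected the new config, keeping the old one" >&2
        rm -f "$tmp"; return 1
    fi
}

# Extract the number from the ";; Query time: N msec" line of dig output on stdin.
query_ms() {
    awk '/^;; Query time:/ { print $4; found = 1 } END { exit !found }'
}

# Time one lookup against a given server: the first query is a cache miss,
# the repeat of the same name is what a working cache answers from memory.
time_lookup() {
    server=$1; name=$2
    first=$(dig @"$server" "$name" | query_ms) || return 1
    second=$(dig @"$server" "$name" | query_ms) || return 1
    echo "$name via $server: first ${first} ms, repeat ${second} ms"
}
```

Run time_lookup once against the ISP's server and once against 127.0.0.1 after install_unbound_conf 192.168.1.1 192.168.0.0/16 has restarted Unbound, and the repeat figure against 127.0.0.1 is the number the post is asking you to notice.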
Friday, October 23, 2009
Wanted to have elevated privileges with su
From a normal user you want to switch to the superuser, and at times you find that su just says "Sorry".
OK, the issue is that the currently logged-in user is not a member of the wheel group; only wheel members are allowed to su to root.
Add the user to the wheel group as a supplementary member by issuing the following command as root:
#pw groupmod wheel -m <username>
eg. #pw groupmod wheel -m testuser
(You will also see pw usermod testuser -g wheel suggested for this. It works too, but -g changes the user's primary group to wheel, so every file they create from then on is group-owned by wheel; adding them as a group member leaves their primary group alone.)
Now log in as the user and try su; it must work now.
So that's another tip I learned and am sharing with you.
Babs
Tuesday, October 20, 2009
Building Custom Kernel for a General Server in FreeBSD
The easiest way to get the source for compiling a kernel is to install it through sysinstall as root: choose Configure -> Distributions -> src and pick only base and sys.
Once the source is installed,
let's customize our kernel. For this we will not modify the GENERIC config file; instead we copy it to another location, link it back here, and make all the necessary modifications to the copy (on amd64 the directory is /usr/src/sys/amd64/conf instead):
#cd /usr/src/sys/i386/conf
#mkdir /root/kernel
#cp GENERIC /root/kernel/CUSTKERNL
#ln -s /root/kernel/CUSTKERNL
Open the file and make all the necessary modifications:
#vi CUSTKERNL
Below is the kernel options file I used while compiling for my squid proxy (yeah, I know it's not perfect, but any suggestions are always welcome).
OK, done with customizing your kernel config?
Let's get rolling.
First, move to the /usr/src directory:
# cd /usr/src
Then issue the make command to build the kernel:
#make -j4 buildkernel KERNCONF=CUSTKERNL
Q. Why -j?
A. Why not -j? When I have a quad-core system at my disposal, why should I take a nap after giving the make buildkernel command?
OK, now it's time to grab a coffee and snacks and watch some soccer on TV or browse some crap on the net.
Did you get the # prompt back without any error? Then you are with me on the right path.
Let's install the kernel!
#make -j4 installkernel KERNCONF=CUSTKERNL
Whoa! That's all it takes. installkernel moves the previous kernel to /boot/kernel.old, so if the new one fails to boot you can boot kernel.old from the loader prompt and fix the config.
Now if this is not exactly what you got on your screen, then Google is your friend :) or leave me a comment and I will try to get back to you.
So that's all for now.
Just my 2 cents on compiling a kernel under FreeBSD 7.2.