A BSD jail is a container that provides an isolated environment for applications to run in. Ezjail simplifies the process of installing and managing jails.

Most of the posts on ezjail focus on downloading a FreeBSD basejail/template from the internet.

I was curious how I could use what I already had: a DVD .iso image of FreeBSD 10.2-RELEASE. It turns out it is not that hard, and ezjail does support this.

This post is aimed at users who are on a low-bandwidth link or lack internet connectivity. I have used version 10.2 here; this might not work with earlier releases. The following commands are executed as the root user.

In the end we will have something like:

Logical diagram of what we will achieve.

The diagram is a logical representation of what we will get.

Now to start with: after installing FreeBSD (ZFS is recommended for production servers) and installing ezjail from the FreeBSD repository (http://pkg.freebsd.org/; if you lack internet access, download the ezjail package beforehand), mount the CD/DVD .iso image you have:

# mount -t cd9660 /dev/cd0 /media/optical/

OR

# mount_cd9660 /dev/cd0 /media/optical/

/dev/cd0 is the device for either a CD or a DVD. You may have to create the optical/ directory under /media or /mnt.

If there were no error messages, the disc was mounted.

Execute the following to verify:

# mount
.
.
.
/dev/cd0 2.6G 2.6G 0B 100% /media/optical

OR

# df
.
.
.
/dev/cd0 2675856 2675856 0 100% /media/optical

The FreeBSD distribution sets, including the base OS (in the file base.txz), are under usr/freebsd-dist on the optical media.

root@Zfreebsd:/media/optical/usr/freebsd-dist # ls
MANIFEST base.txz doc.txz games.txz kernel.txz lib32.txz ports.txz src.txz

root@Zfreebsd:/media/optical/usr/freebsd-dist # pwd
/media/optical/usr/freebsd-dist
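Before extracting sets from removable media it is worth checking base.txz against the MANIFEST that sits beside it, so a damaged or substituted disc image is caught before anything is installed. The script below is an added example, not part of the original post or of ezjail. It assumes the MANIFEST layout as I know it from 10.x media (tab-separated fields: file name, sha256, file count, set name, description, default-on; only the first two are used here) and either sha256sum (GNU/Linux) or sha256 (FreeBSD) on the host. The demo directory at the end is constructed and is not real FreeBSD media.

```shell
#!/bin/sh
# verify_dist: check a FreeBSD distribution set against its MANIFEST.
# Assumed MANIFEST layout: name<TAB>sha256<TAB>count<TAB>set<TAB>desc<TAB>on

# Print the sha256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Expected hash for file $2 according to MANIFEST $1 (empty if not listed).
manifest_hash() {
    awk -F'\t' -v f="$2" '$1 == f { print $2; exit }' "$1"
}

# verify_dist <dist-dir> <set-file>
#   returns 0 when the set matches MANIFEST, 1 on a hash mismatch,
#   2 when the set or the MANIFEST entry is missing.
verify_dist() {
    dir=$1; set_name=$2
    [ -f "$dir/MANIFEST" ] || return 2
    [ -f "$dir/$set_name" ] || return 2
    want=$(manifest_hash "$dir/MANIFEST" "$set_name")
    [ -n "$want" ] || return 2
    have=$(sha256_of "$dir/$set_name")
    [ "$have" = "$want" ]
}

# demo: constructed directory standing in for /media/optical/usr/freebsd-dist.
demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/base.txz"    # constructed content, not a real set
    printf 'base.txz\t5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\t1\tbase\t"Base system"\ton\n' \
        > "$d/MANIFEST"
    if verify_dist "$d" base.txz; then echo "base.txz OK"; else echo "base.txz BAD"; fi
    rm -rf "$d"
}

demo
```

On real media the call is `verify_dist /media/optical/usr/freebsd-dist base.txz` (and the same for kernel.txz, lib32.txz and any other set you intend to install) before running ezjail-admin install.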

Supply the above (absolute) path to ezjail-admin to create a basejail:

# ezjail-admin install -h file:///media/optical/usr/freebsd-dist

This extracts and installs the basejail needed to create other jails. To install the man pages as well, supply -m:

# ezjail-admin install -m -h file:///media/optical/usr/freebsd-dist
.
.
.
/usr/jails/basejail/usr/lib32/libutempter.a
/usr/jails/basejail/usr/lib32/libuutil_p.a
146888 blocks
Note: a non-standard /etc/make.conf was copied to the template jail in order to get the ports collection running inside jails.

After this you can see the basejail created by ezjail under /usr/jails:

# ls -l /usr/jails/
total 18
drwxr-xr-x   9 root  wheel   9 Dec 12 15:28 basejail
drwxr-xr-x   3 root  wheel   3 Dec 12 15:28 flavours
drwxr-xr-x  12 root  wheel  22 Dec 12 15:28 newjail

Your environment is now ready to create jails from this basejail.

Optionally, update the basejail to the latest patches:

# ezjail-admin update -u

Creating a test jail

# ezjail-admin create testjail1 'em0|10.0.2.16'
.
.
.
/usr/jails/testjail1/./.profile
6287 blocks
Warning: Some services already seem to be listening on all IP, (including 10.0.2.16)
This may cause some confusion, here they are:
root     ntpd       655   20 udp6   *:123                 *:*
root     ntpd       655   21 udp4   *:123                 *:*
root     syslogd    493   6  udp6   *:514                 *:*
root     syslogd    493   7  udp4   *:514                 *:*
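The warning lists sockets bound to the wildcard address (`*:port`), which is exactly what will collide with any IP you hand to a jail. The function below is an added example, not part of the original post or of ezjail: it filters output in the shape shown above (user, command, pid, fd, proto, local address, foreign address, which is also the column layout of `sockstat -l` on FreeBSD) and reports only wildcard listeners, so you can re-run the check after binding each daemon. The sample lines are constructed from the warning above plus two correctly bound sockets.

```shell
#!/bin/sh
# wildcard_listeners: read sockstat-style lines on stdin and print
# "proto port command" for every socket bound to "*:<port>".
# Fields: $2 command, $5 proto, $6 local address.
wildcard_listeners() {
    awk '$6 ~ /^\*:[0-9]+$/ { split($6, a, ":"); print $5, a[2], $2 }'
}

# Constructed sample: the four wildcard sockets from the ezjail warning plus
# an sshd and a syslogd that are bound to one address and must not show up.
sample_sockstat='root     ntpd       655   20 udp6   *:123                 *:*
root     ntpd       655   21 udp4   *:123                 *:*
root     syslogd    493   6  udp6   *:514                 *:*
root     syslogd    493   7  udp4   *:514                 *:*
root     sshd       700   3  tcp4   10.0.2.15:22          *:*
root     syslogd    493   7  udp4   127.0.0.1:514         *:*'

# count_wildcard: number of wildcard listeners in the sample (expect 4).
count_wildcard() {
    printf '%s\n' "$sample_sockstat" | wildcard_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$sample_sockstat" | wildcard_listeners
echo "wildcard listeners: $(count_wildcard)"
```

On a live host, `sockstat -l | wildcard_listeners` gives the same report; once ntpd is stopped and syslogd is started with `-b 127.0.0.1`, it should print nothing for those two daemons.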

To resolve the warning, we need to restrict the addresses these host services listen on.

For ntpd this is difficult, so either install net/openntpd or disable it in /etc/rc.conf:

# sysrc ntpd_enable="NO"

# service ntpd onestop

For syslogd there are flags that bind it to the host address. In /etc/rc.conf:

syslogd_enable="YES"
syslogd_flags="-s -b 127.0.0.1"
# -s runs syslogd in secure mode (no messages from remote machines),
# -b binds it to an address

Restart syslogd:

# service syslogd restart

Also change the ssh configuration to listen only on select IP addresses:

ListenAddress xxx.xxx.xxx.xxx

Restart sshd after checking the configuration for errors:

# sshd -t

# service sshd restart

Now start the jail you created:

# ezjail-admin start testjail1

# ezjail-admin list

Get a shell in your new jail with:

# ezjail-admin console testjail1

You can now install applications inside the jail; it is just like another FreeBSD machine.

Optionally, to allow ping from inside the jail, you need to change settings on both the host and the jail.

On host:

# sysctl security.jail.allow_raw_sockets=1

To set it permanently, add it to /etc/sysctl.conf.

For the jail, on the host: edit the ezjail config of the jail (for me it is /usr/local/etc/ezjail/testjail1) and add the following:

export jail_testjail1_parameters="allow.raw_sockets"

OR

export jail_testjail1_parameters="allow.raw_sockets=1"

To make this effective, restart the jail from the host:

# ezjail-admin restart testjail1

You can ping the jail from the host, and if the jail was assigned an IP address on the same subnet as other machines on the network, you can ping that IP from those machines.

In the next post I will detail how to provide NAT to the jails; NAT is required to give the jails internet access, and redirection is required to expose a service running in a jail to the outside world.

olimex


The A64-OLinuXino laptop idea is taking better shape: we managed to find a supplier for the laptop plastic ABS body with an 11.6″, 1366*768 LCD and keyboard, in which we can embed our A64-OLinuXino motherboard.


The body has a power supply jack, 2x USB hosts, HDMI, SD card connector, 3.5 mm headphone jack, four speakers, camera, touchpad and power button.


Needless to say, this Windows button will become Tux 😀

Hopefully this will support FreeBSD…

olimex


A few weeks ago I blogged about the idea to make an OSHW laptop based on the Allwinner A64 64-bit SoC.

Today we received the first samples of the laptop plastic body.

The quality of the plastic parts is very good!

As you can see we have already sourced the plastic body, the battery, LCD display, keyboard, touchpad, speakers, camera, microphone and all fittings.

What’s left is to design the motherboard to fit inside the plastic body.

The feeling of building your very own laptop by yourself is incredible.

Everyone can go to the shop and buy a laptop, but to build one with your own hands, and to know every component inside, is a different experience.

We are starting to seriously think about making a Do-It-Yourself kit version where you get all the components and instructions and can build your laptop.

Why not choose from different boards with different SoCs and configurations, put together to your choice.

These…


Just a list of ideas for securing servers.

I try to make sure that the first line of defense is not breached; if an attacker can breach that, then he is determined and can overcome any other defense you may have. Most of the “spray and pray” attacks on the internet are not that complicated: script kiddies attack the nodes that do not patch known vulnerabilities or lack basic protection, like having easy-to-guess passwords.

Another point to be aware of is that the more restrictive security measures we have (SELinux, etc.), the more they may work against us when we try to troubleshoot, implement a feature, or run some software that does not cope with them.

Only you can decide what level of protection you need and what is at stake. The following are the absolute minimum, and they are highly effective; use other software (IDS, HIDS) on top of this if you can afford to spend the time and effort.

* Keep the server patched at regular intervals, like weekly/bi-weekly. This is very important; it plugs known application-level vulnerabilities.

* Set up a firewall allowing access only to the ports that are needed, like TCP:80/443 for HTTP/HTTPS, UDP:53 for DNS, etc.

* Run netstat on the node to check whether any other services are listening, and permanently disable the ones you do not need: via /etc/rc.conf on BSD, chkconfig on CentOS, update-rc.d on Debian. Reboot the node and check that they stay disabled.

* Do not expose database services to the public internet; restrict them to the local network, or better yet restrict which local IPs can connect.

* SSH access can be limited to a particular network/subnet/IP at the firewall level, e.g. only from the company network, the admin team, etc.

* Prefer non-root SSH logins, with the user then using sudo/doas to perform actions that require root privileges.

* If direct root SSH login is required, set “PermitRootLogin without-password” in sshd_config and restart the SSH daemon; this ensures that only users holding a key can connect as root. Also make sure only select people have a key to log in as root; it makes them responsible and accountable.

* To monitor login attempts and general health, use something like logwatch.

* If password-based authentication must be exposed to the public (which is not recommended), use a tool like fail2ban or SSHGuard. This slows down brute-force attacks. If incorrect attempts are blocked indefinitely, combined with password expiration and password complexity (like diceware), brute-force attacks can be stopped. As this involves many variables that can go wrong, it is not recommended.

* Do not block ping unless you have experienced flood attacks; ping is necessary for troubleshooting.

The aim of security measures is to frustrate a prospective attacker into giving up, not to frustrate the admin. 😉

The other day (some months ago!) I had a task to keep old Apache logs instead of discarding them.

Logrotate is a utility that rotates logs to keep them at a manageable size. Depending on the options, logs can be rotated at a fixed interval, on size, on age of the log, etc.

There were two options:

  1. Either increase the old-log retention period in logrotate
  2. Copy the logs to a separate location and archive them, keeping the default retention period that removes old log files

With the first option the default log directory gets cluttered with old logs; with the second, the directory stays neat and you have a separate location where old logs are dumped.

In this post I will be editing the file /etc/logrotate.d/httpd; I won’t be modifying the default settings in /etc/logrotate.conf, which is the recommended approach.

Contents of /etc/logrotate.conf:

###START-of-config###

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
}

###END-of-config###

And the default contents of /etc/logrotate.d/httpd:

###START-of-httpd###

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
    endscript
}

###END-of-httpd###

After modification the file will be:

###START-of-NEW-httpd###

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
        /usr/bin/rsync -a /var/log/httpd/* /srv/backup/
    endscript
}

###END-of-NEW-httpd###

As you can see, I have used rsync to copy the files; using rsync is necessary as it skips files that were already copied and have not changed since.
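One caveat with the glob above: `/var/log/httpd/*` also matches the live access_log and error_log that httpd is still writing, so each rotation copies a partial live file into the archive and rsync will re-copy it every week because it keeps changing. The postrotate helper below is an added example, not the post's own config nor anything from logrotate or rsync: it copies only files with the dateext-style suffix the page's config produces (name-YYYYMMDD, optionally with a further extension), skips anything already present in the archive, and uses plain cp so it needs nothing beyond the base system. The log and archive paths in the demo are constructed temporary directories.

```shell
#!/bin/sh
# archive_rotated <logdir> <archive>
#   Copy rotated logs (name-YYYYMMDD[.gz]) from <logdir> into <archive>,
#   leaving the live logs alone and never overwriting an archived file.
#   Prints the name of each file copied; returns 0 when done.
archive_rotated() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    for f in "$src"/*-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]*; do
        [ -f "$f" ] || continue            # glob matched nothing
        name=${f##*/}
        [ -e "$dst/$name" ] && continue    # already archived, keep the old copy
        cp -p "$f" "$dst/$name" && printf '%s\n' "$name"
    done
    return 0
}

# demo: build a constructed log directory with one live log and two rotated
# ones, archive it twice and print how many files each pass copied (expect "2 0").
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/httpd"
    printf 'live\n' > "$tmp/httpd/access_log"          # still being written
    printf 'old\n'  > "$tmp/httpd/access_log-20151212"  # rotated by logrotate
    printf 'old\n'  > "$tmp/httpd/error_log-20151212"
    first=$(archive_rotated "$tmp/httpd" "$tmp/backup" | wc -l | tr -d ' ')
    second=$(archive_rotated "$tmp/httpd" "$tmp/backup" | wc -l | tr -d ' ')
    printf '%s %s\n' "$first" "$second"
    rm -rf "$tmp"
}

demo
```

In the httpd logrotate file the postrotate line would become `archive_rotated /var/log/httpd /srv/backup` (with the function placed in a script on the host); because sharedscripts is set, it runs once per rotation, after every log under the glob has been rotated.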

In India some IT companies and universities have restrictive firewalls, and you are forced to use a proxy server that they maintain.

As a system admin/engineer you might want to connect to servers, but this will not be possible from such networks.

Sites like YouTube, Gmail, etc. are blocked. I have been on networks that block even technical blog sites, which are harmless and helpful for the company. This might not be a problem if you use them for entertainment, but platforms like edX make use of YouTube, and blocking an educational platform works against you. Blocking technical blogs does not help employees.

I am writing this post to help you have private access. Use the following steps at your own risk, as every company has its own policy; check it first, and if they are sane enough or have a provision for exceptions, talk to them and ask them to relax the unnecessary restrictions rather than bypassing them.

OK, first, we need the following prerequisites:

1) A server running BSD or GNU/Linux on an external network with a public IP address.

2) The above server running ssh on port 443.

3) An SSH client plus tunnel software on your PC, which sits on the restricted network that allows at least port 443 (https). On BSD/Linux you will have openssh, proxytunnel, corkscrew; on Windows use PuTTY.

Without the above, the following steps won’t work for you. There are multiple ways of achieving a tunnel, but this post focuses on one specific way.

==Get a remote server==

You will need a remote server running ssh; you can get one from DigitalOcean or Vultr, both of which offer VPSs with Unix-like operating systems on which you can configure ssh.

==Configure ssh to listen on port 443 on remote server==

Now that you have this server, configure ssh, which by default listens on port 22, to listen on both 22 and 443.

In the file “/etc/ssh/sshd_config”, look for the line “Port 22” and add “Port 443”.

You will need to have:

Port 22
Port 443

Once this is edited, restart the ssh daemon after checking for possible errors in the config file.

As a privileged user run “sshd -t” and fix any error it outputs, then restart the service using “service sshd restart”. If you restart while there are errors, you risk losing your connection to the server. If necessary, check and change the firewall settings so that port 443 is reachable.
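Both this step and the “PermitRootLogin without-password” item in the server-hardening list above depend on how sshd actually reads its config: it takes the first uncommented occurrence of a keyword (a later “PermitRootLogin no” does not override an earlier “yes”), keywords are case-insensitive, “Key value” and “Key=value” are both accepted, anything after the first Match line applies only conditionally, and a few keywords such as Port and ListenAddress accumulate instead of taking the first value. The helper below is an added example, not part of either post or of OpenSSH, for reading a config file with those rules before you run `sshd -t` and restart; the sample config is constructed, not taken from a real host.

```shell
#!/bin/sh
# _sshd_scan <file> <keyword> first|all
#   Walk the global section of an sshd_config (stops at the first "Match")
#   and print the value(s) of <keyword>, case-insensitively.
_sshd_scan() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v mode="$3" '
        { gsub(/[ \t]*=[ \t]*/, " ") }                 # Key=value -> Key value
        /^[ \t]*#/ || NF < 2 { next }                  # comments and blanks
        tolower($1) == "match" { exit }                # global section ends here
        tolower($1) == kw { print $2; if (mode == "first") exit }
    ' "$1"
}

# sshd_effective <file> <keyword> : the single value sshd applies globally.
sshd_effective() { _sshd_scan "$1" "$2" first; }

# sshd_values <file> <keyword> : every value, for accumulating keywords (Port).
sshd_values() { _sshd_scan "$1" "$2" all; }

# Constructed sshd_config fragment: two Port lines as in this post, a second
# PermitRootLogin that sshd will ignore, and a Match block.
sample_sshd_config='# constructed sample, not a real host
Port 22
Port 443
PermitRootLogin without-password
PasswordAuthentication=no
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes'

# check_sample: write the sample to a temp file and report what sshd would
# apply: PermitRootLogin, PasswordAuthentication and the list of ports.
check_sample() {
    f=$(mktemp)
    printf '%s\n' "$sample_sshd_config" > "$f"
    printf '%s %s %s\n' "$(sshd_effective "$f" PermitRootLogin)" \
        "$(sshd_effective "$f" passwordauthentication)" \
        "$(sshd_values "$f" Port | tr '\n' ',')"
    rm -f "$f"
}

check_sample
```

On a real server, `sshd_effective /etc/ssh/sshd_config PermitRootLogin` and `sshd_values /etc/ssh/sshd_config Port` show what a restart will pick up; `sshd -t` remains the authoritative syntax check.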

==Configure and create a tunnel on a FreeBSD client PC==

Install tunnelling software like proxytunnel, corkscrew or httptunnel along with the openssh client.

shell> pkg install proxytunnel

Configure proxytunnel to use the HTTP proxy for connecting to the remote ssh server running on port 443. For this, edit the “~/.ssh/config” file that your ssh client uses, and add:

Host <ip_address_of_remote_server_here>
    ProxyCommand proxytunnel -p http.proxy.server.here:port_number_here -d remote_server_ip_here:443
    # Optional: keeps the connection alive while it is not being used.
    ServerAliveInterval 60
    # Optional: speeds up authentication.
    GSSAPIAuthentication no

For instance it could be the following:

Host 1.2.3.4
    ProxyCommand proxytunnel -p proxy.example.com:8080 -d 1.2.3.4:443

What this does is: when you issue the command “ssh user@1.2.3.4”, ssh reads the config file and applies the directives for this particular host/IP, which in this case direct it to use the “proxytunnel” command to tunnel your connection through the proxy given with “-p” to the destination given with “-d”.

It works because the remote destination is listening on port 443 and the restrictive proxy allows 443; the proxy thinks you are initiating an https connection.

With this you can now ssh to the remote host 1.2.3.4.

If you have a proxy that requires authentication, use the -P option of proxytunnel, like:

ProxyCommand proxytunnel -p proxy.example.com:8080 -P user_name:password_here -d 1.2.3.4:443

==Create a socks proxy==

Once you can create an ssh connection, with openssh you can take it further and create a SOCKS proxy that can be used by applications that support SOCKS, like web browsers. Before following along, open canihazip.com in your browser and note down the IP address you currently have.

Next, from the command line in a shell:

ssh -D localhost:8888 -p 443 <remote_server_ip>

With this, ssh now listens on localhost (127.0.0.1) port 8888; all communication on this port is passed through the ssh connection to remote_server_ip on port 443 and originates from there.

Now change the proxy settings of the application to use this tunnel. In a browser, set the SOCKS proxy to localhost:8888 and open canihazip.com; your IP must now be different.

Limitations:

This might not work:

* If the network uses a packet analyzer and actively blocks ssh packets.

* If the http proxy does not support the CONNECT method.

* If https is not allowed through the proxy.

These are unlikely, as they cripple network access for normal usage, unless you have a paranoid admin.

The application running on the client must support SOCKS. Alternatively, you can configure an http proxy that uses the SOCKS proxy; for this you need privoxy, proxychains, polipo, etc.
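The first limitation is worth understanding from the network side: after the proxy accepts a CONNECT to port 443, a real https session starts with a TLS record header (0x16 0x03, a handshake record for TLS 1.x) carrying the ClientHello, while an ssh session starts with the cleartext banner “SSH-2.0-...”. A proxy or analyzer that inspects the first bytes of the tunnelled stream can therefore tell the two apart regardless of the port, which is why the page says this setup fails on such networks. The function below is an added example, not part of the original post or of proxytunnel; it classifies a stream from its first four bytes using only od, and the sample inputs are constructed.

```shell
#!/bin/sh
# classify_head: read the first 4 bytes on stdin and print tls, ssh or other.
#   TLS 1.x records begin with content type 0x16 (handshake) and major version 0x03.
#   SSH connections begin with the ASCII banner "SSH-" (0x53 0x53 0x48 0x2d).
classify_head() {
    head=$(od -An -tx1 -N4 | tr -d ' \n')
    case $head in
        1603*)     echo tls ;;
        5353482d*) echo ssh ;;
        *)         echo other ;;
    esac
}

# classify_sample <name>: constructed stream heads, used for demonstration.
#   tls   : record header 16 03 01 01 1c followed by the start of a ClientHello
#   ssh   : the banner an OpenSSH server sends first
#   http  : a plain request, what a non-CONNECT-aware inspector might see
classify_sample() {
    case $1 in
        tls)  printf '\026\003\001\001\034\001' | classify_head ;;
        ssh)  printf 'SSH-2.0-OpenSSH_6.9\r\n'  | classify_head ;;
        http) printf 'GET / HTTP/1.1\r\n'       | classify_head ;;
        *)    echo other ;;
    esac
}

for s in tls ssh http; do
    printf '%s -> %s\n' "$s" "$(classify_sample "$s")"
done
```

Run against a captured payload (`head -c 4 capture.bin | classify_head`) it gives the same verdict a protocol-aware proxy would; the check is deliberately on the first record only, since that is all an inline filter needs before deciding whether to let the CONNECT stream continue.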

Further reading:

https://wiki.archlinux.org/index.php/HTTP_tunneling

https://wiki.archlinux.org/index.php/Privoxy

When I first started with GNU/Linux it was GNOME 2.30 that I was introduced to. It was a time when having 512MB of RAM was considered average or below average; people were moving to 1GB or more, and 2GB meant you had a lot of money or were a gamer.

I also discovered KDE 3.1x, which was beautiful; I was charmed by it and decided that when I installed another gigabyte of RAM I would move to KDE.

By the time I got a job and purchased 2GB of RAM, KDE 4.x was out and it was heavy. Though my AMD laptop could run it, it was getting hot and slow.

I then got the recommendation to move to XFCE, which after much research I started using. I was still a newbie learning my way around DEs and afraid of the command line. As I got used to XFCE and the command line, I was still not satisfied with the responsiveness of this new DE. I wanted something faster yet similar to the DE I was used to, or the stacking-windows paradigm ( https://en.wikipedia.org/wiki/Stacking_window_manager ), and it had to look Windows-styled, with a bar that comes with an applications menu, system notifications, etc. All the things a typical PC user might be accustomed to. You know, GNU/Linux is for everyone, not just me. It needs to be usable by non-technical people too!

That is when my journey started, with me having a rigid opinion on having a bar, and after discovering the older Unix-style tiling managers.

Anyway, I saw Puppy Linux using something similar to Win 98; I went after it and found two window managers (WMs) that look like desktop environments! And with some effort you can make them function exactly like DEs.

They were IceWM and JWM; both support one mode: stacking.

I disliked the way they looked, but had to trade off looks for efficiency, speed and resource usage. Still, the effort and time it took to make them work was not desirable; rather than editing config files I wanted something I could just point, click and configure.

This journey then led me to Enlightenment, which in release 17 offered both stacking and tiling modes, speed, low resource utilization, system modules, eye candy, and point-and-click configuration menus!

Wow! It had everything; it is not just a WM but a hybrid, a mix of a DE and a WM.

I saw a trend in the way DEs have evolved: today you have GNOME 3.x, KDE 5.x and XFCE 4.x, and LXDE will be merged with Razor-qt to become LXQt.

I noticed that all of them were coming out with nice features at the cost of resources. This made me wonder: will this ever end? No. It continues, so users like me who prefer not to upgrade machines, for whatever reason, can stick to WMs, and there you have choices; they remain lean yet functional, and some of them are better than the DEs in many ways. Enlightenment looked like it, and it still is my choice.

PS: In case you are longing for the old KDE 3.x like I still do, it is now TDE -> https://www.trinitydesktop.org/ I hope the developers port it to FreeBSD.