Computer Stuff
Installing an OpenBSD VirtualPC on a Mac
by Brian on Jan.22, 2006, under Mac OSX, OpenBSD
The following directions are for OpenBSD and Virtual PC on the Macintosh, and assume familiarity with the installation and use of both. Note that if you have OpenBSD CDs, you may boot off the i386 CD to perform the installation. Please refer to either the OpenBSD/i386 installation documentation or the Virtual PC documentation in case of questions, as documenting the installation of either is beyond the scope of this document.
- Grab (buy) the latest OpenBSD release. (There's a link on the Links page.)
- Create a Virtual PC hard disk image file of the size you want your OpenBSD hard disk to be, at least a gigabyte if you want to unpack the source tree and have a usable system. However, you can get away with a hard disk as small as 300MB or so for a complete installation.
- Change the Virtual PC partition to use a fixed file size on your local disk. You *CANNOT* use a dynamically resizable partition. The only drawback to this is that a 10 GB partition takes up 10 GB, even if most of it is empty space. OpenBSD does not like dynamically resizing partitions: installing OpenBSD on one of these will hang while extracting base3x.tgz (or on misc3x.tgz, if it makes it through base3x.tgz).
- Capture your OpenBSD CD or the cd38.iso image to the VirtualPC’s cdrom drive.
- Start up the VirtualPC, and boot to the captured CD image.
- Perform OpenBSD install as usual.
- Shut down the virtual machine with halt…
Using Multiple Pre-Shared Keys with OpenBSD ISAKMPD
by Brian on Jan.02, 2006, under OpenBSD
Having an Open Source IPSec VPN into the office is nifty. It usually also means others will want to appreciate its niftiness… (and use your bandwidth to check their Exchange calendars). So, do you want 30 or so other users out there with their perpetually un-locked, spyware and virus-vulnerable XtraPenetrable laptops, holding the only pre-shared key to your VPN? Of course not. (You really don't.) So, implement one pre-shared key per user, or one key per group, depending on your policy of access revocation.
We really like OpenBSD around here, and may sound like men with a hammer thinking everything is a nail, but it really does do *everything* well as far as we use it. So here’s the setup.
First, you must create the config files for ISAKMPD.
$ sudo touch /etc/isakmpd/isakmpd.conf
$ sudo touch /etc/isakmpd/isakmpd.policy
Then, turn on the AH and ESP protocols by editing /etc/sysctl.conf:
net.inet.esp.enable=1 # 0=Disable the ESP IPsec protocol
net.inet.ah.enable=1 # 0=Disable the AH IPsec protocol
Or, just do it from the shell:
$ sudo su
# sysctl -w net.inet.esp.enable=1
# sysctl -w net.inet.ah.enable=1
Now, we'll set up a basic road-warrior configuration in /etc/isakmpd/isakmpd.conf.
Here’s an example.
Next, we’ll set up the multiple pre-shared keys in the policy file.
Here’s another example.
After editing these files, you'll need to change the permissions on them.
$ sudo su
# chmod 0500 /etc/isakmpd/isakmpd.conf /etc/isakmpd/isakmpd.policy
Now allow the VPN traffic through your packet filter:
Here’s another example.
Apply the new packet filter configuration:
# pfctl -f /etc/pf.conf -F all -d -e
Fire up ISAKMPD in debug mode so you can see any incoming connections:
$ sudo su
# isakmpd -d -DA=75
Once your road-warrior connects successfully, kill the debug mode ISAKMPD and start it in normal daemon mode.
$ sudo su
# pkill -9 isakmpd && isakmpd
Now, connect a road-warrior machine to the outside of your firewall, and check for your security associations.
$ sudo su
# ipsecadm show
If you have a valid VPN connection, you should see something like this:
sadb_dump: satype esp vers 2 len 40 seq 0 pid 0
sa: spi 0x80655c1b auth hmac-sha1 enc 3des-cbc
state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 0 add 1136234418 first 0
lifetime_soft: alloc 0 bytes 0 add 0 first 0
lifetime_hard: alloc 0 bytes 0 add 28800 first 0
address_src: 192.168.245.2
address_dst: 192.168.209.2
identity_src: type prefix id 0: 192.168.245.2/32
identity_dst: type prefix id 0: 192.168.209.2/32
key_auth: bits 160: 9dfde94cd9708d6a995a4d238
key_encrypt: bits 192: 3bc2f3f7f0fbce8a12ae73966c5
sadb_dump: satype esp vers 2 len 40 seq 0 pid 0
sa: spi 0x895dcf4b auth hmac-sha1 enc 3des-cbc
state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 0 add 1136261627 first 0
lifetime_soft: alloc 0 bytes 0 add 25920 first 0
lifetime_hard: alloc 0 bytes 0 add 28800 first 0
address_src: 192.168.245.2
address_dst: 192.168.209.2
identity_src: type prefix id 0: 192.168.245.2/32
identity_dst: type prefix id 0: 192.168.209.2/32
key_auth: bits 160: 9d8c52703983b1497b655a9
key_encrypt: bits 192: 39875c4b8fd77ec740f37da27d
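As an added example (not part of the original post): a small audit of the ipsecadm show dump above that lists each SA's algorithms, peers and hard lifetime and flags single DES, HMAC-MD5 or an unbounded lifetime. The sample input is constructed from the dump shown (keys omitted) plus one deliberately weak SA; the algorithm policy and the one-day lifetime bound are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an `ipsecadm show` dump.
# Prints one line per SA: spi, auth alg, enc alg, src->dst, hard lifetime, verdict.
# The policy (flag single DES / HMAC-MD5, require a non-zero hard lifetime of at
# most one day) is an assumption of this example, not a setting from the post.

# Constructed sample: the first SA is the one shown above (keys omitted),
# the second is a deliberately weak SA added to exercise the checks.
SAMPLE_DUMP='sadb_dump: satype esp vers 2 len 40 seq 0 pid 0
sa: spi 0x80655c1b auth hmac-sha1 enc 3des-cbc
state larval replay 0 flags 4
lifetime_hard: alloc 0 bytes 0 add 28800 first 0
address_src: 192.168.245.2
address_dst: 192.168.209.2
sadb_dump: satype esp vers 2 len 40 seq 0 pid 0
sa: spi 0x0badc0de auth hmac-md5 enc des-cbc
state mature replay 0 flags 4
lifetime_hard: alloc 0 bytes 0 add 0 first 0
address_src: 192.168.245.2
address_dst: 192.168.209.3'

audit_sas() {
  # Reads a dump on stdin; each "sadb_dump:" header starts a new SA record.
  awk '
    function flush() {
      if (spi == "") return
      verdict = "OK"
      if (enc == "des-cbc" || auth == "hmac-md5") verdict = "WEAK-ALG"
      else if (hard == "" || hard + 0 == 0 || hard + 0 > 86400) verdict = "BAD-LIFETIME"
      printf "%s %s %s %s->%s hard=%s %s\n", spi, auth, enc, src, dst, hard, verdict
      spi = ""; auth = ""; enc = ""; hard = ""; src = ""; dst = ""
    }
    /^sadb_dump:/     { flush() }
    /^sa: /           { spi = $3; auth = $5; enc = $7 }
    /^lifetime_hard:/ { hard = $7 }
    /^addres?s_src:/  { src = $2 }   # tolerates the "addres_src" spelling seen in dumps
    /^addres?s_dst:/  { dst = $2 }
    END               { flush() }
  '
}

# Offline run on the sample; on the firewall use:  ipsecadm show | audit_sas
printf '%s\n' "$SAMPLE_DUMP" | audit_sas
```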
You can also check the VPN connections with netstat:
$ sudo su
# netstat -rn
It should output something like this:
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.0/24 0 192.168.10/24 0 0 192.168.245.2/50/use/in
192.168.10/24 0 192.168.0/24 0 0 192.168.209.2/50/require/out
I realise this is short, (I wasn’t paid to write this book) ;) so please feel free to post any questions or comments.
KDE 4 to support Apple's Dashboard Widgets!
by Brian on Jan.02, 2006, under Mac OSX
As seen here, the KDE project is working on the integration of Apple’s Dashboard widgets. One more reason to run *nix on PPC hardware.
Snort Reports with SnortALog
by Brian on Dec.27, 2005, under Networking, OpenBSD
SnortALog v2.4.0 is a really nice Snort logfile reader/parser Perl script written by Jeremy Chartier. Thank you, Jeremy! It's an *incredible* piece of work! Get a copy from his website. I installed mine on OpenBSD-3.8-STABLE, but I also needed the p5-GD-Graph package from the ports tree.
$ cd /usr/ports/graphics/p5-GD-Graph
$ sudo make install
Then, I wrote the script to run SnortALog, and set it to run from root's crontab.
Here’s a screenshot of the HTML output.
Graphing packet traffic with pf & pfstat
by Brian on Dec.21, 2005, under Networking, OpenBSD
Getting a good visual representation of your network traffic has never been easier. We use OpenBSD for most of our firewalling applications, and for VoIP/VPN solutions. As a result, we (as well as our customers) need to closely track the bandwidth utilization of some of the endpoints for quality of (VoIP) service reasons. RRDTool and MRTG are both very excellent tools, but what to do when SNMP is not an option? Pfstat, available in the OpenBSD ports tree, solves this problem, and is *considerably* easier to install and configure.
First, install pfstat.
$ cd /usr/ports/net/pfstat
$ sudo make install
Now, set it up. You need to create a few files first.
$ sudo touch /var/log/pfstat
$ sudo touch /etc/pfstat.conf
Now, set up the /etc/pfstat.conf file you just created.
$ sudo vi /etc/pfstat.conf
Here's an example pfstat.conf I found on benzedrine.cx (the homepage of the author of pf & pfstat) and modified just slightly.
Thank you, Mr. Hartmeier. Your work is amazing.
Speaking of Pf, we need to edit the packet filter configuration, to set the log interfaces.
$ sudo vi /etc/pf.conf
Now, find your interface names. (Mine are $ext_if=rl0 and $int_if=fxp0)
So, I added the following lines to /etc/pf.conf:
set loginterface rl0
set loginterface fxp0
(It has been pointed out that this is incorrect: the last interface listed is the one that will get used. Thanks, Jon.)
Load the new packet filter configuration:
$ sudo pfctl -f /etc/pf.conf
Now, edit root’s crontab to run pfstat and update your graphs.
$ sudo su
# crontab -e -u root
and add the following two lines to it:
* * * * * /usr/local/bin/pfstat -q >>/var/log/pfstat
*/5 * * * * /usr/local/bin/pfstat -c /etc/pfstat.conf -d /var/log/pfstat >/dev/null
Hold “Shift” and hit “ZZ” to save and exit root’s crontab.
To force the creation of the graph images, run this:
$ sudo /usr/local/bin/pfstat -q >>/var/log/pfstat
$ sudo /usr/local/bin/pfstat -c /etc/pfstat.conf -d /var/log/pfstat >/dev/null
Now, you just need an HTML document to display your nifty new graphs.
Here’s the one I use.
Save it to /var/www/htdocs/traffic_stats.html, and start up apache:
$ sudo apachectl start
and check out your traffic:
http://your.web.server/traffic_stats.html
Mike Lynn was right.
by Brian on Dec.06, 2005, under Networking
According to this article, Mike Lynn has found 15 new, more dangerous flaws in Cisco IOS software.
“Essentially there are more bugs, and they’ve gagged me from telling anyone the details of what they are,” Lynn said.
RoundCube Webmail is BEAUTIFUL!
by Brian on Nov.30, 2005, under OpenBSD
I have a fully functional Postfix server running Apache and MySQL.
As RoundCube’s webmail requires IMAP, I also installed the Dovecot IMAP server from the OpenBSD ports tree. Then, I unzipped RoundCube’s webmail package to my webroot, and in 5 minutes it was running and working properly on an OpenBSD-3.8-STABLE server. Check it out at RoundCube’s website.
This is a must-have webmail interface. (Even though it's kinda RedHat-ish, I still like it!)
Plus, it’s completely skinnable with XHTML and CSS2.
OpenBSD 3.7 to 3.8 upgrade is *simple*
by Brian on Nov.06, 2005, under OpenBSD
I’ve just spent a few days out of town, and realised upon my return, that OpenBSD 3.8 has been released! yay!
I chose to use the "Upgrade without install media" method, not because I couldn't access the machine, but because I can't stand being in the server closet, standing there, installing something, waiting…
I should be able to supply the media, manually overwrite the system files, and re-boot to my new OS (from the couch ; ). Well, now I can. (And I did!)
So, to begin, I verified that my 3.7-STABLE install was running all necessary patches, then followed this document found on OpenBSD’s site regarding upgrading from OpenBSD 3.7 to 3.8. It worked flawlessly, and now my dmesg happily reports:
OpenBSD 3.8 (PRINCETON) #0: Sun Nov 6 01:17:15 CST 2005
root@cryptednets.org:/usr/src/sys/arch/i386/compile/PRINCETON
cpu0: Intel Pentium III ("GenuineIntel" 686-class, 128KB L2 cache) 565 MHz
real mem = 132489216 (129384K)
avail mem = 114262016 (111584K)
Need a cross-platform Unix command cribsheet?
by Brian on Oct.28, 2005, under OpenBSD
Here it is!
These UNIX commands will help out if you need to log in to a foreign system and pkg_info just doesn't work for you!
Thanks, Unixguide! Who knew that "instfix -i" shows all installed patches on AIX? (Not me.)
The WordPressDash – It’s really too easy…
by Brian on Oct.22, 2005, under Mac OSX
This was posted using WordPressDash version 0.3.
It was written by the obviously talented Paniris Web development.
It’s a very cool must-have widget for OS X 10.4. (aka. Tiger)
So, making use of the very cool Exposé (which gives the overlaid panel of tools you see in the screenshot below), posting to a WordPress blog is now as easy as mousing into the right corner of my screen to bring up the dashboard, and clicking "New Post".
Thank you, Paniris, for your very excellent widget!