Page 2 - My FreeBSD weblog

getting proftpd to work with IPFIlter specifying certain IP addresses was challenging. I ended up adding some rules in the /etc/ipf.conf to keep state outbound tcp connections. was the rule that did the trick. <br><br>pass out proto tcp all keep state<br><br>Here are the readings.<br><br>http://home.earthlink.net/~jaymzh666/ipf/IPFprob.html#14<br><br>I have an FTP server behind an IPF firewall, and I'm having problems serving passive FTP. <br>The IPF How-To gives a good explination of this. The client will try to connect to the server's internal IP address because that's the way passive FTP works: the server tells the client it's IP address in the payload and the client connects to it.<br><br>The solution is to explicitly tell your FTP server what to report as it's IP address, and give it a range of ports to give out as well. You will then need to redirect traffic from those ports on your IPF box to the FTP server. Each FTP server is different, and you'll need to read the manual for your specific software, but to give an example, you can specificy this information in WU-FTPd's configuration file as follows: passive ports 0.0.0.0/0 32768 49151<br>passive address your.pub.IP.addr 0.0.0.0/0<br><br>At the time of writing it's been reported that Microsoft IIS's FTP server is not capable of being configured this way. However, most Unix FTP servers should have an option for this somewhere. <br><br><br>Running an FTP Server <br><br>http://www.obfuscation.org/ipf/ipf-howto.html<br>In running an FTP server, handling Active FTP sessions is easy to setup. At the same time, handling Passive FTP sessions is a big problem. First we'll cover how to handle Active FTP, then move on to Passive. Generally, we can handle Active FTP sessions like we would an incoming HTTP or SMTP connection; just open the ftp port and let keep state do the rest:<br>pass in quick proto tcp from any to 20.20.20.20/32 port = 21 flags S keep state<br>pass out proto tcp all keep state<br>These rules will allow Active FTP sessions, the most common type, to your ftp server on 20.20.20.20.<br><br><br><br>The next challenge becomes handling Passive FTP connections. Web browsers default to this mode, so it's becoming quite popular and as such it should be supported. The problem with passive connections are that for every passive connection, the server starts listening on a new port (usually above 1023). This is essentially like creating a new unknown service on the server. Assuming we have a good firewall with a default-deny policy, that new service will be blocked, and thus Passive FTP sessions are broken. Don't despair! There's hope yet to be had.<br><br><br><br>A person's first inclination to solving this problem might be to just open up all ports above 1023. In truth, this will work:<br>pass in quick proto tcp from any to 20.20.20.20/32 port > 1023 flags S keep state<br>pass out proto tcp all keep state<br>This is somewhat unsatisfactory, though. By letting everything above 1023 in, we actually open ourselves up for a number of potential problems. While 1-1023 is the designated area for server services to run, numerous programs decided to use numbers higher than 1023, such as nfsd and X.<br><br><br><br>The good news is that your FTP server gets to decide which ports get assigned to passive sessions. This means that instead of opening all ports above 1023, you can allocate ports 15001-19999 as ftp ports and only open that range of your firewall up. In wu-ftpd, this is done with the passive ports option in ftpaccess. Please see the man page on ftpaccess for details in wu-ftpd configuration. On the ipfilter side, all we need do is setup corresponding rules:<br>pass in quick proto tcp from any to 20.20.20.20/32 port 15000 >< 20000 flags S keep state<br>pass out proto tcp all keep state<br>If even this solution doesn't satisfy you, you can always hack IPF support into your FTP server, or FTP server support into IPF.

remember to stop and start proftpd for new settings<br><br>ProFTPd, http://www.proftpd.net, is an increasingly popular FTP server due to its modularity and Apache-style configuration directives. ProFTPd also supports virtual hosts "out of the box", causing it to become one of the most common FTP servers used by web hosting companies. <br><br>As of version 1.20RC3 and later (current version as of this writing is 1.2.4), ProFTPd supports a directive called PassivePorts. The PassivePorts directive is usually used in a global context in the proftpd.conf file (the location of which varies depending on how ProFTPd was configured and installed). PassivePorts takes two arguments, the minimum port number and the maximum port number, as in the below example: <br><br>PassivePorts 51000 51999<br><br>The ProFTPd documentation has the following to say about the PassivePorts directive: <br><br>PassivePorts restricts the range of ports from which the server will select when sent the PASV command from a client. The server will randomly choose a number from within the specified range until an open port is found. Should no open ports be found within the given range, the server will default to a normal kernel-assigned port, and a message logged.

"/usr/local/bin/cvsup -g -L 2 /etc/cvsupfile" ¦<br> ¦ or put the command in your /etc/daily.local file for automatic updates. ¦<br> +-

its saturday and i'm setting up a second server with BSD. the system date/time is 5 years in the past and KDE won't let me logged in as root to reset it. it was easy once finding an example. for more info type in man date <br><br>http://www.gsp.com/cgi-bin/man.cgi?section=1&topic=date is the link.<br><br> The command:<br><br> date -v1d -v3m -v0y -v-1d<br><br> will display the last day of February in the year 2000:<br><br> Tue Feb 29 03:18:00 GMT 2000<br><br> The command:<br><br> date -v1d -v+1m -v-1d -v-fri<br><br> will display the last Friday of the month:<br><br> Fri Aug 29 04:31:11 BST 1997<br><br> where it is currently Mon Aug 4 04:31:11 BST 1997.<br><br> The command:<br><br> date 8506131627<br><br> sets the date to ``June 13, 1985, 4:27 PM''.<br><br> The command:<br><br> date 1432<br><br> sets the time to 2:32 PM, without modifying the date.

tried installing php-4.3.0 and the libphp4.so didn't get extracted and put in /usr/local/libexec/ directory when i downloaded php-4.3.0.tar.gz version, the <br><br>i redownloaded this version and the libphp4.so was extracted after running make and make install<br>http://www.php.net/get_download.php?df=php-4.3.0.tar.bz2

tried installing php-4.3.0 and the libphp4.so didn't get extracted and put in /usr/local/libexec/ directory when i downloaded php-4.3.0.tar.gz version, the <br><br>i redownloaded this version and the libphp4.so was extracted after running make and make install<br>http://www.php.net/get_download.php?df=php-4.3.0.tar.bz2

When unpacked, the distribution creates a subdirectory called webmin-1.050 under the current directory. So, if you want to install Webmin into /usr/local/webmin-1.050 you should do something like: <br><br>[root@futplex ~]# cp webmin-1.050.tar.gz /usr/local<br>[root@futplex ~]# cd /usr/local<br>[root@futplex local]# gunzip webmin-1.050.tar.gz<br>[root@futplex local]# tar xf webmin-1.050.tar<br>[root@futplex local]# cd webmin-1.050<br>[root@futplex webmin-1.050]# ./setup.sh<br><br> When the setup.sh script is run, it will ask the following questions :

to set the date on a FreeBSD box<br><br>'this command<br>date 0301190138<br><br>'makes this the server date/time<br>Sun Jan 19 01:38:00 EST 2003

Until i learn this file system, the /etc stores most all of the configuration files. /usr/ stores all the programs that are installed. I'd like to learn more how to control where all the ports get installed. this is part of my in-experience of the BSD file structure but seems to put various files everywhere. the path to the CVSUP example files are <br><br>/usr/local/share/examples/ path.<br><br>to update the ports i use just the ports-cvsup file.<br><br>/usr/local/bin/cvsup -g -L 2 /etc/ports-supfile is the command once you've copied the example file and changed to an appropriate cvsup server. http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html#CVSUP-MIRRORS has a list of links to sites that maintain updated ports

HA! I found the magic command to scan the file system to do searchs from a command line.<br>http://www.washington.edu/R870/Tools.html#HDR7<br><br>find starting directory -name nameoffile -print //what to do with it.<br>'This does a search starting the root directory and print out the ports-supfile file.<br>find / -name ports-supfile -print<br><br>'here are the results<br>/usr/share/examples/cvsup/ports-supfile<br>/usr/src/share/examples/cvsup/ports-supfile<br>/usr/src/ports-supfile<br><br>3.4 ps command (BSD)<br>Common options:<br><br>-a print all processes involving terminals<br><br>-e print environment and arguments<br><br>-l long listing<br><br>-u print user information<br><br>-xi nclude processes with no terminals<br><br>Meaning of user information columns:<br><br>%CPU percentage use of CPU<br><br>SZ total size (in 1024 byte pages) of the process<br><br>RSS total resident size (in pages) of the process<br><br>STAT state of the process<br><br>TIME time, including both user and system time<br><br>Here is an example of the output of ps under SunOS (System V style).<br><br>3.5 find command<br># find starting-dir(s) matching-criteria-and-actions<br><br>Matching criteria<br><br>-atime n file was accessed n days ago<br><br>-mtime n file was modified n days ago<br><br>-size n file is exactly n 512-byte blocks<br><br>-type c file type (e.g., f=plain, d=dir)<br><br>-name nam file name (e.g., `*.c')<br><br>-user usr file's owner is usr<br><br>-perm p file's access mode is p<br><br>Actions<br><br>-print display pathname<br><br>-exec cmd execute command ({} expands to file)<br><br>3.6 find examples<br># find . -name *.c -print<br># find / -size +1000 -mtime +30 <br> -exec ls -l {} ;<br># find / ( -name a.out -o -name core <br> -o -name '#*#' ) -type f -atime +14 <br> -exec rm -f {} ; -o -fstype nfs -prune<br><br>(Removes unnecessary files that are older than two weeks old, but doesn't descend NFS mounted file systems while searching)<br><br># find / ( -perm 2000 -o -perm 4000 ) <br>-print | diff - files.secure<br><br>(Does a difference on all file names that have SUID or SGID permissions against a pre-defined list of files)

procmail basics<br>http://www.onlamp.com/pub/a/bsd/2001/12/06/FreeBSD_Basics.html<br><br>filtering spam with procmail<br>http://www.onlamp.com/pub/a/bsd/2002/01/10/FreeBSD_Basics.html<br><br>Several FreeBSD basic articles<br>http://www.onlamp.com/pub/ct/15<br><br>################################################## ######################<br>##<br>#<br><br>NOTE: No content/virus scanner was found on your system - so only the<br>internal perlscaner will be available for you to use.<br><br>Hope that's what you expected <img src="/forum/emoticons/smile.gif" alt=":-)"><br><br>#<br>##<br>################################################## ######################<br><br><br><br> ****** FINAL TEST ******<br><br>Please log into the "qmaild" account and run<br>/var/qmail/bin/qmail-scanner-queue.pl -g<br><br>If you see the error "Can't do setuid", or "Permission denied", then<br>refer to the FAQ.<br><br>(e.g. "setuidgid qmaild "/var/qmail/bin/qmail-scanner-queue.pl -g"<br>or "su qmaild -c "/var/qmail/bin/qmail-scanner-queue.pl -g")<br><br><br>That's it! To report success:<br><br> % (echo 'First M. Last'; cat SYSDEF)|mail jhaar-s4vstats@crom.trimble.co.nz<br>Replace First M. Last with your name.<p> </p><p><hr size="1" width="50%" align="left" />*----------------------------------------*<br>* Steve Schofield<br>* steve@aspfree.com<br>*<br>* Microsoft MVP - ASP.NET<br>* http://www.aspfree.com<br>* <br>*----------------------------------------*</p><p><i>Last Edited : 2/25/2003 1:28:20 AM GMT</i></p>

Qmail and FreeBSD have been up for 2 weeks straight, i'm liking this as a backup mail solution but would like to take it further and use it for filtering, stripping attachments. Qmail-scanner seems to have this functionality but it has several requirements that i have no idea where to start, guess its time to go googlin!<br><br>'Link how to install this perl module<br>http://search.cpan.org/author/JHI/Time-HiRes-1.42/HiRes.pm<br><br>'Link to download qum<br>http://prdownloads.sourceforge.net/qmail-scanner/qmail-scanner-1.15.tgz?use_mirror=telia<br><br>Here are the requirements, when I try to run ./configure it bombs Perl module Time::HiRes missing. Ok time to figure this out! Arg!<br> <br><br>Qmail 1.03 (there's a patched src RPM for Linux users available that contains the QMAILQUEUE patch amongst other things - just "rpm --rebuild" as root to build your own i386.rpm. NOTE: I cannot vouch for it - I do not use it. Please ensure you know how it works before installing Qmail-Scanner.) <br>reformime from Maildrop 1.3.8+ <br>Perl 5.005_03+ <br>Perl module Time::HiRes <br>Perl module DB_File (most distributions come with it pre-installed, although the latest Perl doesn't) <br>Perl module Sys::Syslog (most distributions come with it pre-installed) <br>Barely Optional: Mark Simpson's TNEF unpacker. Can decode those annoying MS-TNEF MIME attachments that Microsoft mail servers just love to use. If you don't have this, there are several classes of Email that you basically won't be able to detect viruses in.<p> </p><p><hr size="1" width="50%" align="left" />*----------------------------------------*<br>* Steve Schofield<br>* steve@aspfree.com<br>*<br>* Microsoft MVP - ASP.NET<br>* http://www.aspfree.com<br>* <br>*----------------------------------------*</p>

Check the ports, i own subdue this bit of advice, i had to install the HI:Res port and maildrop and qmail-scanner worked, now just reading the docs how to configure it! <p> </p><p><hr size="1" width="50%" align="left" />*----------------------------------------*<br>* Steve Schofield<br>* steve@aspfree.com<br>*<br>* Microsoft MVP - ASP.NET<br>* http://www.aspfree.com<br>* <br>*----------------------------------------*</p>

Spent the evening trying to get http://www.courier-mta.com working and was able to install using the ports collection. trying to configure the webadmin says its 3 easy steps to install OK sure! NOT! says to type make install-webadmin-password should prompt you for a password, all i get is an error. Spent an evening in the groups.google.com and found others having the same issue. they say read the docs, come on i don't mind reading when it actually does work! guess i'm still stupid when it comes to baking my own config. Really pisses me off when i can't get something to work, this package has imap, spam control, pop3, smtp along with a web interface. i'll continue read docs, to try to figure out get this functional. when i do a ps -ax all the processes that seemed to be associated with courier but i can't get the webadmin to install, i get the login page to come up but can't get the password to go. Stay tuned i guess! Good things i was able to get apache 1.3.27 with ssl install funny that the default cert that comes with it says its from www.snakeoil.dom ole well another evening of being humbled by FreeBSD, suppose i should get Red Hat and become productive but that would be no fun not learning.<p> </p><p><hr size="1" width="50%" align="left" />*----------------------------------------*<br>* Steve Schofield<br>* steve@aspfree.com<br>*<br>* Microsoft MVP - ASP.NET<br>* http://www.aspfree.com<br>* <br>*----------------------------------------*</p>

HA! I said screw trying to get courier loaded and try something else. I've always relied on cheapy free scanners/hacker cracker things to insure servers were patched. Friend of mine told me about nmap and nessus. I checked out nmap was a port scanner but nessus contained a boatload of plug-ins (1100+ ) and had nmap integrated. There is a port for nessus for FreeBSD so I thought it would be a worthwhile evening to try get it going. look under /usr/ports/security directory there are a few ports i installed nessus, nessus-libnasl, nessus-libraries, nessus-plugins. <br>make sure once its installed run /usr/local/etc/nessus-adduser this will allow a local or remote login. Also before launching the client launch nessusd to get the server up and going, then launch nessus. This will launch a java GUI client to login and run the test. Before running the test I'd not recommend running on any random hosts. This is intended to use as a test against your own machines it could potentially take down a remote host not ready for this type of scanning traffic. so run at your own risk! There are two clients to run nessus, a windows client you can get at <br>http://nessuswx.nessus.org/index.htm#download also you can download nessus its released under GNU http://www.nessus.org Also check out groups.google.com for additional help. One thing i noticed you have to log in before any of the plug-ins list will show up. Enjoy...<br><br>' various ports listed under BSD.<br> nessus<br> nessus-devel<br> nessus-libnasl<br> nessus-libnasl-devel<br> nessus-libraries<br> nessus-libraries-devel<br> nessus-plugins<br> nessus-plugins-devel<p> </p><p><hr size="1" width="50%" align="left" />*----------------------------------------*<br>* Steve Schofield<br>* steve@aspfree.com<br>*<br>* Microsoft MVP - ASP.NET<br>* http://www.aspfree.com<br>* <br>*----------------------------------------*</p>