toad-one.org

I doubt that anybody will notice but I have moved an old FreeBSD blog onto this site. I will try to move the tools over when I have time.

Qmail, Chkuser, FreeBSD Ports.

Long time, no post.

I was looking for a way to get the chkuser patch compiled into qmail-smtpd while still using the FreeBSD Ports system.

I found another article here, but when I tried it, the compile failed during the patching process. I’m not sure exactly what is happening, but from what I can tell the other patches I chose during the qmail compile dialog changed qmail-smtpd.c to the extent that the chkuser patch failed.

The only way I was able to get it to work was to stop selecting so many other patches from the dialog.
This is my /var/db/ports/qmail/options file:

# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for qmail-1.03_7
_OPTIONS_READ=qmail-1.03_7
WITHOUT_SMTP_AUTH_PATCH=true
WITH_QMAILQUEUE_PATCH=true
WITHOUT_BIG_TODO_PATCH=true
WITHOUT_BIG_CONCURRENCY_PATCH=true
WITHOUT_OUTGOINGIP_PATCH=true
WITHOUT_LOCALTIME_PATCH=true
WITHOUT_QMTPC_PATCH=true
WITHOUT_MAILDIRQUOTA_PATCH=true
WITHOUT_BLOCKEXEC_PATCH=true
WITH_DISCBOUNCES_PATCH=true
WITHOUT_SPF_PATCH=true
WITHOUT_TARPIT_PATCH=true
WITHOUT_EXTTODO_PATCH=true
WITHOUT_QEXTRA=true
WITH_RCDLINK=true


So in summary.

cd /usr/local/src
wget http://www.interazioni.it/opensource/chkuser/download/archives/chkuser-2.0.9-release.tar.gz
tar xzvf chkuser-2.0.9-release.tar.gz
cd /usr/ports/mail/qmail/files
cp /usr/local/src/chkuser-2.0.9-release.patch .

Follow this selecting the patches I have listed above.

make
cd /usr/ports/mail/qmail/work/qmail-1.03/
cp qmail-smtpd /var/qmail/bin/


If anybody has any ideas on how to do this better, especially with the spf and tarpit patch I would love to hear about them.

Add a password to an ssh key

If you would like to change the password of an ssh private key, or add a password after the fact.

$ ssh-keygen -p -f id_dsa
Enter old passphrase:
Key has comment 'id_dsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
$


Portupgrade Timesaver

Every once in a while I run across a machine that is not as fast as I would like it to be.

As you know upgrading ports by having portupgrade compile them from source can take quite a while.
FreeBSD tries to compile as many of the ports as they can and then put the packages on their ftp server.


export PACKAGESITE=ftp://ftp.$MIRROR.freebsd.org/pub/FreeBSD/ports/i386/packages-$VERSION-stable/Latest/

Replace $MIRROR with your country code, and $VERSION with your version of FreeBSD, ie 7.


portupgrade -PP portname(To upgrade one port)
or
portupgrade -PPa(To upgrade all your ports)

The -PP will force portupgrade to use only compiled packages, it will fail if there is no compiled version of that port.


portupgrade -P portname(To upgrade one port)
or
portupgrade -Pa(To upgrade all your ports)

Using only one -P will cause portupgrade to try to download the package, but if it fails it will revert to compiling from source as usual.

Portupgrade Problems

Recently I noticed a problem doing a portsdb -Uu.

Portupgrade was complaining about a missing bsd.port.options.mk.
I tried cvsuping the ports, a make fetchindex, deleting all the ports and re cvsuping, but nothing worked.

I’m not sure what the problem was, but it seemed to fix itself by upgrading to FreeBSD 7 from 6.3.

Long time, no articles.

Wow, has it been that long?

I have been pretty busy at work lately, but I need to get off my ass and start loading up some boxes with FreeBSD 7.0.

I guess there isn’t much to write about when things aren’t broken.

Portaudit Tip

If you are still using it you will have noticed that there have been several security problems with PHP4 lately.

Trying to do a portupgrade php4 with portaudit installed will fail because of known problems in the port.
Unfortunately if you have a old version of the port installed that stops you from upgrading to the latest version of the port(even if it is vulnerable).

To get past this simply
# portupgrade -m "DISABLE_VULNERABILITIES=yes" php4

SSHD brute force attacks

Tested on FreeBSD 6.2

Normally I just use hosts.allow to control SSH guessing attacks by white listing IPs that should be connecting to my box, but it is not always an option. I’m also not just going to let people just pound away for hours trying to guess random passwords even though I use only keys for authentication.

I had tried several solutions before I found sshguard.
It is simple yet powerful and supports ipfw, pf, iptables, and tcp wrappers.

The only problem is that the version in the ports has a bug that causes the program to drop a core. ie
kernel: pid 1665 (sshguard), uid 0: exited on signal 6 (core dumped)

The solution which I found from here is to edit a few quick lines in sshguard.c.

It’s not ideal, but it works.

# cd /usr/ports/security/sshguard
# make fetch extract
# cd work/sshguard-1.0/src
# vi sshguard.c


Make the changes listed above.

# cd ../../..
# make install clean
# vi /etc/syslog.conf


You will notice a line like:
#auth.info;authpriv.info |exec /usr/local/sbin/sshguard
Uncomment this line and restart syslogd

# /etc/rc.d/syslogd restart


Make sure that /etc/hosts.deny has a ALL: ALL (If you don’t have anything else using wrappers), and hosts.allow has SSHD: ALL.

hosts.allow should end up looking like this:

###sshguard###
###sshguard###
SSHD: ALL


sshguard will add the first two lines after a the first ssh login.

That is it for this quick howto but there is support for white listing and a whole slew of other options in the manpages.

# man sshguard


Good luck

Portupgrade Problem

I noticed that after the portupgrade port was moved from sysutils/portupgrade to ports-mgmt/portupgrade that portupgrade complains with:

cd: can’t cd to /usr/ports/sysutils/portupgrade

I’m not sure if I fixed this the right way, but what I did was

# pkg_delete portupgrade-X.X.X_X
# cd /usr/ports/ports-mgmt/portupgrade
# make install clean
# portsdb -uU
# portversion -l “<”

Everything seemed to work after that.

A little spyware protection.

I’m probably not the only person out there who has Windows XP on their network(gasp).
Trying to get my wife to use FreeBSD is not worth the effort.

Besides using FreeBSD as a firewall for my entire home network, I also use it as our DNS server.
In comes Blackhole DNS. The basic idea is to not resolve any sites that are known to be associated with malware.

FreeBSD already comes with BIND installed so we just have to activate it and work on the config files to get this to work.

First add this to /etc/rc.conf
named_enable=”YES”

# cd /etc/namedb
# wget http://www.bleedingsnort.com/blackhole-dns/files/blockeddomain.hosts
# wget http://www.bleedingsnort.com/blackhole-dns/files/spywaredomains.zones
# wget http://www.bleedingsnort.com/blackhole-dns/files/update.sh
# chmod 755 update.sh
# cp /etc/namedb/named.conf /etc/namedb/named.bak

Add this to /etc/named.conf
include “/etc/namedb/spywaredomains.zones”;

I don’t use my DNS server for anything but a local caching server and my firewall doesn’t allow lookups from anywhere but my local network. If you have a different situation then your will have to worry about recursion and numerous other things in your named.conf. Here is what my named.conf looks like after the changes.

Restart or start BIND
# /etc/rc.d/named restart

Now test your nameserver
# nslookup
> server localhost
Default server: localhost
Address: ::1#53
Default server: localhost
Address: 127.0.0.1#53
> google.com
Server: localhost
Address: 127.0.0.1#53

Non-authoritative answer:
Name: google.com
Address: 72.14.207.99
Name: google.com
Address: 64.233.167.99
Name: google.com
Address: 64.233.187.99
> scenicreflections.com
Server: localhost
Address: 127.0.0.1#53

Name: scenicreflections.com
Address: 127.0.0.1
> exit

As you can see scenicreflections.com which was listed as a bad domain now resolves to 127.0.0.1.

Change the interpretor in update.sh to the correct location, which is /usr/local/bin/bash then update the options to make the script work.

admin=”youremail@address.com”
stopBind=”/etc/rc.d/named stop”
startBind=”/etc/rc.d/named start”
killBind=”/etc/rc.d/named zap”

Test to make sure that the update.sh script works
# /etc/namedb/update.sh

Finally point your Windows machines to your new DNS server, and surf away.
You should start to notice missing ads in pages.

If everything is okay add this to your /etc/crontab to update the domains everyday.
1 2 * * * root /etc/namedb/update.sh