
OpenBSD -stable upgrade

Tuesday, June 26th, 2018

https://unix.stackexchange.com/questions/23579/how-to-apply-updates-on-openbsd-netbsd-and-freebsd/103661#103661
http://undeadly.org/cgi?action=article&sid=20130509120042
https://stable.mtier.org/

pptp client linux: quick and dirty

Tuesday, June 26th, 2018

root@lexus:~# cat /etc/ppp/chap-secrets

# Secrets for authentication using CHAP
# client server secret IP addresses
user_name PPTP PpTpPaSs 85.233.x.x

Create connection config file /etc/ppp/peers/SLC

pty "pptp 85.233.x.x --nolaunchpppd"
name user_name
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp

Create a script /etc/ppp/ip-up.d/routes that automatically adds a route to the target host you want to reach through the VPN (172.24.10.13):

#!/bin/sh
/bin/ip route add 172.24.10.13 dev ppp0

Fire!

pppd call SLC

Disconnect:

killall pppd

rsyslog: do not collect logs from some application

Tuesday, June 26th, 2018

If the application itself has no setting for this, you can configure rsyslog not to write that application’s logs.

CentOS 6.6, rsyslog 5.8.10-10.el6_6:
Asterisk is configured to write logs to a remote syslog server (syslog02.core), but it still writes them not only there but also locally.
To prevent this, create ‘/etc/rsyslog.d/10-asterisk.conf’ with these lines:

:syslogtag, contains, "asterisk" @syslog02.core
& stop

Debian 9.4 Stretch, rsyslog 8.24.0-1:
Asterisk is not configured to write to remote syslog, but it also writes everything to the local rsyslog.
Create ‘/etc/rsyslog.d/10-asterisk.conf’:

if $programname == "asterisk" then {
stop
}

https://www.rsyslog.com/doc/v8-stable/configuration/filters.html
https://www.rsyslog.com/discarding-unwanted-messages/

Debian 9: permanent iptables rules

Tuesday, May 29th, 2018

Just an example for Debian 9.

1. Install the ‘iptables-persistent’ package. During installation, agree to have the current rules saved to /etc/iptables/rules.v4.

2. Add rules (e.g. from console):

iptables -P OUTPUT DROP
iptables -A OUTPUT -d 192.168.0.1 -j ACCEPT

3. Save rules:

netfilter-persistent save

4. Reboot and enjoy.

5. If you need to add/delete/edit rules, edit /etc/iptables/rules.v4 and then run ‘netfilter-persistent start’ to re-read the file.

SIP flood vs OpenSIPS armed with pike.so, exec.so, ipset and iptables

Wednesday, May 23rd, 2018

Preface: the PIKE module itself blocks SIP requests (it simply stops sending any replies) in case of flood. This article goes one step further: adding the flooding IP addresses to an ipset so that iptables rejects all further traffic from them to the OpenSIPS server.

1. Create an ipset whose entries are removed automatically after 120 seconds and which supports comments:

ipset create SIPFLOOD hash:ip timeout 120 comment

2. An iptables rule that drops incoming traffic whose source IP address is in the ipset just created:

iptables -A INPUT -m set --match-set SIPFLOOD src -j DROP

3. Allow the user OpenSIPS runs as (usually ‘opensips’) to execute the ‘ipset’ command without a password (add this line to /etc/sudoers using the ‘visudo’ command):

opensips ALL= NOPASSWD: /sbin/ipset

4. OpenSIPS configuration.

Part of modules section of config:

#### exec
loadmodule "exec.so"


#### antiflood module
loadmodule "pike.so"
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 10)
modparam("pike", "remove_latency", 120)

Part of the OpenSIPS script, assuming that somebody sends us too many OPTIONS requests:

if(is_method("OPTIONS")) {

    pike_check_req();
    switch($retcode) {
        case -2:    # detected once - simply drop the request
            exit;
        case -1:    # detected again - ban the IP and drop request
            exec("/usr/bin/sudo ipset -exist add SIPFLOOD $si");
            exit;
    }

    sl_send_reply("200", "OK");
    exit;
}

5. You can test all this with the ‘sipp’ tool.

This is for generating 10 requests (-r) in 2 seconds (-rp 2000) and exiting sipp after sending 10 requests (-m):

sipp 172.16.0.222 -r 10 -rp 2000 -m 10 -sf OPTIONS.xml

And this generates 70 requests (-r) in 2 seconds (-rp 2000) and exits sipp after sending 70 requests (-m):

sipp 172.16.0.222 -r 70 -rp 2000 -m 70 -sf OPTIONS.xml

The OPTIONS.xml is as follows:

UPD 2019-july-30: pike writes log messages (at least in automatic mode, but I’m sure it does in manual mode too):

Jul 30 06:59:05 ... /opensips[15531]: PIKE - BLOCKing ip 46.166.151.117, node=0x7f6dec201c08
Jul 30 06:59:05 ... /opensips[15533]: PIKE - UNBLOCKing node 0x7f6dec201b38
Jul 30 06:59:07 ... /opensips[15531]: PIKE - BLOCKing ip 46.166.151.163, node=0x7f6dec201d40

If you do not need all these messages (during a SIP flood there may be too many of them), just set the log level of the pike.so module:

modparam("pike", "pike_log_level", 3)

Then make the global log_level of your OpenSIPS less verbose (pike’s log level must be greater than the global one):

opensips-cli -x mi log_level 2

… and/or in the config file:

log_level=2

iptables: a rule with expiration

Tuesday, May 22nd, 2018

If you need an automated way of deleting an iptables rule after some time, use this:

iptables -A INPUT -s 9.8.7.6 -j DROP && { echo "iptables -D INPUT -s 9.8.7.6 -j DROP" | at now + 1 min; }

This rule will be deleted after 1 minute.

OpenBSD PF: limit incoming connections per time period

Wednesday, November 8th, 2017

In iptables there is a nice module called hashlimit.

Being in love with OpenBSD and PF, I decided to find if this wonderful firewall has the same feature.

As a minimal example, you can use this rule to allow at most 2 SSH connections per 60 seconds from one source:

pass in on $ext_if proto tcp from any to any port 22 keep state (max-src-conn-rate 2/60)

Note that you have to use parentheses, even using just one option (max-src-conn-rate), otherwise you’ll get an error while parsing the ruleset.
Keep in mind that one of keep state, modulate state, or synproxy state must be specified explicitly to apply this option to a rule.

For more information read the documentation for pf.conf syntax.

OpenBSD: lack of RAM, reordering libraries at boot time and pkg_add errors

Saturday, October 28th, 2017

A freshly installed (in VirtualBox) OpenBSD 6.2 spent far too long during boot on the ‘reordering libraries’ step: several minutes, not less.
I haven’t seen such behavior in prior releases.

As usual, thanks to guys from daemonforums.org.
And here are some explanations from Theo de Raadt: https://marc.info/?l=openbsd-tech&m=146159002802803&w=2.

But the problem was a lack of free memory: the VM had only 64 MB (VirtualBox’s default setting for OpenBSD), and that was not enough.

After adding more memory the boot process became quicker.

pkg_add(1) and pkg_info(1) didn’t work properly either, until I added extra memory to the configuration.

Lighttpd: mod_access

Thursday, October 12th, 2017

I faced a problem where I needed to allow access to a certain URL (x.x.x.x/zabbix/) for 2 fixed IP addresses and one /16 subnet, and deny it to everybody else.

The old examples from the official documentation did not work as well as I wanted (https://redmine.lighttpd.net/boards/2/topics/1279),
but the users helped me in the same topic.

This is how it’s done:

$HTTP["url"] =~ "^/zabbix/" {
    $HTTP["remoteip"] == "55.222.0.0/16" {
    }
    else $HTTP["remoteip"] == "11.22.33.44" {
    }
    else $HTTP["remoteip"] == "55.66.77.88" {
    }
    else $HTTP["remoteip"] != "" {  # (dummy match everything)
        url.access-deny = ( "" )
    }
}

Now anybody accessing /zabbix/ will get a 403 error, except 11.22.33.44, 55.66.77.88 and 55.222.0.0/16.

OpenSIPS battle: REGISTER requests vs permissions module

Thursday, October 12th, 2017

UPDATE: this post restricts access based on source IP address. A new article shows how to restrict access (registrations) based on username.

Situation: you have to check the source address of REGISTER messages arriving at your OpenSIPS server and decide whether to allow or deny them.

Use permissions module for this.

You can use it in two variants:

1. with OpenSIPS’ text config files register.allow and register.deny (similar to Unix hosts.allow and hosts.deny).
In this case you use the module’s function ‘allow_register’.

Example of blocking REGISTERs from 10.145.13.49 IP address:

register.deny file:

ALL : "^sip:.*10\.145\.13\.49"
ALL : "^sip:.*0*10\.145\.0*13\.0*49"   # this is to prevent bypassing
                                       # by the insertion of one or more '0' in the IP address

register.allow file is empty (allow everything except those in .deny file).

OpenSIPS script snippet:

	if ( is_method("REGISTER") ) {
		if (allow_register("register")) {
			save("location");
			exit;
		} else {
			sl_send_reply("403", "Forbidden registration from your IP v2");
			exit;
		}
	}

But this method has one big disadvantage: you need to restart OpenSIPS each time you edit register.allow/register.deny.
The OpenSIPS ‘permissions’ module has an MI function ‘address_reload’, but it reloads the table (see below), not the allow/deny files.
So it’s much cooler to use the second variant, read on!

2. with the DB table ‘address’.
In this case you use the module’s function ‘check_address’.

– register.allow and register.deny files are empty.
– add entries to the ‘address’ table. In our case we use dbtext instead of a real SQL DB, so this is how the ‘/etc/opensips/dbtext/address’ file looks:

voip-pbx-sbc ~ # cat /etc/opensips/dbtext/address 
id(int,auto) grp(int) ip(string) mask(int) port(int) proto(string) pattern(string,null) context_info(string,null)
1:0:10.84.2.0:24:0:any
2:0:10.145.13.5:32:0:any
3:0:10.145.13.49:32:0:any
4:0:10.145.14.0:24:0:any

WARNING: every time you add a new table, do not forget to add its version to the ‘version’ table as well:

voip-pbx-sbc ~ # cat /etc/opensips/dbtext/version 
table_name(string) table_version(int) 
dispatcher:8
load_balancer:2
address:5

At first I hadn’t done this, so OpenSIPS could not start and I got this message in the system log:

ERROR:core:db_check_table_version: invalid version 0 for table address found, expected 5

So, the script snippet with the ‘check_address’ function:

	if ( is_method("REGISTER") ) {

		if(check_address("0","$si","0","any")) {
			save("location");
			exit;
		} else {
			sl_send_reply("403", "Forbidden registration from your IP v2");
			exit;
		}

	}

And here’s the magic! You can add IP addresses or subnets to your DB or dbtext file and then run the MI command ‘address_reload’ without restarting your heavily loaded OpenSIPS.

Now the policy is “if address is in the table – allow it, otherwise block”. Look at the images below.

IP is not in the table – REGISTER is forbidden:

IP has been added to dbtext table and table reloaded – registrations passed successfully:

You can also inspect the table’s contents with the MI commands ‘opensipsctl fifo address_dump’ and ‘opensipsctl fifo subnet_dump’.
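To make the second variant concrete, here is an added Python example (not OpenSIPS code and not from the original post) that parses the two dbtext files shown above, performs the same table-version check that produced the ERROR message, and emulates check_address(grp, ip, port, proto) over the rows. The wildcard handling of port 0 and proto "any" is my assumption about the module's behaviour.

```python
import ipaddress

# Constructed copies of the two dbtext files shown in the post.
ADDRESS_DBTEXT = """\
id(int,auto) grp(int) ip(string) mask(int) port(int) proto(string) pattern(string,null) context_info(string,null)
1:0:10.84.2.0:24:0:any
2:0:10.145.13.5:32:0:any
3:0:10.145.13.49:32:0:any
4:0:10.145.14.0:24:0:any
"""
VERSION_DBTEXT = """\
table_name(string) table_version(int)
dispatcher:8
load_balancer:2
address:5
"""


def parse_dbtext(text):
    """Parse a dbtext table: header of 'name(type[,flags])' columns, rows ':'-separated."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    columns = [col.split("(")[0] for col in lines[0].split()]
    rows = []
    for line in lines[1:]:
        values = line.split(":")
        values += [None] * (len(columns) - len(values))  # omitted trailing columns are NULL
        rows.append(dict(zip(columns, values)))
    return rows


def table_version_ok(version_text, table, expected):
    """The check core:db_check_table_version performs: a table missing from 'version' reads as 0."""
    versions = {r["table_name"]: int(r["table_version"]) for r in parse_dbtext(version_text)}
    return versions.get(table, 0) == expected


def check_address(rows, grp, src_ip, port, proto):
    """Emulate check_address(grp, ip, port, proto) against the parsed 'address' rows.
    Assumption (ours, not from the post): port 0 and proto 'any' act as wildcards on both sides."""
    ip = ipaddress.ip_address(src_ip)
    for r in rows:
        net = ipaddress.ip_network(f"{r['ip']}/{r['mask']}", strict=False)
        port_ok = port == 0 or int(r["port"]) in (0, port)
        proto_ok = proto == "any" or r["proto"] in ("any", proto)
        if int(r["grp"]) == grp and ip in net and port_ok and proto_ok:
            return True
    return False  # not in the table: the script answers 403
```

A source inside 10.84.2.0/24 is allowed while 10.145.13.50 (one past the /32 entry) is refused, which is exactly the "in the table: allow, otherwise block" policy described above.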

UPD: OpenSIPS core developer’s answer to my question http://lists.opensips.org/pipermail/users/2017-October/038169.html .