Check out fail2ban - it's a great way of securing your system using firewall rules (to block offending IPs) when hack attempts like numerous failed ssh logins occur.
To set it up on NetBSD, install it from source - it's Python so you can just:
$ sudo python setup.py install
Then add an rc script:
#!/bin/sh
#
# PROVIDE: fail2ban
# REQUIRE: NETWORKING syslogd

. /etc/rc.subr

name="fail2ban"
rcvar=$name
command="/usr/pkg/bin/fail2ban-client"
pidfile="/var/run/${name}/${name}.pid"
extra_commands="reload"

fail2ban_start()
{
    if [ -n "${the_fail2ban_pid}" ]; then
        echo "${command} already running as pid ${the_fail2ban_pid}."
        return 1
    fi
    echo "Starting ${name}"
    ${command} start
}

fail2ban_stop()
{
    if [ -z "${the_fail2ban_pid}" ]; then
        echo "${command} not running? (check ${pidfile})."
        return 1
    fi
    echo "Stopping ${name}"
    ${command} stop
}

fail2ban_status()
{
    if [ -z "${the_fail2ban_pid}" ]; then
        echo "${command} is not running? (check ${pidfile})."
    else
        echo "${command} is running as pid ${the_fail2ban_pid}."
    fi
}

fail2ban_reload()
{
    if [ -z "${the_fail2ban_pid}" ]; then
        echo "${command} not running? (check ${pidfile})."
        return 1
    fi
    echo "Reloading fail2ban"
    ${command} reload
}

start_cmd="fail2ban_start"
stop_cmd="fail2ban_stop"
status_cmd="fail2ban_status"
reload_cmd="fail2ban_reload"

# fail2ban-client only launches the server and exits; the long-running
# server is a python process, so match the pidfile against python.
the_fail2ban_pid=`check_pidfile ${pidfile} /usr/pkg/bin/python`

load_rc_config $name
run_rc_command "$1"
(don't forget to add fail2ban=YES to your /etc/rc.conf)
And set up your jail.conf with a section like this:
[ssh-ipfilter]
enabled = true
filter = sshd
action = sendmail-whois[name=SSH, dest=youremail@email.com, sender=fail2ban@yourbox]
         ipfilter[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/authlog
maxretry = 5
(Read the fail2ban docs or the message after installation to determine where your jail.conf and other conf files are. Mine are in /etc/fail2ban/)
Then start it up like this:
$ sudo /etc/rc.d/fail2ban start
Check out all the other actions and filters too... fail2ban is not just for blocking failed ssh authentications!
I get an email whenever fail2ban is started or stopped - and also whenever it blocks a possible attacking IP. It works great!
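Before switching the jail on it is handy to see which addresses in your existing authlog would already have tripped it. The script below is an added example, not code from the post or from fail2ban: it imitates what the "sshd" filter plus "maxretry = 5" decides, assuming OpenSSH's "Failed password for ... from <ip> port ..." lines (the real fail2ban filter matches more failure patterns than this). The sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a stand-alone imitation of the
# fail2ban sshd filter + maxretry decision, for a dry run over an authlog.
# Assumes OpenSSH "Failed password for ... from <ip> port ..." lines.

MAXRETRY=5

# Read authlog lines on stdin; print "count ip" for every address with at
# least MAXRETRY failed password attempts, highest count first.
offending_ips() {
    awk -v max="$MAXRETRY" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the client address is the field right after "from"
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { fails[$(i + 1)]++; break }
            }
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' | sort -rn
}

# Constructed sample authlog excerpt (RFC 5737 documentation addresses).
SAMPLE_AUTHLOG='Jan 10 03:14:01 mybox sshd[1234]: Failed password for root from 192.0.2.10 port 50122 ssh2
Jan 10 03:14:03 mybox sshd[1234]: Failed password for root from 192.0.2.10 port 50122 ssh2
Jan 10 03:14:05 mybox sshd[1236]: Failed password for invalid user admin from 192.0.2.10 port 50130 ssh2
Jan 10 03:14:07 mybox sshd[1236]: Failed password for invalid user admin from 192.0.2.10 port 50130 ssh2
Jan 10 03:14:09 mybox sshd[1238]: Failed password for invalid user oracle from 192.0.2.10 port 50141 ssh2
Jan 10 03:15:00 mybox sshd[1240]: Failed password for brad from 198.51.100.7 port 41022 ssh2
Jan 10 03:15:04 mybox sshd[1240]: Accepted password for brad from 198.51.100.7 port 41022 ssh2'

# Dry run over the sample; against a real log: offending_ips < /var/log/authlog
dry_run() {
    printf '%s\n' "$SAMPLE_AUTHLOG" | offending_ips
}
```

On the sample, only 192.0.2.10 reaches the threshold; the one failure from 198.51.100.7 followed by a successful login is exactly the kind of typo-then-success that maxretry is there to tolerate.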
If you want to use sup and you get an error like this:
SUP: Can't find my host entry '(null)'
You need to:
Here are my notes from installation. I used these resources: NetBSD on a Mac Mini, Notes from installing on a G4 Mac Mini and the INSTALL.html from the ISO.
I will clean these up shortly (hopefully.)
Here's my configure line:
./configure --prefix=/usr/local/nginx --with-pcre=/full/path/to/pcre/src --with-http_ssl_module
I've tried fink and macports but found both of them very broken at some stages. They have quite recent ports in them though which is good... but not good enough when you look at how frequently they fell over.
It turns out the NetBSD port tree (pkgsrc) can be used on Mac OS X!
This page describes the process you need to install it.
Very nice!
My host is Mac OS X, and my guest is a NetBSD VM running on the host. This will show you how I forward X apps from guest to the host.
On Mac OS X you can install X11 from the OS install disk that came with your computer.
On Mac OS X, start /Applications/X11.app
In the xterm that was opened up on Mac:
host$ xauth list
YourBox.local/unix:0 MIT-MAGIC-COOKIE-1 dfa82d25b775957b7571f76727e51f3c
10.1.1.2:0 MIT-MAGIC-COOKIE-1 dfa82d25b775957b7571f76727e51f3c
We are interested in the one that does not have "unix" in it, i.e. the second line. Copy this line, we will be using it below. (The above is an example, yours will look different.)
guest$ grep X11Forwarding /etc/ssh/sshd_config
X11Forwarding yes
... change if it's not enabled, and remember to restart sshd.
host$ ssh -X guest
... the X flag enables X11Forwarding over this ssh connection.
guest$ export DISPLAY=10.1.1.2:0 # use the IP:Number combination that you got from xauth list
guest$ xauth add 10.1.1.2:0 MIT-MAGIC-COOKIE-1 dfa82d25b775957b7571f76727e51f3c
guest$ xlogo
... and watch it appear on your host.
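The two guest-side commands above are both derived from one line of the host's xauth list output, so they can be generated rather than copied by hand. The script below is an added example, not part of the post: it reads xauth list output, skips the local "/unix:" socket entry, and prints the matching export DISPLAY and xauth add commands, failing loudly if no TCP entry exists. The xauth output it runs on is constructed sample data shaped like the post's.

```shell
#!/bin/sh
# Added example, not from the original post: turn `xauth list` output from the
# host into the two commands the guest needs, picking the TCP display entry
# rather than the local "/unix:" socket one.

# Read `xauth list` output on stdin; print the guest-side commands for the
# first entry whose display is not a local unix socket. Returns 1 if there
# is no such entry (X11 not listening on TCP, or no cookie issued for it).
guest_x_commands() {
    awk '
        NF == 3 && $1 !~ /\/unix:/ {
            print "export DISPLAY=" $1
            print "xauth add " $1 " " $2 " " $3
            found = 1
            exit
        }
        END {
            if (!found) {
                print "no TCP display entry in xauth list output" > "/dev/stderr"
                exit 1
            }
        }
    '
}

# Constructed sample of what `xauth list` printed on the host.
SAMPLE_XAUTH_LIST='YourBox.local/unix:0  MIT-MAGIC-COOKIE-1  dfa82d25b775957b7571f76727e51f3c
10.1.1.2:0  MIT-MAGIC-COOKIE-1  dfa82d25b775957b7571f76727e51f3c'

# Dry run over the sample; on the real host: xauth list | guest_x_commands
dry_run() {
    printf '%s\n' "$SAMPLE_XAUTH_LIST" | guest_x_commands
}
```

Paste the two printed lines into the guest shell (or pipe them over ssh); the cookie is the credential that lets the guest draw on your display, so treat the output like a password rather than leaving it in a world-readable file.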
To set up mdns on NetBSD you need to:
... the package net/mDNSResponder-nss (which also installs net/mDNSResponder)
... the daemon, mdnsd
... the /etc/nsswitch.conf file - just put the text mdns on the hosts line, between files and dns
... an rc script /etc/rc.d/mdnsd - or (naughty, naughty!) just add a line to /etc/rc.local that starts the mdnsd daemon.
... and the new NetBSD VM is working. pkgsrc is the package system for NetBSD. If you are looking for mod_perl, it is in www/ap2-perl. pkgsrc has a cool feature: sysutils/open-vm-tools is their port of the VMWare tools. So you can just:
# cd /usr/pkgsrc/sysutils/open-vm-tools
# make && make install
... instead of installing the VMWare tools normally by mounting the fake CD image. NetBSD isn't officially supported by VMWare anyway, though they reckon the normal tools will work if you pretend it is a FreeBSD system and have FreeBSD emulation on.
Here is an XF86Config that I stole from somewhere (see the comments section, thanks guy.) It works great for the MacBook:
# xorg.conf to get OpenBSD 4.4-beta (2008/07/11 18:54 snapshot) to display the
# screen at 1280x800 resolution on VMware Fusion 1.1.3 on a late 2007 MacBook
# running Mac OS X 10.5.4
#
# Modified from http://blog.durables.org/wp-content/uploads/2007/03/xorgconf.txt
# Context: http://blog.durables.org/2007/03/02/vmware-fusion-beta-2-is-out/
#
# MacBook refresh rates and 1280x800 modeline from:
# http://rubenerdshow.com/blog/x11-freebsd-parallels/

Section "ServerLayout"
    Identifier  "Default Layout"
    Screen      0 "Screen0" 0 0
    InputDevice "Keyboard0" "CoreKeyboard"
EndSection

Section "InputDevice"
    Identifier  "Keyboard0"
    Driver      "kbd"
    Option      "XkbModel"  "pc105"
    Option      "XkbLayout" "us"
EndSection

Section "Monitor"
    Identifier  "vmware"
    VendorName  "VMWare, Inc"
    ModelName   "Monitor"
    HorizSync   31.5 - 100.0
    VertRefresh 59.0 - 75.0
    Modeline    "1280x800" 83.46 1280 1344 1480 1680 800 801 804 828
EndSection

Section "Device"
    Identifier  "Videocard0"
    Driver      "vmware"
EndSection

Section "Screen"
    Identifier   "Screen0"
    Device       "Videocard0"
    Monitor      "vmware"
    DefaultDepth 24
    SubSection "Display"
        Viewport 0 0
        Depth    24
        Modes    "1280x800"
    EndSubSection
EndSection
This is the blog of Brad Willis, a software engineer living in Brisbane.