Archive for January, 2010

freebsd Compile kernel and enable pf

Posted: January 30, 2010 in Freebsd

How to compile a kernel on FreeBSD the simple way and enable pf in the kernel.

# cd /usr/src/sys/i386/conf

# cp GENERIC MYBSD

# pico MYBSD

Edit the file and add these lines at the end

for pf:

———————————————————————

device          pf
device          pflog
device          pfsync

———————————————————————

# config MYBSD

# cd ../compile/MYBSD

# make cleandepend && make depend

# make && make install

Before you reboot into the new kernel, put this in rc.conf:

firewall_enable="YES"

firewall_type="OPEN"

I have tested and am running Nuxeo for pkink data management

and I get this error:

GadgetException: Unable to retrieve gadget xml. HTTP error 504

This is the solution:

locate the file opensocial.properties

or you will find it here

/opt/nuxeo-jboss/server/default/deploy/nuxeo.ear/config/opensocial.properties

Change all localhost to your IP:

lmshindig.deploy.host=localhost / change to xxx.xxx.xxx.xxx

lmgadgets.deploy.host=localhost / change to xxx.xxx.xxx.xxx

gadgets.host=localhost / change to xxx.xxx.xxx.xxx

Tips and tricks for Nuxeo!!

Minimal install freebsd

Posted: January 12, 2010 in Freebsd

This how-to for installing FreeBSD 7.X is complete:

http://lonurhazve.wordpress.com/2009/10/15/minimal-installation-configuration-freebsd-7-2/

thanks!!

How to hide the full Apache banner, which exposes your server OS and Apache version.

Use this:

rania:/etc/apache2# pico apache2.conf

change

ServerTokens Full

to

ServerTokens Prod

/etc/init.d/apache2 restart

Test your server using these URLs:

Web server detection

http://www.dotcomunderground.com/web-tools/web-server/

http-header

http://www.dotcomunderground.com/web-tools/http-header/
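The same check can be done locally instead of through a third-party site. This is an added example, not part of the original post: it reads response headers on stdin and names the ServerTokens level the Server header reveals. The function name server_tokens_level and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify the Server header of an
# HTTP response by the ServerTokens level it reveals.
# Feed it response headers on stdin, e.g.:
#   curl -sI http://your-server/ | server_tokens_level
# server_tokens_level is a hypothetical helper name.

server_tokens_level() {
    # Take the first Server header (header names are case-insensitive) and
    # drop the CR that ends each HTTP header line.
    value=$(tr -d '\r' | awk 'tolower($0) ~ /^server:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }')

    case "$value" in
        "")                      echo "none"  ;;  # header absent or empty
        "Apache")                echo "Prod"  ;;  # product name only
        "Apache/"*" ("*") "*)    echo "Full"  ;;  # version, OS and modules
        "Apache/"*" ("*")")      echo "OS"    ;;  # version and OS
        "Apache/"*.*.*)          echo "Min"   ;;  # full version number
        "Apache/"*.*)            echo "Minor" ;;  # major.minor
        "Apache/"*)              echo "Major" ;;  # major version only
        *)                       echo "other" ;;  # not an Apache banner
    esac
}

# Constructed sample responses: before and after the ServerTokens change.
sample_full() {
    printf 'HTTP/1.1 200 OK\r\nDate: Sat, 09 Jan 2010 10:00:00 GMT\r\n'
    printf 'Server: Apache/2.2.9 (Debian) PHP/5.2.6 with Suhosin-Patch\r\n\r\n'
}
sample_prod() {
    printf 'HTTP/1.1 200 OK\r\nserver: Apache\r\n\r\n'
}

echo "before: $(sample_full | server_tokens_level)"
echo "after:  $(sample_prod | server_tokens_level)"
```

With ServerTokens Full and no extra modules announcing themselves, the banner is identical to the OS level, so a result of "OS" still means the setting needs changing.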

SSHFS on Windows

Posted: January 7, 2010 in archlinux, Debian, Freebsd, My live, Slackware

Haha, lots of people now claim to use Linux (Ubuntu) but cannot leave Windows behind.

Any work still has to be done on Windows, haha: it is supposedly not secure, yet to type anything they need Word… ;p

Here is how to use SSHFS on Windows.

It turns out this is easy on Windows.

Just download from here, then install:

dokan sshfs

dokan library

Download those two files, install them and use them…

How do you access files remotely if FTP is not open?

Besides WinSCP, or scp on Linux, what can we use that is secure and easy?

SSHFS: Super Easy File Access over SSH

is the answer to all these questions.

Install sshfs to access remote files on Linux and edit them the way you would edit files on a Windows / Linux partition.

Install sshfs on Debian / Ubuntu:

aptitude install sshfs

####### Red Hat / CentOS or Fedora

yum install fuse-sshfs

(don't forget to install the fuse utilities)

aptitude install fuse-utils

Add the user that will use fuse:

adduser casper fuse

####### Red Hat / CentOS or Fedora

usermod -a -G fuse casper

After that you can create a folder for this ghost casper to enter / remote into the server.

mkdir -p /web/casper

chown casper:casper /web/casper

To mount this folder on Linux, for anyone using Ubuntu (just because Ubuntu is popular now, hehe, lots of people claim to use Linux ;p)

or any other Linux distro:

sshfs username@domainname/ip:folder /web/casper

Example:

sshfs casper@123.123.123.123:d /web/casper

or

sshfs casper@345.345.345.345:

It will ask for the password:

casper@123.123.123.123’s password : **********

Then list the folder:

ls -l /web/casper

########### sshfs without password ####################

This is not recommended for remote servers; use it on LAN servers only.

ssh-keygen -t rsa

Press Enter for all questions,

then copy id_rsa.pub to the .ssh subfolder of your home folder:

mv id_rsa.pub /home/casper/.ssh/

cat id_rsa.pub >> authorized_keys

chmod 600 authorized_keys

Then put this line in your fstab:

sshfs#casper@123.123.123.123:/folder/ /web/casper fuse defaults 0 0

Example: sshfs#casper@1.2.3.4:/d/ /web/casper fuse defaults 0 0

To unmount this folder:

fusermount -u /mountpoint/

History of Unix/Linux.

Unix was developed by, and is copyrighted to, AT&T Bell Laboratories.

http://www.bell-labs.com/

In 1969 Ken Thompson, a member of the Bell Laboratories development team, rewrote “SPACE TRAVEL” from the GE-645 machine to the DEC PDP-11/20 machine. Thus Unix was born.

1970. Bell was willing to provide a small contribution if a word-processing application was also developed.

1973. Unix was rewritten in the C language. It also began to be given to universities, and to companies and governments for a minimal fee.

1974. The 4th edition of Unix, marking its acceptance at Bell Labs.

1975. Thompson brought the 6th edition of Unix to UC Berkeley. Thus BSD, the Berkeley Software Distribution, was born.

http://www.bsd.org/

1978. More than 600 machines were running Unix, most of them at Bell Labs and universities.

1980. Microsoft released XENIX, a Unix built for microcomputers (desktop computers).

1982. Unix System III was released.

1983. Unix System V Release 1.

1985. Release 2.

1987. Release 3. In Release 3.2, XENIX was merged in.

1990. Release 4.

The full history is here:

http://www.bell-labs.com/history/unix/

Unix has many variants developed by various computer companies, among them AIX by IBM, HPUX by HP and Sun Solaris by Sun.

This variety of Unix flavours caused many problems for users. However, with the existence of POSIX this could be overcome by developing applications for Unix so that they can be used on many kinds of Unix.

http://www.ieee.org/ (use the search to find POSIX)

Also interesting:

http://standards.ieee.org/announcements/opengroup.html

Applications are developed according to the defined standard. Users only need to “compile” again the application they obtain.

5 October 1991

Linux, for its part, began as a university project by Linus Torvalds that aimed to improve another OS, MINIX. Linus was responsible for the Linux kernel and later invited several friends on the Internet to develop Linux together.

http://www.linux.org/ or http://www.linux.com/

Because Linux follows the POSIX standard for Unix, many applications from Unix could be brought over to Linux. These applications helped Linux grow further, and because it was designed and developed for the PC and INTEL chips, it grew quickly along with the growth of the PC.

With the help of engineers from various Unix developers, secretly or not, they contributed “drivers” for a wide range of computer hardware.

In the early days of development they had to “hack” this hardware because it was difficult for them to get cooperation from the hardware manufacturers.

Unix and Linux are two different operating systems. What makes them alike is the POSIX standard that Linux follows.

Some say Linux is a Unix clone. Even so, its many similarities to Unix have led to it being accepted as part of the Unix family.

Conclusion. The ancestor of Unix is Unix System V; the second major branch of the family is BSD (from which FreeBSD, NetBSD and OpenBSD were born).

Even so, we can see that a variety of Unix methods and applications have been taken from these two families in the Unixes that exist today, such as AIX, HPUX and Sun Solaris.

Visit this site to see the many Unix variants:

http://www.ugu.com/

Linux is actually only the kernel of the Linux OS. The kernel is the engine of an OS. (Haris will explain after this chapter.) Linux has many distributors, or Distributions, or Distros. The only thing the Distros have in common is the Linux kernel (possibly differing in patches). Each company decides for itself which methods and applications are bundled with the Linux kernel. Thus were born the Redhat, Mandrake, Debian and Slackware distros and many more, which can make those new to Linux dizzy.

Don't be confused. A distro is a distro. You will still get the same “command line” and the same X.

You can think of it like this: it is like a Proton car to which each dealer adds various accessories to make it more attractive and more expensive. In reality it is still a Proton car: a 1.3 cc engine with a 5-speed gearbox.

X, for its part, is the engine of the Unix and Linux GUI. X was developed in the same era as Unix. As with the concept of the Linux kernel, the X server is like the kernel of the Unix/Linux GUI.

The Window Manager, in turn, is what we see on the computer “screen”. KDE, Gnome and Sawmill are examples of Window Managers.

http://www.x.org/

http://www.xfree.org/

CREDIT TO hizb@hizbi.net

Freebsd Color In .cshrc

Posted: January 4, 2010 in Freebsd

Color your life using .cshrc on FreeBSD

bsd# pico .cshrc

alias ls ls -G
alias la ls -aG
alias lf ls -FAG
alias ll ls -lAG
bsd# exit
then su - again
and you will see color ;p

FreeBSD firewall using PF

Posted: January 2, 2010 in Freebsd

By Click Death Squad

Step 1: Ensure your firewall script will start when the server boots.

The first step to setting up your firewall is to ensure that PF starts when your box boots up. Edit your rc.conf file to set this up.
sudo nano /etc/rc.conf ### edit the boot time configuration file.

pf_enable="YES" ### turn PF on when the computer boots.
pf_rules="/etc/pf.conf" ### define the rules for the firewall.
pf_flags="" ### additional flags (none).
pflog_enable="YES" ### turn on packet logging support.
pflog_logfile="/var/log/pflog" ### where to log data to, used with pflogd daemon.
pflog_flags="" ### additional flags (none).

Step 2: Edit the PF configuration file.
Now edit your PF config file and setup some rules that will protect your home network. Utilized in the provided example are various options that can be set to prevent your box from being passively OS fingerprinted, subject to DDoS attacks and spoofing. Here is a configuration that you may wish to use.

sudo nano /etc/pf.conf ### edit the PF configuration file.

######################################
# Click Death Squad’s PF Ruleset
# iztehsux@gmail.com
# optimized for paranoia and freebsd
# revision 1.3
######################################

### macro name for external interface.
ext_if = "sis0"

### options must come before normalization and filter rules. skip the local
### loopback interface entirely, to prevent services utilizing the local
### loop from being blocked accidentally.
set skip on lo0

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble

### set a default deny everything policy.
block all

### exercise antispoofing on the external interface.
antispoof for $ext_if inet

### block anything coming from sources that we have no back routes for.
block in from no-route to any

### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN  – Finish; end of session
### * S : SYN  – Synchronize; indicates request to start session
### * R : RST  – Reset; drop a connection
### * P : PUSH – Push; packet is sent immediately
### * A : ACK  – Acknowledgement
### * U : URG  – Urgent
### * E : ECE  – Explicit Congestion Notification Echo
### * W : CWR  – Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don’t randomize this number, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### normally, a client connects to the server and we handshake with them, then
### proceed to exchange data. by telling pf to handshake proxy between the client
### and our server, tcp syn flood attacks from ddos become ineffective because
### a spoofed client cannot complete a handshake.

### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

### setup a table and ruleset that prevents excessive abuse by hosts
### that attempt to brute force the ssh daemon with repeated requests.
### any host that hammers more than 3 connections in 5 seconds gets
### all their packet states killed and dropped into a blackhole table.
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)


Step 3: Start the PF service immediately to have the firewall take effect.
Once your rules have been saved and you have enabled PF to run at boot time, it might be advisable to start PF up with the ruleset you created right away. This isn’t difficult to do, just utilize the rc.d script and fire it up. You will also want to enable the PF logging daemon as well.

sudo /etc/rc.d/pf start ### start PF.
sudo /etc/rc.d/pflog start ### start the PF logging daemon.


Step 4: Double check your rules and view the firewall stats.
PF is running, and your rules have been defined. It would be wise to use “pfctl” the control program, to manually reload your ruleset and check to verify that all the rules are being applied correctly. Use pfctl to reload the rules, and then check your current status.
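The commands for this step, as an added example that is not part of the original post: the ruleset is parsed with pfctl -n first and loaded only if that check passes, then the active rules, the status counters and the ssh_abuse table are printed. The helper name pf_safe_reload is hypothetical, and the script assumes it runs as root on the FreeBSD host.

```shell
#!/bin/sh
# Added example: check, reload and inspect the PF ruleset from Step 2.
# Assumes root on the FreeBSD host. pf_safe_reload is a hypothetical helper
# name; the pfctl flags are the stock ones.

pf_safe_reload() {
    conf="${1:-/etc/pf.conf}"

    # -n parses the file without loading it. A ruleset with a syntax error
    # is rejected here, so the rules already running stay in place.
    if ! pfctl -n -f "$conf"; then
        echo "pf: $conf failed the syntax check, ruleset NOT reloaded" >&2
        return 1
    fi

    # Load the ruleset that just passed the check.
    pfctl -f "$conf" || return 2

    # Confirm what is now active.
    pfctl -s rules                 # filter rules as PF parsed them
    pfctl -s info                  # status, state table and counters
    pfctl -t ssh_abuse -T show     # hosts currently in the overload table
}

# Run only when invoked as: sh pf-reload.sh run [/path/to/pf.conf]
if [ "${1:-}" = "run" ]; then
    pf_safe_reload "${2:-/etc/pf.conf}"
fi
```

Checking with -n before -f matters most on a remote box, where loading a broken ruleset over SSH can cut off the session used to fix it.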

The rules are in place, and your PF firewall should be actively tracking state connections and dealing with brute force attacks as needed. PF is a very powerful piece of software and offers limitless possibilities for configuring your network setup. For more information regarding PF, you should check out the FAQ on OpenBSD’s website. Happy safe server hosting to you, and remember to always check your logfiles.