ZeroBSD

Simple password generator

Mon, 22 Apr 2013 11:35:00 +0300

While reevaluating my security practices, I came up with the conclusion that my password system is a mess. For obvious reasons, I won’t talk about it much, but I realized that having a handy password generator will be a good idea. While searching a few minutes for hints and solutions, I came up with two methods that works out-of-the box on a OpenBSD machine, without needing any extra package to be installed than the default base system.

Here’s the first one:

dd if=/dev/urandom count=200 bs=1 2>/dev/null|tr “\n” ” “|sed ‘s/[^a-zA-Z0-9]//g’|cut -c-16

It’s a little cryptic for a newbie (due to sed), but what you have to remember is that it generates passwords with a length of 16 characters and modifying the last argument will modify your password length. It’s based on /dev/urandom device, so it should be safe enough.

The second method uses OpenSSL:

openssl rand -base64 16

Careful, sometimes the last two characters would always be “==”. if you use this command, but you can get rid of this by adjusting the length of it.

Now, you can use any of this commands to have a pretty secure password. But to increase the randomness of it, I use a bash script that generates a two strings, one with each method, and I’ve placed a special character between them (it can be “@”, “#”, “$”, “%”, anything you like).

Here’s my script:

part1=`openssl rand -base64 6`
part2=`dd if=/dev/urandom count=200 bs=1 2>/dev/null|tr “\n” ” “|sed ‘s/[^a-zA-Z0-9]//g’|cut -c-9`
echo $part1%$part2

You can easily tweak the length of the each two strings and the special character between them. The example from above gives you a 16 (6+1+9) characters password, with the “%” characters between the two strings.

The value of good documentation

Mon, 25 Mar 2013 09:53:00 +0200

One of the strengths of OpenBSD is its documentation. I’m really glad that developers really takes it seriously, since a good manual page can save you a lot of time and troubles. Here’s an example: I was trying to sort out a text file and remove duplicates. The file was above 200 MB. My first approach was the following:

cat list.txt | sort | uniq > list_m.txt

But after a few seconds, I received the following error:

sort: /var/tmp/sort.G2bEcvsPlX: Too many open files

Let’s break is down:

$ sort -o list_s.txt list.txt

Same error. So it’s related to sort, not to cat or uniq. First impluse: search if other had the same error. No relevant answers in the first minutes. Should I ask this on a forum? Maybe on the mailing list? That was my second impulse. But wait, let’s read the manual for sort. Tried with the following arguments:

$ sort -o list_s.txt list.txt

Same error.

Ok, let’s keep reading. The last paragraph reads:

BUGS

To sort files larger than 60Mb, use sort -H;
files larger than 704Mb must be sorted in smaller pieces, then merged.

There I have it! Good documentation doesn’t just provide a quick fix for a problem but in the same time reduces pollution and cacophony on forums and mailing lists. And it feels good finding out the answer all by yourself.

Setting your dpi

Wed, 20 Mar 2013 08:40:00 +0200

For a pleasant desktop experience, it’s generally a good idea to have your X server run with 96 dpi (dots per inch). Other values might work as well, but I found this to be the perfect choice for my machine. Usually, the system would set this dpi value correctly, but if it doesn’t or if you want to make sure it will not miss, look at your /etc/X11/xdm/Xservers file and find the line that looks something like this:

:0 local /usr/X11R6/bin/X :0 vt05

Modify it, to look like this (basically just insert the ‘-dpi 96’ switch, as shown):

:0 local /usr/X11R6/bin/X -dpi 96 :0 vt05

Restart your X server. Now you’ll surely have a desktop manager with 96 dpi resolution. Nice, isn’t it?

Permalinks and .htaccess

Wed, 23 Jan 2013 13:22:20 +0200

If you host a Wordpress blog, like I do, you may want to enable those pretty permalinks. Wordpress documentation will tell you what kin of .htaccess file you need in your base folder (meaning the same fodler where your index.php is located for your Wordpress webiste). That’s helpful, but you still need to do a few tricks to have it running on OpneBSD, if you don’t want to end up seeing 404 Errors all the time.

First of all, check if mod_rewrite is enabled for your httpd, by making sure that you have uncommented the following line from your /var/www/config/httpd.conf file:

LoadModule rewrite_module /usr/lib/apache/modules/mod_rewrite.so

Now you need to tell httpd to let you use .htaccess files on your webiste folder. You can do this by searching for this block:

AllowOverride None

and change it to

AllowOverride All

Make sure you are within <Directory “/var/www/htdocs”> directive when you do this.

Now restart (or reload) your httpd. Change your permalinks settings from Wordpress and see the results.

Enabling softupdates

Sun, 28 Oct 2012 21:15:00 +0200

This may be quite trivial and it can be found also in the FAQ with a simple Google search, but I’ve somehow missed it until now. Enabling softupdates can really boost your desktop performance. It’s not something I can measure and prove it, but the general feeling is that Xfce feels faster and this time it’s usable and not that laggy. There’s room for speed improvements still, especially in the video card department, but I’m happy with how the things are for the time being.

Enabling softupdates is very simple, just edit /etc/fstab, by adding the softdep keyword, as in the following example:

fec2653dbd41594a.a / ffs rw,softdep 1 1

This is an example from an /etc/fstab file with UUID, but it’s trivial for the other, older type:

/dev/sda0a / /ffs rw,softdep 1 1

Next time you reboot, you’ll enjoy the performance improvements it brings.

Empty tar.bz2 file (follow-up)

Tue, 04 Sep 2012 10:54:41 +0300

Remember this problem I had? Well, thanks to Andrei Mureșan, it’s fixed now. Apparently, cron has no idea of environmental variables when running the backup script, so I had to add the following line at the begining of my script:

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.

Works like a charm now. For future reference, he’s the full, corrected and working backup script:

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
NOWD=$(date +”%F”)
NOWT=$(date +”%T”)
/usr/local/bin/mysqldump -u root -password \
dbname > /root/databases/db.sql
/bin/tar cvfj /home/john/backup/backup-$NOWD-$NOWT.tar.bz2 \
/var/log /var/www /etc /root/databases
/bin/rm /root/databases/db.sql

Smart IP filter with pf

Sat, 30 Jun 2012 13:14:05 +0300

Not long ago I’ve talked about two ways of making a good IP filter with pf. The first methods involved a pf table created after failed ssh attempts, but the table was not persistent after reboot, and the second method had a static text file from where pf could load unwanted IP for filtering. Let’s merge the two methods.

Let’s say that we already have a text file, manually created, with a selection of unwanted IPs, called /etc/pf.blocked.ip.conf and you also want to filter the ones that keep knowcking on your ssh door. You’ll have to have this in your /etc/pf.conf:

# static text file
table <blockedips> persist file “/etc/pf.blocked.ip.conf”
block in on bnx0 from <blockedips> to any

# not persistent pf table
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp from any to any port \
ssh flags S/SA keep state (max-src-conn 5, \
max-src-conn-rate 5/30, overload <bruteforce> flush global)

Now we would like to dump the bruteforce table into the /etc/blocked.ip.conf file, to have a record of our unwated IPs. A simple dump command is this one:

# pfctl -t bruteforce -T show

but this creates unwanted spaces that must be eliminated. We’ll use sed for this:

# pfctl -t bruteforce -T show | sed ‘s/ //g’

Now the space is gone and we have a properly formatted list of blacklisted IPs. We cannot dumped it right into /etc/blocked.ip.conf, because there might be the same IPs on different lines and we don’t want to have a bloated file loaded by pf. Let’s crate a temporary file with both the content of the bruteforce table and /etc/blocked.ip.conf:

# pfctl -t bruteforce -T show | sed ‘s/ //g’ » /tmp/ip.conf
# cat /etc/blocked.ip.conf » /tmp/ip.conf

Not we have to eliminate the IPs that are found more than one time in that list. We can do this with uniq, but for this, our list have to be ordered with sort.

sort /tmp/ip.conf | uniq » /tmp/ip.final.conf

The file /tmp/ip.final.conf contains now a list with unique blacklisted IP form both out manual /etc/blocked.ip.conf and from what the system catched automatically. If an IP was found on both lists, at the end it will be present in our filter only once. So, after moving along some files and cleaning, we can have a nice procedure for pf IP filtering.

rm /etc/blocked.ip.conf
cp /tmp/ip.final.conf /etc/blocked.ip.conf
rm /tmp/ip.conf
rm /tmp/ip.final.conf

We can make a shell script out of these commands and have cron run it once a day for a manual and automatic, persistent pf IP filter.

Powering down your OpenBSD

Sat, 30 Jun 2012 11:40:00 +0300

After running halt command, the system shuts down nicely, but one thing bugged ever since I’ve first played with OpenBSD: the system did not powered down without pressing the power button. I can live with that, but it’s rather frustrating and I thought that’s probably because OpenBSD doesn’t love my motherboard, though every modern operating systems knows how to power down my system without having me pressing the button (since my hardware is not the most recent one, it has around six years already).

After a quick online search, the solution for my problem revealed itself: it wasn’t a driver problem, it was just a script, /etc/rc.shutdown with a lonely line in it that reads:

powerdown=NO # set to YES for powerdown

So, I obviously modified that into:

powerdown=YES # set to YES for powerdown

and voilà, my system now is powering down nicely.

And if you want to be able to restart or halt your system as normal user, without sudo, just add your user to operator group:

$ sudo user mod -G operator john

Making things pretty

Fri, 29 Jun 2012 18:10:28 +0300

As part of my OpenBSD workstation project, making things pretty is a vital task. I can’t work in an ugly environment, so things have to be simple, functional and more important, coherent.

One of the first things I do on a fresh OpenBSD system intended for desktop use is to install msttcorefonts pack. Probably due to license reasons, you can only install this from ports, so if you don’t have ports yet, just follow the FAQ and do this:

$ cd /tmp
$ ftp ftp://ftp.openbsd.org/pub/OpenBSD/5.1/ports.tar.gz
$ cd /usr
$ sudo tar xzf /tmp/ports.tar.gz

Now that we have the ports installed, do this:

# cd /usr/ports/fonts/msttcorefonts
# make install

It’s all on the FAQ, just pointing it out.

Now, for one reason or another, you may need some GTK3 application. I use Xfce and I’m actually pretty satisfied with it, but I also need gedit for reasons mentioned in another post. While gedit is a GTK3, if you don’t choose the right theme, it may fallback to an ugly GTK variant which looks weird. So while your daily GTK2 theme look nice (Firefox, gFTP, XChat), the gedit will be different. There’s nothing I hate most than inconsistency. You need to find themes with support for both GTK2 and GTK3 versions to have theme consistency. A good starting point is gnome-looks.com website, from where you can download them and put them in your ~/.themes folder. If you don’t have it, create it and copy theme’s folders, after you’ve extracted them from the archive. The form the Xfce menu, Setting, Appearance and you can have a look on your new themes.

These packages might be useful, before starting theme hunt:

# pkg_add -vi gtk-engines2
# pkg_add -vi gtk2-murrine-engine

I’ve settled for Clearwaita from the Clearlooks-Phenix package, it looks simple, clean and fresh on both GTK2 and GTK3 applications (I love the old Clearlooks for GTK2 back in the days).

Credit for this posts goes to Igneous, from Freenode’s #openbsd.

LaTeX in BSD

Fri, 29 Jun 2012 13:42:00 +0300

I was surprised to see that a TeX Live meta-package is missing for FreeBSD, but there is one for OpenBSD. And it also installs nicely as a dependency for gedit-latex, a plugin for gedit that is probably the best LaTeX editor I could find in GTK.

The magic of gedit-latex plugin is that it adds cite-autocompletion and it’s beyond me why this feature is not available in every other LaTeX editor, considering what an excruciating pain dealing with biography is and how much a simple feature like this can help. I think there is only one more editor with cite-autocompletion, namely TexStudio, but it won’t compile on OpenBSD nor FreeBSD and it’s Qt4 and too bloated for my taste. Also, gedit is a nice, clean, simple design application that integrates well in my Xfce’s GTK medium.

FreeBSD 9 has binaries of Gnome 2 while OpenBSD 5.1 got Gnome 3 already. Hence, the ugliness of gedit in OpenBSD, but some theme tweaking I guess could make it better, that’s the only annoyance of my current setup. gedit 2 looked way better in FreeBSD’s Xfce with GTK2 themes, but I’ll dig for some beauty tips in the following days. The gedit 3 is the way to go anyway, no reason to look back.

Although installing TeX Live from official ports in FreeBSD is not possible, there is an alternate solution but I find it convoluted and I prefer the OpenBSD way: installing it from packages. Just type:

pkg_add -vi gedit-latex

and the rest will follow automatically, the system will fetch and install texlive_texmf-minimal package with all the necessary dependencies and you’ll have a nice TeX environment on your OpenBSD 5.1 machine. Sweet. It took me a while to find out about this, as I thought there are no binary packages for TeX Live (don’t ask why I didn’t just look into the ports directory), so I compile it from ports not a few day ago.

gedit-latex package texlive_texmf-minimal and this could be enough for some tasks, but trying to compile my .tex files spilled out a lot of errors concerning special characters like ăîșțâ, so I knew that I needed ut8x and ucs package, which wasn’t in the installed Tex Live distribution. To fix this, we can install the following:

pkg_add -vi texlive_texmf-full

Now we’ll have utf8x, ucs (I know it’s not recommended to use ucs, but it’s the only way to type spcial characters directly in editor and not having to wrapt my fingers for LaTeX codes in each and every word) and mchem package for easily typing chemical symbols.

There are others editors besides gedit-latex that have syntax highlighting for LaTex, but they are either ugly, bloated, Qt4 and old (kile, texmaker, texmakerx) or just ugly (gummi). None of them, with the exception of TeXStudio, a newer one that won’t compile on BSD just yet, won’t have cite-autocompletion which for me is a must. So I guess I’ll stick with gedit-latex for a while, it seems to work just fine for my needs, although it uses to crash a lot.

/usr disk space problem

Mon, 25 Jun 2012 12:13:00 +0300

I use the proposed auto-layout of my OpenBSD disk that is suggested during install. The problem is that, while /home partition is generous enough, /usr might be to small for some operations. For example, on a 20 GB hard-disk drive, the OpenBSD installer thinks that 2 GB is enough for /usr. Well, probably it is for some stuff, but when trying to compile TexLive from ports I’ve noticed that those 2 GB gets filled up near the end, making impossible to complete install the needed packages. The probem can be overcome simply and the process is described in OpenBSD FAQ, section 15.3.3. All we have to do to ease the stress on the /usr partition is to move the package handling operations to a partition with plenty of space, say /home. So edit your /etc/mk.conf like I did (if the file doesn’t exist, create it and add the following lines):

WRKOBJDIR=/home/john/ports/obj/ports
DISTDIR=/home/john/ports/distfiles
PACKAGE_REPOSITORY=/home/john/ports/packages

Don’t worry if you don’t have the /home/<user>/ports directory, the scripts will create it for you.

That’s it, now TexLive compiled and installed gently. The process took a few hours on my Intel Core2 Duo E6300.

Installing Xfce 4.8 on OpenBSD 5.0

Fri, 27 Apr 2012 22:56:00 +0300

After playing with FreeBSD for a few days, I’m back on my OpenBSD. First time I tried installing Xfce I gave up, due to some mouse problems and window manager issues. Now I’m back on track for installing this simple desktop environment, ready to fix all the problems.

The mouse problem arise probably due to the fact that my moue is a PS2 mouse, but it connect to my PC trough a PS2-to-USB adapter. I needed that so that my OS X could run on my system, since Apple’s operating system doesn’t had drivers for PS2 mouses. In OpenBSD, everytime I exited Xorg, my mouse would disconnect and stayed that way. Frustrating. So I removed the adapter and plugged my mouse in it’s intended location. Problem solved.

So let’s get on installing Xfce. I’ve used this website as a guide, but with some modifications (some packages couldn’t be found and some of them have different name now). If you already have a clean OpenBSD installed, just run this commands to have your Xfce desktop ready (there is no meta-package for Xfce, so we have to manually install everything):

# pkg_add -vi xfce4-session

# pkg_add -vi gtk-xfce-engine

# pkg_add -vi xfdesktop

# pkg_add -vi xfce4-appfinder

# pkg_add -vi xfce4-battery

# pkg_add -vi xfce4-clipman

# pkg_add -vi xfce4-dict

# pkg_add -vi xfce4-diskperf

# pkg_add -vi xfce4-fsguard

# pkg_add -vi xfce4-genmon

# pkg_add -vi xfce4-mailwatch

# pkg_add -vi xfce4-modemlights

# pkg_add -vi xfce4-mount

# pkg_add -vi xfce4-mpc

# pkg_add -vi xfce4-netload

# pkg_add -vi xfce4-notes

# pkg_add -vi xfce4-notifyd

# pkg_add -vi xfce4-places

# pkg_add -vi xfce4-quicklauncher

# pkg_add -vi xfce4-screenshooter

# pkg_add -vi xfce4-smartbookmark

# pkg_add -vi xfce4-systemload

# pkg_add -vi xfce4-taskmanager

# pkg_add -vi xfce4-time-out

# pkg_add -vi xfce4-verve

# pkg_add -vi xfce4-wavelan

# pkg_add -vi xfce4-weather

# pkg_add -vi xfce4-wmdock

# pkg_add -vi xfce4-xkb

# pkg_add -vi xfce-utils

# pkg_add -vi xfce4-terminal

# pkg_add -vi mousepad

# pkg_add -vi orage

# pkg_add -vi xfce4-mixer

# pkg_add -vi xfwm4
# pkg_add -vi xfwm4-themes

My initial problem with window bars missing was caused by failing to install xfwm4. Now it works, beautifully.

Don’t forget to modify your .initrc file accordingly (and comment any other lines, if necessary):

$ echo 'exec startxfce4' > .xinitrc

$ chmod +x .xinitrc

I haven’t installed a login manager yet, but this operation should be trivial and I’ll let it as an exercise for the reader :)

Update: Same procedure works for OpenBSD 5.1 as well.

FreeBSD on my desktop

Tue, 24 Apr 2012 19:49:42 +0300

Since I haven’t tried FreeBSD in a long, long time (years), I gave it a shot these days and I must say I was surprised. After almost a day of using it, it didn’t feel different than any other modern Linux distribution. It even have a graphical update manager that didn’t work! Jokes aside, FreeBSD had made some huge progress in desktop usability and if we consider the server tools and its awesome documentation, it’s an interesting operating system.

Installing GNOME was so easy that I really have nothing to add. There’s no tips and trick, just follow the manual and you’ll have GNOME installed in like half an hour. If you want to have an enjoyable experience as a desktop, you have to read and apply these tips from the handbook and… there you have it, a fully usable FreeBSD desktop. With Flash, NVIDIA driver and Java support just a few pkg_add command away.

FreeBSD is so simple to install that offers really no challenge so if I made a blog about me using it, I’m afraid there wouldn’t be much to write about. On the server side, FreeBSD brings a few tools on the table that really worth taking a look at: ZFS, jails and virtualization. Not bad FreeBSD, not bad.

I was also tempted to install Solaris 11, but after a quick IRC chat I found out that Oracle doesn’t supply free security updates. That’s not funny. Open source implementation of Solaris and its features are spread between different projects (SmartOS, ProjectIndiana, etc) so until they stabilize and deliver an usable product, I think FreeBSD have it all: really good server tools, best desktop experience, without being owned by a ruthless corporation.

So back to our OpenBSD, after a wonderful trip trough FreeBSD realm. It’s nice to know there is an operating system like this and it continues to evolve. I will probably fail to make OpenBSD my desktop operating system, but I’m pretty sure I could get used to FreeBSD as quickly as I could with any other Linux distribution.

My .vimrc

Mon, 23 Apr 2012 09:21:00 +0300

I learned to love vim. In the first days of my *NIX adventures, I was using nano, since it reminded me of Norton Commander’s editor, but I soon realized that vim was more elegant and it seems I was more quicker using it then nano or, God forbids, Emacs (who uses an operating system to write a text file, anyway?). When in X, I prefer other, more fancy, editors, but when stuck to command line, vim is a great tool and usually the first package I install (if it’s not installed already).

While vanilla vim is quite usable after you get used to it, having some options turned on just makes it more friendly. So here’s my .vimrc file:

set ai
set background=dark
set showtabline=3
set smartindent
set smarttab
set backspace=indent,eol,start
set ruler
syntax on
command WQ wq
command Wq wq
command W w
command Q q

While I saw some very complex .vimrc settings, I like not to deviate to much from default options, but, in the same time, still using vim without frustration.

When in GNOME, I use gnome-terminal with a white background and the above setup doesn’t look very nice for most files, due to syntax color, so I modify the second line like this:

set background=light

That’s all about vim for now.

GNOME on OpenBSD

Sat, 21 Apr 2012 19:46:00 +0300

Once we’ve got X configured and running on our OpenBSD 5.0/amd64, getting GNOME 2.32 it’s not that hard. I just had to fetch and install a few packages.

# pkg_add -vi gnome-session
# pkg_add -vi metacity

Here, you will have to chose GTK2 variant of metacity, to avoid conflicts later on. Let’s continue our GNOME installation.

# pkg_add -vi gnome-panel
# pkg_add -vi nautilus
# pkg_add -vi gnome-terminal
# pkg_add -vi gnome-control-center
# pkg_add -vi gnome-menus
# pkg_add -vi gnome-settings-daemon
# pkg_add -vi gnome-themes
# pkg_add -vi gnome-themes-extras
# pkg_add -vi gnome-utils
# pkg_add -vi gnome-applets2
# pkg_add -vi gnome-system-monitor
# pkg_add -vi gnome-nettool

A restart is recommended. After that, if .xinitrc file doesn’t exist in your home directory, create it and add the following line:

exec gnome-session

That’s it, now we have GNOME installed and it should look like this, after running:

startx

If you look careful enough, you’ll see a few apps already installed. Before getting the snapshot, I’ve installed xmms, audacity, firefox, thunderbird, pidgin, vlc, mplayer and gFTP. The good news is that Libre Office installed and it’s running fine without any Java dependencies, that’s just great. Using GNOME’s keyboard layout tool, I was able to use localized keyboard layouts with special characters, like ăâșțî.

GNOME looks nice and polished, but I don’t have hardware acceleration and you can tell that by dragging a window on the screen. Its not that fast and almost annoying to have a video card and not being able to fully use it.

I also found out about mozilla-dicts-XX packages, with spell check dictionaries for various languages, accessible form Firefox and Thunderbird (and hopefully SeaMonkey too, but I didn’t check that). Identify your language and just type:

# pkg_add -vi mozilla-dicts-XX

replacing XX with your country code.

Now, if we want to login directly into GNOME, we should install gdm (GNOME Display Manager). There’s no trick here, just:

# pkg_add -vi gdm

After that, make sure yu add the following in /etc/rc.local:

if [ -x /usr/local/sbin/gdm ]; then
echo -n ’ gdm’; (sleep 5; /usr/local/sbin/gdm) &
fi

That’s it. Restart and you should be taken directly into gdm and from there to GNOME.

YouTube works in Firefox, using HTML5, since no Flash is available on OpenBSD, but it’s rather slow, almost unusable.

Another disappointment was to find out that OpenBSD does not mount HFS+ disks, leaving my entire 1TB storage HDD inaccessible on my shiny new operating system. ZFS would be nice, but since there is some hope with read-only NTFS, the situation is not catastrophic.

I’m not very enthusiastic about GNOME performance. I’d expected the system to be quicker and also, video performance on Firefox is really bad. I’ve also played with cwm, but about this, in a future post.

Desktop project: getting started

Sat, 21 Apr 2012 11:47:00 +0300

OpenBSD was installed on the following hardware: Asus P5B-E motherboard with Intel Core2 Duo E6300 CPU at 1.86 GHz with 4 GB RAM and on a WD 75 GB hard disk drive. NVIDIA 8600 GT video card was present on the system, but this will not affect our installation to much.

Installing was performed using the default options, giving the whole 75 GB disk to OpenBSD and installing all sets from the CD. Since I have a dedicated disk for this test, I won’t fiddle with dual boot just yet. The installation was fast, took only a few minutes, as expected.

Since I haven’t created an user during install, this was the first thing I did after booting into my clean OpenBSD system. I’ve also added him to the wheel group,

Next, pkg_add config, so that we can move on. Used vi to edit .profile, by adding the following lines:

export PKG_PATH=http://ftp5.eu.openbsd.org/ftp/pub/OpenBSD/5.0/ \
packages/`machine -a`/

Save, log out and log in again to avoid running the above mentioned command in the shell, then checked fore new packages by running:

pkg_add -u

MOving on installing basic tools:

pkg_add -vi vim
pkg_add -vi mc

The -v switch is for verbose and -i for interactive selection, if needed.

There are a few things we should check before starting X. You should check if machdep.allowaperture is correctly set for your platfrom. Its value should be 2 in case of i386 or amd64. My OpenBSD 5.0 had this value already correclty set up in /etc/sysctl.conf, so I woulnd’t have to modify a thing. Also, I had to set wsmoused_flags=”“ in /etc/rc.conf.local before I could use the mouse in X.

If any problems arise with X, just use another terminal to issue

pkill Xorg

that will bring down any non responsive Xorg setup, in case CTRL-ALT-Backspace fails to work.

Create .xinitrc file in your home folder, add just cvm on its first line, then you can manually start the X server and cwm window manager by typing:

startx

CTRL-ALT-Enter in cwm will spawn a new terminal window. You can read more about cwm in the manual. To be able to post this message, I had to install a web browser:

pkg_add -vi seamonkey

It’s not the latest release, but it’s all I need for now.

So we’ve installed OpenBSD on a new system and managed to get X up and running. That’s the first step towards a functional desktop for daily use. I haven’t figured out yet how to take a screenshot, so you’ll have to take my word on this. Our saga will continue next time, when we’ll probably play and configure with others window managers, since the current setup is not very pretty.

The great mistery of the empty tar.bz2 file

Fri, 20 Apr 2012 10:33:00 +0300

Nihil sine backup, and what better way to do backup than a script placed in crontab? The script is a simple one:

NOWD=$(date +”%F”)
NOWT=$(date +”%T”)
/usr/local/bin/mysqldump -u root -password \
dbname > /root/databases/db.sql
/bin/tar cvfj /home/john/backup/backup-$NOWD-$NOWT.tar.bz2 \
/var/log /var/www /etc /root/databases
/bin/rm /root/databases/db.sql

It dumps MySQL database in a folder than group a few folders in an archive with a proper name based on the date and time of its creation and finally cleans up. Nothing fancy, just your basic backup script. Running it by hand will start tar.bz2-ing the files and then carefully place the archive where it should. Nothing extraordinary here, just a script doing its job.

The problems appears when I place the script in crontab.

50 3 * * 3 /bin/sh /root/backup.sh

As expected, the script starts running when it should, but fails when it reaches the first file on the first folder that it needs to process. The resulted tar.bz2 file is in its right place, but it’s empty, with a size of 0 KB. Yes, the script is executable, like I said, running it by hand gives the expected behavior and results. I suspect some sort of permissions issue, but I couldn’t find a way to solve this yet. Until then, manual backup will do the job.

Edit: Problem fixed. See here.

Desktop project: evaluating requirements

Thu, 19 Apr 2012 14:38:00 +0300

The plan is to install OpenBSD at home, on my desktop and use it for exclusively for at least a week, to evaluate it’s usability for daily routine and how fit am I to use it like this. It will be an act of asceticism giving away the polished look of Mac OS X, but maybe I will end up enlightened after this experience :)

Before starting this thing, I need to evaluate my daily needs. Off course, first thing that came to mind is having X up and running. This would be fairly easy to achieve. The problem would be choosing the right desktop environment / window manager. Although I’m curious about simplistic tilled window managers, like cwm, it will probable get a while to adjust, so for starters I think I’ll try to install GNOME, since KDE4 is really not something I would enjoy, but who knows, maybe I’ll be on the mood for something new. And also a simple and pretty desktop (graphical login) manager, SLiM is a perfect candidate for this.

Basically, I think I would need the following to cover my daily needs:

web browser (with spell-check, Firefox, SeaMonkey)
office suite (OpenOffice, LibreOffice)
basic image processing (with resize and various format support)
instant messaging (pidgin)
IRC client (pidgin, X-Chat, Konversation in case of KDE)
Bittorent client (in terminal or in X)
SFTP client (gFTP)
video player with various codecs (VLC, mplayer)
audio player with MP3 and all (xmms, audacious)
possibility to mount HFS+/NTFS drive (read-only for the time being)
Dropbox beyond web interface (I think I’ll have to work hard for this one)
some games (OpenTTD and Minecraft will satisfy me, though I’ll need Java)
localized keyboard layout
optionally: email client (Thunderbird, SeaMonkey, Sylpheed)

Everything up there seems do-able in OpenBSD, so when time permits, I’ll start the project and keep you updated about my progress.

More fun with PF: blocking unwanted guests

Thu, 19 Apr 2012 13:34:00 +0300

Every once in a while, I check my /var/logs/auth to see people knocking on my port 22 door. While I do have a strong password for my user and “PermitRootLogin no” on my /etc/ssh/sshd_config, I’m still not very comfortable with people wanted to get in. Once again, PF came to rescue, delivering an elegant solution. Actually, two.

First, I tried the manual method. Looking in /var/logs/auth and putting the incriminated IPs into a text files. Them I would tell pf to look into that file and block all access for those IPs, like this:

table <blockedips> persist file “/etc/pf.blocked.ip.conf”
block in on bnx0 from <blockedips> to any

The first line defines a table with values in the specified file, then pf will block all connection from the matching IP (bnx0 being my network interface). Simple, but requires some daily maintenance. My next thought was: could I make this process automatic? It appears that I do, and this will be the second method of keeping your lawn clean.

The second solution was found on the web.

table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp from any to any port \
ssh flags S/SA keep state (max-src-conn 5, \
max-src-conn-rate 5/30, overload <bruteforce> flush global)

We create another table and block all the IPs from it. Then we populate the table with IPs from users that try connecting to the server and fails to often. If they connect with more then 5 clients to the SSH server and try reconnect 5 times within 30 secs they get added to the table.

Don’t forget to reload pf rules by running, as root:

# pfctl -f /etc/pf.conf

If you want to check the content of any table, just run the following, as root:

# pfctl -t bruteforce -T show

To remove an IP from the table, run:

# pfctl -t bruteforce -T delete <IP>

I think the second option is the most elegant way to keep unwanted guests away. Although I’m pretty sure that the content of the bruteforce table will empty on reboot, but that’s ok since it will be repopulated next time someone fails to properly login.

Fun with PF: blocking ports

Thu, 19 Apr 2012 08:21:00 +0300

Firsts things first: we have to close our unused ports. We surely need port 22 open for ssh connection and 80 for Apache. I would also use ntpd, so 123 will remain open. After a few Internet readings, port 53 should remain open, due to its use by bind for zone transfers and such.

I’ve learned that PF is a great OpenBSD tool, but it sure does require some reading before using it and it’s on my to-do list. The following example was found on the web and I adapted it to my needs. As I see it, we define a table in the first two rows, with information about TCP and UDP ports that we want open. After that, we block all connections, but create exceptions for the above mentioned ports. It works for me.

tcp_pass = “{ 53 80 22 123 }”
udp_pass = “{ 53 }”
block all
pass out proto tcp to any port $tcp_pass keep state
pass out proto udp to any port $udp_pass keep state
pass in proto tcp to port 22 keep state
pass in proto tcp to port 80 keep state