2017年5月18日木曜日

Server on a Raspberry Pi 3

I use the snapshots from 16th May.


8GB micro SDは セルモーターのようなもので
rootは 32G USB にあります。
WWWのファイルは sata ハードディスク にあります。




# ./comment-out.bat /etc/rc.local                                              
# /etc/rc.local: hand the rest of the site-specific boot work to /start.bat (listed below).
/start.bat

そして

./comment-out.bat /start.bat                                                                       
# /start.bat (first version): move the web root onto the sata disk, move swap off
# the root disk and restart nginx.  Runs as root from /etc/rc.local.  None of the
# commands is checked, so a failed umount/mount leaves nginx serving whatever is
# under the /WWW mount point instead of the disk.
umount /WWW
mount /dev/sd1a /WWW               # the WWW files live on the sata disk (sd1)
rm /etc/resolv.conf                # NOTE(review): redundant - the '>' below truncates the file anyway
echo 'nameserver 8.8.8.8' > /etc/resolv.conf   # pin the resolver; overwrites any existing resolv.conf
cat /etc/resolv.conf
swapon     /dev/sd1b               # add swap on the sata disk ...
swapctl -d /dev/sd0b               # ... then drop the swap partition on sd0 (the root disk, see df output)
/etc/rc.d/nginx restart



一応
# ./comment-out.bat /etc/fstab                                                                       
# /etc/fstab - swap and root both on the 32G USB disk (DUID c87666335bcb7b91).
c87666335bcb7b91.b none swap sw
# NOTE(review): wxallowed on / relaxes W^X enforcement for every binary on the root
# filesystem; OpenBSD's default fstab grants it only to /usr/local.  Confirm something
# here really needs it and, if so, prefer a separate wxallowed filesystem for that program.
c87666335bcb7b91.a / ffs rw,wxallowed 1 1



WWWサーバー with basic auth
cat /etc/rc.conf.local                                         
httpd_flags=""   # enable httpd(8) at boot; empty string = default flags


cat /var/www/htdocs/index.html
123


/etc/httpd.conf                                            
# /etc/httpd.conf (first version) - one httpd(8) server on port 80, no authentication.
ext_addr="*"
server "default" {
        listen on $ext_addr port 80   # plain HTTP on every address; serves htdocs under the /var/www chroot


}
I was greatly helped by William on the OpenBSD arm mailing list.
# htpasswd  /var/www/htpasswd.conf user-X        
Password: 
Retype Password: 

# chown www /var/www/htpasswd.conf

# chmod 600 /var/www/htpasswd.conf

# /etc/httpd.conf                                            
# /etc/httpd.conf - one server on port 80 with HTTP basic auth over the whole site.
ext_addr="*"                 # macro is defined but the listen line below uses a literal *
server "default" {
        listen on * port 80
        # The path is relative to httpd's /var/www chroot, i.e. /var/www/htpasswd.conf
        # (created with htpasswd, then chown www / chmod 600).  Basic auth over plain
        # HTTP sends the password in cleartext on every request; limit who can reach
        # port 80 or put TLS in front of it.
        authenticate "secure area" with "/htpasswd.conf"
    }




以下の NGINX は 今はうまく行かない
# ./comment-out.bat /etc/nginx/nginx.conf   
# /etc/nginx/nginx.conf - single worker, one vhost on port 80 serving /WWW/d1
# behind HTTP basic auth.
worker_processes  1;
worker_rlimit_nofile 1024;
events {
    worker_connections  800;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.html index.htm;
    keepalive_timeout  65;
    server_tokens off;                 # do not advertise the nginx version in headers / error pages
    server {
        listen       80;
        server_name  straw-berry.mydns.jp;
        root         /WWW/d1;          # the sata disk mounted on /WWW by /start.bat
# Basic auth over plain HTTP: credentials travel in cleartext.
# NOTE(review): the user file here is /var/www/.htpasswd, while httpd.conf points at
# /var/www/htpasswd.conf.  Make sure the file named here exists and is readable by the
# nginx worker user - an unreadable file typically turns every request into a 500.
auth_basic "Restricted";
auth_basic_user_file /var/www/.htpasswd;
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /WWW/d1;
        }
    }
}



後述のwifiルーター狙いで

# ./comment-out.bat /etc/pf.conf    
# /etc/pf.conf (first version) - NAT out of smsc0 (wired), ssh/http allowed in.
ext=smsc0                       # the wired upstream interface; the wifi AP is rum0
icmp_types = "{echoreq, unreach}"
set block-policy return
set loginterface $ext
set skip on lo0
match in all scrub (no-df max-mss 1440)
match out on $ext inet from !($ext:network) to any nat-to ($ext:0)   # NAT anything not from the wired net (e.g. the wifi clients)
block log all                   # default deny, logged
pass out quick
pass in on $ext inet proto tcp from any to ($ext:network) port 22 flags S/SA keep state
pass in on $ext inet proto tcp from any to ($ext:network) port 80 flags S/SA keep state
# NOTE(review): the next rule is 'quick' and has no 'on' clause, so it admits ALL
# inbound tcp/udp/gre on every interface, $ext included - the loaded ruleset shown
# by 'pfctl -sr' below lists it as 'pass in quick inet proto tcp all'.  That makes
# 'block log all' and the two port rules above ineffective for the wired side.  If
# the intent is only to let the wifi clients through, scope it to that interface:
#   pass in quick on rum0 inet proto { tcp udp gre } from (rum0:network) to any
pass in quick inet proto { tcp udp gre } from any to any
pass in quick inet proto icmp all icmp-type $icmp_types keep state


どうなってるかというと
# pfctl -sr                                                                                          
match in all scrub (no-df max-mss 1440)
match out on smsc0 inet from ! (smsc0:network) to any nat-to (smsc0:0)
block return log all
pass out quick all flags S/SA
pass in on smsc0 inet proto tcp from any to (smsc0:network) port = 22 flags S/SA
pass in on smsc0 inet proto tcp from any to (smsc0:network) port = 80 flags S/SA
pass in quick inet proto icmp all icmp-type echoreq
pass in quick inet proto icmp all icmp-type unreach
pass in quick inet proto tcp all flags S/SA
pass in quick inet proto udp all
pass in quick inet proto gre all


# ./comment-out.bat /etc/rc.conf.local                                                            
#dhcpd_flags=
pf=YES                  # Packet filter / NAT
sshd_flags=             # sshd(8) enabled with default flags; pf opens port 22 on the wired interface






wifi ルーター
wifi-AP.bat  で wifi ルーターを作ります 
PCs--(wifi)-->rum0:OpenBSD:smsc0--(wired)-->router-->internet
ですね。

# ./comment-out.bat /etc/dhcpd.interfaces
rum0


# ./comment-out.bat /etc/dhcpd.conf
# /etc/dhcpd.conf - leases for the wifi clients on rum0 (see /etc/dhcpd.interfaces).
option  domain-name-servers 8.8.8.8;          # clients resolve via 8.8.8.8, same as the host's resolv.conf
subnet 192.168.120.0 netmask 255.255.255.0 {
        option routers 192.168.120.1;         # the rum0 address configured by wifi-AP.bat
        range 192.168.120.11 192.168.120.15;  # only five leases are handed out
}


# ./comment-out.bat ./wifi-AP.bat
# wifi-AP.bat: bring rum0 up as a WPA access point for the 192.168.120.0/24 clients
# and (re)start dhcpd for them.  Runs as root.
sh /etc/netstart                    # re-run the network start script for all interfaces
pfctl -f /etc/pf.conf               # load the firewall/NAT rules ('pfctl -nf' syntax-checks first)
pfctl -sr                           # print the loaded rules so a bad load is visible
# rum0: 192.168.120.1/24, hostap mode, SSID "openbsdAP", channel 1.
# NOTE(review): the WPA passphrase is a short all-digit string hard-coded in the
# script; a long random passphrase, kept in a root-only (0600) file, would be much
# stronger.  (A comment cannot go between the '\'-continued lines below.)
ifconfig rum0 inet 192.168.120.1 netmask 255.255.255.0 \
media autoselect mediaopt hostap nwid openbsdAP  wpakey 1234567890 \
chan 1 up
/etc/rc.d/dhcpd  restart            # dhcpd listens on rum0 per /etc/dhcpd.interfaces




finally


The Rpi3 serves as an sshd server, WWW server and wifi router.

この変更を うっかり忘れてはまった



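# ./comment-out.bat /start.bat
# /start.bat: boot-time setup run from /etc/rc.local as root - turn on IPv4
# forwarding (the Rpi3 routes for the wifi clients on rum0), pin DNS, restart
# httpd, load pf, bring up the rum0 access point and restart dhcpd.
# The sysctl line below had been fused onto the header line, where it was a
# comment rather than a command; it is the change the note above says was forgotten.
sysctl  net.inet.ip.forwarding=1    # required for routing/NAT between rum0 and smsc0
rm /etc/resolv.conf                 # redundant: the redirect below truncates the file anyway
echo 'nameserver 8.8.8.8' > /etc/resolv.conf   # pin the resolver; overwrites any existing resolv.conf
cat /etc/resolv.conf
/etc/rc.d/httpd -f restart          # -f: force the action even if the daemon is not enabled in rc.conf.local
sh /etc/netstart                    # re-run the network start script for all interfaces
# A rejected pf.conf leaves the previous ruleset (or none) in place; say so on stderr.
pfctl -f /etc/pf.conf || echo 'pf.conf failed to load' >&2
pfctl -sr                           # print the loaded rules so a bad load is visible
# rum0: 192.168.120.1/24, hostap mode, SSID "openbsdAP", channel 1.
# NOTE(review): the WPA passphrase is a short all-digit string hard-coded in the
# script; a long random passphrase, kept in a root-only (0600) file, would be much
# stronger.  (A comment cannot go between the '\'-continued lines below.)
ifconfig rum0 inet 192.168.120.1 netmask 255.255.255.0 \
media autoselect mediaopt hostap nwid openbsdAP  wpakey 100100100 \
chan 1 up
/etc/rc.d/dhcpd  -f restart         # dhcpd listens on rum0 per /etc/dhcpd.interfaces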



# head /etc/pf.conf  
ext_if=smsc0
int_if=rum0
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16      \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3  \
                   192.168.1.0/24                                       \              
                   198.18.0.0/15 198.51.100.0/24                        \
                   203.0.113.0/24                                       \ 
1.0.1.0/24 \



# tail -30 /etc/pf.conf

# NOTE(review): 'ext_if' on this line has no '$', so pf reads it as a literal
# interface name rather than the ext_if macro.  No interface is called ext_if, so
# the rule either never matches or is rejected at load time - either way the
# <martians> table is not enforced.  Use 'on $ext_if'.  The table definition must
# also be complete (every '\' continuation closed) before this line; check the whole
# file with 'pfctl -nf /etc/pf.conf'.
block in quick on ext_if from <martians> to any
icmp_types = "{echoreq, unreach}"
set block-policy return
set loginterface $ext_if
set skip on lo0
match in all scrub (no-df max-mss 1440)
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)   # NAT anything not from the wired net (e.g. the wifi clients)
block log all                   # default deny, logged
pass out quick
pass in on $ext_if inet proto tcp from any to ($ext_if:network) port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if:network) port 80 flags S/SA keep state
# NOTE(review): the next rule is 'quick' with no 'on' clause, so it admits ALL
# inbound tcp/udp/gre on every interface, $ext_if included; the default deny and the
# two port rules above therefore protect the wired side only on paper.  The int_if
# macro (rum0) is defined at the top of the file but unused in the rules shown here;
# to pass only the wifi clients, scope the rule to that interface:
#   pass in quick on $int_if inet proto { tcp udp gre } from ($int_if:network) to any
pass in quick inet proto { tcp udp gre } from any to any
pass in quick inet proto icmp all icmp-type $icmp_types keep state





# ./comment-out.bat /etc/rc.local                                                                                         
# /etc/rc.local: hand the rest of the site-specific boot work to /start.bat.
/start.bat



# ./comment-out.bat /etc/dhcpd.interfaces                                                                                   
rum0




# ./comment-out.bat /etc/dhcpd.conf                                                                                         
# /etc/dhcpd.conf - leases for the wifi clients on rum0 (see /etc/dhcpd.interfaces).
option  domain-name-servers 8.8.8.8;          # clients resolve via 8.8.8.8, same as the host's resolv.conf
subnet 192.168.120.0 netmask 255.255.255.0 {
        option routers 192.168.120.1;         # the rum0 address configured in /start.bat
        range 192.168.120.11 192.168.120.15;  # only five leases are handed out
}




# ./comment-out.bat /etc/httpd.conf                                                                                         
# /etc/httpd.conf - one server on port 80 with HTTP basic auth over the whole site.
ext_addr="*"                 # macro is defined but the listen line below uses a literal *
server "default" {
        listen on * port 80
        # The path is relative to httpd's /var/www chroot, i.e. /var/www/htpasswd.conf,
        # which must be readable by the www user and by nobody else.  Basic auth over
        # plain HTTP sends the password in cleartext on every request; limit who can
        # reach port 80 or put TLS in front of it.
        authenticate "secure area" with "/htpasswd.conf"
    }

/var/www/htdocs/index.html をみてる




# ./comment-out.bat /etc/rc.conf.local                                                                                      
pf=YES                  # Packet filter / NAT
sshd_flags=             # sshd(8) enabled with default flags; pf opens port 22 on $ext_if
httpd_flags=            # httpd(8) enabled with default flags; port 80 with basic auth per httpd.conf



# df
Filesystem  512-blocks      Used     Avail Capacity  Mounted on

/dev/sd0a     57683640   1541704  53257756     3%    /
と 32GUSBメモリだけでも スカスカ!






監視
 1) 簡易 ./comment-out.bat atack.bat
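# atack.bat: a quick look at who is hitting sshd - reload pf, show the last 20
# authlog lines, wait for Enter, then print the source addresses authlog mentions.
# Runs as root (pfctl and /var/log/authlog need it).
pfctl -f /etc/pf.conf
tail -20 /var/log/authlog
# Pause so the tail above can be read.  -r keeps backslashes in whatever was typed,
# and the quoted printf echoes it back verbatim (the original 'echo $X' word-split it).
read -r X
printf '%s\n' "$X"
# Fields 10 and 11 of every line containing a dotted address; the single sed pass
# then strips the surrounding words ("from", "port", "root", "exceededfor") and any
# leading text up to ":11:", leaving the address.  Same substitutions, same order,
# as the original chain of five sed processes.
# NOTE(review): the awk pattern matches any line with three dots, so the output is
# only as clean as the log format; this is for eyeballing, not for feeding a blocklist.
awk '/.*\..*\..*\..*$/ {print $10 $11    }' /var/log/authlog \
  | sed -e 's/from//g' -e 's/port//g' -e 's/root//g' -e 's/exceededfor//g' -e 's/.*:11://g'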


 2)snort

  ls -l /etc/snort/                                                                                              
total 181268
-rw-r--r--  1 _snort  wheel         3757 May 21 10:06 classification.config
drwxr-xr-x  2 _snort  wheel          512 May 18 11:27 etc
-rw-r--r--  1 _snort  wheel        31971 May 21 10:06 gen-msg.map
-rw-r--r--  1 _snort  wheel         2060 May 21 10:06 generators
-rw-r--r--  1 _snort  wheel          687 May 21 10:06 reference.config
drwxr-xr-x  4 _snort  wheel         3584 May 21 17:51 rules
-rw-r--r--  1 _snort  wheel        27941 May 21 10:06 snort.conf
-rw-r--r--  1 _snort  wheel        27941 May 21 10:17 snort.conf-ori
-rw-r--r--  1 _snort  foge  46027008 May 21 17:32 snortrules-snapshot-2983.tar.gz
-rw-r--r--  1 _snort  foge  46448896 May 21 17:22 snortrules-snapshot-2990.tar.gz

-rw-r--r--  1 _snort  wheel         2335 May 21 10:06 threshold.conf
-rw-r--r--  1 _snort  wheel       160606 May 21 10:06 unicode.map

 /etc/rc.d/snort -f restart

./comment-out.bat /etc/snort/snort.conf |  grep RULE
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
以下略

........
