Archive for the ‘BOFH’ Category

Upgrading freeBSD

Sunday, March 6th, 2005

Keeping mission critical machines up to date is always a burden for a sysadmin.
Especially if you are an all-round sysadmin, responsible for all kinds of servers.
On FreeBSD, this has become quite easy.
There is a new tool in town: portsnap.

Setup is easy. See this article on TaoSecurity.
After installing it, the whole thing boils down to this:

cd /usr/ports
portsnap fetch
portsnap update
make fetchindex
portsdb -u
portversion -v -l "<"
Check /usr/ports/UPDATING for information relating to my applications
portupgrade -varR

Total control :)
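The one step in the list above that is still manual is reading /usr/ports/UPDATING before running portupgrade. As an added example (mine, not from the post or from the FreeBSD project), here is a small parser for that file's format: each entry starts with an eight-digit date and a colon in column 0, followed by AFFECTS: and AUTHOR: lines and free text. Given the origins of your installed ports (the category/name pairs, which you would get from pkg_info; the list below is constructed) and the date of your last upgrade, it returns only the entries you actually need to read. The sample UPDATING text is constructed for the example, not copied from the real file.

```python
import re
from datetime import date

# Constructed sample of /usr/ports/UPDATING (not the real file). Entries start
# with an 8-digit date and a colon in column 0, then AFFECTS/AUTHOR lines.
SAMPLE_UPDATING = """\
20050305:
  AFFECTS: users of mail/postfix
  AUTHOR: someone@example.org

  The default main.cf location moved. Review /usr/local/etc/postfix
  after upgrading.

20050220:
  AFFECTS: users of www/apache13
  AUTHOR: someone@example.org

  Module layout changed; rebuild third-party modules.

20050110:
  AFFECTS: users of security/openssh-portable
  AUTHOR: someone@example.org

  sshd_config defaults changed; check PermitRootLogin.
"""

# An entry header is a date alone on a line, e.g. "20050305:".
ENTRY_RE = re.compile(r"^(\d{8}):\s*$", re.M)


def parse_updating(text):
    """Split UPDATING into (date, affects, body) tuples in file order (newest first)."""
    entries = []
    headers = list(ENTRY_RE.finditer(text))
    for i, m in enumerate(headers):
        start = m.end()
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        chunk = text[start:end]
        affects = ""
        am = re.search(r"^\s*AFFECTS:\s*(.*)$", chunk, re.M)
        if am:
            affects = am.group(1).strip()
        raw = m.group(1)
        d = date(int(raw[:4]), int(raw[4:6]), int(raw[6:8]))
        entries.append((d, affects, chunk.strip()))
    return entries


def relevant_entries(text, installed_origins, since):
    """Entries newer than `since` whose AFFECTS line names one of your port origins.

    Matching is a case-insensitive substring test on the AFFECTS line, so
    "users of mail/postfix" matches the origin "mail/postfix".
    """
    hits = []
    for d, affects, body in parse_updating(text):
        if d <= since:
            continue
        low = affects.lower()
        if any(origin.lower() in low for origin in installed_origins):
            hits.append((d, affects, body))
    return hits


if __name__ == "__main__":
    # Constructed stand-in for the origins of the packages on this box.
    installed = ["mail/postfix", "security/openssh-portable"]
    for d, affects, body in relevant_entries(SAMPLE_UPDATING, installed, date(2005, 2, 1)):
        print("%s  %s" % (d, affects))
        print(body)
        print()
```

Run it against the real file with `open("/usr/ports/UPDATING").read()` and the date of your previous portupgrade; anything it prints is worth reading before `portupgrade -varR`.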

Upgrade day

Wednesday, February 16th, 2005

pfeeuw.

Transmit 3
Pix OS 7 (well, announced at least)
Wordpress 1.5

I bought Transmit 3 today.
PIX OS 7 will be a free upgrade (SMARTnet to the rescue).
WordPress… 2 out of 3 blogs already updated; gargleblaster will follow this weekend.

Transmit 3 kicks ass. Still clicking through the different new options. I know I’m going to love the “DockSend” option.
A year ago I thought that a graphical (s)FTP client was for lusers, but since my colo I couldn’t live without Transmit.

Postfix mailqueue

Sunday, February 6th, 2005

*sigh*

This took me more than 5 minutes. How to empty a Postfix mail queue completely:

postsuper -d ALL

It’s not in the manual.

Simple solution to prevent dictionary attacks on SSHD

Tuesday, February 1st, 2005

I like simple solutions.
My sshd daemon is constantly hammered by script kiddies running random dictionary attacks.
One simple way to prevent most of them is to change the port sshd listens on, or to use an unusual port mapping.
I don’t really like that, however. Don’t ask me why; it probably has something to do with my bad memory. I keep forgetting those ports.

Two other simple mechanisms which you could implement are:

1) Restricting the allowed user accounts. Especially if you don’t have a very common username like Jack or John:

AllowUsers secretuser othersecretuser@192.168.3.*

By adding the IP address you only allow login from that particular IP address for that particular user.

2) Restrict the number of tries for password guessing:

MaxStartups 10:30:60

From the manpages:

Specifies the maximum number of concurrent unauthenticated connections
to the sshd daemon. Additional connections will be dropped until
authentication succeeds or the LoginGraceTime expires for a connection.
The default is 10.

Alternatively, random early drop can be enabled by specifying the three
colon separated values "start:rate:full" (e.g., "10:30:60"). sshd will
refuse connection attempts with a probability of "rate/100" (30%) if
there are currently "start" (10) unauthenticated connections. The
probability increases linearly and all connection attempts are refused
if the number of unauthenticated connections reaches "full" (60).
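To see what "10:30:60" actually does to an attacker who opens many parallel connections, here is an added example (mine, not from the post or from OpenSSH) that parses a MaxStartups value and computes the refusal chance for a given number of pending unauthenticated connections, following the linear ramp the man page describes. The integer arithmetic is my reading of how sshd evaluates the ramp and should be treated as an assumption; the function names are mine.

```python
import random


def parse_max_startups(value):
    """Parse a MaxStartups value: either "N" or "start:rate:full".

    A plain number means a hard cut-off at N pending connections, which is
    expressed here as start = full = N with rate = 100.
    """
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("expected 'start:rate:full', got %r" % value)
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full) or not (0 <= rate <= 100):
        raise ValueError("invalid MaxStartups value %r" % value)
    return start, rate, full


def drop_percent(unauth, start, rate, full):
    """Percent chance sshd refuses a new connection with `unauth` pending ones.

    0% below `start`, `rate`% at `start`, rising linearly to 100% at `full`.
    """
    if unauth < start:
        return 0
    if unauth >= full or rate == 100:
        return 100
    # Integer ramp (assumed to mirror sshd): rate + (100-rate)*(n-start)/(full-start)
    p = 100 - rate
    p *= unauth - start
    p //= full - start
    return p + rate


def should_drop(unauth, start, rate, full, rng=random):
    """Roll the dice the way random early drop does; rng is injectable for tests."""
    return rng.randrange(100) < drop_percent(unauth, start, rate, full)


def ramp_table(value, step=10):
    """(pending connections, refusal %) pairs from 0 up to `full`."""
    start, rate, full = parse_max_startups(value)
    return [(n, drop_percent(n, start, rate, full)) for n in range(0, full + 1, step)]


if __name__ == "__main__":
    for n, pct in ramp_table("10:30:60"):
        print("%3d pending -> %3d%% refused" % (n, pct))
```

Note what the ramp does and does not buy you: a single script kiddie trying passwords one connection at a time never has more than one pending connection, so "10:30:60" does not slow that attacker down at all; it only keeps a burst of parallel attempts from exhausting sshd. The AllowUsers line above is what actually shrinks the space they can guess in.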

Read more in this blog entry at ap-lawrence.

Serial console on Xserve with Panther

Wednesday, December 8th, 2004

NOTE: I submitted this post as a hint on macosxhints.com; you might check this link for any user comments.

Enabling a serial console with Panther is very easy, if you know where to look.

/System/Library/StartupItems/SerialTerminalSupport/SerialTerminalSupport

Read this file. It has lots of information about the serial port.

After reading it, enter:

/System/Library/StartupItems/SerialTerminalSupport/SerialTerminalSupport start

This should enable console access. Not in my case, however: I have to connect through a console server at my colo, which operates at 9600 baud, while Apple enables a 57600 baud rate by default.

vi /etc/ttys

Look for the following line:

tty.serial "/usr/libexec/getty serial.57600" vt100 on secure

And change this to

tty.serial "/usr/libexec/getty serial.9600" vt100 on secure

Then give a

/System/Library/StartupItems/SerialTerminalSupport/SerialTerminalSupport restart

And I was able to connect.
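If you have to do the /etc/ttys edit above on more than one Xserve, it is nicer to script it than to vi it over a 9600 baud console. As an added example (mine, not from the post or from Apple), here is a small parser for the ttys format (name, quoted getty command, terminal type, status, flags) with a function that changes only the serial.NNNN argument on the tty.serial line and leaves every other byte alone, plus a helper that lists which ttys carry the "secure" flag, since that flag is what lets root log in directly on that line. The sample file is a constructed excerpt, not copied from a real system, and the function names are mine.

```python
import re
import shlex

# Constructed excerpt of an /etc/ttys file (not copied from any real system).
SAMPLE_TTYS = """\
# name     getty                                    type    status  comments
console    "/usr/libexec/getty std.9600"            vt100   on secure
tty.serial "/usr/libexec/getty serial.57600"        vt100   on secure
ttyp0      none                                     network
"""


def parse_ttys(text):
    """Return one dict per active line: name, getty, type, status, flags."""
    rows = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = shlex.split(stripped, comments=True)  # keeps the quoted getty whole
        if len(fields) < 3:
            continue  # malformed line: skip rather than guess
        rows.append({
            "name": fields[0],
            "getty": fields[1],
            "type": fields[2],
            "status": fields[3] if len(fields) > 3 else "",
            "flags": fields[4:],
        })
    return rows


def serial_speed(text, name="tty.serial"):
    """Baud rate configured for `name`, read from its getty 'serial.NNNN' argument."""
    for row in parse_ttys(text):
        if row["name"] == name:
            m = re.search(r"serial\.(\d+)", row["getty"])
            return int(m.group(1)) if m else None
    return None


def set_serial_speed(text, speed, name="tty.serial"):
    """Rewrite only the serial.NNNN argument on the `name` line; idempotent."""
    out = []
    for line in text.splitlines(keepends=True):
        if line.split()[:1] == [name]:
            line = re.sub(r"serial\.\d+", "serial.%d" % speed, line, count=1)
        out.append(line)
    return "".join(out)


def secure_ttys(text):
    """Names of ttys flagged 'secure' (root may log in directly on them)."""
    return [r["name"] for r in parse_ttys(text) if "secure" in r["flags"]]


if __name__ == "__main__":
    print("current:", serial_speed(SAMPLE_TTYS))
    print("secure ttys:", secure_ttys(SAMPLE_TTYS))
    print(set_serial_speed(SAMPLE_TTYS, 9600), end="")
```

On a real box you would read /etc/ttys, write the result to a temporary file, diff it against the original, and only then move it into place and restart SerialTerminalSupport; a typo in this file is exactly the kind of mistake that sends you driving to the colo.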

If I had discovered the above earlier, I would have saved myself a drive to my colo server room a couple of weeks ago, when I made a mistake while remotely configuring my en0.