# Security question



## stream (Jun 30, 2021)

Hi,

Can the experts in the forum suggest best practices in hardening and making remote servers more secure?

I have PF firewall on, with basic rules to block all, but allow standard processes.
Am thinking SSH and Sendmail are main ways of attack?

I have sendmail_enable off, but still these messages appear all the time in one of the servers that was compromised recently.
sendmail[3456]: NOQUEUE: SYSERR(oeprator): can not chdir(/var/spool/clientmqueue): Permission denied.

There seems to be some process that is trying to send mail. I have no idea what it is.
I don't see any cron jobs either.

And previously I noticed a lot of users trying to guess password.
I have switched off SSH for now. 

Thank you for  your time.


----------



## Alain De Vos (Jun 30, 2021)

If you have hard evidence that your install was hacked or accessed by persons without permission you should delete your partition.
The field of security is very wide. Google "Freebsd hardening".


----------



## SirDice (Jun 30, 2021)

stream said:


> Am thinking SSH and Sendmail are main ways of attack?


Any port that's accessible from the internet is open to attacks. SSH and mail bruteforce attacks are common, that's certainly true, but your web applications for example are equally under attack. 



stream said:


> There seems to be some process that is trying to send mail. I have no idea what it is.
> I don't see any cron jobs either.


Keep in mind that periodic(8) will send daily, weekly and monthly reports too. 



stream said:


> And previously I noticed a lot of users trying to guess password.
> I have switched off SSH for now.


You can somewhat limit the extent of those attacks using blacklistd(8), security/sshguard or security/py-fail2ban. All these tools will automatically block IP addresses after a certain number of failed login attempts within a specified timeframe. That often helps a lot. 

Another thing you can do is limit sshd(8) to only allow public/private key logins and never accept username/passwords. And while it's a bit of "security-through-obscurity", running sshd(8) on a different port will at least cull most of the automated scans.


----------



## Alain De Vos (Jun 30, 2021)

Run following command to see which ports are open.

```
sockstat -46L
```


----------



## stream (Jun 30, 2021)

Alain De Vos said:


> Run following command to see which ports are open.
> 
> ```
> sockstat -46L
> ```


Thanks for this. I see syslogd, ntpd, and another process which shows port *:*
Should I turn these off?


----------



## Alain De Vos (Jun 30, 2021)

You need syslog to be able to analyse problems. And you need ntp to synchronise time.
ntp is considered secure.
For syslog you could probably configure it so it only binds to sockets or 127.0.0.1 to make it more secure.


----------



## SirDice (Jun 30, 2021)

Don't turn off syslogd(8). But you might want to add `syslogd_flags="-ss"` to rc.conf. That will prevent syslog from opening a network socket at all. By default it already ignores remote messages:

```
-s      Operate in secure mode.  Do not log messages from remote
             machines.  If specified twice, no network socket will be opened
             at all, which also disables logging to remote machines.
```

ntpd(8) should similarly be limited, the other process is likely sendmail. Just leave that at the default, it runs in a 'local-submit' only mode.
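To turn the `sockstat -46L` listing suggested above into a repeatable check, here is an added example (not code from any poster): it reads a constructed sample in sockstat's layout, treats a FOREIGN ADDRESS of `*:*` as a bound-but-unconnected socket (which is what the sshd entry with `*:*` is), and reports every bound port that is not on your intended list. The `awk` parsing and the allowlist format are my own assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): compare a sockstat -46L listing against
# the ports you intend to expose, so nothing unexpected is bound.
# Constructed sample in sockstat(1) layout; on a real host replace it with
# the output of:  sockstat -46L
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp6   *:2222                *:*
root     sshd       1234  5  tcp4   *:2222                *:*
root     sshd       2345  5  tcp4   203.0.113.10:2222     198.51.100.7:51022
root     ntpd       789   20 udp4   *:123                 *:*
root     syslogd    456   6  udp6   *:514                 *:*
root     syslogd    456   7  udp4   *:514                 *:*
www      nginx      1500  6  tcp4   *:80                  *:*'

# audit_listeners LISTING "PORT PORT ..."
# Prints "PROTO LOCAL_ADDRESS USER COMMAND" for every bound socket whose port
# is not in the allowlist; returns 1 if any were printed, 0 otherwise.
# A FOREIGN ADDRESS of *:* means the socket is bound but has no peer, i.e. it
# is waiting for traffic; any other foreign address is an existing connection
# (like the second sshd line) and is skipped.
audit_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # column header
        $7 != "*:*" { next }                   # established connection, not a listener
        {
            port = $6; sub(/.*:/, "", port)    # keep what follows the last colon
            if (!(port in ok)) { print $5, $6, $1, $2; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# sshd on its non-default port, ntpd and syslogd are intended here; anything
# else is reported so you can decide whether to disable it or filter it in pf.
if audit_listeners "$SAMPLE" "2222 123 514"; then
    echo "only expected ports are bound"
else
    echo "^ unexpected listeners"
fi
```

With `syslogd_flags="-ss"` as recommended above, the two syslogd lines disappear from a real listing and port 514 can be dropped from the allowlist.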


----------



## stream (Jun 30, 2021)

SirDice said:


> Don't turn off syslogd(8). But you might want to add `syslogd_flags="-ss"` to rc.conf. That will prevent syslog from opening a network at all. By default it already ignores remote messages:
> 
> ```
> -s      Operate in secure mode.  Do not log messages from remote
> ...


thanks Sir. I will do that.
For ntp, are you suggesting `ntp_logs="-ss"`? Is this valid syntax?


----------



## Alain De Vos (Jun 30, 2021)

For ntp there is little you can do according to my knowledge.
When time is not synchronized you even have browsing problems over https.


----------



## Deleted member 30996 (Jun 30, 2021)

I know you're not a beginner, but why don't you take a look at what I've already written toward the end of my tutorial:

Beginners Guide - How To Set Up A FreeBSD Desktop From Scratch (forums.freebsd.org)

It has a full pf ruleset, configuration for /etc/rc.conf including syslog and ntp settings, /etc/ssh/sshd_config, etc.


Alain De Vos said:


> For ntp there is little you can do according to my knowledge.


This shows my pf ruleset and how it works, posted earlier today.

I block TCP port 25 and still get my daily mail through sendmail. I also block UDP and TCP ports 123 and my time is still updated because it initiates the traffic.


----------



## Deleted member 30996 (Jun 30, 2021)

Alain De Vos said:


> Google "Freebsd hardening".


Yes, ignore the forum Search function. It's an overload of info.


----------



## stream (Jun 30, 2021)

Trihexagonal said:


> I know you're not a beginner, but why don't you take a look at what I've already written in my Tutorial, stream.
> It has a full pf ruleset, configuration for /etc/rc.conf including syslog and ntp settings, /etc/ssh/sshd_config, etc.
> This shows my pf ruleset and how it works (https://forums.freebsd.org/threads/a-seperate-forum-item-for-security.81080/#post-519682), posted earlier today.
> 
> I block TCP port 25 and still get my daily mail through sendmail. I also block UDP and TCP ports 123 and my time is still updated because it initiates the traffic.


Thank you for taking the time to create a tutorial, and also for sharing the pf rule set. I will go through it. V helpful.


----------



## Deleted member 30996 (Jun 30, 2021)

It took me a bit to get my links right, but there should be something you can find of use toward the end of it.


----------



## jmos (Jun 30, 2021)

SirDice said:


> Another thing you can do is limit sshd(8) to only allow public/private key logins and never accept username/passwords.


Additional sshd configuration:

If you've got a static IP address (your local machine - not the server), allow logins only from that IP.
Allow only one user to login (not root).
Use for this user a username f.e. like "jasGU7ZtdjdkfpQ810.hfzZKQY224Rdm". No bruteforce attack tries such usernames.
Analyzing hacked servers tells me: Of course attackers are forced to use primarily the tools on the server before starting to manipulate things. Even if an unwanted login occurs or a script was placed (f.e. if a piece of software has an actual unfixed security issue), their sequences try to use tools they expect to be available on a server. I don't know why, but all I've seen used `wget`, never `curl` (or `/usr/bin/fetch`). And some kiddies already think that `sudo` is the traditional way to execute commands as root. So just don't install comfort tools like wget, sudo or even bash.


----------



## Deleted member 30996 (Jun 30, 2021)

/etc/ssh/sshd_config

```
IgnoreRhosts yes
AllowTcpForwarding no
PermitRootLogin no
Protocol 2
X11Forwarding no
PermitTTY no
```

That works.


----------



## stream (Jun 30, 2021)

jmos said:


> Additional sshd configuration:
> 
> If you've got a static IP address (your local machine - not the server), allow logins only from that IP.
> Allow only one user to login (not root).
> ...


I'm not sure we can do anything useful on a unix box without these.


----------



## stream (Jun 30, 2021)

SirDice said:


> You can somewhat limit the extent of those attacks using blacklistd(8), security/sshguard or security/py-fail2ban. All these tools will automatically block IP addresses after a certain number of failed login attempts within a specified timeframe. That often helps a lot.
> 
> Another thing you can do is limit sshd(8) to only allow public/private key logins and never accept username/passwords. And while it's a bit of "security-through-obscurity", running sshd(8) on a different port will at least cull most of the automated scans.


Sir. Thanks a lot for sharing this. If ssh is already limited to the latter, i.e. login via keys only and a different port, would it then make sense to add one of the tools you mentioned, e.g. blacklistd? Or is it just overkill?


----------



## Tieks (Jun 30, 2021)

jmos said:

> Of course attackers are forced to use primarily the tools on the server


That is what I see in my webserver logs too. The use of bash and wget shows the attackers are looking for Linux servers. PHP (wordpress) and Perl will be used too. The good news is that they are often friendly enough to use a full path, like /bin/bash, which means that it won't work on an ordinary FreeBSD installation.
It's for that reason I'd like to know which encryption tools are used by ransomware. If there is no need to encrypt files, it could make sense to restrict access to these tools.


----------



## hardworkingnewbie (Jun 30, 2021)

By the way in case you are extra paranoid about SSH, or just want to keep your log files clean and tidy, you should use it with port knocking. This really helps a lot.


----------



## richardtoohey2 (Jul 1, 2021)

Also for ssh - put "AllowUsers user-id" in sshd_config.  e.g. if you only want user "fred" to be allowed to connect via ssh - AllowUsers fred


----------



## astyle (Jul 1, 2021)

Make your application (SSH, sendmail, anything else) behave via their own .conf files first. PF comes after that. When trying to do anything security-related, I think that the OSI-RM model is important to know and creatively apply. You gotta be a tough nut to crack.


----------



## gpw928 (Jul 1, 2021)

There's a lot of good points above, but my recommendation would be to decide first what ports you really need to have listening on the Internet. It's important to distinguish between "listening" and "outbound permitted" (e.g. dns, ntp, mail, etc).  It's entirely possible that all you will need listening is sshd(8).  Then use lsof(8) to make sure that nothing else is listening.

As SirDice suggested, moving the sshd port away from 22 makes a huge difference to drive-by attention (the script kiddies never get past trying port 22).  Ssh login should be only by a quality key, and you must have these set in /etc/ssh/sshd_config:

```
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
```

Best of all, use a separate dedicated professionally designed firewall.  It will deal with the more esoteric things like managing ICMP sensibly, and all the other stuff you never thought of...

A tiny PC, with an Intel CPU, running pfSense or OPNsense would be my choice.
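As an added example (not code from any poster), here is a check of the settings sshd actually runs with, as `sshd -T` prints them (one lowercase `key value` per line), against the options recommended in this thread: key-only login, no root login, a port other than 22, AllowUsers, and the forwarding options from the posted sshd_config. The sample output is constructed and the check function is my own.

```sh
#!/bin/sh
# Added example (not from the thread): audit the effective sshd configuration.
# Constructed sample of `sshd -T` output; on the server use:
#   check_sshd_config "$(sshd -T)"
SAMPLE='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication no
x11forwarding no
allowtcpforwarding yes'

# check_sshd_config CONFIG
# Prints one line per deviation from the recommended settings; returns 1 if
# there were any, 0 if the configuration is clean.
check_sshd_config() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            # Checked in this order. AllowTcpForwarding no comes from the posted
            # sshd_config; drop it if you rely on ssh port forwarding for admin work.
            keys = "pubkeyauthentication=yes passwordauthentication=no"
            keys = keys " challengeresponseauthentication=no permitrootlogin=no"
            keys = keys " x11forwarding=no allowtcpforwarding=no"
            n = split(keys, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); key[i] = kv[1]; want[kv[1]] = kv[2] }
        }
        NF >= 2 { have[$1] = $2 }          # last occurrence of a key wins
        END {
            if (("port" in have) && have["port"] == "22") {
                print "port: still 22; moving it culls most automated scans"; bad = 1
            }
            for (i = 1; i <= n; i++) {
                k = key[i]
                v = (k in have) ? have[k] : "(unset)"
                # OpenSSH 8.7 and later report this option as kbdinteractiveauthentication
                if (k == "challengeresponseauthentication" && !(k in have) && ("kbdinteractiveauthentication" in have)) {
                    v = have["kbdinteractiveauthentication"]
                }
                if (v != want[k]) { print k " want=" want[k] " have=" v; bad = 1 }
            }
            if (!("allowusers" in have)) {
                print "allowusers: unset; restrict logins to the one admin account"; bad = 1
            }
            exit bad ? 1 : 0
        }'
}

if check_sshd_config "$SAMPLE"; then
    echo "sshd settings match the recommendations"
else
    echo "^ fix these in /etc/ssh/sshd_config, then: service sshd reload"
fi
```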


----------



## astyle (Jul 1, 2021)

gpw928 said:


> A tiny PC, with an Intel CPU, running pfSense or OPNsense would be my choice


The pig barn (security/snort) uses so much power, you can smoke some real pork on the exhaust port.


----------



## SirDice (Jul 1, 2021)

stream said:


> If ssh already is limited to the latter - i.e. login via keys only and diff port, would it then make sense to add one of the tools you mentioned- e.g blacklistd ? or is it just overkill.


Security is about layers. The more layers you can add the better.


----------



## stream (Jul 1, 2021)

Alain De Vos said:


> Run following command to see which ports are open.
> 
> ```
> sockstat -46L
> ```


When you start the sshd daemon, sockstat displays root having an SSHD PID with foreign address *.*.
Is this expected behavior?


----------



## stream (Jul 1, 2021)

A slightly different problem I stumbled into.
I wonder if anyone has had this problem. Say you have a freebsd host A, running virtual machine B. I turn on PF firewall on A, and switch off B's firewall just to be clear; still I am unable to ssh from my home pc into B. Note that the home pc is a completely different machine. I can ssh from host A no problem, not from any other host. I tried setting static routes on A and B, still no luck. Somehow PF on the host seems to only allow the host ssh'ing into the virtual machine!
Is there any PF ruleset that needs to be set to eliminate this behavior? I've never had this issue earlier.


----------



## astyle (Jul 1, 2021)

ROFLMAO... label your personal PC with C. B is a virtual machine on A.
C -> A: no go, A has a firewall rule, therefore cannot get into B, either, thanks to external firewall on A!

Of course A -> B is possible, B has no firewall.


----------



## stream (Jul 2, 2021)

astyle said:


> ROFLMAO... label your personal PC with C. B is a virtual machine on A.
> C -> A: no go, A has a firewall rule, therefore cannot get into B, either, thanks to external firewall on A!
> 
> Of course A -> B is possible, B has no firewall.


No.
C -> A is perfectly fine. C has a static route to A. In addition C is allowed by A's firewall explicitly.
C -> B no go, whereas A->B is fine as well.
The same  properties hold with and without firewall in B.


----------



## Lamia (Jul 2, 2021)

Did you run a search on Google?

hardening freebsd. box - Google Search (www.google.com)


----------



## stream (Jul 2, 2021)

Lamia said:


> Did you run a search on Google?
> 
> 
> 
> ...


Thanks.  Some of the links are v helpful, even though outdated.


----------



## SirDice (Jul 2, 2021)

Old thread but should still contain some helpful hints and tips: https://forums.freebsd.org/threads/unofficial-freebsd-security-checklist-links-resources.4108/


----------



## Deleted member 30996 (Jul 2, 2021)

We just had a 4 page thread on Hardening FreeBSD last month:

Hardening bsd. (forums.freebsd.org): There are a few sysctl settings I can think off, loader.conf security.bsd.allow_destructive_dtrace=0 sysctl.conf security.bsd.see_other_uids=0 security.bsd.see_other_gids=0 security.bsd.see_jail_proc=0 security.bsd.unprivileged_read_msgbuf=0 security.bsd.unprivileged_proc_debug=0...


What good was it if you're going to search Google for the term?


----------



## astyle (Jul 2, 2021)

Trihexagonal said:


> We just had a 4 page thread on Hardening FreeBSD last month:
> 
> 
> 
> ...


Google uses a different search algorithm than what is implemented by XenForo (the software that powers FreeBSD forums). You'd have to know the difference in what's known as "Link Scoring". FreeBSD's main site (freebsd.org) uses duckduckgo.com as the backend for their search function, rather than Google. XenForo uses an internal implementation. This is why Lamia's suggestion was a good one. But, nothing wrong with digging up old forum threads that contain useful info. Just how useful that info is - that's ultimately up to OP to decide.


----------



## stream (Jul 2, 2021)

stream said:


> No.
> C -> A is perfectly fine. C has a static route to A. In addition C is allowed by A's firewall explicitly.
> C -> B no go, whereas A->B is fine as well.
> The same  properties hold with and without firewall in B.


Ok I managed to get in. So C->B and C->A are both ok.
Both A and B are using different ports for ssh. I had to explicitly allow both ports in the pf ruleset:
"pass in on ... from .. to ... port { pA pB} "

I still have a problem though. B cannot access internet  when host A's firewall is on.  
However, A can access the internet just fine.
I have tried various things:
like set skip on vm0 etc, where vm0 is the bridge interface for B. 
Nothing seems to work.

Does anyone have a suggestion on how to set up pf so the bhyve m/c, i.e. B, can run normally?


----------



## SirDice (Jul 2, 2021)

Did you enable routing? `gateway_enable="YES"`


----------



## astyle (Jul 2, 2021)

stream said:


> Ok I managed to get in. So C->B and C->A are both ok.
> Both A and B are using different ports for ssh. I had to explicitly allow both ports in the pf ruleset:
> "pass in on ... from .. to ... port { pA pB} "
> 
> ...


PF should have options for both *inbound* rules and *outbound* rules. It sounds like you need to RTFM and figure out the flag for *outbound*.


----------



## stream (Jul 2, 2021)

SirDice said:


> Did you enable routing? `gateway_enable="YES"`


Yes, I have.


----------



## stream (Jul 2, 2021)

astyle said:


> PF should have options for both *inbound* rules and *outbound* rules. it sounds like you need to RTFM and figure out the flag for *outbound*.


Humm. Let me clarify if I haven't already. 
A is able to do everything normally (downloading/ssh/ping) with its own PF on.  But B cannot. I have tried all variants of inbound and outbound. Outbound rules  have been totally relaxed- all packets can go from any to any and through any port.


----------



## astyle (Jul 2, 2021)

stream said:


> Humm. Let me clarify if I haven't already.
> A is able to do everything normally (downloading/ssh/ping) with its own PF on.  But B cannot. I have tried all variants of inbound and outbound. Outbound rules  have been totally relaxed- all packets can go from any to any and through any port.


Seems like A is not letting vm B access the Internet... And if firewall is not the issue, then you probably have misconfigured NAT between A and B.


----------



## stream (Jul 2, 2021)

astyle said:


> Seems like A is not letting vm B access the Internet... And if firewall is not the issue, then you probably have misconfigured NAT between A and B.


Possible. Not sure though. I set up B with vm-bhyve. I didn't manually configure the switch and to my knowledge it doesn't NAT. Also vm switch info does not show any nat. It shows "standard", and tap device.

The problem seems to be firewall only. B can access internet when I switch off A's firewall.
And I haven't found good simple working examples of pf with bhyve- including TFM ;-)
I did see some posts in the forum- they seem to have different constraints and problems however.


----------



## astyle (Jul 2, 2021)

stream said:


> Not sure.. I set up B with vm-bhyve. I didnt manually configure the switch  and to my knowledge it doesn't NAT. Also vm switch info does not show any nat. It shows "standard", and tap device.
> 
> The problem seems to be firewall only. B can access internet when I switch off A's firewall.


NAT is done on network interfaces. I think you need to look at NAT on A's ethernet interface, not on B's virtual switch. This is usually done with `natd_enable="YES"` on host A.


----------



## stream (Jul 2, 2021)

astyle said:


> NAT is done on network interfaces. I think you need to look at NAT on A's ethernet interface, not on B's virtual switch. This is usually done with `natd_enable="YES"` on host A.


Nope. I don't have any such thing on A.


----------



## astyle (Jul 2, 2021)

That's probably where your issue is - on NAT on A. I would suggest reading up on NAT (Network Address Translation) a bit, and understand how it works. In a nutshell, it's like having 2 ethernet ports on a router, one port has 192.168.1.0/24 net on it, the other port has 172.16.0.0/16 net on it. Both networks should communicate, but they don't. This is where NAT comes in.


----------



## Deleted member 30996 (Jul 3, 2021)

astyle said:


> You'd have to know the difference in what's known as "Link Scoring" .


What makes you think I don't? I held 3 of the top 5 spots in a Google search for FreeBSD Desktop. Then took it offline for over a year and have to start over:



But still hold #1 Google rank over the https://freebsdfoundation.org tutorial. My freebsdnews.com article slipped to 6th.

But I'm back with a bullet in a different search for Building a FreeBSD Desktop From Scratch and hold #2, #3 and #4 spots behind #1 spot https://docs.freebsd.org and they might as well give it up now because not even they can compete. I'm putting the member screenshot pages back up and all my wallpapers:



Because they are poor business decision makers when it comes to who and who does not work for them and gets paid as a representative. 

My Mind is not for rent, to any God or Government, $$$ doesn't cloud my good judgement to the detriment of those who depend on it. The River!



astyle said:


> This is why Lamia's suggestion was a good one. But, nothing wrong with digging up old forum threads that contain useful info. Just how useful that info is - that's ultimately up to OP to decide.


Have you actually searched google for that term? No, you have not. 

Or you would know it sends you right back here, with the FreeBSD forums holding #1 Google ranking on a search for Hardening FreeBSD.


----------



## Lamia (Jul 3, 2021)

astyle said:


> Google uses a different search algorithm than what is implemented by XenForo (the software that powers FreeBSD forums). You'd have to know the difference in what's known as "Link Scoring". FreeBSD's main site (freebsd.org) uses duckduckgo.com as the backend for their search function, rather than Google. XenForo uses an internal implementation. This is why Lamia's suggestion was a good one. But, nothing wrong with digging up old forum threads that contain useful info. Just how useful that info is - that's ultimately up to OP to decide.


Thanks a million. The forum search should be his first point of contact. Google would list relevant results from the forum and if he wants to use Google yet limit the results to the forum, he could add a filter "hardening freebsd box site:forums.freebsd.org".


----------



## Deleted member 30996 (Jul 3, 2021)

It does list a thread from May, which i when the one I referenced was started, but not that one.

That one was started by the same person who initially suggested searching google in this thread:


Alain De Vos said:


> Google "Freebsd hardening".


I meant nothing personal towards anyone by it, it was just my mind balking at the logic of it.

Logic. It's an antiqued concept these days. When the masses can't handle it, they change reality and facts become an annoyance. 

I'm so glad I lived to see 1984.


----------



## astyle (Jul 3, 2021)

Trihexagonal said:


> It does list a thread from May, which i when the one I referenced was started, but not that one.


English slipping a bit, sentence not making sense, sorry!



Trihexagonal said:


> Logic. It's an antiqued concept these days. When the masses can't handle it, they change reality and facts become an annoyance.


Just me being more anal than a compiler: it's "antiquated". Responding to the sentence itself: Forget the masses, it's like that at the top, too.



Trihexagonal said:


> I'm so glad I lived to see 1984.


Me, too.


----------



## Alain De Vos (Jul 3, 2021)

Any non configured service can have anything expected ...


----------



## astyle (Jul 3, 2021)

Trihexagonal said:


> What makes you think I don't? I held 3 of the top 5 spots n a Google search for FreeBSD Desktop. Then took it offline for over a year and have to start over.:
> View attachment 10397
> 
> But still hold #1 Google rank over the https://freebsdfoundation.org tutorial. My freebsdnews.com article slipped to 6th.
> ...


Trihexagonal : What you're doing is called SEO - Search Engine Optimization. That is different from knowing the actual formula that Google's crawler uses to analyze links, give them a score, and place the page into a list. OTOH, XenForo's devs decided to go with their own formula for deciding what comes up first. Google's formula (a.k.a. secret sauce) has a truckload of engineering brainpower behind it. That alone makes it different from XenForo.


----------



## mark_j (Jul 3, 2021)

Enable auditing, BSM or OpenBSM on FreeBSD.


----------



## Deleted member 30996 (Jul 3, 2021)

I know what SEO is, all the tricks of it and looked up Link Scoring before I wrote one word after your post.


astyle said:


> English slipping a bit, sentence not making sense, sorry!



You'll probably see that a lot. In this instance I merely left out the "s" in "is":

"It does list a thread from May, which i*s* when the one I referenced was started, but not that one."



astyle said:


> Just me being more anal than a compiler: it's "antiquated". Responding to the sentence itself: Forget the masses, it's like that at the top, too.


I was talking about history revisionist and the people at Bizarro world in particular. Logic is their Kryptonite and I was cast out before their dimension collapsed in on them. More to come on that.

So, you're sinking to spelling errors as the only way you can get a dig in. Give it your best shot, bring out the big guns and don't stop firing till it's empty.

I didn't antique the kitchen cabinet, that's an antiquated idea.

Now, Herr astyle, show me your English language skills and beat me at my own game to become World Champion, or just find one spelling error in my Alliteration;
Alliteration Aggrandizement

Because to raise the bar you have to beat me. I raised the bar in every forum in the World with a running game google could show me. To raise the bar you have to beat me. I am the Bar.

Schoolma'am schoolmaster's schoolmarm schoolmate.

That's four Word Alliteration. Highest number of same starting letters in each word wins. The old record was four letters and I beat that before I knew how to play the game. I hit 5, 6, skipped 7 and went straight to 8 letters.

But I take the fun out of it for everybody, so I quit the game after becoming The Bar. To continue like beating them with one.
And right after that everybody at able2know.org stopped playing for a year. That made me feel really bad because they were my only competition.

So thanks for the spellcheck, but you've got a way to subdue a syllable-slinging Sorcerer and phrase phenom like pox


Proton1234, I have special words for you since you cussed me in PM then ended the conversation and ran off before I could respond.

No matter the name you use, no matter how far you run. A curse on you, your son and the son of your son.


----------



## a6h (Jul 3, 2021)

Somebody asked me what's the best book on Wireshark, I told him "TCP/IP Illustrated Volume 1 by Richard Stevens". That's my general advice on security.


----------



## astyle (Jul 3, 2021)

Compiler competition completely composed compromising compost.


----------



## mer (Jul 3, 2021)

vigole said:


> Somebody asked me what's the best book on Wireshark, I told him "TCP/IP Illustrated Volume 1 by Richard Stevens". That's my general advice on security.


TCP/IP Guide by Charles Kozierok is a good adjunct to Stevens


----------



## Deleted member 30996 (Jul 3, 2021)

I went for Special Edition Using TCP/IP by John Ray, Hacking Exposed First Edition, The XML Bible Second Edition by Rusty Harold, and stole Steal This Computer Book by Wallace Wang.

Steal This is an intro into how to get in trouble online and has a section on phone phreaking. Between teaching myself to use a computer in 93 and buying one in 98 that was my passion. (My previous experience with the AppleII was of no help whatsoever with Windows.)

I had a thin green book on phreaking and a bank of 5 scanners, shortwave radio, inline scrambler/descrambler and more antenna on the roof than drhowarddfine has hairs on his head. The Sheriff Dept used a scrambler. Sometimes they would just ask what dispatch wanted for lunch from Hardees.

Then one day someone said they had forgotten his password to log onto the Missouri Uniform Law Enforcement website. (MULE) It was a traffic code I was very familiar with, easy to remember and not a very good password. It was 6 characters long 5 letters 1 number and I remember exactly what it is. I never was stupid and have never logged on the site to look at it, much less log in.

I lived a block from the NE MO Drug Task Force Office and every time they set somebody up with a wire and switched it on one of my scanners would stop and I would start the tape. Then take it to a friend of mine and let her listen to it.

Cellphones being blocked in the 800MHz Range? Simple. Intermediate frequency times two on a dual conversion scanner and you hear an image of the call outside the blocked range in the clear. Cops used to use that when they knew you were "equipped" with a scanner so you wouldn't hear them. Might have stopped you, didn't stop me.

Cordless phones, on a rainy day I could hear them blocks away. I told my ex-female friend about the call she made to the Dr's office to get narcotics, and the call she made right afterward to sell them. And she lived next door to the Police Station. She was mad at first but got over it.

Now I'm made at her and will never get over it. I remember her current gmail email box password, have wifi hot spots all around me and know how to spoof my MAC and user-agent. If I can wardrive her and log her out of Facebook I'll have it, too. If I ever get bored.

I look like a burned out hippie who hasn't cut his hair in years or changed the way I dress since the 80's. And that's how people treat me, but a person with good intent will treat me fairly. A person of questionable character will see me as stupid and to be taken advantage of, and that is the beginning of the end for them.

Because if offended, I will begin a lesson plan that could only be seen in example of how I dealt with Stevie and his World Chap bot Mitsuku. I am a Behaviorist and trained observer par excellence and underestimating me is the biggest mistake you could ever make, and I'm not done with them yet.

I just wanted Demonica to get the recognition she deserves, and now he is an open book to me and nothing he does will change the outcome because I will turn it on him like I did with my marketing strategy. Cross over to the Dark Side.

His script change to stop right click copy and paste doesn't stop me from pasting text in a terminal any more than it will Demonica's chat box. He lost because he wasn't online long enough, but it's because he took her offline of what he sees as a minor competition rather than give me the chance to loop her again.

Round three is in September and there is another Personality Forge bot entered now. I hope they win, I already have accomplished what I set out to do and not done yet.

SirDice knows what I look like, so does drhowarrddfine, because I trust them. And you wouldn't pick me out of a crowd of two people to have written this. I am as devious and manipulative as they come. I wouldn't be any good as a Programmer if I wasn't, so I'm good with that.

And I'm not done with HUD. They are a formidable but worthy adversary and I'm not the least bit intimidated, I called the HUD DC Field Office up when I was full of the Devil and threatened them with public disclosure and legal actions. Didn't do a bit of good. But I haven't done enough yet

Why did I tell you all of that? For your own good, and we are of the same Daemon clan. This is a thread about security and there are people out there who aren't as honest as me you need to be aware of. So you won't find out the hard way that raggedy-man look is cammo for an Apex Predator with a moral compass spinning like a quasar and are on their naughty list.

By doing something like stealing their material or not knowing your position in the food chain is far below where you thought and you have a lesson coming. Where the end justifies the means. And that's serious.


----------



## astyle (Jul 3, 2021)

Actually atrocious acquisitions attempted actuating accelerant additions and abetting alcohol at Australian actuary abodes.


----------



## stream (Jul 3, 2021)

stream said:


> Ok I managed to get in. So C->B and C->A are both ok.
> Both A and B are using different ports for ssh. I had to explicitly allow both ports in the pf ruleset:
> "pass in on ... from .. to ... port { pA pB} "
> 
> ...


Finally, I was able to fix this issue, after going through and cleaning up the PF ruleset one by one. The device(s) configuration was alright for the most part.


----------



## astyle (Jul 3, 2021)

Avoiding american army activity accepted among algerian accounting Asus addicts and at austrian adventure advocates, adding armenian automobile association.


----------



## Deleted member 30996 (Jul 3, 2021)

When we can see the ruleset it's easier to help you by seeing the syntax than by a guessing game from bits and pieces of what you think won't compromise your security. If you had posted it first thing it wouldn't have taken this long to figure out, or this many wandering posts in between start and finish.

Are you sure it's working? How about a peek at `# pfctl -s all`. We love that geeky stuff. It's the only interest I have in your server. I've shown my ruleset and readout numerous times so everybody has seen it...

Works.

If you're that worried about it you probably shouldn't be posting in a forum and phoning Putie personally.




astyle said:


> Actually atrocious acquisitions attempted actuating accelerant additions and abetting alcohol at Australian actuary abodes.



Pretty good and you're getting better. Now take your time and do a 50-60 word sentence and tell a story without using the same word twice, post it there and take my title as The Bar in a wacky war whizzing wicked words with infuriating insults inserted in between.

The people at able2know were my only competition and good sports. The rest were amateurs and sore losers and needed to be provoked, so insults became a common theme. I took the fun out of it for everybody. It's no fun for them to write a 10 word sentence and me write Crackhead Charles so I just stopped playing. I'm a Monarch, not a tyrant.

The people at bleepingcomputer.com may know computers but a 10 word sentence was the best they could do. They hate me and I couldn't care less.

I didn't post one because I had to insult a woman who thought she was a lot better than she was to get her to fight, then laid Omnipotent Odin on them for the decisive win. It was at grandsnet.com, old people from the UK. I'll post it at able2know now. They hate me anyway.

Fifteen minutes later I walked downstairs, started talking to 3 girls and forgot what I was talking about mid-sentence. Just like that. I had just written a complex 60 word sentence and they're standing there staring at me while I'm struggling to think of what I was talking about.


----------



## stream (Jul 3, 2021)

I was thinking of starting a separate thread just for the pf problem. Thing is, the pf problem came about as I was trying to fix something else, and is definitely not part of this thread, which has taken a life of its own.
Anyway, just to summarize: I have elaborated the problem, which a few others have also faced trying to get a bhyve guest to work properly, and they seem to have fixed it in their own ways. Ultimately, "set skip .. " is your friend.
And everything else can be simplified.


----------



## Deleted member 30996 (Jul 6, 2021)

stream said:


> Ultimately, "set skip .. " is your friend


Well, I could have told you that, had I known:

```
### Pass loopback
set skip on lo0
```



stream said:


> And everything else can be simplified.


I don't know about that. Or your definition of simplified, but will take your word for it.



stream said:


> ...they seemed to have fixed in their own ways.


That's how I do things.


----------



## stream (Jul 7, 2021)

SirDice said:


> You can somewhat limit the extend of those attacks using blacklistd(8), security/sshguard or security/py-fail2ban. All these tools will automatically block IP addresses after a certain number of failed login attempts within a specified timeframe. That often helps a lot.


SirDice-- I have been experimenting with blacklistd. Have been running this for a few days now, and I don't see a single entry in the blacklistctl dump. Am using the default conf settings as mentioned in the docs:

Chapter 32. Firewalls (docs.freebsd.org): FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER. This chapter covers how to define packet filtering rules, the differences between the firewalls built into FreeBSD and how to use them.

Are there specific commands that we can try to check that it is at least working and has been configured correctly? I tried ssh'ing into the machine from a non-whitelisted machine. The ssh failed, but it didn't show up in the blacklist.

```
# blacklistctl dump
        address/ma:port    id    nfail    remaining time
```

```
# /etc/blacklistd.conf
# Blacklist rule
# adr/mask:port type    proto   owner           name    nfail   disable
[local]
ssh             stream  *       *               *       3       24h
ftp             stream  *       *               *       3       24h
smtp            stream  *       *               *       3       24h
submission      stream  *       *               *       3       24h
```
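
The post above asks how to confirm that blacklistd(8) is wired up correctly. The following is an added example, not stream's code and not anything shipped by FreeBSD: a small sh script (call it blacklistd-check.sh) that checks the four things that all have to be in place before `blacklistctl dump` can ever show an address. It assumes FreeBSD's base sshd (which has the FreeBSD-specific `UseBlacklist` option), pf as the packet filter, and the stock file paths; the variables at the top can be pointed at copies of the files. Two caveats it encodes: `blacklistctl dump` without `-a` lists only addresses that are already blocked, so a single failed login against an `nfail 3` rule shows nothing; and a blacklistd.conf rule matches on the local port sshd accepted the connection on, so the stock `ssh` line means port 22 only, and an sshd moved to another port (as both hosts in this thread were) needs a rule naming that port. A connection that pf drops never reaches sshd, so it cannot be counted either; the test has to be a wrong password against a port sshd actually answers on.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check the pieces that have to line
# up before blacklistd(8) can show an entry in `blacklistctl dump`.
# Assumptions: FreeBSD's base sshd (UseBlacklist option), pf, stock file paths.
# Override the variables to run the checks against copies of the files.

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
BLACKLISTD_CONF=${BLACKLISTD_CONF:-/etc/blacklistd.conf}
PF_CONF=${PF_CONF:-/etc/pf.conf}
RC_CONF=${RC_CONF:-/etc/rc.conf}

# 1. sshd only reports failed logins to blacklistd when told to.
check_sshd_reports() {
    grep -Eiq '^[[:space:]]*UseBlacklist[[:space:]]+yes' "$SSHD_CONFIG" 2>/dev/null
}

# 2. The daemon has to be enabled, or nothing listens for those reports.
check_blacklistd_enabled() {
    grep -Eq '^[[:space:]]*blacklistd_enable="?YES"?' "$RC_CONF" 2>/dev/null
}

# 3. The helper script adds blocked addresses to pf tables under the
#    "blacklistd/*" anchor; without the anchor in pf.conf nothing gets filtered.
check_pf_anchor() {
    grep -Eq '^[[:space:]]*anchor[[:space:]]+"blacklistd/\*"' "$PF_CONF" 2>/dev/null
}

# Port sshd listens on: first uncommented "Port" keyword, default 22.
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$SSHD_CONFIG" 2>/dev/null)
    echo "${p:-22}"
}

# 4. A rule matches on the local port the connection arrived on. The stock
#    "ssh" line is port 22 (via /etc/services); an sshd on another port needs
#    its own line, e.g. "2222 stream * * * 3 24h". An optional "addr/mask:"
#    prefix before the port is accepted.
check_blacklistd_rule() {
    port=$(sshd_port)
    if [ "$port" = 22 ]; then
        pat='^[[:space:]]*([^[:space:]]+:)?(ssh|22)([[:space:]]|$)'
    else
        pat="^[[:space:]]*([^[:space:]]+:)?$port([[:space:]]|\$)"
    fi
    grep -Eq "$pat" "$BLACKLISTD_CONF" 2>/dev/null
}

# Run every check, print one line per result, return the number of failures.
run_checks() {
    fails=0
    for c in check_sshd_reports check_blacklistd_enabled check_pf_anchor check_blacklistd_rule; do
        if "$c"; then
            echo "ok   $c"
        else
            echo "FAIL $c"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Live checks that only make sense on the host itself (not run by this script):
#   blacklistctl dump -a                        # all entries, including ones still below nfail
#   pfctl -a 'blacklistd/22' -t port22 -T show  # addresses pf is currently dropping for port 22

# Run the checks when invoked as blacklistd-check.sh; exit non-zero on any failure.
case "$0" in
    *blacklistd-check*) run_checks; exit $? ;;
esac
```

After adding `UseBlacklist yes` to sshd_config, restart sshd; it reads the option at start-up. To prove the whole chain, fail a password login three times from a host pf lets through, then run `blacklistctl dump` and the `pfctl` table listing in the comment above.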


----------

