あとでまとめなおす。
Routerを作成する前提での設定。
Install時には、Test系、X系、Sourceを除いて全部入れる。
/dev/cd0a /cdrom cd9660 ro,noauto
/var/log/authlog 600 7 * 24 Z /var/log/console root:wheel 600 7 * 24 Z /var/log/cron root:wheel 600 7 * 24 Z /var/log/kerberos.log 640 7 * 24 ZN /var/log/lpd-errs 640 7 * 24 Z /var/log/maillog 600 7 * 24 Z /var/log/messages 644 7 * 24 Z /var/log/wtmp root:utmp 664 7 * 24 ZBN /var/log/wtmpx root:utmp 664 7 * 24 ZBN /var/log/xferlog 640 7 * 24 Z
server 0.netbsd.pool.ntp.org server 1.netbsd.pool.ntp.org server 2.netbsd.pool.ntp.org server 3.netbsd.pool.ntp.org server time.asia.apple.com server ntp.jst.mfeed.ad.jp server 0.jp.pool.ntp.org server 1.jp.pool.ntp.org server 2.jp.pool.ntp.org server 3.jp.pool.ntp.org
*.err;kern.*;auth.notice;authpriv.none;mail.crit /var/log/console
# /etc/rc.conf for the router build: one setting per line, in the order of the
# stock file. Everything below "Local configuration" is the block that the
# installer leaves for the administrator to edit.
rc_configured=YES
wscons=YES
hostname=foo.example.org
defaultroute="192.0.2.6"

# ----- Local configuration -----
sshd=YES
sshd_flags=""
ssh_keygen_flags=""
ntpd=YES
ntpd_flags=""			# see below for ntpd_chrootdir
ntpd_chrootdir="/var/chroot/ntpd"
ntpdate=YES
ntpdate_flags="-b -s"		# May need '-u' thru firewall
accounting=YES			# uses /var/account/acct
newsyslog=NO
newsyslog_flags=""		# trim log files
quota=NO			# check and enable quotas
pf=NO
pf_rules="/etc/pf.conf"
pf_flags=""
pflogd=NO
ppp=NO
ppp_peers=""			# /etc/ppp/peers to call
ifwatchd=NO			# execute up/down scripts for in-kernel PPPoE interfaces
ifwatchd_flags="-u /etc/ppp/ip-up -d /etc/ppp/ip-down pppoe0"
altqd=NO
altqd_flags=""
inetd=NO
inetd_flags="-l"		# -l logs libwrap
dhcpd=NO
dhcpd_flags="-q"
rtadvd=NO
rtadvd_flags=""
powerd=YES
powerd_flags=""			# power management daemon
# Create the process-accounting file that accounting=YES in rc.conf refers to
# ("uses /var/account/acct"); it is not created by the installer.
touch /var/account/acct
を実行# cat ifconfig.re0 up media autoselect inet 192.0.2.1/29 inet6 2001:0DB8::1/64 tso4 ip4csum tcp4csum udp4csum # cat ifconfig.re1 up # cat ifconfig.vlan1 create up vlan 2 vlanif re1 inet 192.0.2.9/29 #
$NetBSD: MESSAGE.NetBSD,v 1.3 2007/07/11 12:25:53 martti Exp $
If you are running NetBSD 1.5 (or newer), the existing /etc/rc.d/postfix can be forced to start /usr/pkg/sbin/postfix instead of /usr/sbin/postfix, by adding the following lines to /etc/rc.conf.d/postfix:
# /etc/rc.conf.d/postfix: make the base-system /etc/rc.d/postfix script drive the
# pkgsrc postfix binary and configuration instead of /usr/sbin/postfix.
postfix_command='/usr/pkg/sbin/postfix'
required_files='/usr/pkg/etc/postfix/main.cf'
start_cmd='/usr/pkg/sbin/postfix start'
stop_cmd='/usr/pkg/sbin/postfix stop'
reload_cmd='/usr/pkg/sbin/postfix reload'
Please note that /etc/rc.conf.d/postfix does not exist by default so you need to create that file if you need to override the default settings.
</ccode>
最小限の設定をして再起動したら、以下を実施。
# Fetch the NetBSD source tree and pkgsrc through anonymous read-only CVS.
# pserver is a plaintext protocol: the connection is neither encrypted nor
# authenticated at the transport level, so the transport itself gives no
# integrity guarantee for the fetched tree.
anoncvs_root=:pserver:anoncvs@anoncvs.netbsd.org/cvsroot
cvs -d "$anoncvs_root" login
cvs -d "$anoncvs_root" co src pkgsrc
/var/db/sshd.blacklist
に記録され、以後そのアドレスからのsshdへのアクセスを無条件に切断する。src/crypto/external/bsd/openssh
にdistディレクトリがあるので、そこに移動$ diff -c dist.org/ dist diff -c dist.org/auth.c dist/auth.c *** dist.org/auth.c Sat Mar 30 01:19:44 2013 --- dist/auth.c Mon May 6 01:35:59 2013 *************** *** 39,44 **** --- 39,46 ---- #include <stdarg.h> #include <stdio.h> #include <string.h> + #include <util.h> + #include <fcntl.h> #include <unistd.h> #include "xmalloc.h" *************** *** 602,607 **** --- 604,638 ---- "authorized principals"); } + static void remember_addr(void); + + void + remember_addr(void) + { + int fd; + struct iovec iov[2]; + const char *remote_ip; + char *black_addr; + size_t addrlen; + char terminate[] = "\n"; + + fd = open("/var/db/sshd.blacklist", O_APPEND|O_WRONLY); + if (fd == -1) + return; + + remote_ip = get_remote_ipaddr(); + addrlen = strlen(remote_ip); + black_addr = malloc(addrlen); + strncpy(black_addr, remote_ip, addrlen); + iov[0].iov_base = (void *)black_addr; + iov[0].iov_len = addrlen; + iov[1].iov_base = terminate; + iov[1].iov_len = 1; + + writev(fd, iov, 2); + close(fd); + } + struct passwd * getpwnamallow(const char *user) { *************** *** 618,624 **** --- 649,658 ---- parse_server_match_config(&options, ci); pw = getpwnam(user); + if (strcmp(user, "root") == 0) + pw = NULL; if (pw == NULL) { + remember_addr(); logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); return (NULL); diff -c dist.org/sshd.c dist/sshd.c *** dist.org/sshd.c Sat Mar 30 01:19:45 2013 --- dist/sshd.c Sun May 5 23:10:31 2013 *************** *** 255,260 **** --- 255,262 ---- static void do_ssh1_kex(void); static void do_ssh2_kex(void); + static int check_blacklist(void *); + /* * Close all listening sockets */ *************** *** 1191,1196 **** --- 1193,1202 ---- usleep(100 * 1000); continue; } + if (check_blacklist(&from)) { + close(*newsock); + continue; + } if (unset_nonblock(*newsock) == -1) { close(*newsock); continue; *************** *** 2053,2058 **** --- 2059,2095 ---- exit(0); } + int + check_blacklist(s) + void *s; + { + FILE *fp; + 
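Review bot: In remember_addr the result of `black_addr = malloc(addrlen)` is neither checked nor freed, and the `strncpy` into it copies exactly `addrlen` bytes with no terminator, which is only safe because `iov_len` bounds the write; the copy is unnecessary because `writev` only reads the buffer, so pointing `iov[0].iov_base` at `remote_ip` removes the allocation, the leak and the unchecked NULL dereference at once. The `writev` return value is also discarded, so a failed or short append leaves a partial line that the later `fgets`/`strcmp` in check_blacklist will never match; log it. On the include side, nothing in the added code appears to use `<util.h>`, while `struct iovec` and `writev` need `<sys/uio.h>` unless auth.c already pulls it in transitively — worth confirming. The prototype is declared `static void remember_addr(void);` but the definition drops `static`; the same pattern recurs for check_blacklist in sshd.c.
```c
static void
remember_addr(void)
{
	int fd;
	struct iovec iov[2];
	const char *remote_ip;
	char terminate[] = "\n";

	/* … unchanged: open("/var/db/sshd.blacklist", O_APPEND|O_WRONLY) and its -1 check … */

	/* writev only reads the buffer, so no private copy of the address is needed. */
	remote_ip = get_remote_ipaddr();
	iov[0].iov_base = (void *)remote_ip;
	iov[0].iov_len = strlen(remote_ip);
	iov[1].iov_base = terminate;
	iov[1].iov_len = 1;

	if (writev(fd, iov, 2) != (ssize_t)(iov[0].iov_len + iov[1].iov_len))
		logit("Could not append %s to the blacklist", remote_ip);
	close(fd);
}
```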
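Review bot: The new `if (strcmp(user, "root") == 0) pw = NULL;` combined with the `remember_addr()` call turns a single `ssh root@host` attempt — including an honest typo from an administrator's own workstation — into a permanent entry for that source address, and nothing in the patch provides an expiry or an allowlist, so a shared NAT address locks out everyone behind it until the file is edited by hand. Refusing root is already expressible with `PermitRootLogin no` in sshd_config, which would leave the blacklist for genuinely invalid users only; if the hard-coded check stays, a comment such as `/* local policy: never resolve root, and treat the attempt as a blacklist trigger */` should record that this is intentional. Because remember_addr appends on every failure without checking for duplicates, one address accumulates one line per attempt; the file should also be pre-created owned by root and writable only by root, since the patch silently does nothing when `open` fails and whoever can write the file decides which addresses are blocked. getpwnamallow's body continues outside the hunk.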
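Review bot: `check_blacklist(&from)` runs in the listening process for every accepted connection and, per its definition later in the patch, re-opens and linearly scans the whole blacklist file each time, while remember_addr appends a line on every failed login without deduplicating; the file therefore grows with attack volume and every `accept()` gets slower for all clients, in the one process that is not per-connection. Rejecting the append when the address is already present, or loading the list once and re-reading it only when the file's modification time changes, would keep the per-connection cost bounded. A comment at the call site, `/* refuse peers recorded by remember_addr() in auth.c; scans the file on every accept */`, would make the coupling between the two files visible. The enclosing accept loop continues outside the hunk.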
struct sockaddr *sa = s; + char a[64], b[64], *p; + + if (getnameinfo(sa, sa->sa_len, a, sizeof a, NULL, 0, NI_NUMERICHOST)) + return 0; + + fp = fopen("/var/db/sshd.blacklist", "r"); + if (fp == NULL) + return 0; + + while (fgets(b, sizeof b, fp)) { + p = strchr(b, '\n'); + if (p == NULL) + continue; + *p = 0; + if (strcmp(a, b) == 0) { + fclose(fp); + logit("Blacklist %s", a); + return 1; + } + } + + fclose(fp); + return 0; + } + /* * Decrypt session_key_int using our private server key and private host key * (key with larger modulus first). $
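Review bot: check_blacklist is defined K&R style (`check_blacklist(s) void *s;`) without `static`, while its prototype in the earlier sshd.c hunk is `static int check_blacklist(void *);`; writing the definition as `static int` / `check_blacklist(void *s)` makes the two agree and lets the compiler check the parameter type. The comparison relies on `getnameinfo(..., NI_NUMERICHOST)` here producing exactly the text that `get_remote_ipaddr()` wrote in auth.c; for plain IPv4 and IPv6 peers that is presumably the same string, but forms such as IPv4-mapped IPv6 addresses or scoped link-local addresses are worth confirming on this host, because any mismatch makes the blacklist silently ineffective. A line longer than the 64-byte buffer is skipped by the `p == NULL` branch but its tail is then compared as a separate line, which is harmless only because a valid address never exceeds the buffer; a comment stating that assumption would help. Failures of `getnameinfo` and `fopen` fail open by returning 0, which is a reasonable default for the listener but deserves a comment such as `/* fail open: an unreadable list must not refuse all connections */`.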
# Build the kernel from the ROUTER configuration with the source tree's build.sh.
sh build.sh kernel=ROUTER
# Install it as the boot kernel: mv places the file at /netbsd and replaces any
# kernel already there, so copy the previous /netbsd aside first if a fallback
# kernel to boot from is wanted.
mv sys/arch/amd64/compile/obj/ROUTER/netbsd /