Discussion:
[rescue] Sun V240
Lionel Peterson
2017-11-01 01:23:00 UTC
Hello all,

After getting annoyed with my lack of progress on the T5220, my V240 from a
few years ago caught my eye.

It fired up great, has 8 Gigs Ram, 2x 72G, 2x 146G drives, and a framebuffer!

Hooked it up in place of the T5220 on the workbench, after several tries I
remembered the root password, system is up and running. I have to replace the
clock battery, it seems trivial - is it a CR2032 like a PC?

Oh, here's a little V240 video:

http://youtu.be/cDK1EjX0BgI

And remember this thread?

http://www.sunhelp.org/pipermail/rescue/2013-April/thread.html#133399

Lionel
_______________________________________________
rescue list - http://www.sunhelp.org/mailman/listinfo/rescue
Lionel Peterson
2017-11-01 02:37:58 UTC
Well, I replaced the battery and reset the root and ALOM admin user passwords,
now I need to read up on ALOM and re-installing Solaris - I assume Solaris 11
isn't an option, but I'll have to look into it...

Lionel
Post by Lionel Peterson
Hello all,
After getting annoyed with my lack of progress on the T5220, my V240 from a
few years ago caught my eye.
Post by Lionel Peterson
It fired up great, has 8 Gigs Ram, 2x 72G, 2x 146G drives, and a framebuffer!
Hooked it up in place of the T5220 on the workbench, after several tries I
remembered the root password, system is up and running. I have to replace the
clock battery, it seems trivial - is it a CR2032 like a PC?
Post by Lionel Peterson
http://youtu.be/cDK1EjX0BgI
And remember this thread?
http://www.sunhelp.org/pipermail/rescue/2013-April/thread.html#133399
Lionel
Lionel Peterson
2017-11-01 02:52:17 UTC
The Oracle HCL says the V240 is good to Solaris 10 1/13, and other info on
web tells me that it was dropped for Solaris 11.

That makes my OS decision easy... Solaris 10 baby!

Probably should do a fresh install... it's a three year-old install.

Lionel
Jerry Kemp
2017-11-01 02:59:32 UTC
ummmmmm.......not quite.

If you want all that Solaris 11 goodness, but only have a system powered by
Sun4u CPU(s), I'm a big fan of Solaris 11 Express.

8Gb+ of RAM is a great place to be for any OS + ZFS.

BTW, how is your new T-series box progressing?

Jerry
Lionel Peterson
2017-11-01 03:11:05 UTC
The T5220 is on hold, can't get it to stay powered up, I've reseated Ram,
removed SATA drives, etc.

I'm working on bringing the V240 "back on the air", hopefully it will
get my Solaris brain back in gear.

My V240 has 8 Gig and a reasonable set of drives, but I'm not familiar with
Solaris 11 Express... everything I find points to Solaris 11.3, Solaris 11
Express appears to have been wiped off the web...

Lionel
Jerry Kemp
2017-11-01 03:36:57 UTC
Here are a couple of Wikipedia pages that discuss Solaris 11 Express

<https://en.wikipedia.org/wiki/Solaris_(operating_system)#Development_release>

<https://en.wikipedia.org/wiki/OpenSolaris>

In short, it was a preview release of Solaris 11, prior to the actual GA release.

The reason that I continue to find value in it, is that it (S11Express) not only
turned out to be a very stable and feature rich release, it (again S11Express)
was released prior to Oracle pulling all the drivers for pre T and M series
equipment, meaning, if your hardware ran fine on S10 and/or OpenSolaris, chances
are that it also ran Solaris 11 Express fine also.

During my time at Verizon, my workstation was a (Sun4u based) SunBlade 2000
running Solaris 11 Express, and I never had any problems.

You probably are not going to find a download link for Solaris 11 Express at
Oracle, especially not without a support contract. However, it is available in
the darker corners of the Internet.

Jerry
Lionel Peterson
2017-11-01 04:54:15 UTC
However, it is available in the darker corners of the Internet.
Oh my, a challenge!

In the meantime, based on the hour of the night, I decided to
"sys-unconfig" the system and put it on the internet as a web server.

It's up on a static IP,
I added a user account,
activated the bundled Apache2 server,
created a "custom" index.html page and
tested SSHing into the new account and
viewing the web server home page.

Whew!

It is sucking down 348 Watts every hour it's up, but I'm OK with that...
for now.

I got a notice of a failed SSH2 login attempt as "root" from a 190.?.?.?
IP address while editing a default home page...
Jerry Kemp
2017-11-01 10:01:08 UTC
FYI, using SunSSH, which is the only ssh that ships with Solaris 10uXX, I do
very well using the denyhost application.

Solaris 11 ships with both SunSSH and OpenSSH, it's an either/or situation. FYI,
if you do choose to use denyhost, it (denyhost) works with TCP wrappers. You
are probably already aware, but OpenSSH no longer supports TCP Wrappers.

Jerry
Lionel Peterson
2017-11-01 12:22:42 UTC
The SSH attempt as root was rejected, I'm not too worried about it. As I
recall, you can't SSH in as root, which only leaves one non-root user on
system.

Security will be an issue, but not yet...

Lionel
Dave McGuire
2017-11-01 15:42:17 UTC
Post by Jerry Kemp
FYI, using SunSSH, which is the only ssh that ships with Solaris 10uXX,
I do very well using the denyhost application.
Solaris 11 ships with both SunSSH and OpenSSH, it's an either/or
situation. FYI, if you do choose to use denyhost, it (denyhost) works
with TCP wrappers. You are probably already aware, but OpenSSH no
longer supports TCP Wrappers.
What...?! Why did they remove support for TCP Wrappers? I depend on
OpenSSH supporting TCP Wrappers on several networks. WTF?!

-Dave
--
Dave McGuire, AK4HZ
New Kensington, PA
Doug McIntyre
2017-11-01 15:50:50 UTC
Post by Dave McGuire
Post by Jerry Kemp
FYI, using SunSSH, which is the only ssh that ships with Solaris 10uXX,
I do very well using the denyhost application.
Solaris 11 ships with both SunSSH and OpenSSH, it's an either/or
situation. FYI, if you do choose to use denyhost, it (denyhost) works
with TCP wrappers. You are probably already aware, but OpenSSH no
longer supports TCP Wrappers.
What...?! Why did they remove support for TCP Wrappers? I depend on
OpenSSH supporting TCP Wrappers on several networks. WTF?!
OpenSSH version 6.7 changelog

http://www.openssh.com/txt/release-6.7


* sshd(8): Support for tcpwrappers/libwrap has been removed.


They've also removed protocol 1 support altogether by now, several old
key exchanges (DH1), keytypes (eg. DSS), etc. It's getting hard to
maintain old boxes over SSH sometimes.

Since linux boxes pretty much need to be firewalled off from the world
to protect themselves from self-destruction now-a-days, I think people
figure that a firewall is in use for all systems.
Lionel Peterson
2017-11-01 15:52:12 UTC
Yup, see right here:

https://www.openssh.com/txt/release-6.7

Dropped after 6.6 it seems...

Lionel
Jerry Kemp
2017-11-01 16:01:23 UTC
Yep, others already gave you the specifics, but I couldn't have said it better
myself, WTF.

I'm not a developer, although I took *a lot* of programming classes in college.

I certainly understand the desire to tighten up and optimize code, but I don't
think I will ever understand the desire to pull out functionality from code that
people need and depend on. It just doesn't make sense, at least to me.

Doug,

I don't disagree with your comment, and I'm certainly as happy as anyone to
throw losers-unix under the bus as frequently as possible, but, OpenSSH comes
from our fine *BSD friends.

Jerry
Mouse
2017-11-01 16:15:03 UTC
Post by Doug McIntyre
Post by Dave McGuire
[...] OpenSSH no longer supports TCP Wrappers.
What...?! Why did they remove support for TCP Wrappers? I depend
on OpenSSH supporting TCP Wrappers on several networks. WTF?!
They've also removed protocol 1 support altogether by now, several
old key exchanges (DH1), keytypes (eg. DSS), etc. It's getting hard
to maintain old boxes over SSH sometimes.
(a) SSH != OpenSSH. There are lots of other implementations.

(b) Nothing says you have to heatseek OpenSSH even if you do use it.

(c) You can always add TCP wrappers support back in. If you're feeling
quixotic and/or want to make a point, you could even send them the
patches to do so.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
David Brownlee
2017-11-01 16:33:40 UTC
Post by Jerry Kemp
Yep, others already gave you the specifics, but I couldn't have said it
better myself, WTF.
I'm not a developer, although I took *a lot* of programming classes in college.
I certainly understand the desire to tighten up and optimize code, but I
don't think I will ever understand the desire to pull out functionality from
code that people need and depend on. It just doesn't make sense, at least
to me.
Doug,
I don't disagree with your comment, and I'm certainly as happy as anyone to
throw losers-unix under the bus as frequently as possible, but, OpenSSH
comes from our fine *BSD friends.
I'm sure all the cool kids are using something like
https://www.sshguard.net/ or blacklistd
anyway :)

The rationale for dropping tcpwrappers was that it was a subset of
OpenSSH's built in Match functionality, and dropped a dependency
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
- I think someone even submitted a small patch back to trigger
tcpwrappers from Match.

and thankfully there are also other ssh client implementations which
support sshv1 or similar to connect to older boxes :)

David
Jerry Kemp
2017-11-01 20:06:43 UTC
Hello David,

Thank you for the post. I haven't looked at these directly, but I'm assuming
that since you suggested them, that they work well, both with Solaris or
Solaris-distro's, and work with OpenSSH.

Several years back, I explored quite a few of these SSH blocking/firewalling
utilities. My discovery, at the time, was that the vast majority of the ones I
reviewed were written to interact only with the proprietary lunix built in
firewall application.

Regarding the "match" functionality in current OpenSSH releases, I seem to
recall looking at that, and not pursuing that further. Can't remember as to why.

One of the things I liked about the denyhost application, was that it would both
add entries to the /etc/hosts.deny file, which was very useful for when being
hit by a dictionary attack very rapidly, but, also, I can set a timeout which
would remove entries. Helpful if you make multiple bad attempts and get
yourself blocked from your own box.

Lionel,

Regarding observing remote root login attempts, regardless of root being
disabled, it is just the fact they are occurring. I would speculate that if you
have just stuck your box out on the Internet, the (ssh) login attempts are
probably low at the present. I have a (Solaris) box that is in a COLO for more
than a decade (upgraded several times), and I am just continually being hit by
random & continual ssh remote login attempts.

Although I mostly use ssh keys, and not passwds, I'm a big believer in the Bob
Beck method of managing administrative accounts.

<https://web.archive.org/web/20160310190935/http://archives.neohapsis.com/archives/openbsd/2005-03/2878.html>

My big concern is that, due to numbers of hits, that properly managing and
addressing events that do end up logged. I already mentioned that I use
denyhost to limit dictionary attacks that hit hard and heavy. It didn't take
long to start wondering what credentials the script kiddies were using to
attempt to log into my system.

To address that, I am using a utility called 'kippo'. Here is some sample log
output, and you can see that frequently, passwds are simple, although sometimes
they can be long and complex. Big fan of kippo.

.................................................
2017-11-01 15:00:02-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] mother trying auth password
2017-11-01 15:00:02-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] login attempt [mother/admin] failed
2017-11-01 15:00:03-0500 [-] mother failed auth password
2017-11-01 15:00:03-0500 [-] unauthorized login:
2017-11-01 15:00:03-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] mother trying auth password
2017-11-01 15:00:03-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] login attempt [mother/root] failed
2017-11-01 15:00:04-0500 [-] mother failed auth password
2017-11-01 15:00:04-0500 [-] unauthorized login:
2017-11-01 15:00:05-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] mother trying auth password
2017-11-01 15:00:05-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] login attempt [mother/ubnt] failed
2017-11-01 15:00:06-0500 [-] mother failed auth password
2017-11-01 15:00:06-0500 [-] unauthorized login:
2017-11-01 15:00:06-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] mother trying auth password
2017-11-01 15:00:06-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] login attempt [mother/user] failed
2017-11-01 15:00:07-0500 [-] mother failed auth password
2017-11-01 15:00:07-0500 [-] unauthorized login:
2017-11-01 15:00:07-0500 [HoneyPotTransport,70340,198.98.60.52] connection lost
.................................................

as I log and archive this stuff, I have literally thousands of passwd's to play
with, for use in other security tool explorations.

enjoy,

Jerry
Post by David Brownlee
I'm sure all the cool kids are using something like
https://www.sshguard.net/ or blacklistd
http://youtu.be/fuuf8G28mjs anyway :)
The rationale for dropping tcpwrappers was that it was a subset of
OpenSSH's built in Match functionality, and dropped a dependency
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
- I think someone even submitted a small patch back to trigger
tcpwrappers from Match.
and thankfully there are also other ssh client implementations which
support sshv1 or similar to connect to older boxes :)
David
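Added example, not part of Jerry's post or of kippo itself: a small Python parser for kippo log excerpts like the one quoted above. It rejoins records that e-mail wrapping split across two lines, then tallies the usernames and passwords tried per source address; the embedded sample reuses lines from that excerpt.

```python
import re
from collections import Counter

# A few records in the kippo format quoted in the post above, hard-wrapped the
# way the mail client wrapped them (one record can span two lines).
SAMPLE = """\
2017-11-01 15:00:02-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] mother trying auth password
2017-11-01 15:00:02-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] login attempt [mother/admin] failed
2017-11-01 15:00:03-0500 [-] mother failed auth password
2017-11-01 15:00:03-0500 [-] unauthorized login:
2017-11-01 15:00:03-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] login attempt [mother/root] failed
2017-11-01 15:00:05-0500 [SSHService ssh-userauth on
HoneyPotTransport,70340,198.98.60.52] login attempt [mother/ubnt] failed
2017-11-01 15:00:07-0500 [HoneyPotTransport,70340,198.98.60.52] connection lost
"""

# A record starts with "YYYY-MM-DD HH:MM:SS+ZZZZ "; any other line is the
# continuation of the record before it.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4} ")

# The user field stops at the first "/"; the password runs to the final
# "] failed|succeeded", so passwords containing "/" or "]" stay whole.
ATTEMPT = re.compile(
    r"^(?P<ts>\S+ \S+) \[[^\]]*HoneyPotTransport,(?P<session>\d+),(?P<ip>[^\]]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<password>.*)\] "
    r"(?P<result>failed|succeeded)$"
)


def unwrap(text):
    """Rejoin hard-wrapped lines into one string per log record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_attempts(text):
    """Return one dict per 'login attempt [user/password]' record."""
    attempts = []
    for record in unwrap(text):
        m = ATTEMPT.match(record)
        if m:
            attempts.append(m.groupdict())
    return attempts


def summarize(attempts):
    """Tally attempts per source address, per username and per password."""
    return {
        "by_source": Counter(a["ip"] for a in attempts),
        "users": Counter(a["user"] for a in attempts),
        "passwords": Counter(a["password"] for a in attempts),
    }


if __name__ == "__main__":
    report = summarize(parse_attempts(SAMPLE))
    for name, counts in report.items():
        print(name, counts.most_common(5))
```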
Andrew M Hoerter
2017-11-01 22:31:05 UTC
Post by Jerry Kemp
Regarding observing remote root login attempts, regardless of root being
disabled, it is just the fact they are occurring. I would speculate
that if you have just stuck your box out on the Internet, the (ssh)
login attempts are probably low at the present. I have a (Solaris) box
that is in a COLO for more than a decade (upgraded several times), and I
am just continually being hit by random & continual ssh remote login
attempts.
[...]
My big concern is that, due to numbers of hits, that properly managing
and addressing events that do end up logged. I already mentioned that I
use denyhost to limit dictionary attacks that hit hard and heavy.
Running ssh on a non-standard port is the easiest way to cut out 99% of
the logfile noise from bots and scanners. In my experience, they don't
bother to check for alternate ports if 22 doesn't work. Obviously, this
is no substitute for securely configuring SSH but it will make the more
determined attackers stand out in your logs.

If you're in the happy situation of knowing the valid client source
addresses in advance, you can also use a firewall to default-deny
incoming traffic to the ssh port and then allow only those known hosts.

Finally, on the more complex end, you could implement a simple
authorization scheme that manipulates firewall rules on the fly. In one
case, a webserver was running on the same machine already so I wrote a
simple CGI script whose URL was protected via required TLS certificate
authorization. Clients hitting that URL with a valid cert would cause
their source IP to be added to a dynamic table connected to a firewall
pass rule for port 22 as well as IMAP. After some time that entry would
time out and expire.
Jonathan Patschke
2017-11-01 23:40:55 UTC
Post by Andrew M Hoerter
Running ssh on a non-standard port is the easiest way to cut out 99% of
the logfile noise from bots and scanners. In my experience, they don't
bother to check for alternate ports if 22 doesn't work.
It's the easiest, but the least fun.

I use rate-limiting in pf to automatically mark hosts that spam
interesting ports. Those hosts, once marked, spend an hour or so in a pf
table that sends their ssh traffic somewhere harmless.

I also have a cron job that looks for bad ssh authentication and updates a
separate pf table for diverting that ssh traffic somewhere harmless.

This method is more useful to me than libwrap because of the diversion
aspect and because my system accumulates data about interesting attacks
over time. Also, because there exist honeypot daemons to serve as the
destination for potentially-harmful traffic.

Spammers (and IMAP password-scanners), in particular, get sent to daemons
that look somewhat like SMTP and IMAP, but only respond to commands with
rude messages sent barely fast enough to avoid timing the connection out.

Someday I'd like to work on making those daemons maliciously non-compliant
in the hopes of tripping up the zombies. Or maybe serving up via IMAP
(open to any credentials at all) all the spam malware I've ever gotten
would be sufficient.
Post by Andrew M Hoerter
If you're in the happy situation of knowing the valid client source
addresses in advance, you can also use a firewall to default-deny
incoming traffic to the ssh port and then allow only those known hosts.
Strict whitelisting was great in the days before so many mobile devices.
I'd always intended to close off _everything_ except an OpenVPN
connection, but that quickly proved impractical.
Post by Andrew M Hoerter
Finally, on the more complex end, you could implement a simple
authorization scheme that manipulates firewall rules on the fly. In one
case, a webserver was running on the same machine already so I wrote a
simple CGI script whose URL was protected via required TLS certificate
authorization. Clients hitting that URL with a valid cert would cause
their source IP to be added to a dynamic table connected to a firewall
pass rule for port 22 as well as IMAP. After some time that entry would
time out and expire.
That's a pretty elegant solution, to be honest.
--
Jonathan Patschke
Austin, TX
USA
Mouse
2017-11-02 01:05:57 UTC
Post by Jonathan Patschke
Post by Andrew M Hoerter
Running ssh on a non-standard port is the easiest way to cut out 99%
of the logfile noise from bots and scanners. [...]
It's the easiest, but the least fun.
Agreed. :-)
Post by Jonathan Patschke
Post by Andrew M Hoerter
Finally, on the more complex end, you could implement a simple
authorization scheme that manipulates firewall rules on the fly. In
one case, a webserver was running on the same machine already so I
wrote a simple CGI script [...]
That's a pretty elegant solution, to be honest.
Well, I'd hesitate to call anything depending on a webserver "elegant",
but otherwise, yeah.

In my case, I have my ssh daemon watching for a particular detail of
the protocol; client connections not configured to present that bit of
magic (a) get stuck in an environment in which there are no host keys
at all and thus kex can never succeed, so they never even get a chance
to try to authenticate, and (b) get blacklisted by IP at my border
router for 24 hours. (The latter meaning they don't get to rattle any
of my other doorknobs.) There are a few other doorknob-rattling
behaviours that will also get an IP blacklisted - and sending me
anything at all while blacklisted restarts the 24h timer. (For those
interested in such trivia, the blacklist is cruising at about 2500 IPs
these days. Historically, it's spiked as high as about 6500, back on
2016-11-07, though I think the details of my defenses were different
then so I'm not sure how comparable the numbers are.)

I'm being deliberately vague about the magic detail; not that my
security depends on it - even clients that do pass that test still need
to authenticate, and my servers are configured to never support
password authentication - but it greatly reduces the noise in my logs.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
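Added example, not code from any of the posters: a Python model of the log-driven block table described in this subthread (the denyhost-style threshold with a timeout, Jonathan's cron job feeding a pf table, and Mouse's rule that contact while blocked restarts the timer). The log lines are constructed in OpenSSH's syslog wording, the thresholds and the table name `ssh_abusers` are assumptions, and the script only builds `pfctl` argument lists without running them.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Anchored at the END of the line with a greedy user field: the username is
# attacker-supplied text, so only the final " from ADDR port N ssh2" that sshd
# itself appended is trusted as the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?.* "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed events: (seconds since start, syslog line).
EVENTS = [
    (0, "Nov  1 15:00:00 v240 sshd[411]: Failed password for root from 203.0.113.7 port 40022 ssh2"),
    (0, "Nov  1 15:00:00 v240 sshd[412]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2"),
    (10, "Nov  1 15:00:10 v240 sshd[413]: Failed password for root from 203.0.113.7 port 40023 ssh2"),
    (15, "Nov  1 15:00:15 v240 sshd[414]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2"),
    (20, "Nov  1 15:00:20 v240 sshd[415]: Failed password for invalid user ubnt from 203.0.113.7 port 40024 ssh2"),
    (500, "Nov  1 15:08:20 v240 sshd[416]: Failed password for invalid user user from 198.51.100.9 port 51001 ssh2"),
    (3000, "Nov  1 15:50:00 v240 sshd[417]: Failed password for root from 203.0.113.7 port 40025 ssh2"),
    # Username crafted to look like a log suffix naming another address.
    (3001, "Nov  1 15:50:01 v240 sshd[418]: Failed password for invalid user x from 192.0.2.1 port 22 ssh2 from 198.51.100.9 port 4000 ssh2"),
]


def source_of(line):
    """Return the source address of a failed-auth line, or None."""
    m = FAILED.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None  # not an address: never hand it to the firewall


class BlockTable:
    """Block after `threshold` failures within `window` seconds, for `ttl` seconds."""

    def __init__(self, threshold=3, window=60, ttl=3600):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.failures = defaultdict(deque)  # ip -> recent failure times
        self.blocked = {}                   # ip -> time the block ends

    def observe(self, now, line):
        ip = source_of(line)
        if ip is None:
            return None
        if self.blocked.get(ip, 0) > now:
            self.blocked[ip] = now + self.ttl  # contact while blocked restarts the timer
            return ("renewed", ip)
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked[ip] = now + self.ttl
            del self.failures[ip]
            return ("blocked", ip)
        return ("counted", ip)

    def expire(self, now):
        """Drop and return the addresses whose block has run out."""
        gone = sorted(ip for ip, until in self.blocked.items() if until <= now)
        for ip in gone:
            del self.blocked[ip]
        return gone


def replay(events, table):
    """Feed (time, line) pairs to the table; return the actions taken."""
    actions = (table.observe(now, line) for now, line in events)
    return [a for a in actions if a is not None]


def pfctl_add(table_name, addresses):
    """Build (not run) one `pfctl -t <table> -T add <addr>` argv per address."""
    return [["pfctl", "-t", table_name, "-T", "add", ip] for ip in addresses]


if __name__ == "__main__":
    table = BlockTable()
    for action in replay(EVENTS, table):
        print(action)
    print(pfctl_add("ssh_abusers", sorted(table.blocked)))  # hypothetical table name
```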
Kris Kirby
2017-11-09 21:45:11 UTC
Post by Dave McGuire
What...?! Why did they remove support for TCP Wrappers? I depend
on OpenSSH supporting TCP Wrappers on several networks. WTF?!
CSWossh? OpenSSH from OpenCSW?
Jerry Kemp
2017-11-09 23:27:24 UTC
OpenSSH maintainers. Wouldn't matter who compiled it.

Jerry
Post by Kris Kirby
Post by Dave McGuire
What...?! Why did they remove support for TCP Wrappers? I depend
on OpenSSH supporting TCP Wrappers on several networks. WTF?!
CSWossh? OpenSSH from OpenCSW?
--
Kris Kirby, KE4AHR
Disinformation Architect, Systems Mangler, & Network Mismanager

Meelis Roos
2017-11-01 06:03:40 UTC
Post by Lionel Peterson
The T5220 is on hold, can't get it to stay powered up, I've reseated Ram,
removed SATA drives, etc.
I have had less experience with T5xxx about diagnosing problems but with
slightly older ALOM machines, it was useful to attach serial cable to
ALOM and see any diagnostic messages in real time. Maybe worth a try.
--
Meelis Roos (***@linux.ee)
Lionel Peterson
2017-11-01 12:19:58 UTC
That is the only way I am accessing the box, with a terminal session on a
laptop with a USB Cisco-styled cable jacked in to Ser Mgmt port.

I power on the system with:

start /SYS

And within 10 seconds it powers down.

Sometimes when I power it up I attempt:

start /SYS

and then:

start /SP/console

But see nothing other than the spinning bar for about two rotations, then it
freezes.

I am assuming that when the fans "die" the system is off, not just taking
a long time to do something, correct?

Sort of at a stopping point, I guess it's time to contact the seller,
hopefully he knows enough to help me get past this...

Lionel
Mark Linimon
2017-11-01 03:20:39 UTC
I've pulled my v240s out of service (replaced by v215s/v245s) but they are
pretty solid beasts once you get them up and going.

mcl
Lionel Peterson
2017-11-01 03:27:54 UTC
Mine survived a move half-way cross country at the top of a rather empty
rack...

The battery was dead (it thought it was 1999), but I recently bought a 9 pack
of CR2032 batteries to put some old desktops back in service, so it looks good
now.

I think I'm going to do a fresh Solaris 10 install tonight, get this beastie
up and on the network...

Lionel