[nycbug-talk] fave BSD tips/tricks?

George Rosamond george at ceetonetechnology.com
Mon Aug 24 15:59:44 EDT 2009

Charles Sprickman wrote:
> On Mon, 24 Aug 2009, Dru Lavigne wrote:
>> I'm finishing up an article for BSD mag on BSD tips and tricks. Anyone 
>> have a favourite tip or trick they'd like to see in this article?
> I have two non-spectacular "tips" relating to jails:
> -Shamelessly stolen from George R., /usr/ports/ports-mgmt/jailaudit, a very 
> handy tool to report on all vulnerabilities in all jails.  Output comes 
> with the main host's daily run.

nice :)

It's specifically useful in the context that you have jail admins who 
don't check their dailies.

There's lots more in terms of FBSD jail-specific stuff. . . but I'm not 
sure if that's what Dru wants.

> -Up until FBSD 7.1, multiple IPs in a jail were not possible without a set 
> of external patches.  As of 7.2 this is included.  It works flawlessly 
> (tested a box with a few hundred IPs in two jails).  Additionally, ezjail 
> can deal with this, just add the IPs, separated by commas, to the "export 
> jail_php4_web_bway_net_ip=" line.


DL, are you looking for general Unix/bsd stuff?

How about some stuff on how people handle their dailies?  I'd be curious 
to hear.  I mean, for those who actually *read* them :)

off the top of my head. . .


I get lots of dailies. . . and always add the following to cron on its 
own: status of RAIDs on the local box.  Every blob or BSD software raid 
solution has its 'status' check, and seeing an email specific on that 
makes me sleep better.


I also use logger(1) more and more now. . . it's great to put into scripts 
to see when certain stages were hit, like in updating the base source.

So I might have:

/usr/bin/logger -i -t SOURCE "starting buildworld"

after running buildworld.


I also like to have lots of verbosity when not unwieldy. . . for 
instance, on FreeBSD, I always have


in /etc/rc.conf


As some people know (and sometimes mock:), I don't run sshd on tcp/22 in 
general. . . The load of brute force zombies can be high. . . using an 
alternate port for sshd isn't about more security, since I hardly fear 
brute force zombies since I use keys, but about not wasting CPU on them.

Another thing I regularly do is put the netblocks of countries not being 
ssh'd from that are also frequently hosting zombie'd boxes, and use 
tcp-wrappers to block them.


Servers don't usually need X11 . . . so make sure you put:


in /etc/make.conf

before you install ports.

Post 7.0 FreeBSD, man src.conf


It's nice to know when certain tasks or scripts are completed when 
you're not local to the box.

So often I'll "&& mail. . ." to the end of single instance rsyncs, etc., 
to know when something is done.

Gee.  I love the toolbox-ishness of Unix.

And while spork gave credit to me on jailaudit, I'm sure there are 
others out there who deserve credit on at least some of these. . . eg, 
ike with logger.
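One way to script the logger(1) stage-stamping and the "&& mail" completion notice described above, as an added example that is not from the original post; the names TAG, MAILTO, log_stage, run_stage and notify_done are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): stamp each build stage into
# syslog with logger(1) and send a mail when the chain finishes.
TAG=${TAG:-SOURCE}        # syslog tag, as in "logger -i -t SOURCE"
MAILTO=${MAILTO:-}        # recipient for the completion mail; empty = no mail

# Stamp a message into syslog with the PID (-i) and tag (-t); fall back to
# stderr if logger is missing or syslog is not listening, and never fail.
log_stage() {
    if command -v logger >/dev/null 2>&1; then
        logger -i -t "$TAG" -- "$1" 2>/dev/null && return 0
    fi
    printf '%s: %s\n' "$TAG" "$1" >&2
    return 0
}

# Run one named stage: log the start, run the command, log the result.
# Returns the command's own exit status so callers can chain with && and ||.
run_stage() {
    name=$1; shift
    log_stage "starting $name"
    "$@"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        log_stage "finished $name"
    else
        log_stage "FAILED $name (exit $rc)"
    fi
    return "$rc"
}

# Send a one-line completion mail if MAILTO is set and mail(1) exists;
# otherwise only log it, so the script behaves the same on a box with no MTA.
notify_done() {
    msg=$1
    if [ -n "$MAILTO" ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$msg" | mail -s "$(hostname): $msg" "$MAILTO"
    fi
    log_stage "$msg"
}

# Example chain; pass --run to actually rebuild world on a FreeBSD box.
if [ "${1:-}" = "--run" ]; then
    run_stage buildworld make -C /usr/src buildworld \
        && run_stage buildkernel make -C /usr/src buildkernel \
        && notify_done "buildworld+buildkernel complete" \
        || notify_done "build FAILED, check syslog for tag $TAG"
fi
```

Watching the stages arrive with `tail -f /var/log/messages` (or grepping for the tag later) tells you exactly where a long build stopped.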
