Nov 4, 2017

Connecting To FreeBSD On AWS

This is a short post on a gotcha for connecting to a FreeBSD AWS instance.  After creating a FreeBSD AWS instance and tying an SSH .pem key to it, you will find that it is not possible to connect.  This is not a problem with the SSH key, but with the user account.  The "Connect" dialog tells you to connect as root; this, however, is incorrect.  Simply change the user to "ec2-user@WhateverYourHostnameIs" and you should be able to connect.

Once you log in you will notice there is no `sudo` command available.  One may ask, "But then how do I become root?"  Fret not: the default ec2-user account has permission to run `su` without a password.

After using `su` to become root, new accounts can be created with the `adduser` command.

Hopefully this article saves some time troubleshooting an issue that seems to cause confusion for AWS FreeBSD users.

Jun 4, 2016

New Zero Day in WordPress


A new article on Securiblog reports a zero-day exploit in WordPress.  The exploit targets the WP Mobile Detector plugin and allows easy exploitation through requests to resize.php and timthumb.php.  See Securiblog for the request samples they gathered.

It was twenty years ago you see...


OpenBSD's source tree just turned 20 years old.

I recall the import taking about 3 hours on an EISA-bus 486 with two
ESDI drives. There was an import attempt a few days earlier, but it
failed due to insufficient space. It took some time to repartition
the machine.

It wasn't terribly long before David Miller, Chuck Cranor and Niklas
Hallqvist were committing... then more people showed up.

The first developments were improvements to 32-bit sparc.

Chuck and I also worked on setting up the first 'anoncvs' to make sure
no one was ever cut out from 'the language of diffs' again. I guess
that was the precursor for the github concept these days :-). People
forget, but even FSF was a walled garden at the time -- throwing tar
files with vague logs over the wall every couple months.

I was lucky to have one of the few 64Kbit ISDN links in town,
otherwise this would not have happened. My desktop was a Sparcstation
10; the third machine I had was a very slow 386.

The project is now at:

~322,000 commits
~44 commits/day average
~356 hackers through the years

--

On this day, it is my pleasure to give you a song written for the
release by Todd Miller.

http://www.openbsd.org/lyrics.html#58a

It was twenty years ago you see
Theo opened a cvs tree
Made commits to many a file
Joined by others in a very short while

Take a moment to view
The source of all this code
The openbsd cvs repo...

We're the openssh repository
We hope you will enjoy the code
The openntpd repository
But that's not all that's here oh no...
The mandoc 'pository, smtpd 'tory
The libressl repo too

It's wonderful to see the code
Re-used far and wide
The license is so liberal
We'd love for you to code with us
We'd love for you to code...

I don't really want to have to go
But it's hackathon time and so
The coder will commit the code
That he wants all of you to load

So let me introduce to you the one and only Puffy Fish
And the openbsd cvs repo...

B... S... D...

--

(The 5.8 release will be announced and released in a few hours.)

Dec 31, 2015

Ian Murdock Passes



Sad news. Ian Murdock, the creator of Debian, the lead for Project Indiana at Sun Microsystems, and most recently a member of the Docker team, has passed away. See the Docker announcement here.

Oct 12, 2015

How To Waste Money on DDoS Mitigation

DDoS mitigation services can be very costly depending on scale and circumstance. Why, then, go through the trouble and expense of employing such a service if it is not going to be used to its full potential? Listen to the recommendations of the people in the industry who stake their reputation on protecting you. Stop being lazy and whitelist nothing but the cloud-based security provider's (CBSP's) IPs. It is naive to think a motivated, knowledgeable attacker will not find your origin. Talk to anyone in the space and odds are they have at least one example of this kind of oversight being taken advantage of. A paper on the topic was recently published by the Department of Computer Science at Stony Brook University here. As the paper shows, anyone who knows that certain tools exist can easily determine the origin, completely bypassing any benefit of the DDoS mitigation service. Hopefully this serves to educate and protect.
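One concrete way to act on the allowlisting advice, as an added example that is not from the original post: a POSIX shell script that takes the mitigation provider's published address ranges (constructed placeholder CIDRs from RFC 5737 documentation space here, since the post names no provider), emits a pf ruleset that default-blocks ports 80 and 443 on the origin and passes only those ranges, and includes a CIDR-membership check so individual addresses can be sanity-tested against the allowlist before the ruleset is loaded. The interface name em0 is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post). Generate an origin-server pf
# ruleset that admits HTTP/HTTPS only from the DDoS mitigation provider's
# address ranges, and check individual addresses against that allowlist.

# Placeholder ranges standing in for the provider's published list
# (constructed for this example from RFC 5737 documentation space).
CBSP_RANGES="203.0.113.0/24 198.51.100.0/25"
EXT_IF="em0"   # placeholder external interface name

ip_to_int() {
    # Dotted quad -> unsigned 32-bit integer.
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

cidr_contains() {
    # cidr_contains CIDR IP : succeed if IP lies within CIDR.
    net=${1%/*}
    bits=${1#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

origin_verdict() {
    # origin_verdict IP : print "pass" if IP is in a CBSP range, else "block".
    for r in $CBSP_RANGES; do
        if cidr_contains "$r" "$1"; then
            echo pass
            return 0
        fi
    done
    echo block
}

gen_pf_rules() {
    # Emit the ruleset. pf applies the last matching rule, so the blanket
    # block comes first and the narrower pass from <cbsp> overrides it.
    table=$(printf '%s' "$CBSP_RANGES" | sed 's/ /, /g')
    printf 'ext_if = "%s"\n' "$EXT_IF"
    printf 'table <cbsp> const { %s }\n' "$table"
    printf 'block in log on $ext_if proto tcp to ($ext_if) port { 80 443 }\n'
    printf 'pass in on $ext_if proto tcp from <cbsp> to ($ext_if) port { 80 443 }\n'
}

# Demonstration: print the ruleset, then spot-check two addresses.
gen_pf_rules
for ip in 203.0.113.77 192.0.2.10; do
    printf '%-16s %s\n' "$ip" "$(origin_verdict "$ip")"
done
```

Replace CBSP_RANGES with the provider's current published list (and keep it current: the `const` table is rebuilt only when the rules are reloaded), then load with `pfctl -f` after `pfctl -nf` confirms the syntax.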

Jan 30, 2015

Shebang, the Key to Portable Scripts


Although most Unix-like operating systems these days have a port of the Bash shell, whether it is installed by default, where it is installed, and its implementation all differ. For example, Linux installs Bash in /usr/bin whereas FreeBSD installs it in /usr/local/bin. When booting into Ubuntu, it may seem at first that one is running Bash, but upon inspection one will notice that it is actually the Dash shell. The reason for changing to Dash can be found here.

To help improve compatibility across the growing number of OSes and distributions, a simple change can be applied. Enter the shebang! A shebang tells the OS which interpreter to use for the script by providing the absolute path to its executable, preceded by #! (the shebang). As mentioned above, the default path can vary depending on a few factors. There is a commonality among distributions which can eliminate this issue, and that is the env command. All this program does is look for the requested executable in the locations listed in $PATH. In other words, as long as bash is in one of the locations in $PATH, env will find it.  A shebang can therefore use env's absolute path instead of the shell's absolute path. All of the distributions I've looked at have env in the same location. So in conclusion, changing

#!/bin/bash

to

#!/usr/bin/env bash

in your Bash shell script should solve most problems. An extremely simple solution to what may otherwise be a big headache.
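To see the problem the post describes on a real tree of scripts, here is an added example (not from the original post): a POSIX shell script that reads each script's shebang, reports whether it already uses env, points at an interpreter that exists on this host, or points at a path this host does not have, and prints the env-based rewrite for the last case. The sample scripts it runs on are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): audit the shebang lines of a
# set of scripts, flag interpreters hardcoded at paths this host does not
# have, and show the env-based rewrite.

shebang_interpreter() {
    # Print the interpreter path from FILE's first line; fail if no shebang.
    first=$(head -n 1 "$1")
    case $first in
        '#!'*)
            first=${first#"#!"}
            first=${first# }          # tolerate "#! /bin/sh"
            printf '%s\n' "${first%% *}"
            ;;
        *) return 1 ;;
    esac
}

classify_shebang() {
    # Print one of: none | env | ok:<path> | missing:<path>
    interp=$(shebang_interpreter "$1") || { echo none; return 0; }
    case $interp in
        */env) echo env ;;
        *) if [ -x "$interp" ]; then echo "ok:$interp"; else echo "missing:$interp"; fi ;;
    esac
}

to_env_shebang() {
    # Rewrite a shebang line such as "#!/bin/bash" to "#!/usr/bin/env bash".
    # Interpreter arguments are kept as-is; see the note below on why they
    # should not be there in the first place.
    line=${1#"#!"}
    line=${line# }
    prog=${line%% *}
    rest=${line#"$prog"}
    printf '#!/usr/bin/env %s%s\n' "${prog##*/}" "$rest"
}

# Demonstration on constructed scripts in a temporary directory.
demo=$(mktemp -d)
printf '#!/bin/bash\necho hello\n'           > "$demo/linux_style.sh"
printf '#!/usr/local/bin/bash\necho hello\n' > "$demo/freebsd_style.sh"
printf '#!/usr/bin/env bash\necho hello\n'   > "$demo/portable.sh"
for f in "$demo"/*.sh; do
    verdict=$(classify_shebang "$f")
    printf '%-18s %s\n' "$(basename "$f")" "$verdict"
    case $verdict in
        missing:*) printf '    suggest: %s\n' "$(to_env_shebang "$(head -n 1 "$f")")" ;;
    esac
done
rm -rf "$demo"
```

Run it on a Linux box and freebsd_style.sh is flagged; run it on FreeBSD and linux_style.sh is. One caveat when adopting the env form: the Linux kernel passes everything after the interpreter path to env as a single argument, so `#!/usr/bin/env bash -e` asks env for a program literally named "bash -e". Keep options out of the shebang and set them inside the script (`set -e`) instead.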

Jan 29, 2015

Globally Enable UTF-8 (Unicode) on FreeBSD


One nice thing about FreeBSD is that it doesn't make many assumptions. This can of course require a bit of elbow grease, but at least the end result is an OS tailored to the need. One such instance is the lack of a set locale. A Google search produces quite a few results for setting the locale on a per-user basis, but setting it globally is covered a little less.

First verify that locale is not set with:

$ locale


If no result is returned, the locale is not set. To set it, /etc/login.conf must be modified as root. Open the file using your preferred editor and add the following lines:

:charset=UTF-8:\
:lang=en_US.UTF-8:


It is then necessary to update the login capability database using:

# cap_mkdb /etc/login.conf

Log out and log back in. You should now see en_US.UTF-8 as follows:

$ locale
LANG=en_US.UTF-8
...
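Two checks an administrator would want after following the steps above, as an added example that is not from the original post: a shell script that parses a login.conf file (a constructed sample here; point it at /etc/login.conf on a real system) to confirm that the default login class carries charset=UTF-8 and a UTF-8 lang, and that reports when login.conf.db is missing or older than login.conf, which is the symptom of a skipped cap_mkdb step. The two lines from the post belong inside the default class record, which is the record the check inspects.

```shell
#!/bin/sh
# Added example (not from the original post): read a login class capability
# out of a login.conf file and check whether login.conf.db still needs to be
# rebuilt with cap_mkdb. Runs against a constructed sample file; point it at
# /etc/login.conf on a real FreeBSD system.

login_class_value() {
    # login_class_value FILE CLASS CAP
    # Print CAP's value for CLASS (aliases after '|' are honoured), or nothing.
    # tc= inheritance is not followed; only capabilities set directly count.
    awk -v cls="$2" -v cap="$3" '
        /^#/ { next }                        # comment line
        { rec = rec $0 }                     # accumulate the record
        /\\$/ { sub(/\\$/, "", rec); next }  # trailing backslash: line continues
        {
            n = split(rec, f, ":"); rec = ""
            m = split(f[1], names, "|")
            found = 0
            for (i = 1; i <= m; i++) if (names[i] == cls) found = 1
            if (!found) next
            for (i = 2; i <= n; i++)
                if (index(f[i], cap "=") == 1) { print substr(f[i], length(cap) + 2); exit }
        }' "$1"
}

logindb_is_stale() {
    # logindb_is_stale CONF : succeed when CONF.db is missing or older than
    # CONF, i.e. when "cap_mkdb CONF" has not been run since the last edit.
    # (-ot is not strictly POSIX but is supported by FreeBSD sh, dash and bash.)
    [ ! -e "$1.db" ] || [ "$1.db" -ot "$1" ]
}

check_utf8_default() {
    # check_utf8_default CONF : print "ok" when the default class carries the
    # two capabilities from the post, otherwise list what is missing.
    charset=$(login_class_value "$1" default charset)
    lang=$(login_class_value "$1" default lang)
    msg=""
    [ "$charset" = "UTF-8" ] || msg="$msg charset=${charset:-unset}"
    case $lang in *.UTF-8) ;; *) msg="$msg lang=${lang:-unset}" ;; esac
    if [ -z "$msg" ]; then echo ok; else echo "missing:$msg"; fi
}

# Constructed sample: a trimmed default class after the edit from the post,
# plus a second class to show alias handling.
demo=$(mktemp -d)
cat > "$demo/login.conf" <<'EOF'
# constructed login.conf fragment for the example
default:\
	:passwd_format=sha512:\
	:charset=UTF-8:\
	:lang=en_US.UTF-8:\
	:umask=022:

russian|Russian Users Accounts:\
	:charset=UTF-8:\
	:lang=ru_RU.UTF-8:\
	:tc=default:
EOF
printf 'default class: %s\n' "$(check_utf8_default "$demo/login.conf")"
if logindb_is_stale "$demo/login.conf"; then
    echo "login.conf.db is missing or stale: run cap_mkdb"
fi
rm -rf "$demo"
```

On a real system, `check_utf8_default /etc/login.conf` printing ok while `locale` still shows nothing after a fresh login almost always means `logindb_is_stale /etc/login.conf` succeeds too: login(1) reads the compiled login.conf.db, not the text file, so the cap_mkdb step cannot be skipped.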