sounds like a weird ask, to have a jail with its own network stack, have it's firewall not be in said stack.

why is that weird? if a jail is compromised then its much better if any blocked outbound connections are not configurable from within the jail

this is how NSX works vmware.com/products/cloud-infrastructure/vdefend-distributed-firewall

have you tried setting rules referencing the jail's host-side interface?

mjp: isn't this the other way around? my firewall is done at the host.

llua: no still making a plan at this stage, interface names seems logical providing each jail has a fixed interface name on the host system

luke_jobless_sb: are you using vnet jails? they have their own network stack and can run pf inside

how do I log failed login attempts in /var/log/auth.log?

bjorn3: is it a remote login failure or a local one?

local

local - typically handled in syslog.conf

remote - sshd_config (if ti is remote ssh)

there is a configuration file update, should have notes within those files. then a simple restart of the logging service and should be good to go

auth.info;authpriv.info is used for /var/log/auth.log in /etc/syslog.conf already. what should i add to log auth failures?

bjorn3: you want to increase the logging levels from INFO

voy4g3r2: with auth.debug;authpriv.debug i don't see any difference

let me step back a second.. what error logging are you trying to capture.. local / console or you doinmg through ssh?

if there is a local login failure, i would like to get a log message for this.

hav eyou tried to move from DEBUG (as that is low level stuff) to say ERR? I am referencing this section, as i am helping out: docs.freebsd.org/en/books/handbook/config/#configtuning-syslog

auth.err;authpriv.err doesn't help, nor does auth.*;authpriv.*

and you are restarting the service?

yes, i'm doing "service syslogd restart" every time.

try adding this.. sysrc syslogd_flags="-vv"

and do again.. maybe it will "show" something

this will add flags in /etc/rc.conf for the syslogd service

so when you do a restart, it will "append" these flags to it

did that, i'm now getting a authpriv.notice for the sudo cat that i used to read auth.log, but still nothing for the failed login attempts.

you seeing anything in /var/log/security?

Oct  9 15:09:15  newsyslog[713]: logfile first created

is the only line in /var/log/security

do you see ANY entries in auth.log, like this: Oct 20 16:21:28 momas su[49873]: chrisdavidson to root on /dev/pts/3

yes, successful sudo usage and successful logins are logged just fine.

Oct 25 15:37:43 <auth.info>  login[25821]: login on pts/0 as bjorn

Oct 25 15:37:49 <authpriv.notice>  sudo[25825]:    bjorn : TTY=pts/0 ; PWD=/home/bjorn/ ; USER=root ; COMMAND=/bin/cat /var/log/auth.log

Oct 25 09:39:57 momas su[60461]: BAD SU chrisdavidson to root on /dev/pts/2

when you do a 'su' and give a bad password.. does it show this?

for the record, i have NOT touched the basic configuration /etc/syslong.conf

hmm it works on my box

Oct 25 09:40:35 bsdrock5 sshd[1946]: error: PAM: Authentication error for illegal user na2 from

Tenkawa: thanks for confirmation

i am getting the error messages, so it is odd you are not bjorn3

if i do su i get a BAD SU message already without entering a password as i'm not in wheel.

hence your question :)

sudo also seems to log a message, but login doesn't.

cperciva: ping

voy4g3r2: I didn't have to change anything... I am curious to ask bjorn3 this: what version of FreeBSD is this?

(unrelated, but i just noticed that you can ctrl-z login on a tty and brick said tty until you send SIGCONT to login as root)

Tenkawa: 14.1-RELEASE

interesting indeed...

i installed it a couple of weeks ago and i don't think i changed anything related to this.

Tenkawa: agree, it helps with context, while it sucks for bjorn3.. i am thinking to myself.. did I change anything

bjorn3: maybe i missed it, but if you ssh into box and give a bad password.. does it log?

voy4g3r2: yeah I just installed these 2 boxes a week ago

i am looking at this right now... man.freebsd.org/cgi/man.cgi?query=login&sektion=1&format=html

because the login(1) should be sending the error message to that auth.log

Both are arm64 boxes of various types that I'm working on

this should be cpu independent.. i confirmed on a raspberry pi and an x86 box

yeah.. it was just context that these were new installs...

(nothing really facy)

always important to know about

er fancy

bjorn3: i am sorry, i think i am "stuck" at this time and maybe someone with more knowledge than me, can step in

I did look and my auth.log is logging a lot

bjorn3: I will "assume" there is a syslogd -s process running right?

is every program supposed to log auth failure individually on freebsd or is there an option for pam_unix to log auth failure like is the default on at least the debian family of linux systems?

Tenkawa: yes, syslogd -vv is running

hmm I wonder if I'm getting the messages then because I'm running in debug mode... let me change and check

(web.libera.chat disconnected me and then picked a different nick when reconnecting as bjorn3 is already in use)

bjorn52: not sure if you saw last msg

[09:52:38] Tenkawa: hmm I wonder if I'm getting the messages then because I'm running in debug mode... let me change and check

testing now

yeah, that message i saw

my syslogd was running with -s

just turned off.. restarting and about to try again

Nah still logs it

ct 25 09:58:32 bsdrock5 sshd[1914]: Failed keyboard-interactive/pam for invalid user na2 from

and if you enter a wrong password in the `login` program?

that was on console

let me trry ssh

why does it say sshd if you were on a console?

oh no you right

I had the uart on other con

just a sec... no display so I have to login then uart over

yeah nothing on that one

Let me oh.. think I found it... just a sec

half of it worked... it logs everything but the login attempt still...

very odd

yeah. i also tried the pam_unix debug option, but that is way too verbose and still doesn't show the authentication failure and the target user on a single line, so it is effectively useless when multiple people are logging in at the same time.

oh.. it worked that time

Oct 25 10:13:35 bsdrock5 login[1902]: 1 LOGIN FAILURE ON ttyu0, na

I used adding console to syslog.conf

there's this part

# uncomment this to log all writes to /dev/console to /var/log/console.log

# touch /var/log/console.log and chmod it to mode 600 before it will work

that ended up in both console.log and auth.log now

doesn't work for me

Very odd indeed

grep ttyu0 auth.log | grep -i login | wc -l

17

I've beenusing it a fair bit over the last 2 days lol

never mind, i made the wrong syslog.conf change.

with console.info /var/log/console.log it shows up in console.log just fine.

yeah it took a few minutes here

the dates/clock seemed out of sync

is it allow to have multiple syslog.conf lines for different filters with the same output log file?

That I do not know

I'm out of date on editing syslog by hand...

also it seems to be possible to bypass the logging for sudo by doing ctrl-z and then kill -9 %1

ah, auth.log still logs it in that case.

How do I know I'm not a robot? All these tech companies seem sure of it. How do /you/ know your not a robot for that matter?

We could all be robots and not even know it.

sfox: as a robot, would you run FreeBSD or something else ?

He'd probably run QNX

Why is that?

ahh QNX...really miss having it in my pocket

Are you sure your not a robot?

Heh.. QNX.. I haven't ran that in years

hello

my antispoof interferes with my local client to its bouncer. what

is this something common?\

luke_jobless_sb: can you re-explain.. somebody should be able to help

I have a bouncer in my server. I enabled antispoofing. Antispoofing on loop and NIC distrupted my bouncer. I want to know if this is something to do with the nature of a bouncer before troubleshooting.

I meant that bouncer alone works fine but I cannot get my client to connect

When you say you "enabled antispoofing" to me that means you have "antispoof quick for { $ext_if, lo0 } inet" in your /etc/pf.conf file. Does it mean the same thing to you?

Antispoofing blocks packets that arrive on an interface with a source that should not be arriving on that interface. If enabling it blocks something then something on your network is misconfigured.

Hi! I'm trying to do a refresh of a replication using zrep but I get an error after issuing the command zrep refresh zroot/jails/ubuntu2. "cannot set property for 'zroot/jails/ubuntu2': permission denied"

I ran the command via sudo.

rwp: sounds like worth to fix my network instead of disabling antispoof

luke_jobless_sb, At the least understanding what's happening.

does anyone know the security implications of setting net.inet6.icmp6.nd6_onlink_ns_rfc4861=1? apparently this is required for certain kinds of PtP Ethernet interfaces that cause FreeBSD to use GUA addresses for NS/NA instead of link local, but i can't find any specific documentation