BSD Computer Linux micro

If you need a PDF viewer on your open-source OS (I tested it on Linux and FreeBSD), you should try PDF Studio Viewer. Very fast and can do stuff like removing layers from the PDF.

BSD Computer

Script to “centralize” checking for updates on FreeBSD

I have to administer several FreeBSD servers and I need to know which servers need updates. Even though I have a poudriere running, I also have a local ports tree on the machines, because they are either not using poudriere yet (they are not migrated to it) or there was some reason to have a locally compiled package.
Now I want to know daily which servers need package updates and if any server has packages with known CVEs. Thus I update the index of the ports tree daily with the following cronjob for root:

0 3 * * * portsnap -I cron update

I have several “classes” of servers, thus I want mails for every class of server. For each class I have a cronjob like this in my personal crontab (or you could put it on one of your servers):

0 6 * * 1-5 /usr/local/scripts/ class1

The user needs to be able to log into each server with an ssh-key.


#!/bin/sh
# Usage: updatecheck.sh <class>, run from cron as shown above.
# The checking user must be able to ssh to every server with a key.

MAILADDRESS="admin@example.com"                       # assumed, put your address here
TMPFILE=$(mktemp /tmp/updatecheck.XXXXXX) || exit 1   # assumed, one temp file per run

case $1 in
  class1) SERVERS="server1 server2" ;;
  class2) SERVERS="server3 server4 server5" ;;          # class names other than
  class3) SERVERS="privateserver1 privateserver2" ;;    # class1 are assumed
  *) echo "usage: $0 class1|class2|class3" >&2; exit 1 ;;
esac

for i in $SERVERS; do
  echo "$i:" >> $TMPFILE
  # a "<" in "pkg version" output marks a package older than the ports tree
  updates=$(ssh $i "pkg version" | grep '<')
  update_count=$(echo "$updates" | grep -c .)
  if [ $update_count -gt 0 ]; then
    echo "$i needs $update_count updates" >> $TMPFILE
    echo "$updates" >> $TMPFILE
    echo "" >> $TMPFILE
    echo "" >> $TMPFILE
    # list installed packages with known vulnerabilities
    ssh $i "pkg audit" >> $TMPFILE
  else
    echo "$i needs no updates" >> $TMPFILE
  fi
  echo "" >> $TMPFILE
  echo "" >> $TMPFILE
done

mail -s "$1 update status" $MAILADDRESS < $TMPFILE
rm -f $TMPFILE
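Because the checking user's key can log in to every server, the receiving side should limit what that key is allowed to run. The forced-command wrapper below is an added example and not part of the original post; the install path /usr/local/bin/pkgcheck-wrapper and the key comment in the authorized_keys line are assumed.

```shell
#!/bin/sh
# Forced-command wrapper for the update-check ssh key (added example, not from the post).
# On each monitored server, bind the checking user's key to it in ~/.ssh/authorized_keys:
#   command="/usr/local/bin/pkgcheck-wrapper",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA... update-check
# (path and key comment are assumed). sshd then runs this script instead of the requested
# command and passes the original request in SSH_ORIGINAL_COMMAND.

# Return 0 only for the exact read-only pkg invocations the checking script issues.
# Anything else, including "pkg version; id" or "pkg install x", is refused.
allowed_pkg_command() {
  case "$1" in
    "pkg version"|"pkg audit") return 0 ;;
    *) return 1 ;;
  esac
}

# Dispatch a validated request; log and refuse everything else.
run_requested() {
  if allowed_pkg_command "$1"; then
    exec $1
  fi
  logger -t pkgcheck-wrapper "refused command from ${SSH_CLIENT%% *}: $1"
  echo "command not permitted" >&2
  exit 1
}

# Only dispatch when invoked by sshd; running it by hand does nothing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  run_requested "$SSH_ORIGINAL_COMMAND"
fi
```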
BSD Computer

Blacklistd and pf on FreeBSD

In FreeBSD 11.0 a new daemon called blacklistd was delivered in base; it blocks IPs after unsuccessful logins. Its advantages over fail2ban: it works with IPv6 and it is part of base. Its disadvantage is that, as far as I understand it, applications have to be linked against blacklistd so that they can report failed logins to it.

With the recently released FreeBSD 11.1, sshd got linked against blacklistd. Therefore there is a new option in sshd_config: UseBlacklist. By default it is set to no. Uncomment it, set it to yes and then reload sshd.

The config is in /etc/blacklistd.conf. Usually you define blocking rules in the [local]-section and whitelisting in [remote]. The sample file and the man page are good enough to explain that part.

In addition you need to start the blacklistd-service and enable it in rc.conf or even better in a file in /etc/rc.conf.d.

In /etc/pf.conf you need to add the following line:

 anchor "blacklistd/*" in on $ext_if

Then you need to reload pf with the new rule:

 pfctl -f /etc/pf.conf

Now blocking should already work. To list the blocked IPs use the following command:

 blacklistctl dump -b

If IPv6 addresses are blocked, you need to add -w (wide output) so they are not truncated:

 blacklistctl dump -bw

If you want to unblock an IP you can look into the tables with pfctl. To see for example the table for sshd, the command is:

 pfctl -a blacklistd/22 -t port22 -T show

Now let’s say you want to unblock one of the listed IPs; then you could issue:

 pfctl -a blacklistd/22 -t port22 -T delete <blocked-ip>

This will remove the IP from the table and it is now unblocked. blacklistctl will still show the IP as blocked though. But if the IP tries again to log in and fails often enough, it will get blocked again.
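To verify on a host that the four pieces described above (the sshd option, the enabled service, the pf anchor and a blacklistd rule for ssh) are really in place, here is an added check script that is not part of the original post; the function names and the rc.conf.d file name /etc/rc.conf.d/blacklistd are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: check the blacklistd + pf setup described
# above. Each check takes file paths, so it can also be run against copies of the files.

# sshd must have an uncommented "UseBlacklist yes" (the stock file ships "#UseBlacklist no").
sshd_uses_blacklist() {
  grep -Eiq '^[[:space:]]*UseBlacklist[[:space:]]+yes' "$1"
}

# The service must be enabled in rc.conf or in one of the given files under /etc/rc.conf.d.
blacklistd_enabled() {
  cat "$@" 2>/dev/null | grep -Eq '^[[:space:]]*blacklistd_enable="?YES"?'
}

# pf.conf must load the anchor that blacklistd fills with its per-port tables.
pf_has_blacklistd_anchor() {
  grep -Eq '^[[:space:]]*anchor[[:space:]]+"blacklistd/\*"' "$1"
}

# blacklistd.conf needs an ssh rule in the [local] section with all 7 columns
# (adr/mask:port type proto owner name nfail disable), e.g. "ssh stream * * * 3 24h".
blacklistd_has_ssh_rule() {
  awk '/^\[local\]/ {s=1; next} /^\[/ {s=0} s && $1=="ssh" && NF>=7 {f=1} END {exit !f}' "$1"
}

# Usage: check_blacklistd_setup sshd_config pf.conf blacklistd.conf rcfile...
# Prints what is missing; the return value is the number of failed checks.
check_blacklistd_setup() {
  sshd="$1"; pf="$2"; bl="$3"; shift 3; failed=0
  sshd_uses_blacklist "$sshd" || { echo "missing: UseBlacklist yes in $sshd"; failed=$((failed+1)); }
  blacklistd_enabled "$@" || { echo "missing: blacklistd_enable=YES in $*"; failed=$((failed+1)); }
  pf_has_blacklistd_anchor "$pf" || { echo "missing: anchor \"blacklistd/*\" in $pf"; failed=$((failed+1)); }
  blacklistd_has_ssh_rule "$bl" || { echo "missing: ssh rule in [local] section of $bl"; failed=$((failed+1)); }
  return $failed
}

# Stand-alone run against the live system paths (rc.conf.d file name assumed).
if [ "${1:-}" = "--live" ]; then
  check_blacklistd_setup /etc/ssh/sshd_config /etc/pf.conf /etc/blacklistd.conf \
    /etc/rc.conf /etc/rc.conf.d/blacklistd
fi
```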

BSD Computer iPhone Linux Productivity

Some plaintext-productivity love with Taskpaper

I finally got my plaintext todo system together. It was a bit cumbersome because I neither wanted to nor could use Dropbox, but it works now. The problem is that some of my machines run either FreeBSD or OpenBSD, and all the plaintext-productivity apps on iOS require either Dropbox or iCloud[1]. I have a Nextcloud, but the Nextcloud client on iOS does not really integrate into iOS, and nearly no app offers to sync with anything other than iCloud or Dropbox on iOS.

But there is a really good git client on iOS: Working Copy. And there is a really good markdown editor that also has Taskpaper support and, with some workarounds, integrates with Working Copy: Editorial[2].

The final piece that was missing were reminders that work somewhat automagically. There is a way to create iOS reminders in Editorial from Taskpaper files, but I would need to run a workflow in Editorial manually to create them. And I wouldn’t get a mail in the morning with a summary of tasks that are due, overdue etc. But now I have some scripts and cronjobs which create the mail and send out push notifications via Pushover[3].

How does it work?

I created a git repo on my server and have it checked out on my clients and in the home directory of my user on the server. When I change something on the clients, I commit and push to the server. On the server, a cronjob in the crontab of my user runs every minute to pull the repo. Additionally there is a cronjob running a python script that checks if a task has an alarm set. If one is set, it sends the task as a message to Pushover, which sends a push notification to my iPhone. At 4 am there is an additional cronjob that runs a script which generates a summary mail and sends it to me via e-mail.

The scripts expect the following tags, so that they can work:

  • @today or @due[YYYY-MM-DD]
  • @alarm[YYYY-MM-DD HH:MM]

The basis is the Taskpaper parser from GitHub user kmarchand. My push script is a derivative of that script[4]:


from datetime import datetime, timedelta
from collections import namedtuple
from dateutil import parser
import sys
import re
import httplib
import urllib

tpfile = sys.argv[1]

with open(tpfile, 'rb') as f:
    tplines = f.readlines()

Flagged = namedtuple('Flagged', ['type', 'tasktime', 'taskdate', 'project', 'task'])
flaglist = []
errlist = []

project = ''

# Collect every open task that carries an @alarm(YYYY-MM-DD HH:MM) tag,
# remembering the project (a line ending in ":") it belongs to.
for line in tplines:
    try:
        if '@done' in line:
            continue
        if ':\n' in line:
            project = line.strip()[:-1]
        if '@alarm' in line:
            alarmtag = re.search(r'@alarm\((.*?)\)', line).group(1)
            tasktime = datetime.time(parser.parse(alarmtag))
            taskdate = datetime.date(parser.parse(alarmtag))
            flaglist.append(
                    Flagged('alarm', tasktime, taskdate, project, line.strip()))
    except Exception, e:
        errlist.append((line, e))

today = alarm = overdue = duethisweek = startthisweek = None
today_date = datetime.date(datetime.now())
today_time = datetime.time(datetime.now())
time_tmp = datetime.now() - timedelta(minutes = 1)
today_time_less1min = time_tmp.time()

# The script runs from cron every minute, so an alarm fires when its time
# falls inside the one-minute window that ended just now.
for task in flaglist:
    if task.type == 'alarm' and today_date == task.taskdate and today_time > task.tasktime and today_time_less1min < task.tasktime:
        alarm = True
        #print '\t[%s] %s' % (task.project, task.task)
        # api.pushover.net is the Pushover API host; the two tokens are placeholders,
        # keep the real ones out of the synced repository.
        conn = httplib.HTTPSConnection("api.pushover.net")
        conn.request("POST", "/1/messages.json",
          urllib.urlencode({
            "token": "APP-Token",
            "user": "User-Token",
            "message": task.project + " " + task.task,
          }), { "Content-type": "application/x-www-form-urlencoded" })
        conn.getresponse()
if not alarm:
    print '\t (none)'

It is simple, it could be probably far more elegant but it works for me™.

In addition there is a simple shell script[5]:

/usr/local/bin/python2 /home/user/python/ /home/user/taskpaper/Work.taskpaper > /tmp/taskpaper.mail
/usr/local/bin/python2 /home/user/python/ /home/user/taskpaper/Personal.taskpaper >> /tmp/taskpaper.mail
mail -s 'Your Daily Taskpaper Summary' < /tmp/taskpaper.mail

And here is my crontab:

* * * * * /bin/sh -c 'cd ~user/taskpaper && /usr/local/bin/git pull -q origin master' >> ~/git.log
* * * * * /usr/local/bin/python2 /home/user/bin/ /home/user/taskpaper/Work.taskpaper
* * * * * /usr/local/bin/python2 /home/user/bin/ /home/user/taskpaper/Personal.taskpaper
0 4 * * * /home/user/bin/

Since I am running FreeBSD on my server I have to rely on a crontab and cannot use systemd-timers.

On my computers I am an avid vim-user and I use taskpaper.vim for having syntax highlighting and some additional shortcuts for marking tasks as done or today etc.

In Editorial I use the Working Copy-workflow.

It is all very simple and not very elegant. But it works and brings me the functionality I was missing from using apps like Todoist or, on the “local” level, Taskmator. And everything runs on my own machines except the delivery of the push notifications. But the only way to run that part myself would be to develop an iOS app, because there is no other way to get push notifications to your iOS device. And if I should switch back to Android at any point, I can still use Pushover. If Pushover goes down, I hope there are alternatives… 😉

  1. To be honest, I do not understand why so many iOS-apps expect a Mac on the desktop. Do so many iOS-owners also own a Mac? I would expect that most actually own a Windows-machine

  2. It does not integrate as Textastic but that might come in the future

  3. I use Pushover because our Icinga2, the monitoring system we use at work, already uses pushover to send notifications when an alert is coming up.

  4. Please forgive me since I am not very knowledgeable in the arts of programming and just hacked around to get a works-for-me thing

  5. I am running it on my FreeBSD-server, thus the path to python is /usr/local/bin/python2 – when you are running Linux the path is probably /usr/bin/python2

BSD Computer

OpenVPN, pf and alias-IP-adresses

Recently I had to build an OpenVPN server on a FreeBSD machine that already uses port 443. But I wanted to use port 443 because its reachability is usually guaranteed. So I added a second IP address to the interface. Let’s say for this example the addresses are and . Then I followed the few hints I found on the net for NATing through the interface. Since it is FreeBSD and I have pf available, I use it of course. And after that I opened up certain hosts to on the other hosts.

What is the rule you find when you google?

nat on $ext_if inet from $vpn_clients to any -> $ext_if

ext_if is your interface to the outside world, in my case the one with the two IP addresses. $vpn_clients is the OpenVPN network[2].

And then I was in for a surprise. When I connected to the VPN and then tried to reach the hosts behind the NAT via ssh, the following happened: ssh host1 – connection denied; ssh host1 again – please log in. If I waited a short moment instead of trying to connect immediately a second time, the connection was denied again. And some other strange behavior like that was observable.

What happened? FreeBSD NATed alternately through address 1 and address 2, never consistently through the same one.

What you can do is specify explicitly which address the NAT should rewrite to. So the rule becomes:

nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip

In this case vpn_nat_ip is

Another side note: you don’t want to add a second interface for the second IP address; use an alias IP on the first network card instead. Otherwise you have to start using routing tables etc. to get your traffic moved correctly through your system.
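To see from the live state table which address pf is actually rewriting VPN clients to, here is an added example that is not part of the original post. It parses `pfctl -s state` lines, where the translated source comes first and the original VPN source follows in parentheses; the VPN prefix 10.8.0. and the sample state lines are constructed. With `-> $ext_if` the interface name expands to all of its addresses and pf cycles through such a multi-address pool round-robin, which is why the first rule shows two addresses here.

```shell
#!/bin/sh
# Added example, not from the original post: list the distinct addresses pf translates
# VPN client traffic to, from `pfctl -s state` output. More than one means the NAT rule
# is still using the whole interface address list instead of a single $vpn_nat_ip.

# $1 = VPN prefix such as "10.8.0." (constructed; match it to your $vpn_clients)
# stdin = state lines. Prints each translated source address once, sorted.
vpn_nat_addresses() {
  awk -v pfx="$1" '
    # Fields: all tcp TRANSLATED:PORT (ORIG:PORT) -> DST:PORT STATE
    $4 ~ /^\(/ {
      orig = substr($4, 2); sub(/:.*/, "", orig)
      if (index(orig, pfx) == 1) { split($3, t, ":"); seen[t[1]] = 1 }
    }
    END { for (a in seen) print a }' | sort
}

# Exit status 0 if exactly one translation address is in use for the prefix, else 1.
check_single_nat_address() {
  n=$(vpn_nat_addresses "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 1 ]
}

# Constructed sample of the problem: the same VPN client (10.8.0.6) is rewritten to two
# different interface addresses; the LAN state on the last line is not VPN traffic.
SAMPLE_STATES='all tcp 192.0.2.10:40001 (10.8.0.6:40001) -> 198.51.100.5:22       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.11:40002 (10.8.0.6:40002) -> 198.51.100.5:22       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:40003 (192.168.1.20:40003) -> 198.51.100.9:443   ESTABLISHED:ESTABLISHED'

if [ "${1:-}" = "--live" ]; then
  # On the FreeBSD box itself: ./natcheck.sh --live 10.8.0.
  pfctl -s state | vpn_nat_addresses "${2:-10.8.0.}"
else
  printf '%s\n' "$SAMPLE_STATES" | vpn_nat_addresses "10.8.0."
fi
```

Besides an explicit $vpn_nat_ip, pf also accepts the `:0` interface modifier (for example `$ext_if:0`), which excludes alias addresses from the expansion.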

  1. Yes, I know…the original host has routable addresses there

  2. by default

BSD Computer Linux micro

Current state: looking into a book about shell scripts and I wonder which shell they use. sh or do I need bash? How about other shells?

BSD micro

I really wonder why there is no ‘ssh-copy-id’ for OpenBSD…

BSD Computer micro

The Podlove Podcast Publisher works again. The team reacted quite fast on the issue (the package php71-filter was missing). Thanks a lot.

BSD Computer micro

Moved from ports to pkg…besides being a bit of pita, it broke Podlove. I have no idea why but suddenly having podlove activated will blank out this site. I wonder why…Well, I’ve opened an issue…

But moving to ports allows me faster updates I have to think about less. And I don’t have special options activated anyways. I use up a bit more space but that’s it. I am running RELEASE anyways…

BSD Computer micro

What did you do sunday evening?

I installed mosh, which updated OpenSSL, which meant that I took the shotgun and shot myself in the foot