FreeBSD 10 – sFTP setup

May 21, 2014


First off, sFTP doesn't actually use the FTP protocol or have anything to do with it.  It's pretty much like SCP but with more features, and it uses port 22 as well.  The one unique thing about this setup is that the user or group you specify in sshd_config for sFTP will not be able to log in with SSH; that user will only be able to sFTP into the server.

Pretty simple to set up.

ee /etc/ssh/sshd_config

Scroll down to the bottom and put this in (use "Match Group groupname" instead of "Match User" if you want it to apply to a whole group):

Match User sftpuser
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp


That's it.

# service sshd restart

Create your user.

Root must be the owner of the home directory.  It should be by default.

Create another directory inside the new user's home for them to read and write to.

mkdir /home/sftpuser/files

chown sftpuser:sftpuser /home/sftpuser/files


You are done!  Have fun!

FreeBSD 10 ssh key authentication

May 21, 2014


# ssh-keygen -t rsa    (uses the default 2048 bits; want a longer key?  use -b 4096)

Enter a passphrase.

cat .ssh/id_rsa.pub >> .ssh/authorized_keys

ee /etc/ssh/sshd_config

Look for the line ChallengeResponseAuthentication (the one with # in front of it) and set it to no (without the quotes).

service sshd restart

Copy id_rsa (the private key) to your laptop/desktop or whatever computers you use and drop it into the .ssh directory on that system.  Have Windows?  Point to it in PuTTY.  I believe most distros will read id_rsa as the default key file, so you may need to rename it if you SSH to other servers.  For example, for a server named web01 I would run ssh user@web01 -i web01.priv, where web01.priv is my private key.
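An added helper, not from the original post: sshd takes the first uncommented occurrence of a keyword in the global section, so a line still hiding behind # changes nothing. The function prints the value sshd will really use and audits the settings key-only login depends on; the sample config and the defaults passed in (upstream OpenSSH defaults, which FreeBSD's shipped sshd_config may override) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.

# Effective global value of keyword $2 in config file $1, falling back to the
# default $3. Comment and blank lines are skipped and parsing stops at the
# first Match block, whose settings only apply conditionally.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/        { next }          # blank line or comment
        tolower($1) == "match"      { exit }          # global section ends here
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Returns 0 when the config yields key-only authentication, 1 otherwise.
# Defaults used here are upstream OpenSSH's; check your own build's.
audit_key_auth() {
    cfg=$1; rc=0
    pubkey=$(sshd_effective "$cfg" PubkeyAuthentication yes)
    chal=$(sshd_effective "$cfg" ChallengeResponseAuthentication yes)
    passwd=$(sshd_effective "$cfg" PasswordAuthentication yes)
    echo "PubkeyAuthentication=$pubkey ChallengeResponseAuthentication=$chal PasswordAuthentication=$passwd"
    [ "$pubkey" = yes ] || rc=1
    [ "$chal" = no ]    || rc=1
    [ "$passwd" = no ]  || rc=1
    return $rc
}

# Constructed sample showing the trap: the "no" was typed on the commented
# line, so the uncommented "yes" further down is what sshd uses.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 22
#ChallengeResponseAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication yes
Match User sftpuser
    ChallengeResponseAuthentication no
EOF

audit_key_auth "$SAMPLE" || echo "password/keyboard-interactive logins still possible"
```

On the real host, sshd -T prints the authoritative effective configuration.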

FreeBSD 10 USB 3.0

May 19, 2014

Just an FYI.  I have an ASUS motherboard with USB 3.0.  I had an issue with FreeBSD 10 and using a USB 3 device.  It would fail to allocate a resource or an assignment of sorts.   I had to go into the BIOS, disable “USB Legacy”.  Now USB 3 works on my PC.

FreeBSD 10 / PCBSD 10 and Edimax 7811un

March 5, 2014

FreeBSD 10 supports the Edimax 7811un (RTL8188CUS chipset; FreeBSD calls the device "urtwn0") right off the bat.  BUT… there is a small trick to get it working if you don't see the error message.  Plug your 7811un into your PC, then install FreeBSD.

**** If you are using PC-BSD, do the same steps as below.  You'll have to go into the /boot/loader.conf.pcbsd file to edit the step 3 options.

Do the following:

1. Set up your /etc/rc.conf with the following:
ifconfig_wlan0="WPA DHCP"

2. Set up your /etc/wpa_supplicant.conf with the following (my network is WPA2):


3. Set up your /boot/loader.conf file with the following:

*** The last line is the most important.  If you don't add it, the device won't work.

4. REBOOT  –  this is a must.

That's it.  It should come up on its own.  This assumes your network is set up with WPA2 encryption.  If you need additional help, consult the FreeBSD Handbook wireless section.

ASA Rommon mode – image issue

February 18, 2014

If you accidentally erased the whole flash and killed every image you had, here is how to restore.  Create a TFTP server and, from the ASA, enter ROMMON mode.


Rommon mode:

  • ADDRESS=192.168.1.x
  • GATEWAY=192.168.1.x
  • SERVER=192.168.1.x
  • IMAGE=(image file name)
  • tftpdnld -> hit enter
  • do a reset

Make sure your confreg is 0x0000001.

Windows 2003 to Windows 2008R2 CA server migration

February 15, 2014


We use a Windows CA server at work for our Cisco ASAs.  We wanted to upgrade to 2008R2.  Below are the links or instructions for setting that up.  We use a SinglePassword setup because we deploy ASAs to new locations all the time.

- Migration of the CAs from the old server to the new server.  Follow this document.  FYI: give the new server the same name and the same CA name.  The default setup in 2008 will try to attach "CA" to the end of the server name; in Windows 2003 this didn't happen, so be careful.

- Setting up the SinglePassword setup.  FYI: the instructions are wrong about the registry path; it's HKEY_LOCAL_MACHINE\System\Microsoft\…..

Access your CA server to get password info.
http://<ip address>/certsrv/mscep_admin/

Also, you may need to restart IIS or the system.  The first time during setup it took a while to come up.

PF Firewall settings

February 7, 2014

Here are my PF settings.  Very basic, for a firewall on one PC.  I'm not running a router or gateway off my PC.

What this does is block everything coming in, allow anything out and remember its state so replies can come back in.  I do allow SSH in from the outside, and to protect me from hackers I have enabled the <ssh_bruteforce> table and made it add any IP address that has 3 bad login attempts in 60 seconds to the table.  They will be blocked indefinitely.


# Steve's PF Firewall Rules

ext_if = "ale0"
ext_ip = "( " $ext_if " )"
tcp_services = "{ 22 }"
#icmp_types = "echoreq"

# Tables
table <ssh_bruteforce> persist

# Return a reset for all blocks
set block-policy return

# Ignore the loopback
set skip on lo0

# Anything in the blacklist should be stopped here
block in quick on $ext_if from <ssh_bruteforce> to any

block in all
pass proto icmp all
pass out all keep state
pass in on $ext_if proto tcp from any to $ext_ip port $tcp_services flags S/SA keep state (max-src-conn-rate 3/60, overload <ssh_bruteforce> flush global)
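The overload rule counts new connections, so anything that opens three SSH sessions within a minute, your own scripts included, lands in <ssh_bruteforce> and stays there until the table is edited by hand. An added maintenance script (not from the original post) releases addresses found in an allowlist file and expires the rest after a day; the table name is the post's, the allowlist path and the 86400 second age are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Run from cron to keep the
# <ssh_bruteforce> overload table from locking out known-good hosts forever.

TABLE=ssh_bruteforce
ALLOWLIST=${ALLOWLIST:-/usr/local/etc/pf.ssh_allow}   # assumed path, one address per line
MAX_AGE=86400                                          # seconds an entry may stay blocked

# Read "pfctl -t TABLE -T show" output (one address per line, leading
# whitespace) from stdin and print the addresses that are on the allowlist.
# Comment lines (#) in the allowlist are ignored.
allowlisted_in_table() {
    allow=$1
    awk -v allow="$allow" '
        FILENAME == allow { if (NF && $1 !~ /^#/) ok[$1] = 1; next }
        { sub(/^[[:space:]]+/, ""); if ($1 in ok) print $1 }
    ' "$allow" -
}

# Print the pfctl commands that would be run for the table dump in file $1:
# one delete per allowlisted address, then an expire for stale entries.
plan_cleanup() {
    table_dump=$1
    allowlisted_in_table "$ALLOWLIST" < "$table_dump" |
        while read -r addr; do
            echo "pfctl -t $TABLE -T delete $addr"
        done
    echo "pfctl -t $TABLE -T expire $MAX_AGE"
}

# Dump the live table and execute the plan (needs root and a pf host).
apply_cleanup() {
    command -v pfctl >/dev/null || { echo "pfctl not found" >&2; return 1; }
    dump=$(mktemp)
    pfctl -t "$TABLE" -T show > "$dump"
    plan_cleanup "$dump" | sh
    rm -f "$dump"
}

# Usage: sh pf_ssh_cleanup.sh --apply   (without the flag nothing is changed)
if [ "${1:-}" = --apply ]; then apply_cleanup; fi
```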

Cisco 2900 voice router – Unavailable Resource error

February 7, 2014

Cisco 2900 router with a T1 setup.  Calls were coming in but we were getting an "unavailable resources" error.  The error made it seem like our router was generating it, and it was, but the cause was the telco's router/equipment.  It would then disconnect the call, but first it seemed to transfer the call back to the local telco switch.

#debug isdn q931

Cause i = 0x82AF – Resource unavailable, unspecified

Found the error code HERE.

We rebooted the telco equipment and all works well now.  What seems to have happened is that the telco router was trying to use a channel we do not use when it set up the call.

IP SLA config sample

January 3, 2014

Simple setup with two ISPs.  One ISP plugs directly into the router (MPLS network); the second ISP plugs into an ASA, and the ASA then plugs into the router.

We have set all traffic not destined for the MPLS network to go out through the ASA-connected ISP.  If that link fails, the default route for the MPLS network, which comes from OSPF, kicks in until the ISP connected to the ASA comes back up.

IPADDRESS = any IP address pingable on that ISP's side.  Preferably use the ISP's DNS server.
INTERFACE = interface connected to the second ISP, or in my case the ASA.

(*) = optional

##### config ######

ip sla 1
icmp-echo {IPADDRESS} source-interface {INTERFACE}
* frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
* delay down 10 up 1

ip route track 1
ip route track 1

Bash backup script

December 15, 2013

Just a simple backup script and my cron entry.  This script checks whether your USB device exists.  If so, it mounts it, rsyncs, echoes a date and a "complete" string into a file, then unmounts the drive.  If the USB device doesn't exist, it echoes a fail into a file.

My script runs every night 1 minute after 3am.

*The reason I unmount is so I can just yank it out whenever I want.  Also, with any *nix there is more than one way to skin a cat; this is the way I figured out on my own.

#######  SCRIPT ########


#!/bin/sh
# Back up /data to the USB disk, but only when the disk is actually plugged in
if [ -e /dev/da0p1 ]; then
    /sbin/mount /dev/da0p1 /backup
    /usr/local/bin/rsync -a --delete /data/ /backup/
    echo "$(date) COMPLETE" >> /home/user/backup.log
    /sbin/umount -f /backup
else
    echo "$(date) FAILED" >> /home/user/backup.log
fi


##############  CRONTAB ENTRY ##########

1 3 * * * root cd /home/user && ./
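An added, stricter version of the script (not the post's own): if the mount fails, the original would rsync --delete into the empty /backup directory on the root filesystem and still log COMPLETE, so this one verifies with df -P that the USB filesystem is really mounted before syncing and checks rsync's exit status. Device, paths and log file are the post's values.

```shell
#!/bin/sh
# Added example, not from the original post. Same job as the post's script,
# but every step that can fail is checked before the next one runs.

DEV=/dev/da0p1
MNT=/backup
SRC=/data/
LOG=/home/user/backup.log

# Device currently mounted at mount point $1 (POSIX df -P: FreeBSD and Linux)
mounted_device() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $1 }'
}

# True only if device $1 is the filesystem mounted at $2
is_device_mounted() {
    [ -n "$1" ] && [ "$(mounted_device "$2")" = "$1" ]
}

log() { echo "$(date) $*" >> "$LOG"; }

run_backup() {
    if [ ! -e "$DEV" ]; then
        log "FAILED: $DEV not present"
        return 1
    fi
    /sbin/mount "$DEV" "$MNT" 2>>"$LOG"
    # Never rsync --delete into the bare mount point on the root filesystem
    if ! is_device_mounted "$DEV" "$MNT"; then
        log "FAILED: $DEV is not mounted on $MNT, skipping rsync"
        return 1
    fi
    if /usr/local/bin/rsync -a --delete "$SRC" "$MNT/" 2>>"$LOG"; then
        log "COMPLETE"
        rc=0
    else
        log "FAILED: rsync returned an error"
        rc=1
    fi
    # Plain umount (not -f) so a busy disk is reported instead of yanked
    /sbin/umount "$MNT" || log "WARNING: umount $MNT failed, do not unplug yet"
    return $rc
}

# Cron entry: 1 3 * * * root /home/user/backup.sh --run
if [ "${1:-}" = --run ]; then run_backup; fi
```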


