[SLUG] OpenRG v's m0n0wall

2008-04-17 Thread Kyle

Hi folks,

can someone offer an educated opinion on the benefits/disadvantages of 
OpenRG's firewall over m0n0wall and/or vice versa pls.


I have the choice of either sticking with a Linksys RV082 (which 
apparently runs OpenRG) or moving to a m0n0 based firewall.


I know m0n0 is highly regarded, but have yet to find any community 
opinions on OpenRG (Only commercial reviews which focus on the whole as 
opposed to the firewall).


Does someone here have any experience pls?
--

Kind Regards

Kyle

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


[SLUG] Thanks Re: Disk Full Message

2008-04-17 Thread bill
Thanks to all that provided suggestions and advice. I learned quite a 
lot from your comments.


Problem however was due to an errant line in /etc/mtab - once the line was 
removed, there was no longer a problem - it's apparently a known problem 
with Ubuntu.


Thanks again

Bill


Re: [SLUG] Thanks Re: Disk Full Message

2008-04-17 Thread Martin Visser
Bill,

No worries. Any chance of letting the list know what the errant line
was? It might help others for next time

Martin

On Thu, Apr 17, 2008 at 4:32 PM, bill [EMAIL PROTECTED] wrote:
 Thanks to all that provided suggestions and advice. I learned quite a lot
 from your comments.

  Problem however was due to an errant line in /etc/mtab - once the line was
 removed, there was no longer a problem - it's apparently a known problem with
 Ubuntu.

  Thanks again

  Bill




-- 
Regards, Martin

Martin Visser


Re: [SLUG] Manipulating DNS

2008-04-17 Thread John Clarke
On Thu, Apr 17, 2008 at 09:05:33 +0545, Howard Lowndes wrote:

Howard,

 I don't want to start fiddling with dhclient, nor with /etc/resolv.conf, 
 but I would like to get at least some of the internal zone presented to 

If you don't want to use resolvconf to sort it out (and I'm not
recommending you do, just noting it as an option), here are a
couple of solutions I've used with openvpn:

If you only want localhost to be able to resolve the internal zone,
do a zone transfer from the remote name server after the vpn comes up
and populate /etc/hosts.   When the vpn goes down (or the machine is
rebooted), remove the extra hostnames from /etc/hosts.

If you want other hosts on the LAN to see the internal zone, have a
second bind config file (with /etc/bind9/named.conf.local as a symlink
to the one you're actually using) with the appropriate config to use
the remote servers, then switch the symlink and reload bind when the
vpn comes up.  This requires that you either run the vpn client on
the same host as the local name server, or you have some way to signal
to the name server that the vpn is up/down.


Cheers,

John
-- 
Object-[dis]oriented INTERCAL.  I have seen the compiler, and it runs.
Why do I now feel like the hero in one of those H. P. Lovecraft stories
who has seen something no mortal man was ever meant to see, and who is
marginally less sane thereafter?  -- Charlie Stross
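John's first approach above (AXFR the internal zone when the VPN comes up, write it into /etc/hosts, take it out again on the way down), as an added example that is not part of the thread. It assumes the internal name server permits zone transfers from the VPN client, that `dig` is installed, and that the script is wired in as the openvpn `--up`/`--down` hook; the zone name and server address are placeholders. The managed entries sit between marker comments so the removal step never touches the rest of /etc/hosts, and the file is rewritten in place rather than replaced so its owner and mode survive.

```shell
#!/bin/sh
# Added example (not from the original thread): populate /etc/hosts from a
# zone transfer when the VPN comes up, and remove those entries on the way
# down. Assumptions (not in the original post): the internal name server
# allows AXFR from the VPN client, "dig" is installed, and this runs as the
# openvpn --up / --down hook. ZONE and NS below are placeholders.
set -eu

ZONE="${ZONE:-internal.example}"        # assumed zone name
NS="${NS:-10.0.0.1}"                    # assumed internal name server
HOSTS="${HOSTS:-/etc/hosts}"            # overridable for testing
BEGIN="# BEGIN vpn-zone ${ZONE}"
END="# END vpn-zone ${ZONE}"

# axfr_to_hosts: turn "dig AXFR" output (stdin) into hosts(5) lines on stdout.
# Only A records are kept; the trailing dot is stripped; an address seen
# twice is emitted once (first name wins). CNAME, MX, SOA etc. are ignored
# because /etc/hosts can only hold name-to-address pairs.
axfr_to_hosts() {
    awk '$4 == "A" && $1 !~ /^;/ {
            name = $1; sub(/\.$/, "", name)
            if (!seen[$5]++) printf "%s\t%s\n", $5, name
        }'
}

# strip_managed: print the hosts file with our marked block removed.
strip_managed() {
    awk -v b="$BEGIN" -v e="$END" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip' "$HOSTS"
}

# install_zone: replace (or add) the managed block, taking entries on stdin.
install_zone() {
    tmp=$(mktemp)
    { strip_managed; printf '%s\n' "$BEGIN"; cat; printf '%s\n' "$END"; } > "$tmp"
    cat "$tmp" > "$HOSTS"      # cat, not mv: keep owner/mode of /etc/hosts
    rm -f "$tmp"
}

remove_zone() {
    tmp=$(mktemp)
    strip_managed > "$tmp"
    cat "$tmp" > "$HOSTS"
    rm -f "$tmp"
}

# Hook entry point. "+nocmd +nocomments +nostats" silence dig's chatter so
# only records reach awk; a refused transfer prints only ";" lines, which
# axfr_to_hosts drops, so an empty result is treated as a failure.
case "${1:-}" in
    up)
        records=$(dig +nocmd +nocomments +nostats "@$NS" "$ZONE" AXFR | axfr_to_hosts)
        [ -n "$records" ] || { echo "AXFR of $ZONE from $NS yielded no A records" >&2; exit 1; }
        printf '%s\n' "$records" | install_zone ;;
    down)
        remove_zone ;;
esac
```

Running it twice with `up` does not duplicate the block, so a flapping VPN is safe; `down` after a reboot that already cleared /etc/hosts is a no-op.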


[SLUG] Bi-directional ssh

2008-04-17 Thread Richard Heycock
Is it possible to use ssh as a type of dynamic vpn so that when I
connect to a remote machine the remote machine has access to the
initiating machine?

rgh

-- 
+61 (0) 410 646 369
[EMAIL PROTECTED]

You're worried criminals will continue to penetrate into cyberspace, and
I'm worried complexity, poor design and mismanagement will be there to meet
them - Marcus Ranum





Re: [SLUG] Bi-directional ssh

2008-04-17 Thread Jeff Waugh
Richard Heycock wrote:

 Is it possible to use ssh as a type of dynamic vpn so that when I connect
 to a remote machine the remote machine has access to the initiating
 machine?

See the man page section for the -R option to map a remote port to a local
port. It complements the -L option, which does the opposite. I don't believe
there's a reverse analogue to the -D option though (SOCKS proxy through the
remote end), so you're stuck with port mapping.

You can also do sick stuff like ppp-over-ssh.

Or sensible stuff like OpenVPN.

:-)

- Jeff

-- 
OSCON 2008: Portland OR, USA   http://conferences.oreilly.com/oscon/
 
   I believe in true love. But I am easily satisfied. - Miguel de Icaza


Re: [SLUG] Bi-directional ssh

2008-04-17 Thread jam

On Thu, 2008-04-17 at 19:17 +1000, [EMAIL PROTECTED] wrote:
 Is it possible to use ssh as a type of dynamic vpn so that when I
 connect to a remote machine the remote machine has access to the
 initiating machine?

From your machine:

ssh -L 1200:localhost:22 [EMAIL PROTECTED]
ssh -p 1200 [EMAIL PROTECTED]

usually useful in this context
ssh -L 1200:another.local.machine:22 [EMAIL PROTECTED]

From other machine:

ssh -R 1200:localhost:22 [EMAIL PROTECTED]
and from your machine
ssh -p 1200 [EMAIL PROTECTED]

To stop localhost bitching from ssh
.ssh/config
Host localhost
StrictHostKeyChecking no

James



Re: [SLUG] Bi-directional ssh

2008-04-17 Thread Richard Heycock
Excerpts from Jeff Waugh's message of Thu Apr 17 19:58:57 +1000 2008:
 Richard Heycock wrote:
 
  Is it possible to use ssh as a type of dynamic vpn so that when I connect
  to a remote machine the remote machine has access to the initiating
  machine?
 
 See the man page section for the -R option to map a remote port to a local
 port. It complements the -L option, which does the opposite. I don't believe
 there's a reverse analogue to the -D option though (SOCKS proxy through the
 remote end), so you're stuck with port mapping.
 
 You can also do sick stuff like ppp-over-ssh.
 
 Or sensible stuff like OpenVPN.

I was hoping to avoid using OpenVPN I use that in lots of places as it
is and given that I only need this for deployment it seemed like overkill.

rgh


 :-)
 
 - Jeff
 

-- 
+61 (0) 410 646 369
[EMAIL PROTECTED]

You're worried criminals will continue to penetrate into cyberspace, and
I'm worried complexity, poor design and mismanagement will be there to meet
them - Marcus Ranum





[SLUG] Re: looking for a command to composite sequentially numbered files

2008-04-17 Thread elliott-brennan

Hi Glenn,

Tried that just now...nope.

I'm clueless as to what the problem is. I'm running:

Kubuntu (Dapper) 6.06
imagemagick 6.2.4.5-0.6ubuntu0

I've no idea why this is not working.

Regards,

Patrick




[EMAIL PROTECTED]
Wed, 16 Apr 2008 06:36:25 -0700 (PDT)

G'Day.  Removing the second echo might help.

Glenn


--
Registered GNU/Linux User 368634


Re: [SLUG] Can I be comfortable with this log message

2008-04-17 Thread Rick Phillips

On Thu, 2008-04-17 at 14:01 +1000, Michael Chesterton wrote:
 On 17/04/2008, at 6:09 AM, Rick Phillips wrote:
 
   1 possible successful probes
  /long_path_to_file/../../../etc/passwd HTTP Response 200
 
  With the environment (described above) in place, should I be  
  worried or
  should I be confident that I have taken every precaution I can take?
 
 
 I would be a little concerned if they can download /etc/passwd, they  
 could
 download a more sensitive file.  Have you tried to download passwd  
 yourself?
 does it actually work?
 
 What's your DocumentRoot, out of curiosity?
 
Thanks to all who have replied and reinforced my confidence in what I
have been doing.

I don't have much gold but I have been through the pain of having my
server hacked twice in quick succession some years ago when I was wetter
behind the ears.  Those events alone caused me to be somewhat paranoid.
The server in question is a small commercial server but I maintain
several others following the same rules I have outlined in my original
email.  It is not convenient for me to have to restore from any backups
as some sites are inconveniently too far away.

I do like one respondent said, keep a mirror image on a spare disk, and
when I was hacked that got me up again in minutes, but this is not always
convenient, especially when sites and email accounts change frequently.

I think the exclusion of all connectivity except for a single IP address
is my greatest protection along with frequently changing complex
passwords and a non standard port.

I was looking also to see if anyone had something to offer that I had
not thought of but I am resting much easier now.

Thanks again to all who responded.

Rick



Re: [SLUG] Thanks Re: Disk Full Message

2008-04-17 Thread bill

Martin Visser wrote:

Hi Martin,

Ooops - I usually put the solution into my posts - forgot this time.

Errant line was overflow /tmp tmpfs rw,size=1048576,mode=1777 0 0

Info obtained from Ubuntu Forums:
http://ubuntuforums.org/showthread.php?t=677185&page=2


Bill



Bill,

No worries. Any chance of letting the list know what the errant line
was? It might help others for next time

Martin
  




[SLUG] Still looking for speakers

2008-04-17 Thread Sridhar Dhanapalan
Hello SLUGgers!

We are still in need of a speaker for our In-Depth slot at the next SLUG 
meeting on May 2. I've copied the announcement below.

For more information on speaking at SLUG, please see these resources:
  * http://www.slug.org.au/cfp.html
  * http://www.slug.org.au/meetings/guide.html


Thanks!
Sridhar


--  Forwarded Message  --

Subject: SLUG Monthly Meeting, Friday 2 May

Our last announcement contained an error in the subject line. Please accept 
our apologies.


== April SLUG Monthly Meeting ==

You can read the full version of this announcement on the Web at 
http://www.slug.org.au/node/97


When:
   18.30 - 20.30, Friday, 2 May, 2008

NOTE: Due to a clash with ANZAC Day, the April SLUG meeting has been deferred 
by one week to 2 May. The official May meeting will not be affected.

We start at 18:30 but we ask that people arrive 15 minutes early so we can all 
get into the building and start on time. Please do not arrive before 18:00, 
as it may hinder business activities for our host!

Appropriate signage and directions will be posted on the building.


Where:
   Atlassian[0], 173-185 Sussex Street, Sydney
   (corner of Sussex and Market Street)

Entry is via the rear on Slip Street. There are stairs going down along the 
outside of building from Sussex St to near the entrance. A map of the area 
and directions can be found here[1].


= Talks =

General Talk:
  Matthew Palmer - Deploying and Managing large scale Linux deployments

In-Depth Talk:
  TBA

We will release another announcement after we confirm our speakers.


= Meeting Schedule =

See here[2] for an explanation of the segments.

* 18:15 : Open Doors
* 18:30 : Announcements, News, Introductions
* 18:45 : General Talk (see above)
* 19:30 : Intermission
* 19:45 : Split into two groups for
* In-depth Talk (see above)
* SLUGlets: Linux QA and other miscellany
* 20:30 : Dinner

Dinner is at Golden Harbour Restaurant, in Chinatown. We will be having the 
$24 Banquet[3], but we will be collecting $25 per head for ease of accounting 
and to cover a tip. We will be taking numbers during the break to confirm the 
reservation size. If you have any particular dietary requirements (e.g. 
vegetarian), or if you would prefer to order separately, let us know 
beforehand. Dinner is a great way to socialise and learn in a relaxed 
atmosphere :)

We hope to see you there!


[0] http://www.atlassian.com
[1] http://tinyurl.com/35fxes
[2] http://www.slug.org.au/meetings/meetingformat
[3] http://www.goldenharbour.com.au/specials.html

---

-- 
Sridhar Dhanapalan
President
Sydney Linux Users Group
http://www.slug.org.au



Re: [SLUG] Manipulating DNS

2008-04-17 Thread Amos Shapira
On Thu, Apr 17, 2008 at 4:56 PM, John Clarke [EMAIL PROTECTED] wrote:
 On Thu, Apr 17, 2008 at 09:05:33 +0545, Howard Lowndes wrote:

  Howard,

   I don't want to start fiddling with dhclient, nor with /etc/resolv.conf,
   but I would like to get at least some of the internal zone presented to

  If you don't want to use resolvconf to sort it out (and I'm not
  recommending you do, just noting it as an option), here are a
  couple of solutions I've used with openvpn:

  If you only want localhost to be able to resolve the internal zone,
  do a zone transfer from the remote name server after the vpn comes up
  and populate /etc/hosts.   When the vpn goes down (or the machine is
  rebooted), remove the extra hostnames from /etc/hosts.

I was wondering about exactly that problem with my use of our
company's vpn from my Ubuntu 7.10 laptop.

I never got around to check this but we use an internal domain
company.local for the internal IP address, wouldn't it be possible
to configure a DNS server (bind9) on the laptop to forward
.company.local to the internal DNS server and the rest to the
'default' DNS server? It looks like the zone statement with type
forward would achieve just that.

For Howard's original question, maybe he can just set up a forward
zone for soho.lannet.com which forwards to the internal DNS server,
and forwards the rest of the zones to the default upstream.

(ref: 
http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#zone_statement_grammar)

If someone comes up with the exact incantation to do that I'd
appreciate to see a copy of such a config.

--Amos


Re: [SLUG] Bi-directional ssh

2008-04-17 Thread Sonia Hamilton
On Thu, 2008-04-17 at 19:58 +1000, Jeff Waugh wrote:
 Richard Heycock wrote:
 
  Is it possible to use ssh as a type of dynamic vpn so that when I connect
  to a remote machine the remote machine has access to the initiating
  machine?
 
 See the man page section for the -R option to map a remote port to a local
 port. It complements the -L option, which does the opposite. I don't believe
 there's a reverse analogue to the -D option though (SOCKS proxy through the
 remote end), so you're stuck with port mapping.
 
 You can also do sick stuff like ppp-over-ssh.
 
 Or sensible stuff like OpenVPN.

For what you're trying to do, autossh would be useful - keeps a -L/-R tunnel 
alive permanently. I've used it with success to solve *cough* various firewall 
issues at POE's.

$ sudo aptitude install autossh
$ dpkg -L autossh | less

-- 
Thanks,

Sonia Hamilton
http://soniahamilton.wordpress.com
http://www.linkedin.com/in/soniahamilton

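The `-R` tunnel James spells out above and the autossh wrapper Sonia suggests, put together as an added example that is not part of the thread. It assumes autossh is installed on the initiating machine, that the far end is reachable as `deploy@remote.example`, and that port 1200 is free on it; those names are placeholders. The part worth noting is the `HostKeyAlias` stanza, which goes into the *remote* user's ~/.ssh/config: it gives the tunnelled port its own known_hosts entry, so the initiating machine's host key is still verified on every connection and there is no need to switch `StrictHostKeyChecking` off for "localhost". (Newer OpenSSH, 7.6 onward, also accepts `-R` with just a port for a reverse SOCKS proxy, which covers the `-D` analogue asked about earlier in the thread.)

```shell
#!/bin/sh
# Added example, not from the thread: a persistent reverse tunnel so the
# remote end can reach this machine's sshd, without disabling host key
# checking. Assumptions (none from the original posts): autossh is installed
# on the initiating machine, the remote host is reachable as
# deploy@remote.example, and port 1200 is free there.
set -eu

REMOTE="${REMOTE:-deploy@remote.example}"
PORT="${PORT:-1200}"
SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"

# tunnel_args: argument list for the initiating (forwarding) side, one per line.
#   -N                     no remote shell, forwarding only
#   -R PORT:localhost:22   remote side's 127.0.0.1:PORT -> our sshd
#   ExitOnForwardFailure   exit (so autossh restarts) if PORT is already taken
#   ServerAliveInterval    notice a dead link instead of hanging forever
tunnel_args() {
    printf '%s\n' -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -R "$PORT:localhost:22" "$REMOTE"
}

# alias_stanza: ssh_config Host entry for the REMOTE user's ~/.ssh/config.
# HostKeyAlias pins the tunnelled port to its own known_hosts entry, so the
# initiating machine's key is checked every time instead of colliding with
# whatever "localhost" already means on the remote host.
alias_stanza() {
    alias_name="$1"   # e.g. "kyle-laptop"
    printf 'Host %s\n    HostName 127.0.0.1\n    Port %s\n    HostKeyAlias %s\n' \
        "$alias_name" "$PORT" "$alias_name"
}

# add_alias: append the stanza unless a Host entry of that name exists.
add_alias() {
    alias_name="$1"
    if grep -qs "^Host $alias_name\$" "$SSH_CONFIG"; then
        return 0
    fi
    mkdir -p "$(dirname "$SSH_CONFIG")"
    alias_stanza "$alias_name" >> "$SSH_CONFIG"
}

# Usage: on the initiating machine "start"; on the remote host "alias NAME",
# after which "ssh NAME" there lands on the initiating machine's sshd.
case "${1:-}" in
    start)
        # AUTOSSH_GATETIME=0: keep retrying even if the very first attempt
        # fails (link not up yet). -M 0: rely on ServerAlive, not autossh's
        # own monitor port, which would need a second forwarded port.
        AUTOSSH_GATETIME=0 exec autossh -M 0 $(tunnel_args) ;;
    alias)
        add_alias "${2:?usage: $0 alias NAME}" ;;
esac
```

The first `ssh kyle-laptop` on the remote side prompts for the initiating machine's key fingerprint, which is the moment to compare it against `ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub` on the initiating machine; after that the key is pinned under the alias.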


Re: [SLUG] Manipulating DNS

2008-04-17 Thread Sonia Hamilton
On Fri, 2008-04-18 at 09:23 +1000, Amos Shapira wrote:
 I never got around to check this but we use an internal domain
 company.local for the internal IP address, wouldn't it be possible
 to configure a DNS server (bind9) on the laptop to forward
 .company.local to the internal DNS server and the rest to the
 'default' DNS server? It looks like the zone statement with type
 forward would achieve just that.

Slightly OT question here: given that zeroconf now uses .local, is
using .local for internal domains via bind the right way to do things,
or should another name be used?

-- 
Thanks,

Sonia Hamilton
http://soniahamilton.wordpress.com
http://www.linkedin.com/in/soniahamilton



Re: [SLUG] Can I be comfortable with this log message

2008-04-17 Thread Tony Sceats
since you've professed a renewed confidence, this may be quite moot, but you
can always look at mod_security which will, amongst other things, stop the
directory traversal attacks which you have been suffering from.

Here's an article you may be interested in

http://www.securityfocus.com/infocus/1739



On Thu, Apr 17, 2008 at 5:33 PM, Rick Phillips [EMAIL PROTECTED] wrote:


 On Thu, 2008-04-17 at 14:01 +1000, Michael Chesterton wrote:
  On 17/04/2008, at 6:09 AM, Rick Phillips wrote:
  
    1 possible successful probes
   /long_path_to_file/../../../etc/passwd HTTP Response 200
  
   With the environment (described above) in place, should I be
   worried or
   should I be confident that I have taken every precaution I can take?
  
 
  I would be a little concerned if they can download /etc/passwd, they
  could
  download a more sensitive file.  Have you tried to download passwd
  yourself?
  does it actually work?
 
  What's your DocumentRoot, out of curiosity?
 
 Thanks to all who have replied and reinforced my confidence in what I
 have been doing.

 I don't have much gold but I have been through the pain of having my
 server hacked twice in quick succession some years ago when I was wetter
 behind the ears.  Those events alone caused me to be somewhat paranoid.
 The server in question is a small commercial server but I maintain
 several others following the same rules I have outlined in my original
 email.  It is not convenient for me to have to restore from any backups
 as some sites are inconveniently too far away.

 I do like one respondent said, keep a mirror image on a spare disk, and
 when I was hacked that got me up again in minutes, but this is not always
 convenient, especially when sites and email accounts change frequently.

 I think the exclusion of all connectivity except for a single IP address
 is my greatest protection along with frequently changing complex
 passwords and a non standard port.

 I was looking also to see if anyone had something to offer that I had
 not thought of but I am resting much easier now.

 Thanks again to all who responded.

 Rick


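Michael's question earlier in the thread (does the traversal actually work, or is the 200 just a friendly error page?) is the right one, and the log line Rick quoted is the kind of thing to pull out of the access log systematically. The following is an added example, not from the thread: it scans combined-format access log lines for traversal attempts and reports the ones that got a 200, which are the ones to verify by hand by fetching the same URL and looking at the body. The log lines inside it are constructed; the only assumption about the environment is the combined log format (request in quotes, status as the field after the closing quote). The decoding step is the point: scanners send `%2e%2e%2f`, double-encoded `%252e`, and backslashes precisely because a plain grep for `../` misses them.

```shell
#!/bin/sh
# Added example, not from the thread: find directory traversal attempts in
# a combined-format access log and flag those answered with 200.
# Assumption: combined log format. The sample log below is constructed.
set -eu

# traversal_hits: reads log lines on stdin; prints "STATUS CLIENT TARGET"
# for each request whose target, after URL-decoding twice (catches %252e),
# contains a ".." segment. Backslashes are normalised to "/" first.
traversal_hits() {
    awk '
    function hexval(h,   i, v) {          # "2f" -> 47, without gawk strtonum
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return v
    }
    function urldecode(s,   out, c) {
        out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hexval(substr(s, 2, 2)))
                s = substr(s, 4)
            } else {
                out = out c
                s = substr(s, 2)
            }
        }
        return out
    }
    {
        # CLIENT - USER [TIME] "METHOD TARGET PROTO" STATUS SIZE "REF" "UA"
        n = split($0, q, "\"")
        if (n < 3) next
        split(q[2], req, " ")
        target = urldecode(urldecode(req[2]))
        gsub(/\\/, "/", target)
        if (target ~ /\.\.(\/|$)/) {
            split(q[3], rest, " ")
            printf "%s %s %s\n", rest[1], $1, target
        }
    }'
}

# successful_traversals: only the hits the server answered with 200.
successful_traversals() {
    traversal_hits | awk '$1 == "200"'
}

# sample_log: constructed lines for demonstration (not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [17/Apr/2008:06:09:01 +1000] "GET /long_path_to_file/../../../etc/passwd HTTP/1.1" 200 1517 "-" "Mozilla/4.0"
192.0.2.11 - - [17/Apr/2008:06:09:02 +1000] "GET /cgi-bin/..%2f..%2f..%2fetc/passwd HTTP/1.0" 404 287 "-" "-"
192.0.2.12 - - [17/Apr/2008:06:09:03 +1000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
192.0.2.13 - - [17/Apr/2008:06:09:04 +1000] "GET /images/logo..png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.14 - - [17/Apr/2008:06:09:05 +1000] "GET /docs/..\..\windows\win.ini HTTP/1.1" 400 301 "-" "-"
EOF
}

# Usage: successful_traversals < /var/log/apache2/access.log
if [ $# -gt 0 ]; then
    successful_traversals < "$1"
fi
```

On the sample, lines 1, 2, 3 and 5 are traversal attempts and lines 1 and 3 were answered with 200; `logo..png` is left alone because the dots are not a path segment. A 200 here is a prompt to test, not proof of compromise: many sites return 200 with a custom "not found" page, which is what Michael's "does it actually work?" is getting at.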


Re: [SLUG] Manipulating DNS

2008-04-17 Thread Jeff Waugh
Sonia Hamilton wrote:

 Slightly OT question here: given that zeroconf now uses .local, is using
 .local for internal domains via bind the right way to do things, or
 should another name be used?

Avoid using local, because otherwise most mDNS systems will basically bail
out of helping you with local lookups. I generally use 'home' for, uh, home.
:-)

- Jeff

-- 
OSCON 2008: Portland OR, USA   http://conferences.oreilly.com/oscon/
 
It's not sufficient to 'use simple words to explain things'. Things
  must actually *be* simple, which is much harder. - Martin Pool


Re: [SLUG] Manipulating DNS - some progress to report

2008-04-17 Thread Martin Barry
Howard Lowndes wrote:

 I then went and looked at the man page for dhclient and saw that there  
 can be such a thing as a dhclient.conf file.  I don't have one in /etc/  
 so I created /etc/dhclient.conf with the following lines:

SNIP

 which seems to accord with the man page, but it appears (judging by a  
 strace) that neither dhclient nor dhclient-script looks at that file.

the man page should have provided some guidance but see if you have a
directory /etc/dhcp/ or /etc/dhcp3/ that dhclient might be looking in.

cheers
marty

-- 
Skirwan - And if pigs can fly, and I can ride one, and they fly me to hell, 
   and it just froze over, and we all have ice cream... [1]

talonyx - I really need to stop reading Slashdot while on codeine. [2]

[1] - http://slashdot.org/comments.pl?sid=28984&cid=3113144
[2] - http://slashdot.org/comments.pl?sid=28984&cid=3113355


Re: [SLUG] Manipulating DNS - some progress to report

2008-04-17 Thread Martin Barry
Howard Lowndes wrote:

 Nuffink, just /etc/dhcpd.conf (which I only use when I have interface  
 eth1 running), and /etc/dhclient.conf which I have just created.

 I might try creating a /etc/dhcp/ directory and the symlinking into it.

 I tried that but it didn't do the trick.

which distribution? what dhclient version?

cheers
marty

-- 
I simply tell them If _I_ don't have a ticket number then _you_ don't have 
a problem. Call the helpdesk. Repeat as many times as necessary.
- Jay Mottern

alt.sysadmin.recovery - [EMAIL PROTECTED]


Re: [SLUG] Manipulating DNS - got it!!

2008-04-17 Thread Amos Shapira
On Fri, Apr 18, 2008 at 3:06 PM, Howard Lowndes [EMAIL PROTECTED] wrote:
  I did this and it was successful, both for internal and external domains
 (tks Amos for that suggestion), and here are the lines from /etc/named.conf:

And how does it work when the VPN is NOT connected? Is it smart enough
to figure out not to try 10.2.2.{1,41} when the VPN is down and go
directly to the external DNS?

What I'm worried about is that the VPN-relevant setup will slow
everything down when the VPN is not connected, timing out on the
internal DNS servers.

Thanks for the update, it's a great help.

--Amos
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html