Problem with sshd2 package ssh2

2002-10-30 Thread UnKnown
This begins with a disk migration I did some time ago; since then, whenever
I try to connect from any server to this host I receive an error and get
disconnected. Then the logs show me this:

Oct 30 04:26:49 morquio sshd2[17065]: FATAL ERROR: Executing ssh1 in
compatibility mode failed.

The other problem happens when any non-root user tries to create or open a terminal
under X, an Eterm or any other, or print an error, saying that the user has no
rights to access the terminal.
The rights were preserved when the disk cp was made and all the rest looks
good.

Thanks
rak


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Making packages apt-get able.

2002-10-30 Thread Fred Clausen
Hi All,

I have so far not been able to find any resources describing how to set up
a ftp or http server so that you can add it to sources.list and use
apt-get to install new packages. If anyone could direct me to some docs
describing this I would be most grateful.

Regards, Fred.







Forced DHCP setup

2002-10-30 Thread Alex Borges (lex)
Hey... I want to tie up users to ip addresses and machines. This way i
can easily mangle bandwidth, squid acls and lots of stuff through my
woody box


So im thinking maybe the solution is to force users to obtain ip's from
dhcp and, if users take an ip for which they have no lease, block them
with iptables or something...


Im thinking this is probably an old trick so im asking here for pointers
and stuff as i parallely STFW for this setup... ne ideas?

 
-- 
Alex (Lex) Borges
Software Engineer
Step One Group
www.sogrp.com






Re: Forced DHCP setup

2002-10-30 Thread Kourosh
On Wed, Oct 30, 2002 at 03:39:01PM -0600, Alex Borges (lex) wrote:
 Hey... I want to tie up users to ip addresses and machines. This way i
 can easily mangle bandwidth, squid acls and lots of stuff through my
 woody box
 
 
 So im thinking maybe the solution is to force users to obtain ip's from
 dhcp and, if users take an ip for which they have no lease, block them
 with iptables or something...
 
 
 Im thinking this is probably an old trick so im asking here for pointers
 and stuff as i parallely STFW for this setup... ne ideas?
 
  
 -- 
 Alex (Lex) Borges
 Software Engineer
 Step One Group
 www.sogrp.com


Alex,

It is possible to set up DHCP so that a client always gets the same IP address
by using its MAC address.  If you set up DHCP to only have reserved IP's using
the MAC address and no other IP pool then they can't pick up any other address.

Of course, someone can spoof a MAC and they can still set up their system with
a fixed IP but casual users generally don't know how.

It does require that you know their MAC address; they can then only use that
particular NIC unless you make the change.

Man dhcpd.conf for more details.

Many universities and some ISPs do this.

I don't believe it's possible to have a user log in to get an IP.

Hope this helps.

Kourosh






Re: Making packages apt-get able.

2002-10-30 Thread Jarno Elonen
 apt-get to install new packages. If anyone could direct me to some docs
 describing this I would be most grateful.

The commands you'll have to use are 'dpkg-scanpackages' and 
'dpkg-scansources'. I don't remember the details, but it's really not too 
complicated. Just read the man pages and try them a few times and you should 
be well off.

- Jarno






RE: Forced DHCP setup

2002-10-30 Thread C. R. Oldham
 I don't believe it's possible to have a user log in to get an IP.

It is possible, in hotels that have broadband in rooms, and on some
university campuses I've been to they have a DHCP server setup to serve
addresses from a private block.  On that network there is a webserver
setup to intercept any http request coming from a client in the private
block and redirect the user to a page where he/she has to login.  On
login a cgi (or some such) makes a change in the DHCP database to
allocate the user a real IP.  The user gets instructions on the
ensuing webpage to do a release/renew and boom they are setup.

Sorry, I don't know of any opensource packages to do this, but it
shouldn't be too hard.

Of course, unless you setup your routers to block packets based on MAC
address this won't prevent someone from guessing a valid IP and
setting it up static.  

-- 
C. R. Oldham
Director of Technology
NCA CASI






RE: Forced DHCP setup

2002-10-30 Thread Jamie Penner

Telus' entire ADSL setup across Western Canada requires you to login and 
register your MAC address or you don't get a valid IP...

At 01:59 PM 10/30/02, you wrote:

 I don't believe it's possible to have a user log in to get an IP.

It is possible, in hotels that have broadband in rooms, and on some
university campuses I've been to they have a DHCP server setup to serve
addresses from a private block.  On that network there is a webserver
setup to intercept any http request coming from a client in the private
block and redirect the user to a page where he/she has to login.  On
login a cgi (or some such) makes a change in the DHCP database to
allocate the user a real IP.  The user gets instructions on the
ensuing webpage to do a release/renew and boom they are setup.

Sorry, I don't know of any opensource packages to do this, but it
shouldn't be too hard.

Of course, unless you setup your routers to block packets based on MAC
address this won't prevent someone from guessing a valid IP and
setting it up static.







Re: Forced DHCP setup

2002-10-30 Thread Alex Borges (lex)
Mangling around and all, maybe its good to discuss this idea here...

1.- Suppose i give you a list of mac addresses and the assigned ips they
should have

2.- If one makes that assumption, u guys think this would be a good way
to go at it (admin wise, maintainership...etc.):
a) Make a script that generates dhcpd3.conf
b) Make a script that generates iptables commands
   like:
       iptables -A INPUT -s $IP_USER -m mac --mac-source $MAC_USER -j ACCEPT
       # all others reject
c) Have your squid rules reflect the change:
       # dont remember, but squid blocks by mac
       acl accepted_macs arp $MAC_USER1 ... $MAC_USER_N
       acl accepted_ips src $IP_USER1 ... $IP_USER_N
       http_access allow auth_pam accepted_macs accepted_ips
       http_access deny all

Mhm... not sure if squid works that way but u get the idea it looks
horrible from the admin POV, maybe u guys can think of a better way...


 

On Wed, 30-10-2002 at 15:39, Alex Borges (lex) wrote:
 Hey... I want to tie up users to ip addresses and machines. This way i
 can easily mangle bandwidth, squid acls and lots of stuff through my
 woody box
 
 
 So im thinking maybe the solution is to force users to obtain ip's from
 dhcp and, if users take an ip for which they have no lease, block them
 with iptables or something...
 
 
 Im thinking this is probably an old trick so im asking here for pointers
 and stuff as i parallely STFW for this setup... ne ideas?
 
  
 -- 
 Alex (Lex) Borges
 Software Engineer
 Step One Group
 www.sogrp.com
 
 
 
-- 
Alex (Lex) Borges
Software Engineer
Step One Group
www.sogrp.com
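
The list-driven setup proposed in the message above, with one MAC/IP list feeding both the dhcpd host entries and the iptables rules, as an added example that is not part of the original post. The list format, the `LAN_BIND` chain name, the interface name and the sample addresses are assumptions made for the example; the rules use the `-m mac --mac-source` match from the post.

```python
"""Generate dhcpd.conf host entries and iptables rules from one MAC/IP list."""
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")

# Constructed sample list (name, MAC, IP); these values are not from the thread.
SAMPLE = """\
# name   mac                 ip
alice    00:50:56:AA:BB:01   192.168.10.11
bob      00-50-56-aa-bb-02   192.168.10.12
"""


def parse_bindings(text, subnet):
    """Return [(name, mac, ip)], rejecting malformed or duplicated entries."""
    net = ipaddress.ip_network(subnet)
    seen, out = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {n}: expected 'name mac ip'")
        name = fields[0].lower()
        mac = fields[1].lower().replace("-", ":")
        # The names end up in a config file and in shell commands, so only
        # a strict character set is accepted.
        if not NAME_RE.match(name):
            raise ValueError(f"line {n}: bad host name {name!r}")
        if not MAC_RE.match(mac):
            raise ValueError(f"line {n}: bad MAC {mac!r}")
        addr = ipaddress.ip_address(fields[2])  # ValueError if malformed
        if addr not in net or addr in (net.network_address,
                                       net.broadcast_address):
            raise ValueError(f"line {n}: {addr} is not a usable host in {net}")
        for key in (("name", name), ("mac", mac), ("ip", str(addr))):
            if key in seen:
                raise ValueError(f"line {n}: duplicate {key[0]} {key[1]}")
            seen.add(key)
        out.append((name, mac, str(addr)))
    return out


def dhcpd_conf(bindings, subnet, router):
    """Subnet with no dynamic pool plus one fixed-address host per binding."""
    net = ipaddress.ip_network(subnet)
    out = [
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"    option routers {router};",
        "    # no dynamic pool is declared: only the hosts below get a lease",
        "}",
    ]
    for name, mac, ip in bindings:
        out += [f"host {name} {{",
                f"    hardware ethernet {mac};",
                f"    fixed-address {ip};",
                "}"]
    return "\n".join(out) + "\n"


def iptables_rules(bindings, lan_if, chain="LAN_BIND"):
    """Commands that pass only traffic whose source IP matches its listed MAC."""
    rules = [
        f"iptables -N {chain}",
        # DHCP requests are sent from 0.0.0.0, so let them reach the server.
        f"iptables -A {chain} -p udp --sport 68 --dport 67 -j RETURN",
    ]
    rules += [
        f"iptables -A {chain} -s {ip} -m mac --mac-source {mac} -j RETURN"
        for _, mac, ip in bindings
    ]
    rules += [
        f"iptables -A {chain} -j DROP",  # the "all others reject" rule
        # Hook the chain in last, once it is completely filled.
        f"iptables -I INPUT -i {lan_if} -j {chain}",
        f"iptables -I FORWARD -i {lan_if} -j {chain}",
    ]
    return rules


if __name__ == "__main__":
    pairs = parse_bindings(SAMPLE, "192.168.10.0/24")
    print(dhcpd_conf(pairs, "192.168.10.0/24", "192.168.10.1"))
    print("\n".join(iptables_rules(pairs, "eth1")))
```

Regenerating both outputs from the same list keeps the lease table and the packet filter in step; as noted elsewhere in the thread, the pairing only checks that an IP arrives with its listed MAC.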






Re: Forced DHCP setup

2002-10-30 Thread Kourosh

Alex,

I suppose you could parse your leases file and create your
firewalls ruleset from that.  I know that it's possible to
have DHCP notify a DDNS server to update its records so maybe
it would be possible to have the DHCP server update a firewall
ruleset on the fly.

Of course, that doesn't stop someone from setting their own IP
to that of another user.  Joe Average Windows user won't know
how but it's not very strong security.

Other than that, you could try setting up a proxy forwarding requests
to a login page as another poster suggested but that may be _too_ 
cumbersome for an ISP.

Regards,

Kourosh

On Wed, Oct 30, 2002 at 03:55:45PM -0600, Alex Borges (lex) wrote:
 Tx for the fast response:)...
 
 Now, i know i can assign static ip's through macs and i already have
 some ways to collect all macs from everybody, no problem. The thing is,
 what if the user changes his ip address?  How can i ensure that, if
 you dont have a lease in dhcp (if you didnt get it from dhcp) then youre
 blocked.
 
 Im a checking the mans of course... tx a lot ...
 
 Lex
 
 On Wed, 30-10-2002 at 15:57, Kourosh wrote:
  On Wed, Oct 30, 2002 at 03:39:01PM -0600, Alex Borges (lex) wrote:
   Hey... I want to tie up users to ip addresses and machines. This way i
   can easily mangle bandwidth, squid acls and lots of stuff through my
   woody box
   
   
   So im thinking maybe the solution is to force users to obtain ip's from
   dhcp and, if users take an ip for which they have no lease, block them
   with iptables or something...
   
   
   Im thinking this is probably an old trick so im asking here for pointers
   and stuff as i parallely STFW for this setup... ne ideas?
   

   -- 
   Alex (Lex) Borges
   Software Engineer
   Step One Group
   www.sogrp.com
  
  
  Alex,
  
  It is possible to set up DHCP so that a client always gets the same IP address
  by using its MAC address.  If you set up DHCP to only have reserved IP's using
  the MAC address and no other IP pool then they can't pick up any other address.
  
  Of course, someone can spoof a MAC and they can still set up their system with
  a fixed IP but casual users generally don't know how.
  
  It does require that you know their MAC address; they can then only use that
  particular NIC unless you make the change.
  
  Man dhcpd.conf for more details.
  
  Many universities and some ISPs do this.
  
  I don't believe it's possible to have a user log in to get an IP.
  
  Hope this helps.
  
  Kourosh
 -- 
 Alex (Lex) Borges
 Software Engineer
 Step One Group
 www.sogrp.com
 






RE: Forced DHCP setup

2002-10-30 Thread Tim Quinlan
NoCatAuth (nocat.net) does exactly this.  Although I think NoCat is
designed with wireless in mind.  Not sure if it works with normal wired
network cards, but I can't see any reason why it wouldn't.

On Wed, 30 Oct 2002, C. R. Oldham wrote:

  I don't believe it's possible to have a user log in to get an IP.

 It is possible, in hotels that have broadband in rooms, and on some
 university campuses I've been to they have a DHCP server setup to serve
 addresses from a private block.  On that network there is a webserver
 setup to intercept any http request coming from a client in the private
 block and redirect the user to a page where he/she has to login.  On
 login a cgi (or some such) makes a change in the DHCP database to
 allocate the user a real IP.  The user gets instructions on the
 ensuing webpage to do a release/renew and boom they are setup.

 Sorry, I don't know of any opensource packages to do this, but it
 shouldn't be too hard.

 Of course, unless you setup your routers to block packets based on MAC
 address this won't prevent someone from guessing a valid IP and
 setting it up static.

 --
 C. R. Oldham
 Director of Technology
 NCA CASI






Re: DNS zone file audit tool

2002-10-30 Thread Fraser Campbell
On October 29, 2002 08:30 am, the fabulous I. Forbes wrote:

 Particularly I need something that checks that there are still
 upstream NS records pointing to our server for each domain that we
 host. Also I would like to check that our NS records point to valid
 name servers (particularly with secondary nameservers) and that our
 reverse DNS PTR records point to domains with valid A records.

 I am looking for a Debian friendly utility to help with this. I have
 had a look at nslint but it does not seem to do what we need it to
 do.

I wrote a simple perl script that did most of the things you're looking for 
just wrapping around the nslookup command (or perhaps it was host).  My 
checks (from memory) went something like this:

- find nameservers for domain, this involves working right to left through the
  hostname until no NS records are returned, it might look something like
  this:

  fraser@shieldaig:~$ host -t NS ca.
  ca  NS  ns1cira.ca
  ca  NS  ns2.uunet.ca
  ca  NS  rs0.netsol.com
  ca  NS  merle.cira.ca
  ca  NS  relay.cdnnet.ca
  ca  NS  clouso.risq.qc.ca
  fraser@shieldaig:~$ host -t NS gc.ca.
  gc.ca   NS  ns1.drenet.dnd.ca
  gc.ca   NS  relay.srv.gc.ca
  gc.ca   NS  relay.cdnnet.ca
  gc.ca   NS  rusty.srv.gc.ca
  fraser@shieldaig:~$ host -t NS ec.gc.ca.
  ec.gc.ca  NS  castor.cmc.ec.gc.ca
  ec.gc.ca  NS  pollux.cmc.ec.gc.ca
  ec.gc.ca  NS  dowsv01.tor.ec.gc.ca
  ec.gc.ca  NS  dns1.cmc.ec.gc.ca
  ec.gc.ca  NS  dns2.cmc.ec.gc.ca
- at each step along the way confirm that all nameservers contain the same
  zone information and are authoritative

The exact things you want to check should be pretty easy to wrap into a script 
as well.  It's hard to find canned scripts that do everything you want so 
it's usually easier to roll your own.

If you like I can try and track down my script for you.  I've never checked 
for a canned solution to this problem mostly because I wanted to really 
understand and analyse every detail myself ... there might be something out 
there.

Fraser
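
The right-to-left walk and the per-nameserver comparison described in the message above, as an added example that is not the script the poster mentions. It narrows "same zone information" to the NS set each server returns, adds the check that our own server is still in the delegation, and uses `dig +short` for live lookups; the `.example` names and the lookup table are constructed so the audit can run offline.

```python
"""Walk a hostname right to left and compare NS answers at each zone cut."""
import subprocess


def dig_ns(zone, server=None):
    """NS names for `zone`, asked of `server` (or of the default resolver)."""
    cmd = ["dig", "+short", "NS", zone]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout
    return {l.strip().rstrip(".").lower() for l in out.splitlines() if l.strip()}


def zone_cuts(hostname, lookup):
    """[(zone, ns_set)] from the TLD downwards, until no NS records come back."""
    labels = hostname.rstrip(".").lower().split(".")
    cuts = []
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:])
        ns = lookup(zone, None)
        if not ns:
            break
        cuts.append((zone, ns))
    return cuts


def audit(hostname, our_ns, lookup=dig_ns):
    """Return a list of findings; an empty list means every check passed."""
    cuts = zone_cuts(hostname, lookup)
    if not cuts:
        return [f"{hostname}: no NS records found for any parent name"]
    findings = []
    for zone, delegated in cuts:
        # Every listed nameserver must answer with the same NS set.
        for server in sorted(delegated):
            seen = lookup(zone, server)
            if not seen:
                findings.append(f"{zone}: {server} returned no NS records")
            elif seen != delegated:
                findings.append(
                    f"{zone}: {server} lists {sorted(seen)}, "
                    f"resolver lists {sorted(delegated)}")
    # The deepest zone found is the one we host.
    zone, delegated = cuts[-1]
    if our_ns.rstrip(".").lower() not in delegated:
        findings.append(f"{zone}: {our_ns} is not in the delegation")
    return findings


# Constructed records for an offline run: (zone, server asked) -> NS set.
TLD_NS = {"a.nic.example", "b.nic.example"}
ZONE_NS = {"ns1.isp.example", "ns2.isp.example"}
FAKE = {
    ("example", None): TLD_NS,
    ("example", "a.nic.example"): TLD_NS,
    ("example", "b.nic.example"): TLD_NS,
    ("hosted.example", None): ZONE_NS,
    ("hosted.example", "ns1.isp.example"): ZONE_NS,
    ("hosted.example", "ns2.isp.example"): {"ns1.isp.example"},  # stale copy
}


def fake_lookup(zone, server=None):
    """Stand-in for dig_ns that answers from the constructed table."""
    return set(FAKE.get((zone, server), ()))


if __name__ == "__main__":
    for finding in audit("www.hosted.example", "ns1.isp.example", fake_lookup):
        print(finding)
```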






[RE: Forced DHCP setup]

2002-10-30 Thread John
- Forwarded message from C. R. Oldham [EMAIL PROTECTED] -
Subject: RE: Forced DHCP setup
Date: Wed, 30 Oct 2002 14:59:50 -0700

 I don't believe it's possible to have a user log in to get an IP.

It is possible, in hotels that have broadband in rooms, and on some
university campuses I've been to they have a DHCP server setup to serve
addresses from a private block.  On that network there is a webserver
setup to intercept any http request coming from a client in the private
block and redirect the user to a page where he/she has to login.  On
login a cgi (or some such) makes a change in the DHCP database to
allocate the user a real IP.  The user gets instructions on the
ensuing webpage to do a release/renew and boom they are setup.

A lot of hotels and public areas use a box from Nomadix that will accept
ANY ip that a client has, even duplicates, and allow the client to
maintain the ip that's set. This is particularly excellent when Joe
Traveller plugs into the wall outlet with his laptop from the office
that's configured for 172.16.104.12/24 and the hotel uses
192.168.34.0/20 for its normal DHCP range. These nomadix boxes do
nearly all their work based on MAC address and don't really care what ip
anyone has. Same for DNS queries, it sees a DNS query anywhere on the
network? It answers.  Sending mail? Port 25 gets pushed through the
Nomadix too. It's all at the MAC layer for those devices.

That would be a great way to make what you want work, is at the MAC
layer instead of the IP layer. Of course, it's a lot more work as it's
less common, but I think someone mentioned NoCatAuth in the thread -
pursue that - it might be helpful. 

The Nomadix info is proprietary and not Open Source, so can't use that.

HTH

j






subscribe

2002-10-30 Thread Mike Thompson






AW: Ok, I'm sold!

2002-10-30 Thread Kaiser, Michael (ZIVP)

 -Original Message-
 From: Craig Sanders [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 29 October 2002 23:31
 To: Scott St. John
 Cc: debian-isp@lists.debian.org
 Subject: Re: Ok, I'm sold!
 
 
 On Tue, Oct 29, 2002 at 05:07:52PM -0500, Scott St. John wrote:
  Thanks to a friend very familiar with Debian I have my first Debian
  server up and running on a Dual Processor IBM Netfinity Server.  One
  word:  ROCKS!
  
  Just in playing around I see what I was hoping for with RH, speed,
  stability, performance!  NICE :)
  
  Moving user accounts over tonight and will start the tests for it to
  become a replacement email server.
 
 btw, i strongly recommend switching from sendmail to postfix as part of
 the upgrade.

Or just stick to exim, Debian's default MTA. It's rock solid, meant as a 
drop in replacement for sendmail, extremely flexible and the best part: 
one can read AND understand its configuration file. 


kind regards,

Michael Kaiser
-- 
HDI V.a.G.   
Zentrale Systemtechnik / ZIVP3
Podbielskistr. 396   
30659 Hannover
Tel.: +49 (511) 645 3491
Fax: +49 (511) 645 4400
E-Mail: [EMAIL PROTECTED]






Re: apache broke

2002-10-30 Thread Teun Vink
On 29 Oct 2002, Michael Knorra wrote:

  any additional info, please do not hesitate to contact me.
 
 Yes, I hope so. It is the imap.so. 
 You can comment out the entry extension=imap.so in the php.ini file
 and start the apache.

Ah ok thankx, I'll check that. Too bad the main site which I host on that
machine is a webmail application using php+imap :(

For now, I've downgraded libc6, which was a lot of fun ;-)


Teun




pam_userdb and version of .db-file

2002-10-30 Thread Robert Waldner

(I'm not really sure this belongs here, but it seems at least as 
 fitting as -user, where I didn't get an answer. If this is the wrong 
 place, just tell me to shut the f**k up ;) - although in that case
 I'd appreciate pointers on where to best ask this)

Hi!

One of the latest updates to my i386/stable-box gave me severe 
 headaches wrt the subject.

I run cyrus for providing a small handful of users with POP3/
 IMAP4-access, and since I do not want all of them to have shells on my 
 box, I authenticate them via pam_userdb and a separate password-file.
 Until recently this just worked. I'd create the .db-file with 
 sendmail's makemap from a key<whitespace>value\n-style source.

Now makemap produces Version 8 (libdb3?) files, which pam_userdb 
 cannot read. After much debugging I've now resorted to creating a 
 Version 5 .db-file with db_load (from libdb2-util). This seems like
 an ugly kludge (it's far from intuitive, and db_load wants paired
 lines of input which means I have to rewrite all my little
 helper-scripts).

Is there a standard or preferred way of doing this? Maybe one which 
 has some probability of surviving the next libdb-/sendmail-upgrade?

TIA+cheers,
rw
-- 
/ Ing. Robert Waldner | Security Engineer |  CoreTec IT-Security  \
\   [EMAIL PROTECTED]   | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /






Re: apache broke

2002-10-30 Thread Michael Knorra
Teun Vink [EMAIL PROTECTED] writes:
 
 Ah ok thankx, I'll check that. Too bad the main site which I host on that
 machine is a webmail application using php+imap :(

Bjoern.Falkenhagen said, that he has got a fixed imap.so module at
ftp://ftp.falkenhagen.net. Didn't check it.. perhaps you can try this.

 For now, I've downgraded libc6, which was a lot of fun ;-)

That was the first thing I have done, but the emacs didn't work
anymore with that :-(

-- 
still under construction..




Re: apache broke

2002-10-30 Thread Teun Vink
On 30 Oct 2002, Michael Knorra wrote:

 Teun Vink [EMAIL PROTECTED] writes:
  
  Ah ok thankx, I'll check that. Too bad the main site which I host on that
  machine is a webmail application using php+imap :(
 
 Bjoern.Falkenhagen said, that he has got a fixed imap.so module at
 ftp://ftp.falkenhagen.net. Didn't check it.. perhaps you can try this.
 

Thanks, I will look into that.

  For now, I've downgraded libc6, which was a lot of fun ;-)
 
 That was the first thing I have done, but the emacs didn't work
 anymore with that :-(
 

Hehe I saw postfix, ssh, proftpd and imap die after downgrading libc6 and
some other packages. Luckily, restarting those services did the trick.


Teun

-- 
If an infinite number of monkeys sit at an infinite number of typewriters
 and randomly press keys, they will eventually produce the source code of 
 MS-Windows.




Postfix + SASL Authentication failed

2002-10-30 Thread Davi Leal
Hi,

The problem is I can not get authentication successful in my Postfix + SASL
server.

SASL is enabled in the server, as you can see in the attached syslog
fragment.  It fails. I would like to know what the cause is.

Possibilities / Rationale
A) /etc/passwd, /etc/shadow  Bad permissions.
B) /usr/lib/sasl/smtpd.conf  Mistaken.
C) Bad configuration of main.cf?  You can see it attached.
D) Bad configuration of master.cf?  You can see it attached.

Any other possibility?


Rationale:

A) I have set read access to all users, only to check it is not the cause.

B) I have realized several checks, with both shadow and pwcheck.
pwcheck_method: shadow
pwcheck_method: pwcheck

My host uses /etc/shadow to keep the passwords.

I know I have to use 'shadow'. Anyway I have always checked both
shadow and pwcheck.

I have copied the file in both /usr/lib/sasl/ and /usr/local/lib/sasl/
directories.


A special thing which I have noted is that if I remove all the smtpd.conf
files in the system I get the same Authentication failed message!


Note:  I have removed the chrooted option in the master.cf file.

Regards,
Davi Leal

--
The system is a Debian GNU/Linux 3.0 (woody)
Oct 30 14:18:06 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 220 excalibur.ene.es ESMTP 
Postfix (Debian/GNU)
Oct 30 14:18:06 excalibur postfix/smtpd[341]: connect from 
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]
Oct 30 14:19:09 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: EHLO 
80-25-136-215.uc.nombres.ttd.es
Oct 30 14:19:09 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 250-excalibur.ene.es
Oct 30 14:19:09 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 250-PIPELINING
Oct 30 14:19:09 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 250-SIZE 20480
Oct 30 14:19:09 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 250-VRFY
Oct 30 14:19:09 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 250-ETRN
Oct 30 14:19:09 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 250-AUTH LOGIN PLAIN CRAM-MD5 
GSSAPI
Oct 30 14:19:09 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 250-AUTH=LOGIN PLAIN CRAM-MD5 
GSSAPI
Oct 30 14:19:09 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 250-XVERP
Oct 30 14:19:09 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 250 8BITMIME
Oct 30 14:19:26 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: AUTH PLAIN 
aGVsbG8AaGVsbG8AaGVsbG8=
Oct 30 14:19:26 excalibur postfix/smtpd[341]: smtpd_sasl_authenticate: 
sasl_method PLAIN, init_response aGVsbG8AaGVsbG8AaGVsbG8=
Oct 30 14:19:26 excalibur postfix/smtpd[341]: smtpd_sasl_authenticate: decoded 
initial response hello
Oct 30 14:19:26 excalibur postfix/smtpd[341]: warning: 
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: SASL PLAIN authentication failed
Oct 30 14:19:26 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 535 Error: authentication failed
Oct 30 14:19:36 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: quit
Oct 30 14:19:36 excalibur postfix/smtpd[341]:  
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]: 221 Bye
Oct 30 14:19:36 excalibur postfix/smtpd[341]: disconnect from 
80-25-136-215.uc.nombres.ttd.es[80.25.136.215]


etc-postfix-main.cf
Description: Binary data


etc-postfix-master.cf
Description: Binary data


Re: Forced DHCP setup

2002-10-30 Thread Kourosh

Alex,

I suppose you could parse your leases file and create your
firewall ruleset from that.  I know that it's possible to
have DHCP notify a DDNS server to update its records so maybe
it would be possible to have the DHCP server update a firewall
ruleset on the fly.

Of course, that doesn't stop someone from setting their own IP
to that of another user.  Joe Average Windows user won't know
how but it's not very strong security.

Other than that, you could try setting up a proxy forwarding requests
to a login page as another poster suggested but that may be _too_
cumbersome for an ISP.

Regards,

Kourosh

On Wed, Oct 30, 2002 at 03:55:45PM -0600, Alex Borges (lex) wrote:
 Tx for the fast response:)...
 
 Now, i know i can assign static ip's through macs and i already have
 some ways to collect all macs from everybody, no problem. The thing is,
 what if the user changes his ip address?  How can i ensure that, if
 you dont have a lease in dhcp (if you didnt get it from dhcp) then youre
 blocked.
 
 Im a checking the mans of course... tx a lot ...
 
 Lex
 
 On Wed, 30-10-2002 at 15:57, Kourosh wrote:
  On Wed, Oct 30, 2002 at 03:39:01PM -0600, Alex Borges (lex) wrote:
   Hey... I want to tie up users to ip addresses and machines. This way i
   can easily mangle bandwidth, squid acls and lots of stuff through my
   woody box
   
   
   So im thinking maybe the solution is to force users to obtain ip's from
   dhcp and, if users take an ip for which they have no lease, block them
   with iptables or something...
   
   
   Im thinking this is probably an old trick so im asking here for pointers
   and stuff as i parallely STFW for this setup... ne ideas?
   

   -- 
   Alex (Lex) Borges
   Software Engineer
   Step One Group
   www.sogrp.com
  
  
  Alex,
  
  It is possible to set up DHCP so that a client always gets the same IP
  address by using its MAC address.  If you set up DHCP to only have reserved
  IPs using the MAC address and no other IP pool then they can't pick up any
  other address.
  
  Of course, someone can spoof a MAC and they can still set up their system
  with a fixed IP but casual users generally don't know how.
  
  It does require that you know their MAC address; they can then only use that
  particular NIC unless you make the change.
  
  Man dhcpd.conf for more details.
  
  Many universities and some ISPs do this.
  
  I don't believe it's possible to have a user log in to get an IP.
  
  Hope this helps.
  
  Kourosh
 -- 
 Alex (Lex) Borges
 Software Engineer
 Step One Group
 www.sogrp.com
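The leases-file idea from the reply above, as an added example that is not code from the thread: it reads ISC dhcpd.leases syntax and returns the IP/MAC pairs that currently hold an active lease, which is the set a firewall ruleset would be rebuilt from. The sample text, the function names and the `now` parameter are assumptions.

```python
import re
from datetime import datetime

# Constructed dhcpd.leases excerpt. The file is an append-only log, so the
# last entry for an IP supersedes earlier ones; times are UTC.
SAMPLE = """\
lease 192.168.10.11 {
  ends 3 2002/10/30 21:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.10.12 {
  ends 3 2002/10/30 23:30:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.10.11 {
  ends 3 2002/10/30 20:05:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
"""
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)

def _field(body, pattern):
    """First capture group of `pattern` inside one lease body, or None."""
    m = re.search(pattern, body, re.M)
    return m.group(1) if m else None

def active_bindings(text, now):
    """Return {ip: mac} for leases that are active and unexpired at `now`."""
    latest = dict(LEASE_RE.findall(text))  # later entries overwrite earlier
    bindings = {}
    for ip, body in latest.items():
        state = _field(body, r"^\s*binding state (\w+);")
        mac = _field(body, r"^\s*hardware ethernet ([0-9a-fA-F:]+);")
        ends = _field(body, r"^\s*ends (never|\d \S+ \S+);")
        if state != "active" or not mac or not ends:
            continue
        if ends != "never":
            expiry = datetime.strptime(ends[2:], "%Y/%m/%d %H:%M:%S")
            if expiry <= now:
                continue  # lease ran out without being renewed
        bindings[ip] = mac.lower()
    return bindings

if __name__ == "__main__":
    print(active_bindings(SAMPLE, datetime(2002, 10, 30, 22, 0, 0)))
```

Only the most recent record per address counts, so an address that was released (192.168.10.11 in the sample) drops out of the allowed set even though an older record shows it as active.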
 




RE: Forced DHCP setup

2002-10-30 Thread Tim Quinlan
NoCatAuth (nocat.net) does exactly this.  Although I think NoCat is
designed with wireless in mind.  Not sure if it works with normal wired
network cards, but I can't see any reason why it wouldn't.

On Wed, 30 Oct 2002, C. R. Oldham wrote:

  I don't believe it's possible to have a user log in to get an IP.

 It is possible, in hotels that have broadband in rooms, and on some
 university campuses I've been to they have a DHCP server setup to serve
 addresses from a private block.  On that network there is a webserver
 setup to intercept any http request coming from a client in the private
 block and redirect the user to a page where he/she has to login.  On
 login a cgi (or some such) makes a change in the DHCP database to
 allocate the user a real IP.  The user gets instructions on the
 ensuing webpage to do a release/renew and boom they are setup.

 Sorry, I don't know of any opensource packages to do this, but it
 shouldn't be too hard.

 Of course, unless you setup your routers to block packets based on MAC
 address this won't prevent someone from guessing a valid IP and
 setting it up static.

 --
 C. R. Oldham
 Director of Technology
 NCA CASI








Re: DNS zone file audit tool

2002-10-30 Thread Fraser Campbell
On October 29, 2002 08:30 am, the fabulous I. Forbes wrote:

 Particularly I need something that checks that there are still
 upstream NS records pointing to our server for each domain that we
 host. Also I would like to check that our NS records point to valid
 name servers (particularly with secondary nameservers) and that our
 reverse DNS PTR records point to domains with valid A records.

 I am looking for a Debian friendly utility to help with this. I have
 had a look at nslint but it does not seem to do what we need it to
 do.

I wrote a simple perl script that did most of the things you're looking for 
just wrapping around the nslookup command (or perhaps it was host).  My 
checks (from memory) went something like this:

- find nameservers for domain, this involves working right to left through the
  hostname until no NS records are returned, it might look something like
  this:

  [EMAIL PROTECTED]:~$ host -t NS ca.
  ca  NS  ns1cira.ca
  ca  NS  ns2.uunet.ca
  ca  NS  rs0.netsol.com
  ca  NS  merle.cira.ca
  ca  NS  relay.cdnnet.ca
  ca  NS  clouso.risq.qc.ca
  [EMAIL PROTECTED]:~$ host -t NS gc.ca.
  gc.ca   NS  ns1.drenet.dnd.ca
  gc.ca   NS  relay.srv.gc.ca
  gc.ca   NS  relay.cdnnet.ca
  gc.ca   NS  rusty.srv.gc.ca
  [EMAIL PROTECTED]:~$ host -t NS ec.gc.ca.
  ec.gc.ca  NS  castor.cmc.ec.gc.ca
  ec.gc.ca  NS  pollux.cmc.ec.gc.ca
  ec.gc.ca  NS  dowsv01.tor.ec.gc.ca
  ec.gc.ca  NS  dns1.cmc.ec.gc.ca
  ec.gc.ca  NS  dns2.cmc.ec.gc.ca
- at each step along the way confirm that all nameservers contain the same
  zone information and are authoritative

The exact things you want to check should be pretty easy to wrap into a script 
as well.  It's hard to find canned scripts that do everything you want so 
it's usually easier to roll your own.

If you like I can try and track down my script for you.  I've never checked 
for a canned solution to this problem mostly because I wanted to really 
understand and analyse every detail myself ... there might be something out 
there.

Fraser
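The two checks described in the message above (walk the name right to left until no NS records come back, then compare what each listed nameserver says about the zone), as an added example that is not the poster's script. The lookup functions are hypothetical stand-ins for `host` queries and all names and serials are constructed, so it runs offline.

```python
# Constructed data standing in for live lookups (all names are examples).
NS3 = {"ns1.example.net.", "ns2.example.net.", "ns3.example.net."}
PARENT_NS = {"org.": {"a.tld-server.example."}, "example.org.": NS3}
SERVER_VIEW = {  # (server, zone) -> (authoritative?, SOA serial, NS names)
    ("ns1.example.net.", "example.org."): (True, 2002103001, NS3),
    ("ns2.example.net.", "example.org."):
        (True, 2002102901, NS3 - {"ns3.example.net."}),
}

def ns_lookup(name):
    """Hypothetical stand-in for `host -t NS name`."""
    return PARENT_NS.get(name, set())

def ask(server, zone):
    """Hypothetical stand-in for querying one server; None means no answer."""
    return SERVER_VIEW.get((server, zone))

def zone_cut(name, ns_lookup=ns_lookup):
    """Walk right to left; return the deepest suffix that still has NS records."""
    labels = name.rstrip(".").split(".")
    zone, servers = None, set()
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        found = ns_lookup(candidate)
        if not found:
            break
        zone, servers = candidate, set(found)
    return zone, servers

def audit(zone, delegated, ask=ask):
    """Compare each delegated server's view of the zone; return findings."""
    findings, serials = [], {}
    for server in sorted(delegated):
        reply = ask(server, zone)
        if reply is None:
            findings.append(f"{server} lame: no answer for {zone}")
            continue
        aa, serial, ns_names = reply
        if not aa:
            findings.append(f"{server} not authoritative for {zone}")
        if set(ns_names) != set(delegated):
            findings.append(f"{server} NS set differs from parent delegation")
        serials[server] = serial
    if len(set(serials.values())) > 1:
        findings.append(f"SOA serials differ: {serials}")
    return findings

if __name__ == "__main__":
    zone, servers = zone_cut("www.example.org.")
    print(zone, *audit(zone, servers), sep="\n")
```

On the constructed data this reports a secondary whose NS set disagrees with the parent, a delegated server that does not answer for the zone, and mismatched SOA serials.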




[RE: Forced DHCP setup]

2002-10-30 Thread John
- Forwarded message from C. R. Oldham [EMAIL PROTECTED] -
Subject: RE: Forced DHCP setup
Date: Wed, 30 Oct 2002 14:59:50 -0700

 I don't believe it's possible to have a user log in to get an IP.

It is possible, in hotels that have broadband in rooms, and on some
university campuses I've been to they have a DHCP server setup to serve
addresses from a private block.  On that network there is a webserver
setup to intercept any http request coming from a client in the private
block and redirect the user to a page where he/she has to login.  On
login a cgi (or some such) makes a change in the DHCP database to
allocate the user a real IP.  The user gets instructions on the
ensuing webpage to do a release/renew and boom they are setup.

A lot of hotels and public areas use a box from Nomadix that will accept
ANY ip that a client has, even duplicates, and allow the client to
maintain the ip that's set. This is particularly excellent when Joe
Traveller plugs into the wall outlet with his laptop from the office
that's configured for 172.16.104.12/24 and the hotel uses
192.168.34.0/20 for its normal DHCP range. These nomadix boxes do
nearly all their work based on MAC address and don't really care what ip
anyone has. Same for DNS queries, it sees a DNS query anywhere on the
network? It answers.  Sending mail? Port 25 gets pushed through the
Nomadix too. It's all at the MAC layer for those devices.

That would be a great way to make what you want work, is at the MAC
layer instead of the IP layer. Of course, it's a lot more work as it's
less common, but I think someone mentioned NoCatAuth in the thread -
pursue that - it might be helpful. 

The Nomadix info is proprietary and not Open Source, can't use that.

HTH

j




subscribe

2002-10-30 Thread Mike Thompson