Re: jail() for Linux ?
Is this the same software?

http://sourceforge.net/projects/jail/
http://www.gsyc.inf.uc3m.es/~assman/jail/index.html

-- Sonny

At 07:12 PM 4/9/2003 +0200, you wrote:
> Hi !
>
> I developed software (will be available as open source in 1-2 weeks) for managing virtual systems which use the jail functionality of FreeBSD - now I ask myself if the jail functionality is also available for Linux systems.
>
> jail() is a combination of the chroot() functionality and limited access to syscalls.
>
> Further information: http://www.daemonnews.org/200109/jailint.html
>
> Does anybody know anything about a patch which implements the same functionality on Linux?
>
> Best regards
> Marc Schoechlin
Re: jail() for Linux ?
On Thu, 10 Apr 2003 03:12, Marc Schöchlin wrote:
> I developed software (will be available as open source in 1-2 weeks) for managing virtual systems which use the jail functionality of FreeBSD - now I ask myself if the jail functionality is also available for Linux systems.
>
> Does anybody know anything about a patch which implements the same functionality on Linux?

For the closest match to the functionality you requested see the kernel-patch-ctx and vserver packages.

kernel-patch-2.4-grsecurity implements secure chroot environments and many other useful security enhancements, but (as of my last tests) does not do everything jail does.

SE Linux is my preferred security option. I have written policy for it to implement secure chroot environments, but it can't restrict which IP addresses the jailed process can bind to (the same limitation as grsecurity; vserver does not have this problem). I wanted to implement IP restrictions for SE Linux, but changes to the core code made my chosen method impossible and I have not done any serious work on this since.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: jail() for Linux ?
Marc Schöchlin wrote:
> Hi !
>
> I developed software (will be available as open source in 1-2 weeks) for managing virtual systems which use the jail functionality of FreeBSD - now I ask myself if the jail functionality is also available for Linux systems.
> [snip]
> Does anybody know anything about a patch which implements the same functionality on Linux?
>
> Best regards
> Marc Schoechlin

I do not believe jail() itself is available for Linux, though you could try the user-mode-linux project: http://user-mode-linux.sourceforge.net/. It's a patch for the Linux kernel to spawn a new patched kernel. The only problem so far for me has been that it's a bit tricky to get the network working. Even if it's not what you're looking for, it is fun to toy with.

Greetings,
Arend van Waart
jail() for Linux ?
Hi !

I developed software (will be available as open source in 1-2 weeks) for managing virtual systems which use the jail functionality of FreeBSD - now I ask myself if the jail functionality is also available for Linux systems.

jail() is a combination of the chroot() functionality and limited access to syscalls.

Further information: http://www.daemonnews.org/200109/jailint.html

Does anybody know anything about a patch which implements the same functionality on Linux?

Best regards
Marc Schoechlin
sendmail connection timeout problem
Hi there,

I have a problem on my primary mail server. It runs Debian woody and sendmail. It is forwarding mails with the mailertable feature to our customers' mail servers. The customers are connected to our PoP via leased lines.

Here is the error from the mail.log:

Apr 9 15:06:11 mx1 sm-mta[2220]: h39D1BoU002214: timeout waiting for input from [customer mailserver's ip] during client greeting

After 2 to 3 retries the mails are delivered ... so the messages get deferred 1 to 3 times and so the mail delay is 5-15 minutes, which is not acceptable for our customer.

I have played with the timeouts but this doesn't improve the mail delivery.

Every time I telneted to port 25 of the customer server the greeting from the customer's server took no longer than 1 second. So it has to be a problem of the sendmail configuration. It happens not only to our customer, as I can also see this problem happening with other internet mail servers.

The leased lines are up and I run netsaint to check the customers' smtp servers. The bandwidth usage on the leased lines is never above 50%, so smtp traffic should go through without problems. The bandwidth is between 2 and 6 Mbit/s.

Thanks in advance for any advice you can give me!

Regards,
mfl

--- Appendix ---

dpkg --list | grep sendmail
ii  sendmail      8.12.3-6.3
ii  sendmail-doc  8.12.3-6.3

OK, here is my sendmail.mc:

VERSIONID(`$Id: sendmail.mc, v 8.12.3-4 2002-04-15 17:35:56 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl #
dnl # General defines
dnl #
LOCAL_CONFIG
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`nouucp', `reject')dnl
FEATURE(`mailertable')dnl
FEATURE(`smrsh')dnl
FEATURE(`virtusertable')dnl
dnl # added 20030225 by mfl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn')dnl
define(`confMAX_DAEMON_CHILDREN', `1000')dnl
define(`confMAX_QUEUE_CHILDREN', `500')dnl
define(`confMAX_RUNNERS_PER_QUEUE', `150')dnl
define(`confTO_QUEUEWARN', `1h')dnl
dnl # timeouts # added by mfl
define(`confTO_CONNECT', `5m')dnl
define(`confTO_ICONNECT', `3m')dnl
define(`confTO_MISC', `5m')dnl
define(`confTO_HOSTSTATUS', `5m')dnl
define(`confTO_IDENT', `1s')dnl
define(`confSEPARATE_PROC', `true')dnl
define(`confDIAL_DELAY', `15s')dnl
dnl #
dnl # Dialup/LAN connection overrides
dnl #
include(`/etc/mail/dialup.m4')dnl
include(`/etc/mail/provider.m4')dnl
MAILER_DEFINITIONS
MAILER(local)dnl
MAILER(smtp)dnl
define(`confSMTP_LOGIN_MSG', ``$j Sendmail; ready to serve... ; $b'')
Re: which dns server to use ?
--On Tuesday, April 08, 2003 5:42 PM +0200 Thomas Lamy <[EMAIL PROTECTED]> wrote:

> PowerDNS seems to be pretty decent. BIND is more sendmail than apache (3-5 years ago): most used DNS server software, bloated code (IMHO), and a remote exploit every now and then. Just because most of the internet uses it, it may (is) not the best software around.

On the other hand, it does a lot and you don't need 99 other little pieces with it. If you use something like bind-dlz and run named in a chroot jail, the security risk is fairly minimal. Your data will be in whatever database you select and named can't change it. Data for authoritative answers is not cached, so there's no risk of poisoning. The chroot jail keeps an exploit from trashing the server. Is it perfect? No, but none of the alternatives are perfect either. Pick what you like. :-)

> I don't think DJB will change his mind in this life, so I choose _free_ software with open development.

Most of the issues with djb software boil down to philosophy or personality. They can do the job and work well. As for licenses - yes, his license is "restrictive." But then your definition of "free" is restrictive too since it won't allow qmail to be part of Debian. And the problem is only with binary packages, so it really doesn't involve "open source" concepts. It involves packaging. But I see your point and we'll leave it at that.

> things I look at when it comes to mission critical software). Note that mydns is _not_ a caching server, but there are other free packages that do this job.

Like dnscache? :-)
Re: which dns server to use ?
> What kind of invalid data? - You have to make sure that invalid data doesn't get into the database. There's no point in having a database otherwise.

I didn't express myself very well ... I meant more like corruption-checking (shouldn't happen but happened once afaik), etc.

> The language itself isn't really important. You have to be comfortable with your choice, that's all.

True ... still I'd like to practice Perl a bit :-)
Re: which dns server to use ?
On 09 Apr 2003, Markus Welsch wrote:
> So you are using the approach I am currently working on. I'll be doing
> extensive error checking since ... sql server(s) not responding/no
> access, invalid data, etc and after the update I'll send out an email
> report with all the details.

What kind of invalid data? - You have to make sure that invalid data doesn't get into the database. There's no point in having a database otherwise.

> I'm thinking of using Perl for that, although I'm no Perl expert. The
> only other solution would be using commandline PHP ...
> What do you suggest ?

The language itself isn't really important. You have to be comfortable with your choice, that's all.

Cheers,
Oliver
Re: using spamassassin in an isp environment ?
On Wednesday 09 April 2003 11:42, Tomàs Núñez Lirola wrote:
> Hi
> I've thought several times about using DNSRBLs, but I don't know anything
> about them... Do you recommend them to me? Are they difficult to add to my
> sendmail? Any doc where I can get more info about them?

http://spews.org has a number of links - about spam in general, and also to all important DNSRBLs. Most DNSRBLs have a website with instructions on how to set them up with popular MTAs; IIRC it's just a FEATURE(blah blah, rbl_address) or so (I use postfix, so I don't know such things exactly).

Before you use them: carefully read what the policies are on the blacklists you'll be using. Understand how a host may end up on a blacklist and how it gets off, so you can properly guess how much legitimate mail will be bounced by your system. When you have a few hundred users, you're quite certain that at least one of your users will expect some mail from addresses you block. (The SPEWS list has recently blocked most of Yahoo Groups, for instance.)

I have also set up my abuse@ and postmaster@ addresses to accept mail from everywhere, so people having problems can reach me (under the assumption that they or their admin will try my postmaster address).

As I've said, I have had no problems so far, but I don't have a big system here, so I'd not expect it.

I haven't made the statistics, but roughly, rejected spam is:
- 10% rejected because of bad EHLO hostname (I don't require it to be correct, only that it is a FQDN and that it resolves)
- 35% rejected because of bad (unresolvable) MAIL From domain
- 10% rejected because of protocol errors (spammers use extremely broken software, I'm really amazed)
- 10% rejected because of my private blacklist
- 35% rejected because of the DNS blacklists

Note that the tests are done in the order they're listed above, so mail rejected by the early checks is likely to be in some blacklist too, but it doesn't appear as such in the stats.

cheers
-- vbi

--
get my gpg key here: http://fortytwo.ch/gpg/92082481
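The sequence of SMTP-time checks vbi describes (EHLO must be an FQDN that resolves, the MAIL FROM domain must resolve, a private blacklist, then the DNS blacklists, with a whitelist for the people you never want to lose), written out as an added Python example; this is not code from the thread or from any MTA, and the protocol-error check is left out. The resolver is injected and backed by a constructed fake DNS table so the block runs offline; the DNSBL query names it builds (reversed octets under the list zone, 127.0.0.x answer when listed) follow the real convention, while whitelisting by sender domain and the sample addresses are assumptions.

```python
# Added example (not from the thread): SMTP reject checks in vbi's order, plus
# DNSBL lookups. The resolver is injected so the checks run against a fake DNS.
import ipaddress
import re
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[List[str]]]  # name -> A records, or None

# Constructed policy data (not from the thread); the zones are two vbi lists.
WHITELIST = {"vip.example.org"}                       # sender domains never rejected
PRIVATE_BLACKLIST = {ipaddress.ip_network("203.0.113.0/24")}
DNSBLS = ["sbl.spamhaus.org", "list.dsbl.org"]

FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the list zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """A DNSBL answers 127.0.0.x for a listed host and NXDOMAIN (None) otherwise."""
    answers = resolve(dnsbl_name(ip, zone)) or []
    return any(a.startswith("127.") for a in answers)


def check_session(client_ip: str, ehlo: str, mail_from: str, resolve: Resolver) -> str:
    """Return 'accept' or 'reject:<reason>'; the tests run in the order of the stats."""
    sender_domain = mail_from.rpartition("@")[2].lower()
    if sender_domain in WHITELIST:
        return "accept"                 # whitelisted senders skip every list
    if not FQDN_RE.match(ehlo) or not resolve(ehlo):
        return "reject:ehlo"            # EHLO must be an FQDN that resolves
    if not sender_domain or not resolve(sender_domain):
        return "reject:mailfrom"        # unresolvable MAIL FROM domain
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in PRIVATE_BLACKLIST):
        return "reject:private"
    for zone in DNSBLS:                 # DNS blacklists are consulted last
        if dnsbl_listed(client_ip, zone, resolve):
            return "reject:dnsbl:" + zone
    return "accept"


# Constructed fake DNS so the example runs offline (192.0.2.10 is on list.dsbl.org).
FAKE_DNS: Dict[str, List[str]] = {
    "mail.example.net": ["198.51.100.5"],
    "example.net": ["198.51.100.5"],
    "example.com": ["192.0.2.1"],
    "10.2.0.192.list.dsbl.org": ["127.0.0.2"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    return FAKE_DNS.get(name.lower())


if __name__ == "__main__":
    sessions = [
        ("198.51.100.5", "mail.example.net", "bob@example.net"),   # clean
        ("198.51.100.5", "localhost", "bob@example.net"),          # bad EHLO
        ("198.51.100.5", "mail.example.net", "x@nosuch.invalid"),  # bad MAIL FROM
        ("203.0.113.7", "mail.example.net", "bob@example.net"),    # private list
        ("192.0.2.10", "mail.example.net", "bob@example.net"),     # DNSBL hit
    ]
    for ip, ehlo, sender in sessions:
        print(ip, ehlo, sender, "->", check_session(ip, ehlo, sender, fake_resolve))
```

Because the checks short-circuit, a host that is both a bad-EHLO sender and DNSBL-listed is counted under EHLO, which is exactly the skew vbi notes in his percentages.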
Re: which dns server to use ?
> Interesting. I see you're prepared for the worst case :-)
>
> However, since I am somewhat lazy, I prefer to have all my services work with standard apt-get'able packages. This may also prevent possible security related problems. I am using the 'database-export-approach' to maintain the configuration files of the various services. This has proved very stable for 3 years now and it allows me to do upgrades the 'apt-get way', without recompiling or modifying source code.

So you are using the approach I am currently working on. I'll be doing extensive error checking since ... sql server(s) not responding/no access, invalid data, etc and after the update I'll send out an email report with all the details.

I'm thinking of using Perl for that, although I'm no Perl expert. The only other solution would be using commandline PHP ...

What do you suggest ?
Re: which dns server to use ?
On 09 Apr 2003, Thomas Lamy wrote:
> - Three db-servers (2 in active-active replication, and a third running from
> the last daily db export)
> - the mysql connection procedure in mission critical programs (mydns, snmp
> gatherer) is hacked to try both main servers in r/w mode, and then the third
> one in r/o mode.

Interesting. I see you're prepared for the worst case :-)

However, since I am somewhat lazy, I prefer to have all my services work with standard apt-get'able packages. This may also prevent possible security related problems. I am using the 'database-export-approach' to maintain the configuration files of the various services. This has proved very stable for 3 years now and it allows me to do upgrades the 'apt-get way', without recompiling or modifying source code.

Oliver
Re: using spamassassin in an isp environment ?
Well... heh, I made a simple query to Google that led me to (guess it) dnsrbl.com, where I found that using its lists is as simple as adding a line to sendmail.mc:

FEATURE(dnsbl,`spam.dnsrbl.net')dnl

So having solved the question of how to use DNSRBLs, only the other question remains: Do you recommend them? Any 'false positives'?

Thank you

On Wednesday, 9 April 2003 11:42, Tomàs Núñez Lirola wrote:
> Hi
> I've thought several times about using DNSRBLs, but I don't know anything
> about them... Do you recommend them to me? Are they difficult to add to my
> sendmail? Any doc where I can get more info about them?
>
> Thanks in advance
>
> On Wednesday, 9 April 2003 09:48, Adrian 'Dagurashibanipal' von Bidder wrote:
> > On Tuesday 08 April 2003 20:25, Markus Welsch wrote:
> > [spamassassin]
> >
> > > since it's written in perl it will be a huge performance decrease,
> > > right?
> >
> > The biggest problem with spamassassin is the startup delay until the
> > interpreter is loaded and the perl program is compiled. Running with
> > spamd/spamc should make the load manageable in most cases, given enough
> > RAM.
> >
> > Depending on your setup, you may want to use spamassassin in the delivery
> > agent instead of content_filter and allow your users to tune spamassassin
> > (ask on their mailing list, IIRC there were some webfrontends under
> > development).
> >
> > Filtering for only some domains: you probably can do it by defining a
> > content_filter enabled transport in master.cf and a transport without,
> > and using a transport table to direct mail to the relevant transport
> > agent depending on the domain.
> >
> > I recommend putting some DNSRBLs in front of the system; for me the
> > blacklists catch >80% of the spam and only the remainder is piped through
> > spamassassin, this lessens the load massively (I think I can say that
> > although load is not a problem in my system - too small).
> >
> > DNS lists I use right now:
> > sbl.spamhaus.org,
> > list.dsbl.org,
> > relays.ordb.org,
> > spam.dnsrbl.net,
> > proxies.blackholes.wirehub.net,
> > korea.blackholes.us,
> > china.blackholes.us,
> > ipwhois.rfc-ignorant.org
> >
> > No false positives that I know of, so far. I think about adding spews
> > (spews.relays.osirusoft.com, IIRC), but you probably don't want this as
> > they are quite aggressive. I also don't recommend using the spamcop list
> > to block (I use it from spamassassin to tag mail), as they are too
> > trigger happy (OTOH erroneous blocks disappear quickly, too).
> >
> > Depending on your policy, you may want to add some of the dialup
> > blocklists. As I send mail from my dialup link regularly myself, I don't
> > use these. OTOH I can understand people who do this.
> >
> > If you have some very important people you never want to lose
> > connectivity, make sure to whitelist them, so you'll not get trouble if
> > they land on one of the blacklists.
> >
> > cheers
> > -- vbi
Re: using spamassassin in an isp environment ?
On Wed, 09 Apr 2003 11:42:48 +0200, Tomàs Núñez Lirola wrote:
> I've thought several times about using DNSRBLs, but I don't know anything about
> them... Do you recommend them to me? Are they difficult to add to my
> sendmail? Any doc where I can get more info about them?

http://www.google.com/search?q=sendmail.mc+dnsbl+blackholes.mail-abuse.org

cheers,
&rw

--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: using spamassassin in an isp environment ?
Hi

I've thought several times about using DNSRBLs, but I don't know anything about them... Do you recommend them to me? Are they difficult to add to my sendmail? Any doc where I can get more info about them?

Thanks in advance

On Wednesday, 9 April 2003 09:48, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Tuesday 08 April 2003 20:25, Markus Welsch wrote:
> [spamassassin]
>
> > since it's written in perl it will be a huge performance decrease, right?
>
> The biggest problem with spamassassin is the startup delay until the
> interpreter is loaded and the perl program is compiled. Running with
> spamd/spamc should make the load manageable in most cases, given enough
> RAM.
>
> Depending on your setup, you may want to use spamassassin in the delivery
> agent instead of content_filter and allow your users to tune spamassassin
> (ask on their mailing list, IIRC there were some webfrontends under
> development).
>
> Filtering for only some domains: you probably can do it by defining a
> content_filter enabled transport in master.cf and a transport without, and
> using a transport table to direct mail to the relevant transport agent
> depending on the domain.
>
> I recommend putting some DNSRBLs in front of the system; for me the
> blacklists catch >80% of the spam and only the remainder is piped through
> spamassassin, this lessens the load massively (I think I can say that
> although load is not a problem in my system - too small).
>
> DNS lists I use right now:
> sbl.spamhaus.org,
> list.dsbl.org,
> relays.ordb.org,
> spam.dnsrbl.net,
> proxies.blackholes.wirehub.net,
> korea.blackholes.us,
> china.blackholes.us,
> ipwhois.rfc-ignorant.org
>
> No false positives that I know of, so far. I think about adding spews
> (spews.relays.osirusoft.com, IIRC), but you probably don't want this as
> they are quite aggressive. I also don't recommend using the spamcop list to
> block (I use it from spamassassin to tag mail), as they are too trigger
> happy (OTOH erroneous blocks disappear quickly, too).
>
> Depending on your policy, you may want to add some of the dialup
> blocklists. As I send mail from my dialup link regularly myself, I don't
> use these. OTOH I can understand people who do this.
>
> If you have some very important people you never want to lose connectivity,
> make sure to whitelist them, so you'll not get trouble if they land on one
> of the blacklists.
>
> cheers
> -- vbi
Re: using spamassassin in an isp environment ?
On Tuesday 08 April 2003 20:25, Markus Welsch wrote:
[spamassassin]
> since it's written in perl it will be a huge performance decrease, right?

The biggest problem with spamassassin is the startup delay until the interpreter is loaded and the perl program is compiled. Running with spamd/spamc should make the load manageable in most cases, given enough RAM.

Depending on your setup, you may want to use spamassassin in the delivery agent instead of content_filter and allow your users to tune spamassassin (ask on their mailing list, IIRC there were some web frontends under development).

Filtering for only some domains: you probably can do it by defining a content_filter enabled transport in master.cf and a transport without, and using a transport table to direct mail to the relevant transport agent depending on the domain.

I recommend putting some DNSRBLs in front of the system; for me the blacklists catch >80% of the spam and only the remainder is piped through spamassassin. This lessens the load massively (I think I can say that although load is not a problem in my system - too small).

DNS lists I use right now:
sbl.spamhaus.org,
list.dsbl.org,
relays.ordb.org,
spam.dnsrbl.net,
proxies.blackholes.wirehub.net,
korea.blackholes.us,
china.blackholes.us,
ipwhois.rfc-ignorant.org

No false positives that I know of, so far. I think about adding spews (spews.relays.osirusoft.com, IIRC), but you probably don't want this as they are quite aggressive. I also don't recommend using the spamcop list to block (I use it from spamassassin to tag mail), as they are too trigger happy (OTOH erroneous blocks disappear quickly, too).

Depending on your policy, you may want to add some of the dialup blocklists. As I send mail from my dialup link regularly myself, I don't use these. OTOH I can understand people who do this.

If you have some very important people you never want to lose connectivity with, make sure to whitelist them, so you'll not get trouble if they land on one of the blacklists.

cheers
-- vbi

--
featured link: http://fortytwo.ch/time
Problems using Gateway/Routing
hey list!

I've set up a Linux router/firewall based on Debian 3.0, kernel release 2.4.19, at one of our customers' networks. The netfilter package (iptables) is used (rc. 1.2.6a). This box has a DSL connection to the internet.

The problem is now that the clients sometimes can't connect to the internet. When a ping is done on the client workstation to an internet address, the message "192.168.23.1: target-host not reachable" appears. The router is the one with the IP address "192.168.23.1". The strange thing is: at the moment this message appears at the client workstation, the server IS ABLE to ping the desired host the client is trying to ping.

I am not sure what this problem can be... any tips/hints welcome...

thank you!

regards,
tobias

--
BiTKRAFT, IT SOLUTIONS
Tobias Kuhrmann, Technical Director
Jülicher Str. 17
50674 Köln
fon. 0221 / 8016571
fax. 0221 / 8016573
http://www.bitkraft.net
Re: which dns server to use ?
Oliver Hitz wrote:
>
> On 08 Apr 2003, Thomas Lamy wrote:
> > I recently switched to mydns (http://mydns.bboy.net/). As all data is stored
> > in a mysql (or pgsql) backend, it's easy to edit zones/resource records. And
>
> While I see that it may be useful to have zone data in an sql
> backend, I don't like the idea of plugging a mission-critical
> service such as a dns server directly to an sql database. A dns
> server has to be as simple as possible, with as few dependencies as
> possible. Serving zone data directly from an sql database increases
> the complexity of your system and adds new points of failure, which
> is especially undesirable in the case of a dns server.
>

You are right (in part); I had the same concerns, and not only with DNS. Most of our services depend on MySQL right now: customer-db, webserver config, mail users, dns records, radius db. I did take some counter-measures against SPOFs:

- Three db-servers (2 in active-active replication, and a third running from the last daily db export)
- the mysql connection procedure in mission critical programs (mydns, snmp gatherer) is hacked to try both main servers in r/w mode, and then the third one in r/o mode.

I'm also prepared to build a tertiary dns based on whatever software, with zone files generated from the database, if our current one doesn't prove to be stable. But it has worked for months now w/o a problem.

Thomas
Re: which dns server to use ?
> I use tinydns for a company that serves over one billion web hits per day (not visitors, hits, and no I'm not exaggerating). The authoritative nameservers serve between 100 and 300 queries/sec on each of five nameservers, for between 50 and 90 million queries answered per day.

Hardware on those servers ? Resource usage ?

> I'd use tinydns first, then probably nsd, then something else before BIND (maybe powerDNS). I know BIND better than most people, I did a technical review for the "DNS & BIND Cookbook" at the request of Cricket Liu, and I still don't use it anywhere I'm not forced to.

I'll take an extensive look at tinydns ...
Re: which dns server to use ?
> While I see that it may be useful to have zone data in an sql backend, I don't like the idea of plugging a mission-critical service such as a dns server directly to an sql database. A dns server has to be as simple as possible, with as few dependencies as possible. Serving zone data directly from an sql database increases the complexity of your system and adds new points of failure, which is especially undesirable in the case of a dns server.

Well, you can always write a small program to read out the data from an sql server and create zone data in the format required by your dns server :-)
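The "database-export approach" that runs through this thread (read the records out of SQL, check them for corruption and invalid data, generate a zone file in the name server's own format, and send a report instead of writing anything when the database is unreachable or a row is bad), as an added Python example; it is not code from the thread, from mydns, or from any of the posters' Perl or PHP scripts. An in-memory sqlite3 table stands in for the MySQL/PostgreSQL backend, and the rr table layout, the example.org records and the deliberately corrupt row are constructed.

```python
# Added example (not from the thread): export DNS records from an SQL backend to a
# BIND-style zone file, refusing to write when the DB fails or any row is invalid.
# sqlite3 in memory stands in for MySQL/PostgreSQL; the rr table layout is invented.
import ipaddress
import re
import sqlite3

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.I)
SCHEMA = "CREATE TABLE rr (zone TEXT, name TEXT, type TEXT, content TEXT, prio INTEGER, ttl INTEGER)"

# Constructed sample rows for one zone; the last one is deliberately corrupt.
SAMPLE_ROWS = [
    ("example.org", "@", "NS", "ns1.example.org.", None, 86400),
    ("example.org", "@", "MX", "mail.example.org.", 10, 3600),
    ("example.org", "ns1", "A", "192.0.2.53", None, 3600),
    ("example.org", "mail", "A", "192.0.2.25", None, 3600),
    ("example.org", "www", "A", "192.0.2.999", None, 3600),  # not a valid IPv4
]


class ExportError(Exception):
    """Raised so a broken export never replaces a working zone file."""


def validate(row):
    """Return the list of problems with one rr row; an empty list means it is OK."""
    _zone, name, rtype, content, prio, ttl = row
    problems = []
    if name != "@" and not all(LABEL_RE.match(l) for l in name.split(".")):
        problems.append(f"bad owner name {name!r}")
    if rtype == "A":
        try:
            ipaddress.IPv4Address(content)
        except ValueError:
            problems.append(f"bad IPv4 {content!r} for {name}")
    elif rtype in ("NS", "MX", "CNAME"):
        if not content.endswith("."):          # require absolute targets
            problems.append(f"{rtype} target {content!r} must end with a dot")
        if rtype == "MX" and prio is None:
            problems.append(f"MX for {name} has no priority")
    else:
        problems.append(f"unsupported type {rtype!r} for {name}")
    if ttl is None or ttl < 0:
        problems.append(f"bad TTL for {name}")
    return problems


def export_zone(conn, zone, serial):
    """Build zone-file text from the rr table, or raise ExportError."""
    try:
        rows = conn.execute(
            "SELECT zone, name, type, content, prio, ttl FROM rr WHERE zone = ? "
            "ORDER BY name, type", (zone,)).fetchall()
    except sqlite3.Error as e:                 # DB down or corrupt: keep old file
        raise ExportError(f"database error: {e}")
    problems = [p for r in rows for p in validate(r)]
    if problems or not rows:
        raise ExportError("; ".join(problems) or f"no records for {zone}")
    lines = [f"$ORIGIN {zone}.", "$TTL 3600",
             f"@ IN SOA ns1.{zone}. hostmaster.{zone}. ({serial} 3600 900 1209600 300)"]
    for _, name, rtype, content, prio, ttl in rows:
        rdata = f"{prio} {content}" if rtype == "MX" else content
        lines.append(f"{name} {ttl} IN {rtype} {rdata}")
    return "\n".join(lines) + "\n"


def try_export(rows, zone, serial):
    """Load rows into a fresh in-memory DB and export; zone text or an 'ERROR: ...' line."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO rr VALUES (?, ?, ?, ?, ?, ?)", rows)
    try:
        return export_zone(conn, zone, serial)
    except ExportError as e:
        return "ERROR: " + str(e)          # what the cron job would mail instead of writing


if __name__ == "__main__":
    print(try_export(SAMPLE_ROWS, "example.org", 2003041001))       # refused: bad row
    print(try_export(SAMPLE_ROWS[:4], "example.org", 2003041001))   # zone text
```

In a real cron job the returned text would be written to a temporary file and renamed over the old zone only on success, so a failed export leaves the name server serving the last good data.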