Re: Routingtable vulnerability

2003-05-30 Thread peace bwitchu
The fix has been fixed as 2.4.21-rc4 I believe.  The
original patch by redhat was in 2.4.21-rc3



Peace
--- Peter Billson <[EMAIL PROTECTED]> wrote:
> Thomas,
>   My brother tells me that there has been some discussion about this on
> the kernel list. RedHat's patch was applied to 2.4.21 (plus 2.5.69) but
> people are reporting that the patch breaks other things so it is not yet
> ready for prime time.
>
>   At this point this remains only a theoretical flaw which someone
> noticed while hacking on the kernel. No one has shown an actual exploit.
>
>   Until the kernel hackers can do their thing, there isn't much the
> Debian project can do. You may want to monitor the kernel list for more
> up-to-date information.
>
> Pete
> -- 
> http://www.elbnet.com
> ELB Internet Service, Inc.
> Web Design, Computer Consulting, Internet Hosting
>
> Thomas Hebinck wrote:
> >
> > Hi,
> >
> > is there really nobody who knows anything about this vulnerability?
> > We use Debian Woody as firewall ...
> >
> > Sincerely,
> > Thomas
> >
> > >-Original Message-
> > >From: www-data [mailto:[EMAIL PROTECTED] Behalf Of
> > >[EMAIL PROTECTED]
> > >Sent: Wednesday, May 21, 2003 11:50 AM
> > >To: debian-isp@lists.debian.org
> > >Subject: Routingtable vulnerability
> > >
> > >Due to the fact that I'm only subscribed to two Debian related Mailinglists
> > >(debian-isp and security-announce) I haven't heard of any discussions about the
> > >newly discovered Kernel vulnerability (Routingtables,
> > >http://rhn.redhat.com/errata/RHSA-2003-172.html).
> > >Has this been discussed on Debian-Lists and are there any countermeasures
> > >recommended?
> > >
> > >Best Regards,
> > >Dominik Schulz
> > >






Re: Mail architecture for up 30.000 accounts

2003-05-30 Thread Russell Coker
On Fri, 30 May 2003 19:34, Bart Matthaei wrote:
> >  For software, I would use this:
> >
> >   SMTP: Postfix
>
> Postfix works fine. Sendmail or qmail would do the trick as well. Depends
> on your personal preference.

If you want to run a machine for years on end without needing an urgent 
security-related upgrade then Sendmail will not do the job.

You can install Postfix or Qmail and expect that you can leave them run for a 
few years without incident.

> >   IMAP: Courier
> >   POP3: Courier
>
> Agreed.

Yes, Courier is good.

> >   Authentication and user preferences: MySQL
>
> You should check if both your MTA, IMAP/POP3, and delivery agent (procmail
> for instance) will support MySQL authentication.

I suggest LDAP.

> >   Webmail: IMP
>
> Don't use IMP for a large userbase. IMP is slow and bloated. The interface
> is really slick, but it's a real CPU/MEM hog.

CPU and RAM are getting cheap now.  I was recently involved in moving a large 
ISP from Netscape to open source software.  It had well over 1M accounts, 
over 500,000 accounts that were in active use, and something over 50,000 
accounts in active use for webmail.

When I finished working for them there were two IMP machines in the webmail 
cluster and a third was added later.  One machine could handle the load on 
its own if necessary (although at peak times one machine would be a 
bottleneck).  The machines had 4G of RAM (excessive - 2G would have been 
plenty) and 2 * 1.8GHz P4 Xeon CPUs with Hyper-threading.

Linux 2.4.x doesn't schedule things on hyper-threaded SMP machines as well as 
you may desire, so single-CPU machines are probably better value for money.  
I suggest having machines with a single Athlon or Xeon CPU that's as fast as 
possible for IMP servers.  For 30,000 users then two machines that each have 
a fast Athlon or Xeon CPU and 1G of RAM should do fine.

I'm not strictly advocating IMP here.  But I found it to work fine when I had 
to run it.

One problem with IMP is that you'll want the latest version which needs lots 
of things that aren't in woody.  I ended up making my IMP servers run 
unstable for this.  Also you need PHP 4.3 (or a patched PHP 4.2.3) for 
supporting quotas on the number of messages as well as the size of a user's 
mail box.

Also don't run your webmail and your mail server on the same machine.

> >   Anti-virus: F-Prot
>
> I'm not into Anti-Virus, so I can't help you there.

Amavis.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page





Re: Mail architecture for up 30.000 accounts

2003-05-30 Thread Bart Matthaei
On Fri, May 30, 2003 at 10:33:14AM +0200, Carlos L.M. wrote:
> Hi all,
> 
>  I need a sample of mail architecture for up 30.000
> accounts. Can you help me ??
> 
>  For software, I would use this:
> 
>   SMTP: Postfix

Postfix works fine. Sendmail or qmail would do the trick as well. Depends
on your personal preference.

>   IMAP: Courier
>   POP3: Courier

Agreed.

>   Authentication and user preferences: MySQL

You should check if both your MTA, IMAP/POP3, and delivery agent (procmail
for instance) will support MySQL authentication.

>   Webmail: IMP

Don't use IMP for a large userbase. IMP is slow and bloated. The interface
is really slick, but it's a real CPU/MEM hog.

I'd go for squirrelmail if I were you.

>   Anti-spam: spamassassin

Agreed.

>   Anti-virus: F-Prot

I'm not into Anti-Virus, so I can't help you there.

Cheers,

Bart

-- 
Bart Matthaei [EMAIL PROTECTED] 

There's no sex in struct sockaddr_in ..





Re: Selecting source ip

2003-05-30 Thread Bastian Winkler
hi,

you could use iptables with SNAT to change your source ip.
in combination with the owner match module you could eg match packets
generated by specific pid or uid.

OWNER match v1.2.7a options:
[!] --uid-owner userid     Match local uid
[!] --gid-owner groupid    Match local gid
[!] --pid-owner processid  Match local pid
[!] --sid-owner sessionid  Match local sid
[!] --cmd-owner name       Match local command name

should work for a ping:
iptables -t nat -A POSTROUTING -m owner --cmd-owner ping -j SNAT --to-source a.b.c.d

buz


On Wed, 2003-05-28 at 23:02, Stefan Neufeind wrote:
> Hi,
> 
> when I request a file from a linux box using lynx the source ip of my 
> request is the ip of eth0. But how can I change the source ip to 
> other ips which are also bound to eth0 (via eth0:0 etc.)? Do I need 
> to change the default gate from eth0 to eth0:0 for example? Isn't 
> there a way to just change the source ip for all programs I will 
> execute in my current environment / bash without affecting other 
> programs / tasks?
> 
> Yours sincerely,
>  Stefan
> 





Mail architecture for up 30.000 accounts

2003-05-30 Thread Carlos L.M.
Hi all,

 I need a sample of mail architecture for up 30.000
accounts. Can you help me ??

 For software, I would use this:

  SMTP: Postfix
  IMAP: Courier
  POP3: Courier
  Authentication and user preferences: MySQL
  Webmail: IMP
  Anti-spam: spamassassin
  Anti-virus: F-Prot

Any help is welcome, and sorry for my bad English.




radiusd-freeradius

2003-05-30 Thread ivan-debian-isp
Can anyone briefly summarize the current state of the radiusd-freeradius
packages?  From what I can tell, the packages were withdrawn for
some combination of immaturity/stability/maintainer interest, but there
was also an issue with the rlm_pgsql module linking with SSL - was that
ever resolved?

I'm probably interested in reviving radiusd-freeradius if I'm not
stepping on anyone's toes.

Or have folks switched to other RADIUS servers?  Is there anything else
that authenticates from and logs to MySQL/PgSQL databases?  using the
same schema or a different schema?

-- 
_ivan





Re: Selecting source ip

2003-05-30 Thread Fraser Campbell
On May 30, 2003 05:40 pm, Marc Haber wrote:

> <[EMAIL PROTECTED]> wrote:
> >As someone else already pointed not possible.  You can accomplish this on
> > an app-by-app basis, examples:
> >
> >- telnet and ssh option -b
>
> Which telnet package in Debian stable does have -b?

You might have problems finding one (I did), obviously I remember the -b from 
darker days ;-)

-- 
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Brampton, Ontario, Canada Debian GNU/Linux




Re: Selecting source ip

2003-05-30 Thread Marc Haber
On Wed, 28 May 2003 20:26:51 -0400, Fraser Campbell
<[EMAIL PROTECTED]> wrote:
>As someone else already pointed not possible.  You can accomplish this on an 
>app-by-app basis, examples:
>
>- telnet and ssh option -b

Which telnet package in Debian stable does have -b?

Greetings
Marc


-- 
-- !! No courtesy copies, please !! -
Marc Haber  |   " Questions are the | Mailadresse im Header
Karlsruhe, Germany  | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29




Re: Apache config database generated

2003-05-30 Thread BeerBong

> Dear List,
>
> I was wondering if there are tools/libs which handle the complete
> apache config with all its directives etc.. I found some apache
> virtual host tools which can add  but no tools/libs
> which can do the whole thing except Webmin but that's not something I
> can use.
>
> As Apache is the most used Webserver in the world, there must be some
> good opensource libs/tools there for its configuration file. Some
> CPAN modules handle httpd.conf but those still require me to write
> a lot for just parsing the file.
>
> Maybe I'm just lazy.

Maybe..

create conf.tpl file

# Main Configuration

ServerType standalone
User apache
Group webmaster
...
...
...
[% BLOCK virtual_host %]

  ServerName [% ServerName %]
  [% IF ServerAlias %]ServerAlias [% ServerAlias %][% END %]
  DocumentRoot /usr/web/[% ServerName %]/data
  [% content %]

[% END %]

[% BLOCK simple_virtual_host %]

[% WRAPPER virtual_host %]
  [% INCLUDE standart_log %]
  [% content %]
[% END %]

[% END %]

[% BLOCK perl_virtual_host %]
[% WRAPPER virtual_host %]

RewriteEngine On
#RewriteLogLevel 9
#RewriteLog /tmp/rewrite

PerlPostReadRequestHandler My::ProxyRemoteAddr

  use lib qw(/usr/web/[% ServerName %]/modules);

  [% content %]
[% END %]
[% END %]
...
other BLOCKs of your common config parts
...

[% IF apache_type == 'production' %]
[% PROCESS /usr/local/apache/conf/hosts.tpl %]
[% ELSE %]
[% PROCESS /usr/local/apache/conf/hosts_d.tpl %]
[% END %]

create hosts.tpl file

[% ServerName='www.servername.com' %]

[% WRAPPER perl_virtual_host %]
  [% INCLUDE stat_access %]
  [% INCLUDE standart_log %]
  [% INCLUDE authentication %]
  [% INCLUDE apache_jaf_handler ModuleName='Apache::JAF::Scat' %]
  [% INCLUDE apache_jaf_handler Location='/manager'
ModuleName='Apache::JAF::Scat::Manager' ApacheJAFPrefix='/manager'
ApacheJAFAdditionalTemplates='/manager' %]
  [% INCLUDE mod_rewrite_file_not_exists %]
  [% INCLUDE accel_no_cache %]
[% END %]

...

other host configs

create httpbuild script

tpage --define apache_type="production" ~apache/conf/conf.tpl > ~apache/conf/httpd.conf


tpage is a program from Template::Toolkit package
(http://www.template-toolkit.org)

Restart Apache with httpdbuild && apachectl restart

You can write httpbuild script as database driven... You can do anything...

Sergey Polyakov   aka "BeerBong"
Chief of WebZavod http://www.webzavod.ru
Tel. +7 (8462) 43-93-85 | +7 (8462) 43-93-86
mailto:[EMAIL PROTECTED]





Re: Selecting source ip

2003-05-30 Thread Donovan Baarda
On Thu, 2003-05-29 at 20:34, Bart Matthaei wrote:
> On Wed, May 28, 2003 at 03:30:20PM -0700, brian moore wrote:
> [snip]
> > You could change how it behaves by swapping eth0 and eth0:1, assuming
> > they are both on the same subnet.
> 
> My guess is that linux doesn't decide which interface is closer to the
> destination through the interface number. It depends on your route to the
> destination (default route in most cases) and the subnet of the interfaces.
> 
> For instance, if you have 2 interfaces, eth0 and eth0:1, where eth0 has
> ip 1.1.1.2 netmask 255.255.255.255, and where eth0:1 has ip 1.1.1.3 netmask
> 255.255.255.0, and the default gateway is 1.1.1.1, the ip the kernel will
> pick is 1.1.1.3, and not 1.1.1.2. 
> 
> I could be wrong though :-)

I believe you are right... I have used this trick to force particular
IPs to be used when connecting to other particular hosts.

However, it only works for outgoing connections, not incoming, as
programs by default only bind to the interface IPs, not including any
aliases.

You might also be able to do some tricky stuff using the iproute2 stuff
to bind particular protocols or routes to particular interfaces.

-- 

Donovan Baarda    http://minkirri.apana.org.au/~abo/






Re: Selecting source ip

2003-05-30 Thread Stefan Neufeind
On 28 May 2003 at 15:30, brian moore wrote:

> On Wed, May 28, 2003 at 11:02:27PM +0200, Stefan Neufeind wrote:
> > when I request a file from a linux box using lynx the source ip of
> > my request is the ip of eth0. But how can I change the source ip to
> > other ips which are also bound to eth0 (via eth0:0 etc.)? Do I need
> > to change the default gate from eth0 to eth0:0 for example? Isn't
> > there a way to just change the source ip for all programs I will
> > execute in my current environment / bash without affecting other
> > programs / tasks?
> 
> Not without rewriting the programs.
> 
> In geekese, the programs open their socket with code like this:
> 
> my_addr = sa_zero;
> my_addr.sin_family = AF_INET;
> my_addr.sin_addr.s_addr = INADDR_ANY;
> if ( ( bind( fd, (struct sockaddr *) &my_addr, 
>sizeof(struct sockaddr_in))) < 0 ) {
>  fprintf(stderr,"bind failed\n");
>  exit(1);
> }
> 
> (Pretty standard socket code...)
> 
> The catch is the 'INADDR_ANY', which tells the kernel "hey, just grab
> any handy IP and use that!".  On most systems (not just Linux, most
> Unix systems and probably Windows as well), that means "use the IP
> nearest to the destination", or for single-homed machines, the IP of
> eth0 or whatever your default gateway sits on.
> 
> This value is filled in by the kernel, in other words.
> 
> You could change how it behaves by swapping eth0 and eth0:1, assuming
> they are both on the same subnet.

You mean swapping through which "network card" the traffic goes out, 
right? Hmm, are there kernel patches or something so you can set the 
"right IP" for the current environment? Like setting it in a bash for 
all subsequent programs? So you could have different settings in 
different environments?


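An added example, not code from any poster in this thread: the C fragment quoted above leaves the source address to the kernel through INADDR_ANY, and the per-program alternative is to bind() the socket to one specific local address before connecting. The helper name `source_for` and the addresses 127.0.0.1, 127.0.0.2 and 192.0.2.55 are assumptions chosen so the program runs offline on Linux; a connected UDP socket is used so that nothing is transmitted.

```c
/* Added example: choosing the source address of an outgoing socket. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Report the source address an outgoing socket to dst_ip would use.
 * src_ip == NULL: leave the choice to the kernel (the INADDR_ANY case).
 * src_ip != NULL: bind() to that local address first; port 0 = any port.
 * Returns 0 and writes the dotted-quad source into out, or -1 on error.
 */
int source_for(const char *src_ip, const char *dst_ip, char *out, size_t outlen)
{
    struct sockaddr_in src, dst, got;
    socklen_t len = sizeof(got);
    int rc = -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0)
        return -1;

    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(9);    /* discard port; connect() on UDP sends nothing */
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1)
        goto done;

    if (src_ip != NULL) {
        memset(&src, 0, sizeof(src));
        src.sin_family = AF_INET;
        src.sin_port = 0;
        if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1)
            goto done;
        /* Fails (EADDRNOTAVAIL) when src_ip is not configured on this host. */
        if (bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0)
            goto done;
    }

    /* connect() makes the kernel do its route lookup and fix the source. */
    if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0)
        goto done;
    if (getsockname(fd, (struct sockaddr *)&got, &len) < 0)
        goto done;
    if (inet_ntop(AF_INET, &got.sin_addr, out, outlen) == NULL)
        goto done;
    rc = 0;
done:
    close(fd);
    return rc;
}

int main(void)
{
    char ip[INET_ADDRSTRLEN];

    if (source_for(NULL, "127.0.0.1", ip, sizeof(ip)) == 0)
        printf("kernel-chosen source:    %s\n", ip);
    if (source_for("127.0.0.2", "127.0.0.1", ip, sizeof(ip)) == 0)
        printf("explicitly bound source: %s\n", ip);
    if (source_for("192.0.2.55", "127.0.0.1", ip, sizeof(ip)) != 0)
        printf("192.0.2.55 is not a local address; bind() refused it\n");
    return 0;
}
```

On a host with aliased addresses, passing one of them as `src_ip` gives the per-program selection asked about in the question, which is what options such as ssh's `-b` do internally.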


