Re: Webmail configuration for schools
On Tue, 01 Jul 2003 at 07:35, Ross, Chris wrote:
> I need to provide email access for 13,000 to 14,000 K12
> students. Last school year we used Microsoft
> Exchange

BY GOD, did he really say that?

>
> with extremely
> 1. Postfix with either mysql or LDAP for virtual user delivery.
> 2. Courier-imap with a web interface (squirrelmail, sqwebmail etc.)
> (Courier-imap authentication is the tricky bit.)

Sounds great!

> Since we have been using a SQL database to track user account
> information, I thought that mysql would be the best means of dealing
> with Postfix. It would be trivial to load mysql with the information
> that Postfix needs. My experience with active directory LDAP is not
> great. When using active directory as an LDAP server, it seems like
> there is always more fiddling than there should be. Would mysql hold up
> well in this sort of environment? (load, speed etc.)

Hell, postfix/courier won't even need the database to scale to that (but you will for peace of mind and ease of reporting), it ain't that big. Properly tuned mysql would work very well, postgres would also do the job very well. Hell, I've a 10K accounts system, it runs all of it on a single host with webmail (yeah, I know I push it too hard), and it doesn't even use the database and it's nowhere near saturation. Course, it's a qmail based system, not postfix, but there shouldn't be much of a difference.

> Courier-imap authentication is the big question in my mind. It
> would be great if we could use active directory to do authentication
> here. LDAP authentication probably won't work correctly. There is no
> compatible password available and LDAP bind authentication is
> problematic. Microsoft lets you do an LDAP bind even if your account is
> locked, your password has expired etc. Would Kerberos be a reasonable
> solution? I have no direct experience with Kerberos.

I'm not sure MS Kerberos plays nice with others' Kerberos.

> Would it be possible to authenticate the user by having the courier
> authentication
> daemon request a Kerberos ticket? It is my understanding that the imap
> server would not be granted a ticket if the client credentials were not
> authentic. It would also be possible to set up RADIUS authentication.
> Would RADIUS be a better solution?

USE THE PAM. I mean it, use pam, you'll be able to even do NT domain based authentication (albeit with some tweaking and lots and lots of stress testing). I'd go with SQL authentication+pam, or even courier mysql standard authentication, then dump from the activedir from time to time. You can also use pam and kerberos I think, so you don't need courier to do kerberos itself.

> The only remaining issue is a policy related one. Students and
> or parents have to sign an Internet acceptable use policy for a student
> to get access to the Internet. (The person that has to sign depends on
> the age/grade level of the student.) If they have a signed form, we
> enter this in the SQL database along with their other account info.
> Currently, we provide email accounts to all students. If they don't
> have a signed form, they can only send email internally. Can postfix be
> configured to allow virtual users access to specific domains based on
> the user?

Um... not sure, cool idea though.

Re: closing exims open relay - something to do with the percent hack
On Tue, 01 Jul 2003 at 16:09:38 +0100, Shri Shrikumar wrote:
> Hi,
>
> I just did an open relay test on one of my servers and to my surprise
> found that it is an open relay. In particular, it accepts emails to the
> form of
>
> [EMAIL PROTECTED]
>
> where here.com is a local domain within exim.
>
> I have tried setting
>
> percent_hack_domains=""
>
> but that has not helped. I have also tried adding the line
>

Won't commenting it entirely out (adding # in front of this) help?

> no_relay_match_host_or_sender
>
> as recommended in the docs but I don't actually know what it does.

Little using exim, neither do I.

-- 
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.

Re: mysql admin user problem
Actually this is a very common problem. Either mysql doesn't know about a user called "debian-sys-maint" or it doesn't have localhost permission. Mysql has its own user db independent of the system. You'll need to go into mysql command prompt as root and do a GRANT to create debian-sys-maint and give it whatever access you want it to have. These permissions are host specific so user@'anywhere' is not the same as [EMAIL PROTECTED], blame the regex.

If you already fiddled around with this and it still doesn't work then destroy any references to the user with some REVOKEs or manually beat the db entry and start over. This prob is actually well documented in the MySQL html manual.

At 09:42 AM 7/01/03 +0200, [EMAIL PROTECTED] wrote:
>> Tcp port: 0 Unix socket: /var/run/mysqld/mysqld.sock
>> Time Id CommandArgument
>> 030630 16:59:47 1 Connect Access denied for user:
>> '[EMAIL PROTECTED]' (Using password: YES)

-- 
REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=--
"...ne cede males"
0100

Re: Anyone running Exim 3.3x + Mysql Virtual users?
I had a similar experience, decided to look at postfix and then never looked back.

On Mon, 30 Jun 2003, Dustin Douglas wrote:
> I've got the chance to set up a brand new email server for one of our
> clients, and being the forward thinking sysadmin that I am, I don't
> want to go with the old standby Sendmail, I've got 2 of the beasts
> already, and don't want another.
>
> I've been looking at Exim in Debian Stable and it looks pretty good,
> but I'm getting bogged down trying to get everything configured
> properly, and I want to give Exim a fair shot. I don't want to give up
> on it just because I'm missing something.
>
> So, anyone have any good pointers to cookbook/HOWTO type docs about
> setting up Mysql & Exim with an eye towards virtual users? I've seen
> some guides for Exim 4.1x, but Stable uses the older 3.3x line, and
> I'd very much like to keep the install as stock as possible.
>
> Thanks for any pointers...
>
> Have a good one.

Re: Anyone running Exim 3.3x + Mysql Virtual users?
On Mon, Jun 30, 2003 at 02:40:12PM -0500, Dustin Douglas wrote:
> I've been looking at Exim in Debian Stable and it looks pretty good,
> but I'm getting bogged down trying to get everything configured
> properly, and I want to give Exim a fair shot. I don't want to give up
> on it just because I'm missing something.

I've got that setup running fine since about 6 months. The main stopper is you have to recompile exim from woody to include support for mysql. I hacked up a small script to download the new exim source package, patch the required files and build an exim-mysql .deb so I don't procrastinate security updates for exim.

If you are interested, mail me offlist and I'll send you the scripts and our table setup.

I also use courier-popd with mysql support for the virtual users (no recompiling required here).

bye,
Vinai

-- 
Secure eMail with gnupg: See http://www.gnupg.org/
Please avoid sending me Word, Excel or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

closing exims open relay - something to do with the percent hack
Hi,

I just did an open relay test on one of my servers and to my surprise found that it is an open relay. In particular, it accepts emails to the form of

[EMAIL PROTECTED]

where here.com is a local domain within exim.

I have tried setting

percent_hack_domains=""

but that has not helped. I have also tried adding the line

no_relay_match_host_or_sender

as recommended in the docs but I don't actually know what it does.

Any help in resolving this appreciated.

Shri

-- 
Shri Shrikumar U R Byte Solutions Tel: 0845 644 4745
I.T. Consultant Edinburgh, Scotland Mob: 0773 980 3499
Web: www.urbyte.com Email: [EMAIL PROTECTED]

Webmail configuration for schools
I need to provide email access for 13,000 to 14,000 K12 students. Last school year we used Microsoft Exchange with extremely tight quotas. There are currently ~5500 mailboxes. We had no idea what the utilization was going to be, teachers normally don't pick up new services too quickly and Exchange was the simplest implementation in our environment. They didn't use email at all for half of the year and some schools didn't want to use email at all. Since the usage was not too high, the system held up to load well.

My guess is that the utilization will jump next school year. Pennsylvania will have technology education standards that will have to be met. Email is one of the standards that will have to be dealt with.

We have a native mode active directory implementation. When student accounts are created, we store their information in a SQL database for various uses. Every student has their own account.

I have been looking at a configuration like this:

1. Postfix with either mysql or LDAP for virtual user delivery.
2. Courier-imap with a web interface (squirrelmail, sqwebmail etc.)
   (Courier-imap authentication is the tricky bit.)

Since we have been using a SQL database to track user account information, I thought that mysql would be the best means of dealing with Postfix. It would be trivial to load mysql with the information that Postfix needs. My experience with active directory LDAP is not great. When using active directory as an LDAP server, it seems like there is always more fiddling than there should be. Would mysql hold up well in this sort of environment? (load, speed etc.)

Courier-imap authentication is the big question in my mind. It would be great if we could use active directory to do authentication here. LDAP authentication probably won't work correctly. There is no compatible password available and LDAP bind authentication is problematic. Microsoft lets you do an LDAP bind even if your account is locked, your password has expired etc.

Would Kerberos be a reasonable solution? I have no direct experience with Kerberos. Would it be possible to authenticate the user by having the courier authentication daemon request a Kerberos ticket? It is my understanding that the imap server would not be granted a ticket if the client credentials were not authentic. It would also be possible to set up RADIUS authentication. Would RADIUS be a better solution?

The only remaining issue is a policy related one. Students and or parents have to sign an Internet acceptable use policy for a student to get access to the Internet. (The person that has to sign depends on the age/grade level of the student.) If they have a signed form, we enter this in the SQL database along with their other account info. Currently, we provide email accounts to all students. If they don't have a signed form, they can only send email internally. Can postfix be configured to allow virtual users access to specific domains based on the user?

Re: PPP-= SERVER and RADIUS
On Tue, 1 Jul 2003 16:38, Emile van Bergen wrote:
> Use my RADIUS patch for pppd at http://www.xs4all.nl/~evbergen (supports
> PAP, CHAP, MSCHAPv2, accounting and Framed-IP-Address) or use the
> built-in RADIUS support in portslave. Last time I checked it only
> supported PAP, but this may no longer be true.

Portslave supports CHAP too, accounting, framed-IP-Address, framed-route, filters, and all the usual stuff.

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

Re: Server hacked - next...?
On Tue, 2003-07-01 at 03:07, Jason Lim wrote:
> What would the advantage of mounting /tmp with noexec be??

You won't be able to execute anything that is in /tmp. This would have prevented your attack altogether since the file was being executed from /tmp.

> Definitely looking into running a hardened kernel now... especially after
> all this crap. Only thing that's been holding me back is the amount of
> work it would entail.

The first thing I did for the server is to remove module support. This renders quite a few of the exploits useless. It might be a stopgap solution until you get the hardened kernels deployed.

HTH,

Shri

-- 
Shri Shrikumar U R Byte Solutions Tel: 0845 644 4745
I.T. Consultant Edinburgh, Scotland Mob: 0773 980 3499
Web: www.urbyte.com Email: [EMAIL PROTECTED]

Re: Server hacked - next...?
On Tue, 1 Jul 2003 12:07, Jason Lim wrote:
> > Mount /tmp with noexec
> > Run a hardened kernel like NSA or Grsecurity.
> > etc.
>
> What would the advantage of mounting /tmp with noexec be??

If you have /tmp, /var/tmp, /home, and any other place the user can possibly write to be noexec then it is more difficult for them to increase their access. It won't stop them, but it will make things more difficult.

> Definitely looking into running a hardened kernel now... especially after
> all this crap. Only thing that's been holding me back is the amount of
> work it would entail.

It's not that difficult. The SE Linux sourceforge project has some docs on installing it. For Debian it's reasonably easy, the only difficult parts are compiling a new kernel with support, and writing any necessary policy. The #selinux IRC channel on irc.debian.org can be used for advice.

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

Re: [Urgent] Samba problem
Thanks for your reply. Sure!

===
<< smb.conf >>
[global]
workgroup = WORKGROUP
security = share
encrypt passwords = yes
domain master = yes
ldap suffix = "dc=ezmap,dc=com"
ldap admin dn =cn=root,dc=ezmap,dc=com
ldap port =389
ldap server = localhost
ldap ssl = no
server string = Samba Server %v
log file = /var/log/samba/log.%m
max log size = 50
log level = 50
smb passwd file = /etc/samba/private/smbpasswd
client code page = 950
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no

[webdata]
path = /mnt/hdb2-Public
public = yes
writable = yes
guest ok = no
create mask = 0777

<>
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
schemacheck off
pidfile /var/lib/slapd.pid
argsfile /var/lib/slapd.args
database ldbm
suffix "dc=ezmap,dc=com"
rootdn "cn=root,dc=ezmap,dc=com"
rootpw {MD5}QRU2vXIZVBqiM/sAqpy2qo==
loglevel 128
directory "/var/lib/ldap"
index objectClass eq
access to attribute=userPassword
    by dn="cn=root,dc=olemap,dc=com" write
    by dn="cn=replicator,dc=ezmap,dc=com" write
    by dn="cn=authldap,dc=ezmap,dc=com" read
    by self write
    by * auth
access to *
    by self write
    by dn="cn=root,dc=ezmap,dc=com" read
    by * read

==
<< slapd.conf >>
host 127.0.0.1
base dc=ezmap,dc=com
ldap_version 2
binddn cn=root,dc=olemap,dc=com
bindpw d38ks#9
pam_password exop
=

However, it's working fine when I used proftpd and ssh through ldap auth! I'm NOT sure this error can be imputed to an LDAP problem.

And, when I use netneighbor, I had used a legal account for ldap auth. I passed ldap authentication, but when I copy a file into the share folder, I get:

Can not copy ipsec.txt
The specified network name is no longer available

@@

-- 
Trust & Unique ...
axacheng <[EMAIL PROTECTED]>

Re: Server hacked - next...?
On Mon, 2003-06-30 at 23:41, Russell Coker wrote:
> On Mon, 30 Jun 2003 16:12, Donovan Baarda wrote:
> > In the end it is nearly always easier to re-install than to just clean
> > the system without it, even if the hacker did leave .bash_histories
> > behind that show everything he/she did.
>
> Besides, just because a script-kiddie got in first does not mean that a
> skilled and experienced person didn't follow them. Or maybe a skilled person
> cracked the machine months or years before the script-kiddie...

I almost added that the .bash_history's could have been forged by a more skilled cracker to hide something more subtle...

-- 
Donovan Baarda http://minkirri.apana.org.au/~abo/

Anyone running Exim 3.3x + Mysql Virtual users?
I've got the chance to set up a brand new email server for one of our clients, and being the forward thinking sysadmin that I am, I don't want to go with the old standby Sendmail, I've got 2 of the beasts already, and don't want another.

I've been looking at Exim in Debian Stable and it looks pretty good, but I'm getting bogged down trying to get everything configured properly, and I want to give Exim a fair shot. I don't want to give up on it just because I'm missing something.

So, anyone have any good pointers to cookbook/HOWTO type docs about setting up Mysql & Exim with an eye towards virtual users? I've seen some guides for Exim 4.1x, but Stable uses the older 3.3x line, and I'd very much like to keep the install as stock as possible.

Thanks for any pointers...

Have a good one.

-- 
Dustin Douglas
-- 
Free The Lapland Six!!! http://www.freethelaplandsix.com

Re: Server hacked - next...?
On Tue, Jul 01, 2003 at 10:07:01AM +0800, Jason Lim wrote:
> >
> > As Russell Coker points out, the attacker probably got in through
-snipp-
> DOH... I just posted saying that in my previous email before reading his
> message! Bah... Russell gets credit for it ;-)

Not easy to say who said that first, as my previous mail took a day and a half to get through the list.

> >
> > Mount /tmp with noexec
> > Run a hardened kernel like NSA or Grsecurity.
> > etc.
> >
>
> What would the advantage of mounting /tmp with noexec be??

An attacker can't upload his ptrace or whatever exploit to tmp and execute it. A recent automated attack against Apache (1.3 something) failed because I have /tmp mounted noexec.

Another cool, and hopefully effective restraining of apache and others that I implemented in iptables yesterday:

# This stops apache from connecting to anything else than imap2
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 143 -d localhost \
    -m owner --uid-owner www-data -m state \
    --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner www-data -m state \
    --state NEW -j REJECT

This requires a custom kernel with ipt_owner as module or static.

>
> Definitely looking into running a hardened kernel now... especially after
> all this crap. Only thing that's been holding me back is the amount of
> work it would entail.

I run Grsecurity for /proc restrictions, safer chroot, and protection against kernel exploits like the ptrace bug. That didn't take too long to get running.

Disclaimer: I have not tested any of this in production, as I am a student.

-- 
Frode Haugsgjerd
Norway

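The replies in this thread recommend keeping /tmp, /var/tmp, /home and other user-writable locations mounted noexec. The following is an added example, not part of any message in the thread: it finds the mount that actually holds each path and reports whether that mount carries noexec. The mount table is constructed sample data and the function names are made up for this example; on a live host pass /proc/mounts instead.

```shell
#!/bin/sh
# Added example: audit user-writable paths for the noexec mount option.

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
sample_mounts() {
cat <<'EOF'
/dev/hda1 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hda5 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/hda6 /var ext3 rw 0 0
/dev/hda7 /home ext3 rw,nosuid 0 0
EOF
}

# mount_for PATH MOUNTS_FILE
# Prints "mountpoint options" for the filesystem holding PATH, i.e. the
# longest mount point that equals PATH or is a parent directory of it.
# Later entries win over earlier ones for the same mount point.
mount_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best_len) {
                    best_len = length(mp)
                    best = mp " " $4
                }
            }
        }
        END { if (best != "") print best }
    ' "$2"
}

# has_opt OPTIONS NAME
# Succeeds if NAME is one of the comma-separated OPTIONS (exact match,
# so "exec" never matches "noexec").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_noexec MOUNTS_FILE PATH...
# Prints one line per path and returns 1 if any path allows execution.
audit_noexec() {
    an_mounts=$1
    shift
    an_rc=0
    for an_path in "$@"; do
        an_hit=$(mount_for "$an_path" "$an_mounts")
        if [ -z "$an_hit" ]; then
            echo "UNKNOWN $an_path (no covering mount found)"
            an_rc=1
            continue
        fi
        an_mp=${an_hit%% *}
        an_opts=${an_hit#* }
        if has_opt "$an_opts" noexec; then
            echo "OK      $an_path (on $an_mp: $an_opts)"
        else
            echo "EXEC    $an_path (on $an_mp: $an_opts)"
            an_rc=1
        fi
    done
    return $an_rc
}

# Run the audit against the constructed table.
demo() {
    d_tmp=$(mktemp) || return 2
    sample_mounts > "$d_tmp"
    audit_noexec "$d_tmp" /tmp /var/tmp /home/alice
    d_rc=$?
    rm -f "$d_tmp"
    return $d_rc
}

demo || echo "at least one path allows execution"
```

A directory that is not its own mount point inherits the options of its parent filesystem, which is why /var/tmp is reported through /var here. noexec does not stop a script from being handed to an interpreter, so it is one layer among several, as the replies say.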
Re: Server hacked - next...?
On Tue, 2003-07-01 at 03:07, Jason Lim wrote: > What would the advantage of mounting /tmp with noexec be?? You wont be able to execute anything that is in /tmp. This would of have prevented your attach altogether since the file was being executed from /tmp. > Definitely looking into running a hardend kernel now... especially after > all this crap. Only thing that's been holding me back is the amount of > work it would entail. The first thing I did for the server is to remove module support. This renders quite a few of the exploits useless. It might be a stopgap solution until you get the hardened kernels deployed. HTH, Shri -- Shri Shrikumar U R Byte Solutions Tel: 0845 644 4745 I.T. Consultant Edinburgh, Scotland Mob: 0773 980 3499 Web: www.urbyte.com Email: [EMAIL PROTECTED] signature.asc Description: This is a digitally signed message part
Re: Server hacked - next...?
On Tue, 1 Jul 2003 12:07, Jason Lim wrote:
> > Mount /tmp with noexec
> > Run a hardened kernel like NSA or Grsecurity.
> > etc.
>
> What would the advantage of mounting /tmp with noexec be??

If you have /tmp, /var/tmp, /home, and any other place the user can possibly write to be noexec then it is more difficult for them to increase their access. It won't stop them, but it will make things more difficult.

> Definitely looking into running a hardened kernel now... especially after
> all this crap. Only thing that's been holding me back is the amount of
> work it would entail.

It's not that difficult. The SE Linux sourceforge project has some docs on installing it. For Debian it's reasonably easy, the only difficult parts are compiling a new kernel with support, and writing any necessary policy.

The #selinux IRC channel on irc.debian.org can be used for advice.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
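The check described in the message above (every user-writable location on a noexec mount), as an added example that is not part of the original thread: the function finds the mount point that actually covers each directory and reports whether it carries noexec. The function name `audit_noexec` and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which user-writable directories sit on a filesystem
# mounted without noexec. Input is text in /proc/mounts format.

# Constructed sample mount table (not taken from any real host).
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/hda5 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/hda6 /var ext3 rw,nosuid 0 0
/dev/hda7 /home ext3 rw,nosuid,nodev 0 0'

# audit_noexec MOUNTS_TEXT DIR...
# Prints "DIR MOUNTPOINT STATUS" per directory; STATUS is noexec or EXEC.
# Returns 1 if any directory allows execution, 0 otherwise.
audit_noexec() {
    mounts=$1
    shift
    printf '%s\n' "$mounts" | awk -v dirs="$*" '
        # Record the options of each mount point; a later entry for the
        # same path wins, as a stacked mount hides the earlier one.
        NF >= 4 { opts[$2] = $4 }
        END {
            n = split(dirs, d, " ")
            bad = 0
            for (i = 1; i <= n; i++) {
                best = ""
                for (mp in opts) {
                    # A mount covers the directory if it is "/", the
                    # directory itself, or a leading path component.
                    covers = (mp == "/" || index(d[i] "/", mp "/") == 1)
                    if (covers && length(mp) > length(best)) best = mp
                }
                status = "EXEC"
                if (best != "" && ("," opts[best] ",") ~ /,noexec,/)
                    status = "noexec"
                if (status == "EXEC") bad = 1
                print d[i], best, status
            }
            exit bad
        }'
}

# Demo on the constructed sample; on a live host pass "$(cat /proc/mounts)".
audit_noexec "$SAMPLE_MOUNTS" /tmp /var/tmp /home ||
    echo "at least one directory is on a mount that allows execution"
```

In the sample, /var/tmp is reported as EXEC even though /tmp is noexec, because /var/tmp is covered by the /var mount; this is the gap the message above points at when it lists /var/tmp and /home alongside /tmp.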
Re: [Urgent] Samba problem
Thanks for your reply. Sure!

===
<< smb.conf >>

[global]
workgroup = WORKGROUP
security = share
encrypt passwords = yes
domain master = yes
ldap suffix = "dc=ezmap,dc=com"
ldap admin dn =cn=root,dc=ezmap,dc=com
ldap port =389
ldap server = localhost
ldap ssl = no
server string = Samba Server %v
log file = /var/log/samba/log.%m
max log size = 50
log level = 50
smb passwd file = /etc/samba/private/smbpasswd
client code page = 950
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no

[webdata]
path = /mnt/hdb2-Public
public = yes
writable = yes
guest ok = no
create mask = 0777

<>

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema
schemacheck off
pidfile /var/lib/slapd.pid
argsfile /var/lib/slapd.args
database ldbm
suffix "dc=ezmap,dc=com"
rootdn "cn=root,dc=ezmap,dc=com"
rootpw {MD5}QRU2vXIZVBqiM/sAqpy2qo==
loglevel 128
directory "/var/lib/ldap"
index objectClass eq
access to attribute=userPassword
    by dn="cn=root,dc=olemap,dc=com" write
    by dn="cn=replicator,dc=ezmap,dc=com" write
    by dn="cn=authldap,dc=ezmap,dc=com" read
    by self write
    by * auth
access to *
    by self write
    by dn="cn=root,dc=ezmap,dc=com" read
    by * read

==
<< slapd.conf >>

host 127.0.0.1
base dc=ezmap,dc=com
ldap_version 2
binddn cn=root,dc=olemap,dc=com
bindpw d38ks#9
pam_password exop

=

However, it's working fine when I use proftpd and ssh through LDAP auth! I'm NOT sure this error is due to an LDAP problem.

And when I use netneighbor, I used a legal account for LDAP auth. I passed LDAP authentication, but when I copy a file into the share folder, I get:

Can not copy ipsec.txt
The specified network name is no longer available

@@

--
Trust & Unique ...
axacheng <[EMAIL PROTECTED]>
Re: PPP-= SERVER and RADIUS
Many possibilities: man inittab, man crontab, ip-up/down (man pppd)

Moreover, if you're describing a dial-in box: man mgetty

Hello,

I'm looking for the way to configure a debian box as a PPP-server.

Today, I have to run `pppd call myscript' every time I want someone to connect. What is the way to automatically rerun pppd to accept new connections.

Then, is there any way to use a radius server with pppd?

Thanks a lot.

François
Re: mysql admin user problem
I have had a similar problem some time ago, too. I succeeded by purging* the mysql-packages before reinstalling them.

The reason why you can't stop the mysql-server is obvious: The debian-sys-maint user can't login so the init-script which utilizes this mysql-user can't shutdown the server.

* "apt-get --purge remove mysql-server mysql-common" (I don't know if it's necessary to remove mysql-common, too)

David Wilk <[EMAIL PROTECTED]> wrote on Mon, 30 Jun 2003 17:03:36 -0600:
> Howdy folks,
>
> I have installed mysql a few times (from debian packages) and never had
> any trouble, but this one just stumps me. I installed debian woody and
> mysql on a server. I screwed up /var/lib/mysql trying to copy over some
> databases so I reinstalled mysql to bring things back to normal. I
> removed /var/lib/mysql first of course, but once installed, I would get
> this error when trying to start mysql:
>
> Starting MySQL database server: mysqld...failed.
>
> cat /var/log/mysql/mysql.err gives:
>
> 030630 16:59:46 mysqld started
> /usr/sbin/mysqld: ready for connections
>
> but, cat /var/log/mysql.log gives:
>
> /usr/sbin/mysqld, Version: 3.23.49-log, started with:
> Tcp port: 0 Unix socket: /var/run/mysqld/mysqld.sock
> Time Id CommandArgument
> 030630 16:59:47 1 Connect Access denied for user:
> '[EMAIL PROTECTED]' (Using password: YES)
> 030630 16:59:48 2 Connect Access denied for user:
> '[EMAIL PROTECTED]' (Using password: YES)
> 030630 16:59:49 3 Connect Access denied for user:
> '[EMAIL PROTECTED]' (Using password: YES)
> 030630 16:59:50 4 Connect Access denied for user:
> '[EMAIL PROTECTED]' (Using password: YES)
> 030630 16:59:51 5 Connect Access denied for user:
> '[EMAIL PROTECTED]' (Using password: YES)
> 030630 16:59:52 6 Connect Access denied for user:
> '[EMAIL PROTECTED]' (Using password: YES)
>
> The process list shows 4 mysql processes running (when none were running
> before). '/etc/init.d/mysql stop' does nothing.
>
> I have removed mysql-server, and mysql-client and then removed
> /etc/mysql and /var/lib/mysql before reinstalling both mysql-server and
> mysql-client. yet, still I get these errors.
>
> if anyone has any ideas I'd love to hear them!
>
> thanks,
> Dave
>
> --
> ***
> David Wilk
> System Administrator
> Community Internet Access, Inc.
> [EMAIL PROTECTED]

Mit freundlichen Gruessen / Best regards
Dominik Schulz
Re: Server hacked - next...?
On Mon, 2003-06-30 at 23:41, Russell Coker wrote:
> On Mon, 30 Jun 2003 16:12, Donovan Baarda wrote:
> > In the end it is nearly always easier to re-install than to just clean
> > the system without it, even if the hacker did leave .bash_histories
> > behind that show everything he/she did.
>
> Besides, just because a script-kiddie got in first does not mean that a
> skilled and experienced person didn't follow them. Or maybe a skilled person
> cracked the machine months or years before the script-kiddie...

I almost added that the .bash_history's could have been forged by a more skilled cracker to hide something more subtle...

--
Donovan Baarda http://minkirri.apana.org.au/~abo/
Exim
Hi Guys

Does anyone know how I can have a list of specific local users in a file that will get forwarded to another internal mail server?

Thanks
Craig
Re: PPP-= SERVER and RADIUS
Hi,

On Mon, Jun 30, 2003 at 05:04:29PM +0200, François Chenais wrote:
> Hello,
>
> I'm looking for the way to configure a debian box as a PPP-server.
>
> Today, I have to run `pppd call myscript' every time I want
> someone to connect. What is the way to automatically rerun pppd to
> accept new connections.

To run it behind mgetty or portslave. These will handle the modem part for you and spawn pppd when needed.

> Then, is there any way use radius server with pppd ?

Use my RADIUS patch for pppd at http://www.xs4all.nl/~evbergen (supports PAP, CHAP, MSCHAPv2, accounting and Framed-IP-Address) or use the built-in RADIUS support in portslave. Last time I checked it only supported PAP, but this may no longer be true.

Cheers,

Emile.

--
E-Advies - Emile van Bergen [EMAIL PROTECTED]
tel. +31 (0)70 3906153 http://www.e-advies.nl
Anyone running Exim 3.3x + Mysql Virtual users?
I've got the chance to set up a brand new email server for one of our clients, and being the forward thinking sysadmin that I am, I don't want to go with the old standby Sendmail, I've got 2 of the beasts already, and don't want another.

I've been looking at Exim in Debian Stable and it looks pretty good, but I'm getting bogged down trying to get everything configured properly, and I want to give Exim a fair shot. I don't want to give up on it just because I'm missing something.

So, anyone have any good pointers to cookbook/HOWTO type docs about setting up Mysql & Exim with an eye towards virtual users? I've seen some guides for Exim 4.1x, but Stable uses the older 3.3x line, and I'd very much like to keep the install as stock as possible.

Thanks for any pointers... Have a good one.

--
Dustin Douglas
--
Free The Lapland Six!!! http://www.freethelaplandsix.com
Re: Application
- Original Message -
From:
To: <[EMAIL PROTECTED]>
Sent: Monday, June 30, 2003 3:06 PM
Subject: Re: Application

> Please see the attached zip file for details.
Re: PPP-= SERVER and RADIUS
On Tue, 1 Jul 2003 01:04, François Chenais wrote:
> Then, is there any way use radius server with pppd ?

Portslave.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page