Re: Restoring /etc
G'day,

- Original Message -
From: "Mark Bucciarelli" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 07, 2004 12:17 AM
Subject: Restoring /etc

> I screwed up my /etc directory bigtime. I wanted to put it under CVS to
> maintain a history, but didn't realize that CVS does not honor symbolic
> links. Of course, I didn't backup before rm -rf /etc; cvs co etc. Doh!

I use PRCS, and there are debs. PRCS keeps everything, including empty directories. Its proper branch/merge/rename etc. support means I keep all my machines in the one project as separate branches, and I can merge changes across between them painlessly. It has some limitations, like no network transport (I use rsync instead), but it is ideal for something like this: simple, easy to use, reliable, and nothing more.

Donovan Baarda
http://minkirri.apana.org.au/~abo/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
IIS worms and apache
Is there a debian package wherein the app recognizes IIS worm attacks? Then blocks these IPs in real time? Would also be nice if it'll unblock those IPs after a certain amount of time.

Thanks!

Shannon
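One way to do what Shannon asks for, as an added example (not from the thread, and not a Debian package): scan Apache access logs for the request paths the IIS worms of the day probed for, and keep a block list whose entries expire. The signatures, sample log lines and one-hour TTL are constructed; the firewall call (ipchains or iptables) is left to the reader, and the returned set is what you would feed it.

```python
import re
from datetime import datetime, timedelta

# Request paths that the IIS worms of the period probed for; an Apache box
# never serves them, so any hit is a probe from an infected host.
WORM_PATTERNS = [
    re.compile(r"/default\.ida", re.I),                                    # Code Red
    re.compile(r"/(?:scripts|msadc|_vti_bin|_mem_bin)/.*cmd\.exe", re.I),  # Nimda
    re.compile(r"/(?:scripts|winnt)/.*root\.exe", re.I),                   # Code Red II backdoor probe
]
# Apache common/combined log: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def probes(lines):
    """Yield (timestamp, client_ip, path) for every log line whose path matches a worm signature."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and any(p.search(m.group(3)) for p in WORM_PATTERNS):
            yield datetime.strptime(m.group(2), TS_FMT), m.group(1), m.group(3)

class TemporaryBlockList:
    """Block list whose entries lapse after `ttl`; a repeat probe extends the block."""
    def __init__(self, ttl):
        self.ttl, self.expiry = ttl, {}          # expiry: ip -> datetime at which the block ends
    def block(self, ip, now):
        self.expiry[ip] = now + self.ttl
    def active(self, now):
        self.expiry = {ip: t for ip, t in self.expiry.items() if t > now}
        return set(self.expiry)

# Constructed sample access-log lines (example data, not from the post).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Aug/2004:07:48:29 +1000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276',
    '198.51.100.7 - - [07/Aug/2004:07:50:02 +1000] "GET /index.html HTTP/1.1" 200 1532',
    '203.0.113.5 - - [07/Aug/2004:08:10:45 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '192.0.2.10 - - [07/Aug/2004:08:30:00 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290',
]

def blocked_at(when, lines=SAMPLE_LOG, ttl=timedelta(hours=1)):
    """Replay `lines` up to the log-format timestamp `when`; return the addresses blocked at that moment.
    In a live setup this set is what you hand to ipchains/iptables on each pass over the log."""
    cutoff = datetime.strptime(when, TS_FMT)
    blocks = TemporaryBlockList(ttl)
    for ts, ip, _path in probes(lines):
        if ts <= cutoff:
            blocks.block(ip, ts)
    return blocks.active(cutoff)
```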
[Swiftdsl Network Support #138772]: Mail Delivery (failure adslsupp...@swiftel.com.au)
This is an automatic message to let you know your request of support has been received by our helpdesk and you have been assigned a ticket ID - 138772. Once you have received this confirmation email, you do not need to call again, our clock is ticking and we will respond as soon as possible. The helpdesk target response time is within four (4) business hours.

The above ticket number should be referenced in any written, virtual or verbal communications with Swiftel support relating to the case you have submitted. Please see the text at the end of this message for additional help and tips.

Sincerely,
Swiftel Support Team
[EMAIL PROTECTED]

Swiftel ADSL technical support is Forum based. Many of the questions you may have, have also been asked by many other people. Please visit http://forum.swiftdsl.com.au and join the forum - you can post any question you have there. It's friendly, quick and helpful, and an answer to what you want to know is most likely already there.

Useful Tips:

Under normal circumstances your ADSL connection is 'always on' and the line only drops if you turn off the modem. If your line drops out more than very infrequently the most common cause is some fault with the Telstra line or at the exchange to which your line is connected. However it might also be the case that the settings on your modem are incorrect; even if they are the default settings shipped from the factory. Before reporting your line drop outs as a line/ADSL service problem please take the time to look at the settings that can be changed in your ADSL modem that may make the connection more stable. These are:

1) Set your modem to PPPoA/LLC (rather than PPPoE).
2) Set your modem ADSL modulation to G.dmt (not 'Auto' and not G.dmt/lite).
3) Make sure you have the latest firmware; for instance both Netcomm and D-Link have released firmware updates that help with line drop out problems.

If you have ensured that these settings are correct and that you have the latest firmware then please email us with the line drops you have experienced and we will get the line checked for you.
Can of Worms
Hi

I'm not an ISP but I keep getting this kind of activity on my modem:

+--+
omni:~# tcpdump -i ppp0 | grep unreachable
tcpdump: listening on ppp0
07:48:29.447038 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]
07:48:29.459207 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]
07:48:29.479183 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]
07:48:32.669674 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]
07:48:32.687687 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]
07:48:32.709139 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]
07:48:38.469164 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]
07:48:38.499919 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]
07:48:38.500154 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]
+--+

Omni is my Debian (Woody 2.2.20, ipchains, TrinityOS firewall) gateway for my NATted LAN. I realise I can save bandwidth by ignoring incoming requests, but there aren't that many and it's a convenient method of watching worm activity, mostly I add from within my own dialup pool.

Was curious as to the list's thoughts on some method of email notification back to the IP doing the worm-like port scanning? I assume that the compromised machine's owner is basically clueless as to what is going on. All well and true some tool like AntiVir could be utilized and another user brought a bit more up to lightspeed...

Ross
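As an added example (not Ross's code), a parser for tcpdump lines of the shape above that profiles each probing host: in an "icmp: X tcp port N unreachable" message the sender X is the host refusing the connection, so the ICMP destination is the prober. The thresholds and the final port-80 sample line are constructed assumptions; the first six sample lines are taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# tcpdump 3.x line as in the post: "<time> <us> > <them>: icmp: <us> tcp port <n> unreachable".
# The ICMP goes *to* the host whose SYN the firewall refused, so the destination is the prober.
ICMP_UNREACH = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \S+ > (\S+): icmp: \S+ tcp port (\d+) unreachable")

def parse(lines):
    """Yield (time, prober, port) for every port-unreachable line; other lines are ignored."""
    for line in lines:
        m = ICMP_UNREACH.match(line)
        if m:
            ts, prober, port = m.groups()
            yield datetime.strptime(ts, "%H:%M:%S.%f"), prober, int(port)

def profile(lines):
    """Per prober: distinct ports, number of probes and span of activity in seconds."""
    seen = defaultdict(lambda: {"ports": set(), "times": []})
    for t, prober, port in parse(lines):
        seen[prober]["ports"].add(port)
        seen[prober]["times"].append(t)
    return {ip: {"ports": sorted(p["ports"]), "probes": len(p["times"]),
                 "span_s": (max(p["times"]) - min(p["times"])).total_seconds()}
            for ip, p in seen.items()}

WORM_PORTS = {135, 445}   # Windows RPC and SMB, the pair swept together by the worms of 2003/2004

def suspects(lines, min_ports=3, window_s=60):
    """Probers that hit both RPC and SMB and at least `min_ports` distinct ports within `window_s` seconds.
    A single stray connection to one port never qualifies, which keeps ordinary traffic off the list."""
    return sorted(ip for ip, p in profile(lines).items()
                  if WORM_PORTS <= set(p["ports"]) and len(p["ports"]) >= min_ports
                  and p["span_s"] <= window_s)

# Sample input: the first six lines are from the post; the last one is constructed (a lone port-80 probe).
SAMPLE = [
    "07:48:29.447038 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]",
    "07:48:29.459207 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]",
    "07:48:29.479183 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]",
    "07:48:32.669674 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]",
    "07:48:32.687687 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]",
    "07:48:32.709139 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]",
    "07:48:40.000000 211.26.118.133 > 198.51.100.9: icmp: 211.26.118.133 tcp port 80 unreachable [tos 0xc0]",
]
```

The prober list is the input for whatever notification you decide on; the abuse contact still has to come from whois, which this code does not do.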
postfix, spamassassin and spam ~ blocking cable and adsl modems
We seem to be being hit with in excess of 12,000 spam emails per day from ADSL and cable modems in the US alone. Then we get brute force attacked. The server at times gets somewhat stretched...

What would ppl suggest is the most efficient way to block such addresses? I cannot simply block entire class B's, and blocking individual IPs will probably get out of date... I do not really want to process the email, I want to decrease the load on SpamAssassin by stopping the initial connect. By analysing the mails I am finding they are all spam so I want to block say strings like dsl..swbell.com. Access list? IPtables rule? What would be most efficient?

The goal here is to minimise disk I/O as that is the item being stretched; iostat -x 5 shows over 450% utilisation. Delays are getting to 4+ hours... and they bitch if it's over 5 minutes. I have 4 CPUs and spare capacity on these and I am only using 2.5 gig out of 4 gig of RAM so have spare here. The box only processes incoming SMTP; outgoing takes another route.

At present I am running ext3 on the logging and spool directories but considering ReiserFS, a good idea? Also I am aiming to get more disks as I have only 2, so I can either RAID 0 over the 3 new disks or split the queues to 3 disks, which might be better? Would a SCSI hwraid based cache controller be worth it? If I RAID 0 what stripe size would be a good starting point with ReiserFS?

advice appreciated...

regards

Thing
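An added example of the approach Thing is after, rejecting at the SMTP connection instead of after the mail has been queued and run through SpamAssassin; this is not configuration from the thread, and the hostname pattern and the example-isp.net domain are constructed placeholders to be replaced with the pool naming actually seen in the logs. On Debian the pcre table type needs the postfix-pcre package.

```text
# /etc/postfix/main.cf (added example; pattern file below is constructed)
# check_client_access looks up the connecting client's reverse-DNS name and
# its IP address, so the spool disks never see mail from matching clients.
# With smtpd_delay_reject = no the client restrictions are evaluated as soon
# as the client connects rather than being held back until RCPT TO.
smtpd_delay_reject = no
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access pcre:/etc/postfix/dynamic_clients.pcre,
    permit

# /etc/postfix/dynamic_clients.pcre
# Lookup key is the full client hostname, so anchor the pattern. Replace the
# prefix list and domain with the real dynamic-pool naming from your logs.
/^(?:adsl|dsl|cable|dhcp|ppp|pool)[-.0-9a-z]*\.example-isp\.net$/  REJECT Residential address, please relay through your ISP's mail server
# Postfix presents clients with no reverse DNS as "unknown".
/^unknown$/  REJECT Client address has no reverse DNS
```

Patterns this broad will also refuse the odd legitimate home-run mail server, so check the rejected client names in the mail log for a few days before tightening further.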
Re: IDS
The only problem with tripwire is that u have to set up the snapshot file on write protected media to have true security. If somebody hacks ur box they can just reupdate tripwire themselves and u'll be none the wiser. This can be an administrative hassle to update the snapshot and move it to something write protected (nfs, floppy, cd) everytime u change anything on the system.

What's more is that even if u have it write protected somebody can just hack the tripwire executable to send u dummy alls-well messages while they're infiltrating ur box even more. For this reason every tripwire (or any like package) file needs to also be on the write protected media and preferably run remotely. U can do this by setting up an ultra secure "security box" somewhere on ur network and then mount all file spaces of all ur production boxes on it with nfs or samba or something. That way u can scan the files without regard to whether the box is compromised or not. And obviously if the mount goes down, indicating a possible hacker, alerts would be sent out.

And when u do update the snapshot, don't just do a global update whenever u change /etc/passwd, only update for the files that u actually modified, otherwise some hacker can slide some hacked files into the snapshot if he hacks u at that same time. It's a security race condition.

So in summary, just be paranoid, and think like a hacker.

--
REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=--
"...ne cede males"
0100
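As an added example (not from the thread) of the selective-update point in the last paragraph: a minimal file-integrity baseline where update() refreshes only the paths the administrator names, so a second file that changed at the same time stays flagged. The scenario in demo() is constructed.

```python
import hashlib, os, tempfile

def digest(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(roots):
    """Baseline of every regular file under `roots`: {"roots": [...], "files": {path: sha256}}."""
    files = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    files[p] = digest(p)
    return {"roots": list(roots), "files": files}

def check(baseline):
    """Compare the live tree against the baseline; returns sorted changed/added/removed paths."""
    live, old = snapshot(baseline["roots"])["files"], baseline["files"]
    return {"changed": sorted(p for p in old if p in live and live[p] != old[p]),
            "added": sorted(set(live) - set(old)),
            "removed": sorted(set(old) - set(live))}

def update(baseline, touched):
    """Refresh only the files the admin actually edited; any other change stays flagged next check."""
    for p in touched:
        if os.path.isfile(p) and not os.path.islink(p):
            baseline["files"][p] = digest(p)
        else:
            baseline["files"].pop(p, None)   # a deliberately deleted file leaves the baseline too
    return baseline

def demo():
    """Constructed scenario: two files change at once, the admin refreshes only the one they edited."""
    d = tempfile.mkdtemp()
    passwd, preload = os.path.join(d, "passwd"), os.path.join(d, "ld.so.preload")
    for p, text in ((passwd, "root:x:0:0\n"), (preload, "")):
        with open(p, "w") as f: f.write(text)
    base = snapshot([d])
    with open(passwd, "a") as f: f.write("alice:x:1001:1001\n")     # the admin's own change
    with open(preload, "w") as f: f.write("/tmp/unexpected.so\n")    # a change nobody made on purpose
    update(base, [passwd])
    r = check(base)
    return [os.path.relpath(p, d) for p in r["changed"]], r["added"], r["removed"]
```

A global re-snapshot at the same point would have baselined ld.so.preload too, which is exactly the race described above.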
Re: IDS
> I also want to use something like tripwire to set up file integrity.

apt-cache search tripwire
apt-cache show aide

On Fri, 6 Aug 2004, Tinus Nijmeijers wrote:

> I'm looking at securing a new server.
>
> i'll be using iptables to restrict access and i want to install SNORT to
> watch the network.
> I also want to use something like tripwire to set up file integrity.
>
> however: tripwire seems OLD, last version (2.3.1) is from march 3, 2001
>
> i've also seen AIDE mentioned, same thing, aide version 0.10 is from
> november 2003
>
> is that a problem?
> any other apps I should look into concerning file integrity?
>
> eg:
> -samhain
> -integrit
> -tiger
>
> any experiences?
>
> thanks, tinus
Re: Restoring /etc
On Sat, 7 Aug 2004 00:17, Mark Bucciarelli <[EMAIL PROTECTED]> wrote:
> Is there some clever way I can recreate the /etc dir? (A dpkg-reconfigure
> trick?) Or can I just copy the symbolic links from the working box over
> to the non-working box?

How about the following:

tar cf /tmp/foo.tar `find /etc -type l`

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Restoring /etc
I screwed up my /etc directory bigtime. I wanted to put it under CVS to maintain a history, but didn't realize that CVS does not honor symbolic links. Of course, I didn't backup before rm -rf /etc; cvs co etc. Doh!

I have another Debian stable box and I tried recreating the rc.? and alternatives directories based on this working box, but when I rebooted, the network interface didn't come up. So I missed something.

Is there some clever way I can recreate the /etc dir? (A dpkg-reconfigure trick?) Or can I just copy the symbolic links from the working box over to the non-working box?

Regards,

Mark
who has a habit of learning things the hard way ...
IDS
I'm looking at securing a new server.

i'll be using iptables to restrict access and i want to install SNORT to watch the network. I also want to use something like tripwire to set up file integrity.

however: tripwire seems OLD, last version (2.3.1) is from march 3, 2001

i've also seen AIDE mentioned, same thing, aide version 0.10 is from november 2003

is that a problem? any other apps I should look into concerning file integrity?

eg:
-samhain
-integrit
-tiger

any experiences?

thanks, tinus