Re: phpBB vulnerability exploited

2004-12-13 Thread Boris Pavlov 
better look at your php4 settings: 

limit with php opendir. make another tmp directory, and set php temp dir, 
with all permissions you want. limit the system function, if you don't need 
it. they are a per-vhost apache settings, check the manuals. 

wwell edi 

Fraser Campbell writes: 

On Sunday 12 December 2004 17:46, Marek Podmaka wrote:
  I don't want to give hints on how to exploit this, but the attacker
  did wget the .tgz file, unpacked it in /tmp and run the program. 

  So update all your phpBB installations ASAP (and of course all
  installations of your customers).
On a somewhat related note ... 

I have the habit of mount /tmp with noexec,nosuid,nodev.  I also mount /usr 
and /boot ro.  These minor changes can prevent common automated attacks 
(probably the one you encountered) and don't cause any problems. 

--
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada   Debian GNU/Linux 


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: status of VLAN support in Debian/Linux in general

2004-09-08 Thread Boris Pavlov 
in general, something works with most of the switches that "have vlans", 
but if you do not mix the different brands;)
(no, in fact they aren't standartized in real life.)

check before you buy, if it is possible.
if not - buy one-vendor-only
...and check at least google to see if someone managed to kick your 
supposed configuration working; (_i am NOT joking_)

otherwise, you may run into quite big troubles.
wwell edi
Adrian 'Dagurashibanipal' von Bidder wrote:
Hi,
I've some questions regarding VLAN support in Debian and in Linux. First: is 
 still the main page? Google 
makes me think so, but there are some references to 2.2 kernels and none to 
2.6 kernels, so I'm a bit unsure.

2.6 kernels: are they ready in general? The kernel.org and/or the debian 
kernels? kernel-patch-vlan is only in woody, so I guess recent 2.4 kernels 
don't need patches.

Which ethernet cards are working? I'm interested in both fast ethernet and 
gigabit ethernet.

VLAN is an IEEE standard - is it a real standard, or is it a 'it may work 
with some switches and not work with others'? (The simple format of the 
VLAN tag in the ethernet header makes me hope for the former...)

Debian: Ok, I see there's the package 'vlan', so I guess it contains all I 
need.

(Yes, some of the questions could be solved by experimenting - however, I 
don't have a VLAN capable switch yet. In fact, all I have is a 5 port 10M 
hub, an a couple of Realtek 10M network cards. Go figure...)

greetings
-- vbi

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Ceriftication?

2004-08-30 Thread Boris Pavlov 
and if you are asking for an "official" specific debian-only 
course/test/certificate i think there is not such thing (like redhat's). 
and maybe there will not be, because testing (preparing semi-secret and 
agreement-protected test questions "bank"),  issuing certificates and 
taking money (you can not deal with someone like vue or prometrics)... i 
dunno how this will fit with the debian cotnract 
(http://www.debian.org/social_contract.html) ;)


wwell edi
Adrian 'Dagurashibanipal' von Bidder wrote:
On Monday 30 August 2004 08.36, DJ wrote:
 

Ok, i am sick of windows. But due to the fact that i have been using it
for so long, i still persist with it and dont get to spend as much time
as i would like in linux(too much time fixing windoze.). Is there a
debian course of some description that i can do so that i can get more of
understanding regarding the nuts and bolts of the operating system. I
believe this is what is stopping me from being able to use Debian to its
full potential and finally being rid of the windoze virus.
   

Since you ask about a course, I'm guessing that you'd be willing to spend 
some money.  I'm not aware of anything like it, but if you know some other 
people who might attend such a course, I'd try asking the people listed in 
 if somebody (close to your location) 
would organize such a course.

What you get gratis is, of course, all the information contained on the 
Debian web page etc., but you know this already. To know the nuts and bolts 
of Debian,  is a good starting point - but 
you probably should know quite a lot about Unix and Linux in general before 
you can profit much from this highly Debian-specific information.

For general Linux information, try the top results of this google search: 
 and perhaps you can find a 
page matching your level of knowledge. Just remember when you got your 
first computer and had to learn everything: this will be the same, you'll 
spend lots of time learning things before you feel at home in the system.

greetings
-- vbi

Re: managing syslog

2004-08-27 Thread Boris Pavlov 

Frode Haugsgjerd wrote:
On Fri, Aug 27, 2004 at 06:20:27PM -0400, Stephen Gran wrote:
Hello all,
I am sorry to have to ask this here - it seems like it just should be
working, but it's not, and I am now starting to get frustrated.
At work we have several machines that output a lot of garbage to syslog,
most of which we don't need to see.  The programs responsible for the
garbage are also capable of sending admin emails for alerts, so I thought
that a nice idea might be to have syslog log all of the messages to a
seperate file that we don't logcheck, and look them over if there's an
email or a problem (don't worry - these are non-mission critical type
apps, and are not network accessible, so I am not too worried about
missing a message for a little while).
I can configure the loglevel that the apps log to, fortunately, but it
doesn't seem to be working correctly.  So, if I am logging to syslog
level local7, I add this to syslog.conf as the first uncommented line:
local7.*  /var/log/noisy.log
and hup syslog.  I now see the messages from the apps in noisy.log, but
I still see the chatter in syslog :(  Does anyone see anything obviously
wrong with this, to help save me from tearing hair out?
Thanks,
--
-
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
-
syslog.conf don't work as a filter (check line for line, stop at first match)
like iptables or sisco accesslists do. 
If you stil got the default catch all ine:
*.*;auth,authpriv.none  -/var/log/syslog
in syslog.conf, the messsages goes there too.
--
Frode Haugsgjerd
Norway


stephen,
just give a try to some other syslog daemon (syslog-ng, there is 
official debian package) or, change the logcheck to ignore the garbage.

on some machines , i'm using syslogd only to send the messages over the 
net to other host (with a daily-rotated all-in-one local file, kept 
.gziped few days, just for my paranoia), where syslog-ng captures them 
and then filter etc.

so if you can not change the daemon,you can do it in a similar way.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: imap before smtp grace period timeout ???

2004-07-15 Thread Boris Pavlov 
Konstantin Kostadinov wrote:
but not practical. btw, you can check courier's config settings for a 
much more interesting/exotic method, sending mail via imap. if you so 
desperately want to live (in) interesting times.

wwell edi
[cut]
Oo yes i know this way but the other is interesting ! :)
 

[cut]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Graphical software to control networks

2004-04-15 Thread Boris Pavlov 
Andrew Miehs wrote:
I like to have OpenView under Linux ;-)

Why? What functionality do you need in OpenView that you don't have in
other freeware products. Openview is only expensive... and IF you can
affore openview, you can definitely afford a cheap Sun box to run it on.

YES!:) in fact, not so cheap (6pack of beer or something;), but when you
see the prices for the OV, the box will seem cheap.
[cut]
HP Openview gives you a pretty picture of your network.
BUT its costs a LOT of money, and it is a PAIN to keep updated.
YES!
Spectrum if it still exists was a great product in Enterprise environements,
BUT for a service provider
a) SLOW
b) Unable to deal with different subnet masks on the same interface...
and BOTH had the bad habit of trying to read the complete routing table
YEP!!! my first encounter with this VERY BAD habbit, about 4 years ago,
finished with the comments like "openview is the most expensive way to
overload a router". OV tried to fetch the whole table using SNMP;) and
the fault, in fact, was mine, i did not know about this OV feature - it
is a robust software, and can be very dangerous. but this does not mean
that OV is bugware.and, anyway, this is some kind of standard in the
corporate world. and if it is working under linux,  it means something -
good for linux.
per default from a router... NOT very good if most of your boxes have a
full bgp feed
Cheers
Andrew



BUT: the pretty picture is often needed. sometimes, customers trust OV
and don't trust free/open source things. and the customer pays. but, you
should consider do you need such investment carefully, the term
"nation-wide" may hide behind something easier to maintain that a
mid-sized corporate network. OV is not cheap, there is lots of things to
learn if you want to use it well. BUT: i think that in some situations
it pays back well - but choose carefully. that's why the tryout/demos are;)
boris pavlov
PS anyway, if someone have the time (and reasonable network) to try out
OV on linux, it is good to put back some info about that. Let's not try
to start flames about that;)

Re: Graphical software to control networks

2004-04-15 Thread Boris Pavlov 
hi michelle;
there is something for linux at the openview site, these below seem to 
be linux downloads. you must fill two forms who you are what you are et 
cetera, to get there try first searching for linux (starting from the 
link mentioned 1-2 letters ago) and then click on tryout/demo links).

btw, does anybody tried this?
---cut---   
Linux
»	nnm 7.01 download for the Linux Red Hat AS 2.1 operating system
»	nnm 7.01 installation guide for the Linux Red Hat AS 2.1 operating 
system (pdf)*
»	nnm 7.01 download and installation instructions for the Linux Red Hat 
AS 2.1 operating system (pdf)*
---cut---

greetings,
boris
PS highly interested, if you started to develop such thing.;)

Re: Graphical software to control networks

2004-04-15 Thread Boris Pavlov 
Andrew Miehs wrote:

I like to have OpenView under Linux ;-)


Why? What functionality do you need in OpenView that you don't have in
other freeware products. Openview is only expensive... and IF you can
affore openview, you can definitely afford a cheap Sun box to run it on.


YES!:) in fact, not so cheap (6pack of beer or something;), but when you
see the prices for the OV, the box will seem cheap.
[cut]

HP Openview gives you a pretty picture of your network.
BUT its costs a LOT of money, and it is a PAIN to keep updated.
YES!

Spectrum if it still exists was a great product in Enterprise environements,
BUT for a service provider
a) SLOW
b) Unable to deal with different subnet masks on the same interface...
and BOTH had the bad habit of trying to read the complete routing table
YEP!!! my first encounter with this VERY BAD habbit, about 4 years ago,
finished with the comments like "openview is the most expensive way to
overload a router". OV tried to fetch the whole table using SNMP;) and
the fault, in fact, was mine, i did not know about this OV feature - it
is a robust software, and can be very dangerous. but this does not mean
that OV is bugware.and, anyway, this is some kind of standard in the
corporate world. and if it is working under linux,  it means something -
good for linux.
per default from a router... NOT very good if most of your boxes have a
full bgp feed
Cheers

Andrew







BUT: the pretty picture is often needed. sometimes, customers trust OV
and don't trust free/open source things. and the customer pays. but, you
should consider do you need such investment carefully, the term
"nation-wide" may hide behind something easier to maintain that a
mid-sized corporate network. OV is not cheap, there is lots of things to
learn if you want to use it well. BUT: i think that in some situations
it pays back well - but choose carefully. that's why the tryout/demos are;)
boris pavlov
PS anyway, if someone have the time (and reasonable network) to try out
OV on linux, it is good to put back some info about that. Let's not try
to start flames about that;)




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Graphical software to control networks

2004-04-15 Thread Boris Pavlov 
hi michelle;

there is something for linux at the openview site, these below seem to 
be linux downloads. you must fill two forms who you are what you are et 
cetera, to get there try first searching for linux (starting from the 
link mentioned 1-2 letters ago) and then click on tryout/demo links).

btw, does anybody tried this?

---cut---   
Linux
»	nnm 7.01 download for the Linux Red Hat AS 2.1 operating system
»	nnm 7.01 installation guide for the Linux Red Hat AS 2.1 operating 
system (pdf)*
»	nnm 7.01 download and installation instructions for the Linux Red Hat 
AS 2.1 operating system (pdf)*
---cut---

greetings,
boris
PS highly interested, if you started to develop such thing.;)


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]