Re: Accessing windows share through http
Sure it's feasible, I've done it. Actually these are all good reasons *to* do it this way. U retain more control over who can see what. Call me paranoid. Not knocking smbwebclient, this is just more locked-down. At 09:50 AM 12/27/04 +0100, Leonardo Boselli wrote: This is not feasible for three good reasons: 1. I would need to authenticate the access page so giving a username/password to any possible user, each one with its permissions. 2. I do not know in advance not only the users, but neither what are the possible shares to be used. 3. Even if I knew all the data I would need to know the user password for access to any share ... -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Accessing windows share through http
You can also do it by mounting the share with samba as part of the regular file system. Then it's just another directory under the document root (or alias). If u ask me this is safer than using smbwebclient because I wouldn't trust giving random people free rein into the NT environment. As an added benefit shell users and server daemons can also access the NT share.
Re: What stripe size for mail server?
Ah, ok that changes everything. mailboxes ;) At 12:30 AM 11/11/04 +0100, Marcin Owsiany wrote: If u still need RAID 5 then I would make the stripe size equal to average file size / number of data disks up to no more than 32KB stripe. Since avg file size would be something around 2500 bytes, and we have 5 disks, that would give us a 500 byte stripe. I don't think that is even possible. Since you (happy Adrian??) have lots of small essentially static files the limiting factor will probably be the disk I/O. Optimizing for I/O is a trade off for optimizing for non-wasteful disk usage. To bring down the number of I/O's needed to get a file u want to make the stripe larger. But making the stripe larger can slow down writes and waste space in the form of latent space. If u have 32KB stripes so that almost every file fits in 1 stripe, the leftover space is wasted. So a 2.5KB file written in a 32 KB stripe wastes 30.5 KB. This could be ok if space is no object in the face of fast I/O speed. Given how cheap hard disks are now it could be worth it to err on the large side. The other caveat there is the read-recompute-write cycle of a large stripe. Smaller stripes speed this up. So all in all, for ur microscopic little files, I would make the stripe 4 KB. If ur having trouble with the stripe concept it is identical in practical use to a cluster on a normal partition. RAID:stripe::partition:cluster.
Re: What stripe size for mail server?
Oh yeah ur right. :) The file system itself is written in the stripes and stripe boundaries don't have to correspond to cluster boundaries although I think this would be advantageous. 1 cluster - 1 stripe would be the optimum speed configuration I think.
Re: What stripe size for mail server?
I would say that RAID 5 is probably overkill for a mail queue. Unless ur mail queue is running hundreds of gigabytes and overloading a single disk, a normal single hard drive is sufficient. Based on ur graph it looks like ur queue is under half a gig. If you want redundancy for the mail queue then a RAID 1 (mirroring) will give u everything u need. RAID 5 is for extremely high usage like large file servers and stuff. Adding RAM to beef up the file cache can give u a significant speedup (Ur entire queue can be RAM cache). If u still need RAID 5 then I would make the stripe size equal to average file size / number of data disks up to no more than 32KB stripe.
Re: RAID-1 to RAID-5 online migration?
At 08:07 PM 9/7/04 +0800, Jason Lim wrote: Currently only supports Windows XP, 2000, 2003 I'm guessing since it is completely OS transparent it should work... not that I have used it. I have been wondering about the merits of using OS-transparent RAID solutions as that would allow easy migration between systems. Any thoughts on this? I think the supports line refers to the management software, not the card itself. I can't think of any reason why an OS transparent RAID would cause any problems since it presents itself as a standard IDE controller. Such a RAID could in effect become a modular storage subsystem capable of being shuffled between any system with a PCI slot. Of course I would confirm this with NetCell. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
Re: IDS
At 06:55 PM 8/9/04 -0600, Nate Duehr wrote: Tripwire bills itself as a defensive tool, but if tripwire alerts are going off, it's FAR too late. Better to keep untrusted people out in the first place. Most people spend the majority of their security efforts on that first. Yes. Tripwire etc. is a last desperate line of defense against a silently hacked box becoming a launch pad into the rest of ur network. But if and only if it is implemented securely itself. Meaning like how Nate and I described.
Re: IDS
The only problem with tripwire is that u have to set up the snapshot file on write protected media to have true security. If somebody hacks ur box they can just reupdate tripwire themselves and u'll be none the wiser. This can be an administrative hassle to update the snapshot and move it to something write protected (nfs, floppy, cd) every time u change anything on the system. What's more is that even if u have it write protected somebody can just hack the tripwire executable to send u dummy all's-well messages while they're infiltrating ur box even more. For this reason every tripwire (or any like package) file needs to also be on the write protected media and preferably run remotely. U can do this by setting up an ultra secure security box somewhere on ur network and then mount all file spaces of all ur production boxes on it with nfs or samba or something. That way u can scan the files without regard to whether the box is compromised or not. And obviously if the mount goes down, indicating a possible hacker, alerts would be sent out. And when u do update the snapshot, don't just do a global update whenever u change /etc/passwd, only update for the files that u actually modified, otherwise some hacker can slide some hacked files into the snapshot if he hacks u at that same time. It's a security race condition. So in summary, just be paranoid, and think like a hacker.
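The snapshot-update race described in the post above, as an added Python example (not from the original message and not Tripwire's code): the scanner hashes a mounted tree, treats a missing or empty mount point as an alarm, and re-baselines only the paths the admin names. The directory layout, the function names and the empty-directory mount check are assumptions made for the example.

```python
import hashlib
import os
import tempfile


class MountUnavailable(Exception):
    """The monitored tree is missing or empty, e.g. the NFS/Samba mount dropped."""


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root):
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    # Assumption: an unmounted share shows up as a missing or empty directory.
    if not os.path.isdir(root) or not os.listdir(root):
        raise MountUnavailable(root)
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def verify(root, baseline):
    """Compare the tree against the baseline and report every difference."""
    current = scan(root)
    return {
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def update_selected(root, baseline, changed_paths):
    """Return a new baseline in which only the named paths are re-hashed.

    Every other entry keeps its old digest, so a file that changed at the
    same moment without being named is still reported by verify().
    """
    updated = dict(baseline)
    for rel in changed_paths:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            updated[rel] = hash_file(full)
        else:
            updated.pop(rel, None)  # the admin deleted this file on purpose
    return updated


def demo():
    """Constructed scenario: a planned passwd edit coincides with an unplanned change."""
    with tempfile.TemporaryDirectory() as root:
        files = {"etc/passwd": b"root:x:0:0\n", "bin/login": b"original login\n"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)
        baseline = scan(root)

        with open(os.path.join(root, "etc/passwd"), "ab") as handle:
            handle.write(b"alice:x:1000:1000\n")   # planned change by the admin
        with open(os.path.join(root, "bin/login"), "wb") as handle:
            handle.write(b"replaced login\n")      # unplanned change, same moment

        selective = update_selected(root, baseline, ["etc/passwd"])
        blanket = scan(root)                       # the "global update" shortcut
        return verify(root, selective), verify(root, blanket)


if __name__ == "__main__":
    after_selective, after_blanket = demo()
    print("selective update still reports:", after_selective)
    print("global update reports:", after_blanket)
```

For the scheme in the post to hold, the baseline and this script would live on the scanning host or on write-protected media, never on the machine being checked.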
Re: Problems with a perl script for postfix
That indicates an unquoted string, apparently on line 184. That buglet has apparently been fixed; or u can look in the file urself and fix the quotes. At 06:10 PM 6/17/04 +0200, Carlos L.M. wrote: Bareword DB_AUTO_COMMIT not allowed while strict subs in use at /usr/sbin/postgrey line 184.
Re: spam from an auto-responder
An auto-responder has no way of knowing who or what emailed it. How can u blame him for some spammer emailing it using ur address as a source? It seems like the only recourse is to try to find out who or what was using ur address and blow that person off the net. At 02:52 PM 6/16/04 +1000, [EMAIL PROTECTED] wrote: Could someone please help educate this person.
Re: spam from an auto-responder
The only thing I will grant is that it should only respond once to each email address. Responding repeatedly to the same person is useless and potentially annoying. With all due respect Russell should've suggested that from the get go instead of the bland quit message. ;) At 11:58 PM 6/15/04 -0700, Ward Willats wrote: How can u blame him for some spammer emailing it using ur address as a source? He is the responsible party for mail originated from the pduck.com domain. The minute his auto-responder fired off incorrectly, he became a spammer. When he ignored requests to stop, he became a _willful_ spammer. This is how I can blame him, and why an un-programmable auto-responder is now pretty useless. -- Ward
Re: reject non-English email body messages
At 04:56 PM 5/29/04 +1000, [EMAIL PROTECTED] wrote: There's plans to do so. We've been stopped from doing this as we'd need a different configuration file on spamassassin for every list, and that represents a lot of duplicated work. I don't think looking at a language header will do any good. Not all mailers put in a language code and even if it says en-us that doesn't mean the body will be English. And there will be cases where people with non-English tags will be in fact posting in English. And I would greatly question trying to determine the language by interpreting the message text.
Re: You can start saving now
14MB per session? I haven't admined email for a while so I may be out of touch, but it seems like that server should be able to process gigantic volumes of mail. Not just a lot or even really a lot. What mail setup is it running? Throttling connections is the right way to go though. Spooling in an email should take nearly nothing. On this spamd, spamassassin, etc. capacity thread, it really seems to me that the current generation's whole operating paradigm is outdated. With more and more mail to be scanned, and more rules to be checked, traditional search tactics fail. Linearly scanning for triggers takes forever and the effect just multiplies on itself the more u do it. This spam problem is evolving into one of massive data processing and data mining. So I think we need to update our whole thinking to this new level. Yahoo somehow manages to search the entire Internet in milliseconds for whatever obscure word or phrase we want. They're doing this somehow, and we need to adapt this type of technology to spam recognition. (I know they have rooms of servers to speed this up but the fundamental technology is also superior) Using advanced algorithms like B-trees, hashes, digests, etc. spam tools would be processing emails in microseconds. I don't know if anything out there is using anything like this. If I had the time I would write a tool myself but alas not. I've become interested in pattern matching technology recently since my current programming job involves digesting large quantities of textual data. It's interesting in that with large pattern sets you're in effect no longer matching the pattern to the plain text, but in fact matching the plain text to the pattern set. At 10:29 AM 5/24/04 -0400, Dale E Martin wrote: ?! We have 20 users on our mailserver, hopefully it can handle that load on that hardware... I do think that more RAM is the answer - it takes 14M per concurrent incoming message for the processing time. Once you start swapping you're hosed.
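"Matching the plain text to the pattern set", as an added Python example that is not from the original post and not how SpamAssassin works: an Aho-Corasick automaton built once from all trigger phrases reads each message a single time, however many phrases are loaded. The phrases and the sample message are constructed for the example.

```python
from collections import deque


class PatternSet:
    """Aho-Corasick automaton: every pattern is matched in one pass over the text."""

    def __init__(self, patterns):
        self.goto = [{}]   # per state: character -> next state
        self.fail = [0]    # per state: where to resume after a mismatch
        self.out = [[]]    # per state: patterns that end at this state
        for pattern in patterns:
            self._add(pattern.lower())
        self._link()

    def _add(self, pattern):
        """Insert one pattern into the trie."""
        state = 0
        for ch in pattern:
            nxt = self.goto[state].get(ch)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][ch] = nxt
            state = nxt
        self.out[state].append(pattern)

    def _link(self):
        """Breadth-first pass that computes the failure links."""
        queue = deque(self.goto[0].values())   # depth-1 states fail to the root
        while queue:
            state = queue.popleft()
            for ch, nxt in self.goto[state].items():
                queue.append(nxt)
                fallback = self.fail[state]
                while fallback and ch not in self.goto[fallback]:
                    fallback = self.fail[fallback]
                self.fail[nxt] = self.goto[fallback].get(ch, 0)
                # A pattern that is a suffix of the current match also ends here.
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]

    def search(self, text):
        """Return (start offset, pattern) for every occurrence, case-insensitively."""
        hits = []
        state = 0
        for index, ch in enumerate(text.lower()):
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            for pattern in self.out[state]:
                hits.append((index - len(pattern) + 1, pattern))
        return hits


# Constructed trigger phrases and message body.
TRIGGERS = PatternSet(["viagra", "free money", "money back", "act now"])
SAMPLE = "Act NOW for FREE money back guarantee"

if __name__ == "__main__":
    for offset, phrase in TRIGGERS.search(SAMPLE):
        print(offset, phrase)
```

The scan costs one state transition per character plus the hits reported, so adding more phrases grows the automaton but not the number of passes over the message.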
Re: Jesus Help Me !
Well I'd call that divine sanction for Debian if there ever was one! We should put that one on the flyer! At 06:57 PM 3/24/04 +1100, Tarragon Allen wrote: On Wed, 24 Mar 2004 06:36 pm, Comcast Mail wrote: well... I am confused...I typed Jesus help me live got a website.. I only respond because I am a lost sheep..Do you understand?? ..c Y'know, if you actually go to google and type in jesus help me, the second hit is this mailing list. Go figure.
Re: Fwd: Inconsistency in bonnie++ results for repeated runs
Hmm, that's a sticky widget. Have you tried any other HD benchmarks and gotten similar results? I think we need that to narrow it down to either a Bonnie or hardware issue. It could be that some of ur disks are preparing to die. I have seen that before, a disk that's getting flaky will do strange things. If you can get your ear near the disk or put your finger on it you should be able to tell if it starts thrashing. If it's thrashing when you know it shouldn't, I'd pop that sucker ASAP. If the unnatural thrashing coincides with the throughput drop then I think you have ur culprit. (do this with all the relevant disks of course) Now if the hardware's fine then there's almost no telling where the problem lies without extensive trial and error testing. Russell you might want to make a super debug version of Bonnie that gathers statistics from each step in the pipeline from the application to the platter. I would look very closely at the RAID controller driver. I'm in the middle of a fight right now with Adaptec over file corruption and I eventually narrowed it down to the driver. They want to blame everything except themselves. Incidentally, if ur thinking of upgrading ur storage system check this mugga out: http://www20.tomshardware.com/storage/20030425/index.html Good luck, let me know if you discover anything.
Re: Fwd: Inconsistency in bonnie++ results for repeated runs
Can you tell some more about the hard drive/ controller/ driver setup? My first guess is a driver or caching issue. What is the commonality between the 1-way and 2-way systems? Do you have a host that u've *not* seen this on?
Re: yahoo problems
At 12:37 AM 2/5/04 +1100, [EMAIL PROTECTED] wrote: On Wed, 4 Feb 2004 23:43, brinderpurwaha [EMAIL PROTECTED] wrote: on the chat room whenever i try to access mine or someone else profiles i get a screen saying this user is not available on this url. this is always occuring on every occasion i try to access a users profiles It could be a virus. Have you tried re-installing Windows? Yes, I've seen this virus before. It's called Yahoo-HaaHaa. There's also a Scandinavian variant called Yahoo-Fåne. This is a multi-partite polymorphic stealth virus. It can't be detected or cleaned because it's too clever. Even Linux and BSD are affected. To get rid of it requires a three step process. First delete all your files. Second fdisk your drive. Third reformat your drive with the /s option. This part is important. That will ensure that all copies of the virus have been eliminated and your boot sector reconstructed. Ok, HAHAHAH, in case you haven't realized it yet this is all a joke. Either your browser is misconfigured or you have the wrong url. Either way it's off topic.
Re: Jesus Help Me !
While flaming off topic posts is appropriate, flaming religion is not. By posting ur own rant u are now guilty of the same off topic violation as the original poster. It is clear from the tone of your post that you've been chomping at the bit for a while to write such a religion based rant. You gladly followed the aforementioned troll and in doing so betrayed ur own prejudices. Open foot, insert mouth.
Re: Best Practices: CGI.pm CSS2 ???
Speaking of templates have you considered PHP? I would consider that the ultimate template system and the ultimate customization vehicle. Instead of relying on unreliable client side interpretation of style sheets and javascript you have a controllable environment on the server side. Think about it like this, if you are embedding some html into ur script application use Perl, if you are embedding some scripting into your website use PHP. They have this yin-yang relationship. If you know how to use server side includes then you basically already know how to use PHP. At 07:07 PM 1/2/04 -0600, [EMAIL PROTECTED] wrote: If you want to see a site that uses poor HTML/CSS, view http://www.buybordenmilk.com (it's a site my company designed and we host, so I can slam it if I want). The designer did some good stuff, but she also did absolute positioning with the CSS. Try it at 1280x1024. (We're getting ready to do a re-write). Heh, that site's not *that* bad, I've seen far worse. One page doesn't even show up because of basic html mistakes. Ok no rants today ;)
Re: Best Practices: CGI.pm CSS2 ???
I can tell you some stuff about that right now. CGI.pm is just a quick and dirty module that will save on some typing in your perl script. Emphasis on some. If you're doing anything more than basic html tags it quickly becomes not worth it anymore. Writing tag attributes takes up more time and space than just writing out the html itself. The one thing it's really good for is writing out tables. If you have an array with all your row data you can write something like print Tr( td([EMAIL PROTECTED]) ). That saves a lot of typing. The perldoc has most of the gritty details. Cascading Style Sheets. Deprecated. I have seen so many bad uses of style sheets it makes me want to cry out in anger. So just don't use them unless there's no other way to do it. They are almost guaranteed to cause compatibility problems. The problem is that some bonehead writes a style sheet that makes a webpage look good on *their* computer. To hell with everybody else who doesn't have the same monitor, resolution, fonts, browser, etc. The one thing they are good for is making themes but be careful that it's still legible on other machines. I have them turned off in my browser. At 10:50 PM 12/29/03 -0600, Michael D Schleif wrote: Please, somebody point me to URL's that provide examples and best practices of using CSS2, CGI.pm and XHTML v1.x. -- Best Regards,
Re: Best Practices: CGI.pm CSS2 ???
Heheh, nah no flamewar. Everything you said was strictly speaking true. But at this stage style sheets are like giving a random person off the street a loaded gun. Style sheets can be used to great effect but just be sure u truly know what ur doing. And do testing testing testing. A good regimen would be making sure it looks right in: All used versions of Netscape(47), Opera, IE; Text based browsers(Palm, Lynx); Monitors from 15 to 19; Resolutions from 800x600 to 1600x1200; Various system font sizes from 90-120dpi, handicapped settings can go to 200dpi. These last two have particularly infuriated me. Also make sure the site is still usable with style sheets disabled. Turning off style sheets should not fatally hobble ur website. At 06:05 PM 12/30/03 +0100, Erik Grinaker wrote: For an example of the truly amazing things you can accomplish with css, check out http://www.csszengarden.com/ Just as an aside, the truly amazing things I've seen done with web pages were DHTML.
Re: Best Practices: CGI.pm CSS2 ???
Ah, together. Well there's nothing that I know of that would cause a problem simply by virtue of them being used together. CGI.pm is nothing more than html shorthand so that can't really interfere with anything else, unless there's some bug that spits out bad code. They're pretty much self contained so I wouldn't worry about it. Once you start putting a lot of css attributes into your tags you'll probly want to drop CGI.pm because it's less typing to just do it the old fashioned way. It's no good for anything complex. At 12:53 PM 12/30/03 -0600, Michael D Schleif wrote: Yes, I am quite familiar with all three tools -- separately. I believe that they are all the right choices for my project. However, I do not fully understand how they play together -- and, when they do not play well together ;
Re: duplicating servers - remote backup to HD
Do you mean that you want to send a backup (i.e. tarball) to the remote storage or do you mean that you want to keep a live synchronized copy (rsync) on the remote storage? The former is easier and will probably give u everything u want. I don't really see any need for an rsync unless you want some kind of hot standby setup. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
test 123
-- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
Re: mysql problem
You just can't connect or the daemon doesn't run at all? Is the process running? What does the access/error log say? Did you create a mysql user with network privileges? -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
RE: ISP is just too fascist
At 01:34 PM 8/18/03 +0200, Petrisor Marian wrote: So I have to setup a proxy on my PC that I will go through rather than going directly through my ISP's proxy? I mean the net will be like: PC - MYProxy - ISP's Proxy - Internet ? Yeah. But I don't think I fully understand how this serpentine proxying system you're using works. WinXP? ISP? If you want a way to circumvent their controls we need more details. But if it's just a transfer limit per MAC that you need to get around then you can just setup something to keep changing your MAC (to other legal values of course). Or you can setup a virtual interface, set your NIC to promiscuous mode and have requests sent out with rotating MAC's. As long as you keep it on one segment you'll be able to communicate. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
Re: mysql admin user problem
I can tell you why the purge worked. It destroyed your corrupted MySQL user database. :) At 04:42 PM 7/08/03 -0600, David Wilk wrote: Howdy all, just wanted to say what worked. Dominik's suggestion to 'purge' the mysql packages with apt-get did the trick. One final reinstall had everything working fine. Not sure where the snafu was... -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
Re: Anyone willing to relay for me for a price?
Ah yes, that's right I remember now. This is exactly the kind of situation as to why you shouldn't use CNAME's for MX names or for any official machine name for that matter. CNAME's are just for human convenience, a host should never try to pass itself off by one. Screws up the double reverse lookup. But what ur saying is that there simply is no PTR record for the IP at all. At 01:14 AM 7/09/03 -0400, Jesse Molina wrote: If I remember right, you should never make an MX record direct to a CNAME, for reasons that I can't remember right now. All the same, you are right, I could just make my MX be the PTR and most MTAs would be happy. Unfortunately, the record does not exist, so no help there. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
Re: Anyone willing to relay for me for a price?
But does a PTR record exist? The double reverse lookup should succeed so long as there is a valid A - PTR pair. Regardless of whether it was launched into from another A or CNAME or IP. Unless I'm way off base here, it goes presented name - IP lookup - PTR lookup - IP lookup. If the two IP lookups match, the test is passed. At 07:35 PM 7/08/03 -0400, Jesse Molina wrote: I have similar problems with mail servers that do reverse DNS SMTP session checking. Short of paying for a T1 at $800 USD a month, there is no way that I can get an IP allocation with reverse DNS delegation so that I can make my mail server's MX record match up with the PTR record. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
Re: mysql admin user problem
Actually this is a very common problem. Either mysql doesn't know about a user called debian-sys-maint or it doesn't have localhost permission. Mysql has its own user db independent of the system. You'll need to go into mysql command prompt as root and do a GRANT to create debian-sys-maint and give it whatever access you want it to have. These permissions are host specific so user@'anywhere' is not the same as [EMAIL PROTECTED], blame the regex. If you already fiddled around with this and it still doesn't work then destroy any references to the user with some REVOKE's or manually beat the db entry and start over. This prob is actually well documented in the MySQL html manual. At 09:42 AM 7/01/03 +0200, [EMAIL PROTECTED] wrote: Tcp port: 0 Unix socket: /var/run/mysqld/mysqld.sock Time Id CommandArgument 030630 16:59:47 1 Connect Access denied for user: '[EMAIL PROTECTED]' (Using password: YES) -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
Re:
I think I hear the need for a mySQL enabled mailbox system/mail reader. ;-) At 01:27 AM 8/3/02 +0100, Phillip Baker wrote: Yes, but having a long wait when opening your folder a couple of times a year because you've been away on vacation is another thing entirely to willingly subjecting yourself once (or several times) a day to having to sit and wait for some mailing list folder to open just because you have every email since you joined the list in there still :) -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
Re: Weird stuff
Occasionally subscriber bounce messages get reflected back to the entire list. At 06:46 PM 7/25/02 -0400, Jeremy May wrote: i got this when mailing debian-testing@lists.debian.org No such user: [EMAIL PROTECTED] -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- ...ne cede males 0100
Re: call me
The nomail option was mentioned. I'm not familiar with that, could someone explain how to use it? I assume it means that you are still a member of the list but you are not in the redistribution list. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: call me
I never got a password when I signed up, which was years upon years ago. And what is the URL? Are we even running mailman?? At 07:34 AM 7/12/02 -0400, Joe Block wrote: Go to the administration web page, enter your email address and the password you got sent when you joined the list, and you can set a variety of parameters about your subscription - whether you're in digest mode, whether you get acknowledgements from mailman when it receives a posting from you, and yes, whether that email address actually receives list mail. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: Extended find an replace SOS
Like do you want to replace something in the html files, or alter their names systematically somehow... At 02:33 PM 7/10/02 +0200, Craig wrote: Hi Guys I need to do an extended find and replace for a few .htm files spanning a couple of subdirectories to change some things. Anyone have a quick command to achieve this ? -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: Users deleting public_html and log causing Apache to fail startup
You can make 3 predefined directories for each customer that they can't delete. One htdocs, logs, and stuff or something, for them to put all the non web accessible stuff in. Another thing you can do is create a wrapper script for the Apache startup that checks for the existence of all the essential directories and creates them if missing. At 11:38 AM 7/5/02 +1000, Jason Lim wrote: Since client1/site1 is owned by root, and only client1/site1/cgi-bin and client1/site1/htdocs are owned by the user, the user could only create directories in those 2 directories, and anywhere else they cannot? If that were true, that wouldn't be an optimal solution, because the clients tend to also want to put stuff in directories not accessible by the web at all. Sometimes, for example, they mkdir client1/site1/creditcarddetails or something like that, so it is outside the htdocs directory, but accessible to them via SSH or FTP or something. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
lpr/samba
Hey guys. I've been trying to setup samba to be a print server to Windows clients. However I keep running into error messages and there doesn't seem to be any place in the documentation to find out what the various errors mean. I tried LPRng and CUPS but get basically the same thing. I've got samba showing the printers in network neighborhood. The only way I can get something out of the printer now is cat /dev/lp0. :) Not even lpr filename works anymore. Does anybody know a good documentation/troubleshooting source? Poor documentation is still the one great bane of the Linux world. ;) Thanks. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: [OT] Re: AVI stream
LOL dude! :) If u think I was calling anyone a thief u read something that I didn't type. The idea of what is thievery or allowed use rests solely in the mind of his customers. In this arena whatever *they* say goes. Forgive me if I used overly colloquial meanings of steal and thief. :) At 08:54 AM 3/19/02 +0100, Emile van Bergen wrote: Hi, I really object to the idea that I am a thief if I want to view the streamed content again, or show it to my wife, or if I want to convert it to format Foo for display with player Bar which I happen to like a lot. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: [OT] Re: AVI stream
At 09:29 AM 3/19/02 +0100, Emile van Bergen wrote: In this arena whatever *they* say goes. Not when we're talking about what's criminal and what's not. Yes, that's true, but is irrelevant for his situation. His web hosts are coming to him saying we want X. Whatever X is, whether that's streaming video people can't copy, etc, he has to provide that or they walk. That's why discussions of rightness or wrongness in these situations are moot. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: AVI stream
Sure, any media format can be streamed over Apache. The secret is the use of meta files. The streaming is a function accomplished by the client, not the server. All the so called streaming protocols out there are just glorified TCP/UDP data transfers with some bells and whistles thrown in. If you want something streamed into Media Player you just create a .asx metafile with its contents pointing to the http location of the media. Media player automatically knows how to pace the download. Real Player works on the same principle. An example asx file:
    <ASX VERSION="3">
      <ENTRY>
        <Title>Boss's Speach</Title>
        <Copyright>Copyright Blah</Copyright>
        <REF HREF="http://wherever.com/something.avi" />
      </ENTRY>
    </ASX>
You mentioned copyright issues. It is impossible to keep someone from stealing *any* streamed content if they're determined. It wouldn't take much for someone to take apart your asx file and copy the URL into their browser and simply download it. One thing you can do is configure Apache to only serve the content if the browser id string matches the known media player browser types. This would prevent anyone from accessing the file from Netscape or IE or whatever. You'd have to check your access logs to see what kind of id string it sends. One other thing to consider is that I think, but am not sure, that media player will keep a temp file of content received over http in the system temp directory. You'll have to test it to make sure. I think you can also embed copyrighted material tags in the file itself to tell media player that it can't be saved off. But like I said before, it is flat out impossible to safeguard streamed media from a true hacker. :) So all you will really be doing is keeping away the casual thief. That goes for Real Player too. So how many in your audience are going to think to look in %temp% for a copy of this?? At 11:29 AM 3/18/02 +0100, Michal Novotny wrote: Hello! Is there a chance to stream avi/wma file from Debian box? For now I'm using RealServer for Linux, but (for clients) I need to add support for Windows Media Player (standard player in MS Windows) :-( I cannot use download, but stream. Copyright issues... Could anyone help me? -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: byte counts differ
Never touched IIS, but you never know. If you uploaded the file in text mode, IIS could be translating the LF's into CRLF's. At 07:05 PM 3/14/02 -0700, Kevin wrote: I'm uploading from Linux to an IIS FTP. After the file is sent, if I check the byte count on the remote side and the byte count on the local side they differ slightly. Anyone know why this is? -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: new photos from my party!
FYI, no one bother decoding this, it's not a photo, actually a program/trojan. Malicious no doubt... At 10:24 PM 1/27/02 -0800, [EMAIL PROTECTED] wrote: Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks! begin 666 www.myparty.yahoo.com M35J0``,$__\``+@`0``` M@`X?N@X`M`G-(;@!3,TA5AIR!PF]GF%M -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
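How a mail filter could reach the same verdict as the post above from the uuencode header and the first decoded bytes alone, as an added example that is not part of the original message. The sample attachments are constructed in the code (a bare header stub, not a working program), and the magic-number and extension lists are illustrative assumptions; the first data group of the quoted fragment, `35J0`, decodes to the `MZ` executable signature.

```python
"""Triage a uuencoded attachment from its header and leading bytes; nothing is saved or run."""
import binascii
import re

BEGIN = re.compile(r"^begin\s+([0-7]{3,4})\s+(\S.*?)\s*$")
# Illustrative (assumed) lists, not a complete signature set.
MAGIC = [(b"MZ", "DOS/Windows executable"), (b"\xff\xd8\xff", "JPEG image"),
         (b"GIF8", "GIF image"), (b"\x89PNG", "PNG image")]
RISKY_EXT = (".com", ".exe", ".scr", ".pif", ".bat")


def decode_first_group(chars):
    """Decode one 4-character uuencode group (3 bytes), e.g. the '35J0' in the post."""
    return binascii.a2b_uu(b"#" + chars.encode("ascii") + b"\n")


def make_uu(name, payload):
    """Build a constructed uuencoded attachment for the demonstration."""
    lines = [binascii.b2a_uu(payload[i:i + 45]).decode("ascii")
             for i in range(0, len(payload), 45)]
    return "begin 666 %s\n%s`\nend\n" % (name, "".join(lines))


def leading_bytes(text, want=16):
    """Return (filename, first decoded bytes) of the first uuencoded part, or None."""
    rows = iter(text.splitlines())
    header = None
    for row in rows:
        header = BEGIN.match(row)
        if header:
            break
    if header is None:
        return None
    data = b""
    for row in rows:
        if row.strip() in ("", "`", "end"):
            break
        try:
            data += binascii.a2b_uu(row.encode("ascii") + b"\n")
        except (binascii.Error, UnicodeEncodeError):
            break                      # damaged line: keep what decoded cleanly
        if len(data) >= want:
            break
    return header.group(2), data[:want]


def triage(text):
    """Classify the attachment and list the reasons it deserves suspicion."""
    found = leading_bytes(text)
    if found is None:
        return None
    name, head = found
    kind = next((label for magic, label in MAGIC if head.startswith(magic)), "unknown")
    flags = []
    if name.lower().endswith(RISKY_EXT):
        flags.append("executable-extension")
    if kind == "DOS/Windows executable":
        flags.append("executable-content")
    if name.lower().startswith(("www.", "http")):
        flags.append("name-looks-like-url")
    return {"name": name, "kind": kind, "flags": flags}


if __name__ == "__main__":
    print(decode_first_group("35J0"))
    print(triage(make_uu("www.myparty.yahoo.com", b"MZ\x90\x00" + bytes(60))))
    print(triage(make_uu("party.jpg", b"\xff\xd8\xff\xe0" + bytes(20))))
```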
Re: xinetd /etc/host.deny ALL:PARANOID
Well, the rationale behind this is as you touched on, preventing spoofed address attacks. A paranoid lookup essentially verifies that the connecting system is a known legit host. In effect you're using your DNS system as another level of authentication. Say somebody wants to covertly log on or attack your system, so they give themselves a bogus ip. A paranoid lookup will stop that because there's no DNS entry. (I won't get into the mechanisms of these spoof type attacks) Now for connections originating from the internet this is little help since there are so many ways to spoof traffic/hack/attack/etc. What it can make a difference in is from traffic originating within your own network. Because that is a known entity and paranoid lookups should ALWAYS succeed. I don't know all the details of how it passes or fails you given RR DNS but it does something... At 01:29 AM 1/11/02 +0100, martin f krafft wrote: yes, but *what* exactly does ALL:PARANOID prevent? establishing the authenticity of the domain name is surely a good point, but that's for finger/who/w and co. only because i don't even want to deal with/know about a system administrator that parses logs based on domain names rather than IPs... -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: xinetd /etc/host.deny ALL:PARANOID
At 10:01 PM 1/10/02 -0600, Nathan E Norman wrote: Congratulations ... you just set up your DNS incorrectly. Every PTR entry should resolve to a _unique_ name, and that name should resolve to a _unique_ IP. That doesn't mean you can't have additional A records doing load balancing. To give a POTS analogy, say you have 10 lines coming into your modem bank in a hunt group. That's when you have one number that scrolls over onto all 10 of the lines based on which ones are busy. However, all 10 of those lines have to have individual unique phone numbers even though they are reached through the common hunt group number. They all have unique phone number/circuit id pairs. zone IN 3.2.1.in-addr.ARPA: 4 IN PTR host4.netblk1-2-3.madduck.net. 4 IN PTR host5.netblk1-2-3.madduck.net. I assume you meant to write 5 there. ;) zone IN netblk1-2-3.madduck.net: host4.netblk1-2-3.madduck.net. IN A 1.2.3.4 host5.netblk1-2-3.madduck.net. IN A 1.2.3.5 zone IN madduck.net: mail.madduck.net. IN A 1.2.3.4 IN A 1.2.3.5 Not all A records need PTR records. It never fails to amaze me how many people don't understand this. This is sort of the function of canonical names. Other names for the IP besides the absolute name (or Loopback name in our parlance). But CNAME's are deprecated for other reasons. I personally never had any problems using them. All the people who say but I don't control the reverse for my IP(s) don't understand the issue ... it's up to the registered contact for the block to make sure reverse resolution works. Of course that means resolving to A records that the contact also controls. This is all spelled out in the RFCs and best practice documents. It has been possible for some time now to allocate really really small IP blocks. I had a /27 allocated to me in ARIN once. I controlled my own reverse lookups that way. I don't know how small they will go though. 
-- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: xinetd /etc/host.deny ALL:PARANOID
At 06:01 AM 1/11/02 +0100, martin f krafft wrote: okay, why libwrap then? Once the network is compromised, it makes no difference what's on the box. If done properly, the compromised network is indistinguishable from the uncompromised network. That box is totally on its own. :) /29, although i've seen /30's. problem is that with that much of a subnet, you are wasting a lot of IPs. the efficiency in terms of IP usage for /30 is 50%!!! Come on... there are only 4 ip numbers in a /30!!! The only conceivable use for a /30 is as a point-to-point. /29 maybe for cable modem LANs... -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: xinetd /etc/host.deny ALL:PARANOID
At 04:22 AM 1/11/02 +0100, martin f krafft wrote: a bogus IP won't even make it past OSI layer 4 on debian... rp_filter... There are ways of doing it such that the box has NO WAY of knowing that the traffic is spoofed. Granted, that is hard to do. Even paranoid lookups can be overcome. But it's just one more layer of defense and one more thing an attacker has to contend with. interesting signature. serious or not? But of course. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
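The lookup sequence discussed in this thread and in the earlier relay thread (presented name, IP lookup, PTR lookup, IP lookup), modelled over inline records as an added example; it is not code from the posts or from libwrap. The records are constructed from the zone fragments quoted above, with the duplicated `4 IN PTR` line kept in one variant, and `smtp.madduck.net` and `1.2.3.9` are hypothetical additions.

```python
"""Forward-confirmed reverse DNS ("double reverse lookup") over inline zone data."""

# Constructed records modelled on the zone fragments quoted in the thread.
A_RECORDS = {
    "host4.netblk1-2-3.madduck.net": ["1.2.3.4"],
    "host5.netblk1-2-3.madduck.net": ["1.2.3.5"],
    "mail.madduck.net": ["1.2.3.4", "1.2.3.5"],    # round robin, no PTR points at it
}
CNAMES = {"smtp.madduck.net": "mail.madduck.net"}  # hypothetical alias
# As posted: both PTR lines sit on owner "4", so 1.2.3.5 has no PTR at all.
PTR_AS_POSTED = {"1.2.3.4": ["host4.netblk1-2-3.madduck.net.",
                             "host5.netblk1-2-3.madduck.net."]}
# Corrected: one PTR per address.
PTR_CORRECTED = {"1.2.3.4": ["host4.netblk1-2-3.madduck.net."],
                 "1.2.3.5": ["host5.netblk1-2-3.madduck.net."]}


def canon(name):
    """Lower-case a name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def forward(name, max_hops=8):
    """Resolve a name to A records, following CNAMEs a bounded number of times."""
    name = canon(name)
    for _ in range(max_hops):
        if name in CNAMES:
            name = canon(CNAMES[name])
        else:
            return A_RECORDS.get(name, [])
    return []                                      # CNAME loop or chain too long


def paranoid_check(ip, ptr_zone):
    """IP -> PTR name(s) -> A lookup; each PTR name must map back to the IP."""
    names = ptr_zone.get(ip, [])
    if not names:
        return "no-ptr"
    confirmed = [n for n in names if ip in forward(n)]
    if len(confirmed) == len(names):
        return "pass"
    # "partial": a checker that sees only one of the PTR names would pass or
    # fail depending on which name the resolver happened to hand it.
    return "partial" if confirmed else "mismatch"


def presented_name_check(name, ip, ptr_zone):
    """Presented name -> IP lookup -> PTR lookup -> IP lookup."""
    if ip not in forward(name):
        return "name-does-not-resolve-to-peer"
    return paranoid_check(ip, ptr_zone)


def report():
    """Run every sample address through both PTR variants."""
    rows = []
    for label, zone in (("as posted", PTR_AS_POSTED), ("corrected", PTR_CORRECTED)):
        for ip in ("1.2.3.4", "1.2.3.5", "1.2.3.9"):
            rows.append((label, ip, paranoid_check(ip, zone)))
    return rows


if __name__ == "__main__":
    for label, ip, verdict in report():
        print("%-10s %-8s %s" % (label, ip, verdict))
    # A name reached through a CNAME and a round-robin A set still passes,
    # because only the peer address has to survive the round trip.
    print(presented_name_check("smtp.madduck.net", "1.2.3.5", PTR_CORRECTED))
```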
Re: netscape or what ?
Unfortunately neither Netscape nor IE is very stable. Opera and Mozilla are the only others that I know of. You can always just turn off Javascript. :) Maybe your system is unstable. At 07:37 PM 1/8/02 +0100, [EMAIL PROTECTED] wrote: what do you use to browse the internet without problems ? (and don't tell me lynx because it supports neither java nor all the other things !!!) I have tried both netscape and opera and with both I have problems on most sites, so I end up having to view them with IE (under W$) -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: LinkWalker
Bwahahaha!! Man, that is low. Advertising to sysadmins through the access logs Sheesh. But now that you mention 7-24, I think I recognize that. I think they are a spam marketing outfit. At 02:31 PM 1/7/02 -0800, Nathan Strom wrote: Personally, I think this is a rogue organization -- there was an entry from this spider in our logs coming from a Seven24 IP with a HTTP referrer of www.adultinterracialsexvideos.com/interracialsex/interracialgroupsexsen.html. Needless to say, we do not run an adult web site and that referrer site does NOT have a link to us. Likely Seven24 is trying to clutter people's logs with references as a form of advertising. -- REMEMBER THE WORLD TRADE CENTER ---= WTC 911 =-- 0100
Re: LinkWalker
You should be able to tell if it cares about robots.txt by looking in the logs to see if it's downloading /robots.txt. If it is then something like:

User-agent: LinkWalker
Disallow: /

will keep it off your site. If it doesn't, then iptables will keep it away. Robots info: http://www.global-positioning.com/robots_text_file/index.html The fact that it downloads binaries too makes me think it's a site sucker and not a legit spider. At 12:30 PM 12/23/01 -0800, Nick Jennings wrote: On Sun, Dec 23, 2001 at 09:17:54PM +0100, Russell Coker wrote: I wasn't aware that there was any format to robots.txt, I thought that the mere presence of such a file would prevent robots from visiting. ---=REMEMBER THE WORLD TRADE CENTER=--- ___/` WTC 911 `\___ 0100
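The log check described in the message above, as an added example that is not part of the original post: it reads Combined Log Format lines and reports, per user agent, whether the agent fetched /robots.txt and whether it kept requesting pages afterwards. The log lines are constructed, and `GrabAll/0.1` and `ExampleBot/1.0` are invented agent names; only the LinkWalker name comes from the thread.

```python
import re
from collections import defaultdict

# Combined Log Format:
# host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Extensions counted as "binaries" (an assumption; adjust to your site).
BINARY_EXT = (".zip", ".gz", ".tgz", ".exe", ".iso", ".deb", ".rpm", ".bin")

# Constructed sample, in chronological order. Documentation IP ranges only.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Dec/2001:12:00:01 -0800] "GET /robots.txt HTTP/1.0" 200 42 "-" "LinkWalker"
198.51.100.7 - - [23/Dec/2001:12:00:05 -0800] "GET /index.html HTTP/1.0" 200 5120 "-" "GrabAll/0.1"
198.51.100.7 - - [23/Dec/2001:12:00:06 -0800] "GET /pub/tool.tgz HTTP/1.0" 200 901120 "-" "GrabAll/0.1"
198.51.100.7 - - [23/Dec/2001:12:00:09 -0800] "GET /pub/cd.iso HTTP/1.0" 200 681574400 "-" "GrabAll/0.1"
203.0.113.5 - - [23/Dec/2001:12:01:00 -0800] "GET /robots.txt HTTP/1.0" 200 42 "-" "ExampleBot/1.0"
203.0.113.5 - - [23/Dec/2001:12:01:02 -0800] "GET /private/a.html HTTP/1.0" 200 900 "-" "ExampleBot/1.0"
192.0.2.77 - - [23/Dec/2001:12:02:00 -0800] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 5.5)"
this line is not a log entry
""".splitlines()


def robots_report(lines):
    """Return {agent: summary} describing each agent's robots.txt behaviour.

    Lines are assumed to be in time order, so "after" means "later in the
    file". The User-Agent header is self-declared and can be forged, which
    is why the source hosts are reported alongside it.
    """
    agents = defaultdict(lambda: {"robots_line": None, "requests": 0,
                                  "after_robots": 0, "binaries": 0,
                                  "hosts": set()})
    for n, line in enumerate(lines):
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # not in the expected format
        a = agents[m["agent"]]
        a["hosts"].add(m["host"])
        path = m["path"].split("?", 1)[0]
        if path == "/robots.txt":
            if a["robots_line"] is None:
                a["robots_line"] = n      # remember the first fetch
            continue
        a["requests"] += 1
        if path.lower().endswith(BINARY_EXT):
            a["binaries"] += 1
        if a["robots_line"] is not None:
            a["after_robots"] += 1

    report = {}
    for agent, a in agents.items():
        if a["robots_line"] is None:
            verdict = "never-read"            # robots.txt cannot stop it
        elif a["after_robots"] == 0:
            verdict = "read-then-stopped"     # consistent with obeying Disallow: /
        else:
            # Only a violation if the rules in force disallowed those paths
            # for this agent at the time.
            verdict = "read-then-continued"
        report[agent] = {"verdict": verdict, "requests": a["requests"],
                         "after_robots": a["after_robots"],
                         "binaries": a["binaries"],
                         "hosts": sorted(a["hosts"])}
    return report


def suspects(report):
    """Agents that pulled binaries without stopping at robots.txt."""
    return {agent: r["hosts"] for agent, r in report.items()
            if r["binaries"] > 0 and r["verdict"] != "read-then-stopped"}


if __name__ == "__main__":
    rep = robots_report(SAMPLE_LOG)
    for agent, r in rep.items():
        print(f'{r["verdict"]:20} {r["requests"]:3} req  {agent}')
    print("review for packet-filter block:", suspects(rep))
```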
Re: rogue Chinese crawler
The best way would be to block it at your router with an access list. Blocking it at the box is ok too but that takes a little bit of your resources. And you have to do it on each box on your network you want protected. The router block will protect your entire network in one fell swoop and cost your boxes no resources. You can block just his ip address with a deny statement, or if he's scanning from multiple ip's you can chunk his whole network. But that ip (139.175.250.23) is under a huge Seed-net /16. You might end up blocking legitimate traffic. You can try to guess his local subnet mask and block that, like a /27 or something. On a related topic I've been receiving an enormous amount of spam coming through Asian mx's. Is there any effort underway to try and get these people to lock down their networks? We've got a bunch of rogue mailservers over there. At 05:32 PM 11/23/01 +, Martin WHEELER wrote: Is anyone else having problems with the robot from openfind.com.tw -- an intrusive, irritating, hard-to-get-rid-of crawler that completely paralyses my system *every day*? Despite what I put in any robots.txt, this one disregards all rules and just jams up my system, downloading every damn' thing in sight. Mails to the owners are totally disregarded. Anyone know of a sure-fire robot killer under woody? Who should this thing be reported to to get it stopped? PS, the first time around I accidentally only sent this to debian-security. :) ---=REMEMBER THE WORLD TRADE CENTER=--- ___/` WTC 911 `\___ 0100
Re: connecting to an ISP which runs windoze NT
There are proprietary Microsoft login schemes that they might be using. I'd call them up and ask. If you can't connect then they are not PPP compliant. If it's asking for any domain information that would be a tipoff. You can always try sniffing the login sequence. Try sniffing from both Linux and Windows. Also were you able to directly dial in with a terminal program and receive an IP address? Another possibility is that they have your account screwed up. At 05:09 PM 9/3/01 -0700, Paul Scott wrote: Hi, I'm trying to connect to my ISP which runs on NT. I have tried several configurations with pppconfig and verified a lot with minicom. I believe I have the correct combination of username and password since other variations of username which include the ISP domain as suggested by things I have read all give invalid username/password. The response I get with the logical choice of username and password give me Requested Service Denied. The default response to CONNECT is \d\c which I have tried as well as CLIENT which was suggested by http://axion.physics.ubc.ca/ppp-linux.html I have tried both PAP and CHAP and static and dynamic DNS. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: Suspect Web Server has been hacked :(
I think it's probably too late for that. The only way to be 100% about your disinfected system is to fdisk it and rebuild from scratch. You can save your config files and data files, if you're sure they too haven't been altered. But say somebody relaxed an obscure security setting in some config file that will make it easy for them to get right back in. The only sure fire way of detecting what was done is to use something like tripwire to take a snapshot of the system *before* it goes online again. Then save that snapshot off-system on write protected media. Like a floppy disk with the write protect tab set or a CD. Then do a nightly comparison of the system to the snapshot. But keep in mind that the comparison software itself can be hacked so it should run off-system too. Periodically do manual scans, because if you just have a cron job running to alert you to intrusion, somebody can just change the crontab to send you bogus alls-well status reports, when in fact the thing ain't even running!! At 09:34 AM 8/30/01 +0200, Craig wrote: Hi debian fellas I need to know if there is any software for debian to detect the presence of backdoors or rootkits. I suspect that our old debian web server has been compromised. ..Craig ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
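The snapshot-and-compare routine described in the message above, as an added example (not tripwire and not code from the original post): it records a SHA-256 and permission bits for each file, stores the baseline together with a digest meant to be kept off the machine, and reports added, removed and changed files. The directory tree and file contents in `demo()` are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Describe one file: type, permission bits and a SHA-256 of its content."""
    st = os.lstat(path)                          # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        kind = "link"                            # hash the link target, not the file behind it
        digest = hashlib.sha256(os.readlink(path).encode()).hexdigest()
    elif stat.S_ISREG(st.st_mode):
        kind = "file"
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    else:
        kind, digest = "other", None             # devices, sockets: mode only
    return {"type": kind, "mode": stat.S_IMODE(st.st_mode), "sha256": digest}


def snapshot(root):
    """Walk root and return {relative path: record} for every file under it."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = file_record(full)
    return snap


def save_baseline(snap, path):
    """Write the snapshot as JSON and return the SHA-256 of that file.

    The file belongs on write-protected media; the returned digest is what
    you record somewhere away from the machine.
    """
    blob = json.dumps(snap, sort_keys=True, indent=1).encode()
    with open(path, "wb") as fh:
        fh.write(blob)
    return hashlib.sha256(blob).hexdigest()


def load_baseline(path, expected_digest):
    """Load a baseline, refusing it if the file no longer matches its digest."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if hashlib.sha256(blob).hexdigest() != expected_digest:
        raise ValueError("baseline file has been modified")
    return json.loads(blob)


def compare(baseline, current):
    """Return the paths added, removed or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def _write(path, text, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a small tree, alter it, then compare."""
    with tempfile.TemporaryDirectory() as system, \
            tempfile.TemporaryDirectory() as media:
        _write(os.path.join(system, "etc/httpd.conf"), "AllowOverride None\n")
        _write(os.path.join(system, "etc/crontab"),
               "0 3 * * * root /usr/local/bin/check\n")
        _write(os.path.join(system, "bin/ls"), "original binary\n", 0o755)
        baseline_path = os.path.join(media, "baseline.json")  # stand-in for the CD
        digest = save_baseline(snapshot(system), baseline_path)

        # Changes made after the baseline was taken.
        _write(os.path.join(system, "etc/crontab"),
               "0 3 * * * root /bin/echo all is well\n")       # edited cron job
        os.chmod(os.path.join(system, "etc/httpd.conf"), 0o666)  # relaxed mode
        os.remove(os.path.join(system, "bin/ls"))
        _write(os.path.join(system, "bin/.hidden"), "unexpected\n", 0o755)

        return compare(load_baseline(baseline_path, digest), snapshot(system))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The comparison is only as trustworthy as the interpreter and libraries it runs on, which is the message's reason for running it from outside the suspect system.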
Re: FTP thro' firewall
The WS FTP thingy you're referring to is for going through proxies. Some folks just don't know the difference between firewalls and proxies. :) To do this just set up port forwarding on the firewall. Use ipchains or something and only allow ftp connections from your known boxes to pass through. Allow nothing from the jungle side. You should then be able to transparently connect to the outside world. At 12:58 PM 8/28/01 +, Martin WHEELER wrote: Given a small local network, with nodes using a variety of OSes (Winx; SuSE; Debian), and a firewall using Mandrake SNF, how does one FTP thro' the firewall (safely) from one of the Debian (kernel 2.2.19) nodes? Or is this a complete no-no? Apparently the Win version of WS FTP has some sort of arrangement to allow this -- I can't seem to find any documentation to allow it under Debian 2.2r3+testing. Any help appreciated. -- Martin Wheeler -StarTEXT - Glastonbury - BA6 9PH - England [EMAIL PROTECTED] http://www.startext.co.uk/ www.gateway.gov.uk -- the UK government's £18M Microsoft-only website -- all your government database are belong to us -- Nice sig. :) Er, I mean Zig. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: FTP thro' firewall
Are you also permitting the ftp-data port to go through? Ftp is 21, and I sorta forget the number for ftp-data. :) At 10:32 PM 8/28/01 +, Martin WHEELER wrote:

230 User logged in, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 /u/x/x/x/ is current directory.
ftp> cd docs
250 CWD command successful.
ftp> ls
200 PORT command successful.
. . . . .
425 Can't build data connection: Operation timed out.
ftp>

Huh? [snip] ISP (UK's biggest) now claims that Un*x is not supported by them; and on being upbraided at supporting only Evil Empire boxen, responded : At the end of the day, all things said and done, it is _the_ standard, isn't it?. Gawdelpus. ] LOL!, Ya, the standard. The standard for lamers who don't know what they're doing. Ever hear of the three monkeys? Hear no evil see no evil speak no evil. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: Anyone know what this file is?
I found a reference to it in a zsh changelog. It appears to be a C directive but as to why it's showing up in weblogs... maybe bad code? :) Here's the URL: http://www.bme.jhu.edu/resources/whitaker/doc/zsh-doc-3.1.6dev22/Documentation/ChangeLog And the excerpt:

2000-01-19 Peter Stephenson [EMAIL PROTECTED]
* Sven: 9373: Src/Modules/parameter.c: missing keys with special parameters.
* Sven: 9371: Completion/Core/_files, Completion/Core/_path_files, Doc/Zsh/compsys.yo: file-patterns style for overriding choices for file completion built into completion functions.
* Sven: 9370: Src/text.c: missing tstack initialisation.
* pws: 9367: Src/cond.c, Src/parse.c, Test/04redirect.ztst, Test/07cond.ztst: fixes for 9332: `[' tests didn't work, skipping conditions with `' and `||' didn't work, always use WC_END marker to terminate code.
* Tanaka Akira: 9360: Completion/User/_cvs: new -C option to cvs update, better descriptions.
* Tanaka Akira: 9359: Completion/Debian/_apt, Completion/Base/_regex_arguments: argument handling for apt-cache.

At 08:20 AM 8/19/01 -0400, Peter Billson wrote: Hey all, I am getting requests for a file named: __wc_end_ in my Web server logs. Anyone know what this file is? Code Red makes me think this is another Windoze exploit that I am unaware of. A search on google only returns a handful of results and they are all server stats with this file being requested but not found. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: sniffer
Larry, that's a good solution but it was a little cryptic on the explanation. Let me expound some for Ann's benefit. Ann, what we're talking about is using the console on the router to do all administration, and *never* telneting to it. But physically going to all the routers and setting up a laptop is a little cumbersome. The solution is to essentially set up a totally independent serial network for the administration of the routers and switches. A serial cable is run from the console port on the router back to a central, and *heavily secured*, server. The server has to have at least as many serial ports as you have routers so you might need to buy a serial card, like Cyclades or Comtrol or something. Comtrol supports 128 serial ports per box, last time I checked. With all this hooked up, each tty on the server corresponds to a specific router. Now just fire up your favorite terminal emulator and you can open a serial connection to any router you want. And since you're ssh'ed into the server, no one can see what you're doing or steal passwords. If you want it even more secure, don't put the server on the network at all. If this server is in a convenient location you can just walk over to it and log on its console for the ultimate in unsniffable security! There is another option that Cisco and some switches support called AAA (triple-A) authentication. I forget what it stands for but basically you're offloading the authentication from the router to a remote server called an ACE server. That stands for Access Control Encryption. It's made by a company called Security Dynamics (recently acquired by RSA). To access something protected by AAA auth you have to have a physical card that generates auth tokens. To log in you type in the token from the card plus a PIN. The router sends this information back to the ACE server and if it's valid lets you access the resource. This method is extremely secure because there's essentially no fixed password to steal!
Even if someone sniffs your PIN they still can't get in because they don't have the card. If they steal the card it's useless without your secret PIN! Combine AAA with ssh and you have a nearly impregnable line of security. At 02:21 PM 8/14/01 -0400, Larry Morrow wrote: Just my $02. AND how we do it. Connect a serial cable to the console port of your routers/switches and then ssh into your debian server and use minicom. Larry At 11:05 AM 8/14/2001 -0700, ann kok wrote: Dear all I learnt that sniffer program can steal password and secure shell can prevent it But how do I do it in Cisco router? and Do I have any methods to prevent the sniffer program to my router and servers? TIA Cheers ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: Power down
That is a function of the bios. Some support it, some don't. Either your bios's don't support it (my suspicion) or shutdown isn't sending the signal. 'man shutdown' might have some useful insight. I'd also call the motherboard manufacturer to make sure they support self power off. Also check the bios config to see if it's there and/or enabled. At 07:22 PM 7/6/01 -1000, D wrote: Please excuse the simple question, but it's something that's been bothering me. I've been running various debian machines as servers for quite some time now. The problem started when I got two new servers. All of the other machines (excluding the two new ones) were on the older side ( = P2 ). The problem is that when I shut down the servers.. they don't turn off. It's particularly irritating to me because all of my servers run headless. With my older machines, I never gave a second thought to the shut down process as they'd always turn themselves off as soon they finished wrapping things up. The new ones just halt and stay on. To make things even worse.. the hard drives in the new machines are so quiet I can't tell if they've finished everything. Anyway, does this have something to do with newer power management stuff in the bios? Something changed in the debian configs? All I'd like is for the servers to turn themselves off at system halt like my old servers do. Thanks for your time ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: users bypassing shaper limitation
One possible way to defeat this would be to use those metal security chains that they use to keep people from carrying off computers. Use a very short one, about 2 long. Affix one side to the computer case, and the other to the ethernet cable. Now, even this can be overcome if the crafty hacker should bring an extension cable with them. But there is still one method that will prevent anyone from stealing cable ports. Enclose the CPU case in an outer steel case. That way the cable head isn't accessible to anyone, hence, they can't unplug it. The only way to defeat that lockup is to physically cut the cable and attach a new jack head. But if you need that kind of security, you're in sad shape. :) Do they make steel braided ethernet cables? :P At 03:07 PM 7/3/01 +0200, Holger Lubitz wrote: Jeff S Wheeler proclaimed: cards around. If I do not, they will grumble and/or disable the ethernet ports that unknown MAC addresses appear on. In some areas (e.g. student labs) they do that automatically so kids can't just bring their laptop in and hop on napster at 100Mbit. Easy. Disconnect any machine, set your MAC/IP-addresses to its addresses, connect your laptop. Don't know its addresses? Just sniff around on the port for a while, but make sure you keep quiet. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: users bypassing shaper limitation
My first choice is also what the other Chris said, use a large LART on the offending [computer|user]. You can use smart switches to base the ip on pre-authorized MAC addresses. That way you are effectively shaping based on MAC address. But in true hacker form, even that can be overcome. Some (most?) NIC's can have their MAC addresses set by software. So all some crafty luser has to do is change MAC addresses. The only sure fire way is to hard code the MAC and ip address into each port on a smart switch. That way even if they swap ethernet cables they won't be able to bypass the shaper, unless of course they know what MAC address the absconded cable goes with. :) At 12:07 PM 6/30/01 +0100, Karl E. Jorgensen wrote: On Sat, Jun 30, 2001 at 06:23:19AM +0200, Maurice Verhagen wrote: On Fri, 29 Jun 2001, anon wrote: my problem is that some local users are changing their own local ip numbers (like, 192.168.1.40 to 192.168.1.50) then bypassing the Traffic shaper bandwidth limitation. (that was set on 192.168.1.40) anyone know how can i prevent this ? This first that pops into mind is use DHCP and give a IP-lease to the machines in your local network based on the NIC's Mac address. I guess the only way out for the bad guys is to swap the NICs from another machine to get the same effect as changing the IPs now. Nope. DHCP does not prevent people from changing their IP addresses, it merely makes it marginally more difficult. Besides, the bad guys may choose not to use DHCP - this is entirely up to the config on the client machines. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: ATT public router
Revisiting traceroute.org, I see that they have a whole list of route servers. :) At 01:09 PM 6/27/01 +0200, Russell Coker wrote: Here's a machine that used to provide such a service, not sure if it still does: route-views.oregon-ix.net ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
ATT public router
A while back, ATT had a publicly accessible router for doing route lookups and stuff like that. It supposedly knew about the whole world. The special thing about this router was that you didn't need a user name or password to log on with. It just gave you the IOS prompt. I haven't been on this router for a long time and I can't remember the exact name of it. It was something like ip-router.att.net or route.world.att.net. Does anybody remember this thing and have the host name? Thanks. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: Ping - what the hell ?
I'm sorry, but ROFLMAO!!! At 05:18 PM 6/3/01 +0200, Przemyslaw Wegrzyn wrote: On Sat, 2 Jun 2001, Craig Sanders wrote: On Wed, May 30, 2001 at 09:41:54PM +0200, Przemyslaw Wegrzyn wrote: Anyway, my problem seems to be hardware: czajnik@earth:~$ more /proc/misc Segmentation fault czajnik@earth:~$ some possible causes: 1. bad memory - most likely. 2. bad swap partition (or bad disk controller causing the swap partition to not work) 3. other bad hardware 4. bad libc6 or other library - not very likely. It's solved, there were 2 reasons. Core dumps - hmmm, our admin borken the kernel by incorrectly patching it. Ping times - some stupid guy inserted two different CPUs PII 400 and 450. It's a miracle it was working all together... -=Czaj-nick=- ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: routing routable IPs over non-routable IPs
While we're on this subject, does anyone know what IANA plans to do with the vast number of reserved ip ranges? There are at least 75 reserved class A ranges that I don't know what they're reserved for. People are claiming we're running out of ip addresses but as far as I can see there's more than enough left for decades to come. At 09:28 PM 6/1/01 +0200, Marc Haber wrote: On Tue, 22 May 2001 08:00:01 +0200, Robert Waldner [EMAIL PROTECTED] wrote: On Tue, 22 May 2001 01:26:56 EDT, Chris Wagner writes: We should probably clarify non-routable by saying non-publicly routable. Well, we could also say RFC1918, couldn´t we ;-? I prefer to say site local which is both almost accurate and terse. This is not official terminology, but there is an RFC that calls the 169.254.0.0/16 link local, so site local seems fine. Greetings Marc ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: routing routable IPs over non-routable IPs
At 07:27 AM 5/21/01 +0200, Robert Waldner wrote: On Mon, 21 May 2001 13:46:14 +1000, Jeremy Lunn writes: I know this isn't Debian specific. But I'm just wondering if it's fine to route routable IP addresses over non-routable IP addresses. Yes, although many would consider it bad practice (I am an example), because you´ll face trouble when you have to debug something, and have non-routable IPs on some path. We should probably clarify non-routable by saying non-publicly routable. Routers have no concept of restricted ip ranges other than what is programmed into them. As long as you are debugging from a place that knows about your private ip's, there shouldn't be a problem. At GE we cross privates to go from public to public all the time. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: routing routable IPs over non-routable IPs
At 08:00 AM 5/22/01 +0200, Robert Waldner wrote: On Tue, 22 May 2001 01:26:56 EDT, Chris Wagner writes: We should probably clarify non-routable by saying non-publicly routable. Well, we could also say RFC1918, couldn´t we ;-? LOL - DNS, you´ll have to set up split DNS for your RFC1918- and external IPs I consider that to be good sense from a security standpoint regardless. - in Real Life, you sometimes _will_ have to debug from the outside of your network - in Real Life, someone else _will_ debug from the outside (and quite probably complain about the RFC1918-IPs or simply be fed up) Hehe, yeah I receive complaints from those people from time to time. :D But it's a moot point since the firewalls filter anything useful... ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100