Re: Sendmail Relay Problems

2001-08-16 Thread Larry Morrow

If you are using the latest and greatest, look for a line in your
sendmail.cf for

DaemonPortOptions

This tells sendmail which IP addresses and ports it should run on.

Make sure your configuration did not set this for.  :-)

Larry

Sorry Michael, for sending just to you the last time. :-(

At 04:49 PM 8/15/2001 -0400, Gene Grimm wrote:
If anyone can point me in the right direction, it would be appreciated. We
recently changed IP addresses in one of our facilities because of changes in
upline providers. Even after adding the new IP addresses to the sendmail
configurations (both with Linuxconf and manually) we get an error that we
cannot relay from the new addresses (in the remote facility). Does anyone
know what I may be missing?



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]






Re: I thought everyone would be interested in this

2000-12-26 Thread Larry Morrow

You are correct.  There is always a possibility of bugs.  I normally always log
to a different machine so I have a record of activity that cannot be erased.  My
logging server will not allow a telnet or other network connection, other than
syslog.

I normally connect from a hardwired serial connection to another system that
is not on the same network.  We can then review everything.

As I stated I have not had a chance to really review this, but the concept
is a good one and should be reviewed for implementation.  I will go through
it before January 1st and report back to the list my findings (evaluations only).

Larry

At 01:17 PM 12/23/2000 +1100, Jeremy Lunn wrote:
On Fri, Dec 22, 2000 at 11:41:23AM -0500, Larry Morrow wrote:
  I have not gone completely through the site to review it, but based on its
  stated purpose, it has great merit.  To answer your question, yes there
  is a point to running it on a firewalled box.  Information is key.  As a
  sysadmin you always want to be one step ahead of an attacker.  Just having
  certain ports closed is good, but also knowing when and who is attacking is
  better.

I like the idea of this thing but what happens if there's a bug in those
scripts that fakes the vulnerabilities?  Then couldn't it just be
vulnerable too?

--
Jeremy Lunn
Melbourne, Australia






Re: chroot

2000-12-26 Thread Larry Morrow

Have you tried adding the users you want to limit to the file /etc/ftpchroot?

Larry

At 04:23 PM 12/26/2000 +, Martin WHEELER wrote:
Can anyone on this list help me to get defined users logging in to be
automatically chrooted to a restricted area in the fs?  (/home/... )

Using wu-ftpd under 2.2r2 + KDE 2.0.1 does this for ftp logins, so I
know that chroot actually does work on this system -- but all my own
attempts to trigger the call from the passwd file, or from a script
triggered by the system passwd file pointing to a restricted-area
passwd file (set suid -- which I don't care for) result in failure of
various kinds -- can't run chroot; can't find /bin/bash (which? system
or restricted area?), etc.

Have never attempted this before, and am now at the end of my
own creative solutions -- so ...
Anyone been down this path already, with a set of working instructions
for a Debian installation?  (Maybe the way I'm trying to do it -- a la
Spafford & Garfinkel "/home/gaol/" model -- is all wrong; and man chroot
isn't giving me much help, either.  Nor the FTP mini-HOWTO.)

TIA
--
Martin Wheeler   -StarTEXT - Glastonbury - BA6 9PH - England
[1] [EMAIL PROTECTED]   http://www.startext.co.uk/






RE: I thought everyone would be interested in this

2000-12-22 Thread Larry Morrow

Hi All,

my $.02 :-)

I have not gone completely through the site to review it, but based on its
stated purpose, it has great merit.  To answer your question, yes there
is a point to running it on a firewalled box.  Information is key.  As a
sysadmin you always want to be one step ahead of an attacker.  Just having
certain ports closed is good, but also knowing when and who is attacking is
better.

Larry

At 09:11 AM 12/22/2000 -0400, Chris Mason wrote:
Is there any point in running this on a firewalled box? I have used
pmfirewall to configure IPCHAINS and almost all the ports are closed.

Chris Mason
Box 340, The Valley, Anguilla, British West Indies
Tel: 264 497 5670 Fax: 264 497 8463
USA Fax (561) 382-7771
Take a virtual tour of the island
http://net.ai/ The Anguilla Guide
Find out more about NetConcepts
www.netconcepts.ai
Talk to me in real time with Instant Messenger: [EMAIL PROTECTED]

-----Original Message-----
From: Dave Adams [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 22, 2000 7:47 AM
To: [EMAIL PROTECTED]
Subject: I thought everyone would be interested in this


Have any of you seen the Deception Tool Kit?

It's worth a read, very clever intrusion detection and hacker confusion, or
should i say nightmare ;-)

http://www.all.net/dtk/

let me know what you think of it, i'm going to put it on a couple of my
servers to try out.

Dave Adams
M-Web Zimbabwe






RE: Virtual Domain Solution

2000-07-09 Thread Larry Morrow
Hi All,

I (we) are writing some customized additions to Webmin for ISPs.  We should be
finished in about 2 weeks.  Send me a request if you want to be on the beta
trial and can commit to giving us some feedback so we can get it to release by
Aug 15.

Larry

At 06:38 PM 7/7/00 -0500, Ryan Hayle wrote:
Yes, that approach makes a lot of sense--what I was asking was whether some
such system exists already.  Unfortunately, I've also got to try to train
NT-monkeys to do this, and so I need some type of GUI or web interface,
which was why I was considering qmail, and the qmailadmin program.  I guess
I'm just looking for some simple solution to avoid having to write and do
all of this myself.  Definitely an area where Linux is lacking...perhaps it
is something I could work on--a Debian-specific solution of some kind.




Re: pppd problem, authentication doesn't seem to work.

2000-06-22 Thread Larry Morrow

Make the following change in /etc/pap-secrets

In /etc/ppp/pap-secrets and /etc/ppp/chap-secrets I have a line like so:

*          *   ""  *

username   *   ""  *

This file controls which users are able to dial-in with ppp.

The very first * is what has your system open.

Larry






Re: pppd problem, authentication doesn't seem to work.

2000-06-22 Thread Larry Morrow
Make the following change in /etc/pap-secrets

In /etc/ppp/pap-secrets and /etc/ppp/chap-secrets I have a line like so:

*          *   ""  *

username   *   ""  *

This file controls which users are able to dial-in with ppp.

The very first * is what has your system open.

Larry
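
An added example, not part of the original post: a small Python audit for files in the pap-secrets/chap-secrets layout that reports entries whose first (client) field is the bare `*` the post points to. The sample contents and the names `parse_secrets` and `audit` are constructed for illustration, and the column order (client, server, secret, IP addresses) is assumed from pppd's standard secrets format.

```python
import shlex
import sys

# Constructed sample in the pppd secrets layout: client  server  secret  [IP addresses].
# Line 3 is the wide-open entry from the post, line 4 the per-user form suggested there;
# "larry", "dial in" and the other values are made up for this example.
SAMPLE = '''\
# Secrets for authentication using PAP
# client      server  secret    IP addresses
*             *       ""        *
larry         *       ""        *
"dial in"     gw      s3cret    10.0.0.5
broken        *       "oops
'''


def parse_secrets(text):
    """Yield (lineno, fields) per entry; fields is None if the line cannot be tokenised."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            # shlex approximates pppd's word rules here: quoted words and "#" comments.
            fields = shlex.split(raw, comments=True)
        except ValueError:          # e.g. an unterminated quote
            yield lineno, None
            continue
        if fields:                  # skip blank and comment-only lines
            yield lineno, fields


def audit(text):
    """Return [(lineno, reason)] for entries that are malformed or match any client name."""
    findings = []
    for lineno, fields in parse_secrets(text):
        if fields is None or len(fields) < 3:
            findings.append((lineno, "malformed entry: need client, server and secret"))
            continue
        client, _server, secret = fields[:3]
        if client == "*":
            reason = "wildcard client: entry applies to every user name"
            if secret == "":
                reason += ', and the secret is empty ("")'
            findings.append((lineno, reason))
    return findings


if __name__ == "__main__":
    # With no argument, audit the constructed sample; otherwise audit the given file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for lineno, reason in audit(text):
        print(f"line {lineno}: {reason}")
```

Run against the sample, it reports line 3 (the wildcard entry) and line 6 (the unterminated quote), and leaves the per-user entry on line 4 alone.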




Re: SMB over public network

2000-06-14 Thread Larry Morrow
Hi,

Are you saying they want to use SAMBA across the Internet?
Samba is not designed for that.  Use the pptp client/server to
connect MS clients to your Linux server.  It is more reliable,
more secure and does not broadcast all the time using excess bandwidth.

Larry

At 08:58 AM 6/14/00 -0500, Gregory Wood wrote:
There is a 'host' file on the pc running Win9x. That is where you have to
enter your info so that you can attach to a remote network.

However, I have had customers who have tried that and would lose their
network connection. I believe it's a weakness in the MS client. Same
connection with Novell client fixed the problem. There may be 'retry'
options under MS that I never found.

You may want to try NFS. I was told that NFS was available for Windows but
never looked.

If you do get this to work reliably, I'd like to hear from you.

Greg Wood

*** REPLY SEPARATOR  ***

On 6/14/00 at 9:34 AM Technical Support wrote:

I have a client who wants to co-lo a server and has asked me to set it up.
The problem is that they want to use samba to share directories to remote
users at various locations NOT on the local network.

I know this is possible, but as of yet have been unsuccessful in getting
it to work. Set up is stock potato. Clients are Win9x via RoadRunner or
other cable systems.

TIA

-
Jaysen O'Dell 

   Oatka Data Solutions
Technical Support -- [EMAIL PROTECTED]

   AcornWorld Internet Services 
System Administrator [EMAIL PROTECTED]








Re: SMB over public network

2000-06-14 Thread Larry Morrow
Yes,  

Let me put together a configuration checklist.  We do this routinely.
But we do it on a customized version of Linux.  Let me look at
it on a stock Debian installation.

I will drop a note tomorrow as today will be quite full.

Larry

At 10:35 AM 6/14/00 -0400, Technical Support wrote:
Forgive the ignorance, but last essentially create a IP/IP tunnel to the 
linux box from the 98 client? Any configuration suggestions?

On Wed, Jun 14, 2000 at 10:27:58AM -0400, Larry Morrow wrote:
 Hi,
 
 Are you saying they want to use SAMBA across the Internet?
 Samba is not designed for that.  Use the pptp client/server to
 connect MS clients to your Linux server.  It is more reliable,
 more secure and does not broadcast all the time using excess 
 bandwidth.
 
 Larry
 
 At 08:58 AM 6/14/00 -0500, Gregory Wood wrote:
 There is a 'host' file on the pc running Win9x. That is where you have to
 enter your info so that you can attach to a remote network.
 
 However, I have had customers who have tried that and would lose their
 network connection. I believe it's a weakness in the MS client. Same
 connection with Novell client fixed the problem. There may be 'retry'
 options under MS that I never found.
 
 You may want to try NFS. I was told that NFS was available for Windows but
 never looked.
 
 If you do get this to work reliably, I'd like to hear from you.
 
 Greg Wood
 
 *** REPLY SEPARATOR  ***
 
 On 6/14/00 at 9:34 AM Technical Support wrote:
 
 I have a client who wants to co-lo a server and has asked me to set it up.
 The problem is that they want to use samba to share directories to remote
 users at various locations NOT on the local network.
 
 I know this is possible, but as of yet have been unsuccessful in getting
 it to work. Set up is stock potato. Clients are Win9x via RoadRunner or
 other cable systems.
 
 TIA
 
 -
 Jaysen O'Dell 
 
Oatka Data Solutions
 Technical Support -- [EMAIL PROTECTED]
 
AcornWorld Internet Services 
 System Administrator [EMAIL PROTECTED]
 
 

-- 
-
Jaysen O'Dell 

   Oatka Data Solutions
Technical Support -- [EMAIL PROTECTED]

   AcornWorld Internet Services 
System Administrator [EMAIL PROTECTED]






Re: Returned mail: User unknown (fwd)

2000-06-07 Thread Larry Morrow
If you are trying to run FULL DUPLEX 100BaseT make sure of your cables
and switch port settings.  Also I am not sure the CISCO router will run
FULL Duplex.

Larry

At 12:14 PM 6/7/00 -0400, Allen Ahoffman wrote:
Return-Path: MAILER-DAEMON
Received: from localhost (localhost)
   by announce.com (8.9.1/8.9.1) with internal id MAB25116;
   Wed, 7 Jun 2000 12:14:21 -0400
Date: Wed, 7 Jun 2000 12:14:21 -0400
From: Mail Delivery Subsystem [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
   boundary=MAB25116.960394461/announce.com
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)

The original message was received at Wed, 7 Jun 2000 12:14:21 -0400
from [EMAIL PROTECTED]

   - The following addresses had permanent fatal errors -
debian-isp.lists.debian.org

   - Transcript of session follows -
550 debian-isp.lists.debian.org... User unknown
Reporting-MTA: dns; announce.com
Arrival-Date: Wed, 7 Jun 2000 12:14:21 -0400

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.1.1
Last-Attempt-Date: Wed, 7 Jun 2000 12:14:21 -0400
Return-Path: ahoffman
Received: (from [EMAIL PROTECTED])
   by announce.com (8.9.1/8.9.1) id MAA25116
   for debian-isp.lists.debian.org; Wed, 7 Jun 2000 12:14:21 -0400
From: Allen Ahoffman ahoffman
Message-Id: [EMAIL PROTECTED]
Subject: icmp losses
To: debian-isp.lists.debian.org
Date: Wed, 7 Jun 100 12:14:21 -0400 (EDT)
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

question:
we have a cisco 7206, and a Samsung 10/100 managed switch.
the 7026 has a fastethernet 100MBPS port.
we are seeing losses of 1 to 8% when pinging the router.
I can't find errors in the router configs, it's set to full duplex 100mbps.
the switch  however doesn't show a full duplex light,
should I change the switch port and tell it to be full duplex?
I can ping cleanly thru the switch from host to host but host to router.
If I move the port for the router the losses follow
we see input errors and crc errors on the fastethernet0/0 port.
some giants also.






Re: grepping in ps output

2000-04-30 Thread Larry Morrow
Hi ,

Just use eax without the - for linux.

example for named

 ps eax | grep named | sed -e 's/^  *//' -e 's/ .*//'

Larry

At 12:18 AM 4/29/00 +0200, Paul van Empelen wrote:

Hi,

I am working on a bourne script that can restart services if they hang.
If the process does not respond, I want to kill and restart it, but I 
haven't found a good way to locate its process ID from the ps output. 
And not all processes use a /var/run/file.pid.  With the commands
ps ax | grep process, you sometimes see the 'grep process' in the output. 
That's not what I want.

The following command works pretty well on Solaris. Does anybody know
the Debian equivalent?

PID=`ps $PSOPTION | grep $SERVICE| sed -e 's/^  *//' -e 's/ .*//'`
(where $PSOPTION is -e for Solaris, and probably ax for Linux)

Thanks,

Paul.







Re: Ethernet card recommendations?

2000-04-05 Thread Larry Morrow
I second this.  Been using them at full blast for at least 8 months and not
one problem.

Larry


At 11:14 AM 4/5/00 +0200, you wrote:
 
 10/100, Full-duplex, PCI preferred (what else would you use in a serious
 server?).
maybe some kind of SUNs or DECs 100 NICs :)
but they are very expensive.
i'm using SMC1211TX, it's based on RTL8139 chipset and working fine in my
100mbit Cisco network but when the default ethernet driver (by Donald
Becker) is loaded then both the 10mbit and 100mbit LED is turned
permanently on, but communicating at 100mbit fullduplex.
so, SMC1211TX is a good choice for you!
NP.

--- The NEPTUN has you. 
1999(c)2000







Re: IP masquerading rules

2000-03-25 Thread Larry Morrow
Hi Jeremy,

You have to do some port forwarding on the Linux router.  Look for ipportfw
on your debian box.  If not search it out on the net and install it.

Look in the man pages and set up a rule that forwards things coming in
on port 80 to the internal webserver.

As far as ssh is concerned, if you want to connect to both the router and the
internal web server, you will have to forward another port on the router
to the ssh port on the internal webserver.

Basically you redirect from, let's say port 1717 on the router to port 22 on
the internal webserver.  Then when you connect to port 22 from the outside you
will connect to the router and when you connect to port 1717 you will be
redirected to ssh on the internal webserver.

Hope this all helps and not confuses the issue.

Larry

At 11:57 PM 3/24/00 -0800, Jeremy C. Reed wrote:
I am trying to setup a webserver that has only an internal (non-world) IP
of 10.2.1.235.

The router is a Debian 2.1 (with Linux 2.0.36 kernel) box. The Linux
router has:
  route add -net 10.2.1.0 netmask 255.255.255.0 eth1:0
  ifconfig eth1:0 10.2.1.1 netmask 255.255.255.0 up
(10.2.1.1 is the default gateway for the webserver.)

My workstation (which has a regular world-routeable IP) can ping
to the webserver through the Linux router. Plus it can browse webpages
served from the 10.2.1.235 webserver.

Also, from the workstation I can ssh into the webserver, but it takes over
a minute to complete, because the webserver has no access to any dns
server.  (It has no internet access.) 

When I do a:
  ipfwadm -F -a m -S 10.2.1.0/24 -D 0.0.0.0/0
on the Linux router, the webserver has access to the world. But then I can
no longer ssh to it from my workstation. I can also no longer get
webpages from it. I CAN still ping it. 

I guess this happens because now all packets coming from the 10.2.1.235
webserver are masqueraded as the Linux router's IP. I am not sure why the
ping packets from the webserver get back to me, but the ssh/http responses
never get back. (A new sshd never starts up.)

(Also, when I assign an additional regularly routed IP on the interface
on the webserver, I can access it via ssh, http, ping and it can access
the world fine. Even though I connect to it every time using the same
10.2.1.235 address, plus everything else is still the same. I do not even
use this new IP. This does not make sense to me!) 

1) How can I set it up so any of my internal machines which use the Linux
router can happily communicate with the webserver? In other words, how can
I setup some ipfwadm policy so that the router won't masquerade packets if
it is communicating from within our lan? 

2) How do I set it up so my router will route all (from the outside world)
traffic to one of its IPs to the 10.2.1.235 internal IP? 

If you have any specific URLs, I'd appreciate it. Thanks.

  Jeremy C. Reed

 BSD software, documentation, resources, news...
 http://bsd.reedmedia.net

