Re: phpBB vulnerability exploited

2005-01-11 Thread Lucas Albers

Francesco P. Lovergine said:

 I run apache using dchroot to avoid the most common problems.
 Breaking a chroot is possible, but not so easy and it's more
 difficult within dchroot which _should_ drop privileges properly AFAIK

Re: Legal aspects of greylisting in Europe

2004-12-06 Thread Lucas Albers

Christian Storch said:
 So I would assume storing the greylist-triple it's necessary (-1) for
 greylistd which is part of the mail server. You need to collect the
 greylist triples only until the mail has been received for the second
 and final time.
 After the first message would be accepted within(!) the open window of
 suggested 1 - 4 hours after initial trial it should be

I've gotten great results by:
greylisting only once a message scores over 6 in SpamAssassin, greylisting for
only 3 minutes, and whitelisting permanently after that.
This should block upwards of 90% of what you would block by greylisting
for 1-4 hours.
You will also delay a lot less legitimate email...
I measure about one user complaint per 60,000-80,000 emails.
So if I get more than 1 user complaint per 60,000, I lower my
thresholds so I block less spam, until my false-positive rate goes down.

-- 
--Luke http://www.rightnow.com


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
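The policy described in the post above (tempfail only messages SpamAssassin already finds suspicious, for a 3-minute window, then whitelist the triple for good, and watch the complaint rate against a budget of about one per 60,000), written out as a small Python model so the decision order is explicit. This is an added example, not code from the post or from greylistd/mimedefang; the triple definition (client IP, envelope sender, recipient), the 451 reply text, and the assumption that the SpamAssassin score is known before the message is accepted (as with a milter that scans the whole message) are mine.

```python
"""Score-gated greylisting: tempfail only messages SpamAssassin already
finds suspicious, for a short window, then whitelist the triple for good.

Added example, not code from the list post or from greylistd/mimedefang.
Assumption: the SA score is available before the message is accepted
(a mimedefang-style milter scans the whole message before replying).
"""
from dataclasses import dataclass, field

SA_GREYLIST_SCORE = 6.0          # greylist only above this SA score (from the post)
GREYLIST_SECONDS = 180           # 3-minute window (from the post)
COMPLAINTS_PER_MAIL = 1 / 60000  # tolerated false-positive rate (from the post)

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"   # assumed reply text
ACCEPT = "250 OK"


@dataclass
class Greylister:
    score_threshold: float = SA_GREYLIST_SCORE
    window: int = GREYLIST_SECONDS
    pending: dict = field(default_factory=dict)   # triple -> first-seen time
    whitelist: set = field(default_factory=set)   # triples that retried correctly

    def decide(self, client_ip, sender, rcpt, sa_score, now):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        triple = (client_ip, sender.lower(), rcpt.lower())
        # Clean-looking mail and known-good triples are never delayed.
        if triple in self.whitelist or sa_score <= self.score_threshold:
            return ACCEPT
        first = self.pending.get(triple)
        if first is None:
            self.pending[triple] = now
            return TEMPFAIL
        if now - first < self.window:
            return TEMPFAIL          # retried too soon; keep waiting
        # A real MTA retried after the delay: never greylist this triple again.
        del self.pending[triple]
        self.whitelist.add(triple)
        return ACCEPT

    def expire(self, now, max_age=4 * 3600):
        """Drop pending triples that never retried (spam bots rarely do)."""
        stale = [t for t, first in self.pending.items() if now - first > max_age]
        for t in stale:
            del self.pending[t]
        return len(stale)


def too_many_complaints(complaints, messages_filtered):
    """True when the observed false-positive rate exceeds the post's budget
    of about one user complaint per 60,000 messages; the post's response
    is to lower thresholds (block less) until the rate drops."""
    if messages_filtered == 0:
        return False
    return complaints / messages_filtered > COMPLAINTS_PER_MAIL


def demo():
    g = Greylister()
    t0 = 1_000_000
    # Constructed sample traffic, not real log data.
    r1 = g.decide("192.0.2.10", "bob@example.net", "alice@example.org", 7.5, t0)        # tempfail
    r2 = g.decide("192.0.2.10", "bob@example.net", "alice@example.org", 7.5, t0 + 60)   # still inside window
    r3 = g.decide("192.0.2.10", "bob@example.net", "alice@example.org", 7.5, t0 + 200)  # accepted, whitelisted
    r4 = g.decide("192.0.2.10", "bob@example.net", "alice@example.org", 9.0, t0 + 300)  # whitelisted now
    r5 = g.decide("198.51.100.7", "news@example.com", "alice@example.org", 2.1, t0)     # low score, never greylisted
    r6 = g.decide("203.0.113.5", "x@spam.example", "alice@example.org", 12.0, t0)       # bot: tempfail, never retries
    expired = g.expire(t0 + 5 * 3600)
    return [r1, r2, r3, r4, r5, r6], expired


if __name__ == "__main__":
    print(demo())
```

The whitelist is keyed on the full triple; a production implementation would also persist it and usually key the retry on the client's /24, since some large senders retry from a different host.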



Re: patch request

2004-09-20 Thread Lucas Albers
Christian Hammers said:
 Hello

 On 2004-09-17 Wieslaw wrote:
 I seek a patch which makes possible making virtual servers.

Debian supports this natively.
Search the debian archives.
apt-cache search vserver.
then subscribe to the vserver mailing list.
I've been using the debian vserver product for increased reliability,
easier administration, etc., on my production servers for 8 months or
so.
It makes system cloning much easier, and system setup easier, tested upgrades,
etc.
If for example you're running a software raid system, and a disk dies, just
rsync your vserver over, stop the existing vserver instance, and start
up the new vserver instance.
Total downtime, with full remote recovery, perhaps 30 seconds.
This has saved my bacon twice in the last few months.

I've been using the vserver+grsecurity 2.4.25 patch to include grsecurity
with the vserver product for increased security.
Never had a system crash on the 5 servers I've been running for a couple
of months, ever since 2.4.25 came out.
I say this is production quality stable, even under high loads, etc.
One of my vservers moves gigs of mail/ftp/proxy/apt traffic every day with
tons of users and it has trivial performance slowdown.
If you combine this with ha+drbd you can get an active/active HA cluster with
full failover, for automatic high availability clustering.
This is going to be my next alioth documentation project, assuming I work
on it for my job, which is the tentative plan.
(6 cluster HP drbd+ha+vserver+grsecurity active/active debian cluster)
Exciting!
Ask on the mailing list and read the web page for more help.
There is a lot of documentation on how to do this.


-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: patch request

2004-09-20 Thread Lucas Albers

Donovan Baarda said:
 See the  util-vserver, kernel-patch-ctx, and vserver-debiantools packages
 for details. I'm not sure how up-to-date the debs are though...

About a 2% performance slowdown versus a non-vserver setup.
Worth the performance slowdown, imo.
The debs are maintained pretty well, the bugs I file get fixed, and the
Debian devs are fast to put new versions up (but not too fast... these are
for production systems).



-- 
--Luke CS Sysadmin, Montana State University-Bozeman





sendmail error message not collected

2004-09-10 Thread Lucas Albers
I am trying to resolve an error message I am seeing on some mail passing
through my external mail server, running mimedefang 2.39 and sendmail
8.12.3 to our internal mail server.

Users are seeing the following message in their mailbox:
"No Message Collected"

It appears via the changelog from sendmail 8.11.0
as of 2000/07/19
http://www.sendmail.org/ftp/RELEASE_NOTES
this particular problem was fixed:

If a message data file can't be opened at delivery time, panic and
abort the attempt instead of delivering a message that
states "No Message Collected".


My questions:
Any idea how this could be occurring on 8.12.3?
This is the first I have seen of it, but I've seen it on 3 or more messages
in the last day.
The logfiles don't show any strange delivery error messages, so I am not
sure how to resolve it.
If you have ANY ideas, contact me on or off the list...thanks.

This particular machine has processed upwards of 1.2M messages without
problems, so I am at a loss to determine why this error has started
occurring.


-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: apt upgrade

2004-09-08 Thread Lucas Albers

Norbert Tretkowski said:
 * Ivan Adams wrote:
 My quiestion is how I can avoid that kind of problems when on some
 Debian I have that kind of apt scripts.

 Disable those kind of scripts, and use apt-cron to let you inform by
 mail when updates are available.
I'd also recommend running apt-cacher as you get:
fast local updates,
your packages are as current as the remote servers, you don't have to wait
to sync,
it uses less space than a full mirror,
and it saves lots of bandwidth for you and for the debian servers.

With 10 clients running off 1 apt-cacher server you should see 9/10
bandwidth savings.


-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: Boot on 'RAID 1' with 'LILO' and 'mdadm'

2004-09-08 Thread Lucas Albers

Arnt Karlsen said:
 ..play with this:
 #!/bin/sh
 /bin/cp -f /usr/share/grub/i386-pc/* /boot/grub
 /usr/sbin/grub --batch <<EOT >/dev/null 2>/dev/null
 # device (hd0) /dev/hda
 # device (hd1) /dev/hdc
 device (md0) /dev/md0
 root (md0,0)
 # setup (hd0) #installs onto /dev/hda
 # setup (hd1) #installs onto /dev/hdc
 setup (md0) #installs onto /dev/md0
 quit
 EOT
These are the commands to install grub on the system?
I am not too familiar with grub, I've always used lilo on my systems.
So the generalized fix for this particular situation is to use grub?

(I wrote the rootraiddoc.alioth.debian.org, and want to update it if
necessary.)


-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: How to get hpasm module on HP Proliant?

2004-08-20 Thread Lucas Albers
Try this mailing list, it talks about HP+Linux stuff:

To unsubscribe, e-mail: [EMAIL PROTECTED] with the phrase
unsubscribe
compaqandlinux in the message body
For additional commands, e-mail: [EMAIL PROTECTED] with the
phrase help
compaqandlinux in the message body
For the archives : http://www.van-dijk.netNOSPAM

I've been looking at solving these same sorts of problems.

We need a page for debian+hp solutions. I'm sure the information is out
there, as many debian machines run on hp hardware, but damn if I can track
it down to one logical location...
--Luke

Emmanuel Halbwachs said:
 Hello again,

 More on the HP Proliant ML350G3.

 It seems that to get a fully functional woody on Proliant, we need
 the hpasm kernel module. E. g. some colleagues reported that without
 it fans will be stuck at high speed. I suppose that there is no
 RAID disk failure logging either.

 These hpasm and a collection of other tools are supplied by HP
 only for supported distros (RH, SuSE, UL) in RPM format, tailored
 for these distros.

 The only tip I found about that is
 http://www.sk-tech.net/support/HPrpm2deb.sh.html
 As I understand, it is a script that does alien to have a .deb and
 then does some adaptations.

 Does anyone here running HP Proliant:

 - tested the above script?
 - succeeded in adapting the HP RPM stuff to woody?

 Any remarks welcome.

 Cheers,

 --
 Emmanuel Halbwachs  Labo. de Photonique et Nanostructures
 tel  : (+33)1 69 63 61 34 CNRS UPR 20
 fax  : (+33)1 69 63 60 06   Route de Nozay F 91460 Marcoussis





-- 
--Luke CS Sysadmin, Montana State University-Bozeman





run apt-get upgrade via ssh batch login doesn't work

2004-08-17 Thread Lucas Albers
I have a script that connects to all my machines and runs:
apt-get update.

If instead I run apt-get upgrade, it gives an error about:
Not being able to find the path, correctly.

dpkg: `ldconfig' not found on PATH.
dpkg: `start-stop-daemon' not found on PATH.
dpkg: `install-info' not found on PATH.
dpkg: `update-rc.d' not found on PATH.
dpkg: 4 expected program(s) not found on PATH.
NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.


How to set the path correctly for a batch run of an ssh login for an
apt-get upgrade?

If you connect to a machine with a command listed as part of the ssh
command it will connect non-interactively, run the command and exit
when the command completes.
like such:

ssh foo.example.com apt-get upgrade -y


-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: LILO Software RAID1 boot= raid-boot-extra

2004-08-03 Thread Lucas Albers
I have directions on grub and lilo config for software raid systems.
Switching to software raid from non-raid and setting lilo.conf and
grub.conf correctly.
This might help:

http://rootraiddoc.alioth.debian.org



-- 
--Luke CS Sysadmin, Montana State University-Bozeman





recent php security update

2004-07-30 Thread Lucas Albers
Are most people running php stable?
Or are you upgrading php to 4.3.8 from unstable?

I'm stuck running 4.3.4 because I needed better pear support, and am leery
of upgrading to 4.3.8 because stupidly enough it requires apache 1.3.31 as
part of the upgrade.
I was considering using the dotdeb backports, but have not yet decided.
Still looking at what to do.


-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: Cloning disks with dd and netcat

2004-07-29 Thread Lucas Albers

Giles Nunn said:
 Hi all,

 I tried the dd route to do exactly the same thing. I wanted to recreate
 a server or a variation of it quickly and easily. Eventually I gave up
 and used systemimager instead. It is quick and simple. It is based on
 rsync and it is in woody. I have it working using network boot and it
 takes ~3 minutes to boot, partition and install a complete base server -
 fully automatically. I am still playing with it as I want to script the
 autoconfig of multiple copies of a base server, but it works brilliantly
 for a simple clone as it is.

Why reinvent fire?
Systemimager works beautifully. I use it to deploy to a bunch of lab
computers, completely hands off via a bootable cd.
And I also use it to backup/restore my servers when and if an upgrade or system
goes bad.
I use the deb files from systemimager.org...
-- 
--Luke CS Sysadmin, Montana State University-Bozeman





acidlab configuration for portscan detection

2004-07-06 Thread Lucas Albers
I have been using snort-mysql with acidlab for intrusion monitoring of the
computers on my network.
It has been working great.

I've also been using bleedingsnort.org for some updated rule sets for
virus threats and similar.

I have been unable to configure the portscan detection to work correctly.

My software versions are:
snort-mysql:2.1.2-2
acidlab:0.9.6b20-2

Could someone please send me the configuration they used to get the
portscanning to work correctly?

I've played around with the examples and similar and am not sure why it is
not working correctly.

The open source book:
Bruce Perens' Open Source Series: Advanced IDS Techniques Using
Snort, Apache, MySQL, PHP, and acidlab
does not cover this.

my snort.conf file:

var HOME_NET [xx.xx.195.0/24,xx.xx.196.0/24,xx.xx.197.0/24,xx.xx.198.0/24,xx.xx.199.0/24]
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
preprocessor stream4: disable_evasion_alerts detect_scans
preprocessor stream4_reassemble
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor flow-portscan: talker-sliding-scale-factor 0.50 \
    talker-fixed-threshold 30 talker-sliding-threshold 30 \
    talker-sliding-window 20 talker-fixed-window 30 scoreboard-rows-talker 3 \
    server-watchnet $HOME_NET server-ignore-limit 200 server-rows 65535 \
    server-learning-time 14400 server-scanner-limit 4 scanner-sliding-window 20 \
    scanner-sliding-scale-factor 0.50 scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 scanner-fixed-window 15 scoreboard-rows-scanner 3 \
    src-ignore-net xx.xx.199.62 dst-ignore-net [xx.0.0.0/30] \
    alert-mode once output-mode msg tcp-penalties on
output log_tcpdump: snort.log
output database: log, mysql, user=xx password=xxx dbname=snort host=localhost
output database: alert, mysql, user=xx password=xxx dbname=snort host=localhost
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding.rules
include threshold.conf

-- 
--Luke CS Sysadmin, Montana State University-Bozeman



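To make the talker-fixed-threshold, talker-fixed-window, src-ignore-net/dst-ignore-net and alert-mode once knobs in the flow-portscan line of the snort.conf above concrete, here is a deliberately simplified detector in Python. It is an added illustration, not Snort's code and not a statement of how Snort 2.1.2 implements flow-portscan: it models only a count of distinct destination host/port pairs per source inside a fixed window, the ignore nets, and one alert per talker, and leaves out Snort's sliding windows, scoreboards, server learning and TCP penalties. The flow records and ignore nets are constructed.

```python
"""A minimal 'talker' portscan detector: alert once when one source touches
at least N distinct destination host/port pairs inside a fixed time window,
while skipping ignored source and destination networks.

Added illustration of the fixed-threshold / fixed-window / ignore-net idea
behind the flow-portscan line; not Snort's implementation.
"""
import ipaddress
from collections import defaultdict

TALKER_FIXED_THRESHOLD = 30    # same numbers as the posted config
TALKER_FIXED_WINDOW = 30       # seconds


class TalkerScanDetector:
    def __init__(self, threshold=TALKER_FIXED_THRESHOLD, window=TALKER_FIXED_WINDOW,
                 src_ignore=(), dst_ignore=()):
        self.threshold = threshold
        self.window = window
        self.src_ignore = [ipaddress.ip_network(n) for n in src_ignore]
        self.dst_ignore = [ipaddress.ip_network(n) for n in dst_ignore]
        self.events = defaultdict(list)   # src -> [(ts, (dst, dport)), ...]
        self.alerted = set()              # alert-mode once: one alert per talker

    @staticmethod
    def _in(nets, addr):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in nets)

    def observe(self, ts, src, dst, dport):
        """Feed one connection attempt; return an alert string or None."""
        if self._in(self.src_ignore, src) or self._in(self.dst_ignore, dst):
            return None                    # src-ignore-net / dst-ignore-net
        hist = self.events[src]
        hist.append((ts, (dst, dport)))
        # Keep only events inside the fixed window ending at ts.
        self.events[src] = hist = [e for e in hist if ts - e[0] <= self.window]
        distinct = {target for _, target in hist}
        if len(distinct) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return f"portscan talker {src}: {len(distinct)} targets in {self.window}s"
        return None


def run_demo():
    """Constructed flows, not captured traffic (RFC 5737 addresses)."""
    det = TalkerScanDetector(src_ignore=["198.51.100.62/32"], dst_ignore=["203.0.113.0/30"])
    alerts = []
    # Scanner: 40 ports on one host within 20 seconds -> exactly one alert.
    for i in range(40):
        a = det.observe(1000 + i * 0.5, "192.0.2.66", "10.0.195.10", 1 + i)
        if a:
            alerts.append(a)
    # Slow scanner: 40 ports spread over 400 seconds never fills a 30 s window.
    det2 = TalkerScanDetector()
    slow = [det2.observe(2000 + i * 10, "192.0.2.67", "10.0.195.10", 1 + i) for i in range(40)]
    # Ignored source scanning hard -> never alerts (the src-ignore-net case).
    ignored = [det.observe(3000 + i * 0.5, "198.51.100.62", "10.0.195.10", 1 + i) for i in range(40)]
    return alerts, [x for x in slow if x], [x for x in ignored if x]


if __name__ == "__main__":
    print(run_demo())
```

The slow-scanner case is the one to keep in mind when tuning: a fixed window only catches sources that exceed the threshold inside it, which is why Snort pairs the fixed thresholds with sliding ones.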


configure squid to cache sites

2004-07-06 Thread Lucas Albers
Thought I would share my squid configuration to allow caching of
windowsupdate/mcafee and similar for clients.
Needs ims config to work correctly.
Sure saves bandwidth, and vastly speeds up updates, for windows clients.
Not a transparent configuration.
http://www.mail-archive.com/debian-user@lists.debian.org/msg107772.html

-- 
--Luke CS Sysadmin, Montana State University-Bozeman






monitor hardware for failure on hp proliant servers.

2004-06-09 Thread Lucas Albers
I currently have 2 compaq systems:
1 running rhel3
hp proliant ml350
and the other debian3.0r2.
proliant ml 330.
I have been unable to find a consistent listing of where I can get the
software to do disk and various hardware monitoring on the system.

I am planning to purchase a rackmount,
DL360G3 6 cluster system, running debian 3.0r2.
What hardware monitoring tools are available:
I've only seen this so far:
http://starbreeze.knoware.nl/~spark/compaq/

I need something to monitor both systems similar to smartmontools, and
tell me if a disk fails.
Smartmontools won't work on the megaide raid system on the ml330.
What do you use for hardware monitoring for your hp proliant systems?






reject non-English email body messages

2004-05-26 Thread Lucas Albers
Would it break things to reject completely non-English messages?
That is, messages in which the body was completely non-English, for the
debian-isp mailing list?

This SA rule: UNWANTED_LANGUAGE_BODY

I realize we have posters posting from all over the world, but they are
all posting in English. And therefore it should not prevent any of them
from posting.


-- 
--Luke CS Sysadmin, Montana State University-Bozeman




Re: You can start saving now

2004-05-24 Thread Lucas Albers

Dale E Martin said:
 Perhaps SA would be better implemented in something else, but like
 everyone
 else says, memory is cheap.  Whatever makes the SA developers most
 effective is fine by me at this point.

As the other post mentioned, try SA+mimedefang if you need to run it on a
box with low amounts of memory. It should run faster and use less memory.
That is of course, only if it does not work well enough for you now...

In completely unrelated news 3.0 should have native plugin support for
dspam/crm114/bogofilter.
So you can run all the spam filters as plugins to SA.
That will definitely increase the load on SA.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman






Re: You can start saving now

2004-05-23 Thread Lucas Albers

Michelle Konzack said:
 I do not know about 'surbl' but which files are the same ?

 Why not renaming the binaries ?

 On the other side I had a very little program which check
 IP's with rbl but unfortunately I have lost it...

 I had a procmail recipe like for SA and it has marked the
 RBLed Messages...

Good day,
Surbl is a plugin for SA:
SURBL differs from most other RBLs in that it's used to block messages
based on the domain names in message body URIs (usually web sites), for
example those which have been previously reported to SpamCop. Some of the
recent domains are visible on SpamCop's Spamvertised sites page. So SURBL
is not used to block spam mail servers like most other RBLs; instead it
allows you to block messages based on spam domains that occur in the
message body.
http://www.surbl.org

I recompiled surbl with dh-make to generate a deb file from the perl
package. It replaces some SA files on the install.
So you need to use dpkg-divert if you wish to install surbl via deb.

I'm very conservative about customizing rules on my external mx, but
surbl has had 0 false positives over the past 30,000 mails it has marked
as spam, based on the additional score surbl provides SA.
The default scoring is 3.0, but I've moved it up to 7.0 on my external
mail relays.

I run my mail rejection at 10.5 on my external mail relay to minimize false
positives. It has raised my detected spam volume by a factor of 1/3.
From approximately 2000 to 3000 spam per day.
I recommend you try it out, using the default score of 3.0 and raise it
once you become comfortable with its accuracy.


-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: SOLVED Sendmail::Milter

2004-05-23 Thread Lucas Albers

Dirk Tamme said:
 The solution was to install mod_perl:

 cd /usr/local/src
 wget http://perl.apache.org/dist/mod.perl-1.0-current.tar.gz
 tar -xzf mod.perl-1.0-current.tar.gz
 cd /usr/local/src/mod_perl-1.29
 perl Makefile.PL NO_HTTPD=1
 make
 make install

Just install it from apt, via:
apt-cache search packagename
to find the package name.

or:

dh-make-perl --cpan --build CPAN_PACKAGENAME

Then do an install from apt based on the generated package name.
Or just install the generated deb file.

I install everything from deb now.
-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: You can start saving now

2004-05-18 Thread Lucas Albers
 Install spamassassin 2.63 which had filtered last
 night around 480 SPAMS from 78 Mailinglists...

and then enable surbl, and set it to score at 6.0.
Then submit the 1-10 spams that slip by per day to spamcop.
I just enabled surbl on my external debian mail relay, and it is grabbing
around 30% more spam with that surbl enabled.
I'll have to watch the logs to authoritatively state surbl is grabbing a
larger percentage of spam.

I just wish the 2.53 Debian SA had surbl as part of it.
I have to install sa, and then do a make install on surbl.
I tried to make the surbl package as a deb file but it conflicted with sa
files.
Obviously, because they provide the same files.


-- 
--Luke CS Sysadmin, Montana State University-Bozeman
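The SURBL mechanism described in the two "You can start saving now" posts above (domains taken from URIs in the message body, checked against a URI blocklist, the blocklist score added to the SpamAssassin total, rejection at 10.5, and the question of a 3.0 versus 7.0 SURBL score), as an added Python example. It is not code from the posts, from SpamAssassin or from SURBL: the in-memory set stands in for the real DNS lookup of <domain>.multi.surbl.org, the registered-domain reduction is a toy stand-in for the public-suffix handling a real client needs, and the sample messages and listed domains are constructed.

```python
"""SURBL-style check: pull domains out of URIs in a message body, look each
up in a URI blocklist, and add the blocklist score to the SpamAssassin total.

Added example, not code from the list posts, SpamAssassin or SURBL.
The blocklist below is an in-memory stand-in for the DNS zone; a real
client queries <domain>.multi.surbl.org and treats any A record as a hit.
"""
import re

# Constructed blocklist standing in for DNS lookups; not real listed domains.
LISTED = {"spamvertised.example", "pills.example"}

# Hostnames after http://, https:// or a bare www. prefix.
URI_RE = re.compile(r"(?:https?://|www\.)([A-Za-z0-9.-]+)", re.IGNORECASE)

# Assumption: a tiny stand-in for the public suffix list the real plugin uses.
TWO_LEVEL_TLDS = {"co.uk", "com.au", "org.uk"}


def registered_domain(host):
    """Reduce a hostname to the domain that would be listed: the last two
    labels, or three when the suffix itself has two labels (co.uk etc.)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def body_domains(body):
    """Sorted, de-duplicated registered domains found in body URIs."""
    return sorted({registered_domain(h) for h in URI_RE.findall(body)})


def surbl_listed(domain, listed=LISTED):
    # Real client: resolve f"{domain}.multi.surbl.org" (A record); any answer = listed.
    return domain in listed


def score_message(body, sa_score, surbl_score=7.0, reject_at=10.5):
    """Add the SURBL score once if any body domain is listed, then decide.
    Defaults follow the post: SURBL raised to 7.0, rejection at 10.5."""
    domains = body_domains(body)
    hits = [d for d in domains if surbl_listed(d)]
    total = sa_score + (surbl_score if hits else 0.0)
    return {"domains": domains, "hits": hits, "score": total,
            "action": "reject" if total >= reject_at else "accept"}


# Constructed sample messages, not real mail.
SPAM = "Cheap meds!! visit http://www.cheap.pills.example/buy?x=1 now"
HAM = "Minutes are at https://intranet.example.org/wiki/Minutes, see www.debian.org too"


def demo():
    # Same spam once with the 7.0 score from the post and once with the 3.0 default:
    # only the raised score pushes a borderline SA score of 4.0 over 10.5.
    return (score_message(SPAM, 4.0),
            score_message(HAM, 4.0),
            score_message(SPAM, 4.0, surbl_score=3.0))


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The third result is the point of the scoring discussion: with the default 3.0 a listed URI alone does not move a mid-scoring message past a 10.5 reject line, which is why the post's author raised it only after watching false positives for 30,000 messages.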




Re: You can start saving now

2004-05-18 Thread Lucas Albers

Rod Rodolico said:
 2) spamassassin uses some processing power, so I am only running it
 against unknown senders

What is your mail volume?
You really need a serious amount of mail for SA to bog down.
As you all realized, mail volume is relative.
From what I've seen you can handle 100-200K messages per day on a single
2-3GHZ mimedefang+sa box with no problem.
Then throw in greylisting if sa is slowing you down.
That should work well at reducing the number of messages you need to run
content-analysis on with sa.

Greylisting has worked well at blocking drive by spammers from one shot ip
addresses.
I've used it on my production servers with never a complaint.


-- 
--Luke CS Sysadmin, Montana State University-Bozeman




RE: LILO + boot raid1 (software)

2004-05-04 Thread Lucas Albers

Marek Bražina said:
 http://www.tldp.org/HOWTO/Boot+Root+Raid+LILO.html

 I always do it according to this howto and it works..

 Marek

I wrote this raid howto it might help.
http://rootraiddoc.alioth.debian.org
It has a section on lilo entries specific to raid.
I have not encountered your specific problem, before.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman




Re: debian on HP proliant

2004-04-22 Thread Lucas Albers

Nathan Eric Norman said:
  This is true, but d-i doesn't support booting off the SmartArray
  because the cciss driver is a module.  I already installed onto a
  DL360, but couldn't install a bootblock.

 Hu? I installed Woody (bf24) on a couple of DL380G3 without a hitch -
 the cciss works just fine and you can of course boot from it.
 The only special thing I do is to load the module for the installed
 NIC (Broadcom bcm57xx - tg3.o) so I can download a new kernel as soon as
 the base-system is installed...
We are planning to get some proliant DL380G2 systems.
With the HP Smart Array HP Smart Array 6402 controller.
You installed onto this system using sarge?
Or drivers disks with bf24?
I'm very interested in your setup steps.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: Sendmail::Milter

2004-04-22 Thread Lucas Albers
I've also had a lot of success using mimedefang on our external mail server.
It's easy to configure for any of your mail filtering needs.

Bojens, Kai said:
 I don't have a solution for your particular problem but i am using
 the milter interface via MIMEdefang which provides a nice way to
 use it via perl.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman





bonnie benchmarking

2004-04-22 Thread Lucas Albers
I've been unable to find some good numbers to use with the bonnie
benchmark program.
What is a good mix of values to benchmark against?
I'm trying to benchmark some software raid configurations on a production
server.
Could someone please post a starting point for bonnie benchmark runs they
use to test their typical server?
I looked on google and could not find any information on what to select as
a good starting point for bonnie benchmarking.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman







Re: debian on HP proliant

2004-04-15 Thread Lucas Albers
I really wish HP would get off their chairs and provide support for debian
installer for all their HP proliants.

HP to expand Debian Linux support (December 04, 2003)
http://www.infoworld.com/article/03/12/04/HNhpdebian_1.html

They haven't done anything to support debian.

They just need to make a driver disk for their systems.

They say they support debian, but they don't have __ANY__ debian install
disks for __ANY__ of their proliant systems on __ANY__ of their webpages.

It was a bitch to recompile support for raid on the ml-330 proliant system
I had.
Search the archives for my silly story.
Install Redhat, recompile kernel, install chroot debian...blah..blah...blah.

Christopher Sharp said:
 On Sat, 17 Jan 2004 16:11:26 +0100, Markus Oswald [EMAIL PROTECTED] wrote:

Having said that, the ProLiant ML330 come with an ATA-RAID which is
based on an LSI chipset (MegaIDE) which is not supported by Debian - the
only driver available is a half GNU, half closed-source driver.
Furthermore the drives attached to those IDE-Ports are not accessible as
normal IDE devices (i.e. /dev/hda) so you basically get a machine
without any usable IDE interface except for one which is attached to the
CD-ROM.
If you buy one of these machines you'll either have to use a model with
SCSI controller or install an extra IDE-controller.

 I got this booting in a lab with the on-board ATA-RAID using a bf2.4
 kernel some
 weeks ago (February).  I was using an HP DL320 server.  The only issue
 with the
 bf2.4 kernel was requiring a net module for the NIC which I managed to
 successfully extricate from the rpm and insmod.

 I'm now trying to do the same using the new debian-installer and testing
 distribution but notice that there's no megaide.o module/driver in the new
 three-floppy testing distribution.  I've got the shim source for the
 driver from
 LSI but having compiled it on another 2.4.25 testing box and copied it
 onto a
 floppy the module is refusing to insmod on my debian-installer box.

 Before I start building a custom debian-installer rescue floppy with a
 customised kernel including this module I wondered if anyone knew of a
 module
 floppy that might have a working LSI ATA-RAID kernel module on it.

 I can't believe I'd really need to install Woody using bf2.4 and then
 upgrade
 just to get an ATA-RAID driver!

 Thanks,

 C.





-- 
--Luke CS Sysadmin, Montana State University-Bozeman







Re: using hp proliant ml 330

2004-04-08 Thread Lucas Albers
I got it to work, but I was trying to make boot floppies so I could load the
drivers from the install cd, so I could install directly on it.
Could not find directions on this anywhere, or how to compile it
statically into the kernel.

Markus Oswald said:
 The Controller used in the ProLiant ML330 series is an IDE-RAID and most
 of the logic is not done by the controller but by the driver itself.
 So performance will probably suck...

My links refer to source to compile the drivers as a module.
It's gpl released.

 The controller will need proprietary drivers as AMI wants to protect
 their intellectual property - despite RAID0/1 being quite simple...

 As Lucas wrote, you CAN use it with Debian, but I would advise against
 it. Updating the kernel will be more work and you cannot even quickly
 recover your system with Knoppix (or something alike) because of the
 proprietary modules.

 We ditched our ML330 after a few days and replaced it with a DL380 - a
 little bit more expensive, but worth the money.

It seems to have good enough performance for us.
We are using it for a weather modeling website, which just requires mysql and php.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman




Re: Apache banner

2004-04-07 Thread Lucas Albers
you can turn it off with mod_rewrite so it does not show product type at all.
I couldn't get it to work, but you could do it.

Fraser Campbell said:
 the ServerSignature directive to switch it off.
   ServerSignature On
   ServerTokens Prod





using hp proliant ml 330

2004-04-07 Thread Lucas Albers
I recently received a hp proliant ml 330 which I installed redhat and then
debian linux on it.
It requires the megaide modules to see the raid disks correctly.
They can be compiled from source from this location (see below).

I could not determine how to compile them statically into the kernel,
or create driver disks for a bf24 install.

So I had to install redhat linux and then debootstrap into a debian
install, after I had recompiled the kernel and loaded the driver module
via initrd.

directions:

install redhat linux
boot machine
install debootstrap
install debian
download megaide kernel
http://www.stevehardy.info/
http://support.megaraid.com/support/dlresult.cfm
download 2.4.25 kernel
copy extra megaide directory to
/usr/src/linux/drivers/scsi
so it's a subdirectory of scsi.
edit makefile to include megaide section
config kernel,
make megaide include and cramfs,initrd ext3 scsis support.
compile megaide kernel
make dep bzImage megaide modules modules_install
install kernel
boot debian install.
configure debian





-- 
--Luke CS Sysadmin, Montana State University-Bozeman






Re: backup software: Legato's Networker, Veritas' NetBackup, or IBM's Tivoli?

2004-04-05 Thread Lucas Albers
How else is it going to have permissions to backup everything on the system?
The port is locked to a particular backup server...
So only that ip address can connect to that port.

we use legato to backup:
suse 8x,redhat 6x,7x clients,windows nt2k,xpwin2k clients.
sgi

Works great! We love it.
Have not used it for debian yet, but I think I just need to alienize the
package and play around with it.

Ed Thomson said:

 I didn't like Veritas' software at all -- it worked (moderately) under
 Linux by running as root and opening a port up.  There was little
 documentation at all, and absolutely nothing about its security.

 That scares me.

 -Ed

-- 
--Luke CS Sysadmin, Montana State University-Bozeman








Re: Sendmail access restrictions

2004-03-24 Thread Lucas Albers

Stephen Gran said:
 relay).  What I want to do is not accept mail unless it comes from one
 of a few IP's, or is authenticated.  Say the domain is foo.com, and this
 server's hostname is mail.foo.com.  It is not listed as an MX record, so
 no legitimate emails should ever arrive there, only spams and viruses
 and whatnot.  However, any mail that arrives for [EMAIL PROTECTED] is
 accepted, since sendmail knows that it _is_ mail.foo.com.  I want to
 reject these, and only accept mail that is authed, or coming in through
 one of the frontend machines.  I can't just do it with iptables, because
 of the roaming users.

This is trivial to do with mimedefang-sendmail.
I do it already.
You can also verify that all mail sent from your domain actually is from a
user that exists in your domain.
and mimedefang can use clam too!
-- 
--Luke CS Sysadmin, Montana State University-Bozeman








Re: Need help understand the development env (gcc, binutils etc)

2004-03-10 Thread Lucas Albers
Ole-Christian S. Hagenes said:
 So you see, it shows every package that is going to be installed and it
 shows that the mysql-doc package is sugested to. You might want that one
I usually do a debootstrap chroot build environment, so apache users don't
have access to any of the build tools.



-- 
--Luke CS Sysadmin, Montana State University-Bozeman








RE: How do you deploy a new system ?

2004-02-24 Thread Lucas Albers
I would deploy debian on more desktops, but the hardware detections is
just not up to par compared to fedora 1.
only 1 in 4 does it successfully detect and configure X.
I would like to replace my 140 boxes of redhat with debian, but the
hardware detection configuration is just not as good.
Systemimager works great for loading master images, but it still requires
hardware detection on bootup, as the machines differ.

Works great on my backend servers.
I am slowly migrating all of my redhat 7.x 9.x FC1 boxes to debian.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman





protecting mail server from DOS

2004-02-17 Thread Lucas Albers
Just recently I had my mail server swamped by a single virus machine that
kept resending a virus message, ignoring my 5xx rejection code.

Is it possible to block this via an iptables smtp max connection throttle
code?

How do you handle this?
Via iptables, or via qmail/postfix/exim/sendmail internal coding?

Does anyone else encounter this problem on a regular basis?
How do you solve this?


-- 
--Luke CS Sysadmin, Montana State University-Bozeman




protecting mail server from DOS

2004-02-16 Thread Lucas Albers
Just recently I had my mail server swamped by a single virus machine that
kept resending a virus message, ignoring my 5xx rejection code.

Is it possible to block this via an iptables smtp max connection throttle
code?

How do you handle this?
Via iptables, or via qmail/postfix/exim/sendmail internal coding?

Does anyone else encounter this problem on a regular basis?
How do you solve this?


-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: How do you manage Perl modules?

2004-02-06 Thread Lucas Albers

Angus D Madden said:

 Assuming you have a working cpan configuration, you can use dh-make-perl.

 dh-make-perl --cpan module

 I have used this before and it just worked.  ymmv.

I use mimedefang testing, spamassassin unstable, and kernel 2.4.23, on
my production external mx server.
Everything else is stable.
The only externally exposed service, sendmail, is stable.
I tried unstable sendmail, but TLS didn't work.
And I would not have timely updates.
(I was trying to resolve milter sock issues.)
Works great; using perl 5.8 instead of 5.6.1 is a much better choice for
mimedefang.
Use clamdscan instead of clamscan; I got the clamd from the clam site, in
deb format.
Clamdscan is approximately 200 times faster than running clamscan.

You also need to hack the mimedefang restart script, so it puts a 3 second
delay in a restart, otherwise the multiplexor will generate a socket error
on the restart.
I've spent literally hundreds of hours messing around with mimedefang on
redhat, and a lesser amount of time with debian since then.

You also want to run a swatch script to watch for milter errors, so it can
restart the process when it pukes.
I saw this approximately every 60-70 days on some boxes.

If you use the embedded multiplexor for mimedefang you MUST use perl 5.8.

I backported mimedefang from testing to stable, and it did not require any
change in the debian file. I just had to recompile the src on a woody box.



-- 
--Luke CS Sysadmin, Montana State University-Bozeman






Re: configure anomy sanitizer to drop not defang ?

2004-02-05 Thread Lucas Albers

Dan MacNeil said:

 anomy sanitizer works well with postfix, but as far as I can tell, it
 can't be configured to drop messages instead of defanging them.

 I plan to configure sanitizer to add a tag to bad messages and then use
 procmail to quarantine messages with that tag. Is there better way?

 Is there something that does what sanitizer, works with postfix and allows
 me to drop messages completely?

 Mimedefang seems ideal, but it only works with sendmail.

What's wrong with sendmail?
I use it with mimedefang, and it works awesome.
I can do spam filtering, greylisting, ptr-helo checking, virus scanning,
extension filtering, mimetype-filtering, zipfile extension blocking,etc.
The correct behavior with mimedefang is to generate a bounce for rejected
spam, and discard for detected viruses. This is all at the 5xx level.
You can also query internal mail servers/ldap servers to determine if an
account exists before accepting mail from that sender or recipient.
So you only accept mail from a sender, if that sender exists on one of
your internal systems.
My external mx is a debian sendmail 8.12.3, mimedefang 2.38 system and it
handles all department mail load fine.
-- 
--Luke CS Sysadmin, Montana State University-Bozeman




Re: debian-specific machine cloning

2004-01-23 Thread Lucas Albers
I use systemimager for complete image backups of machines.
You can upgrade a system completely remotely.
Has deb files.
And configure it so the network address is set for each machine.
I use it for 140 linux desktops.
I also use it for my servers, my primary webserver went down...so I
grabbed a new machine off the storage bin, plopped in the cd and voila I
had a complete copy up and running in 15 minutes.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman








sendmail configure for backup mx record.

2004-01-22 Thread Lucas Albers
I am working on setting up a backup mx mailer for domain.
It will be our first debian system we will be using for a main production
system.
I have read through the documentation, and it appears I have everything
configured correctly.
I am planning to set it up as a relay for an exchange server and a
sendmail server.  My original plan is to have it as a very high mx number
like 99 and just verify it appears to be working on the few MTA's that
attempt to relay through it.
Am I missing any additional items I need to configure to keep addresses
carrying over correctly to their destination machines?

I really appreciate any feedback you can give on items I might be
overlooking.
If you can think of ANYTHING I am overlooking, let me know.
As you well know, when the mailserver for 800 people stops working, people get
ugly.
I have read existing documentation on setting up a mail hub.
If you know of any documentation you think I might find useful, then let
me know.
Ignore additional security items such as:
dnsvalid/ipvalid,connection_throttle,bad_recip_throttle as I am aware of
them.

mailertable and sendmail.mc listed below:

/etc/mail/sendmail.mc generated using sendmailconfig in sendmail stable.
  divert(0)dnl
  #
  #   Copyright (c) 1998-2002 Richard Nelson.  All Rights Reserved.
  #
  #  This file is used to configure Sendmail for use with Debian systems.
  define(`_USE_ETC_MAIL_')dnl
  include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
  VERSIONID(`$Id: sendmail.mc, v 8.12.3-6.6 2003-09-17 18:35:09 cowboy Exp $')
  OSTYPE(`debian')dnl
  DOMAIN(`debian-mta')dnl
  LOCAL_CONFIG
  FEATURE(`nocanonify')dnl
  LOCAL_CONFIG
  Cwtraffic.cs.montana.edu
  FEATURE(`use_cw_file')dnl
  FEATURE(`use_ct_file')dnl
  FEATURE(`nouucp', `reject')dnl
  FEATURE(`mailertable')dnl
  FEATURE(`smrsh')dnl
  FEATURE(`mailertable')dnl
  INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m')
  include(`/etc/mail/dialup.m4')dnl
  include(`/etc/mail/provider.m4')dnl
  MAILER_DEFINITIONS
  MAILER(local)dnl
  MAILER(smtp)dnl

  LOCAL_CONFIG
  ## Custom configurations below (will be preserved)
  include(`/etc/mail/tls/starttls.m4')dnl
  define(`confLOG_LEVEL',`13')dnl
  dnl relay_hosts_only is a FEATURE, not an m4 define; a define() here has no effect
  FEATURE(`relay_hosts_only')dnl

I have configured mailertable entries:
FEATURE(`mailertable')dnl
FEATURE(`relay_hosts_only')dnl

/etc/mail/mailertable
xxx.montana.edu   esmtp:[xxx.montana.edu]
xxx.montana.edu  esmtp:[xxx.coe.montana.edu]

/etc/mail/relay-domains
xxx.montana.edu
xxx.montana.edu

-- 
--Luke CS Sysadmin, Montana State University-Bozeman








Re: shell access exploits (was Re: upgrading to MySQL 4 on woody)

2004-01-20 Thread Lucas Albers
I'm no expert.
I run chkrootkit on a regular basis.
Run a virus scanner; it will find some exploits.
McAfee found a few rootkits and known kernel exploits.
I use mcafee for linux.
Analyze history files for certain keywords.
The best way would be to analyze command frequency in history files and
look for infrequently occurring commands that are good indications of hack
attempts.
Look at anyone running command: uname -a

Install grsecurity, and laugh at the attempts to do buffer overruns.
Enable grsecurity acl subsystem and continue laughing.
Analyze login frequency, what country are they logging in from?
Have they logged in from this address before?
Analyze login time, 2-6am is when most exploits occur.
Look at tripwire or sash logs. (still use tripwire have not learned how to
use sash)
Look at when root logs in.
Check for processes initiating outgoing connections, hackers love to wget
their files.
Check for process using a lot of memory or processor time.

Jason Lim said:


 One of my hats is a junior sys admin in an academic environment. I'm
 curious as to how you know when shell users are trying to exploit a
 kernel
 hole.

 chkrootkit?





-- 
--Luke CS Sysadmin, Montana State University-Bozeman
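The checks listed in this reply (rarely used fingerprinting and download commands in history files, logins between 2 and 6 am, logins from an address the user has not used before, root logins) as an added example in Python; this is not code from the post, and the history and login records in it are constructed samples.

```python
"""Added example (not code from the original post): score shell-account
activity with the heuristics listed above -- suspect commands that are rare
for a given user (uname -a, wget, gcc ...), logins between 02:00 and 06:00,
logins from a source address the user has not used before, and any root
login. HISTORY and LOGINS below are constructed samples."""
from collections import Counter
from datetime import datetime

# Commands that are normal in isolation but, when rare for a given user,
# match the pattern of fingerprinting a kernel and fetching/building code.
SUSPECT_COMMANDS = {"uname", "wget", "curl", "gcc", "cc", "insmod", "modprobe"}

# Constructed ~/.bash_history contents: (user, command line).
HISTORY = [
    ("alice", "ls -la"), ("alice", "cd src"), ("alice", "vim main.c"),
    ("alice", "make"), ("alice", "ls"), ("alice", "uname -a"),
    ("alice", "wget http://example.invalid/x.tgz"), ("alice", "tar xzf x.tgz"),
    ("alice", "gcc -o x x.c"), ("alice", "./x"),
    ("bob", "ls"), ("bob", "cd work"), ("bob", "pine"), ("bob", "ls -la"),
]

# Constructed login records (as extracted from wtmp or auth.log):
# (user, source ip, timestamp), in chronological order.
LOGINS = [
    ("alice", "192.0.2.10", "2004-01-14 09:12:00"),
    ("alice", "192.0.2.10", "2004-01-15 10:02:00"),
    ("bob", "192.0.2.22", "2004-01-19 14:00:00"),
    ("alice", "198.51.100.77", "2004-01-20 03:41:00"),
    ("root", "198.51.100.77", "2004-01-20 03:52:00"),
]


def command_name(line):
    """First token of a history line, skipping common wrapper prefixes."""
    tokens = line.split()
    while tokens and tokens[0] in ("sudo", "env", "nice", "nohup"):
        tokens = tokens[1:]
    return tokens[0] if tokens else ""


def suspicious_commands(history, user, max_share=0.10):
    """Suspect commands whose share of the user's history is at most max_share.
    Frequent use (a developer running gcc all day) is deliberately not flagged."""
    counts = Counter(command_name(cmd) for u, cmd in history if u == user)
    total = sum(counts.values())
    return sorted(cmd for cmd, n in counts.items()
                  if cmd in SUSPECT_COMMANDS and n / total <= max_share)


def suspicious_logins(logins, night_hours=(2, 6)):
    """Flag night logins, first-time source addresses and root logins.
    Returns a list of (user, ip, timestamp, [reasons]) in log order."""
    seen = {}  # user -> set of source addresses seen so far
    flagged = []
    for user, ip, ts in logins:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        reasons = []
        if night_hours[0] <= when.hour < night_hours[1]:
            reasons.append("night-login")
        known = seen.setdefault(user, set())
        # the very first login we have for a user is not "new" in a useful sense
        if known and ip not in known:
            reasons.append("new-source-ip")
        known.add(ip)
        if user == "root":
            reasons.append("root-login")
        if reasons:
            flagged.append((user, ip, ts, reasons))
    return flagged


def report(history, logins):
    """Combine both checks into one dict keyed by user; quiet users are omitted."""
    users = sorted({u for u, _ in history} | {u for u, _, _ in logins})
    out = {}
    for user in users:
        cmds = suspicious_commands(history, user)
        logs = [f for f in suspicious_logins(logins) if f[0] == user]
        if cmds or logs:
            out[user] = {"commands": cmds, "logins": logs}
    return out


if __name__ == "__main__":
    for user, findings in report(HISTORY, LOGINS).items():
        print(user, findings)
```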








Re: upgrading to MySQL 4 on woody

2004-01-19 Thread Lucas Albers

Rod Rodolico said:

 Becoming a firm believer that you CAN have it all, stability and the
 latest packages :)

 There are other places to get backports, BTW. This one works for me.

Rod,
Yes I agree with your statements.
Thanks for the link I'll use it on one of my systems...

But you don't explicitly have security, you have the testing delay for
security updates, combined with the propagation time to backports from
testing.

I'm still leery of using testing for any publicly exposed service, or for
machines with shell access.
I have at most a week from a known kernel exploit to when one of my users
tries to exploit via shell access.

--Luke CS Sysadmin, Montana State University-Bozeman








Re: debian on HP proliant

2004-01-16 Thread Lucas Albers
I am exposing another machine as http mirror, and am trying to secure it.
Done with iptables.
configured portsentry to auto-block portscans.

How to block TRACE in apache?
I believe you do it with a rewriting rule like this, but it does not work.
<IfModule mod_rewrite.c>
    # security changes
    # RewriteEngine defaults to Off; without this line the rules below are ignored
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</IfModule>

How to restrict ALL product information?
I want to leak no webserver/os information, I've already configured:

ServerTokens ProductOnly

Anyone have a rule to restrict this via mod_rewrite or similar?

I have also been trying to prevent DOS attacks.
I used mod_throttle on the webserver but it had severe performance
problems. It just slowed the webserver down drastically.

What iptables rules or scripts have you used to prevent DOS on the webserver?
I would be very interested in hearing how others do this.

For example last week I was being trawled by 20 bots from one of the
search engines. If I had an iptables throttle on simultaneous connections
or similar I would not have had problems.

6 weeks ago I had a user publish a movie file that maxed out my webserver
at 256 simultaneous connections and was using 40 megs of traffic a second.
This used up 2/3rds of our network bandwidth, and prevented anyone else
from viewing webpages on our webserver.
Our webserver kept working...joy joy.
Any ideas on how to prevent this particular DOS?
Any scripts you use?
Thanks.
-- 
--Luke CS Sysadmin, Montana State University-Bozeman
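Added example, not from this thread: the two overload patterns described above (a crawler swarm and one huge file eating the bandwidth), plus a TRACE that still gets answered, detected from Apache access-log lines in Python. The log lines, addresses, paths and the window/threshold values are constructed for the demo; the per-source request count is the log-side view of the connection throttle the post asks about.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')
def parse_line(line):
    """Apache common/combined log line -> dict, or None when it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    return e

def request_bursts(entries, window_s=60, threshold=10):
    """Clients with more than `threshold` requests inside any `window_s` window."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    hot = {}
    for ip, times in by_ip.items():
        times.sort()
        lo = peak = 0
        for hi, t in enumerate(times):  # two-pointer sliding window over sorted times
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            hot[ip] = peak
    return hot

def bandwidth_hogs(entries, share=0.5):
    """Paths that served more than `share` of all bytes (the runaway movie file)."""
    per_path = defaultdict(int)
    for e in entries:
        per_path[e["path"]] += e["bytes"]
    total = sum(per_path.values()) or 1
    return {p: b / total for p, b in per_path.items() if b / total > share}
def trace_answered(entries):
    """Clients whose TRACE got a 2xx, i.e. the TRACE-blocking rule is not in effect."""
    return [e["ip"] for e in entries if e["method"] == "TRACE" and e["status"][0] == "2"]
def sample_log():
    """Constructed, not real traffic: 20 crawlers x 15 hits in a minute, a 40 MB movie, a TRACE."""
    ts = "[16/Jan/2004:10:%02d:%02d -0700]"
    lines = [f'10.0.{b}.1 - - {ts % (0, 4 * n)} "GET /p{n}.html HTTP/1.0" 200 2048' for b in range(20) for n in range(15)]
    lines += [f'192.0.2.7 - - {ts % (1, n)} "GET /movie.avi HTTP/1.0" 200 40000000' for n in range(3)]
    lines.append(f'198.51.100.9 - - {ts % (2, 0)} "TRACE / HTTP/1.0" 200 0')
    return lines
```

Feed a real access_log through `parse_line` line by line and the same three functions give you the crawler addresses to rate-limit, the file to throttle, and whether the TRACE block actually took effect.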





secure apache webserver

2004-01-16 Thread Lucas Albers
I accidentally posted this with the last message I was replying to...
so reposting... I apologize for the mistake.
Lucas Albers said:
 I am exposing another machine as an http mirror, and am trying to secure it.
 Done with iptables.
 Configured portsentry to auto-block portscans.

 How to block TRACE in apache?
 I believe you do it with a rewrite rule like this, but it does not work.
 <IfModule mod_rewrite.c>
 # security changes: refuse TRACE with a 403 (the rules only apply once the engine is on)
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} ^TRACE
 RewriteRule .* - [F]
 </IfModule>

 How to restrict ALL product information?
 I want to leak no webserver/os information, I've already configured:

 ServerTokens ProductOnly

 Anyone have a rule to restrict this via mod_rewrite or similar?

 I have also been trying to prevent DOS attacks.
 I used mod_throttle on the webserver but it had severe performance
 problems. It just slowed the webserver down drastically.

 What iptables rules or scripts have you used to prevent DOS on the
 webserver?
 I would be very interested in hearing how others do this.

 For example last week I was being trawled by 20 bots from one of the
 search engines. If I had an iptables throttle on simultaneous connections
 or similar I would not have had problems.

 6 weeks ago I had a user publish a movie file that maxed out my webserver
 at 256 simultaneous connections and was using 40 megs of traffic a second.
 This used up 2/3rds of our network bandwidth, and prevented anyone else
 from viewing webpages on our webserver.
 Our webserver kept working...joy joy.
 Any ideas on how to prevent this particular DOS?
 Any scripts you use?
 Thanks.
 --
 --Luke CS Sysadmin, Montana State University-Bozeman



-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: Considering Debian (currently using Red Hat)

2004-01-16 Thread Lucas Albers

Matt Wehland said:
 So you just install a stable system, keep up with the security updates,
 build
 your own local repository (plenty of ways to do this) and build the few
 packages that you need newer versions of.
 This is what I am doing (just got apt-proxy working and it's great).
 This gives you a known secure system, and all you have to keep an eye on
 is
 security advisories that affect the packages you have built yourself.
 I keep my servers on stable, and run my workstations on testing.
I have recently started the process of switching my computers from Red Hat
to Debian.
I would very much appreciate step-by-step directions for creating a local
repository for redistribution of kernel packages and locally built
packages.

I ran across basic directions on setting up a mirror, but nothing about
Debianizing a package, if you just want it for a local package.
e.g., you don't need the full steps, just enough to convert a tar.gz file to
a .deb file.

I run the 2.4.23+ kernels on my servers as they support the newest
hardware. I don't run stable because they don't have drivers for my newer
network card. I also recompile my kernel with the grsecurity security patches.
I am currently only running 4 Debian boxes, but I have yet to encounter a
single kernel crash.


-- 
--Luke CS Sysadmin, Montana State University-Bozeman





implementing software raid on server

2004-01-16 Thread Lucas Albers
I created directions on converting a system to run its root on software
RAID. This doc will be included in the next mdadm software RAID tools
release.
This can be done completely remotely with no loss of data
(assuming you have an extra disk just sitting in a remote computer).
I thought I would mention this as software RAID, or any redundancy, is
important for servers.
http://www.cs.montana.edu/faq/faqw.admin.py?query=debian+software+raidquerytype=allkeywordscasefold=yesreq=search
Please let me know if you find any errors and I will correct them.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: Considering Debian (currently using Red Hat)

2004-01-16 Thread Lucas Albers

Robert Waldner said:
 Another advantage is that there's no integrated admin-tool which
  will destroy your precious hand-crafted config files, no yast or
  suseconfig or somesuch. The downside to that is that you have to
  know how to use an editor, of course, and there's mostly no setup
  wizards to guide you. Packages do, of course, come with mostly
  sensible (and secure) default configs, though. Should an upgrade have
  the necessity to change a config-file, it'll ask you if you want it to
  (it can also show you a diff first) or not.

I really like the config tools it has:
dpkg-reconfigure sendmail or sendmailconfig,
or dpkg-reconfigure snort.

I like the config tools better than Red Hat's, very cool.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman





Re: Attempts to poison bayesian systems

2003-12-23 Thread Lucas Albers

Russell Coker said:
 Also it makes it slightly more difficult for good filters to catch the
 spam,
 but at the cost of making the spam less effective.

 Guys who will get their credit card out when reading a clear message
 offering
 to double their penis size probably won't do so if the penis message is
 mixed
 in with Shakespeare...

I have played around a LOT with SpamAssassin filtering, and you can
significantly raise your SA score by adding in extra checks.
Custom CF rules: look at the evilrules (search Google) for great rules on
catching garbage HTML obfuscation.
I have a 10,000 line custom local cf file.

Razor+Pyzor+Dcc Checks: Adding in network checks will raise your score.
Use the newest version of SA; it has significantly increased the bayes score.
Stateful analysis of normal message traffic.
I use mimedefang+sendmail+SA which allows me to do a more thorough
analysis of message traffic considering all the components of the traffic,
compared to just SA.

Look up greylisting for some more ideas on blocking email.
I also use greylisting, and it has cut my spam volume, and mail server
utilization as I can reject before content analysis.

To defeat bayes poisoning you need to determine if bayes poisoning has
occurred by analyzing letter frequency in the first 400 bytes and last 400
bytes of the email. (From SA developers' comments.)

You can determine the normal letter frequency, which letters come before
and after each other, and how often. Then you can detect when this is not
occurring, which indicates bayes poisoning.
I believe this is a future feature of SA.

-- 
--Luke CS Sysadmin, Montana State University-Bozeman
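As an added example (not from the list, and not how SpamAssassin implements it), the letter-pair check described in the post: learn which characters follow which in normal mail, then score the first and last N characters of a message against the body between them. The corpus, the two messages, the random-letter padding and the 0.75 margin are all constructed for the demo.

```python
import math
from collections import Counter

def bigram_model(text):
    """Pair statistics of normal mail: how often each character follows each other."""
    text = text.lower()
    return Counter(zip(text, text[1:])), Counter(text[:-1]), len(set(text)) + 1

def per_char_loglik(model, segment):
    """Mean log P(next char | previous char) under the model; add-one smoothing keeps
    pairs never seen in normal mail unlikely rather than impossible."""
    pairs, firsts, vocab = model
    segment = segment.lower()
    if len(segment) < 2:
        return 0.0
    total = sum(math.log((pairs[(a, b)] + 1) / (firsts[a] + vocab))
                for a, b in zip(segment, segment[1:]))
    return total / (len(segment) - 1)

def poison_report(model, message, head=400, tail=400, margin=0.75):
    """Score the first `head` and last `tail` characters against the body between them.
    Returns (flagged, head_ll, body_ll, tail_ll); flagged when an edge reads much less
    like normal text than the body does, which is what front/back padding looks like."""
    body = message[head:len(message) - tail]
    if len(body) < 50:  # too short to separate padding from payload
        return False, 0.0, 0.0, 0.0
    h, b, t = (per_char_loglik(model, s) for s in (message[:head], body, message[-tail:]))
    return (b - h > margin) or (b - t > margin), h, b, t

# Constructed stand-ins, not real mail: a tiny "normal" corpus to learn from, ordinary
# chatter, a payload, and random letter padding of the kind used to drown the payload.
CORPUS = ("hi all, the report for the meeting is attached. please review the numbers "
          "before friday and let me know if anything looks wrong. thanks for your help "
          "with the server move last week, the new machine is running fine and the "
          "backups finished on time. i will send the updated schedule on monday.")
CHATTER = ("the meeting moved to monday, please review the attached report and let me "
           "know if the numbers look wrong. ") * 2
PAYLOAD = ("thanks for the help with the server move last week, the backups finished "
           "fine and the new machine is running on time. ") * 3
JUNK = "q x z j " * 27

def demo(head=200, tail=200):
    """Both messages carry the same payload; only the padded one should be flagged.
    The edges are 200 characters here because the samples are short; the post says 400."""
    model = bigram_model(CORPUS)
    return (poison_report(model, CHATTER + PAYLOAD + CHATTER, head, tail),
            poison_report(model, JUNK + PAYLOAD + JUNK, head, tail))
```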




