Re: Fwd: iptables and networking

2013-06-30 Thread Kushal Kumaran
Jerry Stuckle  writes:

>> 
>
> OK, that makes a lot of sense.  However, there are two problems with 
> fail2ban, also.  The first one is it requires an authentication failure. 
>   Port probing will not trigger it (but recent can).  The second being 
> it depends on log entries, which can be buffered.  I have it monitoring 
> my email (smtp/imap/pop3) ports.  Even though it is set to trigger after 
> two failures, I have seen as many as 50+ failures logged from the same 
> ip address within seconds before fail2ban is triggered.
>

To address your first problem with fail2ban, the sshd-ddos filter for
fail2ban does not require authentication failures.  sshd will log a
message of the form "Did not receive identification string from " if
someone makes a TCP connection and then disconnects without going
through the SSH handshake.

> I'm not so worried about SYN attacks from spoofed IP addresses as I am 
> attempts to break in (despite several security measures).  I want to 
> shut them off ASAP.
>
-- 
regards,
kushal


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51d11e9f.e4d8420a.7b72.2...@mx.google.com
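Added example, not part of Kushal's message and not copied from fail2ban's own filter.d files: a small Python scanner that applies the two kinds of pattern discussed in this thread, an auth-failure regex of the sort the sshd filter uses and a regex for sshd's "Did not receive identification string from" line that the sshd-ddos filter keys on, with fail2ban-style maxretry/findtime counting per source address. The regexes, thresholds, sample log lines and the ban command string are this example's own assumptions, constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns written for this example, modelled on what fail2ban's sshd and
# sshd-ddos filters look for (not copied from fail2ban).
AUTH_FAIL = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
PREAUTH_DISCONNECT = re.compile(
    r"Did not receive identification string from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Jun 30 10:00:01 mx sshd[1201]: Did not receive identification string from 198.51.100.7
Jun 30 10:00:02 mx sshd[1202]: Did not receive identification string from 198.51.100.7
Jun 30 10:00:03 mx sshd[1203]: Did not receive identification string from 198.51.100.7
Jun 30 10:00:05 mx sshd[1204]: Failed password for invalid user admin from 203.0.113.9 port 51021 ssh2
Jun 30 10:00:06 mx sshd[1205]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jun 30 10:00:30 mx sshd[1206]: Accepted publickey for kushal from 192.0.2.5 port 40000 ssh2
Jun 30 10:20:00 mx sshd[1207]: Did not receive identification string from 198.51.100.8
"""


def parse_ts(line, year=2013):
    # syslog timestamps carry no year; the year is an assumption of this example
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=2, findtime=timedelta(minutes=10)):
    """Return {ip: jail} for every address that reaches maxretry hits of one
    jail's pattern within findtime. The two jails count independently, as two
    fail2ban jails on the same log would."""
    hits = defaultdict(list)   # (jail, ip) -> timestamps still inside findtime
    banned = {}
    for line in log_text.splitlines():
        for jail, rx in (("auth", AUTH_FAIL), ("ddos", PREAUTH_DISCONNECT)):
            m = rx.search(line)
            if not m:
                continue
            ip, ts = m.group("ip"), parse_ts(line)
            recent = [t for t in hits[(jail, ip)] if ts - t <= findtime] + [ts]
            hits[(jail, ip)] = recent
            if len(recent) >= maxretry and ip not in banned:
                banned[ip] = jail
    return banned


def ban_command(ip):
    """The kind of rule a ban action ends up inserting (hypothetical form)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, jail in scan(SAMPLE_LOG).items():
        print(f"{jail}: {ban_command(ip)}")
```

Two things this makes visible: the pre-auth disconnect pattern bans 198.51.100.7 without any login attempt, which is the gap Jerry describes; and the scan only sees lines once they are in the text it reads, so if syslog or the daemon buffers writes, an attacker gets however many attempts land before the flush, not maxretry, regardless of the threshold.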



Re: trouble formatting 3TB Seagate external HDrives. need help

2013-06-30 Thread Kushal Kumaran
Chris Bannister  writes:

> On Fri, Jun 28, 2013 at 10:24:33PM +, Hendrik Boom wrote:
>> What I do for every new disk before I use it is an exhaustive read/write 
>> check with badblocks.  It reads and writes every block multiple times 
>> with various bitpatterns and random bitpatterns, and check that they can 
>> be  read correctly.
>> 
>> If there's anything wrong with the drive, I return it to the store for a 
>> replacement.  And yes, I have had to return drives sometimes.  Those 
>> turned out to have thousands of bad blocks, so good riddance.
>
> And they replace it, no questions asked? I've a feeling they'd want some
> sort of proof?
>

The couple of times I've returned a drive after badblocks-reported
failures, Seagate wanted a report from their diagnostic tool (basically
equivalent to "smartctl --all" output) before they would issue a RMA
number, and Western Digital didn't care.  I've only returned drives
directly to manufacturers.  The stores where I live don't take returns,
and direct you to the manufacturers themselves.

-- 
regards,
kushal


-- 
Archive: http://lists.debian.org/51d1185f.c402440a.2165.1...@mx.google.com



Re: strange execute-command-as dialog pops up

2013-06-30 Thread Bob Proulx
Joel Rees wrote:
> After the reboot, I decided to install the flashrom package, and after the
> install finishes, I find in front of me what appears to be an
> execute-command-as dialog.
> 
> No command. User selection popup list showing root.
> 
> I assume it's the execute-as dialog, but I don't recall doing anything to
> get the dialog, so it's strange to see it. (Maybe my fingers moving by
> themselves when I find I can't stay awake?)

This sounds like Bug#708548.  This thread on debian-devel is
concerning this problem.

  http://lists.debian.org/debian-devel/2013/06/msg00341.html

No resolution yet.  But it is a big problem because it is training
people to fall prey to phishing attacks.

Bob




Re: strange execute-command-as dialog pops up

2013-06-30 Thread Andrei POPESCU
On Mon, 01 Jul 13, 11:23:56, Joel Rees wrote:
> After the reboot, I decided to install the flashrom package, and after the
> install finishes, I find in front of me what appears to be an
> execute-command-as dialog.
> 
> No command. User selection popup list showing root.

I've read discussions about such a pop-up, triggered by Gnome's new 
package management tool (PackageKit). I was hoping it would be fixed for 
7.1...

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: strange execute-command-as dialog pops up

2013-06-30 Thread Andrei POPESCU
On Sun, 30 Jun 13, 20:27:22, David Christensen wrote:
> On 06/30/13 19:23, Joel Rees wrote:
> >After the reboot, I decided to install the flashrom package, and after the
> >install finishes, I find in front of me what appears to be an
> >execute-command-as dialog.
> 
> Every time I see people posting messages "upgrading from major
> version N to N+1", I just shake my head.  That used to be me.
> 
> I now back up/ archive my data, move my data to different system(s),
> reconfigure my back up/ archive scripts, back up/ archive my data,
> take an image of the system drive, wipe the system drive, do a fresh
> install, take an image of the system drive, move my data back,
> reconfigure my back up/ archive scripts, and back up/ archive my
> data.
> 
> As I gain experience with N+1, I repeat the process until I'm
> satisfied with the result.

This is Debian, dist-upgrade actually works ;)

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: kernel not upgraded to wheezy

2013-06-30 Thread Andrei POPESCU
On Mon, 01 Jul 13, 09:19:31, Joel Rees wrote:
> Short story: upgraded squeeze to wheezy, kernel did not. But OS seems to
> run, so I'm using synaptic to install the kernel. (I know I should use
> apt-cache and apt-get, but I'm lazy and trying to do some other work that
> needs to be done today.)
> 
> Wondering why, wondering how big a hole-in-my-foot I'm going to end up
> with. We'll see. Wondering if this has happened to anyone else.
... 
> Comments?

Two:

1. Since the kernel packages have different names they are not upgrades 
in the sense of the package manager (like installing package foo version 
1.2.3 to upgrade from foo version 0.1.2 is).

If you want/need this to be handled by the package manager have a look 
at the linux-image- packages.

2. The method of installing is irrelevant, the kernel will not be used 
until you reboot anyway ;)

You should only avoid synaptic when the upgrade may involve parts of 
your GUI infrastructure (*dm, DE/WM, etc.), otherwise I'm sure it might 
be a viable alternative for the dist-upgrade.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic


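Added example, not from Andrei's or Joel's messages: a Python check for the situation Joel describes, where a squeeze-to-wheezy dist-upgrade leaves the old kernel in place because only the versioned linux-image-2.6.32-5-686 package was installed and no unversioned linux-image-<flavour> metapackage existed to pull in the new ABI. It parses dpkg-query output (the constructed sample stands in for `dpkg-query -W -f='${Package} ${Version} ${Status}\n' 'linux-image-*'`) together with `uname -r`, and reports whether the running kernel is the newest installed one and whether a metapackage is present. The package names and versions in the sample are this example's own.

```python
import re

# Constructed sample output for this example, in the shape of
#   dpkg-query -W -f='${Package} ${Version} ${Status}\n' 'linux-image-*'
# and of `uname -r`.
SAMPLE_DPKG = """\
linux-image-2.6.32-5-686 2.6.32-48 install ok installed
linux-image-3.2.0-4-686-pae 3.2.46-1 install ok installed
linux-image-686-pae 3.2+46 install ok installed
"""
SAMPLE_UNAME_R = "2.6.32-5-686"

# Versioned kernel packages are linux-image-<upstream>-<abi>-<flavour>;
# anything else under linux-image-* (linux-image-686-pae, linux-image-amd64)
# is an unversioned metapackage that follows the current ABI.
ABI_RE = re.compile(r"^linux-image-(\d+(?:\.\d+)+-\d+-[\w.+-]+)$")


def installed_kernel_packages(dpkg_output):
    """Return (versioned ABI strings, metapackage names) in state 'installed'."""
    abis, metas = [], []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[-1] != "installed":
            continue
        m = ABI_RE.match(parts[0])
        if m:
            abis.append(m.group(1))
        else:
            metas.append(parts[0])
    return abis, metas


def abi_key(abi):
    """'3.2.0-4-686-pae' -> (3, 2, 0, 4): upstream version then ABI number.
    The flavour suffix carries no ordering and is ignored."""
    upstream, abi_num = abi.split("-", 2)[:2]
    return tuple(int(x) for x in upstream.split(".")) + (int(abi_num),)


def newest_installed_kernel(dpkg_output):
    abis, _ = installed_kernel_packages(dpkg_output)
    return max(abis, key=abi_key) if abis else None


def kernel_report(dpkg_output, uname_r):
    """Compare the running kernel with what dpkg has installed."""
    newest = newest_installed_kernel(dpkg_output)
    _, metas = installed_kernel_packages(dpkg_output)
    return {
        "running": uname_r,
        "newest_installed": newest,
        "running_is_newest": newest is not None and abi_key(uname_r) >= abi_key(newest),
        "metapackage_installed": bool(metas),
    }


if __name__ == "__main__":
    # On a real box, feed the actual dpkg-query and uname -r output instead.
    print(kernel_report(SAMPLE_DPKG, SAMPLE_UNAME_R))
```

With the sample the report says the 3.2 kernel is installed but 2.6.32 is still running, which is exactly the "installed, reboot pending" state Andrei's second point describes; a metapackage being absent is the condition under which the upgrade would not have installed the new kernel at all.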


Re: Holy Gnome3 Invasion, Batman! - Testing Upgrades 06/30/2013

2013-06-30 Thread Andrei POPESCU
[JFTR, I hit the same issue a while ago in unstable, and it took a while 
to clean via aptitude's interactive interface]

On Sun, 30 Jun 13, 17:49:13, Jape Person wrote:
> 
> So...my problem was that I was just using my package manager improperly.
> (Self-inflicted wounds are always the most irksome, aren't they?) The aptitude
> default setting of installing recommends probably works okay for Gnome and 
> KDE,
> but perhaps a little less so for Xfce or the even more minimalist DEs.

I don't think it's a matter of DE, but what you are using the system 
for, available resources and admin knowledge.

If the point of the installation is to be, let's say, multifunctional, 
then installing Recommends (except maybe specific packages) is useful.

If your system is designed for quite specific needs or even has to run 
with limited resources (e.g. a Raspberry Pi class machine), then turning 
Recommends off and installing them only as needed is probably more 
practical.

Beware though that, as with every non-default setting, you may be using 
your system in a way that is not as thoroughly tested or supported as 
the default setting. And don't even bother to report bugs about missing 
functionality before checking the Recommends.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: strange execute-command-as dialog pops up

2013-06-30 Thread David Christensen

On 06/30/13 19:23, Joel Rees wrote:

> After the reboot, I decided to install the flashrom package, and after the
> install finishes, I find in front of me what appears to be an
> execute-command-as dialog.


Every time I see people posting messages "upgrading from major version N 
to N+1", I just shake my head.  That used to be me.


I now back up/ archive my data, move my data to different system(s), 
reconfigure my back up/ archive scripts, back up/ archive my data, take 
an image of the system drive, wipe the system drive, do a fresh install, 
take an image of the system drive, move my data back, reconfigure my 
back up/ archive scripts, and back up/ archive my data.


As I gain experience with N+1, I repeat the process until I'm satisfied 
with the result.


Good luck,

David


--

Archive: http://lists.debian.org/51d0f71a.1090...@holgerdanske.com



strange execute-command-as dialog pops up

2013-06-30 Thread Joel Rees
After the reboot, I decided to install the flashrom package, and after the
install finishes, I find in front of me what appears to be an
execute-command-as dialog.

No command. User selection popup list showing root.

I assume it's the execute-as dialog, but I don't recall doing anything to
get the dialog, so it's strange to see it. (Maybe my fingers moving by
themselves when I find I can't stay awake?)

Probably not important, but if others are seeing such a dialog when they
don't expect it, I'd like to hear about it.

On Mon, Jul 1, 2013 at 10:47 AM, Joel Rees  wrote:

> FWIW, upgrading the kernel via synaptic seems to have worked.
>
> The shell is much more responsive, and doesn't get strange video glitches
> like it had been getting since the upgrade to wheezy.
>
> Still need to check the rest of /etc.
> [...]
>

--
Joel Rees


Re: kernel not upgraded to wheezy

2013-06-30 Thread Joel Rees
FWIW, upgrading the kernel via synaptic seems to have worked.

The shell is much more responsive, and doesn't get strange video glitches
like it had been getting since the upgrade to wheezy.

Still need to check the rest of /etc.

On Mon, Jul 1, 2013 at 9:19 AM, Joel Rees  wrote:

> Short story: upgraded squeeze to wheezy, kernel did not. But OS seems to
> run, so I'm using synaptic to install the kernel. (I know I should use
> apt-cache and apt-get, but I'm lazy and trying to do some other work that
> needs to be done today.)
>
> Wondering why, wondering how big a hole-in-my-foot I'm going to end up
> with. We'll see. Wondering if this has happened to anyone else.
>
> Long story:
>
> I have an AMD sempron 32 bit CPU, three disks. Currently only two OSses,
> both Debian, both were squeeze last week.
>
>
> One is on the first hard disk, it controls the dual-boot process. (This
> was for when I was mostly running Fedora and sometimes playing with other
> stuff. I still plan to play with other stuff, if I can figure out how to
> chain grub to non-MSWindows OSses.)
>
> The other is the working OS on the second disk, both the family accounts
> and some of my work accounts.
>
> The first disk is a very small install, single partition, minimal set of
> apps. I upgraded it using apt-get update with no problems. (That I've
> noticed yet. Haven't tried sound and some other not-so-simple stuff.)
>
> In other words, I got into /etc/apt/sources.list and commented out the
> squeeze lines and added wheezy lines, per the documented procedures at
>
>
> http://www.debian.org/releases/stable/amd64/release-notes/ch-upgrading.en.html
>
> Since that went fairly well, I tried the same thing on my working OS. Lots
> of things show that I need to tune settings, I expected that.
>
> I may have missed it in the middle of the night, but I didn't see any
> messages about not being able to install the kernel. No holds show up
> anywhere, either.
>
> While restoring the PAM settings that keep my kids from logging in after
> 11:00 at night (not the right solution, I know.), I noticed that the kernel
> was still at 2.6.32. No sign of 3.2 in /boot or anywhere. Synaptic says
> it's not loaded.
>
> So, I'm just doing the point-and-click install of the 3.2 kernel, hoping
> nothing too strange happens.
>
> Comments?
>
> --
> Joel Rees
>



-- 
--
Joel Rees


kernel not upgraded to wheezy

2013-06-30 Thread Joel Rees
Short story: upgraded squeeze to wheezy, kernel did not. But OS seems to
run, so I'm using synaptic to install the kernel. (I know I should use
apt-cache and apt-get, but I'm lazy and trying to do some other work that
needs to be done today.)

Wondering why, wondering how big a hole-in-my-foot I'm going to end up
with. We'll see. Wondering if this has happened to anyone else.

Long story:

I have an AMD sempron 32 bit CPU, three disks. Currently only two OSses,
both Debian, both were squeeze last week.


One is on the first hard disk, it controls the dual-boot process. (This was
for when I was mostly running Fedora and sometimes playing with other
stuff. I still plan to play with other stuff, if I can figure out how to
chain grub to non-MSWindows OSses.)

The other is the working OS on the second disk, both the family accounts
and some of my work accounts.

The first disk is a very small install, single partition, minimal set of
apps. I upgraded it using apt-get update with no problems. (That I've
noticed yet. Haven't tried sound and some other not-so-simple stuff.)

In other words, I got into /etc/apt/sources.list and commented out the
squeeze lines and added wheezy lines, per the documented procedures at

http://www.debian.org/releases/stable/amd64/release-notes/ch-upgrading.en.html

Since that went fairly well, I tried the same thing on my working OS. Lots
of things show that I need to tune settings, I expected that.

I may have missed it in the middle of the night, but I didn't see any
messages about not being able to install the kernel. No holds show up
anywhere, either.

While restoring the PAM settings that keep my kids from logging in after
11:00 at night (not the right solution, I know.), I noticed that the kernel
was still at 2.6.32. No sign of 3.2 in /boot or anywhere. Synaptic says
it's not loaded.

So, I'm just doing the point-and-click install of the 3.2 kernel, hoping
nothing too strange happens.

Comments?

--
Joel Rees


[SOLVED] Gnome3 HS after update

2013-06-30 Thread Jean-Marc
On Sun, 30 Jun 2013 12:59:51 +0200
Jean-Marc  wrote:

> Hi everybody,
> 
> I updated my jessie and Gnome3 does not start anymore.
> Actually, it starts, but I never get any menu.
> 
> Did other people get the same?
> 
> -- 
> Jean-Marc 

For your info: updating to gnome-shell 3.4.2-9 (Sid version) solved this 
problem.

Jean-Marc 




Re: TRIM support with XFS

2013-06-30 Thread Stan Hoeppner
On 6/29/2013 11:45 PM, John Andreasson wrote:
> On Sun, Jun 30, 2013 at 1:47 AM, Stan Hoeppner  wrote:
>> Post the XFS mount entry(s) in dmesg and any errors.
> 
> [2.119489] SGI XFS with ACLs, security attributes, realtime, large
> block/inode numbers, no debug enabled
> [2.119716] SGI XFS Quota Management subsystem
> [2.120753] XFS (sda2): Mounting Filesystem
> [2.150708] XFS (sda2): Ending clean mount
> 
>> Paste the exact line from /etc/fstab.
> 
> UUID=-/boot/efi   vfat
> defaults0   1
> UUID=---- /   xfs
> defaults,discard,noatime 0   1
> UUID=---- noneswapsw
>0   0
> 
>> I should have remembered this sooner.  You're using initrd I assume
>> since this is a stock install.  The problem here is that the rootfs is
>> being mounted via initrd.  If you didn't rebuild it after adding discard
>> to /etc/fstab, this explains your problem.
>>
>> Rebuilding initrd should fix it.
> 
> Apart from the change in default file system it's pretty much a stock
> install. I've rebuilt the initrd and rebooted the machine; but no
> change in /proc/mounts.

Hmm...

Last thing to try is rootflags.  To your kernel line in menu.lst add

root=/dev/sdXX rootflags=discard ro

If that doesn't do it maybe there's a bug here.

-- 
Stan


-- 
Archive: http://lists.debian.org/51d0ab97.8060...@hardwarefreak.com
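Added example, not part of Stan's or John's messages: a Python check for the situation in this thread, where /etc/fstab asks for discard but /proc/mounts does not show it. It compares the option lists for a mountpoint in fstab and in /proc/mounts and, for the root filesystem, also looks at rootflags= on the kernel command line, since the root filesystem is mounted by the initramfs before /etc/fstab is consulted. The fstab, mounts and cmdline contents below are constructed for the example; on a real system read the three files instead.

```python
import re

# Constructed sample contents for this example (stand-ins for /etc/fstab,
# /proc/mounts and /proc/cmdline).
SAMPLE_FSTAB = """\
UUID=1111-2222 /boot/efi vfat defaults 0 1
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee / xfs defaults,discard,noatime 0 1
UUID=ffffffff-0000-1111-2222-333333333333 none swap sw 0 0
"""
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda2 / xfs rw,noatime,attr2,inode64,noquota 0 0
/dev/sda1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077 0 0
"""
SAMPLE_CMDLINE = ("BOOT_IMAGE=/boot/vmlinuz-3.2.0-4-amd64 "
                  "root=UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee ro quiet")


def mount_options(mountpoint, table_text):
    """Option set of the last entry for mountpoint in an fstab- or
    /proc/mounts-style table (fields: device, mountpoint, fstype, options).
    The 'rootfs' pseudo-entry that precedes the real root in /proc/mounts
    is skipped, as are comments."""
    opts = set()
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        if fields[1] == mountpoint and fields[2] != "rootfs":
            opts = set(fields[3].split(","))
    return opts


def rootflags(cmdline):
    """Mount options the initramfs passes when it mounts the root filesystem."""
    m = re.search(r"(?:^|\s)rootflags=(\S+)", cmdline)
    return set(m.group(1).split(",")) if m else set()


def diagnose_discard(fstab, mounts, cmdline, mountpoint="/"):
    """Explain whether 'discard' requested in fstab is actually in effect."""
    wanted = "discard" in mount_options(mountpoint, fstab)
    active = "discard" in mount_options(mountpoint, mounts)
    if not wanted:
        return "not requested in fstab"
    if active:
        return "active"
    if mountpoint == "/" and "discard" not in rootflags(cmdline):
        # The root filesystem was mounted from the initramfs, which takes its
        # options from rootflags= rather than from /etc/fstab: the two fixes
        # suggested in this thread are rebuilding the initramfs and adding
        # rootflags=discard to the kernel line.
        return "requested but not active: root mounted without rootflags=discard"
    return "requested but not active"


if __name__ == "__main__":
    for mp in ("/", "/boot/efi"):
        print(mp, "->", diagnose_discard(SAMPLE_FSTAB, SAMPLE_MOUNTS, SAMPLE_CMDLINE, mp))
```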



Re: Holy Gnome3 Invasion, Batman! - Testing Upgrades 06/30/2013

2013-06-30 Thread Jape Person
On 06/30/2013 04:01 PM, Jochen Spieker wrote:
> Patrick Wiseman:
>> On Sun, Jun 30, 2013 at 10:06 AM, Jape Person  wrote:
>>>
>>> Forgive the facetious thread title, please. I just about got knocked out of 
>>> my
>>> socks this morning when I ran my daily upgrade checks in aptitude.
>>>
>>> I run Debian testing with Xfce, and I'd like to keep it that way.
>>
>> Me, too.
> 
> I know it is nitpicking and slightly beside the point, but still: only
> because apt wants to install (parts of) Gnome, it doesn't force you to
> run it.
> 
> Sure, you should be able to install exactly what you want and nothing
> more, but even a few hundred megabytes don't really need to bother you
> on a desktop system less than ten years old. Even if you install KDE,
> Gnome, Xfce and every other desktop system you can think of, the Debian
> installation does not necessarily use more than, say, 10-12GB.
> 
> I don't even use one of the big desktop environments but like to have at
> least Gnome and Xfce installed, just in case someone else wants to use
> my computer. (I usually use the „awesome“ window manager which is
> awkward to use for the uninitiated).
> 
>> […] The way I avoid what you saw this
>> morning is to tell aptitude NOT to install by default packages
>> recommended by other packages. That seems to prevent a lot of
>> unnecessary installations. So I recommend setting that option in
>> aptitude! You always have the option, after scanning what's
>> recommended, to install what you want.
> 
> ACK, I do that too. From my /etc/apt/apt.conf.d/local:
> 
> APT {
>   Install-Recommends "false";
> }
> 
> Aptitude {
>   Recommends-Important "false";
>   Keep-Recommends "true";
>   Keep-Suggests "true";
> }
> 
> J.

Certainly, I think I get your point here. But 117 packages is truly a bit much
for a curmudgeon like me to buy. This appeared to be the bulk of the Gnome
desktop. And I have seen "competing" DEs installed on the same system interfere
with each other in some pretty annoying ways. It's not as though they have no
effect whatsoever on each other. The most irritating interactions I've dealt
with personally are the ways in which the DEs can (I should say "could",
perhaps, since this was some time ago.) affect each other through things like
update-alternatives. What works for one may not work so well for another.

And then there's the fact that stuff I don't need is stuff I don't need. I might
be able to put up with a little avoirdupois on my system, I suppose. But the
added weight plus even the possibility that I might encounter an unwanted
interaction is more than enough to get me to avoid wholesale introduction of new
packages onto my systems. If I don't need the function, I don't need or want the
packages.

But -- if, like you -- I had a system on which I used a window manager like
awesome and which I wanted to be able to share with users who wanted or needed a
DE, it would certainly make sense to install a couple of the more popular DEs.
It's not like they'd be likely to get in my way when I was just using the window
manager.

BTW, I told aptitude to not install recommends as Patrick suggested, then
re-installed gnome-bluetooth. It just pulled in the data package plus a couple
of orphaned packages that I removed this morning after blowing away
gnome-bluetooth. This outcome is much superior from my standpoint (and, I
assume, Patrick's) to the landslide of additional packages I was looking at this
morning.

So...my problem was that I was just using my package manager improperly.
(Self-inflicted wounds are always the most irksome, aren't they?) The aptitude
default setting of installing recommends probably works okay for Gnome and KDE,
but perhaps a little less so for Xfce or the even more minimalist DEs.

Regards,
J.


-- 
Archive: http://lists.debian.org/51d0a7d9.70...@comcast.net



Re: Switching to 64 bit

2013-06-30 Thread Jeff Bauer


200 browser tabs /and/ a gmail account. That figures ...


On 06/30/2013 04:22 PM, Kelly Clowers wrote:


> Can't speak for him of course, but my SeaMonkey is currently using
> 4.2 GB RES and 5.3 GB VIRT (probably north of 200 tabs)





Dovecot sieve plugin global rules

2013-06-30 Thread M.Atıf CEYLAN

 Hi all,
I use Dovecot 2.1.7 on Debian squeeze with the Sieve plugin. Sieve rules 
work nicely if I use the rules in user directories. But if I want to 
use a global rule it's not working. My configuration is below,


/etc/dovecot/conf.d/90-sieve.conf :
 plugin {
  sieve = ~/.dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /etc/dovecot/sieve/
 }

/etc/dovecot/sieve/dovecot.sieve :

require ["fileinto"];
# rule:[test]
if header :contains "From" "abc.com"
{
fileinto "INBOX.Junk";
}

This rule is working in the user directory.

Regards,

--
M.Atıf CEYLAN
Yurdum Yazılım


--

Archive: http://lists.debian.org/51d096cd.4000...@atifceylan.com



Re: Switching to 64 bit

2013-06-30 Thread Kelly Clowers
On Fri, Jun 28, 2013 at 11:05 PM, Stan Hoeppner  wrote:
> On 6/28/2013 2:49 PM, Frank McCormick wrote:
>
>> For now I will run regular 32-bit Sid..realizing I am wasting
>> the opportunity to utilize more memory and perhaps faster operations.
>
> Your 32 bit PAE Sid kernel can address 64GB.  Since your new machine
> will have less than 64GB RAM you're wasting no opportunity.  Your only
> limitation is 2GB per process.  How many of your apps consume more than
> 2GB of RAM?

Can't speak for him of course, but my SeaMonkey is currently using
4.2 GB RES and 5.3 GB VIRT (probably north of 200 tabs)

Cheers,
Kelly Clowers


-- 
Archive: 
http://lists.debian.org/CAFoWM=_ekugdoudpp6b9onec7ror-mjbydherwhp-o__qjc...@mail.gmail.com



Re: Holy Gnome3 Invasion, Batman! - Testing Upgrades 06/30/2013

2013-06-30 Thread Jochen Spieker
Patrick Wiseman:
> On Sun, Jun 30, 2013 at 10:06 AM, Jape Person  wrote:
>> 
>> Forgive the facetious thread title, please. I just about got knocked out of 
>> my
>> socks this morning when I ran my daily upgrade checks in aptitude.
>> 
>> I run Debian testing with Xfce, and I'd like to keep it that way.
> 
> Me, too.

I know it is nitpicking and slightly beside the point, but still: only
because apt wants to install (parts of) Gnome, it doesn't force you to
run it.

Sure, you should be able to install exactly what you want and nothing
more, but even a few hundred megabytes don't really need to bother you
on a desktop system less than ten years old. Even if you install KDE,
Gnome, Xfce and every other desktop system you can think of, the Debian
installation does not necessarily use more than, say, 10-12GB.

I don't even use one of the big desktop environments but like to have at
least Gnome and Xfce installed, just in case someone else wants to use
my computer. (I usually use the „awesome“ window manager which is
awkward to use for the uninitiated).

> […] The way I avoid what you saw this
> morning is to tell aptitude NOT to install by default packages
> recommended by other packages. That seems to prevent a lot of
> unnecessary installations. So I recommend setting that option in
> aptitude! You always have the option, after scanning what's
> recommended, to install what you want.

ACK, I do that too. From my /etc/apt/apt.conf.d/local:

APT {
  Install-Recommends "false";
}

Aptitude {
  Recommends-Important "false";
  Keep-Recommends "true";
  Keep-Suggests "true";
}

J.
-- 
We are lining up to see you fall flat on your face.
[Agree]   [Disagree]
 




Re: Fwd: iptables and networking

2013-06-30 Thread Jerry Stuckle

On 6/30/2013 2:20 PM, Pascal Hambourg wrote:
> staticsafe wrote:
>> On Sun, Jun 30, 2013 at 03:15:47PM +0200, Pascal Hambourg wrote:
>>> Redalert Commander wrote:
>>>> -- Forwarded message --
>>>> From: Igor Cicimov
>>>>
>>>>> You can block repeated attempts to log in with iptables using the
>>>>> 'recent' module, an alternative is 'fail2ban', which monitors your
>>>>> server logs (ssh, apache, and others) for failed login attempts and then
>>>>> adds an iptables rule for the offending IP.
>>>
>>> The 'recent' match is vulnerable to source IP address spoofing and can
>>> be abused to cause a DoS for the spoofed address. fail2ban is much less
>>> vulnerable to such attacks.
> 
> Jerry Stuckle wrote:
>> I don't understand this statement.  How is 'recent' more vulnerable to
>> source IP address spoofing than fail2ban?  Both depend only on the
>> supplied address.
> 
> The ruleset using the 'recent' match is based only on TCP packets with
> the NEW state, i.e. the initial SYN. A single SYN packet can be easily
> forged with a spoofed source address. Fail2ban is based on
> authentication failures, which first requires a TCP connection to be
> established with the 3-way handshake. As it involves a positive reply
> from the spoofed address, this is much harder to achieve, unless the
> attacker is in a special position on the network.
> 
>> And how can recent 'be abused to cause a DoS...' any more than fail2ban?
> 
> This is just the consequence of the above.
> 
>> IP address spoofing with TCP, what?
> 
> Yes.
> 
>> That only works with UDP.
> 
> No. It works with any mechanism which is based on a simple packet
> instead of a real "stateful" connection (including a positive reply).
> Which is the case here, see below.
> 
>> (Hint - three way handshake for TCP).
> 
> As I wrote above, the proposed rulesets using the 'recent' and 'limit'
> matches are only based on the initial SYN packets. They do not care
> about the 3-way handshake.




OK, that makes a lot of sense.  However, there are two problems with 
fail2ban, also.  The first one is it requires an authentication failure. 
 Port probing will not trigger it (but recent can).  The second being 
it depends on log entries, which can be buffered.  I have it monitoring 
my email (smtp/imap/pop3) ports.  Even though it is set to trigger after 
two failures, I have seen as many as 50+ failures logged from the same 
ip address within seconds before fail2ban is triggered.


I'm not so worried about SYN attacks from spoofed IP addresses as I am 
attempts to break in (despite several security measures).  I want to 
shut them off ASAP.



--

Archive: http://lists.debian.org/51d08841.9040...@attglobal.net



Re: Fwd: iptables and networking

2013-06-30 Thread staticsafe
On Sun, Jun 30, 2013 at 08:20:48PM +0200, Pascal Hambourg wrote:
> staticsafe wrote:
> > On Sun, Jun 30, 2013 at 03:15:47PM +0200, Pascal Hambourg wrote:
> >> Redalert Commander wrote:
> >>> -- Forwarded message --
> >>> From: Igor Cicimov
> >>>
>  You can block repeated attempts to log in with iptables using the
>  'recent' module, an alternative is 'fail2ban', which monitors your
>  server logs (ssh, apache, and others) for failed login attempts and then
>  adds an iptables rule for the offending IP.
> >>
> >> The 'recent' match is vulnerable to source IP address spoofing and can
> >> be abused to cause a DoS for the spoofed address. fail2ban is much less
> >> vulnerable to such attacks.
> 
> Jerry Stuckle wrote:
> > I don't understand this statement.  How is 'recent' more vulnerable to 
> > source IP address spoofing than fail2ban?  Both depend only on the 
> > supplied address.
> 
> The ruleset using the 'recent' match is based only on TCP packets with
> the NEW state, i.e. the initial SYN. A single SYN packet can be easily
> forged with a spoofed source address. Fail2ban is based on
> authentication failures, which first requires a TCP connection to be
> established with the 3-way handshake. As it involves a positive reply
> from the spoofed address, this is much harder to achieve, unless the
> attacker is in a special position on the network.
> 
> > And how can recent 'be abused to cause a DoS...' any more than fail2ban?
> 
> This is just the consequence of the above.
> 
> > IP address spoofing with TCP, what?
> 
> Yes.
> 
> > That only works with UDP.
> 
> No. It works with any mechanism which is based on a simple packet
> instead of a real "stateful" connection (including a positive reply).
> Which is the case here, see below.
> 
> > (Hint - three way handshake for TCP).
> 
> As I wrote above, the proposed rulesets using the 'recent' and 'limit'
> matches are only based on the initial SYN packets. They do not care
> about the 3-way handshake.
> 

Ah, that clarifies quite a bit, thanks.

On that topic, if you are getting flooded with SYNs, it is a good idea
to enable syncookies (kernel option).
-- 
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.


-- 
Archive: http://lists.debian.org/20130630190405.gl1...@uriel.asininetech.com



Re: Fwd: iptables and networking

2013-06-30 Thread Pascal Hambourg
staticsafe wrote:
> On Sun, Jun 30, 2013 at 03:15:47PM +0200, Pascal Hambourg wrote:
>> Redalert Commander wrote:
>>> -- Forwarded message --
>>> From: Igor Cicimov
>>>
 You can block repeated attempts to log in with iptables using the
 'recent' module, an alternative is 'fail2ban', which monitors your
 server logs (ssh, apache, and others) for failed login attempts and then
 adds an iptables rule for the offending IP.
>>
>> The 'recent' match is vulnerable to source IP address spoofing and can
>> be abused to cause a DoS for the spoofed address. fail2ban is much less
>> vulnerable to such attacks.

Jerry Stuckle wrote:
> I don't understand this statement.  How is 'recent' more vulnerable to 
> source IP address spoofing than fail2ban?  Both depend only on the 
> supplied address.

The ruleset using the 'recent' match is based only on TCP packets with
the NEW state, i.e. the initial SYN. A single SYN packet can be easily
forged with a spoofed source address. Fail2ban is based on
authentication failures, which first requires a TCP connection to be
established with the 3-way handshake. As it involves a positive reply
from the spoofed address, this is much harder to achieve, unless the
attacker is in a special position on the network.

> And how can recent 'be abused to cause a DoS...' any more than fail2ban?

This is just the consequence of the above.

> IP address spoofing with TCP, what?

Yes.

> That only works with UDP.

No. It works with any mechanism which is based on a simple packet
instead of a real "stateful" connection (including a positive reply).
Which is the case here, see below.

> (Hint - three way handshake for TCP).

As I wrote above, the proposed rulesets using the 'recent' and 'limit'
matches are only based on the initial SYN packets. They do not care
about the 3-way handshake.


-- 
Archive: http://lists.debian.org/51d07700.1090...@plouf.fr.eu.org
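A toy model of the argument in Pascal's reply, added here as an example and not code from the thread: a 'recent'-style ban counts bare SYNs with whatever source address is in the header, while a fail2ban-style ban counts authentication failures, which can only happen once the 3-way handshake has completed with the real owner of that address. Hosts, addresses and the threshold of 3 are constructed for illustration; nothing is sent on a real network.

```python
"""Toy model of the 'recent' vs fail2ban argument made above.

Added example, not code from the thread. Addresses (TEST-NET ranges) and the
ban threshold of 3 are constructed for illustration only; nothing here sends
real packets, it only models who can complete a TCP handshake.
"""
from collections import defaultdict
from dataclasses import dataclass

BAN_THRESHOLD = 3  # constructed: ban a source after 3 counted events


@dataclass(frozen=True)
class Syn:
    src: str     # source address as written in the IP header (forgeable)
    sender: str  # host that really put the packet on the wire


class Host:
    """A host that only completes handshakes it actually started."""

    def __init__(self, addr):
        self.addr = addr
        self.pending = 0  # SYNs this host really sent and is waiting on

    def send_syn(self):
        self.pending += 1
        return Syn(src=self.addr, sender=self.addr)

    def on_synack(self):
        # A SYN-ACK for a connection we never opened: no ACK, no connection.
        if self.pending == 0:
            return False
        self.pending -= 1
        return True


class Attacker(Host):
    def spoofed_syn(self, victim_addr):
        # A single SYN carrying someone else's address in the header.
        return Syn(src=victim_addr, sender=self.addr)


class Server:
    """Runs both ban policies side by side on the same traffic."""

    def __init__(self, hosts, threshold=BAN_THRESHOLD):
        self.hosts = {h.addr: h for h in hosts}   # who owns which address
        self.threshold = threshold
        self.syn_count = defaultdict(int)   # 'recent' style: counts SYNs
        self.fail_count = defaultdict(int)  # fail2ban style: counts auth failures
        self.banned_by_recent = set()
        self.banned_by_fail2ban = set()

    def handle_syn(self, syn, password_ok=False):
        src = syn.src
        # 'recent' match on --state NEW: the bare SYN is enough to count;
        # nothing about the claimed source has been verified yet.
        self.syn_count[src] += 1
        if self.syn_count[src] >= self.threshold:
            self.banned_by_recent.add(src)
        # 3-way handshake: the SYN-ACK is routed to the owner of the claimed
        # address, not to whoever actually sent the SYN.
        owner = self.hosts.get(src)
        if owner is None or not owner.on_synack():
            return "handshake-failed"
        # Only an established connection reaches authentication, so only
        # now can an authentication failure be logged for fail2ban to see.
        if password_ok:
            return "auth-ok"
        self.fail_count[src] += 1
        if self.fail_count[src] >= self.threshold:
            self.banned_by_fail2ban.add(src)
        return "auth-failed"


def spoofed_syns(n=BAN_THRESHOLD):
    """Attacker sends n SYNs carrying the victim's address."""
    victim = Host("192.0.2.10")         # constructed, TEST-NET-1
    attacker = Attacker("203.0.113.5")  # constructed, TEST-NET-3
    server = Server([victim, attacker])
    results = [server.handle_syn(attacker.spoofed_syn(victim.addr))
               for _ in range(n)]
    return {
        "handshakes": results,
        "recent_bans_victim": victim.addr in server.banned_by_recent,
        "fail2ban_bans_victim": victim.addr in server.banned_by_fail2ban,
    }


def real_bruteforce(n=BAN_THRESHOLD):
    """A host really connects n times and fails the password each time."""
    client = Host("192.0.2.10")  # constructed, TEST-NET-1
    server = Server([client])
    results = [server.handle_syn(client.send_syn()) for _ in range(n)]
    return {
        "handshakes": results,
        "recent_bans_client": client.addr in server.banned_by_recent,
        "fail2ban_bans_client": client.addr in server.banned_by_fail2ban,
    }


if __name__ == "__main__":
    print("spoofed SYNs:    ", spoofed_syns())
    print("real brute force:", real_bruteforce())
```

In the spoofed run the victim address is banned by the SYN counter but never by the failure counter, since none of the forged SYNs ever becomes a connection; in the real brute-force run both policies ban the client.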



Re: Apache2

2013-06-30 Thread Ethan Rosenberg, PhD

Understood. For test purposes, try to move SXXapache2 to another location
and see if dpkg recreates a new (stable) init symbolic link.

Pol
===
Pol -

Beautiful!!

Worked!!

Thanks a million

Ethan
--

Archive: http://lists.debian.org/51d06150.2060...@fuckaround.org



--

Archive: http://lists.debian.org/51d079b3.4000...@hygeiabiomedical.com



Re: Apache2

2013-06-30 Thread Pol Hallen
Understood. For test purposes, try to move SXXapache2 to another location
and see if dpkg recreates a new (stable) init symbolic link.

Pol


-- 
Archive: http://lists.debian.org/51d06150.2060...@fuckaround.org



Re: Holy Gnome3 Invasion, Batman! - Testing Upgrades 06/30/2013

2013-06-30 Thread Jape Person
On 06/30/2013 11:06 AM, Jape Person wrote:
> On 06/30/2013 10:40 AM, Patrick Wiseman wrote:
>> On Sun, Jun 30, 2013 at 10:06 AM, Jape Person  wrote:
>>> Hi!
>>>
>>> Forgive the facetious thread title, please. I just about got knocked out of 
>>> my
>>> socks this morning when I ran my daily upgrade checks in aptitude.
>>>
>>> I run Debian testing with Xfce, and I'd like to keep it that way.
>>
>> Me, too.
>>
>>> About a year ago I switched out Wicd for network-manager-gnome so that I 
>>> could
>>> make use of the latter package's ability to control VPN connections. I guess
>>> that's the root cause of this little adventure. (However, IIRC, Xfce has 
>>> started
>>> using network-manager-gnome instead of Wicd anyway.)
>>>
>>> This morning the usual upgrades included a gnome-bluetooth upgrade that 
>>> wanted
>>> to pull in what appeared to be just about everything from the Gnome DE --
>>> roughly 117 packages. The gnome-bluetooth package was apparently on the 
>>> system
>>> because the network manager wants it there.
>>>
>>> This was easy enough to prevent. I just held everything while I got rid of
>>> gnome-bluetooth and its playmates, then put a forbid on gnome-bluetooth. The
>>> ensuing upgrade attempt was a lot more reasonable.
>>>
>>> I don't suppose this really qualifies as a bug -- particularly since
>>> network-manager-gnome really is a part of the Gnome DE. But I imagine a few
>>> folks who use it in other DEs are going to be a little consternated by 
>>> today's
>>> upgrades if they don't pay fairly close attention before committing to them.
>>>
>>> Thanks for reading my tale of woe (whoa?).
>>
>> I think this happened because gnome-bluetooth recommends
>> gnome-control-center which in its turn depends on a bunch of stuff I
>> don't need (and most of which is not on my system) and recommends a
>> bunch more unnecessary stuff. The way I avoid what you saw this
>> morning is to tell aptitude NOT to install by default packages
>> recommended by other packages. That seems to prevent a lot of
>> unnecessary installations. So I recommend setting that option in
>> aptitude! You always have the option, after scanning what's
>> recommended, to install what you want.
>>
>> Patrick
> 
> That's a good point. Back when I decided to use Debian testing I decided to
> stick with the default aptitude setting, which -- as you have indicated -- may
> not be a great idea for those of us who prefer to keep things a little 
> simpler.
> It does seem as though some of the recommends are a little excessive and
> certainly shouldn't be treated as though they were hard dependencies.
> 
> I'm not sure which will result in me doing less fiddling around in aptitude --
> not having recommends set to be installed by default and adding them manually 
> as
> desired, or having aptitude set to install them by default and keeping a
> watchful eye. It's really pretty easy to spot 117 new installations with the
> aptitude TUI. But I often see smaller lists of new installations being brought
> in and might end up installing stuff I don't need if I'm not on my toes.
> 
> I think I'll take your advice. This (no recommends) is the way I used to use
> aptitude.
> 
> And you are exactly right about gnome-panel. The gnome-bluetooth package 
> itself
> didn't require addition of all of the dross, but its request for gnome-panel 
> is
> what caused the landslide of recommended installations.
> 
> J.
> 
> 
...and by gnome-panel I, of course, meant gnome-control-center...

Yeesh, I'm muddle-headed today!

J.


-- 
Archive: http://lists.debian.org/51d05d8f.7090...@comcast.net



Re: Apache2

2013-06-30 Thread Ethan Rosenberg, PhD

dpkg --configure -a
Setting up apache2 (2.4.4-6) ...
 * Restarting web server apache2   [fail]
invoke-rc.d: initscript apache2, action "restart" failed.
dpkg: error processing apache2 (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 apache2


Maybe... try to check the init script /etc/rc2.d --> apache2 (try to move
that file to another location) and do it again:

apt-get install -f

Tell me

Pol

=

Pol -

apt-get install -f -- did it, no luck.

 try to check the init script /etc/rc2.d --> apache2 (try to move
that file to another location) and do it again

Here is what happened:


rosenberg:/media/Linux_part# ls  /etc/rc2.d
README S20anacron   S20pcscd  S22gdm
S01decnet  S20atd   S20rsync  S22gdm3
S01motdS20clamav-freshclam  S20slpd   S22pulseaudio
S01nvidia-kernel   S20dbus  S20smartmontools  S22saned
S15portmap S20gdomapS20speech-dispatcher  S23bootlogs
S15rpcbind S20gpm   S20sshS23cups-browsed
S16nfs-common  S20kerneloopsS21avahi-daemon   S24winbind
S18binfmt-support  S20knockdS21bluetooth  S25minissdpd
S18jetty   S20loadcpufreq   S21cpufrequtils   S25rc.local
S18rsyslog S20lpd   S21exim4  S25rmnologin
S18sudoS20mdadm S21network-managerS25stop-bootlogd
S19apache2 S20mysql S22cron
S20acpid   S20openbsd-inetd S22cups
rosenberg:/media/Linux_part# cd  /etc/rc2.d
rosenberg:/etc/rc2.d# cat README
The scripts in this directory are executed each time the system enters
this runlevel.

The scripts are all symbolic links whose targets are located in
/etc/init.d/ .

To disable a service in this runlevel, rename its script in this
directory so that the new name begins with a 'K' and a two-digit
number, and run 'update-rc.d script defaults' to reorder the scripts
according to dependencies.  A warning about the current runlevels
being enabled not matching the LSB header in the init.d script will be
printed.  To re-enable the service, rename the script back to its
original name beginning with 'S' and run update-rc.d again.

For a more information see /etc/init.d/README.
rosenberg:/etc/rc2.d#  update-rc.d S19apache2
update-rc.d: using dependency based boot sequencing
update-rc.d: error: not enough arguments
usage: update-rc.d [-n] [-f]  remove
   update-rc.d [-n]  defaults [NN | SS KK]
   update-rc.d [-n]  start|stop NN runlvl [runlvl] [...] .
   update-rc.d [-n]  disable|enable [S|2|3|4|5]
-n: not really
-f: force

The disable|enable API is not stable and might change in the future.

Ethan





--

Archive: http://lists.debian.org/51d05c2a.8080...@hygeiabiomedical.com



Re: Apache2

2013-06-30 Thread Pol Hallen
> dpkg --configure -a
> Setting up apache2 (2.4.4-6) ...
>  * Restarting web server apache2   [fail]
> invoke-rc.d: initscript apache2, action "restart" failed.
> dpkg: error processing apache2 (--configure):
>  subprocess installed post-installation script returned error exit status 1
> Errors were encountered while processing:
>  apache2

Maybe... try to check the init script /etc/rc2.d --> apache2 (try to move
that file to another location) and do it again:

apt-get install -f

Tell me

Pol


-- 
Archive: http://lists.debian.org/51d05a5b.20...@fuckaround.org



Apache2

2013-06-30 Thread Ethan Rosenberg, PhD

Dear List -

There is an error with Apache2, I cannot remove it or install it.

From the terminal:

dpkg --configure -a
Setting up apache2 (2.4.4-6) ...
 * Restarting web server apache2 
  [fail]

invoke-rc.d: initscript apache2, action "restart" failed.
dpkg: error processing apache2 (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 apache2

rosenberg:/media/Linux_part# apt-get  install -f apache2
Reading package lists... Done
Building dependency tree
Reading state information... Done
apache2 is already the newest version.
The following packages were automatically installed and are no longer 
required:
  dbconfig-common ksh libdrm-nouveau1a libgnome-bluetooth10 
libjs-codemirror

  libjs-jquery-cookie libjs-jquery-event-drag libjs-jquery-metadata
  libjs-jquery-mousewheel libjs-jquery-tablesorter libjs-jquery-ui
  libjs-underscore libmcrypt4 libsystemd-daemon0 php-gettext 
python-packagekit

Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 348 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue [Y/n]? y
Setting up apache2 (2.4.4-6) ...
 * Restarting web server apache2 
  [fail]

invoke-rc.d: initscript apache2, action "restart" failed.
dpkg: error processing apache2 (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 apache2
E: Sub-process /usr/bin/dpkg returned an error code (1)

Any ideas?

Thanks.

Ethan


--

Archive: http://lists.debian.org/51d05852.1010...@hygeiabiomedical.com



Re: Fwd: iptables and networking

2013-06-30 Thread staticsafe
On Sun, Jun 30, 2013 at 03:15:47PM +0200, Pascal Hambourg wrote:
> Redalert Commander wrote:
> > 
> > -- Forwarded message --
> > From: Igor Cicimov
> > 
> >> You can block repeated attempts to log in with iptables using the
> >> 'recent' module, an alternative is 'fail2ban', which monitors your
> >> server logs (ssh, apache, and others) for failed login attempts and then
> >> adds an iptables rule for the offending IP.
> 
> The 'recent' match is vulnerable to source IP address spoofing and can
> be abused to cause a DoS for the spoofed address. fail2ban is much less
> vulnerable to such attacks.
> 
> >> In some cases the 'limit' module for iptables might be useful, for
> >> example (not really a good one):
> 
> The limit match is even worse as it can be easily abused to cause a DoS
> for all clients.
> 
> >> iptables -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state NEW -m
> >> limit --limit 1/min --limit-burst 3 -j ACCEPT
> >>
> >> This will only allow 1 connection attempt on an FTP server per minute,
> >> with an initial burst of 3 before limiting.
> 
> So an attacker just needs to send 3 packets per minute to block all
> access for anyone to the server. Great.
> 
> > Another option is the hashlimit module. It's based simply on the fact
> > that ddos sends bursts of traffic over the connection. Example below
> > for port 80 but can be applied to 22 or any other service.
> 
> Hashlimit won't protect against DDoS attacks or DoS attacks using source
> IP address spoofing.
>

IP address spoofing with TCP, what? That only works with UDP.

(Hint - three way handshake for TCP).
-- 
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.


-- 
Archive: http://lists.debian.org/20130630155344.gh1...@uriel.asininetech.com



Re: KDE digital clock NTP server time adjust.

2013-06-30 Thread Bob Proulx
Franco Martelli wrote:
> > Bob Proulx wrote:
> > Franco Martelli wrote:
> >> I installed both ntpdate and rdate packages but automatic date
> >> and time update of KDE digital clock on the desktop doesn't
> >> work. Do I need package like kdesudo in order to make things
> >> working?
> > 
> > No.  Your choice of packages is unfortunate.  A mistake.  Instead 
> > install 'ntp'.
> 
> But I used the strings command to look inside kcm_clock.so (for
> investigation) and its output suggests that I install ntpdate or rdate
> in order to get the digital clock updated automatically.
> 
> # strings /usr/lib/kde4/kcm_clock.so|sort|less
> 
> then hit "/" to enter in search mode and type "ntpdate" less will
> point to the following string:
> 
> No NTP utility has been found. Install 'ntpdate' or 'rdate' command to
> enable automatic updating of date and time.

I am impressed that you used strings to find the text notes in that
library!  Very clever.  However those are just hints left there by the
programmer of that library.  And those are notes that are buried quite
deep.  They won't have had as much review.

> Should I ask on a KDE or QT related mailing list?

I would file a bug against that library asking that the hints included
in it be updated.  The hints are providing bad advice.  Because
"stepping" the clock is never desirable.

However the way you found that hint is unusual.  I don't know how that
hint would be shown to the user normally.  It might never be shown to
the user.  In which case it would be hard to call that a bug.

> Thanks in advance for any answer.

In my not so humble opinion the hint advice offered by kcm_clock.so is
bad advice.  It advises to install programs that are designed to step
the clock.  Stepping the clock during normal runtime operation of the
system is bad and causes other problems.

I think it should advise correcting the clock more generically.
Because any specific advice today may be stale and obsolete in the
future.  Packages change and technologies move forward.  Embedding
high level system advice in a low level library seems prone to
becoming out of sync.

I would purge rdate and ntpdate and install ntp as I recommended in
the previous email.

  # apt-get purge ntpdate rdate
  # apt-get install ntp

Bob




apache (debian 7) missed chroot module

2013-06-30 Thread Pol Hallen
Hey all :-)

Installing apache on Debian 7, there isn't any chroot module for apache.
Also, searching around, I didn't find any...

Any idea how to put apache in a chroot?

thanks!

Pol


-- 
Archive: http://lists.debian.org/51d04da3.5070...@fuckaround.org



Re: Holy Gnome3 Invasion, Batman! - Testing Upgrades 06/30/2013

2013-06-30 Thread Jape Person
On 06/30/2013 10:40 AM, Patrick Wiseman wrote:
> On Sun, Jun 30, 2013 at 10:06 AM, Jape Person  wrote:
>> Hi!
>>
>> Forgive the facetious thread title, please. I just about got knocked out of 
>> my
>> socks this morning when I ran my daily upgrade checks in aptitude.
>>
>> I run Debian testing with Xfce, and I'd like to keep it that way.
> 
> Me, too.
> 
>> About a year ago I switched out Wicd for network-manager-gnome so that I 
>> could
>> make use of the latter package's ability to control VPN connections. I guess
>> that's the root cause of this little adventure. (However, IIRC, Xfce has 
>> started
>> using network-manager-gnome instead of Wicd anyway.)
>>
>> This morning the usual upgrades included a gnome-bluetooth upgrade that 
>> wanted
>> to pull in what appeared to be just about everything from the Gnome DE --
>> roughly 117 packages. The gnome-bluetooth package was apparently on the 
>> system
>> because the network manager wants it there.
>>
>> This was easy enough to prevent. I just held everything while I got rid of
>> gnome-bluetooth and its playmates, then put a forbid on gnome-bluetooth. The
>> ensuing upgrade attempt was a lot more reasonable.
>>
>> I don't suppose this really qualifies as a bug -- particularly since
>> network-manager-gnome really is a part of the Gnome DE. But I imagine a few
>> folks who use it in other DEs are going to be a little consternated by 
>> today's
>> upgrades if they don't pay fairly close attention before committing to them.
>>
>> Thanks for reading my tale of woe (whoa?).
> 
> I think this happened because gnome-bluetooth recommends
> gnome-control-center which in its turn depends on a bunch of stuff I
> don't need (and most of which is not on my system) and recommends a
> bunch more unnecessary stuff. The way I avoid what you saw this
> morning is to tell aptitude NOT to install by default packages
> recommended by other packages. That seems to prevent a lot of
> unnecessary installations. So I recommend setting that option in
> aptitude! You always have the option, after scanning what's
> recommended, to install what you want.
> 
> Patrick

That's a good point. Back when I decided to use Debian testing I decided to
stick with the default aptitude setting, which -- as you have indicated -- may
not be a great idea for those of us who prefer to keep things a little simpler.
It does seem as though some of the recommends are a little excessive and
certainly shouldn't be treated as though they were hard dependencies.

I'm not sure which will result in me doing less fiddling around in aptitude --
not having recommends set to be installed by default and adding them manually as
desired, or having aptitude set to install them by default and keeping a
watchful eye. It's really pretty easy to spot 117 new installations with the
aptitude TUI. But I often see smaller lists of new installations being brought
in and might end up installing stuff I don't need if I'm not on my toes.

I think I'll take your advice. This (no recommends) is the way I used to use
aptitude.

And you are exactly right about gnome-panel. The gnome-bluetooth package itself
didn't require addition of all of the dross, but its request for gnome-panel is
what caused the landslide of recommended installations.

J.


-- 
Archive: http://lists.debian.org/51d0497a.4050...@comcast.net



Re: Fwd: iptables and networking

2013-06-30 Thread Jerry Stuckle

On 6/30/2013 9:15 AM, Pascal Hambourg wrote:

Redalert Commander wrote:


-- Forwarded message --
From: Igor Cicimov


You can block repeated attempts to log in with iptables using the
'recent' module, an alternative is 'fail2ban', which monitors your
server logs (ssh, apache, and others) for failed login attempts and then
adds an iptables rule for the offending IP.


The 'recent' match is vulnerable to source IP address spoofing and can
be abused to cause a DoS for the spoofed address. fail2ban is much less
vulnerable to such attacks.



I don't understand this statement.  How is 'recent' more vulnerable to 
source IP address spoofing than fail2ban?  Both depend only on the 
supplied address.


And how can recent 'be abused to cause a DoS...' any more than fail2ban?




--

Archive: http://lists.debian.org/51d04849.2020...@attglobal.net



Re: RAID 1, SMART error, hot spare

2013-06-30 Thread Pascal Hambourg
Hello,

Gregory Seidman wrote:
> I have two eSATA drives in a RAID 1, and smartd has started reporting
> errors on it:
> 
>   Device: /dev/sdb [SAT], 9 Currently unreadable (pending) sectors
>   Device: /dev/sdb [SAT], 9 Offline uncorrectable sectors
> 
> The first message, on June 11, was 6 sectors. I ordered a new HD and
> enclosure that day. It went up to 8 sectors on June 12. By June 14 I had
> installed the new HD and added it to the RAID as a hot spare. On June 28 it
> went up to 9 sectors.
> 
> Given that I have the hot spare in place, do I need to do anything? Should
> I fail /dev/sdb with mdadm preemptively?

Yes.

> Or just wait until it fails on its own?

It has already failed. At least three times. Do you prefer to wait until
the other disk fails too?


-- 
Archive: http://lists.debian.org/51d04086.7000...@plouf.fr.eu.org



Re: Holy Gnome3 Invasion, Batman! - Testing Upgrades 06/30/2013

2013-06-30 Thread Patrick Wiseman
On Sun, Jun 30, 2013 at 10:06 AM, Jape Person  wrote:
> Hi!
>
> Forgive the facetious thread title, please. I just about got knocked out of my
> socks this morning when I ran my daily upgrade checks in aptitude.
>
> I run Debian testing with Xfce, and I'd like to keep it that way.

Me, too.

> About a year ago I switched out Wicd for network-manager-gnome so that I could
> make use of the latter package's ability to control VPN connections. I guess
> that's the root cause of this little adventure. (However, IIRC, Xfce has 
> started
> using network-manager-gnome instead of Wicd anyway.)
>
> This morning the usual upgrades included a gnome-bluetooth upgrade that 
> wanted
> to pull in what appeared to be just about everything from the Gnome DE --
> roughly 117 packages. The gnome-bluetooth package was apparently on the system
> because the network manager wants it there.
>
> This was easy enough to prevent. I just held everything while I got rid of
> gnome-bluetooth and its playmates, then put a forbid on gnome-bluetooth. The
> ensuing upgrade attempt was a lot more reasonable.
>
> I don't suppose this really qualifies as a bug -- particularly since
> network-manager-gnome really is a part of the Gnome DE. But I imagine a few
> folks who use it in other DEs are going to be a little consternated by today's
> upgrades if they don't pay fairly close attention before committing to them.
>
> Thanks for reading my tale of woe (whoa?).

I think this happened because gnome-bluetooth recommends
gnome-control-center which in its turn depends on a bunch of stuff I
don't need (and most of which is not on my system) and recommends a
bunch more unnecessary stuff. The way I avoid what you saw this
morning is to tell aptitude NOT to install by default packages
recommended by other packages. That seems to prevent a lot of
unnecessary installations. So I recommend setting that option in
aptitude! You always have the option, after scanning what's
recommended, to install what you want.

Patrick


-- 
Archive: http://lists.debian.org/CAJVvKsPvMT5F97wQWXwFb65tdqQW5NtAMFhFyOoZD8G=kr0...@mail.gmail.com



Re: KDE digital clock NTP server time adjust.

2013-06-30 Thread Franco Martelli

On 29/06/2013 20:24, Bob Proulx wrote:
> Franco Martelli wrote:
>> I installed both ntpdate and rdate packages but automatic date
>> and time update of KDE digital clock on the desktop doesn't
>> work. Do I need package like kdesudo in order to make things
>> working?
> 
> No.  Your choice of packages is unfortunate.  A mistake.  Instead 
> install 'ntp'.
> 

But I used the strings command to look inside kcm_clock.so (for
investigation) and its output suggests that I install ntpdate or rdate
in order to get the digital clock updated automatically.

# strings /usr/lib/kde4/kcm_clock.so|sort|less

then hit "/" to enter in search mode and type "ntpdate" less will
point to the following string:

No NTP utility has been found. Install 'ntpdate' or 'rdate' command to
enable automatic updating of date and time.
...

Should I ask on a KDE or QT related mailing list?
Thanks in advance for any answer.

Regards.
-- 
Franco Martelli.


-- 
Archive: http://lists.debian.org/51d0410c.4000...@gmail.com



Holy Gnome3 Invasion, Batman! - Testing Upgrades 06/30/2013

2013-06-30 Thread Jape Person
Hi!

Forgive the facetious thread title, please. I just about got knocked out of my
socks this morning when I ran my daily upgrade checks in aptitude.

I run Debian testing with Xfce, and I'd like to keep it that way.

About a year ago I switched out Wicd for network-manager-gnome so that I could
make use of the latter package's ability to control VPN connections. I guess
that's the root cause of this little adventure. (However, IIRC, Xfce has started
using network-manager-gnome instead of Wicd anyway.)

This morning the usual upgrades included a gnome-bluetooth upgrade that wanted
to pull in what appeared to be just about everything from the Gnome DE --
roughly 117 packages. The gnome-bluetooth package was apparently on the system
because the network manager wants it there.

This was easy enough to prevent. I just held everything while I got rid of
gnome-bluetooth and its playmates, then put a forbid on gnome-bluetooth. The
ensuing upgrade attempt was a lot more reasonable.

I don't suppose this really qualifies as a bug -- particularly since
network-manager-gnome really is a part of the Gnome DE. But I imagine a few
folks who use it in other DEs are going to be a little consternated by today's
upgrades if they don't pay fairly close attention before committing to them.

Thanks for reading my tale of woe (whoa?).

J.


-- 
Archive: http://lists.debian.org/51d03b7d.9080...@comcast.net



RAID 1, SMART error, hot spare

2013-06-30 Thread Gregory Seidman
I have two eSATA drives in a RAID 1, and smartd has started reporting
errors on it:

Device: /dev/sdb [SAT], 9 Currently unreadable (pending) sectors
Device: /dev/sdb [SAT], 9 Offline uncorrectable sectors

The first message, on June 11, was 6 sectors. I ordered a new HD and
enclosure that day. It went up to 8 sectors on June 12. By June 14 I had
installed the new HD and added it to the RAID as a hot spare. On June 28 it
went up to 9 sectors.

Given that I have the hot spare in place, do I need to do anything? Should
I fail /dev/sdb with mdadm preemptively? Or just wait until it fails on its
own?

--Greg


-- 
Archive: http://lists.debian.org/20130630130428.ga...@anthropohedron.net



Re: Fwd: iptables and networking

2013-06-30 Thread Pascal Hambourg
Redalert Commander wrote:
> 
> -- Forwarded message --
> From: Igor Cicimov
> 
>> You can block repeated attempts to log in with iptables using the
>> 'recent' module, an alternative is 'fail2ban', which monitors your
>> server logs (ssh, apache, and others) for failed login attempts and then
>> adds an iptables rule for the offending IP.

The 'recent' match is vulnerable to source IP address spoofing and can
be abused to cause a DoS for the spoofed address. fail2ban is much less
vulnerable to such attacks.

>> In some cases the 'limit' module for iptables might be useful, for
>> example (not really a good one):

The limit match is even worse as it can be easily abused to cause a DoS
for all clients.

>> iptables -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state NEW -m
>> limit --limit 1/min --limit-burst 3 -j ACCEPT
>>
>> This will only allow 1 connection attempt on an FTP server per minute,
>> with an initial burst of 3 before limiting.

So an attacker just needs to send 3 packets per minute to block all
access for anyone to the server. Great.

> Another option is the hashlimit module. It's based simply on the fact
> that ddos sends bursts of traffic over the connection. Example below
> for port 80 but can be applied to 22 or any other service.

Hashlimit won't protect against DDoS attacks or DoS attacks using source
IP address spoofing.


-- 
Archive: http://lists.debian.org/51d02f83.6080...@plouf.fr.eu.org



Re: iptables and networking

2013-06-30 Thread Pascal Hambourg
Hello,

Pol Hallen wrote:
> 
> This is my full iptables config:
> 
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X

OK.

> iptables -P OUTPUT ACCEPT

Should be DROP as well.

> iptables -P FORWARD DROP
> iptables -P INPUT DROP

OK.

> iptables -A INPUT -f -j DROP

Useless. IPv4 connection tracking (needed by the 'state' match)
reassembles packets so iptables won't see any fragments.

> iptables -A INPUT -m state --state INVALID -j DROP

Useless if policy is already DROP and further rules accept only state
NEW, ESTABLISHED or RELATED.

> iptables -A OUTPUT -f -j DROP

See above.

> iptables -A OUTPUT -m state --state INVALID -j DROP

See above.

> iptables -A INPUT -i lo -j ACCEPT

OK.

> iptables -A OUTPUT -o lo -j ACCEPT

Useless if policy is left to ACCEPT.

> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

OK.

> iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Useless if policy is left to ACCEPT.


-- 
Archive: http://lists.debian.org/51d02d80.7020...@plouf.fr.eu.org



Gnome3 HS after update

2013-06-30 Thread Jean-Marc
Hi everybody,

I updated my jessie and Gnome3 does not start anymore.
Actually, it starts but I never get any menu.

Did other people get the same?

-- 
Jean-Marc 




Re: Haswell Core i5 4670 & Asus H87-PRO

2013-06-30 Thread Sven Joachim
On 2013-06-30 10:23 +0200, Georgi Naplatanov wrote:

> I'm going to replace my 6-year-old desktop computer with a new one, but
> I wonder if the Haswell Core i5 4670 & Asus H87-PRO combination is
> compatible with Debian Wheezy (7.1), so I have some questions:
>
> - is integrated GPU in Haswell Core i5 compatible with Debian 7.1 ( I
> mean Linux kernel and X.org driver) ? At this time Linux 3.9.6-1 is
> available in backports. In other words is kernel upgrading enough for
> using Intel® HD Graphics 4600 with X in Wheezy?

Probably not, you will likely need a newer X.org driver
(xserver-xorg-video-intel) and Mesa (libgl1-mesa-dri), and possibly a
newer libdrm.  Unfortunately, the xserver-xorg-video-intel package is
way behind upstream even in experimental, and libgl1-mesa-dri in
unstable requires a newer libc6 than is available in Wheezy.

> - is Asus H87-PRO compatible with Debian 7.1 (even with Linux kernel
> from backports) ?
>
> - http://www.asus.com/Motherboards/H87PRO/#specifications
>
> on this link is mentioned "Integrated Graphics Processor", what does
> it mean - integrated Intel® HD Graphics 4600 in i5 processor or
> separate video card integrated into that motherboard ?

The Graphics on the motherboard.  You can of course buy a separate
Radeon or NVidia card.

Cheers,
   Sven


--
Archive: http://lists.debian.org/87vc4w7zpu@turtle.gmx.de



Haswell Core i5 4670 & Asus H87-PRO

2013-06-30 Thread Georgi Naplatanov

Hi all,

I'm going to replace my 6-year-old desktop computer with a new one, but I 
wonder if the Haswell Core i5 4670 & Asus H87-PRO combination is compatible 
with Debian Wheezy (7.1), so I have some questions:


- is integrated GPU in Haswell Core i5 compatible with Debian 7.1 ( I 
mean Linux kernel and X.org driver) ? At this time Linux 3.9.6-1 is 
available in backports. In other words is kernel upgrading enough for 
using Intel® HD Graphics 4600 with X in Wheezy?


- is Asus H87-PRO compatible with Debian 7.1 (even with Linux kernel 
from backports) ?


- http://www.asus.com/Motherboards/H87PRO/#specifications

on this link is mentioned "Integrated Graphics Processor", what does it 
mean - integrated Intel® HD Graphics 4600 in i5 processor or separate 
video card integrated into that motherboard ?


Thanks in advance.

Best regards
Georgi


--

Archive: http://lists.debian.org/51cfeb15.4000...@oles.biz