Re: [expert] Some process changing groups permissions
On Mon, 2003-09-01 at 18:10, Jack Coates wrote:
On Mon, 2003-09-01 at 13:08, James Sparenberg wrote:
...
I like Todd's method rpm -e msec --nodeps and then put it into the urpmi skip list *grin* James

Wh? Uninstall msec??? It's a GREAT tool. I'm glad Mandrake includes it. Just because you're running Linux doesn't mean you're immune from any sort of attack. Ripping out the security mechanisms is a good way to make it a target. Learn to use msec correctly instead of banishing anything you don't understand.

-- Brian Keefer

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [expert] Some process changing groups permissions
On Mon, 2003-09-01 at 19:48, James Sparenberg wrote:
On Mon, 2003-09-01 at 19:28, chort wrote:
On Mon, 2003-09-01 at 18:10, Jack Coates wrote:
On Mon, 2003-09-01 at 13:08, James Sparenberg wrote:
...
I like Todd's method rpm -e msec --nodeps and then put it into the urpmi skip list *grin* James

Wh? Uninstall msec??? It's a GREAT tool. I'm glad Mandrake includes it. Just because you're running Linux doesn't mean you're immune from any sort of attack. Ripping out the security mechanisms is a good way to make it a target. Learn to use msec correctly instead of banishing anything you don't understand.

IF someone gets through 2 (or 5) firewalls depending on my location... they probably aren't going to be slowed down by msec. Yes it's a great tool. But not a panacea. C is a great language but lousy for fast prototyping. Need to apply the tool where needed and not as a catch-all. James

Point taken, but neither are firewalls a holistic solution. There are many avenues of attack which firewalls were never designed to stop. Besides, just having lots of layers doesn't mean security is increased. If all the firewalls run the same software/firmware or have the same hardware weakness, they can all be bypassed just as easily.

I see msec as more protection against people who have permission to use the machine, not unauthorized outside access. According to most estimates, 80-90% of attacks happen from the inside, so it's really those users you have to worry about anyway.

I just have a knee-jerk reaction whenever someone's solution to inconvenient security mechanisms is to automatically remove them. Some are needed simply to protect us from ourselves. Sure, the most usable computers are those without all the burden of security, but by the same token it's easiest to destroy someone's work on an unprotected machine, so a balance needs to be struck. msec and Bastille (hope I spelled that right) are two very useful lockdown utilities. Just because they can occasionally be annoying doesn't mean they should be wholesale removed.

-- Brian Keefer
Re: [expert] Slow SMB file transfers to XP
On Tue, 2003-09-02 at 10:44, Brant Fitzsimmons wrote:
lorne wrote:
On Monday 01 September 2003 08:10 pm, Michael Viron wrote:
Seems like this is related to the stuff discussed in http://support.microsoft.com/default.aspx?scid=kb;en-us;321169 and possibly in http://support.microsoft.com/default.aspx?scid=kb;en-us;321098 . You may also want to try running regedit to do the following: go to HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/Current Version/Explorer/RemoteComputer/NameSpace in the registry and remove {D6277990-4C6A-11CF-8D87-00AA0060F5BF}.

First I apologize for not reporting what I found yesterday. I had already tried the top two things to no avail yesterday. I tried removing the above key and it made no difference at all. As we speak I'm transferring 285MB of data from the Linux box to the XP box and it has been 8 minutes so far and my guess is that it will take another 9 - 10 minutes. If I do it from my linux server and copy it to the xp box, it will blast over in about 2 minutes or less!!

This illustrates my point perfectly. When you initiated the transfer on the Linux box it took around two minutes to do the transfer, and you called it fast (blast). I repeated that behavior in my own setup. I got the same results when initiating the transfer on my Mandrake box using Konqueror and command line (cp). I call it slow because when I initiate the transfer on the Win2000 box, using Windows Explorer, I get the same transfer done in under a minute. Why the huge difference in speed? A two minute transfer for a file that size may be fast compared to a totally broken setup, but it is still half as fast as it should be. The question is: what needs to be done to have file transfers initiated in Linux get the same transfer speed experienced when they are initiated by Windows? The same thing can be said for transfers between Linux and Linux. It experiences the same crippled transfer speed. The common thread being the transfer is initiated on a Linux box.

Remember though, this particular network is on a HUB, i.e. half-duplex. If there is any other sort of traffic whatsoever it's going to be noticeably slower (DNS lookups, NetBT broadcasts, etc).

-- Brian Keefer
Re: [expert] OT: DNS question
On Sat, 2003-08-30 at 16:28, yankl wrote:
On Saturday 30 August 2003 05:04 pm, J.C. Woods wrote:
yankl wrote:
Hi All, Question for dns guru: If I own a domain yankele.com do I need to get mail.yankele.com registered or can I assign it to myself?

No, you do not need separate registration for individual machines, as long as you own the domain name. Just make sure you set up the zone files with all of the appropriate entries, i.e. A, PTR, MX, CNAME, etc. Resource Records (RR). DRJUNG

Any good places to RTFM? Websites or HOWTOs

Sorry for wrapping link. I hope that works right. http://www.amazon.com/exec/obidos/tg/detail/-/0596001584/qid=1062287699/sr=8-1/ref=sr_8_1/102-7091999-5030501?v=glances=booksn=507846 Anyway, you want DNS and BIND, Fourth Edition by Albitz and Liu, published by O'Reilly. It's considered the Bible of DNS. I guarantee that if you do any system administration, you'll use this book over and over. You can find it used quite a few places, but it's well worth the price new as well.

-- Brian Keefer
Re: [expert] [OT] Microsoft advocates OSS
On Wed, 2003-08-20 at 13:46, Guy Van Sanden wrote:
http://uptime.netcraft.com/up/hosted?netname=MICROSOFT-1BLK,65.52.0.0,65.55.255.255 This is an uptime report for the entire Microsoft netblock; they sure are using a lot of Linux and FreeBSD (not to mention moving a lot of their sites to Akamai on Linux). But the funniest part are the average and maximum uptimes. Linux shows uptimes around 300-350, while the Windows gurus seem unable to keep their systems up for the same amount. They peak at around 150! Yep, Bill is becoming a real fan ;-)

In all fairness, I believe a number of those sites are merely being protected by FreeBSD proxies while the actual site is W2K(3)/IIS. I guess that does go to show that even some people at Microsoft have the common sense not to attempt to use Windows as a proxy/bastion host OS.

-- Brian Keefer
Re: [expert] Blaster hits and IPCOP..what should I look for???
On Sun, 2003-08-17 at 10:56, Kiran wrote:
I can't seem to get IPCOP to log binary dumps of IDS packet data. Snort is started by a C-code program /usr/local/bin/restartsnort (security I guess). But that would be a start. snort has some info, but I don't think ipcop has updated the snort rules for this. Last official update was 7-31-03 (fixes3 update). http://www.snort.org/snort-db/sid.html?sid=2192 http://www.snort.org/snort-db/sid.html?sid=2193 These look close and you may be able to make/add the rules to one of the snort rule files. I know this still doesn't answer the question, but it's a start. You really can't know if it's a legit/mistaken request or not without the dump. Chances are port 135 requests are, but the dump would help define the attack.

On Sun, 2003-08-17 at 00:33, Gavin wrote:
Kiran, Thanks for your reply, but I wanted to see an actual snip from someone's IPCOP IDS to see EXACTLY what I should look for. I've got many hits on these ports but not sure if it's the blaster worm or not.

On Sun, 17 Aug 2003 11:58 am, Kiran wrote:
http://www.cert.org/advisories/CA-2003-20.html this describes it best.

On Sat, 2003-08-16 at 12:38, Gavin wrote:
I've got a few M$ boxes running 2000 and XP behind my IPcop firewall, all my boxes are patched. I've been checking my logs for anything pertaining to the blaster worm but I THINK there is nothing showing. I've got snort active but I'm not REALLY sure what to look for!! If any of you experts are using ipcop and your logs show hits, could you show me a snip so I know what to look for.. Thank you

-- Kiran [EMAIL PROTECTED]

Wouldn't the IPCop mailing list be a better place for this question? In any case, you won't see it in your IDS logs unless you applied the new Snort rule for LOVE SAN/MS BLAST. Your firewall log will show tons of dropped packets from sources on the Internet going to destination port 135/TCP. Many people found that the worm was causing far too much log space to be taken, so they added explicit rules to drop those packets without logging them, in which case you will see nothing (it doesn't sound like you added those rules, though).

To tell if your internal boxes are infected, you would have to write iptables rules to log outgoing packets with either source port or destination port 135. Apply that to your external interface to see if packets from your network going outbound match those rules. That will indicate that you have infected boxes.

-- Brian Keefer
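The two checks described in the reply above, worked through on sample data as an added example (this is not code from the thread or from IPCop): parse iptables LOG lines the way a firewall writes them to syslog, count the Internet hosts hammering the external interface on 135/tcp, and separately pick out hosts on our side whose packets leave via the external interface with source or destination port 135/tcp, which is what an infected box scanning outward looks like. The log lines are constructed, and the interface names (eth0 external, eth1 LAN), addresses and the BLASTER-OUT log prefix are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in iptables LOG / syslog format (not real captures).
# Assumed layout: eth0 = external interface, eth1 = LAN, 198.51.100.7 = firewall's public IP.
# Lines tagged BLASTER-OUT are what rules like these on the firewall would produce:
#   iptables -I FORWARD -o eth0 -p tcp --dport 135 -j LOG --log-prefix "BLASTER-OUT "
#   iptables -I FORWARD -o eth0 -p tcp --sport 135 -j LOG --log-prefix "BLASTER-OUT "
SAMPLE_LOG = """\
Aug 17 10:52:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=48 TTL=113 PROTO=TCP SPT=3214 DPT=135 WINDOW=16384 SYN
Aug 17 10:52:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=48 TTL=113 PROTO=TCP SPT=3215 DPT=135 WINDOW=16384 SYN
Aug 17 10:52:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 LEN=48 TTL=120 PROTO=TCP SPT=1180 DPT=135 WINDOW=65535 SYN
Aug 17 10:52:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.17 DST=198.51.100.7 LEN=60 TTL=54 PROTO=TCP SPT=41022 DPT=22 WINDOW=5840 SYN
Aug 17 10:52:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.18 DST=198.51.100.7 LEN=78 TTL=117 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 17 10:52:09 fw kernel: BLASTER-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.99 LEN=48 TTL=127 PROTO=TCP SPT=1045 DPT=135 WINDOW=64240 SYN
Aug 17 10:52:09 fw kernel: BLASTER-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.100 LEN=48 TTL=127 PROTO=TCP SPT=1046 DPT=135 WINDOW=64240 SYN
Aug 17 10:52:10 fw kernel: BLASTER-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.101 LEN=48 TTL=127 PROTO=TCP SPT=1047 DPT=135 WINDOW=64240 SYN
Aug 17 10:52:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.53 LEN=70 TTL=127 PROTO=UDP SPT=1026 DPT=53 LEN=50
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
INT_FIELDS = ("SPT", "DPT", "LEN", "TTL")


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict.
    Bare flags such as SYN carry no '=' and are ignored; numeric fields become ints."""
    fields = dict(KV_RE.findall(line))
    for key in INT_FIELDS:
        if key in fields and fields[key].isdigit():
            fields[key] = int(fields[key])
    return fields


def _tcp_135_either_end(fields):
    """Source or destination port 135/tcp, the rule pair suggested in the reply."""
    return fields.get("PROTO") == "TCP" and 135 in (fields.get("SPT"), fields.get("DPT"))


def inbound_135_sources(log, ext_if="eth0"):
    """Internet hosts hitting our external interface on 135/tcp: the worm scanning us.
    This is background noise unless an unpatched box sits behind the firewall."""
    hits = Counter()
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("IN") == ext_if and f.get("PROTO") == "TCP" and f.get("DPT") == 135:
            hits[f["SRC"]] += 1
    return hits


def suspect_internal_hosts(log, ext_if="eth0"):
    """Hosts whose packets leave through the external interface with port 135/tcp at
    either end. A LAN host that does this repeatedly is almost certainly infected."""
    hits = Counter()
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("OUT") == ext_if and _tcp_135_either_end(f):
            hits[f["SRC"]] += 1
    return hits


if __name__ == "__main__":
    print("Inbound 135/tcp scanners:", dict(inbound_135_sources(SAMPLE_LOG)))
    print("Likely infected internal hosts:", dict(suspect_internal_hosts(SAMPLE_LOG)))
```

On the sample the inbound counter lists the two external scanners, and the outbound counter names the single LAN host 192.168.1.23 three times while the DNS traffic from 192.168.1.40 is ignored; on a real firewall you would feed the output of `grep BLASTER-OUT /var/log/messages` (or wherever IPCop writes its kernel log) into the same functions.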
Re: [expert] EXT3 File Corruption?
On Sat, 2003-08-09 at 22:55, Damon Lynch wrote:
On Sun, 2003-08-10 at 16:15, Todd Lyons wrote:
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1
Damon Lynch wanted us to know:
I don't care that you are using a journalized filesystem like ext3, I want you to do a full blown filesystem check as if you were ext2. So why does it do this on bootup, on the root filesystem? What is the

Mounting the root filesystem is the most important part of the boot process after the kernel has detected all the hardware. You want to give the sysadmin the most options to recover from a bolloxed (sp?) unclean shutdown. This is one.

Fair enough too. But I do think that for the rest of us, an additional part of the message pointing out that the journalling system will / has otherwise done its thing should the user not select Y would reduce stress and clarify what will happen. Thanks for all the info - I had been wondering about this issue for a while. Damon

I really could have used this info two months ago :( The power cord came loose from the back of my server, so of course the file system was not unmounted cleanly. I followed the prompts thinking it was the only way to fix my system and I ended up losing about 75% of my data. Wouldn't you know it, after 2 days of intensive system rebuilding, my daughter hit the power button and *BOT* there goes my system again. Again I dutifully followed the prompts and ended up losing about 50% of my data, off to rebuild again... Then just yesterday X blew up on me and froze the system. I reset and this time I ignored the nagging insistence to fsck. Instead I answered 'n' and it dropped me into maintenance mode. I ran fsck.ext3 on all the partitions, it recovered all the journals, and TADA--the system rebooted just fine, all data intact. I sure wish I hadn't figured out the hard way to NOT let the system fix itself.

-- Brian Keefer
Re: [expert] Scrolling in Evolution and Galeon
On Wed, 2003-07-16 at 15:34, Brant Fitzsimmons wrote:
Hello all, I posted this to the newbie list but didn't get a response. I was hoping someone here could help me. Does anyone know how to change the scroll steps in Evolution and Galeon? When I use my scroll mouse each click scrolls half a page. I want it a little smoother than that. What do I need to do to change it? -- Brant Fitzsimmons [EMAIL PROTECTED]

I know this doesn't help much, but I had the same problem with my Logitech Mouseman plugged in as USB. When I switched to a cordless Mouseman Optical as PS/2 the scrolling was significantly smoother. I can only assume that the different driver made the difference in scrolling, but I couldn't find a setting to control it. Try a different mouse?

-- Brian Keefer
Re: [expert] NIC's
On Tue, 2003-07-15 at 14:02, Vox wrote:
The only NIC worth using, IMNSHO, is Intel Etherexpress Pro 100+... if you have the inclination, a Pro+/S is a very good model too, but the encryption on it isn't really worth it unless you are doing VPNing between boxes that all have the same NIC. I've tested windows boxes against my firewall with my EEPros and the winboxes don't come close (about 3k download speed difference with the best winboxes using an EEPro too). I'll use a lot of crappy HW, but for my NICs, I only buy EEPros. Worth every cent. Vox
-- Think of the Linux community as a niche economy isolated by its beliefs. Kind of like the Amish, except that our religion requires us to use _higher_ technology than everyone else. -- Donald B. Marti Jr.

Agreed. I asked the operations folks at Supernews (one of the largest NNTP providers in the world, who push GIGABYTES of data through their network) what cards they recommend. They said Intel with the 82559 chipset. That's all I buy, and they've all worked flawlessly. I highly recommend them.

-- Brian Keefer
Re: [expert] Security and permissions problems
On Wed, 2 Jul 2003, Vox wrote:
On September 1993 plus 3591 days Praedor Atrebates wrote:
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1
After I originally found that all users could see other users' home contents, I tried first changing to security level 3. Someone else mentioned I could set the home permission to 700. Both methods have screwed up my system and I can't seem to get it back even though I switched to security level 2. My system is OK at the moment but there will come a time (how long it takes is unknown as yet) when all of a sudden I cannot open konsoles, xterms, or start any app for that matter. The perms on my home directory will change such that they 1) prevent KDE from working because it can't get write permission to my home, and 2) kmail won't be able to download/store email because it won't have write permission to my ~/Mail directories. I have had to twice login as root and chown praedor.praedor /home/praedor and set my home perm to 711, then 755. I restarted DrakConf and then went to Drakperms and set the security level to 2 and made sure that /home/* was no longer editable and no longer 700, but nevertheless I get this repetitious problem. What security level will allow users to actually USE their home directories, window managers, etc, without problems but also prevent other users from looking at the contents of their HOME dirs?

Uhm... I use msec3 always, on all machines, and never have problems using any apps... I think you messed up the perms in drakperms in some way. What I *have* noticed a couple of times (not tried lately... this happened in the 8.x days) is that if you go from a higher level to a lower level of msec, some perms do get messed up and you have to fix them by hand before msec will start listening to you again. But that happened both times going from 5 to 3, and the problems you are referring to are not problems that I can relate to 3 in any way. Vox

I use msec 4, with a few custom tweaks. I've never* had any problems (with using apps, anyway). All my homedirs are 700.

*Unless you consider that promiscuous check a problem. That crazy thing would always spam my logs until I finally figured out how to disable it for good. Also a few of the other directories were mod'd to some annoying level, but I fixed them in the perms file.

-- -chort AKA Brian Keefer
The thoughts I express are generally piped from /dev/random, needless to say they do not represent my fine employer: CipherTrust, Inc - www.ciphertrust.com
Re: [expert] Security or lack thereof
On Mon, 30 Jun 2003, Vincent Danen wrote:
This was done, IIRC, to allow people to have a ~/public_html/ directory and allow apache to enter the home directory so as to read ~/public_html/ (which would allow someone to do something like http://yoursite.com/~preador/). That's pretty much the reasoning for it IIRC. Nothing stopping you from doing a higher security level or modifying the defaults.

I always created a symlink in the user's home directory such as ln -s /var/www/html/user /home/user/(public_html|html|www|whatever). I always thought that was a rather useful solution, but I'm open to criticism.

-- -chort AKA Brian Keefer
The thoughts I express are generally piped from /dev/random, needless to say they do not represent my fine employer: CipherTrust, Inc - www.ciphertrust.com
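The permission trade-off behind the two messages above, modelled as an added example (not code from the thread, from msec or from Apache): a small in-memory filesystem and the Unix access check the kernel applies, namely that opening a file needs search (x) on every directory along the path plus read on the file itself, with symlinks followed. It shows why a 700 home directory keeps the apache user out of ~/public_html, why the 711 default Vincent describes lets Apache in while still hiding the directory listing from other users, and why the symlink approach works only if Apache is pointed at /var/www/html/user directly rather than reaching it through the home directory. The tree, the uid/gid pairs (500 for the user, 48 for apache) and the path names are assumptions for illustration; root's permission bypass is deliberately not modelled.

```python
# Toy model of the Unix permission check Apache is subject to when it serves a file.
# All entries below are constructed for illustration; uid/gid 500 = user, 48 = apache (assumed).
R, X = 4, 1  # read and search/execute bits within one permission class


def dir_(mode, uid, gid):
    return {"type": "dir", "mode": mode, "uid": uid, "gid": gid}


def file_(mode, uid, gid):
    return {"type": "file", "mode": mode, "uid": uid, "gid": gid}


def link(target):
    return {"type": "link", "target": target}


USER, APACHE = (500, 500), (48, 48)  # (uid, gid) pairs, assumed

TREE = {
    "/": dir_(0o755, 0, 0),
    "/home": dir_(0o755, 0, 0),
    "/home/praedor": dir_(0o700, 500, 500),  # private home: chmod 700 or a higher msec level
    "/home/praedor/public_html": dir_(0o755, 500, 500),
    "/home/praedor/public_html/index.html": file_(0o644, 500, 500),
    "/home/praedor/www": link("/var/www/html/praedor"),  # the symlink chort describes
    "/var": dir_(0o755, 0, 0),
    "/var/www": dir_(0o755, 0, 0),
    "/var/www/html": dir_(0o755, 0, 0),
    "/var/www/html/praedor": dir_(0o755, 500, 500),
    "/var/www/html/praedor/index.html": file_(0o644, 500, 500),
}


def has_bit(entry, uid, gid, bit):
    """Select the owner, group or other class exactly once, as the kernel does."""
    shift = 6 if uid == entry["uid"] else 3 if gid == entry["gid"] else 0
    return bool((entry["mode"] >> shift) & bit)


def resolve(tree, path, uid, gid, depth=0):
    """Walk `path` from '/', requiring x on every directory crossed and following
    symlinks. Returns (resolved_path, entry) or raises an OSError subclass."""
    if depth > 8:
        raise OSError("too many levels of symbolic links")
    parts = [p for p in path.split("/") if p]
    cur = "/"
    for i, name in enumerate(parts):
        parent = tree[cur]
        if parent["type"] != "dir":
            raise NotADirectoryError(cur)
        if not has_bit(parent, uid, gid, X):
            raise PermissionError("no search permission on " + cur)
        cur = cur.rstrip("/") + "/" + name
        entry = tree.get(cur)
        if entry is None:
            raise FileNotFoundError(cur)
        if entry["type"] == "link":
            rest = "/".join(parts[i + 1:])
            target = entry["target"] + ("/" + rest if rest else "")
            return resolve(tree, target, uid, gid, depth + 1)
    return cur, tree[cur]


def can_read(tree, path, uid, gid):
    """True if (uid, gid) could open `path` for reading. root's bypass is not modelled."""
    try:
        _, entry = resolve(tree, path, uid, gid)
    except OSError:
        return False
    return has_bit(entry, uid, gid, R)


def with_home_mode(tree, mode, home="/home/praedor"):
    """Copy of the tree with the home directory's mode changed (e.g. the 711 default)."""
    new = dict(tree)
    new[home] = dict(tree[home], mode=mode)
    return new


if __name__ == "__main__":
    for who, ids in (("user", USER), ("apache", APACHE)):
        for p in ("/home/praedor/public_html/index.html", "/home/praedor/www/index.html",
                  "/var/www/html/praedor/index.html"):
            print(f"{who:7} {p:42} home=700 -> {can_read(TREE, p, *ids)}  "
                  f"home=711 -> {can_read(with_home_mode(TREE, 0o711), p, *ids)}")
```

With the home at 700 only the user can reach anything under it, including the symlink, so the web server must serve /var/www/html/praedor by its real path; with the home at 711 apache (and every other local user) can traverse into public_html but cannot list the home directory itself, which is the compromise the Mandrake default makes.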
Re: [expert] snooper
On Tue, 1 Jul 2003, chris wrote:
Hi all, Does Linux have the same program as snoop in Solaris? How do I get it and install it? I would like to use it to analyse network packets. Thank you

The Linux/BSD equivalent is tcpdump; the syntax is very similar IIRC. There are also several graphical sniffers you can use from X, such as Ethereal.

-- -chort AKA Brian Keefer
The thoughts I express are generally piped from /dev/random, needless to say they do not represent my fine employer: CipherTrust, Inc - www.ciphertrust.com
Re: [expert] a bit of a mailserver technical question
On Mon, 23 Jun 2003, Adrian Golumbovici wrote:
Hi all, I just installed/configured/secured my own postfix server with a dyndns address. My dyndns entry is registered as MX server and it is working. I normally have a maximum of about 5 minutes offline time. My provider disconnects me every 24 hours, but the Linux PC connects again immediately and updates the dyndns entry, which normally takes a maximum of about 5 minutes to propagate. In this time the dyndns still points to the old IP address, which is either not connected (no user got it in so short a time) or points to someone who doesn't have the ports opened (no email server). I wondered what happens if someone/some server tries to deliver me email in this time. Will it be bounced or will it retry and finally send it to me when the connection is available again? Best regards, Adrian

Failing to connect to the old IP isn't really a concern, since (as previously mentioned) the sending server will retry. Of more concern is the fact that someone could take advantage of your situation and maliciously configure a mailserver to accept mail as your domain. If they manage to grab your most recent IP through war-dialing (of sorts) and your old IP is still cached on name servers that are being used to look up your MX record, then they can hijack your incoming e-mail. If your e-mail means much to you I would highly suggest paying the extra $10/month for a static IP, or trying to find an ISP who provisions static IPs.

-- -chort AKA Brian Keefer
The thoughts I express are generally piped from /dev/random, needless to say they do not represent my fine employer: CipherTrust, Inc - www.ciphertrust.com
Re: [expert] apache rewrite regex
Your specific regex appears to not be correct (it's been a while since I've done Perl so I could be wrong).

RewriteRule /perl\/dl.pl/(.*) http://127.0.0.1:8200/perl/dl.pl$1 [P]

should be

RewriteRule /perl\/dl.pl(.*)/ http://127.0.0.1:8200/perl/dl.pl$1 [P]

The // encloses the pattern you're looking for (the \/ notation escapes / so you can match path separators). Parens () delimit the pattern you're representing as $1 (if you have multiple parens, then subsequent pairs are represented in $2, $3, etc). That aside, I still don't think it will work because the default rewrite rule should have handled that case correctly. I don't know mod_perl so unfortunately I can't give you any direction on the root cause.

-- -chort

On Wed, 11 Jun 2003, Frankie wrote:
Hi guys, I am hoping that on this list is a regex/apache guru... Currently, I have mdk9.0 running mod_perl/apache via virtual named hosts.. works great. I can run mod_perl scripts in either of the following methods:

http://mydomain.com/perl/script.pl
or
http://mydomain.com:8200/perl/script.pl

so the basic proxying works.. However only the latter URL works when passed params.. like so:

http://mydomain.com:8200/perl/script.pl?id=somethingfunction=stuff (that one works)

This one doesn't:

http://mydomain.com/perl/script.pl?id=somethingfunction=stuff

When I try that I always get the message that script.pl can't be found. Since it's an internal proxy, I can't see what the regex has grabbed. This is the regex in question in the vhosts file:

RewriteRule ^(.*\/perl\/.*)$ http://127.0.0.1:8200$1 [P]

I tried adding this one too in an effort to be more specific.. but it didn't work either:

RewriteRule /perl\/dl.pl/(.*) http://127.0.0.1:8200/perl/dl.pl$1 [P]

What I don't understand is this: .* in my mind means '0' or more of 'anything', so why is it not catching params?? Can anyone point me in the right direction here? regards Franki