[gentoo-user] Re: Dependency conflict. openjpeg ffmpeg
On 06/15/2014 04:47 AM, Dale wrote: John Campbell wrote: On 06/14/2014 10:10 PM, Dale wrote: Well, I have 16Gbs here. I'm not lacking for memory. If memory prices were to drop a bit, I could upgrade some more. I'd have to swap out what I have tho. Old mobo would only take 4GB sticks and this new one will take 8GB sticks. Unless you have a specific reason for keeping both x32 and 64 ABIs I'd suggest changing to ABI_X86="32 64" globally in /etc/make.conf (or /etc/portage/make.conf). It's a lot easier than waiting for the next conflict. Then do emerge --newuse --deep @world and you're done. There shouldn't be too many packages that need rebuilding. I put that in make.conf and get this: # required by sys-fs/eudev-1.7[gudev] # required by @selected # required by @world (argument) =dev-libs/glib-2.40.0 ~amd64 Does it make sense to keyword that? Isn't that the package that once upgraded you can't go backward? I'm just double checking that this all makes sense. scratches head Dale :-) :-) The package you are thinking of that is a one-way upgrade is glibc, not glib. Glibc is the C Runtime Environment, absolutely everything written in C and C++ ends up linking against it (and things that aren't tend either to be compiled using something that is or interpreted by something that is). If glibc is downgraded, anything that uses something from a newer version (or something that *changed* in a newer version, due to how symbol versions work) will fail to run against the older version. For example, any program linked against glibc 2.14 or greater that uses memcpy ends up linking against the symbol memcpy@@GLIBC_2.14, which is only in newer versions of glibc. Programs linked against older versions of glibc use memcpy@GLIBC_2.2.5, which differs in some way (specifically in this case, the old memcpy always went in a particular direction, the new memcpy may be faster on some CPUs, but this broke old Adobe Flash).
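A practical check that follows from the symbol-versioning explanation in the message above, added here as an example and not taken from the thread: it scans readelf/objdump-style dynamic-symbol lines for references such as memcpy@GLIBC_2.14, and reports the newest GLIBC version node a binary imports, which is the oldest glibc it can still run against. The sample symbol tables below are constructed for the example, not dumped from real binaries; the helper names are my own.

```python
import re
from typing import Dict, Iterable, Tuple

# Matches a versioned glibc reference as printed by `readelf --dyn-syms`
# or `objdump -T`, e.g. "memcpy@GLIBC_2.14" or "memcpy@@GLIBC_2.14".
_SYM_RE = re.compile(r"(?P<name>\w+)@@?GLIBC_(?P<ver>\d+(?:\.\d+)*)")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.2.5' -> (2, 2, 5); tuples compare numerically, strings would not."""
    return tuple(int(part) for part in text.split("."))


def required_glibc(lines: Iterable[str]) -> Tuple[Version, Dict[str, Version]]:
    """Return (newest glibc version referenced, {symbol: version}) over the
    undefined (UND) dynamic symbols, i.e. what the binary imports from libc."""
    needs: Dict[str, Version] = {}
    for line in lines:
        if " UND " not in line:
            continue  # defined symbols are the binary's own exports
        m = _SYM_RE.search(line)
        if not m:
            continue
        ver = parse_version(m.group("ver"))
        name = m.group("name")
        if name not in needs or ver > needs[name]:
            needs[name] = ver
    newest = max(needs.values(), default=())
    return newest, needs


def can_run_on(installed_glibc: str, lines: Iterable[str]) -> bool:
    """True if every imported version node exists in the installed glibc."""
    newest, _ = required_glibc(lines)
    return parse_version(installed_glibc) >= newest


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


# Constructed sample (not real readelf output): a program linked against
# glibc >= 2.14, so its memcpy import is bound to the GLIBC_2.14 node.
NEW_BINARY = """
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.2.5 (2)
     4: 0000000000001139    23 FUNC    GLOBAL DEFAULT   14 main
""".strip().splitlines()

# Constructed sample: the same program linked on an older system, where
# memcpy still resolves to the GLIBC_2.2.5 node.
OLD_BINARY = """
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.2.5 (2)
""".strip().splitlines()


if __name__ == "__main__":
    for label, table in (("new-link", NEW_BINARY), ("old-link", OLD_BINARY)):
        newest, needs = required_glibc(table)
        print(f"{label}: needs glibc >= {fmt(newest)}; "
              f"runs on 2.13: {can_run_on('2.13', table)}, on 2.19: {can_run_on('2.19', table)}")
```

On a real system the input is `readelf --dyn-syms /path/to/binary`; a binary whose newest node is GLIBC_2.14 is exactly the kind that stops running after a glibc downgrade below 2.14, which is why that upgrade is one-way in practice.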
[gentoo-user] Re: eix: error while reading from database: end of file
meino.cra...@gmx.de meino.cra...@gmx.de wrote: while trying to use eix I constantly got this error: error while reading from database: end of file It seems that your eix database was truncated (out of disk space?). Have you tried to recreate it with eix-update?
Re: [gentoo-user] gupnp enforces connman || networkmanager
On Monday 16 Jun 2014 00:23:15 Neil Bothwick wrote: On Sun, 15 Jun 2014 22:55:09 +0100, Mick wrote: I'm pretty sure this was a simple developer error. REQUIRED_USE="^^ ( connman networkmanager )" should have been REQUIRED_USE="?? ( connman networkmanager )". The former requires that exactly one flag be enabled. The latter requires that at most one flag may be enabled. Why at most one flag may be enabled? What if *both* connman and networkmanager are installed in a system? Will emerge error out? It's not saying you can't have both installed, only that you cannot have both USE flags in force for that particular package. I got it now. Thanks! -- Regards, Mick
[gentoo-user] GCC upgrade can't run fix_libtool_files
Does someone know what causes the error? I got this when upgrading from GCC 4.8.2 to 4.8.3: Installing (1 of 1) sys-devel/gcc-4.8.3 * gcc-config: Could not locate 'x86_64-pc-linux-gnu-4.8.2' in '/etc/env.d/gcc/' ! * Running 'fix_libtool_files.sh 4.8.2' * Scanning libtool files for hardcoded gcc library paths... * gcc-config: Active gcc profile is invalid! gcc-config: error: could not run/locate 'gcc' :0: assertion failed: (gcc -dumpversion) | getline NEWVER)
Re: [gentoo-user] GCC upgrade can't run fix_libtool_files
On 06/16/2014 09:56 AM, Nikos Chantziaras wrote: Does someone know what causes the error? I got this when upgrading from GCC 4.8.2 to 4.8.3: Installing (1 of 1) sys-devel/gcc-4.8.3 * gcc-config: Could not locate 'x86_64-pc-linux-gnu-4.8.2' in '/etc/env.d/gcc/' ! * Running 'fix_libtool_files.sh 4.8.2' * Scanning libtool files for hardcoded gcc library paths... * gcc-config: Active gcc profile is invalid! gcc-config: error: could not run/locate 'gcc' :0: assertion failed: (gcc -dumpversion) | getline NEWVER) It looks like you've upgraded gcc and removed the version that was currently active. What's the output of `gcc-config -l`? It should look something like this: $ sudo gcc-config -l [1] x86_64-pc-linux-gnu-4.7.3 * The asterisk means it's active. If you see a list and none are active, you need to set one. Dan
[gentoo-user] Re: GCC upgrade can't run fix_libtool_files
On 16/06/14 20:02, Daniel Frey wrote: On 06/16/2014 09:56 AM, Nikos Chantziaras wrote: Does someone know what causes the error? I got this when upgrading from GCC 4.8.2 to 4.8.3: Installing (1 of 1) sys-devel/gcc-4.8.3 * gcc-config: Could not locate 'x86_64-pc-linux-gnu-4.8.2' in '/etc/env.d/gcc/' ! * Running 'fix_libtool_files.sh 4.8.2' * Scanning libtool files for hardcoded gcc library paths... * gcc-config: Active gcc profile is invalid! gcc-config: error: could not run/locate 'gcc' :0: assertion failed: (gcc -dumpversion) | getline NEWVER) It looks like you've upgraded gcc and removed the version that was currently active. What's the output of `gcc-config -l`? It should look something like this: $ sudo gcc-config -l [1] x86_64-pc-linux-gnu-4.7.3 * The asterisk means it's active. If you see a list and none are active, you need to set one. I was only interested in the fix_libtool_files.sh error. The gcc-config error is probably due to portage removing 4.8.2 when updating to 4.8.3, since it's a minor version update.
[gentoo-user] Any application to control uvc parameters of a webcam ?
Hi, is there any other application than guvcview able to control the uvc parameters of a uvc camera (Logitech C920) while gstreamer is reading its device (/dev/video1)? Best regards, Meino
[gentoo-user] Secure DNS servers
Hello, I'm reading up on how to secure DNS primary and secondary servers. I guess DNSSEC is pretty important. Any other areas I should read up on? It's been a few years since I admin'd a dns server. Also, looking for gentoo centric DNS primary solutions, I see no mention of hardened, up-mounted or read only partitions, etc etc. I'm wondering if anyone has some general suggestions on how to keep a gentoo dns primary only machine secure. The iptables suggestions seem trite and old. I'll not be running anything but DNS primary on the machine. When it is up, I want to test it and see if it can be hacked, by me. So a listing of how to hack-test your DNS primary server of ideas would be keen too. I wonder why the gentoo wiki does not have such information, as I'm sure it is commonly needed? Any other thoughts, suggestions and ideas are most appreciated, as I have not kept current with all of the latest dns security issues. I cannot even find a listing of security issues that are strictly centric to DNS primary server issues. James
Re: [gentoo-user] Re: [OT} GStreamer: How to view AND record a stream coming from an USB Webcam
James wirel...@tampabay.rr.com [14-06-16 05:36]: meino.cramer at gmx.de writes: After unsuccessfully trying vlc with a Logitech C920 HD Pro Webcam (over 2 seconds delay between audio and video). Have you tried : media-video/ffmpeg ? This wiki is full of good information. Many video packages use ffmpeg as part of their core solution... Pay attention to the myriad of flags you can set and the order of your syntax (manual) strings. http://trac.ffmpeg.org/wiki Here are some ideas: https://wiki.archlinux.org/index.php/FFmpeg You *may* be able to use the copy command of ffmpeg to split and view the h.264 (x.264) stream in real time. Google for some more syntax snippets. Also there is zoneminder, a video surveillance application. I do not know if they ever added x.264 support. HTH, James Hi James, thanks for your reply 8) Zoneminder needs to intercept the video stream to analyse it -- that means that it needs to decode the stream, analyse it and encode it again. Furthermore it needs a webserver... A little too much load for my CPU and a little too much effort... FFmpeg crashes and breaks (similar reports on the web...) when trying to watch video streams from the c920... Currently the best results I get with gstreamer...but then I cannot control the uvc parameters. Sigh...things are crossing the border between interesting and complex... Best regards, mcc
Re: [gentoo-user] [OT} GStreamer: How to view AND record a stream coming from an USB Webcam
Canek Peláez Valdés can...@gmail.com [14-06-16 04:33]: On Sun, Jun 15, 2014 at 1:04 PM, Canek Peláez Valdés can...@gmail.com wrote: On Sun, Jun 15, 2014 at 12:54 PM, meino.cra...@gmx.de wrote: Hi, After unsuccessfully trying vlc with a Logitech C920 HD Pro Webcam (over 2 seconds delay between audio and video), I played around with gstreamer and from bits and pieces from the web I built this line: gst-launch-1.0 v4l2src device=/dev/video1 ! video/x-h264,width=1920,height=1080,framerate=30/1 ! \ h264parse ! muxout. alsasrc device=hw:3,0 ! queue ! audioconvert ! lamemp3enc ! \ muxout. matroskamux name=muxout streamable=true ! filesink location=c920.mp4 which records a Full HD video with audio to my harddisc. The delay is minimal and the sync between audio and video is good. But there is one disadvantage: I cannot see what I am recording and I cannot watch the webcam's stream before I fire up the script because otherwise the device would be already in use (I don't like scripts which simply kill other applications when called). Any ideas or hints how to manage that? Use the tee element. I'm in a hurry, so I cannot test a pipeline right now, but I will try later. Meanwhile, just try to put a queue element after each path of the tee. gst-inspect-1.0 tee OK, it took me a bit of an effort, but this is my pipeline: gst-launch-1.0 v4l2src norm=NTSC device=/dev/video1 ! queue ! deinterlace mode=1 ! videorate ! video/x-raw,format=YV12,width=720,height=480,framerate=3/1001 ! tee name=t t. ! queue ! videoconvert ! mpeg2enc ! avimux ! filesink location=file.avi t. ! queue ! videoconvert ! autovideosink My hardware is much more limited (analog RGB), so resolution and framerate are accordingly lower. This captures the video signal to an AVI file encoded as MPEG2, and at the same time it opens a window to show the stream. It should not be that much of a problem to modify it to your needs; just notice that I didn't capture audio. Regards.
-- Canek Peláez Valdés Profesor de asignatura, Facultad de Ciencias Universidad Nacional Autónoma de México Hi Canek, Thanks a lot for your effort!!! 8) Is there any documentation out there about this How to build a pipeline with gst-launch, which you would recommend to read? I will see how I can map your example to my code I have already, which handles audio and video... Best regards, mcc
Re: [gentoo-user] Secure DNS servers
On 06/16/2014 02:15 PM, James wrote: Hello, I'm reading up on how to secure DNS primary and secondary servers. I guess DNSSEC is pretty important. Any other areas I should read up on? It's been a few years since I admin'd a dns server The benefits of DNSSEC are debatable. We're moving the centralized trust from one group of scumbags (the CAs) to another group of scumbags (the registrars). So the benefits to authentication are not entirely clear-cut. But, DNSSEC will eventually allow us to do away with the SSL racket, and that can only improve security through the widespread adoption of encryption. So it's a good thing either way. There's a video of DJB at the 27c3 conference floating around where he discusses some of this stuff. Some of his points shouldn't be taken seriously, but it's entertaining nevertheless. Also, look for gentoo centric DNS primary solutions, I see no mention of hardened, up-mounted or read only partitions, etc etc. I wondering if anyone has some general suggestions on how to keep a gentoo dns primary only machine secure. Sven Vermeulen maintains some general suggestions here: http://dev.gentoo.org/~swift/docs/security_benchmarks/ The iptables suggests seem trite and old. Which suggestion? For a DNS server, you probably want something like, iptables -P INPUT DROP iptables -A INPUT -p ALL -i lo -j ACCEPT iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \ -j ACCEPT iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP # Allow SSH, up to you iptables -A INPUT -p tcp --dport 22 -j ACCEPT # And allow DNS traffic iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT
Re: [gentoo-user] Any application to control uvc parameters of a webcam ?
On Mon, Jun 16, 2014 at 12:23 PM, meino.cra...@gmx.de wrote: Hi, is there any other application than guvcview be able to control the uvc parameters of a uvc camera (Logitech C920) while gstreamer is reading its device (/dev/video1) ? What parameters? Usually the v4l2src element in gstreamer is able to change the video parameters (norm, brightness, hue, contrast, etc.) gst-inspect-1.0 v4l2src will tell you about all the possible parameters that v4l2src can handle. Regards. -- Canek Peláez Valdés Profesor de asignatura, Facultad de Ciencias Universidad Nacional Autónoma de México
Re: [gentoo-user] [OT} GStreamer: How to view AND record a stream coming from an USB Webcam
On Mon, Jun 16, 2014 at 1:27 PM, meino.cra...@gmx.de wrote: Canek Peláez Valdés can...@gmail.com [14-06-16 04:33]: On Sun, Jun 15, 2014 at 1:04 PM, Canek Peláez Valdés can...@gmail.com wrote: On Sun, Jun 15, 2014 at 12:54 PM, meino.cra...@gmx.de wrote: Hi, After unsuccessfully trying vlc with a Logitech C920 HD Pro Webcam (over 2 seconds delay between audio and video), I played around with gstreamer and from bits and pieces from the web I built this line: gst-launch-1.0 v4l2src device=/dev/video1 ! video/x-h264,width=1920,height=1080,framerate=30/1 ! \ h264parse ! muxout. alsasrc device=hw:3,0 ! queue ! audioconvert ! lamemp3enc ! \ muxout. matroskamux name=muxout streamable=true ! filesink location=c920.mp4 which records a Full HD video with audio to my harddisc. The delay is minimal and the sync between audio and video is good. But there is one disadvantage: I cannot see what I am recording and I cannot watch the webcam's stream before I fire up the script because otherwise the device would be already in use (I don't like scripts which simply kill other applications when called). Any ideas or hints how to manage that? Use the tee element. I'm in a hurry, so I cannot test a pipeline right now, but I will try later. Meanwhile, just try to put a queue element after each path of the tee. gst-inspect-1.0 tee OK, it took me a bit of an effort, but this is my pipeline: gst-launch-1.0 v4l2src norm=NTSC device=/dev/video1 ! queue ! deinterlace mode=1 ! videorate ! video/x-raw,format=YV12,width=720,height=480,framerate=3/1001 ! tee name=t t. ! queue ! videoconvert ! mpeg2enc ! avimux ! filesink location=file.avi t. ! queue ! videoconvert ! autovideosink My hardware is much more limited (analog RGB), so resolution and framerate are accordingly lower. This captures the video signal to an AVI file encoded as MPEG2, and at the same time it opens a window to show the stream.
It should not be that much of a problem to modify it to your needs; just notice that I didn't capture audio. Regards. -- Canek Peláez Valdés Profesor de asignatura, Facultad de Ciencias Universidad Nacional Autónoma de México Hi Canek, Thanks a lot for your effort!!! 8) No problem; I have a little MP3 encoder that I use to handle my music collection (along with other utilities) [1], and I was trying to do some video analysis for another project I have, so I had the GStreamer notions kinda fresh. Is there any documentation out there about this How to build a pipeline with gst-launch, which you would recommend to read? GStreamer is a programmer's framework, and really gst-launch-1.0 is just a test tool; however, GStreamer is so flexible and powerful that a lot of stuff can be done using the launcher and without a single line of code written. Having said that, IMNSHO the only way to really understand the GStreamer pipelines is to read the developer's documentation[2]; especially when you need to use pads, although using the queue element can solve that problem many times. I will see how I can map your example to my code I have already, which handles audio and video... Good luck. [1] https://github.com/canek-pelaez/mlm/blob/master/src/mlm-encoder.vala#L467 [2] http://gstreamer.freedesktop.org/data/doc/gstreamer/head/gstreamer/html/index.html -- Canek Peláez Valdés Profesor de asignatura, Facultad de Ciencias Universidad Nacional Autónoma de México
[gentoo-user] Re: Secure DNS servers
Michael Orlitzky mjo at gentoo.org writes: On 06/16/2014 02:15 PM, James wrote: Hello, I'm reading up on how to secure DNS primary and secondary servers. I guess DNSSEC is pretty important. Any other areas I should read up on? It's been a few years since I admin'd a dns server The benefits of DNSSEC are debatable. We're moving the centralized trust from one group of scumbags (the CAs) to another group of scumbags (the registrars). So the benefits to authentication are not entirely clear-cut. But, DNSSEC will eventually allow us to do away with the SSL racket, and that can only improve security through the widespread adoption of encryption. So it's a good thing either way. I'm just reading at this point. Listening to folks too. I have formed no opinions (yet). Here is a nice, general listing: [1] http://csrc.nist.gov/groups/SMA/fasp/documents/network_security/NISTSecuringDNS/NISTSecuringDNS.htm There's a video of DJB at the 27c3 conference floating around where he discusses some of this stuff. Some of his points shouldn't be taken seriously, but it's entertaining nevertheless. I thought DJB was mostly deprecated. He's still preaching dns security, yet does not update his offerings? Interestingly strange. Also, looking for gentoo centric DNS primary solutions, I see no mention of hardened, up-mounted or read only partitions, etc etc. I'm wondering if anyone has some general suggestions on how to keep a gentoo dns primary only machine secure. Sven Vermeulen maintains some general suggestions here: http://dev.gentoo.org/~swift/docs/security_benchmarks/ Sven is great. So just the generic hardened remedies, nothing special to DNS servers or services, from my quick parse of his documents on hardened? Sven's also into selinux. I see no selinux policies or rules. Maybe I should drop him a line about selinux related to dns primary servers? Surely a selinux policy for a primary only selinux dns server would be keen? Not needed ? Overkill ?
I was going to read up a bit, before asking him questions I should have discovered from robust research on the subject.. The iptables suggestions seem trite and old. Which suggestion? For a DNS server, you probably want something like, iptables -P INPUT DROP iptables -A INPUT -p ALL -i lo -j ACCEPT iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \ -j ACCEPT iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP # Allow SSH, up to you iptables -A INPUT -p tcp --dport 22 -j ACCEPT # And allow DNS traffic iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT Ah, you've added to this iptables listing: http://wiki.gentoo.org/wiki/BIND/Tutorial So, I am looking for a minimal listing of flags that is sufficient for a dns primary server, ssh and only necessary other services (make.conf). I'm thinking there should be a tremendously reduced set of C libraries so as to remove potential issues found on other services, or a secure, blessed C library commonly used for ultra tight servers. I was also thinking of not mounting some partitions rw, but r only, so a manual reboot would be needed to modify settings critical to security on the primary server. Good idea? Other similar ideas? eix dns reveals many servers, tools and complementary softwares. Also, /usr/portage/net-dns/ has some ebuilds not discovered by eix. Any recommended or useful for dns security issues? Any guidance on those? secure dns servers: sheerdns, maradns TOOLS to test the security of a dns server? fpdns, dnscap, validns, dnstop (with alarms or logging?) dnshijacker, dnscap, dnstracer, etc etc? New, relevant DNS RFCs? It's more ideas on subjects I should read up on, or specifically targeted responses from those current on dns security issues, like ISPs that practice dns-hijacking for their selfish desires and expose others in the process: [2] http://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs CERT.
I did find this singular issue: Alert (TA13-088A) DNS Amplification Attacks [3] https://www.us-cert.gov/ncas/alerts/TA13-088A And this comprehensive listing of dns server issues: http://search.us-cert.gov/search?utf8=✓&affiliate=us-cert&query=all+dns+server+alerts&commit=Search As well as a current listing of dns server issues, which is currently empty? Anyone and everyone is encouraged to chime in on dns server security issues, particularly related to the primary server issues and protection strategies. James
[gentoo-user] [OT] auto mounting and umounting flash drives using udev rule
Hi, Looking for alternatives on the subject, I've found this: http://www.unixli.com/q/answers-automount-usb-sticks-on-gentoo-78276.html It looks good, for now, it creates a directory named after the VFAT partition name under /media and then it mounts the flash drive on it. Regarding umounting, it umounts the drive after it is removed, which looks strange (to say the least) to me. Did I miss something? Or, in other words, is there a way of forcing operations on a usb flash media to always flush buffers and/or caches as fast as possible? Thanks, Francisco
Re: [gentoo-user] [OT] Intel(R) Celeron(R) CPU J1800 drivers
2014-06-15 6:52 GMT-03:00 Mick michaelkintz...@gmail.com: On Wednesday 11 Jun 2014 12:28:17 Francisco Ares wrote: Hi, I am trying to install Gentoo on a x64 system with such processor, that, as far as I could understand, is like to have the chipset embedded, so the buses to video, pci express, usb, etc, come out of the processor chip. The kernels from the 3.10 series were not able to correctly handle this processor, at least the video driver (not sure about the rest), but the new stable one, gentoo-sources-3.12.21-r1, is OK, now I have the framebuffer splash. But no X11 for now. I have added ~amd64 keywords to x11-drivers/xf86-video-intel, but, for now, only a black screen, with no clue in the log file /var/log/Xorg.0.log (which is the latest). On /etc/portage/make.conf, I have the line: VIDEO_CARDS="intel i915 i965 modesetting" Did I miss something? Change the above to: VIDEO_CARDS="intel i965 modesetting" (not sure if modesetting is necessary) Enable the corresponding kernel drivers, but not for framebuffer - see here: https://wiki.gentoo.org/wiki/Xorg/Configuration and recompile and install your new kernel. Run emerge -uaNDv world which will remerge the necessary xorg drivers. Reboot and it should work. -- Regards, Mick Thanks, going to try this too. Now I get something in a (what seems a) VGA compatible controller, and although the frame buffer is working, the Tux logos and all text characters are all white and irregular blocks, with approximate expected sizes for characters, but it looks like each one was written twice, a bit shifted each time, so some of them even merge. Even the colored brief diagnostic messages for the results of the init scripts are also white. I guess I forgot to add the intel drivers to the kernel, going to check this first. Thanks again, Francisco
Re: [gentoo-user] Secure DNS servers
generally using something like ISC BIND you can set filters and easily create an external view and internal view, so that you can do split dns based on network connection. if doing something like this, test it and then test it again to make sure there is no leak due to a typo. it would be easier if we knew what you were standing up the servers for. if it is for example your own domain name, you want something simple like a couple of A addresses and an MX record, then you don't need to deviate much. if you are looking for dynamic dns updates you want to make sure you have auth by secured ip (encrypted traffic) and you want to guard your keys to allow DDNS. DNSSEC is to prevent MITM attacks such as DNS cache poisoning, and you can see some starter material at the ISC BIND website [1] In terms of hack my dns server there are many things that can hamper it - something at the bleeding edge like gentoo is ace for this kind of thing (*cough* centos is prehistoric *cough*) and if you were to load up metasploit with ISC specific filters you can try to see what is vulnerable. you can filter by CVE on your favourite website [2] If the server is public facing then you want to be wary of such goodies as recursive lookups as these can contribute to DoS attacks. you might also like to try flooding the server with DNS or spoofed ip and see what it responds to. these are not necessarily dns server specific but UDP server specific and you can start to get an idea of scalability. in terms of primary to secondary then you have to question the underlying layers -- is this being xferred across the internet ? internally over vpn ? are your secondary servers going to be full secondaries or just caching forwarders ? how will you control zone transfers ? consider filtering the type of queries, and the size of queries. also consider the consequences of a hack. use selinux or similar, make sure dns is running in its own username and/or namespace.
primary target though has to be to change dns zones, so to make www.example.com map to www.clickads.com, so make sure that you have a remote server doing lookups regularly and report anomalies. hope this gives you a few directions to explore! [1] http://www.isc.org/downloads/bind/dnssec/ [2] https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
Re: [gentoo-user] Re: Secure DNS servers
On 06/16/2014 08:57 PM, James wrote: Michael Orlitzky mjo at gentoo.org writes: On 06/16/2014 02:15 PM, James wrote: Hello, I'm reading up on how to secure DNS primary and secondary servers. I guess DNSSEC is pretty important. Any other areas I should read up on? It's been a few years since I admin'd a dns server The benefits of DNSSEC are debatable. We're moving the centralized trust from one group of scumbags (the CAs) to another group of scumbags (the registrars). So the benefits to authentication are not entirely clear-cut. except for the prevention of dns injection / spoof floods But, DNSSEC will eventually allow us to do away with the SSL racket, and that can only improve security through the widespread adoption of encryption. So it's a good thing either way. Sven's also into selinux. I see no selinux policies or rules. Maybe I should drop him a line about selinux related to dns primary servers? Surely a selinux policy for a primary only selinux dns server would be keen? Not needed ? Overkill ? how paranoid are you? are you using SSL and fear the heartbleed will appear here too? I was going to read up a bit, before asking him questions I should have discovered from robust research on the subject.. The iptables suggestions seem trite and old. Which suggestion? For a DNS server, you probably want something like, iptables -P INPUT DROP iptables -A INPUT -p ALL -i lo -j ACCEPT iptables -A INPUT -p ALL -m conntrack --ctstate ESTABLISHED,RELATED \ -j ACCEPT iptables -A INPUT -p ALL -m conntrack --ctstate INVALID -j DROP # Allow SSH, up to you iptables -A INPUT -p tcp --dport 22 -j ACCEPT # And allow DNS traffic iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT how secure do you need this to be? how about iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp --sport 53 -j ACCEPT iptables -A OUTPUT -j DROP in case your machine gets hacked ? do you control all the clients connecting to the DNS ?
then disable UDP dns, which is what the entire world uses, and then you can much more easily control spoof flood amplification Ah, you've added to this iptables listing: http://wiki.gentoo.org/wiki/BIND/Tutorial So, I am looking for a minimal listing of flags that is sufficient for a dns primary server, ssh and only necessary other services (make.conf). it all depends on where the balance lies for you. do you have a text only requirement for dns and no ssl ? do you require ldap support or ip6 ? a minimal set for ISC BIND i think is nothing -- you can boot minimal gentoo and websync and emerge net-dns/bind. a minimal gentoo running bind can easily fit into a couple of GB (or nothing with PXE boot) and 256MB RAM so you can have a hundred boxes working in tandem, assuming of course you have very small zones to load I'm thinking there should be a tremendously reduced set of C libraries so as to remove potential issues found on other services, or a secure, blessed C library commonly used for ultra tight servers. you might also like to consider looking at embedded setups or an alternative to glibc such as uclibc, but this is a little offtopic. I was also thinking of not mounting some partitions rw, but r only, so a manual reboot would be needed to modify settings critical to security on the primary server. Good idea? Other similar ideas? A wise idea, but then you are trading off manageability for security. ah security, the eternal balance, and only you can know where the tipping point lies.
Re: [gentoo-user] Secure DNS servers
On Mon, Jun 16, 2014 at 2:49 PM, Michael Orlitzky m...@gentoo.org wrote: The benefits of DNSSEC are debatable. We're moving the centralized trust from one group of scumbags (the CAs) to another group of scumbags (the registrars). So the benefits to authentication are not entirely clear-cut. But, DNSSEC will eventually allow us to do away with the SSL racket, and that can only improve security through the widespread adoption of encryption. So it's a good thing either way. While I agree with your concerns about trust, I think the good thing about DNSSEC is that you don't have to trust as many people. With the current SSL racket I need to trust all the folks in my browser's CA list to not mess with my connection. Any one of them has the power to spoof any website on the planet, and have you seen how long the list is? With DNSSEC the only person who can tamper with a connection is the domain owner, registrar, and TLD owner. So, while Verisign can tamper with a .com domain, they can't mess with a .uk domain, and at least the folks who buy a .com domain know who they're getting involved with. With SSL Verisign can spoof any domain there is anywhere, since the trust relationship in SSL is not limited to some domain. I'd like to see things improved further still, but DNSSEC is a big step in the right direction. Rich
[gentoo-user] Re: Secure DNS servers
thegeezer thegeezer at thegeezer.net writes: generally using something like ISC BIND you can set filters and easily create an external view and internal view, so that you can do split dns based on network connection. if doing something like this test it and then test it again to make sure there is no leak due to a typo. it would be easier if we knew what you were standing up the servers for. if it is for example your own domain name, you want something simple like a couple of A addresses and an MX record then you don't need to deviate much. Well some things will be very simple (minimal). Then, there is a portal I'm researching where we run all sorts of applications very securely, for one person at a time. It's eventually (hopefully) going to be a full LMS (Learning Management System), something comprehensive, maybe even www-apps/moodle and or SWAD. Eventually a full ecommerce system, just for one company, not as a service to others. But for now, just running various forms of secure, minimized DNS. Some machine controls (SCADA) will use the DNS as part of the SSL services. if you are looking for dynamic dns updates you want to make sure you have auth by secured ip (encrypted traffic) and you want to guard your keys to allow DDNS. DNSSec is to prevent MITM attacks such as DNS cache poisoning, and you can see some starter material at ISC BIND website [1] DNSSEC will be down the road. I have time to build, test, research and adjust the strategy as this goes along. It's not fixing a desperate situation; more along the lines of building up various secure dns platforms along an increasing feature set. In terms of hack my dns server there are many things that can hamper it - something at the bleeding edge like gentoo is ace for this kind of thing (*cough* centos is prehistoric *cough*) and if you were to load up metasploit with ISC specific filters you can try to see what is vulnerable.
you can filter by CVE on your favourite website [2] Yep: http://cyberarms.wordpress.com/2014/04/20/detecting-openssl-heartbleed-with-nmap-exploiting-with-metasploit/ I got that, hence the advice is being sought out, first. If the server is public facing then you want to be wary of such goodies as recursive lookups as these can contribute to DoS attacks. you might also like to try flooding the server with DNS or spoofed ip and see what it responds to. these are not necessarily dns server specific but UDP server specific and you can start to get an idea of scalability. One of the things I like to do, is profile the traffic, particularly in well behaved, machine control networks with IP services first. Then open them up and gather some statistics, to start to develop some heuristics for patterns and volumes of expected and unexpected traffic flows. That will be for later. in terms of primary to secondary then you have to question the underlying layers -- is this being xferred across the internet ? internally over vpn ? are your secondary servers going to be full secondaries or just caching forwarders ? how will you control zone transfers ? consider filtering the type of queries, and the size of queries also consider the consequences of a hack. use selinux or similar, make sure dns running in its own username and/or namespace. primary target though has to be to change dns zones, so to make www.example.com map to www.clickads.com, so make sure that you have a remote server doing lookups regularly and report anomalies. hope this gives you a few directions to explore! Yep, THANKS! James [1] http://www.isc.org/downloads/bind/dnssec/ [2] https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
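thegeezer's last suggestion in the message above, a remote host that looks up your own names regularly and reports anomalies, is the cheapest detection for the zone-tampering scenario he describes (www.example.com quietly re-pointed elsewhere). The following is an added example of such a monitor, not code from the thread. The baseline, the netblock and the hijacked answers are all constructed; the only real lookup path is the system stub resolver, which covers A/AAAA only (MX and NS need dig or a DNS library), and it is not exercised by the offline run.

```python
"""Zone-tamper monitor: resolve your own names from outside and diff the
answers against what you published.  Added example, not code from the
thread; baseline, netblock and sample answers are constructed."""
import ipaddress
import socket
from typing import Callable, Dict, List, Set, Tuple

RRKey = Tuple[str, str]                       # (owner name, rrtype)
Resolver = Callable[[str, str], Set[str]]     # returns the rdata set

# Constructed baseline.  In practice generate it from the zone file on the
# primary so the monitor cannot drift away from what you actually publish.
BASELINE: Dict[RRKey, Set[str]] = {
    ("www.example.com.", "A"): {"192.0.2.10", "192.0.2.11"},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("example.com.", "NS"): {"ns1.example.com.", "ns2.example.net."},
}

# Address space you control (constructed).  An A record pointing anywhere
# else is the www.clickads.com case and deserves a louder alarm.
OWN_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]


def classify_address(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return "ours" if any(ip in net for net in OWN_NETBLOCKS) else "FOREIGN"


def diff_answers(baseline: Dict[RRKey, Set[str]], resolve: Resolver) -> List[str]:
    """One line per deviation from the baseline; empty list means all clear."""
    findings: List[str] = []
    for (name, rtype), expected in baseline.items():
        try:
            got = set(resolve(name, rtype))
        except OSError as exc:          # socket.gaierror is an OSError
            findings.append(f"{name}/{rtype}: lookup failed: {exc}")
            continue
        for rdata in sorted(got - expected):
            tag = f" [{classify_address(rdata)}]" if rtype in ("A", "AAAA") else ""
            findings.append(f"{name}/{rtype}: unexpected {rdata}{tag}")
        for rdata in sorted(expected - got):
            findings.append(f"{name}/{rtype}: missing {rdata}")
    return findings


def system_resolver(name: str, rtype: str) -> Set[str]:
    """A/AAAA through the host's stub resolver.  Run it from a machine that
    is NOT behind your own DNS, or you will only ever see your own view."""
    family = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}.get(rtype)
    if family is None:
        raise OSError(f"{rtype} lookups need dig or a DNS library, not getaddrinfo")
    return {info[4][0] for info in socket.getaddrinfo(name, None, family)}


def canned_resolver(answers: Dict[RRKey, Set[str]]) -> Resolver:
    """Offline stand-in for the network: missing keys behave like SERVFAIL."""
    def resolve(name: str, rtype: str) -> Set[str]:
        if (name, rtype) not in answers:
            raise OSError("SERVFAIL")
        return answers[(name, rtype)]
    return resolve


if __name__ == "__main__":
    # Constructed answers as an outside resolver would see them after a hijack.
    hijacked = {
        ("www.example.com.", "A"): {"192.0.2.10", "198.51.100.7"},
        ("example.com.", "MX"): {"10 mail.example.com."},
    }
    for line in diff_answers(BASELINE, canned_resolver(hijacked)):
        print(line)
```

Run it from cron on a box outside your network with system_resolver (or a resolver built on dig) in place of the canned one, and page on any non-empty result. Comparing sets rather than first answers matters: an attacker who adds one address to a round-robin set is invisible to a monitor that only checks whether the first answer still looks right.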
Re: [gentoo-user] Re: Secure DNS servers
On 06/16/2014 03:57 PM, James wrote: There's a video of DJB at the 27c3 conference floating around where he discusses some of this stuff. Some of his points shouldn't be taken seriously, but it's entertaining nevertheless. I thought DJB was mostly deprecated. He's still preaching dns security, yet does not update his offerings? Interestingly strange. He's a security researcher, not a system administrator. Most of his software is in the public domain if someone wants to maintain it. And while it's getting long in the tooth, e.g. djbdns still has one of the best track records for security -- you just won't get any new features. Sven is great. So just the generic hardened remedies, nothing special to DNS servers or services, from my quick parse of his documents on hardened? Nothing specific to DNS, no. Sven's also into selinux. I see no selinux policies or rules. Maybe I should drop him a line about selinux related to dns primary servers? Surely a selinux policy for a primary only selinux dns server would be keen? Not needed ? Overkill ? I was going to read up a bit, before asking him questions I should have discovered from robust research on the subject.. I personally don't use SELinux, so my opinion is overkill. But that opinion is highly colored by a lazy reluctance to learn how it works. Ah, you've added to this iptables listing: http://wiki.gentoo.org/wiki/BIND/Tutorial No! There's a dangerous mistake on that page that I've just fixed. This line, iptables -A INPUT -p tcp --sport 53 -j ACCEPT puts a big hole in your firewall for anyone smart enough to attack you from port 53.
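The hole Michael describes is easy to reintroduce by copy-paste, so it is worth checking for mechanically. Below is an added example, not code from the thread or the wiki page, that reads an iptables-save dump and flags INPUT rules that ACCEPT on a source port alone, with neither a --dport nor a conntrack state match. Any client chooses its own source port, so such a rule admits traffic to every listening service, not just to BIND. The ruleset in the block is constructed; with a default DROP policy the flagged line is the only thing letting port-53-sourced traffic through to, say, sshd.

```python
"""Audit an iptables-save dump for the mistake Michael points out: an INPUT
rule that ACCEPTs on --sport alone.  Any client can choose 53 as its source
port, so that rule reaches every listening service, not just DNS.  Added
example, not from the thread; the ruleset below is constructed."""
import shlex
from typing import Dict, List, Optional

SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --sport 53 -j ACCEPT
-A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
COMMIT
"""

Rule = Dict[str, Optional[str]]


def parse_rule(line: str) -> Rule:
    """Pull the fields this check cares about out of one `-A ...` line."""
    rule: Rule = {"chain": None, "proto": None, "sport": None, "dport": None,
                  "target": None, "stateful": None, "raw": line}
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        handled = True
        if tok == "-A":
            rule["chain"] = nxt
        elif tok in ("-p", "--protocol"):
            rule["proto"] = nxt
        elif tok in ("--sport", "--source-port"):
            rule["sport"] = nxt
        elif tok in ("--dport", "--destination-port"):
            rule["dport"] = nxt
        elif tok in ("-j", "--jump"):
            rule["target"] = nxt
        elif tok in ("--ctstate", "--state"):
            rule["stateful"] = nxt          # narrows the rule to reply traffic
        else:
            handled = False
        i += 2 if handled else 1
    return rule


def find_sport_holes(dump: str) -> List[Rule]:
    """ACCEPT rules in INPUT that match only a source port: no --dport and
    no conntrack state.  Those are the holes."""
    holes: List[Rule] = []
    for line in dump.splitlines():
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        if (r["chain"] == "INPUT" and r["target"] == "ACCEPT"
                and r["sport"] is not None and r["dport"] is None
                and r["stateful"] is None):
            holes.append(r)
    return holes


def suggested_fix(rule: Rule) -> str:
    """Match the port we serve on instead.  Replies to the server's own
    outbound queries are already covered by the ESTABLISHED,RELATED rule."""
    return f"-A INPUT -p {rule['proto']} --dport {rule['sport']} -j ACCEPT"


if __name__ == "__main__":
    for hole in find_sport_holes(SAMPLE_RULES):
        print(f"HOLE: {hole['raw']}\n  use: {suggested_fix(hole)}")
```

For a live box, feed the output of iptables-save to find_sport_holes instead of the constructed string. The parser deliberately treats a rule with --state or --ctstate as not a hole, since "--sport 53 --state ESTABLISHED" only admits replies to queries the host itself sent; the dangerous shape is the stateless one on the wiki page.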
Re: [gentoo-user] [OT] auto mounting and umounting flash drives using udev rule
On Monday 16 Jun 2014 20:58:07 Francisco Ares wrote: Hi, Looking for alternatives on the subject, I've found this: http://www.unixli.com/q/answers-automount-usb-sticks-on-gentoo-78276.html It looks good, for now, it creates a directory named after the VFAT partition name under /media and then it mounts the flash drive on it. Regarding umounting, it umounts the drive after it is removed, which looks strange (to say the least) to me. Did I miss something? Or, in other words, is there a way of forcing operations on a usb flash media to always flush buffers and/or caches as fast as possible? You shouldn't need to define any special udev rules, the defaults should work. Make sure sys-fs/udisks is installed. -- Regards, Mick signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Re: Secure DNS servers
On 06/16/2014 10:08 PM, James wrote: thegeezer thegeezer at thegeezer.net writes: generally using something like ISC BIND you can set filters and easily create an external view and internal view, so that you can do split dns based on network connection. if doing something like this test it and then test it again to make sure there is no leak due to a typo. it would be easier if we knew what you were standing up the servers for. if it is for example your own domain name, you want something simple like a couple of A addresses and an MX record then you don't need to deviate much. Well some things will be very simple (minimal). Then, there is a portal I'm researching where we run all sorts of applications very securely, for one person at a time. It's eventually (hopefully) going to be a full LMS Learning Management system, something comprehensive, maybe even www-apps/moodle and/or SWAD. Eventually a full ecommerce system, just for one company, not as a service to others. sounds interesting. going for full interactive video distance learning too would be a great direction to take, especially if the teacher controls who has audio (to speak). the only thing i would add is to keep each system separated as much as possible. don't put everything on one server. bad things happen to good people so try to make sure one thing doesn't affect another. depending on the age of the people you are helping they probably will try to use latest scriptkiddie toys against you first, so think about the ingress and egress of the network and of the individual nodes when you think about security. But for now, just running various forms of secure, minimized DNS. Some machine controls (SCADA) will use the DNS as part of the SSL services. scada huh. i wouldn't put it on a public facing internet connection. even on a network connected to things i care about. 
i'm sure you have good reasons, i would probably urge you to reconsider them [3] if you are looking for dynamic dns updates you want to make sure you have auth by secured ip (encrypted traffic) and you want to guard your keys to allow DDNS. DNSSEC is to prevent MITM attacks such as DNS cache poisoning, and you can see some starter material at ISC BIND website [1] DNSSEC will be down the road. I have time to build, test, research and adjust the strategy as this goes along. It's not fixing a desperate situation; more along the lines of building up various secure dns platforms along an increasing features set. if your scada devices are using the public internet to get to your dns servers i would seriously urge you to rethink things, even if you are using dnssec. In terms of hack my dns server there are many things that can hamper it - something at the bleeding edge like gentoo is ace for this kind of thing (*cough* centos is prehistoric *cough*) and if you were to load up metasploit with ISC specific filters you can try to see what is vulnerable. you can filter by CVE on your favourite website [2] Yep: http://cyberarms.wordpress.com/2014/04/20/detecting-openssl-heartbleed-with-nmap-exploiting-with-metasploit/ I got that, hence the advice is being sought out, first. and bear in mind the security in depth. your perimeter will be bypassed - what happens next is down to you. you are looking at having possible external user generated web content -- how do you protect other users from XSS exploits ? how about 2-factor auth for staff and/or students ? how do you sandbox your remote apps ? having an open network behind the wall is convenient, but servers in your own network not trusting each other by default is how it should be designed. If the server is public facing then you want to be wary of such goodies as recursive lookups as these can contribute to DoS attacks. you might also like to try flooding the server with DNS or spoofed ip and see what it responds to. 
these are not necessarily dns server specific but UDP server specific and you can start to get an idea of scalability. One of the things I like to do, is profile the traffic, particularly in well behaved, machine control networks with IP services first. Then open them up and gather some statistics, to start to develop i for one would be very interested in reading of this work, should you care to share it some heuristics for patterns and volumes of expected and unexpected traffic flows. there are very many companies that do this such as darktrace for one [4] but my argument with them is that it is difficult to detect normal unless you aggregate data among very large sites and use big data statistics on them. it wasn't so long ago that usb dsl modems were the norm, and windows xp had zero firewall on the dialup connection. viruses came in within seconds of connectivity. what happens if what you start with is not normal ? especially on a proving ground it is not only subject to change but also you intend to pentest it -- is that flood of SYNs normal
[gentoo-user] Re: [OT} GStreamer: How to view AND record a stream coming from an USB Webcam
meino.cramer at gmx.de writes: OK, one last trick, that will work with a coax camera. A coax output camera, can be connected to either a h.264 encoder/mux (standard industry equipment) or to a pci card that has external coax inputs. You can then put a coax splitter (a mechanical tee) and run the camera output to 2 different computers. One encodes and records (writes to) the HD, the other for viewing. Hokey, but we used it to test the encoding delays of various video surveillance boxes. Cameras that output h.264 directly, usually use a custom encoder that will differ from vendor to vendor. Vendors do this because each algo, code_block and patent is managed by the MPLA and vendors engineer what to put inside of a video camera that outputs h.264 by playing what if with a myriad of offerings directly or indirectly from software vendors. If you can, a video camera with coax outputs is best and you can run your own h.264 encoding on a workstation or a stand alone video encoding board. Probably too much work for your needs, methinks... I have threatened to pick up the zoneminder code and fork it, as have others, but I just don't have the time for that. It's a large effort to say the least. A google summer of code genius could/should do that, because support for h.264 and V8 (media-libs/libvpx) would be very, very keen, imho added to ZM. V8 is superior to h.264 and is not patent encumbered. sorry I'm not more help, James
Re: [gentoo-user] [OT] auto mounting and umounting flash drives using udev rule
On Mon, 16 Jun 2014 16:58:07 -0300, Francisco Ares wrote: Regarding umounting, it umounts the drive after it is removed, which looks strange (to say the least) to me. Udev doesn't know you want to remove the drive until you've pulled it. Apparently, a future release of systemd will be able to predict when you want to remove the drive as it will control everything you do. Did I miss something? Or, in other words, is there a way of forcing operations on a usb flash media to always flush buffers and/or caches as fast as possible? Mount it with the sync option. On the other hand, this increases the number of writes to the drive, quickly killing performance and slowly killing the drive. -- Neil Bothwick We all know what comes after 'X', said Tom, wisely. signature.asc Description: PGP signature
[gentoo-user] webkit-gtk grumbles
I'm sick of building webkit-gtk. My oldest machine (a dual-core AMD64) has been building webkit for 6 hours and still going :( Can anyone answer a few questions for me, please? 1) Why do we not have a binary webkit package in portage, like libreoffice-bin, firefox-bin, thunderbird-bin, etc? 2) Why does webkit-gtk drag in ruby and several ruby gems? I've wasted hours trying to untangle conflicts between multiple ruby versions, which I need *only* because webkit-gtk drags them in. I have no other need for ruby. 3) Why does webkit-gtk have a spell useflag? Why does an html rendering engine need a spellcheck function? Thanks for any insights. (I'm not maximally grumpy, merely slightly grumpy :)
Re: [gentoo-user] webkit-gtk grumbles
On 17/06/2014 01:53, walt wrote: I'm sick of building webkit-gtk. My oldest machine (a dual-core AMD64) has been building webkit for 6 hours and still going :( Can anyone answer a few questions for me, please? 1) Why do we not have a binary webkit package in portage, like libreoffice-bin, firefox-bin, thunderbird-bin, etc? Probably because there isn't a downloadable upstream binary? LO and firefox have -bin ebuilds precisely because upstream provides one (which gets installed in the same fashion Windows does it - unpack a blob) 2) Why does webkit-gtk drag in ruby and several ruby gems? I've wasted hours trying to untangle conflicts between multiple ruby versions, which I need *only* because webkit-gtk drags them in. I have no other need for ruby. /var/log/portage/net-libs:webkit-gtk-2.4.3:20140605-010132.log:/usr/bin/ruby20 ./Source/JavaScriptCore/offlineasm/generate_offset_extractor.rb ./Source/JavaScriptCore/llint/LowLevelInterpreter.asm DerivedSources/JavaScriptCore/LLIntDesiredOffsets.h /var/log/portage/net-libs:webkit-gtk-2.4.3:20140605-010132.log:/usr/bin/ruby20 ./Source/JavaScriptCore/offlineasm/asm.rb ./Source/JavaScriptCore/llint/LowLevelInterpreter.asm Programs/LLIntOffsetsExtractor DerivedSources/JavaScriptCore/LLIntAssembly.h /var/log/portage/net-libs:webkit-gtk-2.4.3:20140605-010132.log:/usr/bin/ruby20 ./Source/JavaScriptCore/offlineasm/generate_offset_extractor.rb ./Source/JavaScriptCore/llint/LowLevelInterpreter.asm DerivedSources/JavaScriptCore/LLIntDesiredOffsets.h /var/log/portage/net-libs:webkit-gtk-2.4.3:20140605-010132.log:/usr/bin/ruby20 ./Source/JavaScriptCore/offlineasm/asm.rb ./Source/JavaScriptCore/llint/LowLevelInterpreter.asm Programs/LLIntOffsetsExtractor DerivedSources/JavaScriptCore/LLIntAssembly.h As to why webkit-gtk does *that*, you'll have to ask upstream. Personally I think it's simply because they can and apparently perl, python are not enough scripting languages to have on a box. 3) Why does webkit-gtk have a spell useflag? 
Why does an html rendering engine need a spellcheck function? Ever typed a post into a web forum? Ever seen the red squiggly lines underneath typos? That's why. There's also HTML rendering in mailer apps -- Alan McKinnon alan.mckin...@gmail.com
[gentoo-user] Re: Secure DNS servers
thegeezer thegeezer at thegeezer.net writes: I'm researching where we run all sorts of applications very securely, for one person at a time. It's eventually (hopefully) going to be a full LMS Learning Management system, something comprehensive, maybe even www-apps/moodle and/or SWAD. Eventually a full ecommerce system, just for one company, not as a service to others. sounds interesting. going for full interactive video distance learning too would be a great direction to take, especially if the teacher controls who has audio (to speak). the only thing i would add is to keep each system separated as much as possible. don't put everything on one server. bad things happen to good people so try to make sure one thing doesn't affect another. depending on the age of the people you are helping they probably will try to use latest scriptkiddie toys against you first, so think about the ingress and egress of the network and of the individual nodes when you think about security. We're planning on lots of unwanted noise from a range of talented problem hackers. Eventually a massive VM system approach will be deployed, but first I want to test security the old-fashioned way But for now, just running various forms of secure, minimized DNS. Some machine controls (SCADA) will use the DNS as part of the SSL services. scada huh. i wouldn't put it on a public facing internet connection. even on a network connected to things i care about. i'm sure you have good reasons, i would probably urge you to reconsider them [3] Let me share a little background with you on SCADA. Most networks that have SCADA on them, are really poorly secured. It's just layers upon layers of MS crap. I do not design those sorts of machine networks. I have been given the opportunity to 'fix' many such networks. Most I just walk away from. I employ techniques I would characterize as network partitioning and asymmetric traffic routing and loads of passive monitoring and profiling. 
Many scada networks have all sorts of improperly configured devices, bounced packets, and no sort of 'state machine' design on what is and is not needed, how often and why. They have evolved, mostly by technicians and poorly trained IT folks that just 'got it to work' without optimization or system design constraints being enforced. Far too many folks and machines are present on those critical networks. IT folks view a 20 million dollar gas turbine, just like an expensive printer. Hacking them is trivial. Most SCADA networks have MS servers on the same segments for the 'convenience' of all sorts of non-essential personnel. To boot they put video surveillance networks in place, so the hackers can actually see the physical layout of the plants. Stupid does not begin to characterize the mistakes common to scada operations. You have the very wrong impression of my scada network designs. Most companies I talk to, do not like my 'draconian' designs, and I'm never going to be responsible for MS inspired, stupid networks. That said the big vendors do make billions of (scada) dollars and I search pretty hard for companies that will listen and I like enough to work for. Networks with many machines and without humans are easy to secure, you just have to think out of the box a bit (sorry trade secrets here). Just keep anybody with an MBA out of the process. if you are looking for dynamic dns updates you want to make sure you have auth by secured ip (encrypted traffic) and you want to guard your keys to allow DDNS. DNSSEC is to prevent MITM attacks such as DNS cache poisoning, and you can see some starter material at ISC BIND website [1] DNSSEC will be down the road. I have time to build, test, research and adjust the strategy as this goes along. It's not fixing a desperate situation; more along the lines of building up various secure dns platforms along an increasing features set. 
if your scada devices are using the public internet to get to your dns servers i would seriously urge you to rethink things, even if you are using dnssec. Ok, so even though folks consider these 'devices' as scada, I do not. I mostly work on industrial control systems, when I choose to do scada work. What you are referring to, something like using a cell phone to open your front door, turn on the hot tub, or manipulate your audio gear, is not really what I consider scada, but others do. If those things get hacked, you flood a basement, illegally enter a house etc etc. Bad things but not really catastrophic to the neighborhood. For me, scada means big industry, water supply, chemical plants, manufacturing etc etc. So if you hack them, costs rise astronomically, very quickly. Loss of life is a distinct possibility. These types of things should not depend on MS anything, or using the open internet for anything. Few listen nowadays, because of the allure of sexy visual candy for folks that do not need access to the
Re: [gentoo-user] webkit-gtk grumbles
140616 walt wrote: I'm sick of building webkit-gtk. My oldest machine (a dual-core AMD64) has been building webkit for 6 hours and still going. An entry in my home-made list of un/installed pkgs : 140322 net-libs/webkit-gtk-1.8.3-r201 [ 22 min : for gimp] The date is when I removed it, having removed Gimp too ; the time is compile+install time when I previously installed it ; the current stable version is 2.2.6 , which mb much more demanding. Generally, old hardware (how old is yours ? ) doesn't play well with the latest versions of popular free software : that's why there are distros designed for old hardware. Why does webkit-gtk drag in ruby and several ruby gems? I need them only because of webkit-gtk : I have no other need for ruby. I've never had Ruby installed on this machine, so try juggling flags. HTH -- ,, SUPPORT ___//___, Philip Webb ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto TRANSIT`-O--O---' purslowatchassdotutorontodotca