Re: IPv6 deployment?
On Tue, Apr 20, 2010 at 3:12 PM, Chip Marshall wrote:
> On 20-Apr-2010, John Abreau sent:
> > Has anyone else deployed IPv6 yet? Is there a decent HOWTO that
> > shows how to deploy it for a network of CentOS servers?

I attended a meeting of NNEUUG in 1993 that discussed ongoing IPv6 efforts. Someone from DEC led the talk. For OSF/1 the change for telnet was to recompile with a new library. For VMS, they had lost the source to telnet :-( They didn't bother with Ultrix. DEC was ready back then.

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: IPv6 deployment?
If you want to configure static IPv6 addresses in CentOS, it's pretty easy. You set IPV6_NETWORKING=yes in /etc/sysconfig/network and assign an address in your /etc/sysconfig/network-scripts/ifcfg-XXX file. See this page for some more details: http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/. All of the available IPV6 options for the sysconfig scripts are listed in sysconfig.txt, which you'll find in /usr/share/doc/initscripts- on your CentOS boxen. This all assumes you have some router running IPv6 to configure as your default gateway.

IPv6 supports stateless autoconfiguration for non-static addresses. Basically, your routers need to provide routing advertisements with an IPv6 network prefix (this can be done on a Linux router either with the radvd package or the quagga routing suite). Basically your host comes up, sends out a notification looking for routers, and the IPv6 router on your subnet responds with an advertisement response containing what prefix the host should use. The rest of the IPv6 address is usually derived from the MAC address. This only gets you an address though, and there is a DHCPv6 standard now for getting you things like DNS. From my understanding, you basically use stateless autoconf to get you on the network and use that address to get DHCPv6 to get the rest of your network info.

The Linuxen and BSDs have decently robust support for IPv6 these days from the OS perspective. Most of the important server apps have IPv6 support and clients are coming along. Mac OS X has had decent client support I believe since about 10.4.

As for Windows, XP has limited IPv6 support. If you turn on IPv6, there is no GUI configuration support (all config is done through the netsh command line). IIRC, you cannot configure an IPv6 address (all you get is the IPv6 address space equivalent of what your IPv4 address is). Also there is no DHCPv6 support (a grad student wrote a DHCPv6 implementation called Dibbler: http://klub.com.pl/dhcpv6/ ). Also XP (last I checked anyway) doesn't make DNS queries over v6 (it'll make v4 queries and if, for example, it gets a record and the app supports v6, it will use v6 to talk for that app). Windows Server 2003 has better, but not awesome, IPv6 support. Vista is the first MS OS that they claim has full IPv6 support.

Most major routers (Cisco and Juniper at least) also do IPv6. As for home, the home router vendors (Linksys, Netgear, D-Link, etc.) are still fairly new to implementing IPv6.

I hope that's helpful! :)

-Shawn

On Tue, Apr 20, 2010 at 1:10 PM, John Abreau wrote:
> I'd like to begin deploying IPv6 on the BLU.ORG servers. They will need
> to transparently handle both IPv4 and IPv6, at least until some distant
> future time when IPv4 goes away. I suspect both will probably have to
> work in parallel for a while.
>
> Has anyone else deployed IPv6 yet? Is there a decent HOWTO that
> shows how to deploy it for a network of CentOS servers?
>
> Eventually I'll want to deploy it at home and at work, where MacOS and
> Windows clients will presumably complicate the picture. I'm assuming
> it will be easier to get my first deployment working if I do it in a pure
> Linux environment. Is this a reasonable assumption?
>
> The three BLU.ORG servers are running CentOS; two are CentOS 4, and
> the other is CentOS 5.
>
> --
> John Abreau / Executive Director, Boston Linux & Unix
> AIM abreauj / JABBER j...@jabber.blu.org / YAHOO abreauj / SKYPE zusa_it_mgr
> Email j...@blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
> PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
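As an added illustration of the MAC-derived address Shawn describes (example code written for this page, not from the post): build the modified EUI-64 interface identifier from a MAC, join it to an advertised /64 prefix, and recognise such addresses by their ff:fe marker. The prefix and MAC values are constructed.

```python
# Added example (not from the thread): SLAAC address = advertised /64 prefix + modified
# EUI-64 identifier built from the MAC (RFC 4291, Appendix A). Sample values are constructed.
import ipaddress
import re


def interface_id_from_mac(mac):
    """Build the 8-byte modified EUI-64 identifier from a 48-bit MAC ('00:11:22:33:44:55')."""
    octets = bytes(int(x, 16) for x in re.split(r"[:-]", mac.strip()))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Split OUI and device part, insert ff:fe between them ...
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # ... and invert the universal/local bit (0x02 of the first octet).
    eui64[0] ^= 0x02
    return bytes(eui64)


def slaac_address(prefix, mac):
    """Combine the advertised /64 prefix with the EUI-64 identifier into a full address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix, got /%d" % net.prefixlen)
    iid = int.from_bytes(interface_id_from_mac(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_slaac(address):
    """Recover the MAC from an EUI-64 style address; None if the identifier is not EUI-64.

    The ff:fe marker makes these addresses recognisable in logs and stable across
    networks, which is why RFC 4941 privacy extensions were introduced.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)
```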
Re: IPv6 deployment?
Coincidentally (or not?), Comcast notified me yesterday that I'd been accepted as part of their IPv6 beta rollout (to be deployed at a date TBD). Don't know if it's too late to try signing up -- I did so a month or two ago -- but I guess it never hurts to throw your hat into the ring. See http://www.comcast6.net/ for more info.

-Ken

P.S. And, yes, it does look as if they're still seeking maso^H^H^H^H^H beta testers.

On Tue, April 20, 2010 3:12 pm, Chip Marshall wrote:
> On 20-Apr-2010, John Abreau sent:
>
>> Has anyone else deployed IPv6 yet? Is there a decent HOWTO that
>> shows how to deploy it for a network of CentOS servers?
>>
>> Eventually I'll want to deploy it at home and at work, where
>> MacOS and Windows clients will presumably complicate the
>> picture. I'm assuming it will be easier to get my first deployment
>> working if I do it in a pure Linux environment. Is this a reasonable
>> assumption?
>
> I have v6 set up on a couple of my personal servers, along with a tunnel
> from Hurricane Electric at home (was doing 6to4 previously.)
>
> Windows XP and above and Mac OS X handle it just fine, at least when
> using SLAAC. I haven't even looked at DHCPv6 yet, but I get the impression
> that client support is lacking.
>
> It's been my experience so far that most of the issues happen when some
> clients are going over v4 to a server and some are going over v6 and the
> server breaks on one protocol but not the other. But so far this has been
> pretty rare, though that might just be due to a lack of dual-stack servers
> in the wild.
>
> Most of my experience is on FreeBSD though, so I don't think I'll
> be of much help for Linux v6 support.
>
> --
> Chip Marshall
> http://weblog.2bithacker.net/
> KB1QYW
> PGP key ID 43C4819E
> v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM
Re: IPv6 deployment?
On 20-Apr-2010, John Abreau sent:
> Has anyone else deployed IPv6 yet? Is there a decent HOWTO that
> shows how to deploy it for a network of CentOS servers?
>
> Eventually I'll want to deploy it at home and at work, where
> MacOS and Windows clients will presumably complicate the
> picture. I'm assuming it will be easier to get my first
> deployment working if I do it in a pure Linux environment. Is
> this a reasonable assumption?

I have v6 set up on a couple of my personal servers, along with a tunnel from Hurricane Electric at home (was doing 6to4 previously.)

Windows XP and above and Mac OS X handle it just fine, at least when using SLAAC. I haven't even looked at DHCPv6 yet, but I get the impression that client support is lacking.

It's been my experience so far that most of the issues happen when some clients are going over v4 to a server and some are going over v6 and the server breaks on one protocol but not the other. But so far this has been pretty rare, though that might just be due to a lack of dual-stack servers in the wild.

Most of my experience is on FreeBSD though, so I don't think I'll be of much help for Linux v6 support.

--
Chip Marshall
http://weblog.2bithacker.net/
KB1QYW
PGP key ID 43C4819E
v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM
IPv6 deployment?
I'd like to begin deploying IPv6 on the BLU.ORG servers. They will need to transparently handle both IPv4 and IPv6, at least until some distant future time when IPv4 goes away. I suspect both will probably have to work in parallel for a while.

Has anyone else deployed IPv6 yet? Is there a decent HOWTO that shows how to deploy it for a network of CentOS servers?

Eventually I'll want to deploy it at home and at work, where MacOS and Windows clients will presumably complicate the picture. I'm assuming it will be easier to get my first deployment working if I do it in a pure Linux environment. Is this a reasonable assumption?

The three BLU.ORG servers are running CentOS; two are CentOS 4, and the other is CentOS 5.

--
John Abreau / Executive Director, Boston Linux & Unix
AIM abreauj / JABBER j...@jabber.blu.org / YAHOO abreauj / SKYPE zusa_it_mgr
Email j...@blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
Re: Deployment
Bill McGonigle wrote:
> I haven't worked with MV before, so
> * would MV hit a reset button and choose a kernel if we got into a bind?

Not speaking for MV, but being an MV customer for many years, the answer has been "yes." I have had them do just that for us in an emergency (as well as other helpful things, such as inserting a boot CD, or even hooking up a monitor and reading me what was on the screen). Now that I'm less than 10 minutes away from MV, it's easy to gain access 24x7 with my security card, so I haven't needed that sort of help from them in a while.

--
Dan Jenkins ([EMAIL PROTECTED])
Rastech Inc., Bedford, NH, USA --- 1-603-206-9951
*** Technical Support for over a Quarter Century
Re: Deployment
[EMAIL PROTECTED] said:
> Well, anyone who's interested in system administration as a spectator sport
> is welcome to watch:
> http://mail.gnhlug.org/mailman/private/gnhlug-sysadmin/

This required a login name and password, and going there is "out of band" for me.

> http://mail.gnhlug.org/mailman/private/gnhlug-sysadmin/

I found this interesting, but specific to a particular need, whereas your initial question, and the answers, were more general. I would not mind a more open discussion on the "discuss" mailing list about the technical issues of "what type of security and access should happen in a rack-mount, remote system", keeping the tender issues of whether the machine should be named "liberty" or "moose" to a smaller, more impassioned group.

I feel more along the same lines as the guy who said:

[EMAIL PROTECTED] said:
> Benefits of a group approach:
> * We have few people who know everything that we need
> * We have few people, period
> * Learning experience for those involved
> * Knowledge resource for others who are interested
> * Demonstration of the power of Linux
> * Transparency of GNHLUG operations

Ignoring the first two bullets, the last four are what the "discuss" list is all about.

md
--
Jon "maddog" Hall
Executive Director, Linux International(R)
email: [EMAIL PROTECTED]
80 Amherst St., Amherst, N.H. 03031-3032 U.S.A.
Voice: +1.603.672.4557
WWW: http://www.li.org
Board Member: Uniforum Association, USENIX Association

(R)Linux is a registered trademark of Linus Torvalds in several countries.
(R)Linux International is a registered trademark in the USA used pursuant to a license from Linux Mark Institute, authorized licensor of Linus Torvalds, owner of the Linux trademark on a worldwide basis.
(R)UNIX is a registered trademark of The Open Group in the USA and other countries.
Re: Host-based intrusion detection (was Pre-deployment security)
On Mon, 2006-02-27 at 12:35 -0500, Neil Schelly wrote:
> On Monday 27 February 2006 11:16 am, Bair,Paul A. wrote:
> > If you have any questions on ftimes, you can email me directly. I
> > support and contribute to the project.
>
> I've always used AIDE myself. I remember looking into it a few years ago and
> found it to be preferable at least to Tripwire, though I understand that
> Tripwire has a few admin GUIs that make it more worthwhile if you want to go
> commercial.
>
> I'm curious what you think though if you're contributing to a project in this
> space. How familiar are you with the other competing projects and what each
> has in terms of strengths/weaknesses. I've never heard of ftimes, but am
> curious about it and others, if you'd care to expound a bit.
> -Neil

Unfortunately, I'm not a great resource for comparing these tools and I also try not to bash other tools. That said, I use ftimes for these reasons:

- ftimes is free
- there are several recipes to help you deal with ftimes data: http://ftimes.sourceforge.net/FTimes/Cookbook.shtml
- ftimes produces nice delimited output that is easily importable to a db. I'm not sure if the tripwire output can be parsed that easily.
- ftimes has a 'dig' mode which allows me to search an entire drive for one or more regular expressions. This makes it nice to search for known trojan signatures, or IP addresses, etc.
- ftimes has a great 'compare' mode that allows you to compare any fields it collects. So if you only want to see files whose md5s changed, you would execute ftimes like this:

  # ftimes --compare none+md5 baseline.map snapshot.map

- ftimes works on unix and windows (and it finds Alternate Data Streams in windows)
- ftimes url-encodes non-printable characters in the output file, which is very handy when dealing with wacky named files. Malicious programs tend to create unusually named files.
- while I don't use it often, ftimes also integrates the unix file magic when scanning files. So, this helps identify the file type quickly.
- ftimes has a test harness used to validate the tool (http://cvs.sourceforge.net/viewcvs.py/ftimes/ftimes/tests/)

Later,
Andy
Re: Deployment
On 2/27/06, Jon maddog Hall <[EMAIL PROTECTED]> wrote:
>> Crap! This was supposed to go to a different list.
>
> I, for one, found it useful.

Well, anyone who's interested in system administration as a spectator sport is welcome to watch:

http://mail.gnhlug.org/mailman/private/gnhlug-sysadmin/
http://wiki.gnhlug.org/twiki2/bin/view/Organizational/InternetServer

If you're interested in helping out, it's kind of late to contribute for initial decisions, but help with future endeavors is both welcome and needed:

http://wiki.gnhlug.org/twiki2/bin/view/Organizational/ServerAnnounce

--
Ben "Full Contact System Administrator" Scott
Re: Pre-deployment security (Tripwire, etc.)
> I did some work with Tripwire and alternatives a few years ago,
> although I haven't touched it recently. Anyone want to toss out
> alternatives/suggestions/best practices/etc?

The first thought that comes to mind is, is it overkill? Really necessary? To do tripwire or AIDE "right" requires a fair amount of work -- and makes software updates quite a bit more difficult than simply running yum or apt-get.

As I'm sure you're aware, to do tripwire or AIDE properly, the database has to be on read-only media. IMHO, that means burned to a CD. Doing updates on a remote box without easy physical access is going to be a PITA.

Regards,
. Randy
--
Do you like browsing the web, independent of whatever type of computer you are talking to on the other end? "Enhancements" to public standard protocols is the way the WWW will be turned into a proprietary nightmare.
Re: Deployment
> Crap! This was supposed to go to a different list.

I, for one, found it useful.

md
--
Jon "maddog" Hall
Executive Director, Linux International(R)
email: [EMAIL PROTECTED]
80 Amherst St., Amherst, N.H. 03031-3032 U.S.A.
Voice: +1.603.672.4557
WWW: http://www.li.org
Board Member: Uniforum Association, USENIX Association
Re: Host-based intrusion detection (was Pre-deployment security)
On Monday 27 February 2006 11:16 am, Bair,Paul A. wrote:
> If you have any questions on ftimes, you can email me directly. I
> support and contribute to the project.

I've always used AIDE myself. I remember looking into it a few years ago and found it to be preferable at least to Tripwire, though I understand that Tripwire has a few admin GUIs that make it more worthwhile if you want to go commercial.

I'm curious what you think though if you're contributing to a project in this space. How familiar are you with the other competing projects and what each has in terms of strengths/weaknesses? I've never heard of ftimes, but am curious about it and others, if you'd care to expound a bit.

-Neil
Re: Deployment
On 2/27/06, Ben Scott <[EMAIL PROTECTED]> wrote:
> Hi everybody (Hi Dr. Nick!),
>
> As Bruce rightly points out, time is running short.

Crap! This was supposed to go to a different list. Sorry for the noise, everybody.

/me whips self with an LDAP schema
Re: Pre-deployment security (Tripwire, etc.)
On Mon, 27 Feb 2006 10:57:02 -0500 "Ben Scott" <[EMAIL PROTECTED]> wrote:
> I did some work with Tripwire and alternatives a few years ago,
> although I haven't touched it recently. Anyone want to toss out
> alternatives/suggestions/best practices/etc?

As one who does not do this stuff as a day job, but who worries, I found Tripwire and Snort to be a good combo. Of course you need to have reports sent to you, and then you need to read the reports and think about what you see in the reports.

Ed Lawson
Re: Pre-deployment security (Tripwire, etc.)
On Mon, 2006-02-27 at 10:57 -0500, Ben Scott wrote:
> Hi all,
>
> A good thing to do would be to use Tripwire or similar to build a
> "known good" database of file signatures prior to deployment. When it
> comes to intrusion detection and compromise recovery, this is the only
> way to be sure.
>
> I did some work with Tripwire and alternatives a few years ago,
> although I haven't touched it recently. Anyone want to toss out
> alternatives/suggestions/best practices/etc?

I would recommend ftimes as an alternative to tripwire. It captures quite a lot of information for both windows and unix file systems. Here's an example execution. The commands below collect all file system information for the /tmp directory and send the output to a file.

# ftimes --mapauto all -l 6 /tmp > /tmp/baseline.map
# ftimes --mapauto all -l 6 /tmp > /tmp/snapshot.map

Here's what the baseline.map file looks like; the pipe character is the delimiter.

# head -3 /tmp/baseline.map
name|dev|inode|mode|nlink|uid|gid|rdev|atime|mtime|ctime|size|magic|md5
"/tmp/.snap"|1040|3|40775|2|0|5|3016|2006-02-21 08:05:29|2006-01-20 14:55:58|2006-01-20 14:55:58|512||DIRECTORY
"/tmp/err"|1040|5|100644|1|0|0|3024|2006-02-23 16:27:07|2005-07-09 00:30:26|2005-07-09 00:30:26|2698||6decb5604954792a16e0cdd22ff71cb5

It's trivial to compare a baseline and snapshot, as shown with the command below. The results follow the command, which shows that /tmp/snapshot.map is a new file (N), and the /tmp directory and /tmp/baseline.map files have changed (C).

# ftimes --compare all-atime-magic /tmp/baseline.map /tmp/snapshot.map
category|name|changed|unknown
C|"/tmp/baseline.map"|size,md5|
N|"/tmp/snapshot.map"||
C|"/tmp"|mtime,ctime|

You can get ftimes here: http://ftimes.sourceforge.net/FTimes/index.shtml

If you have any questions on ftimes, you can email me directly. I support and contribute to the project.

---
Andy
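The compare step shown above, and the "--compare none+md5" variant Andy mentions elsewhere in the thread, can be emulated offline to see what the map format and field masks actually do. This is an added example written for this page, not ftimes' own code: it parses the pipe-delimited map layout quoted above, expands the all/none +field/-field mask syntax, and emits the same category|name|changed|unknown report. It assumes names never contain a literal '|' and treats a field collected on only one side as 'unknown'; the sample maps are constructed (the /tmp/err baseline md5 is the one quoted in the post).

```python
# Added example, not part of ftimes: a small re-implementation of its map-compare idea.
import re

# Constructed sample maps modelled on the format quoted in the thread.
BASELINE = """\
name|dev|inode|mode|nlink|uid|gid|rdev|atime|mtime|ctime|size|magic|md5
"/tmp/.snap"|1040|3|40775|2|0|5|3016|2006-02-21 08:05:29|2006-01-20 14:55:58|2006-01-20 14:55:58|512||DIRECTORY
"/tmp/err"|1040|5|100644|1|0|0|3024|2006-02-23 16:27:07|2005-07-09 00:30:26|2005-07-09 00:30:26|2698||6decb5604954792a16e0cdd22ff71cb5
"/tmp/gone"|1040|7|100600|1|0|0|3024|2006-02-23 16:27:07|2006-02-23 16:27:07|2006-02-23 16:27:07|17||0123456789abcdef0123456789abcdef
"""
SNAPSHOT = """\
name|dev|inode|mode|nlink|uid|gid|rdev|atime|mtime|ctime|size|magic|md5
"/tmp/.snap"|1040|3|40775|2|0|5|3016|2006-02-27 09:00:00|2006-01-20 14:55:58|2006-01-20 14:55:58|512||DIRECTORY
"/tmp/err"|1040|5|100644|1|0|0|3024|2006-02-23 16:27:07|2006-02-27 09:00:00|2006-02-27 09:00:00|2710|ASCII text|ffffffffffffffffffffffffffffffff
"/tmp/new.log"|1040|9|100644|1|0|0|3024|2006-02-27 09:00:00|2006-02-27 09:00:00|2006-02-27 09:00:00|40||00000000000000000000000000000000
"""

def parse_map(text):
    """Return (field names, {quoted name: {field: value}}) for one map file."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split("|")
    records = {}
    for line in lines[1:]:
        values = line.split("|")  # assumption: names never contain a literal '|'
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rec = dict(zip(fields, values))
        records[rec["name"]] = rec
    return fields, records

def parse_mask(mask, fields):
    """Expand an ftimes-style mask such as 'all-atime-magic' or 'none+md5'."""
    comparable = [f for f in fields if f != "name"]
    m = re.fullmatch(r"(all|none)((?:[+-]\w+)*)", mask)
    if not m:
        raise ValueError(f"bad mask: {mask!r}")
    selected = set(comparable) if m.group(1) == "all" else set()
    for sign, field in re.findall(r"([+-])(\w+)", m.group(2)):
        if field not in comparable:
            raise ValueError(f"unknown field in mask: {field}")
        (selected.add if sign == "+" else selected.discard)(field)
    return [f for f in comparable if f in selected]  # keep map column order

def compare_maps(baseline, snapshot, mask="all-atime-magic"):
    """List (category, name, changed, unknown) rows: N new, M missing, C changed."""
    bfields, brecs = parse_map(baseline)
    sfields, srecs = parse_map(snapshot)
    if bfields != sfields:
        raise ValueError("baseline and snapshot collected different fields")
    fields = parse_mask(mask, bfields)
    rows = []
    for name in sorted(set(brecs) | set(srecs)):  # sorted for a deterministic report
        if name not in brecs:
            rows.append(("N", name, [], []))
        elif name not in srecs:
            rows.append(("M", name, [], []))
        else:
            changed, unknown = [], []
            for f in fields:
                b, s = brecs[name][f], srecs[name][f]
                if b == "" or s == "":
                    if b != s:
                        unknown.append(f)  # value collected on one side only
                elif b != s:
                    changed.append(f)
            if changed or unknown:
                rows.append(("C", name, changed, unknown))
    return rows

def format_report(rows):
    out = ["category|name|changed|unknown"]  # same layout as the ftimes output above
    for cat, name, changed, unknown in rows:
        out.append(f"{cat}|{name}|{','.join(changed)}|{','.join(unknown)}")
    return "\n".join(out)
```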
Re: Deployment
On Feb 27, 2006, at 10:53, Ben Scott wrote:
> - BIOS password
> - Disable boot from non-HD in BIOS
> - Boot loader password and restrictions

I haven't worked with MV before, so
* are these MV requests?
* would MV hit a reset button and choose a kernel if we got into a bind?

The theory being, let's not secure the box such that someone has to drive in if a kernel update goes bad and there's another option.

Assuming MV has access control to their server room, backups and auditing may be better than securing against physical attack. The determined attacker can always just steal a RAID drive.

-Bill

-
Bill McGonigle, Owner                  Work: 603.448.4440
BFC Computing, LLC                     Home: 603.448.1668
[EMAIL PROTECTED]                      Cell: 603.252.2606
http://www.bfccomputing.com/           Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
Pre-deployment security (Tripwire, etc.)
Hi all,

A good thing to do would be to use Tripwire or similar to build a "known good" database of file signatures prior to deployment. When it comes to intrusion detection and compromise recovery, this is the only way to be sure.

I did some work with Tripwire and alternatives a few years ago, although I haven't touched it recently. Anyone want to toss out alternatives/suggestions/best practices/etc?

--
Ben
Deployment
Hi everybody (Hi Dr. Nick!),

As Bruce rightly points out, time is running short. The server now known as "liberty" appears to be operating okay and nobody's screamed in pain yet, so I guess we can use the existing install "as is" if we have to. If anyone wants major changes in system configuration, speak now.

What do we need to get done before we install it at the ISP, and thus release physical control of and access to the box?

- BIOS password
- Disable boot from non-HD in BIOS
- Boot loader password and restrictions
- Strong root password (currently non-trivial but still too easy)
- Confirm RAID boot works
- Any firewall hardening?
- Tripwire/etc (filesystem IDS)?
- PortSentry or the like?

Anything else?

--
Ben
FWD - IDC seeking Linux deployment info
Forwarded from [EMAIL PROTECTED]:

On behalf of a major IT research company, I am seeking to interview IT managers at companies using Linux on the desktop. I would like to ask qualified respondents questions about Linux implementations, costs, downtime, etc.

If you are interested in being part of this survey, please send me your name, email, company, phone (optional), # of Linux desktops, and whether they're managed or unmanaged. Confidentiality guaranteed. We will pay cash for qualified interviews. There is also a drawing for a digital camera or DVD player.

Many thanks,
David <[EMAIL PROTECTED]>