[SLUG] Editing python scripts in emacs

2001-02-28 Thread Ken Caldwell

I'm trying to learn python and was planning to edit some python scripts
using emacs.  The box I will be using is running Debian unstable.
Emacs does not seem to have a python mode.  I assume such exists? What
packages should I look for?

At the moment dpkg -l shows emacs20 and emacsen-common installed.  I did
not see any packages containing "emacs" and "python". What should I be
looking for?

TIA

Ken

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



[SLUG] Weird MASQ issue...

2001-02-28 Thread Marty Richards

Hi Sluggers,

This is a weird one. Any thoughts/speculation appreciated.
 
A client is using a Slackware 7.1 machine as a firewall and IP-Masq
connection for their internal network. It's clean and simple, using an
identical build as a dozen others which are running properly.

UDP and ICMP are masquerading happily

TCP is being weird.

From the servers and a few workstations it works properly.

From other workstations the IP address in the TCP header is being
re-written, or mangled, to a particular IP and port. ie, telnet anywhere
results in a packet going through the firewall to a very specific IP and
port, every time.

There is no routing or routers on the internal network.

There are 2 hubs (2803's) and 1 switch (3com). For a while I thought
anything connected to the switch was working while the hubs were mangling,
but I have since proved this false - at least one workstation connected
directly to the switch has the same problem, although most don't.

The switch is a 3com, couple years old by looks. I didn't note the model
number ;(  My current guess is that the switch has been configured to
redirect any TCP connection from most of its switched ports to this
particular IP/port... does anyone know if this can be done with 3com? Are
they capable of playing layer 4 games like this? 

Any other guesses? There doesn't appear to be any other devices involved...
unless something is hiding in the roof, which is possible. 

Tomorrow I'll be taking my Slackware notebook and getting some real details
from various points on the network.

Thanks!
 
Cheers,
Marty




RE: [SLUG] Security Breach

2001-02-28 Thread Sean Carmody

> This occurred to me as well last night - I think around 3am. Similarly, it
> was discovered because the mail destination domain could not be found.
> However, I think this is because somewhere in the process of getting in,
> they broke my local named (I wasn't working in the morning) - that or
> somewhere upstream someone hurt DNS - I was getting a lot of "Lame server
> errors". The email contained the output of ifconfig and the contents of
> /etc/passwd and /etc/shadow.

My local named seemed ok. Contents of my email exactly as you describe.

> The ISP I was on was Telstra bigpond - if it's the same, maybe they were
> scanning that range of addresses.

I was on ihug.

> The other change I found was the following entry on the end of
> /etc/inetd.conf:
> 1008 stream tcp nowait root /bin/sh sh
>
> which you may want to check for and remove/comment.

That's in mine too! Now commented.

> I am thinking it could have been the BIND exploit coming active, but not
> sure (I haven't upgraded yet, and my listen-on clause was broken -
> now fixed not to listen outside).
>
> The fact that they edited /etc/inetd.conf and cat-d shadow indicates root
> privileges. However, there doesn't seem to be any evidence of things inside
> or other changes, so possibly a buffer of exploit type deal?
>
> I run RH6.2 btw :)

So do I.

> The only services I had running out of inetd were ftp, telnet and auth
> (first 2 are shut down until I get home to tighten things) - not portmap.
>
> Makes you wonder if one should send an edited email with prepared IP and
> ready a box to trace what happens :)

Was your email also addressed to [EMAIL PROTECTED]?


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
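
A check for the kind of `/etc/inetd.conf` entry reported in this thread (a numeric service whose server program is `/bin/sh`), as an added example that is not part of the original messages. The function names, the list of shell names and the sample file are assumptions made for illustration; the sample is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): flag inetd.conf entries that attach a
# shell to a network port, like the line quoted in the message above.
# inetd.conf fields:
#   service socket-type protocol wait-flag user server-path args...

# scan_inetd FILE
# Prints one finding per line as "<line-number>:<reason>:<entry>".
scan_inetd() {
    awk '
        BEGIN {
            # Basenames treated as interactive shells (assumed list).
            n = split("sh bash ash dash csh tcsh ksh zsh", s, " ")
            for (i = 1; i <= n; i++) is_shell[s[i]] = 1
        }
        # Skip comments (including entries already commented out),
        # blank lines and lines too short to be a service entry.
        /^[ \t]*#/ || NF < 6 { next }
        {
            prog = $6
            sub(/.*\//, "", prog)            # basename of the server path
            # When the server is the tcpd wrapper, the program that really
            # runs is the first argument.
            if (prog == "tcpd" && NF >= 7) {
                prog = $7
                sub(/.*\//, "", prog)
            }
            if (prog in is_shell)
                print NR ":shell-server:" $0
            else if ($1 ~ /^[0-9]+$/)
                # A raw port number instead of a name from /etc/services
                # is unusual and worth a manual look.
                print NR ":numeric-service:" $0
        }
    ' "$1"
}

# write_sample FILE
# Writes a constructed inetd.conf for trying the scan offline.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf, not taken from a real host
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
#1008 stream tcp nowait root /bin/sh sh
8765 stream tcp nowait nobody /usr/local/bin/statusd statusd
1008 stream tcp nowait root /bin/sh sh
EOF
}

# Stand-alone use: sh scan_inetd.sh /etc/inetd.conf
if [ "$#" -gt 0 ]; then
    scan_inetd "$1"
fi
```

An entry that is commented out is not reported, so a clean result after editing the file still leaves inetd to be told to reread its configuration.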



Re: [SLUG] Silly eth question.

2001-02-28 Thread Jobst Schmalenbach

On Thu, Mar 01, 2001 at 04:40:26PM +1100, Ken Yap ([EMAIL PROTECTED]) wrote:
> |> Cost cutting.
> |
> |buhahahaha, you gotta be kiddin`
> |a flimsy piece of sticky tape with a few numbers on it?
> 
> Obviously you have no idea how these things are made. The PCBs are assembled

Actually I do! The last thing I was doing at Uni was a PhD in
"Computer Systems and Electronics" and I have made so many circuit boards
that sometimes I get hold of a board and I am surprised I made that and
I have visited so many manufacturers of boards that I don't even remember
their names and what they actually did.

> by machine. The surface mount components are deposited on the PCB, the

[snip]

> Now if you wanted to put the MAC address and bar code on a sticker,
> you'd need another machine to print and attach the sticker. When you are

No you don't, the station where the eeprom is burned can produce a sticker
by simply attaching a little "sticker printer" to it (seen that). Considering
what this would cost divided by the amount of network cards produced you would
end up with 10c per card.

> a Taiwanese manufacturer turning out these things for $10 each (the
> other $10 goes to profit and middlemen), an extra 20c makes a
> difference. Look, some of these mfrs don't even give you a floppy, they
> expect that the driver will be already with the OS, or you get it from
> their web site.

I don't think it's the guys from the production line who DON'T want to do it.
I believe it's that most people don't care about it anymore .. aka PNP

I just had a look at a bunch of cheap cards (all RTL8XXX based) made in
China and Taiwan. All of them have a lot of other info like

 * part number sticker
 * production date sticker
 * some "OK" sticker
 * type sticker
 * complies with .
 * batch number

but no MAC address.


I have seen that info missing on some of the more expensive (aka brand) models, too.

They are missing on all of the XIRCOM cards (I currently can only look at 3)
but that might be for security reasons.



jhs






-- 
If proof denies faith, and uncertainty denies proof, then uncertainty is proof of 
God's existence.

|__, Jobst Schmalenbach, [EMAIL PROTECTED], Technical Director|
|  _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L  |
|-(_)--(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia|




Re: [SLUG] Silly eth question.

2001-02-28 Thread Ken Yap

|> Cost cutting.
|
|buhahahaha, you gotta be kiddin`
|a flimsy piece of sticky tape with a few numbers on it?

Obviously you have no idea how these things are made. The PCBs are assembled
by machine. The surface mount components are deposited on the PCB, the
larger chips held in place with dabs of temporary glue, solder paste is
deposited at the pads and the whole thing is put under high temperature
to melt the solder and make the joints. The NIC then goes into another
station where the MAC address is written into the serial EEPROM
automatically. This can be done in situ, the NIC controller chips have a
feature where you can program the EEPROM and then disable further access
to it by writing a particular location of the EEPROM.

Now if you wanted to put the MAC address and bar code on a sticker,
you'd need another machine to print and attach the sticker. When you are
a Taiwanese manufacturer turning out these things for $10 each (the
other $10 goes to profit and middlemen), an extra 20c makes a
difference. Look, some of these mfrs don't even give you a floppy, they
expect that the driver will be already with the OS, or you get it from
their web site.

If you pay for a name brand like 3Com or Intel you will get a sticker.
Sysadmins with a bar code wand can read the product code and MAC address
into their assets database. But forget any idea of trained gorillas
putting stickers on the cheap models.




Re: [SLUG] Silly eth question.

2001-02-28 Thread Jobst Schmalenbach

On Thu, Mar 01, 2001 at 02:18:27PM +1100, David Kempe ([EMAIL PROTECTED]) wrote:
> > On Thu, Mar 01, 2001 at 01:48:47PM +1100, Ken Yap ([EMAIL PROTECTED]) wrote:
> > > |I have seen lots of cards around from lots of different companies.
> > > |I know that a while ago every company used to mark their cards with
> > > |the mac address, I don't know why they don't do that anymore.
> > >
> > > Cost cutting.
> >
> > buhahahaha, you gotta be kiddin`
> > a flimsy piece of sticky tape with a few numbers on it?
> 
> the cost would be in the manufacturer actually having to find out what the
> mac addr is and then having to make sure the right label got on the right
> card. I reckon this would add some cost for sure. without cost cutting how
> could we get new, working 10/100 sub $20 network cards?

I can only think of a few ways of making up an address on a card:

 * PROM (the circuitry inside determines the address)
 * resistors (connected==1, not connected==0) which are connected to
   the main chip making up the last parts of the mac address.
 * switch (not feasible as one could change it)
 
In the PROM case during the burning of the chip the number could be burned
on top of the chip (as it used to be) or, alternatively, a little printer
connected to the (e)eprom burner could print out the number and stick it
onto the chip.

costs? 10c.



-- 
If a pig loses its voice, is it disgruntled?

|__, Jobst Schmalenbach, [EMAIL PROTECTED], Technical Director|
|  _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L  |
|-(_)--(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia|




[SLUG] Free LinuxExpo Tickets

2001-02-28 Thread Crossfire

Ok,

I have a small pile of Free LinuxExpo Tickets to give away!

The only catch22, you have to come to North Sydney before the expo to
collect them.

Priority is given to SOs and other attached people of people who are
volunteering, otherwise it's open season.

If you want some tickets, please email me, and I'll send you the
address of my workplace and my mobile number so you can collect them
from me.

Afterhours collection is also negotiable - yet again, around the North
Sydney area.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--




Re: [SLUG] [OT] Fixed IP ADSL

2001-02-28 Thread John Ferlito

On Thu, Mar 01, 2001 at 02:16:55PM +1100, David Kempe wrote:
> > They'll route the /24 to you. You will also need to tell them to turn
> > the tran proxy off for your /24.
> 
> 
> They will give you a fixed IP but they won't route the /24 for you.
> We have tried that for a client of ours and pacific refused to do it after
> much deliberating. Perhaps it will happen in the future but they wouldn't do
> it. We have contacts in corporate sales and the technical people here in
> sydney and both were unwilling to route anything but 1 ip.
> If you have any tips on how to kick it through em I would appreciate it :)

I've been told that after beating telstra about the head a bit
and getting some documentation out of them that they now know how to
route more than 1 ip address. So should be doing it now or shortly. I
think one of our customers was going to be the test case until telstra
decided that they'd run out of ADSL ports in that exchange.


-- 
John Ferlito
Senior Engineer - Bulletproof Networks
ph: +61 (0) 410 519 382
http://www.bulletproof.net.au/




RE: [SLUG] Silly eth question.

2001-02-28 Thread David Kempe

> On Thu, Mar 01, 2001 at 01:48:47PM +1100, Ken Yap ([EMAIL PROTECTED]) wrote:
> > |I have seen lots of cards around from lots of different companies.
> > |I know that a while ago every company used to mark their cards with
> > |the mac address, I don't know why they don't do that anymore.
> >
> > Cost cutting.
>
> buhahahaha, you gotta be kiddin`
> a flimsy piece of sticky tape with a few numbers on it?

the cost would be in the manufacturer actually having to find out what the
mac addr is and then having to make sure the right label got on the right
card. I reckon this would add some cost for sure. without cost cutting how
could we get new, working 10/100 sub $20 network cards?

dave





RE: [SLUG] [OT] Fixed IP ADSL

2001-02-28 Thread David Kempe

> They'll route the /24 to you. You will also need to tell them to turn
> the tran proxy off for your /24.


They will give you a fixed IP but they won't route the /24 for you.
We have tried that for a client of ours and pacific refused to do it after
much deliberating. Perhaps it will happen in the future but they wouldn't do
it. We have contacts in corporate sales and the technical people here in
sydney and both were unwilling to route anything but 1 ip.
If you have any tips on how to kick it through em I would appreciate it :)

Dave





RE: [SLUG] [OT] Fixed IP ADSL

2001-02-28 Thread Marty Richards

I was thinking about corporate.pacific.net.au, but haven't committed yet.
Anyone using Pacific? Fixed IP is not a problem there they tell me.

Cheers,
Marty

On Thursday, March 01, 2001 1:44 PM, Ian Ward [SMTP:[EMAIL PROTECTED]]
wrote:
> OK, I'm sick of waiting for Telstra Direct.
> 
> Anyone using any of the other carriers for ADSL?
> 
> I need fixed IP, I have a class-c that needs routing.
> 
> NO transparent proxies (like on telstra)
> 
> Ian.
> (why the @#$% do we have to drag our carriers kicking and screaming into the
> 21st century?  INTERNET connectivity in Australia is a joke)
> /rant... sorry. just had to get that off my chest




Re: [SLUG] Silly eth question.

2001-02-28 Thread Jobst Schmalenbach

On Thu, Mar 01, 2001 at 01:48:47PM +1100, Ken Yap ([EMAIL PROTECTED]) wrote:
> |I have seen lots of cards around from lots of different companies.
> |I know that a while ago every company used to mark their cards with
> |the mac address, I don't know why they don't do that anymore.
> 
> Cost cutting.

buhahahaha, you gotta be kiddin`
a flimsy piece of sticky tape with a few numbers on it?


jhs



-- 
Don't rejoice in his defeat, You men.  For though the world stood up and stopped the 
Bastard, the Bitch that bore him is in heat again. - Bertold Brecht.

|__, Jobst Schmalenbach, [EMAIL PROTECTED], Technical Director|
|  _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L  |
|-(_)--(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia|




Re: [SLUG] [OT] Fixed IP ADSL

2001-02-28 Thread John Ferlito

On Thu, Mar 01, 2001 at 01:43:34PM +1100, Ian Ward wrote:
> OK, I'm sick of waiting for Telstra Direct.
> 
> Anyone using any of the other carriers for ADSL?
> 
> I need fixed IP, I have a class-c that needs routing.
> 
> NO transparent proxies (like on telstra)
> 

Pacific Internet. 

They'll route the /24 to you. You will also need to tell them to turn
the tran proxy off for your /24.

-- 
John Ferlito
Senior Engineer - Bulletproof Networks
ph: +61 (0) 410 519 382
http://www.bulletproof.net.au/




Re: [SLUG] Silly eth question.

2001-02-28 Thread Ken Yap

|I have seen lots of cards around from lots of different companies.
|I know that a while ago every company used to mark their cards with
|the mac address, I don't know why they don't do that anymore.

Cost cutting.




[SLUG] [OT] Fixed IP ADSL

2001-02-28 Thread Ian Ward

OK, I'm sick of waiting for Telstra Direct.

Anyone using any of the other carriers for ADSL?

I need fixed IP, I have a class-c that needs routing.

NO transparent proxies (like on telstra)

Ian.
(why the @#$% do we have to drag our carriers kicking and screaming into the
21st century?  INTERNET connectivity in Australia is a joke)
/rant... sorry. just had to get that off my chest





Re: [SLUG] Silly eth question.

2001-02-28 Thread Jobst Schmalenbach

On Wed, Feb 28, 2001 at 04:09:44PM +1100, Crossfire ([EMAIL PROTECTED]) wrote:
> John Ferlito was once rumoured to have said:
> > On Wed, Feb 28, 2001 at 03:52:42PM +1100, Martin wrote:
> >> 2 ethernet cards, both Netgear FA310tx
> >> 
> >> both detected fine.
> >> 
> >> question is, is there any way to tell which physical card is eth0 and
> >> which is eth1 ?
> > 
> > I just usually plug some ethernet in and bring one device up and
> > swap the ethernet cable to work out which one it is. Then label it :)
> 
> Better way is to copy the hardware address onto the back of the card
> where you can see it, and check them against data from ifconfig.

Netgear provides the address already on the card, it's located where the
boot rom would be..

I have seen lots of cards around from lots of different companies.
I know that a while ago every company used to mark their cards with
the mac address, I don't know why they don't do that anymore.


jhs


-- 
A loving atmosphere in your home is the foundation for your life.

|__, Jobst Schmalenbach, [EMAIL PROTECTED], Technical Director|
|  _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L  |
|-(_)--(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia|




Re: [SLUG] Dual Screen Problem

2001-02-28 Thread Terry Collins

Peter Rundle wrote:
> 
> Sluggers,
> 
> How do I get gdm to display / work with a second physical screen?

No idea, but you start with defining the M screens & N adapters in
XF86Config.
Then I think it really depends on the apps ability to use M
screens/adapters.
> 
> I've just got off my butt and finally installed X 4.0.2. Put the
> beta drivers for my G400 in and plugged in the second screen.

I suggest searching the Slug archive on G400 and multiple monitors - I
hear a bell ringing  and it isn't the cat prancing across the backyard
{:-).

--
   Terry Collins {:-)}}} Ph(02) 4627 2186 Fax(02) 4628 7861  
   email: [EMAIL PROTECTED]  www: http://www.woa.com.au  
   WOA Computer Services 

 "People without trees are like fish without clean water"




[SLUG] RedHat 7 ppp scripts redialling even when brought down manually

2001-02-28 Thread San Chotai

Hi,

I am a relative newbie to linux. I have a RH 6.something server running
which has worked for quite a while - started playing around with rh7 on a
spare machine and this is the problem:

I need to set up a dial out line to the isp on a persistent basis. Normally
one would think that if you bring the conn down with ifdown ppp1 then it
should not redial.

Mine redials almost immediately - if you run ifdown ppp1 in quick succession
a few times (5-6) it eventually gets killed.

The rh7 scripts seem to be quite different and have a new beast called the
ppp-watch. For some reason this or pppd or wvdial restart the process
quicker than it can be killed.


I've tried setting wvdial.conf auto redial=off; used the pppd option
"holdoff 30" and tried the linuxconf configuration parameter disconnect
delay to 25 seconds.

If poss I'd like to stick with linuxconf or rh7 scripts because it makes it
easy to remember if the setup needs to be redone.

A workaround seems to be to add a couple of lines of kill -9 `cat
/proc/run/pppwatch-ppp1.pid` in a script just after the ifdown.

If anyone can help I would be most grateful.

San

[EMAIL PROTECTED]





Re: [SLUG] Security Breach

2001-02-28 Thread Martin

> I also tried to apply some "tight" ipchains rules but that
> seemed to stuff up pretty much everything so it's back out
> again for now until I work it out properly.

if you have problems getting ipchains rules right, have a look at
pmfirewall...

http://www.pointman.org

it is a script based ipchains ruleset that configures things according
to your answers to a series of questions during installation...

later
marty




Re: [SLUG] Security Breach

2001-02-28 Thread Dave Fitch

On Wed, Feb 28, 2001 at 01:51:08PM +, Simon Bowden wrote:
> However, I think this is because somewhere in the process of getting in,
> they broke my local named (I wasn't working in the morning) - that or
> somewhere upstream someone hurt DNS - I was getting a lot of "Lame server
> errors".

funny you should say that, my named was also dead yesterday
when I got home from work.  I checked over everything, all
the logs, any binaries changed etc etc and couldn't find
anything else at all suspicious.  I was however accidentally
running named on all interfaces so I changed it to just
lo and eth0.  I was also running portmap but stopped it and
everything still seems to work so I guess I don't need it.
And I installed all the relevant security updates from the
debian security site.

I also tried to apply some "tight" ipchains rules but that
seemed to stuff up pretty much everything so it's back out
again for now until I work it out properly.

If I have tcp wrappers controlling everything listening on
all ports (except ssh, apache and postfix), it should be
reasonably secure without ipchains firewalling right?

Dave.




[SLUG] Dual Screen Problem

2001-02-28 Thread Peter Rundle

Sluggers,

How do I get gdm to display / work with a second physical screen?

I've just got off my butt and finally installed X 4.0.2. Put the
beta drivers for my G400 in and plugged in the second screen.

"the" X display shows up on it, the mouse moves over to it I can 
put windows like xeyes on it with DISPLAY=mybox:0.1 etc. So all 
that's all sorted. But gdm/E etc just hangs on the first screen.

I looked at the gdm.conf file and now I'm lost, is it the
servers section at the bottom?

Thanks

Pete




Re: [SLUG] Silly eth question.

2001-02-28 Thread Antony Stace

Every ethernet card has a unique hardware address/name (in theory) known
as the MAC address of the card,
  
to find it for each card, boot the box with one ethernet card in, run

ifconfig

have a look at the part where it says HWaddr, this is the MAC address of
the card.


HWaddr, this is the unique name
Martin wrote:
> 
> Hi guys,
> 
> situation:
> 
> 2 ethernet cards, both Netgear FA310tx
> 
> both detected fine.
> 
> question is, is there any way to tell which physical card is eth0 and
> which is eth1 ?
> 
> and, will they always be detected in the same order ? (ie. so that eth0
> will always refer to the same physical card)
> 
> thanks
> marty




[SLUG] Re: Email and Virii

2001-02-28 Thread Angus Lees

\begin{John Ferlito}
> From
> From:
> Reply-To:
> X-Sender:

i'd go with "Errors-to:" (or whatever it is), then reply-to:, then
from:

should be the same as an mta error bounce.
(in fact, better would be to check this in the mta somehow, and just
give a 500 error - let the mta worry about how to report that)

-- 
 - Gus




Re: [SLUG] [OT] but most people will probably follow it

2001-02-28 Thread Rachel Polanskis

On 1 Mar 2001, Craige McWhirter wrote:

> http://www.userfriendly.org/static/

Not you (them) too?

Someone set us up the bomb?


rachel

-- 
Rachel Polanskis     Optus/Excite@Home
UNIX Administrator   100 Harris Street
IT Operations        Pyrmont, Sydney NSW
[EMAIL PROTECTED]    Ph: (+61 2) 900 51144





[SLUG] [OT] but most people will probably follow it

2001-02-28 Thread Craige McWhirter

http://www.userfriendly.org/static/


-- 

Cheers,
  Craige.




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli

> Stateful inspection is the only way to come remotely close to securing
> UDP without stepping to the point of not using it at all.

UDP == evil.

*grin*

(but this is getting way OT ;)



//umar.





Re: [SLUG] Re: Security Breaches

2001-02-28 Thread Umar Goldeli


dd will not affect the atimes on the files on the filesystem.

dd is your friend.

//umar.


> > Oh one more thing - it will alter the atime on /dev/sdb1 (or whatever) -
> > but that's not exactly going to be useful anyway.
> 
> If your backup software didn't preserve the atime then perhaps it's time
> to use something a little bit more sophisticated.






Re: [SLUG] Re: Security Breaches

2001-02-28 Thread Umar Goldeli

Bollocks.

Yes it's true that your kernel is suspect, but when you arrive at the
scene and want to preserve forensic data in a useful state, the last thing
you want to do is reboot.

It's a tradeoff. The main thing is to get a disk image. And chances are
that your statically compiled "dd" will work happily.

Then you run cryogenic or similar. If you're really keen, you get dumps of
ram and other goodies for some even keener person to fiddle with later.

After you have preserved your data, then you can think of rebooting.. in
fact, let me rephrase that, you don't reboot. You pull the plug. A lot of
the time, systems are triggered to hide traces etc if rebooted or shutdown
cleanly.

However, your course of action depends entirely on what your goals
are.. do you want to analyze data? Or do you just want to get back in
production in a clean state?

If it's the latter - you can ignore the CD anyway, because you need to
blow away the box WHOLE anyway. It can't be trusted anymore.


//umar.


> Umar Goldeli <[EMAIL PROTECTED]> wrote:
> >
> > Every admin should also have a statically compiled set of tools on CD
> > btw. Not only can binaries be trojaned, but so can libraries.
> 
> But the same thing can happen to the kernel...  Time to reboot with the CD.


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
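
The imaging step described in this message, as an added example that is not part of the original thread: `dd` reads the source once and the byte stream is hashed while it is being written, because a live disk can change before it could be hashed a second time. The function names, block size and the trusted-binary path in the comments are assumptions; `sha256sum` (or `shasum`) is assumed to be available.

```sh
#!/bin/sh
# Added example (not from the thread): image a source with dd and record the
# hash of exactly the bytes that were read.

# sha256_hex [FILE]
# Hex digest of FILE, or of standard input when no FILE is given.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi | awk '{print $1}'
}

# acquire_image SRC DEST [DD]
#   SRC   block device or file to image, e.g. /dev/sdb1
#   DEST  image file on separate storage, never on the disk being imaged
#   DD    path to a trusted, statically linked dd; hypothetical example:
#         /mnt/cdrom/bin/dd (defaults to the dd found in PATH)
# Writes DEST, DEST.ddlog and DEST.sha256, then prints the digest.
acquire_image() {
    src=$1 dest=$2 dd_bin=${3:-dd}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 2; }

    # Sector-sized blocks with conv=noerror,sync: an unreadable sector is
    # replaced by zeros so later data keeps its offset. dd's own report
    # (records in/out, errors) is kept in a log next to the image.
    stream_sum=$("$dd_bin" if="$src" bs=512 conv=noerror,sync 2>"$dest.ddlog" \
                 | tee "$dest" | sha256_hex) || return 1

    # Re-read what landed on the evidence storage; it has to match the
    # stream that came off the source.
    image_sum=$(sha256_hex "$dest") || return 1
    if [ "$stream_sum" != "$image_sum" ]; then
        echo "written image does not match the stream that was read" >&2
        return 1
    fi

    printf '%s  %s\n' "$image_sum" "${dest##*/}" > "$dest.sha256"
    chmod a-w "$dest" "$dest.sha256"
    printf '%s\n' "$image_sum"
}

# Stand-alone use: sh acquire_image.sh /dev/sdb1 /mnt/evidence/sdb1.img
if [ "$#" -ge 2 ]; then
    acquire_image "$@"
fi
```

Analysis is then done on copies of the image, each checked against the recorded digest with `sha256sum -c`.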



Re: [SLUG] Firewall security audit report

2001-02-28 Thread Crossfire

Umar Goldeli was once rumoured to have said:
> > Hence why you use stateful inspection firewalls, not ipchains.
> > ipchains is completely inflexible in this regard.
> 
> It works, but even so, let's face it, stateful inspection in regards to
> UDP is still a kludge. ;)

Stateful inspection is the only way to come remotely close to securing
UDP without stepping to the point of not using it at all.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--




[SLUG] sms messages

2001-02-28 Thread Jiannis Alexakis



hello,
glad to know you.
I'd like to know how could I send messages to 
mobile phone in Poland
 
Looking forward to hearing from you,
thank you in advance


Re: [SLUG] meeting tonight

2001-02-28 Thread Jeff Waugh



> Hey gang, Craige,

Um, that email was *meant* to go to the committee. I suck. There's nothing
to see here, move along.

- Jeff


-- [EMAIL PROTECTED] --- http://linux.conf.au/ --

  It's depressing to see such useful code wasted on such a useless  
  license.  




[SLUG] meeting tonight

2001-02-28 Thread Jeff Waugh

Hey gang, Craige,

I'm not sure I can come along tonight, I'm for lack of a better word, sick.
Great combination of lethargy and insomnia, which the doctor seems more
interested in than I (and I don't understand, no). Needled today. Blergh.

We're going to have to have another meeting (real or not) for the codefest
too anyway, which I think will need more involved organisation than the
installfest, plus with Jaime and the CompSoccers.

I'll email later if I can, but I probably shouldn't. Besides, I wouldn't
want to give Craige the satisfaction of drinking me under the table in this
state. ;)

Someone spam ctte back with notes please (preferably before the fest, Gus!)

- Jeff


-- [EMAIL PROTECTED] - http://lazarus.aphid.net/ --

   "Can we have a special TELSABUG category, and everything gets
 dropped to fix them first?" - Telsa Gwynne 




Re: [SLUG] Re: Security Breaches

2001-02-28 Thread Herbert Xu

Umar Goldeli <[EMAIL PROTECTED]> wrote:
>> BTW, when you do a backup to tape, would that not alter the atime?

> Oh one more thing - it will alter the atime on /dev/sdb1 (or whatever) -
> but that's not exactly going to be useful anyway.

If your backup software didn't preserve the atime then perhaps it's time
to use something a little bit more sophisticated.
-- 
Debian GNU/Linux 2.2 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Herbert Xu

chesty <[EMAIL PROTECTED]> wrote:
>
> It doesn't mention it in the report, but would mounting /home, /tmp and /var with 
> noexec help? It might stop a non root user from running their own programs, but it 
> won't stop root.

Unless used in conjunction with chroot, noexec is pointless on Linux.
-- 
Debian GNU/Linux 2.2 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt




Re: [SLUG] Re: Security Breaches

2001-02-28 Thread Herbert Xu

Umar Goldeli <[EMAIL PROTECTED]> wrote:
>
> Every admin should also have a statically compiled set of tools on CD
> btw. Not only can binaries be trojaned, but so can libraries.

But the same thing can happen to the kernel...  Time to reboot with the CD.
-- 
Debian GNU/Linux 2.2 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt




Re: [SLUG] Silly eth question.

2001-02-28 Thread Howard Lowndes

Yes same here.  The first card detected was io=0x6100 irq=11 and the next
card detected was io=0x6200 irq=10.  This is on Linux as well.

-- 
Howard.

LANNet Computing Associates 
"...well, it worked before _you_ touched it!"   --me
"I trust just one person,
 and there are times when I don't even trust myself"
--me

On Wed, 28 Feb 2001, Jon Biddell wrote:

>
> I've had this happen when doing an Evilware/NT installation, and after some
> examination, it turned out that the two cards (identical Netelligent's) were
> detected in this order;
>
> Lower memory address was detected first, then lower IRQ if memory addresses
> were the same (stupid, I know)...
>
> Then again, this was EvilWare - YMMV.
>
>





[SLUG] Why you should be using ekepoint...

2001-02-28 Thread Jeff Waugh

Why?

  http://www.microsoft.com/Windows/ie/security/powerpoint.asp

Where?

  http://ekepoint.sourceforge.net/


[ Conrad: Pantsmarks? Too much beer. ]

- Jeff


-- [EMAIL PROTECTED] --- http://linux.conf.au/ --

 She said she loved my mind, though by most accounts I had already  
  lost it.  




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli

> Hence why you use stateful inspection firewalls, not ipchains.
> ipchains is completely inflexible in this regard.

It works, but even so, let's face it, stateful inspection in regards to
UDP is still a kludge. ;)


//umar.





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli


You just missed Alan Cox by a few weeks I believe! :)

//umar.

> What sort of time/date/places do the Linux gurus, or those who others
> might consider to be gurus anticipate being around.  I anticipate I might
> have some beer money with me (8-)





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Crossfire

Howard Lowndes was once rumoured to have said:
> On Wed, 28 Feb 2001, Crossfire wrote:
>> Howard Lowndes was once rumoured to have said:
>>> Can you do stateful inspections on ntp though?  It runs on udp.  Is this
>>> possible?  You can define what servers you will accept ntp from, but
>>> surely the source IP could be easily spoofed anyway.  I don't know how you
>>> would go trying to do an auth transfer from, say, CSIRO.
>>
>> Yes.  NTP is a very simple protocol.
>>
>> You open the return path once you send the NTP "request" packet, and
>> close it within a reasonable timeframe.  If you're getting a large
>> number of reply packets any other time, you just block, and don't
>> open.
>
> I can see how this would be done if you were using something like cron,
> ipchains and ntpdate to query the server - something like "cron, include
> ipchain ACCEPT rule, ntpdate, sleep for a few seconds, delete ipchain
> rule", but what if you want to do the auto synch thing with your server as
> a strata server.  In this case the synch timing is handled by the ntpd
> daemon itself, or perhaps the ntpd daemon shouldn't be used like this.

Hence why you use stateful inspection firewalls, not ipchains.
ipchains is completely inflexible in this regard.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Crossfire

Howard Lowndes was once rumoured to have said:
> Can you do stateful inspections on ntp though?  It runs on udp.  Is this
> possible?  You can define what servers you will accept ntp from, but
> surely the source IP could be easily spoofed anyway.  I don't know how you
> would go trying to do an auth transfer from, say, CSIRO.

Yes.  NTP is a very simple protocol.

You open the return path once you send the NTP "request" packet, and
close it within a reasonable timeframe.  If you're getting a large
number of reply packets any other time, you just block, and don't
open.

Also, use the fact that ntpd permits multiple servers.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--
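
The reply-window behaviour described in the message above, as an added example (not code from the thread or from any firewall product): a small pseudo-state table that opens a return path when an NTP request leaves and closes it after one reply or a timeout. The 5-second window, the table size and the function names are assumptions; the address is a constructed documentation value.

```c
#include <stdint.h>
#include <stdio.h>

#define NTP_PORT     123
#define REPLY_WINDOW 5      /* seconds the return path stays open (assumed) */
#define MAX_PENDING  16

struct pending { uint32_t server; uint16_t lport; long sent; int used; };
static struct pending table[MAX_PENDING];

/* Outbound NTP request seen: open a return path for this server only. */
int note_request(uint32_t server, uint16_t lport, long now) {
    for (int i = 0; i < MAX_PENDING; i++) {
        struct pending *p = &table[i];
        if (!p->used || now - p->sent > REPLY_WINDOW) {
            p->server = server; p->lport = lport; p->sent = now; p->used = 1;
            return 1;
        }
    }
    return 0;               /* table full: fail closed, no path opened */
}

/* Inbound UDP packet: 1 = accept, 0 = drop. */
int allow_reply(uint32_t src, uint16_t sport, uint16_t dport, long now) {
    if (sport != NTP_PORT)
        return 0;
    for (int i = 0; i < MAX_PENDING; i++) {
        struct pending *p = &table[i];
        if (!p->used)
            continue;
        if (now - p->sent > REPLY_WINDOW) {   /* window lapsed: close it */
            p->used = 0;
            continue;
        }
        if (p->server == src && p->lport == dport) {
            p->used = 0;                      /* one reply per request */
            return 1;
        }
    }
    return 0;               /* unsolicited, late, or from another host */
}

int main(void) {
    uint32_t server = 0xC0000201u;            /* 192.0.2.1, constructed */
    note_request(server, 123, 100);
    printf("reply at t=102:  %d\n", allow_reply(server, 123, 123, 102));
    printf("second reply:    %d\n", allow_reply(server, 123, 123, 103));
    return 0;
}
```

The match is on addresses and ports only, so a forged packet carrying the queried server's address still passes if it arrives inside the open window; the state table shrinks that window to seconds per poll, and NTP authentication is what covers the rest.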




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Howard Lowndes

I can see how this would be done if you were using something like cron,
ipchains and ntpdate to query the server - something like "cron, include
ipchain ACCEPT rule, ntpdate, sleep for a few seconds, delete ipchain
rule", but what if you want to do the auto synch thing with your server as
a strata server.  In this case the synch timing is handled by the ntpd
daemon itself, or perhaps the ntpd daemon shouldn't be used like this.

-- 
Howard.

LANNet Computing Associates 
"...well, it worked before _you_ touched it!"   --me
"I trust just one person,
 and there are times when I don't even trust myself"
--me

On Wed, 28 Feb 2001, Crossfire wrote:

> Howard Lowndes was once rumoured to have said:
> > Can you do stateful inspections on ntp though?  It runs on udp.  Is this
> > possible?  You can define what servers you will accept ntp from, but
> > surely the source IP could be easily spoofed anyway.  I don't know how you
> > would go trying to do an auth transfer from, say, CSIRO.
>
> Yes.  NTP is a very simple protocol.
>
> You open the return path once you send the NTP "request" packet, and
> close it within a reasonable timeframe.  If you're getting a large
> number of reply packets any other time, you just block, and don't
> open.
>
> Also, use the fact that ntpd permits multiple servers.
>
> C.
>





Re: [SLUG] Silly eth question.

2001-02-28 Thread Jon Biddell

On Wednesday 28 February 2001 16:09, Crossfire wrote:
> John Ferlito was once rumoured to have said:
> > On Wed, Feb 28, 2001 at 03:52:42PM +1100, Martin wrote:
> >> 2 ethernet cards, both Netgear FA310tx
> >>
> >> both detected fine.
> >>
> >> question is, is there any way to tell which physical card is eth0 and
> >> which is eth1 ?

I've had this happen when doing an Evilware/NT installation, and after some 
examination, it turned out that the two cards (identical Netelligent's) were 
detected in this order;

Lower memory address was detected first, then lower IRQ if memory addresses 
were the same (stupid, I know)...

Then again, this was EvilWare - YMMV.




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Howard Lowndes

Digressing slightly from this track, but still to some extent relevant.

This country boy is planning on heading for the smoke for the Linux Expo.

What sort of time/date/places do the Linux gurus, or those who others
might consider to be gurus anticipate being around.  I anticipate I might
have some beer money with me (8-)

-- 
Howard.

LANNet Computing Associates 
"...well, it worked before _you_ touched it!"   --me
"I trust just one person,
 and there are times when I don't even trust myself"
--me





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Howard Lowndes

Can you do stateful inspections on ntp though?  It runs on udp.  Is this
possible?  You can define what servers you will accept ntp from, but
surely the source IP could be easily spoofed anyway.  I don't know how you
would go trying to do an auth transfer from, say, CSIRO.

-- 
Howard.

LANNet Computing Associates 
"...well, it worked before _you_ touched it!"   --me
"I trust just one person,
 and there are times when I don't even trust myself"
--me

On Wed, 28 Feb 2001, Crossfire wrote:

> This is what stateful inspection firewalls or very tight firewall
> rulesets are for.  Only accept NTP replies from systems you've
> queried, that way they have to compromise the time server(s) too.





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli

Or try two part authentication, a la SecurID.. or at least SNK (challenge
response) as a minimum.. it doesn't fix the problem, but makes it more
difficult.

//umar.

> the problem is not so much the key being in memory (it needs to get into
> memory if it's ever gonna go through the cpu) but that when that memory
> gets paged to disk it can potentially be read by someone else later; you
> don't want that key you've taken pains to put on CD to be sitting in the
> swap space of every box you use.
> 
> the software that accesses the data has to handle this. see mlock(2)
> 
> Conrad.
> 





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli

> There's no C compiler (but they could upload bins I suppose) but there is
> perl, I'll have to check if perl is needed. 

Uploading a compiler is hard.. why not upload a binary straight away? :)

But remember - if there are no ready tools, they'll find it very difficult
to readily suck a binary down in the first place.

> Unfortunately, at the moment it has a proxy running.

Eek. Put a proxy behind the firewall?

> > Agreed thoroughly about the turn off all listening services bit. :)
> 
> Sorry, did you say something?

When you're first setting up the box, make sure you Detonate(tm) all
listening services that you don't specifically want. The less ports
listening, the better ("none" is good. :)

> Printers run out of paper (printer DoS), with some printers you can reverse 

I like this one.. I can see a script kiddy doing that now.. :)

> the paper back and write over stuff making it unreadable.

Well the men in green have appropriate printers for the job with lackeys
always watching the paper etc.. but hey, this is not my ideal solution.. I
like trees.

//umar.





Re: [SLUG] Firewall security audit report

2001-02-28 Thread Umar Goldeli

> filtered, but that won't stop them. If a cracker wants to spend time rooting
> the firewall I wish them well, at least while they are trying to get root on
> the firewall, they aren't trying to attack other hosts.

This has nothing to do with man pages anymore but as an aside, you're
assuming that he wants to attack other boxes.. what about if he wants to
sit and sniff.. and later collect his goodies? How many admins check their
segments regularly for promisc interfaces (use switches to mitigate risks
please!)? It could be months before someone realises... and by then
they're most probably gone without a trace. Especially if they're looking
for something specific, in which case his strange tcpdump | grep combo
won't output much at all and he'll output it to "/dev/pty2345" which
won't grow beyond 2k in months etc..

Anyway, he'll need root to put ethx into promisc mode.. Or what if he
wants to modify data going through the firewall for his own purposes with
netsed or similar? Think of how many thousands upon thousands of
applications are poorly coded and will quite happily accept packets
modified in transit.. think online banking, think shopping apps, think
live stock feeds etc... sit there and modify the share price of BHP down
or up by 10% for a day.. and then switch it around the next day.. confuse
the hell out of people and cause them to make silly mistakes.. or fiddle
with the data feed of a large merchant bank you've taken the firewall
of.. hey, you can make money out of this.. 

Of course we're assuming lots and lots and lots of things here, but you
get the drift..

There are a myriad of scenarios here. Any time an attacker spends on
*any* of your boxes is Bad Karma(tm).

> > Correct. As well as seemingly harmless binaries like "uname" and even the
> > layout of the filesystem.
> 
> Removing uname isn't going to buy me much.
> find  /proc -exec less {} \;
> /proc is bad, mmmkay.

*grin*

> I've never tried to run a box without proc, I might give it a go.

Bad Karma(tm) if you're using the box as a "multiuser" box.. if you're
just running it as a firewall with no actual users doing stuff on the box
- you should be fine.. just don't try anything exciting.. :)

> You bring up a good point about ntp auth, obviously ntp will be
> filtered, but that won't stop forged packets (and unfortunately,
> neither will some of our routers (yet)). I wonder if someone could
> send bogus ntp packets and shift the time on the firewall?

If you're running the xntpd as a "broadcastclient" (which I've seen a lot
of people do, as they get the router on the segment to be an ntp master
and get it to broadcast).. then yes, very easy to set the time remotely.

However, if you're logging elsewhere, and they change your time, it
doesn't really matter, as the logs you'll have elsewhere will show that
the time looks "strange" (in fact the syslog on the remote
logging box will timestamp it itself and the box that's doing the logging
won't offer a timestamp at all).. 

However if you're strange/paranoid/etc you can get syslog to "mark" every
x minutes etc.. and gauge it that way.

(note that these aren't ideal situations, but ideas to aid).

//umar.






Re: [SLUG] Security Breach

2001-02-28 Thread Scott Howard

On Wed, Feb 28, 2001 at 12:47:18PM +1100, Adrian Chiang wrote:
> Robert Graham's website has some info on port 1024:
> http://www.robertgraham.com/pubs/firewall-seen.html
> 
> quoted below -
> "1024 - Many people ask the question what this port is used for. The
> answer is that this is the first port number in the dynamic range of ports.

This is for outgoing connections, not for incoming, as is the case here.

lsof -i  will tell you which process is using a port.

  Scott.




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Crossfire

chesty was once rumoured to have said:
> On Wed, Feb 28, 2001 at 10:49:32AM +1100, Umar Goldeli wrote:
>
> Removing uname isn't going to buy me much.
> find  /proc -exec less {} \;
> /proc is bad, mmmkay.
> 
> I've never tried to run a box without proc, I might give it a go.

It won't work very well.  A lot of stuff relies on /proc.

> > > We have been advised to run ntp on the firewall so log time stamps are in
> > > sync. Another potential access point.
> > 
> > Bind ntp to a particular interface and only allow port 123 from your ntp
> > server, also turn on the funky auth features (or you could do ipsec to
> > your ntp box ;) 
> 
> You bring up a good point about ntp auth, obviously ntp will be
> filtered, but that won't stop forged packets (and unfortunately,
> neither will some of our routers (yet)). I wonder if someone could
> send bogus ntp packets and shift the time on the firewall?

This is what stateful inspection firewalls or very tight firewall
rulesets are for.  Only accept NTP replies from systems you've
queried, that way they have to compromise the time server(s) too.

C.
-- 
--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--




Re: [SLUG] Firewall security audit report

2001-02-28 Thread Conrad Parker

On Wed, Feb 28, 2001 at 10:45:58AM +1100, Howard Lowndes wrote:
> I actually burn my private keys, locked with an access phrase, onto one of
> those credit card CDs, ...
> 
> This probably still doesn't overcome the problem of the CD image being
> carried in user memory space tho.
> 
> Anyone know how to stop the CD image being carried in memory space?

the problem is not so much the key being in memory (it needs to get into
memory if it's ever gonna go through the cpu) but that when that memory
gets paged to disk it can potentially be read by someone else later; you
don't want that key you've taken pains to put on CD to be sitting in the
swap space of every box you use.

the software that accesses the data has to handle this. see mlock(2)

Conrad.
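
What the pointer to mlock(2) in the message above amounts to in a program that handles key material, as an added example (not code from the thread): the buffer is locked before the key file is opened, the key is read with read(2) so no unlocked stdio buffer holds a copy, and the buffer is wiped before it is unlocked. The 4096-byte limit, the function names and the `demo_use` consumer are assumptions made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

#define KEY_MAX 4096
static unsigned char keybuf[KEY_MAX];     /* the only copy of the key we hold */
static size_t demo_len;                   /* set by the stand-in consumer */

/* Hypothetical consumer: a real program would decrypt or sign here. */
void demo_use(const unsigned char *key, size_t n) { (void)key; demo_len = n; }

/* Overwrite through a volatile pointer so the compiler cannot drop the wipe. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* 1 if the key buffer holds no residue. */
int key_buffer_is_clear(void) {
    for (size_t i = 0; i < KEY_MAX; i++)
        if (keybuf[i]) return 0;
    return 1;
}

/* Load key material from path into locked memory, pass it to use(), then
 * wipe and unlock. Returns the bytes read, or -1 on any failure; if the
 * pages cannot be locked the key file is never opened. */
long with_locked_key(const char *path,
                     void (*use)(const unsigned char *, size_t)) {
    struct rlimit no_core = { 0, 0 };
    long n = -1;

    setrlimit(RLIMIT_CORE, &no_core);      /* a core dump also lands on disk */
    if (mlock(keybuf, sizeof keybuf) != 0) /* fail closed (EPERM, ENOMEM) */
        return -1;

    int fd = open(path, O_RDONLY);         /* read(2), not stdio: a FILE */
    if (fd >= 0) {                         /* buffer would not be locked  */
        ssize_t got = read(fd, keybuf, sizeof keybuf);
        close(fd);
        if (got > 0) {
            use(keybuf, (size_t)got);
            n = (long)got;
        }
    }
    wipe(keybuf, sizeof keybuf);           /* wipe first, then unlock */
    munlock(keybuf, sizeof keybuf);
    return n;
}

int main(int argc, char **argv) {
    long n = with_locked_key(argc > 1 ? argv[1] : "key.bin", demo_use);
    printf("key bytes handled: %ld\n", n);
    return n < 0;
}
```

mlock can fail when the process's locked-memory limit (RLIMIT_MEMLOCK) is too low or it lacks the privilege to lock pages, which is why the function refuses to load the key in that case instead of continuing with pageable memory.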
