Re: [vox-tech] Before I do this...

2002-03-25 Thread Peter Jay Salzman

begin Rusty Minden [EMAIL PROTECTED] 
 For what my limited advice is worth I would start by checking the install. Is 
 it partitioned properly IE is /var and / on separate partitions this is a pet 
 peeve of mine I like to start with proper partitioning, but that is only my 
 opinion. 

good advice, but i think you mean ie instead of IE, which could be
interpreted as something else.  ;)

 Check your system for proper patches and keep it to a minimum.

* actually, go hog wild on proper patches.  don't stop installing them,
  and keep on installing them until you've installed ALL of them.  :)

* keep /functionality/ to a minimum (which is what rusty was saying).
  this is pretty standard stuff:
  don't enable cgi's or SSI unless you use them.  don't load apache
  modules you won't use.  many distros turn everything on but the
  kitchen sink by default.

* disable directory browsing so people can't look at what files you have.

* install portsentry, at least for a few months just so that you educate
  yourself on what nasty traffic you have.  key point: DON'T FREAK OUT.
  you'll see lots of nasty stuff.  mostly doorknob twisting that you
  really don't need to care about.  but you should at *least* be aware
  of.

  once you have the ability to look at your portsentry logs and not want
  to vomit your breakfast all over your keyboard, then you can uninstall
  portsentry.

* use a log reader.  i use logcheck based on jeff's advice.  it's pretty
  good, but i don't think the filtering works 100% as advertised.

 The more 
 software you have installed the more can go wrong IE less is better than more 
 :-) Other than that keep good logs and check them monitor your traffic and 
 use programs like ntop to monitor your network flow and saint to look for 
 security holes like unused ports.

* yes.  use saint, or even better, nmap.  saint is kind of over the hill
  and not maintained well.  nmap is pretty much the de facto standard.

* other things you CAN use are cops and tara (both very out of date).

 You may also want to look into a good 
 security book. LUGOD has one that I donated a while back and I have Hack 
 Proofing LINUX by Syngress Press. I was impressed with it personally. Look 
 at http://www.nerdbooks.com for other good books Dave has a great book store.

excellent advice.  all the advice in the world can't equal reading a
good book.  and nerdbooks.com is the best place to go.  they're linux
friendly, lugod friendly and has an incredible assortment of books.

security is a tug of war between a tight system vs convenience and time
you want to spend thinking about security.  no clear cut value of how
much is enough.  but i think everything i mention here is prolly more
than enough for a home adsl user.

also, go to the vox-tech archives and read about mark kim's hacking
project he did for a class at ucdavis.  imho, it's in the top 10 best
posts ever made to vox-tech.

pete
___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech



Re: [vox-tech] Before I do this...

2002-03-25 Thread Rod Roark

On Monday 25 March 2002 12:44, Rusty Minden wrote:
 ... Is it partitioned properly IE is /var and / on separate
 partitions this is a pet peeve of mine...

I'm just curious to know why you feel so strongly about this.
I've heard it before and tend to think it's a good idea, but
never thought it was *that* big a deal.

-- Rod
   http://www.sunsetsystems.com/



Re: [vox-tech] Before I do this...

2002-03-25 Thread Rod Roark

OK, thanks.  I work with a lot of different distribution releases
and like to put all the distribution-specific stuff in one
partition, and things like /home and /opt and /tmp elsewhere.

Since /var is more or less distribution-specific I tend to leave
it in the root filesystem for my own use.  It's just a 
convenience thing.

Cheers,

-- Rod
   http://www.sunsetsystems.com/

On Monday 25 March 2002 13:34, Rusty Minden wrote:
 It is not hard to fill a computer with a load of crap. When a partition
 is filled you can not do much with it until you get rid of the crap that
 has it filled like core dumps or like a recent problem a program taking
 up a lot of space. Partitioning a hard drive for proper use is easy and
 results in more security. I go a little overboard, but I like it that
 way. I have /var separate / separate /usr separate /opt separate (I use
 SuSE) /home separate (making upgrades nice I usually do not lose data
 when upgrading or even when trying out a new distro like Mandrake 8.2
 (IMHO a real dog). I also keep a partition /local that I have all of my
 iso's for the IF in.

 Beyond that I have read several times to do it so I do. I have done so
 since my second install and have not been unhappy with this decision. I
 have had an instance when /var was filled and I could not mount it. So I
 mounted it manually and removed a few of the backup files in /var that
 SuSE put there and I was off and running again in no time.

 Rusty

 On Monday 25 March 2002 01:09 pm, you wrote:
  On Monday 25 March 2002 12:44, Rusty Minden wrote:
   ... Is it partitioned properly IE is /var and / on separate
   partitions this is a pet peeve of mine...
 
  I'm just curious to know why you feel so strongly about this.
  I've heard it before and tend to think it's a good idea, but
  never thought it was *that* big a deal.
 
  -- Rod
 http://www.sunsetsystems.com/



[vox-tech] how to be not nice within C

2002-03-25 Thread Peter Jay Salzman

is there a way for an executable written in C to change its own nice
value?

is there a system call that does this sort of thing?

pete



Re: [vox-tech] how to be not nice within C

2002-03-25 Thread Peter Jay Salzman

DOH!!!

why oh why does man 1 nice have to come before man 2 nice?!?   ;-)

thanks, bill!

pete


begin nbs [EMAIL PROTECTED] 
 On Mon, Mar 25, 2002 at 05:43:54PM -0800, Peter Jay Salzman wrote:
  is there a way for an executable written in C to change its own nice
  value?
  
  is there a system call that does this sort of thing?
 
 As seen in man 2 nice:



Re: [vox-tech] how to be not nice within C

2002-03-25 Thread nbs

On Mon, Mar 25, 2002 at 05:57:02PM -0800, Peter Jay Salzman wrote:
 DOH!!!
 
 why oh why does man 1 nice have to come before man 2 nice?!?   ;-)
 
 thanks, bill!

Yeah.  Irritating.  Every time I want to man printf, I always end up
with the shell 'printf' program's man page, not the C library one. ;)

-bill!
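
Added example, not part of the original thread: the nice(2) call the replies point to, used by a C program on itself. It shows the one trap in that interface: -1 is a legitimate return value, so errno has to be cleared first and checked afterwards. The helper names `current_nice` and `renice_self` are hypothetical.

```c
#define _DEFAULT_SOURCE          /* expose nice() under strict -std= modes */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Read this process's current nice value.
 * getpriority() may legitimately return -1, so errno is the error signal.
 * Returns 0 and stores the value in *out, or -1 with errno set. */
int current_nice(int *out)
{
    errno = 0;
    int value = getpriority(PRIO_PROCESS, 0);   /* who = 0: calling process */
    if (value == -1 && errno != 0)
        return -1;
    *out = value;
    return 0;
}

/* Add `increment` to this process's nice value with nice(2).
 * A positive increment (lower priority) works for any process and is
 * clamped at the maximum; a negative one fails without privilege.
 * The result is read back with getpriority() rather than trusted from
 * nice(), because some older C libraries returned 0 on success. */
int renice_self(int increment, int *out)
{
    errno = 0;
    int value = nice(increment);
    if (value == -1 && errno != 0)
        return -1;
    return current_nice(out);
}

int main(void)
{
    int before, after;
    if (current_nice(&before) != 0 || renice_self(5, &after) != 0) {
        fprintf(stderr, "nice: %s\n", strerror(errno));
        return 1;
    }
    printf("nice value: %d -> %d\n", before, after);
    return 0;
}
```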



Re: [vox-tech] need to debug boot crash

2002-03-25 Thread eric nelson

ME wrote:

 On Sun, 24 Mar 2002, eric nelson wrote:
  First, something about mount program didn't pass correct address, then
  RPC: sendmsg returned error 101
  nfs: RPC call returned error 101
   over and over
 
  There are so many errors, that I can't scroll back.  I'll need to redo
  the kernel w/ the option Peter Jay Salzman mentioned.
 
  I'm not doing the kind of mount straight from the bios, but I want to
  learn how to do that one, later.  I have a boot floppy which loads a
  kernel, then gets an address from dhcp server, then mounts on nfs.
  I'm sure the problem is in init scripts, or fstab or something.
 
  It's good to know someone is doing this, it's a great approach.

 First, check out the netboot howto/docs.

 Second, make sure the server is exporting the filesystems in question on a
 non-netbooting box/session with normal
 # mount -t nfs host.name:/export/path /local/mount/point

 Why? You can make sure the server's /etc/hosts.[allow||deny] is set up in
 such a way to allow portmap and nfs stuff from a client's IP address to
 work.

 If that works, then try to test the next step. Start up a netbootable
 kernel with loadlin or lilo (special entry on a disk-booting system) to
 tell it to netboot instead of use the local disk. Certainly, it will still
 grab a kernel from the local disk but should do the rest over the network
 like it was diskless.

 Checkout /usr/src/linux/Documentation/nfsroot.txt

 You should be able to add an entry to lilo.conf (or at the lilo
 prompt) like:

 (Use IP addresses to eliminate DNS as yet another piece to work out.)

 LILO:
 Boot: mykernel root=/dev/nfs nfsroot=IP.Addr.Of.Srvr:/path/to/root/export
 ip=client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf*

 *= See the above mentioned linux kernel doc for this line.

 It is a good idea to test with a hand-entered IP address for client and
 server as well as all other info to eliminate bootp/dhcp from the list of
 possible problems.

 And you could, of course, have added those items into a separate
 lilo.conf entry to save re-entry of those keystrokes every single time.

 If that works, then remove the client ip and let everything else be
 determined except for server ip,

 next drop server IP and let it all be dynamic, and then try to shift to
 let the special bootp/dhcp response include the nfsroot.

 (At this point, if all else works, then you would only be passing the:
 root=/dev/nfs
 )

 Next, if you want it to be true network booting (bootp/dhcp then tftp of
 kernel, and finally booting kernel get nfsroot and goes) then you will
 likely need some sort of modification to your final compiled kernel that
 would be dl via tftp (a boot strapper of sorts.) I use the netboot stuff
 with programmed EPROMS dropped into the ethernet cards. (
 http://sourceforge.net/projects/netboot )

Thanks for the major breakdown of the project.  It's going to take me a little
while to read these docs., and go through the whole process, but we want to use
this for two things:

1) testing an os we are putting together.  we can work on the os on a host
machine, then boot it on the target to test, so the target is a simple machine
and the host has full development environment.

2) we are developing a linux based product, which will net boot as an option,
so we need to understand the whole process very well.

I have read that people use this technique to boot multiple diskless
workstations.  Is that what you use it for?



 I have found testing each part, one-at-a-time save troubleshooting and
 leads to a steady advance to solutions.

 Of course, there is a great sense of accomplishment when you take a big
 project with lots of pieces, throw it all together and note that it all
 works the first time too. ]:

 -ME

 -BEGIN GEEK CODE BLOCK-
 Version: 3.12
 GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-) C++$() U$(+$) P+$+++
 L+++$(++) E W+++$(+) N+ o K w+$+ O-@ M+$ V-$- !PS !PE Y+ !PGP
 t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+++ h(++)+ r*? z?
 --END GEEK CODE BLOCK--
 decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
