Re: [pptp-server] Debian source: GRE-patched traceroute_1.4a12
There is a rpm gre patched traceroute at http://home.swbell.net/berzerke

On Thursday 22 March 2001 21:13, Neale Banks wrote:
> This is the GRE(PPTP) patch from
>
> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
>
> hacked into traceroute_1.4a12 from unstable (builds happily on stable).
>
> The .dsc and .diff.gz are at
>
> http://www.planet.net.au/~neale/debian/traceroute-GRE/
>
> (you'll need traceroute_1.4a12.orig.tar.gz from a Debian mirror plus the
> usual tools to build the .deb).
>
> The README-GRE:
>
> ==
> GRE (PPTP) patched traceroute.
> ==
>
> This version of traceroute incorporates a patch to provide an option to
> use GRE packets (with PPTP-like payload).
>
> This functionality is useful for debugging internetworking that has the
> dubious feature of blocking GRE packets, and thus breaking GRE tunneling
> such as used by PPTP.
>
> The original patch is at:
>
> ftp://ftp.rubyriver.com/pub/jhardin/masquerade/pptp-traceroute.patch.gz
>
> It was hacked into the Debian package traceroute_1.4a12-3 by Neale
> Banks <[EMAIL PROTECTED]>
>
> IMPORTANT: Please do not worry Herbert Xu (maintainer of the official
> Debian traceroute package) about this hacked package.
>
> Neale Banks <[EMAIL PROTECTED]>
> March 2001
> ==
>
> As goes with this kind of thing: no warranties of any kind (express,
> implied or otherwise) - this is offered in the hopes that (a) somebody
> might find it useful and (b) somebody might find something I've
> overlooked.
>
> Regards,
> Neale.
>
> ___
> pptp-server maillist - [EMAIL PROTECTED]
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
Re: routing routable IPs over non-routable IPs
On Mon, 21 May 2001 13:46:14 +1000, Jeremy Lunn writes:
>I know this isn't Debian specific. But I'm just wondering if it's fine
>to route routable IP addresses over non-routable IP addresses.

Yes, although many would consider it bad practice (I am an example), because you'll face trouble when you have to debug something, and have non-routable IPs on some path.

>So is it just a matter of setting up something like
>/sbin/route -net 10.1.2.0/24 gw 172.16.5.2
>on the gateway?

Yes, but you should specify the netmask in 255.x.x.x-notation, route on linux sometimes tends to get classful when facing /-notation...

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Kernels 2.4.x for ISP ?
On Mon, May 21, 2001 at 06:56:28PM +0200, PiotR wrote:
>
> I manually upgraded the required programs.
>
> We didn't have any problems with the daemons we were running ( Squid, ircd,
> apache, proftpd... )

Interesting. We can't run Kernel 2.4.4 with Squid, as squid wants to use about 40% CPU which slows down the box way too much. Any suggestions anyone? When we boot back to a 2.2.19 kernel squid is fine again. I have also tried recompiling squid when a 2.2.4 kernel was running. There are no obvious log entries that point out the problem either.

It's Debian Potato with modutils and the like upgraded.

Regards,
Robert Davidson.
Re: routing routable IPs over non-routable IPs
On Tue, 22 May 2001 01:26:56 EDT, Chris Wagner writes:
>We should probably clarify "non-routable" by saying "non-publicly routable".

Well, we could also say RFC1918, couldn't we ;-?

>Routers have no concept of restricted ip ranges other than what is programed
>into them. As long as you are debugging from a place that "knows about"
>your private ip's, there shouldn't be a problem. At GE we cross privates to
>go from public to public all the time.

Well, there are several issues, none of them really bad, but if you want a clean setup..:
- DNS, you'll have to set up split DNS for your RFC1918- and external IPs
- in Real Life, you sometimes _will_ have to debug from the outside of your network
- in Real Life, someone else _will_ debug from the outside (and quite probably complain about the RFC1918-IPs or simply be fed up)

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: What Happened to ORBS?
(please don't send html-mails, thankyouverymuch)

On Tue, 05 Jun 2001 06:46:31 CDT, "s u r f l o r i d a" writes:
>Does anyone know what happened to http://www.orbs.org/ and the
>mail servers they had on their blacklist? Is someone taking it over?
>
>I have searched the news sites and have come up with nothing.

see attached mail.

cheers,
&rw

On Fri, 01 Jun 2001 17:44:11 EDT, "Noah L. Meyerhans" writes:
>On Fri, Jun 01, 2001 at 11:21:37PM +0200, Robert Waldner wrote:
>> On Fri, 01 Jun 2001 12:04:27 EDT, "Noah L. Meyerhans" writes:
>> >Does anybody know what happened to ORBS? http://www.orbs.org simply
>> >shows "Due to circumstances beyond our control, the ORBS website is no
>> >longer available." There's no further explanation.
>>
>> Well, according to Alan Brown they were "served with 2 NZ High court
>> injunctions ordering the removal of several ORBS listings against
>> sites inside New Zealand".
>>
>> I'd guess a connection there.
>
>I would think so as well, except for the fact that their database is
>still working. It seems that only their web server is down.
>
>It's odd.

Yup. Alan, would you care to comment?

cheers,
&rw
--
-- I think you should defend to the death their right to
-- march, and then go down and meet them with baseball bats.
-- [Woody Allen on the Ku Klux Klan]

/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: AT&T public router
On Wed, 27 Jun 2001 02:14:41 EDT, Chris Wagner writes:
>A while back, AT&T had a publicly accessible router for doing route lookups
>and stuff like that. It supposedly knew about the whole world. The special
>thing about this router was that you didn't need a user name or password to
>log on with. It just gave you the IOS prompt. I haven't been on this
>router for a long time and I can't remember the exact name of it. It was
>something like ip-router.att.net or route.world.att.net. Does anybody
>remember this thing and have the host name? Thanks.

Why not simply use one of the dozens of publicly available looking glasses instead?

www.traceroute.org

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Qmail errors
Currently I am having a problem with qmail. Our users are getting the following error when sending mail via SMTP:

"No transport provider was available for delivery to this recipient"

The client they are using is Microsoft Outlook. I can send via Outlook express, and it works fine on my machine. I check the qmail logs, but cannot find any bounce message. The error bounces back to the user with systems administrator as the user.

With Microsoft Outlook, internet email is enabled as well as Microsoft Mail (the old win3.11 pop system) for internal mail.

Any ideas? I am running a debian 1.3 server with qmail being v1.02.

Thanks
Rob..
Re: IP Accounting and 2.4
And if you want an accounting system to go with Portslave or just plain pppd's you can use ACUA, http://acua.ebbs.com.au/

--
Regards,
Robert Davidson.

On Wed, Jul 04, 2001 at 02:52:50PM +0200, Russell Coker wrote:
> On Wed, 4 Jul 2001 00:44, Chad C. Walstrom wrote:
> > OK. New job, new problems. Whereas I used to be able to ignore
> > systems administration and networking, it's now my focus. Our ISP
> > wants to be able to record IP traffic and bandwidth usage for each of
> > its users, a common need amongst ISP's.
>
> How do customers connect to you? If they are using any decent terminal
> server device then it should send accounting packets to the RADIUS server
> that list the number of bytes and packets sent and received.
>
> If they connect via a Linux terminal server then if you use the latest
> version of my Portslave package (which isn't in Debian yet because I
> haven't fixed all the bugs) then it'll log bytes (logging packets
> requires changes to pppd).
>
> --
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/projects.html Projects I am working on
> http://www.coker.com.au/~russell/ My home page
Re: Remote Execution of Scripts
On Tue, 24 Jul 2001 19:01:31 EDT, "Gene Grimm" writes:
>As I am a relative novice system administrator, perhaps someone more
>experienced can guide me to the proper way of securely invoking a script on
>a remote server. We have two facilities presently, with most of our
>equipment in our main office. I am attempting to automate account
>maintenance and would like to find information on the proper way to have one
>Perl script begin remote execution of scripts on another Linux server.

I'd go for something like
system("ssh someotherhost command");

You can easily limit the commands the user under which your script on the first host runs with prepending the command in the authorized_keys-file on the remote host. See the recent debian-user - archives for the exact syntax.

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
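The authorized_keys restriction suggested in the reply above, as an added example that is not part of the original mail: a forced-command wrapper for the remote host that lets the calling key trigger only two maintenance actions. The wrapper name acct-gate, the two verbs and the /usr/local/sbin/acct-* scripts are hypothetical; the key material shown is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original thread. Install on the REMOTE host and
# bind it to the calling script's key in ~/.ssh/authorized_keys, for instance
# (one line; key material is a placeholder):
#
#   command="/usr/local/bin/acct-gate",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER... maint@firsthost
#
# sshd then runs this wrapper whatever the client asks for and hands the
# client's request over in SSH_ORIGINAL_COMMAND. The wrapper treats that
# string as untrusted input: it is never passed to eval or "sh -c".

LC_ALL=C; export LC_ALL    # make [a-z] mean ASCII letters only

# gate_decide REQUEST
# Prints the command line to run and returns 0 if REQUEST is allowed;
# prints nothing and returns 1 otherwise.
gate_decide() {
    set -f          # no filename expansion while splitting
    set -- $1       # split the request on whitespace only
    set +f
    # Exactly "<verb> <username>"; anything appended (";", "&&", more
    # arguments) changes the word count and is refused.
    [ "$#" -eq 2 ] || return 1
    verb=$1
    user=$2
    # Username: starts with a letter (so it cannot be read as an option),
    # then letters, digits, "_" or "-" only, at most 32 characters.
    case $user in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#user}" -le 32 ] || return 1
    # Map the verb to a fixed absolute path; the client never names a program.
    case $verb in
        add-account)  echo "/usr/local/sbin/acct-add $user" ;;   # hypothetical script
        lock-account) echo "/usr/local/sbin/acct-lock $user" ;;  # hypothetical script
        *) return 1 ;;
    esac
}

# gate_main: what sshd actually executes.
gate_main() {
    if target=$(gate_decide "${SSH_ORIGINAL_COMMAND-}"); then
        logger -t acct-gate -- "allowed: $target"
        # $target contains only validated characters, so splitting is safe.
        set -f; set -- $target; set +f
        exec "$@"
    fi
    logger -t acct-gate -- "refused: ${SSH_ORIGINAL_COMMAND-<none>}"
    echo "acct-gate: request refused" >&2
    exit 1
}

# Run only when installed under its real name, so the functions can be
# sourced and tested without side effects.
case ${0##*/} in
    acct-gate) gate_main ;;
esac
```

With this in place the call from the first host becomes `ssh someotherhost add-account alice`, and a stolen key can do no more than the two listed actions.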
Re: Virtual Hosting
On Wed, Jul 25, 2001 at 07:44:22PM -0700, Jeremy C. Reed wrote:
>
> Now if you are talking about real virtual hosting where you could have
> multiple users with the same name, then you'd need to have separate
> authentication (passwd) files for each virtual host -- and -- you'd need
> to decide on a UID (and GID) to own that user's files (maybe one UID and
> GID per virtual host, but then you'd have to stop different users from
> accessing other users' files -- maybe with chroot or jail?).

That's what I was thinking about - a real virtual hosting setup. Out of interest, is there anything already made to do this kind of thing? Like another FTP server for example?

--
Regards,
Robert Davidson.
q ad ftp- w/o system-accounts
Hi!

(This is probably a PAM-question, too, but..)

I just got cyrus to work w/o having system- (eg shell-) accounts, but now I need to get ftp to work also :/

proftpd uses PAM, which is good as there's pam_userdb.so. This far I'm sufficiently clued. But I don't get how I can tell it to set the userdir to, let's say, /home/$luser/ftp based on the key out of the .db-file.

Any hints?

cheers+tia,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: Little Exim questions
On Sun, Jul 29, 2001 at 11:05:18PM +0300, Antti Tolamo wrote:
> At 22:32 29.7.2001, you wrote:
>
> >What could pause Exim server to slow down considerably when sending
> >mail?
> >
> >I just fixed problem with hosts file, and it worked well but few hours
> >later it has
> >started to slow despite no big traffic.
>
> No matter, I found the reason.
>

DNS problem? or ?
Re: q ad ftp- w/o system-accounts
>Robert Waldner wrote:
>> (This is probably a PAM-question, too, but..)
>>
>> I just got cyrus to work w/o having system- (eg shell-) accounts, but
>> now I need to get ftp to work also :/
>>
>> proftpd uses PAM, which is good as there's pam_userdb.so. This far I'm
>> sufficiently clued. But I don't get how I can tell it to set the
>> userdir to, let's say, /home/$luser/ftp based on the key out of the
>> .db-file.

On Mon, 30 Jul 2001 08:12:42 EDT, Haim Dimermanas writes:
> I strongly suggest you take a look at ProFTPd with the LDAP or MySQL modules.
>You can put all your users information in a directory or an SQL database
>(homedir, username, pass, etc) and have the FTP server look in there.

Hmm, I don't want to cope with LDAP and/or MySQL just for a bunch of ftp-accounts (~ 30). Flat berkeley-db-files are much more appealing for such small numbers (they're definitely not supposed to grow, not on this box, it's just that I'm much more security-aware since it was hacked not long ago).

> For more info on how to set it up, take a look at the doc I wrote:
>
> http://dudle.linuxroot.org/docs/proftpd/

Well-written and, seemingly, quite complete, even if I won't try that on my box (see above) ;-)

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: q ad ftp- w/o system-accounts
On Tue, 31 Jul 2001 10:17:56 CDT, Haim Dimermanas writes:
>
>> Hmm, I don't want to cope with LDAP and/or MySQL just for a bunch of
>> ftp-accounts (~ 30). Flat berkeley-db-files are much more appealing
>> for such small numbers (they're definitely not supposed to grow, not on
>> this box, it's just that I'm much more security-aware since it was
>> hacked not long ago).
>
> I agree. 30 accounts is not much. Now to say that it's not enough for you
>to deploy a scalable (and very secure) solution that would solve your
>problem(s), I disagree. I wrote a doc explaining how to install MySQL step
>by step. If you keep your installation current and up-to-date, you should be
>ok when it comes to security.

I tried, but MySQL is Just Too Much for that box (it's a lowly 486 w/ 32 MB RAM and already running at load 0.8++ most of the time[0]).

Anyway, I've now got it (mentioning it here for the sake of the search-engines):

proftpd.conf:
AuthUserFile /etc/proftpd.users
AuthGroupFile /etc/proftpd.groups
RequireValidShell no
PersistentPasswd off
User nobody
Group nogroup
DefaultRoot ~

proftpd.users:
waldner::1000:1000:Robert Waldner,,,:/home/waldner:/bin/false

et voila.

0: mailhub for ~ 3k mails/day, webserver for ~ 400 hits/day, approx. 1200 dns-queries/day. Man, I *like* the hardware-requirements of sane OSs.

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: scripting lynx
Here's a script I use to make Orange (a phone company) send me a password reminder SMS message via their website when there is a network problem here. The script is a rip off of some other script I found, it's written in python. It will probably be easy enough to adapt for what you want.

My reason for using it in the first place was because I didn't want to have to pay Orange more money so I can send SMS messages via their website, but password reminders for the SMS service are free :)

Regards,
Robert Davidson.

On Wed, Aug 01, 2001 at 06:11:34PM +0200, Olivier MACCHIONI wrote:
> At 18:08 01/08/01 +0200, Russell Coker wrote:
> >On Wed, 1 Aug 2001 00:33, Craig Sanders wrote:
> > > On Wed, Aug 01, 2001 at 12:17:20AM +0200, Russell Coker wrote:
> > > > I want to script lynx to post data to a web site and save the results.
> > > > I am using the --post_data option but have been unable to find
> > > > documentation on the format of data expected on standard input.
> >[...]
> > > or use the LWP modules to make yourself a web-bot.
> >
> >I may have to do that. Thanks for the suggestions.
>
>
> wget and a few shell commands may do the trick too

#!/usr/bin/python
import httplib, sys, time

# Trick Orange into sending me my password for my phone - Makes my phone beep!

### build the query string
qs = "devNum=xx"

### connect and send the server a path
httpobj = httplib.HTTP('www.orangemail.com.au', 8080)
httpobj.putrequest('POST', '/servlet/orangemail.CreatePassword')

### now generate the rest of the HTTP headers...
httpobj.putheader('Accept', '*/*')
httpobj.putheader('Connection', 'Keep-Alive')
httpobj.putheader('Content-type', 'application/x-www-form-urlencoded')
httpobj.putheader('Content-length', '%d' % len(qs))
httpobj.endheaders()
httpobj.send(qs)

### find out what the server said in response...
reply, msg, hdrs = httpobj.getreply()
if reply != 200:
    sys.stdout.write(httpobj.getfile().read())
Re: exim and relaying
On Wed, Aug 01, 2001 at 01:13:04PM -0300, Carlos Barros wrote:
> On Wed, Aug 01, 2001 at 03:19:41PM +0800, Sanjeev Gupta wrote:
>
> > Try
>
> Seems to be what I'm looking for.
>
> Thanks. I already know that relaying is not good. But I'm trying to close the
> relaying as much as I can. That's why I only want to permit relaying from
> some hosts only if they claim to be from fcien.edu.uy domain (just by now).
>

Why not just allow relaying based on the IP Address of the hosts?

Regards,
Robert Davidson.
Re: Virtual Hosting
On Thu, Jul 26, 2001 at 11:36:07AM +1000, David Stanaway wrote:
> On Thursday, July 26, 2001, at 10:17 AM, Waldemar Brodkorb wrote:
>
> You can't do name based virtual hosting with ftp, as the protocol
> doesn't use domain names.
>
> You will need to do IP based virtual hosting and use IP aliasing.

How hard would it be to implement a thing in say ProFTPd for example, that took "[EMAIL PROTECTED]" as the actual username, rather than just "user" ? Would that be possible?

--
Regards,
Robert Davidson.
Re: Good pop3 server
(please send your mails in text only)

On Fri, 10 Aug 2001 10:36:28 +0200, Javier Castillo Alcibar writes:
> I am looking for a good pop3 server in the woody(testing)
>distribution. I was going to install qpopper v4, but it runs from inetd
>daemon, what I think is a bad idea from the performance point of view..
>
> Any ideas??

I'd go for cyrus, with some extra configuration you can even get rid of having to have local users for every mail-account.

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
magic accretion of list-mail via blue-chip.com
Hi,

every time someone Cc's list-mail to me, I'd expect two copies arriving here. But with debian-isp there are always /three/ of them, the first one comes here on the direct route, the next two through murphy.debian.org.

Examining headers:

Received: from murphy.debian.org(216.234.231.6) via SMTP by fw.xsoft.at, id smtpdEflgIL; Fri Aug 10 18:02:51 2001
Received: (qmail 18254 invoked by uid 38); 10 Aug 2001 16:02:33 -
X-envelope-sender: [EMAIL PROTECTED]
Received: (qmail 18218 invoked from network); 10 Aug 2001 16:02:32 -
Received: from unknown (HELO happylinuxbox.netnumina.com) (130.105.10.10) by murphy.debian.org with SMTP; 10 Aug 2001 16:02:32 -
Received: (qmail 22533 invoked from network); 10 Aug 2001 16:01:57 -
Received: from unknown (HELO whirlycott.com) (130.105.10.75) by happylinuxbox.netnumina.com with SMTP; 10 Aug 2001 16:01:57 -
Message-id: <[EMAIL PROTECTED]>

Received: from UNKNOWN(195.188.16.215), claiming to be "SERVER.blue-chip.com" via ESMTP by fw.xsoft.at, id smtpdIEbsTi; Fri Aug 10 18:17:21 2001
Received: from SERVER.blue-chip.com ([195.188.16.215]) by SERVER.blue-chip.com with Microsoft SMTPSVC(5.0.2195.2096); Fri, 10 Aug 2001 17:15:42 +0100
Received: by SERVER.blue-chip.com (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download) id [EMAIL PROTECTED]; Fri, 10 Aug 2001 17:15:39 +0100
Received: from murphy.debian.org (murphy.debian.org [216.234.231.6]) by flipper.blue-chip.net (8.9.3/8.9.3/Debian 8.9.3-6) with SMTP id RAA16244 for <[EMAIL PROTECTED]>; Fri, 10 Aug 2001 17:11:01 +0100
Resent-date: Fri, 10 Aug 2001 17:11:01 +0100 (18:11 CEST)
Received: (qmail 18254 invoked by uid 38); 10 Aug 2001 16:02:33 -
X-envelope-sender: [EMAIL PROTECTED]
Received: (qmail 18218 invoked from network); 10 Aug 2001 16:02:32 -
Received: from unknown (HELO happylinuxbox.netnumina.com) (130.105.10.10) by murphy.debian.org with SMTP; 10 Aug 2001 16:02:32 -
Received: (qmail 22533 invoked from network); 10 Aug 2001 16:01:57 -
Received: from unknown (HELO whirlycott.com) (130.105.10.75) by happylinuxbox.netnumina.com with SMTP; 10 Aug 2001 16:01:57 -
Message-id: <[EMAIL PROTECTED]>

blue-chip.com, you have a problem. Your crapware is broken. Please
- fix it, or
- simply turn the fscking thing off.

Why do I Cc this to the list?
- I strongly suspect postmaster@ will just bounce
- Other people on the list will have the same problem

Ah, yes, another thing. Please don't Cc me on list-mail, I read all the lists/newsgroups/whatnot I post to.

thankyouverymuch,
Robert Waldner
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: Confused
>> Open my firewall for 113 Auth ... has worked, now
>> i need someone or some docs to explain what/how and why :)

Simply put something along the lines of
auth stream tcp nowait nobody /bin/dd dd if=/dev/urandom bs=32 count=1
in inetd.conf, this will not break anything, leave programs that depend on some auth-answer happy, and doesn't open any security-holes (that I'm aware of, someone correct me if I'm wrong).

You could also use that for ident et al (although for ident I use fake_identd).

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: Confused
On Thu, 16 Aug 2001 10:58:37 +0200, Michael Wood writes:
>> Simply put something along the lines of
>> auth stream tcp nowait nobody /bin/dd dd if=/dev/urandom bs=32 count=1
>> in inetd.conf, this will not break anything, leave programs
>> that depend on some auth-answer happy, and doesn't open any
>> security-holes (that I'm aware of, someone correct me if I'm
>> wrong).
>
>hmmm... well, it might break insecure programs connecting to
>your "ident" server. Also, you're wasting the entropy in your
>random number generator. Why not just "cat blah" or something
>instead?

sure, where I'm worried about the entropy I just generate a file, for example there's

waldner@ka:~$ ls -al /home/apache/default.ida
-rw-rw-r-- 1 waldner waldner 10240119 Jul 19 19:34 /home/apache/default.ida

Some friends of mine swear by cat'ing their kernel-sources, some by /dev/zero.

But personally I think that /dev/urandom provides most fun ;-) , although the following is nice, too:
ident stream tcp nowait nobody /usr/bin/nc nc www.microsoft.com 80
Imagine the confusion of the script-kiddies...
(and yes, I know that with doing that an open proxy for www.microsoft.com is created, this is just an example, don't use it like that)

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
RE: your mail
I know the feeling... I came from the qmail mailing list and there isn't any message appended to the bottom of the email messages. I had to go to their website to figure it out again after doing that trick.

I stopped looking at debian-user as I got something of the order of 100 - 300 messages per day...Don't get much time to read them these days :-) Sometimes I prefer newsgroups as I can filter through the volume of messages without trashing all the ones I don't have time to read.

Cheers
Rob..

-Original Message-
From: Thomas Fini Hansen [SMTP:[EMAIL PROTECTED]]
Sent: Saturday, 18 August 2001 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: your mail

On Sat, Aug 18, 2001 at 10:37:58AM +1000, [EMAIL PROTECTED] wrote:
> unsubscribe

Amazing, I came directly from exim-users where someone else did the exact same thing and in consequence was being ridiculed.

One thing is to be told to RTFM, but when people will ignore error messages ("It doesn't work! What do you mean 'error message'?), don't read dialog boxes ('OK to wipe your entire hardrive?' *click*), or read what's appended to every damn message from a mailinglist, what can you do?

I'll get my coat...
FW: roaming with qmail and smtp-poplock
Try subscribing to the qmail mailing list at [EMAIL PROTECTED] They get heaps of mail, but someone should be able to help you there or point you in the right direction.

Some other links you could try are:
http://www.qmail.org/
http://cr.yp.to/qmail.html

Cheers
Rob

-Original Message-
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, 21 August 2001 3:14 AM
To: lista debian-isp
Subject: roaming with qmail and smtp-poplock

Hello.

I'm in the need of implement roaming usage of a qmail server. I've been looking in qmail site and found smtp-poplock as the best tool for me ( http://www.davideous.com/smtp-poplock/ ), in a first, documental, evaluation.

¿Any suggestion, tip, advice...?

--
I have requested drivers for Linux. No. 00073030:
http://www.libralinux.com/petition.spanish.html
Jose Esteban
Granada. Spain.
FW: Webalizer
On Tue, 28 Aug 2001, Craig wrote:
>> only thing is its version 1.30
>> whereas if you download the source its 2.01
>

Martin then wrote:
Ah -- OK. Thanks for clueing me in -- I hadn't realised. Is the difference worth it? (I.e. what can't-possibly-do-without goodies am I going to get that will persuade me to roll my own before >= v2.01 makes it into testing?)

I'm hoping it will help me...my webalizer gets an error about strings being too long.

Rob...
Funny kernel antics
Hi!

On my Internet server (running potato and kernel 2.2.19pre), I got a funny thing happening. The kernel started to spit out errors on the console. I can't reproduce them, but they are the CPU dump of registers that you get when unix normally crashes and then halts the machine. I kept getting this dump, then I tried to shut down the machine, but couldn't. It was dumping on qmail and apache processes and just causing havoc, although I could still ping the outside world. I had to press the reset button to get out of this situation. Luckily the machine came up ok.

Some symptoms include:
(a) I can't log in properly in the first console screen, but after Alt-F2 to the second screen, I can get in ok
(b) I have had the machine hang with the screen being blank..had to press reset...this happens once every two weeks. Logs don't show up any errors.

I had upgraded from the bo distribution to potato and suspect it must have been something done during the upgrade, as I updated heaps of packages. Previously, running on bo was very stable..hardly had a crash at all

Anyone know what causes this or seen this happen before? I will probably install a fresh copy of potato on another hard disk and do the config again, just as a backup :-)

Rob...
FW: Funny kernel antics
Good to know someone else saw the problem...I thought I was going crazy! :-)

I will try a lower version of the kernel...

I managed to get this from the logs: (don't know if this helps anyone to see the problem :)

Rob...

> Aug 31 16:01:42 ns kernel: Unable to handle kernel NULL pointer dereference
> at virtual address 0
> Aug 31 16:01:42 ns kernel: current->tss.cr3 = 00a3, %%cr3 = 00a3
> Aug 31 16:01:42 ns kernel: *pde = 0
> Aug 31 16:01:42 ns kernel: Oops:
> Aug 31 16:01:42 ns kernel: CPU: 0
> Aug 31 16:01:42 ns kernel: EIP: 0010:[<0>]
> Aug 31 16:01:42 ns kernel: EFLAGS: 00010282
> Aug 31 16:01:42 ns kernel: eax: 0 ebx: c10ae228 ecx: c064bad0 edx:
> c0c27f4
> 0
> Aug 31 16:01:42 ns kernel: esi: c0e1ff38 edi: c0e1ff28 ebp: c0dcc000
> esp:
> c0e1fef8
> Aug 31 16:01:42 ns kernel: ds: 0018 es: 0018 ss: 0018
> Aug 31 16:01:42 ns kernel: Process apache (pid: 4693, process nr: 91,
> stackpage=
> c0e1f000)
> Aug 31 16:01:42 ns kernel: Stack: 0 c0b2b840 080a675c bc3c bbbc
> c0131962
> 0 0
> Aug 31 16:01:42 ns kernel: 07 bc3c bb7c 0 01 00 0 0
> Aug 31 16:01:42 ns kernel: 0 0 0 0 0 c0c30620 1255 c0e1ff50
> Aug 31 16:01:42 ns kernel: Call Trace: [fcntl_setlk+358/376]
> [sys_fcntl+772/984]
> [sys_socketcall+176/484]
> [system_call+52/56]\210F^G\211v^L\215V^P\215N^L\211\xf
> 3\xb0^K\xcd\200\xb0^A\xcd\200\xe8\177\xff\xff\xff
>Aug 31 16:01:42 ns kernel: Code: Bad EIP value.
-
> Anyone know what causes this or seen this happen before?

I have no idea why but I did have this happen to me running 2.2.19. Same exact symptoms. Only thing unusual was that I had patched the kernel to support an AACraid controller and made some modifications to run Oracle. At the time I was using 2.2.19 on 5 or 6 other boxen without problems.

I was rushed for a solution, so I simply fell back to an older kernel without investigation.

I'm sure this was completely un-helpful.

Pete
--
http://www.elbnet.com
ELB Internet Services, Inc.
Web Design, Computer Consulting, Internet Hosting
Re: SOS Bind
On Tue, 04 Sep 2001 13:12:45 +0200, "Craig" writes:
>I have a debian box running Bind, acting as a primary DNS server. I
>have updated the serial numbers on the zone files but nothing is
>propagating out. It's been about 72 hours now and still has the old
>IP of the server. Bind version 8.2.3
>
>Any help would be greatly appreciated :)

First of all: have you reloaded the zone (`ndc reload $zonename`)? What do the logs tell?

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: current cpu usage
On Thu, 06 Sep 2001 09:00:37 EDT, Peter Billson writes:
>> sorry, I should have been more specific, I need to get the output in a format
>> a script could use.
>> I have tried the uptime command however I'm a bit lost at what the numbers
>> displayed represent (& how to turn these into a percentage).
>> (If indeed this is a good way to do this)
>
>/usr/bin/top -bin 1

cat /proc/meminfo
cat /proc/loadavg

hth+cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: current cpu usage
On Thu, 06 Sep 2001 09:34:05 EDT, Peter Billson writes:
>> cat /proc/meminfo
>> cat /proc/loadavg
>
> The meminfo would help him but he posted that he didn't understand load
>average and, anyway, needs percent of CPU used. You can not calculate
>CPU usage from load average.

Not to mention the deep dark magic by which loadavg is generated. I still don't understand that completely ;-)

And yep, that should've read cat /proc/stat instead. (And no, I don't know what the values in the first line exactly mean, but as soon as I set up mrtg again, I'm gonna read up on the kernel-sources)

> You could use /proc to get CPU usage but it would be rather involved
>to do and why bother when the nice man who wrote top has already done it
>for you. :-)

'cause it's *fun* ;-)

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: current cpu usage
On Thu, 06 Sep 2001 13:30:43 CDT, Nathan E Norman writes:
<...>
>Yesterday I wrote a perl script that does this (I'm playing with
>cricket ... see
>
> http://canaris.visionary.micromuse.com/cgi-bin/cricket/grapher.cgi?target=%2Fservers
>
>I'll make the script source available if someone wants it ...

By all means: Yes, please, do so ;-)

> I use a
>db file to store the readings from each run for use in the next run.
>
>My loadavg figures come from /proc/loadavg ... I wasn't interested in
>any heavy lifting :)
>
>Now for the mem stats ...

I did something ugly in bash some time ago (for the previous incarnation of my webserver), look at http://gfrastsackl.org/scripts/

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: Remote IP for inetd "daemon"
On Tue, 18 Sep 2001 09:55:06 PDT, "Jeremy C. Reed" writes:
>On Tue, 18 Sep 2001, Marcel Hicking wrote:
>
>> I have a script invoked via inetd.
>> How can I let the script know of the IP of the client
>> connecting (remote IP)?
>> I need to do some additional security checks not
>> possible with hosts.access|deny
>>
>> Any hints?
>
>getpeername(2) is the C library function to get the remote IP. This works
>for me:
>
>
>Then compile it with "gcc -o getpeername getpeername.c". Then use the
>getpeername executable in your script.

Hmm, this doesn't work for me. If I invoke it via

inetd.conf:
sunrpc stream tcp nowait nobody /usr/local/bin/test.sh test.sh

test.sh:
#!/bin/bash
/usr/local/bin/getpeername >>/tmp/peer.ip
exit

only a \n is logged to the file (so permissions et al are ok ;-) ).

However, if I do

inetd.conf:
sunrpc stream tcp nowait nobody /usr/local/bin/getpeername getpeername

waldner@st:~$ telnet ka 111
Trying 4.3.2.1...
Connected to ka.
Escape character is '^]'.
1.2.3.4Connection closed by foreign host.

(IPs obfuscated)

What am I doing wrong?

cheers+tia,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
Re: Remote IP for inetd "daemon"
On Wed, 19 Sep 2001 15:06:24 +0200, "Marcel Hicking" writes:
>The problem is the redirect.
>When redirecting, the prog doesn't
>get peername anymore.

Ah, thanks! So now I simply send the IP to stderr and everything's fine:

if (getpeername((int) 1, (struct sockaddr *) &name, (socklen_t *) &namelen) == 0) {
    if ((temp_domain = (char *) inet_ntoa(name.sin_addr)))
        fprintf(stderr, "%s", temp_domain);
}

test.sh:
#!/bin/bash
/usr/local/bin/getpeername 2>/tmp/peer.ip
exit

It isn't too useful to have the information but being unable to use it ;-)

cheers,
&rw
--
/ Ing. Robert Waldner | <[EMAIL PROTECTED]> \
\ Xsoft GmbH | T: +43 1 796 36 36 692 /
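A variant of the helper discussed in this thread, as an added example that is not code from any of the posters: inetd passes the connection to the service as fds 0, 1 and 2, so probing stdin first keeps working when the wrapper script redirects stdout or stderr. The function names `peer_ip` and `first_peer_ip` are chosen for this example.

```c
/* Added example: report the remote address of an inetd-spawned service
 * without depending on stdout still being the socket. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Store the peer address of fd in buf as text.
 * Returns 0 on success, -1 with errno set otherwise:
 *   ENOTSOCK      fd is a file, pipe or tty (e.g. after a shell redirect)
 *   ENOTCONN      fd is a socket that is not connected
 *   EAFNOSUPPORT  fd is a connected socket, but not IPv4/IPv6 */
int peer_ip(int fd, char *buf, size_t len)
{
    struct sockaddr_storage ss;
    socklen_t sslen = sizeof ss;
    const void *addr;

    memset(&ss, 0, sizeof ss);
    if (getpeername(fd, (struct sockaddr *)&ss, &sslen) != 0)
        return -1;

    if (ss.ss_family == AF_INET) {
        addr = &((struct sockaddr_in *)&ss)->sin_addr;
    } else if (ss.ss_family == AF_INET6) {
        addr = &((struct sockaddr_in6 *)&ss)->sin6_addr;
    } else {
        errno = EAFNOSUPPORT;
        return -1;
    }
    return inet_ntop(ss.ss_family, addr, buf, (socklen_t)len) ? 0 : -1;
}

/* Try each descriptor in turn; return the one that yielded an address,
 * or -1 if none of them is a connected IP socket. */
int first_peer_ip(const int *fds, size_t nfds, char *buf, size_t len)
{
    size_t i;

    for (i = 0; i < nfds; i++)
        if (peer_ip(fds[i], buf, len) == 0)
            return fds[i];
    return -1;
}

int main(void)
{
    /* A wrapper that does ">>file" replaces fd 1 only and "2>file"
     * replaces fd 2 only, so stdin normally remains the socket. */
    static const int inetd_fds[] = { STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO };
    char ip[INET6_ADDRSTRLEN];

    if (first_peer_ip(inetd_fds, 3, ip, sizeof ip) < 0)
        return 1;   /* fail closed: no address for the caller to check */

    puts(ip);       /* stdout may now be a file or a pipe */
    return 0;
}
```

The non-zero exit status lets the calling script refuse the connection when no address could be determined, instead of running its checks against an empty string.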
Re: pppoe on demand?
Why not use the persist and holdoff options? I assume you want it connected to the isp 24/7?

Cya.

KOZMAN Balint wrote:
>
> Hi,
>
> I have a problem with pppoe and woody. I'd like to use my woody as a small
> router/firewall for my lan using an adsl connection. The adsl-provider
> terminates the connection every 90 minutes, so I had to set up the
> connection using the demand function of pppd with a connect script:
> "exit 0". This works fine, but sometimes my pppd fails to reconnect, then
> I have to make it "redial" by hand. What might be the problem?
>
> Thanks,
>
> Balint

--
Regards,
Robert Davidson.
http://www.mlug.org.au/
host & DNS
Hi,

I am trying to understand how the hosts.allow and hosts.deny files work as well as DNS. So far, I have a nameserver, but kept getting an error:

warning: /etc/hosts.allow, line 11: can't verify hostname: gethostbyname (gomez.star.cd) failed

I finally figured out that something was wrong as one of this ISP's users complained that they couldn't send an email to my mailserver (which is the nameserver as well). I did a host lookup and got the following:

host 203.36.43.17
Name: gomez.star.cd
Address: 203.36.43.17

then later:

host gomez.star.cd
gomez.star.cd does not exist, try again

What would cause this to fail? When I put "ALL: 203." in the /etc/hosts.allow file and commented out the "ALL: PARANOID" in the /etc/hosts.deny file, it then allowed access to my mailserver. Incidentally, I did try to dig the address and hostname and it did work fine. I am using qmail as the mailserver, but know that it uses your DNS to resolve hostnames instead of /etc/resolv.conf. Also, I am using xinetd as well for mail and other services.

Is there anywhere that tells you how these files actually work and what's the best way of making sure the system is reasonably secure without barring out legitimate servers? For example, I tried to do the following, but it didn't work. The man pages didn't really shed much light on this.

in the /etc/hosts.allow file:
ALL: ALL

in the /etc/hosts.deny file:
in.telnetd: ALL EXECEPT 192.168.1.

I expected that you wouldn't be able to telnet to the machine unless you had the address 192.168.1.XXX, but I could still do it for some reason. In the /etc/hosts.allow file, I previously had "ALL: .mydomain.com.au", and in the /etc/hosts.deny I had "ALL:PARANOID", but this seemed to bounce everyone in the above category, which annoyed some of our users.

I thought that the DNS server (bind) handled all these requests and that the host files didn't matter much, until I saw what was happening.

Rob...
iptables and routing
Hi Everyone :)

I've got a problem and I can't seem to find a solution without putting another computer in the works as a router, which isn't really a good solution. I'm using kernel 2.4.10, iptables and some policy routing.

What I would like to do (if it's possible) is decide which network interface a packet goes out depending on which program generated it locally. For example, if Apache generates a packet, I always want it to go out of cipcb0 (vpn interface). I have some live IPs routed over the cipcb0 interface, and that goes over my cable link. I'm not allowed to simply serve pages on the cable modem IP because it's against their acceptable use policy, and I've already had my account suspended once for doing that.

Anyway, the problem is, when someone is using the same cable provider as I do, if their proxy server gets the request it will ask my server to give it the page, but the server won't send the data out of cipcb0 because there is a host route pointing to the cable provider's proxy/dns server as I want to be able to use their proxy/dns servers myself, and because the packet comes back to the cable provider through the cable modem, it gets dropped, thus there is a large area around me where users on the same cable provider that I use can not access any of my web pages.

Does anyone know how to fix this problem? I've had a play with marking packets based on UID and so on in an effort to use the policy routing stuff to route the packets up to the cipcb0 interface, but I haven't had any success yet.

--
Regards,
Robert Davidson.
http://www.mlug.org.au/
Re: iptables and routing
Peter Billson wrote:
>
> Take a look at using iproute2.
> http://www.linuxguruz.org/iptables/howto/Adv-Routing-HOWTO.html#s4

Read that many times in the past, hasn't helped. I'll go back to square one and see if I can get the thing to work how I want it to, but I don't think I'll have any success. I've done policy routing before (and am still using it) but I've never managed to get packets that are generated on the same machine as is holding the uplinks to route the packets where I want them to go.

--
Regards,
Robert Davidson.
http://www.mlug.org.au/
Re: iptables and routing
That sounds like exactly what I want to do. Would you be willing to send me a copy of your script(s) that you have made to do this? I always thought I was the problem.

Remco van de Meent wrote:
>
> What you need to do is, roughly:
>
> o in the OUTPUT table, mark the packets you want to go through your
>   secure connection with some value. E.g. match on source port 80
>   and owner nobody;
>
> o make sure that packets marked with that value are processed in a
>   separate routing table, using 'ip rule', and setup that routing
>   table according to your demands
>
> In my case the idea is that I have two uplinks and I want some
> applications to use the first uplink, and use the second by default.
>
> regards,
> Remco.

--
Regards,
Robert Davidson.
http://www.mlug.org.au/
ppp problem
Hello everyone:

I am new to debian and I am having a problem pinging outside my remote server when I dial-out. I've used the pppconfig to setup my dial-out. When I do an ifconfig ppp0 my ip addresses match but it says that Point -To-Point running NOARP MULTICAST. I can use my dial-out for Windows 2000 and my old FreeBSD box. My /etc/resolv.conf has my DNS addresses and my isp domain name. I cannot ping, for example, www.google.com, etc. If there is anything else that needs setting up or I have overlooked anything else let me know.

Thanx
Re: problem with php-cgi
Does your script put a blank line after the Content-type and so on, like:

blah: blah
foo-foo: bar
Content-type: blah

hello

Maybe you could post the first few lines of output to the list.

Cya

Sebastian Ezequiel Ovide wrote:
>
> yes it do.
>
> ./test.php.vgi make the same result that ./test.pl.cgi but test.pl.cgi
> work fine with apache but test.php.cgi don't want to work with apache
>
> help.
>
> Sebastián Ezequiel Ovide ICQ:113198452
> Universitá degli studi di Padova <http://www.unipd.it>
> Dipartimento di Elettronica e Informatica <http://www.dei.unipd.it>
>
> On Fri, 12 Oct 2001, Peter Billson wrote:
>
> |Sebastian Ezequiel Ovide wrote:
> |>
> |> Hi,
> |>
> |> just installed php4-cgi, fixed bad symlink in /usr/lib/cgi-bin
> |>
> |> The prob is,
> |>
> |> running as a standard cgi does not work ie
> |>
> |> #!/usr/bin/php
> |>
> |> apache complains
> |>
> |> [Thu Dec 21 20:18:36 2000] [error] [client 192.168.1.169] Premature end of
> |> script headers: /var/www/home/felipe/Proyectos/hola.php4.cgi
> |>
> |> running from the command line works great and with
> |>
> |> AddHandler bla bla
> |> Action bla bla bla
> |>
> |> also works fine.
> |>
> |> Any clue
> |>
> |> I'm running potato
> |>
> |
> |Your script is not sending the magic Content-type: line before its output.
> |
> |Pete
> |--
> |http://www.elbnet.com
> |ELB Internet Services, Inc.
> |Web Design, Computer Consulting, Internet Hosting
> |

--
Regards,
Robert Davidson.
http://www.mlug.org.au/
Re: Strange kernel compile error
You need to install the bin86 package (that's in sid, probably the same for potato and woody I guess).

James Mclean wrote:
>
> All,
>
> I am recompiling my kernel on my file-server, it was running Debian Potato, and
> on a make bzImage, I get the following error.
>
> make[1]: Entering directory `/usr/src/linux/arch/i386/boot'
> as86 -0 -a -o bbootsect.o bbootsect.s
> make[1]: as86: Command not found
> make[1]: *** [bbootsect.o] Error 127
> make[1]: Leaving directory `/usr/src/linux/arch/i386/boot'
> make: *** [bzImage] Error 2
>
> I have tried a few different kernels, kernel 2.2.17 (kernel.org), debian kernel-
> source-2.2.17 package, kernel 2.2.19 (kernel.org), debian kernel-source-2.2.19
> package.
>
> I also did apt-get dist-upgrade to Woody, to no avail.
>
> What is causing this error? What package can I install to get this to work?
> I have searched the debian package archives, and could not find any packages
> that matched, and apt-get install as86 did nothing.
>
> I haven't tried to compile a kernel on this machine before.
>
> TIA
>
> James Mclean

--
Regards,
Robert Davidson.
http://www.mlug.org.au/
Tcpwrappers
Thanks for the suggestion to read about tcpwrappers. I have also read the Security Quick-start howto and found it useful.

One problem I am still coming to grips with is email. I am running qmail out of xinetd and using tcp-env for the smtp service. I tried putting the qmail daemons into hosts.allow (ie: qmail-smtpd: ALL), and then ALL:ALL in hosts.deny, but it denied access to all incoming emails.

At the moment, I have ALL: PARANOID set in hosts.deny, but this won't allow some incoming emails and gives an error on the line where I have the line .domain.com.au set in hosts.allow, where ns.domain.com.au is our nameserver.

Anyone know how I let all emails to our domain through, whether or not I can do a lookup on them? I know that our DNS works fine as I get the same error using a machine at home from a different ISP and different DNS server. I am assuming that hosts that fall into the PARANOID category must not have their DNS files setup right, or they may not be legitimate users.

I suppose the other option is to try and run qmail using daemontools and ucspi as the qmail manuals and Life with qmail suggest.

Thanks
Rob
Re: HTTP put
On Thu, 06 Dec 2001 14:29:24 +0100, Markus Garscha writes:
>I'm interested in the technology behind this. how does it work? do these
>providers use redirectors - but how to configure when every dialup user
>gets a dyn. ip???

On Thu, 06 Dec 2001 15:26:27 +0100, "Frank Thesen (serve-it)" writes:
>I can't tell the technique, but I can tell you examples:
>
>If you go to www.freenet.de or to www.arcor.de to get them as access
>providers.
>
>If you tell me, what I should do, to figure out the technique, I will do it.

Every one of the big access-concentrators can do that. Technically it's a simple filter that is put out of service as soon as it's hit the first time. Redback, Cisco, ... they're all able to do that since, oh, ages..

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: Mailinglist software recommendations?
On Sat, 08 Dec 2001 20:57:17 +1100, Jeremy Lunn writes:
>On Fri, Dec 07, 2001 at 03:41:11PM +0100, Marcel Hicking wrote:
<...>
>> b) Some admin web interface for the guys going
>> to use and feed the lists. Need to be able to add lists,
>
>Ecartis has this packaged in listar-cgi.
>
>> c) A web interface to (un)subscribe to lists (which I
>> could probably do myself ;-)

Not the ability to add/remove lists, though. But that's the only thing missing from your list, AFAICT. I wouldn't want that anyway as it would imply to mangle with the MTA (aliases!), and I'd rather do that myself, thankyouverymuch.

>I think you can do this with listar-cgi but if not then as you say it's
>not much effort to add this functionality.

You can do
 - (un/)subscribe
 - manage user(s)&list config(s)

<...>

listar/ecartis not only work great, but the main developer is also very responsive when it comes to bugs and/or new features.

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: naver-mailer
On Mon, 31 Dec 2001 20:53:03 +0100, Russell Coker writes:
>On Mon, 31 Dec 2001 15:28, Russell Coker wrote:
>> Every time I post here I get a response that looks like a bounce in a
>> strange language from naver-mailer. Here's the headers:
>>
>>
>> Here's my solution to the naver-mailer problem:
>> ipchains -A input -j DENY -s 211.218.150.15
>
>They are persistent bastards and have multiple machines in that netblock. So
>I've changed it to the following:
>
>ipchains -A input -j DENY -s 211.218.150.0/24

So they will deliver their annoying bounces via the backup-MXs...

This is something which IMHO should be addressed at MTA-level, not IP.

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
scp, no ssh
How to allow, for some users' IPs, only scp and no ssh?
Re: BGP / Zebra
On Fri, 11 Jan 2002 10:39:01 +0100, Anders Gjære writes:
>I have a router running BGP / Zebra, and it seems like the maximum
>throughput is 25Mbit/s
>
>BGP and Zebra using 100% cpu together, and alternating on which using
>most.
>
>The machine is a pII 233 with 196mb ram.
>
>What hardware/config-changes do I need to be able to route 100Mbit/s?

Uhm, someone correct me if I'm wrong, but shouldn't Zebra just update the kernel's routing-table and let it then handle the actual packet-juggling? If that is so, your problem probably lies elsewhere...

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: PPOP3 Webmail
On Sun, 20 Jan 2002 12:08:46 EST, [EMAIL PROTECTED] writes:
>I agree! I have squirrelmail (which is still broken in Debian),
<...>

What exactly is broken in squirrelmail? Works just fine here:

ii  cyrus-admin   1.5.19-2        Cyrus mail system (administration tool)
ii  cyrus-common  1.5.19-2        Cyrus mail system (common files)
ii  cyrus-imapd   1.5.19-2        Cyrus mail system (IMAP support)
ii  cyrus-pop3d   1.5.19-2        Cyrus mail system (POP3 support)
ii  squirrelmail  1.2.2-1         Webmail for nuts
ii  php4          4.0.3pl1-0pota  A server-side, HTML-embedded scripting langu

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: interpreting email headers
On Mon, 21 Jan 2002 01:44:14 +0100, Russell Coker writes:
>I have attached a strange bounce message I received, and would like some
>advice in understanding exactly what happened.

This looks like a somewhat braindead bounce, but the headers look just fine. What exactly makes you wonder?

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: PPOP3 Webmail
On 21 Jan 2002 08:41:14 EST, Tim Sailer writes:
>> >I agree! I have squirrelmail (which is still broken in Debian),
>> <...>
>>
>> What exactly is broken in squirrelmail? Works just fine here:
>
>I'm running unstable for a number of reasons, and for the last two
>uploaded versions, you can't even log in.

Well, sounds like a configuration problem, and judging from experience[0] it's most likely to be with apache/php4, not squirrelmail.

0: If you enable register_globals in php.ini _and_ in a vhost-statement, it's...off.

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: [BAD] the whole server down with a red-alert-like attack
On Thu, 24 Jan 2002 11:58:57 +0100, [EMAIL PROTECTED] writes:
>On Thu, 24 Jan 2002, alexis bory wrote:
>
>> This morning my little server (potato, apache 1.3.9) was down. No
>> webservices, no ssh, nothing but ping :(
>>
>> Jan 24 06:13:54 sfa01 kernel: VM: do_try_to_free_pages failed for kswapd...
>
>upgrade your kernel.

and *test your RAM*. I've had this happen (no IP services but ICMP) 'cause of bad RAM a few times.

http://www.teresaudio.com/memtest86/

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: woody's sendmail on potato
On Mon, 04 Feb 2002 15:00:45 +0100, "Davi Leal" writes:
>> > Not sure but it's safe to use Postfix, so why not use that?
>>
>> Let's not get into religious arguments, since that's not the question
>> asked. He's got a running sendmail config; upgrading to a new version is
>> less work than converting to a different mail system.
>
>Yes, this is the point.

However, I failed at this conversion, so I'm now running the stable sendmail on a testing/unstable box...

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: webmail for debian
On Fri, 08 Feb 2002 14:52:29 +0100, [EMAIL PROTECTED] writes:
>does anybody know some webmail system for debian?

squirrelmail (from unstable, but getting it to work on a stable box is a one-line-fix) works pretty well here.

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: webmail for debian
On Fri, 08 Feb 2002 10:52:47 -0400, [EMAIL PROTECTED] writes:
>Any hint about the fix for squirrel?

dpkg -i squirrelmail-package
vi /var/lib/dpkg/status
  change the dependency from "perl-base" to "perl" or "perl-5.005" (or the other way around, can't remember)
apt-get install squirrelmail

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
downgrading woody kernel 2.4 -> 2.2 (fwd)
I just upgraded to Woody from potato and I was running the 2.2 kernel. It told me that binutils may play up with the 2.2 kernel and to do the following:

in arch/i386/vmlinux.lds.S delete any reference to (.text.exit)
in arch/boot/i386/Makefile change -oformat to --oformat

Interestingly I couldn't find either in my kernel source, so I don't know if it was for later versions of the 2.2 kernels (I have 2.2.19pre17). I suppose just try it and see. I am running 2.4.17-686 kernel at the moment and touch wood it seems to be stable.

Rob..

- message from David Biro (DaV3|D3) -

Hi!

We're using Debian Woody (testing) on one of our servers, and we're experiencing several crashes. I think it's because of the 2.4 kernel (but if not, just tell me please ;), so I decided to downgrade the kernel to 2.2 (which is available in woody). I'd ask if there will be any problems after downgrading? Or I have to download 2.2 source (apt-get install ...), compile, and that's it?
Re: Best mail setup?
On Thu, 28 Feb 2002 19:41:16 EST, "D. Clarke" writes:
>I was wondering what your recommendations would be for 50 (and growing)
>virtual hosts. We want something that doesn't require a separate system
>user for each virt-user account, and something that's relatively easy to
>configure.

Your preferred MTA (sendmail, postfix, whatever) and cyrus as MDA+IMAP4/POP3-server. No need for shell-accounts et al and runs stable wherever I've used it.

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: Traffic monitoring/logging question
On 01 Mar 2002 14:22:43 +1100, Kevin Littlejohn writes:
>Be aware that on-the-wire counting will give you traffic counts
>inclusive of packet overhead, whereas counting in squid will give you
>only the size of the content in question. Don't do math on these
>things, as one rather large provider used to do ;)

Why go to trouble with accounting in squid? Just account on the "inside" interfaces, compare with the totals of "outside" and you're set. ipac-ng can do this, only the png-generation is severely broken at the moment (I'm debugging it right now).

>Be aware of media-specific packet wrapping sizes, and be aware of the
>difference between "the size of the content", and "the size of the
>content + IP headers".

Just account on the same layer everywhere and you can split the bill from the ISP in the proper %s.

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
tool(s) to analyze contents of tcp-sessions
Hi!

I'm looking for a tool with which I could analyze the contents (payload) of captured tcp-sessions. I know tcpdump, ngrep, tcptrace et al but none of them can do what I need, and before I spend a week of hacking together my own software...

What I need would be something which could provide output like:

TCP-session $foo from $bar:1234 to $baz:4321:
>> GET / HTTP/1.0
<< HTTP/1.1 200 OK
<< Date: Mon, 04 Mar 2002 16:06:15 GMT
...

preferably from dumped sessions, though live capture only would also do.

cheers+tia,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: tool(s) to analyze contents of tcp-sessions
On Mon, 04 Mar 2002 17:53:12 +0100, Olivier Macchioni writes:
>> I'm looking for a tool with which I could analyze the contents
>> (payload) of captured tcp-sessions.
>tcpflow

Ah, yes. That one comes _very_ close to what I need. Thanks.

BTW, ethereal I already know, but it's not too useful when only the payload of packets are of interest and you have to analyze ~ 20 MB of data out of ~ 30 different, mostly simultaneous, connections.

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: web-based/gui firewall administration
On Mon, 15 Apr 2002 14:12:03 PDT, "Jeremy C. Reed" writes:
>I have a customer that wants a easy-to-use interface for configuring a
>firewall.
>
>Basically, the firewall will do IP forwarding, maybe IP masquerading, and
>packet filtering.
>
>I already know how to do it manually. But we are looking for configuring
>the address translation and selecting what ports to allow, etc.

Have a look at fwbuilder, .deb's are in testing and unstable. Basically, it (kind of) emulates a Checkpoint GUI.

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: DNS weirdness
On Thu, 18 Apr 2002 14:13:57 +0200, Russell Coker writes:
>I've attached a brief tcpdump snippet showing an unusually large DNS delay.

And there are way more packets involved than should be necessary. Could you post (or just send me) a full dump (in binary format), snaplen 1500?

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
woes with proftpd and quotas
Hi!

I'm running a strictly potato+security - box with proftpd on it. So far, everything works fine, even chroot()ing users, using a special password-file and such. But as soon as I enable quotas proftpd stops working completely, it grants login and commands as "passive" et al, but even a simple LIST causes it to die immediately.

From the client side this looks like:

ftp> ls
200 PORT command successful.
421 Service not available, remote server has closed connection

If I run proftpd in full debug mode this is what I get (FQDNs and IPs omitted to protect the guilty ;) ):

ka (dump[x.x.x.x]) - USER waldner: Login successful.
ka (dump[x.x.x.x]) - mysql: close [0] for mod_sqlpw/2.0
ka (dump[x.x.x.x]) - received: SYST
ka (dump[x.x.x.x]) - received: PORT x,x,x,x,8,131
ka (dump[x.x.x.x]) - received: LIST
ka (dump[x.x.x.x]) - ProFTPD terminating (signal 11)

The configuration seems to parse quite fine:

ka (dump[x.x.x.x]) - Config for ka.graffl.net:
ka (dump[x.x.x.x]) - Quotas
ka (dump[x.x.x.x]) - DefaultQuota
ka (dump[x.x.x.x]) - QuotaCalc
ka (dump[x.x.x.x]) - QuotaType
ka (dump[x.x.x.x]) - QuotaBlockSize
ka (dump[x.x.x.x]) - AuthUserFile
ka (dump[x.x.x.x]) - AuthGroupFile
ka (dump[x.x.x.x]) - RequireValidShell
ka (dump[x.x.x.x]) - User
ka (dump[x.x.x.x]) - UserName
ka (dump[x.x.x.x]) - Group
ka (dump[x.x.x.x]) - GroupName
ka (dump[x.x.x.x]) - DefaultRoot
ka (dump[x.x.x.x]) - AllowOverwrite
ka (dump[x.x.x.x]) - Umask
ka (dump[x.x.x.x]) - DenyFilter
ka (dump[x.x.x.x]) - PathDenyFilter
ka (dump[x.x.x.x]) - USER
ka (dump[x.x.x.x]) - CURRENT-CLIENTS

Also an strace on the child process doesn't reveal anything useful (to me):

read(0, "LIST\r\n", 1022) = 6
alarm(0)= 284
alarm(284) = 0
write(2, "ka (dump[6"..., 63) = 63
geteuid() = 1000
--- SIGSEGV (Segmentation fault) ---

So, has anyone any idea on what's happening? I can run w/o quotas for some time but I don't really trust my users to behave...

cheers+TIA,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: RCS control for config files
On 01 Jul 2002 16:41:25 CDT, Alex Borges writes:
>I've finally come to a point where I think I'm needing revision control
>for my configuration files on some servers
>
>So I thought I'd come in and ask you guys if there is some vertical stuff
>explicitly for this purpose or if you yourselves simply cvs ci your /etc
>directory et all..
>
>Or any tips would be appreciated (like "i use emacs and rcs...works for
>me") :)

waldner@beren->~ $ cat `which rcsvi`
#!/bin/sh
/usr/bin/co -l $1 && /usr/bin/vi $1 ; /usr/bin/ci -u $1
exit

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: MLM solution?
On Tue, 09 Jul 2002 12:52:14 +0200, Thomas -Balu- Walter writes:
>> > >Mailinglistmanager that supports
>> > >- virtual hosts (and different setups for each)
>> > >- translation / customization of all automatic generated
>> > >  messages
>> > >- Newsletter-style setups
>> > >- automatic handling of bounces
>> > >- administrative web-pages (for the customers)
>> > >- .deb :)
<...>
>What about ecartis(listar) or mailman? Do they meet the requirements?

Yes, ecartis meets those. You probably don't want to use the .deb, though (but it's a straightforward install even without).

Oh, and before anyone else brings it up: yes, the 8bit<->q/p - flaws are finally fixed ;) .

cheers,
&rw
--
/ Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \
\ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
Re: MLM solution?
On Tue, 09 Jul 2002 14:31:07 +0200, Thomas -Balu- Walter writes: >I've tried ecartis a while ago (half a year?) and one thing I did not >like were those messages (not translatable - one of the biggest >feature-requests at that time :)) a user had to reply to be subscribed. > >Is that possible by now? I think you can do that on a per-list basis with texts in the $list/ texts - directory, but as I don't use that particular feature.. cheers, &rw -- / Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \ \ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
pam_userdb and version of .db-file
(I'm not really sure this belongs here, but it seems at least as fitting as -user, where I didn't get an answer. If this is the wrong place, just tell me to shut the f**k up ;) - although in that case I'd appreciate pointers on where to best ask this) Hi! One of the latest updates to my i386/stable-box gave me severe headaches wrt the subject. I run cyrus for providing a small handful of users with POP3/ IMAP4-access, and since I do not want all of them to have shells on my box, I authenticate them via pam_userdb and a separate password-file. Until recently this just worked. I'd create the .db-file with sendmail's makemap from a "keyvalue\n"-style source. Now makemap produces "Version 8" (libdb3?) files, which pam_userdb cannot read. After much debugging I've now resorted to creating a "Version 5" .db-file with db_load (from libdb2-util). This seems like an ugly kludge (it's far from "intuitive", and db_load wants paired lines of input which means I have to rewrite all my little helper-scripts). Is there a "standard" or "preferred" way of doing this? Maybe one which has some probability of surviving the next libdb-/sendmail-upgrade? TIA+cheers, &rw -- / Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \ \ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
cyrus/pam_userdb, how to let users change their own passwords
Hi! I use cyrus together with pam_userdb.so (to not have every mail-user also have a local system account). Now I need to let my mail-users change their own passwords, preferably via a web-interface. Before I hack together a perl script that does the checking and further on recreates the .db-file for pam_userdb, is there already something Out There which does this? google and freshmeat only turned up stuff for changing system passwords (or doing everything in mysql/ postgresql, which I really can't do on the system in question). TIA for any hints. cheers, &rw -- / Ing. Robert Waldner | Security Engineer | CoreTec IT-Security \ \ <[EMAIL PROTECTED]> | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /
exim limit number of mail per user.
Hi all, Is there a way to limit the number of messages per hour and user with Exim? -- Robert Lindgren <[EMAIL PROTECTED]>
Re: anti virus software for mail server
On Friday 07 March 2003 14:03, Markus Welsch wrote: > Hi, > > I've found > > RAV Antivirus > (http://www.ravantivirus.com/pages/showproduct.php?p=21) > > > but I never heard of that one before! From the first view it looks amazing > - so if somebody has experience with that one post please! Of course also > post your personal recommendations. It is a bit pricy. I have used http://clamav.elektrapro.com/ with great success. Lot cheaper and works well. Take care - RL
SPAM from murphy.debian.org -- INCREDIBLE EARNINGS $$$$$$$$$$$$$$$$$$
Where is this spam coming from! On Fri, Mar 17, 2000 at 07:39:49PM -0800, Orhan C wrote: > Before being to skeptical, please read the article! > > I found this posted in another area and want to pass > it on to all interested in making alot of > money. If you > follow the directions carefully and honestly, you will > make money!! This article is the best I've > seen by giving > clear, step by-step instructions, making it simple for > you to make lots of money without much > effort on your > part. If you really look into this, you'll see that it > works. > > The initial investment is $6.00 plus six stamps -- > other participants have earned $2,500 in > almost 3 weeks > from following this plan. > > HERE IS THE ORIGINAL POST: > A while back , I was browsing these newsgroups, just > like you are now, and came across an > article similar to > this that said you could make thousands in CASH within > a few weeks with only an investment > of $6.00 plus > stamps! So I thought, "Yeah, right, this must be a > scam!" But like most of us I was courious > and kept reading. > It said that if you send $1.00 to each of the 6 names > and addresses listed in the article, you > could make > thousands in a very short period of time. You then > place your own name and address at the > bottom of the list > at #6, and post the article to a least 300 newsgroups. > (There are about 32,000 of them out > there and that's > quite a large market pool). No catch, that was it. > Even though the investment was a measly > $6.00, I had three > questions that needed to be answered before I could > get involved in this sort of thing. > > 1. IS THIS REALLY LEGAL? > I called a lawyer first. The lawyer was a little > sceptical that I would actually make any CASH but > he said it WAS > LEGAL if I wanted to try it. I told him it sounded a > lot like a chain letter but the details of the > system (SEE > BELOW) actually made it a legitimate legal business. > > 2. 
IS IT OK WITH THE POST OFICE OR IS IT MAIL FRAUD? > I called them:1-800-725-2161 and they confirmed THIS > IS ABSOLUTELY LEGAL! (See 18, h > section 1302 NS > 1341 of the Postal Lottery laws.) This clairfies the > program of collecting names and > addresses for a mailing > list. > > 3.IS IT RIGHT? > Well, everyone who sends me a buck has a good chance > getting A LOT of CASH... a much > better chance than > buying a lottery ticket! > > So, having these questions answered, I invested > EXACTLY $7.98...and six stamps..and boy > am I glad I did > Within 7 days, I started getting CASH in the mail! I > was shocked! I figured it would end soon > and didn't give it > another thought. But the CASH continued coming in. In > my first week I made between $20 and > $30. By the > end of the second week I had made a total of $1000.00 > In the third week I had over > $10,000.00 and it was still > growing. This is now my fourth week and I have made a > total of just over $42,000.00 and it's > still coming > inIt's cetainly worth $6.00 ans six stamps!!! I > love the power of the internet! > > SUGGESTION: Read this entire message carefully! (print > it out and download it now) Follow > the simple > directions and watch the CASH come in! It's that easy. > It's legal. And, your investent is only > $8.00. > > IMPORTANT: This is not a rip-off; it is not indecent; > it is not illegal;and it is virtually no risk - it > really works!!! If > all of the following instructions are adhered to, you > will receive extraordinary dividends. > > PLEASE NOTE: > Please follow these directions EXACTLY, and $50,000 or > more can be yours in 20 to 60 days. > This program > remains successful because of the honesty and > integrity of the participants. Please continue > its success by > carefully adhering to the instructions. You will now > become part of the Mail Order business. > In this business your product is not solid and > tangible, it's a sevice. 
You are in the business of > developing > Mailing Lists. Many large corporations are happy to > pay big bucks for quality lists. However, > tha CASH made > from the mailing lists is secondary to the income > which is made from people like you and me > asking to be > included in that list. > > HERE ARE 4 EASY STEPS TO SUCCESS: > > STEP1: Get 6 seperate pieces of paper and write the > following on each piece of paper > "PLEASE PUT ME ON > YOUR MAILING LIST." Now get 6 US $1.00 bills and place > ONE inside each of the 6 pieces of > paper so the > bill will not be seen through the envelope. Place one > paper in each of the 6 envelopes and > seal them. Your > now have 6 sealed letters each with a piece of paper > stating the above phrase, your name > and address, and > a $1.00 bill. > What you are doing is creating a service. THIS IS > ABSOLUTELY LEGAL! You are requesting a > legitimate > service and you are paying for it! Like most of us I > was a little worried about the leg
Re: Front Page Extensions :-(
Hi! Are there any security issues with Frontpage Extensions for 98 or 2000 in Debian? Also, what are the alternatives for simple cgi scripts? Cheers! Rob.. --- [EMAIL PROTECTED] ---
Potato and Modem
Hi! You could try connecting at a lower speed, say 56K or 38K and see if this works. Rob... > > >Hello > >I have problem with Potato and modem. I had Slink and everything was great. >Then I made upgrade to Potato and my modem doesn't work. Problem is after connect. >Under minicom everything seems to be ok, I can send AT command and I have >response. But when I am trying to connect I receive trash. On the screen is >Connect and speed and then strange signs, there should be login prompt from the >Unix machine. When I reboot to windows on the same machine and the same modem >everything is ok I can connect. Answering modem is US Robotics Flash and >dialing modem is US Robotics K56. I tried with Lucent MAX 6000 but it was >the same under win works, under Potato doesn't. > >So there is no hardware problem I think that setserial set something strange > >hades:~# setserial -a /dev/ttyS0 >/dev/ttyS0, Line 0, UART: 16550A, Port: 0x03f8, IRQ: 4 >Baud_base: 115200, close_delay: 50, divisor: 0 > closing_wait: 3000 >Flags: spd_vhi skip_test > >I switched setserial from slink but it wasn't it. > >I tested under 2.2.14 2.3.48 2.2.13 self made and from the debian install > >Linux hades 2.2.14 #1 Wed Mar 22 17:54:03 EST 2000 i686 unknown > > >What is wrong, do you have the same problem ? > >Please help. > > >- > Marcin "user" Jakubowski >[EMAIL PROTECTED]
Re: postfix, qmail, zmailer, qpopper, cyrus?
I suggest you use qmail for MTA, and the latest vpopmail for providing mail addresses to the users without needing a shell account to each. The latest vpopmail package can be accessed from vpopmail homepage (http://www.inter7.com/vpopmail). If you don't want to store the user data (authentication info only) in a mysql database, then contact the packager, to provide a patch for normal cdb authentication. He can be reached at [EMAIL PROTECTED] I think for 300 users you don't need mysql. For other questions, subscribe to the debian-qmail list, at [EMAIL PROTECTED] (send a letter to [EMAIL PROTECTED] to subscribe). For mailing lists you can choose an arbitrary mailing list manager software, I would suggest mailman or ezmlm-idx, both are provided in debian package, and both support maildirs I think. Ezmlm has better integration with vpopmail though, so I recommend that. POP3 is provided with qmail. Regards, Robert Varga On Wed, 5 Apr 2000, David Charro Ripa wrote: > I`m installing a mail server. And I need a simple configuration system, > 300 e-mail accounts, mailing lists, pop accounts but no login-shell > accounts. > > Could you tell which and why of the potato MTA's and POP servers are > better for me? > ¿exim, postfix, zmailer, qmail? > ¿qpopper, cyrus? > > TIA > > K-charro
Strange message in logs
Hi!

I get the following error messages in my log:

Apr 9 06:47:39 ns tcp-env[17281]: warning: /etc/hosts.allow, line 11: can't verify hostname: gethostbyname(114.trusted.net) failed
Apr 9 06:47:40 ns tcp-env[17281]: refused connect from 209.140.0.114
Apr 9 06:56:54 ns tcp-env[17346]: connect from murphy.debian.org
Apr 9 06:58:38 ns tcp-env[17364]: warning: /etc/hosts.allow, line 11: can't verify hostname: gethostbyname(114.trusted.net) failed
Apr 9 06:58:38 ns tcp-env[17364]: refused connect from 209.140.0.114

Is this because my hosts.deny file is set to

ALL: PARANOID

(this is the only line apart from comments and is line 9)

My hosts.allow has the following in line 11:

ALL: .mydomain.com.au

Is there a way to "fix" this, as I am assuming that the machine that is denied access cannot access my server to browse a web page or send e-mail. This message seems to crop up when someone tries to send email mainly.

I am running Debian 1.3 (but some parts are Hamm (eg: libraries are lib.so.6), apache and qmail.

Rob...
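The refusal in the log above, as an added Python model (not part of the original post and not the TCP Wrappers source): the wrapper library looks up a client name when a rule such as `.mydomain.com.au` needs one, confirms it with a forward lookup, and substitutes the name "paranoid" when that fails, which is what the PARANOID wildcard in hosts.deny then matches. Only 209.140.0.114 and 114.trusted.net come from the log; every other name, address and DNS answer is constructed, and the matcher covers only the pattern forms used here.

```python
"""Simplified model of the TCP Wrappers client check behind the log lines."""

PARANOID = "paranoid"   # name substituted when name and address disagree
UNKNOWN = "unknown"     # name used when there is no reverse record at all

# Constructed DNS data (assumption). Only the first PTR entry is taken
# from the log in the post; the rest use documentation address ranges.
REVERSE = {
    "209.140.0.114": "114.trusted.net",
    "192.0.2.25": "murphy.debian.org",
    "198.51.100.7": "www.mydomain.com.au",
    "203.0.113.9": "mail.mydomain.com.au",    # PTR claims the local domain
}
FORWARD = {
    "murphy.debian.org": ["192.0.2.25"],
    "www.mydomain.com.au": ["198.51.100.7"],
    "mail.mydomain.com.au": ["198.51.100.8"],  # A record points elsewhere
    # no entry for 114.trusted.net: the forward lookup fails
}


def verified_hostname(addr, reverse=REVERSE, forward=FORWARD):
    """Reverse lookup followed by a confirming forward lookup."""
    name = reverse.get(addr)
    if name is None:
        return UNKNOWN, "no PTR record"
    name = name.lower()
    addrs = forward.get(name)
    if addrs is None:
        return PARANOID, "gethostbyname(%s) failed" % name
    if addr not in addrs:
        return PARANOID, "%s does not resolve to %s" % (name, addr)
    return name, "verified"


def client_matches(pattern, name, addr):
    """Match one client pattern against the verified name and the address."""
    pat = pattern.lower()
    if pat == "all":
        return True
    if pat == "paranoid":
        return name == PARANOID
    if pat.startswith("."):                    # domain suffix, e.g. .example.org
        return name not in (PARANOID, UNKNOWN) and name.endswith(pat)
    if pat.endswith("."):                      # address prefix, e.g. 192.0.2.
        return addr.startswith(pat)
    return pat in (name, addr)                 # exact host name or address


def check(addr, allow, deny, reverse=REVERSE, forward=FORWARD):
    """hosts.allow is consulted first, then hosts.deny, otherwise granted."""
    name, reason = verified_hostname(addr, reverse, forward)
    for pat in allow:
        if client_matches(pat, name, addr):
            return "granted", name, "hosts.allow: " + pat
    for pat in deny:
        if client_matches(pat, name, addr):
            return "refused", name, "hosts.deny: %s (%s)" % (pat, reason)
    return "granted", name, "no rule matched"


# Client patterns from the post (daemon list is ALL in both files).
ALLOW = [".mydomain.com.au"]
DENY = ["PARANOID"]

if __name__ == "__main__":
    for address in sorted(REVERSE):
        print(address, check(address, ALLOW, DENY))
```

In the model, the host with the PTR record that falsely claims the local domain is refused as well, which is the case PARANOID exists for; a client listed by address in hosts.allow is granted regardless of what its DNS says.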
RE: Installing Debian on a RAIDed partition
The more up-to-date infos are: root can be put on raid but /boot must be on a non-raid. Exception is /boot can be on RAID-1 with some patches to lilo which are made by RedHat and I think are in the lilo found in woody. the root-RAID-HOWTO is a bit outdated, or at least was a month ago, when I installed a system on RAID (root as well). Look at raid-HOWTO for up-to-date infos. I installed a system with every filesystem of it on RAID-1 except for /tmp which is not preserved for next boot in any case, and /boot since lilo in debian did not support RAID-1 booting at that time. Use RAID 0.90 (you can convert older version RAID arrays), and raidtools2 package. The raidtools2 package also contains the mentioned RAID-HOWTO. I set everything up as mentioned in it, and it worked without problem. Booting did not work due to other problems (it did not want to boot even the stock install, when RAID was nowhere in sight yet, some problem with SCSI settings I think, since I have the same problem with another SCSI machine. It is using Adaptec 2940 UW). These problems don't have any relation with RAID setup. Just put /boot in the first 1024 cylinder. And of course read the whole HOWTO before you do anything to know what you will be doing, or else you will be into some partition reorganization. Preferably use a spare hard-drive for initial install. The best would be of course to put a RAID0.90-supporting kernel on the boot-disks, so that debian could be installed straight on raid without a problem. The kernel patches for RAID 0.90 can be found at http://people.redhat.com/mingo Regards, Robert Varga On Tue, 9 May 2000, John Gonzalez/netMDC admin wrote: > On Tue, 9 May 2000, Robert H. Clugston wrote: > > >Whatever.. here's the instructions on how to load a raid partition as > >root... > > > >http://www.linux.org/help/ldp/howto/Root-RAID-HOWTO.html > > > > > >Yes. You cannot boot to a raid partition. One, lilo cant read a RAID > >partition, and the 'raid' drivers havent been loaded yet. 
You will either > >need to have the / or more specifically /boot be on a NON raid partition > >(ie. floppy) or compile special tools to boot raid partitions. Someone has > >developed info on that, but the address escapes me now, search the web and > >it should turn up. > > > >The RAID howto|mini howto should be of assistance. > > Whatever...??? > > What part of my statement does not make sense to you? > > How about: > > "or compile special tools to boot raid partitions. Someone has > developed info on that, but the address escapes me now, search the web > and it should turn up." > > In other words. It's not possible to simply compile in raid support and > setup the device and then boot off of it right out of the box. It takes > work, kernel patches, kernel support, among other things. > > ___ _ __ _ > __ /___ ___ /__ John Gonzalez/Net.Tech > __ __ \ __ \ __/_ __ `__ \/ __ /_ ___/ MDC Computers/netMDC! > _ / / / `__/ /_ / / / / / / /_/ / / /__ (505)437-7600/fax-437-3052 > /_/ /_/\___/\__/ /_/ /_/ /_/\__,_/ \___/ http://www.netmdc.com > [-[system info]---] > 12:10pm up 105 days, 19:07, 6 users, load average: 0.27, 0.48, 0.38 > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > >
Re: mail server w/ 65000++ users
Use qmail and vpopmail. They are both packaged to debian, so there should not be much of a problem for it. Vpopmail is a virtual domain pop3 server suited for serving as many as 23million POP3 mailboxes taking up only one system user, integrating with qmail and other qmail-extension software. It can store user information in cdb datafiles or in a mysql database. It can serve virtual domains. Of course it also provides POP3 for the system users as well. In the upcoming version postgresql and oracle databases can also serve as a means for storing user information. Mails are stored in maildir format, which is NFS-safe without the need of locking. Qmail package can be built from the qmail-src package. Vpopmail package can be built from the source downloaded from www.sury.cz/Debian/vpopmail or you can find binary versions of the package as well at the same place. I suggest downloading the source since a few options need to be set at compile-time, although the packager did incorporate a few things to provide a means for runtime configuration, but not every option is runtime configurable, yet. An IMAP server is also provided for qmail and vpopmail called courier-imap, it is also packaged for debian as far as I remember, but I haven't tried installing it yet. Ask the vpopmail packager about installation comments. I have no experience with Postfix myself, but qmail is regarded as the fastest and most secure mailserver, and I think it is much easier configurable than sendmail or exim. I really have no problem with it myself. Regards, Robert Varga On Sun, 14 May 2000, Russell Coker wrote: > On Fri, 12 May 2000, Craig Sanders wrote: > >On Fri, May 12, 2000 at 04:10:40PM +0800, Chad A. Adlawan wrote: > >> does anybody have any URL's or docs w/ talks on how to build > >> a mail server (both Exim and Sendmail are OK w/ me) with more > >> than 65,000 users ? 
i.e., what are the available methods (and > >> what are the best ones) of having mail users w/o having them on > >> /etc/passwd. > > > >i'd suggest postfix + cyrus. from comments in the postfix-users list, it > >seems to be a nearly ideal combination for doing what you want. > > I'd suggest Postfix + the Qmail POP server. Postfix (and Postfix-tls) are in > Debian. There's a package of the Qmail source which allows you to compile > your own Qmail POP server. > > Cyrus uses a different mail storage format to anything else and sequesters > all your mail. > > For users who aren't in the /etc/passwd file use LDAP, give all users the > same UID and with /dev/null as the shell (so they can't login). > > Use the NSS modules for LDAP. > > >hint, for performance you probably want to look at a machine with > >multiple fast scsci drives for the mail spool (raid striping), formatted > >with reiserfs. and lots of memory, of course. CPU speed isn't a big > >issue - mail systems are I/O bound. > > Last year I was working on an AIX machine (AIX is slow) that had old 2G and > 4G SSA drives (drive performance was less than my Thinkpad in every test). > The AIX machine ran 27000 mail accounts, an Oracle server, and some shell > accounts. After I had finished with it performance was quite OK. > > It really depends on the type of access the machine will get. 27000 > university students don't produce much load (especially when most of them are > arts students who only check mail once a week). 1000 people on a corporate > network sending emails with Word and Excel documents attached will produce > 1000 times the load. > > When mail is being delivered and immidiately downloaded via POP (no mail left > on server) my Thinkpad 600E (10G IDE hard drive, Celeron 400) can do 20G of > email traffic a day. An ISP with >50 users I know of has about 15G of > email a day. > > For best performance have no direct TCP connections between your mail server > and the outside world. 
Have the MX records point to an inbound-relay which > sends the mail to the real server. Have the clients SMTP relay address point > to a machine that's configured to just be an outbound relay. Have your > server setup with ipchains or TCP wrappers to deny SMTP connections from > machines other than the inbound relay. > When mail comes from the Internet it generally comes in slowly, and in > spurts. This hurts the caching on the queue partition. Have the mail come > in from the inbound relay (or relays, you'll need several for a big system) > in only a small number of TCP connections. That way data will generally > never be read from the queue partition (it'll be in the cache). > > Have separate physical media for the queue file system. All writes of email > data are synchronous.
Re: mail server w/ 65000++ users
On Mon, 15 May 2000, Russell Coker wrote: > On Mon, 15 May 2000, Robert Varga wrote: > >Use qmail and vpopmail. They are both packaged to debian, so there should > >not be much of a problem for it. > > Qmail isn't a regular package because it's got licence issues. > It is in debian in source package form, it can be built with one command, so it is not a real problem I think. > Also Qmail is lacking in functionality when compared to Postfix, Sendmail, or > probably any other Unix mail server. Qmail is fast and reliable, it's good > for installing for one of those clients who is expected to stuff up Postfix > config files. I did not really find any lacking functionality for my needs currently, and we are using it as an ISP customer mailserver and as a company mailserver as well. > > For a serious server system it will rapidly become annoying for the > administrator because it just won't do the things you want. > > Try spam blocking (both ORBs and header filtering) and address re-writing for > two things that Qmail falls down on. Address rewriting: look at the mess822 package on DJB's homepage, for one. For address rewriting in messages originating on the qmail host, it is even easier than that. You just need to wrap qmail-inject. I have done it and it is not that hard to do. SPAM blocking: it is not that hard to do, the biggest problem is always the algorithm and patterns you filter on. > > >Mails are stored in maildir format, which is NFS-safe without the need of > >locking. > > Postfix does this too. > > >I have no experience with Postfix myself, but qmail is regarded as the > >fastest and most secure mailserver, and I think it is much easier > >configurable than sendmail or exim. I really have no problem with it > >myself. > > Being easier to configure than Sendmail is an understatement. Sendmail is > the hardest to configure and Qmail is the easiest. > > I doubt that Qmail is any more secure than Postfix. I doubt that it is any > faster. 
> It can be said the other way round as well. I don't personally know postfix, but I don't think it would be faster than qmail. About security: there is one thing with postfix: it is under current development, ergo it always can contain newly introduced security holes. Of course that also means fast error fixes, however. Qmail is unfortunately not under visible development, no one knows what DJB does currently with qmail. The licencing is the biggest drawback in qmail I think.
Re: mail server w/ 65000++ users
Exim: Its documentation is a joke I think. It is 800 pages, but unusable for anything but reading it from the start, but if you want to search in it quickly and haven't read it before, because you just want to put in something, then it is unusable. Features: probably rich enough. Speed: much slower than qmail. Regards, Robert Varga On Mon, 15 May 2000, Irwan Hadi wrote: > At 01:03 PM 5/15/00 +0200, Russell Coker wrote: > >On Mon, 15 May 2000, Robert Varga wrote: > >Qmail isn't a regular package because it's got licence issues. > > > >Also Qmail is lacking in functionality when compared to Postfix, Sendmail, or > >probably any other Unix mail server. Qmail is fast and reliable, it's good > >for installing for one of those clients who is expected to stuff up Postfix > >config files. > > how about exim then ? (Www.exim.org) > >
Re: mail server w/ 65000++ users
On Tue, 16 May 2000, Mark Brown wrote: > On Tue, May 16, 2000 at 12:28:40PM +0200, Robert Varga wrote: > > > Its documentation is a joke I think. It is 800 pages, but unusable for > > anything but reading it from the start, but if you want to search in it > > quickly and haven't read it before, because you just want to put in > > something, then it is unusable. > > Depends on what you're after in terms of documentation, of course - I > always found it quite nice when I used Exim. It's also worth looking at > the FAQ which is more oriented towards "I'd like to..." when you don't > know the sort of Exim feature you'd use. It fulfils a lot of the roles > of a tutorial-type section in the manual. I told what I told from my experience. I tried to set up virtual users and virtual domains, looked at the FAQ, and did not know where to put in the config file, what I found there. It's simply unusable this way, or at least it was that a year ago when I tried it. Even sendmail documentation is better than that, at least I managed to do it with sendmail which I put up instead of exim then. After that, I looked at qmail, and now I don't install anything else on any machine I install. > > > Speed: much slower than qmail. > > It's not that bad - from my memories of both Exim and qmail I think that > qmail has some much more aggressive defaults than Exim. I could be > wrong on that, but it's certainly possible to push a good load through > Exim. > You should try a stress test. :) Robert
secret data for php pages
Is there a way in which I can store some data (eg. mysql passwords) safely from other users on a website and retrieve it from php3/4?

The site is running php3 or php4 as an apache_module, and I need to provide separate mysql databases for each user, inaccessible to all other users, so each user's data in the database is safe from other users. However the mysql passwords need to be stored on the server somewhere, and then they are retrievable, if special means are not taken. I would be interested in these special means.

Since apache modules run with the id of the webserver itself (www-data.www-data) therefore if the user passwords are stored in .php files, then they must be readable by www-data, and therefore they are retrievable (1. put on a php3 script which lists the public_html dir of the other user, 2. put on a php3 script which displays all the files of the other user's public_html, and there it is, 3. use this recursively to reach directly untraversable directories).

I would not like to use php-cgi if it is not a necessity, due to the performance drop.

Regards,
Robert Varga
RE: secret data for php pages
On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote: > > On 07-Jun-2000 Robert Varga wrote: > > > > Is there a way in which I can store some data (eg. mysql passwords) safely > > from other users on a website and retrieve it from php3/4? > > > > include the files from your script. The file can be elsewhere, the server > just > has to be able to get to it. > This is the scenario I told in my letter: If I would like to include it, then it has to be retrievable to the user www-data, and therefore it can be retrieved. Regards, Robert Varga
Re: secret data for php pages
That is not the same problem. When I refer to users, they are meant as system users on the webserver, not web visitors. What I need is a way to provide separate mysql databases to all virtualhosts and webserver users, without a possibility for them to access each other's databases. Regards, Robert On Wed, 7 Jun 2000, Andrew Sullivan wrote: > On Wed, Jun 07, 2000 at 07:46:29PM +0200, Robert Varga wrote: > > > > Is there a way in which I can store some data (eg. mysql passwords) safely > > from other users on a website and retrieve it from php3/4? > > You need to use sessions. Either use phplib under php3, or use php4. > > A > > -- > Andrew Sullivan Computer Services > <[EMAIL PROTECTED]>Burlington Public Library > +1 905 639 3611 x158 2331 New Street >Burlington, Ontario, Canada L7R 1J4 >
Re: secret data for php pages
On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote: > > On 07-Jun-2000 Robert Varga wrote: > > > > That is not the same problem. When I refer on users, they are meant as > > system users on the webserver, not web visitors. > > > > What I need is a way to provide separate mysql databases to all > > virtualhosts and webserver users, without a possibility for them to access > > each other's databases. > > > > each v host gets a user, the web daemon runs as that user. The mysql passwds > are in a file that that user can read. Only people who can learn it are other > members of the v host. > No, that is only true if it is a cgi. Apache modules don't change uid-s. They always run as set globally in httpd.conf, by default www-data, and you cannot override it for virtual hosts. What you can override is running cgi-s or exec-s from SSI-s. The User / Group override for virtual hosts is only for cgi-s run in that virtual host. PHP is an apache module on our site, and if it was run from a cgi (php3-cgi package) then performance would decrease due to 1. not having persistent connections 2. having to load the php interpreter on every request for every php page. Regards, Robert Varga
Re: secret data for php pages
On Wed, 7 Jun 2000, Fraser Campbell wrote:

> Robert Varga wrote:
>
> > What I need is a way to provide separate mysql databases to all
> > virtualhosts and webserver users, without a possibility for them to access
> > each other's databases.
>
> Create a unique database for each site. Grant access to it from localhost
> (and others if necessary) to a unique user.
>
> GRANT ALL ON somedatabase.* TO [EMAIL PROTECTED] IDENTIFIED BY
> 'somepassword';
>
> Adjust permissions as necessary of course ...
>
> Store the mysql connection information in a PHP file in the webspace. I
> often create a file db_config.php3 and it looks like this:
>
> <?php
> $dbhost = "localhost";
> $dbuser = "someuser";
> $dbpasswd = "somepassword";
> mysql_connect ($dbhost, $dbuser, $dbpasswd) or
> die("Unable to connect to mysql server ($dbhost) ...");
> ?>
>
> Include that file at the beginning of every PHP script and you know that
> you have a mysql connection available for use automatically. Storing
> within the webspace may not be ideal but if someone tries to access the
> file directly through a browser the script is interpreted anyway and the
> data isn't accessible (they will get a "document contains no data" error).
>
> Make sure users cannot move up the "directory tree" when they login by
> ftp. "DefaultRoot ~" in proftpd.conf will take care of that. Other FTP
> servers should also have options for this.

The problem is that anyone who can put up a php page can download every php page _source_ there is on the webserver (see my initial post). Therefore the password is retrievable this way.

Regards,
Robert Varga
Re: secret data for php pages
On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote:

>
> On 07-Jun-2000 Robert Varga wrote:
> >
> > On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote:
> >
> >>
> >> On 07-Jun-2000 Robert Varga wrote:
> >> >
> >> > That is not the same problem. When I refer on users, they are meant as
> >> > system users on the webserver, not web visitors.
> >> >
> >> > What I need is a way to provide separate mysql databases to all
> >> > virtualhosts and webserver users, without a possibility for them to
> >> > access each other's databases.
> >> >
> >>
> >> each v host gets a user, the web daemon runs as that user. The mysql
> >> passwds are in a file that that user can read. Only people who can
> >> learn it are other members of the v host.
> >>
> >
> > No, that is only true if it is a cgi. Apache modules don't change uid-s.
> > They always run as set globally in httpd.conf, by default www-data, and
> > you cannot override it for virtual hosts.
> >
> > What you can override is running cgi-s or exec-s from SSI-s. The User /
> > Group override for virtual hosts is only for cgi-s run in that virtual
> > host.
> >
> > PHP is an apache module on our site, and if it was run from a cgi
> > (php3-cgi package) then performance would decrease due to
> > 1. not having persistent connections
> > 2. having to load the php interpreter on every request for every php
> >    page.
> >
>
> apache runs as the vhost user. One apache daemon group per v host.
>

Nope. It may be true for ip-based virtual hosts, but surely not for
namebased virtual hosts.

It changes uid and gid only for running cgi-s via suexec. It is sure.

You can check it the following way: put a file which should be readable by
the uid and gid that is set at the virtual host, but not by
www-data.www-data, into that virtual host's webspace. Try to retrieve it
with a browser. You will get a 403 error (access forbidden).

Therefore it is sure that for normal pages the server and the apache modules
(eg php3) run as www-data.

I tried it.

Regards,

Robert Varga
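The check described in the message above, turned into a file-mode audit (an added example, not part of the original thread): it lists the files in a docroot that the shared server account can read. The function names, the constructed docroot and the stand-in server ids are assumptions for illustration.

```shell
#!/bin/sh
# Added example: which files under a docroot can the shared server account read?
# With PHP as an Apache module, scripts of every virtual host run as that one
# account, so each file listed is readable by other virtual hosts' scripts too.
# Only owner/group/other mode bits are evaluated: no ACLs, no supplementary
# groups, and no check of the directories above the file.

# readable_by UID GID FILE: succeeds if the mode bits grant read to that uid/gid.
readable_by() {
    ls -ldn "$3" | awk -v u="$1" -v g="$2" '{
        if ($3 == u)      bit = substr($1, 2, 1)   # owner class applies
        else if ($4 == g) bit = substr($1, 5, 1)   # group class applies
        else              bit = substr($1, 8, 1)   # "other" class applies
        exit (bit != "r")
    }'
}

# server_readable UID GID DIR: print the regular files in DIR the account can read.
server_readable() {
    find "$3" -type f | sort | while IFS= read -r f; do
        if readable_by "$1" "$2" "$f"; then echo "$f"; fi
    done
}

# Constructed docroot. The server ids are stand-ins chosen to differ from the
# account running this script, which plays the virtual host's user.
srv_uid=$(( $(id -u) + 1 ))
srv_gid=$(( $(id -g) + 1 ))
docroot=$(mktemp -d)
echo '<?php /* placeholder credentials */ ?>' > "$docroot/db_config.php3"
echo 'vhost-only data'                         > "$docroot/private.txt"
chmod 644 "$docroot/db_config.php3"   # must be readable for mod_php to include it
chmod 640 "$docroot/private.txt"      # vhost user and group only: a browser gets 403

server_readable "$srv_uid" "$srv_gid" "$docroot"
```

On a real server, pass the numeric uid and gid the daemon runs as (from `id www-data`) and the virtual host's document root.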
Re: secret data for php pages
Unfortunately we are serving only web- and mail services currently and we
don't have an ip-block, only one server.

Regards,

Robert Varga

On Wed, 7 Jun 2000, Sean 'Shaleh' Perry wrote:

> >> apache runs as the vhost user. One apache daemon group per v host.
> >>
> >
> > Nope. It may be true for ip-based virtual hosts, but surely not for
> > namebased virtual hosts.
> >
>
> we ran IP based, I assumed most people did, sorry.
>
> Guess you just have to cross your fingers and hope.
Re: secret data for php pages
On Wed, 7 Jun 2000 [EMAIL PROTECTED] wrote:

> On Wed, Jun 07, 2000 at 08:23:18PM +0200, Robert Varga wrote:
> > > Store the mysql connection information in a PHP file in the webspace. I
> > > often create a file db_config.php3 and it looks like this:
> > >
> > > <?php
> > > $dbhost = "localhost";
> > > $dbuser = "someuser";
> > > $dbpasswd = "somepassword";
> > > mysql_connect ($dbhost, $dbuser, $dbpasswd) or
> > >     die("Unable to connect to mysql server ($dbhost) ...");
> > > ?>
> > >
> >
> > The problem is that anyone who can put up a php page can download every
> > php page _source_ there is on the webserver (see my initial post).
> > Therefore the password is retrievable this way.
> >
> Nor would the above script be persistent no? I don't do any PHP.

It would be persistent if invoked from the mod_php3 and not from php3 cgi.

>
> What we do is generate an initial connection to db when server starts
> up as root. The server then changes uid/gid to nobody:nogroup. Now
> that is with WN. Hardly stock debian setup. ;^) Nor do we let users
> onto the machines with that setup; it's staff only. Period.
>

How can this be carried out and what is WN? :)

> As an alternative, you might be able to set server id read only depending
> on how much updating and run the updates suid, etc
>

I don't understand this part, but reads are also dangerous, think of
retrieving other users' sensitive data :)

Regards,

Robert Varga
Re: secret data for php pages
If php is called as a cgi then it can be run setuid via suexec anyway.

What I was looking for was a way to provide some information preload during
the time when apache is still root for the php3 module, since modules run as
www-data.

There was another suggestion for running several instances of suid-ed apache
on ports other than 80 and using the rewrite engine to transfer calls to
them. This would cause large memory consumption but still looks like the
most feasible method aside from ip-based virtualhosts.

Regards,

Robert Varga

On Thu, 8 Jun 2000, Christian Hammers wrote:

> Hello
>
> > Is there a way in which I can store some data (eg. mysql passwords) safely
> > from other users on a website and retrieve it from php3/4?
> There exists a patch that allows apache to run every virtual host in
> a separated chrooted environment under a different UID.
> This involves that php has to be called as cgi but it's ok from the
> security point of view.
>
> http://stein.cshl.org/software/sbox/
>
> bye,
>
> -christian-
>
> --
> Linux - the choice of the GNU generation. Join the Debian Project
> http://www.debian.org
> Christian Hammers * Oberer Heidweg 35 * D-52477 Alsdorf * Tel.: 02404-25624
> 0AA3 E879 1D82 F59E 77A4 0096 911F 4AE6 86A1 18E6 1024D/86A118E6 1999-09-17
Re: POP + Maildir not at HOME
Look at the vpopmail homepage, there is a document regarding the usage of
vpopmail with postfix. Of course you still need the qmail package to provide
the qmail-pop3d mechanism.

The vpopmail package (for qmail) is packaged for debian by Ondrej Sury and
it can be found at www.sury.cz/Debian with a couple of useful other
packages.

It supports a quota system itself as well, so you need not put it on another
filesystem, and it needs only one uid/gid and no system users for providing
pop3 access.

Regards,

Robert Varga

On Mon, 12 Jun 100, Ivan Vilata i Balaguer wrote:

>
> Hi all,
>
> We are trying to set up a Debian mail server running potato. We
> are planning to use Postfix as an MTA and Maildir as the mail storing
> format. The server should be able to handle POP requests for the users
> to read their mail (we are an ISP that provides PPP connections).
>
> However, we would like to separate home directories from mail
> directories so we can establish different quotas and/or filesystems,
> such as ReiserFS.
>
> So I have a pair of questions:
>
> - Can Postfix be configured to store mails in maildir format in a
>   directory other than the user's home?
> - What POP server could I use that supported Maildir? I've heard
>   of the POP server provided with Qmail. And, if the maildir affair
>   would not be possible, which POP server would you recommend
>   anyway?
>
> Well, thanks a lot in advance, and keep on dpkging!
>
>
> Ivan Vilata i Balaguer
> [EMAIL PROTECTED]
pppd problem, authentication doesn't seem to work.
Hi all,

I've got a linux box set up as a ppp server, using mgetty with AutoPPP and
pppd (2.3.11-1.4 - Potato's current version as far as I know).

The problem seems to be that it's not asking the remote machine to
authenticate. It will allow logins with any password, any username, etc. to
log in.

I have the "login" option set and the "auth" option set. In
/etc/ppp/pap-secrets and /etc/ppp/chap-secrets I have a line like so:

    * * "" *

I believe this is correct. I've copied all config files off another working
setup I've done in the past, running the same version of Potato, and I can't
seem to get it to work.

Any suggestions would be great.

Regards,
Robert Davidson.
[EMAIL PROTECTED]
Re: pppd problem, authentication doesn't seem to work.
On Thu, Jun 22, 2000 at 11:03:07AM +0800, Sanjeev Gupta wrote:

>
> Check /etc/ppp/options, you may have a
>
> noauth
>
> somewhere

Nope.. I've checked for that, but it is effectively acting like it has been
given the noauth option.

Any ideas?

Regards,
Robert Davidson.
[EMAIL PROTECTED]
Re: pppd problem, authentication doesn't seem to work.
On Thu, Jun 22, 2000 at 12:23:53PM -0400, Larry Morrow wrote:

> Nathan,
>
> As sent from the user, it was open because the example sent
> does NOT have a hostname listed nor a username and so it
> does not matter what options are included, auto PPP would validate
> all requests. I have done lots of tests in all configurations and found
> this to be the case no matter what the docs say.

Ok.. The server is a dial-up server that I wanted to accept connections from
anyone who is using a valid username/password. I need to have any user in
the /etc/passwd file able to login using ppp, so I've got the login option
and the auth option.

Is there a way to avoid adding a line to pap-secrets for every user I want
to be able to login using ppp? I've done it in the past but I'm now thinking
it's setup incorrectly, as I was using "* * "" *" in pap-secrets.

Regards,
Robert Davidson.
[EMAIL PROTECTED]
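An audit of the settings discussed in this thread, as an added example that is not part of the original posts: it flags `noauth`, a missing `auth`, and empty secrets in the PAP and CHAP secrets files. The function names and sample files are constructed; the rule it encodes, that an empty PAP secret is only checked against system accounts when `login` is in effect, follows pppd's documented behaviour.

```shell
#!/bin/sh
# Added example: audit pppd server files for settings that skip the credential
# check. It reads one options file only; pppd also takes options from its
# command line (for example the AutoPPP entry in mgetty's login.config), and
# those have to be reviewed as well.

# has_option FILE WORD: succeeds if WORD is set anywhere outside a comment.
has_option() {
    awk -v w="$2" '{ for (i = 1; i <= NF; i++) { if ($i ~ /^#/) break
                                                  if ($i == w) found = 1 } }
                   END { exit !found }' "$1"
}

# empty_secrets FILE: print "client server" for entries whose secret is "".
empty_secrets() {
    awk '$1 !~ /^#/ && NF >= 3 && $3 == "\"\"" { print $1, $2 }' "$1"
}

# audit_pppd OPTIONS PAP_SECRETS CHAP_SECRETS: print one finding per line.
audit_pppd() {
    if has_option "$1" noauth; then echo "FAIL options: noauth set"; fi
    if ! has_option "$1" auth; then echo "FAIL options: auth not set"; fi
    if [ -n "$(empty_secrets "$2")" ]; then
        if has_option "$1" login; then
            echo "OK pap-secrets: empty secret, password checked against system accounts"
        else
            echo "FAIL pap-secrets: empty secret without login matches any password"
        fi
    fi
    if [ -n "$(empty_secrets "$3")" ]; then
        echo "FAIL chap-secrets: empty shared secret (CHAP cannot use system accounts)"
    fi
}

# Constructed sample files modelled on the setup described in the thread.
demo=$(mktemp -d)
printf 'auth\nlogin\n'  > "$demo/options.ok"
printf 'auth\n#login\n' > "$demo/options.nologin"
printf '# client server secret addrs\n* * "" *\n' > "$demo/pap-secrets"
cp "$demo/pap-secrets" "$demo/chap-secrets"
: > "$demo/chap-empty"   # a chap-secrets file with no entries

audit_pppd "$demo/options.ok"      "$demo/pap-secrets" "$demo/chap-empty"
audit_pppd "$demo/options.nologin" "$demo/pap-secrets" "$demo/chap-secrets"
```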
Re: Strange Qmail problem...
IMHO it is not a wise idea to use alias as a normal user due to the fact
that it is a special user in the qmail architecture:

Mail to addresses on local domains that don't in fact exist, are delivered
via ~alias/.qmail-localpart where localpart@ is the recipient of the mail,
and the user 'localpart' does not exist.

Therefore don't use alias as a regular user or you will have surprises in
store.

Regards,

Robert Varga

On Wed, 19 Jul 2000, parlin imanuel wrote:

> dear all,
> i've just installed qmail and set it to use maildir.
> but mail for alias cannot be delivered.
> maillog tells something like this:
> "deferral: Temporary_error_on_maildir_delivery"
> i've tried to change ~alias/.qmail with both
> "/var/qmail/alias/Maildir/" and "./Maildir/"
> but nothing happened. Is there any step i miss?
> other users can receive mail normally.
>
> TIA
> -parlin-
Re: Unidentified subject!
On Tue, Aug 08, 2000 at 06:57:54PM -0400, Granick, Neal D wrote:

> Hi,
>
> I found this string you sent in February
>
>
> "Dear Friends, I need install a firewall and need a "good" documentation
> about this!! I'm looking for DOCs and HOWTOs about IPChains... Can anyone
> help me with some links?? Tnx! Best Regards,
>
>
> Did you find any good documentation in downloadable format? If so would you
> mind passing the links or information on to me?

Hello,

Lots of stuff at:

http://metalab.unc.edu/pub/Linux/docs/HOWTO/other-formats/html/

hth,
Robert

>
> Thanks
Re: Inherited ISP host configuration nightmare
> he's probably better off using squid on the linux box as an http
> accelerator. much easier to configure, just set it up to accelerate for
> virtual domains and that's it.
>
> squid is also a lot faster and avoids the delays inherent in sending a
> redirect (browser queries apache, apache sends redirect, browser queries
> 2nd server).

This is true and I like squid, I use it, but it runs the risk of not being
transparent enough. You end up having to special case sites, and one of the
things it can't do is M$ authentication.

> after a week or so (when you know that you wont need to revert to the
> old setup because everything is working fine), recycle the NT box -
> format it and install debian.

Ah why wait... you know it's the only really long term solution *grin*...
Re: sort of a load balancing question
Shao,

We are also a small ISP and do exactly that with one of our vital servers.
We used rsync for this.

Regards,
Robert Davidson.

On Thu, Aug 24, 2000 at 12:30:12PM +1000, Shao Zhang wrote:

> Hi,
> This is not a really load balancing question, but similar sort
> of thing.
>
> We are an isp here and we would like to set up two webservers
> that are completely transparent (rsync daily).
>
> We will only be using one webserver to serve all the pages, but
> if it goes down, we would like the second webserver to take over
> without any downtime.
>
> Are there any programs out there that do this?
>
> Thanks.
>
> Shao.
>
> --
>
> Shao Zhang - Running Debian 2.1
> Department of Communications
> University of New South Wales
> Sydney, Australia
> Email: [EMAIL PROTECTED]
Re: what is sufficient free memory?
> Thanks for all the responses. From most of the replies, can I gather that
> I'll have to observe my how much is being swapped to determine whether I
> should immediately "up" the RAM back to 128MB? (and pester the tight-wad
> suits who'll approve the requisition)

Why wait? Run the command vmstat, and observe how much is paged in/out,
what is the scan rate? That indicates how hard the page stealer is looking
for pages it can free off. vmstat 10 is usually a goodish number, but if you
can run it a long time, longer sample times are useful.

If you still have the 128MB in the machine, you could force Linux to ignore
it, using a boot parameter. With lilo, that would mean an append line with
'mem=64M' in it, or enter it at the lilo boot prompt.

    boot: linux mem=64M

That way you can actually trial your system out, at the cost of a reboot, to
see the effect.

With squid, you probably want to lower the mem cache down to about 1/4 of
physical RAM, if it's higher than the default. Depending on usage perhaps
less than 16MB would be a waste of RAM, your call!

If the suits don't blink, then perhaps you could investigate interleaving
swap over a number of disk partitions, by using mkswap, and swap entries in
fstab all set with a priority=5, instead of the defaults which don't
interleave.

Rob
Re: MySQL vs. Postgres
My workplace used php3 + mysql, then php3 + oracle, now looking at a
combination of php3 + local mysql + master oracle db (the local mysql db's
would act as caches for fast answers to most page queries). This is for
scalability and availability reasons.

php most commonly used with mysql, told by php dudes it's better supported,
and php4 + mysql further the integration, projects cooperating. mysql are
doing work on replicating the db which would be a nice thing to have for
scalability.

> We run mySQL here and created an application with PHP3/4 to interface with
> the SQL engine. I will tell you now, that we re-wrote all the php pages into
> ANSI C as the performance was PATHETIC. (p2 350 with 256 megs of ram) The
> performance was 10 times faster than php. Another thing that I notice about

Rather surprised by that, wonder what the hit rate was. On the web server I
run which has been pretty busy at times (1GB served less than a week, daily
access logs of 60-70MB), the php and apache usage was virtually
undetectable, p3 650 256MB. Basically DB access and network download times,
swamped out anything that the PHP interpreter does.

> mySQL is that its load can get rather high if you have a large database.
> (we have 5k records in a realestate database so there's a pile of fields too
> that we have broken into 50 different tables to optimize the searches).
>
> If you plan on running a dynamic website, be aware of the following issues.
> 1) You will need more horsepower that you likely think. (true in my
>    experience with this solution)
> 2) Search engines will NOT index php pages or asp pages and the like nearly
>    as well as static pages. This is a big deal if you are looking for traffic
>    to this site.
> 3) If you decided to go this way, offload the mySQL to a box on its own,
>    you will see marked improvement. We moved ours to a 700 with 512 megs of ram
>    and it's almost acceptable. (we get a few searches a minute, not a lot, but
>    definitely busy)
ISDN & MRTG (or similar)
Hi Guys, I have a linux box with 2 NETjet ISDN cards in it maintaining links to two different ISP's. Previously they were running on our PortMaster 3 and we were using MRTG to monitor them. Is there a way we can monitor them with MRTG on the linux box, or is there some other program that can do it, and preferably publish it to a webpage or into a file? Regards, Robert Davidson.
Re: Qmail and Debian
On Wed, 13 Sep 2000, Nathan E Norman wrote:

> On Tue, Sep 12, 2000 at 04:59:12PM -0600, Art Sackett wrote:
> > I haven't tried any of the web-based stuff, but have found that the
> > .debs of ucspi-tcp, ezmlm, rmlsmtpd, fastforward, and vchkpw have
> > all gone in flawlessly. Well, almost -- there's still a niggling
> > little problem where any other existing mail-transport-agent being
> > on the system will cause dpkg to bail out thinking qmail causes a
> > conflict. So after yanking out the default exim, you have to go back
> > and reinstall any you need of at, mailx, logrotate, and mail readers.
> > There may be others, which will be installation dependent.
>
> Huh? Why would you need to deinstall at, mailx, logrotate and mail
> readers in the first place?
>

No need, really. :)

Compile qmail from qmail-src, and ucspi-tcp from ucspi-tcp-src.

# dpkg --ignore-depends=mail-transfer-agent \
       --ignore-depends=mail-transport-agent --purge exim
...
# dpkg -i ucspi-tcp qmail

That's all :)

Robert Varga