I've spent time in both redhat & debian (though mostly in debian)
apt-get update ; apt-get upgrade -s ; apt-get upgrade # if OK
...is zero $
up2date # $50 per year per machine.
# fewer built in packages
If $ is a concern to your boss, then postgres is probably the equal
> Must resist urge to call them.. *twitch*
Since there is a small chance they are being DOS'd via forgery this would
be a good urge to resist.
On Wed, 18 Jun 2003, Splash Tekalal wrote:
> At 12:26 PM 6/18/2003 -0400, you wrote:
> >NORSEMAN CARTAGE LTD.
> >2458 HAINES RD
> >MISSISSAUGA, ONTARIO
Doing an apt-cache search on "tripwire" and "intrusion"
I came up with these packages:
aide
bsign
fcheck
integrit
I've googled around a bit but haven't found much evaluation...
Does anyone have opinions on them?
We're setting up 3 new servers and I want to have
> (I have tried using suexec as it is installed with the Debian Apache
> package, but when I tried to execute a script in a virtual host, not
> using the www.domain.com/~username address, it did not execute the
> script, saying it was not in the document root. Does anyone know what
the defa
chkrootkit is also avaialble through apt-get
apt-get install chkrootkit
##
On Sun, 29 Jun 2003, Jason Lim wrote:
> Hi Russell,
>
> Well, SE Linux certainly seems like something that needs to be installed.
> Most annoying is that all the recent security updates were already done!
>
> T
I had a similar experience, decided to look at postfix and then never
looked back.
On Mon, 30 Jun 2003, Dustin Douglas wrote:
> I've got the chance to set up a brand new email server for one of our
> clients, and being the forward thinking sysadmin that I am, I don't
> want to go with the old s
>Does anyone know what the default document
>root is for the Debian configuration of suexec?
/var/www/
To change the document root of suexec you need to recompile suexec see:
http://communitysoftwarelab.org/sys/project.d/suexec.d/install.txt
###
On Wed, 2 Jul 2003, Anand At
> If only this could be in a configuration file..
What is worse is that every time there is a security patch for apache, we
break our hand compiled suexec
On Thu, 3 Jul 2003, Jason Lim wrote:
>
>
> >
> > >Does anyone know what the default document
> > >root is for the Debian configu
Anand
>
> - Original Message -
> From: "Dan MacNeil" <[EMAIL PROTECTED]>
> To: "Jason Lim" <[EMAIL PROTECTED]>
> Cc: "Anand Atreya" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, July 02, 2003 9:33 PM
&g
One reason to avoid mod_perl is memory consumption. CGI scripts take up
memory only when they are running. --You can have hundreds of CGI scripts
on your server. When we moved to mod_perl our apache processes moved from
taking about 3M each to about 8M each. With a 100 processes this might be
an
We want to create a debain based storage server and mount /var/www/
/home and other directories from it onto other servers and workstations.
Right now we're looking at smaba, autofs, amd, smbfs. We've heard bad
things about NFS security, but maybe we haven't looked at it close enough.
What is th
We've a couple debian systems to patch for the new sshd problems.
On one of them that is monitored closely and patched quickly. The other is
patched less quickly.
The system that is patched less quickly claims to be up to date but nobody
remembers patching it. There are some wierd things about f
>information regarding the removable caddies?
>
> I am interested for information, specs, and esp uses and suppliers. IS
---
Here's a bit recycled from something I did for a youth center
Dunno if it works for you in Oz. Google is my only connection with the
vendor.
---
Hard drive drawers an
You probably want to run suexec which runs cgi as a specific user.
Our project docs --including links to the real docs are here:
http://www.communitysoftwarelab.org/sys/project.d/suexec.d/
It is easy if you have not changed DocumentRoot from /var/www
On Fri, 3 Oct 2003, Antonin Kar
> has documentation on it. As far as I've experenced, you need 1 IP address
> per user, but I hear you can run any number of users off the same IP
> address.
We are running many sites w/ suexec on (1) IP number.
NameVirtualHost 129.63.24.92
ServerAdmin [EMAIL PROTECTED]
ServerName $h
Group directive :o)
>
> This solution is nice, but it's using PerChild module - I think.
>
> Can I ask, how many Virtual Hosts are you handling on one computer? I think
> it can't be very efective (see my previous mail).
>
> Dan MacNeil writes:
>
> >
> >>
>Why is this doubled? Is this intentional?
Copy and paste slip. In the config file they are not doubled.
On Sat, 4 Oct 2003, Marcin Owsiany wrote:
> On Fri, Oct 03, 2003 at 04:40:51PM -0400, Dan MacNeil wrote:
> >
> > AllowOverride None
> > Option
I can't answer you question for sure, but have a vaguely similar
question about two network cards in the same server.
We have (2) nics in our main server. One faces our internal network runs
samba & the like, the other faces the outside world and runs apache and
the like.
The internal network ha
Rod & Frode,
Thanks for your help. (Rod I took the liberty of replying to
the list w/o without your email as your answer may be helpful
to other people.)
=
Frode Haugsgjerd wrote:
see the manpage interfaces(5), specifically the up command.
auto eth1
iface eth1 inet stat
be easier/cheaper to get a single better network connection
On Fri, 10 Oct 2003, Leonardo Boselli wrote:
> On Thu, 9 Oct 2003, Dan MacNeil wrote:
> > Rod & Frode,
> > Thanks for your help. (Rod I took the liberty of replying to
> > the list w/o without your email as y
For a box that will have limited shell access, I'm looking for something
that will log all commands. The sudo log is nice but not everything is run
through sudo.
There won't be many privacy issues as most users won't have shell.
The goal is to review a daily report for anything unexpected: stuff
I'm sure this info is googlable but after 30 minutes I can't find it...
I can hear the discs on the server going wild, I run:
sar -d 2 120
...and disc utilization is indeed higher than normal. How do I find what
process is driving up the i/o load?
the command:
top
..is great for CPU
Two questions:
1) Has anyone done a:
apt-get install bcm5700-module-2.4.18
...with a stock 2.4.18 kernel or otherwise used this driver from without
the package system.
I would very much like to avoid custom compiling kernels so I can fix any
future kernel security holes with apt-get up
All this assumes that you need to ration your dialup time. If not use
something like freesco.org to make the connection on demand and use
regular smtp/ftp/http etc to allow people remote access to your Strasbourg
server(s)
> ...and if I collect the Mail in Strasbourg, how can I send it effectif
>
CSS is not deprecated. It is not reliable for positioning but it is quite
usable for defining text and character styles. If you have ever
changed all the font tags in a web site, you will be a CSS fan.
If you attempt to validate your HTML against w3.org's validator, you
are required to be a fan
Right now we use sanitizer (stable package) to call a virus scanner and to
strip script,img, style, etc tags
We're thinking of switching to amavisd-new (unstable) and clamav (testing)
because while sanitizer strips out the virus, it still passes the junk
message through. We'd like to be able to d
3.2 should also be very solid.
>
> It works with a slew of AV scanners,a nd integrating with one it doesn't
> support natively is simple as editing a few files. The thing has about
> 1000 some odd settings though so it can be daunting to set up.
>
> --On Saturday, Ja
gs with an upgrade to postfix not worth the
speed.
3
On Sat, 10 Jan 2004, Michael Loftis wrote:
>
>
> --On Saturday, January 10, 2004 21:53 -0500 Dan MacNeil
> <[EMAIL PROTECTED]> wrote:
>
> >
> > Thanks for your reply.
> >
> >> Mig
> iam looking for generate a privat SSH-Key. There is a toolthe generates
> Privat RSA keys. Now i have a privat key generated but where must i put
> it in the Linux that linux know who ami and i didnt need a passwort for
> login.
You put the **private** key on the system you are connecting FROM
How about running apache chroot'd so what apache thinks is /tmp and
what apt-get thinks is /tmp are two different things?
fstab would look something like: (untested)
#
/dev/sdc1 /var/www/tmp/ noexec, blah,blah,blah
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> I have at most a week from a known kernel exploit to when one of my users
> tries to exploit via shell access.
One of my hats is a junior sys admin in an academic environment. I'm
curious as to how you know when shell users are trying to exploit a kernel
hole.
In another non academic environme
How do you allow non root users to bind to ports below 1024 ?
Alternatively, what iptables / tcpwrappers / xinetd / stunnel / magic
thing should I be looking at to forward port 995 to port 5432 ?
Our bandwidth provider (A university telcom dept) is filtering port 5432,
the postgres port. On the
I don't have a footnote, but I believe a recent linux journal article says
that the 2.6 kernel uses a posix threads library which are much nicer than
linux threads and that redhat has backported this support to RH9 and the
2.4 kernel.
It should be possible to DL the redhat 2.4 patches
On Mon, 2
anomy sanitizer works well with postfix, but as far as I can tell, it
can't be configured to drop messages instead of defanging them.
I plan to configure sanitizer to add a tag to bad messages and then use
procmail to quarantine messages with that tag. Is there better way?
Is there something tha
> What's wrong with sendmail?
Well, mostly that I've bought into the postfix fanboy propaganda that
postfix is superior for speed, security, ease of use and world peace.
##
On Thu, 5 Feb 2004, Lucas Albers wrote:
>
> Dan MacNeil said:
> >
> > anomy sa
I'm in similar situation, last night I installed spamassassin & razor from
backports.org. It seems to be working ok
Fortunately for me, I don't have to worry about being forward compatible
with an existing Bayes db.
For you a (maybe painful) alternative to going to unstable is to discard
you
I'm not affiliated with these folks but this $8000 contest may be of
interest to folks on this list. Feel free to pass this on to other lists,
this is the only list I'm sending it to.
#
Community Network Open Source Package Awards program
http://www.afcn.org/opensource/
[..
> http://homepages.tesco.net/~J.deBoynePollard/Reviews/UnixMTSes/postfix.html
says at the very bottom:
Postfix is only available in source form,
not as precompiled or prepackaged binaries.
There is a list of FTP sites that hold the
source tarball on the official we
Given the sudoers file below omacneil (as a member of wheel) should be
able to do anything with a password and should be able to run "update"
with no password.
I can run everything but only with a password.
What am I missing?
reversing the order of %wheel & omacneil lines doesn't change things.
do file allows running the above command only with no password.
> Also you should note that a sudo file like this allows for you to get a
> root shell via "sudo bash", which may or may not be what you want to allow.
>
> Mark
>
> Dan MacNeil wrote:
>
> >Given the
We're getting enough domains and email accounts that doing things by hand
is getting to be a pain. (even with some scripts)
We'd like to give our users a web control panel to handle email account
administration for their own domains.
We use:
Postfix
Courier-pop/imap
Squi
> The installer from woody has built-in support for the cciss controller
> on at least the Proliant DL 580 G2.
> It works smoothly, but lacks support for the default installed 3com
> gig-ethernet adapter (tg3 driver), once installed,
The network installer for sarge detects the t3 gig-ethernet ad
I've just converted from mbox to maildir
Right now there are some users with 500 files in a directory, I expect
this go grow.
I expect this figure to grow. RaiserFS is looking good.
The benefits of running a central storage server and a bunch of seperate
web/smtp/pop3/spamfiltering/ftp/ servers
On Sat, 17 Apr 2004, Michelle Konzack wrote in part:
>But use a self-compiled Linux with nfs and nfsd compiled WITH
>"TCP" and "v3" support.
>if you mount your server add "nfsvers=3,tcp" to it otherwise it
>will use UDP which is realy not good.
Why? from my (maybe wrong?) reading of the docs, t
Right now most of our domains are registered with register.com, support is
good, they provide DNS but... $35 per domain per year is pretty steep.
Eventually we'd like to be our own registrar or to use a domain wholesaler
like:
http://resellers.tucows.com/
>From other lists OpenSRS/tuco
Does anyone have a recipe for getting ttysnoop working with openssh on
woody w/o recompiling openssh?
This guide:
http://64.233.161.104/search?q=cache:ieeFRmtUJ-AJ:www.forty-two.nl/documentation/HOWTOOPENSSHwithTTYSNOOP.pdf+ttysnoop/++ssh+snooptab++login+program&hl=en&lr=lang_en
...will do it b
We have:
ns1.lctc.org
ns2.lctc.org
ns2.lctc.org is (aparently) down. It is in a locked and alarmed building.
How is this effecting users of our DNS?
Where in the fine manual is this information?
We've looked at the backup DNS chapter of the bind book. We've also
We don't have per domain accounts we have user accounts with access to
web files for various domains.
We're looking to chroot user's ftp sessions to their home directory. with
a "site" sub directory.
something like:
/ == /home/people/user
/sites == /home/s
> I also want to use something like tripwire to set up file intregity.
apt-cache search tripwire
apt-cache show aide
On Fri, 6 Aug 2004, Tinus Nijmeijers wrote:
> I'm looking at securing a new server.
>
> i'll be using iptables to restrict acces and i want to install SNORT to
>
On Tue, 10 Aug 2004, Tinus Nijmeijers wrote:
> On Fri, 2004-08-06 at 19:57, Dan MacNeil wrote:
> > > I also want to use something like tripwire to set up file intregity.
> >
> > apt-cache search tripwire
> > apt-cache show aide
> >
> I know, and,
> Comments, suggestions and especially contributions are welcome!
Make the site a Wiki, or at least add a wiki section. Lowers the barrier
to contribution a great deal. If you fear vandelism, create a static
authoritative section also.
10 minutes work:
apt-get install kwiki
mkdi
I've spent time in both redhat & debian (though mostly in debian)
apt-get update ; apt-get upgrade -s ; apt-get upgrade # if OK
...is zero $
up2date # $50 per year per machine.
# fewer built in packages
If $ is a concern to your boss, then postgres is probably the equal
> Must resist urge to call them.. *twitch*
Since there is a small chance they are being DOS'd via forgery this would
be a good urge to resist.
On Wed, 18 Jun 2003, Splash Tekalal wrote:
> At 12:26 PM 6/18/2003 -0400, you wrote:
> >NORSEMAN CARTAGE LTD.
> >2458 HAINES RD
> >MISSISSAUGA, ONTARIO
Doing an apt-cache search on "tripwire" and "intrusion"
I came up with these packages:
aide
bsign
fcheck
integrit
I've googled around a bit but haven't found much evaluation...
Does anyone have opinions on them?
We're setting up 3 new servers and I want to have
> (I have tried using suexec as it is installed with the Debian Apache
> package, but when I tried to execute a script in a virtual host, not
> using the www.domain.com/~username address, it did not execute the
> script, saying it was not in the document root. Does anyone know what
the defa
chkrootkit is also avaialble through apt-get
apt-get install chkrootkit
##
On Sun, 29 Jun 2003, Jason Lim wrote:
> Hi Russell,
>
> Well, SE Linux certainly seems like something that needs to be installed.
> Most annoying is that all the recent security updates were already done!
>
> T
I had a similar experience, decided to look at postfix and then never
looked back.
On Mon, 30 Jun 2003, Dustin Douglas wrote:
> I've got the chance to set up a brand new email server for one of our
> clients, and being the forward thinking sysadmin that I am, I don't
> want to go with the old s
>Does anyone know what the default document
>root is for the Debian configuration of suexec?
/var/www/
To change the document root of suexec you need to recompile suexec see:
http://communitysoftwarelab.org/sys/project.d/suexec.d/install.txt
###
On Wed, 2 Jul 2003, Anand At
> If only this could be in a configuration file..
What is worse is that every time there is a security patch for apache, we
break our hand compiled suexec
On Thu, 3 Jul 2003, Jason Lim wrote:
>
>
> >
> > >Does anyone know what the default document
> > >root is for the Debian configu
Anand
>
> - Original Message -
> From: "Dan MacNeil" <[EMAIL PROTECTED]>
> To: "Jason Lim" <[EMAIL PROTECTED]>
> Cc: "Anand Atreya" <[EMAIL PROTECTED]>;
> Sent: Wednesday, July 02, 2003 9:33 PM
> Subject:
One reason to avoid mod_perl is memory consumption. CGI scripts take up
memory only when they are running. --You can have hundreds of CGI scripts
on your server. When we moved to mod_perl our apache processes moved from
taking about 3M each to about 8M each. With a 100 processes this might be
an
For a box that will have limited shell access, I'm looking for something
that will log all commands. The sudo log is nice but not everything is run
through sudo.
There won't be many privacy issues as most users won't have shell.
The goal is to review a daily report for anything unexpected: stuff
I'm sure this info is googlable but after 30 minutes I can't find it...
I can hear the discs on the server going wild, I run:
sar -d 2 120
...and disc utilization is indeed higher than normal. How do I find what
process is driving up the i/o load?
the command:
top
..is great for CPU
Two questions:
1) Has anyone done a:
apt-get install bcm5700-module-2.4.18
...with a stock 2.4.18 kernel or otherwise used this driver from without
the package system.
I would very much like to avoid custom compiling kernels so I can fix any
future kernel security holes with apt-get up
All this assumes that you need to ration your dialup time. If not use
something like freesco.org to make the connection on demand and use
regular smtp/ftp/http etc to allow people remote access to your Strasbourg
server(s)
> ...and if I collect the Mail in Strasbourg, how can I send it effectif
>
CSS is not deprecated. It is not reliable for positioning but it is quite
usable for defining text and character styles. If you have ever
changed all the font tags in a web site, you will be a CSS fan.
If you attempt to validate your HTML against w3.org's validator, you
are required to be a fan
Right now we use sanitizer (stable package) to call a virus scanner and to
strip script,img, style, etc tags
We're thinking of switching to amavisd-new (unstable) and clamav (testing)
because while sanitizer strips out the virus, it still passes the junk
message through. We'd like to be able to d
gs with an upgrade to postfix not worth the
speed.
3
On Sat, 10 Jan 2004, Michael Loftis wrote:
>
>
> --On Saturday, January 10, 2004 21:53 -0500 Dan MacNeil
> <[EMAIL PROTECTED]> wrote:
>
> >
> > Thanks for your reply.
> >
> >> Mig
3.2 should also be very solid.
>
> It works with a slew of AV scanners,a nd integrating with one it doesn't
> support natively is simple as editing a few files. The thing has about
> 1000 some odd settings though so it can be daunting to set up.
>
> --On Saturday, Ja
> iam looking for generate a privat SSH-Key. There is a toolthe generates
> Privat RSA keys. Now i have a privat key generated but where must i put
> it in the Linux that linux know who ami and i didnt need a passwort for
> login.
You put the **private** key on the system you are connecting FROM
How about running apache chroot'd so what apache thinks is /tmp and
what apt-get thinks is /tmp are two different things?
fstab would look something like: (untested)
#
/dev/sdc1 /var/www/tmp/ noexec, blah,blah,blah
> I have at most a week from a known kernel exploit to when one of my users
> tries to exploit via shell access.
One of my hats is a junior sys admin in an academic environment. I'm
curious as to how you know when shell users are trying to exploit a kernel
hole.
In another non academic environme
How do you allow non root users to bind to ports below 1024 ?
Alternatively, what iptables / tcpwrappers / xinetd / stunnel / magic
thing should I be looking at to forward port 995 to port 5432 ?
Our bandwidth provider (A university telcom dept) is filtering port 5432,
the postgres port. On the
I don't have a footnote, but I believe a recent linux journal article says
that the 2.6 kernel uses a posix threads library which are much nicer than
linux threads and that redhat has backported this support to RH9 and the
2.4 kernel.
It should be possible to DL the redhat 2.4 patches
On Mon, 2
anomy sanitizer works well with postfix, but as far as I can tell, it
can't be configured to drop messages instead of defanging them.
I plan to configure sanitizer to add a tag to bad messages and then use
procmail to quarantine messages with that tag. Is there better way?
Is there something tha
> What's wrong with sendmail?
Well, mostly that I've bought into the postfix fanboy propaganda that
postfix is superior for speed, security, ease of use and world peace.
##
On Thu, 5 Feb 2004, Lucas Albers wrote:
>
> Dan MacNeil said:
> >
> > anomy sa
I'm in similar situation, last night I installed spamassassin & razor from
backports.org. It seems to be working ok
Fortunately for me, I don't have to worry about being forward compatible
with an existing Bayes db.
For you a (maybe painful) alternative to going to unstable is to discard
you
I'm not affiliated with these folks but this $8000 contest may be of
interest to folks on this list. Feel free to pass this on to other lists,
this is the only list I'm sending it to.
#
Community Network Open Source Package Awards program
http://www.afcn.org/opensource/
[..
We're getting enough domains and email accounts that doing things by hand
is getting to be a pain. (even with some scripts)
We'd like to give our users a web control panel to handle email account
administration for their own domains.
We use:
Postfix
Courier-pop/imap
Squi
> The installer from woody has built-in support for the cciss controller
> on at least the Proliant DL 580 G2.
> It works smoothly, but lacks support for the default installed 3com
> gig-ethernet adapter (tg3 driver), once installed,
The network installer for sarge detects the t3 gig-ethernet ad
I've just converted from mbox to maildir
Right now there are some users with 500 files in a directory, I expect
this go grow.
I expect this figure to grow. RaiserFS is looking good.
The benefits of running a central storage server and a bunch of seperate
web/smtp/pop3/spamfiltering/ftp/ servers
On Sat, 17 Apr 2004, Michelle Konzack wrote in part:
>But use a self-compiled Linux with nfs and nfsd compiled WITH
>"TCP" and "v3" support.
>if you mount your server add "nfsvers=3,tcp" to it otherwise it
>will use UDP which is realy not good.
Why? from my (maybe wrong?) reading of the docs, t
Right now most of our domains are registered with register.com, support is
good, they provide DNS but... $35 per domain per year is pretty steep.
Eventually we'd like to be our own registrar or to use a domain wholesaler
like:
http://resellers.tucows.com/
>From other lists OpenSRS/tuco
Does anyone have a recipe for getting ttysnoop working with openssh on
woody w/o recompiling openssh?
This guide:
http://64.233.161.104/search?q=cache:ieeFRmtUJ-AJ:www.forty-two.nl/documentation/HOWTOOPENSSHwithTTYSNOOP.pdf+ttysnoop/++ssh+snooptab++login+program&hl=en&lr=lang_en
...will do it b
84 matches
Mail list logo
