servus,
> I want to install snort on my firewall, but didn't want the logging to be
> done on that box but on a box with postgres installed (7.1 on potato).
> And I don't want both DBs on that machine (political reason :).
by the changelog on woody, mfr added that support on 2000-07-06:
* N
hi folks,
please direct me to some documentation on ways to account for user
traffic on a single machine, acting as BIND9, apache, postfix, and sshd
server for a number of users. i need to get as close as possible to
exact traffic volume measurements to do proper billing, and
(unfortunately), i ca
also sprach Thedore Knab <[EMAIL PROTECTED]> [2002.01.07.1624 +0100]:
> How would ipfm work for this?
>
> http://freshmeat.net/projects/ipfm/
this strikes me as a nice tool, but one that needs to run on a
router/gateway/firewall, and one which can only differentiate according
to IPs. if IPs were
[cc'd to gr and peter because i think they might be interested and
because they might have valuable input. this is about accounting on a
user basis for each and every byte a user or her domains cause.
debian-isp is open to posting... original post lives at [1]]
also sprach Marcel Hicking <[EMAIL
also sprach Jeff Waugh <[EMAIL PROTECTED]> [2002.01.09.0257 +0100]:
> Nice idea, but it's not going to work. Perhaps with some real love and
> affection from someone who purely wanted to achieve this (and wasn't
> primarily interested in using it as a debugging tool), it may happen, but in
> its c
also sprach Alexander Reelsen <[EMAIL PROTECTED]> [2002.01.09.0756 +0100]:
> Anyone actually tried vserver? That might be what you are searching for
> instead of UML...
>
> http://www.solucorp.qc.ca/miscprj/s_context.hc
>
> I think that's the right URL if I may believe my bookmarks.
yeah, it wo
also sprach Robert Janusz <[EMAIL PROTECTED]> [2002.01.09.0949 +0100]:
> How to allow, for some users' IPs, only scp and no ssh?
i don't think you can, since scp actually uses ssh as its backend...
--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr
also sprach Robert Janusz <[EMAIL PROTECTED]> [2002.01.09.0949 +0100]:
> How to allow, for some users' IPs, only scp and no ssh?
you *could* disable their passwords, give them DSA identities, and use
the authorized_keys file to specify that this identity may only run the
scp command...
also sprach Mark Janssen <[EMAIL PROTECTED]> [2002.01.08.1847 +0100]:
> I don't think this will work. I haven't used UML that much yet, but I
> fear that you will not be able to run hundreds of UMLs on a single
> machine. You might be able to run 10 maybe 20 virtual linux-es on your
> box, but it
also sprach Marcel Hicking <[EMAIL PROTECTED]> [2002.01.09.1428 +0100]:
> I'd go for real partitions. No worries with quotas, and
> faster than NFS anyway.
i guess, but then it couldn't use accounting on the IP level for that
traffic. UML *does* support hostfs, which is wicked cool! so i'll use
t
also sprach Tim Quinlan <[EMAIL PROTECTED]> [2002.01.10.0319 +0100]:
> how about setting the user's shell to /bin/true. this allows ftp, but no
> login shell. so it may work for scp as well.
nope. as i said, scp uses ssh and needs a shell
also sprach Gernot Glawe <[EMAIL PROTECTED]> [2002.01.10.0905 +0100]:
> What about setting ssh and scp to a different user and make appropriate
> sudo settings?
and how do you want to get that working remotely? i supposed you could
create a shell script scp and a shell script ssh that would call
also sprach Joel Michael <[EMAIL PROTECTED]> [2002.01.10.0323 +0100]:
> This is true, but you can still (probably) use ssh to execute commands,
> like /bin/sh, and effectively get a shell.
that's not possible either. try it.
also sprach Marcel Hicking <[EMAIL PROTECTED]> [2002.01.10.1646 +0100]:
> What about sftp?
> Clients should be available by now. I mean,
> Windooze clients ;-)
> As secure as scp, as restricted as ftp.
but you still need to enable a shell and ssh, because sftp does nothing
else but pipe over ssh.
also sprach Marcel Hicking <[EMAIL PROTECTED]> [2002.01.10.1646 +0100]:
> /bin/true will log you out right away,
> and therefore you cannot start scp.
> I've doublechecked this yesterday, and
> even tried to put "exit " into the .bashrc
> *This* did work fine, no ssh anymore, but scp
> works. But!
also sprach David Bishop <[EMAIL PROTECTED]> [2002.01.10.1634 +0100]:
> I'm running a server that's hot to the net, and running some insecure
> services (by necessity), like nfs. Of course, I used iptables to
> block all those ports, using nmap and netstat to double check all my
> open ports. Ho
[greg: please wrap your lines at 76 characters...]
also sprach Greg Hunt <[EMAIL PROTECTED]> [2002.01.10.1850 +0100]:
> The reason it reports it as filtered is if someone tries to connect to
> a port on which you're not running a service, say port 12345, your
> server will respond back with a TCP
also sprach Sam Varghese <[EMAIL PROTECTED]> [2002.01.10.2323 +0100]:
> Why would you want to remove your first line of defence? Do you want the
> whole world to have access to the box in question?
that doesn't mean allowing access to the whole world!
> If a host does not match its IP, your syst
also sprach Sam Varghese <[EMAIL PROTECTED]> [2002.01.11.0053 +0100]:
> i can only speak from my limited experience. i have found these measures
> to work, therefore i practice them. of course, one would agree to
> disagree.
i don't want to come across as the wannabe-guru, but what exactly do yo
also sprach Marcin Owsiany <[EMAIL PROTECTED]> [2002.01.11.0058 +0100]:
> > it's not really a security measure anymore, i find. feel free to
> > disagree...
>
> Disabling PARANOID mode only means that you shouldn't trust the logged
> hostnames, because they may be faked, no?
kinda. it also tries
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0205 +0100]:
> Well, the rationale behind this is as you touched on, preventing
> spoofed address attacks. A paranoid lookup essentially verifies that
> the connecting system is a known legit host. In effect you're using
> your DNS system
also sprach Nathan E Norman <[EMAIL PROTECTED]> [2002.01.11.0501 +0100]:
> Congratulations ... you just set up your DNS incorrectly. Every PTR
> entry should resolve to a _unique_ name, and that name should resolve
> to a _unique_ IP. That doesn't mean you can't have additional A
> records doing
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0556 +0100]:
> >a bogus IP won't even make it past OSI layer 4 on debian...
> >rp_filter...
>
> There are ways of doing it such that the box has NO WAY of knowing
> that the traffic is spoofed. Granted, that is hard to do. Even
> paranoid
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0541 +0100]:
> This is sort of the function of canonical names. "Other" names for the IP
> besides the absolute name (or Loopback name in our parlance). But CNAMEs
> are deprecated for other reasons. I personally never had any problems u
also sprach Christian Kurz <[EMAIL PROTECTED]> [2002.01.11.1152 +0100]:
> Pardon? Would you please cite that paragraph of the RFCs that states
> that "every PTR entry should resolve to a _unique_ name"? The last time
> I read in the RFC and in another book about DNS both didn't mention
> that. And
a general question: so i have this server handling some domains as
primary DNS, as well as being their web- and mailserver. another domain
does slaving and secondary MX, but because i don't want load-balancing
on DNS RR basis for webservices, and because HTTP can't deal with
secondary servers, web
also sprach Jason Lim <[EMAIL PROTECTED]> [2002.01.11.2007 +0100]:
> For our high-end plans and other dedicated hosting solutions, we spread
> out the DNS data across more servers... the point being to make DNS
> resolution more reliable.
the two primary DNS i mentioned are already in different c
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0616 +0100]:
> >okay, why libwrap then?
>
> Once the network is compromised, it makes no difference what's on the box.
> If done properly, the compromised network is indistinguishable from the
> uncompromised network. That box is totally o
also sprach David Bishop <[EMAIL PROTECTED]> [2002.01.11.1550 +0100]:
> > you can configure iptables to return ICMP type 3 "port unreachable"
> > packets, just like the OS would, using the REJECT target. that's what
> > you want to do. to get your desired effect.
>
> I'll look into that, thanks.
also sprach Jacob Elder <[EMAIL PROTECTED]> [2002.01.11.1933 +0100]:
> > however, this being an extra administrative burden, and me currently in
> > the process of moving to another registrar, i started questioning the
> > point of the additional two. assume the main server as well as its mail
>
also sprach alexis bory <[EMAIL PROTECTED]> [2002.01.15.1224 +0100]:
> I wonder if abruptly changing the MX for his domain
> wouldn't cause any trouble. Is it possible to configure
> a forward in the old MTA before changing the MX ? I
> mean this to avoid trouble during the time all the DNS
> get
also sprach Olivier MACCHIONI <[EMAIL PROTECTED]> [2002.01.15.1317 +0100]:
> Could help a lot... The problem is to retrieve the mail which has already
> been delivered to the "old" mailboxes.
why don't you rsync them over??? are they mailbox or Maildir formats?
then feed them to the local procma
also sprach Olivier MACCHIONI <[EMAIL PROTECTED]> [2002.01.15.1555 +0100]:
> Moreover I doubt Lotus Notes uses mailbox or Maildir formats to store mails
> (I may very well be mistaken on this one). Same story goes for Exchange for
> example.
valid point, i missed that this was about lotus. shou
also sprach Jesse <[EMAIL PROTECTED]> [2002.01.16.1737 +0100]:
> I am a newbie administrator and I'm in the process of upgrading (fixing) our
> current dns setup. Right now there is a dns forward zone set up for each
> virtual host. After reading some docs on apache.org and the dns and bind
>
also sprach Jesse <[EMAIL PROTECTED]> [2002.01.16.2031 +0100]:
> > however, you can't place
> > vhost.com. IN CNAME ...
> > into a zone for our.real.domain.
>
> It did work believe it or not :)
are you kidding me???
i am going to have to try that right now...
i can't reproduce it. where is this
also sprach Russell Coker <[EMAIL PROTECTED]> [2002.01.17.0047 +0100]:
> As 95% of the mail comes from 10% of the users (most users aren't changing IP
> addresses that often so users == IP addresses) a bind instance on localhost
> should do pretty well at caching the RBL entries.
rbl is somethi
also sprach Jesse <[EMAIL PROTECTED]> [2002.01.16.2031 +0100]:
> > however, you can't place
> >
> > vhost.com. IN CNAME ...
> >
> > into a zone for our.real.domain.
> >
> > maybe it would even work, but you need a separate zone file for each.
>
> It did work believe it or not :)
i tried it, and:
also sprach Jesse <[EMAIL PROTECTED]> [2002.01.18.1939 +0100]:
> We have a caching only nameserver on our firewall. Apparently, whoever
> set up the original DNS on that machine "had" to put zone files in there
> pointing to our internal host in order for the local lan to access our
> hosted si
[EMAIL PROTECTED]: you are listed in the floridasunonline.com whois
information as registrant. please help me get in touch with Jesse G.
jesse,
i am trying to fix your DNS but i can't get in touch with you because
your DNS is broken, and mail can't be delivered.
do you have another email account
(sorry, list...)
jesse,
i am trying to fix your DNS but i can't get in touch with you because
your DNS is broken, and mail can't be delivered.
do you have another email account that you can use? i could give you one
temporarily, or just get one at hushmail.com
i hope you are seeing this message
also sprach jogi hofmueller <[EMAIL PROTECTED]> [2002.01.28.1746 +0100]:
> i know that everyone hates spam. therefore i think the idea to put a
> mailing-list-like mechanism with automated (un)subscribe procedure behind
> such a thing would be not so bad because it would make it possible to
> real
also sprach jogi hofmueller <[EMAIL PROTECTED]> [2002.01.28.1815 +0100]:
> the thing with mailman is (we run 20 lists here too using it) that it
> provides for many-to-many communication and has proven to create even more
> unwanted mail for all the people writing unsubscribes to the list (just to
also sprach Lang Hurst <[EMAIL PROTECTED]> [2002.01.28.2013 +0100]:
> This is getting even further off topic, but the first person who
> figures out how to make micro payments with regard to the web will
> make a killing.
ask bill gates. he's actually proposed something like this. you
receive an
also sprach Thedore Knab <[EMAIL PROTECTED]> [2002.01.31.1922 +0100]:
> Is there a way in the 2.4.17 kernel to prevent fork bombs from crashing
> a system ?
have a look at the kernel patches at www.grsecurity.net. i believe
a debian package is in the works.
but ulimit can also do wonders...
> I
hi folks,
i was wondering if anyone out there would be interested to exchange
secondary MX servers - i'll backup your domains and you'll back up
mine... postfix preferred.
and while we're at it: does someone know of a way to allow a non-admin
to configure the MTA for his relays? i thought about s
also sprach Matt Ryan <[EMAIL PROTECTED]> [2002.02.06.2215 +0100]:
> > It is a pretty thing, and can virtually be plugged in anywhere to provide
> > instant firewall protection :-)
>
> Yeah, I use it at home on my DSL line as BT (in the UK) don't allow any
> routing at layer 3 to put a firewall i
also sprach Donovan Baarda <[EMAIL PROTECTED]> [2002.02.06.0543 +0100]:
> ../all/accept_source_route was '0'. I'm assuming the '../all/..' overrides
> the individual interfaces, but then I'm not sure _what_ that little blip of
> traffic was.
correct.
> I know decent firewalling will kill source-r
also sprach Matt Ryan <[EMAIL PROTECTED]> [2002.02.09.0151 +0100]:
> Well I have a /29 subnet - what I mean is that BT offer no way to
> have say a DMZ next to the router with a firewall (with a /30) and
> the other /30 routed via the firewall device. That where the layer
> 2 firewall comes in han
also sprach Russell Coker <[EMAIL PROTECTED]> [2002.03.24.2237 +0100]:
> Mar 24 22:28:40 lyta postfix/smtpd[21250]: connect from lyta[127.0.0.1]
> Mar 24 22:29:03 lyta postfix/smtpd[21244]: C3E6D23763: client=lyta[127.0.0.1]
> Mar 24 22:29:03 lyta postfix/smtpd[21244]: reject: RCPT
> Mar 24 2
also sprach Patrick Hsieh <[EMAIL PROTECTED]> [2002.03.25.1737 +0100]:
> I'd like to make the bandwidth limit of smtp incoming/outgoing traffic.
> I think iproute2 is kind of too sophisticated. Is there any
> straightforward configuration for this purpose?
incoming that's easy. but outgoing ...
also sprach Craig <[EMAIL PROTECTED]> [2002.04.22.0948 +0200]:
> Does anyone know how I can tell chmod that I want
> 664 permissions on files and 2770 permissions on
> directories without having to cycle through them
> individually?
find . -type f | xargs chmod 644
find . -type d | xargs chmod 2
also sprach Craig <[EMAIL PROTECTED]> [2002.05.06.1232 +0200]:
> Could someone help with changing file contents
> in a specific directory with a number of files.
>
> I used grep to extract the criteria but need
> something to change it.
man sed
also sprach Daniel J. Rychlik <[EMAIL PROTECTED]> [2002.06.09.2127 +0200]:
> Are there any free pgp servers out there?
wwwkeys.pgp.net
> That brings up another question , Is
> their a debian package that I could install and run my own PGP?
of course: pks
also sprach Ivan Kohler <[EMAIL PROTECTED]> [2002.07.04.1405 +0200]:
> ObDebian: Although Freeside is not yet packaged, the dependencies are
> available in unstable and woody.
i'll package it if you wish.
also sprach Thedore Knab <[EMAIL PROTECTED]> [2002.09.26.1508 +0200]:
> ip route 209.243.33.0 255.255.255.0 FastEthernet0/0
> ip route 209.243.34.0 255.255.255.0 FastEthernet0/0
> ip route 209.243.35.0 255.255.255.0 FastEthernet0/0
> ip route 209.243.36.0 255.255.255.0 FastEthernet0/0
> ip route 2
also sprach [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2002.09.26.1546 +0200]:
> at least his upstream seems to be doing the right thing
his "thing" ain't wrong, and with <20 routing entries, it really
doesn't matter. but this is what supernetting is for...
also sprach Jason Lim <[EMAIL PROTECTED]> [2002.10.10.1948 +0200]:
> Well, some of us do need Oracle for business reasons. And while I'm an
> opensource advocate and choose opensource technology whenever it makes
> sense, Oracle is a darned good database, with fairly good support. (if
> you can a
also sprach Jason Lim <[EMAIL PROTECTED]> [2002.10.11.0106 +0200]:
> "simply, the cost of maintaining a debian box is
> lower than running a redhat boxen,"
At three companies I worked, as well as two universities I help out
at, the computer staff reported more than 200% more time to
concentrate on
have a look at zmailer also! if you are limited to choose between the
three you quoted, then postfix is the answer. reasons in other posts
of this thread...
--
.''`. martin f. krafft <[EMAIL PROTECTED]>
: :' :proud Debian developer, admin, and user
`. `'`
$100 just for the name.
;s efforts. Maybe we can
synchronize with him.
AME right.time.fortytwo.ch
don't use CNAMEs.
we'll just keep the IP pools in sync, that's better.
also sprach Michelle Konzack <[EMAIL PROTECTED]> [2003.02.19.0024 +0100]:
> [EMAIL PROTECTED]
is there a replacement for this dead list?
hen the ping successively fails, then to remove the IP of the other
side from the A record, adding it back in as soon as the pong comes
back.
you can also look at the heartbeat package.
also sprach Gene Grimm <[EMAIL PROTECTED]> [2003.03.10.2128 +0100]:
> What is the Postfix main.cf configuration directive used to specify the
> domain name for MAILER-DAEMON's outgoing error messages?
$myorigin
> do you work around this
> with your scheme?
that's a good point. the answer is simple though: offlineimap, and
ditch POP3.
use offlineimap on the slave to keep in sync with the IMAP folders of
the master. the slave won't have anything to do anyway.
chroots are easy to break out of.
also sprach martin f krafft <[EMAIL PROTECTED]> [2003.03.14.1805 +0100]:
> > o support for DNSSec
>
> i am sure there are patches out there.
wait, djbdns doesn't need DNSSEC at all. it doesn't suffer from
AXFR/IXFR problems like BIND.
seriously, djbdn
two DNS
servers for internal and external hosts, run them separately. there
is no reason to make them share a process!
> You can configure it in a chrooted jail
> http://www.linuxsecurity.com/docs/LDP/Chroot-BIND-HOWTO.html
http://www.bpfh.net/simes/computing/chroot-break.html
it, but i am not sure.
> Where can I find information about its possibilities and
> functionalities? Is there any other option in Linux?
www.postnuke.org
other options would include Zope (this would be my choice) and
ezpublish.
also sprach Andrew Miehs <[EMAIL PROTECTED]> [2003.03.24.1626 +0100]:
> Have had a look at this, but cyrus supports sasl2 and postfix sasl1.
so backport postfix from testing.