Re: How efficient is mounting /usr ro?

2003-10-09 Thread Ted Cabeen
ruption helping an attacker occurs. I agree. If you are looking for this kind of security, your best bet is to set the immutable bit on all of your system files. That will ensure that only a reboot in single user mode will allow these files to be changed. (Make sure you set immutable the system b

Re: services installed and running "out of the box"

2003-09-26 Thread Ted Cabeen
0 *:www *:* LISTEN > ... > > Where does one go from here? It involves link removal, but if you remove all of the thttpd links in /etc/rc?.d except one K link (doesn't matter which one), thttpd will not start even if you upgrade the package. -- Ted Cabeen Sr. Systems/Network Administrator Impulse Internet Services

Re: Why is proftpd always started when one update it?

2003-06-30 Thread Ted Cabeen
l link. That way the update-rc.d script will know that the program has already been installed and will not change anything. When you remove all of the links, it has no way of knowing that the program was already installed and the admin removed the links, so it restores them all. -- Ted Cabeen Syst

Re: recommendations for FTP server

2003-06-20 Thread Ted Cabeen
odules/mod_tls.html http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html -- Ted Cabeen Systems/Network Administrator Impulse Internet Services

Re: Someone scanned my ssh daemon

2003-06-17 Thread Ted Cabeen
running a version of ssh with security patches backported and aren't vulnerable to the known exploits against OpenSSH 3.4 and the like. Still, the Debian part of the version string should be user-customizable. -- Ted Cabeen Systems/Network Administrator Impulse Internet Services

Re: Default Apache install not fit for multiple domains/users

2003-06-09 Thread Ted Cabeen
could snoop on other users' scripts, session >> >files, etc. >> > >> >Something like: >> > >> >> I suggest you look up the suEXEC Apache module, it seems to do exactly >> what you want.

Re: spam block

2003-04-15 Thread Ted Cabeen
.0.X), but spamassassin needs perl >>5.6 Spamassassin doesn't require 5.6. I'm running it with 5.005 right now. - -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED] &

Re: Pop mail virtual user security [LONG]

2002-12-08 Thread Ted Cabeen
In message <[EMAIL PROTECTED]>, Tim van Erven writes: >On Sun, Dec 08, 2002 at 12:29:09PM -0200, Henrique de Moraes Holschuh <[EMAIL >PROTECTED] >ian.org> wrote: >> On Sat, 07 Dec 2002, Tim van Erven wrote: >>> Inspired by a recent thread on this list I decided to set up a >>> mailserver with pop3

Re: Pop mail virtual user security [LONG]

2002-12-08 Thread Ted Cabeen
In message <[EMAIL PROTECTED]>, Tim van Erven writes: >On Sun, Dec 08, 2002 at 12:29:09PM -0200, Henrique de Moraes Holschuh ian.org> wrote: >> On Sat, 07 Dec 2002, Tim van Erven wrote: >>> Inspired by a recent thread on this list I decided to set up a >>> mailserver with pop3 access over ssl. It's

Re: pop mail recommendations

2002-12-06 Thread Ted Cabeen
little bit of overkill for a small site, but all in all, it's a fine recommendation. If we disregarded software that has had problems in the past, sendmail would be dead and buried by now. - -- Ted Cabeen http://www.pobox.com/~secabeen[EMAIL PROTECTED] Check Websi

Re: postfix in qmail out proftpd in pureftpd

2002-10-02 Thread Ted Cabeen
rs because they are adding features instead of standing still. However, the underlying design concepts of qmail are quite solid, which is why postfix uses a similar architecture. That said, they're both very good mail servers, just with slightly different focuses. - -- Ted Cabeen

Re: Apache Log Files

2002-08-14 Thread Ted Cabeen
y useful for this kind of thing. http://www.abuse.net/howwork.html - -- Ted Cabeen http://www.pobox.com/~secabeen[EMAIL PROTECTED] Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED] "I have taken all knowledge to be my province."

Re: ipmasq + port filtering recipe?

2002-03-15 Thread Ted Cabeen
f you want to be excessively paranoid, you'll want a rule that re-assembles any fragments. I have a I85fragments.rul file that does this. Here's the relevant line: $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -f - -- Ted Cabeen http://www.pobox.com/~secabeen[E

Re: ipmasq + port filtering recipe?

2002-03-15 Thread Ted Cabeen
broadcast packets. If you want to be excessively paranoid, you'll want a rule that re-assembles any fragments. I have a I85fragments.rul file that does this. Here's the relevant line: $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -f - -- Ted Cabeen http://www.pobox.com/~se

Re: ftpd-ssl woes

2002-02-22 Thread Ted Cabeen
he data, and may allow the connection to get through the firewall. Of course, this will break any users that are also behind a firewall, but it's very difficult to run ftp between two machines that are protected by a firewall, unless one of the machines' firewall is really smart WRT ftp

Re: Un-installing inetd on Woody.

2002-02-14 Thread Ted Cabeen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Content-Type: text/plain; charset=us-ascii In message <[EMAIL PROTECTED]>, Petro writes: >On Wed, Feb 13, 2002 at 09:39:02PM -0800, Ted Cabeen wrote: >> You shouldn't use the update-rc.d script to remove init.d scripts. If

Re: Un-installing inetd on Woody.

2002-02-13 Thread Ted Cabeen
In message <[EMAIL PROTECTED]>, Stefan Srdic writes: > My system is my desktop and my server. The machine is >connected to the internet and I use my own IPTables script to protect my >network. > >I've used the update-rc.d script to remove the inetd init scripts from all >runlevels. But, I still

Re: Un-installing inetd on Woody.

2002-02-13 Thread Ted Cabeen
In message <02021309001300.00464@NodeFilter>, Stefan Srdic writes: > My system is my desktop and my server. The machine is >connected to the internet and I use my own IPTables script to protect my >network. > >I've used the update-rc.d script to remove the inetd init scripts from all >runlevels

Re: Exim Relay

2002-02-01 Thread Ted Cabeen
In message <[EMAIL PROTECTED]>, John Gal t writes: >That still works? I thought mail-abuse.org was going subscription... Yeah, they went subscription, but they provide that as a service to the net. It checks the machine you telnet from, so it's not really subject to much abuse. >>You can telnet

Re: More security for screensavers

2002-01-03 Thread Ted Cabeen
obably be set to off. A debconf question of "low" priority would probably also be a good thing. - -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED] "I h

Re: More security for screensavers

2002-01-03 Thread Ted Cabeen
obably be set to off. A debconf question of "low" priority would probably also be a good thing. - -- Ted Cabeen http://www.pobox.com/~secabeen ted@impulse.net Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen@pobox.com "I have

Re: More security for screensavers

2002-01-02 Thread Ted Cabeen
desktop images. If you run xscreensaver-demo, it's in the options tab. From my brief look, none of the xlockmore modes grab the screen. - -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Website or Keyserver for PGP/GPG Key BA0

Re: More security for screensavers

2002-01-02 Thread Ted Cabeen
desktop images. If you run xscreensaver-demo, it's in the options tab. From my brief look, none of the xlockmore modes grab the screen. - -- Ted Cabeen http://www.pobox.com/~secabeen ted@impulse.net Check Website or Keyserver for PGP/GPG Key BA0349D2

Re: ssh and root

2001-12-13 Thread Ted Cabeen
y off-topic, but FYI, you can download a nightly snapshot of your complete CVS repository from sourceforge at the following URL: http://cvs.sourceforge.net/cvstarballs/projectname-cvsroot.tar.gz - -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Website

Re: ssh and root

2001-12-13 Thread Ted Cabeen
y off-topic, but FYI, you can download a nightly snapshot of your complete CVS repository from sourceforge at the following URL: http://cvs.sourceforge.net/cvstarballs/projectname-cvsroot.tar.gz - -- Ted Cabeen http://www.pobox.com/~secabeen ted@impulse.net Check Website or Ke

Re: Can a daemon listen only on some interfaces?

2001-12-10 Thread Ted Cabeen
things so that the links are as you say. > >When you say: leave one kill link; Do you just leave the kill link in >rc6.d or do you put a kill link in every one of rc1.d - rc6.d, or >doesn't it matter so long as there is at least one. It doesn't matter as long as there is at l

Re: Can a daemon listen only on some interfaces?

2001-12-10 Thread Ted Cabeen
n at the next reboot. The correct way to turn off a service is to remove all of the links except for one Kill link. That way the service won't start and won't be restarted when the service is upgraded. - -- Ted Cabeen http://www.pobox.com/~secabeen[EMAIL PROT

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread Ted Cabeen
I15lospoof.def. It also blocks and logs packets coming from external interfaces claiming to be from an internal address in the /etc/ipmasq/rules/I70masq.def file. The ipmasq firewall is very careful about blocking these sorts of attacks. The only change I make to its default operation is to lo

Re: Fw: Can a daemon listen only on some interfaces?

2001-12-10 Thread Ted Cabeen
tc/ipmasq/rules/I15lospoof.def. It also blocks and logs packets coming from external interfaces claiming to be from an internal address in the /etc/ipmasq/rules/I70masq.def file. The ipmasq firewall is very careful about blocking these sorts of attacks. The only change I make to its default o

Re: VI wrapper for SUDO?

2001-12-03 Thread Ted Cabeen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Content-Type: text/plain; charset=us-ascii In message <[EMAIL PROTECTED]>, Wichert Akkerman writes: >Previously Ted Cabeen wrote: >> However, thinking about it, this doesn't work. If you're editing as root, >> you >

Re: VI wrapper for SUDO?

2001-12-03 Thread Ted Cabeen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Content-Type: text/plain; charset=us-ascii In message <[EMAIL PROTECTED]>, Wichert Akkerman writes: >Previously Ted Cabeen wrote: >> However, thinking about it, this doesn't work. If you're editing as root, you >> ca

Re: VI wrapper for SUDO?

2001-11-29 Thread Ted Cabeen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Content-Type: text/plain; charset=us-ascii In message <[EMAIL PROTECTED]>, Ted Cabeen writes: >In message <[EMAIL PROTECTED]>, Mike Renfro writes: >>> A lazy sysadmin, not thinking through the ramifications, might put >

Re: VI wrapper for SUDO?

2001-11-29 Thread Ted Cabeen
t; >and it looks like nvi still supports the secure options mentioned >there. Vim also supports something similar, either by prepending r to the executable name (rvim) or adding the -Z flag. - -- Ted Cabeen http://www.pobox.com/~secabeen[EMAIL PROTECTED] Check Web

Re: VI wrapper for SUDO?

2001-11-29 Thread Ted Cabeen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Content-Type: text/plain; charset=us-ascii In message <[EMAIL PROTECTED]>, Ted Cabeen writes: >In message <20011129165355.A15543@ch208h>, Mike Renfro writes: >>> A lazy sysadmin, not thinking through the ramifications, m

Re: VI wrapper for SUDO?

2001-11-29 Thread Ted Cabeen
i-wuerzburg.de > >and it looks like nvi still supports the secure options mentioned >there. Vim also supports something similar, either by prepending r to the executable name (rvim) or adding the -Z flag. - -- Ted Cabeen http://www.pobox.com/~secabeen[EMAIL PROTECTED]

Re: Which ssh should I have?

2001-11-07 Thread Ted Cabeen
fix security bugs in stable rather than upgrade to a newer version. That could be confusing your sysadmin. The CRC bug was patched in debian as of ssh version 1.2.3-9.2. You can look at the changelog in /usr/share/doc/ssh/changelog.Debian.gz for specific information. -- Ted Cabeen

Re: bind appears to restart before the kernel is fully loaded

2001-10-01 Thread Ted Cabeen
GA+ 80x25 >Oct 1 08:07:50 taurus kernel: Calibrating delay loop... 198.66 BogoMIPS >Oct 1 08:07:50 taurus kernel: Memory: 47272k/49152k available (744k kernel >code, 412k reserved, 684k data, 40k init) -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED]

Re: bind appears to restart before the kernel is fully loaded

2001-10-01 Thread Ted Cabeen
: colour VGA+ 80x25 >Oct 1 08:07:50 taurus kernel: Calibrating delay loop... 198.66 BogoMIPS >Oct 1 08:07:50 taurus kernel: Memory: 47272k/49152k available (744k kernel >code, 412k reserved, 684k data, 40k init) -- Ted Cabeen http://www.pobox.com/~secabeen [EMAI

Re: rlinetd security

2001-06-19 Thread Ted Cabeen
etbase dependency on netkit-inetd, but I can't really seem to tell why. I've looked at his posts on debian-devel and in the BTS, but I haven't found a good justification for the dependency yet. If anyone does know Anthony's reasons, I'd like to hear them. -- Ted Cabeen

Re: rlinetd security

2001-06-19 Thread Ted Cabeen
In message <[EMAIL PROTECTED]>, Quietman writes: >On Tue, Jun 19, 2001 at 01:25:17PM -0500, Ted Cabeen wrote: >> >It's true that uninstalling it (in potato, anyway) is not worth all the >> >effort. But you can definitely disable it. I have "K20inetd"

Re: rlinetd security

2001-06-19 Thread Ted Cabeen
y well understood by now. > >It's true that uninstalling it (in potato, anyway) is not worth all the >effort. But you can definitely disable it. I have "K20inetd" links in >all my /etc/rc?.d directories where I don't want to run inetd. Unfortunately, you ca

Re: rlinetd security

2001-06-19 Thread Ted Cabeen
dating daily. :) They don't. If you leave any /etc/rc?.d links in place (I use a harmless K?? link), then any upgrade of that package will never re-enable the service. Check out the man page for update-rc.d for more information. I think update-inetd has a similar functionality. -- T

Re: rlinetd security

2001-06-19 Thread Ted Cabeen
proliferation rather than have a drastic change to policy. This combination of ease-of-use with the eternal vigilance of the security team is what gives debian the enviable reputation of security and ease-of-use that it has today. -- Ted Cabeen http://www.pobox.com/~secabeen [

Re: rlinetd security

2001-06-19 Thread Ted Cabeen
age proliferation rather than have a drastic change to policy. This combination of ease-of-use with the eternal vigilance of the security team is what gives debian the enviable reputation of security and ease-of-use that it has today. -- Ted Cabeen http://www.pobox.com/~secabeen [

Re: 127.0.0.0/8 addresses from the network

2001-03-10 Thread Ted Cabeen
In message <[EMAIL PROTECTED]>, Christian Hammers writes: >Hello > >> >"is debian protected before connecting from remote hosts to address >> >127.0.0.0/8 ?" > >On Sat, Mar 10, 2001 at 08:52:08AM -0600, Ted Cabeen wrote: >> Ummm, the kernel

Re: 127.0.0.0/8 addresses from the network

2001-03-10 Thread Ted Cabeen
In message <[EMAIL PROTECTED]>, Jim Breton writes: >On Fri, Mar 09, 2001 at 10:09:13PM -0600, Ted Cabeen wrote: >> Actually we trap illegal packets like this one in I15lospoof.def. >> >> :#: Deny and log all packets trying to come in from a 127.0.0.0/8 address >&

Re: 127.0.0.0/8 addresses from the network

2001-03-09 Thread Ted Cabeen
NAL; do $IPFWADM -I -a deny -W $i -S 127.0.0.1/255.0.0.0 -o done fi ;; ipchains) $IPCHAINS -A input -j DENY -i ! lo -s 127.0.0.1/255.0.0.0 -l ;; netfilter) $IPTABLES -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0 ;; esac Although there is a final deny rule, thi

Re: secure install

2001-02-17 Thread Ted Cabeen
s best if you have a whole partition to copy. However, it's much faster than the cpio/tar approach. cpio and tar is good for piping through ssh. :) -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Website or Keyserver for PGP/GPG Key BA0349D2 [EM

Re: Problems with root on network clients

2000-11-23 Thread Ted Cabeen
y lawyer about this) This isn't a problem with an easy technical solution. Policy is the way to go here. -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED] "I have taken all knowledge to

Re: security.debian.org mirrors?

2000-10-20 Thread Ted Cabeen
ny? > >no. there are none. and won't be Is this official policy? If so, what should I do with the mirror I run here at the UofC? (I can lock it to local users only, like the non-US tree) -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Web

Re: security.debian.org mirrors?

2000-10-20 Thread Ted Cabeen
re any? > >no. there are none. and won't be Is this official policy? If so, what should I do with the mirror I run here at the UofC? (I can lock it to local users only, like the non-US tree) -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Web

Re: security.debian.org mirrors?

2000-09-06 Thread Ted Cabeen
to get anything. > >Is security.debian.org mirrored anywhere? Yup. debian.uchicago.edu/debian-security updated last night cleanly. Enjoy! -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED] "I

Re: Tripwire in bin-directory?

2000-05-24 Thread Ted Cabeen
wire? I use bzip2 for compression, which helps somewhat, but I still have to cut out way too much. I really should get that remote tripwire system setup. -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Website or finger for PGP/GPG Public Key [EMAIL

Re: password length

2000-03-16 Thread Ted Cabeen
orted >by glibc (and, thus, PAM) is 128 bytes long. Are the MD5 passwords affected by the max=8 setting in the pam.d/passwd entry, or does it ignore them? -- Ted Cabeen http://www.pobox.com/~secabeen [EMAIL PROTECTED] Check Website or finger for PGP Public Key[EMAIL P