Domain: debian-administration.org
Stories and comments across the archive that link to debian-administration.org.
Comments · 133
-
Testing commercial security
You can't. All security software needs to be OSS for this reason.
That being said, OSS had a 2-factor authentication mechanism available years ago. Encrypt your hard drive, save the key to a USB key and enter a passphrase. You'll need to both insert the USB key and type your passphrase for the root disk to get mounted. That's pretty much the entire system locked down.
This article appears to detail that process. -
Debian Administration Page.
Much of the information in the article about data recovery is also covered by DebianAdministration.org. TestDisk and PhotoRec are, after all, free software.
Hip, hip hooray!
-
Re:Conceptual problem
There is a simple fix: rather than making a request to a remote site which tests only your logged-in cookie, it should instead send a "random" value with the request.
The way it works is:
- Google sends a form to you with a hidden "auth string".
- When you make a request back you send the same auth-string/token with the request.
- If the login cookie is invalid then the request is denied.
- If the login cookie is valid and the auth-string was correct the results are sent back.
- If the auth-string was missing then you know the request was forged.
This is the difference between http://example.com/logout and http://example.com/logout/124rkjfldf for example - The former is insecure since example.net could include that link in an image source; whereas the latter example uses a token appended to the URL - if the submission doesn't have the correct token then it can be denied.
I wrote about this here, when I updated my site to work like this.
-
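The token scheme described in the comment above, worked through as an added example (this is not the commenter's code and not the Debian Administration site's Perl). It keeps a per-session token minted when the logout link is rendered, then applies the comment's decision table in the handler: invalid cookie denied, missing token treated as forged, wrong token denied, correct token accepted. The in-memory session dict, the `/logout/<token>` link format and the outcome strings are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed server-side state: session id (the value carried by the login
# cookie) -> per-session data. A real site keeps this in its session store.
SESSIONS = {}


def login(user):
    """Create a session; the returned id is what the login cookie would carry."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": None}
    return sid


def render_logout_link(sid):
    """Server emits the link/form: mint a fresh unguessable token and remember it.

    This is the "hidden auth string" step; the token is tied to one session."""
    token = secrets.token_urlsafe(24)
    SESSIONS[sid]["csrf"] = token
    return f"http://example.com/logout/{token}"


def _token_from_url(url):
    """Return the token appended to /logout/<token>, or None if there isn't one."""
    path = urlparse(url).path
    prefix = "/logout/"
    if path.startswith(prefix) and len(path) > len(prefix):
        return path[len(prefix):]
    return None


def handle_logout(cookie_sid, url):
    """The comment's decision table, returning a reason string instead of an HTTP status."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "denied: login cookie invalid"
    presented = _token_from_url(url)
    if presented is None:
        # The browser attached the cookie (e.g. <img src="http://example.com/logout">
        # embedded on another site) but no token: cross-site forgery.
        return "denied: token missing, request was forged"
    expected = session["csrf"]
    # Constant-time comparison: a guess such as /logout/124rkjfldf must not leak
    # how many leading bytes were right.
    if expected is None or not hmac.compare_digest(expected.encode(), presented.encode()):
        return "denied: token does not match this session"
    del SESSIONS[cookie_sid]          # token is single-use: the session is gone
    return "ok: logged out"


if __name__ == "__main__":
    sid = login("alice")
    print(handle_logout(sid, "http://example.com/logout"))      # forged: no token
    print(handle_logout(sid, render_logout_link(sid)))          # ok: logged out
```

The same check applies to any state-changing request, not only logout; the token must be unguessable and bound to the session, otherwise a remote site could simply embed a valid URL.
-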
FUCK RPM
OMFG if I have to ever use a system with rpm as its standard method of packaging I will vomit.
Debian has changed my life in ways I could have never imagined without .deb packages.
I mean who the fuck uses cds to install anymore? What a waste of plastic.
Since USB install is so easy now:
http://www.debian-administration.org/articles/446
or even encrypted:
http://www.debian-administration.org/articles/179
Apt-get is the best technology since the internet was created.
Nothing can or will ever compare to the amazing ability of apt-get to install any one of 18000 programs and have you using it right away. And thank god for ubuntu bringing .deb to the masses.
All we need now is an open source Turbo Tax and the masses of bill gates slaves will be FREE from his reign of terror. -
Here's how to fix that
If I'm reading correctly, you're having internet slowdown issues while using Linux and connecting to DSL internet?
I used to have the same issues. Here's how to fix it:
Don't use local DNS. For some reason, DSL modems (especially of the Actiontec brand) have very slow DNS resolution in non-Windows OSes. Why, exactly, I don't know. I never bothered to research it. It doesn't happen with cable internet.
If you're not sure how to manually specify what DNS server your system is using to resolve names, I wrote a simple little guide on how to fix this some time ago. You can read it here. It explains how it's done in Debian, but Ubuntu is based on Debian, so it should all work exactly the same.
Hope this helps! -
They still have their open source projects up
Go and have a look here if you haven't already. There's some great stuff.
XFS is an awesome filesystem, and has been ranked the overall best in at least two fs benchmarks:- here, and here. Given what I've read here, I'm possibly considering making it my own default fs...at least for some things.
There's also some OpenGL related projects, as well as some kernel work. What this could also mean for them is that even if they do have to sell SUSE clusters, they can still have some individuality in the offering. Sure, anyone can burn xfsprogs to a CD...but SGI can still market themselves as the people who invented the fs, and thus the people who are most intimate with the code, and thus who can possibly most quickly/easily extend it, or fix it if something breaks. -
Re:bummer of a downgrade
Haha, thanks, I hadn't had a good laugh in a while. ReiserFS is for mail servers, I'd rather have compatibility and greater stability (Though neither filesystem has caused me data loss, fsck likes me. Well, except Reiser4, that one didn't) for my desktop though, thanks anyways. I won't even get into technicals like how ReiserFS fragments horribly and quickly. It's a great filesystem that was put into maintenance mode way too soon, they should have done more with it instead of reinventing numerous wheels with Reiser4 and then bitching that it's not making it in the mainline kernel.
Ext3 doesn't seem very slow to me at all, but maybe I've mellowed out with regards to my Linux setups and think most of the time in the past I was simply having a placebo effect feeling. Interesting conclusion drawn here, too:
Conclusion: For quick operations on large file tree, choose Ext3 or XFS. Benchmarks from other authors have supported the use of ReiserFS for operations on large number of small files. However, the present results on a tree comprising thousands of files of various size (10KB to 5MB) suggest that Ext3 or XFS may be more appropriate for real-world file server operations. Even if JFS minimizes CPU usage, it should be noted that this FS comes with significantly higher latency for large file tree operations.
Of course since ReiserFS loves CPU cycles, you'd see it perform slightly better when it brings high load to your system during intensive IO.
-
Re:What about a Spam Filter
Keyword filtering is one option but if your list gets compromised then people will just use other words.
One thing I've done on my site is Bayesian filtering of new comments.
Since I have a database full of "good" comments and I have a separate list of all the comments users have reported as "trollish/offensive" I can use those two corpuses (corpii?) to filter against.
Any anonymous comment which scores more for troll than for good gets rejected with an error telling the user their comment was dropped and they should register as a user if they wish to post it.
-
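The two-corpus filter the comment above describes, as an added example (not the site's own code): a small multinomial naive Bayes classifier trained on a "good" corpus and a "troll" corpus, with the anonymous-post policy from the comment applied to the result. The training comments are constructed for the example, as are the tokenizer and the rejection message; a real deployment trains on the site's tables and retrains as the reported list grows.

```python
import math
import re
from collections import Counter

_WORD = re.compile(r"[a-z']+")


def tokenize(text):
    return _WORD.findall(text.lower())


class CommentFilter:
    """Multinomial naive Bayes over two corpora ("good" vs "troll"), add-one smoothed."""

    def __init__(self):
        self.word_counts = {"good": Counter(), "troll": Counter()}
        self.doc_counts = {"good": 0, "troll": 0}
        self.vocab = set()

    def train(self, label, text):
        words = tokenize(text)
        self.word_counts[label].update(words)
        self.doc_counts[label] += 1
        self.vocab.update(words)

    def log_score(self, label, text):
        """log P(label) + sum of log P(word | label); higher means more likely."""
        prior = self.doc_counts[label] / sum(self.doc_counts.values())
        total = sum(self.word_counts[label].values())
        denom = total + len(self.vocab)            # add-one smoothing: unseen words
        score = math.log(prior)                    # get a small non-zero probability
        for w in tokenize(text):
            score += math.log((self.word_counts[label][w] + 1) / denom)
        return score

    def is_troll(self, text):
        return self.log_score("troll", text) > self.log_score("good", text)


def build_filter():
    """Train on constructed sample corpora standing in for the site's two tables."""
    f = CommentFilter()
    good = [
        "thanks for the article, the apt-get upgrade went fine on my server",
        "nice guide to installing debian on an encrypted usb stick with cryptsetup",
        "the memcached tips cut my database load, much appreciated",
    ]
    troll = [
        "you are all idiots, linux sucks, go back to windows losers",
        "first post lol this site sucks",
        "shut up idiot nobody cares what you think",
    ]
    for t in good:
        f.train("good", t)
    for t in troll:
        f.train("troll", t)
    return f


def moderate_anonymous(comment_filter, text):
    """Policy from the comment: an anonymous post scoring troll > good is dropped."""
    if comment_filter.is_troll(text):
        return "rejected: comment dropped; register as a user if you wish to post it"
    return "accepted"


if __name__ == "__main__":
    f = build_filter()
    print(moderate_anonymous(f, "this guide sucks and you are an idiot"))
    print(moderate_anonymous(f, "thanks, the encrypted usb article was useful on my laptop"))
```

Because the model scores whole posts rather than matching a fixed word list, a troll who learns one blocked word gains little; the weakness moves to the training data instead, so the "reported" corpus needs the same care as the list of keywords would.
-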
Re:Commercial versions vs. "based on"
Question: What if I wanted to share the desktop with the guy sitting there? Is that possible?
By default, I believe, you'd receive a new desktop each time you connected to a VNC server. However using software such as x11vnc you can certainly share the currently visible desktop, or just a window from it.
I wrote this simple guide last year which should document the process a little.
-
Re:Security First
Debian Etch will have an option to use encryption by default and encrypt all partitions (except boot). This one article details how to encrypt all partitions except boot: http://www.debian-administration.org/articles/428
-
Re:Red Hat's fault
But if you want to you can install Xorg/X11 and access it remotely via VNC.
Here is one guide on how to do that. (Adding an SSH tunnel would make a lot of sense for remote connections, but should be simple.)
-
Re:Interesting question
One thing which I just remembered - so I'll post it now even if it is a little late - the single biggest speedup/optimisation I made to my site was to disable DNS lookups in the Apache logfiles.
In the normal course of things this isn't a big deal, but try surviving under a /. attack whilst you're getting a ton of incoming connections and your bandwidth is saturated - suddenly there's nothing "spare" to do the DNS lookups for logging purposes.
Nowadays I disable DNS lookups for the logfiles as a matter of policy, and just process the logfiles once/twice a day and do the lookups then.
There are many different ways you can optimise Apache from the simple to the complex, but that was the single biggest win for me.
-
Interesting question
I run a community website which is written in Perl with a MySQL back end.
Despite having just under 5000 users I had 3million hits last month, and shifted 13 Gb of traffic. Not bad for a single (dedicated) host!
There are two things that I'd suggest above all:
- Minimize database queries
- Caching, caching, and more caching
I use Danga's memcached which has a perl interface, but there are PHP ones too. This allows me to sensibly cache database queries (don't forget to test things to make sure you expire the cache appropriately!)
A combination of minimising queries and caching has kept me going even under a slashdotting.
If you have written the site code yourself I'd urge you to add a test suite. My site runs a full test suite every day, and I run it manually whenever I make changes - this allows me to be sure that I'm not breaking things when I make changes.
Of course the standard development model of having a "live" site and a "test" site help here too. I develop the code on a laptop and store it under version control (CVS in my case, but it doesn't matter which system you use as long as you pick one) and only when it has passed the test suite do I push it to the live site.
Adding extra hardware can be an option for bigger sites, but I'm not at that point now. I had my biggest strain when the site reached around 1000 users, since then things keep ticking over nicely, and although it is growing it isn't growing terribly quickly which suits me fine. (There are a lot of users who visit the site via google searches and never register/return; I'd like to fix that, but I don't mind too much!)
-
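The caching advice in the comment above, and in particular the warning about expiring the cache appropriately, as an added example (not the site's Perl code): a cache-aside read path with a TTL, plus explicit invalidation when a row is written, so that readers never see a stale copy for the rest of the TTL. The memcached client is an in-memory stand-in so the example runs offline; the article rows, key names and TTL are constructed for the example. A real memcached has no authentication, so bind it to localhost or a private interface.

```python
import json
import time


class FakeMemcache:
    """In-memory stand-in for a memcached client (get/set/delete with expiry).

    A real client (pymemcache, or Cache::Memcached from Perl) has the same
    three calls; the cache-aside logic below does not depend on which is used."""

    def __init__(self, clock=time.monotonic):
        self._store = {}
        self._clock = clock

    def get(self, key):
        item = self._store.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at is not None and self._clock() >= expires_at:
            del self._store[key]            # lazy expiry, as memcached does
            return None
        return value

    def set(self, key, value, expire=0):
        expires_at = self._clock() + expire if expire else None
        self._store[key] = (value, expires_at)

    def delete(self, key):
        self._store.pop(key, None)


class ArticleStore:
    """Cache-aside reads with a TTL, plus explicit invalidation on write."""

    TTL = 300                                   # seconds; assumed for the example

    def __init__(self, cache, rows):
        self.cache = cache
        self.rows = dict(rows)                  # stands in for the MySQL table
        self.db_reads = 0                       # counter so the saving is visible

    @staticmethod
    def _key(article_id):
        return f"article:{article_id}"

    def get(self, article_id):
        cached = self.cache.get(self._key(article_id))
        if cached is not None:
            return json.loads(cached)
        self.db_reads += 1                      # cache miss: hit the database
        row = self.rows.get(article_id)
        if row is not None:
            self.cache.set(self._key(article_id), json.dumps(row), expire=self.TTL)
        return row

    def update(self, article_id, **changes):
        self.rows[article_id] = {**self.rows[article_id], **changes}
        # The step that is easy to forget: drop the cached copy, otherwise
        # readers keep seeing the old row until the TTL runs out.
        self.cache.delete(self._key(article_id))


def build_store(clock=time.monotonic):
    """Constructed sample rows; nothing here is real site content."""
    rows = {
        1: {"id": 1, "title": "First article", "views": 0},
        2: {"id": 2, "title": "Second article", "views": 0},
    }
    return ArticleStore(FakeMemcache(clock), rows)


if __name__ == "__main__":
    store = build_store()
    store.get(1); store.get(1)
    print("db reads after two gets:", store.db_reads)     # 1
    store.update(1, title="First article (revised)")
    print(store.get(1)["title"], "db reads:", store.db_reads)
```

The test the comment recommends is the one in the block's own usage: read, read again, write, read, and assert both the returned row and the number of database reads at each step.
-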
Re:Check out your distribution's forums.
http://www.debian-administration.org/ is good for all things Debian.
(Disclaimer: I have an article on snort up on there somewhere.)
-
Re:Uh huh
Debian has a list of consultants / commercial support people on its site.
There are other companies who will offer support too. I offer Debian support on a paid basis too, even though I prefer to point people at community resources where possible.
-
Re:Easiest Perl CMS?
The Debian Administration website is written in Perl, and the code is available. Might be tricky for people to install, especially on non-Debian hosts, but it is simple, secure, and reliable.
It is also insanely easy to manage.
It doesn't have different payment types, but it does support community adverts, user accounts, articles, polls, weblogs, etc.
-
Re:password requirements
I am really curious how you know exactly what your users are setting their passwords to.
Maybe they were just examples..?
But there are programs designed to detect weak passwords, which could have been what was used. Essentially they try to bruteforce passwords, and if they find one it was weak!
-
Re:Once is ok, but twice is too much...
You do understand that everything downloaded from update.microsoft.com needs to be digitally signed, right?
Btw, Debian also does digital signatures for every package installed (see here). I don't think they have gone as far as having an air-gap, but it does mean that a regular hacking won't be able to silently corrupt packages.
Debian's system is actually quite cool, since it can check *every* program installed, and not just core OS updates (courtesy of apt controlling 99% of software installation). In fact, you can add additional keys for other package sources (I run some unofficial packages, but those developers also sign their packages with their own keys, so it is covered as well). -
Re:Changelogs
It might be nice to include signed authentication of at least the changelog, if not the package itself, to ensure authenticity of upgrades.
Debian has been checking digital signatures on every package installed for almost a year now. See here.
Of course, I run testing, so I have no idea when this got into stable. -
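The two comments above describe the effect of Debian's package signing; as an added example (not apt's code), here is the hash chain that the signature anchors, which is what stops a compromised mirror silently swapping a package: the signed Release file lists the hash and size of each Packages index, and each Packages stanza lists the hash and size of its .deb. The OpenPGP check of the Release file itself (apt runs gpgv against its keyring) is assumed to have passed already and is not repeated here. The mirror contents are constructed for the example; real files are far larger.

```python
import hashlib
import hmac


def parse_release_hashes(release_text):
    """{index filename: (sha256 hex, size)} from the SHA256: stanza of a Release file."""
    hashes, in_stanza = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_stanza = True
            continue
        if in_stanza:
            if not line.startswith(" "):
                break                         # next top-level field ends the stanza
            digest, size, name = line.split()
            hashes[name] = (digest, int(size))
    return hashes


def parse_packages(packages_text):
    """{package name: {field: value}} from a Packages index (blank-line separated stanzas)."""
    pkgs = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value
        pkgs[fields["Package"]] = fields
    return pkgs


def _matches(data, expected_hex, expected_size):
    actual = hashlib.sha256(data).hexdigest()
    return len(data) == expected_size and hmac.compare_digest(actual, expected_hex)


def verify_index(release_text, index_name, index_bytes):
    """Step 1: the downloaded Packages file must match the hash in the signed Release."""
    entry = parse_release_hashes(release_text).get(index_name)
    return entry is not None and _matches(index_bytes, *entry)


def verify_deb(packages_text, package, deb_bytes):
    """Step 2: the downloaded .deb must match the SHA256 and Size recorded in Packages."""
    fields = parse_packages(packages_text).get(package)
    return fields is not None and _matches(deb_bytes, fields["SHA256"], int(fields["Size"]))


def build_sample():
    """Constructed mirror contents: a fake .deb, the Packages stanza that describes it,
    and a Release whose SHA256 stanza covers that Packages file."""
    deb = b"!<arch>\n" + b"not a real package, just bytes for the example\n"
    packages = (
        "Package: example-tool\n"
        "Version: 1.0-1\n"
        "Architecture: i386\n"
        "Filename: pool/main/e/example-tool/example-tool_1.0-1_i386.deb\n"
        f"Size: {len(deb)}\n"
        f"SHA256: {hashlib.sha256(deb).hexdigest()}\n"
    ).encode()
    release = (
        "Origin: Example\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {hashlib.sha256(packages).hexdigest()} {len(packages)} main/binary-i386/Packages\n"
        "Acquire-By-Hash: no\n"
    )
    return release, packages, deb


if __name__ == "__main__":
    release, packages, deb = build_sample()
    print("index ok:", verify_index(release, "main/binary-i386/Packages", packages))
    print("deb ok:  ", verify_deb(packages.decode(), "example-tool", deb))
    print("tampered:", verify_deb(packages.decode(), "example-tool", deb.replace(b"not", b"NOT")))
```

An attacker who controls only the mirror can rewrite Packages and the .deb together, but cannot produce a Release file that both covers the new index and carries a valid signature from the archive key, which is why the chain has to start from the signed file and not from the index.
-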
Re:Sounds like a good idea.
Just a quick chime in, take it with a grain of salt. Some rambling thoughts.
I've just converted my main partition (non-/boot) on a notebook from XFS to reiser3 mainly because I work with huge svn working copies and svn loves to keep small files around, as well as create lots of small files (lock files, etc) during routine svn work. xfs is just considerably slower than reiserfs for svn status, update, commit, cleanup. Besides, reiser3's tail feature means svn's penchant for small files uses less space overall on my tiny notebook hard drive. Not sure if performance of reiser3 will degrade over time (I've been on xfs on this partition for longer than a year), but we'll see.
BTW, http://www.debian-administration.org/articles/388 My observations differ from theirs (operations on file tree). I do have a significantly larger amount of files, and many of those are smaller than the default block size, so that might affect things.
On the server side, XFS, on multiple concurrent large, random, writes (postgresql) just creams reiser3 and ext3. (IIRC, battery backed SCSI raid controller, tested with both RAID1+0 and RAID5, Linux 2.6.x, 6 x 15000RPM 132(?)GB HDD) Read operations and single thread seq/random writes are too similar in performance for the various filesystems.
Another feature of XFS I used a lot (before converting to reiser3) is xfs_fsr, which defrags a mounted xfs filesystem. Oddly buggy though, as after some runs, some inodes tend to have max_extents corrupted (endian problem?). I'd recommend an xfs_repair after an xfs_fsr, which effectively makes xfs_fsr a utility for defragging *UN*mounted filesystems. So yeah, xfs is a tad unstable. I've only had one real corruption, though, and that's from killing the notebook power during some writes. Not sure if that's from the fs, or the harddisk misbehaving. -
Re:But can I run this on Windows?
I've been using munin ever since I read some very similar articles on it at the debian-administration site. There's also an article there on monit:
Monitoring systems with munin
Monitoring windows systems with munin and snmp
Monitor Debian servers with monit -
I did add ads, kinda.
I run a Debian community site and found that I was spending a reasonable amount of money on a dedicated host for it, (along with time too!), and so figured adding adverts was a reasonable thing to do.
But I know that people can be very vocal on the subject of advertising, especially on community sites where the revenue goes to the "owner" rather than the "community". So the way I tried to make it more bearable was to make it optional. Albeit enabled by default.
If you're an unregistered user you see one block of Google text adverts on each article. But if you're a registered user you can completely disable the adverts via a setting in your user options.
That means that anybody who wishes to support the site and view potentially useful adverts can do so. And anybody who gets annoyed by adverts can hide them.
The people who disable adverts make about 20% of the site membership. Surprisingly low I thought! (Although that could well be because people use adblocking software and have them hidden regardless of the settings?)
If you let people choose to hide or show the adverts I think they are happier about them. There are other sites where I've seen this approach and I'll always happily view them when given a choice (so long as they aren't flash. Ugh) just the fact that the site owners care enough to make it an option makes me more inclined to view them.
I guess it is just a nice change from having adverts appear everywhere on some sites with no ability to configure them apart from using extra software, or plugins.
-
Re:Filesystem
Thanks to Nasarius and TheNet Avenger for the answer(s) to my question. It really seemed odd to me that fat-32 would be chosen. Actually, I'm not that concerned as I immediately burned a recovery DVD for this box. (Hope I never have to use it, though, as the box came with a God-awful load of real crapware that I spent quite a while dumping.) However, I have spent all but a few hrs in Linux since then. Windows I boot for the security updates, and keep it around mainly till the warranty expires, as whoever has the service for my area may know nothing of Linux. Recently read a review of filesystems supported on Linux here, which suggested that XFS had the best overall performance depending on usage, etc. I may try XFS when "Dapper" is released. OTOH I've had no bad experiences with Reiser or ext3.
-
Try motion
Have a look at this article. It describes how to use the motion program (home page).
-
Re:Another great 'hacks' book
It might be a good book but I was disappointed to learn that the hack you mentioned wasn't even SSH-specific, just involving creating shell scripts / aliases to avoid typing.
If you want to really "turbo-charge" your SSH logins you might want to look at one of the newer features of OpenSSH v4 reusing existing connections.
-
Re:Other Distros
I'm a Debian developer and system administrator and I love using Debian in production environments. It is definitely an enterprise-ready distribution (whatever that really means.)
Having said that there are times when I can't use it, much as it pains me. For example today I'm installing SuSE enterprise server on a new box for a client - they demand this so they can get Oracle support. (Even though in practise this will never be needed.)
There are a lot of Debian System Administrators who are happy with Debian in large environments.
Of course I'm biased since I look after a sysadminish Debian site..
-
Re:Debian has always been the best
-
Re:Yeah because
Do you have Microsoft's internal coder policies handy?
I've heard the MSFT patch QA process described at a TechEd presentation. I'm sure there are references on the MS site somewhere. My impression was that the process was overwhelmingly thorough.
Yes, it's trivial to set up your own apt repository...
Your definition of trivial and mine are very different... and you'd have to do that for every group of machines, write scripts to set all of the machines' apt sources properly.
To be honest, in four years of using Debian I've never had to roll back a patch issued against stable...
And I've never had to roll back an MS patch in my network, either. But that doesn't mean the feature isn't an absolute requirement for a production network of hundreds/thousands of machines. It is.
-
Re:mutually exclusive?
Loop-AES is not the current recommended way of doing this on GNU/Linux.
For the current method, check out device-mapper, dm-crypt and cryptsetup.
For more information, check out: http://www.saout.de/misc/dm-crypt/
And for a guided howto install Debian on a USB stick with everything but /boot encrypted, check out: http://www.debian-administration.org/articles/179 -
Re:uh.
I use mutt and it is simple to read HTML mails in mutt if you need to.
(Sadly I do.)
-
Re:Start with a scalable pipe
Some good comments there :)
I can't see your diagram, but I'd certainly echo the use of Danga's memcached. I use it upon my site, and found that I save a lot of database access via the caching.
There's a brief introduction to memcached with perl I wrote to explain it for newcomers, but bindings are available for PHP, and many many other languages.
Secondly I'd look at cheap clustering with Pound; this is much better than using Round Robin DNS as another poster mentioned, since it avoids clients getting sent to "dead" hosts. It also allows you to redirect visitors to specific backends for particular requests.
Using dedicated machines for serving static content and images may be useful since it frees your primary server(s) to concentrate on the heavyweight CGI stuff.
-
Re:Top 3
I'm going to pretend that I didn't ever rm -f /bin/* . Still the recovery wasn't too painful, and I managed to fix things without having to reboot :) -
Re:well, you missed out the ubuntu sites
<plug> http://www.debian-administration.org </plug>
-
Re:Hardly; they're great for VPN
Not just for VPN. I use older hardware every single day.
I've been in the process of doing a writeup that I'll be submitting to the Debian Administration website.
The laptop I have is an old Dell Latitude CP M233XT circa 1997. It's got a Pentium II 233 MHz processor, 128 meg ram, and the original 3G drive is now a 4.1G hard drive swapped out from a dead HP Omnibook 4100.
I won't rehash the entire article in this post, but suffice it to say, it's the laptop that I use for my business every day. It runs Debian (Sarge) and a customized KDE setup. No complaints as far as usability goes. Things take a bit longer to start up than on my P-III 850 at home, but it's nothing I can't deal with. OpenOffice.org is the real pig on the machine, but that's to be expected. -
Re:Compiling Anyway
Definitely seconded. I wrote a tutorial on using checkinstall for Debian which explains how it works with a small example.
99% of the time I use Debian's excellent package repository, but for the remaining 1% checkinstall is the way to go, as it lets you deal with your package in the normal manner.
-
Re:Conditions for infection...
Per Making /tmp non-executable: Mounting filesystems with these flags set raises the bar a little, but it doesn't stop files from being executed.
What you need is defense in depth. Mounting /tmp noexec,nosuid helps; keeping everything up-to-date helps; scanning your log files, following the news... You get the idea.
And of course, hiring someone competent to do all this is a fine idea ;)
-
Re:strace
Ditto that.
And a trusted environment to run tests from.
Either a bootable cd distro (like http://www.knoppix.org/) or a bootable USB installation (like http://www.debian-administration.org/articles/179) . -
Telnet ...?
It is surprising the author chose "telnet" as one of the programs in his list.
Sure it is useful for diagnosing random problems, and troubleshooting things - for example connecting straight to a webserver, or simulating a POP3 login request, but I've always preferred netcat.
netcat is much more useful; it allows you to bind to sockets and handle incoming requests as well as make outgoing ones. This introduction is a good read.
Missing tools from the list? curl, links/lynx, rsync, sudo, nmap, lsof, and less.
-
Re:Sucks, doesn't it?
I've found that running my site, Debian Administration, is a fair amount of work.
Choosing the base software was fairly simple, but since then I find I'm making tweaks to the code on an almost daily basis. Sometimes these are just minor things, other times I have to make a lot of changes for different reasons.
(Of course switching to a CSS layout to be all cool like /. doesn't help that ;)
Even if you allow users to submit content, as I do, there's still a lot of writing I've had to do. With a couple of thousand registered users and a lot more anonymous repeat visitors I still find that only around 1% of users will ever contribute anything.
Most people seem more interested in reading than supplying content - and I find it unlikely this will ever change significantly.
In terms of income I get virtually nothing, personally, the Google Adsense subsidises the site's hosting costs - but doesn't cover it 100%. Still it is a hobby, and it is a useful site for a particular audience so I'll keep it going as long as I can..
-
Re:Windows? - NOT! but linux can.
Check out http://www.debian-administration.org/articles/179.
I've had good luck using that base install and the discover package to boot up and get console mode running on 15 different systems. X up on 7. With no user interaction during the boot process. -
Re:Encryption
This is easy enough to do with linux, for example you can find simple instructions for how to do it with Debian at:
http://www.debian-administration.org/articles/179 -
Re:Depends on budget and requirements
If you need High Availability (ie: almost, but not quite, 100% uptime) then you want two or more boxes which you can either load-balance between (dropping crashed servers from the list)
And using software such as Pound that can be setup fairly easily. Of course if you're running a massive site like /. you might be better off with a hardware load balancer.
But Pound can be used to easily pool a collection of back-end hosts, and avoid forwarding connections if one of them dies. It will even take care of maintaining state if you need that.
-
Re:Good article
And if you're not running KDE you can still do the same thing (mounting filesystems over SSH) which will work in all applications:
Very useful.
-
Re:Bruce is right
Let's say, somebody breaks into a Debian mirror and replaces sshd with a version with a backdoor. If code signing was in place, you could notice it quite easily.
You've got some typos there. The word "if" falsely implies that Debian doesn't already do this. Replace it with "because". Several other words should be changed to past tense.