Domain: debian-administration.org
Stories and comments across the archive that link to debian-administration.org.
Comments · 133
-
Re:Fixed in /etc/hosts
If only it were so simple...
/etc/hosts implementations do not generally support any form of wildcard. Using hosts properly for this purpose is quite difficult, since the software could send to arbitrary subdomains. At this point you're better off writing a simple proxy.pac JavaScript file supported in all major browsers or running a local dnsmasq server.
-
Doh
They should have used stopforumspam or botscout or at least throttled their bandwidth for excessive page requests.
No human reads 50 LinkedIn profiles a minute, FFS. Throttling the bandwidth would have been the simplest solution, something like bw_share would do it.
-
Re:pFsense vs OpenBSD?
yep, you can write a web server in shell script. https://www.debian-administration.org/article/371/A_web_server_in_a_shell_script
-
Re:Would probably be found
First off, I never said that there were no flaws. You don't seem to be paying attention to this thread. It is specifically about the claim that nobody is looking at the source: "Yes, that's the conventional wisdom with open-source. But tell me: when was the last time you went to inspect the code deep in the kernel? How many open-source code users do you think have the time, desire and ability - and probably paranoia - to go and inspect the code in *any* open-source project of reasonable size, let alone something as complex as the kernel?"
That being said, let's look at your claims: "The old random number generator, that I believe affected every distribution of linux."
I'd need more information to say anything about this one.
"The bugged cryptography library / key generator that shipped for over a year, that I believe affected one distribution."
... has absolutely nothing to do with the kernel.
"Heck, a more down to earth issue: How long was it before NTFS was understood well enough to be able to write to it in every case, given some strange features that had to be "black-boxed" reversed before they were understood -- and are you sure that there is 100% compatibility today?"
You could say the exact same thing about Windows' NTFS implementation. How do you know, even today? Well, with Linux you have the source, but as you point out, no spec. With Windows you have neither unless you are "connected." It always makes me frustrated when Microsoft screws it up for everybody and then people blame someone other than Microsoft.
"I'm calling the whole "no program can write to the disk without OS control, but any program can write to any place on the network without any control" a security flaw."
If that were true it certainly would be a security flaw. Of course, iptables solves the problem. You don't seem to understand that the kernel is part of the operating system rather than the whole OS.
"Heck, you could argue that being able to determine your real IP address is a flaw."
No. You couldn't. That is an absurd statement. That is like saying that being able to determine your current login name or the date and time is a flaw. Your claim is that if you have been cracked they can find stuff out. No kidding.
"[FYI, the alternative would be to eliminate the distinction between a socket descriptor and a file descriptor, and have network end-points created by open("/dev/net/hostname:port", O_RDRW) or something similar.]"
I recommend you post this great insight to the Linux Kernel Mailing List for feedback. Make sure you put on a flame retardant suit first though!
-
Non-root user malware?
Mount home and tmp as non-executable link
-
Re:Can we get a real Linux filesystem, please?
Which of course you can do that, but then you can't have the database LV and the log LV on different physical disks any more, which is what was asked. Can you post an example how you would concatenate two existing LVs, with existing file systems on them, mounted and being modified at the time, into a "new virtual block device" without even un-mounting them, and then make a consistent snapshot of them?
You're delusional, "without even unmounting them" appeared nowhere in the discussion above, nor did the concept of making separate filesystems work together atomically. Your assertion about "different physical disks" doesn't make any sense at all. Of course you can combine different physical disks into a single logical volume. You would then create a single filesystem on the logical volume. Look here for examples.
-
Re:Load balancing and an experienced sysadmin
Instead of trying to "detect" a DDOS, you can simply replace 1) with rate limiting.
That's a great thing for doing in the kernel. Thus, I was out searching if it was already done, and yes, it is.
-
SSH Tunnel
SSH Tunneling by far: http://www.debian-administration.org/article/38/Tunneling_connections_securely_with_SSH
-
Re:Debian packages still fubar'd
The Debian packages are really strange for XBMC. First off, the Linux instructions are aimed primarily at Ubuntu. Then the other problem is that there is some kind of a fork between the "official packages" for Ubuntu and the Debian packages provided on debian-multimedia.org, the latter not being up to date (only rc2 is available).
...
Short of adding a Ubuntu PPA to my sources.list, I am not sure how I can get this thing installed on Debian, which is a bit annoying.
I've compiled it myself for Debian, using the instructions from Compile XBMC for Linux. I've spent some hours figuring out which packages to install prior to compilation, but most of them are listed in the README.linux file (which you get when you checkout with git as part of the installation procedure).
When you're done compiling, instead of doing a make install, use checkinstall to get a .deb package. The best thing about this is that you can run the latest code without waiting for a release. The code in the repository has always been very stable for me, and I've had access to most of the features in 11.0 since February. Once you've managed to do your own compile it's just a matter of git pull to get the latest changes downloaded and then doing a recompile and build a new package.
-
Re:If they were manned aircraft would it be an iss
24 x 7? Only if Dunkin' Donuts deliver to said office...
not that they would need to. Human-less monitoring and alerting is just an apt-get away.
-
Another vote for Debian
First, let me just say that since you're in a Windows environment, if you just want to play around with LAMP the easiest way to get started is to grab a LAMP appliance for vmware player and run it.
That out of the way, whether you're using a physical machine or not, I think you should run Debian. You will be able to find lots of help, because the solutions for Ubuntu will apply to your system as well (For problems with the LAMP stack, anyway.) But meanwhile, you will have a relatively simple system; I'm not especially pleased with some of the added complexity in recent versions of Debian, but you are unlikely to have to mess with any of it for the scope of your problem anyway.
There *is* merit to running an Ubuntu server, mostly that sometimes you find great stuff in PPAs and you don't have to go building it yourself. Sometimes, getting software to build is an epic journey. When I have found it to be so, I have sometimes packaged it and put it up on my PPA. Some of those things are now part of Ubuntu, although I don't think they bothered to use the packages I produced. There is a great tendency for people to reinvent the wheel over at Ubuntu so that they can get all the credit. Cue the violins.
Problem is, when you install Ubuntu you get a lot of junk. So I install Ubuntu with debootstrap, from a functioning Linux system. You probably don't want to figure that out right now. So just install debian and follow along. Once you log in you can just install the packages. An article from 1996 described the process with php4, but you could use its advice on finding packages to find the ones you're looking for. (I don't have any debian systems booted right now, sorry.)
-
port-knock
If the users are at all technical, just use port-knocking. The idea is simple: connections to your ftp[s] port are denied by default. If someone makes a tcp connection to a magic port, the ftp[s] port is opened for say 30 seconds. Naturally you configure it such that if someone connects to the port below or above your port knock you close the ftp[s] port (assuming they are port scanning you).
Here is a multi-port implementation, but you can use a single port:
http://www.debian-administration.org/articles/268
I like a single port knock and nothing special other than a tcp connection. This allows you to use telnet from a command line (and batch file/bash shell script).
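The policy the comment describes (deny by default, one bare TCP connect to a magic port opens the service port for that source for 30 seconds, a hit on the neighbouring port closes it again) as a small state machine, replayed over constructed traffic. This is an added example, not code from the linked article or from knockd/iptables; the knock port 7777 and the 30-second window are assumptions, since the comment names neither.

```python
from dataclasses import dataclass, field

SERVICE_PORT = 21       # the ftp[s] port being protected
KNOCK_PORT = 7777       # hypothetical "magic" port; the comment names none
OPEN_SECONDS = 30.0     # how long one knock keeps the service port open


@dataclass
class KnockDaemon:
    """Tracks which source addresses currently have the service port open."""
    open_until: dict = field(default_factory=dict)   # src ip -> expiry time
    events: list = field(default_factory=list)       # (time, src, action) audit trail

    def connect(self, src: str, dport: int, now: float) -> bool:
        """Decide one inbound TCP connection; True means it is allowed through."""
        if dport == KNOCK_PORT:
            # A bare TCP connect to the magic port opens the service port for
            # this source only, for OPEN_SECONDS.  The knock port itself serves nothing.
            self.open_until[src] = now + OPEN_SECONDS
            self.events.append((now, src, "opened"))
            return False
        if dport in (KNOCK_PORT - 1, KNOCK_PORT + 1):
            # A hit on the neighbouring port looks like a scanner walking
            # through the range: close whatever this source had open.
            self.open_until.pop(src, None)
            self.events.append((now, src, "closed-by-scan"))
            return False
        if dport == SERVICE_PORT:
            expiry = self.open_until.get(src)
            if expiry is not None and now < expiry:
                return True
            self.open_until.pop(src, None)      # expired or never opened
            return False
        return False                            # everything else: deny by default


def replay(events):
    """Run a list of (time, src, dport) connection attempts; return the allow decisions."""
    daemon = KnockDaemon()
    return [daemon.connect(src, dport, t) for (t, src, dport) in events]


# Constructed traffic, not a real capture.
DEMO_EVENTS = [
    (0.0,  "203.0.113.5",  SERVICE_PORT),    # no knock yet              -> denied
    (1.0,  "203.0.113.5",  KNOCK_PORT),      # knock                     -> (opens)
    (2.0,  "203.0.113.5",  SERVICE_PORT),    # within 30 s               -> allowed
    (40.0, "203.0.113.5",  SERVICE_PORT),    # 39 s after the knock      -> denied
    (50.0, "198.51.100.9", KNOCK_PORT),      # scanner happens to knock
    (50.1, "198.51.100.9", KNOCK_PORT + 1),  # ...then tries next port   -> closed
    (50.2, "198.51.100.9", SERVICE_PORT),    # its window was revoked    -> denied
]

if __name__ == "__main__":
    for ev, ok in zip(DEMO_EVENTS, replay(DEMO_EVENTS)):
        print(ev, "ALLOW" if ok else "DROP")
```

On a real box the same decisions are made by the packet filter (knockd or iptables), not by a Python process; the simulation only shows the logic. Two caveats a practitioner should keep in mind: the window is per source address, so users behind the same NAT share it, and a single unauthenticated knock is visible to anyone who can see the traffic, so it reduces exposure to scanners but is not authentication for the ftp[s] service itself.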
-
Re:Passwords
Newsletter, no, but if you are interested in cryptography authentication, this would be worth reading (it is a very simple description that uses ssh as an example):
http://www.debian-administration.org/articles/530
There is quite a bit of documentation available for setting up public key logins. TLS supports it (Firefox can store personal keys for this purpose), SSH now supports it with a rudimentary PKI, and there are some other methods out there.
-
Re:How is that a solution?
The Intel team behind what has become MeeGo Linux made an Eee 900 boot Fedora in five seconds. This took advantage of the SSD in the 900, but there are a number of generally-applicable things you can do to speed up boot times; it's as good an excuse as any to compile your own kernel.
I know everyone secretly wants to compile their own kernel for fun and profit. Chicks dig it.
-
Running IPv6 in practice
I always had a hard time understanding IPv6 until I read the Running IPv6 in practice howto on Debian-administration and tried it at home. The next move is configuring the office where I work to use such a tunnel, then a friend's colo server, then our hosting environment. It's really not hard. Get over the addressing scheme. IPv6 is much easier to manage than NAT.
Tunnelbroker by Hurricane-Electric also does a great job of making IPv6 easy to use and fun to learn (the "certification" games). They also throw in free DNS hosting, and announcing IPv6 addresses using BGP is possible.
Now stop whining and bite the bullet :-)
-
Motion
Motion is a great little program available in the Debian repositories and works with any Video4Linux supported device (off the shelf USB web cams and video capture cards).
I've used it a few times, easy to install and configure.
It can do time lapse, motion sense and round robin on multiple devices. Even supports a streaming function with Apache and can upload the latest image to a remote FTP server on the Internet.
Doesn't need much as far as hardware either, one of the systems I set up was a 450MHz celeron with 128M RAM. Over all the hardest part of using it was hiding the camera.
And best of all, it's free!!
-
Re:Long live...
You tell me how to deploy OSPF, RIP, EIGRP, or BGP in a small business network with branch office VPNs and I'll give you a gold star.
That said, about DHCPv4:
http://www.debian-administration.org/article/Supplying_routing_information_using_DHCP
Defined in RFC3442.
Keep in mind we don't have professional router boxes, there's no room in our budget for a few thousand to drop on Cisco or anything more than a few cheap smoothwall boxes.
Again, this is what I see every time small business networking is involved. There's a huge disconnect between what Cisco or even the IETF think is needed in small business and what actually is.
-
Re:It's Not Hans
I'm still running reiser3, and probably holding out for reiser4... it's been confusing since the benchmarks for the next-gen fs's have been all over the place, but some look promising:
http://www.debian-administration.org/articles/388#comment_127
I've always run software RAIDs to crank out a bit more performance out of the slowest part of my system, and reiserfs3 has always worked better out of the box. I'd spent long hours tuning EXT3 stripe widths and directory indexes and stuff, and EXT3 always came out slower and more wasteful of space.
Here's a handful of numbers from bonnie++ from my 4-disk raid10 (bonnie++ column order: size; sequential output per-char, block, rewrite; sequential input per-char, block; random seeks; each figure is K/sec, or seeks/sec for the last column, followed by %CPU):
EXT3fs:  4G  246 97%  61403 29%  39928 11%  1512 95%  166253 24%  525.3 10%
Latency      87699us  4739ms     644ms      54683us   69023us     302ms
Reiser3: 4G  264 97%  65732 31%  44530 15%  1447 95%  164567 34%  557.9 18%
Latency      33368us  4201ms     4061ms     21967us   134ms       118ms
-
Debian
The specs seem more than sufficient for Debian. You will have to tune it after installing, obviously. I got X11 running on Debian using 10MB of RAM (on a laptop with 32MB).
As you mention, the tricky part is installing. If you can plug the HDD in some other computer, you can format it to ext2 and copy the files no problem. Debootstrap is a very useful tool for this: http://www.debian-administration.org/articles/426
If you can't plug the HDD somewhere else, it's not really a big issue, just find a floppy distro that can see your HDD, can connect through FTP or HTTP to some other computer, and then just use it to boot and copy the files like the link above shows. It doesn't really need to be a distro, anything that can create ext2 partitions and do FTP/HTTP will work, but linux is probably the best bet when dealing with unknown hardware.
This is a well known one diskette distro: http://www.toms.net/rb/
-
Re:Typical Bullshit
I've yet to see a good Linux/Unix distribution that offers centralized patch management in an easily administered manner to compare with WSUS.
What about apt and in-house repositories?
Reprepro in particular seems to be up to the task
-
Perspectives and CA's
The issue of public self-signed certs seems best resolved by using Perspectives (http://www.cs.cmu.edu/~perspectives/firefox.html), which solves the man-in-the-middle problem using a distributed set of auditing servers to verify you are getting the same certificate others on the internet are.
This method has advantages over paying for a certificate from a CA vendor. It is possible for a determined man-in-the-middle attack to succeed without any errors on the client using social engineering or other measures to get a validly signed copy of the certificate for a site without being the actual site owner due to the lax verification measures used by some of these vendors.
Another common issue: companies should be creating their own CA certs and deploying them to clients in situations where the client is controlled (for example intranet sites), but most instead train their users to ignore these errors. See this example, (http://www.debian-administration.org/article/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian) note that these basic instructions work on any operating system, not just Debian, using openssl at the command line.
-
Re:That's a lot of patches
The article here explains that you can either have a secured FTP repository or one grabbed by SSH.
-
Re:That's a lot of patches
As I understand it, however, there's no way to protect that application against non-authenticated users. Can you have an APT repository that, say, requires a login and password?
Yes, there are other ways but a couple easy methods are in this article: http://www.debian-administration.org/articles/513
-
Re:why get one of these when
It would have to be able to wake your machine if you want to use it for remote SSH access. On Ethernet, you can already do that.
-
Re:Remote admin of a UNIX box?
The first comment on this page: http://www.debian-administration.org/article/Use_ssh_on_multiple_servers_at_one_time is a cool little tip:
If you're using KDE, just use Konsole, open a tab for each server, and on the tab you're working on, click 'Send input to all sessions'.
Thanks, vegiVamp!
-
Re:Remote admin of a UNIX box?
-
Re:In all seriousness
But this is distributed. I.e., from 13 different IPs there will be 13 different login attempts with different passwords targeting the same username.
To me, this seems like something new. I've been doing this for years to protect my users from your ordinary brute force attack: http://www.debian-administration.org/articles/187 Now, it is no longer effective. Of course my users should not have weak passwords, but rate-limiting by IP is no longer a trustworthy defense against dictionary attacks.
-
Re:Shell scripts are a glue language
One does not write a web server in Bash
I accept your challenge.
:-D But seriously, yeah, you're absolutely right. Ooh, but a basic web server written as a Bourne shell script called by inetd would be so freaking cool....
Oh, no. Somebody actually did that.... Yikes! Now I'm scared.
-
Re:It makes sense...
Sadly you still need it at times.
For example I use the "System | Preferences | Keyboard Shortcuts" applet to set "Ctrl+Alt+T" to open a new terminal. That works fine, because "open terminal" is a predefined choice.
But to configure "Ctrl+Alt+E" to mean "Open emacs"? You cannot do that through the GUI, which is a real annoyance.
I had to resort to using gconf to setup a global GNOME shortcut.
-
Re:Short lifespan? I don't think so.
Is there some reason the version under Linux would be so comparatively fragile?
My understanding is that Silicon Graphics (now SGI) wrote XFS specifically for their hardware which was designed to handle power failures, and would maintain enough power to finish its current I/O operations. Since almost none (if any) x86 hardware has this built-in feature, XFS isn't as robust as it was on native SGI hardware. I can't find the references for this tidbit, though. So take it with a grain of salt. It's just what I remember being told when XFS was first appearing on the Linux scene.
Although, some of the issues that people see on XFS may be due to modified files that haven't been flushed to disk before the system loses power. XFS intentionally zeros any unwritten data blocks to avoid possible security issues arising from residual data [1]. I believe XFS also uses out-of-order writes for both meta-data and data so a loss of power could mangle some data.
There are a couple of slightly older, but still well-written, roundups about file system comparisons. One here and one here.
-
Re:Computer systems need security audits.
My Debian Administration website uses a GET for logout, but with a secure nonce.
I spent a while writing a guide to preventing CSRF attacks and implemented most of the suggestions.
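What "a GET for logout, but with a secure nonce" buys you, as an added example (not the site's own code or the guide it mentions): a plain GET /logout can be triggered by any page the victim visits, because the browser attaches the session cookie regardless of who made the request; a nonce in the URL that the attacker cannot compute turns that into a 403. The nonce here is an HMAC of the session id under a server key, so nothing extra has to be stored per session; the key, the session ids and the URL shape are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Assumption: one server-side key per deployment, loaded from config in a
# real application.  Generated here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def csrf_nonce(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Nonce bound to the session: HMAC(key, session id).  Nothing to store,
    and a nonce minted for one session is useless against another."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def logout_link(session_id: str) -> str:
    """The link the site itself renders into pages for this session."""
    return f"/logout?nonce={csrf_nonce(session_id)}"


def handle_logout(url: str, session_id: str, key: bytes = SERVER_KEY):
    """Server side of GET /logout.  `session_id` comes from the victim's cookie,
    which the browser sends even when a third-party page triggered the request;
    the nonce in the URL is the part that page cannot supply."""
    supplied = parse_qs(urlparse(url).query).get("nonce", [""])[0]
    expected = csrf_nonce(session_id, key)
    # Constant-time comparison on bytes, so odd characters in the query can't raise.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "logout refused: missing or wrong nonce"
    return 200, "logged out"


# Constructed demo data.
VICTIM_SESSION = "sess-7f3a9c"
ATTACKER_KEY = secrets.token_bytes(32)      # the attacker does not have SERVER_KEY

if __name__ == "__main__":
    print(handle_logout(logout_link(VICTIM_SESSION), VICTIM_SESSION))      # site's own link
    print(handle_logout("/logout", VICTIM_SESSION))                        # <img src="/logout">
    print(handle_logout(logout_link("sess-other"), VICTIM_SESSION))        # nonce from another session
    forged = f"/logout?nonce={csrf_nonce(VICTIM_SESSION, ATTACKER_KEY)}"
    print(handle_logout(forged, VICTIM_SESSION))                           # guessed key
```

The remaining caveat of doing this over GET is that the nonce lands in browser history, proxy logs and the Referer header of whatever the logout page links to; that is tolerable for a logout nonce that can only log the victim out, but not for a token protecting anything more valuable, which is why the usual advice is to put state-changing actions behind POST.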
-
Re:Just use EXT3
Sure you can use Ext3 if you want to be conservative, but why not use one that performs much better, such as JFS, XFS, or Reiser3? Read this comparison for example in which Ext3 is mostly bringing up the rear. They recommend XFS overall. I use Reiser3 for most of the filesystems on my MythTV systems and XFS for the recordings.
The data loss on power loss in XFS has been fixed, so as long as you're using Linux 2.6.22-rc1 or newer, there's no reason not to use it. If one's Ubuntu installation still has the bug preventing automatic JFS checking, that might be a reason to avoid it.
-
Re:Don't waste my money!
http://www.informit.com/articles/article.aspx?p=440160
http://www.debian-administration.org/articles/286
you can, though it's a lot more stable and secure... in honesty though, that's a capability that's widely available. i'd be willing to bet (a small amount of) money that OSX can do it too, if not now, within 5 years.
-
Re:Stop Playing Their Game
Pretty much.
I run the Debian Administration website, and every few weeks somebody will start attacking either me personally or the site.
If it is polite criticism, (valid or not), I'll reply.
If it degenerates into bad language I just delete the comments and temporarily ban the IP.
(I don't want to censor things, but I don't need random anti-semitic comments around either.)
-
Re:All very good, but...
AFAIK, it doesn't provide a way to throttle connections (if it does, please share).
We don't use it ourselves - and we use Shorewall to manage our firewall settings, but I refer you to Shorewall Rules. There is a section there titled "rate limit". It allows you to control how many connections per second/minute and how big of a burst are allowed before Shorewall will block it. AFAIK, this is done with iptables.
Or this older article from 2005 Using iptables to rate-limit incoming connections.
-
Re:Confirmed
What does that mean? Why would /tmp be a mount? And if it's a directory it has to be executable, right?
Many simple exploits that are used against machines, (via vulnerable PHP applications or local users, etc), rely upon being able to execute commands in /tmp. You can set up a partition to be non-executable meaning every file on it does not have execution permissions.
More info here:
http://www.debian-administration.org/articles/57
-
Here's how to update yourself
-
Re:Apache?
A better solution is to use mongrel running on localhost:3000, then use Apache's mod_proxy to proxy to it.
That loses the overhead of parsing .htaccess for each request.
-
Re:Can someone explain this for me...?
There is a simple example / introduction to CSRF attacks here.
-
Re:So what's this virus going to do again???
If your victim is running Debian or one of its children, there are always alternatives.
-
Re:Uhhh.. just do it?
That is one approach - writing documentation for games/software, and trying to get it included in the future releases.
Another approach is to start writing guides on how to use software, configure it, etc. Then submit that documentation to the appropriate forums and wikis.
I started a site aimed at documentation useful for Debian, which is nothing more than a collection of individual articles on a few topics. Despite that it has been very useful to myself and others. I'm not suggesting you setup your own site and fragment things further, but I'm sure there are markets for many beginner-level (and more advanced) introductions to particular software applications and packages.)
-
Multipath broken in debian etch!
etch ships with CONFIG_IP_ROUTE_MULTIPATH_CACHED (experimental) enabled in the kernel. This breaks the multipath route behavior in iproute. As the google search shows, it is wreaking havoc with anyone using multipath and dual-wan systems. Those who upgraded this morning to the new stable may be in for a ride. This is a known and documented issue but cannot be found in debian's bug tracking system. This issue is not unique to Debian but it should not have passed through the release engineering for the new stable release.
-
Re:Only using it for three reasons:
Reason #2 is g-cpan, and things like it. Ubuntu has to manually go and re-package CPAN libs, Gentoo can automagically generate them for things which don't require special care
Interesting, I didn't know that gentoo had special handling for that.
Debian, and by extension Ubuntu, can also automatically generate packages from CPAN using the dh-make-perl tool, as described here.
I find that 90% of the Perl packages I commonly use exist as packages in the official repositories, and the others I create myself. I don't like mixing packages and CPAN - and usually stick to only Debian packages on my machines.
-
Re:Easy to keep clean
Any Debian derivative (using .deb packages) will do this easily.
The package metadata makes it easy to determine when a package was installed to satisfy a dependency. There are also trivial tools for identifying orphans.
There's an extensive discussion here.
Methods for keeping your system clean vary, in a way dating those who use them. Some people use the old way:
apt-get remove `deborphan`
Although many modern package management UIs (aptitude is one I'm certain of) will offer to cull your orphaned packages automatically (or just do it quietly by default).
In between, I believe there's even an apt-get command line option for removing orphaned dependent packages when removing a package, but I can't remember it right now.
-
Re:I'd better prefer package comparations
The problem here is two-fold:
- You need somebody to write the comparisons. Somebody either unbiased, or capable of overlooking that.
- You need somewhere to host the writeup(s).
The bigger problem is that very few people write documentation, and yet so many people seem to want it. I started some here, and have been lucky enough to get a reasonable number of submissions from external people. But the fact remains if you wait for people to volunteer to write documentation... well, you'll be a long time waiting.
-
Re:Sun opened up Java?
You could just use java-package to install Java.
-
You want "checkinstall".
What pisses me off is the 32 step process to making a deb (that's what dpkg calls a package btw.. just in case you're playing acronym bingo out there). So if you want to install something you built from source, and be able to remove it later, you need some freakin' magician to have made it into a source package.. cause there's no way in hell you're doing it yourself.
Checkinstall http://www.debian-administration.org/articles/147
It's not the answer to all issues regarding installing from source ... but it does handle some of them. What really depresses me is that debs, dpkg and apt, that's about the best anyone has done.
Any suggestions on what would make them even better?
-
Re:Please provide links
For a start you could see this site in my profile link.
I also manage a couple of minor social sites which are public but "local".
-
Re:RTFQ
Rather than using RAID, much better to use ssss. Description here. An easy script can read the key files from each usb key inserted and pass the keys to ssss. The output from ssss can then be redirected into LUKS or whatever encryption/login system you want.
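The scheme behind ssss, Shamir secret sharing, worked through as an added example (not ssss's code, and not interchangeable with ssss share files, which use a different field representation): a 32-byte key standing in for a LUKS passphrase is split into five shares so that any three reconstruct it and any two reveal nothing. The key bytes and the 3-of-5 parameters are constructed for the example. Arithmetic is over the prime field modulo 2^521 - 1, which is an assumption made so that a key of up to 64 bytes fits in one field element.

```python
import secrets

# Field for the arithmetic: the Mersenne prime 2^521 - 1, large enough to hold
# a 64-byte secret as a single field element.
P = 2**521 - 1


def _poly_eval(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Shamir split: the secret is the constant term of a random polynomial of
    degree threshold-1; share i is the point (i, f(i)).  Any `threshold`
    points determine f(0); fewer leave every value of f(0) equally likely."""
    s = int.from_bytes(secret, "big")
    if not 0 < threshold <= shares or s >= P:
        raise ValueError("bad parameters")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(points) -> int:
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def combine_shares(points, nbytes: int) -> bytes:
    """Reconstruct the secret as bytes; refuses values that cannot be a secret
    of the stated length (a symptom of too few or corrupted shares)."""
    value = recover_int(points)
    if value >= 1 << (8 * nbytes):
        raise ValueError("reconstructed value does not fit: wrong or too few shares")
    return value.to_bytes(nbytes, "big")


# Constructed 32-byte key standing in for a LUKS passphrase or keyfile.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff0123456789abcdef0123456789abcdef")
THRESHOLD, SHARES = 3, 5          # five USB keys, any three unlock


def demo():
    """Returns (any three shares recover, another three recover,
    two shares recover, a tampered share goes unnoticed)."""
    pts = split_secret(KEY, THRESHOLD, SHARES)
    key_int = int.from_bytes(KEY, "big")
    three = combine_shares(pts[:3], len(KEY)) == KEY
    another = combine_shares([pts[0], pts[2], pts[4]], len(KEY)) == KEY
    two = recover_int(pts[:2]) == key_int
    tampered = [(pts[0][0], (pts[0][1] + 1) % P), pts[1], pts[2]]
    tampered_ok = recover_int(tampered) == key_int
    return three, another, two, tampered_ok


if __name__ == "__main__":
    print(demo())       # expect (True, True, False, False)
```

Two things the comment's "easy script" has to deal with in practice: the shares carry no integrity, so a corrupted or substituted USB key silently yields a wrong key (above, one flipped share reconstructs garbage without any error), and the script should therefore let the consumer of the secret, LUKS refusing the passphrase, be the check rather than trusting the reconstruction; and the reconstruction happens in the memory of whatever host runs the script, so all it changes is how many keys must be present, not where the combined secret ends up.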