Domain: kernel.org
Stories and comments across the archive that link to kernel.org.
Comments · 1,971
-
Nagios, Mon. et al.
You need to develop a strategy that includes network monitoring, penetration testing, and watching the security lists or sites.
For a network monitor, Nagios (http://www.nagios.org/) is popular, but I like Mon (http://www.kernel.org/pub/software/admin/mon), because of its simplicity.
Once you start watching, you realize that you get attacked so much that you quickly scale back the sensitivity. In the end, the monitor becomes a forensics tool, or a way of verifying that it's not an attack that's causing whatever problem you're having.
Acquire skill with Nmap (http://insecure.org/). Learn how to know what the bad guys know about you. Google yourself and your network, to see what dangerous information is out there about you and your network. Try to render that information obsolete.
Read up at http://sans.org/ or maybe a CERT advisory list.
You can spend minimal time on any of this or all of your waking hours.
But it's great getting paged that a server is offline before anyone else (like the client) knows about it. -
Re:What is this stuff *for* anyway?
Imagine notification of software updates.
Good example - two of the feeds I'm subscribed to are the Gnome FTP server (notifying of anything new uploaded), and the kernel site.
http://ftp.gnome.org/pub/GNOME/LATEST.xml
http://kernel.org/kdist/rss.xml
Very handy if you're interested in keeping track of latest releases. Security advisories are another useful one. -
Ways around SSH Brute forcing
There are essentially three ways to fix this problem.
The first is to patch sshd which is probably the least preferable way as you would need to continually keep patching with each upgrade. But this seems effective allowing you to exec a system command such as iptables.
http://ethernet.org/~brian/src/timelox/
The second is to use iptables to limit connection attempts from an IP address. One problem with this is people who use scp a lot may quickly rack up that connection limit.
Here is a recent example from the iptables mailing list
iptables -A INPUT -p tcp --dport 22 -s ! $My_Home_Firewall_IP -m state --state NEW -m recent --name SSH --set --rsource -j SSH_BF
iptables -A SSH_BF -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
iptables -A SSH_BF -j LOG --log-prefix "SSH Brute Force Attempt: "
iptables -A SSH_BF -p tcp -j DROP
The best in my opinion is a pam module found at http://www.kernel.org/pub/linux/libs/pam/modules.html called pam_abl
This does not have the problem of the IPTables method that may mistake multiple fast scps etc as an attack attempt, and will not require continual repatching of the kernel such as the timelox patches.
Lastly you probably want to lock down ssh somewhat using the below config lines, primarily changing the PermitRootLogin to either no or without-password.
Protocol 2
PermitRootLogin without-password
# disable skeys
PasswordAuthentication no
ChallengeResponseAuthentication no
ClientAliveInterval 60
ClientAliveCountMax 30
-
Actual information
Swoosh.
Since it isn't possible for one article to explain how to configure identification, authentication, and authorization for all systems, the article contained links to more information.
That's because you often have to learn about things in order to do them. With flexibility comes a price, and that price is work. Luckily, they pay you for that, if you do it well enough.
Or maybe he should have published a GUI along with the article? Sorry for being flippant, but I think you're expecting too much hand-holding.
-
Evidence?
Yea okay, so now they've arrested a few more of our so called "public enemies". Great. Why, again?
We hear how much money these huge corporations are losing every day, yet no one bothers to check the facts.
The very few facts that actually DO exist (companies don't feel like publishing their own investigations for some reason...) shows that the music industry are losing a small or no percentage of their yearly profits. Why? Well, you listen to cd more than once.
Movies, however, is a different story, and I can only speak for myself.
If I download a movie, I do that because I would never go see it in theatres anyways, so the movie industry aren't losing money they wouldn't "lose" anyways.
So, games, then? Again, I can only speak for myself, and I never play games that don't have multiplay online, and those always demand a cd-key, so I buy those.
Since I switched to linux a few years ago though, I have only played Quake III - which I bought, and haven't downloaded or played another game since.
I guess we should arrest Linus Torvalds for creating Linux in the first place, since I'm not using an OS that is supported by most games. Maybe we should arrest the developers behind Doom3 because they DIDN'T support linux?
No wait, I got it. Let's arrest me, because I don't use that pathetic excuse for an Operating System anymore.
-
Re:Perspective of non-C Programmers
We're pretty badly off-topic here, but what the hey...
C was first designed and implemented in the time period from 1969-1973. It is hardly a critique of its original designers and implementors that we have learned a lot about programming language design and implementation in the succeeding 30+ years, and that many of the constraints of the computing environment have been weakened or removed during that time. Indeed, some of the original designers of C and UNIX spent a lot of time 10+ years ago developing an alternative language and runtime for writing operating system and application code that fixes the problems with C that I described.
"In fact, when you are coding things like process and memory management routines and libraries, it is very handy to be able to do arithmetic with and compare to variables that are not "exactly" the same type, if the comparison or operation otherwise makes sense. Hence, things like the boolean FALSE and integer 0 being equal (which Java will complain about) are handy."
If by "handy", parent meant "tempting" but "error-prone" and "potentially insecure", I think there's about 30 years' experience to back up this claim. Things as fundamental or important as my operating system's process or memory management routines are occasionally broken in particularly dangerous ways because their programmer did something that seemed to "make sense" at the time, even though a "safe" programming language wouldn't allow it. Go look at the changelogs of a recent UNIX kernel for plenty of examples.
"The lack of dynamic type checking, operand checking and bounds checking allows the programmer to write low level or system code that gets out of the way of higher level code." I'm sorry, but I don't know what this means.
"Imagine the performance degradation at the kernel if every comparison was dynamically checked for type, operand and bounds." One would prefer that operations be checked statically whenever possible. This is not so much for performance as because failed runtime checks in low-level code are difficult to handle gracefully. That said, as I mentioned in my previous post on this topic, we have known for a long time how to build programming languages so that a combination of static and runtime type and operand checking will provide some correctness guarantees without significantly impacting execution performance. IMHO, it's way past time to start using that knowledge.
-
Re:linux, linux, linux
Not really. They're likely running stock linux on an ARM box with their own external kernel modules. So their GPL usage probably stops at the kernel.
Want that code? ....*looks around* here I've got something for you.
Just because you use GPL code doesn't mean your use of it falls under GPL.
Tom -
Re:I know loads of good FTP servers...
High quality? Looks more like a bunch of dodgy knock-offs of legitimate software. Oh, and anyone following the links in the parent post might want to be aware that at least one of the links will infect your computer with a virus which will render your computer unable to play games and potentially could prevent you from even BEING ABLE TO BOOT YOUR COMPUTER!
Remember kids, knowledgeable computer users only use legitimately licensed software! -
I know loads of good FTP servers...
-
Re:Market Share
I say FUD. HP is doing plenty to support linux, as well as development. They sponsor:
- Gentoo, GNOME
- Linux International
- Free Standards Group (the LSB is a workgroup of these guys)
- the OSS Institute
- OSDL, Kernel.org
- etc.
HP has many people hacking the linux kernel. Of course, IBM is doing great stuff as well, but you sketched the situation in a much too black & white way. -
Re:One thing I'm a bit confused about...
When and why did they stop the system of releasing stable versions on the even minor releases (2.4.x, 2.6.x, etc.) and unstable/development versions on the odd minor releases (2.5.x, 2.7.x, etc.)?
According to the maintainers, the scheme hasn't changed. From the linux kernel faq (http://www.kernel.org/pub/linux/docs/lkml/):
What is an experimental kernel version?
* (ADB) Linux kernel versions are divided in two series: experimental (odd series e.g. 1.3.xx or 2.1.x) and production (even series e.g. 1.2.xx, 2.0.xx, 2.2.x, 2.4.x and so on). The experimental series are fast moving versions which are used to test new features, algorithms, device drivers, etc. By their own nature the experimental kernels may behave in unpredictable ways, so one may experience data losses, random machine lockups, etc.
Furthermore, if you bothered to look at Kernel.org, you'd see:
"The latest stable version of the Linux kernel is: 2.6.12" -
The fix works 100%.
..which is a big nice help for me. Thanks, Linux and others!
See bug 4495, which I suppose can now be closed. -
For whatever happens in the future...
I'm burning the original linux kernel source-code, plus Sarge on CDs right now, and I'm sticking them inside a time capsule (old cardboard box), together with a couple of metal bars and burying it on my backyard.
-
mirrors.kernel.org
C'mon guys... mirrors.kernel.org is only pumping 1100 Mbit/s so far... plenty of bandwidth to spare :)
http://mirrors.kernel.org/fedora/core/4/
ftp://mirrors.kernel.org/fedora/core/4/
rsync://mirrors.kernel.org/fedora/core/4/ -
Re:If you need an installation guide....
I use FC3 - if you need NTFS support just download a custom kernel and tick the NTFS support option before compiling it... if you haven't installed a custom kernel before I suggest you read up on it first though - google will yield plenty of results.
-
Re:I blame the Itanium
x86 Unix systems have largely been also-rans...
Linux is an also-ran? What about Solaris on x86? -
Re:Eclipse Faster
Fedora Core 4 has binaries for Eclipse in the "core" repository, as well as SRPMS.
http://mirrors.kernel.org/fedora/core/development/SRPMS/
-
obviously
...because your computer does not belong to you anymore. It is Microsoft's property now.
Oh wait... but an Intel rep confirmed the 945 would help implement Microsoft's DRM at a chip level! AMD all the way!
-
Linus disagrees
So "the UNIX operating system", and "The Windows operating system" are kernels?
Back to school, kiddo.
As Linus said: "Sadly, a kernel by itself gets you nowhere. To get a working system you need a shell, compilers, a library etc. These are separate parts and may be under a stricter (or even looser) copyright. Most of the tools used with linux are GNU software and are under the GNU copyleft. These tools aren't in the distribution - ask me (or GNU) for more info." -
Ultramonkey + LVS-Kiss + Mon
At my work we use Ultramonkey with LVS-kiss and Mon.
Our hardware infrastructure includes 2 load-balancers running in a failover system with 3 web servers in the backend (1.8ghz, 512ram, 40gig hdd, 100mbps network) systems. That hosts over 60 million page views a month, it also supports real-time failover. For monitoring there are tools out there that use MRTG/RRD for cluster statistics.
-
Re:So, you programmers ready to give up your jobs?
Where did I say "no shiny boxes", what I said was that shiny-boxes are less important than the components, by an order of magnitude.
I will not cry anything.
There are 196 contributors listed on the Linux credits at kernel.org
That's not many branches of your favourite fast food joint.
-
Re:Why exactly..
I agree completely! Linux should be stripped down to the bare basics immediately!
Oh, wait... -
Re:Processor cycling with PPC linux
Cpufreq works fine on iBooks and PBooks. Since the Mini uses the same processor (7447A) I suppose it should also work.
-
Re:He won't fix it?
Not every distro relies on a heavily-patched kernel. Slackware use a kernel from kernel.org. Debian apply some kernel patches, but you can take an "ordinary" kernel and compile it and Debian userland will run just fine on it anyway.
Certain distributions {one named after a dog in an orange drink advert springs to mind} have a kernel so full of patches that the userland won't stay up on an "ordinary" kernel.
It's really only a big deal until some hacker figgers out how to graft the patchset for an older kernel onto the newest kernel. I for one would have no objection if software not compiled on my machine would not run there ..... in fact, a kernel/userland mismatch situation pretty much saved my job once. -
Re:paranoia
You check it with:
gpg --verify kernel.sig kernel.tar
It's all on kernel.org's website:
http://www.kernel.org/signature.html -
paranoia
I downloaded 2.6.11.10 yesterday. When I saw this story, my first instant thought was that I'd been tricked, perhaps by a corrupt DNS cache that pointed me to a bogus www.kernel.org. Maybe I should actually check those digital signatures. Good thing I haven't untarred and compiled 2.6.11.10 yet.
But now, reading all these posts that point out the story is mistaken, and should say 2.6.11.10, not 2.6.11.9, I feel much better. So, uh, how do you check those signatures?
-
For those on the bleeding edge
The current bleeding-edge kernel is 2.6.12-rc4-mm2, which now seems to have at least some parts of the kitchen sink included. (I've not used vanilla kernels for a long time - the patchsets are usually much more feature-rich, often just as stable, and have a certain geekiness factor.)
-
#oldnews
We just got done upgrading our kernel, except we upgraded to 2.6.11.10
Changelog: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10 -
Why would Microsoft buy Linux?
When they can download it for free instead?
http://kernel.org/
It's open source - you don't need to buy it, just download it, make a fork, and rebrand it as whatever you want. $0 and perfectly legal. Somehow I don't see it happening though. -
Re:Perhaps a strange suggestion, but...
If I make a Linux program that burps when the kernel oopses or crashes, does that then mean that it can be said that "Linux" burps when it crashes? No it doesn't, and since RedHat is not the same thing as Linux, neither does it dump to disk on crash.
So, while RedHat may be capable of doing it if you install a nonstandard RedHat tool for it, similarly I'm sure there is the windows equivalent in shareware form with nag screen and $20 registration for the full version, or maybe there even is a developer tool for it hidden deep inside MSDN CDROMs.
But Linux does not save anything to disk when it encounters a kernel oops. Tell me which files on http://www.kernel.org/pub/linux/kernel/v2.6 contain the code and you have a point. -
Re:Author lied when implied that DRIVES are the is
there were many linux defects with no track cache flush command being received by devices, but if you want one set of recent fixes for flush corruption
...
refer to :
-force-ide-cache-flush-on-shutdown-flush.patch -force-ide-cache-flush-on-shutdown-flush-fix.patch
in Changes since 2.6.6-mm1
ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.6/2.6.6-mm2/
why the hell my informative parent post gets modded to only a "2" just because people do not like the truth is astounding.
I was hoping this would happen to my INFORMATIVE post because it just means i will not bother helping anyone in slashdot again for another halfyear absence from posting.
i figure... why bother... the S/N ratio is such that no low level coders seem to ever read slashdot anymore anyways in recent years.
it's probably time for me to move to other sites as well.
"2"! on the only FACTUAL and informative post in the entire damned thread! -
In other news...
-
Re:Are you trolling?
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.0.tar.bz2
This is very odd. The slashcode appears to have inserted the anchor tags.
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.0.tar.bz2
Hmmm. So it appears that slashcode tries to linkify that link, but when it's in an <ecode> entity, the anchor tags get displayed, rather than used as a link.
I guess slashdot needs better QA, too! Of course, we already knew that.
-
SCO Created It
Everybody knows that The SCO Group created Linux
Oh, wait... -
Re:Tyger Tyger
I just see it as Mr Young showing support for another alternative to MS. The underlying code for OS X is open, Linux code is open. Publicity? Sure. But also a show of solidarity.
-
Re:Yes but...
mirrors.kernel.org takes up most of the disk space. 10 TB obviously includes plenty of room to grow.
-
Re:Bad argument
Let's start with his argument that Linux didn't spring from nothing, which is the same bit you talk about. Uhhh, nobody claimed it did and by claiming that it didn't, he is being disingenuous as to what it is people are claiming.
Umm...
Linux is a clone of the operating system Unix, written from scratch by Linus Torvalds with assistance from a loosely-knit team of hackers across the Net.
(From kernel.org, emphasis mine)
Of course, it's a lie (see Minix and GNU) but that is what Mr. Torvalds has always claimed.
-
kernel bugzilla
-
Re:Jack of All Trades, Master of None
Thinking of Windows as an operating system is the same as thinking of Linux + BASH + XFree + KDE as an "operating system."
Well, that IS what "operating system" means, after all...
A single low-level kernel is NOT an operating system, it's just part of one. The Linux kernel, for example, is not by itself an operating system, since it cannot operate alone. -
Not quite right, this time
Ok, RMS (*ahum*) consistency is impressing. But he's not quite on the money here.
I'm pretty sure that the BitKeeper adventure has been, overall, good for kernel development. Linus and a lot of the others liked it, and felt productive using it.
More importantly, the switch to something else seems to go quite swiftly. git and cogito are already good enough to manage the kernel (if a little rough around the edges yet).
In other words, the price for dumping BitKeeper was pretty low. And so was the risk taken by using it.
And that's exactly the point of free software: nobody can take it away from you. That keeps the risk in using it low.
The risk and cost of using non-free software might be ok if you can live without it. But use free software for important stuff.
-
Some details about git
The C|net article referenced in this story does not do a good job of describing what git is.
From the LWN article The guts of git: Git is not a source code management (SCM) system. It is, instead, a set of low-level utilities (Linus compares it to a special-purpose filesystem) which can be used to construct an SCM system. Much of the higher-level work is yet to be done, so the interface that most developers will work with remains unclear.
Another article, (long), about git from the kerneltrap web site with relevant emails to/from Linux about some of the trade offs in it (fast patch management vs. no file deltas stored in the same file impacting space efficiency): Managing the Kernel Source With 'git'
The source for git is available online at:
http://www.kernel.org/pub/linux/kernel/people/torvalds/
Git mailing list: http://vger.kernel.org/vger-lists.html#git
I'm having some difficulty wrapping my head around what git is and how much functionality it provides that is needed to do SCM. My take on this is that git can be thought of as a low level SCM repository kernel that can implement a particular file structure (optimized for directory content management) that leads to easy replication, distributed file system with no worries about file corruption (unless you are really worried about SHA1 collisions). Git is not yet a SCM but a work in progress of the repository layer.
Anyone familiar with ClearCase (a proprietary SCM now owned by IBM) is aware (possibly painfully so if they were involved with administrating it) that it uses its own proprietary file system (which it calls VOBs). ClearCase has replication capabilities so there may be some degree of overlap in the basic concepts between ClearCase's lower level VOB layer and git.
There's more to do on top of git to make it part of a polished SCM system. I expect just as Linux has multiple Desktops (KDE/Gnome/xfce) there will be multiple git front-end clients to use the git utilities (API) to manipulate the contents of a git repository using your favourite language (Perl/PHP/Java/...) along with utilities to provide gateways to/from other SCM repositories such as CVS.
-
Re:what?
Well, they do have commie pinko unconstitutional fraud to worry about, not to mention the other operating system which "Just Works" :).
You almost feel sorry for Bill. Then you remember Windows ME. -
Found its directory on Kernel.org's ftp
I found this on kernel.org:
ftp://ftp.kernel.org/pub/software/scm/git/
It's empty at the moment but we'll probably be seeing the source code appearing in it soon. -
Re:Wow, that's a bit slow
Actually, smartass, I DID test it thoroughly, and (in 2.6.11, and continuing to 2.6.12-rc2 - no other kernels tried) it consistently fails to connect the MSN protocol (any client) and POP3, and some HTTP seems to behave badly but mostly okay. It IS a bug in Linux because none of the BSDs exhibit this, and it is also a bug that isn't fixed in 2.6.12-rc2 despite numerous changes to IPSec (and related) components.
Well I use POP3 and HTTP over ipsec and it is fine. So it is likely that you are doing something wrong.
Where is your bug report?
When you show me a BSD exposing a significant security hole (like the Linux signal exploit) or breaking long-standing network functionality (IPSec, packet filtering, etc.), then I might consider them somewhere close to buggy, but flawed hardware support is nothing compared to the breakages Linux experiences.
You really have no idea about software development, do you? You honestly think BSDs have no bugs? You are a sad, stupid idiot.
I've looked up your posting history and you are a stupid trolling idiot who wouldn't know a kernel if it kicked him up the anus. You consistently say stupid and incorrect things and try to pass them off as fact. I'm having nothing more to do with the likes of you.
A Linux advocate I know said, and I quote directly, "I've had some corker problems on GNU/Linux-based systems that can only be attributed to poor development and testing, and implementing the same thing on OpenBSD had no issues at all. First thing that comes to mind as indicative of the difference in quality between the GNU/Linux and BSD's, is PAM vs BSDAuth.."
A BSD advocate I know recently said (quote) "First thing that comes to mind for me is that Linux happens to beat all the BSDs at their own game. It is faster and far more scalable than FreeBSD, it is more portable than NetBSD, and it has advanced security infrastructure that OpenBSD can't match."
Honestly, it's no mystery and nothing new at all. Linux does not get tested. Shit, are you even listening to kernel devs? They've decided NOT to do any quality assurance, leaving vendors up to the task of testing and bug fixing (hint: they don't do a good job either). Find THAT kind of philosophy in any BSD...
Err, actually if you had any idea you would know that they do plenty of quality assurance and follow a good release process. Just because it doesn't exactly match what you small minded BSD zealots are used to, doesn't mean it is wrong. The various BSDs are far more comparable to Linux distributions than the Linux kernel itself.
-
XGI drivers are 2D only
When looking through the kernel source code there is only support for 2D. Kernel bugreport X.org bugreport
-
Re:Sarcastic post...
And what you write is exactly what Linus is doing now. It is not a full version control system, but it can likely do the basic job for the kernel, especially for distribution of the tree history between developers; it is probably likely that they will use (test, improve) various version control systems on top of this, actually. (Which should be possible.)
-
Really not
No, not really. What Linus is doing looks completely different. It is quite similar to Monotone if anything, in fact. It has quite a good description of itself in the README (skip the top part there :-) ).
One consequence of what he is doing is that it is trivial to do e.g. pulling from remote repositories (basically just two rsync commands), or diffing arbitrary two trees. You can see my scripts as an example.