There are essentially three ways to fix this problem. The first is to patch sshd, which is probably the least preferable way as you would need to continually keep patching with each upgrade. But this seems effective, allowing you to exec a system command such as iptables.
http://ethernet.org/~brian/src/timelox/
The second is to use iptables to limit connection attempts from an IP address. One problem with this is people who use scp a lot may quickly rack up that connection limit.
Here is a recent example from the iptables mailing list:
# create the chain that the rules below jump to
iptables -N SSH_BF
# newer iptables versions want the "!" placed before the option it negates
iptables -A INPUT -p tcp --dport 22 ! -s $My_Home_Firewall_IP -m state --state NEW -m recent --name SSH --set --rsource -j SSH_BF
iptables -A SSH_BF -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
iptables -A SSH_BF -j LOG --log-prefix "SSH Brute Force Attempt: "
iptables -A SSH_BF -p tcp -j DROP
The best in my opinion is a pam module found at http://www.kernel.org/pub/linux/libs/pam/modules.html called pam_abl. This does not have the problem of the IPTables method that may mistake multiple fast scps etc as an attack attempt, and will not require continual repatching of the kernel such as the timelox patches.
Lastly you probably want to lock down ssh somewhat using the below config lines, primarily changing the PermitRootLogin to either no or without-password.
Protocol 2
PermitRootLogin without-password
# disable skeys
PasswordAuthentication no
ChallengeResponseAuthentication no
ClientAliveInterval 60
ClientAliveCountMax 30
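The trade-off described in the comment above, as an added example that is not part of the original post: a simplified model of the SSH_BF rules (3 new connections per source in 60 seconds) next to a counter of failed logins per host, which is the general idea behind pam_abl. The event list, the addresses and the failure threshold of 3 per hour are constructed assumptions, not pam_abl's defaults.

```python
from collections import defaultdict, deque

# Constructed events: (time in seconds, source IP, authentication succeeded).
# Addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    (0, "192.0.2.10", True), (5, "192.0.2.10", True), (10, "192.0.2.10", True),
    (15, "192.0.2.10", True), (20, "192.0.2.10", True),    # five quick scp runs
    (2, "203.0.113.7", False), (4, "203.0.113.7", False),
    (6, "203.0.113.7", False), (8, "203.0.113.7", False),  # password guessing
    (200, "203.0.113.7", False),                           # one more, much later
]


def rate_limit_drops(events, seconds=60, hitcount=3):
    """Simplified model of the SSH_BF chain.

    Every new connection is recorded first (--set), then dropped when the
    source has `hitcount` or more recorded connections in the last `seconds`
    (--rcheck). Whether the login would have succeeded never matters: a
    dropped connection does not reach sshd.
    """
    seen = defaultdict(deque)
    drops = defaultdict(int)
    for t, ip, _ok in sorted(events):
        hits = seen[ip]
        hits.append(t)                    # --set happens before the check
        while t - hits[0] > seconds:      # forget entries older than the window
            hits.popleft()
        if len(hits) >= hitcount:
            drops[ip] += 1
    return dict(drops)


def failure_blocks(events, threshold=3, seconds=3600):
    """Failure-counting model: only failed authentications count.

    Returns {ip: time at which the host reached the threshold}. The
    threshold and window are assumptions chosen for this example.
    """
    failures = defaultdict(deque)
    blocked = {}
    for t, ip, ok in sorted(events):
        if ok or ip in blocked:
            continue                      # successful logins are never counted
        fails = failures[ip]
        fails.append(t)
        while t - fails[0] > seconds:
            fails.popleft()
        if len(fails) >= threshold:
            blocked[ip] = t
    return blocked


if __name__ == "__main__":
    # The scp host loses 3 of its 5 connections to the rate limit ...
    print("rate limit drops:", rate_limit_drops(EVENTS))
    # ... but is never blocked when only failures are counted.
    print("failure blocks:  ", failure_blocks(EVENTS))
```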
This technology is great, just think, if it was made small enough and be powered by the great wattage of our own brains that run enough electricity to power a light bulb, we could have them installed incognito into suspected terrorists and find out their plans! Even better we could as people demand them installed into our politicians so we know why they write the laws they do. It sounds like great stuff to me!
Well the Govt already sticks racks used by ASIO (Australian version of CIA) into ISPs or at least ensure they have a port available if they decide to wheel their rack in. Maybe they can put them to good use and inform us if they detect the Kiddy Porn and then we won't have to worry about trawling through our already overflowing abuse emails "as much" in our vast quantities of spare time.
Most times I connect to overseas, and the latency/window size is the biggest speed issue. Even sitting on a 100Mb/s pipe to MCI at work you rarely see speeds above 2Mb/s to any site overseas especially if using TCP not UDP due to the latency issues and the nature of TCP windowing. OK so it might be fast to connect to other people on IInet, but that's the only bonus. Currently I have 6Mb/s ADSL to home in Australia (only one on my ISP with it from what I understand) and while I reach breakneck speeds to mirror.aarnet.edu.au on the Optus network to whom my ISP's primary provider is, I rarely see anything above 512kb/s to overseas sites. Going to just get unlimited 512k to the ISP I work for. No point getting any higher in Australia if you're connecting to international stuff most of the time. And no it's not because my ISPs are shit, it's just how it is being on the other side of the world. Fast to Singapore tho!
Try and do a fresh install of Symantec Internet Security 2003 and it will not get LiveUpdates for the Antivirus definitions nor the IDS Definitions.
I spent much time doing fresh installs of Win2k on various machines, going via different provider links and arguing with Symantec Tech support that it was not my machine or internet connection.
With full LiveUpdate logging turned on in Internet Security 2003 it showed various files were missing from the Symantec site but Tech support would make no comment on the missing files.
VERY ANNOYING
I currently have 6M/640k ADSL to home and I'm in Australia, which costs me an arm and a leg. However I normally get around 500kb/s to international sites and if I'm lucky 5Mb/s max to Australian sites. So I might as well have 512kb/s shdsl for 1/2 the price.
As some other Australian ISP admin says "over 512kb/s is a pipe dream" but maybe just in Australia
When will we see...
Signed Binary packages
By Default gnupg checking of Release.gpg files
Coker's SE Linux policy packages configurable during install
Default chrooting and running as a user for standard services such as Bind and ntpd
Use of Kernel Capabilities and userspace tools patches already available but unmerged to drop unnecessary permissions by default in programs such as tcpdump and ntpd
Use of propolice within gcc
Updated libpam-cracklib installed by default for strong passwords
Ability to run portmap only on loopback for local programs that require portmap (eg libdrac)
Installation of TLS by default for services where this is available (such as the creation of files /usr/lib/ssl/cert/ftpd-rsa.pem and /usr/lib/ssl/private/ftpd-rsa-key.pem to get TLS working in proftpd)
User supported but vendor managed daily updated "rules" packages for things such as snort/clamav signatures, and spamassassin/razor lists
I'll have to hope I get a spam from him. I believe the law says political parties can spam but not companies. So does this mean a company can from doing the spamming for a non-profit/political organisation? Maybe not
It appears that WineX 4 does have the Shared memory wineserver. From an interview with TransGaming CEO at http://desktopos.com.at.spry.com/sections.php?op=viewarticle&artid=23
Gavriel State: "this is the first release to incorporate our ShmServer technology, which can provide a significant speedup for games that make very heavy use of the Win32 Kernels synchronization facilities. This can speed up some games by 50% or more."
Yay!
When are we going to see a shared memory wineserver? This would be the best way to see a significant speed increase in Wine, rather than it having to launch a new Wineserver process for each application run. Transgaming were working on this some time ago but seem to have ditched the idea.
Hydro electric power systems generate VERY LITTLE electricity. My Dad who just retired has been operating the head control systems on NSW in Australia for most of his life. He told me that the coal generators which cost much less to build (there are something like 10 or so in NSW from memory) produce more than 98% of the state's electricity while the single hydroelectric generator produces less than 2% or so. The "great" thing about hydroelectricity is that it is easy to turn on and off to regulate the flow of electricity while the coal generators are either increased or decreased to handle the greater load. The NSW Snowy System scheme is used to regulate not only the electricity in NSW but also other states such as South Australia, Victoria and I think also Queensland but not too sure about QLD. Anyways hydro electricity isn't going to save us. It is majorly damaging to the environments and really doesn't produce much.
first mp3 i had was one i encoded myself. i remember being on efnet and someone told me some new music encoder was out and a music group on efnet was being started. I found out they were calling themselves an mp3 group, forget their name though. i got sent the Fraunhofer mp3 encoder beta and told not to give it to anyone. they had taken all the text out of the binary and written instructions how to use it so no one knew where it had come from. i decided mp3 format was pretty cool so whois'ed mp3.com and found it was available. unfortunately i was broke at the time and i couldn't see any of my friends helping me pay for my domain buying addiction (as internic had only just started to make you pay for domains to register them rather than a freebie for 3 months) so i didn't buy it after much wondering who would give me the money and coming up with no one, and just whoised it for two weeks until i saw someone else had registered it....
It would allow a computer interface to be implanted into somebody's head and monitor what activity was happening. It's a good first step at least. We could have it put into Terrorists and if they were thinking bad thoughts zap em like labrats. Of course this would probably need a warrant for this unlike being able to look at all our emails sms's and phone calls without one. After all they need to keep an eye on us. Or when we get used to the idea they could use it in schoolkids to stop em thinking the wrong things. I'm all for it. This is the next step for technology. I wonder what the step after this is going to be. The Governments of Australia, England and the USA are leading the world to the future I can see it already!
Actually EDS stock took its beating because of its major partnership with MCI Worldcom just before Worldcom's collapse. Under the agreement EDS had to pay Worldcom ($US) billions over the next few years if they didn't get them enough Contracts during that time. They got out of paying some of it by giving MCI Worldcom wads of cash upfront while they were in chapter 11. Stock shares went through the floor, Dick was the scapegoat as the idiot (scammer?) from EDS who originally brokered the stupid deal was already long gone. Dick may have been a complete Dick but he wasn't the main reason for EDS stock falling to 1/4 of their original price. I believe it is now only half of what it was. EDS are rumoured to be about to lose the US Navy contract as it is up for renewal. But hey that won't affect me cause I'm in Australia! :)
Glad you're in Canada till you read today's other story about Canada taxes
Australia ain't much better with its new spam laws either :) But hey ASIO is already allowed to log into anyone's computer without a warrant and modify data on your machine. We aren't too far behind
Try using apt-get secure from monk.debian.net which will check the Release.gpg file to ensure your Release files md5 sums are correct. Good to ensure you aren't downloading a hacked binary from a compromised mirror site.
I do about 15 minutes of firewall changes a week. The rest is "prep work" which involves sitting in on phone conferences listening to project managers think they are organising what's going on, looking at my task list and wondering I'll get something interesting and challenging, trying to think of what to put in my timesheet, and spending the rest of my time reading pdf files so I look like I'm busy. It's an easy life but it's boring as hell. Pity the place I work for aren't willing to give me anything else but firewall changes to do. I've told them I only do a few hours of real work a week (which is a gross overstatement) and they seem happy to leave it at that, but won't let me go for another position in the company where I'll be busy. Going to have to find a new job soon cause I'm dying of boredom.
debian doesn't have signed packages, redhat does. debian package security consists of a signed md5sum file and only the md5sum list is verified never the rsa sig of the md5sum list. while i use debian i think about moving to redhat because of this
Caffeine depletes your adrenal glands. Usually if you can go to sleep after downing a strong cup of coffee your adrenal glands are exhausted and you should decrease your caffeine intake to a cup or two in first half of the day. Or so I read not so long ago in some science rag
can we fit down a single cable tv feed is what I'm wondering
Where in the first amendment does it say you shall have the right to install software to spy on other people and ransack their private information
Of the Radioactive Boy Scout who built a nuclear reactor in his shed from uranium paint you find on antiques
we will never see Debian get this
And implement a new standard to allow for http requests to doubleclick whenever a dns resolution is made
And 80% of Sea Squirt genome is found in humans and other vertebrates....