Using OpenBSD (and Linux could work too) it is possible to create a bridging firewall with no IPs that simply scrubs packets as they come through the interface.
One could always add a dialup modem to the machine in case remote access was necessary, but when you have two NICs, neither of which has IP addresses or running services, it makes a machine a whole hell of a lot more useful than a Linux machine in halted mode, which could EASILY run into weird memory/timing issues (which the author didn't bring up).
Re:are they for real or just a bad pun? (on Non-Profit Colocation?) · Score: 3, Informative
I've also sponsored some hardware for the CCCP as well as doing some admin work.
This project is definitely real and the CCCP pun is just that...or rather a *nod* to a somewhat socialist concept. (In fact, the IWW might start colocating with us)
This is probably exactly the kind of market Lindows.com is going after.
We talk about them a lot and ask: "Who would use their system?" but it seems to me that this is the perfect application.
It would provide Microsoft Office, X-windows, all kinds of terminal emulation, as well as stability, network management, security and most importantly, it would be COST EFFECTIVE.
Just my $0.02,
davidu
I think it goes without saying... (on Linus Does Not Scale) · Score: 4, Redundant
This is Linus's project; although supported by 1000's of developers, he is the man with the final say.
Maybe he does have some Theo-like qualities; it doesn't bother me -- he's created a great OS for me and I trust his judgement in what he wants to merge in and out of the source tree in the future.
Before creating some kind of soap opera from the emails on LKML we need to realize that all that is going on is discussion...this posting (hardly an "article") is trying to make something out of nothing.
You shouldn't really rely on a company who you are in contract with to provide you DNS service. When you leave, they have no incentive to keep pointing records for you or even make it easy for you to move.
It's much easier to use a third party DNS provider who is either really cheap or free.
There are quite a few cheap ones out there and a couple free ones, but of course, I won't cool my own.;-)
Actually, David Weekly and the California Community Colocation Project is hosting one of my new servers at their space in HurricaneElectric's colo. So at the moment I'm good but it's always nice to get a sponsor especially at the rate I'm growing.
For people looking for an easier and as of now more secure implementation for DNS you might want to check out tinydns, part of djbdns by the famous (or infamous) professor and programmer Dan Bernstein.
DJBDNS has never had a security hole discovered and plenty of people frequently evaluate his sourcecode.
The one gripe people have with his code is that he hasn't GPL'd it or even opensourced it. What he has done which is slightly more interesting is just released it with NO license and instead just asserts ownership over his codebase. If it doesn't bother you that it isn't GPL or BSD, etc -- check it out and help make the net's DNS servers safer and more secure.
We run it at EveryDNS.Net and haven't had a problem with it yet.
I can't comment on register.com but at EveryDNS.Net we found bind to be too much of a risk to run for our servers. In the long run, DJBDNS has proven to not only be secure but also far easier to set up, administer as well as write parsers for.
I dunno, I guess people "in the know" tend to know about Zebra because we use it over our networks on a daily basis. I learned about it from NANOG.
It works great but it has some problems scaling over huge routing tables (75,000+) especially with Solaris. You should be fine doing RIP2 or OSPF in linux with it.
The gimp can't output to CMYK color seps because the CMYK color system is patented and covered in licensing. There is NO way to do CMYK in the open source world without a license granted by the holders. (Pantone, etc)
Tools like LaBrea are cool, but aren't more than hacks. By wasting the TCP timeout on these worms it just forces the next worm writer to create a multi-threaded worm which would instantly be immune to such a defense.
A better defense, which I admit is more costly in terms of CPU, is to run border IDS systems and simply have rulesets to filter this kind of traffic out.
For example: Here is a snort ruleset for Nimda and CodeRed and possibly other worm variants against Windows OS's:
alert tcp any any -> any 80 (content: "cmd.exe"; msg: "cmd.exe access in HTTP!!"; react: block;)
alert tcp any any -> any 80 (content: "root.exe"; msg: "root.exe access in HTTP!!"; react: block;)
If you're running BigIP switches:
rule block_nimda {
    if (http_uri starts_with "/scripts" or http_uri contains "root.exe") {
        discard
    } else {
        use pool server_pool
    }
}
The point is...
It's better to stop these things on border routers and on the edges of LANs than on individual machines or IPs. LaBrea does nothing to protect other machines aside from slowing down the worm, which is almost futile.
I think the most popular alternative registry is the one run by OpenNIC. Chances are that if an alternative registry were ever to gain populace that would be it.
Tuesday, September 18, 2001, 11:51:43 AM, you wrote:
JM> Yes. We are seeing it here bigtime. Does anyone have any apache hacks
JM> to lessen the impact? One idea: Once a probe is sent, the prober's
JM> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
JM> that all children can share) and new connections from that IP are no
JM> longer accepted.
Here's a possibility but I need help with one aspect:
A) create a rule in your apache httpd.conf like this:
<Location /scripts/root.exe>
    Deny from all
    # "Deny from all" answers 403, not 404, so hook the 403 handler. A local
    # path makes Apache run blockip.php as an internal redirect for the same
    # request; a full URL would send the client a 302 that a worm never follows.
    ErrorDocument 403 /blockip.php
</Location>
B) create blockip.php (or use perl or whatever[read: python])
<?php
$iptables = '/usr/local/sbin/iptables';
$ip = $_SERVER['REMOTE_ADDR'];          // don't rely on register_globals
if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
    exit;                               // only a literal IP may reach the shell
}
$blockline = 'sudo ' . $iptables . ' -A INPUT -s ' . escapeshellarg($ip) . ' -p all -j DROP';
system($blockline);
?>
C) the caveat here is that you need to give the webuser (nobody)
access to iptables. This can be done in sudo like this:
nobody ALL=(root) NOPASSWD: /usr/local/sbin/iptables
The MAJOR problem is that you have now given your entire web site
access to iptables. If you have a machine which has no "users" then
this may be okay for you however for most of us it is not. Do any of
you have a way to call a perl script directly from the httpd.conf
entry and perhaps pass the REMOTE_ADDR to it? I know there's a way
and I'll look for it, but in the meantime -- any ideas?
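The Snort signatures earlier on this page and the Apache/iptables scheme in this post key on the same thing: an HTTP request for cmd.exe or root.exe. The script below is an added example, not code from the original post or from EveryDNS. It answers the privilege problem raised above by keeping the web server out of it entirely: a separate process that runs as root (from cron, over the new tail of the access log) parses Apache log lines, collects the sources of probe requests, and issues one iptables DROP per address as an argv list with no shell involved, with an allowlist so a monitoring host cannot lock itself out. The sample log lines, the 10.0.0.0/8 allowlist and the iptables path are constructed for the example; iptables is only invoked when dry_run is False.

```python
import ipaddress
import re
import subprocess

# Request paths the posts on this page treat as worm signatures.
PROBE_PATTERNS = [re.compile(p) for p in (r"/scripts/root\.exe", r"cmd\.exe")]

# Sources that must never be blocked (constructed: pretend this is our own scanner).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# Apache common/combined log format: client IP first, request line in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2001:11:51:43 -0700] "GET /scripts/root.exe HTTP/1.0" 403 289',
    '198.51.100.22 - - [18/Sep/2001:11:52:01 -0700] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [18/Sep/2001:11:52:10 -0700] "GET /scripts/cmd.exe HTTP/1.0" 403 289',
    '10.1.2.3 - - [18/Sep/2001:11:53:00 -0700] "GET /scripts/root.exe HTTP/1.0" 403 289',
    "garbage that is not a log line",
]


def parse_line(line):
    """Return (client_ip, request_path) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("path")) if m else None


def is_probe(path):
    """True when the request path matches one of the worm signatures."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def is_allowlisted(addr):
    return any(addr in net for net in ALLOWLIST)


def find_probe_sources(lines):
    """Sorted, de-duplicated client IPs that requested a probe path."""
    found = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path = parsed
        try:
            addr = ipaddress.ip_address(ip)  # a non-literal never reaches iptables
        except ValueError:
            continue
        if is_probe(path) and not is_allowlisted(addr):
            found.add(addr)
    return [str(a) for a in sorted(found, key=lambda a: (a.version, a))]


def iptables_commands(ips, iptables="/usr/local/sbin/iptables"):
    """One argv list per source; exec'd directly, so there is no shell quoting to get wrong."""
    return [[iptables, "-A", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]


def block_probers(lines, dry_run=True):
    """Build (and, when dry_run is False, run) the DROP commands for the probe sources."""
    cmds = iptables_commands(find_probe_sources(lines))
    if not dry_run:
        for cmd in cmds:  # the only privileged step: run as root, never as 'nobody'
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    for cmd in block_probers(SAMPLE_LOG):
        print(" ".join(cmd))
```

Because the web server only ever writes the log, nothing in the request path can reach iptables, which is the hole the sudo approach opens. The INPUT chain still grows without bound; the expiry JM's post asks for (drop the rule after some hours) belongs in the same root-owned job, not in the web tier.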
Ok, I can't believe I am going to bite on this troll but here it goes:
QMAIL is not your problem. In fact, even if you REALLY screw up in your setup qmail is still hard to use as a relay as you ACTIVELY have to open it up as one. Now I'll get to your points (which are few):
I think you are saying that qmail allows relaying. -- That is false. If you read the relaying section in life with qmail you will notice that it says "If you follow the official directions for installing qmail, relaying will be turned off by default." -- Obviously you messed that up.
To monitor your rule you will look in the /etc/tcp.smtp file and find rules in this pattern:
IP address of client:allow,RELAYCLIENT=""
IP address of client:allow,RELAYCLIENT=""
Now unless you are using something like pop-before-smtp then that's it. If you are using pop-before-smtp make sure your cron job is running every half hour to clear out old relay entries.
<RANT> PLEASE DON'T BLAME QMAIL FOR YOUR MISCONFIGURATION</RANT>
You can email me privately if you still need help and Cliff, you should not have posted this troll.
-dave
How to manage popup windows in the new Mozilla (on Mozilla 0.9.4 Released) · Score: 5, Informative
Ok folks, here is a really cool feature:
The Ability to manage, on a site by site basis, which sites can give you popups and which can't. A very effective way to manage pop up ads. Here's how:
No POPUPS whatsoever: user_pref("capability.policy.default.Window.open", "noAccess");
But...if some sites need popups, make a zone for them like this:
user_pref("capability.policy.strict.sites", "http://www.evil.org http://www.annoying.com");
user_pref("capability.policy.strict.Window.alert", "noAccess");
user_pref("capability.policy.strict.Window.confirm", "noAccess");
user_pref("capability.policy.strict.Window.prompt", "noAccess");
... you get the idea....
It is very cool, and there is a lot of scripting and other trickery you can do with these preferences.
You know that was in bad taste -- I know you aren't serious because I looked at your webpage but a lot of the kids on slashdot have no idea and are pretty ignorant.
I'm not calling you a troll, it was even mildly funny -- just in poor taste.
This solution, far from creative or unique, offers nothing in terms of aiding in the creation of secure PUBLIC networks.
For example, a college campus can't be expected to teach every student, including the non-geeks, how to set up IPsec, port forwarding with SSH, and all other kinds of neat things.
Granted, Dan Kaminsky gave a talk at DefCon this year on how to seamlessly tunnel your way through 'hostile' networks, but it still isn't as simple as just renewing your IP and being online.
One possible solution to secure public nets is similar to the way we validate PGP keys. Face to face signing parties. If I run a public net I'd like to know who is using it. How about you drop by my cafe and just give me your MAC address and I'll add you to the firewall's rulesets. Automatically you now can find out who is in promiscuous mode, who is using all your bandwidth, etc, etc, etc.
There are many other solutions that aren't as much of a hack as IPSec, ssh tunneling, or any of these other high level obfuscators.
-davidu
BOFH Quote of the moment
Phreedom.Net BOFH Quote
David U.
Contact me privately at support@everydns.net and I'll help you through this.
You are confusing a couple different issues/problems.
-davidu
not to be a troll but...
in this case the difference is that this works and freenet still isn't usable by any decent minority of people let alone a majority of people.
-davidu
haha, yeah right, everyone's a cheap bastard. ;-)
thanks for caring,
-davidu
Thanks, David U.
Just my $.02,
davidu
It's a bummer I know.
-dave
The sky is falling...
Here's my mirror of the two coolest "wallpaper" size images:
The Blue One
The Green One
-davidu
thanks, couldn't have said it more clear myself.
-dave
;-)
www.opennic.unrated.net
Furthermore, dot-god.com works and dotgod.com doesn't. I think it's a message from God...whoever ( he | she ) is.
-dave
it does. been tested -- it works.
here is an apache module which scans and blocks infected hosts:
Apache-Nimba-0.1.tar.gz
-dave
I told the guy he could email me if he had trouble.
I was just pissed he blamed qmail for a fault of his own and worse, posted it to a public server.
-dave
Someone woke up on the wrong side of the bed this morning...
-dave