Cough.
I'm only going to comment on two bits of your post, since I've never used ColdFusion/JRun with Apache (Or at all, for that matter) and cannot address the main issue.
disabled all unneeded services, performance tuned our app
You only did that _after_ you noticed your application is having problems?
In Stable, the likelihood of an 0wn4ge is slim to none, in other words.
How about this, or this then?
No distribution is inherently more secure than another; a Debian Woody machine will be as easily compromised as any other distribution if the admin is incompetent. (And, no, I'm not saying all machines are compromised because of incompetent admins.)
Sure, no one has found any bugs in Knuth's TeX in years. Same for Qmail, and others.
Er, wrong. qmail has had a couple of security flaws, and more than a couple of bugs. For a more exhaustive list, Google is your friend.
kudos to Slack for moving to X.org so quickly. The faster everyone gets away from X the better we all are.
Aren't you contradicting yourself a bit there?
Whoaaaa. Let's not go there. From net/ipv4/ipip.c: Authors: Sam Lantinga (slouken@cs.ucdavis.edu) 02/01/95
A lot more people will care, however.
The ISC site points to the NANOG archives: http://www.merit.edu/mail.archives/nanog/msg05267.html
That doesn't explain anything either, though. :-)
And akamai's servers seem to be back online, too. news.yahoo.com wasn't handled by scd, and it's working now. Makes one think it's a DoS causing all this, coming back online after all major customers moved off Akamai.
You're comparing your home connection with Akamai? :-)
I hate people that are too over-self-confident.
The differences between SSH X11 forwarding and plain X11 are:
a) you don't have to meddle with xauth and the likes to allow the host to connect to your X server
b) it's encrypted and can bypass some firewalls
LTSP is just the foundation for building diskless/thin terminals. You can use SSH X11 forwarding to display things, but in this case it would only slow (and complicate) things.
You're confusing Perl with CPAN. Perl by itself doesn't allow you to connect to a database the way you described; you use CPAN's DBI to do it, which is a database abstraction layer, same as PEAR's DB.
I won't set foot in any such establishment. I always put my phone on silent or vibration whenever I go into such a place (library, cinema, class), but I expect it to still work, since I rarely use the cellphone for chatter (Hey, I have no private life!). So instead of trying to catch jammers, why not fine people that don't silence their phones in 'silent' areas? They're much easier to catch, that's for sure, and you'll be attacking the root of the problem, instead of trying to nuke it.
Most of the 'current crop of pay-for distros' are also based on Debian (Lindows, Libranet and Xandros are the biggest three I know of).
That being said, the biggest advantage of Knoppix, imho anyway, isn't that it's GPL, but that I can boot it off the CD, making it a very useful tool when trying to revive dead machines.
And catching them is sooo easy if you don't even know which machine they launched the attack from!
Uh... Why would Finland of all places be the Capital of Open Source?
Can we say utopia? The only real way to fight DoS attacks is to apply ingress/egress filtering on routers. That way, not only can packets be traced back to the source, but your upstream may also have a chance at filtering out the DoS.
Oh, so dictionaries are not to be used nowadays? Good to know, I've been using those damn things for years without knowing they're so damn evil!
I find it funny that I've never seen an article which correctly uses the terms 'hacker' and 'cracker'. This one included, although they don't even mention 'cracker'.
So what if we have all these rules if the overwhelming majority of pages out there have Flash intros, content only accessible if you take the time to go through 20 intermediary pages? How many web designers actually know these rules (guidelines) actually exist? I for one strongly agree with these rules, since they enable you to actually USE the webpages, not simply drool over the shiny pictures, but most people out there simply don't know better.
Actually, you're looking for the allow-recursion option, which saves you the trouble of having to add that to every zone. Also, the allow-transfer is useful like that. Both of them go into the options section of named.conf, so you only have to add them once.
No, that's not what firewalls are for. You can't restrict DNS if you host domains from the firewall; you have to use your DNS server's options for this. Same with mail servers: you don't want to restrict who sends mail to you, you only want to restrict who uses you as a relay.
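As an added illustration of the two comments above (not from any of the posters), a BIND named.conf fragment that sets allow-recursion and allow-transfer once in the options section rather than per zone, while leaving ordinary queries to the hosted zones open; the ACL names, address ranges and zone names are assumed placeholders.

```conf
// Added example, not from the comments above. ACL names, address
// ranges and zone names are constructed placeholders.

// Name the client sets once so they can be reused in options and zones.
acl "trusted-clients" { 127.0.0.1; 192.0.2.0/24; };      // assumed LAN
acl "our-secondaries" { 198.51.100.5; 198.51.100.6; };   // assumed secondaries

options {
    directory "/var/cache/bind";

    // Recursion only for our own clients. Set here once, it applies
    // server-wide instead of being repeated in every zone statement.
    allow-recursion { "trusted-clients"; };

    // Zone transfers only to our secondaries. In options this becomes
    // the default for every zone below; a zone can still override it.
    allow-transfer { "our-secondaries"; };

    // Plain queries stay open: an authoritative server must still answer
    // anyone asking about the zones it hosts, which is why this belongs
    // in the server's options rather than in a firewall rule on port 53.
    allow-query { any; };
};

// Authoritative zone: inherits both settings from options, nothing to repeat.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

// A per-zone override remains possible where one zone differs.
zone "internal.example.com" {
    type master;
    file "/etc/bind/db.internal.example.com";
    allow-transfer { none; };
};
```

After editing, named-checkconf reports syntax errors before the server is reloaded.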
I really doubt that stable failed because of its packages conflicting... Easy to install, a major pain to update.
How about if you want to install the Suggests: and Recommends:? Personally, I use a combination of aptitude/apt-get/apt-cache/apt-file/auto-apt to install stuff on my box and I'm quite happy with it. Some people might like dselect's interface (which, I'll admit, I do find cumbersome), who are you to say it's bad?
As for using the Web to find packages, that's just wasting bandwidth as there's not much you can't find out using apt* that you can out there.