(obvious typo: that's closest)
Can someone explain to me how discovering the THIRD closes system to ours in 2013 doesn't suggest that all the Dark Matter(tm) that's out there just isn't a mass of brown dwarfs that we can't see, and not a whole new class of matter?
Quick browse of the source makes it look like connections run through a python server... so anyone who deploys this on a gateway server (public web, but internally connected) would expose all internal ssh servers -- or at least that's how it appears.
Of course, using the web auth to connect mitigates the risk (but requires dual auth?) -- it's not obvious from the description that the connections to port 22 don't initiate from the browser's machine... and people may deploy this without appreciating the possible internal network exposure.
Back to my mindterm java client.. *sigh*
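The exposure described in the comment above is the relay server acting as an open TCP proxy into the internal network. One mitigation is a deny-by-default destination allowlist checked before the relay opens any outbound socket. This is an added example in Python and not code from the gateway project being discussed; the allowlist entries, hostnames and the 203.0.113.0/24 range are constructed stand-ins.

```python
"""Destination allowlist for a web-to-SSH relay (added example, not the
project's own code). Deny by default: the relay may only open a TCP
connection to a target that an allowlist entry explicitly covers."""
import ipaddress

# Constructed allowlist: exact hostnames or IP networks, each with the
# ports the relay may connect to on them.
ALLOWLIST = {
    "bastion.example.net": {22},   # hostname entry (constructed)
    "203.0.113.0/24": {22},        # documentation range as a stand-in
}


def _matches(entry, host):
    """True if `host` is the hostname `entry` or an address inside it."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return entry.lower() == host.lower()      # entry is a hostname
    try:
        return ipaddress.ip_address(host) in net  # entry is a network
    except ValueError:
        return False                              # host is not an IP literal


def is_permitted_target(host, port, allowlist=ALLOWLIST):
    """Return (ok, reason). Anything not covered by the allowlist is
    refused; private, loopback and link-local addresses get an explicit
    reason so the refusal is easy to spot in the relay's logs."""
    if not 1 <= port <= 65535:
        return (False, "bad port")
    for entry, ports in allowlist.items():
        if _matches(entry, host):
            if port in ports:
                return (True, f"allowed by {entry}")
            return (False, f"port {port} not allowed for {entry}")
    try:
        addr = ipaddress.ip_address(host)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return (False, "internal address not on allowlist")
    except ValueError:
        pass
    return (False, "destination not on allowlist")


if __name__ == "__main__":
    for target in [("bastion.example.net", 22), ("10.0.0.5", 22), ("8.8.8.8", 22)]:
        print(target, is_permitted_target(*target))
```

A hostname entry is only as good as the resolver: re-run the address check on the IP the relay actually connects to, after resolution, so a hostname that resolves to an internal address does not slip through.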
I bought my latest server board from Intel specifically because it supports this, and it does work well -- full KVM over VNC, can boot from bios all the way to desktop regardless of the OS, it's basically exactly like sitting at the console, but you can be anywhere.
However, I had a few issues with the design:
1) Setting up encryption for VNC was a pain... I had to dig around on intel's site to find some corporate management software before I could install an x509 certificate and connect to the encrypted port using RealVNC
2) RealVNC Viewer Plus ($$) is required if you want the ability to have full AMT (all the cool remote disk mounting, system power control etc). Some of this you can get via the web interface though (via a different port).
Apart from the setup pains though, it's very cool tech. I was also able to perform a full GUI install of Fedora on my US server from my laptop in Norway, using an ISO file on the laptop for the install (yes, you read that correctly... you can mount a local disk file on the remote machine and the bios makes it appear as a local disk! But again, that required the AMT features, and RealVNC Plus :P).
The system works by intercepting IP packets on the motherboard network interface (so you must connect via that port, not just any network port), and redirects connections to a selection of ports (all configurable) to support remote management via VNC, http/https, or a few other protocols. This means you can connect in and check out the desktop at full rez even when someone's using the machine, or even work on fixing issues even through a kernel oops. Basically, as long as the network to the port stays up, you have access to full console control.
I had tons of old disks from my Amiga, Mac Plus and even Apple ][ days, and did a fair amount of hunting before finding Kryoflux... it uses a USB device as a 3.5 and 5.25 disk controller, and can read the disks at the lowest level the drive supports -- so it can, for example, read the old 400/800k mac disks that require the old apple multi-speed drives with a regular 3.5 PC drive. The blueprints for the board are available (to etch/build your own, but I think you need to create your own layout), or you can buy a prefab from them (when they have them in stock, anyway -- I had to wait a few months).
They have software that connects to the USB device and creates various decoded files for lots of archaic disk formats. They keep talking about opening the source code, but I haven't followed the latest developments there... software is free for non-commercial use regardless.
I managed to dump about 50 ancient disks from mac, apple ][ (5.25) and amiga without problems, and could use the images in various emulators to recover the files. I had a few disks with sectors that couldn't be correctly parsed, and lost a few files there, but overall I found the device a savior for my old writings and early coding projects.
They sell the devices at http://www.kryoflux.com/ or you can troll the forum link for the blueprints (I can dig it up if there's interest). Last I heard they were working on write support (and a quick check looks like that may be available now too).
Thumbs up here.
Scott
I've been running my own "full stack" for over a decade, and currently use Fedora (linux) and the following services:
postfix - smtp, very good security record, and I setup most processes chrooted
dovecot - very stable imap, also good security record, I recommend maildir format for storage, and setup the sieve plugin for filtering rules
roundcube - very good ajax webmail, hosted on apache, also has managesieve plugin for config of filters
squirrelmail - another webmail, I keep it on there too for when a mobile browser doesn't like roundcube
spamd - spamassassin daemon, pretty easy to add as a content filter to postfix (then use sieve rules to direct tagged mail)
Get a cheap ssl cert, and make sure to use https for roundcube, and use smtps and imaps for clients. Make sure you have iptables setup correctly (deny by default), setup a good backup (I use rsync to removable storage with hard links between multiple aged versions).
Only allow remote login over ssh, I recommend only allowing an odd named account to ssh in, and then use su to admin stuff.
You should keep the system updated, 'yum update' makes that easy on Fedora -- probably the only really manual admin that needs to be done, you can automate it, but I prefer to keep tabs on what's changing and why...
Initial setup and config can take awhile (esp if you want to setup chroot for most stuff), but once it's up and running, it's pretty solid. If you want you can add things like SPF entries to DNS.
I went an extra step and setup a box with intel's vpro on the motherboard so I have encrypted full graphical console even if the kernel crashes or system won't boot (hasn't been a problem yet :). I also setup a hardware raid, so even the boot device is raided.
There's a lot more that you can do too regarding monitoring (tripwire, smartd, rkhunter) and extra services (dnssec, ipv6 etc) and there's tons of configuration tweaking that can keep you busy for weeks if you go deep, but that's not strictly necessary...
Good luck, and have fun!
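The backup scheme mentioned above (rsync to removable storage, hard links between aged versions) is worth seeing as a mechanism, because it is what makes each snapshot a complete restore point while only changed files cost space, and why pruning an old snapshot never damages a newer one. The following is an added example written here in Python to make that visible; it is not the commenter's script and it stands in for `rsync --link-dest`. The Maildir file names and dates are constructed.

```python
"""Hard-linked snapshot backups (added example; the scheme rsync --link-dest
implements, written out in Python so the mechanism is visible)."""
import os
import shutil
import tempfile


def _unchanged(a, b):
    """rsync's quick check: same size and same mtime means 'not modified'."""
    sa, sb = os.stat(a), os.stat(b)
    return sa.st_size == sb.st_size and int(sa.st_mtime) == int(sb.st_mtime)


def snapshot(source, backup_root, name, previous=None):
    """Copy `source` into backup_root/name. A file unchanged since the
    `previous` snapshot is hard-linked to that copy instead of copied, so
    the new snapshot is complete but shares unchanged data with the old one.
    Returns (files_linked, files_copied)."""
    dest = os.path.join(backup_root, name)
    linked = copied = 0
    for dirpath, _dirs, filenames in os.walk(source):
        rel = os.path.relpath(dirpath, source)
        os.makedirs(os.path.join(dest, rel), exist_ok=True)
        for fn in filenames:
            src = os.path.join(dirpath, fn)
            dst = os.path.join(dest, rel, fn)
            old = os.path.join(backup_root, previous, rel, fn) if previous else None
            if old and os.path.isfile(old) and _unchanged(src, old):
                os.link(old, dst)          # same inode as the previous snapshot
                linked += 1
            else:
                shutil.copy2(src, dst)     # new data, mtime preserved for next run
                copied += 1
    return linked, copied


def prune(backup_root, keep):
    """Remove the oldest snapshots beyond `keep`. Because the link count, not
    the directory, owns the data, files still referenced by newer snapshots
    survive intact. Returns the snapshot names that remain."""
    names = sorted(os.listdir(backup_root))
    for old in names[:-keep] if keep else names:
        shutil.rmtree(os.path.join(backup_root, old))
    return sorted(os.listdir(backup_root))


def demo():
    """Run the scheme on a constructed temp Maildir; returns checkable facts."""
    work = tempfile.mkdtemp()
    src, root = os.path.join(work, "src"), os.path.join(work, "backups")
    os.makedirs(os.path.join(src, "Maildir"))
    os.makedirs(root)
    mail = lambda fn: os.path.join(src, "Maildir", fn)
    with open(mail("a.eml"), "w") as f:
        f.write("one")
    with open(mail("b.eml"), "w") as f:
        f.write("two")
    first = snapshot(src, root, "2024-01-01")
    # Modify b only; push its mtime forward so the change is unambiguous.
    with open(mail("b.eml"), "w") as f:
        f.write("two-changed")
    os.utime(mail("b.eml"), (2_000_000_000, 2_000_000_000))
    second = snapshot(src, root, "2024-01-02", previous="2024-01-01")
    ino = lambda snap, fn: os.stat(os.path.join(root, snap, "Maildir", fn)).st_ino
    result = {
        "first": first,
        "second": second,
        "a_shared": ino("2024-01-01", "a.eml") == ino("2024-01-02", "a.eml"),
        "b_shared": ino("2024-01-01", "b.eml") == ino("2024-01-02", "b.eml"),
        "remaining": prune(root, keep=1),
    }
    with open(os.path.join(root, "2024-01-02", "Maildir", "a.eml")) as f:
        result["a_after_prune"] = f.read()
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

Hard links only work within one filesystem, so the snapshots must all live on the same removable volume; and because a linked file is shared, never edit a file inside a snapshot in place, or every snapshot that shares it changes too.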
While I'd love to support DKIM (one more tool...) on my email server, my family all use Blackberries and iPhones -- the blackberry internet service (BIS) doesn't appear to support supplying a private key, or DKIM signing in general, so if I implement DKIM then I'm basically marking all the messages sent from the Blackberries as spam :P I assume the iPhone is in the same camp, but haven't looked into it since the BIS limitation already nixes the deal...
I've been traveling for more than a year, and I bought a Vaio G1 because it's uber-light (2lbs), long batt life (11hrs) and has dual layer DVD burner -- and it's made of carbon fiber so it's a tough cookie. It wasn't cheap though, cost me $2k in Kuala Lumpur.
I found that I didn't need it most places though, since the rest of the world (non US) has internet cafes everywhere, and they usually have cd/dvd burners if you need them.
I found the most useful toy was my Blackberry, esp. with the unlimited intl. data plan -- I could browse the web, send/recv emails and even IM everywhere I went (except Nepal and Cambodia though... prob for your Everest plans). The new ones have cameras and wifi, so they're even better than my old and creaky 8700. But being able to lookup something on wikipedia on the beach on a remote island in the Philippines is just too cool :)
I bought a Sony Vaio G1 about a year ago, and it beats the pants off the Air and X300 for "featherweight with features":
Dual-layer DVD writer, 11 hour battery (I get about 8 hrs, swappable), wifi/g, ethernet, modem, multi-flash reader, pcmcia, bluetooth, 12in screen, 80GB, phones/mic plugs, usb2, even fingerprint reader! Everything you need short of a camera (wish it had one for skype...)
In a carbon-fiber case at 2.46lbs... a year ago!
And *yes* I installed OSX on it :) (as well as XP, came with Vaisto :P) Drop the optical, you're http://www.dynamism.com/g2/main.shtml -- which adds firewire, 2 cores (same weight, longer batt life!)
Don't know what all the fuss is with these "new" featherweights, they're a little late to the game, and missing some key features: no optical!? Don't see feature details on X300, but Air is also missing swappable battery (or v. long batt life), no ethernet (enjoy your slow file transfers), no firewire, card slots (hardly any ports really).
Nice try... play again soon!
I haven't played with the gnome2 desktop until now, and to save (gobs) of time pulling/compiling, I just installed the Ximian Gnome2 developer snapshot.
However, I can't seem to find where the preference to enable anti-alias fonts is... I've tried selecting largish fonts, but all the rendering is clearly bitmapped.
Anyone else using the Ximian snapshot having this problem? Are they compiling w/ anti-aliasing off?
I've been using DavFS for awhile now. It is a kernel module which allows you to mount a dav location as a filesystem -- which pretty much allows any app to use the dav.
It was easy enough to compile for my RH7.1 system, you just need the kernel headers installed, and you can build/install the module, and then use mount.davfs to mount a location just like a samba share. It supports user auth. and you can compile in ssl support (a must in my book :)
My only issue is that you need to choose your mount point carefully, as an 'ls' even on the directory containing the mount point can take a second or two to complete (since the fs needs to perform a propget on the server); so I suggest placing your mount point in a subdirectory that you will only access when you're doing dav work... (ie not in your home directory). Other than that, it's great. I love it especially because it's very tolerant of the server restarting/going offline, since it's just http gets and doesn't have any "state" like nfs.
I've also mounted the drives on XP and OSX, which makes sharing documents (even securely to my office box over ssl) very cool. And setting up a dav share is just like setting up any other web location in apache (I use the mod_dav that ships with RH7.2 for my server...)
In short, very cool stuff.
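The round trip the comment above blames for the slow `ls` is a Depth: 1 PROPFIND whose 207 Multi-Status reply the filesystem has to parse before it can show a listing. The following is an added example (not davfs code) that builds that request and parses a constructed reply into a listing, including the case where the server refuses a property for one entry; the paths, sizes and dates are made up.

```python
"""WebDAV PROPFIND listing parser (added example; not davfs's own code).
The sample 207 Multi-Status reply is constructed, not captured."""
import xml.etree.ElementTree as ET

DAV = "{DAV:}"   # Clark-notation namespace prefix used by ElementTree


def propfind_request(path):
    """The request a davfs 'ls' has to make: PROPFIND with Depth: 1 asks
    for the collection and its immediate children, nothing deeper."""
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            '<D:propfind xmlns:D="DAV:"><D:prop>'
            '<D:resourcetype/><D:getcontentlength/><D:getlastmodified/>'
            '</D:prop></D:propfind>')
    headers = {"Depth": "1", "Content-Type": "application/xml; charset=utf-8"}
    return ("PROPFIND", path, headers, body)


# Constructed Depth: 1 reply for the collection /dav/docs/. The third entry
# shows a server refusing a property (403) for one resource.
SAMPLE_MULTISTATUS = """<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/dav/docs/</D:href>
    <D:propstat>
      <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>/dav/docs/notes.txt</D:href>
    <D:propstat>
      <D:prop>
        <D:resourcetype/>
        <D:getcontentlength>1234</D:getcontentlength>
        <D:getlastmodified>Tue, 02 Jan 2024 10:00:00 GMT</D:getlastmodified>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>/dav/docs/locked.bin</D:href>
    <D:propstat>
      <D:prop><D:getcontentlength/></D:prop>
      <D:status>HTTP/1.1 403 Forbidden</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>"""


def parse_listing(xml_text, base):
    """Turn a Multi-Status body into [{name, is_dir, size}] for the children
    of `base`. Only propstat blocks with a 200 status carry usable property
    values; anything else leaves the field unknown rather than guessed."""
    root = ET.fromstring(xml_text)
    entries = []
    for resp in root.findall(DAV + "response"):
        href = resp.findtext(DAV + "href", "")
        if href.rstrip("/") == base.rstrip("/"):
            continue                      # the collection itself, not a child
        entry = {"name": href.rstrip("/").rsplit("/", 1)[-1],
                 "is_dir": False, "size": None}
        for ps in resp.findall(DAV + "propstat"):
            status = ps.findtext(DAV + "status", "")
            if status.split()[1:2] != ["200"]:
                continue                  # property refused or missing
            prop = ps.find(DAV + "prop")
            if prop is None:
                continue
            rtype = prop.find(DAV + "resourcetype")
            if rtype is not None and rtype.find(DAV + "collection") is not None:
                entry["is_dir"] = True
            size = prop.findtext(DAV + "getcontentlength")
            if size and size.isdigit():
                entry["size"] = int(size)
        entries.append(entry)
    return entries


if __name__ == "__main__":
    print(propfind_request("/dav/docs/")[2])
    for e in parse_listing(SAMPLE_MULTISTATUS, "/dav/docs/"):
        print(e)
```

The reply body comes from the server, so a client that mounts shares it does not control should treat it as untrusted input: parse it with a hardened XML parser and never follow an href outside the collection it asked about.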