But what does this provide that ipchains, ipsec, vpnd, ssh, etc. do not provide? Don't get me wrong, I LOVE seeing companies move towards Linux, I'm just curious why I would need a package like that.
I personally would use the VPN-HOWTO found (in RedHat at least) at /usr/doc/HOWTO/mini/VPN. It uses ssh, and if you enable compression, speeds even on a dialup line can dramatically increase. One hint from experience though: if you have a bidirectional line of, I'd say, a meg or more, don't use compression. It actually slows you down due to the number of packets it's processing. Just use the vpn script and make a private net between the remote and local machines. There is also vpnd (search Freshmeat), but I've never used it.
The other option would be to choose four ports on the main box, use port forwarding, and map those ports to port 23 on each machine, but I would strongly suggest using ssh in some way.
I'm assuming you are trying to ftp via command line from a box behind the masq box. You have to use passive mode ftp to do this. I believe a "quote pasv" will do the trick.... It's been a while since I've used passive by hand so I don't remember. There are plenty of GUI ftp clients for Linux (and Windows :P) that will do pasv. If that's NOT the problem, try an "insmod ip_masq_ftp" on the masq server if you haven't already. I dunno if this helped, but I thought I'd give it a shot.
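Added example (not from the post and not the kernel's ip_masq_ftp code): POSIX shell functions that decode the FTP PASV reply and PORT command the way a masquerading box has to, so you can see why active mode fails from a private address and what the helper module must rewrite. The addresses in the sample lines are constructed.

```shell
#!/bin/sh
# Added example: decode FTP PASV/PORT endpoints to show why active-mode FTP
# breaks behind IP masquerading unless the PORT command gets rewritten.

# Turn "h1,h2,h3,h4,p1,p2" into "h1.h2.h3.h4 port" (port = p1*256 + p2).
decode_hostport() {
  # $1 = the comma-separated tuple from a PASV reply or PORT command
  set -- $(printf '%s' "$1" | tr ',' ' ')
  [ $# -eq 6 ] || return 1
  printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Server's reply to PASV, e.g. "227 Entering Passive Mode (192,0,2,10,195,80)".
# The client opens the data connection *outbound* to this endpoint, which the
# masq box handles like any other outbound TCP connection (no helper needed).
pasv_endpoint() {
  tuple=$(printf '%s' "$1" | tr -d '\r' | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
  [ -n "$tuple" ] || return 1
  decode_hostport "$tuple"
}

# Client's PORT command, e.g. "PORT 192,168,1,5,4,1". The server is expected
# to connect *back* to this address, so the address must be reachable from it.
port_endpoint() {
  tuple=$(printf '%s' "$1" | tr -d '\r' | sed -n 's/^PORT \([0-9,]*\).*/\1/p')
  [ -n "$tuple" ] || return 1
  decode_hostport "$tuple"
}

# RFC 1918 ranges: addresses a remote server cannot reach from the outside.
is_private() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Verdict for a PORT command sent from behind the masq box: "needs-rewrite"
# when the advertised address is private (the server would try to connect to
# an unroutable address, which is what ip_masq_ftp fixes up), else "ok".
active_verdict() {
  ep=$(port_endpoint "$1") || return 1
  host=${ep%% *}
  if is_private "$host"; then echo needs-rewrite; else echo ok; fi
}

# Constructed sample exchange:
pasv_endpoint "227 Entering Passive Mode (192,0,2,10,195,80)"   # prints "192.0.2.10 50000"
active_verdict "PORT 192,168,1,5,4,1"                            # prints "needs-rewrite"
```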
I've been using Greek gods. I figure if I ever run out I'll move to Roman. If I get to the point that I'm running out of names, I'll need another admin in here :)
Hey... I can stop any time I want! Really! I'm only a social Linux user. I only use linux when I'm slashdotting! They told me everyone was doing it. It was peer pressure!
I don't see how this is a court issue at all. If I noticed spiders slamming a website twice a day I'd block the domain from my subnet, and I wouldn't listen to anything anyone had to say about it. Is this a technical incompetence issue rather than a legal one?
Bellsouth's DSL service isn't anything out of the ordinary. They do get uptight if they _know_ Linux is involved. Just bait and switch them. They use the MAC address for the DHCP server. Give them a 95 machine with a NIC in it and let the Bellsouth guy do his Bellsouth thing, then move the NIC to another box (or reboot if it's dual boot :P), and all is well. This is the case for most DSL and cable ISPs. It's easier to let them think they have done what they are supposed to than to fight them.
I certainly wasn't implying that relying on switches alone would completely secure anything. It does stop people from running a sniffer and then choosing what traffic they see from the whole subnet to grab. As far as faking the MAC address, would that not interrupt the communication to the other NIC? I've never tried faking a MAC address so I really don't know. Ethernet broadcasts aren't generally sensitive information that I can think of. I know I said it before, but crypto is always the best way to go.
I would think that a firewall would cause "protected" software to disable itself. I would imagine that the local copy of the software would have to contact a master server over IP or dialup or something for a daily or weekly or monthly ACK. If it cannot get the ACK, it shuts down. Anyone who would want to do this remote shutdown routine has surely thought about firewalls.
1) My network is 100 base switched. My servers have hardware RAID 5. My setup is three times the speed of a hard drive on a workstation. There is no delay for saving to the network. None.
2) I don't back up my workstation. I keep my stuff on the server.
3) I have drop-in replacements sitting in the back. The customizing for the individual user takes maybe an hour. Restoring from tape takes FOREVER. Besides, the user can shift over to another workstation while I'm setting up Outlook and the other stuff. Big deal.
4) Backing up all the workstations would make my already enormous backup even bigger. This costs more money in tapes, takes longer, and is harder to sift through when there is a problem.
5) I don't know if you noticed, but I have not been using the term "we". Guess why! Because I'm the only one who does internal support. With it being only me, I _need_ everything centralized.
I'm assuming you are letting the station ask for its servers. Don't rely on the remote PPP server to dictate the DNS servers. Specify them by hand in the dialup properties. It's been over a year since I've used NT to dial anything, but it should work.
As far as profiles for modem or no modem, network or no network, don't worry about that. NT can actually handle being multi-homed, but 9x has some odd problems and requires some coaxing.
I hope this helped! You can email me at the above address if you would like. Take care.
I hit TAB/SPACE and it submitted :P. So I suck. Anyway, what I was going to say was....
My setup is this: on my dedicated backup server I have NFS mounts to the main Linux servers. I run BRU on a crontab that does an incremental backup daily and a full backup weekly. I used a rather ugly hack on the MTX driver for the DLT library control, but it works very well. I chose BRU because of its verify pass on backups. Makes me feel better about the amazing amount of data I've been asked to manage. For the database, I just dump the contents of what it backed up into different /var/log files. Cat and grep let me find what is where.
My point is that if you keep everything on servers, locating, backing up, and restoring is easier.
However, if you must keep stuff on the Windows machines, smbmount should work fine allowing you to keep everything mounted in one place. Someone already said this, but for the Mac, use one of the utils that lets you use SMB and "share" the directories.
One last note: if you are doing this over the internet, I would hope you're using a VPN of some sort :) If not, please do! Encryption is our friend, even if El Reno says it's evil.
Well, I've seen a few of my thoughts already said earlier, but I figured I'd tell you what I've been doing. I have a dedicated server that does nothing but backup. Over 400 gigs go through it to a 15 tape DLT library per week. We have ~60 workstations and 4 servers.
My policy on it irritates people, hence the title of my post. With the number of workstations I have to manage, I consider workstations expendable. If the Win9x/WinNT4 station eats itself, oh well... reinstall and get on with it. I tell everyone to keep anything they care about ON THE SERVER. Some don't listen, and they lose stuff when Windows blows up completely.
Porn is brought up when referring to controlling the internet because damn near every political goal recently has been justified as being "for the children!".
Get rid of the guns! Why? For the children!
Socialized health care now! Why? For the children!
Metal detectors and full cavity searches for all high school students who wear all black! Why? For the children!
Censor the Internet! Why? For the children!
Restrict Crypto! Why? For the children!
As if any smart terrorist would use American crypto when we have the KRA (http://www.kra.org). Next we're not going to be able to import crypto, and I'd bet money the reason will be..... you guessed it... for the children!
I think I've ranted out now and will go get a beer :)
Well, there is a howto for a VPN with ssh in /usr/doc/HOWTO/mini/VPN (in RedHat anyway). What it does is use pppd over ttys over ssh. It works quite well, but the only problem I have is that it doesn't notice when it is dead and tends to leave ghosted ppp's floating around. I'm sure that could be scripted though. One hint: since you are on a 10Mb LAN, make sure you don't use compression in the ssh part. It will slow you down painfully. It did that to me on a 3Mb link. On slow connections, the compression works beautifully.
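Added example, not from the VPN mini-HOWTO or the post: a cron-driven watchdog for the pppd-over-ssh tunnel that tells the ghosted-ppp case (pppd still running, tunnel dead) apart from a clean outage, reaps the ghost, and restarts. The pidfile path, peer address and start command are assumptions; `decide` takes optional probe overrides so it can be exercised without a real tunnel.

```shell
#!/bin/sh
# Added example: watchdog for a pppd-over-ssh VPN link. Run from cron as
# "vpn-watchdog.sh run". Paths and addresses below are assumptions.

PIDFILE=${PIDFILE:-/var/run/vpn-ppp.pid}          # pidfile pppd writes for the tunnel unit (assumed)
PEER=${PEER:-10.99.0.1}                            # ppp address of the far end (assumed)
START_CMD=${START_CMD:-/usr/local/sbin/vpn-start}  # whatever script brings the tunnel up (assumed)

# Is the pid recorded in file $1 a live process? kill -0 sends no signal,
# it only checks that the process exists and we may signal it.
pid_alive() {
  [ -f "$1" ] || return 1
  pid=$(cat "$1" 2>/dev/null)
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Does the far end answer through the tunnel? One packet, short timeout.
peer_reachable() {
  ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Classify the link. Prints one of:
#   up      - pppd running and the peer answers
#   restart - pppd process exists but the tunnel is dead (the "ghost" case)
#   start   - no pppd at all
# $1 = pidfile, $2 = peer; $3/$4 optionally name replacement probe functions.
decide() {
  alive=${3:-pid_alive}
  reach=${4:-peer_reachable}
  if $alive "$1"; then
    if $reach "$2"; then echo up; else echo restart; fi
  else
    echo start
  fi
}

# Kill the ghosted pppd (TERM, then KILL) and drop its stale pidfile so the
# next start does not trip over it.
reap() {
  pid=$(cat "$1" 2>/dev/null)
  if [ -n "$pid" ]; then
    kill "$pid" 2>/dev/null
    sleep 2
    kill -9 "$pid" 2>/dev/null
  fi
  rm -f "$1"
}

main() {
  case $(decide "$PIDFILE" "$PEER") in
    up) ;;
    restart)
      logger -t vpn-watchdog "tunnel dead, reaping ghost pppd and restarting"
      reap "$PIDFILE"
      $START_CMD ;;
    start)
      logger -t vpn-watchdog "tunnel down, starting"
      rm -f "$PIDFILE"
      $START_CMD ;;
  esac
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then main; fi
```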
Vpnd was probably referring to slip because a VPN is a virtual point to point connection, and then you can route through that point. I would think PPP would make more sense than slip, but who knows.
I've seen a few other projects that look promising. Check out the FreeS/WAN project at http://www.xs4all.nl/~freeswan/. It uses IPSEC so it should work with other IPSEC devices.
The reason I suggested a VPN of some sort is that after you have securely connected two networks, encrypting file transfers, ttys, etc. becomes unneeded unless you've got people inside your own network you have to worry about. This allows many more tools to be used for administration.
Could a VPN like vpnd work for you? You could create a private IP network inside it and use unencrypted free tools inside an encrypted tunnel. Just a thought :)
I am not a Windows NT fan (nor do I play one on TV), but I admin about 60 Windows machines as workstations at work. What I have noticed is the absolute lack of knowledge that a lot of these users have. In Win9x, there are no levels of admin/poweruser/domain user/guest. People are encouraged everywhere you turn to run this neato exe from a web site with a "~" in the URL. Screen savers that have an install instead of just a .scr file are a perfect example.
But that's only part of the problem. Mass production of MCSEs isn't helping.
I've been admining NT and Linux for quite a while now, but I decided to enroll in (ugh... I know... shaddup) MCSE school to learn the little details I would need to throw back out at the test to be "certified". It was pretty depressing. In the ENTIRE NT wks and svr sections, I only recall seeing "don't stay logged in as the Admin" once. It was never stated in class. I was one of two people in the class who had even installed NT. (They give you a 120 day eval.) Several people didn't have computers.
IF you are going to use NT as an important server, you should really set it up with strictly what you need, service pack it as best you can, lock the console, and never log in locally unless there is a problem. I have gone to way too many places and seen people using the server as their workstation, logged in as Administrator with IE4 and Outlook (with Word as the editor) both open, having no idea what that can do. Getting your hands on people to run your servers intelligently (or for God's sake learn yourself) is the best plan if you must use NT. Don't use IT staffing firms. And the most important rule: if the NT machine matters to you, don't put it on the Internet. If you must put it on the Internet, don't browse from it and DAMNIT, DISABLE NetBIOS on the NIC that is facing the Internet. These can't solve all problems, but it's all you can really do.
This is not taught to the people who really really want to be an admin in MCSE school. People aren't learning. I have no idea what the solution to this is. I can make all the noise I want about it, but someone always knows better.
It is pretty silly to see this as some massive threat. IP Masqing or proxying or whatever should stop this from happening to you unless someone makes one that opens control outbound actively to a predefined host instead of passively waiting for a connection. People were scanning clients on IRC for PC-Anywhere connections to look for blank passwords. Why is cDc worse? Open NetBIOS shares, buggy Windows ftp servers, etc. are much more of a problem for the people willing to have MS products directly on the Internet, but again, that's user error and they probably didn't know.
Maybe I'm way off track here, but I dunno. Just thought I'd ramble :) Take care.
It would seem to me that the reason Linux hits the news so much here is because a lot of people here watch for it and send stories in about it. It also seems to be the fastest moving OS around. With it being developed and spread so fast, I'm not surprised it gets that much attention here. But then again, I'm a Linux freak myself, so what do I know :)
Good grief. Is it just me or does this sound more like an IRC war than a discussion? Hanging out on IRC changed drastically after the internet went mainstream. You always had your schmucks, but after tens of thousands of IRC clients started showing up, we ended up with a lot more schmucks. I have always had a hard time grasping the concept of saying things in text that you would never have the balls to say in real life in front of a person. I type as I would speak to you in person.
Rioting and mob mentality is understandable IMHO if tanks and soldiers are rolling down Main Street USA, but not when somebody says something dumb. Had he said he was going to rape the mothers of all RedHat investors, fine, attack. But he didn't.
If I went full force after every dumb comment made to me in person, there would be a lot less dumb comment makers in the world, and I'd be in prison *grin*.
One last thought: Ever notice that the religious nuts who run up to your car screaming about hell while holding a fistful of pamphlets hold a LOT less credibility than the preacher sitting quietly in a church doing his thing? Not that I'm a religious man, but heh, it's a thought.
Educating the users is nice in theory, but almost impossible in practice. I deal with this constantly. I had a scene which was amazingly like a uf cartoon. She was convinced that the OS at her previous job was "Gateway 2000" and Netscape was their ISP. All I could do was smile, nod, and say "Oh yeah! I've worked on those before". And we all also know that any jerk-off who has bought a Packard Bell at CompUSA and managed to get it on the internet is an expert now and can tell you how you should fix problems. You cannot tell this kind of user how not to use email. They know better.
One of the main education issues I can see is that the same faith some people put in the government, they put into Microsoft (microsoft.gov? who knows). Microsoft is in the media the same way the White House is. They can spin stories just as well as the Clintons can. Trying to tell your average user that GUIDs and sending personal data through the Windows 98 Update Wizard is bad is like trying to tell media zombies that the internet and Quake do not make kids go bonkers with weapons.
Basically, I think all of us who admin Windows machines have a massive challenge as far as this goes. I can rant about it until I lose my voice around here, but heh, I'm just the long haired weirdo geek in the back room with the servers that run that other OS. What does he know.
I saw it last night too, and I'm going to have to say that I about cried laughing during the Jerry Springer scenes. Seeing Jerry Springer fighting with Dr Evil was too funny. I thought the movie as a whole was very well done. There aren't very many movies that I will watch over and over, but I think this one will make that list.
The 28 gig model is worth the same amount as my whole car! Oh well, I'll just drool. Hopefully these will take off, these guys will make a fortune for such a cool device, and the prices will drop after a while.
If I remember correctly, Worldnet stores their usernames and passwords in a text file or ini in the Windows directory.
Switched hubs render sniffers useless simply because every packet does not go to every NIC. Of course, encryption is a good idea anyway :)
that only criminals would want guns too.
-True Dork
Then I suggest you ask for your money back! :P
I'll shaddup now, but damn people, relax.