From mharrold at cas.org Wed Dec 1 08:14:20 2004
From: mharrold at cas.org (Mike Harrold)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] TERM madness
In-Reply-To: <41AD16F2.2070406@iwaynet.net> from "Jess Balint" at Nov 30, 2004 07:57:22 PM
Message-ID: <200412011314.iB1DEKM03685@srv45.cas.org>

>
> The normal way to change this is with the command stty:
>
> $ stty erase ^?
>
> or
>
> $ stty erase ^H
>
> Where "^?" or "^H" is Ctrl-V+Backspace. And then just put it in your
> .profile.

Err, you know you can just do ^h (a ^ followed by an h) right? :-)

/Mike

From archanoid at columbus.rr.com Wed Dec 1 10:14:47 2004
From: archanoid at columbus.rr.com (Aaron Howard)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] Blocking Korean IPs
Message-ID: <1101914087.2842.17.camel@linus>

Someone had asked how to determine what IP ranges belonged to what
region. I'll put a disclaimer on this: I consider myself
fair-to-middlin' at this stuff. There are probably much better ways to
do this that I just don't know about.

In the past, I have literally "brute forced" or walked my way through
entire address ranges using whois services. This entails starting with
all IPs assigned to APNIC and then breaking it down one sub-network at a
time, and querying whois to find out if (a) that's a valid assigned
subnet and (b) if it's Korean.

Now, there's a much better way. APNIC publishes this list:

http://ftp.apnic.net/stats/apnic/delegated-apnic-latest

An enterprising script writer could easily parse out the ipv4 records
for KR and create firewall rules based on it. In fact, googling turns
up http://www.hakusan.tsg.ne.jp/tjkawa/lib/krfilter/index-e.jsp which
houses daily updated scripts based on that file...so someone already has
gone to the trouble of writing said script. I don't see the parsing
script, though, that generates the iptables rules...just the iptables
scripts.
-Aaron

From josh at bitbuckets.com Wed Dec 1 10:38:27 2004
From: josh at bitbuckets.com (josh@bitbuckets.com)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] Blocking Korean IPs
In-Reply-To: <1101914087.2842.17.camel@linus>
References: <1101914087.2842.17.camel@linus>
Message-ID:

> for KR and create firewall rules based on it. In fact, googling turns
> up http://www.hakusan.tsg.ne.jp/tjkawa/lib/krfilter/index-e.jsp which
> houses daily updated scripts based on that file...so someone already has
> gone to the trouble of writing said script. I don't see the parsing

Heh... yeah... and I think I'll leave my firewall configuration up to
some script somewhere in another country... :)

It's good to have a list, though.

--Josh

From windon at windon.net Wed Dec 1 16:20:13 2004
From: windon at windon.net (Chesley A Windon)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] Blocking Korean IPs
In-Reply-To: <1101914087.2842.17.camel@linus>
References: <1101914087.2842.17.camel@linus>
Message-ID:

On Wed, 1 Dec 2004, Aaron Howard wrote:

> Someone had asked how to determine what IP ranges belonged to what
> region. I'll put a disclaimer on this: I consider myself
> fair-to-middlin' at this stuff. There are probably much better ways to
> do this that I just don't know about.

Why not use the IANA published list? Make a local copy and grep out all of
the APNIC allocated IP space. Actually, this should be fairly trivial to
automate so that you're always running with a pseudo-current list. You
shouldn't have to update your list but once every quarter, if that.
IPv4 http://www.iana.org/assignments/ipv4-address-space
IPv6 http://www.iana.org/assignments/ipv6-address-space

Chesley

From archanoid at columbus.rr.com Wed Dec 1 16:31:28 2004
From: archanoid at columbus.rr.com (Aaron Howard)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] Blocking Korean IPs
In-Reply-To:
References: <1101914087.2842.17.camel@linus>
Message-ID: <1101936688.2842.29.camel@linus>

On Wed, 2004-12-01 at 16:20, Chesley A Windon wrote:
> Why not use the IANA published list? Make a local copy and grep out all of
> the APNIC allocated IP space. Actually, this should be fairly trivial to
> automate so that you're always running with a pseudo-current list. You
> shouldn't have to update your list but once every quarter, if that.
>

That's fine for blocking all of the Asia Pacific area...but in order to
get down to just Korea (where I had more bots/scripts coming at me than
anyplace else) you need to go to APNIC and use their file to break out
just the KR entries. It's just finer-grained control. I personally
wanted Australia, Japan, and Taiwan left open. I didn't really care
about India, China, Indonesia, or Malaysia.

-Aaron

From ian.m.wilson at gmail.com Wed Dec 1 16:43:37 2004
From: ian.m.wilson at gmail.com (Ian Wilson)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] iptables oddities
Message-ID:

Good afternoon folks;

I've attempted to get my
firewall working on my suse box for about 2 days, with no success. I
currently have a three NIC firewall set up, with eth0 being my public
side, eth1 being my wireless (Linksys B and G AP's through ethernet
bridging), and eth2 being my wired.

basic setup:
eth0 - dhcp acquired address from cable modem
eth1 - 10.5.10.1 (to be issuing 10.5.10.10-200 in addresses)
eth2 - 10.50.10.1 (to be issuing 10.50.10.50-200 in addresses)

For some odd reason, I can't get my wireless clients to acquire a
dhcp address when it's plugged into eth1.
If I move the ap's to my switch carrying eth2, I'll get an ip address
from the dhcp pool for eth2, which leads me to believe that everything
is set correctly on the switch side.

The parts in question in my dhcpd.conf file look like:

subnet 10.50.10.0 netmask 255.255.255.0 {
  default-lease-time 28800;
  option domain-name-servers 65.24.192.171;
  option domain-name-servers 10.50.10.1;
  option domain-name "wired.home.iwcg.net";
  option routers 10.50.10.1;
  range 10.50.10.10 10.50.10.200;
  authoritative;
}

subnet 10.5.10.0 netmask 255.255.255.0 {
  default-lease-time 28800;
  option domain-name-servers 65.24.192.171;
  option domain-name-servers 10.5.10.1;
  option domain-name "wireless.home.iwcg.net";
  option routers 10.5.10.1;
  range 10.5.10.5 10.5.10.200;
  authoritative;
}

if I do an ifconfig, the ip addresses are correct, I'm just stumped.

Where's a good place to start looking to see what the problem is?
(Also, on a second note, my dhcp server seems to die after about 6
hours, but I can't find anything in the syslog about it)

Thanks;

Ian

--
[insert witty comment here]
Ian Wilson
ian.m.wilson@gmail.com
http://blog.iwcg.net/users/ian/

From jep200404 at columbus.rr.com Wed Dec 1 16:59:00 2004
From: jep200404 at columbus.rr.com (Jim)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] iptables oddities
In-Reply-To:
References:
Message-ID: <20041201165900.137d3c86.jep200404@columbus.rr.com>

Ian Wilson wrote:

> firewall working on my suse box

What all else is running on this Suse box?
Do you use it as a normal workstation?
Do you use it as a server?

From ian.m.wilson at gmail.com Wed Dec 1 17:04:14 2004
From: ian.m.wilson at gmail.com (Ian Wilson)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] iptables oddities
In-Reply-To: <20041201165900.137d3c86.jep200404@columbus.rr.com>
References: <20041201165900.137d3c86.jep200404@columbus.rr.com>
Message-ID:

On Wed, 1 Dec 2004 16:59:00 -0500, Jim wrote:
> What all else is running on this Suse box?
ssh
dhcpd
ntop (on the private wired side)
and iptables

> Do you use it as a normal workstation?
Not really...I've contemplated throwing X on there for network
monitoring, but ended up installing nagios on one of the other
machines on my network.

> Do you use it as a server?
No. All "server" type services are ran on separate machines with port
forwarding, with the exception of ssh--sshd is the only server that is
outward facing that is hosted on suse.

Ian

--
[insert witty comment here]
Ian Wilson
ian@iwcg.net
http://www.iwcg.net/users/ian/

From archanoid at columbus.rr.com Wed Dec 1 17:11:01 2004
From: archanoid at columbus.rr.com (Aaron Howard)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] iptables oddities
In-Reply-To:
References:
Message-ID: <1101939061.2842.43.camel@linus>

On Wed, 2004-12-01 at 16:43, Ian Wilson wrote:
>
> Where's a good place to start looking to see what the problem is?
> (Also, on a second note, my dhcp server seems to die after about 6
> hours, but I can't find anything in the syslog about it)
>

I'd say start by posting the entirety of your dhcpd.conf and the results
of "iptables -L -n" as well as the script you're using to set the
iptables rules. There's probably something wrong in your iptables rules
or your dhcpd.conf settings that is messing things up.

Also, how are you starting dhcpd? Are you passing it what interface(s)
to bind to on the command line? How are you telling it subnet
10.5.10.0/24 is for eth1 and 10.50.10.0/24 is eth2?

I assume your wireless devices get good signal from the APs either way;
but, can the APs themselves "see" the suse box? From the suse machine
(eth1), can you ping the APs? Do they have a web interface for
configuration? If so, can you access that from the suse machine on
eth1? My 802.11b AP has a "link test" function that allows me to put in
an IP address for it to ping. Can you get your APs to do this?

That's all I can think of ottomh.

-Aaron

From jep200404 at columbus.rr.com Wed Dec 1 17:11:13 2004
From: jep200404 at columbus.rr.com (Jim)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] iptables oddities
In-Reply-To:
References: <20041201165900.137d3c86.jep200404@columbus.rr.com>
Message-ID: <20041201171113.53b2881c.jep200404@columbus.rr.com>

Ian Wilson wrote:

> On Wed, 1 Dec 2004 16:59:00 -0500, Jim wrote:
> > What all else is running on this Suse box?
> ssh

(sshd I presume)

> dhcpd
> ntop (on the private wired side)
> and iptables

Good.

> > Do you use it as a normal workstation?
> Not really...

Good.

> > Do you use it as a server?
> No. All "server" type services are ran on separate machines with port
> forwarding, with the exception of ssh--sshd is the only server that is
> outward facing that is hosted on suse.

Great!
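
Added example for the "Blocking Korean IPs" thread (not code from any list member or from the krfilter site): one way to do the parsing step Aaron Howard describes, pulling the KR ipv4 records out of a file in the delegated-apnic-latest layout and printing iptables rules for review. The sample records and the GEOBLOCK chain name are constructed for illustration; each ipv4 record carries a start address and an address count, which need not form a single CIDR block.

```python
"""Build iptables DROP rules for one country from an RIR 'delegated' stats file."""
import ipaddress

# Constructed sample in the delegated-apnic-latest layout:
#   registry|cc|type|start|value|date|status
# For ipv4 records "value" is a count of addresses, not a prefix length.
# Addresses come from documentation/benchmark ranges, not real allocations.
SAMPLE = """\
# constructed sample, not real registry data
2|apnic|20041201|7|19850701|20041130|+1000
apnic|*|ipv4|*|5|summary
apnic|KR|ipv4|198.51.100.0|256|20030101|allocated
apnic|KR|ipv4|203.0.113.0|128|20030102|allocated
apnic|KR|ipv4|203.0.113.128|128|20030103|assigned
apnic|JP|ipv4|192.0.2.0|256|20030104|allocated
apnic|KR|ipv4|198.18.0.0|768|20030105|allocated
apnic|KR|ipv6|2001:db8::|32|20030106|allocated
apnic|KR|asn|64512|1|20030107|allocated
"""


def country_networks(text, cc="KR"):
    """Return the collapsed list of IPv4 networks delegated to country `cc`."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split("|")
        # The version header and the summary lines fail these checks too.
        if len(fields) < 7 or fields[1] != cc or fields[2] != "ipv4":
            continue
        if fields[6] not in ("allocated", "assigned"):
            continue
        try:
            first = ipaddress.IPv4Address(fields[3])
            count = int(fields[4])
            if count <= 0:
                continue
            last = first + (count - 1)
        except ValueError:
            continue                      # malformed record: skip, do not guess
        # A count such as 768 is not one CIDR block; split the range exactly.
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent or overlapping blocks to keep the rule count down.
    return list(ipaddress.collapse_addresses(nets))


def iptables_rules(networks, chain="GEOBLOCK"):
    """Render the networks as iptables commands (chain name is hypothetical)."""
    if not networks:
        # A truncated or empty download must not silently yield "no rules".
        raise ValueError("no networks parsed; refusing to build an empty rule set")
    rules = [f"iptables -N {chain}"]
    rules += [f"iptables -A {chain} -s {net} -j DROP" for net in networks]
    rules.append(f"iptables -I INPUT -j {chain}")
    return rules


if __name__ == "__main__":
    # Print for review instead of applying straight to the firewall.
    print("\n".join(iptables_rules(country_networks(SAMPLE, "KR"))))
```

Feeding it a locally saved copy of the APNIC file instead of SAMPLE gives the same output shape; reading the printed rules before loading them keeps the firewall change under local control.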
From windon at windon.net Wed Dec 1 20:16:54 2004
From: windon at windon.net (Chesley A Windon)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] Blocking Korean IPs
In-Reply-To: <1101936688.2842.29.camel@linus>
References: <1101914087.2842.17.camel@linus> <1101936688.2842.29.camel@linus>
Message-ID:

On Wed, 1 Dec 2004, Aaron Howard wrote:

> On Wed, 2004-12-01 at 16:20, Chesley A Windon wrote:
>> Why not use the IANA published list? Make a local copy and grep out all of
>> the APNIC allocated IP space. Actually, this should be fairly trivial to
>> automate so that you're always running with a pseudo-current list. You
>> shouldn't have to update your list but once every quarter, if that.
>>
>
> That's fine for blocking all of the Asia Pacific area...but in order to
> get down to just Korea (where I had more bots/scripts coming at me than
> anyplace else) you need to go to APNIC and use their file to break out
> just the KR entries. It's just finer-grained control. I personally
> wanted Australia, Japan, and Taiwan left open. I didn't really care
> about India, China, Indonesia, or Malaysia.
>
> -Aaron

When I'm doing too many things at once, I sometimes start offering
suggestions before I've thought the issue all of the way through, which
is one of the reasons why I don't post to the list too often. I
remembered what the original problem was about 10 minutes after I posted
last.

Still... Grep'ing out all of the network blocks assigned to APNIC and
"Various Registries" should at least reduce the cycles required to
brute-force the address space.

This does pose an interesting dilemma, to me anyway. Perhaps next time
I'm all hopped up on caffeine and can't sleep I'll try automating it
anyway.
--C

From dollzerr at iwaynet.net Wed Dec 1 21:49:05 2004
From: dollzerr at iwaynet.net (Jess Balint)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] TERM madness
In-Reply-To: <200412011314.iB1DEKM03685@srv45.cas.org>
References: <200412011314.iB1DEKM03685@srv45.cas.org>
Message-ID: <41AE82A1.2070601@iwaynet.net>

Mike Harrold wrote:

>>The normal way to change this is with the command stty:
>>
>>$ stty erase ^?
>>
>>or
>>
>>$ stty erase ^H
>>
>>Where "^?" or "^H" is Ctrl-V+Backspace. And then just put it in your
>>.profile.
>
>
> Err, you know you can just do ^h (a ^ followed by an h) right?

Well I guess I didn't. I just tried it and it worked with ^?. Thanks!

Jess

From bnmille at gmail.com Wed Dec 1 22:32:38 2004
From: bnmille at gmail.com (Brian)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] iptables oddities
In-Reply-To: <20041201171113.53b2881c.jep200404@columbus.rr.com>
References: <20041201165900.137d3c86.jep200404@columbus.rr.com> <20041201171113.53b2881c.jep200404@columbus.rr.com>
Message-ID: <9c1f8ae04120119324cd5fc44@mail.gmail.com>

When you run your iptables command, please run both of these:

/usr/sbin/iptables -nvL
/usr/sbin/iptables -nvL -t nat

This will provide both the standard filter rules, as well as anything
set up in your nat tables. I would particularly look for rules
blocking UDP ports 67 and 68 on eth1.

On Wed, 1 Dec 2004 17:11:13 -0500, Jim wrote:
> Ian Wilson wrote:
>
> > On Wed, 1 Dec 2004 16:59:00 -0500, Jim wrote:
> > > What all else is running on this Suse box?
> > ssh
>
> (sshd I presume)
>
> > dhcpd
> > ntop (on the private wired side)
> > and iptables
>
> Good.
>
> > > Do you use it as a normal workstation?
> > Not really...
>
> Good.
>
> > > Do you use it as a server?
> > No. All "server" type services are ran on separate machines with port
> > forwarding, with the exception of ssh--sshd is the only server that is
> > outward facing that is hosted on suse.
>
> Great!
>
> _______________________________________________
> colug1 mailing list
> colug1@colug.net
> http://www.colug.net/mailman/listinfo/colug1
>

From rfunk at funknet.net Wed Dec 1 22:33:06 2004
From: rfunk at funknet.net (Rob Funk)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] TERM madness
In-Reply-To: <200412011314.iB1DEKM03685@srv45.cas.org>
References: <200412011314.iB1DEKM03685@srv45.cas.org>
Message-ID: <200412012233.06344.rfunk@funknet.net>

Mike Harrold wrote:
> > The normal way to change this is with the command stty:
> > $ stty erase ^?
> > or
> > $ stty erase ^H
> >
> > Where "^?" or "^H" is Ctrl-V+Backspace. And then just put it in your
> > .profile.
>
> Err, you know you can just do ^h (a ^ followed by an h) right?

But that requires first figuring out which one your backspace sends.
It's easier just to have the key send what it's going to send.

In fact, in many cases (when the shell doesn't try to understand both
versions of backspace) you don't even need to hit control-V before the
backspace key. Then it's one key (after "stty erase ") rather than three.

--
==============================| "A microscope locked in on one point
 Rob Funk                     |Never sees what kind of room that it's in"
 http://www.funknet.net/rfunk | -- Chris Mars, "Stuck in Rewind"

From ian.m.wilson at gmail.com Wed Dec 1 23:09:47 2004
From: ian.m.wilson at gmail.com (Ian Wilson)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] iptables oddities
In-Reply-To: <9c1f8ae04120119324cd5fc44@mail.gmail.com>
References: <20041201165900.137d3c86.jep200404@columbus.rr.com> <20041201171113.53b2881c.jep200404@columbus.rr.com> <9c1f8ae04120119324cd5fc44@mail.gmail.com>
Message-ID:

On Wed, 1 Dec 2004 22:32:38 -0500, Brian wrote:
> When you run your iptables command, please run both of these:
> /usr/sbin/iptables -nvL
> /usr/sbin/iptables -nvL -t nat
> This will provide both the standard filter rules, as well as anything
> set up in your nat tables.
> I would particularly look for rules
> blocking UDP ports 67 and 68 on eth1.
>
>

I don't see anything blocking anything on port 67 or 68 UDP on eth1 or eth2.

Also, when I start up dhcpd, I get the following output in my
/var/log/messages.log, and that leads me to believe that everything is
set up correctly on the dhcpd side:

Dec 1 23:00:06 suse dhcpd: Listening on Socket/eth2/10.50.10.0/24
Dec 1 23:00:06 suse dhcpd: Sending on Socket/eth2/10.50.10.0/24
Dec 1 23:00:06 suse dhcpd: Listening on Socket/eth1/10.5.10.0/24
Dec 1 23:00:06 suse dhcpd: Sending on Socket/eth1/10.5.10.0/24

Ian

--
[insert witty comment here]
Ian Wilson
ian.m.wilson@gmail.com
http://blog.iwcg.net/users/ian/

From lefevre.10 at osu.edu Thu Dec 2 00:36:06 2004
From: lefevre.10 at osu.edu (Steve Lefevre)
Date: Sat Jan 8 01:37:08 2005
Subject: [COLUG] recent rebate success
Message-ID: <41AEA9C6.40204@osu.edu>

Hey folks --

I've had off-again, on-again experiences with rebates. In the past I've
always kept documentation, and I've never been burned with anything major.

In the past two months, I've bought several items on rebate at Micro
center. This time around, I included cover letters with each rebate
submission form. Part of the letter informs the rebate party that I have
copies of the documentation.

I don't know if it has to do with Microcenter, or if it's the new
letters, but I've gotten very fast email notification from
wheresmyrebate.com on these recent rebates. So a cover letter might not
hurt next time around.

Steve

From lefevre.10 at osu.edu Thu Dec 2 02:02:05 2004
From: lefevre.10 at osu.edu (Steve Lefevre)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] recovering a partition
Message-ID: <41AEBDED.9020004@osu.edu>

Hey folks -

I am going through a stack of hard drives trying to find some data that
I may have lost. I think I have the drive I want, and of course, the
drive isn't co-operating.

It's a 10 GB drive.
I've booted to knoppix on it, and knoppix's desktop automount can mount
/dev/hda1, which is ~100 MB. It cannot mount /dev/hda2, complaining that
there is no fs type label. I tried the mount command, specifying ext2,
ext3, and xfs (I'm certain I've never setup another fs type on linux in
my life, unless it was FAT -- hm...), and it gives the same error: wrong
fs type, or bad superblock.

fdisk says the type is 83, linux native. The Centos 3.3 installer's
graphical disk druid also calls the partition 'linux native'.

I've tried booting off the drive, and there is what appears to be a RH 9
splash screen. So I'm guessing that the drive at one time had a RH9
install on it, and the 100 MB partition at the beginning was a boot
partition. Anyways, it gets to the part 'loading linux......' and
reboots. Also, there is a 500 MB swap partition.

So I'm at the end of my expertise. Any thoughts?

Steve

From jep200404 at columbus.rr.com Thu Dec 2 08:26:49 2004
From: jep200404 at columbus.rr.com (Jim)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] recovering a partition
In-Reply-To: <41AEBDED.9020004@osu.edu>
References: <41AEBDED.9020004@osu.edu>
Message-ID: <20041202082649.071ce900.jep200404@columbus.rr.com>

Steve Lefevre wrote:

> I am going through a stack of hard drives trying to find some data that
> I may have lost. I think I have the drive I want, and of course, the
> drive isn't co-operating.

> So I'm at the end of my expertise. Any thoughts?

As root:

dd if=/dev/hda | strings | grep whatyouarelookingfor

From lefevre.10 at osu.edu Thu Dec 2 11:04:33 2004
From: lefevre.10 at osu.edu (Steve Lefevre)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] recovering a partition
In-Reply-To: <20041202082649.071ce900.jep200404@columbus.rr.com>
References: <41AEBDED.9020004@osu.edu> <20041202082649.071ce900.jep200404@columbus.rr.com>
Message-ID: <41AF3D11.4040109@osu.edu>

Thanks for the tip, Jim. So far I've gotten tons of developer comments.
Will this technique produce directory and file names?

Steve

Jim wrote:

>Steve Lefevre wrote:
>
>>I am going through a stack of hard drives trying to find some data that
>>I may have lost. I think I have the drive I want, and of course, the
>>drive isn't co-operating.
>>
>
>>So I'm at the end of my expertise. Any thoughts?
>>
>
>As root:
>
>dd if=/dev/hda | strings | grep whatyouarelookingfor
>

From dbrinkley at techneglas.com Thu Dec 2 16:44:22 2004
From: dbrinkley at techneglas.com (Daniel Brinkley)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
References: <41AEBDED.9020004@osu.edu><20041202082649.071ce900.jep200404@columbus.rr.com> <41AF3D11.4040109@osu.edu>
Message-ID: <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>

Hey all,

I'm Daniel...and I'm in the midst of converting to GNU/Linux
and everything that's open source.
I'm fed up with Micro$oft and feeling like I have no control
over my own PC.

I'm trying out Mandrake first on my Compaq Laptop
(but have yet to really decide on a distro)

Since
my friends and workmates are MS people,
I now have no resources other than online,
(and hopefully you guys.)

Which Linux flavor would be best
OR RATHER
Which flavor would be best if I needed assistance
from COLUG.

Although I consider myself a newbie, I do know the basics
(shell,etc...) since I've been thrown into a sysadmin position
maintaining several HP-UX machines and one HP3000 (MPE).

Thanks,
Daniel Brinkley
Techneglas, Inc.

----- Original Message -----
From: "Steve Lefevre"
To: "Central OH Linux User Group"
Sent: Thursday, December 02, 2004 11:04 AM
Subject: Re: [COLUG] recovering a partition

> Thanks for the tip, Jim. So far I've gotten tons of developer comments.
> Will this technique produce directory and file names?
>
> Steve
>
> Jim wrote:
>
> >Steve Lefevre wrote:
> >
> >>I am going through a stack of hard drives trying to find some data that
> >>I may have lost. I think I have the drive I want, and of course, the
> >>drive isn't co-operating.
> >>
> >
> >>So I'm at the end of my expertise. Any thoughts?
> >>
> >
> >As root:
> >
> >dd if=/dev/hda | strings | grep whatyouarelookingfor
> >

From nathan.valentine at venntech.net Thu Dec 2 16:56:50 2004
From: nathan.valentine at venntech.net (Nathan R. Valentine)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
References: <41AEBDED.9020004@osu.edu> <20041202082649.071ce900.jep200404@columbus.rr.com> <41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
Message-ID: <1102024610.2913.16.camel@chaco>

My order of preference for new Linux desktop users:

Ubuntu - www.ubuntu.org
Fedora - fedora.redhat.com
Suse - www.suse.com
Mepis - www.mepis.org

Although I suspect that you will get lots of help on this list for any
of the listed distros, feel free to contact me directly as well. All of
those listed except for Fedora also have bootable "Live" CDs that you
can use to test drive Linux on your system before making any permanent
changes to your hard drive. You might want to play with the Live CDs to
see which you like best.

Have fun. :)

--
---
Nathan Valentine, CISSP - nathan.valentine@venntech.net
Open Source Technician/Computer Forensics Analyst
Venn Technologies, Inc. : 859.403.0003
http://www.venntech.net

From brett at bnbstauffer.net Thu Dec 2 16:59:22 2004
From: brett at bnbstauffer.net (Brett Stauffer)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
References: <41AEBDED.9020004@osu.edu><20041202082649.071ce900.jep200404@columbus.rr.com><41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
Message-ID: <4095.65.24.104.178.1102024762.spork@webmail.bnbstauffer.net>

Daniel Brinkley said:
> I'm trying out Mandrake first on my Compaq Laptop
> (but have yet to really decide on a distro)

As far as ease-of-use goes, you're on the right track with Mandrake. It's
long been touted as a beginner distro.

For ubiquity, Fedora is hard to beat. I haven't tried the latest offering
(Core 3), but have had good success with Core 1 and 2. Installation is
very easy, the interface is nice and slick, and most things Just Work.
That is, with the exception of package management. IMNSHO, RPM sucks hard.
yum makes it slightly less painful. If you like to install new software
frequently, you might look elsewhere.

Ubuntu is a newcomer based on Debian, which uses apt. apt is often
thought of as the hands-down best solution for package management, and my
personal experience is consistent with this. Debian is known for
stability and a very user-unfriendly installer. Ubuntu uses a nice
installer, takes more recent versions of Debian packages, and wraps it
into a neat little package. The install is only one CD, with everything
else coming from the net. I recently installed it on my desktop at work,
and like what I see so far.

Good luck!
--brett

From jep200404 at columbus.rr.com Thu Dec 2 17:13:30 2004
From: jep200404 at columbus.rr.com (Jim)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
References: <41AEBDED.9020004@osu.edu> <20041202082649.071ce900.jep200404@columbus.rr.com> <41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
Message-ID: <20041202171330.7ab40fa6.jep200404@columbus.rr.com>

Daniel Brinkley wrote:

> Which Linux flavor would be best

Which tastes better? Your left thumb or your right thumb?
That's entirely up to you. We might know which distro
each one of us likes best, but will not be able to tell you
which distro will be best for you.

Try many distros. You won't even know what features you
care about until you've tried a variety of them:

   Red Hat / Fedora / Caosity / Centos
   Suse / Novell Desktop Linux
   Debian
   Mandrake
   Slackware
   Gentoo
   Knoppix (no installation)
   Darn Small Linux (no installation)
   LEAF/Bering

Also, consider the BSDs.
Also, play with Colinux.
Also, look at Xen.

> Which flavor would be best if I needed assistance
> from COLUG.

Any of the big distros.

http://distrowatch.com/

Since you're a beginner, consider using whichever one is
easiest for you to install on the hard drive. Install a
bunch of them. You should be able to install two or three
per evening. After you've installed half a dozen Linuxes,
you'll have a much better idea what you want, and which
distros give you that.

The domain of your email address is noted. Care to comment
on how much lead is in a typical color CRT, and how easy or
difficult it is for that lead to get inside people?

From whooper at freeshell.org Thu Dec 2 17:16:50 2004
From: whooper at freeshell.org (William Hooper)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <1102024610.2913.16.camel@chaco>
References: <41AEBDED.9020004@osu.edu> <20041202082649.071ce900.jep200404@columbus.rr.com> <41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com> <1102024610.2913.16.camel@chaco>
Message-ID: <1783.12.29.16.103.1102025810.squirrel@whooper.org>

Nathan R. Valentine said:
[snip]
> All of
> those listed except for Fedora also have bootable "Live" CDs
[snip]

Some unofficial efforts for Fedora Live CDs have also developed.

http://www.redhat.com/archives/fedora-test-list/2004-November/msg01977.html

--
William Hooper

From whooper at freeshell.org Thu Dec 2 17:18:34 2004
From: whooper at freeshell.org (William Hooper)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <4095.65.24.104.178.1102024762.spork@webmail.bnbstauffer.net>
References: <41AEBDED.9020004@osu.edu><20041202082649.071ce900.jep200404@columbus.rr.com><41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com> <4095.65.24.104.178.1102024762.spork@webmail.bnbstauffer.net>
Message-ID: <1869.12.29.16.103.1102025914.squirrel@whooper.org>

Brett Stauffer said:
[snip]
> IMNSHO, RPM sucks hard.
> yum makes it slightly less painful. If you like to install new software
> frequently, you might look elsewhere.
[snip]
> apt is often
> thought of as the hands-down best solution for package management, and my
> personal experience is consistent with this.

Groan. You could at least compare programs that do the same thing.
Compare rpm to deb. Compare yum to apt. Heck, for that matter, use apt
on Fedora.

--
William Hooper

From dane at olneyfriends.org Thu Dec 2 17:19:46 2004
From: dane at olneyfriends.org (Dane Miller)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
References: <41AEBDED.9020004@osu.edu> <20041202082649.071ce900.jep200404@columbus.rr.com> <41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
Message-ID: <1102025986.32459.4.camel@opus>

I vote Ubuntu (http://www.ubuntulinux.org).

Dane

On Thu, 2004-12-02 at 16:44, Daniel Brinkley wrote:
> Which Linux flavor would be best
> OR RATHER
> Which flavor would be best if I needed assistance
> from COLUG.

From jep200404 at columbus.rr.com Thu Dec 2 17:20:57 2004
From: jep200404 at columbus.rr.com (Jim)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <1102024610.2913.16.camel@chaco>
References: <41AEBDED.9020004@osu.edu> <20041202082649.071ce900.jep200404@columbus.rr.com> <41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com> <1102024610.2913.16.camel@chaco>
Message-ID: <20041202172057.236d2241.jep200404@columbus.rr.com>

"Nathan R. Valentine" wrote:

> All of
> those listed except for Fedora also have bootable "Live" CDs that you
> can use to test drive Linux on your system before making any permanent
> changes to your hard drive.

The Suse Live CD felt very different than a regular Suse
installation, so I'm wary of judging the regular installations
by their Live CD kin.

From jep200404 at columbus.rr.com Thu Dec 2 17:30:47 2004
From: jep200404 at columbus.rr.com (Jim)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <1102024610.2913.16.camel@chaco>
References: <41AEBDED.9020004@osu.edu> <20041202082649.071ce900.jep200404@columbus.rr.com> <41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com> <1102024610.2913.16.camel@chaco>
Message-ID: <20041202173047.0826e099.jep200404@columbus.rr.com>

"Nathan R. Valentine" wrote:

> except for Fedora also have bootable "Live" CDs

http://distrowatch.com/table.php?distribution=rpmlive

From jep200404 at columbus.rr.com Thu Dec 2 17:32:48 2004
From: jep200404 at columbus.rr.com (Jim)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
References: <41AEBDED.9020004@osu.edu> <20041202082649.071ce900.jep200404@columbus.rr.com> <41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
Message-ID: <20041202173248.30f2ff09.jep200404@columbus.rr.com>

Daniel Brinkley wrote:

> my friends and workmates are MS people,

You are going to have some FUN with them.
Boot Knoppix on their boxes.

From pat at linuxcolumbus.com Thu Dec 2 17:39:17 2004
From: pat at linuxcolumbus.com (Pat Collins)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
References: <41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com>
Message-ID: <20041202223917.GC9916@linuxcolumbus.com>

On Thu, Dec 02, 2004 at 04:44:22PM -0500, Daniel Brinkley wrote:

> I'm trying out Mandrake first on my Compaq Laptop
> (but have yet to really decide on a distro)
>

I would figure out which distro best supports the hardware in your laptop
before making a choice.

Pat

From brett at bnbstauffer.net Thu Dec 2 17:45:21 2004
From: brett at bnbstauffer.net (Brett Stauffer)
Date: Sat Jan 8 01:37:09 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <1869.12.29.16.103.1102025914.squirrel@whooper.org> References: <41AEBDED.9020004@osu.edu><20041202082649.071ce900.jep200404@columbus.rr.com><41AF3D11.4040109@osu.edu><006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com><4095.65.24.104.178.1102024762.spork@webmail.bnbstauffer.net> <1869.12.29.16.103.1102025914.squirrel@whooper.org> Message-ID: <4530.65.24.104.178.1102027521.spork@webmail.bnbstauffer.net> William Hooper said: > Groan. You could at least compare programs that do the same thing. > Compare rpm to deb. Compare yum to apt. Heck, for that matter, use apt > on Fedora. rpm is both a package format and a program. Is deb a program? If so, it's news to me. rpm has long been the way to install software on RH-based distros. yum is only a recent addition, and it didn't used to even come with the distro (does it now?). RH's official method, up2date, is even worse. Sure, you can install apt on Fedora, but that's not a "beginner" task. Install apt on Fedora, then do a 'apt-get dist-upgrade'. Is the result the same as on Debian? Using apt or firing up Synaptic on Ubuntu is a beginner task, and it works out of the box. That was my point. --brett From dbrinkley at techneglas.com Thu Dec 2 18:02:57 2004 From: dbrinkley at techneglas.com (Daniel Brinkley) Date: Sat Jan 8 01:37:09 2005 Subject: [COLUG] Looking for Distro Recommendations for new CONVert. References: <41AF3D11.4040109@osu.edu><006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com> <20041202223917.GC9916@linuxcolumbus.com> Message-ID: <00b601c4d8c3$11205350$9a0b010a@Techneglas.com> Pat said: > I would figure out which distro best supports the hardware your laptop > before making a choice. And that's certainly a good point. I had already found several online articles (after installing Mandrake) stating that Compaq laptops have their 'issues' with Linux. I knew all those wouldn't be easy. Thanks. 
----- Original Message ----- From: "Pat Collins" To: "Central OH Linux User Group" Sent: Thursday, December 02, 2004 5:39 PM Subject: Re: [COLUG] Looking for Distro Recommendations for new CONVert. > On Thu, Dec 02, 2004 at 04:44:22PM -0500, Daniel Brinkley wrote: > > > I'm trying out Mandrake first on my Compaq Laptop > > (but have yet to really decide on a distro) > > > > I would figure out which distro best supports the hardware your laptop > before making a choice. > > Pat > > _______________________________________________ > colug1 mailing list colug1@colug.net > http://www.colug.net/mailman/listinfo/colug1 From friedman at vonfriedman.com Thu Dec 2 18:04:42 2004 From: friedman at vonfriedman.com (Frank E. Friedman) Date: Sat Jan 8 01:37:09 2005 Subject: [COLUG] Recommendations Message-ID: <20041202225624.M12078@wowway.com> To all, I am helping a non-profit with some computer hardware/software. They wish to give some of their clients a PC. However, the PC's that were donated have the following specs: 133 processor 64 Meg Ram 2 Gig HD. The rest of the specifications are not really needed. I wanted to install a flavor of Linux on these PC's, but I am not too sure that I can at this point. Are these machines powerful enough that I will be able to install a flavor of Linux (with a graphical interface, Openoffice.org and Mozilla/Firefox? I was planning to use SuSE. Will this work and are there any recommendations / suggestions on how to do this. Thanks in advance. Frank PS: The only reason that I ask these questions is that I once tried to install either SuSE 9 or RH Fedora and the install stopped because I did not have at least 96 meg of ram. -- Frank E. Friedman friedman@vonfriedman.com It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change. ? 
Charles Darwin From brett at bnbstauffer.net Thu Dec 2 18:17:47 2004 From: brett at bnbstauffer.net (Brett Stauffer) Date: Sat Jan 8 01:37:09 2005 Subject: [COLUG] Looking for Distro Recommendations for new CONVert. In-Reply-To: <00b601c4d8c3$11205350$9a0b010a@Techneglas.com> References: <41AF3D11.4040109@osu.edu><006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com><20041202223917.GC9916@linuxcolumbus.com> <00b601c4d8c3$11205350$9a0b010a@Techneglas.com> Message-ID: <4549.65.24.104.178.1102029467.spork@webmail.bnbstauffer.net> Daniel Brinkley said: > And that's certainly a good point. > I had already found several online articles (after installing Mandrake) > stating that Compaq laptops have their 'issues' with Linux. You're increasing the likelihood that you'll have problems by using a laptop. Some have standard hardware and work great. Others are known for being difficult, even for experienced users. --brett From jep200404 at columbus.rr.com Thu Dec 2 19:36:04 2004 From: jep200404 at columbus.rr.com (Jim) Date: Sat Jan 8 01:37:10 2005 Subject: [COLUG] Recommendations for P133 w/64MB & 2GB In-Reply-To: <20041202225624.M12078@wowway.com> References: <20041202225624.M12078@wowway.com> Message-ID: <20041202193604.138da1cb.jep200404@columbus.rr.com> "Frank E. Friedman" wrote: > PC's ... have the following specs: > > 133 processor > 64 Meg Ram > 2 Gig HD. > I wanted to install a > flavor of Linux on these PC's, but I am not too sure that I can at this point. > > Are these machines powerful enough that I will be able to install a flavor of > Linux (with a graphical interface, Openoffice.org and Mozilla/Firefox? Yes, but the memory and CPU speed will severely affect your choices. > I was planning to use SuSE. You _can_ get a usable system, but you'll have to work at it. Starting with a fat distro, like Suse or Red Hat/Fedora might create much work for you. First of all, you won't be using KDE or Gnome. They use too much memory and CPU. 
Use one of the lightweight GUIs, such as XFCE. There are a handful of other lightweight GUIs to check out.

Use lighter browsers. I don't know how thin Firefox is. Check it out. Play with the piddly dillo.

OpenOffice is probably out of the question. Consider Abiword.

You can get a good feel for how bloated things are or are not with Knoppix. You can choose from several GUIs at boot time. I've been able to run Knoppix on machines with only 64MB by choosing a GUI other than KDE or Gnome. Use the free command often.

In short, choose lightweight GUIs and lightweight applications.

From whooper at freeshell.org Thu Dec 2 20:05:22 2004
From: whooper at freeshell.org (William Hooper)
Date: Sat Jan 8 01:37:10 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <4530.65.24.104.178.1102027521.spork@webmail.bnbstauffer.net>
References: <41AEBDED.9020004@osu.edu><20041202082649.071ce900.jep200404@columbus.rr.com><41AF3D11.4040109@osu.edu><006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com><4095.65.24.104.178.1102024762.spork@webmail.bnbstauffer.net> <1869.12.29.16.103.1102025914.squirrel@whooper.org> <4530.65.24.104.178.1102027521.spork@webmail.bnbstauffer.net>
Message-ID: <1307.192.168.0.254.1102035922.squirrel@whooper.org>

Brett Stauffer said:
> William Hooper said:
>
>> Groan. You could at least compare programs that do the same thing.
>> Compare rpm to deb. Compare yum to apt. Heck, for that matter, use apt
>> on Fedora.
>
> rpm is both a package format and a program. Is deb a program? If so,
> it's news to me.

If you want to talk about a program to install packages, compare rpm to dpkg. Not to get into a religious war or anything, but I just get tired of these one-sided "apt is better than rpm" discussions that ignore that there is more than one way to install a package on both systems.

> rpm has long been the way to install software on RH-based distros.
yum > is only a recent addition, and it didn't used to even come with the distro > (does it now?). Yum has been included in every Fedora release, along with adding the ability to use both apt and yum repos with up2date. > RH's official method, up2date, is even worse. Some real world examples would be interesting. > Sure, you can install apt on Fedora, but that's not a "beginner" task. Funny, there are a lot of beginners doing it. http://www.fedora.us/wiki/FedoraHOWTO > Install apt on Fedora, then do a 'apt-get dist-upgrade'. > Is the result the same as on Debian? No, the result is a newer version of Fedora, not Debian. Seriously, there are reports on the Fedora list of people doing version upgrades with both yum and apt. Some have better luck than others. -- William Hooper From brucehohl at yahoo.com Thu Dec 2 20:17:38 2004 From: brucehohl at yahoo.com (Bruce Hohl) Date: Sat Jan 8 01:37:10 2005 Subject: [COLUG] Looking for Distro Recommendations for new CONVert. In-Reply-To: <20041202223917.GC9916@linuxcolumbus.com> Message-ID: <20041203011738.9162.qmail@web52706.mail.yahoo.com> --- Pat Collins wrote: > On Thu, Dec 02, 2004 at 04:44:22PM -0500, Daniel > Brinkley wrote: > > > I'm trying out Mandrake first on my Compaq Laptop > > (but have yet to really decide on a distro) > > > > I would figure out which distro best supports the > hardware your laptop > before making a choice. > > Pat > SuSE claims that with version 9.2 power management for all common laptops is supported out of the box. Apparently a good deal of effort was put into better support of laptops for version 9.2. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! 
Mail has the best spam protection around http://mail.yahoo.com From rfunk at funknet.net Thu Dec 2 23:01:18 2004 From: rfunk at funknet.net (Rob Funk) Date: Sat Jan 8 01:37:10 2005 Subject: [COLUG] Recommendations In-Reply-To: <20041202225624.M12078@wowway.com> References: <20041202225624.M12078@wowway.com> Message-ID: <200412022301.18871.rfunk@funknet.net> Frank E. Friedman wrote: > I am helping a non-profit with some computer hardware/software. They > wish to give some of their clients a PC. However, the PC's that were > donated have the following specs: > > 133 processor > 64 Meg Ram > 2 Gig HD. You could try a basic install of Debian or Slackware, and use lightweight programs while avoiding KDE and Gnome. Those two desktop environments are really the major things that keep most modern mainstream distros from running on such a machine. Also check out the RULE Project: http://www.rule-project.org/ > Are these machines powerful enough that I will be able to install a > flavor of Linux (with a graphical interface, Openoffice.org and > Mozilla/Firefox? I was planning to use SuSE. Will this work and are > there any recommendations / suggestions on how to do this. Openoffice is probably out, but worth a try if you set up about 128MB or so of swap. Mozilla might be fine; Firefox would be better. SuSE is not a good choice in this case, in my opinion. > PS: The only reason that I ask these questions is that I once tried to > install either SuSE 9 or RH Fedora and the install stopped because I did > not have at least 96 meg of ram. 
-- ==============================| "A microscope locked in on one point Rob Funk |Never sees what kind of room that it's in" http://www.funknet.net/rfunk | -- Chris Mars, "Stuck in Rewind" From lowery.3 at osu.edu Fri Dec 3 04:17:44 2004 From: lowery.3 at osu.edu (Jerry Lowery) Date: Sat Jan 8 01:37:10 2005 Subject: [COLUG] Recommendations In-Reply-To: <20041202225624.M12078@wowway.com> References: <20041202225624.M12078@wowway.com> Message-ID: <1102065464.2204.6.camel@util044> Feather or DSL (Damn Small Linux) would work. Openoffice probably is too much a stretch with 64MB of memory. Current versions of X, KDE, or GNOME in SUSE would probably be very slow on the PCs. FWIW, Jerry On Thu, 2004-12-02 at 18:04 -0500, Frank E. Friedman wrote: > To all, > > I am helping a non-profit with some computer hardware/software. They wish to > give some of their clients a PC. However, the PC's that were donated have the > following specs: > > 133 processor > 64 Meg Ram > 2 Gig HD. > > The rest of the specifications are not really needed. I wanted to install a > flavor of Linux on these PC's, but I am not too sure that I can at this point. > > Are these machines powerful enough that I will be able to install a flavor of > Linux (with a graphical interface, Openoffice.org and Mozilla/Firefox? I was > planning to use SuSE. Will this work and are there any recommendations / > suggestions on how to do this. > > Thanks in advance. > > Frank > > PS: The only reason that I ask these questions is that I once tried to install > either SuSE 9 or RH Fedora and the install stopped because I did not have at > least 96 meg of ram. > > > > -- > Frank E. Friedman > friedman@vonfriedman.com > > It is not the strongest of the species that survive, nor the most > intelligent, but the one most responsive to change. > ? 
Charles Darwin > > _______________________________________________ > colug1 mailing list colug1@colug.net > http://www.colug.net/mailman/listinfo/colug1 From dane at olneyfriends.org Fri Dec 3 07:56:37 2004 From: dane at olneyfriends.org (Dane Miller) Date: Sat Jan 8 01:37:10 2005 Subject: [COLUG] Recommendations In-Reply-To: <20041202225624.M12078@wowway.com> References: <20041202225624.M12078@wowway.com> Message-ID: <1102078596.3172.5.camel@opus> I went through this exercise about a year ago with a PII 250Mhz system, 64mb Ram, 5gb HD. I chose the ICEwm window manager and Konqueror for web browsing... even having to load the relevant KDE libraries this approach required less RAM than Mozilla, Firefox, or Opera. Dane On Thu, 2004-12-02 at 18:04, Frank E. Friedman wrote: > To all, > > I am helping a non-profit with some computer hardware/software. They wish to > give some of their clients a PC. However, the PC's that were donated have the > following specs: > > 133 processor > 64 Meg Ram > 2 Gig HD. > > The rest of the specifications are not really needed. I wanted to install a > flavor of Linux on these PC's, but I am not too sure that I can at this point. > > Are these machines powerful enough that I will be able to install a flavor of > Linux (with a graphical interface, Openoffice.org and Mozilla/Firefox? I was > planning to use SuSE. Will this work and are there any recommendations / > suggestions on how to do this. > > Thanks in advance. > > Frank > > PS: The only reason that I ask these questions is that I once tried to install > either SuSE 9 or RH Fedora and the install stopped because I did not have at > least 96 meg of ram. > > > > -- > Frank E. Friedman > friedman@vonfriedman.com > > It is not the strongest of the species that survive, nor the most > intelligent, but the one most responsive to change. 
> Charles Darwin > > _______________________________________________ > colug1 mailing list colug1@colug.net > http://www.colug.net/mailman/listinfo/colug1 > From frank_rieder at bankone.com Fri Dec 3 08:09:27 2004 From: frank_rieder at bankone.com (frank_rieder@bankone.com) Date: Sat Jan 8 01:37:10 2005 Subject: [COLUG] Looking for Distro Recommendations for new CONVert. In-Reply-To: <20041203011738.9162.qmail@web52706.mail.yahoo.com> Message-ID: I am running 9.2 on my laptop and it works flawlessly. Ready to go from the second boot. [the first boot was after the first disk is installed (base)] Suspend works great even if I just close the laptop. There are different options for closing the laptop. Battery Life also shows higher that with 9.1 or 9.0. Not by much but it reads another 15 min at a full charge. Frank Rieder Operations Specialist Banc One Leasing Corporation Mail code: OH1-1178 Phone: 614-213-4591 Fax: 614-213-2083 toll-free 800-879-7184 ext. 34591 Email : Frank Rieder@Bankone.com |---------+----------------------------> | | Bruce Hohl | | | | | | Sent by: | | | colug1-bounces@co| | | lug.net | | | | | | | | | 12/02/2004 08:17 | | | PM | | | Please respond to| | | Central OH Linux | | | User Group | |---------+----------------------------> >-----------------------------------------------------------------------------------------------------------------------------| | | | To: colug1@colug.net | | cc: | | Subject: Re: [COLUG] Looking for Distro Recommendations for new CONVert. | >-----------------------------------------------------------------------------------------------------------------------------| --- Pat Collins wrote: > On Thu, Dec 02, 2004 at 04:44:22PM -0500, Daniel > Brinkley wrote: > > > I'm trying out Mandrake first on my Compaq Laptop > > (but have yet to really decide on a distro) > > > > I would figure out which distro best supports the > hardware your laptop > before making a choice. 
>
> Pat
>

SuSE claims that with version 9.2 power management for all common laptops is supported out of the box. Apparently a good deal of effort was put into better support of laptops for version 9.2.

From skippy at skippy.net Fri Dec 3 09:58:38 2004
From: skippy at skippy.net (Scott Merrill)
Date: Sat Jan 8 01:37:10 2005
Subject: [COLUG] Debian upkeep
Message-ID: <40493.216.136.35.122.1102085918.squirrel@216.136.35.122>

Are there any automated scripts or processes (suitable for cron) that I can use to monitor when new packages are available in my specified apt repositories? I'd like to keep informed about when new packages are available for my server (as opposed to just any new packages), but don't yet feel comfortable automating the actual installation of new packages.

Thanks!
Scott

--
skippy@skippy.net | http://skippy.net/

From tobey at ilive4code.net Fri Dec 3 10:24:03 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:10 2005
Subject: [COLUG] Over Customizing RedHat
Message-ID: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4>

Hello everyone,

I work at a large company where we will be deploying hundreds of servers running RedHat Advanced Server 3.0.
We have developed a customized build via kickstart where we install the default package groups. We also use the kickstart file to add several additional RPM's needed by specific applications and remove about 30 RPM's that our security team deems have excessive risk. Besides a few RPM's I would like re-added, such as wget and ethereal, everything works great.

Our dilemma is the security team here would like us to edit the comps.xml file and remove hundreds of additional packages. They would prefer our systems have the bare minimum packages (RPM's) required to run. They also want to audit exactly which packages are on every system. They argue the more software our systems have installed the less secure they are. Keep in mind all setuid programs, running daemons, and system file permissions are currently tracked. This argument here is about possible unused or rarely used software existing on our systems.

If this was a specific custom build for a single application and for support by a small group of admins I would be okay with this. Although, our build is targeted for a large number of applications and will be supported by a large team of system admins, application admins, application developers, and 3rd party vendors. The stability and availability of production systems costing potentially hundreds of thousands of dollars is at stake here.

Has anyone else experienced this in their work place? What are your thoughts on gutting a RedHat system?
Travis Sidelinger
travis@ilive4code.net

From jep200404 at columbus.rr.com Fri Dec 3 10:50:09 2004
From: jep200404 at columbus.rr.com (Jim)
Date: Sat Jan 8 01:37:10 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4>
Message-ID: <20041203105009.2ce5d414.jep200404@columbus.rr.com>

Travis Sidelinger wrote:

> we will be deploying hundreds of servers

> the security team here would like us to edit the comps.xml
> file and remove hundreds of additional packages. They would prefer our
> systems have the bare minimum packages (RPM's) required to run. They also
> want to audit exactly which packages are on every system. They argue the
> more software our systems have installed the less secure they are.

They are correct.

> This argument here is about possible unused or rarely
> used software existing on our systems.

When an attacker gets a toehold in a system, those unused programs might have the weakness that allows them to gain control over the whole system. The security folks are correct to remove unused code.

> If this was a specific custom build for a single application and for
> support by a small group of admins I would be okay with this.

Actually, I would tolerate a fat install more for a single machine more than I would for a server farm.

> Although,
> our build is targeted for a large number of applications and will be
> supported by a large team of system admins, application admins,
> application developers, and 3rd party vendors. The stability and
> availability of production systems costing potentially hundreds of thousands
> of dollars is at stake here.

With a mono-culture of software on hundreds of systems, the compromise of one computer can spread to other computers, so I can understand the caution that the security folks are exercising. Stripping unnecessary code (and services) from computers is indeed part of good security.
As long as there _is_ enough code left to run the applications, then the removal of unused code is good. You _can_ have good discussions about what code is really needed. There is always the classic tradeoff between convenience and security. If your question is about security, the minimalists win hands down. If you ask a business question, about balancing the risk of loss due to intrusion versus the risk of loss of revenue by making work more difficult, then you can have the beginning of a discussion. > What are your thoughts on gutting a RedHat system. Sounds like good classic security. From nathan.valentine at venntech.net Fri Dec 3 10:54:48 2004 From: nathan.valentine at venntech.net (Nathan R. Valentine) Date: Sat Jan 8 01:37:10 2005 Subject: [COLUG] Debian upkeep In-Reply-To: <40493.216.136.35.122.1102085918.squirrel@216.136.35.122> References: <40493.216.136.35.122.1102085918.squirrel@216.136.35.122> Message-ID: <1102089288.6421.37.camel@chaco> http://packages.debian.org/stable/admin/cron-apt Can be configured to check for updates, check and download, or check and download and auto-install. I only recommend the first though. By default, runs nightly and emails the results to whatever address you configure. Also: $ apt-cache search ^apt That will give you a list of lots of useful tools in Debian for scripting and altering the behavior of apt. One of my favorites is apt-listchanges. Enjoy. :) -- --- Nathan Valentine, CISSP - nathan.valentine@venntech.net Open Source Technician/Computer Forensics Analyst Venn Technologies, Inc. : 859.403.0003 http://www.venntech.net -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://www.colug.net/pipermail/colug/attachments/20041203/962fe7eb/attachment.bin

From archanoid at columbus.rr.com Thu Dec 2 19:50:25 2004
From: archanoid at columbus.rr.com (Aaron Howard)
Date: Sat Jan 8 01:37:10 2005
Subject: [COLUG] Looking for Distro Recommendations for new CONVert.
In-Reply-To: <4549.65.24.104.178.1102029467.spork@webmail.bnbstauffer.net>
References: <41AF3D11.4040109@osu.edu> <006f01c4d8b8$18ce1e80$9a0b010a@Techneglas.com> <20041202223917.GC9916@linuxcolumbus.com> <00b601c4d8c3$11205350$9a0b010a@Techneglas.com> <4549.65.24.104.178.1102029467.spork@webmail.bnbstauffer.net>
Message-ID: <1102035025.3130.214.camel@linus>

On Thu, 2004-12-02 at 18:17, Brett Stauffer wrote:
> You're increasing the likelihood that you'll have problems by using a
> laptop. Some have standard hardware and work great. Others are known for
> being difficult, even for experienced users.

I am using Fedora Core 2 on an HP Pavilion ze5300 series laptop. Everything works. No, I take that back. Gnome refuses to burn a CD for me. Somewhere, it's got a setting that's causing it to pass something cdrecord doesn't like. If I use command line, I can burn just fine. Also, this is a model with a touch pad for the mouse and before kernel 2.6.9 the tap-to-click function didn't work. Now it works and is too sensitive. If any part of my hand accidentally touches the pad (like while I'm typing as now) the system responds as though I just clicked the left mouse button. I almost prefer 2.6.8 not even recognizing it.

Anyway, other than those two things, everything works. WLAN, printing to both USB and network (smb) printers, desktop apps, development apps, vmware, etc. Like a charm.

I am partial to redhat based distros (and the sucky rpm stuff too) if only because of my RHCE.
But, I gotta say, I've installed and used Debian on a number of systems and find apt to be a thing of beauty. I still remember installing Debian from an old install CD (like a 2.1) and apt just automagically updated it to the then current distribution (2.).

-Aaron

From tobey at ilive4code.net Fri Dec 3 13:20:27 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:10 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <20041203105009.2ce5d414.jep200404@columbus.rr.com>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com>
Message-ID: <44671.155.188.191.3.1102098027.squirrel@155.188.191.3>

I can understand how a running daemon with an exploit can be a danger, but if a static read only file has an exploit, how is this a danger? I suppose if this program opened pipes or sockets the intruder could lie in wait for the process to start up and then take advantage of the exploit. Or, the intruder could craft malicious data files and trick someone into parsing the file with the exploitable program. In the first case here I would think keeping track of who is logging into your systems and what programs they are running would be a better approach. In the second case here I would think managing proper file permissions and watching what your programs are doing would be the better approach.

One of the things I have seen over and over again with the minimalist approach to security is that the machines are so secure the admins themselves don't have the tools they need to admin their machines. They end up spending more time working with less tools and they don't have time to focus on proper security and configuration. Often the machines end up less secure because of configuration, patching, and support issues.

For the two examples given above, auditing permissions and monitoring processes, I have seen it many times where people do not have the time for these.
Their time is spent just getting their applications working and filling out security exception requests for all the system additions they need to make. Often they can't figure their stuff out and blindly use a shotgun approach. The end result is they are often no more secure and sometimes even less secure.

> Travis Sidelinger wrote:
>
>> we will be deploying hundreds of servers
>
>> the security team here would like us to edit the comps.xml
>> file and remove hundreds of additional packages. They would prefer our
>> systems have the bare minimum packages (RPM's) required to run. They also
>> want to audit exactly which packages are on every system. They argue the
>> more software our systems have installed the less secure they are.
>
> They are correct.
>
>> This argument here is about possible unused or rarely
>> used software existing on our systems.
>
> When an attacker gets a toehold in a system, those unused
> programs might have the weakness that allows them to gain
> control over the whole system. The security folks are
> correct to remove unused code.
>
>> If this was a specific custom build for a single application and for
>> support by a small group of admins I would be okay with this.
>
> Actually, I would tolerate a fat install more for a single machine
> more than I would for a server farm.
>
>> Although,
>> our build is targeted for a large number of applications and will be
>> supported by a large team of system admins, application admins,
>> application developers, and 3rd party vendors. The stability and
>> availability of production systems costing potentially hundreds of thousands
>> of dollars is at stake here.
>
> With a mono-culture of software on hundreds of systems, the compromise of
> one computer can spread to other computers, so I can understand the
> caution that the security folks are exercising. Stripping unnecessary code
> (and services) from computers is indeed part of good security.
>
> As long as there _is_ enough code left to run the applications,
> then the removal of unused code is good.
>
> You _can_ have good discussions about what code is really needed.
> There is always the classic tradeoff between convenience and security.
> If your question is about security, the minimalists win hands down.
> If you ask a business question, about balancing the risk of loss due to
> intrusion versus the risk of loss of revenue by making work
> more difficult, then you can have the beginning of a discussion.
>
>> What are your thoughts on gutting a RedHat system?
>
> Sounds like good classic security.

From whooper at freeshell.org Fri Dec 3 14:03:22 2004
From: whooper at freeshell.org (William Hooper)
Date: Sat Jan 8 01:37:10 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <44671.155.188.191.3.1102098027.squirrel@155.188.191.3>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <44671.155.188.191.3.1102098027.squirrel@155.188.191.3>
Message-ID: <1625.12.29.16.103.1102100602.squirrel@whooper.org>

Travis Sidelinger said:
> I can understand how a running daemon with an exploit can be a danger,
> but if a static read only file has an exploit, how is this a danger?

Local exploits can be just as dangerous as remote exploits. Case in point, the Debian hack:

http://lists.debian.org/debian-devel-announce/2003/11/msg00012.html

Someone got the password for a local account and went to town using a local vulnerability in the kernel.
-- William Hooper From peter.king at utoronto.ca Fri Dec 3 14:15:59 2004 From: peter.king at utoronto.ca (Peter King) Date: Sat Jan 8 01:37:11 2005 Subject: [COLUG] Over Customizing RedHat In-Reply-To: <20041203105009.2ce5d414.jep200404@columbus.rr.com> References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> Message-ID: <20041203191559.GA17839@antec> On Fri, Dec 03, 2004 at 10:50:09AM -0500, Jim wrote: > > we will be deploying hundreds of servers [snip] > > What are your thoughts on gutting a RedHat system. [snip] Too much effort in a distro not designed for it. You want a secure solution deployed over hundreds of machines in a server farm? Install OpenBSD. Its footprint is lightweight. Add only what you need. Even out of the box (i.e. before configuring PF) it's very secure. While it isn't an easy desktop OS (though it is possible to run it that way), as a secure and responsive server OS it's hard to beat.* _______________________________________________________________________ * Unless you're running SMP systems with >4 processors, in which case OpenBSD doesn't scale all that well. But it sounds like you've opted for multiplying machines rather than processors within the machines. -- Peter King peter.king@utoronto.ca Department of Philosophy 215 Huron Street The University of Toronto (416)-978-3788 ofc Toronto, ON M5S 1A1 CANADA http://individual.utoronto.ca/pking/ ========================================================================= GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42) gpg --keyserver pgp.mit.edu --recv-keys 7587EC42 -------------- next part -------------- A non-text attachment was scrubbed... 
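The package audit the security team asks for earlier in this thread ("audit exactly which packages are on every system") can be sketched as below. This is an added example, not part of any message in the archive: a POSIX shell function that compares a host's installed package names against an approved baseline. The function names, file layout and sample package lists are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare installed package names with an
# approved baseline. Function names, file layout and sample data are assumptions.
#
# On a Red Hat host the installed list would come from:
#   rpm -qa --qf '%{NAME}\n' > installed.txt

# normalize_list FILE: strip '#' comments, surrounding blanks and empty lines,
# then sort uniquely in the C locale so comm(1) sees consistently ordered input.
normalize_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1" |
        LC_ALL=C sort -u
}

# audit_packages BASELINE INSTALLED
# Prints "UNEXPECTED <pkg>" for installed packages missing from the baseline
# and "MISSING <pkg>" for baseline packages that are not installed.
# Returns 0 if the host matches the baseline, 1 on drift, 2 on usage/IO error.
audit_packages() {
    [ -r "$1" ] && [ -r "$2" ] || {
        echo "usage: audit_packages BASELINE INSTALLED" >&2
        return 2
    }
    audit_tmp=$(mktemp -d) || return 2
    normalize_list "$1" > "$audit_tmp/want"
    normalize_list "$2" > "$audit_tmp/have"
    {
        # comm -13 keeps lines found only in the installed list.
        LC_ALL=C comm -13 "$audit_tmp/want" "$audit_tmp/have" | sed 's/^/UNEXPECTED /'
        # comm -23 keeps lines found only in the baseline.
        LC_ALL=C comm -23 "$audit_tmp/want" "$audit_tmp/have" | sed 's/^/MISSING /'
    } > "$audit_tmp/report"
    cat "$audit_tmp/report"
    if [ -s "$audit_tmp/report" ]; then audit_rc=1; else audit_rc=0; fi
    rm -rf "$audit_tmp"
    return "$audit_rc"
}

# demo_audit: run the audit on constructed sample lists (not real host data).
demo_audit() {
    demo_dir=$(mktemp -d) || return 2
    printf '%s\n' '# approved server baseline (constructed)' \
        bash openssh-server rpm > "$demo_dir/baseline"
    # The duplicate "bash" stands in for a package installed for two architectures.
    printf '%s\n' bash rpm wget ethereal bash > "$demo_dir/installed"
    audit_packages "$demo_dir/baseline" "$demo_dir/installed" && demo_rc=0 || demo_rc=$?
    rm -rf "$demo_dir"
    return "$demo_rc"
}

demo_audit || echo "drift detected (exit status $?)"
```

Run from cron on each host, the non-zero exit status on drift gives a monitoring job something to alert on without parsing the report.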
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://www.colug.net/pipermail/colug/attachments/20041203/7ba61c67/attachment.bin

From todd at todd.homedns.org Fri Dec 3 14:19:29 2004
From: todd at todd.homedns.org (Todd)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Re: Over Customizing RedHat
Message-ID:

The security guys are 100% correct. My experience leans more toward the Novell side of things (currently) in a large corporate environment, but "less is more".

If you don't need a product or service, it should not be installed or running. If you find you need a product or service in the future, you can add it, however it can be a severe security risk running products and services that are not necessary if an exploit is found for one of these services you may not be using but are installed.

As a security person, you must audit and manage every service running in the environment and verify at all times that no vulnerabilities exist for services running (or if they do, work to mitigate the issues or patch). Therefore, if it isn't needed to do the job, remove it.

Todd

From tobey at ilive4code.net Fri Dec 3 14:32:27 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <1625.12.29.16.103.1102100602.squirrel@whooper.org>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <44671.155.188.191.3.1102098027.squirrel@155.188.191.3> <1625.12.29.16.103.1102100602.squirrel@whooper.org>
Message-ID: <44364.155.188.255.5.1102102347.squirrel@155.188.255.5>

I am familiar with this Debian incident and I fully agree with patching kernel exploits and all setuid programs.

>
> Travis Sidelinger said:
>> I can understand how a running daemon with an exploit can be a danger,
>> but if a static read only file has an exploit, how is this a danger?
>
> Local exploits can be just as dangerous as remote exploits. Case in
> point, the Debian hack:
>
> http://lists.debian.org/debian-devel-announce/2003/11/msg00012.html
>
> Someone got the password for a local account and went to town using a
> local vulnerability in the kernel.
>
> --
> William Hooper
>

From jim at rossberry.com Fri Dec 3 14:37:08 2004
From: jim at rossberry.com (Jim Wildman)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4>
Message-ID:

On Fri, 3 Dec 2004, Travis Sidelinger wrote:

> Hello everyone,
>
> I work at a large company where we will be deploying hundreds of servers
> running RedHat Advanced Server 3.0. We have developed a customized build

so do I.

> via kickstart where we install the default package groups. We also use the
> kickstart file to add several additional RPM's needed by specific
> applications and remove about 30 RPM's that our security team deems have
> excessive risk. Besides a few RPM's I would like re-added, such as wget
> and ethereal, everything works great.

ditto

>
> Our dilemma is the security team here would like us to edit the comps.xml
> file and remove hundreds of additional packages. They would prefer our

What good would that do? Keeps them from being available to install during kickstart, but you already have that scripted.

> systems have the bare minimum packages (RPM's) required to run. They also
> want to audit exactly which packages are on every system. They argue the
> more software our systems have installed the less secure they are. Keep in
> mind all setuid programs, running daemons, and system file permissions are
> currently tracked.
> This argument here is about possible unused or rarely
> used software existing on our systems.

I agree with them. What tools are they proposing to use?

>
> If this was a specific custom build for a single application and for
> support by a small group of admins I would be okay with this. Although,
> our build is targeted for a large number of applications and will be
> supported by a large team of system admins, application admins,
> application developers, and 3rd party vendors. The stability and
> availability of production systems costing potentially hundreds of thousands
> of dollars is at stake here.

So have them certify the foundation build, then have them certify groups of applications that are either pulled by 'keystone' rpms (to borrow Phil's term) or using yumgroups. So you can turn a certified 'foundation' box into a 'development' box with one command.

>
> Has anyone else experienced this in their work place? What are your
> thoughts on gutting a RedHat system.

working on it right now and do it all the time.

>
> Travis Sidelinger
> travis@ilive4code.net
>

------------------------------------------------------------------------
Jim Wildman, CISSP, RHCE
jim@rossberry.com
http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine

From jacob at teched.net Fri Dec 3 14:41:12 2004
From: jacob at teched.net (J.
Jacob Hopkins)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4>
Message-ID: <20041203194112.GA19127@noroute.teched.net>

On Fri, Dec 03, 2004 at 10:24:03AM -0500, Travis Sidelinger wrote:

> I work at a large company where we will be deploying hundreds of servers
> running RedHat Advanced Server 3.0.

Is this the same company indicated in the headers?

> Besides a few RPM's I would like re-added, such as wget and ethereal,
> everything works great.

wget and ethereal? It isn't clear what you do, or what you need the tools for... what was the policy maker/enforcer's response when you asked for the tools?

> Our dilemma is the security team here would like us to edit the comps.xml
> file and remove hundreds of additional packages. They would prefer our
> systems have the bare minimum packages (RPM's) required to run. They also
> want to audit exactly which packages are on every system. They argue the
> more software our systems have installed the less secure they are. Keep in
> mind all setuid programs, running daemons, and system file permissions are
> currently tracked. This argument here is about possible unused or rarely
> used software existing on our systems.

It sounds like they have established a policy. They are the security team and you are an admin, developer, or something else?

> If this was a specific custom build for a single application and for
> support by a small group of admins I would be okay with this.

So you disagree with the policy?

> Although, our build is targeted for a large number of applications and
> will be supported by a large team of system admins, application admins,
> application developers, and 3rd party vendors. The stability and
> availability of production systems costing potentially hundreds of thousands
> of dollars is at stake here.

Are you arguing for or against the policy here?
> Has anyone else experienced this in their work place? What are your
> thoughts on gutting a RedHat system.

It is a good start.

Jacob
jacob@teched.net

From nathan.valentine at venntech.net Fri Dec 3 14:52:32 2004
From: nathan.valentine at venntech.net (Nathan R. Valentine)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <20041203191559.GA17839@antec>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <20041203191559.GA17839@antec>
Message-ID: <1102103552.2914.130.camel@chaco>

I'm not the biggest fan of SuSE because I don't believe that they have as strong a commitment to Open Source and Free Software as other distros like Debian and Red Hat, but, honestly, the demos that I have seen for some of Novell's centralized authentication and patch management software make me think that it would probably be easier to lock down a large number of machines using those tools than going through the trouble of paring a distro down to absolute minimum yourself.

> Too much effort in a distro not designed for it. You want a secure
> solution deployed over hundreds of machines in a server farm?
>
> Install OpenBSD.
>
> Its footprint is lightweight. Add only what you need. Even out of the
> box (i.e. before configuring PF) it's very secure. While it isn't an
> easy desktop OS (though it is possible to run it that way), as a secure
> and responsive server OS it's hard to beat.*

Imagine a circle labeled like this at the cardinals:

Identify -> Recover -> Monitor -> Prevent

It is often labeled "the security lifecycle" or something similar. I know, more CISSP junk. ;)

OpenBSD is really good at the Prevent part but not so good at the Recover part. Most Linux distros are good at the Recover but not so good at Prevent. It's a wash on the Identify and Monitor. OpenBSD gets the nod on Prevent because they value security so highly in the design process.
Linux gets the nod on Recover because the distros that use package management are easier to patch en masse than OpenBSD. The Linux guys are getting better on the Prevent part with SELinux, RSBAC, overflow countermeasures, and similar stuff. The OpenBSD guys are getting better on Recover now that they are working on improvement to the upgrade and patching process.

IMO, overall, trading one for the other ends up being a wash. Training and familiarity are more important than which kernel you run. I'm personally more comfortable with Debian so that's what works well for me.

--
---
Nathan Valentine, CISSP - nathan.valentine@venntech.net
Open Source Technician/Computer Forensics Analyst
Venn Technologies, Inc. : 859.403.0003
http://www.venntech.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.colug.net/pipermail/colug/attachments/20041203/103f3e8f/attachment.bin

From tobey at ilive4code.net Fri Dec 3 15:17:21 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Re: Over Customizing RedHat
In-Reply-To:
References:
Message-ID: <59533.155.188.255.3.1102105041.squirrel@155.188.255.3>

Again, I agree with all running services should be patched and audited. The point I'm trying to make here is with non-running software.

Example: let's say we have 200 machines. Randomly across all machines the x-server is only used on each machine ~0.20 times a month. Due to security reasons the X-server was not installed.

200 machines * 0.20 = 40 uses of X each month.
Now let's add up our time spent on tasks:

Time spent getting the security exception approval: maybe 1-5 days
Time spent explaining to the application team that installing the x-server will not break their app: 1-2 hrs
Time spent getting the change request approved: 4hrs over 2 weeks
Time spent installing xfree86 with network available: 1 min
Time spent installing xfree86 without network available:
    Getting datacenter access approved: 2hrs over 2 weeks
    Getting to the datacenter: 0.5 - 2 hrs
    Installing xfree86: 2 minutes
    Remembering to bring the correct cdroms: priceless
Time spent configuring xfree86: 1-10 min, varies with different admins
... Perform tasks needed with xfree86 ....
Remembering to remove xfree86 when finished: 1 min
Time spent removing the x-server on machines where they failed to uninstall it: repeat the whole process

Now, add all this up and multiply by 40 and then divide by 14 system admins. How much time do you think these admins have left to worry about real security?

I suggest we only run the x-server when needed. Instead of spending our time only installing where needed, we could spend our time hardening other security settings and auditing our systems. Regular patching should always be done on all systems regardless.

> The security guys are 100% correct. My experience leans more toward the
> Novell side of things (currently) in a large corporate environment, but
> "less is more".
>
> If you don't need a product or service, it should not be installed or
> running. If you find you need a product or service in the future, you
> can add it, however it can be a severe security risk running products
> and services that are not necessary if an exploit is found for one of
> these services you may not be using but are installed.
>
> As a security person, you must audit and manage every service running in
> the environment and verify at all times that no vulnerabilities exist for
> services running (or if they do, work to mitigate the issues or patch).
> Therefore, if it isn't needed to do the job, remove it.
>
> Todd
>

From tobey at ilive4code.net Fri Dec 3 15:25:43 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <20041203194112.GA19127@noroute.teched.net>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203194112.GA19127@noroute.teched.net>
Message-ID: <43905.155.188.191.5.1102105543.squirrel@155.188.191.5>

> On Fri, Dec 03, 2004 at 10:24:03AM -0500, Travis Sidelinger wrote:
>
>> I work at a large company where we will be deploying hundreds of servers
>> running RedHat Advanced Server 3.0.
>
> Is this the same company indicated in the headers?
>
>> Besides a few RPM's I would like re-added, such as wget and ethereal,
>> everything works great.
>
> wget and ethereal? It isn't clear what you do, or what you need the
> tools for... what was the policy maker/enforcer's response when you
> asked for the tools?

Let me see, with wget one could possibly write scripts using clear text passwords. With ethereal, one could possibly sniff passwords. Keep in mind they did let us keep tcpdump. (Please don't flame me over this. These are NOT my words.)

>
>> Our dilemma is the security team here would like us to edit the
>> comps.xml
>> file and remove hundreds of additional packages. They would prefer our
>> systems have the bare minimum packages (RPM's) required to run. They
>> also
>> want to audit exactly which packages are on every system. They argue
>> the
>> more software our systems have installed the less secure they are. Keep
>> in
>> mind all setuid programs, running daemons, and system file permissions
>> are
>> currently tracked. This argument here is about possible unused or
>> rarely
>> used software existing on our systems.
>
> It sounds like they have established a policy. They are the security
> team and you are an admin, developer, or something else?

Admin.

>
>> If this was a specific custom build for a single application and for
>> support by a small group of admins I would be okay with this.
>
> So you disagree with the policy?

No, I completely agree with this practice. Although, this is not very practical in this environment. The cost of one admin per project is too high, and who will support this once you leave.

>
>> Although, our build is targeted for a large number of applications and
>> will be supported by a large team of system admins, application admins,
>> application developers, and 3rd party vendors. The stability and
>> availability of production systems costing potentially hundreds of
>> thousands
>> of dollars is at stake here.
>
> Are you arguing for or against the policy here?

for

>
>> Has anyone else experienced this in their work place? What are your
>> thoughts on gutting a RedHat system.
>
> It is a good start.
>
> Jacob
> jacob@teched.net

From jep200404 at columbus.rr.com Fri Dec 3 15:30:10 2004
From: jep200404 at columbus.rr.com (Jim)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <44671.155.188.191.3.1102098027.squirrel@155.188.191.3>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <44671.155.188.191.3.1102098027.squirrel@155.188.191.3>
Message-ID: <20041203153010.4d3149b3.jep200404@columbus.rr.com>

Travis wrote:

> I can understand how a running daemon with an exploit can be a danger, but
> if a static read only file has an exploit, how is this a danger?

Computers are run by people. People get tired and make mistakes. Having to check some innocuous file takes someone's time.
How many files are on a regular installation of RH? Is each one going to be looked at and judged? What applications use that file? How do they use it? Configuration files are often dangerous. What user is that config file run as? Does the application run the config file as a shell script? What information might that file have that would give an attacker some insight into how to further compromise the computer (or other computers)?

Complexity is the enemy of security. By avoiding having the file, one avoids security issues with it.

> I suppose if this program opened pipes or sockets the intruder could lie
> in wait for the process to start up and then take advantage of the
> exploit. Or, the intruder could craft malicious data files and trick
> someone into parsing the file with the exploitable program.

Yup. There are many many ways to crack a system. You need to fight all of them. The latter also answers in part your first question about how a "static" read-only file can compromise a system.

> In the first case here I would think keeping track of who is logging into
> your systems and what programs they are running would be a better
> approach.

That is a good thing to do _in_addition_ to reducing the number of files to mess with.

> In the second case here I would think managing proper file
> permissions and watching what your programs are doing would be the better
> approach.

That is a good thing to do _in_addition_ to reducing the number of files to mess with.

> One of the things I have seen over and over again with the minimalist
> approach to security is that the machines are so secure the admins
> themselves don't have the tools they need to admin their machines. They
> end up spending more time working with less tools and they don't have time
> to focus on proper security and configuration. Often the machines end up
> less secure because of configuration, patching, and support issues.
There certainly can be tradeoffs, but I don't get the feeling that you are not haggling over just a few utilities, but over a heck of a lot of utilities.

By the way, one of the utilities you mentioned was ethereal. Go to www.cert.org and search for ethereal.

> For the two examples given above, auditing permissions and monitoring
> processes, I have seen it many times where people do not have the time for
> these.

Amen. Security can be hard and boring. Innocuous read-only files can be camouflage. It's harder for bad guys to hide in a forest, when the forest is reduced to flat dirt. Fewer packages and files is more secure than many packages and files.

> Their time is spent just getting their applications working and
> filling out security exception requests for all the system additions they
> need to make.

I have been frustrated by the inconveniences imposed on me when using a shared computer, but I also understood that the restrictions were actually appropriate and appreciated the protection that they gave me from other users.

> Often they can't figure they stuff out and blindly use a
> shotgun approach.

Complexity is an enemy of security. Extraneous files, no matter how seemingly innocuous, do not aid in figuring stuff out. They distract. By making a system as simple as possible, one makes stuff easier to figure out, reducing the desperate urge to "shotgun" stuff.

From nathan.valentine at venntech.net Fri Dec 3 14:29:19 2004
From: nathan.valentine at venntech.net (Nathan R.
Valentine)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <44671.155.188.191.3.1102098027.squirrel@155.188.191.3>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <44671.155.188.191.3.1102098027.squirrel@155.188.191.3>
Message-ID: <1102102159.2912.106.camel@chaco>

On Fri, 2004-12-03 at 13:20 -0500, Travis Sidelinger wrote:
> I can understand how a running daemon with an exploit can be a danger, but
> if a static read only file has an exploit, how is this a danger?

The concept is called privilege escalation. I may be able to gain access to the system with limited privileges and then use my limited access to launch an attack that produces access with greater privileges. For instance, I use an SQL injection attack against a dynamic web site to run arbitrary commands as the special low-privilege user account set aside for the web server process. One of those commands builds a reverse SSH tunnel which I then use to get an interactive login to the system. Once I have interactive access to the system, I search for suid binaries with known buffer overflow exploits or with known symlink/race condition attacks.

> I suppose if this program opened pipes or sockets the intruder could lie
> in wait for the process to start up and then take advantage of the
> exploit. Or, the intruder could craft malicious data files and trick
> someone into parsing the file with the exploitable program.

Those are also popular techniques. And, I might add, easily scripted techniques.

> In the first case here I would think keeping track of who is logging into
> your systems and what programs they are running would be a better
> approach. In the second case here I would think managing proper file
> permissions and watching what your programs are doing would be the better
> approach.

Keeping track of what programs a user has run is a good step but it is a reactive measure.
Assuming that the traces are not wiped, it will only tell you what has happened. It doesn't prevent bad stuff from happening and in security, "an ounce of prevention is worth a pound of cure" is very much the truth. Minimizing the number of applications, users, and privileges on a system is, ready for that non-word, "pro-active". Search the web for the term "attack trees". In a nutshell, the fewer the branches in the attack tree the more secure the environment and minimization leads to fewer branches.

> One of the things I have seen over and over again with the minimalist
> approach to security is that the machines are so secure the admins
> themselves don't have the tools they need to admin their machines. They
> end up spending more time working with less tools and they don't have time
> to focus on proper security and configuration. Often the machines end up
> less secure because of configuration, patching, and support issues.

An integral part of security is the cost-benefit analysis. For every security practice or countermeasure that you employ you must compare the cost of the countermeasure against the value of the asset. Security measures are only appropriate up to the point where their cost exceeds the likely loss from a compromise. In CISSP-world, we have terms like Single Loss Expectancy and Annualized Loss Expectancy. It is certainly possible to go overboard and reduce your effectiveness but my experience is that it is far more costly, and more common, to be cavalier about security and then suffer greater loss from an exposure. Again, preventative medicine.

I have trouble envisioning a scenario where even cumbersomely strict pro-active security measures lead to problems with configuration, patching, and support. Perhaps you can elaborate. I suspect that those are actually symptoms of something besides the security program. Keep reading...
> For the two examples given above, auditing permissions and monitoring
> processes, I have seen it many times where people do not have the time for
> these. Their time is spent just getting their applications working and
> filling out security exception requests for all the system additions they
> need to make. Often they can't figure they stuff out and blindly use a
> shotgun approach. The end result is they are often no more secure and
> sometimes even less secure.

That is not a problem of security; that is a problem of priorities, security procedures, and professionalism. Both management and staff must understand that "just get it working" cannot become the de facto method of operation if they expect a secure, stable, supportable environment. The two are diametrically opposed almost to a mathematically provable level. Similarly, the security folks have to understand that security measures do not override business goals. They are there to make the organization *more* effective not *less*. If you have one set of people preaching "just get it done" and another set of people preaching "total security at all costs" then upper management has not effectively defined, communicated, or delegated the security program.

That's my buck and a half two cents at a time. ;)

--
---
Nathan Valentine, CISSP - nathan.valentine@venntech.net
Open Source Technician/Computer Forensics Analyst
Venn Technologies, Inc. : 859.403.0003
http://www.venntech.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.colug.net/pipermail/colug/attachments/20041203/e7580426/attachment.bin

From tobey at ilive4code.net Fri Dec 3 15:56:21 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <200412031746.iB3Hkn86010818@fenris.bitwolf.com>
References: Your message of "Fri, 03 Dec 2004 10:24:03 EST." <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <200412031746.iB3Hkn86010818@fenris.bitwolf.com>
Message-ID: <47146.155.188.191.5.1102107381.squirrel@155.188.191.5>

This is exactly what I have been talking about. We do have another team that maintains a much stripped distribution used for internet facing machines. Though, they support a small set of applications and have many fewer systems. Their system admin to server ratio is much higher.

> In a tome entitled
> <58867.155.188.255.4.1102087443.squirrel@155.188.255.4>, "Travis Sidelinger" has written:
>>
>> Has anyone else experienced this in their work place? What are your
>> thoughts on gutting a RedHat system.
>
> YMMV, but I used to gut RedHat to run servers. As the system became
> smaller and smaller, there was an increase in dependency problems
> ( not all caught by RPM ) and general bits of minor weirdness. As
> long as my network was small and I was willing to devote a fair
> amount of time to testing/debugging then it was a manageable task.
> A couple of years ago, my network grew to the point where this
> wasn't practical for a single administrator, and I changed tactics.
> I now use two distributions. I use Trustix ( www.trustix.org ), a
> server distribution derived from RedHat, for servers and limited
> capability workstations, adding packages that are needed, but not
> in the distribution. For "full featured" workstations, I use
> RedHat/Fedora and strip out packages.
> By using a distribution
> appropriate to the machine, I stray less from the stable distribution
> and minimize the work I need to do.
>
> Paul
>
>

From tobey at ilive4code.net Fri Dec 3 16:02:44 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <20041203191559.GA17839@antec>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <20041203191559.GA17839@antec>
Message-ID: <37442.155.188.255.3.1102107764.squirrel@155.188.255.3>

I can see this fly like a lead balloon. Don't get me wrong, I like OpenBSD. It's just not an Enterprise ready OS. For instance, when my 5 terabyte SAN driven Oracle database crashes and I lose 3 million dollars over 2 hours... Who do I get to sue?

> On Fri, Dec 03, 2004 at 10:50:09AM -0500, Jim wrote:
>
>> > we will be deploying hundreds of servers
> [snip]
>> > What are your thoughts on gutting a RedHat system.
> [snip]
>
> Too much effort in a distro not designed for it. You want a secure
> solution deployed over hundreds of machines in a server farm?
>
> Install OpenBSD.
>
> Its footprint is lightweight. Add only what you need. Even out of the
> box (i.e. before configuring PF) it's very secure. While it isn't an
> easy desktop OS (though it is possible to run it that way), as a secure
> and responsive server OS it's hard to beat.*
> _______________________________________________________________________
>
> * Unless you're running SMP systems with >4 processors, in which case
> OpenBSD doesn't scale all that well. But it sounds like you've opted
> for multiplying machines rather than processors within the machines.
>
> --
> Peter King peter.king@utoronto.ca
> Department of Philosophy
> 215 Huron Street
> The University of Toronto (416)-978-3788 ofc
> Toronto, ON M5S 1A1
> CANADA
>
> http://individual.utoronto.ca/pking/
>
> ========================================================================
> GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42)
> gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
>

From chriseverest at gmail.com Fri Dec 3 16:18:22 2004
From: chriseverest at gmail.com (Chris Everest)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <37442.155.188.255.3.1102107764.squirrel@155.188.255.3>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <20041203191559.GA17839@antec> <37442.155.188.255.3.1102107764.squirrel@155.188.255.3>
Message-ID: <864321e204120313181042b164@mail.gmail.com>

Good Point Travis.....!

Have you discussed your dilemma with the RedHat Support Reps..... ? I am curious as to what their recommendations were.

On Fri, 3 Dec 2004 16:02:44 -0500 (EST), Travis Sidelinger wrote:
> I can see this fly like a lead balloon. Don't get me wrong, I like OpenBSD.
> It's just not an Enterprise ready OS. For instance, when my 5 terabyte
> SAN driven Oracle database crashes and I lose 3 million dollars over 2
> hours... Who do I get to sue?
>
>
>
> > On Fri, Dec 03, 2004 at 10:50:09AM -0500, Jim wrote:
> >
> >> > we will be deploying hundreds of servers
> > [snip]
> >> > What are your thoughts on gutting a RedHat system.
> > [snip]
> >
> > Too much effort in a distro not designed for it. You want a secure
> > solution deployed over hundreds of machines in a server farm?
> >
> > Install OpenBSD.
> >
> > Its footprint is lightweight. Add only what you need. Even out of the
> > box (i.e.
> > before configuring PF) it's very secure. While it isn't an
> > easy desktop OS (though it is possible to run it that way), as a secure
> > and responsive server OS it's hard to beat.*
> > _______________________________________________________________________
> >
> > * Unless you're running SMP systems with >4 processors, in which case
> > OpenBSD doesn't scale all that well. But it sounds like you've opted
> > for multiplying machines rather than processors within the machines.
> >
> > --
> > Peter King peter.king@utoronto.ca
> > Department of Philosophy
> > 215 Huron Street
> > The University of Toronto (416)-978-3788 ofc
> > Toronto, ON M5S 1A1
> > CANADA
> >
> > http://individual.utoronto.ca/pking/
> >
> > ========================================================================
> > GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42)
> > gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
> >
>

--
Chris Everest
http://vinylproject.com/~everestc/

From archanoid at columbus.rr.com Fri Dec 3 16:31:28 2004
From: archanoid at columbus.rr.com (Aaron Howard)
Date: Sat Jan 8 01:37:11 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <37442.155.188.255.3.1102107764.squirrel@155.188.255.3>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <20041203191559.GA17839@antec> <37442.155.188.255.3.1102107764.squirrel@155.188.255.3>
Message-ID: <1102109488.2844.19.camel@linus>

On Fri, 2004-12-03 at 16:02, Travis Sidelinger wrote:
> I can see this fly like a lead balloon. Don't get me wrong, I like OpenBSD.
> It's just not an Enterprise ready OS.
For instance, when my 5 terabyte > SAN driven Oracle database crashes and I loose 3 million dollars over 2 > hours... Who do I get to sue? > Microsoft? Oh! Oh! I know: SCO All kidding aside, I have no idea if you can get OpenBSD from somebody who'll support it at that level. I also have no idea if Oracle will support you running in that configuration. I also have no idea if you SAN vendor or anybody else for that matter will support you. On the other hand, can you sue Red Hat? What kind of warranty do you get from them when you admittedly run a customized RHEL3? Are they or Oracle willing to say, "Hey, we don't mind being held responsible for your systems which you've done a lot of custom hacking on and are running custom apps and have custom RPMs installed and we really have very little idea of how well you've tested all that and haven't done any testing of your configurations on our own. We love that kind of liability!" Also, your X example was imho a bad choice: I cannot think of a reason X should be *required* on a server. A monitor should not be required on a server, much less a GUI. That said, I can understand why you might occasionally need a tool (wget, curl, lrzsz, etc.) that a security admin would normally want non-existent on the machine. But, in regards to innocuous software just sitting around installed on the machine, think of this: it's often nice to have a complete C build chain on a machine so you can patch things easily...(although in an enterprise environment you hopefully have more appropriate patch management)...and such a thing could never be open to remote exploitation...however, as surely as an ursus eliminates alfresco you do not want make and gcc lying around on your servers. My $0.02. 
-Aaron

From jroyse at gmail.com Fri Dec 3 16:36:38 2004
From: jroyse at gmail.com (Josiah Royse)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] Recommendations
In-Reply-To: <20041202225624.M12078@wowway.com>
References: <20041202225624.M12078@wowway.com>
Message-ID: <1722bf504120313361a557d35@mail.gmail.com>

On Thu, 2 Dec 2004 18:04:42 -0500, Frank E. Friedman wrote:
> Are these machines powerful enough that I will be able to install a flavor of
> Linux (with a graphical interface, Openoffice.org and Mozilla/Firefox? I was
> planning to use SuSE. Will this work and are there any recommendations /
> suggestions on how to do this.

I would also check out http://www.distrowatch.org and look for Peanut Linux.

--Josiah

From tobey at ilive4code.net Fri Dec 3 16:55:38 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <864321e204120313181042b164@mail.gmail.com>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <20041203191559.GA17839@antec> <37442.155.188.255.3.1102107764.squirrel@155.188.255.3> <864321e204120313181042b164@mail.gmail.com>
Message-ID: <49347.155.188.255.3.1102110938.squirrel@155.188.255.3>

I did not negotiate the actual contract, though we do pay them a lot of
money for each system.

I have opened a case with RedHat to determine the impact of editing the
comps.xml file and gutting the system of many more RPM's. The results of
this case are still pending. I expect the second part to require
consulting hours.

> Good Point Travis.....!
>
> Have you discussed your dilemma with the RedHat Support Reps..... ?
> I am curious as to what their recommendations were.
>
>
> On Fri, 3 Dec 2004 16:02:44 -0500 (EST), Travis Sidelinger
> wrote:
>> I can see this fly like a lead balloon. Don't get me wrong, I like
>> OpenBSD.
>> It's just not an Enterprise ready OS. For instance, when my 5 terabyte
>> SAN driven Oracle database crashes and I lose 3 million dollars over 2
>> hours... Who do I get to sue?
>>
>>
>>
>> > On Fri, Dec 03, 2004 at 10:50:09AM -0500, Jim wrote:
>> >
>> >> > we will be deploying hundreds of servers
>> > [snip]
>> >> > What are your thoughts on gutting a RedHat system.
>> > [snip]
>> >
>> > Too much effort in a distro not designed for it. You want a secure
>> > solution deployed over hundreds of machines in a server farm?
>> >
>> > Install OpenBSD.
>> >
>> > Its footprint is lightweight. Add only what you need. Even out of the
>> > box (i.e. before configuring PF) it's very secure. While it isn't an
>> > easy desktop OS (though it is possible to run it that way), as a secure
>> > and responsive server OS it's hard to beat.*
>> > _______________________________________________________________________
>> >
>> > * Unless you're running SMP systems with >4 processors, in which case
>> > OpenBSD doesn't scale all that well. But it sounds like you've opted
>> > for multiplying machines rather than processors within the machines.
>> >
>>
>
>
> --
> Chris Everest
> http://vinylproject.com/~everestc/
>
>

From bnmille at gmail.com Fri Dec 3 18:24:45 2004
From: bnmille at gmail.com (Brian)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <49347.155.188.255.3.1102110938.squirrel@155.188.255.3>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <20041203191559.GA17839@antec> <37442.155.188.255.3.1102107764.squirrel@155.188.255.3> <864321e204120313181042b164@mail.gmail.com> <49347.155.188.255.3.1102110938.squirrel@155.188.255.3>
Message-ID: <9c1f8ae04120315244899e31a@mail.gmail.com>

I would suggest this tack: Do the install as currently planned on one
box. Then start removing rpms. If the server still functions as
intended, you edit that file out of the comps.xml file. That should give
assurance that the server will work, and make the security people happy.

If there is a specific program that you need to assist in your
administration, you should be able to justify why you need it. Saying,
"I don't want to take the trouble to remove it" is not, in my opinion, a
sufficient justification.
But since you are going through the effort to remove unneeded programs,
security should be willing to give you some leeway in terms of what stays
on the install.

I think you should try to remove as many files as possible, for all the
reasons others have suggested. However, you should also be able to get
the security people to accept that some programs might have to be
re-installed, if you later find that they are needed (and the need can be
justified). The justification process shouldn't require an act of
Congress, but it also should not be based on one user's "I want it." If
you have a group of admins supporting the systems, and they all agree the
previously removed program is necessary, I would hope your security
people are reasonable enough to let you put it back on.

This allows you to remove as many programs as possible, while still
getting your job done. And it will allow the security people to keep
better tabs on what programs need to be updated if a security patch is
released.

On Fri, 3 Dec 2004 16:55:38 -0500 (EST), Travis Sidelinger wrote:
> I did not negotiate the actual contract, though we do pay them a lot of
> money for each system.
>
> I have opened a case with RedHat to determine the impact of editing the
> comps.xml file and gutting the system of many more RPM's. The results of
> this case are still pending. I expect the second part to require
> consulting hours.
>
>
>
> > Good Point Travis.....!
> >
> > Have you discussed your dilemma with the RedHat Support Reps..... ?
> > I am curious as to what their recommendations were.
> >
> >

From jim at rossberry.com Fri Dec 3 19:08:16 2004
From: jim at rossberry.com (Jim Wildman)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <864321e204120313181042b164@mail.gmail.com>
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <20041203191559.GA17839@antec> <37442.155.188.255.3.1102107764.squirrel@155.188.255.3> <864321e204120313181042b164@mail.gmail.com>
Message-ID:

On Fri, 3 Dec 2004, Chris Everest wrote:

> On Fri, 3 Dec 2004 16:02:44 -0500 (EST), Travis Sidelinger
> wrote:
> > I can see this fly like a lead balloon. Don't get me wrong, I like OpenBSD.
> > It's just not an Enterprise ready OS. For instance, when my 5 terabyte
> > SAN driven Oracle database crashes and I lose 3 million dollars over 2
> > hours... Who do I get to sue?

Nobody. Regardless of whose OS you are running. (I know, I know, PHB's
think support contracts give them the right to sue.)

------------------------------------------------------------------------
Jim Wildman, CISSP, RHCE jim@rossberry.com http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best
state, is a necessary evil; in its worst state, an intolerable one."
Thomas Paine

From tobey at ilive4code.net Fri Dec 3 19:34:47 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To:
References: <58867.155.188.255.4.1102087443.squirrel@155.188.255.4> <20041203105009.2ce5d414.jep200404@columbus.rr.com> <20041203191559.GA17839@antec> <37442.155.188.255.3.1102107764.squirrel@155.188.255.3> <864321e204120313181042b164@mail.gmail.com>
Message-ID: <39442.155.188.255.5.1102120487.squirrel@155.188.255.5>

Oh, I know too. Often once you go through all the fine print both
parties' agreements are voided.
> On Fri, 3 Dec 2004, Chris Everest wrote:
>
>> On Fri, 3 Dec 2004 16:02:44 -0500 (EST), Travis Sidelinger
>> wrote:
>> > I can see this fly like a lead balloon. Don't get me wrong, I like OpenBSD.
>> > It's just not an Enterprise ready OS. For instance, when my 5 terabyte
>> > SAN driven Oracle database crashes and I lose 3 million dollars over 2
>> > hours... Who do I get to sue?
>
> Nobody. Regardless of whose OS you are running. (I know, I know, PHB's
> think support contracts give them the right to sue.)
>
> ------------------------------------------------------------------------
> Jim Wildman, CISSP, RHCE jim@rossberry.com http://www.rossberry.com
> "Society in every state is a blessing, but Government, even in its best
> state, is a necessary evil; in its worst state, an intolerable one."
> Thomas Paine
>
>

From tobey at ilive4code.net Fri Dec 3 19:58:22 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <1e488c1e7d20.1e7d201e488c@columbus.rr.com>
References: <1e488c1e7d20.1e7d201e488c@columbus.rr.com>
Message-ID: <43026.155.188.255.3.1102121902.squirrel@155.188.255.3>

I have several examples for binaries embedded in Bourne shell scripts.
Plus we have both perl and python available. Why not use these to run
the exploit?

I do see your point on the ease of running root kits. Although, I would
predict for every 1 minute you save an includer, weeks are wasted by the
supporting system admins. Though, I guess this would strongly depend on
your frequency of breakins.

What about locking down the development tools to only a special group.
If someone needs to run them, then we could just add them to that special
group.
This would not require a change control, it would be easy to audit in
NIS, and best of all -> another team manages NIS groups.

> Travis Sidelinger wrote:
>> Couldn't they just as easily upload
>> their pre-compiled exploits?
>>
>
> No, actually, they couldn't...not "just as easily" anyway. When creating
> shell code or uploading binaries, there is some specific tailoring to a
> given kernel and libraries. It is actually considered easier to upload
> the build chain and compile against the local system than to upload
> pre-compiled binaries.
>
> Of course, if they can transfer anything they want to the system, they can
> easily transfer make, etc., so it hardly matters. But, it's harder. And
> considering a lot of the danger is from script kiddies...if it's harder,
> there's a lot less danger.
>
> Consider an exploit in sendmail (just a for instance here) that can get
> you remote root capabilities. Now, if I attack your system and gain root
> due to this, what binaries do I need to upload? What if the server I just
> broke into runs Solaris? Or a BSD? It's not so simple then to install my
> root kit automatically if it's binaries. But if it's source, I just
> upload the source and run make. Bingo, now my root kit is good for your
> RHEL box, the guy down the street's Solaris box, and some other person's
> BSD system. All in one easily scriptable root kit.
>
> It's not that it can't be done w/o the build system; but, by leaving a
> build-chain on the system, you're just making the script kiddie's job that
> much easier.
>
> -Aaron
>
>
>

From tomjhanlon at earthlink.net Fri Dec 3 20:08:51 2004
From: tomjhanlon at earthlink.net (Tom Hanlon)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <37442.155.188.255.3.1102107764.squirrel@155.188.255.3>
Message-ID: <0FA42D38-4591-11D9-9ABE-00039317745E@earthlink.net>

On Friday, December 3, 2004, at 04:02 PM, Travis Sidelinger wrote:

> I can see this fly like a lead balloon. Don't get me wrong, I like
> OpenBSD.
> It's just not an Enterprise ready OS. For instance, when my 5 terabyte
> SAN driven Oracle database crashes and I lose 3 million dollars over 2
> hours... Who do I get to sue?
>

This argument about who I get to sue is one that I hear all the time. I
usually hear it in regards to open source vs proprietary. The implied
logic is that because you pay for it they have some sort of guarantee
that it will work or something like that. If you read the license
agreement for SAN or Oracle or MS you will see that your chances of suing
anybody are pretty slim. At most they accept liability for the price of
the product. So if WIN XP kills your whole business you can get $200
back.

I don't know for sure but it seems that the security blanket that a
manager imagines that he has because there is someone he can sue is a
pretty lame safety net.

I do not mean to start a flame war, and I hope one does not develop but
the question I always want to ask when someone sez "who am I gonna sue
when...." I always want to say "Good luck with that lawsuit strategy !"
I can count plenty of bad software products but I can recall very few
lawsuits.

The other assumption that is made is that the for profit company makes
better software than the OS guys because they have a reputation to
maintain based upon the quality of the product. This can be true but an
investment in marketing seems to take precedence over an investment in
quality. Seems like the folks most concerned about their reputation are
the OS guys. They can not cover up a shoddy product with slick
marketing, they do no marketing whatsoever.

Just my 2 cents...
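Travis Sidelinger's proposal earlier in this thread, restricting the development tools to a special group, is only "easy to audit" if something actually checks the file modes. The script below is an added example, not part of any poster's message: the tool list, the group name `devtools` and the directories scanned are assumptions.

```shell
#!/bin/sh
# Added example: report build tools that are runnable by users outside
# one designated group. Tool list, group name and directories are
# assumptions for illustration, not values from the thread.

DEVTOOLS="gcc cc g++ make ld as"

# check_tool PATH GROUP
# Prints one finding per problem and returns 1 if PATH is executable by
# "other" or is not owned by GROUP. Returns 0 if the file is locked down,
# 2 if it cannot be inspected.
check_tool() {
    ct_path=$1
    ct_group=$2
    # -L follows symlinks, since compiler names are often links.
    ct_line=$(ls -ldL "$ct_path" 2>/dev/null) || return 2
    ct_mode=$(printf '%s\n' "$ct_line" | awk '{print $1}')
    ct_owner_group=$(printf '%s\n' "$ct_line" | awk '{print $4}')
    # Character 10 of the mode string is the execute bit for "other".
    ct_other_x=$(printf '%s' "$ct_mode" | cut -c10)
    ct_status=0
    case $ct_other_x in
        x|t)
            echo "WORLD-EXEC $ct_mode $ct_path"
            ct_status=1
            ;;
    esac
    if [ "$ct_owner_group" != "$ct_group" ]; then
        echo "WRONG-GROUP $ct_owner_group $ct_path"
        ct_status=1
    fi
    return $ct_status
}

# audit_dirs GROUP DIR...
# Checks every known tool name in every DIR, prints the findings and a
# "findings=N" summary, and returns non-zero if any tool failed.
audit_dirs() {
    ad_group=$1
    shift
    ad_bad=0
    for ad_dir in "$@"; do
        for ad_tool in $DEVTOOLS; do
            [ -f "$ad_dir/$ad_tool" ] || continue
            check_tool "$ad_dir/$ad_tool" "$ad_group" || ad_bad=$((ad_bad + 1))
        done
    done
    echo "findings=$ad_bad"
    [ "$ad_bad" -eq 0 ]
}

# Stand-alone use: sh audit_devtools.sh --run devtools
if [ "${1:-}" = "--run" ]; then
    audit_dirs "${2:-devtools}" /usr/bin /usr/local/bin
fi
```

A tool passes only when it has a mode such as 750 with the designated group as its group owner; run from cron, a non-zero exit flags a package update that reset the permissions.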

From tobey at ilive4code.net Fri Dec 3 21:03:03 2004
From: tobey at ilive4code.net (Travis Sidelinger)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] Over Customizing RedHat
In-Reply-To: <0FA42D38-4591-11D9-9ABE-00039317745E@earthlink.net>
References: <37442.155.188.255.3.1102107764.squirrel@155.188.255.3> <0FA42D38-4591-11D9-9ABE-00039317745E@earthlink.net>
Message-ID: <41145.155.188.191.5.1102125783.squirrel@155.188.191.5>

I have seen a lot of money wasted on exactly what you just described.
But, good luck trying to explain this to management. They often do an
analysis of the company. Whether they have a good product or not, if
they don't have good capital they don't get the contract.

For myself, I believe in using open source tools or good common tools,
and building what is needed internally. Make sure you spread the
knowledge across a team, so when your best programmer walks out you can
still support the stuff. In the end, I think you will keep been staff in
house.

Often management wants someone they can pass the blame to. If management
paid a good reputable company for a service and the project failed, they
can at say all their ducks were in a row and it was the other company's
fault. Now compare this to a questionable company (at least perceived as
questionable.). I think you can see where I'm going on this one.

There is a saying I've heard here at work: "No one ever gets fired for
bringing in IBM." The project may have cost you a crap load of money and
accomplished nothing, but management still keeps their jobs at the end of
the week.

>
> On Friday, December 3, 2004, at 04:02 PM, Travis Sidelinger wrote:
>
>> I can see this fly like a lead balloon. Don't get me wrong, I like
>> OpenBSD.
>> It's just not an Enterprise ready OS. For instance, when my 5 terabyte
>> SAN driven Oracle database crashes and I lose 3 million dollars over 2
>> hours... Who do I get to sue?
>>
>
> This argument about who I get to sue is one that I hear all the time. I
> usually hear it in regards to open source vs proprietary. The implied
> logic is that because you pay for it they have some sort of guarantee
> that it will work or something like that. If you read the license
> agreement for SAN or Oracle or MS you will see that your chances of suing
> anybody are pretty slim. At most they accept liability for the price of
> the product. So if WIN XP kills your whole business you can get $200
> back.
>
> I don't know for sure but it seems that the security blanket that a
> manager imagines that he has because there is someone he can sue is a
> pretty lame safety net.
>
> I do not mean to start a flame war, and I hope one does not develop but
> the question I always want to ask when someone sez "who am I gonna sue
> when...." I always want to say "Good luck with that lawsuit strategy !"
> I can count plenty of bad software products but I can recall very few
> lawsuits.
>
> The other assumption that is made is that the for profit company makes
> better software than the OS guys because they have a reputation to
> maintain based upon the quality of the product. This can be true but an
> investment in marketing seems to take precedence over an investment in
> quality. Seems like the folks most concerned about their reputation are
> the OS guys. They can not cover up a shoddy product with slick
> marketing, they do no marketing whatsoever.
>
> Just my 2 cents...
>
>
>

From jep200404 at columbus.rr.com Fri Dec 3 22:02:47 2004
From: jep200404 at columbus.rr.com (Jim)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] PHP Database IDE RAD?
In-Reply-To: <405484B6.4000108@byrd.net>
References: <4054802A.2040201@skippy.net> <405484B6.4000108@byrd.net>
Message-ID: <20041203220247.6dd54f26.jep200404@columbus.rr.com>

George Byrd wrote:

> I am developing web pages with php/apache/mysql and am so tired of
> having to do everything by scratch.

Check out Zend Studio
http://zend.com/store/products/zend-studio.php

From colug_cmh at yahoo.com Fri Dec 3 21:51:55 2004
From: colug_cmh at yahoo.com (COLUG Administratus)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] Head's Up: Pending Email Address Change
Message-ID: <20041204025156.66060.qmail@web61308.mail.yahoo.com>

The email address change for this mailing list worked great for
several months, but the spammers have found it, so expect this
list to change to a new address soon.

If after a few days you stop getting email,
you'll have to resubscribe to the new list name,
which will likely be colug432 instead of colug1.

From pat at linuxcolumbus.com Fri Dec 3 23:34:24 2004
From: pat at linuxcolumbus.com (Pat Collins)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] Head's Up: Pending Email Address Change
In-Reply-To: <20041204025156.66060.qmail@web61308.mail.yahoo.com>
References: <20041204025156.66060.qmail@web61308.mail.yahoo.com>
Message-ID: <20041204043424.GH9916@linuxcolumbus.com>

On Fri, Dec 03, 2004 at 06:51:55PM -0800, COLUG Administratus wrote:
> The email address change for this mailing list worked great for
> several months, but the spammers have found it, so expect this
> list to change to a new address soon.
> If after a few days you stop getting email,
> you'll have to resubscribe to the new list name,
> which will likely be colug432 instead of colug1.
>

Why not just use a white list of subscribers. Anyone else gets a 553 cya
later spammer message.
Un-friendly, but I think it is stupid to keep changing the list email
address all the time.

How bout it you postfix gurus.

Pat

From lefevre.10 at osu.edu Wed Dec 8 15:27:45 2004
From: lefevre.10 at osu.edu (Steve Lefevre)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] javascript work needed
Message-ID: <41B763C1.1050308@osu.edu>

Hey gang --

Looking for a javascript expert to help with a project. Email me at
lefevre.10@osu.edu and I will email you the details. Then please submit
a bid.

Steve Lefevre

From lefevre.10 at osu.edu Thu Dec 9 14:50:22 2004
From: lefevre.10 at osu.edu (Steve Lefevre)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] using grub/lilo to boot Windows
Message-ID: <41B8AC7E.1040800@osu.edu>

Hey folks -

I'm helping a friend with an IBM thinkpad 600E laptop. It has a ~200 Mhz
processor. Until recently, it was running Win98 on a 2 GB drive. She
didn't have enough space to install anything new, so I directed her to
buy a 40 GB drive.

I installed Win2k and XP on it. Both times, the install went ok, but on
reboot, the drive wouldn't boot. To test, I installed debian, and it
booted okay (with a 40 GB partition). I tried re-installing win2k
several times, and no luck.

So we loaded Win98 SE. Fdisk would only create a 7 GB partition. Now
Win98 SE has crapped out, and I am going to do a reinstall of it, if my
little experiment doesn't work out.

I was thinking that I could install Win2k on a 35 MB partition, and then
do an install of another modern distro, and have her use the lilo menu
to boot to the win2k partition. Would this work?

Steve Lefevre

From chriseverest at gmail.com Thu Dec 9 15:12:54 2004
From: chriseverest at gmail.com (Chris Everest)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] using grub/lilo to boot Windows
In-Reply-To: <41B8AC7E.1040800@osu.edu>
References: <41B8AC7E.1040800@osu.edu>
Message-ID: <864321e20412091212506f08b0@mail.gmail.com>

I think that your idea would work... However, here is a tip.
This has happened to me many, many times. LILO usually overwrites the
MBR by default on the hard disk. Windows then cannot boot (unless LILO
is configured to boot the Win32 partition).

If you boot into the install CD (Win 2000 or Win XP) and enter the
recovery/repair console (before installing) and then issue the command
'fixmbr' the MBR will be rewritten to boot a win32 OS...

Or you can do the 35GB Windows + 5 GB Linux idea. Be careful though, if a
valid win32 partition is not found, LILO will not create a Win32 boot
option by default. You will then have to set one up manually.

On Thu, 09 Dec 2004 14:50:22 -0500, Steve Lefevre wrote:
> Hey folks -
>
> I'm helping a friend with an IBM thinkpad 600E laptop. It has a ~200 Mhz
> processor. Until recently, it was running Win98 on a 2 GB drive. She
> didn't have enough space to install anything new, so I directed her to
> buy a 40 GB drive.
>
> I installed Win2k and XP on it. Both times, the install went ok, but on
> reboot, the drive wouldn't boot. To test, I installed debian, and it
> booted okay (with a 40 GB partition). I tried re-installing win2k
> several times, and no luck.
>
> So we loaded Win98 SE. Fdisk would only create a 7 GB partition. Now
> Win98 SE has crapped out, and I am going to do a reinstall of it, if my
> little experiment doesn't work out.
>
> I was thinking that I could install Win2k on a 35 MB partition, and then
> do an install of another modern distro, and have her use the lilo menu
> to boot to the win2k partition. Would this work?
>
> Steve Lefevre
>

--
Chris Everest
http://vinylproject.com/~everestc/

From s.molnar at sbcglobal.net Thu Dec 9 15:17:38 2004
From: s.molnar at sbcglobal.net (Stephen P. Molnar, Ph.D.)
Date: Sat Jan 8 01:37:12 2005
Subject: [COLUG] using grub/lilo to boot Windows
In-Reply-To: <41B8AC7E.1040800@osu.edu>
References: <41B8AC7E.1040800@osu.edu>
Message-ID: <6.0.0.22.2.20041209151709.02ca24b0@pop.sbcglobal.yahoo.com>

Grub will do it for you. That's how I boot my laptop.

At 02:50 PM 12/9/2004, you wrote:
>Hey folks -
>
>I'm helping a friend with an IBM thinkpad 600E laptop. It has a ~200 Mhz
>processor. Until recently, it was running Win98 on a 2 GB drive. She
>didn't have enough space to install anything new, so I directed her to buy
>a 40 GB drive.
>
>I installed Win2k and XP on it. Both times, the install went ok, but on
>reboot, the drive wouldn't boot. To test, I installed debian, and it
>booted okay (with a 40 GB partition). I tried re-installing win2k several
>times, and no luck.
>
>So we loaded Win98 SE. Fdisk would only create a 7 GB partition. Now Win98
>SE has crapped out, and I am going to do a reinstall of it, if my little
>experiment doesn't work out.
>
>I was thinking that I could install Win2k on a 35 MB partition, and then
>do an install of another modern distro, and have her use the lilo menu to
>boot to the win2k partition. Would this work?
>
>Steve Lefevre

Stephen P. Molnar, Ph.D.        Life is a fuzzy set
Foundation for Chemistry        Multivariant and stochastic
http://www.geocities.com/FoundationForChemistry