Editor: Michael Orr
Technical Editor: Heather Stern
Senior Contributing Editor: Jim Dennis
Contributing Editors: Michael "Alex" Williams, Don Marti, Ben Okopnik
TWDT 1 (gzipped text file) TWDT 2 (HTML file) are files containing the entire issue: one in text format, one in HTML. They are provided strictly as a way to save the contents as one file for later printing in the format of your choice; there is no guarantee of working links in the HTML version.
This page maintained by the Editor of Linux Gazette, gazette@ssc.com
Copyright © 1996-2001 Specialized Systems Consultants, Inc.
The Mailbag! Write the Gazette at gazette@ssc.com
Send tech-support questions, answers and article ideas to The Answer Gang <tag@ssc.com>. Other mail (including questions or comments about the Gazette itself) should go to <gazette@ssc.com>. All material sent to either of these addresses will be considered for publication in the next issue. Please send answers to the original querent too, so that s/he can get the answer without waiting for the next issue.
Unanswered questions might appear here. Questions with answers--or answers only--appear in The Answer Gang, 2-Cent Tips, or here, depending on their content. There is no guarantee that questions will ever be answered, especially if not related to Linux.
Before asking a question, please check the Linux Gazette FAQ to see if it has been answered there.
Hi all,
I have a webserver on our internal LAN that I would like to make accessible to the Internet. I have set up a firewall (RH6.2) using ipchains to allow Internet access from my LAN through an ADSL connection.
The firewall has two NICs, one for the external (Internet) connection and one for the internal (LAN) connection. The ADSL modem/router is set up to NAT the static IP of the router to the IP of the internal server.
i.e.
-->static IP [ADSL modem/router] 1.2.3.4 ----> 1.2.3.5 [ Firewall ] 10.11.12.13 ---> LAN ( webserver=10.11.12.20) NAT static IP:443 -> 10.11.12.20:443
I know attempts to access the internal server via the static IP are getting to my firewall and being accepted by the input rule, but I don't know what I need to do from there on in to get the request to the LAN.
On the firewall if I issue the following:
ipchains -C input -p tcp -i eth1 -s <internet address> 443 -d 10.11.12.20 443
it is accepted.
If I issue the following:
ipchains -C forward -p tcp -i eth1 -s <internet address> 443 -d 10.11.12.20 443
it is accepted.
If I issue the following:
ipchains -C output -p tcp -i eth1 -s <internet address> 443 -d 10.11.12.20 443
it is accepted.
Do I need to bridge the two NICs on the firewall? Do I just put in some routing entries? Do I have to do anything more to the forward and/or output rule to get the packets through?
As you've probably concluded by now I'm new to ipchains, although I have read many of the firewall/ipchains/bridge HOWTOs, so any help would be gratefully accepted.
Thanks
Gavin.
This is a tiny sample - a number of other home/SOHO packet filtering and defensive firewall questions are in the queue to be answered. But it would be really nice to see an article for ipchains... or especially, the new netfilters, since they are a bit different... which is aimed for readers who are not already network administrators. -- Heather.
I am running a home peer-to-peer network of 3 PCs running Win98 and Internet sharing to access the Internet through my cable modem (Telewest Blueyonder). On the PC that acts as the gateway to the Internet, I have two removable drives; one runs Win98 (obviously...lol) and the other is running Mandrake 7.1. What I would like to do is to dump Win98 from the gateway PC and go over to Linux completely, while the other two PCs will continue to run Win98. Now what I want to be able to do is have a similar set-up to my Win98 network, where the three PCs all have access to the Internet.
Have you a complete numpties' guide to doing this, bearing in mind that I have little or no Linux experience. i.e. the definitive guide to getting cable modems to run under Mandrake 7.1.
Many thanks
Ian Garvie
There is a quiet little utility called Masqdialer which is supposed to be for exactly this purpose. However, I've never used it, though I've been tempted to give masqmailer a try ... that's a mailer that might be good for people on dialups, because it's smart about whether you're online, and via what ISP.
An article on either of these, or the general case of a sometimes-disconnected setup, would be a good read for newbies and old hands alike.
Hi there. As you probably gathered from the subject header, I'm a fairly new Linux user--I used it for a few months a while back with a RH 6.0 install, but ended up back in MSFT land when I had trouble replacing my NIC. In any event, I just installed Mandrake 7.2, and I've been doing pretty well getting the system to do everything I need/want it to do over the last several days.
HOWEVER: I'm using it almost exclusively inside X/KDE, and I'm well aware that I'm really not learning anything about how to properly setup/use/maintain a Linux system. So I've been browsing about the web, IRC channels, newsgroups, etc., and reading pretty much any documentation that's aimed at new users. The problem is that just reading everything doesn't teach one all that much when it comes to actually trying to use the system.
What all this buildup is leading to is: what would you recommend as practical projects to undertake as learning exercises for a fairly new user? At the risk of sounding immodest, I'm quite comfortable and conversant with computers and computing in general, hardware setup, programming, etc.--but only in a MSFT world. I'm not terrifically afraid of breaking my system--everything is well backed-up, and I've been working with Windows products for long enough that the prospect of reformat/reinstall isn't even vaguely daunting. I just don't know what it is I should be -trying- to do such that succeeding in the endeavor would involve gaining understanding of the system.
Sincerely, Matt "sorry for the SPAM" Cherwin
Better answers than "read back issues of the Gazette" will be published, if you copy them to tag@ssc.com.
Thanks for taking time to answer questions.
I have some tapes (1/4" cartridge, 120MB format) that I would like to make copies of. Now, I know that they were made on an AS/400, but as I see it, data is data if I can figure out what format it is in.
The hardware is an AMD-K6/II 500 with an Adaptec AIC-7850 narrow SCSI controller connected to the PCI bus. There are 3 devices connected to this SCSI controller: 1 TANDBERG SLR1 150MB tape drive (device ID 6, /dev/st1), 1 TANDBERG SLR2 525MB tape drive (device ID 0, /dev/st0) and 1 Philips CDD 2600 (device ID 4, /dev/scd0) which is at the end of the cable with the termination jumper installed.
The software is a heavily modified RedHat 5.0. The kernel version is 2.2.15 (with the needed network utility updates), gcc (egcs) 2.95. With all the updates I figured that the old mt command probably didn't support the current IOCTLs on the st driver, so I deleted it and got the source code for mt-st v. 0.6 (the old one was 0.4).
At this point I can create tapes under Linux and read them back reliably. However, this is all working with default settings.
Now for the interesting part. When I try to read a tape created on my AS/400 (the same drive that is now in my Linux machine as st0) I get the complaint st0: Incorrect block size. The mt status command shows Tape Block Size = 512, Density code 0x11 (525 tape), Beginning of tape and Write Protect.
If I try to change the block size, I first do a rewind (as per the Tandberg manual), then I do a setblk 32768 (does the same thing with setblk 512) and the response is: st0: Error with sense data: [valid=0] Info fld=0x0, Current st09:00 sense key Illegal request additional sense indicates End-of-partition/medium detected. When I follow the procedure on the tape I made under Linux and use a block size of 512 everything works fine. What am I missing? PS: Although IBM provides no documentation, their tape file listing program seems to indicate that the block size might be 32768 bytes.
Layton
We have a lot of good people, but not so many with AIX experience. If any of you with experience in an IBM/Linux heterogeneous environment ... or who know about what tapes are really saying when they do this... have some good hints for Layton, send them to tag@ssc.com.
PS. A big thank-you to the Answer Guy for some of his answers a year or two ago that have gotten me this far. Especially on the SCSI termination, which I should have remembered from my Macintosh days (only 10 years ago).
You're welcome, of course!
PPS. I hope USA.net sends a plain text version of this since I am not at work where I have an e-mail account that will let me specify what I want to send.
It came through fine.
Setup: mainboard PC Chips M807, kernel 2.2.15 (Mandrake 7.1), memory 2 sticks of 128MB PC100.
If I insert only one memory stick, the BIOS correctly finds 128MB but Linux only 64MB. After adding append="mem=128M" to lilo.conf, Linux finds 64MB again. If I insert 2 memory sticks, the BIOS correctly finds 128MB but Linux only 15MB! After adding append="mem=256M" to lilo.conf, Linux finds 64MB. Any suggestion? BTW Win98 always sees the correct RAM size.
Thanks, Jan Jakubik
Someone with a good memory can slip us a tip in the right direction by mailing tag@ssc.com.
On 29 Mar 2000 the question was asked who invented the cardboard box. The answer is Robert Gair. I found this information at http://www.europen.be/basics/understand/und6_types.html
I am doing research for a school speech on the inventor of the cardboard box. (This is no joke.) Your website is great and I will visit often. I am glad I found you.
[Heather] You're doubly lucky as well; one of the Gang decided to answer it, and it was sufficiently amusing that we published it even though it's off topic. If you end up with any questions about a free computer operating system whose mascot is a cute penguin, don't hesitate to ask.
Heya Heather,
better late than ...
Happy New Year and all best wishes to you and all of Linux Gazette !
Yours linuxely,
Wilf (French/English => German translations)
On Wed, Jan 24, 2001 at 10:47:23AM -0700, Spicer wrote:
I just ran across a link to one of your messages and was wondering... do I just ask you a question?
If it's related to Linux technical support, yes. There are about ten people in The Answer Gang, and if any of us feel qualified to respond, we'll e-mail you back. Then, the question and answers will be considered for publication in the next issue of Linux Gazette. The submission address is tag@ssc.com.
We'd appreciate it if you'd peruse a few back issues of Linux Gazette first to see if your question has already been answered. (The LG search engine is useful for this.)
Also, if you have any Linux tips that might be helpful for other readers, please send them in too. Both beginner and advanced tips are appreciated, because we have a wide variety of readers.
RE: http://www.linuxgazette.com/issue61/lg_answer61.html#tag/36
Mike Orr asked "What's a smoothwall?"
Smoothwall is a browser administered, Linux-based, open-source, ppp firewall and router appliance. It's targeted at older 386 and 486 systems gathering dust in a closet.
See http://sourceforge.net/projects/smoothwall -or- http://www.smoothwall.org
The sourceforge page has links to the mailing lists and forums where Jim Watkins' original question about diald on the smoothwall has been discussed and answered many times...
BTW- Smoothwall would make a great subject for an upcoming Linux Journal article!
"Take a look at one's desktop config. That'll give you an idea where they are with Linux." - an unidentified O'Reilly author @ ALS 2000.
Way back in time the editor wrote: "Regarding the e-mails: they're still worth printing because they may help somebody else." from: http://www.linuxgazette.com/issue47/lg_mail47.html
And by jove, they did. Thanks a bunch, it has lifted a weight from my shoulders, I had the same problem.
Glad the archives are still up.
Regards
Etienne Posthumus
Thanks for your help!
-- Marius Andreiana
The Answer Gang,
Hello! My name is Terrell Phillips and as a "newbie", I've been learning Linux via KeyStone Learning Systems video training series.
I sincerely hope that my ongoing Linux training will not have been in vain as I can find no postings for any entry-level workstation jobs here in Atlanta for newbies. Even if I were to have attained my RHCE, the only Linux jobs I've seen posted on the Internet require a working UNIX background foremost.
Attending my local Atlanta Linux Enthusiasts user group meetings, it seems that advanced users attending the meetings are not thrilled at the prospect of helping newbies acquire initial work experience, but rather give every impression that somehow Linux will blossom someday into the corporate world. Apple Computer made the same mistakes early on by marketing their OS to new users and user groups as the best choice for getting work done efficiently. Later, Apple began boasting that their platform was the best and most rapid developer for cross-platform apps. But there was just one little problem. Apple didn't want anyone especially new users to know upfront. No instructor-led training programs for software development were/are in place, nor did Apple partners care to offer the same. And you could count the non-graphics jobs using Apple Computers on one finger.
The point is, that unless the entire Linux community decides to truly help their own, "newbies" will retreat back to using Microsoft for careers. A mature forest of Linux trees lacking little new tree saplings growing all around them won't be a forest for long.
It is a very smart move on the part of the various Windows user groups to see to it that their "newbies" find entry work quickly.
Tonight, I have set my Linux notes printed off various websites along with my training videos aside in favor of learning Visual Basic, MS Access 2000 and SQL. With some training and initiative on my part, I can find entry-level work in a Windows world.
I wish I had better news.
Sincerely,
Terrell Phillips
Dear answerguy,
I am incredibly happy that I could save one of my Linux installs with the help of an answer you gave to one of those people before (retrieved with a search engine) on lost root passwords!! All the other stuff that I had found before didn't make it ('linux single' always ended at the login prompt!) and the rest said 'new install'. Now I have the task to find out who had tampered with the machine across the network (Internet), because I have been using this password for ages, I'm a system administrator and have clearly never had too many drinks since I had logged on successfully the last time! - The machine is a server behind closed doors ...!!
Have a drink on me!
Uwe
the gazette looks very nice -- sort of a moderated discussion, i guess. like a civilized slashdot, or an old letters to the editor section of a magazine.
john
We seem to have received notes from more than one site about ftp being strange...
Ferg (gferg from sgi.com)
Hi -
I maintain the LDP mirror(s) of the LG, and the last couple of times I've run our 'mirror'-based update script, I received a number of errors, such as:
Too many files to delete, not actually deleting (3626 > 3278)
Too many directories to delete, not actually deleting (398 > 358)
I'm pretty sure I know how to correct that in the mirror config file. More troublesome are these (from my last run):
Failure on 'RETR pub/lg/www_root/.glimpse-eye.jpg' command
Failed to get pub/lg/www_root/.glimpse-eye.jpg: 550 'pub/lg/www_root/.glimpse-eye.jpg': No such file or directory
Failed to get file 550 'pub/lg/www_root/.glimpse-eye.jpg': No such file or directory
Failure on 'RETR pub/lg/www_root/404.html' command
Failed to get pub/lg/www_root/404.html: 550 'pub/lg/www_root/404.html': No such file or directory
There are an enormous number of those errors.
Did anything change on the host site? Was there some massive restructuring done to have caused this?
Here are my configuration parms:
package=LG
site=ftp.ssc.com
comment=Linux Gazette
remote_dir=/pub/lg/www_root
local_dir=/public/html/LDP/LDP/LG
I hope you can help. Thanks in advance.
Best regards, -- Greg Ferguson
[Ira Abramov is one of LG's mirrors.] I have been getting spam to an address I gave you as a contact for an LG mirror I was running, yet it was posted to a webpage without my approval, and I have been getting a lot of Spam through it lately.
Please remove nospam-lgmirror-20000426 at.the.site ira.scso.com from the mirrors page at http://www.linuxgazette.com/mirrors.html, as well as from your lists. The correct contact from now on is webmaster-nospam-lgmirror-20001205 at.the.site linux.org.il and they won't appreciate spam either. I suggest you somehow cloak the mail addresses on that page, remove the mailto: links or use some other mechanisms, but do not leave the current situation broken like this.
[Heather] I actually tweaked the above so neither would turn into a hotlink. Normally they would.
I have removed the link as you requested. Change visible at 5pm (UTC-0800).
In general, it's our policy to publish the contact addresses of the mirrors because (1) we need the information and this is where we store it, and (2) readers need to be able to contact a mirror if there's a problem using it--that's why it's called a contact address. As for spam, I get it too--30% of the messages to gazette@ssc.com are spam.
[Ira] OK, possible ideas. Instead of a mailto: link, put the address plain, maybe even add a space before and after the @ sign. That way one can still cut and paste it for an individual contact but not harvest it automatically with a robot... there are ways.
For the more advanced ways there are simply CGIs. See the following address (which spammers aren't smart enough to handle):
http://scso.com/cgi-bin/mgazettenospam@dhtssc.com
The CGI that does this little magic looks like this:
> cat /home/httpd/cgi-bin/m
#!/usr/bin/perl
# Everything after the script name in the URL arrives in PATH_INFO; drop the leading '/'.
$address=substr($ENV{'PATH_INFO'},1);
# Turn the decoy marker published on the page back into a real '@'.
$address=~ s/nospam\@dht/\@/g;
# Answer with a redirect to the reconstructed mailto: address.
print "Location: mailto:$address\n\n";
exit(0);
4 lines of Perl, and spammers never harvest those addresses (tested!)
Where there's a will, there's a way... I love SSC for its great donation to the community, I just ask that you don't repay the kind people mirroring you by exposing them to spam...
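The same decoy-marker idea as an added example in Python (this is not Ira's script, nor anything SSC published): the `nospam@dht` marker is taken from the letter, while the allowed-character set, the example hostname and the harvester pattern are assumptions for the example. It checks the decoded address before echoing it into a response header, which the one-liner above does not.

```python
"""Hardened variant of the address-cloaking CGI discussed above.

A published link carries a decoy such as 'gazettenospam@dhtssc.com'; the
server turns the marker back into '@' and answers with a mailto: redirect.
Marker, character allowlist, hostname and harvester regex are assumptions
made for this added example.
"""
import re
import string

MARKER = "nospam@dht"          # token that stands in for the real '@'
# Conservative set of characters we are willing to echo into a header.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + ".-_+")


def decloak(path_info: str, marker: str = MARKER) -> str:
    """Turn the PATH_INFO of a cloaked link back into a real address.

    Raises ValueError instead of redirecting when the input is not exactly
    one address built from safe characters. Echoing PATH_INFO unchecked
    would let a CR/LF in the URL land in the response header.
    """
    if not path_info.startswith("/"):
        raise ValueError("PATH_INFO must begin with '/'")
    cloaked = path_info[1:]
    if marker not in cloaked:
        raise ValueError("no cloaking marker present")
    local, _sep, domain = cloaked.partition(marker)
    if not local or not domain or "@" in local or "@" in domain:
        raise ValueError("malformed cloaked address")
    if not set(local + domain) <= SAFE_CHARS:
        raise ValueError("unsafe character in address")
    return f"{local}@{domain}"


def redirect_headers(path_info: str) -> str:
    """Build the CGI response: a mailto redirect, or a 400 on bad input."""
    try:
        address = decloak(path_info)
    except ValueError:
        return ("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
                "bad address\r\n")
    return f"Location: mailto:{address}\r\n\r\n"


# A harvester that only knows what an address looks like sees the decoy.
HARVESTER_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def what_a_harvester_sees(page_text: str) -> list:
    """Return the address-shaped strings a naive harvester would pick up."""
    return HARVESTER_RE.findall(page_text)


if __name__ == "__main__":
    # Constructed sample link, modelled on the one in the letter.
    link = "http://example.invalid/cgi-bin/m/gazettenospam@dhtssc.com"
    print(what_a_harvester_sees(link))          # ['gazettenospam@dhtssc.com']
    print(redirect_headers("/gazettenospam@dhtssc.com"))
    print(redirect_headers("/gazettenospam@dhtssc.com\r\nX-Injected: 1"))
```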
[Mike] The trouble is, that requires a CGI script, so it won't run on the mirrors, and it certainly won't work on the CD-ROM version.
Is it time to make all e-mail addresses non-clickable? Your Editor is undecided.
[Heather] You don't want to make it easier for spammers (who use scripts and have delusions of time on their hands) to get ahold of you than the people who would have a legitimate reason to reach you. I suppose we could have various mirrorNN.LocnCode kinds of addresses at SSC, where we could attempt to pre-filter a bit. (are you getting worse than 30 % spam?)
That way you as mirror admin get some possible defense, at least your actual address isn't exposed until you reply, there is the backup that SSC learns about mirror problems sometimes, and some people might actually feel we made it easier to reach somebody in case of errors.
[Don Marti] Hiding email addresses from spammers is letting spammers define the terms of our conversation. I'm against it and don't participate in any list that does this form of "cowardice by proxy" for me.
[Dan Wilder] Though in less absolute terms than Don, I'll add my voice to those not favoring cowardice by proxy.
Let 'em try and spam me. I'll either /dev/null their mail, or hunt 'em down with a rusty bottle opener!
It was all D&D back then, and Traveller.
Never heard of these... I started on the ZX Spectrum, with Dizzy being my favourite(s).
NEVER HEARD OF?? I gotta publish this. The generational difference between games. Do you mind if I publish this letter?
If you publish that I never heard of D&D and Traveller? No, I don't mind. Maybe you could write about these too. (Are they still available?)
I don't do gaming, so I don't know. Cc'ing a gaming friend.
Ogre, this guy is one of my correspondents for the Linux Gazette ezine. He's too young to have heard of Dungeons & Dragons and Traveller, the only role-playing games I ever had the least bit involvement with. Do they still exist or are they long gone?
[Heather] There is an avid batch of Traveller players in my area although I don't game with them, and D&D recently released a new edition. Not only are they available, but you can find Traveller players on IRC, a lot of support software for D&D gamemasters... uh, well for some other platform anyway. My Traveller-playing friend is famous for Penguin Artillery.
After dropping you a mail about issue 60, I thought I would pen a few lines on my venture into Linux and just why LG has made the transition so painless.
Is it redundant of me to mention just how fantastic LG is? I can hear you all muttering now about stating the bleeding obvious. For me, the most curious thing is to note the range of interest, from the rank Linux newbie to input from individuals who are quite clearly among some of the most knowledgeable to be found, and all receive the same warm response (unless they happen to be some poor Windoze momo with a Winmodem).
Anyway, I thought I would share my recent real plunge into Linux and perhaps lend some cheer to all the neophytes out there coming to terms with Windoze withdrawal and faced with the murky morass of Linux. I should mention I am not new to computers; I have used a plethora of Uncle Bill's offerings, and in all fairness, I am possibly the only person in the world never to have had any problems at all: I can count my 'Blue Screens of Death' on one hand. Suffice to say, I have no problems with MS; as a bit of a closet gamer, it serves its purpose.
Linux, on the other hand, was always something that I presumed was not for me. I had once upon a time installed some ancient Red Hat and a mouldy Slackware, both of which suffered a format quite promptly. It just all seemed too complicated and of limited appeal to where I was at the time. I tend to spend a lot of time on the Net now, so about 2 weeks ago I decided to have another look. I need to make it very clear: the sum total of my Linux knowledge prior to biting the bullet and trying it again was the ability to type 'ls -la', 'uptime', 'rm' and a few other sundry commands that everyone anywhere normally picks up over the years; in other words it was all virgin territory. With that in mind, thus begins my journey.
A friend of mine mailed me Mandrake 7.2 (along with Storm, Corel, Slackware 7.0, Redhat 6.0 and a bunch of other distros). I had once installed a prehistoric Mandrake, so my victim was preordained. My system is fairly standard: a PIII 850, 192MB RAM, Voodoo 3 3000, SB Live, Adaptec 2940 + 2944, network card etc. I chose custom install, and prepared myself for what I was sure would be many hours of getting things to actually work post-install. To say I was impressed was an understatement: the Mandrake install was easier and clearer than anything Bill Gates ever threw at me, and HW detection? Everything was 100% up and running without any intervention on my part. I am a console sort of person, and X is just something I will use when I am forced to, but once I booted up, a quick startx and boy was I shocked: X 4.0 and KDE2 all running with full 3D acceleration. I fired up Tux Racer as I was checking things out, and it bodes well; Linux has come a long way since I toyed with it. I have a feeling MS will be forced to meet Linux head on one of these days, MS Linux maybe? Since from what I see, once the Linux community manages to implement anything akin to DirectX and thus gain wide support from the gaming industry, the Redmond Wunderkind will be on a fast track to oblivion if they don't have some contingency plans.
Oops, back to the nub of it all. OK, so X was working, so I quickly exited the session to get as far away from Netscape as I could. Like most people 'new' to Linux, I was a little overwhelmed at the sheer vastness of it all, and headed as fast as I could for the most speedy route to begin the learning process. Thank god for man pages, info pages, HOWTOs and the like; I was soon starting to feel like this was one mountain I could conquer.
Next up, PPP, or was it? No, silly me used fdisk to partition initially and I made Linux one single partition, didn't I. Tsk tsk; well, I wanted to learn more, so.... REINSTALL, this time with Mandrake's own tool, which in a word is awesome for the newer users. Result:
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/hda5               489992     55987    408705  12% /
/dev/hda8               241116      1481    227187   1% /boot
/dev/hda10             2514172    150644   2235816   6% /home
/dev/hda1              7158976   5588472   1570504  78% /mnt/win_c
/dev/hdb1              6285144   1685608   4599536  27% /mnt/win_c2
/dev/hde1              8233232        12   8233220   0% /mnt/win_c3
/dev/hdg1              2498940        12   2498928   0% /mnt/win_c4
/dev/hdh1              2498936    418500   2080436  17% /mnt/win_c5
/dev/hda7               241116       170    228498   0% /tmp
/dev/hda11             7937796   3655320   3879248  49% /usr
/dev/hda9               489992     65081    399611  14% /var
/proc/bus/usb           489992    489992         0 100% /proc/bus/usb
I am happy with that (the Win drives are games + multiple backups), so then on to PPP. Unlike many who have sad tales to tell, my small local ISP has a handy dandy tar.gz file to set things up: unpack, run, a few questions like password, modem and such, type ./ppp-on and voila! Nice that some ISPs give a damn about their users... fantastic.
After a day or two, I had devoured every HOWTO. I made life easier for myself too with:
alias ht='cd /usr/share/doc/HOWTO/HTML/en;lynx index.html'
My little superhighway to fast help and my 1st ever alias. Oh, did I mention Netscape sucks and Lynx is sublime?
Now I was wanting some access to Linux information, time to search the Web. I suppose I was lucky: within a minute or two, I came across the Linux Documentation Project and thus Linux Gazette. After perusing the online issue, I knew where it needed to be, so FTP mirror here we come, and some time later all 60 issues were on my HDD.
Ever since, for the last week or so, I have been wading through the plethora of tips (isn't Heather just the living end, eh?). I have managed to come to terms with the Linux file structure, I have personalised bash and my environment to my liking, I have edited most of my .rc files, for example custom hdparm parameters, along with removing things like telnet and ensuring ssh is up and running. Almost everything I have learnt is due to Linux Gazette; it never ceases to amaze me how much there is to learn. Only a few days ago, a friend of mine who has been using Linux for four years came over to help me with a wine.conf issue, and I ended up teaching him a few things and minor commands he had never used nor knew existed. It just goes to show how extensive Linux is.
I suppose the point of my taking the time to pen a few words is to reassure those new to Linux that much of the rubbish that gets bandied about that Linux is "hard" is in practice misguided. Certainly some distros are not as user friendly as, say, Mandrake or Red Hat to install, and presume a certain working knowledge, but any Linux once up and running, provided you have a passion for computers and an enquiring mind, is most certainly not rocket science. In other words, if you are content to click a mouse and care nothing for what might live beneath the hood, then perhaps you deserve nothing more than Windoze.
I fit the profile of a normal advanced Windoze user: I can edit registry crap, troubleshoot .dll problems and all that jazz, but I certainly cannot write one line of code, thus I am sure that many newer LG readers will relate to my experiences as a new Linux user. Sure, I have had to stop and run for a man page at times, and been totally stumped at times; for example getting Wine to work (which I use for one prog only) made me tear my hair out, while on the other hand VMware was painless. At the end of the day, it is only by overcoming problems that you learn, and the sudden "ZAP" of revelation once you master some problem makes it all worthwhile. Linux certainly lights my fire, a tinkerer's delight, and I am sure that in the future, when I look back on my 7 years of Windoze and compare it to the years of Linux to come (or whatever Linux becomes), I will wonder why I never made the change sooner. One thing I know for certain: I will never be tempted to buy a Winmodem.
[A guest commentary from our News Bytes editor. I asked him to summarize the controversy on Slashdot regarding SSH/SSL vulnerabilities, and to assess whether we need an article on it. -Mike]
Date: Thu, 28 Dec 2000 16:55:56 +0000
Subject: Re: Late News Bytes additions
From: Michael Conry michael.conry@softhome.net
Hi Mike, please find attached the ( ../issue61/lg_bytes61.html ) news bytes 61 file. I did go through the SSH issues, and summarised them briefly. I kind of skirted around the SSL because it seemed less clear cut, and very much an issue of implementation and protecting users from themselves. Most discussion in the links focussed on SSH in any case.
I would recommend, not an article on Holes in SSH, but rather an article on security in general. Lots of contradictory messages on Slashdot indicate that people still don't really understand what is going on or how exactly to administer a public key system.
The issues are not new, but are inherent in public key systems. PGP/GnuPG is the same (how can I be sure the key I think is yours is really yours?). The biggest issue is probably users (lusers) ignoring warning messages.
The new dsniff software is probably worth commenting on also. I included a link in my short discussion, but have not studied it. What could be very interesting would be for an article to highlight how to use tools like this to strengthen your system/network by scrutinising it and probing it. Focus tends to be on how these tools allow malicious people to break other people's systems.
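As an added illustration of the "is the key I think is yours really yours?" point above (this is not code from the letter, nor from OpenSSH), the check an SSH client makes against its known_hosts file, written out so the three outcomes are visible: first contact with nothing to compare against, a match, and a changed key, which is the warning the letter says users click through. Hostnames and key blobs are constructed for the example, and the known_hosts format assumed is the plain, unhashed one.

```python
"""Host-key check against known_hosts, as an added example.

Not code from the letter or from OpenSSH. Key blobs and hostnames are
constructed here; only the plain 'host keytype base64' known_hosts form
is handled (hashed '|1|' entries are skipped).
"""
import base64
import hashlib
import struct

KEY_TYPE = "ssh-ed25519"


def make_key_blob(seed: bytes) -> str:
    """Construct a syntactically valid ed25519 public-key blob for testing.

    Real keys come from a key generator; here the 32-byte 'public key' is
    a hash of the seed so the example is deterministic and runs offline.
    """
    pub = hashlib.sha256(seed).digest()          # 32 bytes, like ed25519
    blob = struct.pack(">I", len(KEY_TYPE)) + KEY_TYPE.encode()
    blob += struct.pack(">I", len(pub)) + pub
    return base64.b64encode(blob).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, no padding.

    This is the string the user is asked to verify out of band on first
    contact; comparing it against one obtained from the admin directly is
    what turns trust-on-first-use into an actual check.
    """
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map hostname -> (keytype, blob) from plain known_hosts lines.

    One line may list several comma-separated names for the same key.
    Comments, blank lines and hashed entries are skipped.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, blob = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            table[host] = (keytype, blob)
    return table


def check_host_key(known_hosts: str, host: str, keytype: str, blob: str) -> str:
    """Return 'ok', 'unknown' or 'CHANGED' for the key a host offers.

    'unknown' is the first-contact case: nothing to compare against, so
    the fingerprint must be verified some other way before accepting it.
    'CHANGED' means the host now presents a different key than the one on
    record, the case that should never simply be waved through.
    """
    table = parse_known_hosts(known_hosts)
    if host not in table:
        return "unknown"
    stored_type, stored_blob = table[host]
    if stored_type == keytype and stored_blob == blob:
        return "ok"
    return "CHANGED"


# Constructed sample data: two distinct keys, one of them on record.
GOOD_BLOB = make_key_blob(b"constructed key one")
OTHER_BLOB = make_key_blob(b"constructed key two")
KNOWN_HOSTS = (
    "# constructed known_hosts for the example\n"
    f"mirror.example.invalid,192.0.2.10 {KEY_TYPE} {GOOD_BLOB}\n"
)

if __name__ == "__main__":
    print(fingerprint(GOOD_BLOB))
    print(check_host_key(KNOWN_HOSTS, "mirror.example.invalid", KEY_TYPE, GOOD_BLOB))
    print(check_host_key(KNOWN_HOSTS, "mirror.example.invalid", KEY_TYPE, OTHER_BLOB))
    print(check_host_key(KNOWN_HOSTS, "new.example.invalid", KEY_TYPE, GOOD_BLOB))
```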
"Linux On Your Desktop" is an important article. But Linux-Gazette should `edit out' several English mistakes. Syntax and Spelling. This does not help Linux get a professional image.
[Mike] Linux Gazette is not a professional publication--it's a volunteer publication. We do not have the resources to proofread and reword every article. That would take 10-20 hours per issue. Would you like to volunteer to proofread a few articles each issue? If you're willing, it would certainly be welcome.
It would be so nice if I could come to your index.html page and not have to load a 40k logo. Wouldn't an 8k do nicely?
[Mike] We'll consider this for the next version of the Gazette, but most requests have been asking for more graphics, not less. 8 K would get us a logo that's just a bit bigger than the sponsorship logos are now. Since our graphic designer put a lot of time into getting the shape and color of the logo just right, I don't want to ask him to somehow manage to keep the same look while squeezing the file down to a fifth of its size. It is a jpg, which is the most efficient graphics format there is.
In any case, doesn't it just load once in your browser and then the cached version is used thereafter?
Thanks for your feedback.
[Richard Storey] Not knocking the great design of the logo, but aside from the slow loading it creates, its motif doesn't match that of the rest of the site. As far as graphics go, look at Yahoo. They've managed to keep their site just ahead of text level, which I use most of the time anyway. There's a lot to be said for a site which is designed cleanly, neatly, for fast load times, but is rich because of its content rather than *eye-candy*.
[Heather] You're quite welcome to visit us in lynx, the world's fastest browser, since it wastes no time whatsoever on eyecandy ... unless you absolutely insist on working at it. My normal surfing mode is lynx-ssl with zgv wired into my MIME support, so I can see an occasional photo if I feel like it.
We make a serious effort to be lynx clean around here anyway, since that's how we produce the text version of the download.
Submitters, send your News Bytes items in PLAIN TEXT format. Other formats may be rejected without reading. You have been warned! A one- or two-paragraph summary plus URL gets you a better announcement than an entire press release.
The February issue of Linux Journal is on newsstands now. This issue focuses on Kernel Internals. Click here to view the table of contents, or here to subscribe. All articles through December 1999 are available for public reading at http://www.linuxjournal.com/lj-issues/mags.html. Recent articles are available on-line for subscribers only at http://interactive.linuxjournal.com/.
OREM, UT-January 16, 2001- Caldera Systems, Inc., today announced the release of Caldera Volution, a Linux management solution that reduces the cost of implementing and managing Linux systems. With Caldera Volution, administrators can use policies and profiles to manage thousands of Linux systems, without having to individually manage or touch each. Volution is distribution-neutral - designed to work with all major Linux distributions, and provides broad management functions. Volution will significantly benefit anyone needing to manage multiple Linux servers and desktops.
Caldera Volution is a Web-based remote management solution that allows administrators to manage Linux systems from anywhere at any time. It is directory-based, utilizing the inherent strengths of LDAP directories. Directories provide two major benefits: they give administrators not only a place to store information, but also a logical and intuitive way of managing network resources. Volution supports three major LDAP directories: Novell's eDirectory, OpenLDAP and iPlanet. OpenLDAP and eDirectory ship with the product. Volution will ship in nine additional languages including Chinese (simplified and traditional), French, Italian, German, Spanish, Japanese, Korean and Portuguese. The suggested list price for Caldera Volution is US $2995. Volution ships with the Volution software, Novell eDirectory and OpenLDAP, a secure Web server and licenses to manage up to 10 nodes. Additional nodes are sold separately.
Nuremberg, Germany - January 12, 2001 - Today, SuSE Linux presented the second generation of e-mail solutions for commerce, public administration, workgroups and all others needing professional e-mail communication.
The SuSE eMail Server II is an Open Source solution, based on reliable components consistent with Internet standards such as SMTP, IMAP4, POP3, and LDAP. In accordance with the IMAP standard (Internet Message Access Protocol), the SuSE eMail Server administrates mail on a central server. The server supports all common e-mail clients, including Microsoft Outlook, Outlook Express, Netscape Messenger and Eudora, as well as access via the included Web-Mail client IMP.
The SuSE eMail Server II can be obtained from SuSE or from software retailers from the beginning of February onwards. The suggested retail price for one server is 255 Euro and includes a manual, 60 days installation support and the server backup solution Arkeia from Knox Software.
Nuremberg, Germany - January 19, 2001 - SuSE Linux and Lotus announced the SuSE Linux Groupware Server. The new server combines the comprehensive functionality of the Domino Messaging and Web Application Server with the cost advantages and the reliability of the Linux operating system. This provides a basis for improved business processing and customer relations.
With more than 50 million users worldwide, the product-integrated Domino Server delivers efficient tools for groupware, workflow, messaging and scheduling. Domino also provides a flexible basis for fast web and messaging application development.
SuSE Linux Groupware Server can be purchased from SuSE or software retailers, beginning February 2001. The suggested retail price is Euro 2.555,00 + VAT.
For further information on SuSE Linux Groupware Server, please visit SuSE's Groupware web page.
Event | Dates | Location | URL |
Linux Expo, Amsterdam | January 23-24, 2001 | Amsterdam, Netherlands | http://www.linuxexpoamsterdam.com/EN/home/ |
6th USENIX Conference on Object-Oriented Technologies and Systems | January 29 - February 2, 2001 | San Antonio, TX | http://www.usenix.org/events/coots01 |
LinuxWorld Conference & Expo | January 29 - February 2, 2001 | New York, NY | http://www.linuxworldexpo.com |
Linux Expo, Paris | January 31 - February 2, 2001 | Paris, France | http://www.linuxexpoparis.com/EN/home |
Open Source and Free Software Developers' Meeting | February 3-4, 2001 | Brussels, Belgium | http://www.osdem.org |
Internet World Canada/ISPCON | February 5-8, 2001 | Toronto, Canada | http://www.internetworld.com |
The O'Reilly Peer-to-Peer Conference | February 14-16, 2001 | San Francisco, CA | http://conferences.oreilly.com/p2p/index.html |
Internet Appliance Workshop | February 20-21, 2001 | San Jose, CA | http://netapplianceconf.com |
Bang!inux | March 5-7, 2001 | Bangalore, India | http://www.Banglinux.com/ |
LINUX Business Expo | March 7-9, 2001 | Sydney, Australia | http://www.linuxexpo.com.au |
Computerfest | March 10-11, 2001 | Dayton, OH | http://www.computerfest.com |
Internet World Spring | March 12-16, 2001 | Los Angeles, CA | http://www.internetworld.com |
COMDEX Canada West | March 13-15, 2001 | Vancouver, B.C. | http://www.key3media.com/comdex/canadawest2001 |
Game Developers Conference | March 20-24, 2001 | San Jose, CA | http://www.gdconf.com |
CeBit | March 22-28, 2001 | Hannover, Germany | http://www.cebit.de |
3rd USENIX Symposium on Internet Technologies and Systems | March 26-28, 2001 | San Francisco, CA | http://www.usenix.org/events/usits01 |
LinuxBazaar | March 28-29, 2001 | Prague, Czech Republic | http://www.linuxbazaar.cz |
Colorado Linux Info Quest Conference & Expo/CLIQ 2001 | March 29-30, 2001 | Denver, CO | http://thecliq.org |
Association of C/C++ Users (ACCU) | March 29-31, 2001 | Oxford, England | http://www.accuconf.com/ |
LINUX Business Expo | April 2-5, 2001 | Chicago, IL | http://www.linuxbusinessexpo.com |
Linux Expo, Madrid | April 4-5, 2001 | Madrid, Spain | http://www.linuxexpomadrid.com/EN/home |
Linux Expo Road Show | April 23-27, 2001 | Various Locations | http://www.linux-expo.com |
Linux for Industrial Applications, 3rd Braunschweiger Linux-Tage | May 4-6, 2001 | Braunschweig, Germany | http://braunschweiger.linuxtage.de/industrie |
Linux@Work Europe 2001 | May 8 - June 15, 2001 | Various Locations | http://www.ltt.de/linux_at_work.2001 |
Linux Expo, Sao Paulo | May 9-10, 2001 | Sao Paulo, Brazil | http://www.linux-expo.com |
SANS 2001 | May 13-20, 2001 | Baltimore, MD | http://www.sans.org/SANS2001.htm |
7th Annual Applied Computing Conference | May 14-17, 2001 | Santa Clara, CA | http://www.annatechnology.com/annatech/HomeConf2.asp |
Linux Expo, China | May 15-18, 2001 | Shanghai, China | http://www.linux-expo.com |
SITI International Information Technologies Week, OpenWorld Expo 2001 | May 22-25, 2001 | Montreal, Canada | http://www.mediapublik.com/en/ |
Strictly e-Business Solutions Expo | May 23-24, 2001 | Minneapolis, MN | http://www.strictlyebusinessexpo.com |
Linux Expo, Milan | June 6-7, 2001 | Milan, Italy | http://www.linux-expo.com |
USENIX Annual Technical Conference | June 25-30, 2001 | Boston, MA | http://www.usenix.org/events/usenix01 |
PC Expo | June 26-29, 2001 | New York, NY | www.pcexpo.com |
Internet World Summer | July 10-12, 2001 | Chicago, IL | http://www.internetworld.com |
O'Reilly Open Source Convention | July 23-26, 2001 | San Diego, CA | http://conferences.oreilly.com |
10th USENIX Security Symposium | August 13-17, 2001 | Washington, D.C. | http://www.usenix.org/events/sec01/ |
HunTEC Technology Expo & Conference, hosted by Huntsville IEEE | August 17-18, 2001 | Huntsville, AL | URL unknown at present |
Computerfest | August 25-26, 2001 | Dayton, OH | http://www.computerfest.com |
LinuxWorld Conference & Expo | August 27-30, 2001 | San Francisco, CA | http://www.linuxworldexpo.com |
Linux Lunacy, co-produced by Linux Journal and Geek Cruises | October 21-28, 2001 | Eastern Caribbean | http://www.geekcruises.com |
LinuxWorld Conference & Expo | October 30 - November 1, 2001 | Frankfurt, Germany | http://www.linuxworldexpo.de/linuxworldexpo/index.html |
5th Annual Linux Showcase & Conference | November 6-10, 2001 | Oakland, CA | http://www.linuxshowcase.org/ |
Strictly e-Business Solutions Expo | November 7-8, 2001 | Houston, TX | http://www.strictlyebusinessexpo.com |
LINUX Business Expo, co-located with COMDEX | November 12-16, 2001 | Las Vegas, NV | http://www.linuxbusinessexpo.com |
15th Systems Administration Conference/LISA 2001 | December 2-7, 2001 | San Diego, CA | http://www.usenix.org/events/lisa2001 |
Come up with cover ideas for fun and prizes! The LJ crew's brains are growing fatigued after six years of coming up with ideas to put on the cover of Linux Journal, so they'd like to expand the thinking pool by soliciting cover ideas from LJ readers. They need cover ideas for the following issues and editorial foci:
Nikodem Kuznik, the creator of the site, says that the goal of this web-site is to provide the most up-to-date links to chemical software running on Linux. As the field is still under intensive development, the web-site will also be continuously under construction, and for the same reason you may even find some out-of-date URLs there. In that case the author will be very glad of your feedback. Nikodem says that you are very welcome to send your comments, new URLs and so on.
Mojolin has added international support to its full featured online Job/Resume database. Job listings and resumes can now be entered with full location specifics. This new ability is complemented by a feature that allows an individual to search by countries, and by states and provinces in the United States and Canada. In addition, links have been provided to BabelFish for translation of the site into five different languages: German, French, Italian, Spanish and Portuguese. Other features include a nightly email agent which informs job seekers of the latest opportunities, and the ability for Webmasters to include Mojolin's job listings on their own sites.
LinuxIT, a European Linux Solution Provider, has announced that it has signed an agreement to acquire the business interests of 01Linux Solutions Ltd, a UK-based Linux Support and Consulting company.
LinuxIT has a Linux portal that includes directories for software, hardware, documentation, job postings and user forums, offering services for Linux users and professionals.
This acquisition strengthens LinuxIT's position as one of the leading Vendor-neutral solution providers in Europe. 01Linux has marketed itself extensively as a solutions and services provider and has acquired a reputation for quality offerings based around excellent technical expertise.
Peter Dawes, Managing Director of LinuxIT commented, "The integration of 01Linux into LinuxIT will further add to our Support and Professional Services offerings. We are now offering Total Linux support for all types of customers ranging from one server through to corporates with hundreds of mission critical systems. Combined with our bespoke development, porting of applications to Linux and our educational offerings, this means that LinuxIT is in a unique position to service the growing demand for Linux and Open Source know-how."
Writing GNOME Applications
by John R. Sheets
ISBN: 0-201-65791-0
Writing GNOME Applications will help Linux programmers learn the basics of GNOME and understand how to write real-world applications using this important programming environment. Focusing on the essentials, this book guides you through GNOME's fundamental elements and explains how and why these elements function as they do. Rather than serving as an exhaustive reference, the book offers detailed discussion on the most important function calls, demonstrating how to put them to work in application development. This book should appear soon under the OpenBook licence. Keep an eye on the OpenBooks website for updates on this and other titles.
PostgreSQL: Introduction and Concepts
by Bruce Momjian
ISBN: 0-201-70331-9
PostgreSQL: Introduction and Concepts, written by a founding member of the PostgreSQL Global Development Team, provides a much-needed tutorial and real-world guide to understanding and working with this complex yet essential system. The book is also available on-line from the PostgreSQL website, at this location.
Manning Books have brought a new title: Data Munging with Perl to our attention. They say: "The transformation of data from one format to another, colloquially 'munging', is one of the most common programming tasks. The new Manning book, Data Munging with Perl, examines this important process in detail and shows how well suited Perl is for these tasks. The book is aimed at programmers using any programming language who carry out data munging as part of their daily routine. Programmers who are more experienced in Perl may learn a number of new Perl techniques to make their jobs easier."
For a closer look at Data Munging with Perl, Manning offers components of the book online: the table of contents, two sample chapters, the index and source code can be viewed at www.manning.com/cross/. As an added perk, the publisher runs an Author Online discussion forum for discussions between readers and the author, Dave Cross.
The book can be bought now, in PDF format, at a discount to the paper version, which will soon be for sale.
Printed Edition - Softbound, 304 pages, $36.95
Ebook Edition - PDF format, 2 MB, $13.50
Programming KDE 2.0
By Lotzi Bölöni
ISBN: 1-929629-13-3, Price: US$39.95
Trade Paper with CD-ROM, 265 pp.
CMP say that this book aims to explain all aspects of developing applications to run on the K Desktop Environment (KDE). It describes KDE development from the ground up, starting with fundamentals of event-driven programming and object/component-oriented systems. It progresses through design and management of GUI widgets and dialogs, and ends with the details of font and text controls and picture display. The author shows how to use the Applications Programming Interface (API), manage multitasking applications and build embedded applications using object/component models and the new Kannosa shared library techniques.
ZF Linux Devices has just created what they like to call the "littlest PC", the MachZ. The MachZ fits on an inch square chip, yet is a complete computer, loaded with Linux. More than 60 companies are designing products around the Mach Z, from medical devices and farm equipment to home appliances and vending machines.
Applications for the MachZ PC-on-a-chip include:
With recent comments on this web-page on the subject of security, it would probably be worthwhile for anyone whose interest has been piqued to peruse the Linux Security FAQ (as pointed to by /.)
ShowMeLinux's January issue is now available, with a mix of features, news and support.
The Duke of URL have a couple of items that may be of interest to you:
Finally, Slashdot have an article where you can read how Steve Ballmer says Linux is the top threat to MS.
January 8, 2001 SAN LEANDRO, CA, PlugSys International today announced its new Max Server Pages (MSP) product. This gives Xbase developers a reliable, economical way to migrate to Linux and perform server-side scripting. Using classic Xbase commands and functions, developers can access data stored in DBF files or ODBC databases and blend the results with HTML and Javascript. Max Server Pages development focuses on creation of HTML templates with embedded Xbase control structures, expressions, commands and functions. MSP Professional also allows developers to precompile source code for even faster loading libraries. The final phase of beta test is in progress. Beta testers are encouraged to apply. The company is particularly interested in Xbase developers with some web development experience and access to a web server machine running Red Hat 6.2.
Oakland, CA (January 10, 2000) - Runaware, the world's first Evaluation Service Provider for software vendors and consumers, today announced a partnership with SlashTCO, a U.K.-based open source services provider, to promote Linux awareness through online testing and supplementary resources.
Runaware will enable software purchasers to test Linux products through the web browser without downloads or installation. Support materials such as reviews and explanatory articles provided by SlashTCO will enhance the evaluation process.
FREMONT, Calif. (January 17, 2001) - WordWalla, Inc., a leading global language software provider, has joined three key industry organizations to participate in the development and understanding of new, emerging technologies and markets: the Embedded Linux Consortium, LISA and the Unicode Consortium.
As members of these three leading organizations, WordWalla will help contribute to the latest developments in Linux applications and Unicode standards as it relates to the use and proliferation of new font technologies, and will support and evangelize globalization initiatives.
PALO ALTO, Calif., January 23, 2001 - VMware, Inc. today announced that it has concluded its GSX Server beta program with more than 300 companies worldwide participating. The company also announced that the product is available for sale today at www.vmware.com
Based on VMware's patent pending MultipleWorlds technology, GSX Server gives information technology (IT) organizations mainframe-class control on Intel based servers. The software helps IT professionals leverage resources in responding to the growing demand for new applications and services by cutting down on the number of servers required, taking the pain out of staging and testing server applications and automating server installation and management.
VMware GSX Server for Linux systems is priced at $2,499 for a single license purchase and is available today via electronic distribution directly from VMware. Premium support at the Silver, Gold and Platinum levels is available on a per-incident basis or via subscription. Packaged versions of GSX Server will be available from VMware and from selected resellers and distributors imminently.
BETHESDA, MD, January 3, 2001 - OTG Software, a software developer of online storage, data access and email management solutions, today announced DiskXtender for Linux, new storage software that supports the Red Hat Linux platform. This new product aims to enable true heterogeneous and centralized storage management. OTG is now further extending its expertise in Windows 2000/NT storage systems to Linux, building on its recent announcement of DiskXtender for UNIX.
This month I improved my little script so that it does about half the work (the part that becomes the mailbag and Tips) much more efficiently. I even managed to get things back to a level where I can split the messages back out as separate files again.
Outside of this stuff, one thing on my mind is, how well supported will those new slim Apple notebooks be under Linux for the PPC platform? I hear they finally have a decent battery life, plus, they've got a really nice tough shell. I need that. I'm pretty hard on my stuff. Just ask my Magio.
Oh yeah. Can't do that, I haven't finished making it use Speak Freely yet. Sigh. I'm sure it's not supposed to be very hard, but there's no decent checklist out there. So, it can't talk to you quite yet!
Earlier this week, Mike asked if I could have my script format the Gazette Matters section, since I was doing 2 of the 3 other parts, and he's got an armful of articles. We've both had to defer some of the items until next issue ... Next month is going to be pretty tasty! Meanwhile we hope you enjoy what we've got in here for you.
So, since I didn't have time for a cool editorial (and I missed LWE), here's the backside scoop on how we select where messages end up:
Here it is.
There's one letter where the guy gives a long explanation about his install. I'm not sure if it belongs in the Mailbag or Tips.
[got your attachment on this one]
If he's telling the rest of us his successful answer, but it's really long (e.g. more than 2 lynx pages), I put it in TAG with a bangbubble. That's what happened to our SuSE/NFS fellow.
If shorter, and especially if he has some good insightful item that's enough to absorb there, it goes in Tips. Oh yeah, I don't count script length too much against people.
If he has a gnarly question I think the Gang would have trouble with too, it goes in Wanted. "I'd like to see an article on..." also goes in Wanted, including if that's my own thought sponsored by some question that came through. This is a massively reduced subset of the unanswered souls - I just like to give the readership a flavor of some of the stuff we have overflowing.
If it's a kudo thanking us 'cuz some past issue helped him nail it, it goes in mailbag... possibly edited, but not usually. (mild kudos with lots of tip or answer go in tips or tag respectively.)
Otherwise it goes back in the float, and maybe Jim and I will give a shot at answering it, or maybe he loses the TAG lotto. We don't promise to answer everything. Once in a long while Jim gets bitten by the answer bug and decides to clean out a bunch of backlog, but I don't see that happening for at least a couple of months.
To be perfectly honest, Jim's better at keeping the lost ones together, and I'm better at keeping track of which month they came in, but that's a natural side effect of the way we each work on the messages.
I don't know how Ben and the rest keep track of what they like to answer, but as long as it all flows by my desk, everything works great.
[ and if I don't have enough time for it, that's gonna be The Blurb. :D ]
... and of course, Dear Reader, you know that that's exactly what happened. That fellow's message is long, but he just decided that he couldn't give us enough kudos if we didn't see the voyage of discovery he travelled with LG. So it stayed right where it is, and this is The Blurb.
Not Linux of the month for me:
On our local radio show two mornings ago - the PG&E building is right across the street from the station - the hosts noticed that it's "lit like a Christmas tree": every floor, completely on. Except the lobby area, where people would normally come in to pay bills. So... PG&E in California can't pay their bills to buy us enough power, but they haven't ordered their cleaning crew to change its habits about leaving all the lights on in their buildings.
But Jim says Walgreens is a lot easier on the eyes now that they only use a third of the lighting. Just remember -- computers don't eat much!
Enjoy.
From Matthew Keller
Answered By Mike Orr, Heather Stern
Ok, so this is probably a trivial problem, but it's one I've had for years. If I have 3 Ethernet devices (eth0,eth1,eth2), I want to be able to tell Linux WHICH one I want to be which. If they are of different kinds (or at least have different drivers) I can fool Linux by specifying them in /etc/conf.modules (or modules.conf for RH7 users) and defining which card gets which name. How do I do that if they're all the same kind?!
[Mike] I've tried to do that before too, but I haven't found a way. It seems like a glaring omission. I just use different brands of cards, and then I can decide which order to insmod the modules in. Obviously, each card is attached to a different network, and it's important to know card X is eth0 so you can configure the right card for the right network.
The worst part is, if the first card is removed or fizzles out, the second card becomes eth0, and your startup script will initialize the wrong card, and presto, no network.
You may find they get detected in order of hardware address. PCI slots have fixed addresses, so you may be able to move the cards among different slots and get the order you want.
(If they were ISA cards like the 3C509, you would use the DOS program 3C5X9.EXE to set the hardware address on each card. Other ISA cards you would set jumpers on, if you're lucky enough to find documentation about which setting is which! Dunno about plug n play, but on the 3C509 you can turn off plug n play using the same program. You could also use LILO's "ether=" parameter to specify which order you want the hardware addresses probed in.)
What brings this to mind now, is that I have a new server, fresh install, one on-motherboard Intel NIC and 2 PCI NIC's. Linux picked the first PCI NIC to be Eth0, the second to be Eth1 and the on-board to be Eth2, and I'm just demented enough to argue with it.
Matthew Keller
[Heather] Well, I don't know, but in the Linux source tree under /Documentation/networking/net-modules.txt several common options are described for explicitly setting options such as the I/O address rather than allowing autoprobing. It also says that for many cards, stating the options explicitly is better than autoprobing anyway. But the important part is that it directly addresses part of the question... namely, how one would use two cards with the same driver, because at least under the 8390 family (cheap old cards, such as ne2000):
In many cases it is highly preferred that insmod:ing is done ONLY with defining an explicit address for the card, AND BY NOT USING AUTO-PROBING!
...
8390 based Network Modules (Paul Gortmaker, Nov 12, 1995)
--------------------------
(Includes: smc-ultra, ne, wd, 3c503, hp, hp-plus, e2100 and ac3200)
The 8390 series of network drivers now support multiple card systems without reloading the same module multiple times (memory efficient!) This is done by specifying multiple comma separated values, such as:
insmod 3c503.o io=0x280,0x300,0x330,0x350 xcvr=0,1,0,1
The above would have the one module controlling four 3c503 cards, with card 2 and 4 using external transceivers. The "insmod" manual describes the usage of comma separated value lists.
It is *STRONGLY RECOMMENDED* that you supply "io=" instead of autoprobing. If an "io=" argument is not supplied, then the ISA drivers will complain about autoprobing being not recommended, and begrudgingly autoprobe for a *SINGLE CARD ONLY* -- if you want to use multiple cards you *have* to supply an "io=0xNNN,0xQQQ,..." argument.
Therefore, I'm not certain, but it would be worth the experiment: io=0xXXX,0xYYY and irq=X,Y parameters (where these X's and Y's represent the values for each card respectively) should allow you to make it honor two cards explicitly rather than autoprobing them. If you succeed at that, try swapping card "X" and card "Y" in the settings and see if they switch places in the ethN ring. And in any case you should be able to get the right values for these from your logs, because you said you have the system detecting all 3 cards.
If they were really ISA cards with plug-n-play and/or jumpers, the isapnptools would be the next place I'd look.
I took the lazy route; I have a tulip and a 3com card in my dual ethernet system. With it that way, I can even tell the system to not even automatically bring these interfaces up, and explicitly bind the given drivers into the pre-up and post-down, at least on debian. In SuSE I have it mentioned in modules.conf:
alias eth0 3c59x
alias eth1 tulip
From Antony, in issue 61 (TAG q.#12)
Answer By Mitchell Bruntel
Hi, I recently attempted to install Linux Mandrake, but I did it wrong and now Windows has been deleted and Linux won't work. All I want to do is delete Linux so I can reinstall Windows and be happy again. I can't even install Windows at the moment because Linux is taking up too much room on the hard drive. Mum is heaps annoyed as she can't use the computer, so can you please help me quickly? Thanks
[Mike] Hmm, three questions about uninstalling Linux in two days. I wonder what that means.
Doesn't the Windows setup program allow you to repartition your disk as part of the process? If not, that's a big omission.
Anybody here use Mandrake? Does it come with a boot floppy that can be used as a rescue disk? If so, you should be able to boot from the floppy, press Alt-F2 to go to the second virtual console, run "cfdisk" or "fdisk" and delete the Linux partitions (or all the partitions), and then reboot and run the Windows install program.
[Mitchell] Yes:
3 emails, 2 answers, not too bad I guess...
[Mike] No, I mean the fact that three separate people wrote in to TAG all in the same month wanting help uninstalling Linux, and does that mean there's been a sudden upsurge in uninstalls on a larger scale?
[Don] No, it just means that Linux installs are now easier than Microsoft Windows installs.
When Linux installs were harder, anyone who was knowledgeable enough to get Linux installed could also install Microsoft Windows over it and blow it away (including fdisk if necessary).
Now that Linux installs are really easy, you don't need to know anything about MBRs and partitions to get Linux going on your machine. But you do need to know something about PCs at the sub-OS level to get other OSs installed.
(I'm just waiting for somebody to write a Linux installer as a macro virus... Linux fora will be swamped with angry users of other, insecure OSs and we'll all have to take off to Costa Rica for a year or so.)
Any technology distinguishable from magic is insufficiently advanced.
[Mitchell] Windows, depending on the version, either does a reinstall (upgrade) or will format your disk (new PC version only). Mandrake DOES have a boot floppy that is bootable, and you CAN do fdisk!
Mitch Bruntel
(16 yrs of desktop and UNIX experience...later)
From Jane Liu
Answered By Mike Orr, Ben Okopnik, Dan Wilder
I have a question about the rm command. Would you please tell me how to remove all the files except certain files, like anything ending with .c?
[Mike] The easiest way (meaning it will work on any Unix systems anywhere), is to move those files to a temporary directory, then delete "everything", then move those files back.
mkdir /tmp/tdir
mv *.c /tmp/tdir
rm *
mv /tmp/tdir/* .
rmdir /tmp/tdir
[Ben] The above would work, but seems rather clunky, as well as needing a lot of typing.
[Mike] Yes, it's not something you'd want to do frequently. However, if you don't know a lot about Unix commands, and are hesitant to write a shell script which deletes a lot of files, it's a good trick to remember.
[Ben] It's true that it is completely portable; the only questionable part of my suggestion immediately below might be the "-1" in the "ls", but all the versions of "ls" with which I'm familiar support the "single column display" function. It would be very easy to adapt.
My preference would be to use something like
rm $(ls -1|grep -v "\.c$")
because the argument given to "grep" can be a regular expression. Given that, you can say things like "delete all files except those that end in 'htm' or 'html'", "delete all except '*.c', '*.h', and '*.asm'", as well as a broad range of other things. If you want to eliminate the error messages given by the directories (rm can't delete them without other switches), as well as making "rm" ask you for confirmation on each file, you could use a "fancier" version -
rm -i $(ls -AF1|grep -v "/$"|grep -v "\.c$")
Note that in the second argument - the only one that should be changed - the "\" in front of the ".c" is essential: it makes the "." a literal period rather than a single-character match. As an example, let's try the above with different options.
In a directory that contains
testc
test-c
testcx
test.cdx
test.c
".c" means "'c' preceded by any character" - NO files would be deleted.
"\.c" means "'c' preceded by a period" - deletes the first 3 files.
"\.c$" means "'c' preceded by a period and followed by the end of the line" - all the files except the last one would be gone.
Here's a script that would do it all in one shot, including showing a list of files to be deleted:
See attached misc/tag/rmx.bash.txt
[Dan] Which works pretty well up to some limit, at which things break down and exit due to $skip being too long.
For a less interactive script which can remove inordinate numbers of files, something containing:
ls -AF1 | grep -v /$ | grep -v $1 | xargs rm
allows "xargs" to collect as many files as it can on a command line, and invoke "rm" repeatedly.
It would be prudent to try the thing out in a directory containing only expendable files with names similar to the intended victims/saved.
[Ben] Possibly a good idea for some systems. I've just tried it on a directory with 1,000 files in it (created just for the purpose) and deleted 990 of them in one shot, then recreated them and deleted only 9 of them. Everything worked fine, but testing is indeed a prudent thing to do.
[Dan] Or with some typists. I've more than once had to resort to backups due to a slip of the fingers (the brain?) with an "rm" expression.
[Ben] <*snort*> Never happened to me. No sir. Uh-uh. <Anxious glance to make sure the weekly backup disk is where it should be>
I just put in that "to be deleted" display for, umm, practice. Yeah.
<LOL> Good point, Dan.
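The three patterns from Ben's five-file example, and Dan's xargs form for large directories, exercised against a throwaway directory. This is an added script, not code from the thread: the five filenames are the constructed ones above, and "ls -p" is used instead of "-F" because "-F" also appends "*" to executables and "@" to symlinks, which would defeat a "\.c$" anchor. The pipeline still splits on whitespace, so names containing spaces or newlines need "find ... -print0 | xargs -0" instead.

```shell
#!/bin/sh
# Added example, not from the thread above: runs Ben's three patterns and
# Dan's xargs form against a scratch directory containing the five constructed
# filenames, so the behaviour can be checked without risking real files.

# Create a scratch directory holding the five test names from the thread and
# print its path.
make_scratch() {
    dir=$(mktemp -d)
    for f in testc test-c testcx test.cdx test.c; do
        : > "$dir/$f"
    done
    echo "$dir"
}

# Number of plain files in $1 that match pattern $2 (the ones "grep -v" keeps).
# "ls -p" marks only directories (with "/"), unlike "-F", which also appends
# "*" to executables and "@" to symlinks and would defeat a "\.c$" anchor.
count_matches() {
    ls -Ap1 "$1" | grep -v '/$' | grep -c "$2"
}

# Delete every plain file in $1 except those matching $2. xargs batches the
# names so a directory with tens of thousands of entries still works (Dan's
# point). Prints the number of entries left afterwards.
delete_except() {
    (cd "$1" && ls -Ap1 | grep -v '/$' | grep -v "$2" | xargs rm -f)
    ls -A1 "$1" | wc -l | tr -d ' '
}

# Demonstration: show how many of the five names each pattern keeps, then
# delete everything except the *.c file.
demo() {
    d=$(make_scratch)
    for p in '.c' '\.c' '\.c$'; do
        printf '%-6s keeps %s of 5 files\n' "$p" "$(count_matches "$d" "$p")"
    done
    printf 'after delete_except "\\.c$": %s file(s) remain: %s\n' \
        "$(delete_except "$d" '\.c$')" "$(ls -A1 "$d" | tr '\n' ' ')"
    rm -rf "$d"
}

demo
```

Run it as-is to see the counts (5, 2 and 1 kept respectively), then point "delete_except" at a real directory only once the pattern has been checked this way.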
Thanks a million! It worked.
I have another question: My shell script is in a file called hw1d.sh. When I run sh hw1d.sh, the output shows on the screen. But the command details won't show. Is there a way I can capture the detailed command lines and output at the same time?
[Ben] For one thing, you shouldn't be running your script as "sh ..."; simply make it executable via "chmod +x <scriptname>" and run it. Other than that (I think I understand what you're asking here), you can add "-v" to the hashbang line so it looks like this -
#!/bin/bash -v
This will print out each line as it is read.
[Mike] Or -x, which is what I use. They do slightly different things. Consider this program.
#!/bin/bash -v
TOWHOM="world"
echo "Hello"
echo $TOWHOM
# This is a comment.
Now running it:
$ ./hello.sh
#!/bin/bash -v
TOWHOM="world"
echo "Hello"
Hello
echo $TOWHOM
world
# This is a comment.
Now change -v to -x and run it.
$ ./hello.sh
+ TOWHOM=world
+ echo Hello
Hello
+ echo world
world
The variable was expanded, there's a "+ " before each program line, and the comments are omitted. It looks like -v shows the commands before they're interpreted and -x shows them after.
[Ben] For more details on shell scripting, see my "Introduction to Shell Scripting" articles in LG53-57 and 59.
He got the issue numbers wrong, but no sense worrying about that, here they are. -- Heather
Thanks!
For practice purposes, I created a file called -cfile and tried to rename it to cfile. I figured out one way:
>cat <\-cfile >cfile
But I just couldn't delete the old file -cfile, because the shell always interprets it as an option. Is there a way I can do this?
[Dan] Yes.
rm -- -cfile
From "man rm":
GNU STANDARD OPTIONS
[ ... ]
-- Terminate option list.
[Ben] Given that "there's more than one way to do it",
rm ./-cfile
also works. As you have found out, it's not a good idea to create filenames with non-alphanumeric characters at the beginning: just because you can, really does not mean that you should...
While it's normally the practice here to state who's asking and who's answering, on this issue, that itself was a hot topic.
While answering "A rather unique query" last month, Mike dispensed some common wisdom... which has, it seems, become unwise, at least unless you are exceedingly careful of the context.
Thanks to Michal Jaegermann from the kernel list for bringing it to more serious attention (can we say flame war here in the land of curmudgeons? knew ya could), everyone from the Gang who hopped in, and, especially, Breen Mullins and Dan Wilder for providing clearer detail into the nature of the problem. And my apologies to anyone who feels a need to get grumpy that I ruined all concept of timeline in this thread, in favor of clarity to the readers.
Distro vendors and anyone who tends to build themselves kernels of different vintages (mixing 2.0 with 2.2, etc) should pay special attention.
[Mike] This is the normal Linux convention. Actually, you can place your build tree anywhere, but you should make /usr/src/linux a symlink to it so that the compiler will find the include files.
[Michal] Actually no, you SHOULDN'T!! Please do not spread incorrect information in TAG or Linus will come and haunt you for the rest of your lives.
I'll spare the readership the flame war on his flight into hyperbole. -- Heather
[Mike] (Is this [headers in /usr/src/linux/include/] still required now that glibc has its own kernel headers?)
[Michal] Headers in /usr/include/linux are "private" but these should be those headers which were used in a compilation of your libraries (notably glibc), and hacking around with a link in /usr/src is a mistake, as Linus has tried to explain many times - sometimes quite forcibly. Headers used in a kernel compilation are NOT searched for in subdirectories of /usr/src/linux but are specific to a kernel version and can be drastically different between different versions, or at least you do not have any guarantees that they are not. If you happen to have sources to one of the 2.2 kernels and one of the 2.4 kernels, then what is the /usr/src/linux link supposed to mean?
Good question... building a kernel vs. building other things, this link does or doesn't exist or is real instead of a link; some other link named "build" in the modules subtree does or doesn't exist, and if it does, what's a good link look like? [hot topic compression algorithm, kinda lossy but hopefully sufficient.]
[Mike] OK tag, what do you think? Is it time to stop linking /usr/src/linux to /usr/src/linux-VERSION ?
[Michal] AFAIK this time was at least like two years ago. Some things just have a big inertia.
[Breen] That does seem to be the official answer.
From the 2.4.0 release, in linux/README:
INSTALLING the kernel:

- If you install the full sources, put the kernel tarball in a directory where you have permissions (eg. your home directory) and unpack it:

gzip -cd linux-2.4.XX.tar.gz | tar xvf -

Replace "XX" with the version number of the latest kernel.

Do NOT use the /usr/src/linux area! This area has a (usually incomplete) set of kernel headers that are used by the library header files. They should match the library, and not get messed up by whatever the kernel-du-jour happens to be.
[Dan] Yes. No. Maybe.
Many userland programs need (or think they need) kernel includes. They usually get these through /usr/include/asm and /usr/include/linux, which are often themselves symlinks:
/usr/include/asm -> /usr/src/linux/include/asm
/usr/include/linux -> /usr/src/linux/include/linux
Perhaps this is wrong, and either
In the one case, the application developers are at fault, and should be told to mend their ways. In the other, blame the distributions.
[Michal] Debian has not provided bad links for a long time. Red Hat also recently caught itself on a mistake. I do not know the details of other distributions, but if they have not fixed that already then likely they will soon.
Some source packages indeed search for /usr/src/linux for configuration purposes. If this is not just a default which could, and should, be adjusted then they are simply wrong. Current 2.2 kernels will install a 'build' link in their /lib/modules subdirectory to indicate where the sources for a given version are/were. This is not foolproof either but still better than the alternatives.
[Dan] In either case the poor end user can't be faulted for tolerating those links into the kernel source. The conscientious user might be praised for complaining to the program maintainer.
Recent application source trees exhibiting things like
#include <linux/...
include (just for starters) autofs, cdrecord, DOSEMU, gnupg, kde, mysql, ntp, pgp, procps, python, samba, util-linux, wu-ftpd.
Perhaps we need a userland API? oh yeah, right, got that, called glibc. Sigh. I think we can grant that procps has to know what /proc is really up to, though.
[Dan] Or maybe we just say there exist, though perhaps there should not, applications that depend on kernel version. And they pick that up through symlinks into the kernel source tree.
[Mike] None of my systems have ever had a /usr/src/linux directory at all. (Otherwise, I would not have been able to make the symlink without erasing stuff first.)
So the thread at the end of this month still carries some questions:
[Dan] What's a poor user to do?
At the very least, folks, while you're building new kernels out there, here's a few safety tips:
depmod -a -F /path/to/correct/System.map
If anyone has some good checklist points to look out for when compiling userland apps, or a clearer description of what's going on in glibc's tiny brain when it reaches for "headers", let us know!
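One concrete way to answer "what's a poor user to do?" is to check a box for the two things this thread turns on: whether /usr/include/linux or /usr/include/asm are symlinks into the kernel source tree (the arrangement the 2.4.0 README quoted above warns against), and whether the running kernel's modules directory carries the 'build' link Michal mentions. The script below is an added example, not anything from the Gang; it takes the filesystem root as a parameter so it can be tried on a constructed scratch tree before being pointed at "/", and the version "2.4.0" in the scratch tree is just the one the thread quotes.

```shell
#!/bin/sh
# Added example, not from the thread: audits a filesystem root for header
# symlinks into the kernel source and for the per-version 'build' link.
# Takes the root as $1 so it can be run against a scratch tree or against "/".

# Classify usr/include/linux or usr/include/asm under root $1 as one of:
#   symlink-into-kernel-src  (the arrangement the kernel README warns against)
#   symlink                  (a link, but pointing somewhere else)
#   dir                      (a real directory, as a libc package installs)
#   missing
classify_include() {
    p="$1/$2"
    if [ -L "$p" ]; then
        case "$(readlink "$p")" in
            *src/linux*) echo symlink-into-kernel-src ;;
            *)           echo symlink ;;
        esac
    elif [ -d "$p" ]; then
        echo dir
    else
        echo missing
    fi
}

# State of lib/modules/$2/build under root $1: "ok" if it resolves,
# "dangling" if it is a link to nowhere, "absent" if there is none.
build_link_state() {
    link="$1/lib/modules/$2/build"
    if [ -e "$link" ]; then
        echo ok
    elif [ -L "$link" ]; then
        echo dangling
    else
        echo absent
    fi
}

# Report on both include directories; returns non-zero if either one is a
# link into the kernel source tree.
audit_root() {
    rc=0
    for inc in usr/include/linux usr/include/asm; do
        state=$(classify_include "$1" "$inc")
        echo "$inc: $state"
        if [ "$state" = symlink-into-kernel-src ]; then rc=1; fi
    done
    return $rc
}

# Constructed scratch root reproducing the symlink layout quoted above
# (absolute link from /usr/include/linux into /usr/src/linux, which is
# itself a link), plus a proper 'build' link for the modules directory.
make_bad_root() {
    r=$(mktemp -d)
    mkdir -p "$r/usr/src/linux-2.4.0/include/linux" "$r/usr/include/asm" \
             "$r/lib/modules/2.4.0"
    ln -s linux-2.4.0 "$r/usr/src/linux"
    ln -s /usr/src/linux/include/linux "$r/usr/include/linux"
    ln -s ../../../usr/src/linux-2.4.0 "$r/lib/modules/2.4.0/build"
    echo "$r"
}

# Demonstration against the scratch tree; on a real system call
# "audit_root /" and "build_link_state / $(uname -r)" instead.
scratch=$(make_bad_root)
audit_root "$scratch" || echo "scratch tree has links into the kernel source"
echo "build link for 2.4.0: $(build_link_state "$scratch" 2.4.0)"
rm -rf "$scratch"
```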
A few of the Answer Gang this month have a special interest in seeing the quality of the incoming questions improve. In good humor, here are some ways to bump up your chances in the "Answer Gang might notice my message and answer me" lotto.
From Querents Everywhere
Answered By Ben Okopnik, Heather Stern
From comp.unix.security's newest reader
Answered By Jim Dennis
[Ben] And Now, Cometh The Rant. Not to worry - it's not directed at anybody; this is just a personal peeve that addresses a common problem, here, in various places on Usenet, in tech support, etc. It also seems to be prevalent in the Linux community at large, and that's a trend I'd like to reverse, or at least contribute to slowing down.
Note that I speak only for myself - neither LG nor the rest of the Answer Gang have contributed their opinions to this (though they'd be more than welcome.)
Being part of the Answer Gang, as well as the Alpha Geek and Supreme Guru in other venues, I get questions about Linux, Life, and the Universe almost daily. Usually, the questions fall into one of two categories:
"Hi, I want to know about [Linux, brain surgery, love, astrophysics]."
"Hi. I have a Pentium 266/64MB/6.4GB running Debian Linux 2.2. I've just installed Mutt (version 1.0.1i) with PGP support built in - I double-checked by running "mutt -v", and it does. I'm getting a message - here, I wrote it down - it says "pgp: ^GRequires a later version", and I can't read the PGP-encoded e-mail that was sent to me. I've checked the PGP site at MIT and I do indeed have the latest version, 2.6.3a-7. Could you help me?"
My response to the first type, if indeed I do make one, is "Go away." My response to the second one is "Marry me!!!" (this has required building a much larger house, but never mind. There are very few of the second kind, anyway.)
The presumption in the first type is extremely annoying. It has driven a number of people, some of them True Gurus of their respective crafts, off Usenet and into virtual e-mail seclusion. There are many, many people out there who think nothing of asking a person they don't know to put in hours of work - it's one of the unfortunate side effects of easy communication provided by Net access. I would suggest that these folks walk into a lawyer's office and demand free help. (I would actually enjoy being a fly on the wall at that conference, short and loud as it may be.) There are indeed a number of us willing to provide free help - but in general, leeches and time moochers aren't welcome. Making sure you aren't one isn't that difficult - it simply takes consideration and common sense.
So, rather than ranting on about the manifold evils of this, let me contribute something substantial here: to wit, a checklist. This applies to TAG questions - and hopefully, to other issues. May it lead to greater consideration for others, a more harmonious life on the Net, and eternal World Peace. Or at least fewer wives and a smaller house.
[x] I have tried my best to resolve this problem with the knowledge and tools that I have at hand.
[x] I have tried my best to extend my understanding of the problem by studying the list of of Linux HOWTOs, searching the Net for relevant keywords, and scanning past issues of LG.
[x] I have performed the above two steps at least twice, in that order.
[x] Now that I can proceed no further, despite all my study and effort, I have done my utmost to put my question into a clear, understandable form. This also means that I have given all applicable information, have been specific about version/type/machine specifics, etc.
[x] I have also considered ways in which other people may misunderstand my question, and have rephrased it to avoid those misunderstandings. I have also used a spellchecker, lest my meaning be unclear in that manner.
[x] I have used the sacred 40 characters of "Subject" wisely, not wasting them on garbage like "NEWBIE NEEDS HELP!!!!" but thoughtfully choosing a good introduction, like "gcc dies with sig11 on kernel compilation".
[x] Only now have I hit the 'send' key. If someone expends their valuable time and effort to help me, I shall show my gratitude, if and when I am able, by helping others as I have been helped.
Selah.
There. Saving the world in seven easy steps. What more can you ask for?
[Heather] My own rant comes courtesy of a querent who sent his mail in every single month until we answered him. Being the second month in a row that happened I figure, it's time to say something about it.
A fair percentage of the Linux world reads our stuff. Every month. You really don't want to know how many questions we get. Our Senior Editor has mentioned that about 28% of the stuff we get is spam.
This is after you consider our procmail defenses; some of the lint trap contents *aren't* spam, it's questions for the Gang, and our sysadmin eventually forwards those to us. (Poor guy. Dan not only reads TAG and answers stuff, he keeps our lists running, our web servers humming, and has to read through all our spam in case it might be a real question. Sigh.)
Of the stuff that isn't "real" spam, I'd say well over 10% is questions which are not about Linux at all. Sometimes not even about computers! (I've stopped publishing any offtopic stuff unless more than one of us thinks it ought to go in.) The remainder is still huge.
So, we can't promise to answer every single question -- and we can't anyway. So while I have to hand it to this guy for his perseverence in the face of silence... we still can't promise to answer every single question!
But I will add for the benefit of those who send us the tricky ones and hope that we'll help them out, that the following features in his mail seriously delayed this fellow's answer:
- He used almost no paragraph structure. Even if he'd gotten the paragraphs a little wrong, it would have made the question easier to read.
- He sent it as inline HTML... not even plaintext plus an attachment. Most mailers under Linux do NOT deal with inline HTML automatically, and the combination meant his mail remained unanswered. Sadly, a lot of spam does this - you might get deleted out of hand by the Answer Gang when it arrives in our mailboxes, if we're just too overloaded to deal with that sort of mail.
During formatting of this month's mail I have noticed a nasty trend: some webmail accounts, but almost every Outlook Express mail, has come in as "quoted printable". Now this is a mail encoding that is supposed to exist to protect special text ... say, something written in Spanish ... from being mangled by the mail routers or cheap mail clients while being bounced around. (Hi Felipe!) However, when neither the original mail nor the HTML version has such weird characters, it only serves to annoy the heck out of my scripts.
I have to give credit to a lot of our querents this month who didn't get answers - for many it's not because you've failed at Ben's suggestions, but we of the Gang either didn't feel adept at tackling your question this time around, or we were all busy helping others.
So add to your checklist...
[x] If my message is long and rambly I will insert blank lines when I am changing thoughts. If it's hard for you, you can try a blank line between each of these:
- what type of system and linux I have
- what I'm trying to do
- how it's screwed me up so far
- things I tried to look up so I could fix it
- guesses at what next, and thanks for any clues.
[x] I have turned off the HTML attachment since it sends 3 or 4 times as many bits, and doesn't help when it gets there. I am sending plain ASCII text. (I'm not, however, afraid of using smileys and unhappy faces to express cheer and frustration.)
[x] If I am writing in a foreign language I will use quoted printable to defend my homeland's letterset from being mangled, and if I know any English at all I will translate it myself rather than wait a month or so extra for the translators to get to my mail.
Proof that Jim D. doesn't just pick on Linux users when he gets churlish.
In this message he responds to a clueless message in the comp.unix.security newsgroup. Despite his early sarcasm, he later provides a wealth of advice to newbie Solaris sysadmins and shows, once again, that "It's all just UNIX."
Newsgroups: comp.security.unix
Subject: Re: Help
References: <9377cp$r4t$1@newton3.pacific.net.sg>
Followup-To:
In article <9377cp$r4t$1@newton3.pacific.net.sg>, May Hu wrote:
I'm new to Solaris, can some experts help me with security matters in the Solaris Platform on SUN SPARC.
[JimD] I'm new to the field of medical science. Can some medical doctor help me with disease prevent on the human body.
What are the paths to pay attention to?
[JimD] What are the limbs and organs that I should pay attention to?
What are the logs or system logs do I require to checked or backup?
[JimD] What are the vital signs that should be checked or monitored?
What are the things to pay more attention to in the Solaris platform?
[JimD] What are the things to pay more attention to in Homo Sapiens (as opposed to other mammals)?
What are the things to backup for system recovery, if there's any?
[JimD] How would I restore a terminally ill patient?
Hope to get some replies from any of you out there who are familiar with the platform.
[JimD] I'm hoping that someone here can make me a doctor in a USENET posting. I'm not going to give you any clues as to my background, so you won't know if I've taken high school biology, undergraduate pre-med, or even a Red Cross first aid course. I won't go out to a book store and read a few books on medicine, biology, nursing, or anything like that --- or if I have read any of them I won't mention it so YOU'LL HAVE TO EXPLAIN IT ALL TO ME FROM SCRATCH!
Thanks May
[JimD] May, are you starting to get the idea of how absurd your questions are? Broad expertise is not something that can be imparted in a few hundred lines of Internet posting. Your questions are not specific enough for a real expert to answer in a reasonable space (whole books are written on each of these topics).
So, let's try this:
Go get Unix System Administrator's Handbook by Evi Nemeth et al. (3rd Edition, Prentice Hall) --- that's commonly called the "Grape Book" because the cover is purple. The first two editions were widely referred to as "the cranberry book" because the first had a cartoon with a reference to a cranberry patch on it and the second had a modified version of that cartoon (no patch) but was a dark red color that is reminiscent of cranberry juice.
Read it! USAH is not Solaris specific, but it should give you a good overview of UNIX systems administration.
While you're at the book store, get a copy of Essential System Administration (Aeleen Frisch, O'Reilly & Associates, 2nd Ed). This is often called "The Armadillo Book" because, in the O'Reilly tradition, it has a woodcut styled picture of an armadillo on the cover.
Read it! It is also not Solaris specific. See the penultimate (next to last) paragraph.
If I haven't irritated you enough, pick up a copy of my book, Linux System Administration (M Carling, Stephen Degler, and Jim Dennis (me)). It's also not about Solaris, but most of what it says is applicable to all UNIX platforms. My book doesn't duplicate much of what you'd find in Nemeth or Frisch. I wrote it in a context of having read those (and many others) and specifically avoided covering the topics that were adequately covered in the more basic books.
After you have a thorough grounding in systems administration, then you can learn a bit more specifically about UNIX security and then you can focus on Solaris security. If you find a shortcut that's really effective, let us know. However, you should expect to read about a half dozen fairly large books from cover to cover. There will be a test (every day on the job is a bit of a test in our field).
There is an interesting online UNIX SysAdmins Independent Learning (USAIL) project at Indiana University:
http://www.uwsg.iu.edu/usail
It seems to be a reasonable place to learn a bit of our craft. There are chapters that relate to each of your questions, and there are self-quizzes you can take using any web browser (even Lynx, which is still my favorite; all of the URLs in this posting were checked in Lynx as I was writing it --- most were yanked in from my Lynx bookmarks file).
On the topic of security I'd recommend three titles to start with: Practical UNIX and Internet Security by Simson Garfinkel, and Gene Spafford (O'Reilly, 2nd Ed.), Building Internet Firewalls by Brent Chapman, Elizabeth Zwicky, and Simon Cooper (O'Reilly, 2nd Ed.) and Firewalls and Internet Security: Foiling The Wily Hacker by Steven Bellovin and William Cheswick (Addison Wesley?). I've heard a rumor that a second edition of the latter title is going to be released soon. (I've been holding out on buying a new copy; mine walked off a few years ago).
(BTW: you might have noticed that most of the books on my list are in second editions or later. I expect that my own book would also benefit from further revision --- but only time will tell if the publishers have the interest).
Read all of those. Then get a few books that are more specific to Solaris. I've read through both of Janic Windsor's books (Solaris System Administrator's Guide and Solaris Advanced System Administrator's Guide) but I mostly don't use Solaris any more. The few Solaris and SunOS boxes I ever professionally administered are fading memories.
You can find more recommended books on the topics of systems administration at:
- SAGE - General reference books for Sysadmins
- http://www.usenix.org/sage/sysadmins/books/general.html
SAGE is the SysAdmin's Guild (the "e" is silent, we stole it from /etc/resolv.conf's filename!)
Once you have a reasonable educational foundation you can make better use of online resources (like this newsgroup). Of course you should start by reading the FAQs (Frequently Asked/Answered Questions) that relate to any topic about which you are tempted to ask a question. There's a very nice collection of FAQs at the obvious URL: http://www.faqs.org (Note: www.faq.org, no "s", is some sort of lame "portal" site that makes no effort to make FAQs available, ARGH!).
Here's a few appropriate FAQs and links for you:
For this newsgroup:
- comp.security.unix and comp.security.misc FAQ
- http://www.faqs.org/faqs/computer-security/most-common-qs
On Solaris:
- Solaris 2 Frequently Asked Questions (FAQ) 1.70
- http://www.faqs.org/faqs/Solaris2/FAQ
... this one is maintained by Casper Dik, who has been quite active on netnews, particularly in comp.unix.admin, for longer than I have.
On various security topics:
- Computer Security Index
- http://www.faqs.org/faqs/computer-security
So, with all of that advice let's review your questions:
What are the paths to pay attention to?
[JimD] All of them. Actually Solaris installs a whole bunch of crap that you don't care about and will never use. However, you haven't given any details about what machines you have, or what they're doing. Thus no one in this newsgroup could know what paths you could probably ignore. (Unless this is the secret hobby of the "psychic friends network").
Since you are asking this in the context of comp.unix.security I can guess that you really intended to ask something more like:
How would I know if an attacker has compromised my system? What files are likely to be modified by a cracker?
This suggests that you'd like to install a file integrity test system or an intrusion detection system (IDS). You could get a copy of Tripwire (by Gene Kim and Gene Spafford), which started as a free tool and is now maintained as a commercial product by Gene Kim's company at http://www.tripwiresecurity.com. You could also look at AIDE (http://www.cs.tut.fi/~rammer/aide.html), which is basically a freeware clone of Tripwire. AIDE is more popular among Linux and *BSD users, but it will run on Solaris and should run on any other modern UNIX.
What are the logs or system logs do I require to checked or backup?
[JimD] I don't know. Does Solaris still use /var/adm/messages (like SunOS did)? I do know that your /etc/syslog.conf should have information that tells the system logging daemon where to store different messages from various facilities. You should be able to read that file, and its man pages to figure it out for yourself. That should work on most UNIX systems.
On most forms of UNIX you could even modify your /etc/syslog.conf to force it to copy certain types of messages to another system on your network or to a printer, through a serial line to a terminal or to another system. These sorts of customizations can provide you with a tamper resistant copy of your messages.
Setting up remote loghosts is considered to be a useful security measure. If the loghost is sufficiently hardened and dedicated it can consolidate copies of your logs and prevent the (otherwise successful) attacker from "covering his or her tracks" by editing the evidence out of the logs.
You can also create cron jobs that periodically scan your logs looking for anomalous entries, filtering out all the innocuous messages and mailing, printing or otherwise delivering the summaries to you.
In my book I give a very simple (10 line) awk script that loads a file full of patterns (regular expressions) and filters a file of all of them. It is an extremely simple anomaly detection engine. The hard part of using it is creating a list of patterns to meet your needs. Maintaining the pattern files for each of your logs is made more challenging by the fact that upgrades to your OS and other software can affect the messages that they generate.
On many UNIX systems you can look for a "logger" command (/usr/bin/logger, or /bin/logger) so that your shell scripts can easily post their own syslog messages. There are also modules and extensions to PERL, and Python (and probably others) that let you natively post messages to the system logs from scripts in those languages.
There are also replacements to the stock UNIX syslog system. So you could rip out the Solaris syslog daemon and install syslog-NG or some other package. That might offer better reliability (using TCP rather than UDP) security that conforms more closely to your needs (using encrypted tunnels for example) or more flexibility (letting you dispatch and filter based on regular expression rather than simple facility/level codes).
Obviously none of that last paragraph will make any sense until you understand how the conventional UNIX syslog system works. Go read those books and a few of the man pages on your system!
What are the things to pay more attention to in the Solaris platform?
[JimD] This amounts to a question like:
What parts of Solaris really suck?
My answer is: "I don't know. Read the FAQ." I'm an expert on Linux, and I can tell you the parts of it that can be problematic for UNIX and Solaris users as they adopt it. (For example, if you were among the few people who actually use ACLs --- access control lists --- under Solaris or some other OS, then you might find that Linux' lack of them in their standard kernels and distributions "really sucks." You might also hold that having to fetch and apply an unofficial kernel patch, rebuild your kernel, and install an extra set of utilities also "really sucks").
Again, the FAQ (and some strategic lurking in this newsgroup and on some of the mailing lists that are recommended in the FAQs) will answer that question.
What are the things to backup for system recovery, if there's any?
[JimD] Everything. Here's another case where the psychic friends might be able to help you; but where you haven't given us enough information to do so.
Recovery planning is one of the most important jobs of a system administrator. Doing backups is a part of a recovery plan, but it's ONLY A PART.
As I've mentioned in this post, I'm not a Solaris expert. I could write a 30 page HOWTO on doing Linux backups (in fact, I did, sort of; it's the latter half of chapter 3 in my book). Most of it would be the same under Solaris --- you have your choice of tar, cpio and dump (ufsdump under Solaris, I guess).
However, it is often as effective to know how to look for answers as to know the answers themselves. In this case I searched the FAQ (see above) and found that Casper had failed me. Apparently it's not frequently asked enough on the Solaris/SunOS newsgroups. There is a passing reference to the Solstice Backup documentation on the "AnswerBook" CDs that ship with Solaris. Perhaps that would be handy.
Next I went to Google. Google (http://www.google.com) is currently the best search engine on the 'net. I used the terms: solaris backup.
Here's the best couple of links I found:
- Solaris Backup FAQ/Top Ten
- http://www.ebsinc.com/solaris/backup.html
- Backup Central: Free Backup Software
- http://www.backupcentral.com/toc-free-backup-software.html
... which includes:
- Backup Central: hostdump.sh
- http://www.backupcentral.com/hostdump.html
... a general purpose full system backup script.
Obviously, I'm not a Solaris expert. Luckily Solaris is UNIX and I am pretty good at that. Most generic UNIX knowledge will serve you as well on Solaris, Linux, FreeBSD, etc as it would on a SCO or other system.
Whether the answers I've given to your specific questions make any sense depends on your background. If my references to tripwire, ufsdump, syslog facilities and levels, FAQs, man pages were confusing then you don't yet have the background to be a professional sysadmin. Go through USAIL, read the books I've suggested. If those are too advanced and confusing then try more basic ones like Mark G. Sobell's Practical Guide to Solaris (http://www.sobell.com) or Unix for the Impatient by Paul Abrahams and Bruce Larson. (Actually if USAIL is too advanced, then give up and start flipping burgers somewhere!).
Meanwhile, for your immediate needs you may want to hire a consultant to audit your current production systems, do AND TEST a full set of backups and to disable any unnecessary networking services and generally configure you system until you've learned enough to manage it yourself.
Unfortunately finding a good consultant is difficult. There are a lot of snake oil salesmen and any decent huckster can wow you with technobabble that's indistinguishable from good advice. To the untrained ear, they sound the same. I can't help you much there. (I'm not available as a consultant these days, and I wouldn't be the right person for your Solaris boxes anyway. My wife is a UNIX/Linux consultant and she does offer a "phone technical interview" service --- where she can interview your prospective consultant or sysadmin over the phone and give you an evaluation of their UNIX proficiency).
Lastly: If you're going to become a professional Solaris sysadmin you'll want to have a copy on at least one NON-PRODUCTION system. You want to be able to experiment and to break things without disrupting your real business processes. If you're sure that you want to stick with Solaris then it would make sense to participate in Sun's "Free Solaris[tm] Binary License Program" http://www.sun.com/developers/tools/solaris (although their meaning of "free" is a bit loose since their CD will cost you $75 --- and they don't let you modify/sell copies of that!).
Personally I prefer Linux, FreeBSD (and OpenBSD and NetBSD) where "free" means you can download the ISO image and burn it to your own CD, you can buy the CD sets for prices ranging from $2 to about $100, and most of those you could copy and resell if you wanted to, and you get the source code and the right to make changes and redistribute your own custom versions of the software. That's a version of "free" that seems more liberated, n'est-ce pas?
For hardware you have two choices: get Solaris x86 and install it on a PC; or get a SPARC system. You can get used SPARC systems on eBay or other online auction sites for anywhere from $50 to $200 for old 32-bit SPARC classics, IPXs, etc., to $500-2,000 for 64-bit UltraSPARC I and II systems. Caveat emptor!
So, that's the Linux Gazette "Answer Guy's" guide to becoming a Solaris security and system administration professional.
From Cole Ragland
Answered By Mike Orr
I have a Slackware machine acting as a gateway/router between two separate networks, e.g. 172.29.17.0 and 10.10.3.0. This machine is multihomed with eth0=172.29.17.19 and eth1=10.10.3.10. Packets from the 10.10.3 network cannot get past eth0. I've enabled IP forwarding, e.g. "echo 1 ip_forward", but I believe that is only for routing between subnets. How can I route between two separate networks? I'm thinking ip_chains, ipmasq, and routed (which I have to fire up manually -- if I uncomment rc.inet2 lines, the machine stalls at boot) but not sure. Thanks for your help.
[Mike] If your internal network had public IPs, you would need only IP forwarding. However, 10.x.x.x IPs are reserved for private networks, and Internet routers automatically reject them. So even if your request does go out, there's no way for replies to get back to you. The trick is to use IP Masquerading.
If you're using kernel 2.2.x, the minimal commands required in your startup scripts are:
echo "1" > /proc/sys/net/ipv4/ip_forward   # Enable forwarding between eth0 and eth1.
/sbin/ipchains -P forward DENY             # Forbid all other types of forwarding.
/sbin/ipchains -A forward -s 10.0.0.0/8 -j MASQ   # Forward and masquerade requests from 10.x.x.x and handle replies back.
This will handle ordinary TCP services. FTP, ping, irc, CuSeeme, Quake also require additional modules in order to be masqueraded.
You can also build a more elaborate ipchains ruleset to customize security.
- A similar thread is in last month's The Answer Gang.
- http://www.linuxgazette.com/issue61/lg_answer61.html#tag/5
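As an added example (not Mike's code), here is the same kernel-2.2 ipchains setup written as a script with the anti-spoofing rules a "more elaborate ruleset" would start with. Interface roles (eth0 outside, eth1 inside) and the 10.0.0.0/8 block are assumptions taken from the question; by default the script prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not Mike's code): a kernel-2.2 ipchains ruleset for the
# gateway in the question, with anti-spoofing rules added. Interface roles
# (eth0 outside, eth1 inside) and the 10.0.0.0/8 block are assumptions.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them as root.
EXT_IF="${EXT_IF:-eth0}"          # assumed external interface
INT_IF="${INT_IF:-eth1}"          # assumed internal (masqueraded) interface
INT_NET="${INT_NET:-10.0.0.0/8}"  # network to masquerade, as in the answer
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

masq_ruleset() {
    # Kernel forwarding on (the answer's first command).
    if [ "$DRY_RUN" = 1 ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    # Start from empty input/forward chains so the script is repeatable.
    run "$IPCHAINS" -F input
    run "$IPCHAINS" -F forward
    # Forward nothing unless a rule below allows it.
    run "$IPCHAINS" -P forward DENY
    # Anti-spoofing on the input chain (on the input chain, -i is the
    # receiving interface): drop and log packets arriving from outside
    # that claim an internal or loopback source address.
    run "$IPCHAINS" -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    run "$IPCHAINS" -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l
    # ... and packets on the inside interface with a non-internal source.
    run "$IPCHAINS" -A input -i "$INT_IF" -s ! "$INT_NET" -j DENY -l
    # Masquerade internal traffic only when it leaves via the external
    # interface (on the forward chain, -i names the outgoing interface).
    run "$IPCHAINS" -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    # FTP needs its masquerading helper module, as the answer notes.
    run /sbin/modprobe ip_masq_ftp
}

masq_ruleset
```

Logged denies from the two input-chain rules show up in the kernel log (syslog), which is where a spoofed or misrouted packet would first be noticed.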
From Robert Campbell
Answered By Ben Okopnik
I am trying to install an ess1869 sound card, and I have read in a lot of places that the card works with Linux, but I cannot find the module that looks right for it... I want to know where I can download the module for the ess1869 sound card, and is there a site that is dedicated to Linux modules and drivers so I can download others from there when needed?
[Ben] Linux does indeed support ESS sound cards, including the ESS1869. Unfortunately, your question, as phrased, is impossible to answer - modules are not "downloaded", they are created as part of the kernel compilation. Chances are high that your "stock" kernel comes with the necessary modules; if not, recompiling the kernel is not a difficult process. See the Kernel-HOWTO.
When you say that you "cannot find the module that looks right for it", what do you mean? I'm not aware of any physical characteristics that would make a module "look wrong" - what criteria are you using? In any case, the module that "looks right" to me, in this case, is 'sb', the SoundBlaster module. I would suggest downloading my "shotgun" script that was published in the current issue of LG as "2-cent tip - module resource detection" and running it with 'sb' as a parameter; if one of the listed switches is "esstype", then ESS support is compiled in, and you simply need to load 'sb' (as well as the modules that are necessary to support it). In case of problems, I would suggest reading the extensive comments in the source code (/usr/src/linux/drivers/sound/sb_ess.c). Hint: search for the word 'esstype'.