From jason at hostedlabs.com Sun Dec 2 12:41:37 2007
From: jason at hostedlabs.com (Jason Rexilius)
Date: Mon Dec 3 11:34:53 2007
Subject: [LUNI] BARcamp Updates - Events, Jobs
Message-ID: <4752FC61.5040706@hostedlabs.com>

Hi Everyone!

Another update about upcoming events and some other good stuff!

###################

This Thursday 12/6/07, 6pm @ Debonair Social Club, 1575 N Milwaukee Ave in Wicker Park... Ignite-Chicago!

Sean Harper is putting together a great winter-time event, a little more organized than BARcamp ;-)

Ignite Chicago is a small conference, free and open to the community, built around 5 minute presentations that include 20 slides each (allowing for 15 seconds / slide).

http://ignite-chicago.org/
RSVP at http://upcoming.yahoo.com/event/309951

###################

Also wanted to tell everyone about some great jobs out there:

HostedLABS (my company) is hiring a CTO, Software Engineers, and PHP developers. Will be at Ignite, would love to chat with people there!

Tribune is hiring some SAs, DBAs and QA folk (work on Metromix).

Harvest Trading is looking for a Unix SA.

Ludorum is looking for a Director of Technology.

Take a look at the Job Board (and feel free to post yours, it's free for everyone): http://barcampbeta.jobcoin.com/

###################

Last tid-bit... Seems most people who replied wanted (2) BARcamps per year. I am thinking seriously about that but think that perhaps doing Winter and Summer would be good timing for not conflicting with other BARcamps. Also winter is kinda dead ;-)

Anyone have any last opinions on the 1 or 2 BARcamps per year question?

Take care and see you all at Ignite this Thursday!

-jason


From mswier at yahoo.com Mon Dec 3 15:49:14 2007
From: mswier at yahoo.com (Mike Swier)
Date: Mon Dec 3 17:49:40 2007
Subject: [LUNI] ANN: NWCLUG's next meeting 12/4/07 - tomorrow
Message-ID: <270312.76641.qm@web57007.mail.re3.yahoo.com>

Hi,

NWCLUG's next meeting will be at Harper College in A238 at 7pm on Tuesday 12/4/07.

For (a bit) more info see http://nwclug.org/httpd/html/meetings.html#nextmtg

mikie

-- 
Linux Users Of Northern Illinois - Announcements Mailing List
http://luni.org/mailman/listinfo/luni-announce


From mjmccune at sbcglobal.net Wed Dec 5 16:03:00 2007
From: mjmccune at sbcglobal.net (Mike McCune)
Date: Thu Dec 6 15:05:12 2007
Subject: [LUNI] ANN: Windy City Linux Users Group meets Thursday at 7pm.
Message-ID: <47572014.1020800@sbcglobal.net>

The next WCLUG is meeting Thursday, December 6, 7pm at Caribou Coffee, 3025 N. Clark Street.

For more details go to www.wclug.org.


From special.kevin at gmail.com Sat Dec 8 18:22:43 2007
From: special.kevin at gmail.com (Kevin Harriss)
Date: Sat Dec 8 18:22:49 2007
Subject: [LUNI] Chicago GNU/Linux User Group Meeting Saturday December 15th at 3pm
Message-ID: <97b3d1fd0712081622x2a46d35dubee0f55098a2394d@mail.gmail.com>

The Chicago GNU/Linux User Group will be having a meeting on Saturday, December 15th at 3:00 pm. We will be meeting at the Institute of Design on the 2nd Floor, Room 202, 350 N. LaSalle (http://tinyurl.com/34gkzt).

For more information check out our website at http://www.chiglug.org or join our mailing list at https://www.chicagolug.org/lists

What: Chicago GNU/Linux User Group Meeting
When: Saturday, December 15th @ 3:00 pm
Where: Institute of Design, 350 N. LaSalle, 2nd Floor, Room 202 (http://tinyurl.com/34gkzt)

Presentations (Subject to Change)
- Neuros OSD (Tristan Sloughter)
- web.py (Luca Matteis)


From jason at hostedlabs.com Mon Dec 10 11:26:06 2007
From: jason at hostedlabs.com (Jason Rexilius)
Date: Mon Dec 10 11:26:34 2007
Subject: [LUNI] OT: job(s) posting
Message-ID: <475D76AE.6060301@hostedlabs.com>

Hey everyone!

Forgive the job spam here but it's slightly different from a standard job posting.
My company, HostedLABS http://hostedlabs.com/ is looking to solve a number of problems and some can be tackled in different ways. The things I am looking to do are:

a) sponsor or pay people to work on a couple of open-source projects.
b) part-time work for poor but smart college students.
c) full-time employment with the company (salary + stock).

So in that context let me describe what I'm looking for:

1) paid open-source project development: port the p0f daemon to an apache module. See http://lcamtuf.coredump.cx/p0f.shtml

2) paid open-source project development: djbdns (tinydns) modifications, adding two modules or extensions to the NS server. See: http://cr.yp.to/djbdns.html

3) paid open-source project development: further code modifications to the siege load test tool. See: http://www.joedog.org/JoeDog/Siege

4) part-time work: general linux systems admin work, evening/weekend hours. Some coding also possible if desired.

5) full-time employment: I really need at least two developers and one hard-core systems engineer (more than just SA). The software development roles can be different but I have a general need for the following:

- low-level network, OS, filesystem, cluster development, usually in C/C++. Familiarity with libraries such as Spread http://www.spread.org/, hacking in Erlang, working on VFS or distributed lock managers, etc. Just call it core development.

- systems management software development, Python, perl &| C/C++ where called for. Self awareness and overall management of everything from IP space and network stacks to code deployment and system versioning. SVN interface, OS tools usage, heartbeat libraries, rsync, etc. etc. Call it large scale system management.

- web library and framework internals development, PHP, perl, python and Ruby. Re-writing modules or libraries, hacking packages (such as Rails), etc. There may be some C/C++ in the mix for some of these. This category is web library development.

For the systems engineer, knowledge of linux internals, virtualization, advanced networking, building an OS from scratch, cluster and grid filesystems, cluster computing, PXE boot, etc. Lots of fun stuff to play with. Architecture and design of large scale systems is on the plate.

Really looking for smart people who want to build really cool technology in a start-up environment. For those of you who know me or have heard any of my talks you know that there is a global footprint component to this and there may be some travel involved on the systems side.

That's it for now. Thanks for reading and hope to see you all at the next event!

-jason


From gatorreina at gmail.com Tue Dec 11 13:26:03 2007
From: gatorreina at gmail.com (Richard Reina)
Date: Tue Dec 11 13:26:08 2007
Subject: [LUNI] Making a private network somewhat public.
Message-ID: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com>

I have a small linux LAN (7 pcs) that runs a homemade database application (perl mysql). They've had little if any reason to need to be connected to the internet and due to my lack of prowess as a system admin and to the fact that any loss of data or interruption would be very disruptive, I have elected to keep it that way. However, there is an increasing need for me to be able to send reports that are generated by the application via email -- without me having to go to another computer that is connected to the internet and retype the report.

Can anyone give me some suggestions on the most secure way to allow access to sending emails and the level of risk associated with doing so.

Thanks for any ideas.

Richard


From tprinty at mail.edisonave.net Tue Dec 11 13:47:41 2007
From: tprinty at mail.edisonave.net (Tom Printy)
Date: Tue Dec 11 13:47:51 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com>
Message-ID: <1197402461.23082.28.camel@localhost>

What about using another system that has internet access to generate the report. You can setup MySQL to only allow this system and the 7 others to access the DB. The report system would hit the MySQL instance and then be allowed to send out the email reports. You should still consider some type of hardware based firewall or turning on an iptables based firewall on the box that will connect to the Internet.

On Tue, 2007-12-11 at 13:26 -0600, Richard Reina wrote:
> I have a small linux LAN (7 pcs) that runs a homemade database application (perl mysql). They've had little if any reason to need to be connected to the internet and due to my lack of prowess as a system admin and to the fact that any loss of data or interruption would be very disruptive, I have elected to keep it that way. However, there is an increasing need for me to be able to send reports that are generated by the application via email -- without me having to go to another computer that is connected to the internet and retype the report.
>
> Can anyone give me some suggestions on the most secure way to allow access to sending emails and the level of risk associated with doing so.
>
> Thanks for any ideas.
>
> Richard


From jrstark at barntowire.com Tue Dec 11 13:47:59 2007
From: jrstark at barntowire.com (Janine Starykowicz)
Date: Tue Dec 11 13:54:28 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com>
Message-ID: <475EE96F.5030909@barntowire.com>

Why not save the report to some form of removable media and transfer it that way?

Janine

Richard Reina wrote:
> I have a small linux LAN (7 pcs) that runs a homemade database application (perl mysql). They've had little if any reason to need to be connected to the internet and due to my lack of prowess as a system admin and to the fact that any loss of data or interruption would be very disruptive, I have elected to keep it that way. However, there is an increasing need for me to be able to send reports that are generated by the application via email -- without me having to go to another computer that is connected to the internet and retype the report.
>
> Can anyone give me some suggestions on the most secure way to allow access to sending emails and the level of risk associated with doing so.
>
> Thanks for any ideas.
>
> Richard


From sfaci at cs.uic.edu Tue Dec 11 15:02:21 2007
From: sfaci at cs.uic.edu (Samir Faci)
Date: Tue Dec 11 15:02:24 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <475EE96F.5030909@barntowire.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <475EE96F.5030909@barntowire.com>
Message-ID: <9db93b0e0712111302x5b5302bat9fadb902b190330b@mail.gmail.com>

Can't you just write a little script? I presume there is no incoming connection, but you really don't need to open any ports, just provide an smtp server you have access to and email the doc that way.

Maybe I'm misunderstanding the question..... I'm presuming a 7 computer lan setup behind a firewall of some sort (standard linksys/dlink/netgear/whatever)? Your average block-all type firewall should work fine, you shouldn't even need to open up any ports; just write a little perl (python, ruby, bash, php, whatever..) script to connect to some smtp server and send your document.

-- Samir

On 12/11/07, Janine Starykowicz wrote:
>
> Why not save the report to some form of removable media and transfer it that way?
>
> Janine
>
> --
> Linux Users Of Northern Illinois - Technical Discussion
> http://luni.org/mailman/listinfo/luni


From gatorreina at gmail.com Tue Dec 11 16:19:43 2007
From: gatorreina at gmail.com (Richard Reina)
Date: Tue Dec 11 16:19:50 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <1197402461.23082.28.camel@localhost>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost>
Message-ID: <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com>

If I allow one machine that is already connected to the internet (behind a router of course) to stay connected to my LAN, couldn't my LAN still be hacked through that machine (the one that is connected through the internet)? Is this likely?

On Dec 11, 2007 1:47 PM, Tom Printy wrote:
> What about using another system that has internet access to generate the report. You can setup MySQL to only allow this system and the 7 others to access the DB. The report system would hit the MySQL instance and then be allowed to send out the email reports. You should still consider some type of hardware based firewall or turning on an iptables based firewall on the box that will connect to the Internet.


From sfaci at cs.uic.edu Tue Dec 11 17:00:02 2007
From: sfaci at cs.uic.edu (Samir Faci)
Date: Tue Dec 11 17:00:06 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com>
Message-ID: <9db93b0e0712111500o71ccc27euce2257b9c2baa0a5@mail.gmail.com>

Depends on your level of paranoia. Security is a compromise between usability and safety (confidentiality, integrity.. and something else of your data). You want true security.. turn off your machine, put it in a safe.. and bury it. Oh wait? You mean you wanted to USE it?

If you have a hardware firewall which is in front of your lan, then setup a firewall on your lan machines as well..
The likelihood of your machines being compromised is pretty minimalistic. Is it possible? Sure..... not very likely though. I mean sure.. if you work for the NSA, and you have the NOC list on your mysql db (or whatever that Mission Impossible flick called it), it'd be worth their while for someone to try to break in... and they may find a way.. but unless you're targeted by a group of international hacking alliance to try to get something specific.. you should be fine... as far as most attacks go... run linux, try to keep the software up to date.. usual security guidelines.... and you should be fine.

That's just my 2 cents though...

-- Samir

On 12/11/07, Richard Reina wrote:
>
> If I allow one machine that is already connected to the internet (behind a router of course) to stay connected to my LAN, couldn't my LAN still be hacked through that machine (the one that is connected through the internet)? Is this likely?


From tprinty at mail.edisonave.net Tue Dec 11 17:04:49 2007
From: tprinty at mail.edisonave.net (Tom Printy)
Date: Tue Dec 11 17:04:59 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com>
Message-ID: <1197414289.23082.36.camel@localhost>

It is possible, but if you were to use some type of firewall then this helps reduce the likelihood of that happening. A 50.00 linksys firewall should offer you decent protection.

-Tom

On Tue, 2007-12-11 at 16:19 -0600, Richard Reina wrote:
> If I allow one machine that is already connected to the internet (behind a router of course) to stay connected to my LAN, couldn't my LAN still be hacked through that machine (the one that is connected through the internet)? Is this likely?


From sfaci at cs.uic.edu Tue Dec 11 17:49:43 2007
From: sfaci at cs.uic.edu (Samir Faci)
Date: Tue Dec 11 17:49:50 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <1197414289.23082.36.camel@localhost>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost>
Message-ID: <9db93b0e0712111549i778df018s67906e274113ad9b@mail.gmail.com>

I kind of presumed some form of firewall/router already. But yeah.. pick one up if you don't already have one.

On 12/11/07, Tom Printy wrote:
>
> It is possible, but if you were to use some type of firewall then this helps reduce the likelihood of that happening. A 50.00 linksys firewall should offer you decent protection.
>
> -Tom


From gatorreina at gmail.com Wed Dec 12 07:47:52 2007
From: gatorreina at gmail.com (Richard Reina)
Date: Wed Dec 12 07:47:57 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <1197414289.23082.36.camel@localhost>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost>
Message-ID: <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com>

I appreciate the responses. To make sure I understand correctly:

1) If I replace my old SMC Barricade with a new router like a 50.00 Linksys I will hopefully gain a measure of security. Is there a more expensive router that I can buy that will give me even greater security?

2) If behind this router I connect one of the machines that is connected to the internet to my LAN via a second NIC card and merely use this machine as an SMTP gateway that only accesses the MySQL server to generate data to be sent via email, would this be the most secure way to provide the sort of limited access I need?

3) I further understand that I would need to run iptables on this SMTP gateway machine and I should build it with a stripped down OS. Perhaps just the MySQL client and perl DBI. No X Windows, no ssh, no anything that is not absolutely necessary for the machine to complete its limited tasks.

4) Of the seven pcs on the linux LAN some are very old, running distros as old as RH 7.2. iptables is not running on any of them and some have an ftp server running so that new program files can be swapped about regularly. Is this a problem? Does it significantly increase the network's risk?

5) If I want to go a step further: when I get it all set up, should I hire someone to try and hack in to see just how secure my network is? Is this a good idea? If so, does anyone know where I could hire someone relatively skillful for a reasonable price for this assignment?

Thanks so much for the help. I really appreciate the responses; hopefully they can serve as a useful primer to basic linux security for others as well.

Richard

On Dec 11, 2007 5:04 PM, Tom Printy wrote:
> It is possible, but if you were to use some type of firewall then this helps reduce the likelihood of that happening. A 50.00 linksys firewall should offer you decent protection.
>
> -Tom


From maney at two14.net Wed Dec 12 08:33:14 2007
From: maney at two14.net (Martin Maney)
Date: Wed Dec 12 08:33:26 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com>
Message-ID: <20071212143314.GA24295@furrr.two14.net>

On Wed, Dec 12, 2007 at 07:47:52AM -0600, Richard Reina wrote:
> I appreciate the responses. To make sure I understand correctly.

The biggest threat to most systems comes from insiders; from this it follows that running old, unsupported OSes is a bad idea.

Home market routers are cheap and convenient. IMO they're probably *less* safe than a Linux box that's been secured and is running a supported OS version. Heck, lots of the consumer boxes have been based on Linux - generally older versions of the kernel, and without timely updates (or any after the next new model has come out).
You would be far better served paying someone to help you secure the systems than trying to break into it after the fact.

-- 
Happy Holidays!  Cry "Charge it!" and let slip the dogs of more.


From jason at hostedlabs.com Wed Dec 12 08:53:19 2007
From: jason at hostedlabs.com (Jason Rexilius)
Date: Wed Dec 12 08:53:46 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <20071212143314.GA24295@furrr.two14.net>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <20071212143314.GA24295@furrr.two14.net>
Message-ID: <475FF5DF.80705@hostedlabs.com>

While all of the below comments are true, I would also take a cost-benefit view into account.

A newer linksys firewall/router will get you 90% there at 10% of the cost. The last 10% will provide diminishing returns in relation to cost for the majority of people.

At a very simple level, if you leave it in its default config, which does NATing, and don't map any inbound ports, the connection will only be outbound, which will keep the vast majority of the problems at bay.

The part about the biggest threat being on the inside is true, but that's a personnel problem and extremely hard to solve with technology.

Simplest solutions are best and keeping things within your sphere of knowledge is going to keep things manageable.

Martin Maney wrote:
> The biggest threat to most systems comes from insiders; from this it follows that running old, unsupported OSes is a bad idea.
>
> Home market routers are cheap and convenient. IMO they're probably *less* safe than a Linux box that's been secured and is running a supported OS version. Heck, lots of the consumer boxes have been based on Linux - generally older versions of the kernel, and without timely updates (or any after the next new model has come out).
>
> You would be far better served paying someone to help you secure the systems than trying to break into it after the fact.


From gatorreina at gmail.com Wed Dec 12 09:26:20 2007
From: gatorreina at gmail.com (Richard Reina)
Date: Wed Dec 12 09:26:23 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <475FF5DF.80705@hostedlabs.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <20071212143314.GA24295@furrr.two14.net> <475FF5DF.80705@hostedlabs.com>
Message-ID: <489cf9d0712120726h1b18f1b8h66d1538943fc734f@mail.gmail.com>

Sorry for being a newbie when it comes to security. But if a new Linksys router makes me 90% secure, what's the other 10%? What measures do the other 10% consist of?

On Dec 12, 2007 8:53 AM, Jason Rexilius wrote:
> While all of the below comments are true, I would also take a cost-benefit view into account.
>
> A newer linksys firewall/router will get you 90% there at 10% of the cost. The last 10% will provide diminishing returns in relation to cost for the majority of people.
>
> At a very simple level, if you leave it in its default config, which does NATing, and don't map any inbound ports, the connection will only be outbound, which will keep the vast majority of the problems at bay.
>
> The part about the biggest threat being on the inside is true, but that's a personnel problem and extremely hard to solve with technology.
>
> Simplest solutions are best and keeping things within your sphere of knowledge is going to keep things manageable.


From maney at two14.net Wed Dec 12 09:35:10 2007
From: maney at two14.net (Martin Maney)
Date: Wed Dec 12 09:35:21 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712120726h1b18f1b8h66d1538943fc734f@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <20071212143314.GA24295@furrr.two14.net> <475FF5DF.80705@hostedlabs.com> <489cf9d0712120726h1b18f1b8h66d1538943fc734f@mail.gmail.com>
Message-ID: <20071212153510.GB24732@furrr.two14.net>

On Wed, Dec 12, 2007 at 09:26:20AM -0600, Richard Reina wrote:
> Sorry for being a newbie when it comes to security. But if a new Linksys router makes me 90% secure, what's the other 10%? What measures do the other 10% consist of?

It's just meaningless handwaving with numbers. Did you know that 73% of all statistics are just made up?

-- 
People make secure systems insecure because insecure systems do what people want and secure systems don't.  -- James Grimmelmann


From gatorreina at gmail.com Wed Dec 12 09:54:05 2007
From: gatorreina at gmail.com (Richard Reina)
Date: Wed Dec 12 09:54:07 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <20071212153510.GB24732@furrr.two14.net>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <20071212143314.GA24295@furrr.two14.net> <475FF5DF.80705@hostedlabs.com> <489cf9d0712120726h1b18f1b8h66d1538943fc734f@mail.gmail.com> <20071212153510.GB24732@furrr.two14.net>
Message-ID: <489cf9d0712120754n7693a4fdvbc42566214723770@mail.gmail.com>

Numbers aside, whether it is the additional 10%, 18% or 32% of securing the network, it would be helpful to know what the other measures are and what contribution they make to the network's security. Like the following:

- Newer Linksys router: 80%
- Secure SMTP gateway running a stripped down OS with strict iptables: 15%
- Keeping distros up to date on all the network's backend machines: 3%
- Running iptables on all the network's machines: 2%

These are only examples, I know little about security. It would be great to get input, so as to "attempt" to quantify how much the above measures matter and what difference additional measures might make.

On Dec 12, 2007 9:35 AM, Martin Maney wrote:
>
> It's just meaningless handwaving with numbers. Did you know that 73% of all statistics are just made up?
> > -- > People make secure systems insecure because > insecure systems do what people want and > secure systems don't. -- James Grimmelmann > > -- > Linux Users Of Northern Illinois - Technical Discussion > http://luni.org/mailman/listinfo/luni > From jason at hostedlabs.com Wed Dec 12 09:55:00 2007 From: jason at hostedlabs.com (Jason Rexilius) Date: Wed Dec 12 09:55:26 2007 Subject: [LUNI] Making a private network somewhat public. In-Reply-To: <20071212153510.GB24732@furrr.two14.net> References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <20071212143314.GA24295@furrr.two14.net> <475FF5DF.80705@hostedlabs.com> <489cf9d0712120726h1b18f1b8h66d1538943fc734f@mail.gmail.com> <20071212153510.GB24732@furrr.two14.net> Message-ID: <47600454.6010600@hostedlabs.com> Exactly.. Sorry, it was more for illustration purposes than anything else. But off the top of my head, what could theoretically be part of that 10% could be a remote exploit in the IP stack of the linksys kernel that only a few people in the world know about or some obscure bug in the Wifi driver that someone nearby could crack. This (made up) last 10% is the battleground of hardcore security people and a full-time job to really get right. Diminishing returns.. If you want to get to the point where its as close to secure as being physically unplugged (which itself is still exploitable remotely, ala Van Eck and what not) then you are getting into the realm of full-time security expert. Martin Maney wrote: > On Wed, Dec 12, 2007 at 09:26:20AM -0600, Richard Reina wrote: >> Sorry for being a newbie when it comes to security. But if a new Linksys >> router makes me 90% secure, what's the other 10%, what measures do the other >> 10% consist of? > > It's just meaningless handwaving with numbers. 
> Did you know that 73% of all statistics are just made up?
>

From sfaci at cs.uic.edu Wed Dec 12 10:12:14 2007
From: sfaci at cs.uic.edu (Samir Faci)
Date: Wed Dec 12 10:12:19 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com>
	<1197402461.23082.28.camel@localhost>
	<489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com>
	<1197414289.23082.36.camel@localhost>
	<489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com>
Message-ID: <9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com>

Inline comments:

On 12/12/07, Richard Reina wrote:
>
> I appreciate the responses. To make sure I understand correctly.
>
> 1) If I replace my old SMC barricade with a new router like a 50.00 linksys
> I will hopefully gain a measure of security. Is there a more expensive
> router that I can buy that will give me even greater security?

Sure. You can buy a $500 cisco PIX, and then spend another 6 months trying
to figure out how to freaking configure it. (Actually, I'd say cisco shines
on their higher end product line more than their "small office" items.)
Your linksys should be more than enough for what you need.

> 2) If behind this router I connect one of the machines that is connected to
> the internet to my LAN via a second NIC card and merely use this machine as
> an SMTP gateway that only accesses the MySQL server to generate data to be
> sent via email, would this be the most secure way to provide the sort of
> limited access I need?

You need access to an smtp server, you don't need to run one. Your standard
ISP SMTP server would work fine. If you want to run your own SMTP, you can.
This is a more complicated setup than I intended; you'd have to only allow
traffic from port 25 on the second nic, and disallow forwarding (both in
sysctl.conf and via iptables rules).

> 3) I further understand that I would need to run IP tables on this SMTP
> gateway machine and I should build it with a stripped down OS. Perhaps just
> MySQL client perl DBI. No Xwindows, no ssh, no anything that is not
> absolutely necessary for the machine to complete its limited tasks.

Yes. Actually servers overall shouldn't have X, it's a waste of space and
resources, especially if the server doesn't use X (which 99.9999% of them
don't need for the services they provide).

> 4) Of the seven pcs on the linux LAN some are very old running distros as
> old as RH 7.2. IPtables is not running on any of them and some have ftp
> servers running so that new program files can be swapped about regularly.
> Is this a problem? Does it significantly increase the network's risk?

They're not exposed to the net so it should be fine, but updating to a
quasi recent distro wouldn't be a bad idea. Fedora Core or CentOS if you
want to keep with Red Hat. Running software that's over 4 years old makes
me nervous.

> 5) If I want to go a step further. When I get it all set up I should hire
> someone to try and hack in to see just how secure my network is? Is this a
> good idea? If so does anyone know where I could hire someone relatively
> skillful for a reasonable price for this assignment?

Uhmm.. you're buying a $50 linksys from Best Buy.... any hacker worth his
salt should be able to get past it. You're keeping script kiddies and bots
out, and your lame hax0r wannabe. You'll be safe for what you're doing, I
wouldn't waste the money on it. If you're THAT paranoid about this, just
hire a security firm, give them 5-10K and they'll secure the hell out of it.
I wouldn't bother, but that's just me.

> Thanks so much for the help. I really appreciate the responses, hopefully
> they can serve as a useful primer to basic linux security for others as
> well.
> > Richard > > On Dec 11, 2007 5:04 PM, Tom Printy wrote: > > > It is possible but if you were to use some type of firewall then this > > helps reduce the likely hood of that happening. A 50.00 linksys firewall > > should offer you decent protection. > > > > -Tom > > > > > > On Tue, 2007-12-11 at 16:19 -0600, Richard Reina wrote: > > > If I allow one machine that is already connected to the internet ( > > behind a > > > router of course) to stay connected to my LAN. Couldn't my LAN still > be > > > hacked through that machine (the one that is connected through the > > > internet). Is this likely? > > > > > > On Dec 11, 2007 1:47 PM, Tom Printy > wrote: > > > > > > > What about using anther system that has internet access to generate > > the > > > > report. You can setup MySQL to only allow this system and the 7 > others > > > > to access the DB. The report system would hit the MySQL instance and > > > > then be allowed to send out the email reports. You should still > > consider > > > > some type of hardware based firewall or turning ip an iptables based > > > > firewall on the box that will connect to the Internet. > > > > > > > > > > > > On Tue, 2007-12-11 at 13:26 -0600, Richard Reina wrote: > > > > > I have a small linux LAN (7 pcs) that runs a homemade database > > > > application > > > > > (perl mysql). They've had little if any reason to need to be > > connected > > > > to > > > > > the internet and due to my lack of prowess as a system admin and > to > > the > > > > fact > > > > > that any loss of data or interuption would be very disruptive, I > > have > > > > > elected to keep it that way. However, there is an increasing need > > for > > > > me to > > > > > be able to send reports that are generated by the application via > > email > > > > -- > > > > > without me having to go to another computer that is connected to > the > > > > > internet and retype the report. 
> > > > > > > > > > Can anyone give me some suggestions on the most secure way to > allow > > > > access > > > > > to sending emails and the level of risk associated with doing so. > > > > > > > > > > Thanks for any ideas. > > > > > > > > > > Richard > > > > > > > > -- > > > > Linux Users Of Northern Illinois - Technical Discussion > > > > http://luni.org/mailman/listinfo/luni > > > > > > > > -- > > Linux Users Of Northern Illinois - Technical Discussion > > http://luni.org/mailman/listinfo/luni > > > -- > Linux Users Of Northern Illinois - Technical Discussion > http://luni.org/mailman/listinfo/luni > From sfaci at cs.uic.edu Wed Dec 12 10:13:47 2007 From: sfaci at cs.uic.edu (Samir Faci) Date: Wed Dec 12 10:13:51 2007 Subject: [LUNI] Making a private network somewhat public. In-Reply-To: <47600454.6010600@hostedlabs.com> References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <20071212143314.GA24295@furrr.two14.net> <475FF5DF.80705@hostedlabs.com> <489cf9d0712120726h1b18f1b8h66d1538943fc734f@mail.gmail.com> <20071212153510.GB24732@furrr.two14.net> <47600454.6010600@hostedlabs.com> Message-ID: <9db93b0e0712120813q5bc7ccdfi2a0b4bceeb8ee060@mail.gmail.com> Or forgetting to change the default password, and having wifi on as open AP. On 12/12/07, Jason Rexilius wrote: > > Exactly.. Sorry, it was more for illustration purposes than anything else. > > But off the top of my head, what could theoretically be part of that 10% > could be a remote exploit in the IP stack of the linksys kernel that > only a few people in the world know about or some obscure bug in the > Wifi driver that someone nearby could crack. This (made up) last 10% is > the battleground of hardcore security people and a full-time job to > really get right. Diminishing returns.. 
> > If you want to get to the point where its as close to secure as being > physically unplugged (which itself is still exploitable remotely, ala > Van Eck and what not) then you are getting into the realm of full-time > security expert. > > > > > > Martin Maney wrote: > > On Wed, Dec 12, 2007 at 09:26:20AM -0600, Richard Reina wrote: > >> Sorry for being a newbie when it comes to security. But if a new > Linksys > >> router makes me 90% secure, what's the other 10%, what measures do the > other > >> 10% consist of? > > > > It's just meaningless handwaving with numbers. Did you know that 73% > > of all statistics are just made up? > > > -- > Linux Users Of Northern Illinois - Technical Discussion > http://luni.org/mailman/listinfo/luni > From gatorreina at gmail.com Wed Dec 12 10:37:55 2007 From: gatorreina at gmail.com (Richard Reina) Date: Wed Dec 12 10:38:06 2007 Subject: [LUNI] Making a private network somewhat public. In-Reply-To: <9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com> References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com> Message-ID: <489cf9d0712120837r47200e27vf751c45a75f4a5f6@mail.gmail.com> > > > any hacker worth his salt should be able to get past it. Not the reassurance I was hoping for but I appreciate your candidness. > Or forgetting to change the default password, and having wifi on as open AP. By this do you mean not putting in an encryption code for wireless access? From emperorcezar at gmail.com Wed Dec 12 10:51:19 2007 From: emperorcezar at gmail.com (Adam Jenkins) Date: Wed Dec 12 10:51:30 2007 Subject: [LUNI] Making a private network somewhat public. 
In-Reply-To: <489cf9d0712120837r47200e27vf751c45a75f4a5f6@mail.gmail.com> References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com> <489cf9d0712120837r47200e27vf751c45a75f4a5f6@mail.gmail.com> Message-ID: <58a5f2220712120851t287d6258t79642d7d4ec9db8e@mail.gmail.com> What are you putting behind this thing? You really are making a cost, security trade off. Nothing will stop a determined hacker with skill. On Dec 12, 2007 10:37 AM, Richard Reina wrote: > > > > > any hacker worth his salt should be able to get past it. > > > Not the reassurance I was hoping for but I appreciate your candidness. > > > Or forgetting to change the default password, and having wifi on as open > AP. > > By this do you mean not putting in an encryption code for wireless access? > -- > Linux Users Of Northern Illinois - Technical Discussion > http://luni.org/mailman/listinfo/luni > -- --------------------------------------- Adam Jenkins emperorcezar@gmail.com 312-399-5161 --------------------------------------- From gatorreina at gmail.com Wed Dec 12 11:30:30 2007 From: gatorreina at gmail.com (Richard Reina) Date: Wed Dec 12 11:30:34 2007 Subject: [LUNI] Making a private network somewhat public. 
In-Reply-To: <58a5f2220712120851t287d6258t79642d7d4ec9db8e@mail.gmail.com> References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com> <489cf9d0712120837r47200e27vf751c45a75f4a5f6@mail.gmail.com> <58a5f2220712120851t287d6258t79642d7d4ec9db8e@mail.gmail.com> Message-ID: <489cf9d0712120930y23f64d3dicc49f52a58f969f9@mail.gmail.com> > What are you putting behind this thing? > > Nothing really all that special, but between my database server and my software PBX even one day without data and or phones would be highly undesirable. From sfaci at cs.uic.edu Wed Dec 12 11:42:17 2007 From: sfaci at cs.uic.edu (Samir Faci) Date: Wed Dec 12 11:42:21 2007 Subject: [LUNI] Making a private network somewhat public. In-Reply-To: <489cf9d0712120837r47200e27vf751c45a75f4a5f6@mail.gmail.com> References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com> <489cf9d0712120837r47200e27vf751c45a75f4a5f6@mail.gmail.com> Message-ID: <9db93b0e0712120942i183fae4bm57951c996e20f35e@mail.gmail.com> I mean disable wireless, wireless has one of the weakest encryption schemes, since you're not using it, disable it. It's one less thing you have to worry about. "Nothing will stop a determined hacker with skill." My point exactly. Come on man, you're spending $50 on a firewall, when there's a hardware firewall that go up to $20,000. Do you really think it's going to be as secure as the 20K unit? and even with the 20K unit, there's still no guarantees. 
The only thing that's absolute about security is that there is no such thing
as absolute security. You want absolute security? Turn off your machines,
dig a hole, and pour cement over the machines. They'll be almost secure. . . .

If this stuff is your average run of the mill business operation.. you're
fine with the solution we provided. If you want to be paranoid, use a flash
disk, or just plug/unplug the cable when you need to access the other lan.

-- 
Samir

On 12/12/07, Richard Reina wrote:
>
> > > > any hacker worth his salt should be able to get past it.
>
> Not the reassurance I was hoping for but I appreciate your candidness.
>
> > Or forgetting to change the default password, and having wifi on as open
> > AP.
>
> By this do you mean not putting in an encryption code for wireless access?
>

From maney at two14.net Wed Dec 12 11:45:44 2007
From: maney at two14.net (Martin Maney)
Date: Wed Dec 12 11:45:53 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712120754n7693a4fdvbc42566214723770@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com>
	<1197402461.23082.28.camel@localhost>
	<489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com>
	<1197414289.23082.36.camel@localhost>
	<489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com>
	<20071212143314.GA24295@furrr.two14.net>
	<475FF5DF.80705@hostedlabs.com>
	<489cf9d0712120726h1b18f1b8h66d1538943fc734f@mail.gmail.com>
	<20071212153510.GB24732@furrr.two14.net>
	<489cf9d0712120754n7693a4fdvbc42566214723770@mail.gmail.com>
Message-ID: <20071212174544.GA24908@furrr.two14.net>

On Wed, Dec 12, 2007 at 09:54:05AM -0600, Richard Reina wrote:
> Newer Linksys router 80%

If it's only connected to a secured Linux server: 0% (depending on the
model, possibly *is* a secured (we hope) Linux server...)

> Secure SMTP gateway running a stripped down OS strict IP tables 15%

This is a form of application-level gateway. I'm not sure it buys you
anything at all unless you don't trust the hosts you'll be sending mail to
not to attempt to exploit a hypothetical vulnerability in the sending
machine's MTA. In the general case that might be worth worrying about (at a
near-clinical level of paranoia, anyway, unless you use a flakey SMTP
server), but IIRC you only need to send the mail to one or a few
destinations, so it seems more likely they can be trusted that far.

> Keeping distros up to date on all the networks backen machines 3%

s/backen//

99% (assumption: the distro doesn't run a bunch of dodgy services by
default, or you've disabled them; likewise that you don't have special needs
that call for running vulnerable services. That last might not be true...)

> Running IP tables on all the networks machines 2%

Depends on what there is there to be blocked. iptables adds nothing to a
machine that's running no externally accessible services. Local exploits it
might block from reaching out, but given that level of compromise why would
you expect that iptables itself couldn't be subverted? Wishful thinking
unless you can know that your threat comes only from incompetents... which
could be true.

> These are only examples, I know little about security. It would be great to
> get input, so to "attempt" to quantify how much the above measures matter
> and what difference additional measures might make.

Keep in mind that I'm making these numbers up as I go along, just like all
the others we've seen here. And that security isn't something that comes in
packets labeled in percentages anyway...

I will give you one totally reliable statistic: adding an internet
connection, however firewalled and isolated, increases your vulnerability to
remote attacks infinitely. Unless you're already using wifi, the great open
door of networking.
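The firewall half of the SMTP-gateway setup discussed upthread (Samir's note that the second NIC should only carry SMTP and that forwarding has to be disabled both in sysctl.conf and with iptables rules, and the "strict IP tables" item in Richard's list that Martin comments on just above), worked through as an added example. This is not code from any post in this thread. The interface names (eth0 on the LAN side, eth1 facing the internet), the MySQL server address and the relay address are constructed placeholders, and "traffic from port 25" is read as the gateway opening outbound SMTP connections to a single relay. By default it only prints the rules (DRY_RUN=1); DRY_RUN=0 applies them and needs root.

```shell
#!/bin/sh
# Added example (not from the thread): iptables policy and ip_forward check for
# a dual-NIC SMTP gateway. Names and addresses below are assumptions:
#   LAN_IF     - NIC on the private LAN (where the MySQL server lives)
#   WAN_IF     - NIC facing the internet side
#   DB_HOST    - constructed address of the MySQL server on the LAN
#   SMTP_RELAY - constructed address of the ISP's SMTP relay (TEST-NET-3 range)
# DRY_RUN=1 (the default) prints the rules instead of applying them.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
DB_HOST="${DB_HOST:-192.168.1.10}"
SMTP_RELAY="${SMTP_RELAY:-203.0.113.25}"
DRY_RUN="${DRY_RUN:-1}"

# Wrapper so the same rule list can be printed (dry run) or applied.
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Default-deny on all three chains. The gateway must never route between the
# two networks, so FORWARD gets no ACCEPT rule at all.
gateway_rules() {
  ipt -F
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT DROP
  # Loopback, plus replies to connections this host opened itself.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The only new connections allowed: MySQL to the LAN database and SMTP to
  # the relay on the internet side. Nothing may open a connection inbound.
  ipt -A OUTPUT -o "$LAN_IF" -p tcp -d "$DB_HOST" --dport 3306 -m state --state NEW -j ACCEPT
  ipt -A OUTPUT -o "$WAN_IF" -p tcp -d "$SMTP_RELAY" --dport 25 -m state --state NEW -j ACCEPT
  # Log whatever falls through so a misconfiguration shows up in syslog.
  ipt -A INPUT -j LOG --log-prefix "gw-drop-in: "
  ipt -A OUTPUT -j LOG --log-prefix "gw-drop-out: "
}

# The sysctl half: forwarding off in the running kernel. The same line
# (net.ipv4.ip_forward = 0) belongs in /etc/sysctl.conf to survive a reboot.
ip_forward_off() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "sysctl -w net.ipv4.ip_forward=0"
  else
    sysctl -w net.ipv4.ip_forward=0
  fi
}

# Check a sysctl.conf-style file: succeeds only when the last uncommented
# net.ipv4.ip_forward line sets it to 0. No line at all also fails, since the
# distro default could then turn forwarding on.
forwarding_disabled_in() {
  awk -F= '
    /^[[:space:]]*#/ { next }
    $1 ~ /^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*$/ {
      gsub(/[[:space:]]/, "", $2); val = $2
    }
    END { exit (val == "0") ? 0 : 1 }
  ' "$1"
}

# Usage: sh gateway.sh (prints); DRY_RUN=0 sh gateway.sh (applies, as root).
gateway_rules
ip_forward_off
```

Nothing in FORWARD accepts traffic, so even if ip_forward were flipped back on, packets still would not cross between the two NICs; the sysctl check is there because the kernel setting and the iptables rules are maintained separately and either one can drift on its own. If the relay is configured by hostname rather than by address, the gateway also needs DNS (port 53 to its resolver) allowed out, which these rules deliberately do not open.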
-- 
The most common implementation of SMTP is contained in sendmail. This
program is included free in most UNIX software distributions, but you
get less than you pay for. -- Cheswick, Bellovin & Rubin

From maney at two14.net Wed Dec 12 11:50:32 2007
From: maney at two14.net (Martin Maney)
Date: Wed Dec 12 11:50:39 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com>
	<1197402461.23082.28.camel@localhost>
	<489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com>
	<1197414289.23082.36.camel@localhost>
	<489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com>
	<9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com>
Message-ID: <20071212175032.GB24908@furrr.two14.net>

On Wed, Dec 12, 2007 at 10:12:14AM -0600, Samir Faci wrote:
> wouldn't waste the money on it. If you're THAT paranoid about this, just
> hire a security firm, give them 5-10K and they'll secure the hell out of
> it. I wouldn't bother, but that's just me.

Are they paranoid if there really *is* someone out to get them? Not
really having any idea what the OP's office is doing, we can only
speculate about the threat model he should be worrying about. Possibly
that 10K professional job would be a bargain - or woefully inadequate.

Though in either case I have to wonder where they found a disused bank
vault large enough for them all...

-- 
I do not believe that a paradigm completely replaces previous paradigms
... Instead, each programming paradigm adds to what worked previously,
and as a paradigm matures, it is increasingly integrated with previous
paradigms. -- Bjarne Stroustrup

From maney at two14.net Wed Dec 12 12:03:21 2007
From: maney at two14.net (Martin Maney)
Date: Wed Dec 12 12:03:28 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712120930y23f64d3dicc49f52a58f969f9@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com>
	<1197402461.23082.28.camel@localhost>
	<489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com>
	<1197414289.23082.36.camel@localhost>
	<489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com>
	<9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com>
	<489cf9d0712120837r47200e27vf751c45a75f4a5f6@mail.gmail.com>
	<58a5f2220712120851t287d6258t79642d7d4ec9db8e@mail.gmail.com>
	<489cf9d0712120930y23f64d3dicc49f52a58f969f9@mail.gmail.com>
Message-ID: <20071212180321.GC24908@furrr.two14.net>

On Wed, Dec 12, 2007 at 11:30:30AM -0600, Richard Reina wrote:
> Nothing really all that special, but between my database server and my
> software PBX even one day without data and/or phones would be highly
> undesirable.

Well, you have preconfigured spares for both then, right? Otherwise a 10
cent capacitor in a power supply could have you down for a day pretty
easily. Much more likely cause of failure than random molestation from
the internet.

(just had a power supply with some dodgy brand - Yujjiya or some such -
stop working the other day... not that I'd know it had the bad parts
inside until after I'd replaced it. seems to have cleared up some erratic
problems that machine had been having, too)

-- 
Graphic designers are not user interface designers. -- Philip Greenspun

From linux at unliketea.com Wed Dec 12 14:11:17 2007
From: linux at unliketea.com (Steve Pribyl)
Date: Wed Dec 12 14:54:19 2007
Subject: [LUNI] selinux blocking syslogd
Message-ID: <35833.69.17.21.59.1197490277.squirrel@mail.unliketea.com>

Being new to selinux I was still a bit surprised to see this in my
/var/log/messages.

Dec 12 14:07:06 ngznx3c1 kernel: audit(1197490026.746:4): avc: denied { read } for pid=2914 comm="syslogd" name="meminfo" dev=proc ino=4026531842 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

What has been poorly configured?

Thanks

From joshua.mcadams at gmail.com Wed Dec 12 15:35:14 2007
From: joshua.mcadams at gmail.com (Joshua McAdams)
Date: Wed Dec 12 15:35:18 2007
Subject: [LUNI] Reminder: Chicago Perl Hackathon This Weekend
Message-ID: <49d805d70712121335m583d023cue79716d1ad7e4f86@mail.gmail.com>

This is just a friendly reminder that the Chicago Perl Hackathon 2007 will
be this weekend, December 14th-16th, at Hosteling International on 24 E.
Congress Pkwy. The event is completely free unless you want to get a room
at the hostel.

At the hackathon we will have Perl programmers from around the country,
including our special guest Dave Rolsky. Dave is responsible for the
popular Mason templating system and for the Perl DateTime project.

Feel free to stop by the hackathon and spend some time coding with your
fellow Perl programmers. Not a Perl programmer? Ruby or Python more your
style? Stop by anyway and enjoy the interaction with other talented
programmers that you might not normally get the opportunity to work with.
Talk sigils. Argue religious points about whitespace. It's all part of the
fun.

From chris at susi.net Wed Dec 12 19:27:07 2007
From: chris at susi.net (Christopher S. Susi)
Date: Wed Dec 12 19:35:11 2007
Subject: [LUNI] Best package for a remote access GUI client
Message-ID: <4dd001c83d27$46de6ce0$d49b46a0$@net>

I'm looking to replace a Windows server with Linux.

What package can I use to replace Windows Terminal Server with a similar
remote access on Linux (preferably somewhat secure). I'm using OpenSSH for
the command line but would like to have a GUI available as well. I'd need
clients available in both Windows and Linux.

Also, is there a recommended FTP server and web server.
Lighttpd seems to be the current favorite over apache, what about ftp?
Ultimately I plan to run a CMS on the server, probably Drupal or Joomla.

Actually, I'm not even sure I really need FTP when I can use sftp in
OpenSSH. I don't plan on having FTP open to the public, just for me to
transfer archive packages for myself for backup.

From joe at the-frosts.org Wed Dec 12 20:06:16 2007
From: joe at the-frosts.org (Joe Frost)
Date: Wed Dec 12 20:29:14 2007
Subject: [LUNI] Best package for a remote access GUI client
In-Reply-To: <4dd001c83d27$46de6ce0$d49b46a0$@net>
References: <4dd001c83d27$46de6ce0$d49b46a0$@net>
Message-ID: <338F90DF-7DD9-45EF-94E4-620B393CB959@the-frosts.org>

>
> What package can I use to replace Windows Terminal Server with a similar
> remote access on Linux (preferably somewhat secure). I'm using OpenSSH for
> the command line but would like to have a GUI available as well. I'd need
> clients available in both Windows and Linux.
>

You can use X tunneled over ssh for this. The linux machines won't need
anything more than to be running a gui themselves. The windows machines
will need some sort of ssh client and an X server. In the past I've used
cygwin for both of these.

Good luck,
Joe

From sfaci at cs.uic.edu Wed Dec 12 22:07:26 2007
From: sfaci at cs.uic.edu (Samir Faci)
Date: Wed Dec 12 22:07:30 2007
Subject: [LUNI] Best package for a remote access GUI client
In-Reply-To: <338F90DF-7DD9-45EF-94E4-620B393CB959@the-frosts.org>
References: <4dd001c83d27$46de6ce0$d49b46a0$@net>
	<338F90DF-7DD9-45EF-94E4-620B393CB959@the-frosts.org>
Message-ID: <9db93b0e0712122007u24b83792h8fcf0bb30646b63@mail.gmail.com>

There are 3 possible solutions that I've used in the past. As a fair
warning, RDP/Terminal Services beats the living daylights out of all of
them.

X forwarding over ssh... sloowwww + secure. Works fine for your lan, god
help you over the net. (sometimes can be faster than VNC though, depends on
the content being displayed)
  windows solution: cygwin + ssh

VNC (tightvnc, realvnc, x11vnc take your pick). runs a desktop that you can
log into. listens for connection on 5900 and does ++ for each additional
session. (5901, 5902...)
  cons: horrible security, but you can do ssh tunneling and that fixes
  that. (ssh -L 5900:ip:5900 user@host)
  windows: realvnc and tightvnc both have clients for it. use putty to
  setup a tunnel for ssh.

freenx: probably the best one and fastest I've used. It tries to mimic
citrix, or it feels like it.
  windows: no clue.

-- 
Samir

On 12/12/07, Joe Frost wrote:
>
> >
> > What package can I use to replace Windows Terminal Server with a similar
> > remote access on Linux (preferably somewhat secure). I'm using OpenSSH for
> > the command line but would like to have a GUI available as well. I'd need
> > clients available in both Windows and Linux.
> >
>
> You can use X tunneled over ssh for this. The linux machines won't
> need anything more than to be running a gui themselves. The windows
> machines will need some sort of ssh client and an X server. In the
> past I've used cygwin for both of these.
>
> Good luck,
> Joe
>

From me at heyjay.com Wed Dec 12 22:47:36 2007
From: me at heyjay.com (Jay Strauss)
Date: Wed Dec 12 22:47:39 2007
Subject: [LUNI] Best package for a remote access GUI client
In-Reply-To: <9db93b0e0712122007u24b83792h8fcf0bb30646b63@mail.gmail.com>
References: <4dd001c83d27$46de6ce0$d49b46a0$@net>
	<338F90DF-7DD9-45EF-94E4-620B393CB959@the-frosts.org>
	<9db93b0e0712122007u24b83792h8fcf0bb30646b63@mail.gmail.com>
Message-ID:

> VNC (tightvnc, realvnc, x11vnc take your pick). runs a desktop that you can
> log into. listens for connection on 5900 and does ++ for each additional
> session. (5901, 5902...)
> cons: horrible security, but you can do ssh tunneling and that fixes
> that. (ssh -L 5900:ip:5900 user@host)
> windows: realvnc and tightvnc both have clients for it. use putty to
> setup a tunnel for ssh.

As a regular user of VNC (I'm using UltraVNC) over Putty (ssh), to a Linux box across the net, it too sucks performance-wise, and I have pretty good network connections (comcast at 6Mb on the VNC side, and 2+Mb DSL on the Linux side).

I concur, M$ has it all over VNC.

I have no experience on Freenx, but will read up.

Jay

From craig at codestorm.org Thu Dec 13 00:47:46 2007
From: craig at codestorm.org (Craig Van Tassle)
Date: Thu Dec 13 00:47:58 2007
Subject: [LUNI] Best package for a remote access GUI client
In-Reply-To:
References: <4dd001c83d27$46de6ce0$d49b46a0$@net> <338F90DF-7DD9-45EF-94E4-620B393CB959@the-frosts.org> <9db93b0e0712122007u24b83792h8fcf0bb30646b63@mail.gmail.com>
Message-ID: <20071213004746.0bef7940@codestorm.org>

On Wed, 12 Dec 2007 22:47:36 -0600 "Jay Strauss" wrote:
> > VNC (tightvnc, realvnc, x11vnc take your pick). runs a desktop
> > that you can log into. listens for connection on 5900 and does ++
> > for each additional session. (5901, 5902...)
> > cons: horrible security, but you can do ssh tunneling and
> > that fixes that. (ssh -L 5900:ip:5900 user@host)
> > windows: realvnc and tightvnc both have clients for it. use
> > putty to setup a tunnel for ssh.
>
> As a regular user of VNC (I'm using UltraVNC) over Putty (ssh), to a
> Linux box across the net, it too sucks performancewise, and I have
> pretty good network connections (comcast at 6Mb on the VNC side, and
> 2+Mb DSL on the Linux side).
>
> I concur, M$ has it all over VNC.
>
> I have no experience on Freenx, but will read up.
>
> Jay

You may want to try looking at the linux terminal server project.
http://www.ltsp.org/

--
"An armed society is a polite society.
Manners are good when one may have to back up his acts with his life." Robert A. Heinlein
"Fear is the father of servitude, and the captor of man. There cannot be slavery without fear, nor freedom with it."
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -Albert Einstein

From jgd-luni at metajoe.com Thu Dec 13 06:21:25 2007
From: jgd-luni at metajoe.com (Joe Digilio)
Date: Thu Dec 13 06:21:29 2007
Subject: [LUNI] Best package for a remote access GUI client
In-Reply-To: <4dd001c83d27$46de6ce0$d49b46a0$@net>
References: <4dd001c83d27$46de6ce0$d49b46a0$@net>
Message-ID: <8563497c0712130421h1fbdb317j48ecbcd1996a9777@mail.gmail.com>

On Dec 12, 2007 7:27 PM, Christopher S. Susi wrote:
> What package can I use to replace Windows Terminal Server with a similar
> remote access on Linux (preferably somewhat secure). I'm using OpenSSH for
> the command line but would like to have a GUI available as well. I'd need
> clients available in both Windows and Linux.

Check out NX from NoMachine. http://www.nomachine.com/

Clients are available for Linux, Mac, Solaris and Windows. Client connections can be anywhere from LAN to modem and response is still great. It can also do desktop sharing of the native display (similar to KVM-over-IP). I've been using this for almost a year now and I think it's great.

From gatorreina at gmail.com Thu Dec 13 07:18:54 2007
From: gatorreina at gmail.com (Richard Reina)
Date: Thu Dec 13 07:18:57 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <20071212180321.GC24908@furrr.two14.net>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com> <489cf9d0712120837r47200e27vf751c45a75f4a5f6@mail.gmail.com> <58a5f2220712120851t287d6258t79642d7d4ec9db8e@mail.gmail.com> <489cf9d0712120930y23f64d3dicc49f52a58f969f9@mail.gmail.com> <20071212180321.GC24908@furrr.two14.net>
Message-ID: <489cf9d0712130518g511308a2md9630ba1891c0c@mail.gmail.com>

Yes spares are pre-configured. However, for reasons such as replication and quick deployability spares are also on the network. Maybe I need to find a way around that. Or maybe I need to just keep having two separate networks.

I really appreciate all of the responses. I think it's been a very instructive thread. If anyone has anything else to add I am all ears, but for now I think I have to conclude that the additional risk is not justified by the convenience.

Thanks again.

On Dec 12, 2007 12:03 PM, Martin Maney < maney@two14.net> wrote:
> On Wed, Dec 12, 2007 at 11:30:30AM -0600, Richard Reina wrote:
> > Nothing really all that special, but between my database server and my
> > software PBX even one day without data and or phones would be highly
> > undesirable.
>
> Well, you have preconfigured spares for both then, right? Otherwise a
> 10 cent capacitor in a power supply could have you down for a day
> pretty easily. Much more likely cause of failure than random
> molestation from the internet.
>
> (just had a power supply with some dodgy brand - Yujjiya or some such -
> stop working the other day... not that I'd know it had the bad parts
> inside until after I'd replaced it.
> seems to have cleared up some
> erratic problems that machine had been having, too)
>
> --
> Graphic designers are not user interface designers. -- Philip Greenspun
>
> --
> Linux Users Of Northern Illinois - Technical Discussion
> http://luni.org/mailman/listinfo/luni

From me at heyjay.com Thu Dec 13 07:36:14 2007
From: me at heyjay.com (Jay Strauss)
Date: Thu Dec 13 07:36:16 2007
Subject: [LUNI] Best package for a remote access GUI client
In-Reply-To: <8563497c0712130421h1fbdb317j48ecbcd1996a9777@mail.gmail.com>
References: <4dd001c83d27$46de6ce0$d49b46a0$@net> <8563497c0712130421h1fbdb317j48ecbcd1996a9777@mail.gmail.com>
Message-ID:

> Check out NX from NoMachine. http://www.nomachine.com/
> Clients are available for Linux, Mac, Solaris and Windows. Client
> connections can be anywhere from LAN to modem and response is still
> great. It can also do desktop sharing of the native display (similar
> to KVM-over-IP). I've been using this for almost a year now and I
> think it's great.

Is it possible to have 2+ remote clients share (and operate) the same session? I looked around the site and did NOT get the impression that was possible.

You CAN do that with VNC.

Thanks
Jay

From jgd-luni at metajoe.com Thu Dec 13 09:26:29 2007
From: jgd-luni at metajoe.com (Joe Digilio)
Date: Thu Dec 13 09:26:32 2007
Subject: [LUNI] Best package for a remote access GUI client
In-Reply-To:
References: <4dd001c83d27$46de6ce0$d49b46a0$@net> <8563497c0712130421h1fbdb317j48ecbcd1996a9777@mail.gmail.com>
Message-ID: <8563497c0712130726ia1c9a93ke3c42e1b346da50f@mail.gmail.com>

On Dec 13, 2007 7:36 AM, Jay Strauss wrote:
> Is it possible to have 2+ remote clients share (and operate) the same
> session? I looked around the site and did NOT get the impression that
> was possible.
>
> You CAN do that with VNC.

I've never had a need to do that, but I believe you can do that with NX.
In server.cfg, you'd have to set:
EnableSessionShadowing = "1"
EnableInteractiveSessionShadowing = "1"

Setting EnableInteractiveSessionShadowing = "0" would make it "view-only".

Their documentation is a little lacking, but it has improved greatly over the last year. Here's a nice comprehensive setup guide:
http://www.nomachine.com/documentation/admin-guide.php

-Joe

From sfaci at cs.uic.edu Thu Dec 13 09:43:06 2007
From: sfaci at cs.uic.edu (Samir Faci)
Date: Thu Dec 13 09:43:15 2007
Subject: [LUNI] Best package for a remote access GUI client
In-Reply-To: <8563497c0712130726ia1c9a93ke3c42e1b346da50f@mail.gmail.com>
References: <4dd001c83d27$46de6ce0$d49b46a0$@net> <8563497c0712130421h1fbdb317j48ecbcd1996a9777@mail.gmail.com> <8563497c0712130726ia1c9a93ke3c42e1b346da50f@mail.gmail.com>
Message-ID: <9db93b0e0712130743i70445cfaoa94de4641a55b269@mail.gmail.com>

Neat. I've never done it with freenx, but I've done it with VNC before. You do end up playing battle of the mice as you fight each other for control, but you can have multiple clients remote control the same machine.

-- Samir

On 12/13/07, Joe Digilio wrote:
>
> On Dec 13, 2007 7:36 AM, Jay Strauss wrote:
> > Is it possible to have 2+ remote clients share (and operate) the same
> > session? I looked around the site and did NOT get the impression that
> > was possible.
> >
> > You CAN do that with VNC.
>
> I've never had a need to do that, but I believe you can do that with
> NX. In server.cfg, you'd have to set:
> EnableSessionShadowing = "1"
> EnableInteractiveSessionShadowing = "1"
>
> Setting EnableInteractiveSessionShadowing = "0" would make it "view-only".
>
> Their documentation is a little lacking, but it has improved greatly
> over the last year.
> Here's a nice comprehensive setup guide:
> http://www.nomachine.com/documentation/admin-guide.php
>
> -Joe
> --
> Linux Users Of Northern Illinois - Technical Discussion
> http://luni.org/mailman/listinfo/luni

From steve at unliketea.com Wed Dec 12 19:44:11 2007
From: steve at unliketea.com (Steve Pribyl)
Date: Thu Dec 13 10:32:53 2007
Subject: [LUNI] Best package for a remote access GUI client
In-Reply-To: <4dd001c83d27$46de6ce0$d49b46a0$@net>
References: <4dd001c83d27$46de6ce0$d49b46a0$@net>
Message-ID: <52565.10.16.1.103.1197510251.squirrel@mail.unliketea.com>

If it is just for you, sftp is very good. If you must use a GUI, try RealVNC.

Another option/method is serial port to terminal server.

Steve

> I'm looking to replace a Windows server with Linux.
>
> What package can I use to replace Windows Terminal Server with a similar
> remote access on Linux (preferably somewhat secure). I'm using OpenSSH
> for
> the command line but would like to have a GUI available as well. I'd need
> clients available in both Windows and Linux.
>
> Also, is there a recommended FTP server and web server. Lighttpd seems to
> be the current favorite over apache, what about ftp? Ultimately I plan to
> run a CMS on the server, probably Drupal or Joomla.
>
> Actually, I'm not even sure I really need FTP when I can use sftp in
> OpenSSH. I don't plan on having FTP open to the public, just for me to
> transfer archive packages for myself for backup.
>
> --
> Linux Users Of Northern Illinois - Technical Discussion
> http://luni.org/mailman/listinfo/luni

From ebryant at judge.com Thu Dec 13 11:44:10 2007
From: ebryant at judge.com (Eric J.
Bryant)
Date: Thu Dec 13 12:02:01 2007
Subject: [LUNI] [JOB] Senior Linux Opportunity in Chicago
Message-ID: <02D1D0AFB198544D9034DF786D176BFE91FF7A@apollo.judge.com>

Greetings all,

I have a Senior Linux Administrator opportunity located in downtown Chicago that I am trying to fill and I figured this would be a good place to look for some help. Basically I am looking for an experienced Linux user with Red Hat and SuSE for a contract to hire position installing, configuring and administering complex Linux and Unix systems. The pay is open, based on your level of knowledge and experience. If you are interested in hearing more please send an updated version of your resume to ebryant@judge.com and I will get back to you as soon as I get a chance.

Thanks,
Eric Bryant

Eric Bryant | ebryant@judge.com | Technical Recruiter | Judge Technical Staffing | phone: 630.472.0090 | Toll Free: 888.701.3368 | fax: 630.472.0081 | www.JUDGE.com
TECHNOLOGY CONSULTING | ENTERPRISE-WIDE STAFFING | WORKFORCE TRAINING
Atlanta | Boston | Charlotte | CHICAGO | Dallas | Denver | Detroit | Ft. Myers | Houston | Jacksonville | Los Angeles | Minneapolis | New Jersey/New York | Orlando | Philadelphia (HQ) | Providence | San Diego | San Francisco | St. Louis | Tampa | Washington, DC

From Jkaplenk at aol.com Thu Dec 13 13:25:10 2007
From: Jkaplenk at aol.com (Jkaplenk@aol.com)
Date: Thu Dec 13 12:25:50 2007
Subject: [LUNI] [JOB] Senior Linux Opportunity in Chicago
Message-ID:

Eric,

Thanks. I'm okay right now.

Joe

In a message dated 12/13/2007 12:03:06 P.M. Central Standard Time, ebryant@judge.com writes:

Greetings all,

I have a Senior Linux Administrator opportunity located in downtown Chicago that I am trying to fill and I figured this would be a good place to look for some help. Basically I am looking for an experienced Linux user with Red Hat and SuSE for a contract to hire position installing, configuring and administering complex Linux and Unix systems.
The pay is open, based on your level of knowledge and experience. If you are interested in hearing more please send an updated version of your resume to ebryant@judge.com and I will get back to you as soon as I get a chance.

Thanks,
Eric Bryant

Eric Bryant | ebryant@judge.com | Technical Recruiter | Judge Technical Staffing | phone: 630.472.0090 | Toll Free: 888.701.3368 | fax: 630.472.0081 | www.JUDGE.com
TECHNOLOGY CONSULTING | ENTERPRISE-WIDE STAFFING | WORKFORCE TRAINING
Atlanta | Boston | Charlotte | CHICAGO | Dallas | Denver | Detroit | Ft. Myers | Houston | Jacksonville | Los Angeles | Minneapolis | New Jersey/New York | Orlando | Philadelphia (HQ) | Providence | San Diego | San Francisco | St. Louis | Tampa | Washington, DC

--
Linux Users Of Northern Illinois - Technical Discussion
http://luni.org/mailman/listinfo/luni

From ramin-list at badapple.net Thu Dec 13 10:35:00 2007
From: ramin-list at badapple.net (Ramin K)
Date: Thu Dec 13 12:35:04 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <9db93b0e0712120942i183fae4bm57951c996e20f35e@mail.gmail.com>
References: <489cf9d0712111126i70e11d70v15f121c03f15251c@mail.gmail.com> <1197402461.23082.28.camel@localhost> <489cf9d0712111419s5cab6e4ejee3efe8fad0c551a@mail.gmail.com> <1197414289.23082.36.camel@localhost> <489cf9d0712120547g226ae60tb6144323dea9281f@mail.gmail.com> <9db93b0e0712120812j732b1a4ft8518e4b8dfba723c@mail.gmail.com> <489cf9d0712120837r47200e27vf751c45a75f4a5f6@mail.gmail.com> <9db93b0e0712120942i183fae4bm57951c996e20f35e@mail.gmail.com>
Message-ID: <47617B54.5000905@badapple.net>

Let's all take a deep breath and stop telling security ghost stories.

What's the primary difference between a $20k firewall and a $50 one? Throughput. That's right, stateful packet inspection at 100mb/s speeds and up is CPU intensive and custom ASICs are expensive.
Sure a fancy firewall can do protocol inspection and a few other things like stateful fail over between redundant devices, but at the basic level they are all implementing the same rules.

Allow packets from X to Y
Disallow packets from I to J

I've dealt with a number of compromised boxes and about the only way they have been penetrated remotely is by the services running on them. In summary don't expose services publicly.

I've dealt with all the Cisco patches for snmp, ssh, telnet, etc over the past eight years or so. We patched, but were never vulnerable to the world at large because we filtered these protocols at the border. In summary don't expose services publicly.

My recommendation is to configure your Linksys to accept no connections from the Internet (likely the default) while turning off upnp, wireless, and other nonsense. Now allow one machine access to the Internet and install an MTA on it. I like Postfix, Sendmail would be fine, and do not use qmail. Allow the other machines in the office to send mail to this machine and then allow it to send mail out to the Internet.

If you wanted you could buy the $150 Linksys and set the mail machine on a separate network and only allow SMTP connections to it from the rest of your machines. It's marginally safer, but overkill for an internal system that is never going to get any connections from outside your network.

This setup keeps your system from accepting connections from outside, keeps random machines from accessing the Internet, and allows mails to be sent.

Ramin

From richard at rushlogistics.com Thu Dec 13 11:01:51 2007
From: richard at rushlogistics.com (Richard Reina)
Date: Thu Dec 13 13:08:41 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <47617B54.5000905@badapple.net>
Message-ID: <974893.50131.qm@web610.biz.mail.mud.yahoo.com>

Ramin,

Thank you very much for this very insightful reply. I'm going to look into this. I really appreciate the very insightful advice.
Thanks again, Richard Ramin K wrote: Let's all take a deep breath and stop telling security ghost stories. What's the primary difference between a $20k firewall and a $50 one? Throughput. That's right, stateful packet inspection at 100mb/s speeds and up is CPU intensive and custom ASICs are expensive. Sure a fancy firewall can do protocol inspection and a few other things like stateful fail over between redundant devices, but at the basic level they are all implementing the same rules. Allow packets from X to Y Disallow packets from I to J I've dealt with a number of compromised boxes and about the only way they have been penetrated remotely is by the services running on them. In summary don't expose services publicly. I've dealt with all the Cisco patches for snmp, ssh, telnet, etc over the past eight years or so. We patched, but were never vulnerable to the world at large because we filtered these protocols at the border. In summary don't expose services publicly. My recommendation is to configure your Linksys to accept no connections from the Internet (likely the default) while turning off upnp, wireless, and other nonsense. Now allow one machine access to the Internet and install an MTA on it. I like Postfix, Sendmail would be fine, and do not use qmail. Allow the other machines in the office to send mail to the this machine and then allow it send mail out to the Internet. If you wanted you could buy the $150 Linksys and set the mail machine on a separate network and only allow SMTP connections to it from the rest of your machines. It's marginally safer, but overkill for an internal system that is never going to get any connections from outside your network. This setup keeps your system from accepting connections from outside, keeps random machines from accessing the Internet, and allows mails to be sent. Ramin -- Linux Users Of Northern Illinois - Technical Discussion http://luni.org/mailman/listinfo/luni Your beliefs become your thoughts. 
Your thoughts become your words.
Your words become your actions.
Your actions become your habits.
Your habits become your values.
Your values become your destiny.
-- Mahatma Gandhi

From sqrfolkdnc at comcast.net Thu Dec 13 19:59:50 2007
From: sqrfolkdnc at comcast.net (Carey Tyler Schug)
Date: Thu Dec 13 20:00:20 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <974893.50131.qm@web610.biz.mail.mud.yahoo.com>
References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com>
Message-ID: <4761E396.5050007@comcast.net>

The original problem also stated "send reports over the internet".

Doesn't sound like a continuous 24x7 kind of task. Plug the web enabled computer into the internal network, create and send email, unplug. Or, connect web enabled computer into internal network (only), create email, unplug and plug into www (or dial-up) and send email. The exploit would have to be intelligent enough to work unsupervised and store-and-forward whatever it did.

Also, if you want it, a 100% security solution. Connect two serial ports together, with the internal computer configured as an output port and the web computer configured as input. No amount of hacking on the web computer can affect the internal network, since it only WRITES to the connection. This could be custom or some software unknown to me, or the internal computer could run a terminal emulator (via a script) to talk to a terminal session on the www, and create a file (in edit) and "type" the report into that computer, and close the file.

Another 100% solution, more costly, but simpler. Get some kind of shared storage with two separate connections, one for the web side and one for the internal side. Write the report to disk from the internal side, read from the web enabled side.
This could also be an automated tape (or writable DVD) library, perhaps more of them have dual porting than current disk arrays, and might be useful in its own right for backups (and maybe you already have a tape library?). Here are some examples of dual port SCSI disk arrays on ebay:

http://cgi.ebay.com/HP-SFS20-Storage-Array-Enclosure-MSA20-with-Dual-Port_W0QQitemZ270196591601QQihZ017QQcategoryZ64072QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

http://cgi.ebay.com/HP-SFS20-Storage-Array-Enclosure-MSA20-with-Dual-Port_W0QQitemZ270196598912QQihZ017QQcategoryZ64072QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

There may be other shared storage solutions, but SAN connected via Ethernet *MAY* be susceptible to being compromised via commands sent over Ethernet. I am much more confident that a SCSI connected storage array cannot be hacked into via SCSI commands, and even if it was, it could not attack your internal network that only talks to it via a SCSI interface.

This last could be more general, the www computer could request a specific report which the internal network would then create for it. The other solutions tend to imply some fixed set of reports that go out on some fixed schedule.

--
Carey Tyler Schug

From gatorreina at gmail.com Sat Dec 15 18:45:33 2007
From: gatorreina at gmail.com (Richard Reina)
Date: Sat Dec 15 18:45:36 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <4761E396.5050007@comcast.net>
References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com> <4761E396.5050007@comcast.net>
Message-ID: <489cf9d0712151645v1171174dk1131d95d209251c7@mail.gmail.com>

Carey,

Thank you very much for your reply. Although your suggestions are somewhat complicated for me they certainly seem secure. I really appreciate the advice. I will look very closely at these suggestions.

Thanks again.

Richard

On Dec 13, 2007 7:59 PM, Carey Tyler Schug wrote:
> The original problem also stated "send reports over the internet".
> > Doesn't sound like a continuous 24x7 kind of task. Plug the web enabled > computer into the internal network, create and send email, unplug. Or, > connect web enabled computer into internal network (only), create email, > unplug and plug into www (or dial-up) and send email. The exploit would > have to be intelligent enough to work unsupervised and store-and-forward > whatever it did. > > Also, If you want it, a 100% security solution. Connect two serial > ports together, with the internal computer configured as an output port > and the web computer configured as input. No amount of hacking on the > web computer can affect the internal network, since it only WRITES to > the connection. This could be custom or some software unknown to me, or > the internal computer could run a terminal emulator (via a script) to > talk to a terminal session on the www, and create a file (in edit) and > "type" the report into that computer, and close the file. > > Another 100% solution, more costly, but simpler. Get some kind of > shared storage with two separate connections, one for the web side and > one for the internal side. Write the report to disk from the internal > side, read from web enabled side. This could also be an automated tape > (or writable DVD) library, perhaps more of them have dual porting than > current disk arrays, and might be useful in its own right for backups > (and maybe you already have a tape library?). here are some examples of > dual port SCSI disk arrays on ebay: > > http://cgi.ebay.com/HP-SFS20-Storage-Array-Enclosure-MSA20-with-Dual-Port_W0QQitemZ270196591601QQihZ017QQcategoryZ64072QQssPageNameZWDVWQQrdZ1QQcmdZViewItem > > http://cgi.ebay.com/HP-SFS20-Storage-Array-Enclosure-MSA20-with-Dual-Port_W0QQitemZ270196598912QQihZ017QQcategoryZ64072QQssPageNameZWDVWQQrdZ1QQcmdZViewItem > There may be other shared storage solutions, but SAN connected via > Ethernet *MAY* be susceptible to being compromised via commands sent > over Ethernet. 
> I am much more confident that a SCSI connected storage
> array cannot be hacked into via SCSI commands, and even if it was, it
> could not attack your internal network that only talks to it via a SCSI
> interface.
>
> This last could be more general, the www computer could request a
> specific report which the internal network would then create for it.
> The other solutions tend to imply some fixed set of reports that go out
> on some fixed schedule.
>
> --
> Carey Tyler Schug
>
> --
> Linux Users Of Northern Illinois - Technical Discussion
> http://luni.org/mailman/listinfo/luni

From gatorreina at gmail.com Wed Dec 19 09:06:08 2007
From: gatorreina at gmail.com (Richard Reina)
Date: Wed Dec 19 09:06:17 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <4761E396.5050007@comcast.net> References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com> <4761E396.5050007@comcast.net> Message-ID: <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com> Does anyone have an idea if spliting a USB flash key with a USB hub would allow two pc's to simultaneously access the flash drive? On 12/13/07, Carey Tyler Schug wrote: > The original problem also stated "send reports over the internet". > > Doesn't sound like a continuous 24x7 kind of task. Plug the web enabled > computer into the internal network, create and send email, unplug. Or, > connect web enabled computer into internal network (only), create email, > unplug and plug into www (or dial-up) and send email. The exploit would > have to be intelligent enough to work unsupervised and store-and-forward > whatever it did. > > Also, If you want it, a 100% security solution. Connect two serial > ports together, with the internal computer configured as an output port > and the web computer configured as input. No amount of hacking on the > web computer can affect the internal network, since it only WRITES to > the connection. This could be custom or some software unknown to me, or > the internal computer could run a terminal emulator (via a script) to > talk to a terminal session on the www, and create a file (in edit) and > "type" the report into that computer, and close the file. > > Another 100% solution, more costly, but simpler. Get some kind of > shared storage with two separate connections, one for the web side and > one for the internal side. Write the report to disk from the internal > side, read from web enabled side. This could also be an automated tape > (or writable DVD) library, perhaps more of them have dual porting than > current disk arrays, and might be useful in its own right for backups > (and maybe you already have a tape library?). 
here are some examples of > dual port SCSI disk arrays on ebay: > http://cgi.ebay.com/HP-SFS20-Storage-Array-Enclosure-MSA20-with-Dual-Port_W0QQitemZ270196591601QQihZ017QQcategoryZ64072QQssPageNameZWDVWQQrdZ1QQcmdZViewItem > http://cgi.ebay.com/HP-SFS20-Storage-Array-Enclosure-MSA20-with-Dual-Port_W0QQitemZ270196598912QQihZ017QQcategoryZ64072QQssPageNameZWDVWQQrdZ1QQcmdZViewItem > There may be other shared storage solutions, but SAN connected via > Ethernet *MAY* be susceptible to being compromised via commands sent > over Ethernet. I am much more confident that a SCSI connected storage > array cannot be hacked into via SCSI commands, and even if it was, it > could not attack your internal network that only talks to it via a SCSI > interface. > > This last could be more general, the www computer could request a > specific report which the internal network would then create for it. > The other solutions tend to imply some fixed set of reports that go out > on some fixed schedule. > > -- > Carey Tyler Schug > > -- > Linux Users Of Northern Illinois - Technical Discussion > http://luni.org/mailman/listinfo/luni > From e.ellington at gmail.com Wed Dec 19 09:24:08 2007 From: e.ellington at gmail.com (Eric Ellington) Date: Wed Dec 19 09:24:11 2007 Subject: [LUNI] Making a private network somewhat public. In-Reply-To: <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com> References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com> <4761E396.5050007@comcast.net> <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com> Message-ID: Hurm... That sound a bit complicated. Why not put the USB drive into computer A and share it over the network with computer B? On Dec 19, 2007 9:06 AM, Richard Reina wrote: > Does anyone have an idea if spliting a USB flash key with a USB hub > would allow two pc's to simultaneously access the flash drive? > > > > On 12/13/07, Carey Tyler Schug wrote: > > The original problem also stated "send reports over the internet". 
> > > > Doesn't sound like a continuous 24x7 kind of task. Plug the web enabled > > computer into the internal network, create and send email, unplug. Or, > > connect web enabled computer into internal network (only), create email, > > unplug and plug into www (or dial-up) and send email. The exploit would > > have to be intelligent enough to work unsupervised and store-and-forward > > whatever it did. > > > > Also, If you want it, a 100% security solution. Connect two serial > > ports together, with the internal computer configured as an output port > > and the web computer configured as input. No amount of hacking on the > > web computer can affect the internal network, since it only WRITES to > > the connection. This could be custom or some software unknown to me, or > > the internal computer could run a terminal emulator (via a script) to > > talk to a terminal session on the www, and create a file (in edit) and > > "type" the report into that computer, and close the file. > > > > Another 100% solution, more costly, but simpler. Get some kind of > > shared storage with two separate connections, one for the web side and > > one for the internal side. Write the report to disk from the internal > > side, read from web enabled side. This could also be an automated tape > > (or writable DVD) library, perhaps more of them have dual porting than > > current disk arrays, and might be useful in its own right for backups > > (and maybe you already have a tape library?). 
here are some examples of > > dual port SCSI disk arrays on ebay: > > http://cgi.ebay.com/HP-SFS20-Storage-Array-Enclosure-MSA20-with-Dual-Port_W0QQitemZ270196591601QQihZ017QQcategoryZ64072QQssPageNameZWDVWQQrdZ1QQcmdZViewItem > > http://cgi.ebay.com/HP-SFS20-Storage-Array-Enclosure-MSA20-with-Dual-Port_W0QQitemZ270196598912QQihZ017QQcategoryZ64072QQssPageNameZWDVWQQrdZ1QQcmdZViewItem > > There may be other shared storage solutions, but SAN connected via > > Ethernet *MAY* be susceptible to being compromised via commands sent > > over Ethernet. I am much more confident that a SCSI connected storage > > array cannot be hacked into via SCSI commands, and even if it was, it > > could not attack your internal network that only talks to it via a SCSI > > interface. > > > > This last could be more general, the www computer could request a > > specific report which the internal network would then create for it. > > The other solutions tend to imply some fixed set of reports that go out > > on some fixed schedule. > > > > -- > > Carey Tyler Schug > > > > -- > > Linux Users Of Northern Illinois - Technical Discussion > > http://luni.org/mailman/listinfo/luni > > > -- > Linux Users Of Northern Illinois - Technical Discussion > http://luni.org/mailman/listinfo/luni > -- Eric Ellington e.ellington@gmail.com From dbt at meat.net Wed Dec 19 09:30:09 2007 From: dbt at meat.net (David Terrell) Date: Wed Dec 19 09:30:11 2007 Subject: [LUNI] Making a private network somewhat public. In-Reply-To: <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com> References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com> <4761E396.5050007@comcast.net> <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com> Message-ID: <20071219153009.GB14699@sphinx.chicagopeoplez.org> On Wed, Dec 19, 2007 at 09:06:08AM -0600, Richard Reina wrote: > Does anyone have an idea if spliting a USB flash key with a USB hub > would allow two pc's to simultaneously access the flash drive? No. 
--
David Terrell
dbt@meat.net
((meatspace)) http://meat.net/

From jason at hostedlabs.com Wed Dec 19 09:48:19 2007
From: jason at hostedlabs.com (Jason Rexilius)
Date: Wed Dec 19 09:49:04 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To:
References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com> <4761E396.5050007@comcast.net> <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com>
Message-ID: <47693D43.9010700@hostedlabs.com>

You could mount one of them read-only, but to have both write you would have to run some kind of cluster filesystem to handle locking on the separate machines.

Eric Ellington wrote:
> Hurm... That sounds a bit complicated. Why not put the USB drive into computer A and share it over the network with computer B?
>
> On Dec 19, 2007 9:06 AM, Richard Reina wrote:
>> Does anyone have an idea if splitting a USB flash key with a USB hub would allow two PCs to simultaneously access the flash drive?
>>
>> On 12/13/07, Carey Tyler Schug wrote:
>>> The original problem also stated "send reports over the internet".
>>>
>>> Doesn't sound like a continuous 24x7 kind of task. Plug the web enabled computer into the internal network, create and send email, unplug. Or, connect web enabled computer into internal network (only), create email, unplug and plug into www (or dial-up) and send email. The exploit would have to be intelligent enough to work unsupervised and store-and-forward whatever it did.
>>>
>>> Also, if you want it, a 100% security solution. Connect two serial ports together, with the internal computer configured as an output port and the web computer configured as input. No amount of hacking on the web computer can affect the internal network, since it only WRITES to the connection.
>>> This could be custom or some software unknown to me, or the internal computer could run a terminal emulator (via a script) to talk to a terminal session on the www, and create a file (in edit) and "type" the report into that computer, and close the file.
>>>
>>> Another 100% solution, more costly, but simpler. Get some kind of shared storage with two separate connections, one for the web side and one for the internal side. Write the report to disk from the internal side, read from web enabled side. This could also be an automated tape (or writable DVD) library, perhaps more of them have dual porting than current disk arrays, and might be useful in its own right for backups (and maybe you already have a tape library?). Here are some examples of dual port SCSI disk arrays on eBay:
>>> http://cgi.ebay.com/HP-SFS20-Storage-Array-Enclosure-MSA20-with-Dual-Port_W0QQitemZ270196591601QQihZ017QQcategoryZ64072QQssPageNameZWDVWQQrdZ1QQcmdZViewItem
>>> http://cgi.ebay.com/HP-SFS20-Storage-Array-Enclosure-MSA20-with-Dual-Port_W0QQitemZ270196598912QQihZ017QQcategoryZ64072QQssPageNameZWDVWQQrdZ1QQcmdZViewItem
>>> There may be other shared storage solutions, but SAN connected via Ethernet *MAY* be susceptible to being compromised via commands sent over Ethernet. I am much more confident that a SCSI connected storage array cannot be hacked into via SCSI commands, and even if it was, it could not attack your internal network that only talks to it via a SCSI interface.
>>>
>>> This last could be more general, the www computer could request a specific report which the internal network would then create for it. The other solutions tend to imply some fixed set of reports that go out on some fixed schedule.
>>>
>>> --
>>> Carey Tyler Schug
>>>
>>
>

From scott at cashnetusa.com Wed Dec 19 09:52:44 2007
From: scott at cashnetusa.com (William Scott Lockwood III)
Date: Wed Dec 19 10:12:31 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <20071219153009.GB14699@sphinx.chicagopeoplez.org>
References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com> <4761E396.5050007@comcast.net> <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com> <20071219153009.GB14699@sphinx.chicagopeoplez.org>
Message-ID: <1198079564.12068.49.camel@scott-640m.checkgiant.com>

This CAN be done. Just not with a hub. I've seen drive enclosures set up to allow it.

On Wed, 2007-12-19 at 09:30 -0600, David Terrell wrote:
> On Wed, Dec 19, 2007 at 09:06:08AM -0600, Richard Reina wrote:
> > Does anyone have an idea if splitting a USB flash key with a USB hub
> > would allow two PCs to simultaneously access the flash drive?
>
> No.
>
> --
> David Terrell
> dbt@meat.net
> ((meatspace)) http://meat.net/

--
William Scott Lockwood III
CashNetUSA.com

From gatorreina at gmail.com Wed Dec 19 10:43:25 2007
From: gatorreina at gmail.com (Richard Reina)
Date: Wed Dec 19 10:43:28 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <1198079564.12068.49.camel@scott-640m.checkgiant.com>
References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com> <4761E396.5050007@comcast.net> <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com> <20071219153009.GB14699@sphinx.chicagopeoplez.org> <1198079564.12068.49.camel@scott-640m.checkgiant.com>
Message-ID: <489cf9d0712190843n3688033cs8f204892573007f1@mail.gmail.com>

Do you know where I can get more info on doing it?

On 12/19/07, William Scott Lockwood III wrote:
> This CAN be done. Just not with a hub.
> I've seen drive enclosures set up to allow it.
>
> On Wed, 2007-12-19 at 09:30 -0600, David Terrell wrote:
> > On Wed, Dec 19, 2007 at 09:06:08AM -0600, Richard Reina wrote:
> > > Does anyone have an idea if splitting a USB flash key with a USB hub
> > > would allow two PCs to simultaneously access the flash drive?
> >
> > No.
> >
> > --
> > David Terrell
> > dbt@meat.net
> > ((meatspace)) http://meat.net/
> --
> William Scott Lockwood III
> CashNetUSA.com
>

From ken at stox.org Wed Dec 19 10:52:43 2007
From: ken at stox.org (Kenneth P. Stox)
Date: Wed Dec 19 10:52:52 2007
Subject: [LUNI] Help save Fermilab
Message-ID: <1198083163.8678.5.camel@stox.dyndns.org>

It seems that our congress has made a horrible oversight, and has cut Fermilab off at the knees. I urge everyone to call their congressmen to rectify this travesty:

http://www.chicagotribune.com/news/local/chi-fermi_19dec19,1,2424810.story

Personally, I will be reminding Judy Biggert that hundreds of Fermilab staff live in her district, and millions go to companies located in her district.

From scott at cashnetusa.com Wed Dec 19 11:00:26 2007
From: scott at cashnetusa.com (William Scott Lockwood III)
Date: Wed Dec 19 11:00:36 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712190843n3688033cs8f204892573007f1@mail.gmail.com>
References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com> <4761E396.5050007@comcast.net> <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com> <20071219153009.GB14699@sphinx.chicagopeoplez.org> <1198079564.12068.49.camel@scott-640m.checkgiant.com> <489cf9d0712190843n3688033cs8f204892573007f1@mail.gmail.com>
Message-ID: <1198083626.12068.102.camel@scott-640m.checkgiant.com>

I'll dig out what I had - we had devices with two FireWire connectors, that we were going to use to make an ultra-cheap, very low-rent array between several devices.
We ended up just getting a NAS instead. :-)

On Wed, 2007-12-19 at 10:43 -0600, Richard Reina wrote:
> Do you know where I can get more info on doing it?
>
> On 12/19/07, William Scott Lockwood III wrote:
> > This CAN be done. Just not with a hub. I've seen drive enclosures set up
> > to allow it.
> >
> > On Wed, 2007-12-19 at 09:30 -0600, David Terrell wrote:
> > > On Wed, Dec 19, 2007 at 09:06:08AM -0600, Richard Reina wrote:
> > > > Does anyone have an idea if splitting a USB flash key with a USB hub
> > > > would allow two PCs to simultaneously access the flash drive?
> > >
> > > No.

--
W. Scott Lockwood III
CashNetUSA System Administrator
200 W. Jackson Blvd #2400
Chicago, Il 60606
scott@cashnetusa.com
(312) 586 4224 or xHELP
http://cashnetusa.com/

From e.ellington at gmail.com Wed Dec 19 11:08:24 2007
From: e.ellington at gmail.com (Eric Ellington)
Date: Wed Dec 19 11:08:26 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To: <489cf9d0712190843n3688033cs8f204892573007f1@mail.gmail.com>
References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com> <4761E396.5050007@comcast.net> <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com> <20071219153009.GB14699@sphinx.chicagopeoplez.org> <1198079564.12068.49.camel@scott-640m.checkgiant.com> <489cf9d0712190843n3688033cs8f204892573007f1@mail.gmail.com>
Message-ID:

The only way I know how to do this is with a type of NFS, AFS or Coda store set up.

http://nfs.sourceforge.net/
http://www.openafs.org/
http://www.coda.cs.cmu.edu/

On Dec 19, 2007 10:43 AM, Richard Reina wrote:
> Do you know where I can get more info on doing it?
>
> On 12/19/07, William Scott Lockwood III wrote:
> > This CAN be done. Just not with a hub. I've seen drive enclosures set up
> > to allow it.
> >
> > On Wed, 2007-12-19 at 09:30 -0600, David Terrell wrote:
> > > On Wed, Dec 19, 2007 at 09:06:08AM -0600, Richard Reina wrote:
> > > > Does anyone have an idea if splitting a USB flash key with a USB hub
> > > > would allow two PCs to simultaneously access the flash drive?
> > >
> > > No.
> > >
> > > --
> > > David Terrell
> > > dbt@meat.net
> > > ((meatspace)) http://meat.net/
> > --
> > William Scott Lockwood III
> > CashNetUSA.com
>

--
Eric Ellington
e.ellington@gmail.com

From jason at hostedlabs.com Wed Dec 19 11:22:03 2007
From: jason at hostedlabs.com (Jason Rexilius)
Date: Wed Dec 19 11:22:49 2007
Subject: [LUNI] Making a private network somewhat public.
In-Reply-To:
References: <974893.50131.qm@web610.biz.mail.mud.yahoo.com> <4761E396.5050007@comcast.net> <489cf9d0712190706y2d58c590k9714abd611d4e1e3@mail.gmail.com> <20071219153009.GB14699@sphinx.chicagopeoplez.org> <1198079564.12068.49.camel@scott-640m.checkgiant.com> <489cf9d0712190843n3688033cs8f204892573007f1@mail.gmail.com>
Message-ID: <4769533B.1030001@hostedlabs.com>

You can mount a shared physical drive with one machine as read-write and others read-only without causing too many problems. You can also create separate partitions on the device, such as:

/dev/hda1
/dev/hda2

Machine 1 can mount /dev/hda1 read-write and /dev/hda2 as read-only.
Machine 2 can mount /dev/hda2 read-write and /dev/hda1 as read-only.

The only way to have both machines read-write on the same partition is to have a distributed lock manager and a cluster filesystem that supports that model (gfs, lustre, etc.)

Eric Ellington wrote:
> The only way I know how to do this is with a type of NFS, AFS or Coda
> store set up.
> http://nfs.sourceforge.net/
> http://www.openafs.org/
> http://www.coda.cs.cmu.edu/
>
> On Dec 19, 2007 10:43 AM, Richard Reina wrote:
>> Do you know where I can get more info on doing it?
>>
>> On 12/19/07, William Scott Lockwood III wrote:
>>> This CAN be done. Just not with a hub. I've seen drive enclosures set up
>>> to allow it.
>>>
>>> On Wed, 2007-12-19 at 09:30 -0600, David Terrell wrote:
>>>> On Wed, Dec 19, 2007 at 09:06:08AM -0600, Richard Reina wrote:
>>>>> Does anyone have an idea if splitting a USB flash key with a USB hub
>>>>> would allow two PCs to simultaneously access the flash drive?
>>>> No.
>>>>
>>>> --
>>>> David Terrell
>>>> dbt@meat.net
>>>> ((meatspace)) http://meat.net/
>>> --
>>> William Scott Lockwood III
>>> CashNetUSA.com
>>>
>>
>

From r_a_smith3530 at sbcglobal.net Wed Dec 19 13:50:48 2007
From: r_a_smith3530 at sbcglobal.net (Robert Smith)
Date: Wed Dec 19 15:50:56 2007
Subject: [LUNI] Help save Fermilab
In-Reply-To: <1198083163.8678.5.camel@stox.dyndns.org>
Message-ID: <714117.18771.qm@web81302.mail.mud.yahoo.com>

--- "Kenneth P. Stox" wrote:
> It seems that our congress has made a horrible oversight, and has cut
> Fermilab off at the knees. I urge everyone to call their congressmen to
> rectify this travesty:
>
> http://www.chicagotribune.com/news/local/chi-fermi_19dec19,1,2424810.story
>

Is there any way to get figures on how this would negatively impact a given county? I'm up in McHenry County, and I would imagine that there are a number of Fermilab people up here, plus possibly some businesses that would be impacted.
Having dealt with Congressional Representatives in the past though, I know that they seem to only be impressed with numbers, especially when it is numbers of voters that might not vote for them.

Rob Smith

From sqrfolkdnc at comcast.net Wed Dec 19 17:30:15 2007
From: sqrfolkdnc at comcast.net (Carey Tyler Schug)
Date: Wed Dec 19 17:30:42 2007
Subject: [LUNI] North Shore CCS: windows to linux
Message-ID: <4769A987.7000509@comcast.net>

The north shore chapter of the CCS is having a presentation on Linux. Should we go and pack the audience? If anybody who feels fairly knowledgeable plans to go (I do not feel I am) please let me know. I may go if nobody else is, but may not otherwise.

12/20/2007
Speaker: John Wendt
Company: CCS NORTH SHORE COMPUTER CLUB
Next meeting Thur. Dec. 20 7:00 PM (3rd Thur.)
Topic: Is Linux OS For You
Niles Public Library -- Room A
Oakton St. & Waukegan Rd. -- NE Corner
Refreshments 7:00 to 7:30 PM -- Prize Drawing 8:30 PM
FREE -- Open to the public -- Bring Friends !!!

--
Carey Tyler Schug

From lance at spitzner.net Wed Dec 19 21:50:50 2007
From: lance at spitzner.net (Lance Spitzner)
Date: Wed Dec 19 21:50:56 2007
Subject: [LUNI] Fedora8 RPM/YUM question
Message-ID: <1A6EC4E9-317C-4C8D-8DAC-CD48C9823D56@spitzner.net>

I'm running a default Fedora8 install on a VM host. I've been attempting to "yum install" a variety of pkgs. However, for the past 2 pkgs I've attempted to install, it only gives me the 64-bit version (Ruby and Wireshark-Gnome). I have to go to rpm.pbone.net and manually find these in the regular i386 version.

Why would yum be showing me only the 64-bit versions of RPM pkgs when I'm not running a 64-bit OS? Of the over 1,400 pkgs on my system, none are in 64-bit mode.

Words of wisdom appreciated, thanks!
lance

From linux at unliketea.com Fri Dec 21 15:06:23 2007
From: linux at unliketea.com (Steve Pribyl)
Date: Fri Dec 21 15:06:32 2007
Subject: [LUNI] heartbeat
Message-ID: <48273.69.17.21.59.1198271183.squirrel@mail.unliketea.com>

Has anyone used heartbeat 2? Do you know of some *good* documentation? I am having problems processing, using my brain, their home page.

Thanks
Steve

From richard at rushlogistics.com Mon Dec 24 15:06:05 2007
From: richard at rushlogistics.com (Richard Reina)
Date: Mon Dec 24 17:06:14 2007
Subject: [LUNI] What to do with an rsynced file? -- Advice Sought
Message-ID: <134066.45706.qm@web601.biz.mail.mud.yahoo.com>

I have files that are periodically transferred over to a local pc. I would like these files to be sent to a local serial port. I now do this manually via cat /dev/ttyD0. I was looking for advice on the best way to automate this. I thought about perhaps creating a perl script that checks the local directory every ten seconds or so, but thought that there may be a better way. I was wondering if anyone had any experience with something similar that might lead to ideas, dos and don'ts for this sort of situation?

Any ideas would be greatly appreciated.

Happy Holidays!

Richard

Your beliefs become your thoughts.
Your thoughts become your words.
Your words become your actions.
Your actions become your habits.
Your habits become your values.
Your values become your destiny.
-- Mahatma Gandhi

From brian at planetshwoop.com Mon Dec 24 21:15:14 2007
From: brian at planetshwoop.com (Brian Sobolak)
Date: Mon Dec 24 20:15:23 2007
Subject: [LUNI] ANN: UFO Chicago This Thursday at El Cid
Message-ID: <51982.71.239.174.233.1198548914.squirrel@magenta.planetshwoop.com>

This Thursday is a UFO-Thursday!

UFO-Chicago is a group of open source enthusiasts. We gather to talk about issues of relevance to Chicago's technical community with an emphasis on open source.
Sometimes we discuss the finer points of Postscript programming, make jokes about PAM, and decide how to rid the world of SPAM.

Note: We will be meeting at El Cid #2 for this meeting, NOT at the Golden Nugget. El Cid #2 is at 2645 N Kedzie in Logan Square. It's directly across the street from the Blue Line station, and there is also on-street parking or a (cheap) city lot nearby. El Cid has tasty and inexpensive Mexican fare as well as beer and margaritas.

The meeting will start at 8pm, as usual. If you're new and don't know what we look like, ask the hostess.

For more info, check out our website: http://ufo.chicago.il.us/

brian

--
brian sobolak
brian@planetshwoop.com
http://www.planetshwoop.com/

--
Linux Users Of Northern Illinois - Announcements Mailing List
http://luni.org/mailman/listinfo/luni-announce

From sobolak at gmail.com Tue Dec 25 18:26:42 2007
From: sobolak at gmail.com (Brian Sobolak)
Date: Tue Dec 25 18:26:47 2007
Subject: [LUNI] What to do with an rsynced file? -- Advice Sought
In-Reply-To: <134066.45706.qm@web601.biz.mail.mud.yahoo.com>
References: <134066.45706.qm@web601.biz.mail.mud.yahoo.com>
Message-ID:

On Dec 24, 2007 5:06 PM, Richard Reina wrote:
> I have files that are periodically transferred over to a local pc. I would like these files to be sent to a local serial port. I now do this manually via cat /dev/ttyD0. I was looking for advice on the best way to automate this. I thought about perhaps creating a perl script that checks the local directory every ten seconds or so, but thought that there may be a better way. I was wondering if anyone had any experience with something similar that might lead to ideas, dos and don'ts for this sort of situation?
>

Umm, use cron to run cat /dev/ttyD0 every 10 seconds?

If you need more tricky logic than that, have cron call a bash/perl script to add smarts.

brian

--
Brian Sobolak
http://www.planetshwoop.com/

From gordon at knoppe.net Fri Dec 28 10:59:04 2007
From: gordon at knoppe.net (Gordon A. Knoppe)
Date: Fri Dec 28 10:59:22 2007
Subject: [LUNI] What to do with an rsynced file? -- Advice Sought
In-Reply-To:
References: <134066.45706.qm@web601.biz.mail.mud.yahoo.com>
Message-ID: <47752B58.6050407@knoppe.net>

Have you looked into inotify?

http://en.wikipedia.org/wiki/Inotify

Brian Sobolak wrote:
> On Dec 24, 2007 5:06 PM, Richard Reina wrote:
>> I have files that are periodically transferred over to a local pc. I would like these files to be sent to a local serial port. I now do this manually via cat /dev/ttyD0. I was looking for advice on the best way to automate this. I thought about perhaps creating a perl script that checks the local directory every ten seconds or so, but thought that there may be a better way. I was wondering if anyone had any experience with something similar that might lead to ideas, dos and don'ts for this sort of situation?
>>
>
> Umm, use cron to run cat /dev/ttyD0 every 10 seconds?
>
> If you need more tricky logic than that, have cron call a bash/perl
> script to add smarts.
>
> brian
>
> --
> Brian Sobolak
> http://www.planetshwoop.com/

From luni at pyewacket.org Sat Dec 29 14:59:11 2007
From: luni at pyewacket.org (Mike Scott)
Date: Sat Dec 29 16:05:59 2007
Subject: [LUNI] A couple of (k)ubuntu install questions
Message-ID: <20071229145911.6095274834031e3691077dcdffae0724.7ba2c53d56.wbe@email.secureserver.net>

Does anyone have a simple way to get a listing of all packages installed on Kubuntu Linux? I typically use Adept, but don't see a way to generate reports. Is there some command-line tool like apt? I do have that installed as well, but don't know if it shares data with Adept.

I am looking for a simple text file so I can do a clean reinstall and not miss anything. I have never had good luck with upgrades and I think my system is currently a bit hinky from trying.
I have a new disc (500GB SATA) and want to partition it so I can have two system partitions and alternately install new versions on one for testing without trashing the active one (kinda like the way TiVo does it). When I install the new disc, I can just copy my home partition to the new drive and life should be good.

Also, somebody mentioned dedicating most of the drive to /var, placing a home folder there and mounting it so that it appears in the filesystem as /home. Can this be done during install, or is it better to do a stock install, move home and add the mountpoint to fstab after the system is running?

- Mike Scott

From maney at two14.net Sat Dec 29 16:37:29 2007
From: maney at two14.net (Martin Maney)
Date: Sat Dec 29 16:37:42 2007
Subject: [LUNI] A couple of (k)ubuntu install questions
In-Reply-To: <20071229145911.6095274834031e3691077dcdffae0724.7ba2c53d56.wbe@email.secureserver.net>
References: <20071229145911.6095274834031e3691077dcdffae0724.7ba2c53d56.wbe@email.secureserver.net>
Message-ID: <20071229223729.GA21134@furrr.two14.net>

On Sat, Dec 29, 2007 at 02:59:11PM -0700, Mike Scott wrote:
> Does anyone have a simple way to get a listing of all packages installed
> on Kubuntu Linux?

dpkg --get-selections

Though you might need to filter out a few packages in states other than "install", though those may have been the result of deferring some updates until I was ready to reboot the machine... hmmm, still need to do that sometime...

> I am looking for a simple text file so I can do a clean reinstall and
> not miss anything.

Then you'll probably want to know about --set-selections, too.

> I have a new disc (500GB SATA) and want to partition it so I can have
> two system partitions and alternately install new versions on one for
> testing without trashing the active one (kinda like the way TiVo does
> it).
One thing to watch out for: if you use the same /home with it, you *will* sooner or later find some app's dotfiles and/or data files "helpfully" updated by the new version of some browser\\\\\\\ application. Oddly, those helpful apps don't seem to have thought to provide a way to back out that change. ;-(

> When I install the new disc, I can just copy my home partition to the
> new drive and life should be good.

> Also, somebody mentioned dedicating most of the drive to /var, placing a
> home folder there and mounting it so that it appears in the filesystem
> as /home. Can this be done during install, or is it better to do a
> stock install, move home and add the mountpoint to fstab after the
> system is running?

You'd do that after install, and it might be a little tricky if you haven't changed the default config where there's no direct login to root. It also sounds as though you're talking about sharing one big /var between two "separate" system images, but maybe I misunderstand 'cause you really wouldn't want to do that...

Of the usual suspects in my world, the swap space and /tmp can be shared between two images without any worries (unless you're going to play around with VMs or some such using both at once); the root (of course), /usr, /var cannot. /home can, with the caveat that some browsers\\\\\\\\ apps may "helpfully" update their dotfiles and even other files while you're testing the newer release and not provide any way to go back. :-(

--
This is like making a car shorter by cutting off a few inches from each end with a Sawzall. Of course there's little benefit, because that's a dumb way to do it. -- Neil R. Ormos
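The dpkg --get-selections / --set-selections workflow Martin describes, worked through as an added example (editor's code, not from any poster on this thread): the script filters a saved selections dump down to the "install" state he warns about, and then compares it against a dump from the rebuilt machine so nothing is missed. The two dumps are constructed sample data, not output from a real system; only POSIX sh, awk, sort and comm are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild a package list from a saved
# `dpkg --get-selections` dump and check a fresh install against it.
# Only POSIX sh, awk, sort and comm are used; the two dumps are constructed.
export LC_ALL=C   # keep sort and comm agreeing on collation

# Keep only packages whose selection state is "install". A dump can also
# carry "deinstall", "purge" or "hold" lines for packages you do not want
# re-installed on the rebuilt machine (Martin's caveat).
filter_install_selections() {
    awk '$2 == "install" { print $1 }' "$1" | sort -u
}

# Names present in the old (pre-reinstall) list but missing from the new one.
# Both inputs must be sorted, one package name per line.
missing_packages() {
    comm -23 "$1" "$2"
}

# Turn a plain name list back into the "<name><TAB>install" format that
# `dpkg --set-selections` reads on stdin.
to_selections() {
    awk '{ printf "%s\tinstall\n", $1 }' "$1"
}

WORK=$(mktemp -d)

# Constructed dump from the old system: note the two non-"install" states.
printf '%s\t%s\n' \
    adept install \
    apt install \
    kubuntu-desktop install \
    libfoo0 deinstall \
    old-kernel-image purge \
    rsync install \
    > "$WORK/old.dump"

# Constructed dump from the freshly reinstalled system: rsync not yet added.
printf '%s\t%s\n' \
    adept install \
    apt install \
    kubuntu-desktop install \
    > "$WORK/new.dump"

filter_install_selections "$WORK/old.dump" > "$WORK/old.list"
filter_install_selections "$WORK/new.dump" > "$WORK/new.list"

# Report what still has to be installed, and build the selections file that
# would bring the new system back in line (feed it to `dpkg --set-selections`).
echo "Missing after reinstall:"
missing_packages "$WORK/old.list" "$WORK/new.list" | tee "$WORK/missing.list"
to_selections "$WORK/missing.list" > "$WORK/missing.selections"
cat "$WORK/missing.selections"
```

On a real machine the two dumps would come from `dpkg --get-selections > file` on the old and new systems respectively.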