Re: (no subject)
On Tue, Jun 25, 2002 at 05:14:49PM -0400, [EMAIL PROTECTED] wrote:

Unable to log onto secure sites. Followed http://pandor etc directions Got an index of / ~kitamd/morzilla without the ability to download apt-get update or apt-get install mozilla What can you suggest?

apt-get install mozilla-psm

Nailed me, too. :-)

KEN

--
Kenneth J. Pronovici [EMAIL PROTECTED]
Personal Homepage: http://www.skyjammer.com/~pronovic/
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin, Historical Review of Pennsylvania, 1759

Re: IPtables log summary?
I've not used it, but in looking for another package (!) I found fwlogwatch:

Description: Firewall log analyzer
fwlogwatch produces ipchains, netfilter/iptables, ipfilter, Cisco IOS and Cisco PIX log summary reports in text and HTML form and has a lot of options to find and display relevant patterns in connection attempts. With the data found it can also generate customizable incident reports from a template and send them to abuse contacts at offending sites or CERT coordination centers. Finally, it can also run as daemon and report anomalies or start countermeasures.

might be worth looking at?

Yes, definitely. And now that I have another keyword (firewall, duh) to search with, there are a few other options, too. Thanks...

KEN

IPtables log summary?
I use logcheck right now to analyze my logs on an hourly basis. As it turns out, the iptables entries (about denied connections, etc.) are most of what's in the logcheck emails. This is a little tiring because a lot of the time, I don't do anything based on these entries. I know I sometimes miss other entries in the middle of a pile of iptables entries, too.

What I'd like to do is filter these iptables entries out of the logcheck emails (which is easy), but I don't want to lose the information entirely. What I want is a daily summary of iptables problems, i.e. number of denied connections, list of the hosts that were disallowed, list of the closed ports that were hit, etc., etc. If I see something disturbing, I'll go back and look at the logs for specifics.

Can anyone suggest an existing package that does this? Anyone out there written a home-grown script that sounds like this?

Thanks for the suggestions...

KEN

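
The daily summary asked for in the message above (denied count, source hosts, ports hit), as an added example that is not part of the original thread and not code from logcheck or fwlogwatch. It assumes the firewall rules log with a `--log-prefix` of "DROP: "; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format written by the iptables LOG
# target. "DROP: " is an assumed --log-prefix; all addresses come from the
# documentation ranges.
_MAC = "MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00"
SAMPLE_LOG = f"""\
Jun 25 03:10:01 fw kernel: DROP: IN=eth0 OUT= {_MAC} SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 03:10:07 fw sshd[812]: Failed password for root from 192.0.2.10 port 40200 ssh2
Jun 25 03:10:09 fw kernel: DROP: IN=eth0 OUT= {_MAC} SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4243 DF PROTO=TCP SPT=40113 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 04:22:30 fw kernel: DROP: IN=eth0 OUT= {_MAC} SRC=203.0.113.77 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=901 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 25 05:01:12 fw kernel: DROP: IN=eth0 OUT= {_MAC} SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4250 DF PROTO=TCP SPT=40150 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 25 06:45:00 fw kernel: DROP: IN=eth0 OUT= {_MAC} SRC=203.0.113.9 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jun 25 09:00:00 fw kernel: eth0: link up
Jun 25 11:30:44 fw kernel: DROP: IN=eth0 OUT= {_MAC} SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=110 ID=950 DF PROTO=TCP SPT=1044 DPT=23 WINDOW=8192 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line, prefix="DROP: "):
    """Return the KEY=value fields of a netfilter LOG entry, or None.

    Lines from other daemons, and kernel lines without the log prefix,
    are rejected so the summary only counts firewall denials.
    """
    # Newer kernels may put a "[timestamp] " between "kernel: " and the prefix.
    marker = re.search(r"kernel: (?:\[[^\]]*\] )?" + re.escape(prefix), line)
    if marker is None:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line[marker.end():]):
        # First occurrence wins: UDP repeats LEN, ICMP repeats ID, and ICMP
        # error entries embed the offending packet's header in brackets.
        fields.setdefault(key, value)
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarize(lines, prefix="DROP: ", top=10):
    """Count denied packets, source hosts and destination ports."""
    hosts, ports = Counter(), Counter()
    denied = 0
    for line in lines:
        fields = parse_line(line, prefix)
        if fields is None:
            continue
        denied += 1
        hosts[fields["SRC"]] += 1
        proto = fields["PROTO"].lower()
        if "DPT" in fields:
            ports[f"{proto}/{fields['DPT']}"] += 1
        else:
            # ICMP has a type and code instead of ports.
            ports[f"{proto}/type{fields.get('TYPE', '?')}"] += 1
    return {
        "denied": denied,
        "hosts": hosts.most_common(top),
        "ports": ports.most_common(top),
    }


def format_report(summary):
    """Render the summary as the body of a plain-text daily mail."""
    out = [f"Denied packets: {summary['denied']}", "Top source hosts:"]
    out += [f"  {count:6d}  {host}" for host, count in summary["hosts"]]
    out.append("Top destination ports:")
    out += [f"  {count:6d}  {port}" for port, count in summary["ports"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG.splitlines())))
```

Run from cron against the previous day's rotated log, with `prefix` set to whatever `--log-prefix` the firewall rules actually use.
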
Re: failed ssh breakins on my exposed www box ..
Does this work? Going to civil court against a cracker?

YES. It comes down to:
Do you have the time to wait for a result or lawsuit?
Do you know or have a lawyer that is net-smart or willing to learn?
Do you have the start-up money for the lawsuit? (at least $1,000-$5000)

Sorry to disagree, but I personally don't think that civil court is worth it unless the stakes are pretty high and the person you're suing undoubtedly has the ability to pay a judgement. This may be very difficult (or expensive) to pin down unless the person who's causing you problems is physically somewhere near you.

Also, remember that a civil suit (IMHO) will only be of use against someone who cares about their reputation and who ultimately has some ability to pay. I care about my credit rating, but do you think some script kiddie who likes breaking things and works at McDonald's part-time does? I don't want my employer to see garnishment on my check, and I'm not willing to quit my job, but that same script kiddie might not feel the same way.

Once you get garnishment set up, if the cracker switches jobs (and forgets to tell you) your garnishment won't follow to their new job, and you may have to find them all over again (or pay someone to find them again, same difference). Even better, sometimes garnishment orders don't cross jurisdictions, etc., etc. (pay the lawyer some more money). There are lots of potential pitfalls.

So, yes - get a lawyer, then think long and hard about whether it's really worth it to you. If it is, go for it. Good luck!

KEN

Re: Say, wheres 2.2.20?
Personally, I compile and install kernels by hand (i.e. make menuconfig; make bzImage; make install) What's the advantage of using make-kpkg? I use stable/2.2.20 on my servers and testing/2.4 or 2.5 on development boxes.

I used to make them by hand, too, but what I like about make-kpkg is that if you use it, you get a .deb that you can save off. The .deb includes your kernel and the modules you built, plus when you install it, it takes care of the links in / to /boot and also takes care of LILO configuration, etc.

I find that this makes recovery or reinstallation really easy... I save off a .deb for every different kernel I build, so it's easy to fall back if I really screw something up with a new kernel.

IMHO, anyway, the move to make-kpkg is worth it unless you're maintaining several machines with the same kernel that aren't all running Debian.

KEN

Re: problems with ssh
I have problems with the ssh server.. I'm trying to connect to a server via ssh but I don't want the server to ask for the password. How can I fix it?

From 'man ssh':

ssh implements the RSA authentication protocol automatically. The user creates his/her RSA key pair by running ssh-keygen(1). This stores the private key in $HOME/.ssh/identity and the public key in $HOME/.ssh/identity.pub in the user's home directory. The user should then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home directory on the remote machine (the authorized_keys file corresponds to the conventional $HOME/.rhosts file, and has one key per line, though the lines can be very long). After this, the user can log in without giving the password. RSA authentication is much more secure than rhosts authentication.

KEN

Interpreted Network Service?
This might be a bit off topic...if it is, please take replies to me directly.

Can anyone tell me if there is any reason, from a security standpoint, that one would not want to write a publicly-available network service in an interpreted language such as Python or Perl?

Thanks...

KEN

Re: SPAM was RE: INSURE GOOD RECEPTION! VITAL EMERGENCY STRATEGY!!!
On Friday 09 November 2001 17:46 pm, Robert Davidson wrote:

Wouldn't it just be better if the lists accepted mail from members only,

I have always thought so, but whenever that suggestion comes up on any of the debian lists it gets a pretty violent response.

yeah I know - I've seen it happen before a few times, but I think that's probably the only real solution. Until something like that happens it's probably a waste of time even talking about it.

There was a long discussion about this on the Curiosa list last month. It's probably not worth repeating the entire thread here (we're starting down that track).

http://lists.debian.org/debian-curiosa/2001/debian-curiosa-200110/msg00030.html

KEN

Re: Strange auth.log entry
the **unknown* is due to if there is not a correct uid (number) match to a username (your login name) in /etc/passwd. I only know this because of a bug in the dialy server I use (connectd) which didn't for whatever reason collect the correct uid for the user 'nobody'. Obviously something (maybe in yer cron job or an application running as root) is trying to lower its privileges but failing. It could be a normal application (such as apache) trying to change its userid to 'www-data' only to find it's not there. Look out for these kind of things. As for the 4704 I think if I'm correct that is the PID (process id, use top or ps ax to find out) that tried to lower its privileges. When you see this error again do a 'ps ax' and see if you can match up the 'upset' application.

I see entries like this when someone attempts to log into the machine (i.e. with telnet) but doesn't enter a username. Off the top of my head, I can't remember whether I get this entry when I goof up an ssh login or not. I just remember seeing it for telnet. That might be easy to reproduce... or maybe you remember goofing up a login that you can correlate to this entry?

KEN

Re: FTP and security
On Thu, Nov 08, 2001 at 04:57:22PM -0500, Adam Spickler wrote:

Is there a decent Windows FTP application that supports sftp? Unfortunately, I have to use Windows at work. :/

cygwin includes openssh... and the sftp it has supports everything you need.

Or, try Putty: http://www.chiark.greenend.org.uk/~sgtatham/putty/

It's not bad - small footprint and runs pretty well. The ssh client is pretty much like an xterm (it's what I'm using from work right now).

KEN

Re: AIDE database corrupt
My AIDE database keeps getting corrupt so that aide --check stops working. I have to issue a aide --init to get it back. Then after a couple of days the database will have gone corrupt again. Anyone seen this behaviour before?

I use AIDE under potato and woody. I recall that a while ago, I stopped using the --update switch in potato due to corruption - I always just recreate the database from scratch with --init. This sounds like what you're seeing. It wasn't a big deal to me (--init just takes longer than --update), and it seems to not happen in woody, so I never reported a bug.

KEN

--
Kenneth J. Pronovici [EMAIL PROTECTED]
Personal Homepage: http://www.skyjammer.com/~pronovic/
I have zero tolerance for zero-tolerance policies.

Re: BugTraq Kernel 2.2.19
I think Linus has already approved the patch. I'm not sure yet when will it arrive though..

Yes, the email linked to by that /. posting:

http://www.securityfocus.com/cgi-bin/archive.pl?id=1mid=221337start=2001-10-15end=2001-10-21

has attached to it the Linus-blessed 2.2.19 patch.

KEN

Re: BugTraq Kernel 2.2.19
Has anyone else noticed that the included exploit does not affect 2.2.19? I tested it on one of my boxes and got the expected 'Operation not permitted'. Maybe I'm misunderstanding the problem, but I thought that 2.2.19 took care of (well hindered) the ptrace problems.

I can't make the ptrace exploit work on my 2.2.19 system... but I might be doing something wrong (I'm not quite sure what to expect). I get:

   attached
   exec ./insert_shellcode 30505
   execl: Operation not permitted

The mklink.sh script definitely works as advertised. If I use an argument of 10, I'm dead in the water until the script finishes.

KEN

Gateway Login
I've been looking for a way to have my firewall act as a login gateway for my internal machines, i.e. be able to login as [EMAIL PROTECTED] in order to log into the internal machine rather than the firewall itself.

A friend pointed this package out:

http://www.stat.auckland.ac.nz/~blom001/gatelogin/

I was wondering whether anyone has used this package before, or knows of some other, better way to do this (maybe with some sort of PAM module?).

Thanks!

KEN

Re: Gateway Login
I have taken a look at the gatelogin source code and seems to be pretty simple to change in order to use ssh instead of rlogin. Have you tried it?

I haven't done it, but I agree... that change should be pretty simple. I'm just a bit leery of putting my own (slightly-tested) code out on a network connection for the world to see (re: the *long* discussion on code reviews from a few months ago). That's why I decided to look here for alternatives first. ;-)

KEN

Re: Gateway Login
If you're using ssh/telnet you can forward all packets from the external interface incoming to port 22, etc. to the internal machines ip.

Yep, that works if there's just one internal machine... but what if there's more than one? I end up with a separate port-forwarding rule and a separate port for each internal machine, which is what I want to avoid.

KEN

Re: Gateway Login
Indeed, this gets you to one internal machine, but this is better than logging into your firewall isn't it? From your internal machine you can then get to any other box you need to.

Agreed, I can make it work this way if I need to... what I'm trying to emulate is a corporate gateway that I've logged in through in the past. It would be nice to be able to generalize and say these internal machines may be logged into via the firewall somehow, which is what that corporate gateway allowed me to do, i.e.

   ftp gateway
   username: [EMAIL PROTECTED]

got me an FTP connection to the internal machine, not the firewall. Opinions about the safety/appropriateness of an FTP login aside, this is the sort of thing I'm looking for, and it's basically what the link in my original email provides (except that program only does rsh connections).

KEN

Re: firewall
[snip] Now only if there was as nifty a debian tool to make the package system think that a particular package was installed, without actually having it installed.

Have you tried 'equiv' ?? You can build a dummy package to provide the capability that is required by other packages. I used it to make potato think Perl 5.005 was installed after I installed Perl 5.6 (which doesn't provide the Perl 5.005 as needed by some utilities).

KEN

Re: apt-get issue(s)
is ftp2.sourceforge.net a debian mirror?

I got it off the mirrors list, and it looked like everything was sensible from checking with lynx.

deb http://ftp.de.debian.org/debian/ testing main non-free contrib
and an apt-get update
what's the exact output?

First, note that 'lynx http://ftp.de.debian.org' works fine. Here's the output:

   Err http://ftp.de.debian.org testing/main Packages
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Err http://ftp.de.debian.org testing/main Release
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Err http://ftp.de.debian.org testing/non-free Packages
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Err http://ftp.de.debian.org testing/non-free Release
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Err http://ftp.de.debian.org testing/contrib Packages
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Err http://ftp.de.debian.org testing/contrib Release
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Failed to fetch http://ftp.de.debian.org/debian/dists/testing/main/binary-i386/Packages
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Failed to fetch http://ftp.de.debian.org/debian/dists/testing/main/binary-i386/Release
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Failed to fetch http://ftp.de.debian.org/debian/dists/testing/non-free/binary-i386/Packages
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Failed to fetch http://ftp.de.debian.org/debian/dists/testing/non-free/binary-i386/Release
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Failed to fetch http://ftp.de.debian.org/debian/dists/testing/contrib/binary-i386/Packages
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Failed to fetch http://ftp.de.debian.org/debian/dists/testing/contrib/binary-i386/Release
     Could not connect to ftp.de.debian.org (141.76.2.4).
   Reading Package Lists... Done
   Building Dependency Tree... Done
   W: Couldn't stat source package list 'http://ftp.de.debian.org testing/main Packages' (/var/state/apt/lists/ftp.de.debian.org_debian_dists_testing_main_binary-i386_Packages) - stat (2 No such file or directory)
   W: Couldn't stat source package list 'http://ftp.de.debian.org testing/non-free Packages' (/var/state/apt/lists/ftp.de.debian.org_debian_dists_testing_non-free_binary-i386_Packages) - stat (2 No such file or directory)
   W: Couldn't stat source package list 'http://ftp.de.debian.org testing/contrib Packages' (/var/state/apt/lists/ftp.de.debian.org_debian_dists_testing_contrib_binary-i386_Packages) - stat (2 No such file or directory)
   W: You may want to run apt-get update to correct these missing files
   E: Some index files failed to download, they have been ignored, or old ones used instead.

Do you use an apt.conf? is the syntax correct (man apt.conf)

I don't believe I've ever modified this file. Here it is:

   // Pre-configure all packages before they are installed.
   // (Automatically added by debconf.)
   DPkg::Pre-Install-Pkgs {"/usr/sbin/dpkg-preconfigure --apt";};

p.p.s: try debian-user mailing list. the better place for your problem. and definitely better guys to help you!

I did cross-post to debian-user... but you were the only one who answered. ;-) The main reason I posted on security was my question about the ftp URL for security.debian.org... I was expecting help on most of the rest from the user list.

If you don't have any other ideas after this round, that's fine... since I have a workaround, there's no need for you to continue spending time on this. Thanks for all of the help, though!

KEN

Re: apt-get issue(s)
do you use a proxy with lynx, if so you may need to use one with apt!

Ah.. that got asked before privately; I should have posted a reply to the list. No, there's no proxy needed.

KEN

Re: apt-get issue(s)
   Err http://security.debian.org potato/updates/main Packages
     Could not connect to security.debian.org (132.229.131.40).

My guess is that this was a temporary server or network outage. I just did an apt-get update with this same source. It hung at 99% the first try and I Ctrl C to break and immediately ran it again and it worked fine.

That was my first thought, too... except apt-get worked on one of my other machines running the 'testing' distribution (I should have mentioned that in my original post). Incidentally, it still doesn't work now.

KEN

Re: apt-get issue(s)
do you use any kind of firewall? In the network or local? Eventually a configuration mistake in netfilter? Is your specific machine allowed to connect to debian.org? can you ping 132.229.131.40? ping security.debian.org? What does telnet security.debian.org 80 say?

Yes, I'm using a firewall (gShield) but configuration for it hasn't changed recently (rather, I changed it and put it back but it didn't seem to make a difference). Telnet, ping, lynx to security.debian.org with either IP address or name work fine... just not apt-get.

KEN

Re: apt-get issue(s)
Hmm... Any logs about? /var/log/syslog? /var/log/messages? are you able to apt another server? Is your apt installation fine or is any file missing? Try to fetch the aptdeb, purge your existing apt (dpkg --force-depends --purge apt), and reinstall it, to assure no file's missing and try again. Ok... nothing at all in /var/log about this (as far as I can tell). I cannot apt to a different server. I tried ftp2.sourceforge.net - which I can use lynx to connect to - but I get similar apt errors. Reinstalling apt-0.3.19 based on a newly-downloaded .deb file from http.us.debian.org using dpkg didn't seem to make a difference. I would be happy to compile and manually install a version of apt newer than 0.3.19 to see if that makes a difference, but I'm not exactly sure where to find it in the tree on http.us.debian.org (or elsewhere). KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ I have zero tolerance for zero-tolerance policies.
apt-get issue(s)
I'm cross-posting this to user and security, because there are really two (possibly-related) issues here. Feel free to take replies to just one list or the other.

On my firewall (running potato), I have been using these apt sources.list entries:

deb http://security.debian.org potato/updates main contrib non-free
deb http://http.us.debian.org/debian/ potato main non-free contrib
deb http://non-us.debian.org/debian-non-US/ potato/non-US main contrib non-free

However, suddenly, 'apt-get update' started failing with errors of the form:

Err http://security.debian.org potato/updates/main Packages
Could not connect to security.debian.org (132.229.131.40).

for each of the entries. I've finally worked around this by using these sources.list entries:

deb ftp://security.debian.org/debian-security potato/updates main contrib non-free
deb ftp://http.us.debian.org/debian/ potato main non-free contrib
deb ftp://non-us.debian.org/debian-non-US/ potato/non-US main contrib non-free

First question: any idea why the original http sources.list entries suddenly stopped working? The URLs that apt-get complains about seem to be available via lynx, so connectivity is apparently not the issue. Running strace on 'apt-get update' shows me an error 400 URI Failure, but I'm not sure where that leads me. I can go dig through the code next, but...

Second question: what's up with the security URL that I needed for FTP? I would have expected to use ftp://security.debian.org, but the dists directory exists under ftp://security.debian.org/debian-security instead.

Thanks in advance for the information. I guess I've worked around this for now, but I'd like to know what happened.

KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ I have zero tolerance for zero-tolerance policies.
Re: apt-get install apache (was red worm amusement)
Yes, but when you're upgrading your existing packages, and the dependencies have changed to such a degree to require *new* packages, that almost always implies a major change, such as a stable - testing transition, not a security fix for a package in stable (which is what security.debian.org is for). Yes, that makes sense. I guess my point is that from the manpage paragraph, this wasn't immediately clear, so I wouldn't be surprised if there are other people who misinterpreted it the same way I did. Thanks for the clarification. KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ I have zero tolerance for zero-tolerance policies.
Re: apt-get install apache (was red worm amusement)
If you're upgrading for security and bug fixes, you use upgrade. In michael's defense, take this entry from the apt-get manpage: dist-upgrade dist-upgrade, in addition to performing the function of upgrade, also intelligently handles changing dependencies with new versions of packages; apt-get has a smart conflict resolution system, and it will attempt to upgrade the most important packages at the expense of less important ones if necessary. The /etc/apt/sources.list file contains a list of locations from which to retrieve desired package files. I agree we all need to know the tools we use, and I'll be the first to admit that I have learning to do too, just like michael. However, the manpage is where I start... and when I read this, it sure seemed like a good idea to use dist-upgrade rather than upgrade. Maybe I should have dug deeper to be sure, but... KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ I have zero tolerance for zero-tolerance policies.
Security Feedback - Backup Process?
I realize this is a little off-topic for this list, but based on some of the other discussions that I've followed over the last month, I'm hopeful that I might be able to get some feedback from some of you, either on the list or privately. Basically, what I'm looking for is a security-based critique of a backup method I'm using. It works fine for me right now, but I'm considering rewriting it for broader distribution, and I'd like to know what you guys think about how fundamentally secure it is.

This is how it works: there is some set of Linux machines that I want to back up. Each of these machines is available on a network and each has ssh available. One of the machines (call it the backup machine) has a CD-RW on it, and I use that machine to write a daily backup to a multi-session CD-RW disc. The batch backup process is divided into four pieces:

o collect [each machine]: builds tarballs based on configuration
o stage [backup machine]: stages all collected data from other machines
o store [backup machine]: builds ISO image and writes staged data to disc
o purge [each machine]: purges old archived tarballs and/or ISO disc images

The scripts are run as root from /etc/crontab. When files are created, they are created in a directory owned by and readable only by the 'backup' user, and they are changed to be owned by the 'backup' user, which has very limited privileges. Staging of files to the backup machine is done via ssh as the 'backup' user, again to a directory owned by and only readable by the 'backup' user. Old tarballs and ISO images are kept around for some configurable number of days, in case the ssh transfer across the network or the actual write to disc fails.

It seems to me that the main flaw with my process is in saving the old collected and staged files on each machine for some amount of time before the purge process runs. Since these files can be read by the 'backup' user and could contain backups of directories such as /etc, someone who gains access as the 'backup' user could get access to privileged information. I haven't decided exactly what to do with this yet.

Other than the problem with the saved-off files, is it safe to say that this process is as reasonably secure as any batch process which relies on ssh can be, or are there other things I can change to make the whole thing more secure? I really appreciate any feedback any of you might provide. I read the list, or you can send email privately to [EMAIL PROTECTED]. Thanks!

KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ I have zero tolerance for zero-tolerance policies.
Re: sshd port config and security
Yep. Ssh does. But telnet doesn't. And it *does* look a bit suspicious if your firewall administrator tries to encourage telnet and block ssh... Personally, I think this is more a case of the administrator just wanting to open "standard" services... and ssh isn't considered "standard". Most of the places I've worked have just opened http, telnet and ftp to the outside world... and no employee wants to ask for ssh, because then they'd have to explain what they were using ssh for on company computers. ;-) KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ "The phrase, 'Happy as a clam' has never really held much meaning for me."
Re: MD5 sums of individual files?
You remount it, or you umount it and change the read/write tab on the actual floppy? Yes, sorry, I wasn't clear about that. The floppy is mounted RO, plus the disk's tab is moved to the RO position. I agree... I wouldn't feel comfortable or safe if the floppy was just mounted RO. KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ "The phrase, 'Happy as a clam' has never really held much meaning for me."
RE: MD5 sums of individual files?
Ok with that said, how feasible is it for a cracker to install their rootkit, and mimic the checksummed files to match the contents of the floppy? Wouldn't he/she just have to unmount the existing floppy drive, remount it to his/her pseudo check sums? I'm probably missing the howto detail where the alert is generated before rootkit is installed. That is something that I hadn't considered. The cracker could potentially unmount /var/lib/aide/ro (where I have the floppy containing the AIDE checksums mounted) and place in that directory a newly-generated list of checksums, which AIDE would read the next time it runs. When I got the report in my inbox, it would look like everything is fine. IMHO, definitely a hole that's there regardless of whether I use a RO floppy or a CD-R. I see two ways to get around this: one solution is for me to GPG-sign the AIDE checksum list when I create it. Then I could check the signature in my script that runs AIDE, and I would know that it was me who created it. This would be more like what Tripwire's latest release does. Another option would be to not store the AIDE configuration file anywhere that the cracker could see it. Without that configuration file, the cracker would have no way to generate a valid, substitute list of checksums. This is less workable, because that configuration file would have to be "unhidden" every time AIDE needed to run, making a cron-based schedule more difficult. KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ "The phrase, 'Happy as a clam' has never really held much meaning for me."
Re: MD5 sums of individual files?
Of course. I'd have to burn a CDROM or something. But it's something I've been meaning to find out about, just in case... I have a CD-R drive, but I don't use it for AIDE. Instead, I keep my (otherwise-unused) floppy drive with an AIDE floppy in it always mounted as read-only. When I need to update the AIDE database, I re-mount the floppy as read-write, make the update, then remount it as read-only. This leaves the CD-R free for other tasks (like backups) but keeps the AIDE database relatively safe. KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ The phrase, 'Happy as a clam' has never really held much meaning for me.
Re: MD5 sums of individual files?
If they root your box, they could mess with your gpg keyring and/or binary. They could just spew out fake emails that say the thing was checked, and even spin the floppy disk in case you were watching to make sure it was doing a real check. OK, I give up. ;-) You can't use a possibly-cracked machine to check itself, unless you are checking for breakins on non-root accounts. (e.g. web page defacement if they got in through httpd.) Agreed... or if only one machine is available, we're back to periodically booting from a safe, known, bootable CD-R with a kernel, a copy of the checksums and all of required binaries on it (which is fine unless someone broke into my house and replaced the CD-R ;-)). I guess I'll stick with what I have (i.e. the RO floppy) and hope that the script kiddie isn't thinking that far ahead (the last one that got through onto a previous RedHat box of mine wasn't, fortunately). KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ The phrase, 'Happy as a clam' has never really held much meaning for me.
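The GPG-signing idea raised in this thread (check a signature on the AIDE checksum list before AIDE reads it), as an added example that is not code from any of the posts. The function names, the aide.conf path, the detached-signature file name and the fingerprint placeholder are assumptions; as the reply above points out, the check only means something when gpg, its keyring and this script are run from media or a host the intruder could not modify.

```shell
#!/bin/sh
# Added example: refuse to run AIDE unless its database carries a valid
# detached GPG signature made by one pinned key.
# Function names, file names and the fingerprint are hypothetical.

# verify_aide_db DB SIG FINGERPRINT
#   0 = DB has exactly one valid signature, made by FINGERPRINT
#   1 = bad or missing signature, or a valid signature from another key
#   2 = usage error (unreadable file, empty fingerprint)
verify_aide_db() {
    vad_db=$1
    vad_sig=$2
    # Accept "abcd 1234 ..." style input; compare as one upper-case hex string.
    vad_want=$(printf '%s' "$3" | tr -d ' ' | tr 'abcdef' 'ABCDEF')

    [ -n "$vad_want" ] || return 2
    [ -r "$vad_db" ] && [ -r "$vad_sig" ] || return 2

    # --status-fd 1 prints machine-readable "[GNUPG:] ..." lines on stdout.
    # gpg exits non-zero on a bad signature, so a swapped database stops here.
    vad_status=$(gpg --batch --no-tty --status-fd 1 \
                     --verify "$vad_sig" "$vad_db" 2>/dev/null) || return 1

    # A zero exit only means "signed by some key in the keyring". Pin the
    # signer: field 3 of a VALIDSIG line is the signing key's fingerprint.
    vad_signers=$(printf '%s\n' "$vad_status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 }')

    # Exactly one VALIDSIG line, and it must name the pinned key.
    [ "$vad_signers" = "$vad_want" ] || return 1
    return 0
}

# checked_aide_run CONF DB SIG FINGERPRINT
#   Runs "aide --check" only after the database signature verifies.
checked_aide_run() {
    if ! verify_aide_db "$2" "$3" "$4"; then
        echo "AIDE database $2: signature check failed, aide not run" >&2
        return 1
    fi
    aide --config="$1" --check
}

# Call from the nightly cron script (constructed values):
#   checked_aide_run /etc/aide/aide.conf /var/lib/aide/ro/aide.db \
#       /var/lib/aide/ro/aide.db.sig "<FINGERPRINT-OF-YOUR-SIGNING-KEY>"
# The signature is made once, each time the database is created or updated:
#   gpg --detach-sign --output aide.db.sig aide.db
```

Pinning the fingerprint matters because a substitute checksum list signed with any other key present in the keyring would otherwise still verify.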
Re: Allow FTP in, but not shell login
you can change user's shell to /dev/null Well... it doesn't look like I can log in via telnet or FTP without a valid login shell. I tried that with various entries other than /dev/null ... KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ "The phrase, 'Happy as a clam' has never really held much meaning for me."
Re: Allow FTP in, but not shell login
Use proftpd. It supports anonymous users and users that have /bin/false as shell in the /etc/passwd which makes logins via ssh/telnet impossible. This is exactly what I needed. I gave the user a /bin/false shell, and then in /etc/proftp.conf, I added an anonymous section for that user such that a password is required, but a valid shell is not. ProFTPd takes care of the rest. Perfect! Thanks for all of the responses from all of you. Quick, useful conversations like this are one of the things that makes using Debian enjoyable. ;-) KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ "The phrase, 'Happy as a clam' has never really held much meaning for me."
Allow FTP in, but not shell login
Hello - I'm not sure exactly where to look for this information, so if I should RTFM, just point me toward the right one. I have a situation where I've volunteered to host a few webpages for some users. They're at a university and are having problems getting timely access to their organizational websites on their school's server. Anyway, I'm happy to be the host, but I want these people to be able to FTP in ONLY, without interactive access. I want to do this specifically for a set of users, not for all users on the machine. My feeling is that PAM supports this somehow, but I'm not sure where to start. Anyone have any suggestions? Thanks for the help. KEN -- Kenneth J. Pronovici [EMAIL PROTECTED] Personal Homepage: http://www.skyjammer.com/~pronovic/ The phrase, 'Happy as a clam' has never really held much meaning for me.
Re: Debian or Linux 7???
It might be more secure, because the packages chosen for distribution are often more tested - not the latest versions with brand new bugs but (somewhat) older packages with known bugs removed. I would also have to add: I find it easier to keep Debian secure because it is easier to get and install updated packages with Debian than with Redhat. Typing 'apt-get install package' beats digging around Redhat's FTP site hands down... and switching would be worthwhile even just for that. I have been hacked myself twice in the past two years while running RedHat systems, and it was because I was not diligent enough in the way I kept up with security updates. Get Debian, read the HOWTOs to get an idea how to secure it, and then stay on the security announcement mailing list. That really should get you most of the way there... (Just my $0.02, anyway) KEN