Re: [SLUG] Linux client for Citrix Access Gateway?
Sridhar Dhanapalan [EMAIL PROTECTED] writes:

> We're trying to deploy a Linux server into an all-Windows company. Our client is actually quite happy with this solution, but we were informed a couple of days ago that they have a Citrix Access Gateway VPN server that we must go through in order to interact with their network.
>
> I can't seem to find any clear information on how to connect to the VPN with our Linux server. The client Citrix refers to appears to be for remote desktop use through a Web browser, and is hence useless for a server.

Sadly, I think you are out of luck. My understanding is that the Citrix Access Gateway VPN server is actually a browser hosted RDP-over-SSL solution.

Since there isn't, as far as I know, any functional RDP server for Linux available you are not going to have an easy path to getting this working, as I understand things.

This may help, though: http://support.citrix.com/article/CTX109043

> In a cruel twist of irony, I discovered that the Citrix device is essentially a Supermicro rackmount unit loaded with RHEL, with the proprietary Citrix software running on top. So despite our client being happy with a Linux-based solution, they seem to be locked into Windows by their VPN.

Depending on how much this is worth you /may/ find that one of two options suits:

Option one, install PuTTY or another SSH client on a Windows system within their network. Use RDP to access that system and then SSH to connect to your Linux server.

Option two, pay for a commercial RDP server for Linux.

Regards,
Daniel

You could also resurrect http://xrdp.sf.net/ -- but that doesn't look fun to me.

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

Re: [SLUG] Linux client for Citrix Access Gateway?
(sorry Sridhar, replied to you directly instead of the list)

On Sat, May 31, 2008 at 11:55 PM, Sridhar Dhanapalan [EMAIL PROTECTED] wrote:

> We're trying to deploy a Linux server into an all-Windows company. Our client is actually quite happy with this solution, but we were informed a couple of days ago that they have a Citrix Access Gateway VPN server that we must go through in order to interact with their network.
>
> I can't seem to find any clear information on how to connect to the VPN with our Linux server. The client Citrix refers to appears to be for remote desktop use through a Web browser, and is hence useless for a server.

I don't know much about Citrix so I could be suggesting something silly, but I searched a bit of Google and found references to some Linux ICA Client that apparently connects to the Citrix Access Gateway. Have you used it? Is this the software they currently use on Windows desktops to connect to the access gateway?

Failing that, maybe the Citrix Access Gateway VPN Server can be configured to allow other protocols? (like IPSec, and use something like FreeS/WAN to connect)

Just throwing some ideas.

- Gonzalo

Re: [SLUG] Open Source Medical Practice Management Software
Reviving an old thread, I just found this site: http://gplmedicine.org/

--
The thing he [Bill Gates] realised about the windows was this: because they had been converted into openable windows after they had first been designed to be impregnable, they were, in fact, much less secure than if they had been designed as openable windows in the first place. - Douglas Adams

Re: [SLUG] Linux client for Citrix Access Gateway?
On 01/06/2008, at 4:09 PM, Daniel Pittman wrote:

> Sridhar Dhanapalan [EMAIL PROTECTED] writes:
>
> > We're trying to deploy a Linux server into an all-Windows company. Our client is actually quite happy with this solution, but we were informed a couple of days ago that they have a Citrix Access Gateway VPN server that we must go through in order to interact with their network.
> >
> > I can't seem to find any clear information on how to connect to the VPN with our Linux server. The client Citrix refers to appears to be for remote desktop use through a Web browser, and is hence useless for a server.
>
> Sadly, I think you are out of luck. My understanding is that the Citrix Access Gateway VPN server is actually a browser hosted RDP-over-SSL solution.
>
> Since there isn't, as far as I know, any functional RDP server for Linux available you are not going to have an easy path to getting this working, as I understand things.

There is xrdp.sourceforge.net (a friend told me about it - I have not tried it). Alternatively there are commercial packages available.

I'm not sure this helps if the server is on the evil side of the network and needs to VPN in.

Re: [SLUG] upgrading complicated installs
Daniel Pittman wrote:

> Without that commitment you will, eventually, get to join the legions of poorly maintained, compromised Linux boxes out there. This hurts everyone, but especially you -- potentially legally, certainly in terms of a lot of work when your ISP (or the police) call up about all that SPAM you have been sending out or those warez you are distributing...

Are you implying that a zombied box can be a legal liability for the hapless owner?

If that is the case, a heck of a lot of Winders lusers should face the courts. But I doubt this is the case.

cheers
rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor
The user's going to pick dancing pigs over security every time. -- Bruce Schneier

Re: [SLUG] Linux client for Citrix Access Gateway?
Sridhar Dhanapalan wrote:

> We're trying to deploy a Linux server into an all-Windows company. Our client is actually quite happy with this solution, but we were informed a couple of days ago that they have a Citrix Access Gateway VPN server that we must go through in order to interact with their network.

You might be able to convince them to let your server 'phone home' through an OpenVPN tunnel, https if need be and get back into it that way.

We have done that successfully in the past

dave

Re: [SLUG] Linux client for Citrix Access Gateway?
Sridhar,

Not sure exactly which version of the CAG your customer has - but it sounds like an older version. The newer Citrix Access Gateway Enterprise Edition (version 8.0 and up) is built on the Netscaler platform (which is BSD based). This does have a Java client which will run under Linux to give transparent access. I have a deployment of this under my belt (though the customer isn't using the Java client - I did verify that it works.)

Martin

On Sun, Jun 1, 2008 at 12:55 PM, Sridhar Dhanapalan [EMAIL PROTECTED] wrote:

> We're trying to deploy a Linux server into an all-Windows company. Our client is actually quite happy with this solution, but we were informed a couple of days ago that they have a Citrix Access Gateway VPN server that we must go through in order to interact with their network.
>
> I can't seem to find any clear information on how to connect to the VPN with our Linux server. The client Citrix refers to appears to be for remote desktop use through a Web browser, and is hence useless for a server.
>
> In a cruel twist of irony, I discovered that the Citrix device is essentially a Supermicro rackmount unit loaded with RHEL, with the proprietary Citrix software running on top. So despite our client being happy with a Linux-based solution, they seem to be locked into Windows by their VPN.
>
> --
> Need to fork out $$$ for the next software upgrade? Break the cycle! http://www.linux.org.au/linux

--
Regards, Martin

Martin Visser

Re: [SLUG] upgrading complicated installs
Rick Welykochy [EMAIL PROTECTED] writes:

> Daniel Pittman wrote:
>
> > Without that commitment you will, eventually, get to join the legions of poorly maintained, compromised Linux boxes out there. This hurts everyone, but especially you -- potentially legally, certainly in terms of a lot of work when your ISP (or the police) call up about all that SPAM you have been sending out or those warez you are distributing...
>
> Are you implying that a zombied box can be a legal liability for the hapless owner?

Yep. As one example, consider the case of Julie Amero, who was convicted for exposing school age children to pornography because of a compromised PC: http://www.msnbc.msn.com/id/17134607/

Also, consider the handful of cases where people have been arrested for having child pornography on their computers and have offered a defence of their system being compromised. Couple that with the fairly well established (I think) fact that botnet infections are used for a range of illegal activity including hosting child pornography.

I can't offer a firm example of a case where there was clear proof of the defence, one way or another, but I could certainly believe it after having to clean up the mess that infection makes of systems -- including Linux servers.

Finally, I know of a number of people who have had, professionally, to deal with threats of legal action based on their networks being used for DDoS activity, illegal content distribution and other things that botnets or Linux compromises are abused for.

> If that is the case, a heck of a lot of Winders lusers should face the courts. But I doubt this is the case.

They probably should, but this is still an area in infancy. Your legal risks are quite small, because only a tiny fraction of people who suffer (or allow) their machines to be compromised are pursued.

You are much more likely to end up having your ISP cut you off -- if you are lucky, only until you clean up your act.

Regards,
Daniel

Re: [SLUG] Linux client for Citrix Access Gateway?
On Sun, 2008-06-01 at 03:51 -0300, Gonzalo Servat wrote:

> I don't know much about Citrix so I could be suggesting something silly, but I searched a bit of Google and found references to some Linux ICA Client that apparently connects to the Citrix Access Gateway. Have you used it? Is this the software they currently use on Windows desktops to connect to the access gateway?
>
> Failing that, maybe the Citrix Access Gateway VPN Server can be configured to allow other protocols? (like IPSec, and use something like FreeS/WAN to connect)

I did that for my old company very often. Not an issue really. There was a Java client and a built in client. There are instructions on the internet for installing Linux versions. Trick was installing the certificates properly.

Ken

[SLUG] Granville TAFE Linux Are they courses there for next term enrolments
Hi all

Linux courses at Granville TAFE. Are they still happening?

Normal website is down it seems. www.gonzo.edu.au/moodle/

Has it moved somewhere else? Anyone know!

Thx
Roger

[SLUG] Re: Partitions
The following is the output of my MOUNT command:

[EMAIL PROTECTED]:~$ mount
/dev/sda3 on / type ext3 (rw,relatime,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
/sys on /sys type sysfs (rw,noexec,nosuid,nodev)
varrun on /var/run type tmpfs (rw,noexec,nosuid,nodev,mode=0755)
varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
udev on /dev type tmpfs (rw,mode=0755)
devshm on /dev/shm type tmpfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
lrm on /lib/modules/2.6.24-17-generic/volatile type tmpfs (rw)
/dev/sdb5 on /boot type ext3 (rw,relatime)
/dev/sda5 on /home type ext3 (rw,relatime)
/dev/sda1 on /media/windows type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096)
/dev/sdb1 on /media/famvids type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096)
/dev/sda6 on /media/myvids type fuseblk (rw,nosuid,nodev,noatime,allow_other,blksize=4096)
securityfs on /sys/kernel/security type securityfs (rw)
//192.168.0.145/users on /media/hp-laptop type cifs (rw,mand)
gvfs-fuse-daemon on /home/david/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=david)
[EMAIL PROTECTED]:~$

From this it appears (to me) that I can clean out my /home folder and use it to keep 'My Documents' and other stuff like that.

David

Re: [SLUG] Granville TAFE Linux Are they courses there for next term enrolments
As far as I know yes, but Geoffrey's server and name servers are down yesterday and today, so no details, and I can't find his number.

cheers
Ken

R.G.Salisbury(default) wrote:

> Hi all
>
> Linux courses at Granville TAFE. Are they still happening?
>
> Normal website is down it seems. www.gonzo.edu.au/moodle/
>
> Has it moved somewhere else? Anyone know!
>
> Thx
> Roger

Re: [SLUG] Linux client for Citrix Access Gateway?
On Sunday 01 June 2008 21:35:38 [EMAIL PROTECTED] wrote:

> > We're trying to deploy a Linux server into an all-Windows company. Our client is actually quite happy with this solution, but we were informed a couple of days ago that they have a Citrix Access Gateway VPN server that we must go through in order to interact with their network.
> >
> > I can't seem to find any clear information on how to connect to the VPN with our Linux server. The client Citrix refers to appears to be for remote desktop use through a Web browser, and is hence useless for a server.
>
> Sadly, I think you are out of luck. My understanding is that the Citrix Access Gateway VPN server is actually a browser hosted RDP-over-SSL solution.
>
> Since there isn't, as far as I know, any functional RDP server for Linux available you are not going to have an easy path to getting this working, as I understand things.
>
> This may help, though: http://support.citrix.com/article/CTX109043

I'm using xrdp to connect WinCE UMPC to a linux server POS-GUI. It works well. But ...

http://xrdp.sourceforge.net/

And at last look the protocol for rdp changed with vista and xrdp had not caught up

James

Re: [SLUG] upgrading complicated installs
On Sunday 01 June 2008 21:35:38 [EMAIL PROTECTED] wrote:

> > > Without that commitment you will, eventually, get to join the legions of poorly maintained, compromised Linux boxes out there. This hurts everyone, but especially you -- potentially legally, certainly in terms of a lot of work when your ISP (or the police) call up about all that SPAM you have been sending out or those warez you are distributing...
> >
> > Are you implying that a zombied box can be a legal liability for the hapless owner?
>
> Yep. As one example, consider the case of Julie Amero, who was convicted for exposing school age children to pornography because of a compromised PC: http://www.msnbc.msn.com/id/17134607/
>
> Also, consider the handful of cases where people have been arrested for having child pornography on their computers and have offered a defence of their system being compromised. Couple that with the fairly well established (I think) fact that botnet infections are used for a range of illegal activity including hosting child pornography.

Clarke 1 notwithstanding http://en.wikipedia.org/wiki/Clarke's_three_laws and as an elderly (damn not distinguished) I proclaim your concern/rant unadulterated balderdash

The one about: if you build your own packages and don't pay attention then your linux box will contract plague etc.

Frankly, no one I know, has ever had, or knows someone who has ever had a compromised linux box. Frankly I doubt if all of SLUG ever has ...

Here compromised means: someone has taken control of the machine and is using it for some nefarious purpose eg spam DoS etc

James

Re: [SLUG] upgrading complicated installs
jam [EMAIL PROTECTED] writes:

> On Sunday 01 June 2008 21:35:38 [EMAIL PROTECTED] wrote:
>
> > > > Without that commitment you will, eventually, get to join the legions of poorly maintained, compromised Linux boxes out there. This hurts everyone, but especially you -- potentially legally, certainly in terms of a lot of work when your ISP (or the police) call up about all that SPAM you have been sending out or those warez you are distributing...
> > >
> > > Are you implying that a zombied box can be a legal liability for the hapless owner?
> >
> > Yep. As one example, consider the case of Julie Amero, who was convicted for exposing school age children to pornography because of a compromised PC: http://www.msnbc.msn.com/id/17134607/
> >
> > Also, consider the handful of cases where people have been arrested for having child pornography on their computers and have offered a defence of their system being compromised. Couple that with the fairly well established (I think) fact that botnet infections are used for a range of illegal activity including hosting child pornography.
>
> Clarke 1 notwithstanding http://en.wikipedia.org/wiki/Clarke's_three_laws and as an elderly (damn not distinguished) I proclaim your concern/rant unadulterated balderdash
>
> The one about: if you build your own packages and don't pay attention then your linux box will contract plague etc.

Fair enough. You are not obliged to believe me, and I certainly encourage y'all to take account of your own experience in evaluating my claims.

> Frankly, no one I know, has ever had, or knows someone who has ever had a compromised linux box. Frankly I doubt if all of SLUG ever has ...
>
> Here compromised means: someone has taken control of the machine and is using it for some nefarious purpose eg spam DoS etc

I don't believe there is any way I can convince you of anything other than this statement of faith, so don't intend to try.

Regards,
Daniel

Re: [SLUG] upgrading complicated installs
I've managed to avoid taking part in this thread to date, mostly because enough people have been beating the FOR THE LOVE OF GOD USE YOUR DISTRIBUTION'S PACKAGES drum. And I'm not entirely sure this even dignifies a response but hey, why not.

On Mon, 2008-06-02 at 10:06 +0800, jam wrote:

> Clarke 1 notwithstanding http://en.wikipedia.org/wiki/Clarke's_three_laws and as an elderly (damn not distinguished) I proclaim your concern/rant unadulterated balderdash
>
> The one about: if you build your own packages and don't pay attention then your linux box will contract plague etc.
>
> Frankly, no one I know, has ever had, or knows someone who has ever had a compromised linux box. Frankly I doubt if all of SLUG ever has ...
>
> Here compromised means: someone has taken control of the machine and is using it for some nefarious purpose eg spam DoS etc

Hi. Six. The majority handed to me by potential/new customers or friends with servers that have started acting funny, the others resulting from exploits in both inhouse and third party software. Oh, and one very memorable case of an extremely weak user password. All used for assorted nefarious purposes ranging from hosting IRC servers/bots through to FTP drop boxes and DDoS zombies.

Quite a few of those were the direct result of software installed outside of the distribution's package management system, and then never updated, documented, or in some cases even used, again.

I don't have any significant issues with choosing to use software that isn't provided by your distribution vendor. But packaging it up properly means you've got an easily reproducible version that you can reinstall when (*not* if) you want to expand or rebuild a dead box. And tracking announce/security lists for said software is now completely mandatory, no matter how much you might cry that these things never happen to you.

-- Pete

Re: [SLUG] upgrading complicated installs
jam wrote:

> Frankly, no one I know, has ever had, or knows someone who has ever had a compromised linux box. Frankly I doubt if all of SLUG ever has ...

Here's someone asking on this mailing list for help on cleaning up a compromised RedHat 7 system:

http://lists.slug.org.au/archives/slug/2005/04/msg00087.html

Erik

--
- Erik de Castro Lopo -
Q. What is the difference between Jurassic Park and Microsoft?
A. One is an over-rated high tech theme park based on prehistoric information and populated mostly by dinosaurs, the other is a Steven Spielberg movie.

Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
I suspect a bunch of people are going to jump into this thread, but to get in early, some stories:

- a Red Hat 5 box left to rot (this was some time ago now!), became a host for warez and ended up comprising something like half of its very substantial network's total traffic.
- a sendmail install which was either set up as an open relay or compromised and turned into one, noticed almost immediately because of massive network usage
- an up-to-date machine run by a competent hobbyist sysadmin of a skill level comparable to many people posting here, turned out to be a compromise through a WordPress install that wasn't up to date, took a while to track down apparently, it was participating in DDoS attacks

And of course, in November 2003, debian.org itself was the victim of an attack by, I think, a still unknown vector: http://www.debian.org/News/2003/20031121 but that might not meet your criteria of having been used for a nefarious purpose as opposed to 'just' having been broken into.

The (few) security consultants I know seem to have universally had their personal machines compromised at some point, this seems to partly be a result of being more likely to notice, and partly due to attending security conferences, where the networks are extremely hostile.

I suspect attacks through web apps like WordPress are pretty common causes of compromise of machines run by essentially knowledgable people at the moment, because there doesn't seem yet to be a good set of best practices for packaging and updating them (upstream tends to aim their instructions at people who might not even have shell access, let alone root access, and there's the whole plugin universe too).

-Mary

Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
This one time, at band camp, Mary Gardiner wrote:

> I suspect attacks through web apps like WordPress are pretty common causes of compromise of machines run by essentially knowledgable people at the moment, because there doesn't seem yet to be a good set of best practices for packaging and updating them (upstream tends to aim their instructions at people who might not even have shell access, let alone root access, and there's the whole plugin universe too).

Yet people regularly ask me why there's no comments on my blog. This and the fact I couldn't be bothered keeping it up-to-date with the latest comment spam blocking hacks.

--
Rev Simon Rumble [EMAIL PROTECTED] www.rumble.net
The Tourist Engineer
Nerds need vacations too. http://engineer.openguides.org/
Famous remarks are very seldom quoted correctly. - Simeon Strunsky

Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
Mary Gardiner wrote:

> I suspect attacks through web apps like WordPress are pretty common causes of compromise of machines run by essentially knowledgable people at the moment, because there doesn't seem yet to be a good set of best practices for packaging and updating them (upstream tends to aim their instructions at people who might not even have shell access, let alone root access, and there's the whole plugin universe too).

Out of curiosity, I often query the server used in the links provided in phishing scam emails. More often than not, the phishing box is a compromised Linux server running Apache and PHP. Rarely do I see a Windows server :(

I would tend to blame an out-of-date PHP install rather than Apache as being the attack vector. If you are on AusCert or DebSec, you will know how many exploits are discovered in PHP 4 and 5. And they keep finding more.

I did do a PHP install and was amazed at the server info page. There are a myriad of hacks and fixes in PHP, as reflected in the PHP system variables, to turn off all sorts of insecure features. I got the feeling that out of the box and with little technical knowledge, PHP is not a healthy addition to any Linux server.

Not wishing to start an OS war, but I rarely if ever have seen a BSD or Sun box compromised. Is this due to sheer numbers of Linux and Doze?

cheers
rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor
The user's going to pick dancing pigs over security every time. -- Bruce Schneier

Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
> Not wishing to start an OS war, but I rarely if ever have seen a BSD or Sun box compromised. Is this due to sheer numbers of Linux and Doze?

there are a lot of people out there setting up linux machines who really haven't got the skills to do so.

not listing any names... ausgamers.com

Dean

--
http://fragfest.com.au

Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
> Not wishing to start an OS war, but I rarely if ever have seen a BSD or Sun box compromised. Is this due to sheer numbers of Linux and Doze?

More than likely.

Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
Rick Welykochy [EMAIL PROTECTED] writes:

> Mary Gardiner wrote:
>
> > I suspect attacks through web apps like WordPress are pretty common causes of compromise of machines run by essentially knowledgable people at the moment, because there doesn't seem yet to be a good set of best practices for packaging and updating them (upstream tends to aim their instructions at people who might not even have shell access, let alone root access, and there's the whole plugin universe too).
>
> Out of curiosity, I often query the server used in the links provided in phishing scam emails. More often than not, the phishing box is a compromised Linux server running Apache and PHP. Rarely do I see a Windows server :(
>
> I would tend to blame an out-of-date PHP install rather than Apache as being the attack vector. If you are on AusCert or DebSec, you will know how many exploits are discovered in PHP 4 and 5.

Much as I love putting the boot into PHP, this isn't actually *directly* the fault of the language. This is usually that there are a stupidly large number of remote command injection and remote file inclusion vulnerabilities in PHP applications.[1]

> And they keep finding more. I did do a PHP install and was amazed at the server info page. There are a myriad of hacks and fixes in PHP, as reflected in the PHP system variables, to turn off all sorts of insecure features. I got the feeling that out of the box and with little technical knowledge, PHP is not a healthy addition to any Linux server.

I would argue that *any* remotely accessible service is not a good addition to a Linux box with only a little technical knowledge.

Many years ago, when I was younger and dinosaurs walked the earth, Perl was the hateful language of the day: most of the crappy CGI software out there that let people break in was written in Perl.[2]

PHP has taken over the role of popular, easy to use web language, so has picked up many of the same people who used to cause trouble with poorly written Perl scripts.

> Not wishing to start an OS war, but I rarely if ever have seen a BSD or Sun box compromised. Is this due to sheer numbers of Linux and Doze?

Yes. Back when *BSD had significant technical advantages in TCP/IP performance, and when Sun was much more prevalent on the Internet, they were often compromised.

These days, not so much, just because they are not as easy to find and most attacks are now very much automated "try everything and see what sticks" attacks that don't run outside their mainline platform.

Compromises of !x86 Linux boxes are also much lower, for the same reason: many of the binary exploits just don't work, and no one bothers porting them to the underlying architecture.

Regards,
Daniel

Footnotes:
[1] PHP is arguably indirectly responsible for this, through poor design of the language and encouraging poor use of the tools, but I don't see a great deal of value in arguing about that. ;)
[2] formmail. I say no more.

Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
This one time, at band camp, Daniel Pittman wrote:

> [2] formmail. I say no more.

Matt's Script Archive, anyone?

--
Rev Simon Rumble [EMAIL PROTECTED] www.rumble.net
The Tourist Engineer
Just because you're on holiday, doesn't mean you're not a geek. http://engineer.openguides.org/
A conservative is a man who believes that nothing should be done for the first time. - Alfred E Wiggam

Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
Daniel Pittman wrote:

> [2] formmail. I say no more.

The perl language has been pretty bullet proof. I do recall one string-based exploit in the many many years I have been using it.

That said, yup, scripts like formmail are written by monkeys in the 11th level hell and sent to torment sys admins.

I was running an ISP and in my early days I stupidly allowed some customers to upload their own perl CGI scripts to our (only) main web server. After watching the machine being brought down to its knees due to inexperienced coding (don't ask) I learnt my lesson very quickly.

The only way to allow user-supplied scripts nowadays is via some sort of virtualisation scheme with solid sandboxing. Even then, poor coding can gobble up heaps of resources needlessly.

cheers
rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor
The user's going to pick dancing pigs over security every time. -- Bruce Schneier

Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
On Mon, Jun 02, 2008, Rick Welykochy wrote:

> Daniel Pittman wrote:
>
> > [2] formmail. I say no more.
>
> The perl language has been pretty bullet proof. I do recall one string-based exploit in the many many years I have been using it.

Shit code can be written on all platforms.

> That said, yup, scripts like formmail are written by monkeys in the 11th level hell and sent to torment sys admins.
>
> I was running an ISP and in my early days I stupidly allowed some customers to upload their own perl CGI scripts to our (only) main web server. After watching the machine being brought down to its knees due to inexperienced coding (don't ask) I learnt my lesson very quickly.
>
> The only way to allow user-supplied scripts nowadays is via some sort of virtualisation scheme with solid sandboxing. Even then, poor coding can gobble up heaps of resources needlessly.

The trouble is that the entry barrier for coding is so low, you can code without any clue.

Adrian

Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
Adrian Chadd wrote:

> The trouble is that the entry barrier for coding is so low, you can code without any clue.

This very issue gave rise to some heated debate over on the LINK mailing list, which some of you attend. Many of us computer professionals were peeved by this low barrier to entry into the software industry. Computer software creation is not a certified profession like engineering. There are far too many shysters out there peddling crap software because they can. This gives rise to many many problems in IT.

But, enough said. Yup, you can code up crap in any language. Especially INTERCAL!

cheers
rickw

--
Rick Welykochy || Praxis Services || Internet Driving Instructor
The user's going to pick dancing pigs over security every time. -- Bruce Schneier