An iPod Virus An Apple contractor who supplies iPod hard drives uses a Windows machine as part of its manufacturing/testing process.
The VPN That Wouldn't Some time ago one of my clients said he needed to work from home now and then. As we were already using a Multitech RouteFinder, I just added a PPTP VPN user for him.
Tough Passwords We've had this talk before. Unfortunately we are sure to have it again. And again.
Are We Tired of Easy Yet? I wish this morning's security issues were unexpected...
Kerio Mail Server Spam Filtering Kerio Mail Server has several configuration options to protect against spam email. For maximum protection, you should investigate and set all appropriate items.
Fake Blacklists? A customer had momentary trouble sending mail to someone. The first attempt failed, but the second went through. An examination of the logs revealed a couple of interesting things.
SARA Security Scanner I installed and tested SARA on Linux and Mac OS X. It compiled easily and cleanly on both platforms: ./configure; make; sudo make install.
Virtualize or Die? 'Blue Pill' Prototype Creates 100% Undetectable Malware...
Protecting rm It was once very fashionable in Linux distros to alias rm to "rm -i". I don't see that as often as I used to, which surprises me: it can only mean that everyone else hates that as much as I do.
Death of a Thousand Cuts "It's just a flesh wound."
Ssh Forwarding Security Ssh forwarding is powerful stuff, but using it can be confusing. For example, let's say we have a machine that our firewall will send traffic to, but we actually want to ssh to another internal machine.
ClamAV on Mac with Kerio MailServer I downloaded ClamAV source from http://www.clamav.net. A simple ./configure; make; make install in the source directory was all that was required...
Windows: Security or Not? Windows Vista was originally conceived to be extremely tight in the security area.
Crippled Vista Microsoft announced that Vista (whenever it becomes a real product) will ship with...
OS X Security Apple Mac is a growing security risk. That theme has been popular recently. Macs probably are a growing security risk (as opposed to Microsoft, which has a mature, fully grown security risk), but I doubt this baby is ever going to match Microsoft's size.
IE7 beta 2: Security Microsoft has released IE7 beta 2 and they really want you to try it. If you are running IE (45% of people visiting here still are), even I want you to try it, because it fixes most of the problems IE6 has with these pages.
Two Safari's Look carefully at the image below. You see two Safari icons in the Dock (one third from the left, the other next to the app/doc divider), and also two Safari browsers open, both on the same site and page, but displaying very differently. The Font preferences are also shown, and this is what makes them different.
Recovering System After Upgrade Usually upgrades are binary: either they work or they don't. Actually, my experience with SME upgrades has been very good: I've only had a very few where the upgrade process didn't work at all. In those cases, you install new, apply all applicable blades, and then restore from backup. That's annoying, but fairly simple.
Transferring to New Hardware With a Supertar With any of the Supertars, transferring to new hardware is easy. If the new hardware uses the same disk controller (or the same driver) as the old, you can just boot from your recovery media and proceed to recover the system. But what about when the new hardware is different?
Neglect and Misunderstanding of Backups I had a call this week from a client who needed a file restored from backup. I had set them up with DVD-RAM and a Supertar a year ago, and had labeled five cartridges with Mon, Tues, etc. I know that (or thought I knew) they followed this rotation for a while, because I had used the previous day's backup to restore files for them earlier this year.
SME Server Local Networks and VPN's The SME Server (formerly E-Smith) normally rejects attempts to send mail outside of its own domain if you are connecting from somewhere other than the local LAN. This is correct behaviour; otherwise anyone could use your server as a mail relay and you'd become an inadvertent spammer rather quickly.
Xinetd Xinetd is a replacement for inetd, which was the original Unix super-daemon used to start network services on demand. The reason for inetd goes back to days of low memory and poor memory management: you didn't want to keep a service running in memory if it was infrequently used. One process (inetd) would listen for connections on appropriate ports, and fire off the appropriate service when a request came in.
Kerio Mail Server The Kerio Mail Server is a cross-platform (Windows, Linux, and Mac OS X) mail server. I tested it on RedHat Linux 8.
MacOSX lookupd and NetInfo Changing Name Resolution Order
Name resolution is how your system figures out the actual IP address for host.xyz.com (and vice-versa). For most Unix systems, that function is provided by "named" and the configuration files are /etc/resolv.conf, named.conf, and perhaps nsswitch.conf. While you'll find a resolv.conf and even a named.conf on Mac OS X, you won't find named in the process list. Instead, MacOSX has a neat resolver capability controlled by "lookupd".
Random Numbers Random numbers are important for computers. Aside from making games like Solitaire more interesting, the use of randomness in generating passwords and encrypting data is critical to security.
Tightvnc, Chicken of the VNC VNC is "Virtual Network Computing" and is a cross-platform method of allowing remote access to desktops (Windows or Unix/Linux, Mac and others). It is conceptually like using Terminal Services or PcAnywhere etc. for Windows but is license free and of course capable of serving Linux/Unix machines also.
Microsoft's Services For Unix Gosh, you'd never expect me to say something pleasant about a Windows machine, would you? Well, actually that's not entirely true: I've been known to grudgingly admit that while it isn't Unix, Windows XP Professional really isn't awful. In fact, if you can live without Unixy stuff at your beck and call, Windows XP is pretty good - there are even things I actually LIKE about it.
Lost Root Password (Linux) I have a very good memory. I remember most of my clients' passwords (there are a few I forget regularly for no reason that I can understand, but I really do know most), I remember telephone numbers, and of course I know my own passwords. That last isn't as easy as it might sound, because I have quite a few different systems and each has its own password, but though I might use the wrong one now and then, I'll get it on the second or third try.
Securing POP mail access in MacOSX I always worry about my website. Security is serious stuff, and you really can't be too careful. I don't enable telnet, rlogin and use long, complicated passwords with ssh and so on. I use a shared webserver (http://www.interland.com) that allows me virtual root access, and I fortunately don't have to worry about things like sendmail; Interland keeps on top of that sort of thing for me.
Numeric Unix Error Messages It's an unfortunate fact that many programmers are lazy about error messages. Very often, all you get is a cryptic "Error 5", and you may be lucky to get that: sometimes all you get is an error return that you have to examine yourself with "echo $?". You can't even depend on that being the actual Unix error, but even if it is, what does it mean?
Mac OS X Panther upgrade A lot of folks have grumbled about paying $130.00 to upgrade to Panther, the latest version of Mac OS X (October 2003). I have to say that it is definitely worth it: maybe you feel cheated because you just paid for Jaguar six months ago, but you will be happy after you install this. The hype, for once, has reality behind it: this is as good as Apple said it would be.
Monitoring File or Directory Changes Many modern systems provide a way to watch a directory for events (new files, reading the directory, modification of a file in the directory, etc.). This facility can be done in various ways, from providing hooks in the filesystem code itself to something that watches for inode changes. Linux and BSD have several possibilities in that regard, including dnotify, changedfiles, and watch.
My Wife Hates my Mac First: I LOVE my Mac. It's my wife that hates it. I say that in the hopes of heading off a flood of defensive email. Don't bother to write me telling me how wrong this article is: you would be preaching to the converted. I already know that she's wrong, that she is just hopelessly corrupted by the Microsoft way. I also know that I'm guilty of not training her in the basics of using this iBook, so yes, it's partly my fault. Or all my fault if you like.
In Defense of Unix (and Linux, of course) Warning: This article contains strong language and unpopular opinions. Reading of this material by Windows advocates may cause severe gastric distress followed by a desire to strike the author sharply about the head. As the author does not enjoy being pummeled, such persons are kindly requested to return whence they came and do something else.
VPN's and Other Remote Access A VPN is a Virtual Private Network. The concept is that you are using public or other shared lines (generally the Internet) to connect machines, but that all packets are encrypted (so your connections are "private").
Installing a Small Office Network For many of us in the SCO world, office networks are a fairly new phenomenon. Many SCO systems are still happily using serial connectivity exclusively, even when Windows machines are part of the enterprise, and even when those machines may be networked between each other. In fact, some people even refer to serially connected terminals as a "network" (I won't use that here: if I say network, I mean an Ethernet network).
NT vs. Unix I think it was some Sun piece that said something like: "If all you ever had to do with an OS is install it, NT would be a great operating system".
Unix Permissions These are classic Unix permissions. However, many modern Unixes support extended attributes that go beyond this. We'll look at one example of that later in the article. You also need to know that Unix and Windows permissions don't map well to each other, so if you are using something like Samba or Visionfs, you need to understand how permissions will be shown and honored. Some examples of that are shown later.
Virtual PC for Mac OS X Virtual PC for Windows, Mac (OS 9 or X) and OS/2 creates virtual machines that can run multiple Windows versions. This is particularly advantageous for Mac users, but even ordinary PC users can find value in this. It's easy to have Linux, Windows 98, Windows ME, 2000, XP Home and XP professional all on the same machine.
Kernel Link Failures That's a pretty awful feeling, isn't it? You've got to link a new kernel because you need to change a value or needed to add something, and it fails.
Granite Digital SMARTVue for Mac OS X Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T) is built into most newer hard drives. S.M.A.R.T records a number of "attributes" that can be reported. These are things like Seek Error Rate, Spin Up Time and more which could help warn of impending difficulties. This predictive and warning function is part of the value for products like Granite Digital's SMARTVue.
Operating System Concepts The CPU (Central Processing Unit) is the heart of any computer, but the operating system is the brain. Unfortunately, understanding exactly how these things really work can be difficult, because it's fairly hard to "play" with the operating system that you are actually using. You can do quite a bit with sophisticated debuggers, but eventually you run into confusion and difficulty.
Using the shell (Terminal) in Mac OS X Many Mac OS X users won't have any need to use the Unix shell that underlies their graphical interface. Some will likely disdain the very idea, but for those adventurous enough to try it, a whole new world awaits.
Setting up Netcat Printers Boy, I like netcat. Just finished converting one client's SCO 5.0.5 system from Berkeley LPD to netcat and recommend the change to anyone now using LPD to print to dedicated print servers.
How secure do you want to be You probably get a good deal of email, letters and phone calls warning you about computer security. The general idea is the same: your systems are threatened, we can stop the threat. The cost of the remedy is seldom mentioned up front, but there are lots of buzz words to make up for any lack of specifics. "Intrusion detection", "secure firewall", "hackers", "Security assessment" and more.
How can I print to a remote PC that does not have a static IP address? This is a fairly common problem: you have a PC at home and you make some sort of connection over the internet to your server, but your application needs to print to your PC. That would be easier if your PC had a fixed, constant IP address, but your connection is dynamic so it changes.
There are many, many ways to solve this problem. So many, in fact, that I'll probably miss one or two in this write up. If I do miss something, do let me know: it may help someone else down the line.
Triple Threat Good things come in small packages, but large things aren't always bad either. That must have been the thought someone had in designing an email newsletter for their customers. Apparently they had quite a bit of news; this particular piece of email was 34 megabytes when it arrived at the Mitel SME (E-Smith) server of one of my customers.
Network Neighborhood, Visionfs, Samba Authentication and all that Unix and Linux machines have been able to provide Network Neighborhood style file and print services for some time now, but I constantly see confusion and problems due to misunderstanding of how these things work.
I'm going to use an example from a real situation involving an XP user and a SCO Visionfs network. The concepts of this apply to Linux, Mac, Samba: it doesn't really matter.
Device::SerialPort on Redhat 8 The end of life for Redhat 6.2 security updates happened at the end of March. Because of this, I have been upgrading our remote buildings with Redhat 8. Since each building has a T1 router, I wrote a small program to log the router's messages to a text file.
DSL and Cable Modem Security Although high speed internet access may not have reached you yet, it probably will soon. The advantages are obvious, but there's a dark side: security. I'm not going to talk about the more general aspects of securing your system here (I've done that in General Security), but only specifically about the issue of clear text passwords with telnet, pop, and ftp.
Counterpoint on Red Hat Linux Counterpoint (http://www.synchronics.com) is a provider of point of sale and accounting software.
Shell Bashing It was about three o'clock on a Thursday afternoon when Kevin called me.
Hylafax for OSR5 You'll probably save yourself a lot of trouble if you just decide now that a better place to run Hylafax is on a Linux machine.
SCO OSR5.0.6 Because of an unexpected schedule change, I found myself with a whole day open one recent Tuesday.
Peek Peek, by Computronics (http://www.computron.com/), is a user monitoring/control tool for character based applications. Most Unix platforms are supported, including Linux and SCO OSR5.
Cron, Batch and At These three commands are used to run commands at some other time. They differ in their usage, their environment, and their default actions, so are sometimes a source of confusion.
User Friendly Date Script Setdate
The "setdate" is just a more user-friendly front end to changing the date and time:
Connecting to the Internet Connecting to the Internet
This article is a basic overview to get you started. There are other articles here that cover certain details in more depth. You may also want to read:
Why is my system so slow? This is not a performance tuning article. If your system is always slow, this article may not be what you are looking for. I'll be covering some general performance related issues here, but the main focus is for the system that was running fine yesterday but is sucking mud today. The typical response to such problems is "Reboot it", and while that may indeed fix the problem, it does not address the root cause, so you are likely to have the situation again.
Sendmail Sendmail can be a little scary. If the 1,000+ page O'Reilly reference doesn't give you pause, the cryptic configuration files probably will. But actually, if you can put up with a little pain to get by the basics, Sendmail really isn't all that difficult. It is complicated, but a few "rules of the road" will allow you to understand it.
Why not differential backups? I get this question frequently. It's usually triggered either because the tape device can't hold an entire backup set or because the time required for backup interferes with productive work. Most of the time this can be easily remedied by a larger or faster storage device, but someone is bound to bring up the idea of differential backups.
The idea is that you create a full backup that has everything, and from then on, you only backup the files that have changed. Presumably that's a smaller set of files and therefore this solves the space or time problems. Usually the full backup is refreshed on some schedule and the process starts again. There are variants on the theme; for example the differential may include all files that have changed since the last full backup rather than just those that have changed since the last differential. That sort of scheme eventually ends up with the differential containing any and all files that ever change, no matter how infrequently; the full backup is the source of everything else.
Library Cross Reference This is a cross reference of libraries needed by Skunkware and other binary packages and where to obtain the library or other needed tool. You know you need a library when the program fails to work; sometimes it is friendly enough to tell you what it needs, but sometimes it is not.
Multitech RF550VPN SOHO VPN Router Multitech's new SOHO RF550VPN Router is an inexpensive ($179.00 list) Internet access router with VPN capabilities suitable for home or small office use.
Features not found in lower end products include:
- Five (5) IPSEC VPN tunnels
- Automatic dialup to emergency ISP if WAN connection fails
- Both client and WAN side filtering
- Virtual servers (inward port redirection)
- Redirect RF550VPN logging to a syslog server
- Flash upgradable firmware
Using sudo Most Unix systems have some way of letting ordinary users perform certain tasks as root or some other privileged user. SCO Open Server has "asroot" and can also directly assign "authorizations" such as backup privileges or being able to change other user's passwords. SCO Unixware/Open Unix 8 have a similar facility in "tfadmin". Many Unixes, and Linux, use "sudo".
sudo is configured through the /etc/sudoers file. I'm sure that there are more poorly written man pages, but "man sudoers" is among my all time favorites for obfuscation and poor explanation. The creation of the file and the actual use of sudo isn't all that bad though.
RS232 Wiring Diagrams Meanings of pins in DB25 order:
Backlinks (http_referrers) When a web page is accessed by a link from some other page, the address of the other page (the "referring page") is made available to the web server. We can pick that information up from logs or as the page is being displayed. For example, if we have Server Side Includes or PHP, we can pick up the referring page from an environment variable. Here's a snippet of Perl code that does that:
$frompage=$ENV{HTTP_REFERER};
$thispage=$ENV{REQUEST_URI};
Yes, there's a missing R in HTTP_REFERER. Yes, that's wrong, but that's what the variable is so that's what you use.
Tape Drive or CDROM Not Found Creating a tape drive or cdrom should be simple: run "mkdev tape" or "mkdev cdrom" and answer the questions, relink a new kernel, reboot and it is done. Unfortunately, people seem to have a lot of problems with this.
(For the remainder of this article I'll be referring only to tape drives. Everything said applies equally to cdroms or indeed any scsi or ide device being added).
SME Server (E-Smith) Mail Forwarding, Lists, Etc. The Mitel Networks SME Server (formerly E-Smith) is a friendly web server and e-mail gateway. The original E-Smith is now called Mitel SME Server V5. There is also a hardware/software bundle referred to as the Mitel 6000 Managed Application Server. Here we cover forwarding email to another mail account and mailing lists.
Noted in Passing June 2002 These are things I'm too busy to look into in depth, but caught my interest somewhere recently, and might be of interest to you also.
SME Server V5 Virtual Domains The Mitel Networks SME Server (formerly E-Smith) is a friendly web server and e-mail gateway. Here we cover creating a virtual domain and giving a user or users ftp access to it.
Notify Cell Phone of Incoming Mail
Many cell phones now have the ability to receive email. While that can be very useful, large messages are often a problem both because they are hard to read and because one large message may be split up into multiple messages at the phone.
Sometimes, though, it's important that certain messages get to you even though they may be large. That's the situation one of my Mitel (E-Smith) mail server customers had: mail sent to a certain account was very important to know about, but he didn't want the entire message shipped to his cell phone. As it turns out, this was an easy problem to solve.
SCO Openserver release 5.0.7
There is a lot to like in the 5.0.7 release of SCO Openserver. Support for IDE CD-RW and DVD-RAM (you need other tools to actually write to this media, but the important kernel support is built in), more USB devices (though not printers or modems), P4, Xeon, and AMD Athlon processors, UDMA 100 and 133 hard drives, PCI serial and parallel cards, LS-120 and LS-240 IDE drives (see "man Sflp", not "sflp" as the documentation suggests), several Gigabit network cards, and more PCMCIA support.
The Netscape server is gone, replaced by Apache, OpenSSH is built in, sendmail is at 8.11 (which of course will need immediate updating), and you now have a choice of Mozilla or Netscape for GUI browsers and Lynx is included for character mode.
Too many messages for Outlook Express
Recently one of my Mitel SME Server clients took two weeks off. When he returned, Outlook Express told him he had 23,000 messages waiting on the server! Unfortunately, Outlook Express couldn't bring any of those messages to his PC; it just hung.
Why Production servers shouldn't have external interfaces
People sometimes want to use their application servers as firewalls. This seems attractive at first glance: slap in another network card, add some packet filtering, tighten the system down a bit and connect it to the outside world. Cheap and quick, but a very bad idea.
Linux Logical Volume Manager (LVM) on Software RAID
Logical Volume Manager is now included with most Linux distributions. The RedHat 8.0 installer even allows you to create LVM volumes during initial install. LVM offers capabilities previously only found in expensive products like Veritas.
3.2v4.2 System Recovery
I was called in recently to help with the recovery of an old SCO 3.2v4.2 system that had crashed. The crash had initially been caused by a power supply failure, but after replacing that hardware, the machine would not boot - it just hung after the kernel i/o buffers message. As a common cause for that is simply a missing or damaged inittab, I thought we might be able to fix it by booting from floppies and doing a manual repair. Unfortunately, there were no emergency boot floppies.
Understanding IPTABLES
Packet filtering is something I've always had a hard time getting my head around. Not the basics; that's easy enough. It's just the incredible level of detail, the difficulty of keeping it all in your head at once. And then, of course, there are all the different flavors: ipfw, ipfilters, ipchains, and now iptables. It gets more than a little confusing, and I've never taken the time for more than a cursory look at any of them.
Why run your own mail server?
First, The Consultant
Recently I was working with another "consultant". I've deliberately put that in quotes because this person really lacked the skills to do the job he was doing, but for political reasons I had to refrain from pushing him out of the way and taking over. His lack of basic knowledge was frustrating, but I gritted my teeth and kept my comments friendly. It wasn't easy.
Anyway, part of what he was doing was configuring a router. I had to hold my breath as he explained that he always left the default password unchanged because "it's easy to remember". After he left, and with the permission of the owner, I changed that. It's just this funny idea I have that a router sitting on the Internet ought not to have a password that is known by a few million people and published on hundreds of websites. I'm funny like that.
How secure do you want to be?
You probably get a good deal of email, letters and phone calls warning you about computer security. The general idea is the same: your systems are threatened, we can stop the threat. The cost of the remedy is seldom mentioned up front, but there are lots of buzz words to make up for any lack of specifics. "Intrusion detection", "secure firewall", "hackers", "Security assessment" and more