main

main@lists.alug.org.uk

10364 discussions

Security - part II
by Chris G 25 Nov '08

25 Nov '08

I.e. thoughts and questions on backups. Continuing on from making my system secure against the most likely attacks etc. I need to make backups of the 'important' data. Currently I backup from my main server system (the pre-update one at the moment) to a system on the home LAN in the garage. The garage is a fair way from the house so in the event of a serious disaster (e.g. a fire) it should survive. I also backup the *most* important files off-site to my account at my hosting provider. At the moment these backups are 'pushed' from the main system, i.e. it is cron in that system that runs the backups. This requires that I have passwordless access to the destination system and here I see a hole! If a hacker got into my main system [s]he could immediately gain access to the backup destinations as well and destroy data there. How can one overcome this issue? I can see a partial way around it for the LAN backups, I can remove the passwordless access to the system in the garage and change to a 'pull' backup that is run by cron on the garage system. The garage system can have passwordless access to the main system to enable this, there's no access through the firewall to the garage system so a hacker would need to guess the garage system passwords to get to it. This at least provides another layer of pretection against malicious attacks. However I can see no way to pretect the off-site (across the internet) backups from similar attacks. If the shell account at my hosting provider was to have passwordless access to my home system that would lay me open to all sorts of malicious attacks so obviously that's not possible so I can't use the 'pull' backup from there. If I'm going to backup as at present the passwordless access to the off-site system needs to remain and therefore is open to a malicious attacker. It occurs to me that I could *possibly* do the backups from the garage system to the off-site system, that would improve things somewhat. How does the world at large do backups to remote systems without incurring security problems? -- Chris Green

4 7

ALUG Ipswich Xmas Meal 2008
by samwise 25 Nov '08

25 Nov '08

Hi, At the last Ipswich meet we discussed repeating the Xmas meal we had last year. Would anyone else on the list be interested in attending? We talked about having it on a different day to the usual December meet so if anyone else wants to join in, drop me a line and I'll try and co-ordinate a day that fits for everyone. Cheers, Peter.

1 0

Is it possible to use DHCP for DNS only?
by Chris G 25 Nov '08

25 Nov '08

Is it possible to set up a Linux system so that it has a fixed IP address on the LAN but uses the addresses given to it by a router (using DHCP) for DNS? -- Chris Green

5 12

mySql - problems with passwords etc., is there no easy way?
by Chris G 24 Nov '08

24 Nov '08

I always seem to get in a tangle with installing and setting up mySql. The essential problem seems to be that mySql wants to refer to the local machine as 'localhost', and 127.0.0.1, and 'chris'. Thus when I try and add a user it seems that the user gets added with privileges for one (or some) but not all of 'localhost', and 127.0.0.1, and 'chris' and then doesn't work because I need to acces the database as one of the other host names. Adding a user as 'user'@* seems to be even worse and doesn't work at all. I also seem to be having trouble changing the password for the mySql super user, I tried doing it via phpmyadmin and that seems to have done nothing, I can't quite fathom the syntax for doing it in mySql from the command line in the mysql front-end. I *do* know SQL fairly well and usually once I have the password/host chaos sorted out mysql works well for me but this part of it really stinks IMHO when you're working on localhost (or is it 127.0.0.1 or is it chris?). It's fine when working remotely, there's only one possible name for the place where the database is. -- Chris Green

3 4

Some thoughts/questions re: ssh security
by Chris G 24 Nov '08

24 Nov '08

As I'm in the process of moving my 'home server' across to a new machine it seems a good time to check out the security aspects. The machine runs behind an ADSL router which provides the firewall. I have the firewall set up so that the only access allowed from outside the home LAN is:- ssh port access from two specific IP addresses http and https access from anywhere I have data on the machine which I don't want to lose but it's not valuable or particularly confidential so I don't think I need to protect myself against concerted attacks from the CIA or MI5. :-) What I do want to prevent as far as possible is malicious attacks from hackers who, if they did get access, would probably just 'make a mess of things' for fun. The two IP addresses from which ssh access is allowed are the public address of my work machine and a machine where I have a shell login at my hosting company. Thus they are both moderately secure themselves but there is always a possibility that someone 'unfriendly' might get access. The choice (for ssh) lies between public/private key and ordinary passwords. I *know* that in general public/private key is regarded as more secure but I'm leaning towards using password security for the following reasons:- The machine where the password shadow file is stored is (relatively) secure, the only user is me. If someone (hacker) has access to the shadow file to apply brute-force/dictionary attacks then I've already lost the battle. I make very sure that passwords on my home machine bear no similarity to those on systems outside so knowledge of my 'outside' passwords will not make guessing my home machine's passwords easy. Someone who has access to my work/hosting accounts may well get access to the public key part of the public/private key pair. This, ultimately, lays it open to attack. They have *no* access to my home machine and thus, although the shadow file is fundamentally weaker in itself there is no opportunity at all to attack it. The *only* way that an attacker can break in is by guessing passwords. Does the above make reasonable sense or have I overlooked anything obvious? Obviously physical security matters and also I need to have the 'other half' of security based on backups etc. (probably subject of another E-Mail). Final question, how vulnerable does running apache2 on the system with general access make it? Are buffer overflow exploits and other such things likely to make my careful ssh security pointless? -- Chris Green

1 0

Re: [ALUG] Red Hat Enterprise insanity
by Richard Bensley 24 Nov '08

24 Nov '08

> Been handed a Red Hat Enterprise 4.x box that needs nagios plugins. > > Problem: How do I download and install together with dependencies. I'm a > Debian user myself, so going after the individual rpm files is driving > myself and my colleague crazy. Don't really want to go down the tarball > route either. > > We've been under the impression that these issues must have been resolved > years ago, but I can't find much help through Google. > > TIA > > James Hi, I assume you don't have a support contract? Best to do would be to add the rpm repositories (https://rpmrepo.org/RPMforge). RHEL is pretty useless without support. CentOS is built off the same source but you don't need a subscription. I can highly recommend centos. To do things apt-get style use the program 'yum' i.e.: sudo yum install PACKAGENAME Synaptic can also be used for RPM repositories. Rich

1 0

Gnome "Wastebasket" puzzle
by Ted.Harding＠manchester.ac.uk 23 Nov '08

23 Nov '08

Hi Folks, Something's happened whilch puzzles me a bit; and also I don't know how I should deal with it. What I did: 1: Insert a USB stick that I wanted to delete the files on. When it's Icon appeared on the Gnome desktop, I opened that. I could see the files stored on the USB stick, but the menu for each file (right-click on file icon) offered no explicit option to delete it, except "Move to Wastebasket". So, for each file I did that. 2: I then unmounted the USB stick, removed it, and opened the Wastebasket (to empty the files out of that). There I found two Icons: A: "Ted's Downloads" [folder] B: "Ted's Downloads (Copy") [folder] I have no idea how they got there. When I look in them, they contain the files which are in my real "Ted's Downloads" folder. Some of these were on the USB stick too, but only a few of them. My Dilemma: I do NOT want to destroy the real "Ted's Downloads". However, the only vaguely relevant Menu option I can find is "Empty Wastebasket". Presumably, this would destroy the real "Ted's Downloads" folder, since apparently that (with its full current contents) is apparently now in the Wastebasket, though still accessible both from its own Desktop icon and from the command line. If, in the command line from /home/ted, I do: $ ls -l .Trash total 4 drwxr-xr-x 2 ted ted 4096 2008-09-17 20:42 Ted's Downloads lrwxrwxrwx 1 ted ted 19 2008-09-17 20:52 Ted's Downloads (copy) -> /home/ted/Downloads and: $ ls -l Desktop total 8 drwxr-x--- 2 ted ted 4096 2007-10-30 17:07 Downloads -rw------- 1 ted ted 474 2007-09-22 23:29 Google-googleearth.desktop lrwxrwxrwx 1 ted ted 19 2008-09-17 21:35 Ted's Downloads -> /home/ted/Downloads What I want to do: Get "Ted's Downloads" out of the Wastebasket (if it's really there ... ) without destroying it, so that in future I can move other files to the Wastebasket and "Empty Wastebasket" without destroying "Ted's Downloads". And: NO, I did not find any of the files I "Moved to Wastebasket" from the USB stick where I would have expcted to, namely at the top level of Wastebasket (i.e. Trash). Any ideas, comments? With thanks, Ted. -------------------------------------------------------------------- E-Mail: (Ted Harding) <Ted.Harding(a)manchester.ac.uk> Fax-to-email: +44 (0)870 094 0861 Date: 22-Nov-08 Time: 18:43:57 ------------------------------ XFMail ------------------------------

3 5

1TB External Hard Drives
by Mark Reid 22 Nov '08

22 Nov '08

Hi Folks I'm thinking of getting a 1TB external hard drive to use as file storage. I plan to connect via USB. Does anyone have any experience of using one on a Linux system and can warn of any potential problems or pitfalls? I'm running Ubuntu Intrepid on a Dell Inspiron 6400. Thanks Mark Reid

3 2

Wiki upgrade
by Jonathan McDowell 22 Nov '08

22 Nov '08

I've upgraded the wiki to the latest Moin release; we were somewhat out of date. I think it should all be working fine but let me know if you have any problems. J. -- If it was easy, the hardware people would take care of it.

1 0

Red Hat Enterprise insanity
by James Green 21 Nov '08

21 Nov '08

Been handed a Red Hat Enterprise 4.x box that needs nagios plugins. Problem: How do I download and install together with dependencies. I'm a Debian user myself, so going after the individual rpm files is driving myself and my colleague crazy. Don't really want to go down the tarball route either. We've been under the impression that these issues must have been resolved years ago, but I can't find much help through Google. TIA James

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

main