From trs80 at ucc.gu.uwa.edu.au Fri Nov 7 21:25:27 2003
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Wed Oct 27 01:28:11 2004
Subject: [tech] piggery
Message-ID:

piggery has been reinstalled sanely, it now uses all the disk. The
graphics driver is installed and working, but apparently needs a PAK to do
opengl - mustang?. Speaking of PAKs, there's no OSF-BASE (or
UNIX-WORKSTATION) PAK in any of the license files that I can find - does
anyone have one? Anyway, I'll start compiling all the standard stuff on
it, so that once it does have OSF-BASE and people can log in it'll be
useful.

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC President        http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

From elixxir at ucc.asn.au Fri Nov 7 22:01:27 2003
From: elixxir at ucc.asn.au (Paul Marinceu)
Date: Wed Oct 27 01:28:12 2004
Subject: [tech] piggery
In-Reply-To:
References:
Message-ID: <20031107140127.GA399151@morwong.ucc.gu.uwa.edu.au>

On Fri, Nov 07, 2003 at 09:25:27PM +0800, James Andrewartha wrote:
> piggery has been reinstalled sanely, it now uses all the disk. The
> graphics driver is installed and working, but apparently needs a PAK to do
> opengl - mustang?. Speaking of PAKs, there's no OSF-BASE (or
> UNIX-WORKSTATION) PAK in any of the license files that I can find - does
> anyone have one? Anyway, I'll start compiling all the standard stuff on
> it, so that once it does have OSF-BASE and people can log in it'll be
> useful.

Coolness. Glad the pixmap issues are gone then.
Nice work James...now all it needs is 100Mbit ;D

-- 
Paul Marinceu
http://elixxir.ucc.asn.au

From trs80 at ucc.gu.uwa.edu.au Sun Nov 9 23:07:33 2003
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Wed Oct 27 01:28:13 2004
Subject: [tech] /home on morowng
Message-ID:

Ok, /home on morwong is now 18gig, composed of two 9gig volumes, each of
which is a RAID 1 LSM volume across two 9gig disks. It seems reasonably
happy, except that one of the plexes (homemirror00-02 on home03 on dsk10)
had an IOFAIL. I went to reattach the plex, but it seems that LSM
automagically decided to reattach it itself (it hasn't completed yet, and
I can't find out how to monitor the status - it's not showing in volprint
-l homemirror00-02).

Anyway, as part of the moving about, /home should also have been
defragged, although I haven't actually verified this.

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC President        http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

From nick at ucc.gu.uwa.edu.au Tue Nov 11 09:29:14 2003
From: nick at ucc.gu.uwa.edu.au (Nick Bannon)
Date: Wed Oct 27 01:28:13 2004
Subject: [tech] /home on morowng
In-Reply-To:
References:
Message-ID: <20031111012914.GD87617@morwong.ucc.gu.uwa.edu.au>

On Sun, Nov 09, 2003 at 11:07:33PM +0800, James Andrewartha wrote:
> Ok, /home on morwong is now 18gig, composed of two 9gig volumes, each of
> which is a RAID 1 LSM volume across two 9gig disks. It seems reasonably
> happy, except that one of the plexes (homemirror00-02 on home03 on dsk10)
> had an IOFAIL. I went to reattach the plex, but it seems that LSM
> automagically decided to reattach it itself (it hasn't completed yet, and
> I can't find out how to monitor the status - it's not showing in volprint
> -l homemirror00-02).
>
> Anyway, as part of the moving about, /home should also have been
> defragged, although I haven't actually verified this.

Wonderful! I can't be sure if the performance has actually improved, but
it certainly seems alright. The redundancy is a huge relief - I'm amazed
the anti-redundant disk concatenation hadn't bitten us before now.

We never got any SCA SBBs, did we?

How's the licensing? Has it all come from UCS? Where are they stored?
How's piggery and centuri ? "lmf list" looks interesting...

Nick.

-- 
Nick Bannon      | "I made this letter longer than usual because
nick-sig@rcpt.to | I lack the time to make it shorter." - Pascal

From trs80 at ucc.gu.uwa.edu.au Tue Nov 11 11:11:10 2003
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Wed Oct 27 01:28:13 2004
Subject: [tech] /home on morowng
In-Reply-To: <20031111012914.GD87617@morwong.ucc.gu.uwa.edu.au>
Message-ID:

On Tue, 11 Nov 2003, Nick Bannon wrote:

> On Sun, Nov 09, 2003 at 11:07:33PM +0800, James Andrewartha wrote:
> > Ok, /home on morwong is now 18gig, composed of two 9gig volumes, each of
> > which is a RAID 1 LSM volume across two 9gig disks. It seems reasonably
> > happy, except that one of the plexes (homemirror00-02 on home03 on dsk10)
> > had an IOFAIL. I went to reattach the plex, but it seems that LSM
> > automagically decided to reattach it itself (it hasn't completed yet, and
> > I can't find out how to monitor the status - it's not showing in volprint
> > -l homemirror00-02).

Well, the disk failed again, so I ripped it out and swapped it with one
from UCS (which is where the failed disk came from) and it's happy now.

> We never got any SCA SBBs, did we?

No, we didn't.

> How's the licensing? Has it all come from UCS? Where are they stored?
> How's piggery and centuri ? "lmf list" looks interesting...

We didn't get a response from UCS about licensing LSM, so I just set the
date back two years briefly to launch the software. piggery now has a
working license, and centuri should be fine too.

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC President        http://trs80.ucc.asn.au/ #|  what squirrels do best     |
[ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /

From bernard at blackham.com.au Wed Nov 12 09:49:05 2003
From: bernard at blackham.com.au (Bernard Blackham)
Date: Wed Oct 27 01:28:14 2004
Subject: [tech] mooneye mail
Message-ID: <20031112014905.GH17558@amidala>

mooneye now does the postfix thing thanks to Matt. Flame mail also works
again thanks to James (it hadn't for a while).

I've turned off bounce notification as it was a little too noisy (about
50 or so overnight of just random spammers spamming random or old
addresses).

Also bind no longer runs as root. Yay :)

Bernard.

-- 
Bernard Blackham
bernard at blackham dot com dot au

From mattj at tartarus.uwa.edu.au Wed Nov 12 13:06:05 2003
From: mattj at tartarus.uwa.edu.au (Matt Johnston)
Date: Wed Oct 27 01:28:14 2004
Subject: [tech] Hopefully postfix works?
Message-ID: <20031112050605.GV1414@tartarus.uwa.edu.au>

Does it work now? Just testing with spam filtering back on.

Matt

From matt at ucc.asn.au Wed Nov 12 13:11:08 2003
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed Oct 27 01:28:14 2004
Subject: [tech] Just testing, please ignore
Message-ID: <20031112051108.GB476779@morwong.ucc.gu.uwa.edu.au>

Just testing if this will be eaten.

Cheers,
Matt

From tieryn at coman.com.au Wed Nov 12 13:25:49 2003
From: tieryn at coman.com.au (Chris Coman)
Date: Wed Oct 27 01:28:14 2004
Subject: [tech] Just testing, please ignore
In-Reply-To: <20031112051108.GB476779@morwong.ucc.gu.uwa.edu.au>
Message-ID: <006801c3a8dd$72f03710$fd02a8c0@krondor>

*munch munch munch munch munch*

Mmm

Coman

> -----Original Message-----
> From: tech-bounces@ucc.gu.uwa.edu.au
> [mailto:tech-bounces@ucc.gu.uwa.edu.au] On Behalf Of Matt Johnston
> Sent: Wednesday, 12 November 2003 1:11 PM
> To: tech@ucc.gu.uwa.edu.au
> Subject: [tech] Just testing, please ignore
>
>
> Just testing if this will be eaten.
>
> Cheers,
> Matt
>
>

From matt at ucc.asn.au Wed Nov 12 14:11:09 2003
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed Oct 27 01:28:15 2004
Subject: [tech] Mail working again
Message-ID: <20031112061108.GD476779@morwong.ucc.gu.uwa.edu.au>

Hopefully all mail should be working now, this mail is kind of a test as
well. Spam filtering was breaking mails with multiple recipients (like
these lists), that should be fixed now.

Hopefully this didn't affect too many people, mails with CCs/multiple TOs
(at ucc addresses) only went to the first recipient, from ~9 last night
to ~10 this morning.

Thanks to Bernard for noticing it and stopping it. Below is Bernard's
email which didn't go through.

Cheers,
Matt

Forwarded message from Bernard, Wed, 12 Nov 2003 09:49:05 +0800:

mooneye now does the postfix thing thanks to Matt. Flame mail also works
again thanks to James (it hadn't for a while).

I've turned off bounce notification as it was a little too noisy (about
50 or so overnight of just random spammers spamming random or old
addresses).

Also bind no longer runs as root. Yay :)

Bernard.

-- 
Bernard Blackham
bernard at blackham dot com dot au

From david_luyer at pacific.net.au Thu Nov 13 14:03:30 2003
From: david_luyer at pacific.net.au (David Luyer)
Date: Wed Oct 27 01:28:15 2004
Subject: [tech] FreeBSD systems?
Message-ID: <20031113060330.GB9394@pacific.net.au>

Does UCC have a FreeBSD system? I need to compile something I can't
give away source to, for someone to use on FreeBSD.

Answer by direct email please, I haven't read any mailing list email
or non-direct email for the last few months...

Thanks,
David.

-- 
David Luyer                                     Phone:   +61 3 9674 7525
Network Development Manager    P A C I F I C    Fax:     +61 3 9698 4825
Pacific Internet (Australia)  I N T E R N E T   Mobile:  +61 4 1111 BYTE
http://www.pacific.net.au/                      NASDAQ:  PCNTF

From david_luyer at pacific.net.au Sat Nov 15 00:02:11 2003
From: david_luyer at pacific.net.au (David Luyer)
Date: Wed Oct 27 01:28:15 2004
Subject: [tech] the aftermath
In-Reply-To: <20030817111100.GD9075@morwong.ucc.gu.uwa.edu.au>
References: <20030816163950.GB5197@amidala>
 <20030817034303.GB9075@morwong.ucc.gu.uwa.edu.au>
 <20030817040706.GB29815@morwong.ucc.gu.uwa.edu.au>
 <20030817111100.GD9075@morwong.ucc.gu.uwa.edu.au>
Message-ID: <20031114160211.GA12928@pacific.net.au>

On Sun, Aug 17, 2003 at 07:11:00PM +0800, Adrian Chadd wrote:
> On Sun, Aug 17, 2003, Nick Bannon wrote:
> > On Sun, Aug 17, 2003 at 11:43:03AM +0800, Adrian Chadd wrote:
> > > .. once the network upgrade happens. It'll suck otherwise.
> > > What about a firewire caddy and a fat removable hard disk?
> >
> > Those are useful, but insufficient. They save us from "oh dear the
> > hardware exploded", but they don't help for "someone fucked up the
> > config/deleted something/rootkit'ed the machine but no-one noticed
> > until a month later".
>
> Err, that's an application layer thing, _not_ the physical media.
> you can do incremental (dump, rsync, tar, etc) backup/restores
> quite happily onto hard disk.

Has anyone done copy-on-write snapshots for Linux or *BSD?
(most SANs do them, but I can't think of a Unix FS which does)

David, a little behind on email.

From nick at ucc.gu.uwa.edu.au Sat Nov 15 11:17:26 2003
From: nick at ucc.gu.uwa.edu.au (Nick Bannon)
Date: Wed Oct 27 01:28:15 2004
Subject: Disc based backups, snapshots, syncing (was Re: [tech] the aftermath)
In-Reply-To: <20031114160211.GA12928@pacific.net.au>
References: <20030816163950.GB5197@amidala>
 <20030817034303.GB9075@morwong.ucc.gu.uwa.edu.au>
 <20030817040706.GB29815@morwong.ucc.gu.uwa.edu.au>
 <20030817111100.GD9075@morwong.ucc.gu.uwa.edu.au>
 <20031114160211.GA12928@pacific.net.au>
Message-ID: <20031115031726.GS87617@morwong.ucc.gu.uwa.edu.au>

On Sat, Nov 15, 2003 at 03:02:11AM +1100, David Luyer wrote:
> Has anyone done copy-on-write snapshots for Linux or *BSD?
> (most SANs do them, but I can't think of a Unix FS which does)

There's a few options - Linux LVM of course, at the block layer. At the
FS layer, there's BSD Union FS and http://translucency.sourceforge.net/ ,
or a few other/older approaches at the same thing. User-Mode-Linux can,
which would be quite a neat solution.

Then there's a bunch of disc-based backup systems. These would indeed
match a removable Firewire disc or something - I _do_ think they'd be
worth getting a nice big one (a dual drive LaCie?) and using exclusively
for backups:

http://www.mikerubel.org/computers/rsync_snapshots/
http://www.mikerubel.org/computers/rsync_snapshots/#References (Links)
http://rsnapshot.scubaninja.com/

And a few syncing-type links for luck:

How to do a consistent mirror, using sequence files:
http://www.ussg.iu.edu/hypermail/linux/kernel/0311.1/0442.html
http://0pointer.de/lennart/projects/syrep/
apt-cache show unison

RAID over NBD/ENBD/iSCSI/HyperSCSI?
http://www.drbd.org/
http://www.cs.bgu.ac.il/~srfs/overview.html
http://www.lustre.org/

It would of course be wonderful to pick up a secondhand NetApp filer,
in a complete and operational state. They keep getting put on ebay for
stupidly high prices, and... not selling.

Nick.

-- 
Nick Bannon      | "I made this letter longer than usual because
nick-sig@rcpt.to | I lack the time to make it shorter." - Pascal

From david_luyer at pacific.net.au Sat Nov 15 18:24:30 2003
From: david_luyer at pacific.net.au (David Luyer)
Date: Wed Oct 27 01:28:16 2004
Subject: Disc based backups, snapshots, syncing (was Re: [tech] the aftermath)
In-Reply-To: <20031115031726.GS87617@morwong.ucc.gu.uwa.edu.au>
References: <20030816163950.GB5197@amidala>
 <20030817034303.GB9075@morwong.ucc.gu.uwa.edu.au>
 <20030817040706.GB29815@morwong.ucc.gu.uwa.edu.au>
 <20030817111100.GD9075@morwong.ucc.gu.uwa.edu.au>
 <20031114160211.GA12928@pacific.net.au>
 <20031115031726.GS87617@morwong.ucc.gu.uwa.edu.au>
Message-ID: <20031115102429.GA31354@pacific.net.au>

On Sat, Nov 15, 2003 at 11:17:26AM +0800, Nick Bannon wrote:
> It would of course be wonderful to pick up a secondhand NetApp filer,
> in a complete and operational state. They keep getting put on ebay for
> stupidly high prices, and... not selling.

Network Remarketing in Sydney had a stack of them going cheap, I think.

David.

From adrian at ucc.gu.uwa.edu.au Tue Nov 18 13:58:59 2003
From: adrian at ucc.gu.uwa.edu.au (Adrian Chadd)
Date: Wed Oct 27 01:28:16 2004
Subject: [tech] the aftermath
In-Reply-To: <20031114160211.GA12928@pacific.net.au>
References: <20030816163950.GB5197@amidala>
 <20030817034303.GB9075@morwong.ucc.gu.uwa.edu.au>
 <20030817040706.GB29815@morwong.ucc.gu.uwa.edu.au>
 <20030817111100.GD9075@morwong.ucc.gu.uwa.edu.au>
 <20031114160211.GA12928@pacific.net.au>
Message-ID: <20031118055859.GA22388@morwong.ucc.gu.uwa.edu.au>

On Sat, Nov 15, 2003, David Luyer wrote:
> On Sun, Aug 17, 2003 at 07:11:00PM +0800, Adrian Chadd wrote:
> > On Sun, Aug 17, 2003, Nick Bannon wrote:
> > > On Sun, Aug 17, 2003 at 11:43:03AM +0800, Adrian Chadd wrote:
> > > > .. once the network upgrade happens. It'll suck otherwise.
> > > > What about a firewire caddy and a fat removable hard disk?
> > >
> > > Those are useful, but insufficient. They save us from "oh dear the
> > > hardware exploded", but they don't help for "someone fucked up the
> > > config/deleted something/rootkit'ed the machine but no-one noticed
> > > until a month later".
> >
> > Err, that's an application layer thing, _not_ the physical media.
> > you can do incremental (dump, rsync, tar, etc) backup/restores
> > quite happily onto hard disk.
>
> Has anyone done copy-on-write snapshots for Linux or *BSD?
> (most SANs do them, but I can't think of a Unix FS which does)

FreeBSD does copy-on-write UFS snapshots in FreeBSD-5.

Adrian

From elixxir at ucc.asn.au Wed Nov 19 18:57:15 2003
From: elixxir at ucc.asn.au (Paul Marinceu)
Date: Wed Oct 27 01:28:16 2004
Subject: [tech] SGI Security and r00tability
Message-ID: <20031119105715.GA76010@morwong.ucc.gu.uwa.edu.au>

So, I was going to do this since before the all-too-well-known event...
Unfortunately, I was busy. Now, I've told some of you about it but here
is what I'm planning:

In order to be _really_ paranoid about ucc's security, we also have to
secure the sgis, seeing that they now make up quite a big slice of the
ucc user machines and Irix in itself is quite powerful when r00ted
(although the only licensed compiler is on Adrian's machine). I think
James(?) remarked the security issue, or lack thereof, as well.

If you look at my machine, you'll see what I mean about paranoia. All I
have is dropbear which I hacked for sgi. It still doesn't work 100%, but
I'll make it fully portable and get Matt to patch his official version as
well. Then I'll install it on all sgis (Adrian's excepted).

Unless people want special services enabled, I plan to have all services
disabled and/or firewalled. Most currently running are useless anyway,
except for nfs.

How does the above sound? Please, no flames people, I know wheel's had a
hard time, but try and be constructive.

And remember, try to have fun!

-- 
Paul Marinceu
http://elixxir.ucc.asn.au

From elixxir at ucc.asn.au Wed Nov 19 22:47:00 2003
From: elixxir at ucc.asn.au (Paul Marinceu)
Date: Wed Oct 27 01:28:16 2004
Subject: [tech] SGI Security and r00tability
In-Reply-To: <20031119140301.GA8829@angrygoats.net>
References: <20031119105715.GA76010@morwong.ucc.gu.uwa.edu.au>
 <20031119140301.GA8829@angrygoats.net>
Message-ID: <20031119144700.GA81841@morwong.ucc.gu.uwa.edu.au>

On Wed, Nov 19, 2003 at 10:03:01PM +0800, Grahame Bowland wrote:
> Adrian has got Netfilter (is it that?) - some sort of BSDish IP filter,
> anyway, working on his IRIX machine in the office. It might be worth
> getting him to impart the knowledge of how to link that into the
> kernel into someone, and setting that up too.

Ipfilterd. At least that's what comes with the Irix os. Is this the one
Adrian? Seems like a very basic, but useable, fw. Prolly not as nifty as
netfilter.

> The thing with the SGIs is local security.. I don't think you can
> really trust them once someone has access. Who knows if we care,
> but probably worth thinking about.

Yeah. True.
But hopefully everyone in ucc picks good passwords for
their accounts ;)
Bah, who am I kidding...

> I guess if we apply all the SGI-provided patches we're probably
> safe *enough* from local exploits.. mm.

well, let's hope ucc members don't go exploiting irix and spend their
time on other, more interesting stuff ;)

-- 
Paul Marinceu
http://elixxir.ucc.asn.au

From adrian at ucc.gu.uwa.edu.au Thu Nov 20 11:59:48 2003
From: adrian at ucc.gu.uwa.edu.au (Adrian Chadd)
Date: Wed Oct 27 01:28:16 2004
Subject: [tech] SGI Security and r00tability
In-Reply-To: <20031119144700.GA81841@morwong.ucc.gu.uwa.edu.au>
References: <20031119105715.GA76010@morwong.ucc.gu.uwa.edu.au>
 <20031119140301.GA8829@angrygoats.net>
 <20031119144700.GA81841@morwong.ucc.gu.uwa.edu.au>
Message-ID: <20031120035948.GE65167@morwong.ucc.gu.uwa.edu.au>

On Wed, Nov 19, 2003, Paul Marinceu wrote:
> On Wed, Nov 19, 2003 at 10:03:01PM +0800, Grahame Bowland wrote:
> > Adrian has got Netfilter (is it that?) - some sort of BSDish IP filter,
> > anyway, working on his IRIX machine in the office. It might be worth
> > getting him to impart the knowledge of how to link that into the
> > kernel into someone, and setting that up too.
>
> Ipfilterd. At least that's what comes with the Irix os. Is this the one
> Adrian? Seems like a very basic, but useable, fw. Prolly not as nifty as
> netfilter.

ipfilterd is the suck. Don't use it. Use ipfilter. Google search for it,
SGI provide a pre-built package for your convenience.

> > The thing with the SGIs is local security.. I don't think you can
> > really trust them once someone has access. Who knows if we care,
> > but probably worth thinking about.
>
> Yeah. True.
> But hopefully everyone in ucc picks good passwords for
> their accounts ;)
> Bah, who am I kidding...

Gah. Just turn off external SSH into the SGI. Require people to log in at
the console.

And yes, I have 6.5.22 plus lotsa patches here. I just have to get them
going. I have a sacrificial indy to install it on when I find the time.

From alastair at ucc.gu.uwa.edu.au Thu Nov 20 13:00:38 2003
From: alastair at ucc.gu.uwa.edu.au (Alastair Irvine)
Date: Wed Oct 27 01:28:17 2004
Subject: [tech] mutt on mooneye
Message-ID: <20031120050038.GA101755@morwong.ucc.gu.uwa.edu.au>

In my .procmailrc, the spam detector rule has the following action:

  |cat > /tmp/spam.msg ; echo blah|mutt -a /tmp/spam.msg -s "hwaaarf"

(where is my spam reporting address at spamcop.net)

This fails, presumably since mutt is no longer present on morwong. Can
someone please recommend an alternative that can do MIME attachments or
install mutt?

-- 
... Circle: A line that meets its other end without ending.
 _____________________________________________________________________
|                                                                     |
| -=*Alastair Irvine*=-                                               |
| C-monkey/wanderer/board&RPGer/net-nut    alastair@ucc.gu.uwa.edu.au |
|_____________________________________________________________________|

From elixxir at ucc.asn.au Thu Nov 20 13:45:15 2003
From: elixxir at ucc.asn.au (Paul Marinceu)
Date: Wed Oct 27 01:28:17 2004
Subject: [tech] SGI Security and r00tability
In-Reply-To: <20031120035948.GE65167@morwong.ucc.gu.uwa.edu.au>
References: <20031119105715.GA76010@morwong.ucc.gu.uwa.edu.au>
 <20031119140301.GA8829@angrygoats.net>
 <20031119144700.GA81841@morwong.ucc.gu.uwa.edu.au>
 <20031120035948.GE65167@morwong.ucc.gu.uwa.edu.au>
Message-ID: <20031120054513.GA102824@morwong.ucc.gu.uwa.edu.au>

On Thu, Nov 20, 2003 at 11:59:48AM +0800, Adrian Chadd wrote:
> Gah. Just turn off external SSH into the SGI. Require people to log in at the
> console.

That can work ;) However, I'd like to keep logins at least for one sgi,
just for reference, when I screw things up on my indy at 11pm.

> And yes, I have 6.5.22 plus lotsa patches here. I just have to get them
> going. I have a sacrificial indy to install it on when I find the time.

That's excellent.

-- 
Paul Marinceu
http://elixxir.ucc.asn.au

From bernard at blackham.com.au Fri Nov 21 01:23:21 2003
From: bernard at blackham.com.au (Bernard Blackham)
Date: Wed Oct 27 01:28:17 2004
Subject: [tech] whats happened
Message-ID: <20031120172321.GF16698@amidala>

Brain dump:

- removed a bunch of system gids from NIS, as they were clashing
  and contained no actual users. pre-change version is in
  /var/yp/src/group.presystemripout. I don't *think* this should
  break anything, but if it does, just put the offending ones back.

- dispense is happy again. Took some hacking to get it to work
  properly, but it'll get a rewrite these holidays. I promise :)

- door should open too. hasn't been tested though.

- IMAP server is now dovecot. It's more secure, faster, and doesn't
  let people crawl all over mooneye's filesystem

- firewalls on all the reinstalled machines are in
  /etc/init.d/ucc-fw . They're pretty tight, so if something
  network related isn't working, it's most probably this.
  They are activated from /etc/rcS.d/S41ucc-fw, and also when
  bringing up the world-accessible aliases (ssh, telnet,
  flame-tunnel), to make sure the NAT stuff works.

Methinks that's all for now.

Bernard.

-- 
Bernard Blackham
bernard at blackham dot com dot au

From grahame at angrygoats.net Fri Nov 21 04:16:33 2003
From: grahame at angrygoats.net (Grahame Bowland)
Date: Wed Oct 27 01:28:17 2004
Subject: [tech] whats happened
In-Reply-To: <20031120172321.GF16698@amidala>
References: <20031120172321.GF16698@amidala>
Message-ID: <20031120201633.GA31928@angrygoats.net>

On Fri, Nov 21, 2003 at 01:23:21AM +0800, Bernard Blackham wrote:
> Brain dump:
>
> - removed a bunch of system gids from NIS, as they were clashing
>   and contained no actual users. pre-change version is in
>   /var/yp/src/group.presystemripout. I don't *think* this should
>   break anything, but if it does, just put the offending ones back.
>
> - dispense is happy again. Took some hacking to get it to work
>   properly, but it'll get a rewrite these holidays. I promise :)
>
> - door should open too. hasn't been tested though.
>
> - IMAP server is now dovecot. It's more secure, faster, and doesn't
>   let people crawl all over mooneye's filesystem
>
> - firewalls on all the reinstalled machines are in
>   /etc/init.d/ucc-fw . They're pretty tight, so if something
>   network related isn't working, it's most probably this.
>   They are activated from /etc/rcS.d/S41ucc-fw, and also when
>   bringing up the world-accessible aliases (ssh, telnet,
>   flame-tunnel), to make sure the NAT stuff works.
>
> Methinks that's all for now.

In /etc/init.d/ucc-fw:
# and now the v6 firewall.

ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

Style *grin*

Thanks for all your work Bernard and everyone else that got UCC back.
Sorry for not helping much, I'll erm, help more in future :-)

From trent at ucc.gu.uwa.edu.au Fri Nov 21 09:36:22 2003
From: trent at ucc.gu.uwa.edu.au (Trent Lloyd)
Date: Wed Oct 27 01:28:17 2004
Subject: [tech] whats happened
In-Reply-To: <20031120201633.GA31928@angrygoats.net>
References: <20031120172321.GF16698@amidala>
 <20031120201633.GA31928@angrygoats.net>
Message-ID: <20031121013622.GA134008@morwong.ucc.gu.uwa.edu.au>

> In /etc/init.d/ucc-fw:
> # and now the v6 firewall.
>
> ip6tables -F
> ip6tables -P INPUT DROP
> ip6tables -P OUTPUT DROP
> ip6tables -P FORWARD DROP
>
> Style *grin*

*grrr*

ip6tables -A INPUT -p tcp -m multiport --ports 22,80 -j ACCEPT
ip6tables -A INPUT -p tcp ! --syn -j ACCEPT

From elixxir at ucc.asn.au Fri Nov 21 12:41:46 2003
From: elixxir at ucc.asn.au (Paul Marinceu)
Date: Wed Oct 27 01:28:18 2004
Subject: [tech] whats happened
In-Reply-To: <20031120172321.GF16698@amidala>
References: <20031120172321.GF16698@amidala>
Message-ID: <20031121044146.GA138650@morwong.ucc.gu.uwa.edu.au>

On Fri, Nov 21, 2003 at 01:23:21AM +0800, Bernard Blackham wrote:
>
> - firewalls on all the reinstalled machines are in
>   /etc/init.d/ucc-fw . They're pretty tight, so if something
>   network related isn't working, it's most probably this.
>   They are activated from /etc/rcS.d/S41ucc-fw, and also when
>   bringing up the world-accessible aliases (ssh, telnet,
>   flame-tunnel), to make sure the NAT stuff works.
>
> Methinks that's all for now.

Nice.
How about some logging rules...may come in handy
Also:
- rp_filter and other various things in /proc/sys/net/ipv4/
- syn_cookies (useful??)
- other...

I can add these changes if people don't mind.

-- 
Paul Marinceu
http://elixxir.ucc.asn.au

From elixxir at ucc.asn.au Fri Nov 21 12:51:45 2003
From: elixxir at ucc.asn.au (Paul Marinceu)
Date: Wed Oct 27 01:28:18 2004
Subject: [tech] whats happened
In-Reply-To: <20031121044146.GA138650@morwong.ucc.gu.uwa.edu.au>
References: <20031120172321.GF16698@amidala>
 <20031121044146.GA138650@morwong.ucc.gu.uwa.edu.au>
Message-ID: <20031121045145.GA139308@morwong.ucc.gu.uwa.edu.au>

On Fri, Nov 21, 2003 at 12:41:46PM +0800, Paul Marinceu wrote:
> How about some logging rules...may come in handy

actually, maybe not.

-- 
Paul Marinceu
http://elixxir.ucc.asn.au

From bernard at blackham.com.au Fri Nov 21 14:04:45 2003
From: bernard at blackham.com.au (Bernard Blackham)
Date: Wed Oct 27 01:28:18 2004
Subject: [tech] whats happened
In-Reply-To: <20031121044146.GA138650@morwong.ucc.gu.uwa.edu.au>
References: <20031120172321.GF16698@amidala>
 <20031121044146.GA138650@morwong.ucc.gu.uwa.edu.au>
Message-ID: <20031121060444.GL16698@amidala>

On Fri, Nov 21, 2003 at 12:41:46PM +0800, Paul Marinceu wrote:
> How about some logging rules...may come in handy

In my experience firewall logs on busy machines become *very* noisy.
Though, what do people think should be usefully logged? Broadcast
traffic can probably be silently dropped (generally the biggest
offender of noisy logs).

> - rp_filter and other various things in /proc/sys/net/ipv4/

rp_filter is on by default. Most of the other settings have sensible
defaults - turning things on breaks random and obscure IP stacks.

> - syn_cookies (useful??)

Could be. Kernels weren't compiled with syn cookie support, but I
can redo them with it on the weekend.

> - other...

Mmmm, vagueness :)

I think they're relatively secure against being rooted by exploits
for the moment (ie, until the next security update comes along).
They should all be pretty safe from undiscovered buffer-overflow
exploits too.

Bernard.

-- 
Bernard Blackham
bernard at blackham dot com dot au

From elixxir at ucc.asn.au Fri Nov 21 15:42:35 2003
From: elixxir at ucc.asn.au (Paul Marinceu)
Date: Wed Oct 27 01:28:18 2004
Subject: [tech] whats happened
In-Reply-To: <20031121060444.GL16698@amidala>
References: <20031120172321.GF16698@amidala>
 <20031121044146.GA138650@morwong.ucc.gu.uwa.edu.au>
 <20031121060444.GL16698@amidala>
Message-ID: <20031121074234.GA143468@morwong.ucc.gu.uwa.edu.au>

On Fri, Nov 21, 2003 at 02:04:45PM +0800, Bernard Blackham wrote:
> In my experience firewall logs on busy machines become *very* noisy.
> Though, what do people think should be usefully logged? Broadcast
> traffic can probably be silently dropped (generally the biggest
> offender of noisy logs).

yeah, realized the unfeasibility of it and posted again. (forgot to cc
you)

> Could be. Kernels weren't compiled with syn cookie support, but I
> can redo them with it on the weekend.

oh, don't bother then. recompiling the kernel isn't worth it

>
> > - other...
>
> Mmmm, vagueness :)

heh. yeah. left it open ended in case I think of more ;)

> I think they're relatively secure against being rooted by exploits
> for the moment (ie, until the next security update comes along).
> They should all be pretty safe from undiscovered buffer-overflow
> exploits too.

yeah should be good now. And as James pointed out, the network's not
always the problem, though it pays to have a secure one.

damn. one can't have it both. security and openness.

-- 
Paul Marinceu
http://elixxir.ucc.asn.au

From acolyte at ucc.gu.uwa.edu.au Fri Nov 21 16:03:07 2003
From: acolyte at ucc.gu.uwa.edu.au (Andrew Bailey)
Date: Wed Oct 27 01:28:18 2004
Subject: [tech] whats happened
In-Reply-To: <20031121074234.GA143468@morwong.ucc.gu.uwa.edu.au>
References: <20031120172321.GF16698@amidala>
 <20031121044146.GA138650@morwong.ucc.gu.uwa.edu.au>
 <20031121060444.GL16698@amidala>
 <20031121074234.GA143468@morwong.ucc.gu.uwa.edu.au>
Message-ID: <20031121080307.GA131778@morwong.ucc.gu.uwa.edu.au>

On Fri, Nov 21, 2003 at 03:42:35PM +0800, Paul Marinceu wrote:
>
> damn. one can't have it both. security and openness.
>

Shh! The open source weeni^H^H^H^H^Hpeople might hear you!

Andrew.

-- 
"The hot dog eating contest is not only a beautiful display of
athleticism, it is a fundamental way for citizens of all nations to
display patriotism," - Wayne Norbitz

From bernard at blackham.com.au Sat Nov 22 14:48:59 2003
From: bernard at blackham.com.au (Bernard Blackham)
Date: Wed Oct 27 01:28:19 2004
Subject: [tech] whats happened
In-Reply-To: <20031120172321.GF16698@amidala>
References: <20031120172321.GF16698@amidala>
Message-ID: <20031122064858.GP16698@amidala>

On Fri, Nov 21, 2003 at 01:23:21AM +0800, Bernard Blackham wrote:
> - removed a bunch of system gids from NIS, as they were clashing
>   and contained no actual users. pre-change version is in
>   /var/yp/src/group.presystemripout. I don't *think* this should
>   break anything, but if it does, just put the offending ones back.

Oh yeah, the other thing:

- killed morwong's yppasswd and replaced it from one compiled out
  of debian sources, and hacked the nis init script to match.

  This unfortunately got rid of the long pause after changing
  passwords and the infamous "Your password may or may not have
  been changed" message.

-- 
Bernard Blackham
bernard at blackham dot com dot au

From lathiat at sixlabs.org Sun Nov 23 23:32:33 2003
From: lathiat at sixlabs.org (Trent Lloyd)
Date: Wed Oct 27 01:28:19 2004
Subject: [tech] transfer speeds
Message-ID: <20031123153233.GA7595@sixlabs.org>

Hrm, think something's up with the network or something.

FTP ftp.uwa.edu.au->cobbler = 1.20MB/s
SCP mussel.ucc->seven.sixlabs = 60KB/s
FTP ftp.uwa.edu.au_.seven = 3MB/s

hrm...

-- 
[ Trent "Lathiat" Lloyd  lathi@sixlabs.org ]/ "You sure as hell shouldn't be   \
[ tlhIngan Hol Dajatlh'e   www.sixlabs.org ]| fingering my toaster" -Linus     |
[ GPG Key Id: 0x04AB3C5D        www.bur.st ]| Torvalds, LCA2003 Speakers dinner|
[ IPv6 Conference  http://conf.sixlabs.org ]\ talking about ipv6 with me       /

From bernard at blackham.com.au Mon Nov 24 08:55:55 2003
From: bernard at blackham.com.au (Bernard Blackham)
Date: Wed Oct 27 01:28:19 2004
Subject: [tech] transfer speeds
In-Reply-To: <20031123153233.GA7595@sixlabs.org>
References: <20031123153233.GA7595@sixlabs.org>
Message-ID: <20031124005555.GK859@amidala>

On Sun, Nov 23, 2003 at 11:32:33PM +0800, Trent Lloyd wrote:
> FTP ftp.uwa.edu.au->cobbler = 1.20MB/s
> SCP mussel.ucc->seven.sixlabs = 60KB/s
> FTP ftp.uwa.edu.au_.seven = 3MB/s

Using ~dagobah/speed-test-server.pl, I'm getting ~9MB/s most places,
except anything involving mussel. Could be its dodgy cable (see
ifconfig eth0 on mussel) - will have a look today.

-- 
Bernard Blackham
bernard at blackham dot com dot au

From adrian at ucc.gu.uwa.edu.au Mon Nov 24 12:04:14 2003
From: adrian at ucc.gu.uwa.edu.au (Adrian Chadd)
Date: Wed Oct 27 01:28:19 2004
Subject: [tech] whats happened
In-Reply-To: <20031122064858.GP16698@amidala>
References: <20031120172321.GF16698@amidala>
 <20031122064858.GP16698@amidala>
Message-ID: <20031124040413.GH65167@morwong.ucc.gu.uwa.edu.au>

On Sat, Nov 22, 2003, Bernard Blackham wrote:
> On Fri, Nov 21, 2003 at 01:23:21AM +0800, Bernard Blackham wrote:
> > - removed a bunch of system gids from NIS, as they were clashing
> >   and contained no actual users. pre-change version is in
> >   /var/yp/src/group.presystemripout. I don't *think* this should
> >   break anything, but if it does, just put the offending ones back.
>
> Oh yeah, the other thing:
>
> - killed morwong's yppasswd and replaced it from one compiled out
>   of debian sources, and hacked the nis init script to match.
>
>   This unfortunately got rid of the long pause after changing
>   passwords and the infamous "Your password may or may not have
>   been changed" message.

Make sure it's a symlink and you have a copy somewhere else.
You might find it replaced by an upgrade.

adrian

From bernard at blackham.com.au Mon Nov 24 23:15:35 2003
From: bernard at blackham.com.au (Bernard Blackham)
Date: Wed Oct 27 01:28:19 2004
Subject: [tech] whats happened
In-Reply-To: <20031124040413.GH65167@morwong.ucc.gu.uwa.edu.au>
References: <20031120172321.GF16698@amidala>
 <20031122064858.GP16698@amidala>
 <20031124040413.GH65167@morwong.ucc.gu.uwa.edu.au>
Message-ID: <20031124151535.GA18208@amidala>

On Mon, Nov 24, 2003 at 12:04:14PM +0800, Adrian Chadd wrote:
> > - killed morwong's yppasswd and replaced it from one compiled out
> >   of debian sources, and hacked the nis init script to match.
>
> Make sure it's a symlink and you have a copy somewhere else.
> You might find it replaced by an upgrade.

Old one was moved to /usr/sbin/rpc.yppasswdd.old. New one is in
/usr/local/sbin/rpc.yppasswdd, so if worst comes to worst, the init
script also changes on upgrade and fires up Tru64's one.

Bernard.
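
Added example, not code from the list or from /etc/init.d/ucc-fw: a small Python model of the two ip6tables INPUT rules posted earlier in this "whats happened" thread under the DROP policy, compared with a tightened variant. The sample packets, the unlisted port 9999 and the tightened rules (which assume a kernel with IPv6 connection tracking and allow the neighbour discovery ICMPv6 types) are constructed for illustration.

```python
from dataclasses import dataclass

SERVICES = {22, 80}          # ports named in the posted rule
NDP_TYPES = (134, 135, 136)  # router advert, neighbour solicit/advert


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str                      # "tcp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags that are set
    icmp_type: int = -1
    tracked: bool = False           # conntrack already knows this flow


def is_syn(p):
    # iptables --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
    return p.proto == "tcp" and p.flags & {"SYN", "RST", "ACK", "FIN"} == {"SYN"}


# The two rules as posted. multiport --ports matches when EITHER the
# source or the destination port is in the list.
POSTED = [
    ("-p tcp -m multiport --ports 22,80 -j ACCEPT",
     lambda p: p.proto == "tcp" and (p.sport in SERVICES or p.dport in SERVICES)),
    ("-p tcp ! --syn -j ACCEPT",
     lambda p: p.proto == "tcp" and not is_syn(p)),
]

# Assumed tightened variant (not from the thread): stateful accept,
# destination-port match for new connections, and the ICMPv6 types a
# host needs to receive for neighbour discovery.
TIGHTENED = [
    ("-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
     lambda p: p.tracked),
    ("-p tcp --syn -m multiport --dports 22,80 -j ACCEPT",
     lambda p: is_syn(p) and p.dport in SERVICES),
] + [
    (f"-p ipv6-icmp --icmpv6-type {t} -j ACCEPT",
     lambda p, t=t: p.proto == "icmpv6" and p.icmp_type == t)
    for t in NDP_TYPES
]

# Constructed sample traffic.
PACKETS = [
    Packet("new ssh connection", "tcp", 40000, 22, frozenset({"SYN"})),
    Packet("ssh data on tracked connection", "tcp", 40000, 22,
           frozenset({"ACK"}), tracked=True),
    Packet("SYN to unlisted port, source port 80", "tcp", 80, 9999,
           frozenset({"SYN"})),
    Packet("stray ACK to unlisted port", "tcp", 40000, 9999,
           frozenset({"ACK"})),
    Packet("neighbour solicitation", "icmpv6", icmp_type=135),
]


def evaluate(rules, pkt, policy="DROP"):
    """First matching rule wins; otherwise the chain policy applies."""
    for text, match in rules:
        if match(pkt):
            return "ACCEPT", text
    return policy, "policy"


def audit():
    """Verdict of each rule set for every sample packet."""
    return [(p.name, evaluate(POSTED, p)[0], evaluate(TIGHTENED, p)[0])
            for p in PACKETS]


if __name__ == "__main__":
    for name, posted, tightened in audit():
        print(f"{name:40} posted={posted:6} tightened={tightened}")
```

The rows where the two verdicts differ are the ones to review: traffic to unlisted ports that the stateless rules let through, and neighbour discovery that a bare DROP policy discards.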