From rick Mon Jan 19 06:42:05 1998
Return-Path:
Received: (from rick@localhost) by hugin.imat.com (8.8.8/8.8.8) id GAA18573; Mon, 19 Jan 1998 06:34:56 -0800
From: Rick Moen
Message-Id: <199801191434.GAA18573@hugin.imat.com>
Subject: Improvements at hugin
To: alicem@hugin.imat.com (Alice Mercer), wot@hugin.imat.com, cydny@hugin.imat.com (Cydny Fire Eisner), duncan@substance.com (Duncan MacKinnon), jbpuig@hugin.imat.com (Joseph B. Puig III), mikeh@hugin.imat.com (Mike Higashi), sheaffer@hugin.imat.com (Robert Sheaffer)
Date: Mon, 19 Jan 1998 06:34:55 -0800 (PST)
Content-Type: text
Status: RO

I just fixed a bunch of things.

1. Installed quite a lot of update packages to Red Hat 4.2, including perl 5.004 (security fix), elm 2.4.25 rev. 8, lynx 2.7.1 rev. 8, ncftp 2.4.2 rev. 4, and quite a number of others, which you'll find among the files in /usr/local/src/installed/.

2. New Apache 1.2.5. Now runs as user & group "httpd", rather than "nobody". You'll see new generic icons in /usr/local/etc/httpd/icons/, reachable in "http://" references as directory /icons/. Logs in /var/log/httpd/ will now be properly aged by the logrotate facility. Also put in a newer version of the ftp daemon (another security fix).

3. Sendmail 8.8.8, with extensive anti-spam filtering. Mail from hosts/domains, e-mail addresses, and IP addresses listed in /etc/mail/deny will now be rejected, systemwide. Also, hugin will no longer relay e-mail. (That is, mail originating from another host will no longer be accepted if it's addressed to a non-hugin address.)

4. In case anyone else cares, I've compiled & installed the very latest tin v. 1.4 beta (newsreader).

5. Compiled and installed pgp 5.0 (international), beta 8a.

6. Compiled and installed ssh v. 1.2.21. We are once again running sshd (the ssh daemon), and offer all ssh client services (such as scp).

7. Compiled and installed HSC v. 0.915 and SP 1.2 (HTML/SGML preprocessors).

8. Configured and installed file-upload.cgi in /usr/local/etc/httpd/cgi-bin. You'll find a test script for it in /usr/local/etc/httpd/html/waygate/upload.html. Haven't checked it, yet. Similarly, there's a "man.cgi" script that's said to give Web-based access to system "man" pages. Haven't tested that, either.

9. Installed support for Network Time Protocol (as a client).

10. Repaired dangling symlinks throughout the system, and converted them to relative directory references, where they used absolute paths.

As always, if you see anything wrong, please let me know.

-- 
Cheers,                      The Viking's Reminder:
Rick Moen                    Pillage first, _then_ burn.
rick (at) hugin.imat.com


From rick Tue Sep 14 02:13:52 1999
Received: (from rick@localhost) by hugin.imat.com (8.9.3/8.9.3/Debian/GNU) id BAA09066; Tue, 14 Sep 1999 01:13:17 -0700
Date: Tue, 14 Sep 1999 01:13:17 -0700
From: Rick Moen
To: Alice Mercer, Robert Sheaffer, Anson Kennedy, Duncan MacKinnon, Richard Couture, Bill Garrett, "Joseph B. Puig III", Doug Lym, "Viren R. Shah", Cydny Fire Eisner, Karl-Johan Noren, Matthew Hunter, Don Marti, Kate Talbot, Terry Preston, "R.M. Boye", Mike Higashi, "P. Korda", Nick Moffitt, Hironori Sato, Hiroyuki Nishimura, Deirdre Saoirse, John Mark Walker, Ed Tast, Nicole Harrington
Subject: Hello, ssh & scp. Goodbye, telnet and (non-anonymous) ftp
Message-ID: <19990914011316.E8674@hugin.imat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
X-WebTV-Stationery: Standard; BGColor=black; TextColor=black
X-fnord: +++ath
X-CABAL: There is no CABAL.
X-CABAL-URL: There is no http://linuxmafia.com/cabal/
X-Eric-Conspiracy: There is no conspiracy.
X-Eric-regex-matching: There are no stealth members of the conspiracy.
Status: RO
Content-Length: 4441
Lines: 124

Greetings, O Users.

You're about to make the acquaintance of ssh (secure sh=shell -- a secure replacement for telnet) and scp (secure cp=copy -- a secure replacement for ftp & rcp).

Why? Because I'm disabling all incoming telnet and ftp connections (except for anonymous incoming ftp). For security reasons. Any time you open a telnet or ftp connection, you send your password in plaintext across the open Internet, allowing people sniffing passwords to effortlessly log your password and then pretend to be you. So, I am closing off those protocols (in-bound), on this system.

You will (or may) need new client software. Ordinary telnet clients will not do ssh, and ordinary ftp clients will not do scp. A complete list of such software is at http://linuxmafia.com/pub/linux/security/ssh-clients

A few obvious choices:

UNIX PLATFORMS (Linux, *BSD, etc.):
SSH -- ftp://ftp.cs.hut.fi/pub/ssh/ssh-1.2.27.tar.gz
or http://linuxmafia.com/pub/linux/security/ssh-1.2.27.tar.gz
(Heck, if you're on Unix, you probably already have it.)
Licence: Effectively free. Distributed as source code, sometimes also as binaries.

MICROSOFT WIN32 PLATFORMS (Win9x, WinNT):
Chaffee SSH -- ftp://ftp.cs.hut.fi/pub/ssh/contrib/ssh-1.2.22-Win32-Beta1.zip
...requires Cygnus-GNUWin32 DLLS from ftp://sourceware.cygnus.com/pub/cygwin/latest/usertools.exe
Licence: Effectively free. Binary or source.

MACINTOSH OS:
NiftyTelnet SSH -- http://www.lysator.liu.se/~jonasw/download/niftytelnet-1.1-ssh-r3.hqx
Licence: Free-usage, no charge. Binary only.

All three of the above support _both_ ssh (remote shell) and scp (file copying between machines). Other clients on the list at http://linuxmafia.com/pub/linux/security/ssh-clients sometimes do only ssh, not scp.

SSH clients are available for: Java, MacintoshOS, PalmOS, Unix, VMS, Win32, and WinCE.

Anticipated Questions
---------------------

Q: Does this mean I have to _buy_ new software?
A: No. The zero-cost ssh/scp client packages work just fine. (So do the payware proprietary ones, such as F-Secure SSH.)

Q: How about for Windows 3.x?
A: Run the Java client inside 16-bit Netscape for Windows.

Q: scp doesn't allow me to view directories the way ftp does!
A: So, open a second window, ssh here in that window, and do a directory listing in _that_. ("ls -al")

Q: But what if I'm visiting a machine that doesn't have an ssh client?
A: Install one. Open your Web browser to http://linuxmafia.com/pub/linux/security/, and browse the "ssh-clients" listing to find a suitable client package.

Q: But what if they won't let me install software?
A: Then you lose. Suggest they join the 20th century before it's over.

Q: Are you going to remove the telnet and ftp _clients_ from your system?
A: No. I'm just disabling the servers for _incoming_ telnet and (non-anonymous) ftp connections. Outgoing is unaffected.

Q: Why is anonymous ftp OK, but all other ftp is bad?
A: As with regular ftp, anonymous ftp transmits a password in plaintext, but that password has no security significance. (By convention, it's the user's e-mail address.) The bad guys can sniff and log those all they want.

Q: How do I run an ssh/scp _server_ on my end?
A: On Unix, get and install ssh 1.2.27. Otherwise, I have no idea.

Q: What's the syntax for command-line ssh and scp?
A: (Note that for some ssh or scp clients, such as PuTTY for MS Windows and NiftyTelnet SSH for Macintosh OS, this is irrelevant because they're GUI programs.) Like this:

    ssh username@linuxmafia.com
    scp localfile username@linuxmafia.com:[directorypath][/remotefilename]

Q: Are you doing this just to make my life complicated?
A: No, that's just a fringe-benefit. (Actually, it's necessary for some semblance of system security.)

Q: Isn't the POP3 protocol equally a problem because of plaintext passwords?
A: Regular POP3 is. APOP (Advanced POP) isn't, and I'll be migrating towards that, soon.

Q: Is there anything else I can or should do to help?
A: Yes! FOR CRYING OUT LOUD, _don't_ use the same password here as on other systems. OK?

I'm sure y'all will have more questions. Feel free to hit me with 'em.

-- 
Cheers,                   Linux: It is now safe to turn on your computer.
Rick Moen
rick (at) linuxmafia.com


From rick Thu Sep 2 16:28:58 1999
Received: (from rick@localhost) by hugin.imat.com (8.9.3/8.9.3/Debian/GNU) id QAA16656 for tpreston; Thu, 2 Sep 1999 16:28:57 -0700
Date: Thu, 2 Sep 1999 16:28:57 -0700
From: Rick Moen
To: Terry Preston
Subject: All .GIFs must be gone by 31 Dec 1999
Message-ID: <19990902162856.G15426@hugin.imat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
X-WebTV-Stationery: Standard; BGColor=black; TextColor=black
X-fnord: +++ath
X-CABAL: There is no CABAL.
X-CABAL-URL: There is no http://linuxmafia.com/cabal/
X-Eric-Conspiracy: There is no conspiracy.
X-Eric-regex-matching: There are no stealth members of the conspiracy.
Status: RO
Content-Length: 2196
Lines: 46

As you may or may not have read, Unisys Corp. is now enforcing against _all Web sites_ its patent on the LZW compression used in GIF images. Sites that contain .gif images are being required to pay $5000 licence fees (unless all their .gifs were produced by Unisys-licenced software).

Because of this, I am forced to require removal of all GIF images from my Web server. Including yours. All must be gone by 31 December 1999, or I will delete them on New Year's Day.

You may want to convert your images to a suitable format. "PNG" format is best. Failing that, I use JPEG.

"hugin" has a command-line tool (gif2png) that works to convert _some_ GIF files to PNG. It always terminates with an error ("segmentation fault"), but sometimes produces a usable PNG image before dying. Other useful software on Unix desktop OSes include xv and Electric Eyes. (I used xv to convert all GIFs in hugin's main Web tree and my personal pages.) I'm not sure what you would use on legacy Windows or Macintosh OSes.

Don't forget to change references to those files on your Web pages!

For your convenience, following is a list of all publicly-accessible .GIF files in your directories. All _will_ be deleted if they're still around after year's end. (Please note that I don't care about .GIFs you keep in directories that aren't Web-accessible.)

/home/tpreston/public_html/bulldogl.gif
/home/tpreston/public_html/images/about.gif
/home/tpreston/public_html/images/articles.gif
/home/tpreston/public_html/images/blueline.gif
/home/tpreston/public_html/images/events.gif
/home/tpreston/public_html/images/home.gif
/home/tpreston/public_html/images/leftdonk.gif
/home/tpreston/public_html/images/links.gif
/home/tpreston/public_html/images/member.gif
/home/tpreston/public_html/images/midnite.gif
/home/tpreston/public_html/images/redline.gif
/home/tpreston/public_html/images/skull2.gif
/home/tpreston/public_html/images/skulline.gif
/home/tpreston/public_html/images/starline.gif
/home/tpreston/public_html/images/tiedye.gif
/home/tpreston/public_html/images/treasure.gif
/home/tpreston/public_html/images/usflag.gif
/home/tpreston/public_html/images/welcome.gif
/home/tpreston/public_html/top10.gif


From rick Tue Jan 13 02:49:30 1998
Return-Path:
Received: (from rick@localhost) by hugin.imat.com (8.8.5/8.8.4) id CAA01860; Tue, 13 Jan 1998 02:49:19 -0800
From: Rick Moen
Message-Id: <199801131049.CAA01860@hugin.imat.com>
Subject: Re: What's changed; what's not
To: garrett@midnight.engr.sgi.com (Bill Garrett)
Date: Tue, 13 Jan 1998 02:49:18 -0800 (PST)
Cc: sysadmins@mail.sfpcug.org, sheaffer@hugin.imat.com (Robert Sheaffer), alicem@hugin.imat.com (Alice Mercer), cydny@hugin.imat.com (Cydny Fire Eisner), kjn@hugin.imat.com (Karl-Johan Noren), mhunter@hugin.imat.com (M. Hunter), viren@hugin.imat.com (Viren R. Shah)
In-Reply-To: <199801121734.JAA20695@midnight.engr.sgi.com> from "Bill Garrett" at Jan 12, 98 09:34:23 am
Content-Type: text
Status: RO
Content-Length: 1514
Lines: 31

Bill Garrett wrote:

> I'm unable to ftp or telnet to hugin right now (c. 9:30am, Monday).
> In both cases, the computer prompts for my name and password but
> denies access. Is this a problem remaining from hugin's troubles
> last week?

On Monday morning, hugin had hardware problems coming out its metaphorical ears, which I noticed when I came back from the East Bay, Monday morning. It was getting a large number of SCSI errors whenever it tried to read its root drive (again), and, among other things, large portions of the System V init tree were unreadable.

I took just enough time to copy /var/spool/mail/rick to another machine, then tried a shutdown. The filesystem was so damaged that it wouldn't even do an orderly shutdown, so I power-cycled, and the root filesystem turned out to be so damaged that it wouldn't boot at all.

I've now switched to a different hard drive entirely, a new, short SCSI cable, and active termination. Hugin has had to be, once again, built from saved files, and I believe it to be back on-line.

We're still using a slow, 11-year-old SCSI adapter, because the machine's EISA configuration is so whacked out that it won't recognise either of my EISA SCSI adapters. Thus, the machine will be a bit slow until I can find out how to clear the EISA CMOS, and put my EISA adapter back.

-- 
Cheers,                      The Viking's Reminder:
Rick Moen                    Pillage first, _then_ burn.
rick (at) hugin.imat.com