From benjamin at py-soft.co.uk Sat Jul 1 08:03:32 2006
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 01 Jul 2006 16:03:32 +0100
Subject: [cAos] caos3 development
In-Reply-To: <001001c69954$7c101850$6600a8c0@astevens>
References: <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens>
Message-ID: <44A68EC4.2000602@py-soft.co.uk>

Arthur Stevens wrote:
> We are working on a new kernel for v3 and I think you will like the new
> added security options/features.

I was quite surprised to discover that cAos-2 doesn't have things like
syn flood protection enabled by default. Below are some entries which
I've added to my /etc/sysctl.conf file, which may add to the security
and stability of cAos-3:

[...]

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0

# Enable always defragging Protection
net.ipv4.ip_always_defrag = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1

Take care,

Ben

From tmattox at gmail.com Sat Jul 1 10:59:50 2006
From: tmattox at gmail.com (Tim Mattox)
Date: Sat, 1 Jul 2006 13:59:50 -0400
Subject: [cAos] caos3 development
In-Reply-To: <44A68EC4.2000602@py-soft.co.uk>
References: <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens> <44A68EC4.2000602@py-soft.co.uk>
Message-ID:

That sysctl.conf list looks good, AFAIK, except I object to ignoring ping
requests by default. Ping is a fundamental network diagnostic. For machines
which are potential targets for ping DDOS attacks, the sysadmin can easily
change that setting.
Maybe having it in the default sysctl.conf file, but initially commented out
would be good.

On 7/1/06, Benjamin Donnachie wrote:
> I was quite surprised to discover that cAos-2 doesn't have things like
> syn flood protection enabled by default. Below are some entries which
> I've added to my /etc/sysctl.conf file, which may add to the security
> and stability of cAos-3:
> [snip]
>
> # Enable ignoring ping request
> net.ipv4.icmp_echo_ignore_all = 1
>
> Take care,
>
> Ben

-- 
Tim Mattox - tmattox at gmail.com
http://homepage.mac.com/tmattox/
I'm a bright... http://www.the-brights.net/

From benjamin at py-soft.co.uk Sat Jul 1 14:38:07 2006
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 01 Jul 2006 22:38:07 +0100
Subject: [cAos] caos3 development
In-Reply-To:
References: <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens> <44A68EC4.2000602@py-soft.co.uk>
Message-ID: <44A6EB3F.4020105@py-soft.co.uk>

Tim Mattox wrote:
> That sysctl.conf list looks good, AFAIK, except I object to ignoring ping
> requests by default. Ping is a fundamental network diagnostic.

True - it makes sense to keep it for some machines.

I'd also like to suggest a version of apache with TRACE disabled, or
alternatively the following in the default config:

RewriteEngine On
# Disable trace
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Take care,

Ben

From martyn at theendofhistether.org.uk Sat Jul 1 15:03:40 2006
From: martyn at theendofhistether.org.uk (Martyn)
Date: Sat, 01 Jul 2006 23:03:40 +0100
Subject: [cAos] caos3 development
In-Reply-To: <20060604050900.GB14645@aries.runlevelzero.net>
References: <20060604050900.GB14645@aries.runlevelzero.net>
Message-ID: <44A6F13C.4090109@theendofhistether.org.uk>

Greg M. Kurtzer wrote:
>Our targeted user-base is clustered systems and
>servers for ISP, home and office. Secondary emphasis will include other
>more general distribution aspects.
>

Okay, I know I've not been very active recently - been involved in a
different type of community project, but just a couple of things I have to
routinely do on our cAos-2 servers :

* Recompile the kernel with the "register arguments" enabled - we use one
of two dsl modems that both have closed source drivers and their binary
modules require that. I know binary modules are yuk but for DSL modems at a
sensible price they're a necessary evil. An external(lan) dsl modem is not
an option for us.

* Install some external packages that I managed to lose the SRPMs for or
I'd import straight into c2 : Jabberd with mysql backend; hylafax; beep
(for remote diagnostics)

* And one I'd like to do but haven't looked far enough into - PC Speaker
dsp device - would you believe that even though we have two notes from our
diagnostic setup - one long and low and one high and short - no matter what
we ask (is it short or long, high or low, both) we still have to ask the
customer to place the phone by the machine 'cos they give us impossible
answers.

Anyway, not that I have much time at the moment, but I'd like to help with
c3, so first part is suggesting enhancements, I've done that, now I just
have to create time... easily done in the right programming language I
expect!

-- 
Martyn

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.infiscale.org/pipermail/caos/attachments/20060701/67725d76/attachment.html

From tmattox at gmail.com Sat Jul 1 15:51:44 2006
From: tmattox at gmail.com (Tim Mattox)
Date: Sat, 1 Jul 2006 18:51:44 -0400
Subject: [cAos] Audio Diagnostics for Clusters & Servers
Message-ID:

Martyn & others,

You might be interested in this public domain package:
http://aggregate.org/HELPME/
"Audio Diagnostics for Clusters & Server Farms"

It is kind of fun to play with...
On 7/1/06, Martyn wrote: [snip] > Install some external packages that I managed to lose the SRPMs for or I'd > import straight into c2 : Jabberd with mysql backend; hylafax; beep (for > remote diagnostics) > And one I'd like to do but haven't looked far enough into - PC Speaker dsp > device - would you believe that even though we have two notes from our > diagnostic setup - one long and low and one high and short - no matter what > we ask (is it short or long, high or low, both) we still have to ask the > customer to place the phone by the machine 'cos they give us impossible > answers. [snip] > -- > Martyn > -- Tim Mattox - tmattox at gmail.com http://homepage.mac.com/tmattox/ I'm a bright... http://www.the-brights.net/ From mej at caosity.org Wed Jul 5 12:04:50 2006 From: mej at caosity.org (Michael Jennings) Date: Wed, 5 Jul 2006 15:04:50 -0400 Subject: [cAos] Audio Diagnostics for Clusters & Servers In-Reply-To: References: Message-ID: <20060705190450.GA12917@kainx.org> On Saturday, 01 July 2006, at 18:51:44 (-0400), Tim Mattox wrote: > You might be interested in this public domain package: > http://aggregate.org/HELPME/ > "Audio Diagnostics for Clusters & Server Farms" > > It is kind of fun to play with... This is now packaged for caos as "helpme." Michael -- Michael Jennings (a.k.a. KainX) http://www.kainx.org/ n + 1, Inc., http://www.nplus1.net/ Author, Eterm (www.eterm.org) ----------------------------------------------------------------------- "It is possible to commit no mistakes and still lose. That is not a weakness; that is life." 
-- Captain Picard, "Peak Performance" From mej at caosity.org Wed Jul 5 13:31:11 2006 From: mej at caosity.org (Michael Jennings) Date: Wed, 5 Jul 2006 16:31:11 -0400 Subject: [cAos] caos3 development In-Reply-To: <44A6F13C.4090109@theendofhistether.org.uk> References: <20060604050900.GB14645@aries.runlevelzero.net> <44A6F13C.4090109@theendofhistether.org.uk> Message-ID: <20060705203111.GE12917@kainx.org> On Saturday, 01 July 2006, at 23:03:40 (+0100), Martyn wrote: > * Recompile the kernel with the "register arguments" enabled - we > use one of two dsl modems that both have closed source drivers and > their binary modules require that. I know binary modules are yuk > but for DSL modems at a sensible price they're a neccesary evil. > An external(lan) dsl modem is not an option for us. The best solution here may be to set up your own internal yum repo and build custom kernels based on the caos packages but with your config changes merged in. Mezzanine should make this pretty simple for you. > * Install some external packages that I managed to lose the SRPMs > for or I'd import straight into c2 : Jabberd with mysql backend; > hylafax; beep (for remote diagnostics) I'm currently working on a jabberd package. The autobuilder is having some trouble with it due to dependencies; you can view the build log here: http://mirror.caosity.org/cAos-2/ext/autobuilder/i386/00_LOGS/comm/jabberd/jabberd.log.broken I've committed a package for the "helpme" program Tim pointed out; it may be better than what you're using. As for hylafax, I just imported 4.3.0.5 from SF. Assuming the autobuilder doesn't have an issue with it, it should be available soon. Michael -- Michael Jennings (a.k.a. KainX) http://www.kainx.org/ n + 1, Inc., http://www.nplus1.net/ Author, Eterm (www.eterm.org) ----------------------------------------------------------------------- "Even in my heart I see you're not being true to me. Deep within my soul I feel nothing's like it used to be." 
-- Backstreet Boys, "Quit Playing Games (With My Heart)"

From mej at caosity.org Wed Jul 5 13:35:46 2006
From: mej at caosity.org (Michael Jennings)
Date: Wed, 5 Jul 2006 16:35:46 -0400
Subject: [cAos] caos3 development
In-Reply-To: <44A6EB3F.4020105@py-soft.co.uk> <44A68EC4.2000602@py-soft.co.uk> <44A403FF.9040306@py-soft.co.uk>
References: <001001c69954$7c101850$6600a8c0@astevens> <44A68EC4.2000602@py-soft.co.uk> <44A6EB3F.4020105@py-soft.co.uk> <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens> <44A68EC4.2000602@py-soft.co.uk> <20060604050900.GB14645@aries.runlevelzero.net> <44A403FF.9040306@py-soft.co.uk>
Message-ID: <20060705203546.GF12917@kainx.org>

On Thursday, 29 June 2006, at 17:46:55 (+0100),
Benjamin Donnachie wrote:

> I just thought - are there any plans to incorporate the hardened php
> patches from http://www.hardened-php.net ?

Good idea. It should probably be a separate package, though. I'll
see what I can put together.

> # Enable TCP SYN Cookie Protection
> net.ipv4.tcp_syncookies = 1

Good default.

> # Disable ICMP Redirect Acceptance
> net.ipv4.conf.all.accept_redirects = 0

Bad default. Some routing configurations require proper handling of
redirects.

> # Enable always defragging Protection
> net.ipv4.ip_always_defrag = 1

Good.

> # Enable bad error message Protection
> net.ipv4.icmp_ignore_bogus_error_responses = 1

Good.

> # Enable ignoring broadcasts request
> net.ipv4.icmp_echo_ignore_broadcasts = 1

Bad. Broadcasts are useful and should work by default.

> # Log Spoofed Packets, Source Routed Packets, Redirect Packets
> net.ipv4.conf.all.log_martians = 1

Also bad. Logging "martians" has, in my experience, created significant
spew in the syslog, little to none of which is actually useful.

> # Enable ignoring ping request
> net.ipv4.icmp_echo_ignore_all = 1

Very bad default. Someone already mentioned why.
> I'd also like to suggest a version of apache with TRACE disabled, or
> alternatively the following in the default config:
>
> RewriteEngine On
> # Disable trace
> RewriteCond %{REQUEST_METHOD} ^TRACE
> RewriteRule .* - [F]

Can you explain exactly what this does, or point to an explanation? If
it does what it appears to do, wouldn't it be simpler to use a <Limit>
block and deny from all?

Michael

-- 
Michael Jennings (a.k.a. KainX) http://www.kainx.org/
n + 1, Inc., http://www.nplus1.net/
Author, Eterm (www.eterm.org)
-----------------------------------------------------------------------
"Grief can take care of itself, but to get the full value from joy,
you must have somebody to divide it with."
-- Mark Twain

From benjamin at py-soft.co.uk Wed Jul 5 15:04:13 2006
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Wed, 05 Jul 2006 23:04:13 +0100
Subject: [cAos] caos3 development
In-Reply-To: <20060705203546.GF12917@kainx.org>
References: <001001c69954$7c101850$6600a8c0@astevens> <44A68EC4.2000602@py-soft.co.uk> <44A6EB3F.4020105@py-soft.co.uk> <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens> <44A68EC4.2000602@py-soft.co.uk> <20060604050900.GB14645@aries.runlevelzero.net> <44A403FF.9040306@py-soft.co.uk> <20060705203546.GF12917@kainx.org>
Message-ID: <44AC375D.1040609@py-soft.co.uk>

Michael Jennings wrote:
>>I just thought - are there any plans to incorporate the hardened php
>>patches from http://www.hardened-php.net ?
> Good idea. It should probably be a separate package, though. I'll
> see what I can put together.

That's great! :-)

>># Enable TCP SYN Cookie Protection
>>net.ipv4.tcp_syncookies = 1
> Good default.

That's the one I was most interested in... :)

>>I'd also like to suggest a version of apache with TRACE disabled, or
>>alternatively the following in the default config:
> Can you explain exactly what this does, or point to an explanation?
It basically blocks all TRACE requests - see the following CERT
vulnerability note, http://www.kb.cert.org/vuls/id/867593

> If it does what it appears to do, wouldn't it be simpler to use a
> <Limit> block and deny from all?

Not according to the v2.0 docs,
http://httpd.apache.org/docs/2.0/mod/core.html#limit ...

[...] The method names listed can be one or more of: GET, POST, PUT,
DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE,
LOCK, and UNLOCK. The method name is case-sensitive. If GET is used it
will also restrict HEAD requests. **The TRACE method cannot be limited.**

Take care,

Ben

From benjamin at py-soft.co.uk Wed Jul 5 15:06:19 2006
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Wed, 05 Jul 2006 23:06:19 +0100
Subject: [cAos] caos3 development
In-Reply-To: <000601c68796$8cb7d5a0$6600a8c0@astevens>
References: <20060604050900.GB14645@aries.runlevelzero.net> <000601c68796$8cb7d5a0$6600a8c0@astevens>
Message-ID: <44AC37DB.40606@py-soft.co.uk>

Arthur Stevens wrote:
> I could not agree more. Focusing on horsepower and not the cupholders is by
> far the best decision yet!

What about a decent default install of snort? Perhaps AIDE too? The
latter could perhaps generate its database in the background when it's
installed...

I was too lazy to install these before and now I really wish I had...
Ben From mej at caosity.org Wed Jul 5 22:03:21 2006 From: mej at caosity.org (Michael Jennings) Date: Thu, 6 Jul 2006 01:03:21 -0400 Subject: [cAos] caos3 development In-Reply-To: <44AC37DB.40606@py-soft.co.uk> <44AC375D.1040609@py-soft.co.uk> References: <44A6EB3F.4020105@py-soft.co.uk> <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens> <44A68EC4.2000602@py-soft.co.uk> <20060604050900.GB14645@aries.runlevelzero.net> <44A403FF.9040306@py-soft.co.uk> <20060705203546.GF12917@kainx.org> <44AC375D.1040609@py-soft.co.uk> Message-ID: <20060706050321.GB15559@kainx.org> On Wednesday, 05 July 2006, at 23:04:13 (+0100), Benjamin Donnachie wrote: > That's great! :-) Patch is in. I put it in the php5 package; I don't see any reason why our default PHP shouldn't be hardened. :-) > That's the one I was most interested in... :) I'm sure the appropriate changes can be merged into caos3. Any discussion of possibly modifying the initscripts package in caos2 should move to caos-devel. > It basically blocks all TRACE requests - see the following CERT > vulnerability note, http://www.kb.cert.org/vuls/id/867593 Right you are. Sounds like a good idea to me. :-) > What about a decent default install of snort? Perhaps AIDE too? The > latter could perhaps generate it's database in the background when it's > installed... > > I was too lazy to install these before and now I really wish I had... Please feel free to contribute good default configurations. I don't use snort myself, which has a lot to do with why the default config may not be working. :} Michael -- Michael Jennings (a.k.a. KainX) http://www.kainx.org/ n + 1, Inc., http://www.nplus1.net/ Author, Eterm (www.eterm.org) ----------------------------------------------------------------------- "What can I do to make you mine? Falling so hard, so fast this time. What did I say? What did you do? How did I fall in love with you?" 
-- Backstreet Boys, "How Did I Fall in Love with You"

From benjamin at py-soft.co.uk Thu Jul 6 11:55:34 2006
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Thu, 06 Jul 2006 19:55:34 +0100
Subject: [cAos] caos3 development
In-Reply-To: <20060706050321.GB15559@kainx.org>
References: <44A6EB3F.4020105@py-soft.co.uk> <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens> <44A68EC4.2000602@py-soft.co.uk> <20060604050900.GB14645@aries.runlevelzero.net> <44A403FF.9040306@py-soft.co.uk> <20060705203546.GF12917@kainx.org> <44AC375D.1040609@py-soft.co.uk> <20060706050321.GB15559@kainx.org>
Message-ID: <44AD5CA6.6000201@py-soft.co.uk>

Michael Jennings wrote:
> Patch is in. I put it in the php5 package; I don't see any reason why
> our default PHP shouldn't be hardened. :-)

Makes perfect sense - many thanks! :-)

>> It basically blocks all TRACE requests - see the following CERT
>> vulnerability note, http://www.kb.cert.org/vuls/id/867593
> Right you are. Sounds like a good idea to me. :-)

Goodo! :-)

[Snort/Aide]
>> I was too lazy to install these before and now I really wish I had...
> Please feel free to contribute good default configurations. I don't
> use snort myself, which has a lot to do with why the default config
> may not be working. :}

I'm working on it (for cAos-2), but I'm far from having a "decent" default
config... in fact, they're both pretty cr@p at the moment and need a fair
bit of fine tuning... Sure I'll get there, eventually!
:) Ben From charlieb-caos at budge.apana.org.au Fri Jul 28 12:53:53 2006 From: charlieb-caos at budge.apana.org.au (Charlie Brady) Date: Fri, 28 Jul 2006 15:53:53 -0400 (EDT) Subject: [cAos] postfix -> qmail (Re: caos3 development) In-Reply-To: <001001c69954$7c101850$6600a8c0@astevens> References: <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens> Message-ID: On Mon, 26 Jun 2006, Arthur Stevens wrote: > We should hopefully be replacing postfix with qmail and some other > security related conversions as well. That's interesting indeed. I'm curious to know your reasons for replacing postfix with qmail. The SME server project is thinking of going the other way. We've been very happy with qmail, but there are a few corner cases where its behaviour can be problematic, and postfix is an easier sell than qmail. I'd very, very strongly recommend that you do not use qmail-smtpd. It lacks any capabilities for spam control, authentication and TLS, and its license doesn't allow it to be patched. We replaced it years ago and couldn't imagine going back. We originally used mailfront from Bruce Guenter, and in our latest release switched to qpsmtpd. If you do go ahead with the qmail conversion I'd suggest you have a close look at what we have done. What other security related conversions are in your plans? I'd suggest runit+ipsvd in place of *inetd. --- Charlie From charlieb-caos at budge.apana.org.au Fri Jul 28 12:55:08 2006 From: charlieb-caos at budge.apana.org.au (Charlie Brady) Date: Fri, 28 Jul 2006 15:55:08 -0400 (EDT) Subject: [cAos] php (Re: caos3 development) In-Reply-To: <44A403FF.9040306@py-soft.co.uk> References: <20060604050900.GB14645@aries.runlevelzero.net> <44A403FF.9040306@py-soft.co.uk> Message-ID: On Thu, 29 Jun 2006, Benjamin Donnachie wrote: > Greg M. Kurtzer wrote: >> To accommodate this, cAos-3 primary emphasis is performance, efficiency, >> services and security. 
Our targeted user-base is clustered systems and >> servers for ISP, home and office. > > I just thought - are there any plans to incorporate the hardened php > patches from http://www.hardened-php.net ? If you want a secure system, wouldn't you leave out php? From mej at caosity.org Fri Jul 28 15:43:39 2006 From: mej at caosity.org (Michael Jennings) Date: Fri, 28 Jul 2006 18:43:39 -0400 Subject: [cAos] php (Re: caos3 development) In-Reply-To: References: <20060604050900.GB14645@aries.runlevelzero.net> <44A403FF.9040306@py-soft.co.uk> Message-ID: <20060728224339.GB12944@kainx.org> On Friday, 28 July 2006, at 15:55:08 (-0400), Charlie Brady wrote: > If you want a secure system, wouldn't you leave out php? Some people need both. Like me. :-) Michael -- Michael Jennings (a.k.a. KainX) http://www.kainx.org/ n + 1, Inc., http://www.nplus1.net/ Author, Eterm (www.eterm.org) ----------------------------------------------------------------------- "When I was in prison, I was wrapped in all those deep books. That Tolstoy crap. People shouldn't read that stuff." -- boxer Mike Tyson on what he read before he decided he preferred comic books From charlieb-caos at budge.apana.org.au Fri Jul 28 12:14:14 2006 From: charlieb-caos at budge.apana.org.au (Charlie Brady) Date: Fri, 28 Jul 2006 15:14:14 -0400 (EDT) Subject: [cAos] noip-duc (Re: Quick question...) 
In-Reply-To: <4436A842.9000701@pythagoras.no-ip.org> References: <43886075.10504@pythagoras.no-ip.org> <20051126150634.GA19285@titan.runlevelzero.net> <438A38B3.5080800@pythagoras.no-ip.org> <20051128185421.GA14322@titan.runlevelzero.net> <4391E8FF.2080400@pythagoras.no-ip.org> <20051204020005.GA20378@titan.runlevelzero.net> <439B125B.9060908@pythagoras.no-ip.org> <44369B5E.8010609@pythagoras.no-ip.org> <20060407174240.GA29200@aries.runlevelzero.net> <4436A800.3010804@pythagoras.no-ip.org> <20060407175248.GB29200@aries.runlevelzero.net> <4436A842.9000701@pythagoras.no-ip.org> Message-ID: On Fri, 7 Apr 2006, Benjamin Donnachie wrote: > Greg M. Kurtzer wrote: >> Can you explain noip-duc a bit? I haven't seen that before. > > It's the dynamic IP update client for no-ip. Basically it regularly > checks your external IP and then updates your DNS record with no-ip if > it changes. Have you tried ddclient? I think it would be better for there to be one versatile DynDNS client than one special one for each DynDNS provider. From charlieb-caos at budge.apana.org.au Fri Jul 28 16:18:42 2006 From: charlieb-caos at budge.apana.org.au (Charlie Brady) Date: Fri, 28 Jul 2006 19:18:42 -0400 (EDT) Subject: [cAos] php (Re: caos3 development) In-Reply-To: <20060728224339.GB12944@kainx.org> References: <20060604050900.GB14645@aries.runlevelzero.net> <44A403FF.9040306@py-soft.co.uk> <20060728224339.GB12944@kainx.org> Message-ID: On Fri, 28 Jul 2006, Michael Jennings wrote: > On Friday, 28 July 2006, at 15:55:08 (-0400), > Charlie Brady wrote: > >> If you want a secure system, wouldn't you leave out php? > > Some people need both. Like me. :-) I don't think it is possible to have both. Unless you only use php as a command line tool. 
From mej at caosity.org Fri Jul 28 16:23:01 2006 From: mej at caosity.org (Michael Jennings) Date: Fri, 28 Jul 2006 19:23:01 -0400 Subject: [cAos] php (Re: caos3 development) In-Reply-To: References: <20060604050900.GB14645@aries.runlevelzero.net> <44A403FF.9040306@py-soft.co.uk> <20060728224339.GB12944@kainx.org> Message-ID: <20060728232301.GD12944@kainx.org> On Friday, 28 July 2006, at 19:18:42 (-0400), Charlie Brady wrote: > I don't think it is possible to have both. Unless you only use php > as a command line tool. I'm not sure that discussion is really on-topic here, and there's not much point in it anyway. Stuff is written in PHP. People want to run it on caos servers. That's pretty much the long and short of it. The only truly secure server is the one that's airgapped, powered off, and packed in a box. Everything above that is a series of tradeoffs between security and usefulness. Michael -- Michael Jennings (a.k.a. KainX) http://www.kainx.org/ n + 1, Inc., http://www.nplus1.net/ Author, Eterm (www.eterm.org) ----------------------------------------------------------------------- "It pleases me that you care for what I have become, but never forget who I was, what I am, and what I can do." -- Mira Furlan (Ambassador Delenn), Babylon Five From rick at linuxmafia.com Fri Jul 28 17:49:38 2006 From: rick at linuxmafia.com (Rick Moen) Date: Fri, 28 Jul 2006 17:49:38 -0700 Subject: [cAos] postfix -> qmail (Re: caos3 development) In-Reply-To: References: <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens> Message-ID: <20060729004937.GX10411@linuxmafia.com> Quoting Charlie Brady (charlieb-caos at budge.apana.org.au): > I'd very, very strongly recommend that you do not use qmail-smtpd. It > lacks any capabilities for spam control, authentication and TLS, and its > license doesn't allow it to be patched. Quibble: The licence doesn't allow patched qmail to be redistributed. 
Nothing stops you from patching it, and an incredible number of patches exist and are freely distributed -- as is the "netqmail" metapackage that upon installation autopatches the pristine v. 1.03 sources. (/me cherishes the irony of getting to speak on behalf of that MTA, being generally regarded by the DJBware coterie as the Devil Himself.) -- Cheers, Your eyes are weary from staring at the CRT. You feel Rick Moen sleepy. Notice how restful it is to watch the cursor rick at linuxmafia.com blink. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise. From charlieb-caos at budge.apana.org.au Sat Jul 29 17:21:39 2006 From: charlieb-caos at budge.apana.org.au (Charlie Brady) Date: Sat, 29 Jul 2006 20:21:39 -0400 (EDT) Subject: [cAos] postfix -> qmail (Re: caos3 development) In-Reply-To: <20060729004937.GX10411@linuxmafia.com> References: <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens> <20060729004937.GX10411@linuxmafia.com> Message-ID: On Fri, 28 Jul 2006, Rick Moen wrote: > Quoting Charlie Brady (charlieb-caos at budge.apana.org.au): > >> I'd very, very strongly recommend that you do not use qmail-smtpd. It >> lacks any capabilities for spam control, authentication and TLS, and its >> license doesn't allow it to be patched. > > Quibble: The licence doesn't allow patched qmail to be redistributed. Correct. Sorry I was imprecise, and thanks for correcting me. > Nothing stops you from patching it, and an incredible number of patches > exist and are freely distributed -- as is the "netqmail" metapackage > that upon installation autopatches the pristine v. 1.03 sources. All true, but I think that caos is distributed in binary and I don't think there is an intention to build packages on target hosts. A very high proportion of qmail patches are to qmail-smtpd, and there are very good alternatives to qmail-smtpd. 
The issue which qmail-send/qmail-remote have with 0.0.0.0 if it appears in MX records is significant (causing infinite mail loops), but you can work around that without patching using a pre-loaded library shim (as qmail-remote never usefully needs to connect to 0.0.0.0). There are a few other patches to qmail queue handling, but I've never found them to be necessary. > (/me cherishes the irony of getting to speak on behalf of that MTA, > being generally regarded by the DJBware coterie as the Devil Himself.) I'm sure you have competition :-) From gmk at runlevelzero.net Sat Jul 29 21:34:51 2006 From: gmk at runlevelzero.net (Greg Kurtzer) Date: Sat, 29 Jul 2006 21:34:51 -0700 Subject: [cAos] caos3 development In-Reply-To: <44AC37DB.40606@py-soft.co.uk> References: <20060604050900.GB14645@aries.runlevelzero.net> <000601c68796$8cb7d5a0$6600a8c0@astevens> <44AC37DB.40606@py-soft.co.uk> Message-ID: <87F68AE9-DA39-4D07-A5EB-D98B8C8FFAAD@runlevelzero.net> Once you get caos-3 installed, if you build packages for these, I can import them to the core distro. :) Let me know if you want a pre-release iso to start testing/building on. Thanks, Greg On Jul 5, 2006, at 3:06 PM, Benjamin Donnachie wrote: > Arthur Stevens wrote: >> I could not agree more. Focusing on horsepower and not the >> cupholders is by >> far the best decision yet! > > What about a decent default install of snort? Perhaps AIDE too? The > latter could perhaps generate it's database in the background when > it's > installed... > > I was too lazy to install these before and now I really wish I had... > > Ben > _______________________________________________ > cAos mailing list > cAos at caosity.org > http://lists.caosity.org/mailman/listinfo/caos -- Greg Kurtzer gmk at runlevelzero.net From gmk at runlevelzero.net Sat Jul 29 21:36:03 2006 From: gmk at runlevelzero.net (Greg Kurtzer) Date: Sat, 29 Jul 2006 21:36:03 -0700 Subject: [cAos] noip-duc (Re: Quick question...) 
In-Reply-To: 
References: <43886075.10504@pythagoras.no-ip.org> <20051126150634.GA19285@titan.runlevelzero.net> <438A38B3.5080800@pythagoras.no-ip.org> <20051128185421.GA14322@titan.runlevelzero.net> <4391E8FF.2080400@pythagoras.no-ip.org> <20051204020005.GA20378@titan.runlevelzero.net> <439B125B.9060908@pythagoras.no-ip.org> <44369B5E.8010609@pythagoras.no-ip.org> <20060407174240.GA29200@aries.runlevelzero.net> <4436A800.3010804@pythagoras.no-ip.org> <20060407175248.GB29200@aries.runlevelzero.net> <4436A842.9000701@pythagoras.no-ip.org>
Message-ID: 

I am unfamiliar. If nobody else has any other suggestions or comments, I
will add "ddclient" to my list of things to go into caos3.

Thanks,
Greg

On Jul 28, 2006, at 12:14 PM, Charlie Brady wrote:

> On Fri, 7 Apr 2006, Benjamin Donnachie wrote:
>
>> Greg M. Kurtzer wrote:
>>> Can you explain noip-duc a bit? I haven't seen that before.
>>
>> It's the dynamic IP update client for no-ip. Basically it regularly
>> checks your external IP and then updates your DNS record with no-ip if
>> it changes.
>
> Have you tried ddclient? I think it would be better for there to be one
> versatile DynDNS client than one special one for each DynDNS provider.
> _______________________________________________
> cAos mailing list
> cAos at caosity.org
> http://lists.caosity.org/mailman/listinfo/caos

-- 
Greg Kurtzer
gmk at runlevelzero.net


From gmk at runlevelzero.net Sat Jul 29 22:05:19 2006
From: gmk at runlevelzero.net (Greg Kurtzer)
Date: Sat, 29 Jul 2006 22:05:19 -0700
Subject: [cAos] php (Re: caos3 development)
In-Reply-To: 
References: <20060604050900.GB14645@aries.runlevelzero.net> <44A403FF.9040306@py-soft.co.uk>
Message-ID: 

We made a joke the other day about a bug in our secure kernel and it
panic'ing at boot. While we can almost guarantee that this particular
kernel will keep all attackers out, the system obviously won't be very
usable. We are trying to achieve a balance of secure and usable. ;-)

This applies to things like PHP. While it does increase risk, it is an
extremely utilized component of the niche we are targeting. So, the
solution is to harden the base system and then to include *but disable*
the components that increase risk.

For example, in sidekick you would have to enable httpd, and then on the
following menu of httpd options, you would have to enable php. By
default, both are disabled.

Greg

On Jul 28, 2006, at 12:55 PM, Charlie Brady wrote:

> On Thu, 29 Jun 2006, Benjamin Donnachie wrote:
>
>> Greg M. Kurtzer wrote:
>>> To accommodate this, cAos-3 primary emphasis is performance, efficiency,
>>> services and security. Our targeted user-base is clustered systems and
>>> servers for ISP, home and office.
>>
>> I just thought - are there any plans to incorporate the hardened php
>> patches from http://www.hardened-php.net ?
>
> If you want a secure system, wouldn't you leave out php?
> _______________________________________________
> cAos mailing list
> cAos at caosity.org
> http://lists.caosity.org/mailman/listinfo/caos

-- 
Greg Kurtzer
gmk at runlevelzero.net


From rick at linuxmafia.com Sun Jul 30 12:54:14 2006
From: rick at linuxmafia.com (Rick Moen)
Date: Sun, 30 Jul 2006 12:54:14 -0700
Subject: [cAos] postfix -> qmail (Re: caos3 development)
In-Reply-To: 
References: <20060604050900.GB14645@aries.runlevelzero.net> <449FC207.7080203@py-soft.co.uk> <001001c69954$7c101850$6600a8c0@astevens> <20060729004937.GX10411@linuxmafia.com>
Message-ID: <20060730195413.GB16338@linuxmafia.com>

Quoting Charlie Brady (charlieb-caos at budge.apana.org.au):

> I'm sure you have competition :-)

Well, one of the most fun things I've read in recent years was the epic
confrontation between Dan and Theo de Raadt, upon DJB's packages being
kicked out of the OpenBSD ports system.

The thread started here:
http://monkey.org/openbsd/archive/ports/0108/msg00459.html

...and I captured the gist of it for posterity, here:
http://linuxmafia.com/pub/humour/dan-versus-theo


From gmk at runlevelzero.net Mon Jul 31 07:48:02 2006
From: gmk at runlevelzero.net (Greg Kurtzer)
Date: Mon, 31 Jul 2006 07:48:02 -0700
Subject: [cAos] qmail and postfix
Message-ID: <4E755A27-92F1-4196-98D5-AB04870E954A@runlevelzero.net>

I have decided to package Postfix as the default MTA. While there are
certain advantages to both Qmail and Postfix and I personally don't mind
DJB's license limitations, we haven't been able to get authorization
from him to distribute our modified Qmail package.

BTW, caos-3 alpha will be released in the next day or so. Stay tuned for
the announcement!

-- 
Greg Kurtzer
gmk at runlevelzero.net


From charlieb-caos at budge.apana.org.au Mon Jul 31 11:01:45 2006
From: charlieb-caos at budge.apana.org.au (Charlie Brady)
Date: Mon, 31 Jul 2006 14:01:45 -0400 (EDT)
Subject: [cAos] qmail and postfix
In-Reply-To: <4E755A27-92F1-4196-98D5-AB04870E954A@runlevelzero.net>
References: <4E755A27-92F1-4196-98D5-AB04870E954A@runlevelzero.net>
Message-ID: 

On Mon, 31 Jul 2006, Greg Kurtzer wrote:

> I have decided to package Postfix as the default MTA. While there are
> certain advantages to both Qmail and Postfix and I personally don't
> mind DJB's license limitations, we haven't been able to get
> authorization from him to distribute our modified Qmail package.

Why would you need to modify qmail? As long as a replacement smtp daemon
is used instead of qmail-smtpd I don't see that any patches are
essential.

---
Charlie


From gmk at runlevelzero.net Mon Jul 31 13:45:07 2006
From: gmk at runlevelzero.net (Greg Kurtzer)
Date: Mon, 31 Jul 2006 13:45:07 -0700
Subject: [cAos] qmail and postfix
In-Reply-To: 
References: <4E755A27-92F1-4196-98D5-AB04870E954A@runlevelzero.net>
Message-ID: 

Well, we had to at least patch for the errno (bug/not-bug) for it to
build. But aside from that, we wanted to get DJB's specific approval of
our qmail RPM before going forward.

On Jul 31, 2006, at 11:01 AM, Charlie Brady wrote:

> On Mon, 31 Jul 2006, Greg Kurtzer wrote:
>
>> I have decided to package Postfix as the default MTA. While there are
>> certain advantages to both Qmail and Postfix and I personally don't
>> mind DJB's license limitations, we haven't been able to get
>> authorization from him to distribute our modified Qmail package.
>
> Why would you need to modify qmail? As long as a replacement smtp daemon
> is used instead of qmail-smtpd I don't see that any patches are
> essential.
>
> ---
> Charlie
> _______________________________________________
> cAos mailing list
> cAos at caosity.org
> http://lists.caosity.org/mailman/listinfo/caos

-- 
Greg Kurtzer
gmk at runlevelzero.net


From charlieb-caos at budge.apana.org.au Mon Jul 31 15:22:44 2006
From: charlieb-caos at budge.apana.org.au (Charlie Brady)
Date: Mon, 31 Jul 2006 18:22:44 -0400 (EDT)
Subject: [cAos] qmail and postfix
In-Reply-To: 
References: <4E755A27-92F1-4196-98D5-AB04870E954A@runlevelzero.net>
Message-ID: 

On Mon, 31 Jul 2006, Greg Kurtzer wrote:

> Well, we had to at least patch for the errno (bug/not-bug) for it to
> build.

No, not so. You just have to configure the compiler command correctly:

    echo gcc -O --include /usr/include/errno.h > conf-cc

> But aside from that, we wanted to get DJB's specific approval
> of our qmail RPM before going forward.

Did you get a response? I would expect none, but if one came, I would
expect just to be pointed to the set of already described conditions
under which binary distributions are permitted.

---
Charlie


From mej at caosity.org Mon Jul 31 15:46:50 2006
From: mej at caosity.org (Michael Jennings)
Date: Mon, 31 Jul 2006 18:46:50 -0400
Subject: [cAos] qmail and postfix
In-Reply-To: 
References: <4E755A27-92F1-4196-98D5-AB04870E954A@runlevelzero.net>
Message-ID: <20060731224649.GD31132@kainx.org>

On Monday, 31 July 2006, at 14:01:45 (-0400), Charlie Brady wrote:

> Why would you need to modify qmail? As long as a replacement smtp
> daemon is used instead of qmail-smtpd I don't see that any patches
> are essential.

1. It doesn't build without changes.
2. It doesn't build as non-root without changes.
3. Our package contains the netqmail patch set.
4. Using a "replacement SMTP daemon" is a change too.
5. We are trying to respect DJB's license as best we know how without
   violating our own policies and processes.

Michael

-- 
Michael Jennings (a.k.a. KainX)      http://www.kainx.org/
n + 1, Inc., http://www.nplus1.net/  Author, Eterm (www.eterm.org)
-----------------------------------------------------------------------
 "I am the only one to blame for this. Somehow it all ends up the same.
  Soaring on the wings of selfish pride, I flew too high, and like
  Icarus I collide with a world I tried so hard to leave behind. To rid
  myself of all but love, to give and die."
                                         -- Jars of Clay, "Worlds Apart"


From charlieb-caos at budge.apana.org.au Mon Jul 31 17:49:41 2006
From: charlieb-caos at budge.apana.org.au (Charlie Brady)
Date: Mon, 31 Jul 2006 20:49:41 -0400 (EDT)
Subject: [cAos] qmail and postfix
In-Reply-To: <20060731224649.GD31132@kainx.org>
References: <4E755A27-92F1-4196-98D5-AB04870E954A@runlevelzero.net> <20060731224649.GD31132@kainx.org>
Message-ID: 

On Mon, 31 Jul 2006, Michael Jennings wrote:

> On Monday, 31 July 2006, at 14:01:45 (-0400), Charlie Brady wrote:
>
>> Why would you need to modify qmail? As long as a replacement smtp
>> daemon is used instead of qmail-smtpd I don't see that any patches
>> are essential.
>
> 1. It doesn't build without changes.

It does.

> 2. It doesn't build as non-root without changes.

It does. It may not install using the rules in the Makefile provided
with the source code, but that's a different issue.

> 3. Our package contains the netqmail patch set.

OK. That's significant.

> 4. Using a "replacement SMTP daemon" is a change too.

That is not a change to qmail. DJB's copyright allows him to control
distribution of modifications of his software. It doesn't give him any
control of how caos is configured - including which SMTP daemon is used.

> 5. We are trying to respect DJB's license as best we know how without
>    violating our own policies and processes.

OK. You are actually going beyond that. But I don't mean to quibble. I
have mostly been trying to discover what people have been thinking.

I'm still interested to know why serious consideration was given to
replacing postfix with qmail. I know a lot about what is good with
qmail, and about its flaws, but not much about what people find
unsatisfactory with postfix.

---
Charlie


From gmk at runlevelzero.net Mon Jul 31 20:00:19 2006
From: gmk at runlevelzero.net (Greg Kurtzer)
Date: Mon, 31 Jul 2006 20:00:19 -0700
Subject: [cAos] qmail and postfix
In-Reply-To: 
References: <4E755A27-92F1-4196-98D5-AB04870E954A@runlevelzero.net> <20060731224649.GD31132@kainx.org>
Message-ID: <9F0C455F-6E01-439A-93FE-A7ED434DA1A3@runlevelzero.net>

Here are some of my reasons why postfix was put back instead of qmail:

1. According to my understanding of the license, we needed to get
   approval from DJB. I am not a lawyer and I was not about to take the
   risk of license violation without a clear written explanation about
   what we are allowed to do. Since I can't afford a lawyer, I wanted to
   get authorization from the author.

2. I am much less familiar with Qmail and without a confirmation from
   DJB that we are allowed to use it, I couldn't afford the time to do
   the research, testing and proper integration.

3. I was worried about application compatibility. For instance, having
   the ability to "just work" with other services and applications is a
   very nice feature. With Postfix, this is much less of a concern.

4. Postfix is trivial to configure. With a self documenting
   configuration file any moderate level admin can get the desired
   results.

We originally evaluated Qmail over Postfix because of the security and
scalability needs of some of our target users.

If you would like to assist with the packaging of Qmail, the related
services, and can get proper authorization, I would be happy to work
with you to import Qmail again. cAos-3 can easily make use of either
email subsystem.

Thanks!
Greg

On Jul 31, 2006, at 5:49 PM, Charlie Brady wrote:

> On Mon, 31 Jul 2006, Michael Jennings wrote:
>
>> On Monday, 31 July 2006, at 14:01:45 (-0400), Charlie Brady wrote:
>>
>>> Why would you need to modify qmail? As long as a replacement smtp
>>> daemon is used instead of qmail-smtpd I don't see that any patches
>>> are essential.
>>
>> 1. It doesn't build without changes.
>
> It does.
>
>> 2. It doesn't build as non-root without changes.
>
> It does. It may not install using the rules in the Makefile provided
> with the source code, but that's a different issue.
>
>> 3. Our package contains the netqmail patch set.
>
> OK. That's significant.
>
>> 4. Using a "replacement SMTP daemon" is a change too.
>
> That is not a change to qmail. DJB's copyright allows him to control
> distribution of modifications of his software. It doesn't give him any
> control of how caos is configured - including which SMTP daemon is
> used.
>
>> 5. We are trying to respect DJB's license as best we know how without
>>    violating our own policies and processes.
>
> OK. You are actually going beyond that. But I don't mean to quibble. I
> have mostly been trying to discover what people have been thinking.
>
> I'm still interested to know why serious consideration was given to
> replacing postfix with qmail. I know a lot about what is good with
> qmail, and about its flaws, but not much about what people find
> unsatisfactory with postfix.
>
> ---
> Charlie
> _______________________________________________
> cAos mailing list
> cAos at caosity.org
> http://lists.caosity.org/mailman/listinfo/caos

-- 
Greg Kurtzer
gmk at runlevelzero.net


From charlieb-caos at budge.apana.org.au Mon Jul 31 20:42:38 2006
From: charlieb-caos at budge.apana.org.au (Charlie Brady)
Date: Mon, 31 Jul 2006 23:42:38 -0400 (EDT)
Subject: [cAos] qmail and postfix
In-Reply-To: <9F0C455F-6E01-439A-93FE-A7ED434DA1A3@runlevelzero.net>
References: <4E755A27-92F1-4196-98D5-AB04870E954A@runlevelzero.net> <20060731224649.GD31132@kainx.org> <9F0C455F-6E01-439A-93FE-A7ED434DA1A3@runlevelzero.net>
Message-ID: 

On Mon, 31 Jul 2006, Greg Kurtzer wrote:

> Here are some of my reasons why postfix was put back instead of qmail:

OK, thanks, but that wasn't what I was asking. I was curious about the
reason for the proposed move in the other way.

> 1. According to my understanding of the license, we needed to get
>    approval from DJB. I am not a lawyer and I was not about to take the
>    risk of license violation without a clear written explanation about
>    what we are allowed to do.

This writing says what you are allowed to do:

http://cr.yp.to/qmail/var-qmail.html

>    Since I can't afford a lawyer, I wanted to get authorization from the
>    author.

See my earlier mail. Dan provides a mailing list where you can ask for
clarification about distributing qmail. He rarely posts there though.

> 2. I am much less familiar with Qmail and without a confirmation from
>    DJB that we are allowed to use it, I couldn't afford the time to do
>    the research, testing and proper integration.

OK

> 3. I was worried about application compatibility. For instance,
>    having the ability to "just work" with other services and
>    applications is a very nice feature. With Postfix, this is much less
>    of a concern.

Software "just works" unless it does something really weird.

> 4. Postfix is trivial to configure. With a self documenting
>    configuration file any moderate level admin can get the desired results.

qmail is very easy to configure. minimal configuration is:

    hostname -d > /var/qmail/control/me
    hostname -d > /var/qmail/control/rcpthosts

> We originally evaluated Qmail over Postfix because of the security
> and scalability needs of some of our target users.

I'm curious to know what security and scalability deficiencies you are
aware of with Postfix.

> If you would like to assist with the packaging of Qmail, the related
> services, and can get proper authorization, ...

I believe that proper authorization has been given if you follow the
rules which have already been published, and that seeking any other
authorization is likely to be a waste of time.

> I would be happy to work with you to import Qmail again.

You are welcome to use the qmail, dot-forward, and fastforward(*) src
rpms from the SME server project. We believe we've complied with the
conditions DJB imposes. You are also welcome to use our configuration
and execution framework as a guide for what you do with cAos. And I can
help explain any of that which isn't obvious. However ...

> cAos-3 can easily make use of either email subsystem.

Are you sure that it is worth it if Postfix simply does the job?

---
Charlie

(*) Unfortunately all three are required. I don't understand why Dan
insists on the installation of sendmail backwards compatibility
packages. qmail works fine without an /etc/aliases file and support for
~/.forward files.
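Charlie's two-line minimal configuration above writes the `me` and `rcpthosts` control files. The script below is an added example, not code from the thread or from the qmail or cAos projects: it writes those two files for a given control directory and domain (both are parameters so the script can be run against a scratch directory instead of /var/qmail/control and the output of `hostname -d`), then audits the result before qmail-smtpd would be started. The audit rests on documented qmail-smtpd behaviour: with no rcpthosts file present, qmail-smtpd accepts RCPT for any domain, which is an open relay, while an empty rcpthosts leaves no recipient domain accepted at all, so those two states are what an operator most wants flagged. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from the qmail/cAos projects.
# Writes the two-file minimal qmail configuration and audits it.
# Assumptions: $1 is a writable directory standing in for /var/qmail/control,
# $2 is the domain that `hostname -d` would have printed; function names are mine.

# Write control/me and control/rcpthosts for a single domain.
qmail_minimal_config() {
    controldir=$1
    domain=$2
    mkdir -p "$controldir" || return 1
    printf '%s\n' "$domain" > "$controldir/me" || return 1
    printf '%s\n' "$domain" > "$controldir/rcpthosts"
}

# Count the non-blank, non-comment lines of a control file (0 if missing).
# grep -c exits 1 when the count is 0, so mask that status but keep the number.
control_entries() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -v -e '^[[:space:]]*$' -e '^#' "$1" || true
}

# Audit the control directory. Returns 0 when both files look sane and
# 1 (with reasons on stderr) otherwise. The rcpthosts checks matter most:
# qmail-smtpd with no rcpthosts file accepts RCPT for any domain (an open
# relay), while an empty rcpthosts leaves no domain accepted at all.
qmail_audit_control() {
    controldir=$1
    rc=0
    if [ "$(control_entries "$controldir/me")" -ne 1 ]; then
        echo "audit: $controldir/me must contain exactly one hostname" >&2
        rc=1
    fi
    if [ ! -f "$controldir/rcpthosts" ]; then
        echo "audit: $controldir/rcpthosts missing: qmail-smtpd would relay for any domain" >&2
        rc=1
    elif [ "$(control_entries "$controldir/rcpthosts")" -eq 0 ]; then
        echo "audit: $controldir/rcpthosts is empty: no recipient domain would be accepted" >&2
        rc=1
    fi
    return $rc
}

# Demonstration in a scratch directory (constructed, not a real install).
demo_dir=$(mktemp -d)
qmail_minimal_config "$demo_dir/control" "example.test"
qmail_audit_control "$demo_dir/control" && echo "minimal config passes audit"
rm -f "$demo_dir/control/rcpthosts"
qmail_audit_control "$demo_dir/control" || echo "audit caught the missing rcpthosts"
rm -rf "$demo_dir"
```

Run it as root against the real /var/qmail/control only once you have checked the written files; on a live host the audit function alone is the useful part, and it is safe to call from a cron job or a pre-start hook since it only reads the directory.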