Broadband Security - Mandriva


Thread: Broadband Security

  1. Re: Broadband Security

    On Wed, 13 Jun 2007 00:15:07 GMT, Adam wrote:
    >
    > I get "no package named aide" when I do that. That's why I downloaded
    > it. And I checked my four installation CDs and it wasn't there either.


    It can be found on a contrib mirror.
    contrib-2007.0.idx:aide-0.11-2mdv2007.0.i586.rpm 526082 Sep 20 2006

    You might want to set a contrib mirror. Plug this url
    http://easyurpmi.zarb.org/
    into your browser, Click Proceed to step and when you get to 3,
    click up a terminal,
    su - root

    and paste from step 3 results.

    If it works, you can then do a

    urpmi --wget aide

    to install the package/rpm.

  2. Re: Broadband Security

    On Wed, 13 Jun 2007 00:15:06 GMT, Adam wrote:
    >
    > Okay, my /etc/sysconfig/network now looks exactly like that, except for
    > the HOSTNAME of course. At the moment it reads "HOSTNAME=Ozymandias"
    > ("Round the decay of that colossal Wreck"), but I gather I ought to add
    > ".invalid" and maybe even something before that.


    That was the suggestion/recommendation.
    You could make the domain name sea.invalid and your full email address
    on your lan would be adam@Ozymandias.sea.invalid

    Your hosts file should also have the FQDN. Two examples:

    $ cat /etc/hosts
    127.0.0.1 Ozymandias.sea.invalid Ozymandias localhost

    or
    $ cat /etc/hosts
    127.0.0.1 localhost
    192.168.1.46 Ozymandias.sea.invalid Ozymandias


  3. Re: Broadband Security

    On 13 Jun 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
    , Bit Twister wrote:

    >On Wed, 13 Jun 2007 00:15:07 GMT, Adam wrote:
    >
    >> I get "no package named aide" when I do that. That's why I downloaded
    >> it. And I checked my four installation CDs and it wasn't there either.

    >
    >It can be found on a contrib mirror.
    >contrib-2007.0.idx:aide-0.11-2mdv2007.0.i586.rpm 526082 Sep 20 2006


    Minor quibble - from http://sourceforge.net/projects/aide

    Latest News

    * Aide 0.13.1 released 2006-12-15
    * Aide 0.13 released 2006-12-07
    * Aide 0.11 released 2006-02-18

    Looking at the ChangeLog file, there were 25 bug-fix/change/improvements
    between 0.11 and 0.13, and three more to 0.13.1, though none of them look
    to be critical/deadly. There was also a version 0.12 released in October,
    but I'd prefer the later version (which I compiled from scratch, but
    recall some hassle doing so). There were some .rpms available though who
    knows what distribution/release they are meant for.

    Old guy

  4. Re: Broadband Security

    On Wed, 13 Jun 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
    , Adam wrote:

    >Moe Trin wrote:


    >> You can use any hostname you want, BUT it's not a good idea to use a
    >> hostname (or domain name) that _may_ exist in the world.


    >Looks like I better change HOSTNAME=Ozymandias ("Round the decay of that
    >colossal Wreck") to Ozymandias.foo.invalid or Ozymandias.example.org or
    >something like that.


    I like Bit's suggestion of Ozymandias.sea.invalid. Note that hostnames
    are supposed to be caseless. RFC0952 which detailed the old DARPA hosts
    file that was used before DNS was invented is the de facto standard for
    this, and it requires the name to begin with a letter and contain only
    the ASCII [A-Za-z0-9-] (alphanumerics and dash only) and the last
    character could not be the dash. Dots divide domain/sub-domain/host
    only. RFC1034 says 63 octets between dots (para 3.1), 255 octets total
    (para 3.1). See also RFC1035.

    Hostname can be fun, or a nightmare, depending on who has to choose
    them. Since the late 1980s, we made it a rule that the user has to
    supply the name (and two alternates) when they put in the paperwork to
    get a new system - monkey is off our backs. We _suggest_ using themes
    for names (beverages, cars, countries, currencies, elements, cartoon
    and fairy-tale characters, famous/historic warships - there really is
    a vast selection to work from), and include URLs to RFC1178 and 2100

    1178 Choosing a name for your computer. D. Libes. August 1990.
    (Format: TXT=18472 bytes) (Also FYI0005) (Status: INFORMATIONAL)

    2100 The Naming of Hosts. J. Ashworth. April 1 1997. (Format: TXT=4077
    bytes) (Status: INFORMATIONAL)

    but sometimes we have to grit our teeth and reject a name for one reason
    or another. One of our scientists has a last name of "Chi", and she
    decided (1988 give or take) to have the computer named "chi-s_whiz".
    This was allowed even though it violated the RFCs - until late 1996
    when a new version of BIND required strict compliance.

    >[adam@Ozymandias ~]$ sudo urpmi glibc
    >The package(s) are already installed


    Yes, but rpm (which urpmi is a front end for) doesn't do wild card
    expansion. Try 'rpm -qa | grep glibc' (should be no need for sudo).

    Old guy
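The naming rules quoted in the post above (RFC 952/1034: letters, digits and dash only, a letter first, no trailing dash, 63 octets per label, 255 in total), written out as a shell check. This is an added example, not part of the thread: `check_hostname` and `uses_reserved_name` are made-up helper names, the letter-first and no-trailing-dash rules are applied to every label as in the RFC 1034 label grammar, and the reserved-name list comes from RFC 2606, which the thread does not cite.

```shell
#!/bin/sh
# Added example; function names are made up for illustration.

# check_hostname NAME
# Prints "ok" and returns 0, or prints the first rule broken and returns 1.
# The body runs in a subshell so the IFS, locale and noglob changes stay local.
check_hostname() (
    LC_ALL=C                       # byte-wise ranges in the patterns below
    name=$1
    [ -n "$name" ] || { echo "empty name"; return 1; }
    [ "${#name}" -le 255 ] || { echo "longer than 255 octets"; return 1; }
    case $name in
        .*|*.|*..*) echo "empty label"; return 1 ;;   # dots only separate labels
    esac
    IFS=.
    set -f                         # no globbing while splitting on dots
    for label in $name; do
        [ "${#label}" -le 63 ] ||
            { echo "label longer than 63 octets: $label"; return 1; }
        case $label in
            *[!A-Za-z0-9-]*) echo "character outside A-Za-z0-9-: $label"; return 1 ;;
            [!A-Za-z]*)      echo "label must begin with a letter: $label"; return 1 ;;
            *-)              echo "label ends with a dash: $label"; return 1 ;;
        esac
    done
    echo ok
)

# uses_reserved_name NAME
# Returns 0 when NAME sits under a name that RFC 2606 reserves, so it cannot
# collide with a host that exists in the world (the reason given in the
# thread for picking something like ".invalid").
uses_reserved_name() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        *.invalid|*.test|*.example|*.localhost) return 0 ;;
        example.com|example.net|example.org)    return 0 ;;
        *.example.com|*.example.net|*.example.org) return 0 ;;
    esac
    return 1
}

# Demo on names that appear in the thread.
for h in Ozymandias ozymandias.sands.invalid chi-s_whiz; do
    printf '%s: %s\n' "$h" "$(check_hostname "$h" || true)"
done
```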

  5. Re: Broadband Security

    Bit Twister wrote:
    >> I get "no package named aide" when I do that. That's why I downloaded
    >> it. And I checked my four installation CDs and it wasn't there either.

    >
    > It can be found on a contrib mirror.
    > contrib-2007.0.idx:aide-0.11-2mdv2007.0.i586.rpm 526082 Sep 20 2006
    >
    > You might want to set a contrib mirror. Plug this url
    > http://easyurpmi.zarb.org/
    > into your browser, Click Proceed to step and when you get to 3,
    > click up a terminal,
    > su - root
    >
    > and paste from step 3 results.


    Hmmm. I know step 3 is actually 5 command lines, all something like:

    urpmi.addmedia ... with media_info/hdlist.cz

    and I tried several times with different servers, but kept getting
    errors like:

    ...retrieving failed: curl: (9) Server denied you to change to the
    given directory

    ...retrieving failed: curl: (7) couldn't connect to host

    ...retrieving failed: curl: (28) connect() timed out!

    rsync: failed to connect to mirrors.usc.edu: Connection timed out (110)
    rsync error: error in socket IO (code 10) at clientserver.c(107)
    [receiver=2.6.8]

    which all result in:

    retrieval of source hdlist (or synthesis) failed

    and I also found a lot of links to aide-0.11-2mdv2007.0.i586.rpm and
    aide-0.13-1mdv2007.1.i586 but not a single one turned out to be valid.

    Is there some sort of secret conspiracy here? :-)

    Thanks again!

    Adam

  6. Re: Broadband Security

    Bit Twister wrote:
    > Your hosts file should also have the FQDN. Two examples:
    >
    > $ cat /etc/hosts
    > 127.0.0.1 Ozymandias.sea.invalid Ozymandias localhost
    >
    > or
    > $ cat /etc/hosts
    > 127.0.0.1 localhost
    > 192.168.1.46 Ozymandias.sea.invalid Ozymandias


    I don't have a static IP so maybe I'd better go with the first way.

    Speaking of /etc/hosts, I found http://everythingisnt.com/hosts.html
    which is "a very simple hack which takes ad server URLs and redirects
    them to non-existant numerical addresses," like "127.0.0.1
    www.doubleclick.net" and a few hundred entries like that. Of course the
    first entry is "127.0.0.1 localhost" (plus FQDN) as you suggested. Does
    that cause any problems, or is it really that easy to get rid of so many
    banner ads? Thanks!

    Adam

  7. Re: Broadband Security

    On Thu, 14 Jun 2007 02:14:06 GMT, Adam wrote:
    >
    > Hmmm. I know step 3 is actually 5 command lines, all something like:
    >
    > urpmi.addmedia ... with media_info/hdlist.cz


    Hmm, depends on what you selected. I count 1 line starting with
    urpmi.addmedia through media_info/hdlist.cz

    If you did not cut/paste that "1 line", that will cause you problems.

    > and I tried several times with different servers, but kept getting
    > errors like:


    Pick another set of mirrors. What could have happened, you were trying
    while the mirrors were in the midst of doing downloads from Mandriva's
    master server.

    I do want you to add a command line switch to use /wget/ instead of /curl/.

    Example:

    urpmi.addmedia --wget ... with media_info/hdlist.cz

    If you still have problems, cut/paste commands and error messages from
    the root terminal and paste them in your reply. Otherwise we cannot
    help you.


  8. Re: Broadband Security

    On Thu, 14 Jun 2007 02:14:08 GMT, Adam wrote:
    > Bit Twister wrote:
    >> $ cat /etc/hosts
    >> 127.0.0.1 localhost
    >> 192.168.1.46 Ozymandias.sea.invalid Ozymandias

    >
    > I don't have a static IP so maybe I'd better go with the first way.


    Been there. It is possible to create a script to keep your /etc/hosts
    file synced to the new ip.


    > Speaking of /etc/hosts, I found http://everythingisnt.com/hosts.html
    > which is "a very simple hack which takes ad server URLs and redirects
    > them to non-existant numerical addresses," like "127.0.0.1
    > www.doubleclick.net" and a few hundred entries like that. Of course the
    > first entry is "127.0.0.1 localhost" (plus FQDN) as you suggested. Does
    > that cause any problems, or is it really that easy to get rid of so many
    > banner ads? Thanks!


    You would think everythingisnt.com is easy until you use the Mandriva
    Control Center (MCC) network interface screen.
    I had over 1500 of those dummy entries in my
    hosts file. After playing in the network screen, MCC placed all FQDNs
    on the 127.0.0.1 line. :-(

    Took me a little while to run down why I was having problems.

    Currently running privoxy to do the same thing for me.
    Snippet from my Admin Diary.

    urpmi --wget privoxy --auto
    service privoxy restart
    exit

    User account: Bring up firefox
    Edit->Preference->Advanced->Network tab
    Connection Settings

    click Manual proxy configuration:
    HTTP Proxy: 127.0.0.1 Port: 8118
    SSL Proxy: 127.0.0.1 Port: 8118
    Click OK

    # add the noscript extension to block/enable java
    http://noscript.net/getit

    exit firefox and start it again

    # test java, and noscript,
    http://java.com/en/download/installed.jsp

  9. Re: Broadband Security

    On 14 Jun 2007 02:54:49 GMT, Bit Twister wrote:
    >
    > Currently running privoxy to do the same thing for me.


    Forgot the link about privoxy http://www.privoxy.org/


  10. Re: Broadband Security

    On 14 Jun at 3:14 Adam wrote in message


    > Bit Twister wrote:
    > > Your hosts file should also have the FQDN. Two examples:
    > >
    > > $ cat /etc/hosts
    > > 127.0.0.1 Ozymandias.sea.invalid Ozymandias localhost
    > >
    > > or
    > > $ cat /etc/hosts
    > > 127.0.0.1 localhost
    > > 192.168.1.46 Ozymandias.sea.invalid Ozymandias

    >
    > I don't have a static IP so maybe I'd better go with the first way.
    >

    I used to do that, and it worked fine. As my local network grew, I installed
    BIND, to simplify admin.

    I spent days trying to figure out why I could no longer access the server
    from the network, although pinging it worked fine. It turned out that I was
    fetching an IP of 127.0.0.1 for the server, which, of course was wrong for
    anything but the server

    Probably doesn't apply to you, but a cautionary tale, nonetheless!

    [snip]


    --
    Tony van der Hoff | mailto:tony@vanderhoff.org
    Buckinghamshire, England

  11. Re: Broadband Security

    On Wed, 13 Jun 2007 22:54:49 -0400, Bit Twister wrote:

    > You would think everythingisnt.com is easy until you use the Mandriva
    > Control Center (MCC) network interface screen.
    > I had over 1500 of those dummy entries in my
    > hosts file. After playing in the network screen, MCC placed all FQDNs
    > on the 127.0.0.1 line. :-(


    You beat me to the warning.
    http://qa.mandriva.com/show_bug.cgi?id=30168
    Reported back in April. Perhaps you could vote for the bug, and
    maybe that would help it get some attention.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)

  12. Re: Broadband Security

    On 2007-06-14, Bit Twister wrote:
    > Currently running privoxy to do the same thing for me.
    > Snippet from my Admin Diary.
    >
    > urpmi --wget privoxy --auto
    > service privoxy restart
    > exit
    >
    > User account: Bring up firefox
    > Edit->Preference->Advanced->Network tab
    > Connection Settings
    >
    > click Manual proxy configuration:
    > HTTP Proxy: 127.0.0.1 Port: 8118
    > SSL Proxy: 127.0.0.1 Port: 8118
    > Click OK
    >
    > # add the noscript extension to block/enable java
    > http://noscript.net/getit
    >
    > exit firefox and start it again
    >
    > # test java, and noscript,
    > http://java.com/en/download/installed.jsp


    A different approach (or complementary depending on which way you look
    at it). Get a local dns server and get it to do adblocking and link to openDNS

    1. get bind / caching-nameserver

    2. add openDns servers as forwarders in named.conf
    (for a bit of extra zip + anti phishing)
    ---
    forwarders { 208.67.220.220; 208.67.222.222; };
    ---


    3. get adblock file from http://pgl.yoyo.org/adservers/ using 'bind' format
    (This can block per domain or host )
    Save to /var/lib/named/etc/adblock.conf
    Replace null.zone.file with "/etc/db.adblock"
    Create /var/lib/named/etc/db.adblock as
    ------
    $TTL 604800
    @       IN      SOA     localhost. root.localhost. (
                            2         ; Serial
                            604800    ; Refresh
                            86400     ; Retry
                            2419200   ; Expire
                            604800 )  ; Negative Cache TTL
    ;
    @       IN      NS      localhost.
    @       IN      A       0.0.0.0 ;82.165.150.34
    *       IN      A       0.0.0.0 ;82.165.150.34
    ------

    Add the following line to named.conf
    include "/etc/adblock.conf";

    I ripped most of this content from pgl.yoyo.org and another site that escapes
    me at the mo..

    Lordy



  13. Re: Broadband Security

    On Thu, 14 Jun 2007, in the Usenet newsgroup alt.os.linux.mandriva, in article
    , Adam wrote:

    >Speaking of /etc/hosts, I found http://everythingisnt.com/hosts.html
    >which is "a very simple hack which takes ad server URLs and redirects
    >them to non-existant numerical addresses," like "127.0.0.1
    >www.doubleclick.net" and a few hundred entries like that.


    Look in the Usenet newsgroups "alt.privacy", "alt.privacy.spyware", and
    at google - there are several of these lists, some quite extensive (and
    some quite useless).

    >Of course the first entry is "127.0.0.1 localhost" (plus FQDN) as you
    >suggested. Does that cause any problems, or is it really that easy to
    >get rid of so many banner ads? Thanks!


    Some resolver code wants to see exactly one line with a given IP
    address, and one line with a given FQDN. The way around this is to use
    all 16.777 million addresses in 127.0.0.0/8, but this also may slow
    up name resolution (if the kernel has to look through 16 million lines
    in /etc/hosts before trying a DNS lookup) and is a real SOB to manage.
    Make sure your firewall is NOT blocking access to 127.0.0.0/8:80, or you
    will have a further delay in the web page loading while you wait for the
    connections to time out.

    The ad servers are also scattered all over IP-space, with netblocks from
    255.255.255.254 on up to 255.255.0.0 (though I take the lists with a
    shovel-full of salt). You need to be somewhat careful of what you are
    blocking, as some of these servers are both content providers and
    advertisement providers. Also, some ad URLs are hard-coded directly to
    IPs - you need a firewall rule to block them.

    Personally, I don't bother, as I primarily use a text-based browser
    rather than a "dazzle-'em-with-graphics" tool unless it is absolutely
    required.

    Old guy
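A lint for the /etc/hosts conditions raised in this thread: an address or name that appears on more than one line (the resolver point in the post above), one line that has collected a pile of names (the Mandriva Control Center symptom), and the machine's own FQDN pointing at loopback (the BIND cautionary tale). This is an added example, not code from any poster; `lint_hosts`, `sample_hosts`, the finding labels, the default threshold of 8 names and the sample file are all constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and finding labels are made up.
# lint_hosts reads hosts-format text on stdin.
#   $1 = this machine's FQDN, $2 = most names tolerated on one line (default 8)
lint_hosts() {
    awk -v fqdn="$1" -v max="${2:-8}" '
    BEGIN { want = tolower(fqdn) }
    { sub(/#.*/, "") }                 # drop comments; awk re-splits the fields
    NF < 2 { next }                    # blank line or address without a name
    {
        ip = $1
        ip_lines[ip]++
        # One line carrying a pile of names is the symptom described for the
        # MCC network screen, which moved every FQDN onto the 127.0.0.1 line.
        if (NF - 1 > max) printf "CROWDED %s %d\n", ip, NF - 1
        for (i = 2; i <= NF; i++) {
            n = tolower($i)            # hostnames are caseless
            name_count[n]++
            # Fine on a lone workstation, but a name server or another host
            # that copies this entry hands out loopback for the machine.
            if (n == want && ip ~ /^127\./)
                printf "LOOPBACK-FQDN %s %s\n", n, ip
        }
    }
    END {
        # "exactly one line with a given IP address, and one line with a
        # given FQDN": report whatever breaks that.
        for (ip in ip_lines)
            if (ip_lines[ip] > 1) printf "DUP-IP %s %d\n", ip, ip_lines[ip]
        for (n in name_count)
            if (name_count[n] > 1) printf "DUP-NAME %s %d\n", n, name_count[n]
    }' | LC_ALL=C sort                 # stable order for reading and diffing
}

# Constructed sample: an ad-blocking hosts file on a box with a LAN address.
sample_hosts() {
    cat <<'EOF'
# constructed sample, not taken from a real system
127.0.0.1     localhost ozymandias.sands.invalid ozymandias
127.0.0.1     www.doubleclick.net
127.0.0.1     ads.example.invalid
192.168.1.46  Ozymandias.sands.invalid
EOF
}

sample_hosts | lint_hosts ozymandias.sands.invalid
```

On a real system the input would be `lint_hosts "$(hostname -f)" < /etc/hosts`; an ad-blocking hosts file will always report DUP-IP for its sink address, which is the trade-off the post above describes.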

  14. Re: Broadband Security

    Moe Trin wrote:
    > I like Bit's suggestion of Ozymandias.sea.invalid. Note that hostnames
    > are supposed to be caseless.


    [adam@ozymandias ~]$ echo $HOSTNAME
    ozymandias.sands.invalid

    Anyone who's wondering why I changed it from "sea" to "sands", check out
    http://www.rc.umd.edu/rchs/reader/ozymandias.html .

    > Hostname can be fun, or a nightmare, depending on who has to choose
    > them.


    I remember looking at a complete list of BITnet hosts, or something like
    that, in the mid-80s. Some of the hostnames were clever, if you "get"
    hacker humor.

    > We _suggest_ using themes
    > for names (beverages, cars, countries, currencies, elements, cartoon
    > and fairy-tale characters, famous/historic warships - there really is
    > a vast selection to work from)


    I'm a volunteer at the local SPCA, and every week the front desk staff
    has to come up with names for the new arrivals. Sometimes they don't
    have any ideas but they name them anyway. Last week a litter of five
    kittens ended up being named Reebok, Nike, Adidas, etc.

    [problems compiling aide-0.13.1 from source]
    > Yes, but rpm (which urpmi is a front end for) doesn't do wild card
    > expansion. Try 'rpm -qa | grep glibc' (should be no need for sudo).


    [adam@ozymandias ~]$ rpm -qa | grep glibc
    glibc-2.4-4mdk
    glibc-devel-2.4-4mdk

    Anyway as described in another post, I managed to get hooked up to the
    repositories, and then 'urpmi --wget aide' got me version 0.11
    downloaded and installed. I consider the problem solved. Now all I
    have to do is figure out how to use the darn thing.

    Adam

  15. Re: Broadband Security

    Bit Twister wrote:
    > Pick another set of mirrors. What could have happened, you were trying
    > while the mirrors were in the midst of doing downloads from Mandriva's
    > master server.
    >
    > I do want you to add a command line switch to use /wget/ instead of /curl/.
    >
    > Example:
    >
    > urpmi.addmedia --wget ... with media_info/hdlist.cz
    >
    > If you still have problems, cut/paste commands and error messages from
    > the root terminal and paste them in your reply. Otherwise we cannot
    > help you.


    Bingo! I added --wget, tried a few sets of mirrors, and finally got a
    winner -- the one at Indiana University (except for plf-nonfree,
    obviously). All five urpmi.addmedia commands worked (some said,
    basically, "you already did that"), and then

    urpmi --wget aide

    worked just like you said! It got aide-0.11 although source is out for
    0.13.1, but I figure that's close enough. Thanks so much!

    Adam

  16. Re: Broadband Security

    Bit Twister wrote:
    >> I don't have a static IP so maybe I'd better go with the first way.

    >
    > Been there. It is possible to create a script to keep your /etc/hosts
    > file synced to the new ip.


    Good idea, but as long as

    127.0.0.1 localhost ozymandias ozymandias.sands.invalid

    works, I'll leave the scriptwriting for later.

    > You would think everythingisnt.com is easy until you use the Mandriva
    > Control Center (MCC) network interface screen.
    > I had over 1500 of those dummy entries in my
    > hosts file. After playing in the network screen, MCC placed all FQDNs
    > on the 127.0.0.1 line. :-(


    I noticed that at one point my ad-blocking /etc/hosts got all munged up,
    and that must have been why. I just recopied it, rather than try to
    track things down.

    > Currently running privoxy to do the same thing for me.
    >
    > Forgot the link about privoxy http://www.privoxy.org/


    Thanks! I'll look into that as soon as I have everything moved over to
    my new address. Thanks again for your help and patience with my various
    problems!

    Adam

  17. Re: Broadband Security

    Tony van der Hoff wrote:
    >>> $ cat /etc/hosts
    >>> 127.0.0.1 Ozymandias.sea.invalid Ozymandias localhost
    >>>

    >> I don't have a static IP so maybe I'd better go with the first way.
    >>

    > I used to do that, and it worked fine. As my local network grew, I installed
    > BIND, to simplify admin.
    >
    > I spent days trying to figure out why I could no longer access the server
    > from the network, although pinging it worked fine. It turned out that I was
    > fetching an IP of 127.0.0.1 for the server, which, of course was wrong for
    > anything but the server
    >
    > Probably doesn't apply to you, but a cautionary tale, nonetheless!


    Thanks, Tony! Both you and Bit Twister have pointed out the problems
    when "127.0.0.1" gets where it shouldn't be. I'll try to remember that
    when I have access problems.

    Adam

  18. Re: Broadband Security

    lordy wrote:
    > On 2007-06-14, Bit Twister wrote:
    >> Currently running privoxy to do the same thing for me.

    >
    > A different approach (or complementary depending on which way you look
    > at it). Get a local dns server and get it to do adblocking and link to openDNS


    [useful directions snipped]

    Thanks, Lordy! When I have a better understanding of what I'm doing,
    I'll look into that. Anything that cuts down on ads sounds good to me!

    Adam

  19. Re: Broadband Security

    On Fri, 15 Jun 2007 00:40:12 GMT, Adam wrote:
    >
    > urpmi --wget aide


    Yes, you may also want to get into the mirror section of the Mandriva
    Control Center and under Options set wget as default fetch utility.


    > worked just like you said!


    Yep, you do not need to fight two problems at the same time.
    urpmi for a copy that is supposed to run, learn how to configure it,
    then get the latest release and start hacking again.

    > It got aide-0.11 although source is out for 0.13.1,
    > but I figure that's close enough.


    For starters, but go look at the release notes to see what you are
    going to be short of.

    Crackers are turning around known exploit cracks within about 48 hours or
    so of an update and go hunting for systems without the updates.

    That is one of the reasons I check for updates every night.

  20. Re: Broadband Security

    On Fri, 15 Jun 2007 00:40:16 GMT, Adam wrote:
    > Bit Twister wrote:
    >>> I don't have a static IP so maybe I'd better go with the first way.

    >>
    >> Been there. It is possible to create a script to keep your /etc/hosts
    >> file synced to the new ip.

    >
    > Good idea, but as long as
    >
    > 127.0.0.1 localhost ozymandias ozymandias.sands.invalid


    Yuck, how about

    127.0.0.1 ozymandias.sands.invalid ozymandias localhost

