
WebProWorld IT Forum

XP networking trouble
I am trying to connect a laptop with XP Home to a tower with XP Pro and an integrated LAN socket. I follow all instructions with the wizard, but it says the cable is disconnected, which it isn't.

old reverse dns causing me grief -- HELP
I have not been with them for 3 months. I have contacted them repeatedly to remove the reverse dns from "the web" for the two IPs. I tried yet again today and received another nasty reply from them as follows:

Can't open pages with certain links
As of Friday I have not been able to open pages with affiliate links, particularly Clickbank and eMarketmakers. I have posted on other boards and people there say they open on their systems fine. I get a "server not found" message.



Recent Articles

Understanding PAM
PAM is the Pluggable Authentication Module, invented by Sun. It's a beautiful concept, but it can be confusing and even intimidating at first. We're going to look at it on a RedHat system, but other Linuxes will be similar...

Troubleshooting: Preserve the scene
You've seen it on television or in the movies: important evidence is lost at a crime scene because someone wasn't careful enough to preserve it. A crowd of curiosity seekers destroys important footprints, a helpful housekeeper thoughtfully washes the bathroom sink, wiping away fingerprints.

Transferring Mail to a New Mail Server
Sometimes we just have to move on. Your current mail server may just not be meeting your needs, so you've put up something new. But what about old mail? If your servers are identical (Sendmail to Sendmail, etc.) or use the same mailbox storage format, you may be able to just transfer files directly. If not, read on...

Basic DNS: PTR Records and Why You Care
A PTR record is what lets someone do a "reverse" DNS lookup - that is, they have your IP address and want to know what your host/domain is. At any Unix/Linux command line, you can use "dig -x" to do a reverse lookup:

SME Server Software Raid Failure, Grub 0x10 error
An SME customer called this morning saying that his system had apparently stopped working (web pages and mail were unavailable) and therefore he had rebooted. Unfortunately, the grub boot would start to load the SME kernel and then fail with a 0x10 message.

Creating ext3 File Systems
The ext3 filesystem is a journaled file system that is compatible with ext2 (an ext3 filesystem can be mounted as ext2 if necessary). It's faster and more reliable than ext2, and therefore has become popular (though so has Reiserfs).

Waiting Too Long to Upgrade
I had related at Another RAID Failure that an initial attempt to rebuild the RAID had failed, and left the story with fresh drives on order and winging their way toward us. The drives did arrive, but unfortunately the rebuild still failed.

Another RAID failure
There must be something in the air. I've had another RAID failure. This time, it was a hardware RAID, specifically a seven year old DPT controller (DPT was subsequently bought by Adaptec).

F-Secure SSH for Unix 5.0
WRQ announced the availability of F-Secure SSH (Secure Shell) for UNIX 5.0, providing customers a solid solution for priority security needs including reliability, broad platform support, manageability, and usability.

Unix for Higher Education
Higher education institutions using HP servers and workstations for teaching or research can now receive the HP-UX 11i operating system through the HP Campus Investment Program Academic Offer.

03.08.05


Hardening Your Kernel With OpenWall

By A.P. Lawrence

The Openwall Project provides security related kernel patches for Linux and BSD kernels.

I read about this in Hardening Linux by James Turnbull. The patch that most interested me was the one that prevents executable code from running on the stack. That won't prevent all buffer overflow attacks: an overflow can still overwrite a return address with the address of code that already exists in the program or in libc (a return-into-libc attack), which puts no code on the stack at all. What it does stop is the classic attack of injecting shellcode into a stack buffer and jumping to it. I really don't understand why this isn't just the default nowadays - I know it can break some programs and debuggers, but it seems smart to me.

I installed this on a RedHat ES system. That system was running a 2.4.21 kernel and had never had kernel source installed, so the first step was to go get a newer kernel. Each Openwall patch is made for one exact kernel version (linux-2.4.29-ow1 applies to a stock 2.4.29 tree), so that is the version to fetch. When you pull source and patches over plain FTP and HTTP like this, check the detached signatures (both kernel.org and Openwall publish them) before you build. I cd'd to /usr/src and did

cd /usr/src
wget ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.29.tar.gz
tar zxvf linux-2.4.29.tar.gz
ln -s linux-2.4.29 linux
wget http://www.openwall.com/linux/linux-2.4.29-ow1.tar.gz
tar zxvf linux-2.4.29-ow1.tar.gz
cp linux-2.4.29-ow1/*.diff .
cd linux
patch -p1 < ../linux-2.4.29-ow1.diff


This patched the 2.4.29 kernel with the Openwall enhancements. I then copied the existing RedHat kernel config file so that I wouldn't have to answer a zillion questions (most of which I probably wouldn't have half a clue how to answer).

cd /usr/src/linux
cp /boot/config-2.4.21-27.0.2.EL /usr/src/linux/.config
make oldconfig


This did leave me with a few questions to answer for things new in the 2.4.29 kernel. I took the defaults until it got to the Openwall stuff. I then answered "y" for the non-executable stack, but "n" for autodetecting and emulating GCC trampolines (CONFIG_HARDEN_STACK_SMART): that option only exists to keep programs that use GCC nested functions working, because the compiler places a small piece of code for them on the stack. I also said "n" to "Destroy shared memory segments" because of warnings in the FAQ that it can break some apps and the advice of the "Hardening Linux" book. I probably don't have anything here that would break, but I left it "n". This ended up with these settings:

CONFIG_HARDEN_STACK=y
# CONFIG_HARDEN_STACK_SMART is not set
CONFIG_HARDEN_LINK=y
CONFIG_HARDEN_FIFO=y
CONFIG_HARDEN_PROC=y
CONFIG_HARDEN_RLIMIT_NPROC=y


I then ran the typical "make dep" etc. and after a long, long wait everything completed and I ran "make install". That broke, complaining

grubby fatal error: unable to find a suitable template

Grubby? I had never heard of it, but "man" showed me that it is used to update /etc/lilo.conf or /etc/grub.conf. The man page mentioned templates but didn't explain enough to tell me what its problem might be. However, looking in /boot, I could see that everything I needed had been installed there, so I went ahead and edited /etc/grub.conf by hand. Unfortunately, I fat-fingered it and ended up with this:

# NOTICE: You have a /boot partition. This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/hda2
#          initrd /initrd-version.img
#boot=/dev/hda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz


title Red Hat Enterprise Linux ES (2.4.29-ow1)
root (hd0,0)/grub
kernel (hd0,0)/vmlinuz-2.4.21-27.0.2.EL ro root=/dev/hda2 hdb=ide-scsi
initrd (hd0,0)/initrd-2.4.29-ow1.img

title Red Hat Enterprise Linux ES (2.4.21-4.EL)
root (hd0,0)/grub
kernel (hd0,0)/vmlinuz-2.4.29-ow1 ro root=/dev/hda2 hdb=ide-scsi
initrd (hd0,0)/initrd-2.4.21-27.0.2.EL.img


Do you see the mistake? The kernel lines of the two stanzas are swapped, so each entry boots one kernel with the other's initrd. It should have looked like this:

# NOTICE: You have a /boot partition. This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/hda2
#          initrd /initrd-version.img
#boot=/dev/hda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz

title Red Hat Enterprise Linux ES (2.4.29-ow1)
root (hd0,0)/grub
kernel (hd0,0)/vmlinuz-2.4.29-ow1 ro root=/dev/hda2 hdb=ide-scsi
initrd (hd0,0)/initrd-2.4.29-ow1.img

title Red Hat Enterprise Linux ES (2.4.21-4.EL)
root (hd0,0)/grub
kernel (hd0,0)/vmlinuz-2.4.21-4.EL ro root=/dev/hda2 hdb=ide-scsi
initrd (hd0,0)/initrd-2.4.21-27.0.2.EL.img


That gave me a lovely "file not found" when I attempted to boot. Not quite realizing what I had done, I then tried to boot the second kernel, and of course that failed with the same error. Looking more closely, I spotted my problem and used the "edit" capability of grub to point it at the right kernel.
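The mix-up above is easy to make and just as easy to check for before rebooting: in every stanza the version tag after "vmlinuz-" should be the same as the one after "initrd-". The checker below is an added example written for this page, not a tool the author used or anything shipped with grubby; the function names check_grub_conf and grub_mismatch_count are mine, and the input it runs on is the mis-edited stanzas from the listing above, embedded as a constant. In real use the remaining step is to confirm that both files actually exist under /boot.

```c
#include <stdio.h>
#include <string.h>

/* Copy the tag that follows `prefix` in `line` (up to whitespace) into out,
   dropping a trailing ".img"; returns 1 if the prefix was present. */
static int version_after(const char *line, const char *prefix, char *out, size_t n)
{
    const char *p = strstr(line, prefix);
    size_t i = 0;
    if (!p) return 0;
    for (p += strlen(prefix); *p && *p != ' ' && *p != '\t' && i + 1 < n; p++)
        out[i++] = *p;
    out[i] = '\0';
    if (i > 4 && strcmp(out + i - 4, ".img") == 0)
        out[i - 4] = '\0';
    return 1;
}

/* Append a report line when a stanza's kernel and initrd versions differ. */
static int stanza_matches(const char *title, const char *kver, const char *iver,
                          char *report, size_t reportsz)
{
    size_t used = strlen(report);
    if (strcmp(kver, iver) == 0) return 1;
    snprintf(report + used, reportsz - used, "%s: kernel %s but initrd %s\n",
             title, *kver ? kver : "(none)", *iver ? iver : "(none)");
    return 0;
}

/* Walk a GRUB legacy grub.conf and, for each "title" stanza, compare the version
   after "vmlinuz-" on the kernel line with the one after "initrd-" (minus ".img")
   on the initrd line. Returns the number of stanzas that disagree, stores the
   stanza count in *stanzas if non-NULL, and writes one report line per bad stanza. */
int check_grub_conf(const char *conf, int *stanzas, char *report, size_t reportsz)
{
    char line[512], title[128] = "", kver[64] = "", iver[64] = "";
    int in_stanza = 0, count = 0, bad = 0;
    const char *p = conf;

    report[0] = '\0';
    for (;;) {
        const char *nl = strchr(p, '\n'), *s;
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        for (s = line; *s == ' ' || *s == '\t'; s++) ;
        if (strncmp(s, "title ", 6) == 0) {
            if (in_stanza && !stanza_matches(title, kver, iver, report, reportsz)) bad++;
            snprintf(title, sizeof title, "%s", s + 6);
            kver[0] = iver[0] = '\0';
            in_stanza = 1;
            count++;
        } else if (in_stanza && strncmp(s, "kernel ", 7) == 0) {
            version_after(s, "vmlinuz-", kver, sizeof kver);
        } else if (in_stanza && strncmp(s, "initrd ", 7) == 0) {
            version_after(s, "initrd-", iver, sizeof iver);
        }
        if (!nl) break;
        p = nl + 1;
    }
    if (in_stanza && !stanza_matches(title, kver, iver, report, reportsz)) bad++;
    if (stanzas) *stanzas = count;
    return bad;
}

/* Convenience wrapper: just the number of bad stanzas. */
int grub_mismatch_count(const char *conf)
{
    char report[1024];
    return check_grub_conf(conf, NULL, report, sizeof report);
}

/* The mis-edited stanzas from the listing above (header comments omitted). */
const char *const BROKEN_GRUB_CONF =
    "title Red Hat Enterprise Linux ES (2.4.29-ow1)\n"
    "root (hd0,0)/grub\n"
    "kernel (hd0,0)/vmlinuz-2.4.21-27.0.2.EL ro root=/dev/hda2 hdb=ide-scsi\n"
    "initrd (hd0,0)/initrd-2.4.29-ow1.img\n"
    "\n"
    "title Red Hat Enterprise Linux ES (2.4.21-4.EL)\n"
    "root (hd0,0)/grub\n"
    "kernel (hd0,0)/vmlinuz-2.4.29-ow1 ro root=/dev/hda2 hdb=ide-scsi\n"
    "initrd (hd0,0)/initrd-2.4.21-27.0.2.EL.img\n";

/* The first stanza with kernel and initrd agreeing. */
const char *const FIXED_GRUB_CONF =
    "title Red Hat Enterprise Linux ES (2.4.29-ow1)\n"
    "root (hd0,0)/grub\n"
    "kernel (hd0,0)/vmlinuz-2.4.29-ow1 ro root=/dev/hda2 hdb=ide-scsi\n"
    "initrd (hd0,0)/initrd-2.4.29-ow1.img\n";

int main(void)
{
    char report[1024];
    int n, bad = check_grub_conf(BROKEN_GRUB_CONF, &n, report, sizeof report);
    printf("%d of %d stanzas mismatch\n%s", bad, n, report);
    return bad != 0;
}
```

Run against the broken listing it reports both stanzas; a stanza with no kernel or initrd line at all (a chainloader entry, say) is left alone, while a kernel line with no initrd is flagged as "(none)".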

Editing the entry from the grub menu got me back up again. Openwall includes the source code for a program to test the stack changes, so I compiled that and tried it out:

cd /usr/src/linux-2.4.29-ow1/optional
gcc -o stacktest stacktest.c
./stacktest -e
Attempting to simulate a buffer overflow exploit...
Segmentation fault

The segmentation fault is the patch doing its job: stacktest -e puts code in a stack buffer and jumps to it, and the hardened kernel kills the process instead of letting that code run.
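What stacktest does can be reproduced in a few dozen lines, and the same probe is worth keeping around to check any Linux box, Openwall-patched or not, before trusting that its stack is non-executable. The program below is an added example, not Openwall's stacktest.c or anything from this article: it copies the machine code of a small function into a stack buffer and tries to call it, treating the resulting SIGSEGV as "non-executable stack", and it separately reads the permissions of the [stack] mapping from /proc/self/maps. The two maps excerpts are constructed, not captured from a real system, and the names probe_stack_exec, stack_exec_from_maps and stack_exec_from_proc are mine.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

enum { STACK_NOEXEC = 0, STACK_EXEC = 1 };   /* results of probe_stack_exec() */
static sigjmp_buf fault_env;

/* Fetching instructions from a non-executable page raises SIGSEGV; jump back instead of dying. */
static void on_fault(int sig)
{
    siglongjmp(fault_env, sig);
}

/* Small position-independent function; its machine code stands in for the
   shellcode a stack-smashing exploit would drop into a buffer. */
static int __attribute__((noinline)) payload(void) { return 42; }

/* Copy payload()'s bytes into a stack buffer and call them, as Openwall's
   stacktest -e does. STACK_EXEC if the code ran, STACK_NOEXEC if the kernel
   stopped it with SIGSEGV (SIGBUS/SIGILL are caught too for other CPUs). */
int probe_stack_exec(void)
{
    unsigned char buf[64];                 /* far more than payload() occupies */
    const int sigs[3] = { SIGSEGV, SIGBUS, SIGILL };
    struct sigaction sa, old[3];
    int (*src)(void) = payload, (*fn)(void);
    const void *srcp;
    void *p = buf;
    volatile int result;
    int i;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    for (i = 0; i < 3; i++)
        sigaction(sigs[i], &sa, &old[i]);
    memcpy(&srcp, &src, sizeof srcp);      /* function pointer -> data pointer */
    memcpy(buf, srcp, sizeof buf);         /* bytes after payload()'s ret are never reached */
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof buf);
    memcpy(&fn, &p, sizeof fn);            /* data pointer -> function pointer */
    if (sigsetjmp(fault_env, 1) == 0) {
        (void)fn();                        /* control transfers into the stack buffer */
        result = STACK_EXEC;
    } else {
        result = STACK_NOEXEC;
    }
    for (i = 0; i < 3; i++)
        sigaction(sigs[i], &old[i], NULL);
    return result;
}

/* From a /proc/PID/maps listing ("start-end perms offset dev inode path"):
   1 = the [stack] mapping is executable, 0 = it is not, -1 = no [stack] line. */
int stack_exec_from_maps(const char *maps)
{
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= 7 && memcmp(line + len - 7, "[stack]", 7) == 0) {
            const char *sp = memchr(line, ' ', len);   /* perms follow the first space */
            return (sp && sp + 3 < line + len && sp[3] == 'x') ? 1 : 0;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return -1;
}

/* The same check on the running process. */
int stack_exec_from_proc(void)
{
    static char buf[1 << 18];
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    return f ? stack_exec_from_maps(buf) : -1;
}

/* Constructed maps excerpts, not captured from a real system. */
const char *const SAMPLE_MAPS_EXECSTACK =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/stackprobe\n"
    "7ffd3a1c0000-7ffd3a1e1000 rwxp 00000000 00:00 0 [stack]\n";
const char *const SAMPLE_MAPS_NOEXEC =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/stackprobe\n"
    "7ffd3a1c0000-7ffd3a1e1000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    printf("[stack] executable per /proc/self/maps: %d, code run from a stack buffer: %s\n",
           stack_exec_from_proc(),
           probe_stack_exec() == STACK_EXEC ? "ran" : "blocked by the kernel");
    return 0;
}
```

Build it with gcc -o stackprobe stackprobe.c and run it; then link it again with gcc -z execstack, which marks the binary as wanting an executable stack, and both answers flip. That is the user-space counterpart of running stacktest on a kernel with and without the patch, and it is also why the non-executable stack breaks the odd program: anything that genuinely needs to run code from the stack (GCC trampolines being the common case) now dies exactly like the simulated exploit.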


I still haven't found out what template is needed for grubby, but I did find a patch for it: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=83512

*Originally published at APLawrence.com


About the Author:
A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

About UnixProNews
UnixProNews is a collection of news and commentary designed to keep you in step with the ever evolving landscape of Unix environments. News and Advice for Unix Professionals




-- UnixProNews is an iEntry, Inc. publication --
iEntry, Inc. 880 Corporate Drive, Lexington, KY 40503
2005 iEntry, Inc. All Rights Reserved
