Hell Really Exists
There are a number of different software packages out there that do port and service-based scanning of machines or networks. SATAN, ISS, SAINT, and Nessus are some of the more well-known ones. These programs connect to the target machine (or all the target machines on a network) on all the ports they can, and try to determine what service is running there. Based on this information, you can tell if the machine is vulnerable to a specific exploit on that server. SATAN (Security Administrator's Tool for Analyzing Networks) is a port scanner with a web interface. It can be configured to do light, medium, or strong checks on a machine or a network of machines. It's a good idea to get SATAN and scan your machine or network, and fix the problems it finds. Make sure you get the copy of SATAN from metalab or a reputable FTP or web site. There was a Trojan copy of SATAN that was distributed out on the net. Note that SATAN has not been updated in quite a while, and some of the other tools below...
In a lot of shops you do not want to enable every single printer and print queue. In this case you can create an exceptions file, which contains the queue printer names that you want to exclude from enabling. You also may have special considerations if your shop uses specific forms at different times on some of the floating printers. Some shops are just print queue hell! Having the capability to keep the majority of the printers active all of the time and exclude a few is a nice thing to have.
Personal productivity tools need not be restricted to the home, however. For instance, although big word processors like StarOffice and WordPerfect are very useful in some situations, many office users don't need anything nearly so powerful. Slimmer tools like Maxwell (http://www.eeyore-mule.demon.co.uk) suit some users' needs just fine. By foregoing the resource requirements of a larger package, using such programs can help save money by allowing employees to use less powerful computers than might otherwise be required.
APT is a rather foolproof way of installing programs; nothing will go missing, since it automatically downloads and installs any files that the main application you are installing requires to run. Tracking down such files, called dependencies, proves to be a significant headache for most Linux users. The painful quest of finding and then installing this file or that, as well as any dependencies that those files themselves might have, has led to the missing dependency problem being referred to as dependency hell. APT makes that pretty much a thing of the past.
Because the system contains dynamically linked applications, you might sometimes get dependency errors when installing or upgrading software packages; in those situations, a supporting library (or application) might not be present. See Chapter 7 for more information on working with dynamically linked applications and other methods of avoiding such problems. Thankfully, dependency hell is largely a thing of the past due to programs such as yum.
The new Linux 2.4 kernel ships with a kernel module called khttpd, which is a kernel-space HTTP server. This kernel module can serve static contents, such as an HTML file or an image, faster than Apache. This is because the module operates in kernel space and directly accesses the network without needing to operate in user space like other Web servers, such as Apache. However, this module isn't a replacement for Apache or any other Web server, because it can only serve static contents. It can intercept the request for static contents and pass through requests that it can't service to a Web server such as Apache running on the same machine. You can learn more about this module at www.fenrus.demon.nl. I only recommend this module for those who need a dedicated static contents server such as an image server.
In 1993, Dan Farmer, who is also the author of the SATAN network-based audit tool, released a utility called COPS (Computer Oracle and Password System). A pioneer in the field of host-based security auditing, COPS is actually a collection of smaller tools, each of which targets a specific vulnerability in a typical Unix system that can lead to a network attack. These checks extend to areas like the anonymous FTP server, the /etc/rc.* directories, cron entries, and NFS and Sendmail vulnerabilities.
You might think that having two means of user authentication, /etc/passwd and /etc/shadow, is already enough choice, but you are wrong in this case. There are a number of other authentication methods with strange names, such as Kerberos authentication (so named after the dog from Greek mythology that guards the entrance to Hell). While we think that shadow passwords provide enough security for almost all cases, it all depends on how much security you really need and how paranoid you want to be.
Tip: After doing some research myself, I purchased a Logitech QuickCam Pro 3000. The driver for this Webcam was made for a Philips USB Webcam, but it also works for Webcams from Logitech, Samsung, Creative Labs, and Askey. Before making the purchase, I checked out the description of the driver at www.smcc.demon.nl/webcam. Nemosoft Unv.
It's also possible that the server is running, but simply refusing your connection. If so, the next item to check will be the presence of a database, in particular the default MySQL permissions database. The location /var/lib/mysql is commonly used by default for Red Hat distributions, but other distributions use varying locations. Check the MySQL startup script (for example, in /etc/init.d) and the configuration file /etc/my.cnf. Alternatively, invoke the program directly, using mysqld --verbose --help, and look for the variable datadir. Once you find the database directory, verify that it contains at least a default permissions database (called mysql) and that the server demon is using this location as specified in my.cnf.
As the all-powerful sysadmin, you can monitor nearly everything your users do on the computer, held back only by the hours in the day. Fortunately for all concerned, even the Bastard Operator From Hell doesn't have time to do this. Any good sysadmin will check in periodically, just to keep the invaders at bay.
Once an application is marked for installation, Adept will also mark all of the dependent files for installation as well. This will prevent what is referred to as dependency hell, in which not all of the required files are installed to get an application to function correctly. Notice that the requested action will change from "no change" to "install". Figure 7-20 shows mysql-server (an Open Source database server) marked for installation.
Rory Toma wrote to suggest a prompt like this: rory demon . How is this useful? You can triple-click on any previous command (in Linux, anyway) to highlight the whole line, then paste that line in front of another prompt, and the stuff between the and the is ignored, like so: rory demon rory demon rory demon
NOTE: Bear in mind that dependencies typically have their own dependencies. In other words, it's likely that you'll source all the dependencies needed by the program, only to be presented with an entirely new list. This situation is known as dependency hell, and is the main reason why APT was invented.
You might ask, "Why the hell are we playing with all these text files and commands? Why can't we just use the nice GUI tools that come with RedHat?" The simple answer is that knowing how to use a GUI tool isn't all that difficult; anyone can learn that. What's important for a computing professional, like a Systems Administrator, to know is what is going on underneath. There will be times when the GUI doesn't work or the problem you have can't be solved with the GUI. It is at times like this that you will need to understand what is going on underneath.
As discussed in Chapter 2, Moving from C++ to Java, Java object references feel much like C++ references. They are used in the source code without explicit dereferencing but are handled as pointers under the covers. This does not mean, however, that they are pointers. The only guarantee about a reference is that it resolves, somehow, to an object. The devil is in the details.
Of course, the devil is in the details. DNS is implemented by a complex network of name servers that pass requests up and down a distributed hierarchy of name servers. That part can get quite complex, but the core idea is that you have a name (the domain name) and a value (an IP address) that you join together. DNS can actually bind other information, such as multiple alias names for a single canonical name/IP pair, a mail handler name for a domain, and other general purpose data which the DNS administrator can choose to share.
A firewall is a very good application for a bootable Linux distribution. Using most any PC and a CD (or even a floppy disk) Linux distribution, you can protect your LAN from intruders and provide a route for multiple computers to the Internet. Popular firewall distributions include Devil-Linux (www.devil-linux.org) and Sentry Firewall CD (www.sentryfirewall.com). Firewall router distributions are described in Chapter 27.
TARA is a security auditing tool that runs directly on the host system. There are also network-based security auditing tools that externally probe the system. SATAN (Security Administrator's Tool for Analyzing Networks) was the first successful network-based security auditor. SATAN has had several follow-on products: SAINT (Security Administrator's Integrated Network Tool), SARA (Security Auditor's Research Assistant), and now Nessus. Nessus is available as both a source code distribution and an RPM from ftp://ftp.nessus.org.
While there have always been attempts to build a comprehensive tool for exposing network vulnerabilities on a system, it wasn't accomplished until 1995, when Dan Farmer and Wietse Venema (who also created TCP Wrappers) released the first version of SATAN (Security Administrator's Tool for Analyzing Networks). This network-based auditing tool quickly became a household word among network and systems administrators. In their 1993 landmark paper, "Improving the Security of Your Site by Breaking Into It," Farmer and Venema capitalized on the concept of building an application that would systematically attempt to break into a target system, or even a range of systems within a subnet. Two years later, SATAN was born, and the initial response from the Linux community was overwhelmingly positive. However, the release of SATAN did not come without some controversy. Although this was clearly a useful tool for uncovering your own host's vulnerabilities, it could also be used by intruders to find...
Whether (or when) Linux becomes a serious contender on the business desktop has been controversial for some time. In terms of usability, the latest versions of the KDE and GNOME desktops are comparable to Windows for most tasks. In terms of manageability, running Linux on desktops in place of Windows could save companies money in license fees and take away a wide range of administrative headaches, particularly in terms of security and software licensing and auditing. OpenOffice and StarOffice are now capable of almost everything that Microsoft Office can do. However, the devil is in the detail. A very powerful factor preventing change is the use of particular specialized applications that may be available only on Windows. (In practice, as we will discuss in Chapter 32, the need for particular Windows applications can often be handled fairly easily, particularly in a larger organization.) Other factors inhibiting the switch to Linux desktops are a common strong psychological resistance...
OpenGL (and its predecessor GL) has long been the de facto standard for 3D modeling. OpenGL provides an open API but not an open reference implementation. Mesa provides an open source (GPL) implementation of an API very similar to OpenGL that runs under Linux and many other platforms. Hardware acceleration is available for 3Dfx Voodoo-based cards. For more information on Mesa, visit http://www.mesa3d.org. Metrolink provides a licensed OpenGL implementation as a commercial product; visit http://www.metrolink.com/opengl for more information. Frame buffer devices provide an abstraction for access to the video buffer across different processor architectures. The Framebuffer HOWTO, at HOWTO-framebuffer-1.0pre3.html, provides more information. Vesafb provides frame buffer device support for VESA 2.0 video cards on Intel platforms. Unfortunately, the VESA specification appears to be a broken specification that only works when the CPU is in real mode instead of protected mode, so switching video...
You can automate many curtains by simply wrapping the U-shaped pulling cords around an electric motor. Naturally, the devil is in the details, so there are a few prebuilt motor and pulley systems on the market that are able to open and close curtains, mounted into a head rail. They include the Regency PowerMotion, Universal Curtain Motor (UCM), and the Add-a-Motor 80 (CM80).
In addition, Linux will work with the following Ethernet cards once you go out and grab patches from the Internet: 3Com Demon Ethercards (3C592, 3C597 (100 mbps)) (EISA), with the patch at http; 3Com Vortex Ethercards (3C590, 3C595 (100 mbps)) (PCI), with the patch at; DEC 21040/21140 Tulip, with a patch at; SMC PCI EtherPower 10/100, with a patch at; and the HP J2585 (PCI) and HP J2573 (ISA) (ATT2MDx1 100VG), with a patch at
NOTE: Numerous older security applications are also available for Linux, such as COPS (Computer Oracle and Password System) to check password security; Tiger, which scans your system for unusual or unprotected files; and SATAN (Security Administration Tool for Analyzing Networks), which checks your system for security holes. Crack is a newer password auditing tool that you can use to check how well your password security performs under dictionary attacks.
Because Linux competes with Wind River's closed source VxWorks operating system, the company has had a mixed view of Linux and open source, to the point of running a seven levels of open source hell campaign complete with gargoyles. Over the years, Wind River has warmed to Linux, but it's still viewed as a secondary offering to VxWorks.
Completing the MTA trilogy is Postfix, developed by Wietse Venema, who brought us other proven security packages (SATAN, TCP Wrappers). The Postfix project is at a much earlier stage than Sendmail and Qmail, and as of the writing of this book, Wietse still calls the shipping version Beta. In fact, releases are tagged with snapshot numbers (dates, really), rather than real (major.minor) version numbers.
Doing many things at the same time, that old multitasking demon, can create quite the clutter. Imagine you are copying a number of large files from one folder to another or from one system to another. Historically, you would see a number of little progress boxes telling you how each of those copies was progressing. On the right-hand side of the panel, KDE 4.2 now provides an enhanced system tray that multitasks as a notification area, so you can check the progress of those events or just hide them out of the way (Figure 11). The system tray also is configurable with a right-click so you can hide icons you rarely or never use.
The antiword package is no longer included in the SUSE Professional version. It can be obtained from www.winfield.demon.nl. Provided you have the necessary tools installed, it is very quick and easy to install: unpack the archive and run make and make install. You can install it as a user without root privileges; the binary will be copied to your bin directory.
Like desktop machines, there are a wide range of configurable options with ITX machines including TV (S-Video) and DVI output, compact flash (CF) adapters for diskless operation, wireless networking, and so on. They also have standard PCI ports for other cards. This configurability is both their manacle and demonic charm, because the workability of any particular device isn't necessarily known when you buy the machine. Although any ITX is powerful enough to run all the basic services of an HA setup, most machines cannot transcode media fast enough, and the older ones cannot play back modern formats (such as DivX, which has a fairly high CPU requirement). Furthermore, there are some issues with outputs, other than SVGA, being supported by the Linux drivers, making it an issue for using them as a head box for anything other than projectors. New combinations of ITX are released on a regular basis, along with updated drivers, so always check with your dealer for support, along with the...
SATAN: Security Analysis Tool for Auditing Networks (SATAN) collects information about networked hosts by examining certain services such as NFS, NIS, FTP, and others. The following list briefly describes twelve of the vulnerable areas that are checked. Note: Be careful using SATAN because it does have an exploratory mode that will scan SATAN is found at satan, where you can download the source, reconfigure it for your system, and compile it. Follow the instructions provided with the code. Similar to SATAN, Internet Security Scanner (ISS) also scans your system, but is limited to an IP range. It looks for known vulnerabilities left open by the administrator. The following list describes the services checked by this tool.
Needham and M.D. Schroeder at MIT, Kerberos gets its name from the three-headed dog that, according to Greek mythology, guarded the entrance to the underworld. In real life, Kerberos is a service based on secret keys that is used for strong authentication of users and services. Instead of providing separate authentication credentials to each server on your network, Kerberos allows users to request their credentials once in the form of a Kerberos ticket and then use this ticket to authenticate themselves to any Kerberos-enabled server on your network. Both users and servers rely on a central Key Distribution Center (KDC) to obtain and authenticate tickets.
Again, the emphasis on this facet of planning may appear unwarranted; it perhaps seems obvious that plans need to be kept up to date. One or two imaginary scenarios can help flesh out the possibilities here, and the need for attention to details. As the old saying goes, the devil is in the details, and that is perhaps nowhere more true than in the formulation of plans for recovering from disasters.
As it happens, there's a rich toolkit available to Linux users for building, securing and using file servers, mainly in the form of Jeremy Allison and Andrew Tridgell's Samba suite of demons and commands, plus various graphical tools that supplement them. For the next few columns, I'm going to show you how to build a secure Samba file server using both command-line and GUI tools. On your Samba server, you're going to need your distribution's packages for Samba's libraries; the Samba demons smbd, nmbd and winbindd; the Samba client commands smbclient, smbmount and so forth (which are useful even on servers for testing Samba configurations); and also the Web-based configuration tool SWAT (Figure 1). Naturally, nearly all these things are contained in packages whose names don't correspond neatly with the names of their component demons, libraries and so forth, but I give some pointers on those shortly.
Get LinCity from the Red Hat FTP site. Or, you can get it from the LinCity home page (www.floot.demon.co.uk/lincity.html) and look for a download link. Download and install the package as directed. To start LinCity, type the following command (it's probably located in /usr/local/bin)