You have used a domain name that is in use.
mydomain.com is registered and has a dns of 66.150.120.131, so ping
mydomain.com should try to get an answer from 66.150.120.131.
--
I don't think I'm gonna agree with that. Way too much visual confusion...
-- Larry Wall in <1997090216...@wall.org>
----------------------
Mandriva Linux release 2008.1 (Official) for x86_64
2.6.24.7-server-1mnb AMD Athlon(tm) 64 X2 Dual Core Processor 5000+
----------------------
> On Sat, 16 Aug 2008 00:06:17 -0700, Eric wrote:
>
>> Suppose I'm a 1 machine local network: 192.16.1.55 I give myself a host
>> name like mypc.mydomain.com Also, resolv.conf has 2 dns's listed and
>> lastly a line that reads: search mydomain.com
>> If I ping mydomain.com shouldn't it send the pings to 192.168.1.55?
>> All my postfix traffic, ping and so forth are not going to myself but
>> off my network to another unrelated place on the net. I must have
>> something mis-configured? Thanks
>> Eric
>
> You have used a domain name that is in use.
>
> mydomain.com is registered and has a dns of 66.150.120.131, so ping
> mydomain.com should try to get an answer from 66.150.120.131.
Don't take mydomain.com literally, I just made it up as an example.
Eric
> On Sat, 16 Aug 2008 00:06:17 -0700, Eric wrote:
>
>> Suppose I'm a 1 machine local network: 192.16.1.55 I give myself a host
>> name like mypc.mydomain.com Also, resolv.conf has 2 dns's listed and
>> lastly a line that reads: search mydomain.com
>> If I ping mydomain.com shouldn't it send the pings to 192.168.1.55?
>> All my postfix traffic, ping and so forth are not going to myself but
>> off my network to another unrelated place on the net. I must have
>> something mis-configured? Thanks
>> Eric
>
> You have used a domain name that is in use.
>
> mydomain.com is registered and has a dns of 66.150.120.131, so ping
> mydomain.com should try to get an answer from 66.150.120.131.
Actually, you are right. A while after I read your post I went and
checked the actual domain name I was using and had been using for a long
time, and found that some jerk registered over 1.6 million domain names
yesterday that he never intends to actually use. Mine was one of them.
I thought you could use any name you wanted on a non-internet, local
network behind a router. Shouldn't it check my hosts file and use that
information before it checks internet DNS?
When I ping my hostname:
[wes@wes2 ~]$ hostname
wes2.com
[wes@wes2 ~]$ ping wes2.com
PING wes2.com (127.0.0.1) 56(84) bytes of data.
64 bytes from wes2.com (127.0.0.1): icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from wes2.com (127.0.0.1): icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from wes2.com (127.0.0.1): icmp_seq=3 ttl=64 time=0.053 ms
64 bytes from wes2.com (127.0.0.1): icmp_seq=4 ttl=64 time=0.047 ms
64 bytes from wes2.com (127.0.0.1): icmp_seq=5 ttl=64 time=0.051 ms

--- wes2.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.041/0.048/0.053/0.004 ms
[wes@wes2 ~]$
--
Want the ultimate in free OTA SD/HDTV Recorder? http://mythtv.org
My Tivo Experience http://wesnewell.no-ip.com/tivo.htm
Tivo HD/S3 compared http://wesnewell.no-ip.com/mythtivo.htm
AMD cpu help http://wesnewell.no-ip.com/cpu.php
> Actually, you are right. A while after I read your post I went and
> checked the actual domain name I was using and had been using for a long
> time, and found that some jerk registered over 1.6 million domain names
> yesterday that he never intends to actually use. Mine was one of them.
That is why you should use whatever.invalid or whatever.test
http://www.rfc-editor.org/rfc/rfc2606.txt
> I thought you could use any name you wanted on a non-internet, local
> network behind a router.
And what happens if a packet/message escapes your LAN? :(
Use 192.168.x.x and xxxx.invalid or xxxx.test
just to keep your experiments from getting out on the Internet.
> Shouldn't it check my hosts file and use that
> information before it checks internet DNS?
Depends on what is doing the lookup, and how.
Something else which affects resolution order:
/etc/host.conf and /etc/nsswitch.conf
Line of interest in nsswitch.conf found with
$ grep hosts: /etc/nsswitch.conf
In everything I have ever seen concerning local private networks (the ones
on 192.168.x.x) I have never heard an admonishment to use .invalid or .test.
If that were going to be a problem I would think it would be very common,
as people generally make up and use whatever name they want.
What you're saying, in so many words, is: you must go and register a domain
name to use on your local network.
My nsswitch.conf
passwd: files compat
shadow: files
group: files compat
hosts: files nis dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files
aliases: files
hosts:
127.0.0.1 wgf1.mypersonaldomain.net wgf1 localhost localhost.localdomain
I also tried
127.0.0.1 localhost localhost.localdomain
192.168.1.55 wgf1.mypersonaldomain.net wgf1
resolv.conf:
nameserver 68.87.69.146
search localhost
ping wgf1 will ping an internet host somewhere out there and not my system
host
host mypersonaldomain.net will return the address of some internet company
out there and not my system
The system is acting like /etc/hosts is being ignored
Eric
> In everything I have ever seen concerning local private networks (the ones
> on 192.168.x.x) I have never heard an admonishment to use .invalid or .test.
Ok, consider my reply to be your first. :-)
I do admit, I do not bother to verify /every one's/ domain when working
a network problem. I have more than once suggested .invalid or .test.
I have noticed more and more people using .invalid
> If that were going to be a problem I would think it would be very common,
> as people generally make up and use whatever name they want.
Heheheh, and look what happened when yours suddenly broke. :(
> What you're saying, in so many words, is: you must go and register a domain
> name to use on your local network.
Not suggesting that at all.
I suggest adding .invalid or .test to whatever domain you want on the LAN.
If you were to run your own DNS resolver (say named/bind) then you can
have whatever you like and not bother anyone else on the Internet.
Assuming all nodes on the LAN use it.
> ping wgf1 pings an internet host somewhere out there and not my system host
Based on your nsswitch, I would have thought so.
What is the output from
cat /etc/host.conf
> host mypersonaldomain.net will return the address of some internet company
> out there and not my system
That I could believe.
One, mypersonaldomain.net is not in your hosts file.
Two, that will cause external DNS server queries.
$ host $(hostname)
wm81.home.test has address 192.168.1.131
$ hostname -d
home.test
$ host $(hostname -d)
$
See, attempting to look up my domain returned nothing.
It is not registered and I did not set up my DNS server named to
respond with a value.
$ host mail
mail.home.test is an alias for wm81.home.test.
wm81.home.test has address 192.168.1.131
but
$ grep mail /etc/hosts
$
returned nothing.
> The system is acting like /etc/hosts is being ignored
What is the contents of
cat /etc/sysconfig/network
and
hostname --fqdn
> The system is acting like /etc/hosts is being ignored
The host and nslookup commands will ignore the /etc/hosts file, however the ping
command should check /etc/hosts ...
[dave@hodgins ~]$ cat /etc/hosts
127.0.0.1 hodgins.homeip.net hodgins localhost localhost.localdomain
193.193.193.3 fred.invalid
[dave@hodgins ~]$ host fred.invalid
Host fred.invalid not found: 3(NXDOMAIN)
[dave@hodgins ~]$ nslookup fred.invalid
** server can't find fred.invalid: NXDOMAIN
[dave@hodgins ~]$ ping -c 1 fred.invalid
PING fred.invalid (193.193.193.3) 56(84) bytes of data
[dave@hodgins ~]$ grep hosts /etc/nsswitch.conf
hosts: files dns
You should not be using email.net for usenet, unless you have permission
from the registered owner.
You can register a hostname for free. I have done so for hodgins.homeip.net
at http://www.dyndns.com/ and nomail.afraid.org at https://freedns.afraid.org:443/
In the case of hodgins.homeip.net, I've selected the wildcard option, so I can
use anything.hodgins.homeip.net.
I set up nomail.afraid.org specifically for use in usenet. Any email sent to it
is going to a spamtrap. I've given permission to everyone to use it in their from
addresses on usenet.
If you don't want to register a domain then you should follow
http://www.rfc-editor.org/rfc/rfc2606.txt
The only domain names reserved for "non-existent" domains are
.test, .example, .invalid and .localhost, and only those names.
All other domain names may, eventually be put into use.
I also have bind installed and running. In
/var/lib/named/etc/adblock.conf I have ...
adblock.conf:zone "hodgins.homeip.net" { type master; notify no; file "/etc/db.adblock"; };
so anything running on the localhost will get 127.0.0.1 as the ip for the
hostname. Anything running from another system will get the last ip my
ppp connect script has updated at dyndns.
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
> On Sat, 16 Aug 2008 13:02:45 -0700, Eric wrote:
>
>> In everything i have ever seen concerning local private networks (the ones
>> on 192.168.x.x) I have never heard an admonishment to use .invalid or .test
>
> Ok, consider my reply to be your first. :-)
One warning that should be added to this thread. If you do use a hostname
ending with .invalid, or .example, some programs like leafnode will refuse
to work. See http://groups.google.ca/group/alt.os.linux.mandriva/msg/1aec916f19438eec?
It's best to register and use your own hostname.
I still say .test should be valid in leafnode. :-D
In either case, setting the hostname variable in leafnode.conf will let
leafnode run.
> On Sat, 16 Aug 2008 16:46:25 -0400, Bit Twister
> <BitTw...@mouse-potato.com> wrote:
>
>> On Sat, 16 Aug 2008 13:02:45 -0700, Eric wrote:
>>
>>> In everything i have ever seen concerning local private networks (the
>>> ones on 192.168.x.x) I have never heard an admonishment to use .invalid
>>> or .test
>>
>> Ok, consider my reply to be your first. :-)
>
> One warning that should be added to this thread. If you do use a hostname
> ending with .invalid, or .example, some programs like leafnode will refuse
> to work. See
> http://groups.google.ca/group/alt.os.linux.mandriva/msg/1aec916f19438eec?
>
> It's best to register and use your own hostname.
>
> Regards, Dave Hodgins
>
What about the millions of Windows users who just make up a name?
Surely this would have generated a flood of queries about mis-directed pings
to their own systems by now.
Another example: if I can't use any name I want, why does my laptop work
properly when it has my employer's domain name?
My local network, being on 192.168.x.x behind a router (and a cable modem)
is address isolated from the internet. If my neighbor is on the same
192.168.x.x address and behind a router and cable modem it matters not a
bit and I'll never be able to resolve any host on his network. e.g. ping
joe.whatever.net won't ever return a 192.168.x.x address. If joe pings
joe.whatever.net it will *always* return the 192.168.x.x address of joe's
system and not my system of 192.168.x.x. Not only that, but if joe decides
to name his network google.com then the only adverse effect he should see
is that he won't be able to get to the real google, because the resolver will
always say "HEY! google.com is right here on 192.168.x.x" on joe's network.
Good point about email.net, I fixed it.
for bittwister:
# cat /etc/host.conf
order hosts,bind
multi on
nospoof on
Thanks
Eric
> My local network, being on 192.168.x.x behind a router (and a cable modem)
> is address isolated from the internet. If my neighbor is on the same
> 192.168.x.x address and behind a router and cable modem it matters not a
> bit and I'll never be able to resolve any host on his network. e.g. ping
> joe.whatever.net won't ever return a 192.168.x.x address.
That is correct, the ISP gateway is supposed to drop 192.168.x.x addresses.
> # cat /etc/host.conf
> order hosts,bind
> multi on
> nospoof on
Figured that was ok, still waiting for
cat /etc/sysconfig/network
and hostname --fqdn
results.
> ping wgf1 will ping an internet host somewhere out there and not my system
> host
> host mypersonaldomain.net will return the address of some internet company
> out there and not my system
>
> The system is acting like /etc/hosts is being ignored
Just for fun, put a # in front of your search line in /etc/resolv.conf,
save, and try the ping -c1 wgf1 again.
Do remember to remove the # on the search line.
> What about the millions of Windows users who just make up a name?
Most of them are not running any real servers, where the name matters.
How many Windows users do you know who run an SMTP server? Most use either
their ISP's SMTP server, or webmail.
> Another example: if I can't use any name I want, why does my laptop work
> properly when it has my employer's domain name?
It isn't that you cannot use any name you want, just that it is not a good idea
from a networking point of view, and can be abusive. There are two reasons for
using a valid hostname, or an RFC 2606 compliant name.
The first reason, is that using a name that is registered to someone else
will break applications that pick up the ip address from a name server, that
is not under your control. Keep in mind that some applications, such as host
and nslookup will not use /etc/hosts, no matter what you have in /etc/resolv.conf,
so any scripts or programs that call them, also will fail.
The second reason, is that you may end up sending unwanted traffic to the
real owner.
> Good point about email.net, I fixed it.
Do you have permission for junkemail.net, from the registered owner, Lycos Inc?
The problem with making up names, even if you check to ensure they are not currently
in use, is that they may be registered in the future. Even if you pick an invalid
top level domain, that tld may someday become valid.
For usenet, you are welcome to use @nomail.afraid.org.
> How many windows users do you know, who run a smtp server?
About 85% of them, I'd say... ;-)
http://en.wikipedia.org/wiki/Botnet
Sorry about that... With a cue like that, I just couldn't resist... :p
--
*Aragorn*
(registered GNU/Linux user #223157)
Heheheh, reminds me of when cracking boxes was for fun by the kids.
First thing they did was harden the box so no one else could crack it.
Newbie wound up with a more secure system.
Well, one of the great things about UNIX systems and GNU/Linux in particular
is that the system itself is already so secure out of the box that a
serious system administrator doesn't have any difficulty at all at keeping
the system secure enough.
For instance, there's that whole firewall thing. For someone running
GNU/Linux on a box that's connected to the internet via a simple enduser
client connection, there's no need to run a firewall at all. A system
that's properly set up and that disallows root logins - especially remote
ones - is secure enough.
I've been running GNU/Linux since late November 1999, and I only got an
internet connection as of April 2000. I've never set up a firewall -
although I have used /iptables/ to set up NAT and PAT - and I've never had
any problems with malware or anyone trying to break into my system.
Of course - and as explained in my Partitioning Mini-HowTo posted in this
group recently - I do keep a lot of my filesystems mounted read-only, and
the ones mounted read/write all have carefully selected mount options.
Root logins over /ssh/ are disabled, as are direct root logins on the
console. Single user mode requires /sulogin./
I also don't believe in the "if I plug it in, it must be automagically
configured and set up" paradigm. That's single-user thinking, a Windows
mentality. I treat my system the way UNIX was developed, i.e. as a
multi-user system. No automounting, etc.
It's just that most users here come from the Windows world and some may even
still be using Windows alongside GNU/Linux. Windows is flawed by design,
and thus the experience with Windows makes people think that they are
exposed to the same kinds of threats in GNU/Linux that they were exposed to
in Windows.
And sadly enough, distromakers like Mandriva don't do anything to discourage
this misconception. If anything, they're actually feeding it.
Oh well... ;-)
> hosts:
> 127.0.0.1 wgf1.mypersonaldomain.net wgf1 localhost
> localhost.localdomain
> I also tried
> 127.0.0.1 localhost localhost.localdomain 192.168.1.55
> wgf1.mypersonaldomain.net wgf1
Change this to;
127.0.0.1 mypersonaldomain.net mypersonaldomain localhost
> On Sat, 16 Aug 2008 17:16:03 -0400, David W. Hodgins wrote:
[snip]
>> One warning that should be added to this thread. If you do use a
>> hostname ending with .invalid, or .example, some programs like
>> leafnode will refuse
>> to work. See
>>
http://groups.google.ca/group/alt.os.linux.mandriva/msg/1aec916f19438eec?
>>
>
> I still say .test should be valid in leafnode. :-D
>
> In either case, setting the hostname variable in leafnode.conf will
> let leafnode run.
It is quite easy to get a globally unique "FQDN" for free that
does not represent any real machine to identify posts from
your machine.
Point your browser to http://motzarella.org/ for an example.
Although, if your ISP was on the ball they should give you
one to put in leafnode's hostname variable. Don't hold
your breath.
--
Peter D.
Sig goes here...
ping works ok if I have no search line or if it says search localhost.
The host command always shows the foreign host.
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=wgf1.mypersonaldomain.net
#hostname --fqdn
wgf1.mypersonaldomain.net
> On Sat, 16 Aug 2008 17:14:12 -0700, Eric wrote:
>
>> My local network, being on 192.168.x.x behind a router (and a cable
>> modem) is address isolated from the internet. If my neighbor is on the
>> same 192.168.x.x address and behind a router and cable modem it matters
>> not a bit and I'll never be able to resolve any host on his network. e.g.
>> ping joe.whatever.net won't ever return a 192.168.x.x address.
>
> That is correct, the ISP gateway is supposed to drop 192.168.x.x addresses.
Do you agree with my statement that:
"If joe pings joe.whatever.net it will *always* return the 192.168.x.x
address of joe's system and not my system of 192.168.x.x"
>
Yes.
Just for fun, modify /etc/hosts
127.0.0.1 localhost.localdomain localhost
127.0.0.1 wgf1.mypersonaldomain.net wgf1
set your search mypersonaldomain.net
ping -c1 wgf1
Looking at ping
$ strings /bin/ping | grep gethostby
gethostbyaddr
gethostbyname
I would have expected ping to call gethostbyname with wgf1
The resolver would add mypersonaldomain.net because of the
search mypersonaldomain.net
and look for wgf1.mypersonaldomain.net in /etc/hosts
and return 127.0.0.1 to ping.
> host command always shows the foreign host
And always will. DNS resolution tools, host, nslookup, dig... will
ignore /etc/hosts and use a DNS server.
Your options, worst to best choice:
1 pick another unregistered domain name :(
2 install bind, use opendns DNS servers (208.67.222.222 208.67.220.220)
as forwarders.
3 change .net to .invalid or .test
4 register a domain name. :-)
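Dave's point that host and nslookup go straight to the nameserver while ping goes through the C library (nsswitch, /etc/hosts), and Bit Twister's walk-through of gethostbyname with the search list, modelled as an added Python example that is not code from anyone in the thread. The file contents, the fake DNS table (the thread's squatter address 66.150.120.131 standing in for whatever the real registrant serves) and the function names are constructed assumptions.

```python
"""Simulated name resolution: what ping (gethostbyname) sees versus what
host/nslookup see.  Added example; file contents and DNS table are constructed."""
import re

# Constructed /etc/hosts, modelled on the thread (Eric's wgf1, Dave's fred.invalid).
HOSTS_FILE = """\
127.0.0.1      localhost localhost.localdomain
127.0.0.1      wgf1.mypersonaldomain.net wgf1
193.193.193.3  fred.invalid
"""
NSSWITCH_FILE = "passwd: files compat\nhosts: files nis dns\n"
RESOLV_CONF = "nameserver 68.87.69.146\nsearch mypersonaldomain.net\n"

# Fake public DNS: the record a squatter who registered the real name serves.
FAKE_DNS = {
    "mypersonaldomain.net": "66.150.120.131",
    "wgf1.mypersonaldomain.net": "66.150.120.131",
}

# RFC 2606 top-level names that will never be delegated on the Internet.
RFC2606_TLDS = {"test", "example", "invalid", "localhost"}


def parse_hosts(text):
    """Map every name on each /etc/hosts line to its address (first match wins)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def parse_nsswitch(text):
    """Source order from the hosts: line; glibc falls back to 'files dns'."""
    for line in text.splitlines():
        m = re.match(r"\s*hosts:\s*(.+)", line)
        if m:
            return m.group(1).split()
    return ["files", "dns"]


def parse_search(text):
    """Search list from resolv.conf; the last search/domain line wins."""
    domains = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("search", "domain"):
            domains = parts[1:]
    return domains


def candidates(name, search, ndots=1):
    """Names the stub resolver tries, in glibc order (ndots rule)."""
    if name.endswith("."):
        return [name.rstrip(".")]           # absolute name: no search list
    qualified = [f"{name}.{d}" for d in search]
    if name.count(".") >= ndots:
        return [name] + qualified           # as given first, then search list
    return qualified + [name]               # short name: search list first


def dns_lookup(name):
    """Stand-in for host/nslookup: asks only the nameserver, never /etc/hosts."""
    return FAKE_DNS.get(name.rstrip(".").lower())


def nss_lookup(name, hosts=HOSTS_FILE, nsswitch=NSSWITCH_FILE, resolv=RESOLV_CONF):
    """Stand-in for gethostbyname(): walks the nsswitch sources per candidate.

    Returns (address, "source:name-that-matched") or (None, None)."""
    table = parse_hosts(hosts)
    sources = parse_nsswitch(nsswitch)
    for cand in candidates(name, parse_search(resolv)):
        for src in sources:                 # sources we do not model (nis) are skipped
            if src == "files" and cand.lower() in table:
                return table[cand.lower()], f"files:{cand}"
            if src == "dns":
                addr = dns_lookup(cand)
                if addr:
                    return addr, f"dns:{cand}"
    return None, None


def lan_domain_is_safe(domain):
    """True only when the TLD is one RFC 2606 reserves, so nobody can register it."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower() in RFC2606_TLDS


if __name__ == "__main__":
    for query in ("fred.invalid", "wgf1", "mypersonaldomain.net"):
        print(f"{query:24} ping sees {nss_lookup(query)}  host sees {dns_lookup(query)}")
    for dom in ("mypersonaldomain.net", "home.test"):
        print(f"{dom:24} safe LAN domain: {lan_domain_is_safe(dom)}")
```

Running it shows fred.invalid resolving from /etc/hosts for ping but NXDOMAIN (None) for host, wgf1 completing to wgf1.mypersonaldomain.net from the search list, and the bare mypersonaldomain.net (absent from /etc/hosts) falling through to the squatter's DNS record, which is where Eric's postfix traffic went.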
>The problem with making up names, even if you check to ensure they are
>not currently in use, is that they may be registered in the future.
Hence RFC2606.
>Even if you pick an invalid top level domain, that tld may someday
>become valid.
By next spring, businesses and other organizations will be able to
apply for any top-level domain they can possibly think of, like
arstechnica.awesome or google.thegoogle. Joking aside, the Internet
Corporation for Assigned Names and Numbers (ICANN) voted today in Paris
on a measure that significantly expands the scope of generic Top Level
Domains (gTLDs), allowing organizations to apply for almost any domain
suffix they can dream up.
Up until now, the rules for TLDs have been rather strict and tightly
regulated. Beyond the typical .com, .net, and .org, there are only a
handful of other TLDs that IP addresses can be registered under,
including .tv, .biz, .mobi, and .us. Thanks to today's unanimous vote,
however, the list of possible options will skyrocket. "What we're
effectively doing is opening up huge amounts of online real estate,"
ICANN president and CEO Paul Twomey told the Wall Street Journal before
the vote took place.
Late June 2008. The up-side for ICANN is that they will charge huge
amounts of ca$h for allowing you to create your own vanity TLD. The
down-side is that every freakin' id10t in the world knows that all
hostnames begin with 'www.' and end with '.com'. For those wondering
what TLDs exist now, see http://www.iana.org/domains/root/db/
Old guy
>Well, one of the great things about UNIX systems and GNU/Linux in
>particular is that the system itself is already so secure out of the
>box that a serious system administrator doesn't have any difficulty at
>all at keeping the system secure enough.
Running *nix is not a magic bullet that makes you immune from all of
the nasties out in the world. Anyone can screw up just about anything
because nothing is fool proof, and they keep inventing improved fools
every day.
In the mid-1990s, the average open mail relay was an out-of-box Linux
system, usually running Red Hat or Caldera (Mandrake didn't come along
until 5.1 released in July 1998). Why? Because the default installs
included sendmail configured to be a relay. That's obviously changed.
>For instance, there's that whole firewall thing. For someone running
>GNU/Linux on a box that's connected to the internet via a simple enduser
>client connection, there's no need to run a firewall at all.
Depends what the system is running. A basic workstation - I'm inclined
to agree with you. The "install everything!!!111" setup beloved by the
eleet wanna-be's - quite another situation.
>A system that's properly set up and that disallows root logins -
>especially remote ones - is secure enough.
This goes along the ideas of an OpenBSD model, and Theo's mantra that
no OpenBSD box has ever been hacked (sic) in an out-of-box condition.
That may be true, but the reason is simple - even if you install
everything, no servers are enabled, and in order to get them working
you first have to find out how to enable them. It's the same thing as
saying that MS-DOS 3.3 was absolutely immune to network attacks as
installed.
>I've been running GNU/Linux since late November 1999, and I only got an
>internet connection as of April 2000. I've never set up a firewall -
>although I have used /iptables/ to set up NAT and PAT - and I've never
>had any problems with malware or anyone trying to break into my system.
Let's just say that my Linux experience goes back to the early 1990s,
and I've been using various forms of UNIX for over a decade before that.
No one trying to break in - what, not running sshd on port 22? ;-)
>It's just that most users here come from the Windows world and some may
>even still be using Windows alongside GNU/Linux. Windows is flawed by
>design, and thus the experience with Windows makes people think that
>they are exposed to the same kinds of threats in GNU/Linux that they
>were exposed to in Windows.
Let's face it - VERY FEW Linux users have had _any_ training in the
operating system. Thus, they are going with the flawed experience that
they do have - which means windoze.
>And sadly enough, distromakers like Mandriva don't do anything to
>discourage this misconception. If anything, they're actually feeding
>it.
When I started learning UNIX, it was six months before I realized who
this 'root' user was. It was close to a year before I got limited
access to some privileged commands - the equivalent of 'sudo' or
'su -c', and about 18 months before I got a root password. Even then,
I was terrified that I'd screw up, and fumble-finger some command which
would bring the entire system crashing down about me, and the users
would be running about with torches and pitch-forks looking for me.
Today, (with the exception of Ubuntu and clones) root is the first
account a new user gets access to. For a system that the unskilled
gain access to with no training/skills - what can you expect?
Old guy
So then it should matter (except for masking) what name you choose to use
on a private network. This is why winders users get away with picking any 8
letter name they like.
Anyway, I have this fixed now - for good.
The guy who bought all those domain names only owned my (the one I was
using) domain for 5 days; today he dropped it (go figure). I registered it
in my name and that's the end of that :-)
Eric
<snip>
> So then it should matter (except for masking) what name you choose to
> use on a private network. This is why winders users get away with picking
> any 8 letter name they like.
<snip>
Not exactly. The "8 letter name" is not a "domain name", but rather a
"netbios name" for the computer. A "domain name" (IP type, not an Active
Directory domain) must be set up elsewhere, as in the network setup/TCP/IP
properties.
--
BOFH excuse #106:
The electrician didn't know what the yellow cable was so he yanked the
ethernet out.
> On Sun, 17 Aug 2008, in the Usenet newsgroup alt.os.linux.mandriva, in
> article <S9Mpk.12732$JM....@newsfe16.ams2>, Aragorn wrote:
>
>> Well, one of the great things about UNIX systems and GNU/Linux in
>> particular is that the system itself is already so secure out of the
>> box that a serious system administrator doesn't have any difficulty at
>> all at keeping the system secure enough.
>
> Running *nix is not a magic bullet that makes you immune from all of
> the nasties out in the world. Anyone can screw up just about anything
> because nothing is fool proof, and they keep inventing improved fools
> every day.
Well, I tend to agree with you there on the theory, but let's face it:
GNU/Linux is a de facto secure enough system, and the development
mechanisms of FOSS make it far less prone to bugs or security exploits.
Sure, security flaws do exist, but they're patched relatively soon in
comparison to proprietary software, and particularly compared to
Windows. :-)
> In the mid-1990s, the average open mail relay was an out-of-box Linux
> system, usually running Red Hat or Caldera (Mandrake didn't come along
> until 5.1 released in July 1998).
My first distribution was /Linux-Mandrake/ 6.0 PowerPack, with the 2.2.9
kernel, and KDE 1.1.1. :p I installed it on a Pentium II with 128 MB of
first-generation SD-RAM. :-)
>> For instance, there's that whole firewall thing. For someone running
>> GNU/Linux on a box that's connected to the internet via a simple enduser
>> client connection, there's no need to run a firewall at all.
>
> Depends what the system is running. A basic workstation - I'm inclined
> to agree with you. The "install everything!!!111" setup beloved by the
> eleet wanna-be's - quite another situation.
You would certainly introduce a promiscuity factor there, but let's face it,
enduser connections are usually quite anonymous. In Windows, even an
anonymous connection would be hazardous because Windows itself tends to
phone home, especially since some 85% of all enduser Windows machines are
part of at least one and possibly multiple botnets.
>> A system that's properly set up and that disallows root logins -
>> especially remote ones - is secure enough.
>
> This goes along the ideas of an OpenBSD model, and Theo's mantra that
> no OpenBSD box has ever been hacked (sic) in an out-of-box condition.
Actually, OpenBSD has been compromised on one and possibly two occasions,
but that was a long time ago. ;-)
>> I've been running GNU/Linux since late November 1999, and I only got an
>> internet connection as of April 2000. I've never set up a firewall -
>> although I have used /iptables/ to set up NAT and PAT - and I've never
>> had any problems with malware or anyone trying to break into my system.
>
> Let's just say that my Linux experience goes back to the early 1990s,
> and I've been using various forms of UNIX for over a decade before that.
I've had some minor UNIX experience in the early 1990s, but not with root
privileges, and no X Window stuff. I did however (and do still) own a
pocketbook on UNIX and XENIX.
It was actually only by installing GNU/Linux in 1999 that I got hands-on
access to the root account and that I got to be more familiar with the
system.
> No one trying to break in - what, not running sshd on port 22? ;-)
Yes, I am, but my network connection is low profile and my ISP blocks almost
all ports beneath 1024 to whatever lies outside of its own subnet. So if I
want to /ssh/ into my machine from anybody else's computer, then this
person would have to have the same ISP as I do.
Officially they do that for security reasons, but the truth is that they block
those ports because your internet connection's EULA doesn't cover use as a
publicly accessible server.
>> It's just that most users here come from the Windows world and some may
>> even still be using Windows alongside GNU/Linux. Windows is flawed by
>> design, and thus the experience with Windows makes people think that
>> they are exposed to the same kinds of threats in GNU/Linux that they
>> were exposed to in Windows.
>
> Let's face it - VERY FEW Linux users have had _any_ training in the
> operating system. Thus, they are going with the flawed experience that
> they do have - which means windoze.
This is why I regret that Mandriva and so many other distributions tend to
cater to those habits and profile GNU/Linux as "a Windows alternative",
instead of profiling it as "a UNIX-like system".
>> And sadly enough, distromakers like Mandriva don't do anything to
>> discourage this misconception. If anything, they're actually feeding
>> it.
>
> When I started learning UNIX, it was six months before I realized who
> this 'root' user was.
Well, I had read the book - mentioned higher up - first, so I already did
know. :-)
> It was close to a year before I got limited access to some privileged
> commands - the equivalent of 'sudo' or 'su -c', and about 18 months before
> I got a root password. Even then, I was terrified that I'd screw up, and
> fumble-finger some command which would bring the entire system crashing
> down about me, and the users would be running about with torches and
> pitch-forks looking for me.
It's silly, but before I used GNU/Linux, I too had that very same feeling
when sitting at a UNIX console. I was constantly afraid that I'd screw up
somewhere and bring the whole system down or something. :-)
> Today, (with the exception of Ubuntu and clones) root is the first
> account a new user gets access to. For a system that the unskilled
> gain access to with no training/skills - what can you expect?
A wise man once said that if you treat your customers like idiots, idiots
will be the customers you get... :-)
>*Moe Trin* wrote
>> Running *nix is not a magic bullet that makes you immune from all of
>> the nasties out in the world. Anyone can screw up just about
>> anything because nothing is fool proof, and they keep inventing
>> improved fools every day.
>
>Well, I tend to agree with you there on the theory, but let's face it:
>GNU/Linux is a de facto secure enough system, and the development
>mechanisms of FOSS make it far less prone to bugs or security exploits.
But it can't make it impossible for the clueless to screw up. The
separation of ownership of system versus user files makes it more
difficult, but windoze has this as well, and because the windoze user
prefers to log in as administrator, it's useless. But then, people
also log in as root.
>My first distribution was /Linux-Mandrake/ 6.0 PowerPack, with the
>2.2.9 kernel, and KDE 1.1.1. :p
I played with MCC Interim Linux, and TAMU, but the first one I was
using was SLS version 1.0something, which also used an 0.99 kernel.
There was no desktop (certainly not in the concept of KDE).
>You would certainly introduce a promiscuity factor there, but let's
>face it, end user connections are usually quite anonymous. In Windows,
>even an anonymous connection would be hazardous because Windows itself
>tends to phone home, especially since some 85% of all enduser Windows
>machines are part of at least one and possibly multiple botnets.
With Mandrake 6.0 as a starting point, you should still remember the
'ramen' worm (went after RH6.2 and 7.0 boxes exploiting a pair of holes
in wu-ftpd and rpc.statd in 6.2, and ldp in 7.0), or the 'luckgo' worm
(went after rpc.statd in several distributions). Both holes had been
patched months earlier, but... from section 3 of CERT Summary CS-98.06:
3. Root Compromises
We continue to receive daily reports of sites that have suffered a
root compromise. Many of these compromises can be traced to systems
that are unpatched or misconfigured, which the intruders exploit
using well-known vulnerabilities for which CERT advisories have
been published.
>> No one trying to break in - what, not running sshd on port 22? ;-)
>
>Yes, I am, but my network connection is low profile and my ISP blocks
>almost all ports beneath 1024 to whatever lies outside of its own
>subnet. So if I want to /ssh/ into my machine from anybody else's
>computer, then this person would have to have the same ISP as I do.
>
>Officially they do that for security reasons, but the truth is that
>block those ports because your internet connection's EULA doesn't
>cover use as a publicly accessible server.
I've also got an ISP like that. The residential accounts are not
allowed to run servers (including identd on 113/tcp). You need only
upgrade to a 'small business' account, and the holes magically
appear. My other ISPs allow 22/tcp, but block the "normal" ports,
like 21, 25, 80, 137-139, 443, 1433, and so on.
>> Let's face it - VERY FEW Linux users have had _any_ training in the
>> operating system. Thus, they are going with the flawed experience
>> that they do have - which means windoze.
>
>This is why I regret that Mandriva and so many other distributions
>tend to cater to those habits and profile GNU/Linux as "a Windows
>alternative", instead of profiling it as "a UNIX-like system".
Most users would be unable to cope with anything more complicated.
That is why the Gnome and KDE desktops developed administrative
helper tools.
Old guy