
mikaowx (Members, 26 posts)

Everything posted by mikaowx

  1. Hi all! I am in a situation where I urgently need to run a VNC server on my MDK 10.1 box. The connection works just fine. The bothering thing is that we have 100Mbit ethernet there, and as you may have recognized, when a VNC client tries to connect to the server, the server automatically offers authenticated users the Xkbor (whatever it is called), the simplest and most bandwidth-saving environment. However, we would need a more comfortable environment to get our job done easily. How is it possible to switch the default desktop for VNC connections? Thanks in advance: mikaowx
  2. Solved! Now I have it! Thanks.
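For the default-desktop question in the first post, here is an added example that is not from the thread: a replacement for ~/.vnc/xstartup, the script that the RealVNC/TightVNC vncserver runs on every new display (its stock version starts xterm and twm, which is the bare environment described). The session command names in the preference list are assumptions; edit the list to match what is installed on the box.

```shell
#!/bin/sh
# ~/.vnc/xstartup  (added example; replaces the stock xterm+twm startup)
# vncserver (RealVNC/TightVNC) executes this file, with DISPLAY set, each time
# it starts a new display. The session launchers tried below (startkde,
# gnome-session, icewm, twm) are assumed; adjust the list to what the box has.

# choose_session CMD...: print the first command found in $PATH; fail if none
choose_session() {
    for cmd in "$@"; do
        if command -v "$cmd" >/dev/null 2>&1; then
            printf '%s\n' "$cmd"
            return 0
        fi
    done
    return 1
}

# start_desktop: the usual xstartup preamble, then exec the preferred desktop
# so the X session ends (and vncserver notices) when the desktop exits
start_desktop() {
    [ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
    xsetroot -solid grey
    session=$(choose_session startkde gnome-session icewm twm) || {
        echo "xstartup: no desktop session command found" >&2
        exit 1
    }
    exec "$session"
}

# Only act when run as the xstartup file itself (not when sourced or tested).
case "$0" in
    */xstartup) start_desktop ;;
esac
```

Make it executable, then restart the display (`vncserver -kill :1; vncserver :1`). Plain VNC traffic is unencrypted even on a private 100Mbit segment, so where the vncserver script supports it start it with `-localhost` and reach it through `ssh -L 5901:localhost:5901 host` instead of exposing port 5901 on the LAN.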
  3. I've just noticed I can't find draksec on the 2005LE Download edition. Have I overlooked something? Isn't draksec included in this edition?
  4. Jeez! I hadn't thought this would solve my problem, but it did! Since I don't run ssh from xinetd I figured it had nothing to do with hosts.allow. Now I know it has. Thanks again.
  5. Here's the only entry I've found in /var/log/auth.log:

    Apr 1 10:12:20 mooo sshd[4438]: Received signal 15; terminating.
    Apr 1 10:12:21 mooo sshd[4500]: Server listening on 192.168.200.10 port 22.

    Other logs just won't show any valuable info about what happened. The interesting thing is, I haven't changed anything in the configuration files since it was working. I am therefore suspecting something is wrong with draksec or the way it handles file permissions. I'll try to set the original permissions on the files back to normal manually. Would someone with a working sshd post me the listing of /etc/sshd and its contents, with file and directory permissions? I would also need the original permissions of the /etc/sshd directory itself. Thanks in advance
  6. I have two Mdk 10.1 boxes which were installed months ago with sshd enabled on them. Sshd was working at the beginning on both machines; I could log in from any other box. Then I set the http service up on both. Since those services have to be running to serve clients from the internet, I decided to use draksec to make them more secure. Now I can't connect to either of these boxes, even if I set the security level to low and have iptables emptied. What went wrong? Has anyone had a similar experience? Any help would be appreciated. Thanks
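Post 4 above turns on the detail that catches people: the sshd of that era is linked against libwrap, so /etc/hosts.allow and /etc/hosts.deny are consulted whether or not it is started from xinetd, and the thread's fix (a hosts.allow entry) points at a deny-all line having appeared in hosts.deny when the security level was raised (an inference from the thread, not something verified here). The script below is an added example, not from the thread or the distribution: a small re-implementation of the hosts_access(5) lookup order that evaluates a constructed allow/deny policy offline, so you can see which client would be refused before touching the live files. The sample addresses and rules are constructed for the example.

```shell
#!/bin/sh
# hosts-access-check.sh (added example, not from the thread)
# Stand-alone re-implementation of the lookup order from hosts_access(5):
# the first matching line in hosts.allow grants, otherwise the first matching
# line in hosts.deny refuses, otherwise access is granted. Only the common
# pattern forms are handled: ALL, an exact address, and a network prefix
# ending in a dot ("192.168.200."). Rule texts are passed as strings so a
# policy can be evaluated before it is installed.

# match_pattern PATTERN VALUE: 0 if PATTERN (ALL, prefix ending in '.', or
# an exact string) matches VALUE
match_pattern() {
    mp_pat=$1; mp_val=$2
    case "$mp_pat" in
        ALL) return 0 ;;
        *.)  case "$mp_val" in "$mp_pat"*) return 0 ;; esac ;;
        *)   [ "$mp_pat" = "$mp_val" ] && return 0 ;;
    esac
    return 1
}

# match_list LIST VALUE: LIST is comma/space separated; 0 if any entry matches
match_list() {
    ml_list=$1; ml_val=$2
    for ml_entry in $(printf '%s' "$ml_list" | tr ',' ' '); do
        match_pattern "$ml_entry" "$ml_val" && return 0
    done
    return 1
}

# file_matches RULES DAEMON CLIENT: 0 if any "daemon_list : client_list [: ...]"
# line of RULES (one rule per line; '#' comments and blank lines ignored) matches
file_matches() {
    printf '%s\n' "$1" | while IFS= read -r fm_line; do
        fm_line=${fm_line%%#*}
        case "$fm_line" in *:*) ;; *) continue ;; esac   # skip blanks/junk
        fm_dlist=${fm_line%%:*}
        fm_clist=${fm_line#*:}
        fm_clist=${fm_clist%%:*}       # drop an optional shell_command field
        if match_list "$fm_dlist" "$2" && match_list "$fm_clist" "$3"; then
            echo match
            break
        fi
    done | grep -q match
}

# access_allowed ALLOW_RULES DENY_RULES DAEMON CLIENT: 0 if the connection
# would be accepted, 1 if refused
access_allowed() {
    if file_matches "$1" "$3" "$4"; then return 0; fi
    if file_matches "$2" "$3" "$4"; then return 1; fi
    return 0   # matched by neither file: tcp_wrappers' default is to allow
}

# Constructed sample policy: sshd reachable from the LAN and from the box
# itself, everything else refused by a deny-all rule.
HOSTS_ALLOW='# LAN and loopback may reach sshd; anything may reach itself
sshd : 192.168.200. , 127.0.0.1
ALL : 127.0.0.1'
HOSTS_DENY='ALL : ALL'

# decision DAEMON CLIENT: print "allow" or "deny" under the sample policy
decision() {
    if access_allowed "$HOSTS_ALLOW" "$HOSTS_DENY" "$1" "$2"; then
        echo allow
    else
        echo deny
    fi
}

# Stand-alone run: show the decisions for a few clients
for client in 192.168.200.50 127.0.0.1 10.0.0.5; do
    printf 'sshd from %-16s %s\n' "$client" "$(decision sshd "$client")"
done
printf 'httpd from %-15s %s\n' 192.168.200.50 "$(decision httpd 192.168.200.50)"
```

Note the order: once "ALL : ALL" sits in hosts.deny, every libwrap-aware daemon needs an explicit hosts.allow line, which is why lowering the firewall alone did not help in the thread. The real implementation also supports EXCEPT lists, netmasks and hostnames; keep those out of the files if you want this checker to stay accurate.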
  7. mikaowx

    sshd bug?

    Meanwhile another question arose: the previous installation had been done automatically by the Mandrake installer at system install, so am I to suspect that it had created the necessary certificates automatically? Are certs made automatically at reinstall? Thanks
  8. mikaowx

    sshd bug?

    I have reinstalled sshd, which had worked absolutely fine, but for other reasons I had uninstalled it before. Now it won't let users in; here's /var/log/auth.log:

    Apr 1 10:12:20 mooo sshd[4438]: Received signal 15; terminating.
    Apr 1 10:12:21 mooo sshd[4500]: Server listening on 192.168.200.10 port 22.

    What on earth does "address already in use" mean? ps axu doesn't provide me any further information on this, since there aren't any other instances of sshd running. I've tried to switch the service off and back on again, but that wouldn't help either. I hope it's not a UFO playing tricks on me unnoticed :) Anyway, the firewall is switched off and msec has been set to level 3, although it has been set higher in the past. Do you think I have spoiled something with msec?
  9. Finally I have dug up some useful info about how to stop the SSL version from starting up along with Apache (for those of you who haven't got a clue, it's in /usr/lshare/doc/apachexxx/ssl.conf, where the SSLEngine on/off directive is meant to control whether to start the SSL version with Apache), but in my case it's the other way around: I am about to stop the service listening on port 80. Other info points to this too, like: one should change the IfDefine directive in commonhttpd.conf, where the ports Apache listens on are determined. It says you should modify this directive to have Apache listen only on 443, not on the regular port 80. Why isn't that working? IMHO it's simply because both versions are using the same config file, and if the SSL service has started, the regular service throws an error message saying "port 443 already in use". It's logical, isn't it? I would be pleased to hear about any solutions to this.
  10. Yes, I would need just that! In this case though I am trying to get the SSL version running. Do I have to comment the SSL module out, to keep it from loading, to get rid of the SSL service if I wanted Apache to run normally? What should I do if I wanted to run the SSL service only? 'Cause basically this is what I am about to do now. I don't know how to do that or what to change in the configuration files.
  11. I mean apache2 is compiled in a way that you can't start the normal http or the SSL service separately; both come alive when starting the service. Some years back, when I used Apache 1.3, there were apachectl and apachectl-ssl, or you could also start them from init.d as two different types of service. I even saw there's a sample ssl.conf somewhere among the libraries, which used to be the way if one wanted to configure and run Apache SSL. Is there a way to do this with the shipped version?
  12. Hi. My problem is that I can't actually start apache2 listening only on port 80 or 443 on Mandrake 10.1, as I could with Apache 1.3. There aren't even separate apachectl commands or any other commands to do that. Is there a solution to this in the configuration, or is this the way apache2 has been precompiled? Do I need to download and compile apache2 to suit this need of mine? Thanks
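For posts 9 to 12 above, an added example that is not from the thread or the Mandrake package: Apache 2 has no separate SSL daemon; one httpd binds every Listen directive that survives after all configuration files have been read, so an HTTPS-only server is simply one whose only remaining Listen is the 443 one. The script below shows a constructed before/after fragment and a small audit function that reports which address:port pairs a config text would bind, so the edit can be verified before restarting. The file layout and the <IfDefine SSL> arrangement are assumptions modelled on the thread's description.

```shell
#!/bin/sh
# listen-audit.sh (added example; not from the thread or the Mandrake package)
# Apache 2 binds every "Listen" directive left after all Include'd files have
# been read. To serve HTTPS only, comment out "Listen 80" wherever it lives
# (the main config, or commonhttpd.conf on Mandrake) and keep "Listen 443"
# with SSLEngine on. The functions below report what a config text would bind.
# Both config fragments are constructed for this example and stand in for the
# real, much longer files.

# listen_ports CONFIG_TEXT: print one "addr:port" per Listen directive, in
# order, ignoring comments and the optional protocol argument ("Listen 443 https")
listen_ports() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk '
        tolower($1) == "listen" {
            if (index($2, ":") == 0) print "*:" $2   # bare port: all addresses
            else print $2                            # addr:port or [v6]:port
        }'
}

# binds_only_port CONFIG_TEXT PORT: 0 if every Listen directive uses PORT
binds_only_port() {
    listen_ports "$1" | awk -v want="$2" '
        { n = split($0, a, ":"); if (a[n] != want) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# As shipped (constructed): plain HTTP on 80, plus 443 from the SSL section
# that becomes active when the init script starts httpd with -DSSL.
BEFORE='Listen 80
<IfDefine SSL>
    Listen 443
    SSLEngine on
</IfDefine>'

# HTTPS only: the port-80 listener is commented out, nothing else changes.
AFTER='# Listen 80   (disabled: this host serves HTTPS only)
<IfDefine SSL>
    Listen 443
    SSLEngine on
</IfDefine>'

printf 'BEFORE binds: %s\n' "$(listen_ports "$BEFORE" | tr '\n' ' ')"
printf 'AFTER  binds: %s\n' "$(listen_ports "$AFTER" | tr '\n' ' ')"
if binds_only_port "$AFTER" 443; then
    echo "AFTER: only port 443 is bound"
fi
```

After editing the real files, run `httpd -t` (or `apachectl configtest`) and restart, then confirm with `netstat -lnt` that nothing listens on :80. Dropping port 80 also removes any redirect-to-HTTPS, so clients typing a plain http:// URL get a connection refused rather than a redirect; decide whether that is acceptable before removing the listener. Running the two fragments through the checker gives "BEFORE binds: *:80 *:443" and "AFTER binds: *:443".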
  13. It's all up and running! I hadn't had the slightest clue about this service. The most convenient way though! They also have services like IP cloaking, MX host backup and superior DNS. Never mind that I don't even know what some of those services are! :D You guys both deserve a good pint for helping me out! Thanks again sellis, Qchem!
  14. This advice makes sense. This is meaningful. Are you saying you have this up and running already? I must have overlooked something when I read about dyndns. How have you configured it regarding the site? Wasn't it too hard? What kind of records do you have to create at the site? A pointer? This router also has the ability to handle dynamic DNS, so I might just go ahead and try it. Concerning the mailing process, I have found one very lightweight MTA which I would like to share with all of you who are, or in the future might be, interested in such a "mission"; some might have heard of ssmail. It's basically a local SMTP relay, with options like sender and domain, which can of course be masqueraded, so this one would simply shoot the mail out into space. No doubt it's tiny, but it doesn't even become a daemon, so there aren't many security issues to worry about. Thanks in advance
  15. Hi. Why isn't dyndns the way? Because all of your users have to be configured with it, I guess. What would anyone out of the unknown gain from me being registered at dyndns if they don't even know how to set their own DNS server settings? Right? You flicked a switch in my mind while I've been thinking of this, and I think I have the solution! I am grateful, Qchem! How about having your script somehow insert the result into a local copy of the HTML? After that have automated FTP upload it (I already know how to do that, since I have done it several times when I was working with login scripts) to the website's FTP at scheduled intervals, where it can be loaded and displayed from. I admit I haven't seen cron doing hourly jobs though. Daily jobs maybe. Is this hourly schedule possible to do with cron? Obviously this is the simplest idea so far. The posting trouble is still active though!
  16. Cool! Variables are understood. What does A1 stand for in the grep tunnel part of the expression, and why are we using navy? Is that the color of the particular pattern in the HTML code we're looking for? My other question is: what is tr -d ' ' all about? I would personally need it to update a link in HTML code on a public server on the internet (which would automatically guide users to a server on a LAN), but the e-mail notification of an IP change would also be great if applicable. I also run ssh and sometimes other services too behind this router, and those would become unreachable if I hadn't been notified of IP changes. Perhaps a small, easily configurable SMTP server could fix this for us. What MTA in your opinion would be best for the purpose? I am now considering something that works right out of the box, since I don't intend to chew myself through hundreds of documents on how to set sendmail or postfix up, knowing that postfix even uses databases for access control. Setting up postfix would involve setting up an SQL server as well, wouldn't it? That's why I am about to use the simplest possible. Any suggestions?
  17. I might be better off if I had a static IP, that's true. But it costs much more, and that's a stone-cold fact. I just wanted to know if there's a relatively easy solution to this, that's all there is to it. Thanks again...
  18. I've not yet been involved this deep, so I am thinking of something like: cron would call lynx with the appropriate URL (ipchicken), then the data would be analysed with sed and awk and be sent over to a local MTA to post it? The realization would be kinda hard for me though. :P So the question arises: how could an MTA post data without user interaction or without using any MUA? I am not a programmer, you see. I might just stick to ssh from the outside and look at ipchicken sometimes with lynx. What do you guys reckon?
  19. Hi! I agree with you, most people don't need it. Unfortunately in this case we do need it, since the service provider of this small LAN is a local cable provider that changes the IP sometimes. We need to be up to date if our IP changes, to be able to tune page links, notify users etc. We could just go ahead and read the routing table on the router by logging in to the router and seeing what's changed, which wouldn't be too secure or cosy either, since leaving a DSL router's remote control service open to the internet is a serious risk. What's left for us? Somehow we need to query the router to get its routing table from the LAN side and have the machine set up with cron to automate this job or even send us notifications. I know this can be done, because a local dude showed me how he has done it on Windows with a small program called "ip monitor", I guess. Any clues?
  20. Exactly. The only difference is that the router is a DSL router which only has an arp routing table, no resolv.conf. I've heard about a couple of third-party vendors that have software solutions, and those can even notify you by e-mail at preconfigured intervals if your WAN IP has changed. Useful if you don't have a dedicated IP and your provider changes it sometimes. The only trouble is that that software is made only for Windows, and I am trying to configure this on a Linux box.
  21. Hi. 1.) Has anyone ever run into getting the WAN IP address of a router on a Linux workstation behind the router? Does anybody have the solution? A script maybe? 2.) I am currently setting up a file server behind a Linksys router. I have forwarded port 22 on the router to the appropriate address. However, I can't connect to ssh. Some of you might remember we had an earlier discussion on this topic not long ago, and I found the security level had been set higher than normal. Now I've just set the security level in MCC to normal, with nothing else hardened but "only allow local X11 connections". Is this enough reason why ssh disconnects clients? I have a suspicion that if I set the security level to low the system would allow connections again, 'cause that's exactly what happened when I first succeeded with it. Any help would be appreciated. Thanks
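For the WAN-address question running through posts 14 to 21 above (reading the IP off a lookup page with lynx, an hourly cron job, a notice when it changes), here is an added example that is not from the thread: a POSIX shell script that fetches a page, extracts the first plausible IPv4 address, compares it with the last recorded one and reports only on change. Cron does run hourly jobs; the commented crontab line shows the form. The lookup URL, the state file path and the embedded sample page are constructed assumptions.

```shell
#!/bin/sh
# wanip-watch.sh (added example, not from the thread)
# Finds the public address of a NAT'd LAN from a box behind the router by
# fetching a "what is my IP" page, pulling the first dotted quad out of it, and
# comparing it with the value recorded on the previous run. It prints only when
# the address changed, so when cron runs it hourly the cron mail is itself the
# notification; the output can equally be piped to a local MTA or used to
# rewrite a link on the public web page. Lookup URL, state file path and the
# sample page text below are assumptions made for this example.

LOOKUP_URL=${LOOKUP_URL:-http://www.ipchicken.com/}   # any page showing the caller's IP
STATE_FILE=${STATE_FILE:-$HOME/.wanip.last}

# fetch_page: dump the lookup page as text (lynx as in the thread, else curl)
fetch_page() {
    if command -v lynx >/dev/null 2>&1; then
        lynx -dump "$LOOKUP_URL"
    else
        curl -fsS "$LOOKUP_URL"
    fi
}

# extract_ip: print the first IPv4 address on stdin whose octets are all
# 0..255, so version strings and junk such as 300.400.1.1 are skipped
extract_ip() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | while read -r cand; do
        ok=1
        for octet in $(printf '%s' "$cand" | tr '.' ' '); do
            [ "$octet" -le 255 ] || ok=0
        done
        if [ "$ok" -eq 1 ]; then
            printf '%s\n' "$cand"
            break
        fi
    done
}

# record_if_changed IP STATE_FILE: store IP; return 0 and print a notice only
# when it differs from the stored one, 1 when unchanged
record_if_changed() {
    old=""
    [ -f "$2" ] && old=$(cat "$2")
    if [ "$1" != "$old" ]; then
        printf '%s\n' "$1" > "$2"
        printf 'WAN IP changed: %s -> %s\n' "${old:-none}" "$1"
        return 0
    fi
    return 1
}

# Constructed sample of a lookup page, used instead of a live fetch for testing:
SAMPLE_PAGE='<!-- build 300.400.1.1 -->
<p>Version 2.10.3</p>
<font color="navy">Your IP address is 203.0.113.42</font>'

main() {
    ip=$(fetch_page | extract_ip)
    if [ -z "$ip" ]; then
        echo "wanip-watch: could not find an address in $LOOKUP_URL" >&2
        return 2
    fi
    record_if_changed "$ip" "$STATE_FILE"
}

# Hourly cron line (crontab -e), mailing the notice to the admin:
#   0 * * * *  $HOME/bin/wanip-watch.sh run 2>&1 | mail -s "WAN IP" admin
case "${1:-}" in
    run) main ;;
esac
```

The colour-based grep and the `tr -d ' '` from the thread's earlier script are replaced here by a plain regex plus an octet range check, which survives a redesign of the lookup page. The script trusts whatever that page returns, so prefer a page you control or an HTTPS endpoint: a spoofed lookup page would otherwise feed a wrong address into your public link, and the hourly cron mail is the only thing that would show it.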
  22. I mean, is there an easy solution for restricting normal users' moves in the filesystem? It would be ridiculous to have them log in through ssh while letting them see the whole file system, even if they can't do a thing with their permissions. That would somehow defeat the purpose of having ssh, don't you think? My goal in this case would be to place them in an environment where they can't see anything other than what's provided in their home directories, like proftpd can be configured to do. Root could still log in (if permitted in sshd_config), allowing him to do things to the whole OS due to his "omnipotent" permissions in the system. I've just read articles on this, but they don't seem easily applicable. One says a chroot jail is a perfect idea, another says not; a chroot patch is your friend. What do you guys think?
  23. Hi all! Problem solved! I didn't remember that I had set the security level higher than normal. Now it all works fine! Cheers! Am I to understand that key generation must be used only when setting up login based on a secure ID, so that one can log in remotely without typing a password? Otherwise sshd does it automatically? Would there be a solution (I think it's called a chroot environment) if I wanted to give my users access to my machines? How's that possible? Does anyone have any idea/info/links on this? Thanks!
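For the chroot question in posts 22 and 23, an added example that is not from the thread: OpenSSH gained a built-in ChrootDirectory option in version 4.8, after this thread, so the "chroot patch" is no longer needed. The real pitfall with any chroot jail is ownership: sshd refuses to chroot into a path unless every directory from / down to the jail is root-owned and not writable by group or others, because a user who can write the jail (or a parent of it) can swap its contents and escape. The script below performs exactly that walk so a jail can be checked before sshd is restarted; the jail path, the sftponly group and the sshd_config fragment in the comments are assumptions.

```shell
#!/bin/sh
# chroot-path-check.sh (added example, not from the thread)
# Walks / and every path component down to a jail directory and reports any
# component that is not root-owned or is group/other writable, which is the
# condition sshd enforces before it will chroot into the path.
#
# Matching sshd_config lines (OpenSSH 4.8 or later), sftp-only, no forwarding;
# group name and path are assumptions:
#   Match Group sftponly
#       ChrootDirectory /srv/jail/%u
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no

# writable_by_others MODE: 0 if the octal mode string has a group or other
# write bit (e.g. 775, 1777, 666); 755, 750 and 644 do not
writable_by_others() {
    case "$1" in
        *[2367][0-7] | *[2367]) return 0 ;;
    esac
    return 1
}

# check_component PATH: print a complaint and return 1 unless PATH is owned
# by root and not writable by group or others (GNU stat -c is assumed)
check_component() {
    info=$(stat -c '%u %a' "$1" 2>/dev/null) || { echo "$1: cannot stat"; return 1; }
    uid=${info%% *}
    mode=${info#* }
    rc=0
    if [ "$uid" != 0 ]; then
        echo "$1: owned by uid $uid, must be root"; rc=1
    fi
    if writable_by_others "$mode"; then
        echo "$1: mode $mode is group/other writable"; rc=1
    fi
    return $rc
}

# check_chroot_path DIR: check / and every component down to DIR; return 0
# only if all of them pass, printing each offending component otherwise
check_chroot_path() {
    bad=0
    check_component / || bad=1
    p=""
    for comp in $(printf '%s' "$1" | tr '/' ' '); do
        p="$p/$comp"
        check_component "$p" || bad=1
    done
    return $bad
}

# Stand-alone run: check the jail path given on the command line, e.g.
#   ./chroot-path-check.sh /srv/jail/alice && echo "jail ok"
if [ $# -eq 1 ]; then
    check_chroot_path "$1"
fi
```

A clean run prints nothing and exits 0. Keep the jail root itself owned by root as well, and give the user a writable subdirectory inside it (for example /srv/jail/alice/home), never the jail root; a jail that fails this walk is rejected by sshd at login with a "bad ownership or modes for chroot directory" error rather than at configuration time.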
  24. MCC has normal security settings, so I would say the problem might be related to key generation or sshd_config, since I haven't yet run/configured it.
  25. Yeah, I saw there hasn't been any key generation going on at start (like back in the good ol' days), so I thought there might be a difference. You're saying all I have to do is create DSA keys and copy them to the appropriate locations? What about sshd_config? I even noticed loads of options are commented out. Do I have to configure them if I only want password authentication?