What Was New: Jan. 25, 2001 - Nov. 12, 2003
- What Was New: Jan. - Mar. 2007
- What Was New: July - Dec. 2000
- What Was New: April - June 2000
Grub's incompatibility
(11/12/2003)
with the new UFS2 filesystem introduced in FreeBSD 5 is discussed
and a workaround provided.
The new FreeBSD Mirror part of
(2/6/2002) is discussed on a new page in the part of
/making/">Building GeodSoft section. The choice of
FreeBSD rather than a second Linux distribution is discussed as well
as why I put a web server on the oldest, slowest PC, I had available.
The FreeBSD Power Pack boxed set is briefly reviewed as is the install
process. Preliminary indications are that FreeBSD may be much more
like OpenBSD than I'd hoped, and may not posses the ease of
application setup that characterizes Linux and hoped to see in
FreeBSD. Performance, from the perspective of what any of these open
source systems can do with old hardware is discussed, and compared
with Linux and OpenBSD on much newer faster PCs.
Setup a new FreeBSD Mirror site
(2/4/2002). Unlike the other mirrors, this is not on comparable
hardware but on the oldest and slowest machine I had (a P 133 with
128MB RAM and a 1.6GB disk), that hadn't been used regularly for almost
3 years. This is temporarily using the
old NT server's DNS entries.
Dual and Multi Booting FreeBSD, Linux, and
OpenBSD
(1/23/2002) is a completely new section. It tries to
be a comprehensive guide to putting two or more bootable FreeBSD,
Linux, and or OpenBSD systems on a single drive in any combination of
systems up to the limits imposed by the PC disk architecture and the
inherent limits of each specific OS and of course available space on
the disk. A single disk could have up to 31 systems mixing 20 FreeBSD
systems with 11 Linux. The emphasis is on actual steps needed to boot
dual and multiple systems from a hard disk. The GNU GRUB boot loader
is an essential component of most installs and instructions are provided
for all GRUB procedures necessary to boot FreeBSD, Linux and OpenBSD
in any combination.
A Check List
(12/23/2001) has been added to the
Hardening OpenBSD Internet Servers section.
This reduces all the steps discussed in this section and related
items from other parts of the web site to short action items. Each
is rated by importance from 0 (not recommended) to 5 (essential) based
on the criteria from the new
Priorities page. Items
are presented in a suggested order of completion and a printer
friendly version is also available to assist in making this a
practical working form.
Priorities, Costs and Benefits
(12/20/2001) is a completely new page in the
Hardening OpenBSD Internet Servers section
that ranks the techniques discussed in terms security payoff versus
the effort and risks involved. Some background on the development of
the section is provided. The importance of staying up-to-date with
OpenBSD releases is discussed and how these techniques may make
upgrades more difficult is a factor in the ranking. Techniques with
the highest security benefits are ranked most highly but the variable
amount of up front and or ongoing effort are considered as well of the
risks of implementing some of the techniques.
Hardening OpenBSD Internet Servers
(12/15/2001) has been updated to cover the changes
from OpenBSD 2.9 to 3.0. The big change was the switch from IP Filter
to Packet Filter. Though the concepts and most of the rules remain
the same the mechanics are different and just about everything related
to firewall logs changed. There were several Sendmail surprises as
well. A variety of other edits and updates not directly related to
the 3.0 upgrade were also made. The update included a new page that
is an overview of the
2.9 to 3.0 changes as they relate to the hardening techniques
discussed.
Moving a Red Hat Linux 6.2 Web
Server to Red Hat 7.2 .
(11/29/2001) I replaced my Red Hat 6.2 web server
with a 7.2 server with less than 2 minutes down time. The old Linux
server had been a rock with an 11 month uptime record broken
by an accidental hardware reset. The migration process is described
in considerable detail. The article is an eclectic mixture of a
tutorial on migrating servers and partitioning disks, a historical
record documenting an important GeodSoft site change, and an
editorial on several Red Hat installation process deficiencies.
Bad Memory Caused the NT
Server Failure.
(11/19/2001) A recent install of OpenBSD on the
machine that had been the NT server resulted in "segmentation
fault" and "memory fault" errors that lead to the bad memory
diagnosis and fix. Despite these errors OpenBSD continued to
serve web pages without interruption. The
NT Server Failure page
has been updated to reflect the recent troubleshooting, including
the fact that Linux installs failed, and provided no
useful error messages leading to a problem fix.
Terms of Use
(10/10/2001) have been completely revised to
adopt an open content approach. Previously terms of use were
highly restrictive in an attempt to force anyone wishing to use
GeodSoft content to visit the web site. The new terms allow
liberal content distribution provided that certain restrictions
including retention of copyright notice and reference to the new
"GeodSoft Publication License" are retained.
The new terms were very loosely modeled after
the
Open Publication License.
While this works well for books and manuals, I did not think it
worked well for a web site that is a content delivery
application. Specifically, issues related to standard navigation
aids were not addressed.
The GeodSoft Publication License allows web pages to be printed
and photocopied or mirrored to other sites, where the appearance
of the full web page is faithfully preserved, or to separate the
unique page content and reformat it for other web pages or other
media, where textual content is preserved, but the original web
page design is discarded. This is a work in progress and is
likely to be adjusted in response to future developments.
Linux, OpenBSD, Windows NT & 2000
Server Comparison
(9/18/2001) This entirely new section is an in
depth (over 120 printed pages) comparison of three operating
systems used as servers. About one third is devoted to security
issues. Other significant comparison topics are application
support, stability and reliability, and usability. Also
discussed are scalability, staffing issues and total cost of
ownership.
The Limits of Open Source
(8/23/2001) states that the open source software
development model is not appropriate to all software. Government,
schools, medical office/patient management, and jet engine control
software are discussed. Why open source is appropriate to some
and not others is considered. These pages were extensively modified
between their initial display and Sept. 2, 2001.
NT Server Down, Won't Be Fixed
(8/20/2001) Following the failure of
my Windows NT 4, IIS 4 web server, triggered by a
recent Microsoft security patch, I won't maintain it any
longer. Restoring the system will require reinstalling
NT and restoring from backups. Without substantial
additional testing, I can't determine if I should restore the
pre-patch system (with the Code Red / IIS Index Server patch
applied in early July) and forego the rollup patch or restore the
post rollup patch system.
Beginner's Guide to SSH
(8/14/01) is the beginning of a new How-to
section covering the basics of setting up Secure Shell or
SSH connections between OpenBSD, Linux and Windows. The new
material covers OpenBSD and Linux sshd servers and clients
for all three systems. Later the additional commands and options
and hopefully a Windows SSH server will be covered. I decided
to put up useful material now and will add to it as I work
through the issues. I wanted to avoid getting bogged down in
every growing projects that never seem to get finished like some
of the review projects I'm working on.
The Future
(8/12/01) In late 1999 I wrote a piece in the
Book section that predicted the demise of
mass printing (newspapers and magazines) and eventually paper
itself. Commentary prompted by the twentieth anniversary of the
IBM PC, August 2001, and the technology doldrums of the past
year and a half prompted me to review this piece. I concluded
that the piece should be left exactly as it was originally
written.
Bogus PHP DoS Attacks
(8/02/01) looks at a basic PHP feature that was
recently covered by the on-line press as some new security
threat. I ask that some knowledge and analysis be applied,
before the web press assists some publicity seeking miscreant,
who claims to have found a bug where none exits.
Apply security updates to
your systems (7/24/01) in the
Ten Practical Security Steps
section has been largely rewritten. Following a series of
large scale (250,000 compromised systems) security vulnerabilities
affecting Microsoft Windows NT and 2000 systems in the past
few months, it's no longer acceptable for administrators to wait
for the next service pack. Administrators need to stay informed
and actively move to prevent threats where their systems may be
used to attack others. Though I hate this waste of resources,
today's hostile environment pretty much demands it. My own
small LAN received more than 300 attempts to spread the Code Red
Worm from infected systems all over the world and my NT server would
have been infected many times if it had not already been patched.
Cracking "Good"
Passwords (6/23/01) After showing how easy
it is to crack passwords based on two short words separated by
a non letter, a new section has been added titled
Alternative
Manual Passwords. Passwords derived from sentences, phrases
and other personal algorithms are discussed. If the resulting
passwords are sufficiently long and contain enough character
diversity, some "personal" algorithms for creating passwords are
likely to create passwords stronger than those created by
combining two words with non letters.
Hardening OpenBSD Internet
servers (6/18/01) has been updated to
reflect the changes in 2.9. This is based on the official
2.9 release CD and includes IP Filter even though IP Filter
has since been removed from the source tree due to licensing
issues. The page of
detailed OpenBSD hardening
instructions which had grown unmanageably large has been
split into several smaller pages. Each focuses on a specific
aspect of the hardening process. Numerous subheadings were added
in the process. Hopefully this will make it easier to find
specific information related to hardening an OpenBSD system.
Installing NTP on
Windows (6/16/01) has been largely
rewritten with much new information. A reader, Dan Sydnes of
Data Junction Corporation,
suggested that I try the open source SNTP product, NetTime. I
found this to be an excellent product that may be best time
synchronization solution for most Windows PCs, both desktop and
server. This necessitated a rewrite and along with new
information regarding the Trimble port of ntpd, a re-evaluation
of the available Windows time products. I added a new
"Recommendations and Suggested Configurations" section that makes
comparative evaluations of the different products in various
environments and with different priorities. It includes some
specific configuration setting recommendations.
Improving
Password Security (6/8/01) - A new feature in
the Windows based, LC3, password cracker allows multiple
computers to participate in the same attempt to crack passwords.
Distributed password cracking, making use of the untapped CPU
power of desktop machines during off hours, has at least the
potential to make cracking tools move valuable to the victims of
crackers than to those who would use them for illicit purposes.
If so, some previous conclusions regarding the value of password
auditing might need revising. A new section discusses this.
NT's Poor Password
Encryption (6/8/01) has been updated to account
for the changed features of LC3 which has replaced l0phtcrack 2.
The price is much higher and trial version weakened. There is a new
multi machine feature, which if used, has significant implications
and changes some previous conclusions.
Comparing Commercial and Open Source
Licenses (6/6/01) discusses the essential
characteristics of commercial product software licenses and
compares these with the two very different types of open source
licenses: the GNU General Public License (GPL) and Berkeley
Standard Distribution (BSD) type licenses.
Open Source and Commercial
Product Comparisons (6/6/01) is a preface to
what will follow and explains why the reviews will be divided as
they are. It discusses how the packaging and licensing of open
source products complicates the comparison of competing open
source and commercial products.
Terms of Use and
Privacy Policy (5/27/01) have both
been revised.
Corel Linux OS,
Version 2, Review (5/26/01) is the first
page in a new section Reviews and
Commentary. This review explains why I do not think
Corel Linux is an adequate Linux distribution and that users
should try other distributions. I'm currently working on
reviews of Red Hat Linux 7.1 and StarOffice 5.2 which are
major products with much to recommend. Hopefully it won't
be too long before these are available.
IP Filter on Non
Firewalls (4/28/01) is a large new section in
Hardening OpenBSD Internet
Servers. The emphasis is on using IP Filter to protect the
machine on which it is being used. Specifically discussed are
using IP Filter on a host that is already behind a firewall or
on a host that must be exposed to an Internet connection without
the benefit of a dedicated firewall. Developing and testing a
basic rule set is covered. Firewall networking issues such as
routing and bridging and other issues related to multiple network
interfaces are not covered.
Hardening OpenBSD Internet
Servers updated (4/24/01):
Includes two new sections on
Immutable Files and
Security Levels and
Noexec, Nosuid and Nodev
Mount Options.
A number of
Custom Kernel
options have changed with several additional architecture
independent features disabled as well as some I386 specific
options. Most of the changes have been a result of reader
suggestions. I'd like to thank Gregor Binder, Carson Harding,
Tim Theisen, Christopher Witter and a couple others, whose e-mails
I've mislaid, for their comments.
New NT Anomalies (4/9/01):
Following a power outage, the NT server self destructed. This is
a mild overstatement but the fact is, following a UPS initiated
shutdown, the web and ftp servers would not run on the NT server
and there were no NT errors or warnings that there was any
problem. Considerable investigation found the definitive cause
of the problem which can reasonably be described as NT trashing
itself.
Good and Bad Passwords How-to (3/19/01)
Is an in depth analysis of good, bad, strong and weak passwords,
password cracking techniques and how-to reduce password
vulnerabilities. It's probably has more than you ever wanted to
know about passwords.
The new Password Evaluator
(3/19/01) is closely related to the Good and Bad Passwords
section. Think you know a good password? See what the evaluator
tells you about it. It can quickly find keyboard shifted and
rotated or reversed words that look like complete gibberish but
that password cracking tools can quickly create from dictionary
words to match that not so clever password you may have been
using. These are only a few of the many word transformations and
patterns looked for. If your password has no flaws (errors) that
make it too weak to use, it's given a relative strength rating. A
2 is ten times stronger than a 1 and a 3 is ten times stronger
than 2, etc.
Ten Practical Security Steps
for Resource Limited IT Staffs (2/21/01)
is a completely new section in the How-To
area. In contrast to the Hardening
OpenBSD section where significant effort is used to
achieve limited security gains, the emphasis is on the basics,
essentials and steps that have a large payback relative to
the resources they require.
Cheap Backup Solutions
(2/20/01)
has been extensively updated and all scripts referred to are
now included. Several visitors came to this page from different
search engines. Their searches were appropriate to the page's
subject but the page didn't deliver what the search results
suggested it should. Hopefully it now will.
Home Grown Intrusion Detection (2/14/01)
was updated to identify the kernel processes no longer listed by ps
in OpenBSD 2.8 that were previously always listed.
The OpenBSD mirror (2/13/01)
was moved to a new OpenBSD 2.8 server, installed and hardened as
described in
Hardening OpenBSD Internet Servers.
Detailed instructions (2/12/01)
for
password.pl, an automated password
generator, were added. All options are explained.
Hardening OpenBSD Internet Servers (2/7/01)
has been updated to cover OpenBSD 2.8. The
OpenBSD Install Instructions
are more detailed. The
Custom Kernel section
is significantly expanded with complete kernel configuration files
and the deleted lines only for both the i386 architecture and the
architecture independent kernel options. The
Recovery CD ROM page has
been substantially revised (2/8/01).
Time Synchronization: A Beginner's
Guide to Network Time Protocol (NTP) (1/30/01)
has been split from one very large page to several small ones.
A several minor updates and corrections were made.
Password.pl
(1/29/01)
I continued tinkering with the automated password generator until
every control constant and variable that affects the structure
and probabilities of generated passwords, is setable through the
CGI interface. The original
with source code
remains available.
More Microsoft MMC Problems
(1/28/01)
I had to reinstall Microsoft Management Console (MMC) again today
because it could not find the IIS configuration data. Since the
last update in September 2000, this "lost" / hidden IIS data problem
has recurred. Routine would be an over statement but I think this about
the third time I've reinstalled the Option Pack since September.
Password.pl
(1/25/01)
has a totally new password generation algorithm allowing user
specified patterns to control the structure of generated passwords.
Pseudo word patterns and unstructured, random passwords are now
possible. The original State Department style passwords, cvc99cvc
or consonant vowel consonant, digit digit, consonant vowel consonant,
and variations remain as options. The original
password.pl remains available as
does the source code for a
command line version of the original password.pl
- What Was New: Jan. - Mar. 2007
- What Was New: July - Dec. 2000
- What Was New: April - June 2000
Top of Page -
Site Map
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.
|