root's journal 2002-

- LDAP, Mon Sep 30 03:18:08 UTC 2002
-
A Lightweight Directory Access Protocol (LDAP) demo.
Simple authentication is not satisfactory,
TLS is absent from the Debian package and
Kerberos is not easy to set up.
So we are not at the production stage yet,
only at the demo.
- Literature, Tue Sep 24 13:38:29 UTC 2002
-
Want to read something other than the docs?
Literature is available.
The current theme is free software.
- IMAP, Tue Sep 24 10:54:15 UTC 2002
-
The “baizid.org” mailboxes are reachable over IMAP.
# aptitude install uw-imapd-ssl
The University of Washington IMAP daemon has no configuration file.
Debian is still inetd-oriented.
I add the imaps entry to /etc/xinetd.conf by hand.
# tail /etc/xinetd.conf
service imaps
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/imapd
}
# /etc/init.d/xinetd reload
Reloading internet superserver configuration: xinetd.
# nmap baizid.org
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on baizid.org (192.168.1.4):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
#
For your clients: mutt, kmail, balsa, sylpheed, evolution, etc.
IMAP is closer to NFS than to POP.
I am not sure the TLS security is operational.
Reference(s): IMAP.
- Apache & TLS, Tue Sep 10 10:58:16 UTC 2002
-
Apache and TLS (mod_ssl) allow interesting things:
the secured ones.
- Mailing lists, Mon Sep 9 13:47:47 UTC 2002
-
Mailman, the GNU Mailing List Manager, is here.
The Debian package 2.0.12-1 is not quite right.
Small adjustments are needed.
Tollef Fog Heen is working on it.
Try the “baizid.org Mailing Lists”.
Sun Sep 8 12:54:53 UTC 2002
Remote access to the CVS repository is done over SSH.
$ export CVS_RSH=ssh
$ export CVSROOT=:ext:ahmed@baizid.org:/var/cvs
$ cvs -q checkout var/www
ahmed@baizid.org's password: my secret password
U var/www/75-logo.png
U var/www/default.css
U var/www/eximXs.png
...
$ cd var/www/
$ gvim index.html
$ tidy -m -wrap 80 index.html
HTML Tidy for Linux/x86 (vers 1st March 2002; built on Mar 8 2002, at 11:02:47)
Parsing "index.html"
index.html: Doctype given is "-//W3C//DTD HTML 4.0 Transitional//EN"
index.html: Document content looks like HTML 4.01 Transitional
No warnings or errors were found.
$ cvs commit -m "CVS et SSH."
cvs commit: Examining .
ahmed@baizid.org's password: my secret password
Checking in index.html;
/var/cvs/var/www/index.html,v <-- index.html
new revision: 1.31; previous revision: 1.30
done
$
You will authenticate yourself at every operation.
If that feels heavy, make use of ssh:
generate a key, distribute the public half and
let ssh-agent authenticate for you.
Read: A Minimalistic Guide to CVS with SSH.
To use CVS on baizid.org you therefore need a Unix account there.
There is no anonymous access.
viewCVS publishes the repository on the web.
Follow the Download tarball link to get CVS snapshots.
Fri Jul 26 18:30:45 UTC 2002
This server has been “improved” (upgraded, as one says in English).
The hardware and software configuration differs slightly.
Getting the same services, or equivalents, back took a day.
Example of impact:
$ cvs diff index.html
Index: index.html
===================================================================
RCS file: /var/cvs/var/www/index.html,v
retrieving revision 1.28
diff -r1.28 index.html
21c21
< et <a href="http://www.baizid.org/cgi-bin/gnatsweb.pl">gnats</a>.</p>
---
> et <a href="http://www.baizid.org/bugzilla/">Bugzilla</a>.</p>
404,405c404,405
< "http://www.baizid.org/cgi-bin/cvsweb">cvsweb</a>. Dépôt de choix:
< <code>baizid.org:/var/cvs</code>.</p>
---
> "http://www.baizid.org/cgi-bin/viewcvs.cgi">viewCVS</a>. Dépôt de
> choix: <code>baizid.org:/var/cvs</code>.</p>
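Review bot: in the 404,405c404,405 hunk the only change besides the cvsweb to viewCVS link is that the line now breaks after “Dépôt de” instead of after “Dépôt de choix:”, which is the tidy -wrap 80 reflow from the earlier entry rather than an edit; mixing the reflow with the link change makes the hunk larger than the change it records, so running tidy in its own commit would keep the history readable.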
$
You are asked (“prié”, from the English pray)
to evaluate the newly secured services:
ftp and pop.
Thu Jun 20 18:11:00 UTC 2002
Two new services:
ht://Dig and
Bugzilla.
Fri May 10 14:13:47 CEST 2002
On the internet, as on any network,
the question of security arises.
Openness brings wealth but also risk.
It is as foolish to refuse the first
as it is not to take on the second.
Help yourself with tools like nmap.
# nmap baizid.org
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on aboukir-101-1-9-abaizid.adsl.nerim.net (62.212.97.139):
Port State Protocol Service
21 open tcp ftp
22 open tcp ssh
25 open tcp smtp
80 open tcp http
110 open tcp pop-3
111 open tcp sunrpc
443 open tcp https
2401 open tcp cvspserver
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
#
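The two scans quoted in this journal (nmap 2.12 in May, nmap 3.00 in September) use different column layouts, and what changed between them (sunrpc and cvspserver gone, imaps and pop3s added) is exactly what an operator wants to notice. The script below is an added example, not code from the journal: it parses both layouts, reports the drift between two scans of the same host, and flags listeners that are not on an allow-list. The allow-list in the main block is a constructed assumption.

```python
import re

# Constructed samples: the two scans quoted in this journal (May and
# September 2002), copied here so the script runs offline.
SCAN_MAY = """\
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on aboukir-101-1-9-abaizid.adsl.nerim.net (62.212.97.139):
Port State Protocol Service
21 open tcp ftp
22 open tcp ssh
25 open tcp smtp
80 open tcp http
110 open tcp pop-3
111 open tcp sunrpc
443 open tcp https
2401 open tcp cvspserver
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
"""

SCAN_SEP = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on baizid.org (192.168.1.4):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
"""

# nmap 2.x rows look like "21 open tcp ftp"; nmap 3.x rows like "21/tcp open ftp".
OLD_ROW = re.compile(r"^(\d+)\s+(\w+)\s+(tcp|udp)\s+(\S+)$")
NEW_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)$")


def parse_nmap(text):
    """Map (port, proto) -> service name for every port the scan reports as open."""
    open_ports = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = OLD_ROW.match(line)
        if m:
            port, state, proto, service = m.groups()
        else:
            m = NEW_ROW.match(line)
            if not m:
                continue  # banner, header or summary line
            port, proto, state, service = m.groups()
        if state == "open":
            open_ports[(int(port), proto)] = service
    return open_ports


def exposure_drift(baseline, current):
    """Ports that closed, opened or stayed open between two scans of one host."""
    before, after = parse_nmap(baseline), parse_nmap(current)
    return {
        "closed": sorted(set(before) - set(after)),
        "opened": sorted(set(after) - set(before)),
        "unchanged": sorted(set(before) & set(after)),
    }


def unexpected_listeners(scan, allowed):
    """Open ports missing from the operator's allow-list: what should not be reachable."""
    return sorted(k for k in parse_nmap(scan) if k not in allowed)


if __name__ == "__main__":
    drift = exposure_drift(SCAN_MAY, SCAN_SEP)
    print("closed since May:", drift["closed"])
    print("opened since May:", drift["opened"])
    # Constructed allow-list: the services the journal says the host should offer.
    allowed = {(21, "tcp"), (22, "tcp"), (25, "tcp"), (80, "tcp"),
               (110, "tcp"), (443, "tcp"), (993, "tcp"), (995, "tcp")}
    print("unexpected in May:", unexpected_listeners(SCAN_MAY, allowed))
```

Run against the two samples it reports 111/tcp and 2401/tcp as closed and 993/tcp and 995/tcp as opened; pointing the same functions at a scan saved after each `adsl-start` or package install turns an occasional `nmap` into a change check.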
Sat May 4 10:34:58 CEST 2002
Exim is a
message transfer agent (MTA) developed at the University of Cambridge
for use on Unix systems connected to the Internet.
It is freely available under the terms of the GNU General Public Licence.
In style it is similar to Smail 3, but its facilities are more extensive,
and in particular it has some defences
against mail bombs and unsolicited junk mail
in the form of options for refusing messages from particular hosts, networks, or senders.
sherpa is the SMTP server of the baizid.org network.
Exim does relaying.
A drawing (taken from the Exim documentation) is worth a thousand words...
Reference: The Exim Mail Transfer Agent.
Read the summary: HOWTO - Preventing Relaying.
The mail abuse prevention system offers you a test.
Connect by telnet to relay-test.mail-abuse.org.
$ telnet relay-test.mail-abuse.org
Trying 204.152.187.123...
Connected to cygnus.mail-abuse.org.
Escape character is '^]'.
Connecting to 62.212.97.139 ...
<<< 220 sherpa.baizid.org ESMTP Exim 3.12 #1 Fri, 10 May 2002 14:00:34 +0200
>>> HELO cygnus.mail-abuse.org
<<< 250 sherpa.baizid.org Hello cygnus.mail-abuse.org [204.152.187.123]
:Relay test: #Quote test
>>> mail from: <spamtest@aboukir-101-1-9-abaizid.adsl.nerim.net>
<<< 250 <spamtest@aboukir-101-1-9-abaizid.adsl.nerim.net>
is syntactically correct
>>> rcpt to: <"nobody@mail-abuse.org">
<<< 501 <"nobody@mail-abuse.org">: recipient address must contain a domain
>>> rset
<<< 250 Reset OK
:Relay test: #Test 1
>>> mail from: <nobody@mail-abuse.org>
<<< 250 <nobody@mail-abuse.org> is syntactically correct
>>> rcpt to: <nobody@mail-abuse.org>
<<< 550 relaying to <nobody@mail-abuse.org> prohibited by administrator
...
>>> QUIT
<<< 221 sherpa.baizid.org closing connection
Tested host banner: 220 sherpa.baizid.org ESMTP Exim 3.12 #1
System appeared to accept 1 relay attempts
Connection closed by foreign host.
$
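The transcript above shows the two answers a relay-safe MTA gives: 501 when the recipient has no domain (the quoted local part `"nobody@mail-abuse.org"` contains an `@` but no domain), and 550 when the recipient is neither local nor from a client we relay for. The following is an added example, not Exim's code and not part of the journal: a small model of that RCPT TO decision, with constructed `LOCAL_DOMAINS` and `RELAY_NETS` standing in for sherpa's configuration. It goes one step beyond the visible transcript by also refusing `%` and `!` in the local part of an otherwise local address, the routing forms that the Exim relay HOWTO warns about.

```python
import ipaddress

# Constructed policy for the sherpa.baizid.org example: the domains this MTA
# delivers locally and the networks it relays for. Both are assumptions.
LOCAL_DOMAINS = {"baizid.org", "sherpa.baizid.org"}
RELAY_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]


def split_address(address):
    """Return (local_part, domain) for an SMTP path; domain is None when absent.

    A quoted local part such as <"nobody@mail-abuse.org"> holds an '@' but has
    no domain, which is why the transcript shows a 501 for it.
    """
    addr = address.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr.startswith('"'):
        end = addr.find('"', 1)
        if end == -1:
            return addr, None
        local, rest = addr[1:end], addr[end + 1:]
    else:
        local, sep, rest = addr.partition("@")
        rest = sep + rest
    if len(rest) < 2 or not rest.startswith("@"):
        return local, None
    return local, rest[1:].lower()


def is_local_recipient(local, domain):
    """Local delivery only: '%' and '!' in the local part would route the mail on."""
    return domain in LOCAL_DOMAINS and not any(c in local for c in "%!")


def rcpt_decision(client_ip, recipient):
    """Answer RCPT TO the way a relay-safe MTA does: (SMTP code, text)."""
    local, domain = split_address(recipient)
    if domain is None:
        return 501, "recipient address must contain a domain"
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in RELAY_NETS):
        return 250, "accepted: client is on a network we relay for"
    if is_local_recipient(local, domain):
        return 250, "accepted: local recipient"
    return 550, f"relaying to <{local}@{domain}> prohibited by administrator"


def count_accepted_relays(client_ip, recipients):
    """The figure a relay tester reports: non-local recipients that got a 250."""
    accepted = 0
    for rcpt in recipients:
        code, _ = rcpt_decision(client_ip, rcpt)
        local, domain = split_address(rcpt)
        if code == 250 and not is_local_recipient(local, domain):
            accepted += 1
    return accepted


if __name__ == "__main__":
    # Constructed battery in the spirit of the relay-test transcript above.
    tests = ['<"nobody@mail-abuse.org">', "<nobody@mail-abuse.org>",
             "<nobody%mail-abuse.org@baizid.org>", "<ahmed@baizid.org>"]
    for rcpt in tests:
        code, text = rcpt_decision("204.152.187.123", rcpt)
        print(f">>> rcpt to: {rcpt}\n<<< {code} {text}")
    print("relay attempts accepted:",
          count_accepted_relays("204.152.187.123", tests))
```

The same battery sent from 192.168.1.4 is accepted, which is the intended behaviour for the LAN; the point of the model is that the decision depends on the client's network and the recipient, never on the MAIL FROM, which any sender can forge.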
Fri Mar 15 10:07:56 CET 2002
Technical parameters:
| Domain name | baizid.org |
| DNS #1 | 62.212.97.139 (ns.baizid.org) |
| DNS #2 | 209.61.140.1 (ns3.zoneedit.com) |
| SMTP | mail.baizid.org |
| POP | mail.baizid.org |
| News | news.baizid.org |
| FTP | ftp.baizid.org |
| IRC | irc.baizid.org |
| Webmail | mail.baizid.org |
| Personal web pages | http://www.baizid.org/~votre_login |
Thu Mar 14 22:44:17 CET 2002
Opening to the public planned for the first of April two thousand and two.
By the first of September, it is not done yet...
A year later, still nothing.
DNS, webmail, IRC and news remain to be done...
Purpose of the site: promote GNU/Linux systems by example.
Thu Mar 14 02:52:05 CET 2002
exim handles the mail.
Write to our users:
ahmed AT baizid.org,
nazim AT baizid.org.
Change the DNS.
An MX record appears.
# dnsquery baizid.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15322
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 3
;; baizid.org, type = ANY, class = IN
baizid.org. 1h49m17s IN SOA ns3.zoneedit.com. dnsadmin.zoneedit.com. (
1014906389 ; serial
4H ; refresh
2H ; retry
1w3d ; expiry
2H ) ; minimum
baizid.org. 1h50m56s IN NS ns3.zoneedit.com.
baizid.org. 1h50m56s IN NS ns5.zoneedit.com.
baizid.org. 1h53m57s IN MX 0 mail.baizid.org.
baizid.org. 1h57m53s IN A 62.212.97.139
baizid.org. 1h50m56s IN NS ns3.zoneedit.com.
baizid.org. 1h50m56s IN NS ns5.zoneedit.com.
ns3.zoneedit.com. 1d10h18m35s IN A 209.61.140.1
ns5.zoneedit.com. 1d5h3m30s IN A 207.41.71.245
mail.baizid.org. 1h50m56s IN A 62.212.97.139
# exim -bd -q 15m
# netstat -aept
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 *:smtp *:* LISTEN root 382 356/exim
tcp 0 0 *:https *:* LISTEN root 165 216/apache-ssl
tcp 0 0 *:www *:* LISTEN root 155 205/apache
tcp 0 0 *:ftp *:* LISTEN nobody 119 195/proftpd (accept
tcp 0 0 *:pop3 *:* LISTEN root 96 188/
tcp 0 0 *:cvspserver *:* LISTEN root 95 188/
tcp 0 0 *:ssh *:* LISTEN root 78 176/sshd
tcp 0 0 *:sunrpc *:* LISTEN root 33 85/
#
Thu Mar 14 01:27:24 CET 2002
We thank the sponsors...
Freedom and free of charge are two different notions.
Amusing oneself by confusing them (It's free!) remains an amusement.
Reference:
The GNU Manifesto.
Wed Mar 13 16:10:11 CET 2002
The software is a Debian distribution that comes from the internet.
# apt-get update
Hit http://ftp.fr.debian.org stable/main Packages
Hit http://ftp.fr.debian.org stable/main Release
Hit http://ftp.fr.debian.org stable/contrib Packages
Hit http://ftp.fr.debian.org stable/contrib Release
Hit http://ftp.fr.debian.org stable/non-US/main Packages
Hit http://ftp.fr.debian.org stable/non-US/main Release
Reading Package Lists... Done
Building Dependency Tree... Done
# apt-get dist-upgrade
Reading Package Lists... Done
Building Dependency Tree... Done
Calculating Upgrade... Done
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
#
Wed Mar 13 15:31:44 CET 2002
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
baizid.org * 255.255.255.0 U 0 0 0 eth1
10.0.0.0 * 255.0.0.0 U 0 0 0 eth0
# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
# adsl-start
.. Connected!
# ipchains -L
Chain input (policy ACCEPT):
target prot opt source destination ports
DENY udp ----l- anywhere anywhere any -> 0:1023
DENY tcp ----l- anywhere anywhere any -> 0:1023
DENY tcp -y--l- anywhere anywhere any -> any
DENY icmp ----l- anywhere anywhere echo-request
Chain forward (policy DENY):
Chain output (policy ACCEPT):
# adsl-stop
Killing pppd (335)
Killing adsl-connect (308)
# ipchains -L
Chain input (policy ACCEPT):
target prot opt source destination ports
DENY udp ----l- anywhere anywhere any -> 0:1023
DENY tcp ----l- anywhere anywhere any -> 0:1023
DENY tcp -y--l- anywhere anywhere any -> any
DENY icmp ----l- anywhere anywhere echo-request
Chain forward (policy DENY):
Chain output (policy ACCEPT):
#
Mon Mar 11 22:32:02 CET 2002
dwww is too cool...
As a C developer, I never tired of the “info” pages
of the GNU C Library.
# apt-get install dwww
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
dwww
The following held packages will be changed:
dwww
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 53.3kB of archives. After unpacking 180kB will be used.
Do you want to continue? [Y/n] Y
Get:1 http://ftp.fr.debian.org stable/main dwww 1.4.3.5-1.9 [53.3kB]
Fetched 53.3kB in 9s (5682B/s)
Selecting previously deselected package dwww.
(Reading database ... 21138 files and directories currently installed.)
Unpacking dwww (from .../dwww_1.4.3.5-1.9_i386.deb) ...
Setting up dwww (1.4.3.5-1.9) ...
Scanning web server configuration files...
Server Found: Apache
HTML Document Root Directory: /var/www
cgi-bin Directory: /usr/lib/cgi-bin
Server Name: (none specified)
Server Port: 80
CGI User: www-data
Congratulations! Web server is configured to Web Standard
Scanning /etc/dwww/dwww.conf...
/etc/dwww/dwww.conf file doesn't exist yet - using defaults
Previously Installed Server: (none specified)
HTML Document Root Directory: (none specified)
cgi-bin Directory: (none specified)
Server Name (and Port): (none specified)
CGI User: (none specified)
Scanning directories...
Pre-existing dwww symlink not found in document root.
Pre-existing dwww symlink not found in cgi-bin directory.
Attempting Automatic Install...
Creating symlinks to dwww in /var/www
Installing dwww cgi script in /usr/lib/cgi-bin
Finished configuring dwww. You may re-configure
dwww at any time by running: /usr/sbin/dwwwconfig
Building dwww pages; this will take a while... done.
#
That's all.
Point the web browser at
http://www.baizid.org/dwww.
Mon Mar 11 22:33:09 CET 2002
Install ntp.
You are on atomic time.
# date
Mon Mar 11 22:32:02 CET 2002
# tzconfig
Your current time zone is set to Europe/Paris
Do you want to change that? [n]: n
Your time zone will not be changed
# cat /etc/ntp.conf
# /etc/ntp.conf, configuration for xntpd
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server ntp.obspm.fr
server ntp.tuxfamily.net
server ntp.univ-lyon1.fr
server ntp.via.ecp.fr
#
To put your PC back on time, do:
# ntpdate baizid.org
If you have sound,
saytime
acts as a speaking clock.
Mon Mar 11 23:06:38 CET 2002
The “Concurrent Versions System” is here.
Repository of choice: baizid.org:/var/cvs.
The www-data user uses it,
for example,
to publish the site
http://www.baizid.org.
sherpa:~# su - www-data
www-data@sherpa:~$ cvs update
cvs update: Updating .
U index.html
? .bash_history
www-data@sherpa:~$
viewCVS publishes the repository on the web.
Remote access to the CVS repository is done over SSH.
See the “Sun Sep 8 12:54:53 UTC 2002” entry.
Mon Mar 11 23:06:38 CET 2002
baizid.org is reachable from outside.
trex:/home/abaizid/var/www# traceroute baizid.org
traceroute to baizid.org (62.212.97.139), 30 hops max, 38 byte packets
1 apollo.objective.fr (10.0.0.1) 0.537 ms 0.435 ms 0.904 ms
2 192.168.1.1 (192.168.1.1) 1.029 ms 1.209 ms 1.021 ms
3 gen-lns4.oleane.net (194.2.1.231) 62.169 ms 51.967 ms 51.041 ms
4 24.gig-9-0.geng1.gennevilliers.raei.francetelecom.net (194.2.1.226) 50.310 ms ...
5 195.101.89.170 (195.101.89.170) 54.181 ms 52.524 ms 54.781 ms
6 194.51.159.129 (194.51.159.129) 52.114 ms 51.888 ms 54.082 ms
7 p8-0.ntaub101.aubervilliers.francetelecom.net (193.251.126.166) 52.418 ms ...
8 193.251.126.154 (193.251.126.154) 55.157 ms 52.864 ms 54.143 ms
9 p11-0.bagcr2.bagnolet.opentransit.net (193.251.241.122) 54.399 ms ...
10 p5-0.boubb2.bourse.opentransit.net (193.251.241.141) 56.896 ms 52.848 ms ...
11 level3.gw.opentransit.net (193.251.240.214) 54.029 ms 51.581 ms ...
12 gige7-0.ipcolo2.paris1.level3.net (212.73.240.8) 54.490 ms 53.125 ms ...
13 unknown.level3.net (212.73.200.94) 212.136 ms 56.248 ms 54.514 ms
14 feth0-0-lns101-tip-telehouse.nerim.net (62.4.16.21) 63.448 ms 55.876 ms ...
15 aboukir-101-1-9-abaizid.adsl.nerim.net (62.212.97.139) 115.325 ms ...
trex:/home/abaizid/var/www#
Sun Mar 10 14:47:45 CET 2002
FTP joins the party.
Site of choice: ftp://baizid.org.
proftpd takes care of it.
It runs as a daemon; xinetd is out of the picture.
Anonymous access is allowed, but not upload.
satow:~# apt-get install proftp
Reading Package Lists... Done
Building Dependency Tree... Done
E: Couldn't find package proftp
satow:~# apt-get install proftpd
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
proftpd
0 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 357kB of archives. After unpacking 897kB will be used.
Get:1 http://ftp.debian.org stable/main proftpd 1.2.0pre10-2.0potato1 [357kB]
Fetched 357kB in 11s (32.2kB/s)
Selecting previously deselected package proftpd.
(Reading database ... 48635 files and directories currently installed.)
Unpacking proftpd (from .../proftpd_1.2.0pre10-2.0potato1_i386.deb) ...
Setting up proftpd (1.2.0pre10-2.0potato1) ...
Enable anonymous ftp access [y/N]? y
Editing /etc/proftpd.conf ...
Starting professional ftp daemon: proftpd.
satow:~# vi /etc/proftpd.conf
satow:~# vi /etc/xinetd.conf
satow:~#
See:
/etc/proftpd.conf.
Fri Mar 8 23:10:22 CET 2002
Users have a personal page:
Fri Mar 8 01:28:00 UTC 2002
postgresql is installed.
It will accompany apache and
Perl in writing killer applications.
Fri Mar 8 01:28:00 UTC 2002
From outside, access is still closed.
# ipchains --list
Chain input (policy ACCEPT):
target prot opt source destination ports
DENY udp ----l- anywhere anywhere any -> 0:1023
DENY tcp ----l- anywhere anywhere any -> 0:1023
DENY tcp -y--l- anywhere anywhere any -> any
DENY icmp ----l- anywhere anywhere echo-request
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ anywhere anywhere n/a
Chain output (policy ACCEPT):
#
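The three `ipchains -L` listings in this journal (the empty chains before `adsl-start`, the DENY rules the ADSL script installs and leaves in place after `adsl-stop`, and the March listing with the MASQ rule in the forward chain) are the kind of state worth checking automatically. The script below is an added example, not part of the journal and not an ipchains tool: it parses the `ipchains -L` layout into chains and rules and audits them against the protection the journal's own rules express (privileged tcp and udp ports denied, incoming SYNs denied, forward policy DENY). The sample listings are constructed copies of the ones on this page.

```python
import re

# Constructed samples copied from the journal's "ipchains -L" listings.
BEFORE_ADSL = """\
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
"""

AFTER_ADSL = """\
Chain input (policy ACCEPT):
target prot opt source destination ports
DENY udp ----l- anywhere anywhere any -> 0:1023
DENY tcp ----l- anywhere anywhere any -> 0:1023
DENY tcp -y--l- anywhere anywhere any -> any
DENY icmp ----l- anywhere anywhere echo-request
Chain forward (policy DENY):
Chain output (policy ACCEPT):
"""

MARCH = """\
Chain input (policy ACCEPT):
target prot opt source destination ports
DENY udp ----l- anywhere anywhere any -> 0:1023
DENY tcp ----l- anywhere anywhere any -> 0:1023
DENY tcp -y--l- anywhere anywhere any -> any
DENY icmp ----l- anywhere anywhere echo-request
Chain forward (policy DENY):
target prot opt source destination ports
MASQ all ------ anywhere anywhere n/a
Chain output (policy ACCEPT):
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \(policy (\w+)\):$")


def parse_ipchains(text):
    """Return {chain: {"policy": ..., "rules": [...]}} from ipchains -L output."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_HEADER.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if not line or line.startswith("target ") or current is None:
            continue  # column header or stray text
        f = line.split()
        # columns: target prot opt source destination ports...
        chains[current]["rules"].append({
            "target": f[0], "prot": f[1], "opt": f[2],
            "source": f[3], "destination": f[4], "ports": " ".join(f[5:]),
        })
    return chains


def audit(chains):
    """List the protections from the journal's ruleset that are missing."""
    findings = []
    inp = chains.get("input", {"policy": "ACCEPT", "rules": []})
    rules = inp["rules"]
    for prot in ("tcp", "udp"):
        if not any(r["target"] == "DENY" and r["prot"] == prot
                   and r["ports"].endswith("-> 0:1023") for r in rules):
            findings.append(f"input: no DENY of {prot} to privileged ports 0:1023")
    # In the opt column the second flag is 'y' for rules matching SYN-only packets.
    if not any(r["target"] == "DENY" and r["prot"] == "tcp"
               and len(r["opt"]) > 1 and r["opt"][1] == "y" for r in rules):
        findings.append("input: no DENY of incoming TCP SYN (new connections)")
    fwd = chains.get("forward", {"policy": "ACCEPT", "rules": []})
    if fwd["policy"] != "DENY":
        findings.append(f"forward: policy is {fwd['policy']}, not DENY")
    return findings


if __name__ == "__main__":
    for name, listing in (("before adsl-start", BEFORE_ADSL),
                          ("after adsl-start", AFTER_ADSL), ("March", MARCH)):
        print(name, "->", audit(parse_ipchains(listing)) or "ok")
```

Because the journal shows the rules surviving `adsl-stop`, the useful moment to run such a check is not only after connecting but after every change to the link scripts; the audit also makes explicit that `ipchains -L` without `-v` hides the interface a rule is bound to, so a clean result here says nothing about which interface the DENY rules actually cover.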
Thu Mar 7 22:00:51 UTC 2002
ssh,
tidy and
cvs are installed.
xinetd replaces inetd.
Thu Mar 7 22:00:51 UTC 2002
http://www.baizid.org changes.
It is the Hot news at the moment.
The original page is still there.