File: answer.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> 
<html>
<head>
<title>The Answer Guy Issue 14</title>
</head>

<BODY>
<H4>&quot;Linux Gazette...<I>making Linux just a little more lovable!</I>&quot;
<IMG ALIGN=MIDDLE SRC="../gx/heart.gif">
</H4>
<P> <hr> <P> 

<!-- =====================================================================  -->
<center>
<H1><A NAME="answer">
<img src="../gx/ans.gif" alt="" border=0 align=middle>
The Answer Guy
<img src="../gx/ans.gif" alt="" border=0 align=middle>
</A></H1> <BR>
<H4>By James T. Dennis,
<a href="mailto:jimd@starshine.org">jimd@starshine.org</a> </H4> 
</center>

<p><hr><p>
<H3>Contents:</H3>
<ul>
<li><a HREF="./answer.html#block">Netscape Mail Block</a>
<li><a HREF="./answer.html#mail">Dealing with e-mail on a pop3 server</a>
<li><a HREF="./answer.html#secure">Security Problem</a>
<li><a HREF="./answer.html#more">More on Security Problem</a>
<li><a HREF="./answer.html#dialup">Dial-up Problem</a>
<li><a HREF="./answer.html#window">X Window Problem</a>
</ul>

 <p><hr><p> 
<!--================================================================-->

<a name="block"></a>

<h3><img align=bottom alt=" " src="../gx/ques.gif">
Netscape Mail Block
</h3>
<p> 
Date: Sun, 15 Dec 1996 23:16:10 -0800 (PST)
<p> 
<B> 
hi... mitch here in mobile, alabama... <BR> 
i need to refuse to accept email from a particular person...
how can i configure netscape and/or cnd1.0 to bounce the
person's mail back to them?
</B>
<P>
<img align=bottom alt=" " src="../gx/ans2.gif">
	I'd use procmail.  CND uses procmail as your 
	&quot;local delivery agent&quot; (by default).  This means
	that sendmail passes any mail to a local account
	to procmail and lets procmail do the final delivery 
	to your mail box (/var/spool/mail/$YOUR_LOGIN_NAME).
<P> 
	However, when procmail does this, it checks for a 
	.procmailrc file in your home directory (and does
	some ownership and permissions checks on it for you).
<P> 
	procmail is a little programming language specifically
	for processing mail.
<P> 
	Your .procmailrc file can have a variety of settings 
	and clauses (which are called &quot;recipes&quot; by the author).  
	You can also modularize this by using a variety of 
	INCLUDE directives.  Here's a simple example that 
	should get you started.
<PRE>
# Refuse mail from one sender and send a reply.  Put your own address in
# place of your.login@your.host.name on both X-Loop lines.
:0 hr
* ^From.*spammer.you.despise@spamhaven.com
* !^FROM_MAILER
* !^FROM_DAEMON
* !^X-Loop: your.login@your.host.name
| (formail -r -A"X-Loop: your.login@your.host.name" \
     -A"Precedence: junk" ; \
   echo "Your mail is not welcome here." ; \
   echo "Please don't mail me again." ; \
   echo ; \
   cat ~/your.signature.or.flame \
  ) | $SENDMAIL -oi -t
</PRE> 

	The :0 marks this as a new recipe (so each new
	recipe starts with a :0 line).  The 'h' on that 
	line is one of several flags to procmail about what
	parts of the message to hand to your action line
	(which comes up later).  'h' says: give me the header.
	'r' says: treat the incoming data as &quot;raw&quot; (so his
	failure to put a blank line at the end of his message
	won't cause your response to fail).

<P> 
	The four &quot;star&quot; lines after that are conditions --
	the first specifies that the header indicates that 
	the message be &quot;from&quot; your spammer (or unwanted
	sender).   This will actually match any &quot;from&quot; or 
	&quot;From:&quot; line that contains your target's e-mail address.
	The next two lines try to ensure that you don't respond
	to daemons and mailers (mailing lists).   The next one
	(which you should fill in with your username and hostname)
	makes sure that you don't respond to your own response.
<P> 
	Those three conditions are to protect your script from 
	being tricked into doing bad things.  Consider them to 
	be the minimum overhead on any autoresponders that you
	write.
<P> 
	The next line (starting with a &quot;|&quot; pipe character) is
	the action to take.  
<P> 	
	In procmail there are three types of actions.  A 
	filename simply specifies an mbox (elm, pine, or mailx 
	compatible) folder to file this away in.  A directory 
	name specifies an mh or mmdf folder to store the message 
	in (mh and mmdf use different naming schemes for the 
	messages in their folder directories -- you don't need 
	to worry about this unless you use one of these mail
	user agents).  A '!' (bang) line specifies an e-mail 
	address to which to bounce the message.  A '|' (pipe)
	line specifies that the message should be filtered 
	through a local program.
<P> 
 	formail is a program that comes with the procmail package.
	It &quot;formats mail headers.&quot;  This particular formail command
	formats a &quot;reply&quot; (-r) header and adds two additional header
	lines -- a standard &quot;Precedence: junk&quot; line and a personal
	&quot;X-&quot; line (which the RFC822 spec allows you to use to embed
	custom information into a header).  This is where your
	message adds the line that would prevent an attack by routing
	your response back into your script (a mail loop).
<P> 
	The echo and cat statements after the formail line just 
	provide output that is appended after the mail header.  This
	becomes the body of your response.  You can add additional
	echo lines -- or you can create a file and just 'cat' it 
	here.

<P> 
	If you are new to procmail (which is almost certain given
	your question -- autoresponders are some of the first things
	procmail'ers learn) you may be nervous about 'breaking' 
	something and losing some of your mail.  So -- to protect
	yourself from that you might want to start your .procmailrc
	with the following simple recipe:
<PRE> 
	:0 c
	fallback
</PRE> 

	Which (if it is the *first* recipe) simply appends a copy 
	of every incoming message to a file (in your ~/Mail directory
	by default) named fallback.  You can compare the contents of 
	that folder to your inbox until you're confident that things
	are working as you expect.
<P> 
	Please read the procmail and procmailex
	(examples) man pages for more details.  The author,
	Stephen van den Berg, has also written an automated 
	mail list management package called SmartList -- which is
	highly regarded among people who've tried it.  I like
	SmartList *much* more than majordomo.
<P> 
--Jim
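<P>
As an added illustration (not part of the column or of the procmail package), the decision logic of the recipe above written out in Python: it applies the same four conditions to constructed sample header blocks and builds the kind of reply header the formail line produces. The daemon/list regex is an assumed stand-in for procmail's FROM_DAEMON and FROM_MAILER macros, and the address mitch@example.invalid and the sample messages are constructed.

```python
import re
from email import message_from_string

# Added example, not code from the column: the four '*' conditions of the
# .procmailrc recipe above, plus the reply header the formail line builds.
ME = "mitch@example.invalid"   # placeholder for your own login@hostname
SPAMMER_RE = re.compile(r"^From.*spammer\.you\.despise@spamhaven\.com", re.I | re.M)
# Rough stand-in for procmail's FROM_DAEMON / FROM_MAILER macros (the real
# regexes are far longer): flags bounces, list traffic and postmaster-type senders.
DAEMON_RE = re.compile(
    r"^(Mailing-List:|Precedence:\s*(junk|bulk|list)|To: Multiple recipients of"
    r"|((Resent-)?(From|Sender):|From )[^\n]*"
    r"(postmaster|mailer-daemon|daemon|majordomo|listserv|owner-|-request|uucp))",
    re.I | re.M)

def should_autoreply(header: str, me: str = ME) -> bool:
    """True only if every condition of the recipe holds for this header block."""
    if not SPAMMER_RE.search(header):            # * ^From.*spammer...
        return False
    if DAEMON_RE.search(header):                 # * !^FROM_MAILER, * !^FROM_DAEMON
        return False
    if re.search(r"^X-Loop:\s*" + re.escape(me) + r"\s*$", header, re.I | re.M):
        return False                             # * !^X-Loop: me (our own reply came back)
    return True

def build_reply(header: str, body: str, me: str = ME) -> str:
    """Approximates formail -r -A"X-Loop: me" -A"Precedence: junk" plus the echoed body."""
    orig = message_from_string(header)
    to = orig.get("Reply-To") or orig.get("From")   # formail -r answers Reply-To first
    lines = [f"To: {to}", f"Subject: Re: {orig.get('Subject', '')}"]
    if orig.get("Message-ID"):
        lines.append(f"In-Reply-To: {orig['Message-ID']}")
    lines += [f"X-Loop: {me}", "Precedence: junk"]   # the loop guard the text describes
    return "\n".join(lines) + "\n\n" + body

# Constructed sample header blocks (what the 'h' flag hands to the action).
DIRECT = ("From spammer.you.despise@spamhaven.com Sun Dec 15 23:16:10 1996\n"
          "From: spammer.you.despise@spamhaven.com\nTo: mitch@example.invalid\n"
          "Subject: buy now\nMessage-ID: <1@spamhaven.com>\n")
# Same sender posting through a list: without the daemon guard the reply would go
# to the list (formail -r follows Reply-To), so every subscriber gets your flame.
VIA_LIST = ("From: spammer.you.despise@spamhaven.com\nReply-To: fans@list.invalid\n"
            "Precedence: bulk\nSubject: [fans] hello\n")
# The sender runs formail -r too; it keeps our X-Loop header, so the X-Loop
# condition is what breaks the ping-pong.
PINGPONG = ("From: spammer.you.despise@spamhaven.com\nSubject: Re: buy now\n"
            f"X-Loop: {ME}\n")

def decisions() -> dict:
    return {name: should_autoreply(hdr)
            for name, hdr in (("direct", DIRECT), ("via_list", VIA_LIST), ("pingpong", PINGPONG))}

if __name__ == "__main__":
    print(decisions())                 # direct replied to, the other two suppressed
    print(build_reply(DIRECT, "Your mail is not welcome here.\n"))
```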

 <p><hr><p> 
<!--================================================================-->

<a name="mail"></a>

<h3><img align=bottom alt=" " src="../gx/ques.gif">
Dealing with e-mail on a pop3 server
</h3>
Date: Tue, 28 Jan 1997 04:02:06 -0800 (PST)
<P> <B> 
From Moe Green:
<P> 
Is there any way (or any program out there) which will not only get my
email from a pop3 server off of one account, then distribute it to
multiple users on my system by either the from: or subject: lines???
<P> 
Example: Perhaps popclient could get the mail and save to temp, then is
there a program which would go through and say, hmmm...this mail is from
johndoe@linux.org and it goes to root...then the next message is from
mike@canoe.net and it goes to dave???
<P> 
Thanks for your time, keep up the good work. <BR> 
-Moe Green, <A HREF="mailto:starved@ix.netcom.com">
starved@ix.netcom.com</A>
</B> <P> 
<img align=bottom alt=" " src="../gx/ans2.gif">
	It is possible to write procmail scripts that can do 
	this sort of thing.  However I don't recommend this
	approach at all.
<P> 
	The current version of 'popclient' is called 'fetchmail' 
	(because it supports IMAP and some other mail store and 
	forward protocols).  
<P> 
	Its default is to fetch the mail from your POP or IMAP
	server and feed it to the smtpd (sendmail) on your 
	local host.  This means that any special processing that
	would be done by the aliases or .forward files (especially
	any processing through procmail scripts) will be done 
	automatically.
<P> 
	It is possible to over-ride that feature and feed the
	messages through a pipe or into a file.  It is also 
	possible, using procmail or any scripting language,
	to parse and dispatch the file.  Using anything other
	than procmail would require that you know *a lot* about
	RFC822 (the standard for internet mail headers) and 
	about e-mail in general.
<P> 
	I did write an article on procmail this month -- but
	may have submitted it too late for inclusion into 
	this month's Linux Gazette. The gist of it is available
	on my own mail server (send mail to info@starshine.org
	with a subject of ``procmail'' or ``mailbot'').
<P> 
	The reason I don't recommend all of this is that it 
	violates the intentions and design of internet e-mail.
	A better solution is to find a provider of UUCP services
	(or at least SMTP/MX services).  UUCP is the *right* way
	to provide e-mail to disconnected (dial-up) hosts and 
	networks.  It was designed and implemented over 25 years
	ago and all of the mail systems on the Internet know how
	to gateway to UUCP sites.	   
<P> 
	As for SMTP/MX services for disconnected hosts/networks:
	Various ways of hacking sendmail and DNS configurations have 
	been developed in the last few years -- with a variety of 
	shell scripts and custom programs to support them.  All of 
	these provide essentially the same services as mail via 
	UUCP over TCP -- but without conforming to any standard
	(meaning that whatever you learn and configure with one
	ISP probably won't work with the next one).
<P> 
	Glad I could help.  I hope that article on procmail 
	helps.
<P> 
--Jim

 <p><hr><p> 
<!--================================================================-->

<a name="secure"></a>

<h3><img align=bottom alt=" " src="../gx/ques.gif">
Security Problem
</h3>
Date: Tue, 28 Jan 1997 04:02:06 -0800 (PST)
<P> <B> 
From Jay:
<P> 
Recently a cracker got into my linux system on the internet.
He didn't do a lot of damage but he did turn off system logging.
I guess so I couldn't see what he'd done. Now I can't get it working
again....
<ol>
<li>I've made sure that the syslogd program is running using 'ps'
<li>I've read the syslogd.conf file to make sure it's logging everything,
and where it's going to.
<li>I've checked permissions on the log file
<li>I did a 'kill -HUP' on the syslogd process and it writes 'restart' to
the log
<li>'logger' does nothing when I run it (no log entry, no error)
<li>All my C programs that wrote to syslog don't anymore
</ol>
Anyone have any good ideas what to do from here?
<P> 
Thanks <BR> 
--Jay, <A HREF="mailto:jay@shadow.ashpool.com">jay@shadow.ashpool.com</A><BR> 
</B> <P> 
<img align=bottom alt=" " src="../gx/ans2.gif">
	I do, but they are rather too involved for me to type
	up tonight.
<P> 
	I really recommend that you reinstall the OS and 
	all binaries from scratch whenever you think that 
	root has been compromised on a system.  I realize that 
	this is a time-consuming proposition -- but it is the 
	only way to really be sure.
<P> 
	I also recommend tripwire (<a 
href="ftp://ftp.cs.purdue.edu/">ftp.cs.purdue.edu</a>
 in the COAST archive -- and its mirrors).
<P> 
	Please feel free to write me if you continue to have
	system security problems. <A HREF="mailto:jimd@starshine.org">
jimd@starshine.org</A> 
<P> 
	Sorry to take so long to respond.  I've been literally
	swamped all month.
<P> 
--Jim
 <p><hr><p> 
<!--================================================================-->

<a name="more"></a>

<h3><img align=bottom alt=" " src="../gx/ques.gif">
More on Security Problem
</h3>
Date: Tue, 28 Jan 1997 18:56:22 -0800 (PST)
<P> <B> 
From Jay:<p>
&gt;&gt;&gt; Recently a cracker got into my linux system on the internet.<br>
&gt;&gt;<br>
&gt;&gt; Did you restart the whole system?<br>
&gt;&gt; I would consider replacing syslog from your CD's and<br> 
&gt;&gt; restarting your system.<br>
&gt;<br>
I found that the cracker had replaced my syslogd with a packet
sniffer. I think he had copied the syslogd code and replaced parts
of it with his sniffer. It seemed to have some functionality but not
a lot...
<P> 
I also found a SUID version of bash in my /tmp directory.
My thought is that this is how he originally got root access.
</B> <P> 
<img align=bottom alt=" " src="../gx/ans2.gif">
	Not too surprising.  He was probably using a 'rootkit.'
	However he obviously didn't do a very good job of 
	covering his tracks.
<P> 
	You should consider all passwords for all of the systems 
	on the local net to be compromised.  Force password 
	changes across the board and consider installing ssh
	or stelnet (secure, encrypted replacements to rlogin/rsh
	and telnet respectively).
<P> 
	He probably got in through the "Leshka" sendmail
	bug (allowing any shell user to create a root
	owned SUID shell in /tmp/ on any system with an
	SUID root copy of sendmail (version ~8.6.x to 8.7.x 
	???) using a bug in sendmail's handling of ARGV[0]
	and its subsequent SIGHUP handling).
<P> 
	Everyone using earlier versions of sendmail should
	upgrade to 8.8.3 or later 
(<a href="http://www.sendmail.org">www.sendmail.org</a> 
for details).
<P> 
	How important are this system and the other systems
	on the same LAN segment to your business?
<P> 
	I'd seriously consider hiring a qualified consultant
	for a full day risk assessment and audit.  Unfortunately
	you'll probably pay at least $125/hr for anyone that's
	worth talking to and many of the "security consultants"
	out there are snake oil salesmen.
<P> 
	I personally trust Peter Shipley (<a 
href="http://www.dis.org/">www.dis.org</a>) and
	Brent Chapman (<a 
href="http://www.greatcircle.com/">www.greatcircle.com</a>) (co-author of 
	the O'Reilly Firewalls book), Strata Rose (<a 
href="http://www.virtual.net/">www.virtual.net</a>)
	and Dan Farmer (<a href="http://www.trouble.org/">www.trouble.org</a>) 
(co-author of SATAN).  
	Most of them live in the SF Bay Area (silicon valley)
	and most of them aren't available most of the time
	(Brent is working on a large project to integrate 
	the SGI and Cray WAN's; Strata has accepted a full-time
	position at synopsis.com, etc).
<P> 
	I only consider myself to be a student, at best an 
	apprentice, at data security.  I'm willing to help --
	but I can offer a list of satisfied clients for RASA
	services and I have no official "credentials."
<P> 
--Jim
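<P>
As an added example (not from the column and not tripwire itself), this Python script shows the kind of baseline comparison Jim's tripwire recommendation gives you, and how it would have surfaced both of Jay's findings: a replaced syslogd and a new setuid file under /tmp. The directory layout, file contents and the demo() scenario are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Added example, not from the column and not tripwire: a minimal file baseline
# of the kind tripwire keeps, checked against the live tree to catch a replaced
# binary (Jay's syslogd) and a newly planted setuid file (the bash copy in /tmp).

def fingerprint(path: Path) -> dict:
    """Record what a swapped binary or a planted shell changes: contents and mode bits."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode)}

def baseline(root: Path) -> dict:
    """Snapshot every regular file under root; in practice take it from known-good media."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def verify(root: Path, base: dict) -> list:
    """Compare the live tree with the baseline and return sorted findings."""
    findings = []
    current = baseline(root)
    for name, old in base.items():
        new = current.get(name)
        if new is None:
            findings.append(f"MISSING {name}")
            continue
        if new["sha256"] != old["sha256"]:
            findings.append(f"MODIFIED {name} (contents changed)")
        if new["mode"] != old["mode"]:
            findings.append(f"MODE {name} {old['mode']:o} -> {new['mode']:o}")
    for name, new in current.items():
        if name not in base:                    # anything not in the baseline is suspect;
            tag = "NEW SETUID" if new["mode"] & stat.S_ISUID else "NEW"
            findings.append(f"{tag} {name}")    # setuid is the classic rootkit leftover
    return sorted(findings)

def demo() -> list:
    """Constructed scenario: baseline a clean tree, then replay what Jay found."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sbin").mkdir()
        (root / "tmp").mkdir()
        (root / "sbin" / "syslogd").write_bytes(b"#!/bin/sh\n# stand-in for the real syslogd\n")
        base = baseline(root)
        # after the break-in: syslogd's contents differ, and a setuid 'bash' sits in tmp
        (root / "sbin" / "syslogd").write_bytes(b"#!/bin/sh\n# stand-in for the replaced one\n")
        (root / "tmp" / "bash").write_bytes(b"#!/bin/sh\n")
        os.chmod(root / "tmp" / "bash", 0o4755)
        return verify(root, base)

if __name__ == "__main__":
    for finding in demo():
        print(finding)      # MODIFIED sbin/syslogd (contents changed), NEW SETUID tmp/bash
```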

 <p><hr><p> 
<!--================================================================-->

<a name="dialup"></a>

<h3><img align=bottom alt=" " src="../gx/ques.gif">
Dial-up Problem
</h3>
Date: Tue, 28 Jan 1997 22:56:35 -0800 (PST)
<P> 
<B> 
From Seth Vidal:

<p>I was reading your answer in LG(#13) to the individual who had slow rate
problems with ppp. Something which he did not mention that might be of
help is the MTU. Some ISPs set the MTU or have ppp do the negotiation.
NOT all. Some of the newer ones have not quite figured out that a 14.4
or 28.8 is not going to get a packet size over 576 very often. If he
sets his MTU to 576 (or even 296 for a 14.4) he may be able to force the
provider's setting down. I have found that in a standard (slackware or
redhat) linux distribution that the MTU defaults to 1500 which will
result in slowdowns and problems if your modem encounters errors
frequently. I know what ppp is "supposed to do" when set up correctly.
But he cannot control the ignorance of his ISP and therefore it would be
to his behest to give that a try. If you'd like to pass the information
along to the individual who wrote the message feel free.
I hope this helps him and any others.
<P> 
cheers,<br>
Seth Vidal, <A HREF="mailto:skvidal@terminus.ehc.edu">
skvidal@terminus.ehc.edu </A>
</b>
 <p><hr><p> 
<!--================================================================-->

<a name="window"></a>

<h3><img align=bottom alt=" " src="../gx/ques.gif">
X Window Problem
</h3>
Date: Tue, 28 Jan 1997 04:02:06 -0800 (PST)
<P> <B> 
From: Chris Lee, <A HREF="mailto:techno@usa.net">techno@usa.net</A>
<P> 
1.) X Windows
I got a Cirrus 5434 1mb video card, when in 640x480x8bit the video is 
*fine* not great, I get little specks once in a while on the screen, they 
go away with a simple [refresh] but still... When in 800x600x8bit I get 
lines, not specks anymore, almost always horizontal, and about 3 pixels 
high, and always cross the entire screen, not the virtual screen 
though, and they also go away with a simple [refresh]; these lines occur 
a lot more than the specks did. My vid card works fine in DOS/Windows. Any 
suggestions?
</B> <P> 
<img align=bottom alt=" " src="../gx/ans2.gif">
	You can look for the SuperProbe utility that comes with most
	recent distributions.  This will provide info that can be
	autodetected about your video card.  
<P> 
	Frankly XWindows configuration under XFree86 is black magic.
	A few people are really good at it and mere mortals
	(such as I) just plug along and hope for the best.
<P> 
	The new XFree86 3.1.2 release seems to be better about 
	this but I'm sure that I'm not getting the optimal 
	color and clock settings from my various X installations
	either.
<p>
<B> 
2.)Is there any Linux or X-Windows mailing-lists ? would help alot for 
me.
</B> <P> 
	There are many Linux mailing lists -- and some of them
	and some independent ones cover XFree86 (which is used by
	Linux, FreeBSD and the rest of the free BSD derivatives,
	NetBSD and OpenBSD).
<P> 
	The three best web sites for information about 
	Linux seem to be:
<ul>
<li><a href="http://www.li.org/">http://www.li.org/</a>, Linux International
<li><a href="http://www.ch4549.org/lust/">http://www.ch4549.org/lust/</a>, L.U.S.T. (Linux User's Support Team)
<li><a href="http://www.ssc.com/linux/">http://www.ssc.com/linux/</a>, SSC Inc.
</ul>
<P> 
	I don't know much about X Windows and the XFree86 project
	but I think they maintain a web site -- probably at
	www.xfree86.org.
<P> 
	It's an often overlooked fact that there are competitors
	to Linux in the field of freely available Unix for PC's.
	You can look at 
<a href="http://www.freebsd.org/"> 
www.freebsd.org</a>, 
<a href="http://www.netbsd.org/">
www.netbsd.org</a> and 
<a href="http://www.openbsd.org/"> 
www.openbsd.org</a> 
for some of those.
<P> <B>  
Thanks for your time :) <BR> 
Chris Lee, Computer Science <BR> 
P.S. Damn you Linux people are great, so much out there, so many people 
helping you, nothing like this for DOS/Windows
</B> <P> 
	DOS heralded the "sharing" of software (shareware)
	while Linux and the GNU project have promoted a *giving*
	of software -- and support.
<P> 
	I think one is largely an extension of the other.
<P> 
	Personally some of the best news I've heard for die hard
	PC users in the last year is the announcement that
	Caldera purchased DR-DOS and intends to release the sources
	as soon as they clean up the code enough to compile cleanly 
	in a sane production environment.  Look at 
	<a href="http://www.caldera.com">www.caldera.com</a>
	for details about that.
<P> 
	OpenDOS will be one of the final pieces in the puzzle of
	how we (PC users, IS managers, and others) can truly 
	protect the investment we've made in our legacy software.
	(Currently, with dosemu -- the BIOS emulator, you have to 
	install a copy of DOS onto your system in addition to installing
	and configuring the Linux interface to your DOS programs
	-- which is what dosemu provides).
<P> 
-- Jim

<!--================================================================-->
<P> <hr> <P> 
<center><H5>Copyright &copy; 1997, James T. Dennis <BR> 
Published in Issue 14 of the Linux Gazette</H5></center>

<P> <hr> <P> 
<!--================================================================-->
<A HREF="./lg_toc14.html"><IMG SRC="../gx/indexnew.gif" ALT="[ TABLE OF 
CONTENTS ]"></A> <A HREF="../index.html"><IMG SRC="../gx/homenew.gif" 
ALT="[ FRONT PAGE ]"></A> 
<A HREF="lg_bytes14.html"><IMG SRC="../gx/back2.gif" ALT=" Back "></A>
<A HREF="./clueless.html"><IMG SRC="../gx/fwd.gif" ALT=" Next "></A>
</td></tr></table>
</body> 
</html>