Discussions of private networks typically point the user at the IP address ranges - such as 192.168... - reserved for private networks.
But they often also show those networks named something like "...MyHome.Net". Murphy says that any name you pick will eventually be a real domain to which you want access.
For a private network, you do *not* have to use a ".net", ".com", ".org" ending. I've been happily using an adaption of my street address - i.e., something like ".MainSt123" - for some time, yielding nodes such as Hub.MainSt123 = 192.168.0.1 for a (Linux) gateway, and things like FamilyRoom.MainSt123 for other machines scattered around the house.
I run things such as DNS (early Bind, now Bind8), Apache, Squid, Samba, etc. on the hub machine and have had no configuration problems from *not* using a standard, 3-character ending.
And I sleep easy knowing that I'm *not* using something that may also be a *real* domain name ... at least not in the foreseeable future :-)
Barry Johnson - [email protected]
Here's a little spell check script; I call it "wspell". You can call "wspell" alone and answer the questions, or place up to two portions of the word on the command line, as in
wspell re quir
reacquired require required requirement requirements requires requiring
the requirement of this script is, get the first few letters correct
wspell (shell script)
hello,
I just wanted to say, did you know that Playstation 2 is using a Linux interface, while the Dreamcast is using Windows.
later
(((LeX)))
That's what I thought the first time I used the program wget. If you don't know why some port is listening and you are a little bit paranoid and think that's a backdoor, try first this command:
fuser -vn
This will display the program that opened that port, its PID and the user who executed it. If you are sure that's a backdoor and want to close it, type this:
fuser -kn
This will close this port till the next reboot (unless the backdoor program is run by cron). Check your system to eliminate the backdoor.
Here's my 2cents_tip
I have a firewall, and the logs show when a packet is denied. Denied packets from the internet can be a warning sign. But I became tired of searching through the logs for this info, and the IPs were not resolved. So I wrote some scripts that look through a log file, pull out the DENY lines, resolve the IP addresses and remove any duplicates.
These scripts are perhaps the height of kludgeyness, but they work. I know i like to learn from examples, so maybe this can help others.
the script to run is show_denied_packets.sh
This script filters out any lines dealing with my local LAN, because I am only looking for packets from the internet. You may want to set LOCAL_LAN to the ip address of your local lan, if you have one.
It then calls strip_log.pl
This perl script takes the info from the log and prints out just the ip addresses and ports involved. This info is then piped into the logresolve program.
logresolve is a C program that came with my apache, although not compiled. I found it in /var/lib/httpd/support/ . To compile it I ran
gcc -o logresolve logresolve.c
and then moved the logresolve binary into my bin directory. Its path needs to be set in the show_denied_packets.sh script.
Finally, I was getting many duplicate entries, so i pipe the info to the unix sort command to sort it all, and the unix uniq command to take out all the duplicate entries.
And voilà! You now have a list of all the computers that tried to send you packets that bounced off your firewall. To keep an eye on this, I put an entry in my crontab to have this info mailed to me once a week. The line looks like this:
# once a week check for denied packets
0 2 * * mon /home/marc/bin/show_denied_packets.sh
Using different scripts together is a strength of unix. Still, this is a bit kludgy, and if there is any interest, i could whip all this up into one program.
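Added example, not part of the original letter or its scripts: the filter, strip, sort and uniq stages described above as one POSIX shell script. The ipchains-style log format, the function names denied_sources and add_names, and the sample lines are assumptions made for this sketch; name resolution uses getent instead of logresolve.

```shell
#!/bin/sh
# Summarise firewall DENY log entries: one line per external source and
# destination port, with a hit count, most frequent first.
#
# ASSUMED log format (ipchains-style kernel message; adjust the awk field
# handling for other packet filters):
#   <date> <host> kernel: Packet log: input DENY eth0 PROTO=6 SRC:PORT DST:PORT ...

LC_ALL=C; export LC_ALL
LOCAL_LAN="${LOCAL_LAN:-192.168.0.}"   # address prefix of the local LAN to skip

# Constructed sample log (documentation addresses), used when no file is given.
SAMPLE_LOG='Oct 11 02:14:07 hub kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:1045 198.51.100.7:23 L=60 S=0x00 I=4411 F=0x4000 T=52 SYN (#4)
Oct 11 02:14:10 hub kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.45:1046 198.51.100.7:23 L=60 S=0x00 I=4412 F=0x4000 T=52 SYN (#4)
Oct 11 02:20:31 hub kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.12:137 192.168.0.255:137 L=78 S=0x00 I=901 F=0x0000 T=128 (#6)
Oct 11 03:02:55 hub kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.99:4000 198.51.100.7:80 L=60 S=0x00 I=77 F=0x4000 T=60 SYN (#2)
Oct 11 04:41:19 hub kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.8:3321 198.51.100.7:1080 L=60 S=0x00 I=5120 F=0x4000 T=49 SYN (#4)'

# stdin: log lines.  stdout: "source_ip protocol dest_port count".
denied_sources() {
    awk -v lan="$LOCAL_LAN" '
        / DENY / {
            for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
            if (i > NF - 2) next                # malformed: no address pair
            split($(i + 1), src, ":")
            split($(i + 2), dst, ":")
            if (index(src[1], lan) == 1) next   # traffic from the local LAN
            print src[1], substr($i, 7), dst[2]
        }' |
    sort | uniq -c |
    awk '{ print $2, $3, $4, $1 }' |
    sort -k4,4nr -k1,1
}

# Optional stage: append a reverse-DNS name to each summary line.
# Needs working name resolution, so it is not run by default.
add_names() {
    while read -r ip proto port count; do
        name=$(getent hosts "$ip" 2>/dev/null | awk '{ print $2; exit }')
        echo "$ip ${name:-unresolved} $proto $port $count"
    done
}

# With a log file argument, summarise it; otherwise show the sample summary.
if [ -n "${1:-}" ]; then
    denied_sources < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | denied_sources
fi
```

Counting hits per source and port, rather than only deduplicating, makes repeated probes stand out in the weekly mail; pipe the result through add_names when names are wanted.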
Hi -
First thing, I'd like to thank you for putting out the LG; it's been a mentor/SuperFAQ/"AHA!" generator ever since I first installed Linux, over a year ago. "What a long, strange trip it's been". Thanks to LG (as well as a myriad other Linux sources), I'm now very comfortable (not yet a guru, though) with it, and learning more every day.
Second - a contribution, if you will. Here's one of the shell scripts that I've written, bkgr; it's been a really nifty gadget for me, selecting random backgrounds for my X-Windows. I hope other folx here will find it of as much use.
Drum roll, please... :)
There is lots of configurable stuff in there - graphics prog, window manager, etc. - but the comments should make it sorta simple to adapt. *Hint*: the backgrounds for E-term (this is where about half of my pics came from) are rather bright and wonderful...
Keep up the good work!
Dear Jim
Your email did help me to solve the problem with the telnet in linux. It works fine now. Thanks a million.....
I have a small doubt. Let me explain...... My network has a NT server, LINUX server and 20 windows 95 clients. I followed your instructions and added the address of all the clients into the /etc/hosts file on the LINUX machine and voila the telnet worked immediately.
But the NT server was the one who was running a DHCP server and dynamically allocating the addresses to the clients. The clients were configured to use DHCP and were not statically given and ip addresses. I managed to see the current DHCP allocation for each client and add those address into the /etc/hosts file on the LINUX server but my doubt is what happens when the DHCP address for the client changes? Then again we'll have to change the address in the /etc/hosts file right? This seems silly. Is there anyway to make the LINUX hosts file to automatically pick up the DHCP address from the NT server?
Also another important thing is I am still unable to ping from the NT server to the LINUX server using the name. It works only with the IP address. Is there any way to make the NT DHCP to recognize the LINUX server?
Well, either you shouldn't use dynamic addressing (DHCP) or you should use dynamic DNS. You could also disable TCP Wrappers (edit your /etc/inetd.conf to change lines like:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
... to look more like:
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
(and comment out all of the services you don't need while you're at it).
Thanks Jim for all your help....you've become my LINUX guru.............
Perhaps you should consider getting a support contract (or joining a local users group). I may not always respond as quickly nor as thoroughly as you'd like.
"R.Smith" wrote:
Sir, Since my previous letter about Dalnet providers trying to connect to my Linux box via telnet port 23, I have found out that they are also trying port 1080. I have instigated a policy of dropping all incoming connections via a command run by host.deny:
/sbin/ipfwadm -I -i deny -S %a
I hate to do this to my niece, but I don't know of any alternative until these dalnet jerks stop this intrusive practice. Anyway, my niece has moved to other irc providers that don't do this kind of thing.
Why should I care if Dalnet is trying to connect to ports 23 and 1080? I don't run any services on port 1080 and port 23 is closed via hosts.deny. I care because WITH JUST ONE dalnet user, I sometimes have dozens of syslog messages per day. I have to go through them and decide if there is a problem. I have to run whois, nslookup, traceroute, etc. on them to see if they are bogus. And many of the dalnet domain and IP's ARE bogus.
I could ignore connect attempts to port 23 and miss that one attempt that really was important. I could ignore port 1080... I could turn off my firewall and let everyone in...
Imagine what a workload I would have if I was an sysadm with 20-30 people on dalnet.
It is simpler to just drop all connect attempts and let my niece use other irc services that aren't abusive.
Hi Jeff,
after you compile the network card driver, you should place it in a directory where insmod searches for it. I think /lib/modules/x.y.z/net would be appropriate, where x.y.z is your current kernel version, e.g. 2.2.10 or 2.0.38.
Alternatively you can set the MODPATH environment variable to point to the directory where your module is located. See "man insmod".
Erik,
I read your question in issue 46 of the Linux Gazette.
To deny remote logins as root, add the following to the /etc/login.access file:
-:root:ALL EXCEPT LOCAL
This means you can only login as root from a local console.
But if I were you I would disable telnet entirely and use ssh (secure shell). You can disable telnet by adding a "#" in front of the "telnet" line in /etc/inetd.conf.
If you are not running a server, I would disable inetd entirely. To do this, comment out the lines that start inetd in the start-up scripts. For Debian this is /etc/init.d/netbase, for Slackware the /etc/rc?.d scripts ("?" is your runlevel, look at /etc/inittab for the default runlevel). I don't know about Red Hat, but you can do a "grep inetd /etc/init.d/*" to find it there.
Ian Carr-de Avelon says:
From: Erik Fleischer
For security reasons, I would like to make it impossible for anyone logging in remotely (via telnet etc.) to log in as root, but so far haven't been able to figure out how to do that. Any suggestions?
This is an easy one, at least under Slackware; other distributions may differ. The file /etc/securetty has the terminals root can use. It looks something like:
tty1
tty2
tty3
tty4
tty5
tty6
ttyS0
ttyS1
ttyp0
ttyp1
The tty(number) entries are what you use normally with the PC video card and keyboard. ttyS(number) entries are serial lines, so for example if you connect to your Linux box via a modem. ttyp(number) entries are "pseudo terminals" which you get if you come in via telnet. Delete all the ttyp entries and you can't telnet in as root.
Yours
Ian
[Jeremy Johnstone and Stephen Crane also sent in the same suggestion. -Ed.]
Jonathan Marsden adds:
You don't say what sort of login you have in mind: telnet? FTP? SSH? rlogin? I'll try to deal with all of those!
(1) Set the file /etc/securetty to contain only the local console device(s). This is actually what is done in most or all well known Linux installations by default. It will prevent root login on telnet connections (or dialin lines, or any tty except the ones listed!).
(2) Make sure root is included in the file /etc/ftpusers. Again this is done by default on most or all current Linux distributions. This file lists all users who will be denied FTP login (one user per line), even if they use the "correct" password for that user.
(3) In /etc/ssh/sshd_config (may be /etc/sshd_config on some distributions), set PermitRootLogin no. This prevents users logging in as root using SSH.
(4) Disable rlogin by commenting it out of /etc/inetd.conf, where it is referred to as the 'login' service -- in other words, put a # sign before the line that starts with the word login, and then do kill -HUP `cat /var/run/inetd.pid` to tell inetd of the change.
You will also need to keep current with security updates for your distribution, avoid running unnecessary services, and generally be aware of network security issues, if your computer is connected to the Internet; reading the Linux Security HOWTO and the more comprehensive "Linux administrator's Security Guide" at
is also worthwhile to learn more about keeping your Linux systems secure.
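Added example, not part of the original replies: a POSIX shell check for the four settings listed in steps (1) to (4) above. The function name audit_root_login and the optional root-directory argument are assumptions made for this sketch; the extra test for pts/ entries (the later naming for pseudo-terminals) is also an addition.

```shell
#!/bin/sh
# Audit the four remote-root-login settings from the steps above.
# Usage: audit_root_login [ROOT]
#   ROOT is a directory prefix (default: the live system) so the check can be
#   run against a mounted image or a test tree.
# Prints one PASS/FAIL line per check; the return value is the failure count.

report() {      # report PASS|FAIL message
    echo "$1 $2"
    [ "$1" = PASS ] || fails=$((fails + 1))
}

audit_root_login() {
    root="${1:-}"
    fails=0

    # (1) /etc/securetty must not list pseudo-terminals. A missing file
    #     traditionally means root may log in on any tty.
    f="$root/etc/securetty"
    if [ ! -f "$f" ]; then
        report FAIL "securetty: $f is missing"
    elif grep -Eq '^[[:space:]]*(ttyp|pts/)' "$f"; then
        report FAIL "securetty: pseudo-terminals are listed"
    else
        report PASS "securetty: no pseudo-terminals listed"
    fi

    # (2) root must appear on a line of its own in /etc/ftpusers.
    f="$root/etc/ftpusers"
    if grep -Eq '^[[:space:]]*root[[:space:]]*$' "$f" 2>/dev/null; then
        report PASS "ftpusers: root is denied FTP login"
    else
        report FAIL "ftpusers: root is not listed in $f"
    fi

    # (3) sshd_config: the first PermitRootLogin line is the effective one.
    val=absent
    for f in "$root/etc/ssh/sshd_config" "$root/etc/sshd_config"; do
        if [ -f "$f" ]; then
            val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$f")
            break
        fi
    done
    case "$val" in
        no)     report PASS "sshd_config: PermitRootLogin no" ;;
        absent) report PASS "sshd_config: no sshd_config found" ;;
        *)      report FAIL "sshd_config: PermitRootLogin is '${val:-unset}', expected 'no'" ;;
    esac

    # (4) inetd.conf: the rlogin service is the line starting with "login".
    f="$root/etc/inetd.conf"
    if grep -Eq '^[[:space:]]*login[[:space:]]' "$f" 2>/dev/null; then
        report FAIL "inetd.conf: the login (rlogin) service is enabled"
    else
        report PASS "inetd.conf: the login (rlogin) service is not enabled"
    fi

    return "$fails"
}

# Run only when a root directory is given, e.g.:  sh audit.sh /
[ $# -eq 0 ] || audit_root_login "$1"
```

Passing / as the argument checks the running system. The check reads files only, so after changing inetd.conf the kill -HUP from step (4) is still needed.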
Russ Johnson wrote replying to a plea for help from a new Linux user with ATI rage LT PRO in a new laptop:
You bet there's a solution. It's not perfect (yet) but it works well until XFree86 gets a new server out there. The solution is to use the Frame Buffer server. Details are here: www.0wned.org/~cain/ragefury.htm Other than that, the only solution available is to purchase a commercial X server.
The answer is correct in this that this is a solution but this is not the only one nor the best. A few months ago I found myself in a similar situation installing Linux for somebody with a Gericom (a German company) laptop. Looking around on Internet I found fairly quickly (don't ask me how as I do not remember that now, but it was fairly easy :-) the following web page:
www.fachschaften.uni-bielefeld.de/physik/leute/marc/X/
Among other things one can find there binaries of an X server supporting LT PRO which works very well. The card is similar to other ATI Rage cards but different enough to require a special treatment.
You may also want to consult ruff.cs.jmu.edu/~beetle/ragefury.htm.
I do not know if LT PRO support found its way in the recent XFree86 releases; pretty likely.
For starters, the bash(1) manual (type "man bash" at the command prompt) gives a detailed if somewhat cryptic listing of all the shell language features.
I'd recommend reading a lot of other peoples' shell scripts. For instance, look at the system startup scripts in /etc/init.d, or (if /etc/init.d doesn't exist) in /etc/rc2.d.
Rakesh,
First you need to know what authentication method your ISP uses. This can be PAP or CHAP or just a plain-text password.
Then you need to tell kppp to use that authentication method. I'm not familiar with kppp, so look at the documentation. :-)
If kppp doesn't have options to configure PAP or CHAP, you'll have to create a file called /etc/ppp/pap-secrets or /etc/ppp/chap-secrets yourself.
These files should contain a line in the following format
# client server secret IP addresses
rsmith * foobar
First comes your login name, then a *, then your password. Lines beginning with "#" are comments.
For more information read the pppd man-page (type "man pppd" at the prompt).
I think you should ask this question on the cygwin mailing list: [email protected]
There is also an archive of the mailing lists at http://www.delorie.com/archives
For more information, check the homepage: http://sourceware.cygnus.com/cygwin/
It looks to me that you want to use Linux as a client, not as a server, right?
In that case you should use the smbfs utilities. You'll find them at http://samba.SerNet.DE/linux-lan/
Rick Smith asked for a way to prevent unwanted telnet access. I recommend a package called portsentry which automatically detects port scans and multiple failed telnet attempts. It denies access and doesn't return any IP packets to that host. It's free for non-commercial use. Available from
http://www.psionic.com/abacus/portsentry/
Bob T.
From: Jim Dennis
We call that "losing the lottery." It always seems to happen when you're in a hurry to get the system back up and running.
Yup. Note that even once we have journalling support in ext2, you will want to occasionally force an fsck over the filesystem just to make sure there haven't been any errors caused by memory errors, disk errors, cosmic rays, etc.
If you need your laptop to reboot quickly just before a demo (and your laptop doesn't have a hibernate feature or some such), something you can do is to sync your disks, make sure your system is quiescent (i.e., nothing is running), and then force a power cycle and let your system reboot. Your system will then fsck all of your disks, and you can then shutdown your system, confident that the dreaded "maximal mount count" message won't appear during that critical demo.
If you want to live dangerously you can change the maximal mount count value on a filesystem using the 'tune2fs' command's -c option. You can also manually set the mount value using the -C (upper case) option. You can see the current values using a command like:
tune2fs -l /dev/hda1
If you know that your system is fairly reliable --- you've been running it for a while and you're not seeing weird failures due to cheesy cheap memory or overly long IDE or SCSI cables, etc. it's actually not so dangerous to set a longer maximal count time.
One approach if your system is constantly getting shutdown and restarted is to set the filesystem so it uses the time the filesystem was last checked as a criteria instead of a maximal count. For example:
tune2fs -c 100 -i 3m /dev/hda1
This will cause the filesystem to be checked after 100 mounts, or 3 months, whichever comes first.
(It should be safe to change some values when you have a filesystem mounted read-only; though it might be worth asking an expert, so I've copied Ted Ts'o and Remy Card on this message).
Yes, it's safe to change these values if the filesystem is mounted read-only. If you're ***sure*** that the filesystem is quiescent, and nothing is changing on the filesystem, you can even get away with changing it while the filesystem is mounted read-write. It's not something I'd really recommend, but if you know what you're doing, you can get away with it. It really depends on how much you working without a safety net.
As far as I know there is no way in which this volume label is currently used. It seems to be a wholly optional feature; I guess we can use these to keep track of our removable media or something.
You can use the volume label in your /etc/fstab if you like: For example:
LABEL=temp /tmp ext2 defaults 1 2
or
UUID=3a30d6b4-08a5-11d3-91c3-e1fc5550af17 /usr ext2 defaults 1 2
The advantage of doing this is that the filesystems are specified in a device independent way. So for example, if your SCSI chain gets reordered, the filesystems will get mounted correctly even though the device names may have changed.
- Ted
NVidia has released its own drivers for Riva TNT / TNT 2 under XFree86
Check them out at:
www.nvidia.com/Products.nsf/htmlmedia/software_drivers.html
This fix for Netscape distributed with RH6 appears at http://www.linux-now.com
I do not take credit for this, it is not my work...
Edit the file: /etc/X11/fs/config
change this:
catalogue = /usr/X11R6/lib/X11/fonts/misc:unscaled,
    /usr/X11R6/lib/X11/fonts/75dpi:unscaled,
    /usr/X11R6/lib/X11/fonts/100dpi:unscaled,
    /usr/X11R6/lib/X11/fonts/misc,
    /usr/X11R6/lib/X11/fonts/Type1,
    /usr/X11R6/lib/X11/fonts/Speedo
to this:
catalogue = /usr/X11R6/lib/X11/fonts/misc:unscaled,
    /usr/X11R6/lib/X11/fonts/75dpi:unscaled,
    /usr/X11R6/lib/X11/fonts/100dpi:unscaled,
    /usr/X11R6/lib/X11/fonts/misc,
    /usr/X11R6/lib/X11/fonts/Type1,
    /usr/X11R6/lib/X11/fonts/Speedo,
    /usr/X11R6/lib/X11/fonts/75dpi
And then restart the font server with this command:
/etc/rc.d/init.d/xfs restart
Tue, 28 Sep 1999 21:18:37 -0500
From: Larry Settle
This is a reply to: [email protected]
He wrote on Mon, 20 Sept, 1999:
I am running Netscape Comm 4.51 on Red Hat Linux 6.0. It crashes invariably if I load a site with any Java applet etc. Is there something I am missing or is this a known bug?
Mahesh
I had the same problem on Red Hat 6.0. I fixed Netscape Comm 4.6, but 4.5.1 was broken in the same way.
Use this URL to Netscape's knowledge base: help.netscape.com/kb/consumer/990807-8.html
In case you can't reach it:
execute: chkfontpath --list
If "/usr/X11R6/lib/X11/fonts/75dpi" is not listed
execute: chkfontpath --add /usr/X11R6/lib/X11/fonts/75dpi
Note that "/usr/X11R6/lib/X11/fonts/75dpi:unscaled" will be listed. You still need the one without the ":unscaled" suffix.
Larry Settle
Mon, 11 Oct 1999 23:34:43 -1000
From: Kevin Brammer
Yes, it's a known bug with Redhat 6.0. The fix is simple, type this (as root) in a console window:
chkfontpath --add /usr/X11R6/lib/X11/fonts/75dpi
For more bugs/fixes/issues with Redhat 6.0, check out: www.redhat.com/cgi-bin/support?faq
Wed, 27 Oct 1999 07:50:36 +1300 (NZDT)
From: Tobor
It's a well known bug and Netscape is one of the worst pieces of software on Linux IMHO. Do a search on www.searchlinux.com or dejanews and you'll see how many hate postings there are on Linux newsgroups.
Anyway, there's one way to stop Netscape crashing as often. Do you download netscape from their ftp server or from your distro? If you download from netscape, don't use the link from their http pages. They only have links to binaries that are linked to libc5, which crash very often on my redhat 6.1 box. On their ftp server, there's another set of binaries linked to glibc2.0 which is much more stable. Try them out and see which ones are better.
PS. I always turn java off.
To avoid possible BIOS limitations just make a /boot partition which ends before cylinder 1023.
-Noah
Regarding the posting "Re: Help wanted for a (Cheap) COBOL compiler for Linux", we offer a product called CobolScript for US$49.95. CobolScript™ is a COBOL-like interpreted language with specialized syntax for file processing, CGI programming, and internetworking. CobolScript also has a wide range of advanced math and business functions available to facilitate quick and easy calculating.
See www.cobolscript.com for more information.
Whoops, a small error in the address. This will work!
This is an email I sent to our local linux users group after a somewhat tricky setup of a zip drive. You might want to add some of the info here to the atapi zip drive entry in 2cent tips and tricks.
I have an ATAPI zip on the second IDE interface as the slave device - ie /dev/hdd.
Oh, and thanks for the tips and tricks article - it was a great help for most of the job.
Date: Mon, 11 Oct 1999 13:25:21 +1000 (EST)
From: Richard Wraith
To: Linux Users of Victoria
Subject: Re: Mounting a zip disk
Thanks to all those who replied, particularly Derek Clarkson and George Georgakis - the answer was in the fine detail.
The important points to note that aren't so clear from the HOW-TO:
1) Compile in IDE Floppy support in the kernel - there is no need for scsi emulation unless you want auto-eject support. Also remember to compile in support for the filesystems you wish to have on your zip disks.
2) Zip drives actually appear to have two mount points depending on the history of the zip disk. If the disk has previously been password protected by Iomega's zip tools it needs to be mounted at /dev/hdd1 (or what ever the /dev/hd location for your system). Whereas if the drive was never password protected it gets mounted at /dev/hdd4. This is where I think I got caught.
3) vfat is the filesystem type, but msdos and auto will work fine as long as you get the mount point right.
4) ext2 (ie Linux) formatted disks mount at /dev/hdd ie without the extra number - whether the disk has been password protected before or not.
5) Formatting a disk from vfat to ext2 and back to vfat does not clear the previous password protection stuff - interesting huh!
Hi Dave,
You seem to have installed Linux with your Cd-Rom in working condition so it must be ok. Your cdrom has worked in Winxyz, I presume. My advice is first to check cabling and jumper setting. Let's assume you have one hard disk and one cdrom. /dev/hda will be the device for communicating with your harddisk (I am leaving out the numbers to describe which partition, but you get my drift). Now the question is where did you put your cdrom?
1. In case of slave on primary IDE controller: it should be /dev/hdb; if so, did you jumper the cdrom accordingly?
2. In case of master on secondary IDE: it should be /dev/hdc (you think it is); you should check the jumper setting. In the sloppy DOS/Win world it will work fine with good or bad jumper settings. Not so in Linux. You must be sure that you jumpered it master. If you did there remains one thing to do (it worked fine for me): at boot time, type at the LILO boot: hdc=cdrom The kernel will display at boot time: hdc=cdrom? which means it will accept your instruction but does not grok the message. Your cdrom should work after that. This is a so-called boot parameter and can be inserted in the LILO configuration file.
3. In case of slave on 2nd IDE, check jumper settings. Cdrom should work in /dev/hdd and you should at boot time instruct the kernel that hdd=cdrom.
The reason, I think, is that it is logical (in the Vulcan sense :-) ) to put the cdrom in the next empty spot: /dev/hdb (slave on first IDE). It will probe at boot time the slave on primary IDE and if it detects zilch it 'knows' there will be no other devices. So no cdrom on master on IDE2 will be detected. Therefore if you instruct the kernel with: hdc=cdrom it will respond with, ok I will accept what you said but I think that's stupid because it's not logical... :-).
Good luck...
PS. if this does not work you should check your fstab file in /etc (?)...
groetjes [email protected] ( Paul).
Manuel & everybody,
I noticed your article in the Gazette about problems compiling IRC, and while I haven't done it in Linux, I compiled IRC and run it on my site (http://www.pfpconsortium.org). I did it under Solaris 2.7 (Sparc HW), so I'm not sure how 'portable' will be my help, but I'm willing to try.
Could you please send me information on what error messages you were getting when trying to compile, your compiler (gcc, cc, etc) and platform ? I noticed a few tweaks during the configuration process, and a few library files needed during the compile, but other than that it was straight forward (the hard part was getting the executable to run with the right arguments, and setting up the ircd.conf file correctly, if I remember correctly).
Anyway, send your details and I'll try to take a look.
Cheers,
Scott Swafford
There are several well-used channels. On the Undernet IRC Network, you can get on via us.undernet.org or eu.undernet.org. On the EfNet Network, try irc.emory.edu. On DalNet try irc.dal.net. Then, when connected, go to the #Linux channel.
Chris
In the need to define hotspots on some images in HTML documents, I found a total lack of programs for Linux that enable you to accomplish this task. Does somebody know what I'm searching for?
There are a couple of choices. First, there is the ImageMap plug-in for the Gimp. It will allow you to define hot spot regions and outputs the HTML tags for the image map. registry.gimp.org
Another option is MapEdit, from Thomas Boutell. It does pretty much the same thing the first option does, but with a different interface. www.boutell.com/mapedit/
Hope that helps.
I have a 690c and encountered the same problem (printing from KDevelop using enscript), that following the text a solid black line was printed. After much trial and error I found using the cdj550 driver solved the problem and still allowed me to print in colour.
In /usr/local/bin/psjetfilter:
/usr/bin/gs -q -dSAFER -dNOPAUSE -sDEVICE=cdj550 -sOutputFile=- -
In the FAQ you say that PDF is only visible by a custom viewer. Actually gv and xpdf both can display PDF files. Also, if you do the Netscape "Print to file....", and get a postscript file, using ps2pdf in the ghost(script/view?) package then you can get PDF files.