From: Ruben Safir
Subject: Re: [NYLXS - HANGOUT] Apache Security tips
|From owner-hangout-outgoing-at-mrbrklyn.com Sun Oct 12 23:13:48 2014
Received: by mrbrklyn.com (Postfix)
id 23AB2161166; Sun, 12 Oct 2014 23:13:48 -0400 (EDT)
Received: by mrbrklyn.com (Postfix, from userid 28)
id 10422161168; Sun, 12 Oct 2014 23:13:47 -0400 (EDT)
Received: from mailbackend.panix.com (mailbackend.panix.com [22.214.171.124])
by mrbrklyn.com (Postfix) with ESMTP id C3A78161166
for ; Sun, 12 Oct 2014 23:13:46 -0400 (EDT)
Received: from [10.0.0.42] (unknown [126.96.36.199])
by mailbackend.panix.com (Postfix) with ESMTP id A7E842E83E
for ; Sun, 12 Oct 2014 23:13:46 -0400 (EDT)
Date: Sun, 12 Oct 2014 23:14:19 -0400
From: Ruben Safir
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0
Subject: Re: [NYLXS - HANGOUT] Apache Security tips
Content-Type: text/plain; charset=utf-8
On 09/17/2014 12:29 AM, Paul Robert Marino wrote:
> Well Gnome was never that good. If you think it was, just think back to
> the first Gnome developers conference.
> I remember asking why they had their own host name lookup caching
> daemon and getting told that despite the fact that it used a huge
> amount of RAM and CPU for what it did, it responded 2ms faster than nscd.
How about the Bonjour services? It has been a long time since I had
time to get under the hood and look at what things are doing.
Increasingly it really seems Gnome has flipped off the deep end.
> Oddly enough it only got those numbers when used in combination with
> nscd and when properly tuned nscd was and is still faster.
> My best memories of that conference was cowering in a corner with you,
> the guys from Novell, several other NYLXS members and someone else who
> shall remain nameless with bottles of Scotch, then building a new
> firewall for the place because we were overrunning their business
> class appliance's capabilities. And that was a fun build by a drunken
> NYLXS committee. If I remember correctly we spent 15 minutes debating
> about the mount points and the result was the thing had at least 6
> partitions, each using a different filesystem optimized to the role of
> the subdirectory tree. The actual firewall and DHCP server only took
> about 2 minutes to configure LOL.
You have unusual memories of things.
> Rant: By the way, anyone who has issues with nscd crashing, it's because
> you are using the default config, which is tuned for desktops which
> aren't expected to run for years at a time. Turn off shared and
> persistent, then double the record size on each of the databases and
> you will be pleasantly shocked at its stability and statistical
> reporting capabilities to help with further fine tuning. There is even
> a way to easily detect it's not responding: just check the statistics,
> which only works if you turn off shared mode (shared mode is IPC via a
> persistent memory mapped file instead of sockets connecting to threads
> ) anyway, and I've never seen it freeze up when shared mode was turned
If you have dns running, why do you need this?
> While I don't agree with what some distros are doing, namely systemd,
> other distros are doing some really inventive, useful replacements for
> rc.d and the System V init structure. Frankly it's long overdue;
> however I admit a lot of it, especially systemd, is far too desktop
> centric and terrible for mission critical and/or secure servers.
That has not proven to be the real problem. The real problem, and the
cause of its adoption, is that it is a wrapper for the kernel that
allows the distro distributor to enforce a level of locked down
control that has, up until now, escaped them. With commercial
proprietary operating systems, they consider this an asset, that all
the systems look the same, act the same and have centralized control.
This has not been the case with free OSes. That flexibility has been
exploited until now. But we have reached a time where copyright is not
what locks up technology; technological surveillance and control is
what locks up systems. They would take away your shell if they could,
and systemd almost does.
> As for how the distros package Apache. I rarely say this so
> definitively, but you are wrong. Most of the distributions do an
> excellent job. And as I said in a previous post on this string, you
> can compile the module independently; you don't need to recompile all
> of Apache. Furthermore I don't know of a distro which doesn't include
> mod_rewrite; it's just your custom compiled version that has this issue,
> and you can fix it easily.
> Finally, the reason you are ripping out all of this stuff is you are still
> caught in a very UNIX design way of thinking.
That is god damn correct. More importantly, I actually use my damn
systems, and have a fairly thorough knowledge and hands-on configuration
of the majority of the system based on nearly 20 years of background and
investigation. I rip them out because I can build them simpler, more
straightforward, easier to debug and with greater flexibility.
I don't NEED SuSE to tell me how to configure my named server.
> Remember what GNU stands for, its multiple philosophies. It's free speech
> software which takes the best of the UNIX history and moves beyond the
> stale old bogged down in closed committee standards which cater to the
> lowest common denominator
That is wrong. It is not the lowest common denominator that these
systems were pointed at. They were pointed at the highest expectation
of the users to be able to become educated in fundamental computing and
to exercise one's accumulation of knowledge to flex the power of these
systems for your own purposes.
This philosophy is now dead. Now LinuxMint installs asking you TWO
questions and explaining NOTHING. It treats you like an IDIOT and a
slave to the system.
That is sad. It will just be time then to move to a different platform.
Years ago, in the 1990's, I became very frustrated over not being able to
get what I needed or my work done on Windows 3.1 because it kept
crashing. And there was no software. I downloaded 144 floppy disks of
Slackware 3.1 and installed it and I have essentially worked on that
same platform, using the same home directory, since that time. For the
last 10 years or so, I had been using openSUSE, and before that SuSE.
The last upgrades were so bad that it forced me to begin a search for
something new and better. Simple cut and paste stopped functioning. X11
failed to work. Access to the core system and getting my custom
configuration files to work ended. Systemd was a large cause of this
mayhem. I've now tried, in the last 2 weeks, Mint, Slackware, Chakra (or
something like that), Ubuntu, netrunner, Puppy Linux (Slacko), and that
is so far.
I have to say that not since the 1990s have we had a situation as dire
as it presently is. Many of these distros JUST DON'T INSTALL. openSUSE
with a gdm boot manager just kicks up a black screen. This is a combined
function of not properly identifying the display and having X11 run out
of systemd. When I changed the X display manager, it was "OK" but
running at lousy resolution. All the tools to configure the monitor and
information that might be needed to handle an /etc/x.conf file are GONE.
Systems that required gpart simply refused to partition the hard drive
correctly. *** Slackware explained how to fix this by hand (Thank God for
Patrick)***, but the system couldn't find the USB device once it booted up.
But there was an important point to learn here. The Slackware method of
installation ENGAGES the user and EXPLAINS to them how things work
and how they will proceed. It is a system of POWER that talks to
the highest levels of people's intellect, and not the least common
I could have moved it all to a DVD burn but I just opted to move on.
Mint was surprisingly OK. Its installation without asking any questions
made me nervous. I LIKE to know how the partition tables are being made
and laid out. But it worked on the laptop fairly well except for the
problem with cut and paste on the native touchpad thingie. When I moved
my laptop home directory from the backup to the laptop, it started to
fail in a dozen little ways. The Debian back end frustrated me. It just
seems to me that Debian package handlers do the job 90% of the way. I
tried to rm -rf / the thing out of frustration and it refused. That
really ticked me off, so I went back to the Slackware method and
repartitioned the drives again.
That finally lead me to netrunner.
The good news about netrunner is that it installed and worked out of the
box nicely and I like the way they derived the KDE interface. The
actual KDE interface ticks me off because it does things that I'm not
aware of. I say drive right, it makes a left and then flies to Colorado
looking for a joint and comes back. This was a problem with
Enlightenment decades ago. It was a great desktop but you never knew
what the hell it was doing. They seem to have tamed KDE, which is good.
But better, I downloaded Wmaker and it worked correctly. The
menu generation program functioned and pacman is very impressive. It is
not as sweet as zypper, but the ability to download SOURCE files and get
them to work ports style is very cool.
Now if all this sounds too Unix like, FUCK IT.
> design concept and don't take the actual users' ideas into
> account. Now you are not the only one caught in this way of thinking;
> for example, I only convinced one of my relatives, who is a fantastic,
> well respected SA, a few years ago that using the conf.d directory in
> Apache 2 made more sense than a monolithic config, after years of on
> and off debate.
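To make the nscd tuning rant above concrete, here is an added example of what those changes look like in glibc's /etc/nscd.conf. It is not from either poster; the directive names are the real ones glibc's nscd reads, but the numbers are illustrative. Reading "record size" as the `suggested-size` hash table size is an assumption, as is doubling `max-db-size` along with it. Only the hosts database is shown; the same pattern applies per database.

```conf
# /etc/nscd.conf for glibc nscd (added example, not from the thread).
# Only the hosts database is shown; repeat the block per database.

        threads                 4
        max-threads             32
        paranoia                no

# Stock values for comparison (shared and persistent on, small table):
#       shared                  hosts           yes
#       persistent              hosts           yes
#       suggested-size          hosts           211
#       max-db-size             hosts           33554432

# Tuned for a long-running server, following the advice above.
        enable-cache            hosts           yes
        positive-time-to-live   hosts           3600
        negative-time-to-live   hosts           20
        check-files             hosts           yes

# shared = no: clients use the socket to nscd's threads instead of
# the mmap'd cache file, which is what the statistics check relies on.
        shared                  hosts           no

# persistent = no: no on-disk cache file carried across restarts.
        persistent              hosts           no

# Assumption: "double the record size" taken as the hash table size.
# glibc recommends a prime here, so 211 becomes 431 rather than 422.
        suggested-size          hosts           431

# Assumption: database size doubled from the 32 MiB default as well.
        max-db-size             hosts           67108864
```

With shared mode off, `nscd -g` prints the per-database statistics (hits, misses, table fill and so on); a hung daemon shows up because that query stops returning, and `nscd -i hosts` flushes the hosts cache without a restart if a stale entry slips in.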