MESSAGE
DATE | 2014-09-17 |
FROM | From: "Paul Robert Marino" |
SUBJECT | Re: [NYLXS - HANGOUT] Apache Security tips |
Ruben,

Well Gnome was never that good. If you think it was, just think back to the first Gnome developers conference. I remember asking why they had their own host name lookup caching daemon and getting told that despite the fact that it used a huge amount of RAM and CPU for what it did, it responded 2ms faster than nscd. Oddly enough it only got those numbers when used in combination with nscd, and when properly tuned nscd was and is still faster. My best memories of that conference were cowering in a corner with you, the guys from Novell, several other NYLXS members and someone else who shall remain nameless with bottles of Scotch, then building a new firewall for the place because we were overrunning their business class appliance's capabilities. And that was a fun build by a drunken NYLXS committee; if I remember correctly we spent 15 minutes debating about the mount points and the result was the thing had at least 6 partitions, each using a different filesystem optimized to the role of the subdirectory tree. The actual firewall and DHCP server only took about 2 minutes to configure LOL.

Rant: By the way, anyone who has issues with nscd crashing, it's because you are using the default config, which is tuned for desktops which aren't expected to run for years at a time. Turn off shared and persistent, then double the record size on each of the databases, and you will be pleasantly shocked at its stability and statistical reporting capabilities to help with further fine tuning. There is even a way to easily detect it's not responding: just check the statistics, which only works if you turn off shared mode (shared mode is IPC via a persistent memory mapped file instead of sockets connecting to threads) anyway, and I've never seen it freeze up when shared mode was turned off.

While I don't agree with what some distros are doing, namely systemd, other distros are doing some really inventive, useful replacements for rc.d and the System V init structure. Frankly it's long overdue; however I admit a lot of it, especially systemd, is far too desktop centric and terrible for mission critical and/or secure servers.

As for how the distros package Apache: I rarely say this so definitively, but you are wrong. Most of the distributions do an excellent job. And as I said in a previous post on this string, you can compile the module independently; you don't need to recompile all of Apache. Furthermore I don't know of a distro which doesn't include mod_rewrite; it's just your custom compiled version that has this issue, and you can fix it easily.

Finally, the reason you are ripping out all of this stuff is you are still caught in a very UNIX design way of thinking. Remember what GNU stands for; its multiple philosophies, its free speech software which takes the best of the UNIX history and moves beyond the stale old bogged down in closed committee standards which cater to the lowest common denominator design concept and don't take the actual users' ideas into account. Now you are not the only one caught in this way of thinking; for example I only convinced one of my relatives, who is a fantastic, well respected SA, a few years ago that using the conf.d directory in Apache 2 made more sense than a monolithic config, after years of on and off debate.

Now I will admit I don't like
-- Sent from my HP Pre3

On Sep 16, 2014 9:53 PM, Ruben Safir <mrbrklyn-at-panix.com> wrote:
that only works if it is compiled
>
> Okay... what distribution is this?
>
> If apache wasn't compiled with support to allow using mod_rewrite
> then it sounds like it'll require recompiling the package to support
> it.
>
> -- Chris
>

I'm sorry for being so grumpy about this. I was deeply involved with another related problem and I only posted the rewrite article for future reference or interest to anyone who is running apache. The article makes good first line of defense sense in protecting your system.

For my purposes, I don't want to spend the time learning the rules for mod_rewrite and opted for use of modperl. I made that decision rather than compiling mod_rewrite. I'd rather spend time learning more about modperl, and actually I learned more than I thought I would, as I'm looking at recompiling mod_perl in order to get around some issues, which also entails getting right into the mod_perl source code. Maybe I'll write a custom mod_perl handler in C when I'm done with this hayride.

Meanwhile, I just had an eye opening lecture in my computer architecture class on binary numbers, octs and hexes, which taught some nifty algorithms that I never saw before to transform the different base numbers. Then, they moved into signed bytes, and 3 other types of binary representations of negative numbers that I never saw before and actually wonder why anyone thought of them.

As a fact though, I don't like how any of the distros put apache together. I don't like how they put named together, dhcpcd, or even routing. It is all spaghetti code. Every time I install a system, lately, I end up ripping it apart and putting it back together again. And now they are screwing with rc.d which is very bad.

And I don't care why they are doing it, any more than I care why they are fucking up gnome... I just want them to stop.

Ruben
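Editor's added example (not part of Paul's post or the nscd project): the nscd tuning he describes in his "Rant" paragraph, written out as a config generator beside the desktop-style defaults, plus the liveness check he mentions. Assumptions: "record size" is read as nscd's per-database hash-table parameter `suggested-size`; the shipped values (passwd, group and hosts databases with `suggested-size 211`) follow glibc's stock nscd.conf; doubling is rounded up to the next prime (421) because the nscd.conf manual asks for a prime table size; `nscd -g` prints statistics; and `timeout` from coreutils is available.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions noted above:
# "record size" == suggested-size, glibc stock values, nscd -g and timeout exist.

# Desktop-style defaults as shipped with glibc (constructed here for comparison,
# not copied from any live system):
#   shared          passwd yes   # clients mmap the cache file directly
#   persistent      passwd yes   # cache file survives daemon restarts
#   suggested-size  passwd 211   # hash-table size (prime)

write_tuned_nscd_conf() {
  # $1: output path. Writes a server-tuned fragment for all three databases:
  # shared/persistent off, hash-table size doubled (211 -> 421, next prime).
  out="$1"
  : > "$out"
  for db in passwd group hosts; do
    cat >> "$out" <<EOF
enable-cache    $db yes
shared          $db no
persistent      $db no
suggested-size  $db 421
EOF
  done
}

nscd_responding() {
  # With shared mode off every lookup goes through the daemon's socket, so a
  # statistics request that returns within the timeout shows it is servicing
  # requests; a hang here is the "not responding" case the post describes.
  timeout 5 nscd -g >/dev/null 2>&1
}

# Only act when invoked with --apply, so sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
  write_tuned_nscd_conf /etc/nscd.conf.tuned   # assumed path: review, then move into place
  if nscd_responding; then
    echo "nscd responding"
  else
    echo "nscd NOT responding"
  fi
fi
```

Review the generated fragment against the distro's own nscd.conf before replacing it; the fragment deliberately sets only the keys the post talks about and leaves time-to-live and thread settings at their defaults.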
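Editor's added example (not from the thread or the Apache project): Paul's point that mod_rewrite can be built as a standalone module without recompiling all of Apache, followed by the checks a sysadmin would run before trusting it. Assumptions: an httpd source tree is unpacked at `$HTTPD_SRC` (mod_rewrite.c lives under modules/mappers in the 2.4 tree), the `apxs` and `httpd` binaries are on PATH (some distros name them apxs2 and apache2ctl), and the server root has a conf.d directory pulled in by an Include line.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed locations below.
HTTPD_SRC="${HTTPD_SRC:-/usr/local/src/httpd}"   # assumed: unpacked httpd source tree
CONF_D="${CONF_D:-/etc/httpd/conf.d}"            # assumed: distro's conf.d directory

build_mod_rewrite() {
  # apxs builds one module against the installed headers:
  # -c compile, -i install into the modules dir, -a add a LoadModule line.
  apxs -c -i -a "$HTTPD_SRC/modules/mappers/mod_rewrite.c"
}

module_listed() {
  # Reads "httpd -M" style output on stdin; succeeds if module $1 is listed.
  # A listed line looks like " rewrite_module (shared)".
  grep -q "^[[:space:]]*$1[[:space:]]*("
}

rewrite_module_active() {
  # Ask the server binary which modules it would load with the current config.
  httpd -M 2>/dev/null | module_listed rewrite_module
}

install_rewrite_dropin() {
  # Keep rewrite settings in their own conf.d file instead of editing httpd.conf
  # (the conf.d-versus-monolithic point from the post). Rules go below the engine line.
  cat > "$CONF_D/rewrite.conf" <<'EOF'
<IfModule rewrite_module>
    RewriteEngine On
    # site-specific RewriteRule lines go here
</IfModule>
EOF
}

# Only act when invoked with --apply, so sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
  build_mod_rewrite
  install_rewrite_dropin
  httpd -t                                 # syntax check before any restart
  if rewrite_module_active; then
    echo "rewrite_module loaded"
  else
    echo "rewrite_module NOT loaded; check the LoadModule line apxs -a added" >&2
    exit 1
  fi
fi
```

The `<IfModule>` guard means the drop-in is harmless if the module is ever removed, and `httpd -t` catches a bad LoadModule path before a restart takes the server down.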