From the latest RHN alert: ... A read buffer overflow vulnerability exists in the glibc resolver code in versions of glibc up to and including 2.2.5. The vulnerability is triggered by DNS packets larger than 1024 bytes and can cause applications to crash.

This is potentially a bad one. More information on the CERT Vulnerability Note.

Updates can be downloaded from this page [RHN membership probably required].

Michael Bauer, author of Building Secure Servers with Linux, explains some of the reasons why it's both possible and worthwhile to secure Linux for use as an Internet server platform. [an O'Reilly Network Article]

Æleen Frisch: Top Five Open Source Packages for System Administrators - Number 5 [in O'Reilly Network's Newsletter].

Thanks to Jon Udell for reminding me what s l a m stands for :-)

He's right of course, I've always been fascinated by outlines, and he's the one responsible for exposing me to Radio Userland and its semi-hidden outliner.

Just when I thought I had got over my addiction - I spent a lot more time without More than Dave has spent without smoke - bam, I relapsed :-)

Well, it's comforting to know that, according to one of the Surgeon General's lesser known warnings, outlining can seriously increase your productivity.

As for logging and monitoring, I'm still and always doing a lot of it, I even use all kind of DHTML, RSS and XSLT tricks for that, but it'll take some time before I'm available to publish anything about it.

Go to the Software Update panel in System Preferences to grab the latest system software security update, a 5.2MB download. From the Read Me:

Security Update 2002-08-02 includes the following updated components which provide increased security to prevent unauthorized access to applications, servers, and the operating system.

Apache v1.3.26
OpenSSH v3.4p1
OpenSSL v0.9.6e
SunRPC
mod_ssl v2.8.10

Installing the security update does require a restart... [Mac Net Journal]

I've just installed the Security Update, July 2002 edition on my MacOS X machines after reading this

Apple issues security update. In response to recent reports about shortcomings in the security for the versions of Apache and OpenSSH bundled with OS X, Apple has released a Security Update.[Mac Net Journal]

Additional comments available from MacCentral , MacSlash and CNet News.

This catchy phrase is printed on the cool openBSD t-shirt I got at the expo.

Sysadmins being the cheeky fellows they are, a roster of clear text passwords captured on the conference wireless network is posted at the door of the 'terminal room'.

This room is actually sponsored by Apple Computers and filled with G4s and iMacs, which is quite a new sight for a Unix geek convention.

Even more impressive, among the thousand of laptop toting sysadmins roaming the Monterey Conference Center, almost 1 in 4 is equiped with some variant of iBook or Powerbook.

I'm currently sitting at one of the laptop tables in the 'terminal room', next to Jordan Hubbard actually: on the 12 laptops sitting on the table, 5 are coming from Apple.

in Yesterday's tutorial, Marcus Ranum presented the latest data on the cracker population, as gathered by the honeynet group, and, while talking way too fast for a presentation, made a good case for honeypots as tools for intrusion detection.

Marcus defines a honeypot as "a security resource whose value lies in being probed, attacked, or compromised".

He further distinguishes between production honeypots, which are "low interaction" systems - giving the attacker access to limited resources thru some sort of emulation - designed to secure an organization, and research honeypots, which are "high interaction" systems - basically giving the attacker control of a whole server - targeted at counter intelligence and gaining information on the so called "black hat" community.

Production honeypots are getting easy to set up, thanks to a new breed of tools. I learned about honeyd during the tutorial, it compiles on most flavours of BSD, GNU/Linux and Solaris, and emulates dozens of systems, including several variations of Windows.

The nice thing about a honeypot is nobody is supposed to access it as long as it's not advertised. Therefore, any traffic directed at the honeypot is probably suspect. Any traffic coming out of the honeypot is definitely suspect and should trigger an alarm.

Therefore, an honeypot, coupled with a station running a network sniffer such as snort, fits nicely as a network-wide intrusion detection system.

A follow up on David Blank-Edelman Perl for System Administration tutorial on Tuesday.

David emphasized the 3 rules a sysadmin should respect when programming some script that reports by email to its master:

• Beware of overzealous message sending: you don't want your mailbox to be flooded by the same message repeating itself
  • Build delay functions into the code.
  • send aggregate messages
• Do not waste the subject line of the message: it is made for quick, to the point, if short information.
• Make sure the message body is relevant: include the answers to following questions - who, where, when, what, why, what next.

I think we should add a fourth rule these days, that mitigates the third one some: do not assume you'll be the only person reading the message.

All SMTP traffic goes out in the clear, and is a prime target for any network sniffer. This is not paranoïa, this is renewed experience.

If your script report includes sensitive or revealing data, encrypt it (with GnuPG for instance, and Ashish Gulhati's Crypt::GPG module) before sending it, or store it on some restricted access web server, and include a link in the body of the message.