Re: Experiences (was Re: prfile)

Martin Hargreaves (martinh@paston.co.uk)
Sat, 2 Sep 1995 15:46:32 +0100

>I am sorry for taking so long to get back to this issue, I was on
>vacation. :-)

        What is that? :-)

>>martinh@paston.co.uk (Martin Hargreaves) wrote:
> Diane Davidowicz wrote:

>> Maybe they've never seen a Challenge? Some supercomputer centers are going
>> to move entirely to Challenge and PowerChallenge arrays due to cost reasons
>
>Well, in their defense, how many people have an SGI Challenge (other than
>you and I :)  What I really mean to say here is I am willing to bet that there
>are many more sites which have SGIs without any Challenges than there are that
>do.

This is true, there are a lot of sites that use them for the graphics, but
this is still a large market.

>But, even the latest versions of SGI workstations really scream, so I didn't
>get his point. 

This is true, now we are starting to see R8000s in desktops (R8000s
according to SGI outperform a Cray YMP CPU) people can move computations off
of big Challenges onto Power Indigo^2 and Challenge S and M sizes.

>Maybe we should get an email address for Haystack and send requests to
>port the code to SGIs. If they get enough of them, the company might change
>their position.

Is it possible to have the SGIs log their information to a host running
Stalker or is that also impossible currently?

>Yes really, and no you can't restart it any other way except to reboot.
>This is most unfortunate. It affects 4.0.x thru 5.3, especially
>the 5.3 machines. Wietse Venema, author of tcp_wrappers points this problem
>out in his README.IRIX file. 

Wietse's file said it may be possible to do it by including the new line
commented out, restarting inetd, then uncommenting the line and restarting
again. Don't know if that would work?

>We have honed in on the problem a little bit
>more and are putting our facts together for SGI to look at. Unfortunately,
>like Wietse says, the SGIs are just broken.

>Tiger is highly portable with its latest release. I don't think Dan Farmer
>has touched COPS for a couple of years now.

Agreed.

>Another thing I should have included in my "etc" is creating md5 checksums
>using something like tripwire. File integrity checking is essential.

I think TIGER does this. There's an FTP site with "standard checksums" for
different systems, but I think you can generate your own. I recently had to
reinvent the wheel and write a system to do just this....

[site that was broken into]
> Recovery time was worsened 
>by the age of the system's hardware and lack of support from the vendor to 
>fix VERY OLD holes.

Any clue as to the vendor? I thought most were pretty good these days...
Mind you getting holes fixed on MIPS Risc/OS is a laugh...

>Again, my comments thus far are on freeware. Though I have yet to see a
>freeware product as thorough as a product like Stalker from Haystack Labs,
>one can still accomplish some very good security strategies through
>layering of freeware products. 

This is what I tend to do, I say tend to, invariably since I have never had
a budget of my own and since no systems I have run have been broken into
colleagues / superiors can be rather complacent about it.

        Regards,

                Martin.
########################################################################
#  Martin Hargreaves                Contract Unix System Administrator #
# (martinh@paston.co.uk)                  Unix & Network Security, WWW #
#                                              Computational Chemistry # 
########################################################################