***: ballen has quit IRC (Remote host closed the connection)
ballen has joined #arpnetworks
ChanServ sets mode: +o ballen
ballen has quit IRC (Read error: Connection reset by peer)
ballen has joined #arpnetworks
ballen has quit IRC (Changing host)
ballen has joined #arpnetworks
ChanServ sets mode: +o ballen
ballen has quit IRC (Read error: Connection reset by peer)
ballen has joined #arpnetworks
ChanServ sets mode: +o ballen
ballen_ has joined #arpnetworks
ballen_ has quit IRC (Changing host)
ballen_ has joined #arpnetworks
ChanServ sets mode: +o ballen_
ballen has quit IRC (Ping timeout: 240 seconds)
ballen_ has quit IRC (Ping timeout: 272 seconds)
fink has quit IRC (Quit: fink)
mattx86 has quit IRC (Ping timeout: 240 seconds)
mattx86 has joined #arpnetworks
mattx86 has quit IRC (Ping timeout: 240 seconds)
mattx86 has joined #arpnetworks
mattx86 has quit IRC (Quit: Leaving)
mattx86 has joined #arpnetworks
mattx86 has quit IRC (Quit: Leaving)
mattx86 has joined #arpnetworks
mattx86 has quit IRC (Client Quit)
mattx86 has joined #arpnetworks
mattx86 has quit IRC (Client Quit)
nerdd has joined #arpnetworks
nerdd_ has quit IRC (Ping timeout: 276 seconds)
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer dxtr: Hey guys RandalSchwartz: hey dxtr: Just the guy I wanted to get ahold of! RandalSchwartz: in what sense? :) dxtr: I want to run my (untrusted) users in a separate jail. But I've got into problems when I'm running an identd on the host
Specifically the identd on the host listens to all available IPs
And that's not good RandalSchwartz: well - the WTF there is "identd??" -: RandalSchwartz looks at the calendar RandalSchwartz: yeah, 2010 dxtr: What's the future then? :) RandalSchwartz: identd was invented in 1990 to solve a non-problem, badly
just stop running it dxtr: Bleh RandalSchwartz: why should *that* machine over *there* care which *username* I've assigned to *this* process *here*?
it's a different protection realm
there's a fakeidentd that just answers "root" to all requests"
you could run that one :) dxtr: hehe RandalSchwartz: it's just as fvalid dxtr: The problems come with IRC ;) RandalSchwartz: again, anyone who demands identd on IRC is nuts
I'm not running it here. dxtr: Some IRC servers (I think I'm looking at you, EFNet) won't let people connect without an identd and as I'm running a small shell I need an identd to allow more than X hosts on some servers RandalSchwartz: ... The ident protocol is considered dangerous because it allows crackers to gain a list of usernames on a computer system which can later be used for attacks. A generally accepted solution to this is to set up a generic/generated identifier, returning node information or even gibberish (from the requesters point of view) rather than usernames.
I'm on EFNet all the time without identd
seriously.. just run the fake one that returns gibberish dxtr: Hmm.. Yeah RandalSchwartz: ... http://www.freshports.org/net/widentd/
... widentd is a small ident/rfc1413 deamon which provides a fixed
(and fake) auth reply regardless of the ip/port pair quoted. dxtr: see, that's why I asked you
:) RandalSchwartz: indeed
I am a veritable font of knowledge dxtr: You learn something every day!
something new* RandalSchwartz: I learn *two* new things a day to keep up with your questions. :) dxtr: If i had the money I would have you kidnapped and use you as my information slave -: RandalSchwartz wanders off now dxtr: Anyway, thanks
Shouldn't be too hard to create my own RandalSchwartz: why bother when it's a port? dxtr: I can't find one that always replies with a random string
That would be awesome
That's why I'd like to create my own
hidentd is apparently capable of that but it doesn't seem to work :P RandalSchwartz: did you look at widentd?
the one I linked? dxtr: Yeah
it's fixed reply RandalSchwartz: oh. didn't see dxtr: Anyway
shouldn't be too hard to modify ***: mattx86 has joined #arpnetworks dxtr: RandalSchwartz: Fixed it RandalSchwartz: fixed what? dxtr: Modified widentd and added a random string-generator from hidentd :p
Booya! RandalSchwartz: oh heh!
yeay dxtr: Under 220 lines of code
That was awesome
It even has ipv6 support I think :p RandalSchwartz: Now... don't you feel more safe and secure?
see how identd really makes a difference? :)
which is why ircd's that demand it are being stupid dxtr: Hehe hawk: Are there any noteworthy irc networks that still demand ident? ***: tinono has joined #arpnetworks
tinono has quit IRC (Client Quit) dxtr: Some servers on EFNet I think (i've seen them) - and QuakeNet if you want more than five connections per host :P ***: owda has joined #arpnetworks
sentabi has quit IRC (Changing host)
sentabi has joined #arpnetworks vcs: ident is still important on places like EFNet
what if you had a wraith/eggdrop net with all the same ident, they could be banned with one mode change and the channel taken over dxtr: vcs: Solution: Don't run an identd
:P vcs: uhhh
/mode +b *!~*@*
the correct solution is to use oidentd, and spoof each bots ident to its nickname dxtr: The correct solution would be for the irc server to not prepend ~ to users without an identd and/or run each bot as different users vcs: thats stupid tooth: ....there's a correct solution to irc?
;-) vcs: being able to ban ~ is an effecient way of banning drones dxtr: Not really vcs: and also non technical users dxtr: And the point with that being?
Elitism? vcs: also, often trolls will keep changing their ident
so i guess it is kindof pointless dxtr: And that isn't possible with an identd? vcs: but then you can just ban by host
the real point of identd
is to stop abuse on shells
by banning ident, not hostname
so non abusive users are not effective
it also links users back to their accounts for filing abuse repots
ident definitley is still relevant on networks like EFNet
where most people connect from a shell RandalSchwartz: how is it relevent?
unless you control root on the box you're getting identd from
otherwise, the data is completely untrustworthy vcs: the point is RandalSchwartz: as dxtr just demostrated vcs: most people who have a shell for IRC
do NOT have root
so at least to some extent RandalSchwartz: that's not true for most of freenode
maybe some other nets vcs: EFNet is very unlike freenode... RandalSchwartz: it's still putting trust in something fundamentally untrustworthy
that's worse than not doing it at all
that's fake security vcs: RandalSchwartz: after being on EFNet many years
it has served me well
and who cares if they spoof and come back? RandalSchwartz: that's an indepdendent variable vcs: alot of the time, you can stop after you ban their ident RandalSchwartz: it has nothing to do with identid vcs: it can be fake security
but it also can be very useful
when dealing with abusive shell users dxtr: RandalSchwartz: http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzab6/xacceptboth.htm <- according to that binding to in6addr_any should bind to both :: and 0.0.0.0
Do you know anything about that+
Because I can't get it to work in FreeBSD RandalSchwartz: when I go there... I get blank
I bet it's frames
which you can't bookmark properly
what language are you in?
C? dxtr: Yeah
It work for me, btw :P RandalSchwartz: wait - you just said "can't get it to work"
which is it?
I was about to start helping you dxtr: I can't get ipv4/ipv6-stuff to work, but that page I sent you works for me RandalSchwartz: Oh - you probably have a cookie or something dxtr: What I can get to work is ipv6 connectivity. But, as I said, according to that page in6addr_any should listen to both ipv4 and ipv6
Then I thought that it might be Linux-specific - but I found that FreeBSD also has the IPV6_V6ONLY flag
And what's the point of having that flag if it doesn't do anything anyway? RandalSchwartz: I know it works on OSX
I've connected to apps and gotten an IPv6 addr of 0::nnnn dxtr: Yeah, that should work RandalSchwartz: which is the way v4 gets mapped in v6 for these sockets dxtr: Exactly RandalSchwartz: did you look at the manpage? dxtr: I've look at many man pages RandalSchwartz: setsockopt doesn't appear to have a v6-only flag
nor is there such a definition in /usr/incldue dxtr: man 4 ip6
/IPV6_V6ONLY RandalSchwartz: didn't make its way to setsockopt() though dxtr: Yeah, I noticed :P RandalSchwartz: ahh - what happens if you get that option? dxtr: http://www.ops.ietf.org/lists/v6ops/v6ops.2003/msg01141.html
I was just about to try it RandalSchwartz: Uhh - not sure why you keep bringing up non-freebsd URLs :)
if you're asking about freebsd
you *are* using AF_INET6, right? dxtr: Yeah
That URL was kind of relevant RandalSchwartz: ok
not authoritative though dxtr: "do you know of any OS that sets the IPV6_V6ONLY socket option on by default?" "netbsd, freebsd (version >= 5), openbsd" RandalSchwartz: sure - one guy says that
is he on the freebsd dev team?
Oh - right
on by default would be bad
for you anyway
so set it off :) dxtr: Yeah
And as I thought
It's on
And it works
Awesome!
vcs: My identd will revolutionize identds
Reconnect and you get a new ident!
Bwahaha! vcs: lol
the one thing you two do not understand
is shell providers DO NOT allow spoofs
so it is relevant in context of shell providers
sure, on any of my boxes i cant do whatever i want with ident
but not everyone has their own VPS / Colo box BarberRonny: evening up_the_irons: BarberRonny: afternoon! (PST)
finally published a piece-meal price list (see "Extras"), b/c I keep getting asked for it
http://arpnetworks.com/vps dxtr: awesoem
Awesome* jpalmer: up_the_irons: you might want to add what the price is for things like bandwidth overages. as in, lets say I have 200gb/mo included.. but use 250gb up_the_irons: oh yeah.. it's in the FAQ, but i should put it there, yes jpalmer: *nod*
it's always nice to have a centralized "what will it cost me if..." page
oh, I have to get you the UUID of my vps where the disk changed on me. one sec RandalSchwartz: not PST yet dxtr: up_the_irons: What benefits would I get from running my own caching DNS server vs. using your? RandalSchwartz: not for another few weeks dxtr: yours* up_the_irons: dxtr: yours would be faster dxtr: Would it? jpalmer: well, it kinda depends actually. ***: owda has quit IRC (Quit: Leaving) jpalmer: if you're using a cache only NS, that only serves a few clients.. and you're doing lookups for hosts that'd be present in the providers NS's.. (ie, already cached) the ARP NS's would be faster. dxtr: Yeah
up_the_irons: But you know what you should do? have your DNS servers on IPv6 too :)
That would be sweet up_the_irons: yeah i know jpalmer: (and website!) up_the_irons: that too :) jpalmer: from my short time here, it sounds like up_the_irons is neck deep in work already, though. ;) up_the_irons: that's why these things don't get done :) jpalmer: it's the chicken/egg problem. sounds like you need to write some automation processes for some of these things.. but you don't have time to automate because you're too busy doing the things you need to automate. heh up_the_irons: yup, exactly
or i just need to hire someone to do the small support tasks (change ISOs, DNS, etc...) jpalmer: I'll offer this: I don't have a strong programming background.. but if you want some additional help for things where you don't need to hand me keys to the castle, I'd happily help. I enjoy doing DNS stuff ;) ISO's would probably be simple-ish. up_the_irons: thanks for the offer!
need to cut my hair, bbl jpalmer: later vcs: but not everyone has their own VPS / Colo box
woops, wrong screen
ment to up + enter into bash >_> ***: fink has joined #arpnetworks
fink has quit IRC (Quit: fink)
[FBI] starts logging #arpnetworks at Sun Oct 10 23:15:50 2010
[FBI] has joined #arpnetworks