Linux GUIs are so slow

Page 2 - AnandTech community forums

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Your hosts file is the first place that gets checked when doing a lookup... if hosts doesn't know about it, then it's off to the DNS servers listed in resolv.conf to find the IP of the hostname.

man hosts

for more information. You're making things far more complicated by trying to do things you shouldn't be doing, like firewalling lo.
 

Red Squirrel

No Lifer
May 24, 2003
70,574
13,804
126
www.anyf.ca
I know what hosts is, but what do I have to do to "setup properly"? I've never had to actually "setup" a hosts file before. It's just there.
 

xSauronx

Lifer
Jul 14, 2000
19,582
4
81
Originally posted by: RedSquirrel
I know what hosts is, but what do I have to do to "setup properly"? I've never had to actually "setup" a hosts file before. It's just there.

Seriously? He told you

man hosts

Christ, look in the file!


 

Red Squirrel

No Lifer
May 24, 2003
70,574
13,804
126
www.anyf.ca
Originally posted by: xSauronx
Originally posted by: RedSquirrel
I know what hosts is, but what do I have to do to "setup properly"? I've never had to actually "setup" a hosts file before. It's just there.

Seriously? He told you

man hosts

Christ, look in the file!

I already know all that. But, what is there to "setup properly"? It's already on the system. Do I need to specify extra specific host entries or something?
 

xSauronx

Lifer
Jul 14, 2000
19,582
4
81
Originally posted by: RedSquirrel
Originally posted by: xSauronx
Originally posted by: RedSquirrel
I know what hosts is, but what do I have to do to "setup properly"? I've never had to actually "setup" a hosts file before. It's just there.

Seriously? He told you

man hosts

Christ, look in the file!

I already know all that. But, what is there to "setup properly"? It's already on the system. Do I need to specify extra specific host entries or something?

Well, yeah. If it's not in the hosts file but you want to look for it locally before you hit up a DNS server, you would have to, wouldn't you?

Once again, man hosts gives examples of entries for a hosts file and would take all of 5 minutes, if that, to read through.
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
Originally posted by: RedSquirrel
Originally posted by: xSauronx
Originally posted by: RedSquirrel
I know what hosts is, but what do I have to do to "setup properly"? I've never had to actually "setup" a hosts file before. It's just there.

Seriously? He told you

man hosts

Christ, look in the file!

I already know all that. But, what is there to "setup properly"? It's already on the system. Do I need to specify extra specific host entries or something?

The default hosts file is fine. Just make sure the lo interface is not firewalled. You'll also want to add "UseDNS no" to your sshd_config if you are going to block DNS lookups, but that is off-topic from GUI responsiveness.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
/etc/hosts:
127.0.0.1 localhost.localdomain localhost
EXTERNAL_IP SYSTEM_HOSTNAME.DOMAIN SYSTEM_HOSTNAME


/etc/resolv.conf (Not sure if Linux distros use a standard resolv.conf, but this is basically how a standard one would look):
lookup file bind
search DOMAIN
nameserver DNS_SERVER_IP

iptables to ignore lo (replace FIREWALL_CHAIN with whatever you use, possibly INPUT and/or OUTPUT):
-A FIREWALL_CHAIN -i lo -j ACCEPT

iptables is so strange. *sigh*

EDIT: Fix my 1 coffee mistake.
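A check for the loopback problem the thread keeps coming back to, added here as an example (not from the thread or any poster): it reads an iptables-save dump and reports any chain whose default policy is DROP but which has no ACCEPT rule for lo. The dump below is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for the
# loopback ACCEPT rule. A DROP policy on INPUT/OUTPUT without "-i lo" / "-o lo"
# ACCEPT rules is exactly what breaks lookups against a resolver on 127.0.0.1.

# Constructed sample dump: lo is accepted on INPUT but forgotten on OUTPUT.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# chain_policy DUMP CHAIN -> prints the chain's default policy (ACCEPT, DROP, ...)
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2 }'
}

# lo_accepted DUMP CHAIN FLAG -> 0 if the chain has "FLAG lo ... -j ACCEPT"
# (FLAG is -i for INPUT, -o for OUTPUT)
lo_accepted() {
    printf '%s\n' "$1" | grep -q -- "^-A $2 .*$3 lo .*-j ACCEPT"
}

# check_loopback DUMP -> 0 when loopback traffic can flow both ways, 1 otherwise;
# names each chain that drops by default without letting lo through.
check_loopback() {
    dump=$1 rc=0
    for pair in "INPUT -i" "OUTPUT -o"; do
        chain=${pair% *} flag=${pair#* }
        if [ "$(chain_policy "$dump" "$chain")" = DROP ] &&
           ! lo_accepted "$dump" "$chain" "$flag"; then
            echo "$chain: policy DROP but no '$flag lo -j ACCEPT' rule"
            rc=1
        fi
    done
    return $rc
}

# On a live box: check_loopback "$(iptables-save)"
check_loopback "$SAMPLE_DUMP" || echo "add: iptables -A OUTPUT -o lo -j ACCEPT"
```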
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: n0cmonkey
/etc/hosts:
127.0.0.1 localhost.localdomain localhost
EXTERNAL_IP SYSTEM_HOSTNAME.DOMAIN SYSTEM_HOSTNAME


/etc/resolv.conf (Not sure if Linux distros use a standard resolv.conf, but this is basically how a standard one would look):
lookup file bind
search DOMAIN
nameserver DNS_SERVER_IP


iptables to ignore lo (replace FIREWALL_CHAIN with whatever you use, possibly INPUT and/or OUTPUT):
-A FIREWALL_CHAIN -i lo -j ACCEPT

iptables is so strange. *sigh*

EDIT: Fix my 1 coffee mistake.

take that back about iptables! :brokenheart:
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Crusty
take that back about iptables! :brokenheart:

Ignore lo0 using Packet Filter:
set skip on lo0

To skip on all loopback interfaces (group: lo):
set skip on lo
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: n0cmonkey
Originally posted by: Crusty
take that back about iptables! :brokenheart:

Ignore lo0 using Packet Filter:
set skip on lo0

To skip on all loopback interfaces (group: lo):
set skip on lo

Yeah yeah, but once you know iptables it's not that bad to set up. A pretty standard script can be used across most boxes with little tweaking.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Crusty
Originally posted by: n0cmonkey
Originally posted by: Crusty
take that back about iptables! :brokenheart:

Ignore lo0 using Packet Filter:
set skip on lo0

To skip on all loopback interfaces (group: lo):
set skip on lo

Yeah yeah, but once you know iptables it's not that bad to set up. A pretty standard script can be used across most boxes with little tweaking.

That is, if you survive reading the plague that is the Lovecraftian-style man page for iptables without going mad from the horrors within. Messing with iptables generally makes me wish for the quick death of a hungry Cthulhu.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: n0cmonkey
Originally posted by: Crusty
Originally posted by: n0cmonkey
Originally posted by: Crusty
take that back about iptables! :brokenheart:

Ignore lo0 using Packet Filter:
set skip on lo0

To skip on all loopback interfaces (group: lo):
set skip on lo

Yeah yeah, but once you know iptables it's not that bad to set up. A pretty standard script can be used across most boxes with little tweaking.

That is, if you survive reading the plague that is the Lovecraftian-style man page for iptables without going mad from the horrors within. Messing with iptables generally makes me wish for the quick death of a hungry Cthulhu.

LOL.

I agree it's a bit cryptic (which man pages aren't?), but that's part of using Linux :p

Besides, the concepts of a firewall are the same; it's just the syntax of iptables that leaves a lot to be desired. Once you get past that (using a script) it's not bad at all :p. The same template gets put on all machines and the only edits needed are for special ports for any other services needed!
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Crusty
I agree it's a bit cryptic (which man pages aren't?), but that's part of using Linux :p

Besides, the concepts of a firewall are the same; it's just the syntax of iptables that leaves a lot to be desired. Once you get past that (using a script) it's not bad at all :p. The same template gets put on all machines and the only edits needed are for special ports for any other services needed!

I can do the same thing with pf. I may have to change the interface name, but with a MACRO that's easy to do.

ext_if = "sk0"
pass in on $ext_if proto tcp from any to ($ext_if) port 22


Change ext_if, and I'm good to go on my machine using fxp0.

Using tables I can block 572 nasty ssh scanners with 1 rule, and 4714 potentially nasty hosts with another (I've got 810 other IPs in an experimental rule but I can't remember where I got them or why I'm blocking them :p). Can you do that with iptables? I seriously don't know how easy mass blockings are in iptables...
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
My rules automatically add IPs that it detects trying to brute force through ssh (which rarely happens on non-standard ports), but there are various other scripts that help automate IP blocking like CSF or BFD. Not like it matters anyway now with a VPN to the private networks in the datacenters, no more public facing SSH ftw :)

I personally use a txt file list of IP/network addresses to block and my iptables startup script just loops over the IPs and adds a rule for each item. While you can't use wildcards, you can certainly use network addresses to block whole subnets.
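Crusty's loop-over-a-text-file approach, written out as an added example (my code, not Crusty's startup script): it turns a blocklist of IPv4 addresses and CIDR networks into DROP rules for a chain you name, and validates each entry first so a typo in the list becomes a warning rather than a rule. The file contents, the temp-file path and the INPUT chain are constructed for the example.

```shell
#!/bin/sh
# Added example, not Crusty's own script: turn a text file of IPs and CIDR
# networks into iptables DROP rules. Entries are validated first, so a typo in
# the list becomes a warning on stderr instead of a rule.

# Constructed sample blocklist, written to a temp file so this runs offline.
BLOCKLIST=$(mktemp)
trap 'rm -f "$BLOCKLIST"' EXIT
cat > "$BLOCKLIST" <<'EOF'
# hosts seen hammering sshd (constructed sample data)
192.0.2.10
198.51.100.0/24
not-an-ip
203.0.113.7   # trailing comment
EOF

# valid_ipv4_net ENTRY -> 0 if ENTRY is a.b.c.d or a.b.c.d/N with N in 0..32
valid_ipv4_net() {
    case $1 in
        */*) addr=${1%/*} plen=${1#*/} ;;
        *)   addr=$1 plen=32 ;;
    esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_block_rules FILE CHAIN -> prints "iptables -A CHAIN -s NET -j DROP" per
# valid entry; comments and blank lines are skipped, bad entries reported.
gen_block_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if valid_ipv4_net "$entry"; then
            printf 'iptables -A %s -s %s -j DROP\n' "$2" "$entry"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done < "$1"
}

# Review the generated rules, then run them (e.g. pipe to sh) from your startup script.
gen_block_rules "$BLOCKLIST" INPUT
```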
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Crusty
My rules automatically add IPs that it detects trying to brute force through ssh (which rarely happens on non-standard ports), but there are various other scripts that help automate IP blocking like CSF or BFD. Not like it matters anyway now with a VPN to the private networks in the datacenters, no more public facing SSH ftw :)

I personally use a txt file list of IP/network addresses to block and my iptables startup script just loops over the IPs and adds a rule for each item. While you can't use wildcards, you can certainly use network addresses to block whole subnets.

And that seems dirty. It has got to make troubleshooting difficult if you have thousands of block rules in there. I've got 20 rules in my (admittedly open) ruleset. Seems nicer somehow. ;)

I don't automatically block SSH at home because I make too many mistakes. I hate locking myself out. ;)
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: n0cmonkey
Originally posted by: Crusty
My rules automatically add IPs that it detects trying to brute force through ssh (which rarely happens on non-standard ports), but there are various other scripts that help automate IP blocking like CSF or BFD. Not like it matters anyway now with a VPN to the private networks in the datacenters, no more public facing SSH ftw :)

I personally use a txt file list of IP/network addresses to block and my iptables startup script just loops over the IPs and adds a rule for each item. While you can't use wildcards, you can certainly use network addresses to block whole subnets.

And that seems dirty. It has got to make troubleshooting difficult if you have thousands of block rules in there. I've got 20 rules in my (admittedly open) ruleset. Seems nicer somehow. ;)

I don't automatically block SSH at home because I make too many mistakes. I hate locking myself out. ;)

For the most part my rules are pretty clean; I'll only load the mass blockings if we're having particular trouble with a server. Usually that includes a blanket block of China, Korea, and Taiwan plus a few others :p. I've found that if you present a small footprint to the outside world people generally leave you alone because their scripts are too stupid to try ssh on a port other than 22 or their port scanner can't figure out what ports I've actually got open.

For a generic web/ftp/mail server I've got no more than 15 rules per chain; in fact I just checked one production box and it's got 0 IPs listed as flat out blocked atm, but that could change :p
 

Red Squirrel

No Lifer
May 24, 2003
70,574
13,804
126
www.anyf.ca
Actually I don't mind iptables, I just wish there were more straightforward resources online on how to do certain things and what each parameter does specifically. Man pages are generally useless for that stuff unless you're an engineer using it while designing a nuclear weapon or something.

Oh and NEVER type iptables --flush remotely. I learned that the hard way. :p
 

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
I've moved away from using iptables and just don't run any unneeded services, or configure some services to only run on lo.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Originally posted by: Crusty
Originally posted by: n0cmonkey
Originally posted by: Crusty
My rules automatically add IPs that it detects trying to brute force through ssh (which rarely happens on non-standard ports), but there are various other scripts that help automate IP blocking like CSF or BFD. Not like it matters anyway now with a VPN to the private networks in the datacenters, no more public facing SSH ftw :)

I personally use a txt file list of IP/network addresses to block and my iptables startup script just loops over the IPs and adds a rule for each item. While you can't use wildcards, you can certainly use network addresses to block whole subnets.

And that seems dirty. It has got to make troubleshooting difficult if you have thousands of block rules in there. I've got 20 rules in my (admittedly open) ruleset. Seems nicer somehow. ;)

I don't automatically block SSH at home because I make too many mistakes. I hate locking myself out. ;)

For the most part my rules are pretty clean; I'll only load the mass blockings if we're having particular trouble with a server. Usually that includes a blanket block of China, Korea, and Taiwan plus a few others :p. I've found that if you present a small footprint to the outside world people generally leave you alone because their scripts are too stupid to try ssh on a port other than 22 or their port scanner can't figure out what ports I've actually got open.

For a generic web/ftp/mail server I've got no more than 15 rules per chain; in fact I just checked one production box and it's got 0 IPs listed as flat out blocked atm, but that could change :p


I just let them brute force. They have to get my key, then my password, and finally my account password to do anything. And if they want it that bad they will probably find an easier way in, such as through my boss's desktop.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I just let them brute force. They have to get my key, then my password, and finally my account password to do anything. And if they want it that bad they will probably find an easier way in, such as through my boss's desktop.

That's kinda dumb because it fills your logs with failed attempts.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Originally posted by: Nothinman
I just let them brute force. They have to get my key, then my password, and finally my account password to do anything. And if they want it that bad they will probably find an easier way in, such as through my boss's desktop.

That's kinda dumb because it fills your logs with failed attempts.

My log server can handle it. Logs are rotated daily, and I have more storage than I'll ever know what to do with. So why bother wasting my time stopping people from wasting theirs?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: sourceninja
Originally posted by: Nothinman
I just let them brute force. They have to get my key, then my password, and finally my account password to do anything. And if they want it that bad they will probably find an easier way in, such as through my boss's desktop.

That's kinda dumb because it fills your logs with failed attempts.

My log server can handle it. Logs are rotated daily, and I have more storage than I'll ever know what to do with. So why bother wasting my time stopping people from wasting theirs?

Even so, it still eats up resources, which = money, and why give someone the opportunity when we're talking about what, 5 minutes of work to set it up and not worry about it? I'd much rather deal with 5 more minutes of work up front than the shit storm that would ensue if a server did get compromised.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
My log server can handle it. Logs are rotated daily, and I have more storage than I'll ever know what to do with. So why bother wasting my time stopping people from wasting theirs?

Because if the signal to noise ratio is that bad it makes it that much less likely that you'll notice when something bad happens.
 

Red Squirrel

No Lifer
May 24, 2003
70,574
13,804
126
www.anyf.ca
For ssh I have it running on a non-standard port + I use fail2ban and ban the IP for 1 hour after 5 failed attempts. I want to do the same for my game server, which runs on Windows, once I figure out a way to route it properly through iptables. The game server is on a VM on the same server so I think it's doable.

Oh, and as for the original issue, opening up port 53 to both DCs fixed the problem (the DCs act as DNS). I also opened up localhost completely.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
The game server is on a VM on the same server so I think it's doable.

Not without you jumping through some fairly big hoops. For all intents and purposes a VM that's set up to use a bridged network interface should be considered a separate entity on the network. If you switch it to NAT then it'll be fairly simple.

Oh, and as for the original issue, opening up port 53 to both DCs fixed the problem (the DCs act as DNS). I also opened up localhost completely.

See? ...