INFO-VAX Fri, 05 Sep 2008 Volume 2008 : Issue 487

Contents:
Re: Archive strategy
Re: Archive strategy
Re: Archive strategy
Automated Shutdown/Reboot
Re: Automated Shutdown/Reboot
Re: Automated Shutdown/Reboot
Re: Current status?
Re: Current status?
Re: Current status?
Re: Current status?
Re: Current status?
Re: Current status?
Re: Current status?
Re: Current status?
Re: Current status?
Re: DEFCON 16 and Hacking OpenVMS
Re: DEFCON 16 and Hacking OpenVMS
Re: DEFCON 16 and Hacking OpenVMS
Re: HP TestDrive systems to be shutdown
Re: HP TestDrive systems to be shutdown
huge USB disks and VMS
Re: huge USB disks and VMS
Re: huge USB disks and VMS
Re: huge USB disks and VMS
Re: huge USB disks and VMS
Re: huge USB disks and VMS
Re: Loose Cannon-dian
Re: Loose Cannon-dian
Re: Loose Cannon-dian
open TCPIP ports
Re: open TCPIP ports
Re: open TCPIP ports
Re: OpenVMS upgrade checklists
Re: OpenVMS upgrade checklists
Re: OT: Flying with Diabetes (was RE: SMGRTL patch available on ITRC ftp site)
Re: Phase 2 and delayed ampersand substitution with the ON command
Receiving Customer Advisories and Security Updates
Re: What has happened to RMS ECO?
Re: [RBL] Current status?

----------------------------------------------------------------------

Date: Fri, 5 Sep 2008 06:04:48 -0700 (PDT)
From: tadamsmar
Subject: Re: Archive strategy
Message-ID:

On Sep 4, 7:11 pm, B...@rabbit.turquoisewitch.com (Brad Hamilton) wrote:
> In article <729c5ebc-a6ae-4de6-9aae-a4bd70776...@p10g2000prf.googlegroups.com>, tadamsmar wrote:
>
> [...]
>
> >Well, I proposed to my management that we simply institute a periodic
> >(monthly) tape backup of the archive. Turns out the archive was
> >always on hard disk as well as on the defunct optical media.
>
> >They accepted that idea. No need for a DVD or removable disk.
>
> >The assumption is that the act of backing up the disk confirms that
> >the disk is good.
>
> >Any comments to improve this plan?
>
> An obvious improvement (but one that may be hard to implement) is a regular
> *restore* of the information from tape; the idea is to "prove" that you could
> successfully recover the data "at a moment's notice".
>
> Of course, you would need to have a "spare" system to demonstrate the
> effectiveness of the "recovery". I used to work at a company where we had
> replicated systems (not "active/active") where we would periodically "swing"
> the user base after a restore. The users didn't know (and could have cared
> less) which site they were using. Management, internal, and external auditors
> were satisfied with this system.
>

Could be recovered onto a spare disk, or even a spare 12 gigs if it was
not an image. This is an archive of data, not a system disk.

But if /verify is used, it seems secure to me without a recovery
demonstration. Not sure what the extra assurance gains.

I am not sure if they will stick with a monthly tape backup. Yearly
was suggested. I wonder what the longest trustworthy interval is?
Taping it off refreshes the tape and verifies the disk. The disk
could be setting around with no access attempts for a year.

> >We only have a dozen gigs or so to worry about.
>
> Should be a piece of cake. :-)

------------------------------

Date: Fri, 5 Sep 2008 07:24:41 -0700 (PDT)
From: johnwallace4@yahoo.co.uk
Subject: Re: Archive strategy
Message-ID:

On Sep 5, 2:04 pm, tadamsmar wrote:
> On Sep 4, 7:11 pm, B...@rabbit.turquoisewitch.com (Brad Hamilton)
> wrote:
>
>
>
> > In article <729c5ebc-a6ae-4de6-9aae-a4bd70776...@p10g2000prf.googlegroups.com>, tadamsmar wrote:
>
> > [...]
>
> > >Well, I proposed to my management that we simply institute a periodic
> > >(monthly) tape backup of the archive. Turns out the archive was
> > >always on hard disk as well as on the defunct optical media.
>
> > >They accepted that idea. No need for a DVD or removable disk.
>
> > >The assumption is that the act of backing up the disk confirms that
> > >the disk is good.
>
> > >Any comments to improve this plan?
>
> > An obvious improvement (but one that may be hard to implement) is a regular
> > *restore* of the information from tape; the idea is to "prove" that you could
> > successfully recover the data "at a moment's notice".
>
> > Of course, you would need to have a "spare" system to demonstrate the
> > effectiveness of the "recovery". I used to work at a company where we had
> > replicated systems (not "active/active") where we would periodically "swing"
> > the user base after a restore. The users didn't know (and could have cared
> > less) which site they were using. Management, internal, and external auditors
> > were satisfied with this system.
>
> Could be recovered onto a spare disk, or even a spare 12 gigs if it was
> not an image. This is an archive of data, not a system disk.
>
> But if /verify is used, it seems secure to me without a recovery
> demonstration. Not sure what the extra assurance gains.
>
> I am not sure if they will stick with a monthly tape backup. Yearly
> was suggested. I wonder what the longest trustworthy interval is?
> Taping it off refreshes the tape and verifies the disk. The disk
> could be setting around with no access attempts for a year.
>
> > >We only have a dozen gigs or so to worry about.
>
> > Should be a piece of cake. :-)

I would not be comfortable with a disk unused for a year.

I'm just in the process of replacing a Maxtor 20GBish disk which, as
luck would have it, was used as a place to store backups every now and
then (more frequently than once a year, but maybe not much). It appears
to have developed a media fault which went undetected because the drive
was active only occasionally (even though it was powered up and spun up
whenever the PC was on). When the drive was used, it was a case of
writing new files to previously unused space, and readability of old
files wasn't checked. The most recent set of writes failed, and it turns
out there are unrecoverable bad blocks by the thousand (maybe more, I
gave up). Next time round, a monthly full surface scan will be on the
"to do" list.

On VMS, BACKUP's "redundancy group" feature in a saveset can sometimes
be used to recover from a small number of unrecoverable blocks, but this
got way beyond that (and wasn't VMS, but similar error-recovery options
are available for those who care).

Mind you, if your known good data is also on tape, the odds of being
completely without your data are small. Only you can tell if they are
small enough :)

------------------------------

Date: Fri, 05 Sep 2008 13:41:19 -0400
From: "Richard B. Gilbert"
Subject: Re: Archive strategy
Message-ID: <_s6dnV0Wf4Ut81zVnZ2dnUVZ_h-dnZ2d@comcast.com>

tadamsmar wrote:
> On Sep 4, 7:11 pm, B...@rabbit.turquoisewitch.com (Brad Hamilton)
> wrote:
>> In article <729c5ebc-a6ae-4de6-9aae-a4bd70776...@p10g2000prf.googlegroups.com>, tadamsmar wrote:
>>
>> [...]
>>
>>> Well, I proposed to my management that we simply institute a periodic
>>> (monthly) tape backup of the archive. Turns out the archive was
>>> always on hard disk as well as on the defunct optical media.
>>> They accepted that idea. No need for a DVD or removable disk.
>>> The assumption is that the act of backing up the disk confirms that
>>> the disk is good.
>>> Any comments to improve this plan?
>> An obvious improvement (but one that may be hard to implement) is a regular
>> *restore* of the information from tape; the idea is to "prove" that you could
>> successfully recover the data "at a moment's notice".
>>
>> Of course, you would need to have a "spare" system to demonstrate the
>> effectiveness of the "recovery". I used to work at a company where we had
>> replicated systems (not "active/active") where we would periodically "swing"
>> the user base after a restore. The users didn't know (and could have cared
>> less) which site they were using.
>> Management, internal, and external auditors
>> were satisfied with this system.
>>
>
> Could be recovered onto a spare disk, or even a spare 12 gigs if it was
> not an image. This is an archive of data, not a system disk.
>
> But if /verify is used, it seems secure to me without a recovery
> demonstration. Not sure what the extra assurance gains.
>

The recovery demonstration proves that:
a. You made a readable backup,
b. You were able to restore it, and
c. That you backed up the right things.

Some really terrible day, you may have to actually do this for real!
It's good to reassure yourself, and any others concerned, that you CAN
do it. If you can't do it, NOW is a really good time to find the
problems and fix them.

------------------------------

Date: Fri, 5 Sep 2008 03:18:47 -0700 (PDT)
From: urbancamo
Subject: Automated Shutdown/Reboot
Message-ID: <9ed0692b-83d3-40b4-ab02-176388bb6f8f@34g2000hsh.googlegroups.com>

Hi group,

I have a ZX6000 running OpenVMS that I would like to (a) boot when
power is applied and (b) have a scheduled shutdown so that in
combination with a timer I can have the machine automatically power on
and off for working hours.

(a) the ZX6000 doesn't have the management card option, but I believe
there is a way to program the EFI so that the server boots on
detecting power. Can anyone enlighten me with the command please?

(b) I trawled comp.os.vms and found the attached script to do a
detached reboot. How do I schedule this reboot automatically onto a
batch queue? Presumably I can do this in the SYSTARTUP_VMS.COM script?

Thanks for the help,

Mark

%<-----------%<--------%<
$!
$! This procedure will create a detached process that will issue the
$! system shutdown/reboot commands for the node it is running on.
$! Note that this job is typically submitted to the batch queue for
$! the node which is to reboot.  The purpose of the DETACHED process is
$! to get around the problem of the SHUTDOWN procedure abort itself
$! when the batch queues are stopped.  Note that this will also work on
$! DECWindows systems as well as it does not rely on the DECWindows
$! Session Manager for support.
$!
$! Input parameters:
$!      P1 = "REBOOT" or "SHUTDOWN" text string to indicate what type of
$!           shutdown to perform on the node.
$!      P2 = number of minutes to hold off doing the reboot when the SHUTDOWN
$!           procedure starts up.
$!      P3 = "FORCE" will force a reboot regardless of when a node was
$!           rebooted last.
$!      P4 = "ALL", "BOOT" or "WORKSTATION" to tell what type of nodes in
$!           general are to be booted.
$!
$!      pdc - 8/24/90
$!
$set verify
$set noon
$@sys$manager:login.com                 !get special symbols...
$!                                      !(the symbol Boot_type used below is
$!                                      ! assumed to be one of those symbols)
$now = f$time()                         !get the current date and time...
$boot = f$getsyi("BOOTTIME")            !get the time the node was booted
$if "''f$extract(0,11,now)'" .eqs. -    !if the current time and the system
    "''f$extract(0,11,boot)'" -         ! boot time match, then do not boot
    .and. "''P3'" .eqs. ""              ! and if no FORCE is set
$then                                   ! the system again.
$  exit                                 !simply get out of this procedure
$endif                                  !end if
$!
$! Now we will go through and find out if this shutdown should occur on the
$! node to start with.
$!
$if "''P4'" .eqs. "BOOT" .and. -
    Boot_type .eqs. "BOOT_NODE"
$then
$gosub do_shutdown
$else
$  if "''P4'" .eqs. "WORKSTATION" .and. -
      Boot_type .eqs. "SATELLITE"
$  then
$    gosub do_shutdown
$  else
$    if "''P4'" .eqs. "ALL"
$    then
$      gosub do_shutdown
$    endif
$  endif
$endif
$exit
$!
$! Now for the subroutine that actually goes about and does the startup of the
$! shutdown procedure.
$!
$do_shutdown:
$file_name = "''f$trnlnm("sys$login")'boot_seq_''f$getjpi("","PID")'.com"
$open/write output 'file_name'
$write output "$delete ''file_name';*/nolog/noconfirm"
$!
$! The parameters on the SHUTDOWN.COM procedure:
$!      P1 = Number of minutes before starting shutdown
$!      P2 = Reason text to be displayed on broadcast message
$!      P3 = Want the disks spun down? (Y/N)
$!      P4 = Invoke site specific shutdown procedure (Y/N)
$!      P5 = Text of when the system will reboot.
$!      P6 = Perform an automatic reboot (Y/N)
$!      P7 = Shutdown options. Text.
$!
$if "''p1'" .eqs. "REBOOT"
$then
$write output "$@SYS$SYSTEM:SHUTDOWN ''p2' REBOOT NO YES LATER YES REMOVE"
$else                                   !otherwise shutdown node for keeps
$write output "$@SYS$SYSTEM:SHUTDOWN ''p2' SHUTDOWN NO YES LATER NO REMOVE"
$endif                                  !end if
$close output                           !close new command file
$!
$run/detach/input='file_name'/output=nl:/process_name='p1' -
    sys$system:loginout                 !create a process to conduct the system
$                                       ! shutdown.
$!
$return                                 !back to caller
$exit                                   !

------------------------------

Date: Fri, 5 Sep 2008 08:15:37 -0700 (PDT)
From: Ken.Fairfield@gmail.com
Subject: Re: Automated Shutdown/Reboot
Message-ID: <03bef3da-5d77-4597-aa8c-d8064d98ee04@k36g2000pri.googlegroups.com>

On Sep 5, 3:18 am, urbancamo wrote:
> Hi group,
>
> I have a ZX6000 running OpenVMS that I would like to (a) boot when
> power is applied and (b) have a scheduled shutdown so that in
> combination with a timer I can have the machine automatically power on
> and off for working hours.
>
> (a) the ZX6000 doesn't have the management card option, but I believe
> there is a way to program the EFI so that the server boots on
> detecting power. Can anyone enlighten me with the command please?

I don't have access to any IA64 systems, but every VAX and Alpha
I've touched over the years allows you to set a console variable to
"boot" (vs. "restart" or "halt"). On Alpha that console variable is
named AUTO_ACTION. On various VAX consoles, it was much
more obscure, and terse, but documented. With auto_action set
to "boot", the system *will* boot on power-up as desired.

> (b) I trawled comp.os.vms and found the attached script to do a
> detached reboot. How do I schedule this reboot automatically onto a
> batch queue? Presumably I can do this in the SYSTARTUP_VMS.COM script?

The _shutdown_ piece is easy as the command procedure you
included shows. That procedure is more robust and verbose
than you need. You just need (essentially) a one-liner to issue
the shutdown command with appropriate qualifiers. Well, there's
one additional level of indirection: you need one command file to
submit /After to a batch queue, and then that procedure needs
to Run/Detached the one-liner with the actual shutdown
command in it (run sys$system:loginout.exe and use the
command procedure as the /Input parameter).

But you said "reboot" (in your first paragraph). I don't know of
any way to have a system shutdown and /wait/ for designated
period of time, and then boot. Especially if you've pulled its
power! But perhaps that's not what you meant...

-Ken

------------------------------

Date: Fri, 05 Sep 2008 16:24:26 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: Automated Shutdown/Reboot
Message-ID: <00A7F2DA.CCE04ABF@SendSpamHere.ORG>

In article <03bef3da-5d77-4597-aa8c-d8064d98ee04@k36g2000pri.googlegroups.com>, Ken.Fairfield@gmail.com writes:
>On Sep 5, 3:18 am, urbancamo wrote:
>> Hi group,
>>
>> I have a ZX6000 running OpenVMS that I would like to (a) boot when
>> power is applied and (b) have a scheduled shutdown so that in
>> combination with a timer I can have the machine automatically power on
>> and off for working hours.
>>
>> (a) the ZX6000 doesn't have the management card option, but I believe
>> there is a way to program the EFI so that the server boots on
>> detecting power. Can anyone enlighten me with the command please?
>
>I don't have access to any IA64 systems, but every VAX and Alpha
>I've touched over the years allows you to set a console variable to
>"boot" (vs. "restart" or "halt"). On Alpha that console variable is
>named AUTO_ACTION. On various VAX consoles, it was much
>more obscure, and terse, but documented. With auto_action set
>to "boot", the system *will* boot on power-up as desired.
>
>> (b) I trawled comp.os.vms and found the attached script to do a
>> detached reboot. How do I schedule this reboot automatically onto a
>> batch queue? Presumably I can do this in the SYSTARTUP_VMS.COM script?
>
>The _shutdown_ piece is easy as the command procedure you
>included shows. That procedure is more robust and verbose
>than you need. You just need (essentially) a one-liner to issue
>the shutdown command with appropriate qualifiers. Well, there's
>one additional level of indirection: you need one command file to
>submit /After to a batch queue, and then that procedure needs
>to Run/Detached the one-liner with the actual shutdown
>command in it (run sys$system:loginout.exe and use the
>command procedure as the /Input parameter).
>
>But you said "reboot" (in your first paragraph). I don't know of
>any way to have a system shutdown and /wait/ for designated
>period of time, and then boot. Especially if you've pulled its
>power! But perhaps that's not what you meant...

Put the boot item as the first item in the Console menu and the system
should automatically boot.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

... pejorative statements of opinion are entitled to constitutional protection
no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
of usenet _must_ include its contents in its entirety including this copyright
notice, disclaimer and quotations.

------------------------------

Date: Fri, 5 Sep 2008 09:28:40 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: Current status?
Message-ID:

In article <6ib9tbFpklicU1@mid.individual.net>, billg999@cs.uofs.edu (Bill Gunshannon) writes:
>In article ,
> helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes:
>> In article ,
>> Jan-Erik Söderholm
>> writes:
>>
>>> >> Log watchers, webcam watchers,
>>> >> etc, anything which sends notification by email when something
>>> >> "interesting" happens, using its own built-in mail server;
>>>
>>> *Server* ??
>>> I set up my cheap Zyxel DSL modem/router to send
>>> notifications to me, but it not a *server*. It uses whatever mail
>>> server it gets after doing a DSN-MX lookup on the receiver
>>> address, and that should be the official SMTP server of my
>>> ISP, as far as I understand.
>>>
>>> Why would anything just needing to *send* a mail have a
>>> smtp *server* implementation ?
>>
>> You use "server" to mean "receiving end". A more general use, intended
>> here, is "handles traffic". Thus, incoming server and outgoing server.
>> You are sending your email TO the proper receiving server (via MX), but
>> it is still coming from your machine, not an "official email server".
>> Technically, there is no problem with your scheme, but in practice, such
>> machines on dial-up, volatile IP addresses are the main source of spam,
>> and are thus blocked by more and more people.
>>
>> Many SMTP servers are neither senders nor receivers, but relays.
>
>Actually, the correct terminology is MUA and MTA.
>MUA = Mail User Agent.
>MUA's originate and terminate email.
>
>MTA = Mail Transport Agent
>MTA's exchange email across the INTERNET.
>
>Nothing but MTA's should talk between email domains. No MUA should be
>allowed to access anything but the local MTA. Thus the reason for blocking
>port 25 at your firewall for all internal hosts other than your designated
>MTA(s).
>User machines should never be considered MTA's.

Totally agree.

>MTA's are the machines with the MX record in the DNS system.

Not necessarily. Many organisations have separate MTAs for incoming and
outgoing mail. Only those which accept incoming mail are listed in the
DNS MX records.

As well as blocking connections to port 25 on external systems from your
internal systems (apart from for your designated MTAs) you should also
block connections from the external world to your internal systems on port 25
(apart again from your designated MTAs). This stops someone setting up an
internal system as an MTA which sends out through your designated MTAs.
Because such systems are often poorly configured and are accessible from the
outside world they may be open-relays and because they send out through your
designated MTAs they may cause your MTAs to be listed as "secondary"
open-relays on certain blacklists.

David Webb
Security team leader
CCSS
Middlesex University

> Violating this simple
>network engineering principle is why we have the SPAM problem that we have.
>As for relaying, some MTA's relay. One should be very careful about who
>one relays for. You should relay for your internal machines (all the MUA's)
>as that is the purpose of an MTA. You should not relay for external
>machines and if you do, that is a real quick way to find yourself on
>a blacklist.
>
>Email is really not that hard to manage.
>
>bill
>
>--
>Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
>billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
>University of Scranton |
>Scranton, Pennsylvania | #include

------------------------------

Date: Fri, 5 Sep 2008 10:06:57 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: Current status?
Message-ID:

In article , Jan-Erik Söderholm writes:
> Phillip Helbig---remove CLOTHES to reply wrote:
>
> > such
> > machines on dial-up, volatile IP addresses are the main source of spam,
>
> I do have a hard time thinking that *dial up* has
> that much to do with modern spam, has it ?

OK, not real dialup with the acoustic modem, but in the sense of "I want
to go online now; my provider should give me an IP address", which
probably takes place via DSL in most cases today.

------------------------------

Date: Fri, 5 Sep 2008 10:11:59 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: Current status?
Message-ID:

In article <7h%vk.609$393.335@trnddc05>, John Santos writes:
>Bill Gunshannon wrote:
>> In article ,
>> helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes:
>>
>>>In article ,
>>>Jan-Erik Söderholm
>>>writes:
>>>
>>>
>
>Yup. I think that many of the problems arise because MUAs use the same
>protocol (SMTP) and port (25) to send mail to MTAs as MTAs use to relay
>mail to each other.

Modern MTAs can be configured to allow mail clients to submit mail to
them on the mail submission port (port 587) rather than port 25.
See RFC 2476 http://www.faqs.org/rfcs/rfc2476.html

> On the other hand MTAs talk to MUAs (when delivering
>mail) using either of 2 different protocols (that I know of), POP3 on
>port 110 and IMAP on port 143. (I don't think anything does POP2 on
>port 109 any more.)

Logically there are three parties involved not two. MTA, MUA and
Message store.

The MTA delivers mail to another MTA or to a message store.
The MUA originates mail and sends it to an MTA.

Mail clients generally incorporate the above MUA functionality together
with the ability to display and manipulate mail in the message store.

POP and IMAP are protocols used to access and manipulate the message
store. They are NOT used to deliver mail to the message store.

Note. The SMTP servers which come with the TCPIP stacks (TCPWARE,
MULTINET or TCPIP SERVICES/UCX) are NOT fully fledged modern MTAs. For
that you would need either PMDF or MX.
( PMDF is a commercial product but is available free for hobbyist use.
MX is now an open-source free product see http://www.madgoat.com/
However I'm not aware of anyone currently continuing development of MX. )

David Webb
Security team leader
CCSS
Middlesex University

>I think if the mail origination and mail relay
>functions and protocols had been kept distinct from the start, everything
>would be much cleaner and under better control. For example, the way
>you want to authenticate a mail originator is very different from the
>way you want to authenticate a mail transport agent.
>
>In their defense, SMTP is a "push" protocol (both for originating and
>relaying mail), but POP3 and IMAP are "pull" protocols, so there's a
>lot more commonality between an MUA sending to an MTA, and an MTA
>forwarding mail to another MTA, than between them and mail delivery.
>Also, these protocols originated before SPAM was an issue.
>
>
>--
>John Santos
>Evans Griffiths & Hart, Inc.
>781-861-0670 ext 539

------------------------------

Date: Fri, 5 Sep 2008 10:12:48 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: Current status?
Message-ID:

In article <4w_vk.522$1a2.373@trnddc04>, John Santos writes:
> AKAIK, there is no standard, reliable way for a client to
> identify its own SMTP server for sending messages. The
> person setting up the client generally needs to be *told*
> this by the networking powers that be, and then set up the
> client appropriately.

$ TCPIP SET CONF SMTP/GATEWAY=ALTERNATE=

In my case:

Alternate gateway: SMTP-RELAY.DYNACCESS.DE

> This leads to 2 problems. 1) I've figured out how to
> coerce UCX (really HP TCP/IP Services for OpenVMS, but that
> is too damn long to type) into using "domain.com" instead
> of "host.domain.com",

Substitute domain?

> but I haven't figured out how to make
> it send from "known.user" instead of "username".

DEFINE TCPIP$SMTP_FROM ?

------------------------------

Date: Fri, 5 Sep 2008 10:15:13 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: Current status?
Message-ID:

In article , david20@alpha2.mdx.ac.uk writes:
> As well as blocking connections to port 25 on external systems from your
> internal systems (apart from for your designated MTAs) you should also
> block connections from the external world to your internal systems on port 25
> (apart again from your designated MTAs). This stops someone setting up an
> internal system as an MTA which sends out through your designated MTAs.
> Because such systems are often poorly configured and are accessible from the
> outside world they maybe open-relays and because they send out through your
> designated MTAs they may cause your MTAs to be listed as "secondary"
> open-relays on certain blacklists.

I receive email locally on my VMS cluster, so the outside world has to
be able to connect. Misusing me as a relay? Not a problem:

SMTP Configuration

                                                        Options
Initial interval:  0 00:30:00.00   Address_max:    16   EIGHT_BIT
Retry interval:    0 01:00:00.00   Hop_count_max:  16   NORELAY
Maximum interval:  3 00:00:00.00                        HEADERS

I think NORELAY is even the default.

------------------------------

Date: Fri, 5 Sep 2008 10:45:02 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: Current status?
Message-ID:

In article , david20@alpha2.mdx.ac.uk writes:
> The SMTP servers which come with the TCPIP stacks (TCPWARE, MULTINET or TCPIP
> SERVICES/UCX) are NOT fully fledged modern MTAs. For that you would need either
> PMDF or MX.

What's missing?

------------------------------

Date: Fri, 5 Sep 2008 11:18:30 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: Current status?
Message-ID:

In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes:
>In article , david20@alpha2.mdx.ac.uk
>writes:
>
>> As well as blocking connections to port 25 on external systems from your
>> internal systems (apart from for your designated MTAs) you should also
>> block connections from the external world to your internal systems on port 25
>> (apart again from your designated MTAs). This stops someone setting up an
>> internal system as an MTA which sends out through your designated MTAs.
>> Because such systems are often poorly configured and are accessible from the
>> outside world they maybe open-relays and because they send out through your
>> designated MTAs they may cause your MTAs to be listed as "secondary"
>> open-relays on certain blacklists.
>
>I receive email locally on my VMS cluster, so the outside world has to
>be able to connect. Misusing me as a relay? Not a problem:
>
>SMTP Configuration
>
>                                                        Options
>Initial interval:  0 00:30:00.00   Address_max:    16   EIGHT_BIT
>Retry interval:    0 01:00:00.00   Hop_count_max:  16   NORELAY
>Maximum interval:  3 00:00:00.00                        HEADERS
>
>I think NORELAY is even the default.
>

In which case your system should either

1) Be one of your designated MTAs
or
2) Send and receive its mail through your organisation's designated MTAs

NORELAY may be good enough - I haven't really looked at a UCX SMTP
configuration in almost a decade. But if your mailserver was just one of
a large number in a big domain which I was responsible for I wouldn't
want to rely on you and all those others outside my direct control
having set them up correctly to prevent inappropriate relaying.

At Middlesex University we were getting lots of people (especially in
the computer science department) setting up a Linux or other server and
just installing Sendmail or another mailserver. Before we put in the
above block (a long time ago now) we were getting such internal
mailservers set up without notice fairly regularly and lots of them were
badly configured and open-relays.

David Webb
Security team leader
CCSS
Middlesex University

------------------------------

Date: Fri, 5 Sep 2008 12:15:37 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: Re: Current status?
Message-ID:

In article , helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes:
>In article , david20@alpha2.mdx.ac.uk
>writes:
>
>> The SMTP servers which come with the TCPIP stacks (TCPWARE, MULTINET or TCPIP
>> SERVICES/UCX) are NOT fully fledged modern MTAs. For that you would need either
>> PMDF or MX.
>
>What's missing?
>

A quick list from my knowledge of UCX SMTP compared to PMDF

Generic address rewriting for centralised naming etc
Callouts to antivirus/anti-spam products (content scanning products etc)
SMTP AUTH/SASL both client and server
LDAP lookups
Support for SMTP SUBMISSION
SPF/SRS
SMTP/TLS (though this is an extra cost item for non-hobbyists)
Ability to set up separate channels with different options for sending to
different MTAs
Header trimming
Addition of own headers

( I can't remember does UCX SMTP server support EHLO responses such as
SIZE ? TCPWARE and MULTINET probably do but I'm not sure about TCPIP
Services. )

That is just a few off the top of my head. The SMTP Servers which come
with the TCPIP stacks are just meant to be very simple systems which
receive mail for local users and send mail from local users. A fully
fledged MTA can also act as a central mailhub which directs mail to
multiple internal and external systems in a controlled manner. They are
much larger more flexible systems.

David Webb
Security team leader
CCSS
Middlesex University

------------------------------

Date: Fri, 05 Sep 2008 12:25:11 GMT
From: Jan-Erik Söderholm
Subject: Re: Current status?
Message-ID:

david20@alpha2.mdx.ac.uk wrote:
> The SMTP servers which come with the TCPIP stacks are just meant to be very simple systems which receive mail for local users and send mail from local users.

OK. And if *that* is what you need, would you say that the SMTP parts of TCPIP Services are OK as-is?

------------------------------

Date: Fri, 05 Sep 2008 09:04:57 +0200
From: Johnny Billquist
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

Bill Gunshannon wrote:
> In article , Johnny Billquist writes:
>> Bill Gunshannon wrote:
>>> In article , koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
>>>> In article , Roger Ivie writes:
>>>>> DR780, indeed. Fun device. It looked things up in the page tables, so you could give it user-space addresses. I thought there were manuals over at bitsavers, but I'm sure not finding them. There was also a VAXBI equivalent called the DRB32, but I never dealt with that one.
>>>> We had array processors from APS hung off of DR780.
>>> I watched one of those, brand new, still fastened to the pallet, get thrown in a dumpster. Sure wish I could have got my hands on it. I'm sure I could have found a way to hook it up to one of my PDP-11's or even a VAX. :-)
>> You would never have been able to hook it up to a PDP-11. A VAX-11/78x, or a VAX-86x0 would have been your only options.
>
> Or a Prime 850 like it was originally destined for. :-)

Doh! Did you mean the array processors? I thought you meant the DR780. :-)

	Johnny

--
Johnny Billquist                  || "I'm on a bus
                                  ||  on a psychedelic trip
email: bqt@softjar.se             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol

------------------------------

Date: 5 Sep 2008 12:03:15 GMT
From: billg999@cs.uofs.edu (Bill Gunshannon)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <6iclg3FptgokU1@mid.individual.net>

In article , Johnny Billquist writes:
> Bill Gunshannon wrote:
>> In article , Johnny Billquist writes:
>>> Bill Gunshannon wrote:
>>>> In article , koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
>>>>> In article , Roger Ivie writes:
>>>>>> DR780, indeed. Fun device. It looked things up in the page tables, so you could give it user-space addresses. I thought there were manuals over at bitsavers, but I'm sure not finding them. There was also a VAXBI equivalent called the DRB32, but I never dealt with that one.
>>>>> We had array processors from APS hung off of DR780.
>>>> I watched one of those, brand new, still fastened to the pallet, get thrown in a dumpster. Sure wish I could have got my hands on it. I'm sure I could have found a way to hook it up to one of my PDP-11's or even a VAX. :-)
>>> You would never have been able to hook it up to a PDP-11. A VAX-11/78x, or a VAX-86x0 would have been your only options.
>>
>> Or a Prime 850 like it was originally destined for. :-)
>
> Doh! Did you mean the array processors? I thought you meant the DR780. :-)
>

No, the Array Processor. Seeing a DR780 go in the dumpster would be a bad thing, but watching the Array Processor end up there was a tragedy!!

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999@cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include

------------------------------

Date: 5 Sep 2008 09:36:47 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

In article <6iaju6Fpl207U1@mid.individual.net>, billg999@cs.uofs.edu (Bill Gunshannon) writes:
> In article , koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
>>
>> We had array processors from APS hung off of DR780.
>
> I watched one of those, brand new, still fastened to the pallet, get thrown in a dumpster. Sure wish I could have got my hands on it. I'm sure I could have found a way to hook it up to one of my PDP-11's or even a VAX. :-)

Defogging the grey matter, I think it was FPS, not APS.

------------------------------

Date: 5 Sep 2008 09:35:06 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: HP TestDrive systems to be shutdown
Message-ID:

In article , Marty Kuhrt writes:
>
> So do you think this means that there will be an HP blessed VM (or PVP in their parlance)? Could I run OpenVMS in a VM on my dual quad core Xeon Mac? That would be neat.

I'm pretty sure the VM they're talking about is the HP-UX based VM that runs on I64. VMS already runs on top of it. Only on I64.

------------------------------

Date: Fri, 05 Sep 2008 09:28:41 -0700
From: Marty Kuhrt
Subject: Re: HP TestDrive systems to be shutdown
Message-ID: <0KSdnSq_Dc-nw1zVnZ2dnUVZ_g2dnZ2d@speakeasy.net>

Craig A. Berry wrote:
> Marty Kuhrt wrote:
>
>> So do you think this means that there will be an HP blessed VM (or PVP in their parlance)?
>
> Yes, of course:
>
> http://h71028.www7.hp.com/ERC/downloads/4AA0-5801ENW.pdf
>
> and see Hoff's blog entry:
>
> http://64.223.189.234/node/640

Fine. Go ahead and ruin my hopes with facts. :^p

>
>> Could I run OpenVMS in a VM on my dual quad core Xeon Mac? That would be neat.
>
> It all pretty clearly states HP Integrity VM so what you're asking seems quite unlikely.
> It's probably more of a VMWare- or Parallels Desktop-like model rather than an emulator, so running on a foreign processor isn't part of the picture. Or were you assuming OpenVMS will be ported to Xeon? ;-)

After thinking about it for three or four seconds, I realized that this statement...

    HP PVP provides the latest and greatest state of the art HP BladeSystems technology (BL870c Integrity, BL460c quad core Xeon) as hosts for your dedicated virtual machines.

didn't necessarily mean I could run a VMS PVP on a Quad Core Xeon. Just wanted it to.

> Like a lot of what HP does, shutting down the testdrive systems and replacing them with something individuals can't get to doesn't make a lot of sense.

At least they are keeping the OpenVMS TD systems available until another "solution" is available. Not quite the same "logic" that had them killing the Alpha long before IA64 was ready for primetime.

> Hopefully whoever had this brilliant idea doesn't know about the hobbyist program.

Shhh. Don't jinx it. ;^)

------------------------------

Date: Fri, 5 Sep 2008 10:17:26 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: huge USB disks and VMS
Message-ID:

I recently saw an ad for a 1-GB RAID-1 external USB disk for EUR 179. Is there any VMS machine (presumably Itanium) one could connect this to? What are the largest officially supported SCSI-1, SCSI-2 and SCSI-3 disks for VMS? What are the largest which will work?

------------------------------

Date: Fri, 5 Sep 2008 03:20:40 -0700 (PDT)
From: urbancamo
Subject: Re: huge USB disks and VMS
Message-ID:

I'm presuming you meant a 1 TB disk? I'm not sure a 1 GB disk is considered 'huge' anymore (even in 1994 when I got my DEC 3000/600 with 2x1GB drives I thought they were a bit pokey.) :)

Mark.
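As an added example (not code from the thread), here is a Python helper that checks a disk's size against the block-address limits raised in the replies below: the 28-bit ATA LBA barrier (the ~137 GB IDE limit), a block number held in a signed 32-bit longword (2147483647 blocks, ~1.099 TB), and an unsigned 32-bit one. It assumes 512-byte blocks throughout; the 28-bit limit is the ATA one, not anything VMS-specific.

```python
# Added example, not from the thread: check a disk's size against the
# block-address limits discussed in this thread (28-bit ATA LBA, a block
# number held in a signed 32-bit longword, and an unsigned 32-bit one),
# before trusting the disk to an old driver or utility.
BLOCK_SIZE = 512  # bytes per VMS disk block (assumed throughout)

# Highest addressable block number, by how the block number is held.
LIMITS = {
    "ata_lba28": (1 << 28) - 1,        # 28-bit ATA LBA: the ~137 GB IDE barrier
    "signed_longword": (1 << 31) - 1,  # 2147483647 blocks, ~1.099 TB
    "unsigned_longword": (1 << 32) - 1,
}


def capacity_bytes(block_limit):
    """Usable bytes if every block up to and including block_limit is addressable."""
    return (block_limit + 1) * BLOCK_SIZE


def blocks_for_bytes(size_bytes):
    """Number of 512-byte blocks a disk of size_bytes provides."""
    return size_bytes // BLOCK_SIZE


def as_signed_longword(lbn):
    """Reinterpret a block number as a 32-bit two's-complement longword.

    This is the failure mode described in the thread: once the top bit is
    set, code that treats the block number as signed sees a negative value.
    """
    lbn &= 0xFFFFFFFF
    return lbn - (1 << 32) if lbn & 0x80000000 else lbn


def check_disk(size_bytes):
    """Report which limits a disk exceeds and how its highest block number
    would read if handled as a signed longword (negative means trouble)."""
    total_blocks = blocks_for_bytes(size_bytes)
    highest_lbn = total_blocks - 1
    exceeded = [name for name, limit in LIMITS.items() if highest_lbn > limit]
    return {
        "blocks": total_blocks,
        "highest_lbn_signed": as_signed_longword(highest_lbn),
        "exceeds": exceeded,
    }


if __name__ == "__main__":
    # Constructed sample sizes: a "1 TB" retail disk, a 1.5 TB one, a 120 GB IDE-era one.
    for label, size in [("1 TB", 10**12), ("1.5 TB", 1_500_000_000_000), ("120 GB", 120 * 10**9)]:
        r = check_disk(size)
        print(f"{label}: {r['blocks']} blocks, highest LBN as signed longword "
              f"{r['highest_lbn_signed']}, exceeds {r['exceeds'] or 'nothing'}")
```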
------------------------------

Date: Fri, 5 Sep 2008 10:46:04 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: Re: huge USB disks and VMS
Message-ID:

In article , urbancamo writes:
> I'm presuming you meant a 1 TB disk?

Yes, of course!

> I'm not sure a 1 GB disk is considered 'huge' anymore (even in 1994 when I got my DEC 3000/600 with 2x1GB drives I thought they were a bit pokey.)

Indeed.

------------------------------

Date: Fri, 5 Sep 2008 05:10:09 -0700 (PDT)
From: urbancamo
Subject: Re: huge USB disks and VMS
Message-ID:

What about one that hangs off the network - doesn't VMS support samba shares?

------------------------------

Date: Fri, 5 Sep 2008 08:06:25 -0700 (PDT)
From: johnwallace4@yahoo.co.uk
Subject: Re: huge USB disks and VMS
Message-ID:

On Sep 5, 1:10 pm, urbancamo wrote:
> What about one that hangs off the network - doesn't VMS support samba shares?

Don't know about VMS and SAMBA, but the low-end unbranded NAS box I bought a while back has basically no security on its SAMBA shares (one username/password gets access to everything in the box), which might not fit well in any environment where folks care about security, e.g. a typical VMS environment. The innards of many low-end NAS boxes may well be similar, whether they come with a well-known ("trusted"?) name or not.

------------------------------

Date: Fri, 5 Sep 2008 15:52:41 +0000 (UTC)
From: moroney@world.std.spaamtrap.com (Michael Moroney)
Subject: Re: huge USB disks and VMS
Message-ID:

helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply) writes:
> I recently saw an ad for a 1-GB RAID-1 external USB disk for EUR 179. Is there any VMS machine (presumably Itanium) one could connect this to? What are the largest officially supported SCSI-1, SCSI-2 and SCSI-3 disks for VMS? What are the largest which will work?

AFAIK, VMS should be fine with any disk up to 1TB, for which the driver can handle all possible blocks.
This would exclude IDE drives over 137G unless work has been done in that area recently. Due to the way SCSI drives work, ones up to 1TB should just work. This doesn't mean supported.

VMS might have issues for drives with more than 2147483647 blocks, which works out to be 1.099 TB, because the block number, if it's ever treated as a signed longword, could go negative. I know shadowing would have problems with that unless work has been done to address that recently. This 2147483647 figure may be hard-coded as a limit in MOUNT or something.

------------------------------

Date: Fri, 5 Sep 2008 06:24:43 -0700 (PDT)
From: DaveG
Subject: Re: Loose Cannon-dian
Message-ID:

On Sep 4, 6:02 pm, b...@signedness.org wrote:
> On Sep 4, 3:37 pm, billg...@cs.uofs.edu (Bill Gunshannon) wrote:
>> In article , John Santos writes:
>>> Bill Gunshannon wrote:
>>>> In article <48be1d20$0$9641$c3e8...@news.astraweb.com>, JF Mezei writes:
>>>>> b...@signedness.org wrote:
>>>>>> trouble of finding all the relevant dates, I estimate that HP had a patch linked around 6 weeks before it was even clear to the majority of comp.os.vms that it was a real issue and exploitable.
>>>>> You need to wonder why HP would have sat on that patch so long without telling you the problem was fixed and without releasing the patch. Is it really a coincidence that it was released very shortly after people on C.O.V. were given proper details to understand *and reproduce* this serious vulnerability?
>>>>> I'd be willing to bet there was nobody from the VMS group at the DEFCON conference. So the fact that you published a vulnerability there would not have made a difference.
>>>>> The VMS community knows very well that the "newer" software like the TCPIP stack or anything ported from Unix is riddled with bugs and buffer overflow risks because it is not really "native" VMS software. The POP/IMAP and XDM servers do not honour VMS intrusion detection for instance. That is a serious security weakness since it allows brute-force attacks that do not generate alarms. And this has been present for years.
>>>> Oh, cut the crap. It isn't Unix's fault that there are bugs in VMS. One of the reported exploits is in SMG which is pure VMS. Not only that, it was written in Bliss, not C. No language or OS is immune to bad programming.
>>> Since this was exactly the point JF made in the next paragraph, in what way was it crap? Did you respond without reading the entire post? Or do you just like crowing about it?
>> I wasn't responding to the next paragraph but to the comment above that. Like is done here frequently, he once again referred to "anything ported from Unix" and described it as "riddled with bugs and buffer overflow risks because it is not really 'native' VMS software". I was merely pointing out that SMG, while not "ported from Unix" and "really 'native' VMS software", was found to have "bugs and buffer overflow risks".
>>>>> Your vulnerability surprised many because it affected software that dates back to the glory days of VMS when software quality and security was job #1 at Digital and Digital really prided itself on having experienced coders that wouldn't make such mistakes (especially since most system services provide buffer limits to prevent buffer overflows).
>>>> Or maybe it just destroyed that myth, too. Programmers are programmers. Some are good and some are bad and any idea that DEC never hired a bad programmer is just plain ludicrous. The fact that these bugs remained (apparently) undetected just further proves how long ago VMS became insignificant in the IT world and thus never saw the scrutiny other systems saw.
>>> It's not a myth. It's checks and balances. DEC never just trusted that they would hire good programmers and then everything would work. There were code reviews, walk-throughs, programming standards (including relatively safe languages and safe programming techniques such as string descriptors as opposed to null-terminated strings), regression testing, field testing, and many eyes. The system isn't (or wasn't) perfect; this is proof. But it's still dozens or hundreds of times better than the typical Unix method, and thousands of times better than M$.
>> That remains to be seen. Because they have never been reported or tracked by any outside source (look at the reluctance to report any of these recent discoveries to CERT) there really is no way of knowing how many problems of the same type as found in Unix have been quietly fixed and rolled into the next upgrade rather than making them public and sending out very visible patches. The apparent age of some of these recent vulnerabilities belies the idea that DEC's "checks and balances" and "code reviews, walk-throughs, programming standards" were any better than anyone else's. VMS just has a much lower visibility profile. And, as for "safe languages", someone has already stated that the offending SMG code is Bliss. Or was that a mistake? Surely it wasn't C all those years ago on the VAX?
>
> There are good reasons for people to be reluctant to report to CERT. CERT is no longer a good source for vulnerability information. I'm pretty sure HP will publish their own advisory about this eventually and when they do maybe CERT will reword and publish their own version.
>
> I don't believe people are more reluctant to report vulnerabilities in VMS than anything else. I think the simple reason you don't see more VMS vulnerabilities reported is that few people looking for bugs know VMS (ourselves included) and other targets for bug hunting are more attractive since they don't require learning a new OS.
>
> BTW other sources do track VMS vulnerabilities. A good starting point is http://secunia.com/search/?search=openvms
>
>>> If you really think there are just as many undiscovered exploits in VMS as there are in Unix, then you must think there is no value at all to any of these things. Sheesh!
>> I think no one outside of DEC/Compaq/HP has any idea how many exploits equivalent to those found in Unix have or still exist in VMS. It's a matter of visibility and not code quality. Every little bug in Unix (most of which are in external programs rather than Unix itself) gets reported publicly and usually loudly. Even these recent ones have seen no mention outside of a very small group of VMS users. I am going to give our VMS System Manager a call in just a couple of minutes. What do you think the odds are that he is aware of any of these? Or the existence of a MUP to fix them? I know he doesn't read c.o.v!! I'll let you know.
>>>>> And since the "legacy" portions of VMS such as SMG haven't been actively developed/improved in over a decade, so we would have still expected this software to date back to the days of the high quality standards.
>>>> And yet, there they are. Bugs, just like in everything else. Go figure!
>>> Innumeracy.
>>
>> bill
>>
>> --
>> Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
>> billg...@cs.scranton.edu |  and a sheep voting on what's for dinner.
>> University of Scranton   |
>> Scranton, Pennsylvania   |         #include

Both OpenVMS and VMS return 0 results at the Secunia site bugs mentioned.

------------------------------

Date: Fri, 5 Sep 2008 07:03:32 -0700 (PDT)
From: DaveG
Subject: Re: Loose Cannon-dian
Message-ID: <61cca491-5267-4ab4-9ad7-ab4e23442ef5@k7g2000hsd.googlegroups.com>

On Sep 5, 8:28 am, Jan-Erik Söderholm wrote:
> DaveG wrote:
>> On Sep 4, 6:02 pm, b...@signedness.org wrote:
>>> BTW other sources do track VMS vulnerabilities. A good starting point is http://secunia.com/search/?search=openvms
>>
>> Both OpenVMS and VMS return 0 results at the Secunia site bugs mentioned.
>
> Try :
>
> http://secunia.com/advisories/search/?search=openvms

Thanks. Funny the search function page didn't produce the same results. Onward and upward.

------------------------------

Date: Fri, 5 Sep 2008 07:10:59 -0700 (PDT)
From: IanMiller
Subject: Re: Loose Cannon-dian
Message-ID:

On Sep 5, 3:03 pm, DaveG wrote:
> On Sep 5, 8:28 am, Jan-Erik Söderholm wrote:
>> DaveG wrote:
>>> On Sep 4, 6:02 pm, b...@signedness.org wrote:
>>>> BTW other sources do track VMS vulnerabilities. A good starting point is http://secunia.com/search/?search=openvms
>>> Both OpenVMS and VMS return 0 results at the Secunia site bugs mentioned.
>> Try :
>> http://secunia.com/advisories/search/?search=openvms
>
> Thanks. Funny the search function page didn't produce the same results. Onward and upward.
Down, no across.

See also
DECnet/Plus V7 http://secunia.com/advisories/product/13160/
DECnet/Plus V8 http://secunia.com/advisories/product/13161/
HP TCPIP for OpenVMS V5 http://secunia.com/advisories/product/2949/

------------------------------

Date: Fri, 5 Sep 2008 15:36:23 +0000 (UTC)
From: helbig@astro.multiCLOTHESvax.de (Phillip Helbig---remove CLOTHES to reply)
Subject: open TCPIP ports
Message-ID:

My old router was quite easy to configure with regard to ports; one could specify a range of ports as well as an individual port, and select TCP, UDP or both. The new one requires an explicit entry in a form, in which the (usually wrong) defaults must be corrected, and separate entries for TCP and UDP. Also, it isn't possible to specify a range. And this has to be done via a web interface.

As a quick fix, I set the cluster alias to "exposed host", i.e. all ports get forwarded to that (which is essentially what I want). Is there any reason not to keep this configuration, i.e. individually specify the ports I need instead? With the old router, I could also see logs of incoming connections, and there was one every few seconds, often to port 445 IIRC. Some Windows system trying to infect another one virally, probably. Since most bogus connections will assume a non-VMS system, I don't think there are any security issues involved. What about performance---if they get blocked at the router, they won't make it to VMS at all. Of course, there is nothing listening on the ports I don't need, but some overhead will result nevertheless.

If it would be better to specify the ports individually, here's my list. Comments, suggestions and criticism welcome.

20 FTP control
21 FTP data
22 SSH
23 telnet
25 SMTP
43 whois
53 DNS
63 whois++
69 tftp
79 finger
80 http
81 unassigned!!! (commonly used for no-cache HTTP)
119 nntp
443 https
989 ftps
990 ftps
992 telnets
993 telnets
8000 I use this for HTTP
8001 I use this for HTTP
6000-6063 X11
33434 traceroute

I won't necessarily need all of these, but I hope there are none which I do which are not on the list.

According to http://www.iana.org/assignments/port-numbers most (all?) port numbers are for both TCP and UDP. I'm sure about some, but not all; for which should I open the port for TCP and for which for UDP?

------------------------------

Date: Fri, 05 Sep 2008 15:41:47 GMT
From: Jan-Erik Söderholm
Subject: Re: open TCPIP ports
Message-ID: <%qcwk.2111$U5.1228@newsb.telia.net>

Phillip Helbig---remove CLOTHES to reply wrote:
> My old router was quite easy to configure with regard to ports; one could specify a range of ports as well as an individual port, and select TCP, UDP or both. The new one requires an explicit entry in a form, in which the (usually wrong) defaults must be corrected, and separate entries for TCP and UDP. Also, it isn't possible to specify a range. And this has to be done via a web interface.
>
> As a quick fix, I set the cluster alias to "exposed host", i.e. all ports get forwarded to that (which is essentially what I want). Is there any reason not to keep this configuration, i.e. individually specify the ports I need instead? With the old router, I could also see logs of incoming connections, and there was one every few seconds, often to port 445 IIRC. Some Windows system trying to infect another one virally, probably. Since most bogus connections will assume a non-VMS system, I don't think there are any security issues involved. What about performance---if they get blocked at the router, they won't make it to VMS at all. Of course, there is nothing listening on the ports I don't need, but some overhead will result nevertheless.
>
> If it would be better to specify the ports individually, here's my list.
> Comments, suggestions and criticism welcome.
>
> 20 FTP control
> 21 FTP data
> 22 SSH
> 23 telnet
> 25 SMTP
> 43 whois
> 53 DNS
> 63 whois++
> 69 tftp
> 79 finger
> 80 http
> 81 unassigned!!! (commonly used for no-cache HTTP)
> 119 nntp
> 443 https
> 989 ftps
> 990 ftps
> 992 telnets
> 993 telnets
> 8000 I use this for HTTP
> 8001 I use this for HTTP
> 6000-6063 X11
> 33434 traceroute
>
> I won't necessarily need all of these, but I hope there are none which I do which are not on the list.
>
> According to http://www.iana.org/assignments/port-numbers most (all?) port numbers are for both TCP and UDP. I'm sure about some, but not all; for which should I open the port for TCP and for which for UDP?
>

I simply open relevant ports *when actually needed*. How would anyone else know what ports *your* server needs? Am I missing something here?

Jan-Erik.

------------------------------

Date: Fri, 05 Sep 2008 18:39:31 +0200
From: Joseph Huber
Subject: Re: open TCPIP ports
Message-ID:

Phillip Helbig---remove CLOTHES to reply wrote:
> My old router was quite easy to configure with regard to ports; one could specify a range of ports as well as an individual port, and select TCP, UDP or both. The new one requires an explicit entry in a form, in which the (usually wrong) defaults must be corrected, and separate entries for TCP and UDP. Also, it isn't possible to specify a range. And this has to be done via a web interface.
>
> As a quick fix, I set the cluster alias to "exposed host", i.e. all ports get forwarded to that (which is essentially what I want). Is there any reason not to keep this configuration, i.e. individually specify the ports I need instead? With the old router, I could also see logs of incoming connections, and there was one every few seconds, often to port 445 IIRC. Some Windows system trying to infect another one virally, probably. Since most bogus connections will assume a non-VMS system, I don't think there are any security issues involved. What about performance---if they get blocked at the router, they won't make it to VMS at all. Of course, there is nothing listening on the ports I don't need, but some overhead will result nevertheless.
>
> If it would be better to specify the ports individually, here's my list. Comments, suggestions and criticism welcome.
> ... list omitted ...
> According to http://www.iana.org/assignments/port-numbers most (all?) port numbers are for both TCP and UDP. I'm sure about some, but not all; for which should I open the port for TCP and for which for UDP?
>

If on VMS this is TCPIP Services (UCX), simply do a

    TCPIP SHOW DEVICE

It will give the list of ports listened to on this system. Nothing else needs to be directed to VMS. Type STREAM are TCP, DGRAM are UDP.

--
Joseph Huber - http://www.huber-joseph.de

------------------------------

Date: Fri, 5 Sep 2008 06:54:32 -0700 (PDT)
From: Rich Jordan
Subject: Re: OpenVMS upgrade checklists
Message-ID:

On Sep 4, 6:33 pm, B...@rabbit.turquoisewitch.com (Brad Hamilton) wrote:
> In article , Rich Jordan wrote:
>
> [...]
>
>> This isn't really a formal document though. In the past it was something which (I assume) VMS engineering put together as an aid to installer/upgraders. I'm familiar with the staged doc updates (as needed). I don't think that's the case here though. More like it just didn't get done; perhaps it's been dropped.
>
> Just for completeness' sake - I found the doc using the HP search tool on the VMS website. I avoided this search tool for years after my initial uses of it were unsuccessful. It looks as though the tool has improved considerably over the years.
>
> I found and looked at the document quickly - it looks as though it's generic enough to use for V8.3, perhaps in conjunction with the "new features and release notes" for V8.3. I can understand wanting to have a separate document for V8.3, though. Perhaps I'll try using it when I upgrade my hobbyist system from V8.3 to V8.4-mumble.
>
> Thanks for the information. Every little bit helps.

I have the V8.2 doc also. It really is a handy thing to have as a "sanity check", to make sure you haven't missed a critical to-do from the install guide or release notes.

Rich

------------------------------

Date: Fri, 05 Sep 2008 13:49:36 -0400
From: "Richard B. Gilbert"
Subject: Re: OpenVMS upgrade checklists
Message-ID:

Rich Jordan wrote:
> On Sep 4, 6:33 pm, B...@rabbit.turquoisewitch.com (Brad Hamilton) wrote:
>> In article , Rich Jordan wrote:
>>
>> [...]
>>
>>> This isn't really a formal document though. In the past it was something which (I assume) VMS engineering put together as an aid to installer/upgraders. I'm familiar with the staged doc updates (as needed). I don't think that's the case here though. More like it just didn't get done; perhaps it's been dropped.
>> Just for completeness' sake - I found the doc using the HP search tool on the VMS website. I avoided this search tool for years after my initial uses of it were unsuccessful. It looks as though the tool has improved considerably over the years.

If so, it was LONG overdue. For many years the ONLY way to find anything on the HP site was to Google for it and add "site:HP.COM" to your search string. If you used HP's search engine to search for "foo" you would get 50,000 hits that mentioned foo. Google would return hits that were ABOUT "foo".

------------------------------

Date: Fri, 05 Sep 2008 12:07:18 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: OT: Flying with Diabetes (was RE: SMGRTL patch available on ITRC ftp site)
Message-ID: <00A7F2B6.E14EF30C@SendSpamHere.ORG>

In article <48c0955d$0$9672$c3e8da3@news.astraweb.com>, JF Mezei writes:
> Richard B. Gilbert wrote:
>
>> When your blood glucose drops below sixty you are in trouble;
>
> Just for the record, outside of the USA, the normal blood sugar is around 4. Above 7, sugar levels are too high. Below 3, you get weak. Above 13, you gosub (eventually just a goto) hospital ASAP.

In the US, blood sugar is measured in mg/dl (80-100 being considered normal). Outside, the measurement is mmol/l (4-6 being considered a normal blood sugar reading).

> Note that high blood sugar also influences the brain. Those with alzheimer's will see very obvious degraded brain performance when blood sugar rises. (and diabetes is often a trigger of alzheimer's (or makes it appear faster than it would have otherwise appeared). And degraded performance is not as obvious as passing out but can be dangerous too when making serious work.
>
> Brain runs on sugar (glycogen) alone.

People do not pass out from high blood sugar unless it is extremely high. The dangers of high blood sugar are (long term high levels):

Ketoacidosis
Vascular damage
Neuropathy

> The liver can convert sugar into fat, it can convert some fructose into glucose and can store glucose as glycogen for release when needed.

This is where meds like Glucophage/metformin (oral anti-diabetic) work. The liver also converts fats back into sugar (hepatic gluconeogenesis). Glucagon is a hormone that causes the liver to release glucose into the blood stream. It is an emergency measure for _low_ blood sugar.

> Milk is the recommended drink when blood sugar is low. Quick but limited release of sugar, followed by slower release of sugar. Easier to control sugar levels. With Coke, you get a huge uncontrolled rush of sugar into the blood, and this is not recommended if you have sugar control problems.

I don't do milk. I grew up in dairy farm country and worked on a dairy farm. I don't drink the product. There were also turkey farms in the area, so I won't eat turkey either. ;)

I'm surprised that the ADA (American Diabetes Assoc) suggests milk as a good alternative. There are problems with taking milk with some of the oral anti-diabetics, its fat and cholesterol content is very high even in skim milk, and milk proteins have been linked to the trigger of the auto-immune response responsible for type I (ID) diabetes.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)COM

... pejorative statements of opinion are entitled to constitutional protection no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside of usenet _must_ include its contents in its entirety including this copyright notice, disclaimer and quotations.

------------------------------

Date: Fri, 05 Sep 2008 01:04:50 -0800
From: glen herrmannsfeldt
Subject: Re: Phase 2 and delayed ampersand substitution with the ON command
Message-ID:

AEF wrote:
> $ I1 = "ON" ! Set items
> $ I2 = "WARNING"
> $ I3 = "THEN"
> $ I4 = "DIRECTORY"
> $ I5 = "AFTER_ON.COM"
> $ &I1 &I2 &I3 &I4 &I5 ! Build and run ON command

(snip)

> The ampersands don't operate on I4 and I5 until the ON condition occurs. You would think that changing the items after the command should have no effect, right? Well, _I_ did before I somehow stumbled upon this some years ago.

(snip)

> Is this delayed-substitution effect somehow part of the ON command, or is this just an unintentional, though slightly useful, consequence of more general command processing? (See ON_SEVERITY.COM below for something useful.)
>
> Now the User's Manual says
>
> 12.13.2 Phase 2: Command Parsing
>
> In the command parsing phase:
>
> * The command interpreter analyzes the command line. It checks the first item on the line to see if it is a symbol. If it is, it is evaluated.
>
> * The command interpreter evaluates symbols preceded by ampersands from left to right. Symbol substitution during this phase is not iterative.
It could be that it replaces &I1 then tries the command:

    ON &I2 &I3 &I4 &I5

now it finds that it needs &I2, replaces that:

    ON WARNING &I3 &I4 &I5

oops, now replace &I3:

    ON WARNING THEN &I4 &I5

> But here we see that ampersand substitution for &I1 thru &I3 occurs before command execution, while for &I4 and &I5 it occurs only later when there is an error condition (or a control/y interrupt)!

I can't say that is completely obvious, but it seems consistent with the description. It might be that with more examples you can figure out what it really does.

-- glen

------------------------------

Date: Fri, 5 Sep 2008 07:42:40 -0700 (PDT)
From: "george.pagliarulo@hp.com"
Subject: Receiving Customer Advisories and Security Updates
Message-ID: <91282657-f08f-49ea-9fd9-d8d668f7c299@k37g2000hsf.googlegroups.com>

HP's notification process for things such as Customer Advisories and Security Updates is different from what we have had in the past; rather than being a push process, it is a pull process. Customers need to register for Subscriber's Choice at the ITRC site in order to receive these advisories. I know that having to register is anathema for some users, but that is the Corporate notification system that we are required to use.

To help alleviate some of the pain, I also send all notices to openvms.org for distribution. The advisories and such that I send to openvms.org get released with none of the Subscriber's Choice overhead. However, even at openvms.org users need to sign up for the mail list.

I urge all customers to sign up for these two services.

George Pagliarulo
ECO Release Process
OpenVMS Sustaining Engineering
Hewlett-Packard Company

------------------------------

Date: Fri, 5 Sep 2008 07:28:52 -0700 (PDT)
From: "george.pagliarulo@hp.com"
Subject: Re: What has happened to RMS ECO?
Message-ID: <3fe42ece-c884-4497-95b7-26c073e34472@i76g2000hsf.googlegroups.com>

Hi,

The VMS83A_RMS-V0900 ECO has been delayed waiting for a new change to be incorporated that corrects a customer issue. Since this change was already in development it was decided to delay the kit until we could ship all known changes. The kit should be available in two weeks.

George Pagliarulo
ECO Release Process
OpenVMS Sustaining Engineering
Hewlett-Packard Company

On Aug 26, 12:29 pm, DaveG wrote:
> On Aug 26, 11:06 am, pe...@langstoeger.at (Peter 'EPLAN' LANGSTOeGER) wrote:
>
>> What has happened to the VMS83A_RMS ECO? V8 was out, then recalled (ON-HOLD). And then, nothing so far. What was V8 intended to fix (which is now open yet)?
>>
>> Any insight?
>>
>> TIA
>>
>> --
>> Peter "EPLAN" LANGSTÖGER
>> Network and OpenVMS system specialist
>> E-mail  Pe...@LANGSTOeGER.at
>> A-1030 VIENNA  AUSTRIA              I'm not a pessimist, I'm a realist
>
> george dot pagliarulo at hp dot com would know.

------------------------------

Date: 5 Sep 2008 09:41:00 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: [RBL] Current status?
Message-ID:

In article <6iakmbFpl207U2@mid.individual.net>, billg999@cs.uofs.edu (Bill Gunshannon) writes:
>
> Not really. Those particular devices should be sending their email to the real mailserver which should be the only one communicating with mail servers in the outside world. If network/system managers, in particular ISPs, followed this rule 99% of SPAM could be dealt with in very short order.

The problem isn't the path, it's the sending. They want to send via SMTP, not POP, IMAP, or some other client protocol. As far as the "security experts" are concerned, only servers send via SMTP. I can't really fault a COTS vendor for sending email via SMTP.

------------------------------

End of INFO-VAX 2008.487
************************
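As an added example for the "open TCPIP ports" thread above (not code from the digest or from any poster), here is a Python helper that follows Joseph Huber's advice: take a TCPIP SHOW DEVICE listing, keep only the sockets that are actually listening, map STREAM to TCP and DGRAM to UDP, and compare the result with a proposed forwarding list so that only ports with a listener behind them get opened on the router. The listing is constructed for the example and its column layout (Device_socket, Type, Local, Remote, Service, Host) is an assumption; the parser only relies on the socket type being the second column and the local and remote ports the third and fourth.

```python
# Added example, not from the thread: derive the router port-forwarding list
# from a TCPIP SHOW DEVICE listing (STREAM = TCP, DGRAM = UDP, per the thread)
# and report which ports of a proposed list have nothing listening behind them.
# SAMPLE_LISTING is constructed for this example; the column layout is assumed.
SAMPLE_LISTING = """\
                                                             Port    Remote
Device_socket   Type        Local   Remote   Service          Host

  bg10           STREAM         21        0   FTP              0.0.0.0
  bg12           STREAM         22        0   SSH              0.0.0.0
  bg14           STREAM         25        0   SMTP             0.0.0.0
  bg16           DGRAM          53        0   DOMAIN           0.0.0.0
  bg17           STREAM         53        0   DOMAIN           0.0.0.0
  bg20           STREAM         80        0   HTTP             0.0.0.0
  bg21           STREAM       8000        0                    0.0.0.0
  bg33           STREAM         22    51234   SSH              192.0.2.7
"""

SOCKET_TYPE_TO_PROTO = {"STREAM": "tcp", "DGRAM": "udp"}


def listening_ports(listing):
    """Return the set of (port, proto) pairs with a listener on this system.

    A row is a listener when its remote port is 0. Rows with a non-zero
    remote port are established connections (bg33 above) and need no
    forwarding rule of their own.
    """
    listeners = set()
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] not in SOCKET_TYPE_TO_PROTO:
            continue  # header, blank line, or a socket type we do not forward
        local, remote = int(fields[2]), int(fields[3])
        if remote == 0:
            listeners.add((local, SOCKET_TYPE_TO_PROTO[fields[1]]))
    return listeners


def forwarding_rules(listing):
    """One 'port/proto' entry per listener, sorted, ready for the router's form."""
    return [f"{port}/{proto}" for port, proto in sorted(listening_ports(listing))]


def unneeded_ports(listing, proposed):
    """Ports from a proposed forwarding list that have no listener behind them."""
    open_ports = {port for port, _ in listening_ports(listing)}
    return sorted(p for p in proposed if p not in open_ports)


if __name__ == "__main__":
    # A subset of the list proposed in the original question, for comparison.
    proposed = [20, 21, 22, 23, 25, 53, 69, 79, 80, 443, 8000, 8001]
    print("forward:", ", ".join(forwarding_rules(SAMPLE_LISTING)))
    print("nothing listening on:", unneeded_ports(SAMPLE_LISTING, proposed))
```

Run it against the real output of TCPIP SHOW DEVICE instead of the sample to get the list for your own system; anything the router forwards that is not in that list is exposure with no service behind it.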