Any USB 3G broadband usable under Linux?

Hello All, I have a friend currently running Windows on a laptop, where IE was so woeful that they were looking to upgrade the USB wireless broadband dongle. When I installed Firefox, matters improved, but some of the AV and malware software is not playing nice. As a result, I would like for them to be able to run Linux from a USB stick as a first trial before expunging Windows. This will require supporting the current connection with a Telstra Elite Mobile Broadband USB Modem, which is activated. I am aware that it has a dual personality, with the storage holding the install software, and having to be switched into the modem mode for communications. What I would appreciate is personal experience with this device, and what it can be made to do, and what the limitations are. I would also appreciate any pointers to what I might also consider for my personal use, where I will not require to run Windows for the activation phase. I am currently on dialup, but I have "issues" when I try to get the digital version of Linux Journal. Specifically, there is something in the network path causing undue ping times, whereas I can do much the same to grab similarly sized files from other sites, and it does work. Having limited amounts of prepaid quota would be very helpful for intermittent use, as would further information that will assist in dealings with Telstra's marketing, and ostensibly not supporting Linux. Regards, Mark Trickett

I don't have any personal experience with that device, it looks like it is the following http://www.zte.com.au/telstra/MF668.htm I would do a search based on the model, it will hopefully be on the device or packaging somewhere. Slight variations can make a difference in terms of how well it works, e.g. XXX will be supported but XXXa may not be. If it is the above model, it looks like it does work but I would check based on the distribution you are intending to use. http://forums.linuxmint.com/viewtopic.php?f=53&t=89232&p=516732 On 9 July 2012 20:38, Mark Trickett <marktrickett@bigpond.com> wrote:
Hello All,
I have a friend currently running Windows on a laptop, where IE was so woeful that they were looking to upgrade the USB wireless broadband dongle. When I installed Firefox, matters improved, but some of the AV and malware software is not playing nice.
As a result, I would like for them to be able to run Linux from a USB stick as a first trial before expunging Windows. This will require supporting the current connection with a Telstra Elite Mobile Broadband USB Modem, which is activated. I am aware that it has a dual personality, with the storage holding the install software, and having to be switched into the modem mode for communications.
What I would appreciate is personal experience with this device, and what it can be made to do, and what the limitations are. I would also appreciate any pointers to what I might also consider for my personal use, where I will not require to run Windows for the activation phase. I am currently on dialup, but I have "issues" when I try to get the digital version of Linux Journal. Specifically, there is something in the network path causing undue ping times, whereas I can do much the same to grab similarly sized files from other sites, and it does work. Having limited amounts of prepaid quota would be very helpful for intermittent use, as would further information that will assist in dealings with Telstra's marketing, and ostensibly not supporting Linux.
Regards,
Mark Trickett
_______________________________________________ luv-main mailing list luv-main@luv.asn.au http://lists.luv.asn.au/listinfo/luv-main

On Mon, Jul 9, 2012 at 8:38 PM, Mark Trickett <marktrickett@bigpond.com> wrote:
This will require supporting the current connection with a Telstra Elite Mobile Broadband USB Modem, which is activated.
I used one of these (ZTE MF668) for about 3 weeks while waiting for my ADSL to be connected, a year or so ago. I used Sakis3g (http://www.sakis3g.org/), and it worked fine from the CLI on my Ubuntu HTPC. My only gripe with these devices is that if you don't use them every 6 months, Telstra will 'disable' the SIM card. It will connect, and let you view the Telstra website, but you can't put any more credit on it. You need to then go into a Telstra store, and buy a new SIM card for it. And then you get the next issue that Telstra won't let you buy a SIM card, and put credit on it in one transaction. You must buy it, activate it, wait 2 hours, and THEN put credit on it. Bunch of ridiculousness. / Brett

I use Virgin mobile broadband using the 12gig for $149 plan. The modem being a Huawei E1762. It's now quite a time since I set it up but there was no real issue. Under Linux the device appears as 5 devices......

usbcore: registered new driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
usbcore: registered new driver usbserial_generic
drivers/usb/serial/usb-serial.c: USB Serial Driver core
drivers/usb/serial/usb-serial.c: USB Serial support registered for GSM modem (1-port)
option 1-3:1.0: GSM modem (1-port) converter detected
usb 1-3: GSM modem (1-port) converter now attached to ttyUSB0
option 1-3:1.1: GSM modem (1-port) converter detected
usb 1-3: GSM modem (1-port) converter now attached to ttyUSB1
option 1-3:1.2: GSM modem (1-port) converter detected
usb 1-3: GSM modem (1-port) converter now attached to ttyUSB2
usbcore: registered new driver option
drivers/usb/serial/option.c: USB Driver for GSM modems: v0.7.1
eth1: no IPv6 routers present
Vendor: HUAWEI    Model: Mass Storage      Rev: 2.31
Type:   CD-ROM                             ANSI SCSI revision: 02
Vendor: HUAWEI    Model: SD Storage        Rev: 2.31
Type:   Direct-Access                      ANSI SCSI revision: 02
sd 5:0:0:0: Attached scsi removable disk sdd
sd 5:0:0:0: Attached scsi generic sg3 type 0
usb-storage: device scan complete

I cannot now remember the complete details. Try and have a look through previous posts on this list as I did post details when I installed it. Try a search around June/July 2010, June being the date on the chatscript. The system works well although compared to what most people are used to it's expensive and somewhat limited. Below is the peers and chatscripts......... The user and password can be anything, it not being used.
/etc/ppp/peers
#debug
/dev/ttyUSB0
crtscts
#modem
refuse-chap
require-pap
noauth
#nodetach
#usepeerdns
defaultroute
noipdefault
noccp
nobsdcomp
novj
user "irrelevant"
password "irrelevant"
connect "/usr/sbin/chat -v -f /etc/chatscripts/virgin"

/etc/chatscripts/virgin
ABORT BUSY
ABORT ERROR
ABORT 'NO CARRIER'
REPORT CONNECT
TIMEOUT 10
"" "ATZ"
OK AT+CGDCONT=1,"ip","VirginBroadband"
OK "ATE1V1&D2&C1S0=0+IFC=2,2"
OK "AT+IPR=115200"
OK "ATE1"
TIMEOUT 60
"" "ATD*99#"
CONNECT \c

Lindsay

Lindsay Sprinter wrote:
I use Virgin mobile broadband using the 12gig for $149 plan. The modem being a Huawei E1762.
I also used a USB 3g dongle for a while, IIRC it was this one. Making it work was reasonably straightforward pppd configuration, once I stole the secret magic AT handshaking from a post on this list (thanks, btw). It didn't have the split-personality thing where the device pretends to be a CD-ROM until you say "the driver is installed, now present as a modem". IIRC there is a utility in Debian to force that, but I don't remember its name.

On 2012-07-10 12:47, Trent W. Buck wrote:
Lindsay Sprinter wrote:
I use Virgin mobile broadband using the 12gig for $149 plan. The modem being a Huawei E1762.
I also used a USB 3g dongle for a while, IIRC it was this one. Making it work was reasonably straightforward pppd configuration, once I stole the secret magic AT handshaking from a post on this list (thanks, btw).
It didn't have the split-personality thing where the device pretends to be a CD-ROM until you say "the driver is installed, now present as a modem". IIRC there is a utility in Debian to force that, but I don't remember its name.
mattcen@andy:tmp$ aptitude show usb-modeswitch
Package: usb-modeswitch
New: yes
State: not installed
Version: 1.1.4-2
Priority: extra
Section: comm
Maintainer: Didier Raboud <didier@raboud.com>
Uncompressed Size: 180 k
Depends: libc6 (>= 2.3), libusb-0.1-4 (>= 2:0.1.12), tcl | tclsh, usb-modeswitch-data (>= 20100127)
Suggests: comgt, wvdial
Description: mode switching tool for controlling "flip flop" USB devices
 Several new USB devices have their proprietary Windows drivers onboard, especially WAN dongles. When plugged in for the first time, they act like a flash storage and start installing the driver from there. If the driver is already installed, the storage device vanishes and a new device, such as an USB modem, shows up. This is called the "ZeroCD" feature.
 On Debian, this is not needed, since the driver is included as a Linux kernel module, such as "usbserial". However, the device still shows up as "usb-storage" by default. usb-modeswitch solves that issue by sending the command which actually performs the switching of the device from "usb-storage" to "usbserial".
 This package contains the binaries and the brother scripts.
Homepage: http://www.draisberghof.de/usb_modeswitch/
Tags: admin::hardware, hardware::usb, implemented-in::c, implemented-in::tcl, interface::commandline, role::program, use::configuring, use::driver

-- 
Regards,
Matthew Cengia

Another point, I believe some of these USB GSM modems on power up appear as a CD-ROM, a Linux program does exist that will switch the rest of the devices on, I have never used it though but it should not be too difficult to find. Lindsay

I've run a couple of Huawei USB modems under Debian Linux for a few years. The main difficulty is the setup, you'll need to save the configuration in the modem in Windows (I've had to do this for a modem for different providers), otherwise it's pretty simple to run. The other nice thing is that if you get the gammu package you can get/send text messages on it concurrently, mine uses ttyUSB3 for that. -- I love deadlines. I love the whooshing noise they make as they go by.

Additionally, if you want to really play with a Huawei, this seems to be a great site: http://3g-modem.wetpaint.com/page/common+AT-commands -- Unattributed this email sig is. -- Darth Vader

An additional point that may be of some use. I have now used the 3G internet access over two summers. I found the USB modem does not really like high temperatures. Under these conditions it slows way down. Asking around I have found this is a known problem with these. For the coming summer I am building a cooling unit consisting of a fan and a couple of Peltier modules to keep the USB modem cool. The thing works great in winter though. For normal internet access the service is great, for any large downloads it's WAY too expensive. For these I go into town to the internet cafe, one can get 4 gig for 3 dollars there AND it's fast, I can get 700 megabytes (1 Debian CD) in around 9 minutes. You can get the first 7 which is usually all one needs in around an hour. Lindsay

On 11/07/12 11:30, Lindsay Sprinter wrote:
For normal internet access the service is great, for any large downloads it's WAY too expensive. For these I go into town to the internet cafe, one can get 4 gig for 3 dollars there AND it's fast, I can get 700 megabytes (1 Debian CD) in around 9 minutes. You can get the first 7 which is usually all one needs in around an hour.
If there's reasonable access in town, maybe you could try something a former colleague managed.. he set up a kind of bucket chain of wifi links out from the edge of the town to his rural property. With directional antennas and line-of-sight you can get long distances, so not too many nodes are required. Just need a few windmills, silos or comms towers to attach 'em to.

On 11/07/12 11:30, Lindsay Sprinter wrote:
For normal internet access the service is great, for any large downloads it's WAY too expensive. For these I go into town to the internet cafe, one can get 4 gig for 3 dollars there AND it's fast, I can get 700 megabytes (1 Debian CD) in around 9 minutes. You can get the first 7 which is usually all one needs in around an hour.
If there's reasonable access in town, maybe you could try something a former colleague managed.. he set up a kind of bucket chain of wifi links out from the edge of the town to his rural property.
With directional antennas and line-of-sight you can get long distances, so not too many nodes are required. Just need a few windmills, silos or comms towers to attach 'em to.
How are these being powered? Just curious :) James

On 11/07/12 12:11, James Harper wrote:
On 11/07/12 11:30, Lindsay Sprinter wrote:
For normal internet access the service is great, for any large downloads it's WAY too expensive. For these I go into town to the internet cafe, one can get 4 gig for 3 dollars there AND it's fast, I can get 700 megabytes (1 Debian CD) in around 9 minutes. You can get the first 7 which is usually all one needs in around an hour.
If there's reasonable access in town, maybe you could try something a former colleague managed.. he set up a kind of bucket chain of wifi links out from the edge of the town to his rural property.
With directional antennas and line-of-sight you can get long distances, so not too many nodes are required. Just need a few windmills, silos or comms towers to attach 'em to.
How are these being powered? Just curious :)
Good question, I don't remember. I guess he was able to get power up to most of them somehow. I suppose solar would be an option too.

Toby Corkindale wrote:
On 11/07/12 12:11, James Harper wrote:
With directional antennas and line-of-sight you can get long distances, so not too many nodes are required. Just need a few windmills, silos or comms towers to attach 'em to.
How are these being powered? Just curious :)
Good question, I don't remember. I guess he was able to get power up to most of them somehow. I suppose solar would be an option too.
You did mention windmills... devices whose whole purpose is to generate power. :-)

Toby Corkindale wrote:
On 11/07/12 12:11, James Harper wrote:
With directional antennas and line-of-sight you can get long distances, so not too many nodes are required. Just need a few windmills, silos or comms towers to attach 'em to.
How are these being powered? Just curious :)
Good question, I don't remember. I guess he was able to get power up to most of them somehow. I suppose solar would be an option too.
You did mention windmills... devices whose whole purpose is to generate power. :-)
Power comes in many forms... I suspect that the power to mill grain isn't directly usable by a router though! james

Hi, On 11/07/2012 11:52 AM, Toby Corkindale wrote:
On 11/07/12 11:30, Lindsay Sprinter wrote:
For normal internet access the service is great, for any large downloads it's WAY too expensive. For these I go into town to the internet cafe, one can get 4 gig for 3 dollars there AND it's fast, I can get 700 megabytes (1 Debian CD) in around 9 minutes. You can get the first 7 which is usually all one needs in around an hour.
If there's reasonable access in town, maybe you could try something a former colleague managed.. he set up a kind of bucket chain of wifi links out from the edge of the town to his rural property.
With directional antennas and line-of-sight you can get long distances, so not too many nodes are required. Just need a few windmills, silos or comms towers to attach 'em to.
It would be great if you can find out all the details, I am sure others could benefit from this too ... those on poor DSL links because they are too far from the exchange for instance. -- Kind Regards AndrewM Andrew McGlashan Broadband Solutions now including VoIP Current Land Line No: 03 9012 2102 Mobile: 04 2574 1827 Fax: 03 9012 2178 National No: 1300 85 3804 Affinity Vision Australia Pty Ltd http://www.affinityvision.com.au http://adsl2choice.net.au In Case of Emergency -- http://www.affinityvision.com.au/ice.html

On Wed, 11 Jul 2012, Toby Corkindale wrote:
On 11/07/12 11:30, Lindsay Sprinter wrote:
For normal internet access the service is great, for any large downloads it's WAY too expensive. For these I go into town to the internet cafe, one can get 4 gig for 3 dollars there AND it's fast, I can get 700 megabytes (1 Debian CD) in around 9 minutes. You can get the first 7 which is usually all one needs in around an hour.
If there's reasonable access in town, maybe you could try something a former colleague managed.. he set up a kind of bucket chain of wifi links out from the edge of the town to his rural property.
With directional antennas and line-of-sight you can get long distances, so not too many nodes are required. Just need a few windmills, silos or comms towers to attach 'em to.
I looked into this some time back, the problem is no way is there a line of sight and to get line of sight would not really be feasible, not to say way too expensive. Security did not appear to be an issue as the radio link itself can be encrypted and all I talked to said this was OK. The current setup does what I need (Note 1) although I would say most would find it too restrictive. Remember this is a rural area, there is plenty to do outside, one is not forced by population pressure to stay inside. Lindsay Note 1: Even getting Debian now is no longer an issue as I can download the CDs from the cafe.

On 13/07/12 16:12, Lindsay Sprinter wrote:
On Wed, 11 Jul 2012, Toby Corkindale wrote:
On 11/07/12 11:30, Lindsay Sprinter wrote:
For normal internet access the service is great, for any large downloads it's WAY too expensive. For these I go into town to the internet cafe, one can get 4 gig for 3 dollars there AND it's fast, I can get 700 megabytes (1 Debian CD) in around 9 minutes. You can get the first 7 which is usually all one needs in around an hour.
If there's reasonable access in town, maybe you could try something a former colleague managed.. he set up a kind of bucket chain of wifi links out from the edge of the town to his rural property.
With directional antennas and line-of-sight you can get long distances, so not too many nodes are required. Just need a few windmills, silos or comms towers to attach 'em to.
I looked into this some time back, the problem is no way is there a line of sight and to get line of sight would not really be feasible, not to say way too expensive.
You mentioned before that you "use Virgin mobile broadband using the 12gig for $149 plan." What about getting a satellite connection? 9G for $35/month at 512kbps, or $100 for 15G at 1Mbps (based on the first provider I hit on google)

On Fri, 13 Jul 2012, Toby Corkindale wrote:
On 13/07/12 16:12, Lindsay Sprinter wrote:
On Wed, 11 Jul 2012, Toby Corkindale wrote:
On 11/07/12 11:30, Lindsay Sprinter wrote: With directional antennas and line-of-sight you can get long distances, so not too many nodes are required. Just need a few windmills, silos or comms towers to attach 'em to.
I looked into this some time back, the problem is no way is there a line of sight and to get line of sight would not really be feasible, not to say way too expensive.
You mentioned before that you "use Virgin mobile broadband using the 12gig for $149 plan."
What about getting a satellite connection? 9G for $35/month at 512kbps, or $100 for 15G at 1Mbps (based on the first provider I hit on google)
Thanks for the reply. Like all (most?) people I am limited with what I can do by personal choices. I do not have any kind of plastic money and I do NOT do direct debit. This is because I have had the unfortunate luck to have two of these go astray. The second being the killer as it involved a large sum of money ($6000) and both financial institutions refused to believe a problem existed and it took over 4 months to correct a problem that was the fault of one of the said institutions. The whole exercise being a real eye opener and how these people work. This choice severely limits how I can work in today's society, but it does of course go with my general philosophy of life. Both ISPs I work with have counter staff and allow direct payment in cash, both ISPs some of the last of the rugged individualists. This of course suits me well. Running Linux now for 19 years, Lindsay

Hi All, On 9/07/2012 8:38 PM, Mark Trickett wrote:
I have a friend currently running Windows on a laptop, where IE was so woeful that they were looking to upgrade the USB wireless broadband dongle. When I installed Firefox, matters improved, but some of the AV and malware software is not playing nice.
I am surprised that nobody seems to be concerned about the security of having your public IP address directly on the attached computer. Sure, you can firewall everything, but without a suitable firewall, your machine [Windows, Linux, Mac or other...] will be directly exposed to the Internet. I prefer to use MyFi type devices or mobiles as portable hotspots. Then there are also no issues with drivers on ANY machine and you only have to cater for local WiFi and/or a wired connection from the device. Here is one that I use: http://media.netcomm.com.au/public/assets/pdf_file/0014/33143/N3GT1W-Spec-Sh... - it has its own battery, takes a USB modem and provides portable hotspot WITH security in mind. Cheers -- Kind Regards AndrewM Andrew McGlashan Broadband Solutions now including VoIP Current Land Line No: 03 9012 2102 Mobile: 04 2574 1827 Fax: 03 9012 2178 National No: 1300 85 3804 Affinity Vision Australia Pty Ltd http://www.affinityvision.com.au http://adsl2choice.net.au In Case of Emergency -- http://www.affinityvision.com.au/ice.html

On Wed, 11 Jul 2012, Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> wrote:
I am surprised that nobody seems to be concerned about the security of having your public IP address directly on the attached computer. Sure, you can firewall everything, but without a suitable firewall, your machine [Windows, Linux, Mac or other...] will be directly exposed to the Internet.
If you use Windows (particularly the older versions) this is a problem. Modern Linux distributions tend to have almost nothing listening for inbound connections by default so this shouldn't be an issue. Most people here probably started using Linux after ssh obsoleted telnet and rsh for remote logins and after shadow password became mandatory everywhere. There are probably very few people here who can remember the old days when Unix was insecure. http://www.coker.com.au/selinux/play.html Let me know if there's any particular application which you think is a security risk which is typically listening for connections from the outside world and I'll add it to my Play Machine. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

On Wed, 11 Jul 2012, Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> wrote:
I am surprised that nobody seems to be concerned about the security of having your public IP address directly on the attached computer. Sure, you can firewall everything, but without a suitable firewall, your machine [Windows, Linux, Mac or other...] will be directly exposed to the Internet.
If you use Windows (particularly the older versions) this is a problem.
Modern Linux distributions tend to have almost nothing listening for inbound connections by default so this shouldn't be an issue.
Most people here probably started using Linux after ssh obsoleted telnet and rsh for remote logins and after shadow password became mandatory everywhere. There are probably very few people here who can remember the old days when Unix was insecure.
http://www.coker.com.au/selinux/play.html
Let me know if there's any particular application which you think is a security risk which is typically listening for connections from the outside world and I'll add it to my Play Machine.
It's been a while since I installed a Debian machine via any other means than debootstrap... do any flavours of Linux these days take any steps to ensure you choose a sensible password? A computer without a firewall is only as secure as the user that set it up, regardless of the OS. So if the user didn't choose a good password, and ran openssh-server with password authentication, then we have a problem. (or maybe modern distributions don't enable password authentication on ssh by default?? In which case I withdraw my remarks :) For my kids at home, I just used their name as a password (a 2 year old can easily learn to type their name (or a shortened version of), but probably not a password that anyone would consider secure), but I separated that machine from anything that could attack it. Someone without any network knowledge wouldn't be able to do that. James

On Wed, 11 Jul 2012, James Harper <james.harper@bendigoit.com.au> wrote:
It's been a while since I installed a Debian machine via any other means than debootstrap... do any flavours of Linux these days take any steps to ensure you choose a sensible password? A computer without a firewall is only as secure as the user that set it up, regardless of the OS.
I recently installed a Ubuntu 12.04 on my test network and it whinged about the password.
So if the user didn't choose a good password, and ran openssh-server with password authentication, then we have a problem. (or maybe modern distributions don't enable password authentication on ssh by default?? In which case I withdraw my remarks :)
I think that most of them enable passwords by default.
For my kids at home, I just used their name as a password (a 2 year old can easily learn to type their name (or a shortened version of), but probably not a password that anyone would consider secure), but I separated that machine from anything that could attack it. Someone without any network knowledge wouldn't be able to do that.
For such systems the best thing to do is use AllowUsers or one of the related options. Young kids don't need to ssh in to a system. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

James Harper <james.harper@bendigoit.com.au> wrote:
It's been a while since I installed a Debian machine via any other means than debootstrap... do any flavours of Linux these days take any steps to ensure you choose a sensible password? A computer without a firewall is only as secure as the user that set it up, regardless of the OS.
I think there are checks performed on passwords entered by users other than root, but I'm not sure.
So if the user didn't choose a good password, and ran openssh-server with password authentication, then we have a problem. (or maybe modern distributions don't enable password authentication on ssh by default?? In which case I withdraw my remarks :)
Debian enable password authentication by default; I always turn it off, though. People who don't have keys or who don't know how to use them have no business logging into my machines remotely.

Jason White <jason@jasonjgw.net> wrote:
James Harper <james.harper@bendigoit.com.au> wrote:
It's been a while since I installed a Debian machine via any other means than debootstrap... do any flavours of Linux these days take any steps to ensure you choose a sensible password? A computer without a firewall is only as secure as the user that set it up, regardless of the OS.
I think there are checks performed on passwords entered by users other than root, but I'm not sure.
I can confirm that checks are performed:
/etc/pam.d/common-password:
password [success=1 default=ignore] pam_unix.so obscure sha512
The obscure option performs the checks listed in the pam_unix(8) manual page.

Quoting Jason White (jason@jasonjgw.net):
I can confirm that checks are performed:
/etc/pam.d/common-password:
password [success=1 default=ignore] pam_unix.so obscure sha512
The obscure option performs the checks listed in the pam_unix(8) manual page.
Eh, you're right. That's the modern implementation. (Obsoletes what I posted a few minutes ago.) People with ongoing users from a long time ago may still be using weak passwords with quaint hashing methods no longer recommended by anyone, e.g., md5 or DES. You can tell by noting the hashing prefix in /etc/shadow. $6 is sha512. Anything lower is a somewhat obsolete hashing method. Not exactly an emergency, though: If someone is able to steal your /etc/shadow, you have much bigger worries than weak password hashes.
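To apply Rick's prefix check to every account at once rather than eyeballing /etc/shadow, here is an added Python audit (not from the list or from any of the posters); the shadow entries it runs on are constructed and the hash bodies are dummies, since only the prefix matters for the classification.

```python
"""Flag weak or empty password hashes in /etc/shadow-format lines.

Added example, not from the list post.  It follows the rule of thumb
above: the crypt(3) prefix names the hash method ($6$ = sha512) and the
older methods deserve a password change.  Sample entries are constructed.
"""
import re
from typing import Dict, List

# crypt(3) prefixes and the method they identify.
PREFIXES = {
    "$1$": "md5",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256",
    "$6$": "sha512",
    "$y$": "yescrypt",
}
OBSOLETE = {"des", "md5"}                 # the "quaint" methods from the post
_DES = re.compile(r"[./0-9A-Za-z]{13}")   # classic 13-character DES crypt


def classify(pw_field: str) -> str:
    """Name the hash method of one shadow password field."""
    if pw_field == "":
        return "empty"
    if pw_field[0] in "!*":
        return "locked"   # password login disabled for this account
    for prefix, method in PREFIXES.items():
        if pw_field.startswith(prefix):
            return method
    if _DES.fullmatch(pw_field):
        return "des"
    return "unknown"


def audit_shadow(shadow_text: str) -> List[Dict[str, str]]:
    """One finding per account: user, method and the issue (if any)."""
    findings = []
    for raw in shadow_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 2:
            continue          # not a shadow entry
        user, pw_field = fields[0], fields[1]
        method = classify(pw_field)
        if method == "empty":
            issue = "no password set; login without one depends only on pam_unix's nullok"
        elif method in OBSOLETE:
            issue = f"{method} hash; have the user change the password so it is re-hashed"
        elif method == "unknown":
            issue = "unrecognised hash format, check by hand"
        else:
            issue = ""
        findings.append({"user": user, "method": method, "issue": issue})
    return findings


def needs_attention(findings: List[Dict[str, str]]) -> List[str]:
    """Users whose entry carries an issue, in file order."""
    return [f["user"] for f in findings if f["issue"]]


# Constructed sample; the numeric fields are the usual lastchg:min:max:warn:::.
SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealsha512hashbody:15500:0:99999:7:::
rick:$y$j9T$notarealyescrypthash:15500:0:99999:7:::
legacy:$1$saltsalt$notarealmd5hash:12000:0:99999:7:::
olduser:Ab/cDeFgHiJkL:10000:0:99999:7:::
guest::15500:0:99999:7:::
daemon:*:15500:0:99999:7:::
kid:!$6$saltsalt$lockedbutoldhash:15500:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{finding['user']:8} {finding['method']:9} {finding['issue']}")
```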

James Harper wrote:
It's been a while since I installed a Debian machine via any other means than debootstrap... do any flavours of Linux these days take any steps to ensure you choose a sensible password? A computer without a firewall is only as secure as the user that set it up, regardless of the OS.
Last time I looked, in d-i Ubuntu checked password strength (but did not enforce it); Debian did not check it. I cannot comment on ubiquity. This is for the initial user. Once install has completed, it would depend on how you were adding accounts (e.g. adduser, or LDAP, or what?) and whether strength checking was enabled in e.g. /etc/pam*. I don't know offhand. As at lucid, RFC2307 accounts in slapd do not have password strength checking when setting passwords with exop. There is an option for it in the slapo_ppolicy overlay, but you must write your own C function to perform the check.
So if the user didn't choose a good password, and ran openssh-server with password authentication, then we have a problem. (or maybe modern distributions don't enable password authentication on ssh by default?? In which case I withdraw my remarks :)
I am repeatedly annoyed that "apt-get install openssh-server" results in a daemon binding to *:22 by default. IMO it should behave like all other daemons and either not run, or bind only to lo by default. Otherwise, there is an (admittedly small) window between installing sshd, and locking down sshd_config, in which people can attack sshd in its default configuration.
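An added example (not code from the list) that checks a copy of sshd_config for the three settings the posts above turn on: PasswordAuthentication (on by default in OpenSSH), ListenAddress (absent means every interface, including the public IP a 3G dongle hands you) and AllowUsers/AllowGroups. The two sample configs are constructed.

```python
"""Audit an sshd_config for the defaults discussed in the thread.

Added example, not code from the list.  Sample configs are constructed.
"""
import re
from typing import Dict, List

# "Keyword value" or "Keyword=value"; sshd accepts either separator.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")
ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Global keyword (lower-cased) -> values in file order.

    sshd honours the FIRST value it sees for a keyword, so duplicates are
    kept in order.  Keywords after a Match line apply only conditionally and
    are left out of the global view.
    """
    conf: Dict[str, List[str]] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        key = (m.group(1) if m else line).lower()
        value = m.group(2).strip() if m else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            conf.setdefault(key, []).append(value)
    return conf


def effective(conf: Dict[str, List[str]], key: str, default: str) -> str:
    """The value sshd would use: the first one given, else the supplied default."""
    values = conf.get(key.lower())
    return values[0].lower() if values else default


def _host(listen_value: str) -> str:
    """Strip port and rdomain from a ListenAddress value."""
    addr = listen_value.split()[0]            # drop "rdomain ..." if present
    if addr.startswith("["):                  # [IPv6]:port
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:                  # IPv4:port or host:port
        return addr.split(":")[0]
    return addr


def audit_sshd_config(text: str) -> List[str]:
    """Return findings; an empty list means all checks pass."""
    conf = parse_sshd_config(text)
    issues: List[str] = []
    if effective(conf, "PasswordAuthentication", "yes") == "yes":
        issues.append("PasswordAuthentication is on (the OpenSSH default): "
                      "passwords can be guessed over the network")
    hosts = [_host(v) for v in conf.get("listenaddress", [])]
    if not hosts or any(h in ALL_INTERFACES for h in hosts):
        issues.append("sshd binds every address (no ListenAddress, or a wildcard), "
                      "so the public interface is reachable too")
    if not conf.get("allowusers") and not conf.get("allowgroups"):
        issues.append("no AllowUsers/AllowGroups: every local account is a login target")
    if effective(conf, "PermitRootLogin", "") == "yes":
        issues.append("PermitRootLogin yes: root is exposed to password guessing")
    return issues


# Constructed: what a fresh install looks like once the comments are ignored.
FRESH_INSTALL = """\
# Package generated configuration file
Port 22
#ListenAddress ::
#ListenAddress 0.0.0.0
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
"""

# Constructed: the lock-down described in the posts above.
LOCKED_DOWN = """\
Port 22
ListenAddress 127.0.0.1
PasswordAuthentication no
PermitRootLogin no
AllowUsers trent jason
Match Address 10.0.0.0/8
    PasswordAuthentication yes   # conditional: LAN only, global setting unchanged
"""

if __name__ == "__main__":
    for name, cfg in (("fresh install", FRESH_INSTALL), ("locked down", LOCKED_DOWN)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```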

I am repeatedly annoyed that "apt-get install openssh-server" results in a daemon binding to *:22 by default. IMO it should behave like all other daemons and either not run, or bind only to lo by default.
Otherwise, there is an (admittedly small) window between installing sshd, and locking down sshd_config, in which people can attack sshd in its default configuration.
Unless you are running a firewall ;) James

Quoting Trent W. Buck (trentbuck@gmail.com):
Otherwise, there is an (admittedly small) window between installing sshd, and locking down sshd_config, in which people can attack sshd in its default configuration.
(For values of 'attack' approximating twisting a house's front doorknob.) Anyone who's run a public sshd and noted automated attempts to login using 'joe' account/password combinations will have noticed that the rate of traffic involved is really slow. It would be interesting to run the numbers on that; I'll readily confess I haven't, but breaking into systems that way strikes me as pretty improbable under most circumstances, and basically not worth worrying about unless you have users who use _literally_ trivially guessable credentials. (I've run Linux servers fully exposed to the Internet since 1993, FWIW.)
Anyway, to enforce password strength on all non-root users:
1. Install libpam_cracklib. (In Debian, that's the literal package name.)
2. Add this to /etc/pam.d/common-password:
password required pam_cracklib.so retry=2 minlen=10 difok=3
'difok' should be visually parsed as 'diff OK', and specifies the number of characters permitted to be the same between password N and password N+1.
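Rick suggests running the numbers on the guess rate; this added Python script (not from the list or from Rick) does exactly that over "Failed password" lines in the syslog format sshd writes, grouping them by source and turning the observed rate into a time-to-exhaust figure for a dictionary of a given size. The log lines are constructed and, because syslog timestamps carry no year, are assumed to be from 2012.

```python
"""Run the numbers on sshd password-guessing traffic from auth.log lines.

Added example for the discussion above, not code from the list.  The log
lines are constructed; the year is an assumption (syslog omits it).
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LOG_YEAR = 2012   # assumption: syslog timestamps carry no year

# sshd's own wording: "invalid user" is present when the account does not exist.
_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text: str) -> List[Dict]:
    """One event per 'Failed password' line; other sshd lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = _FAILED.search(line)
        if not m:
            continue
        when = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"when": when, "user": m["user"], "ip": m["ip"],
                       "valid_user": m["invalid"] is None})
    return events


def summarise(events: List[Dict]) -> Dict:
    """Per-source counts plus the overall guesses-per-hour figure."""
    per_ip: Dict[str, Dict] = defaultdict(lambda: {"attempts": 0, "users": set()})
    for e in events:
        per_ip[e["ip"]]["attempts"] += 1
        per_ip[e["ip"]]["users"].add(e["user"])
    rate: Optional[float] = None
    if len(events) >= 2:
        first = min(e["when"] for e in events)
        last = max(e["when"] for e in events)
        span_hours = (last - first).total_seconds() / 3600
        if span_hours > 0:
            rate = len(events) / span_hours
    return {
        "total": len(events),
        "per_ip": {ip: {"attempts": d["attempts"], "users": sorted(d["users"])}
                   for ip, d in per_ip.items()},
        "guesses_per_hour": rate,
    }


def hours_to_exhaust(dictionary_size: int, guesses_per_hour: float) -> float:
    """Time for a guesser at the observed rate to try every word once."""
    return dictionary_size / guesses_per_hour


def against_real_accounts(events: List[Dict]) -> List[Dict]:
    """Failures that name accounts which really exist: the ones worth watching,
    since sshd tags the non-existent names with 'invalid user'."""
    return [e for e in events if e["valid_user"]]


# Constructed auth.log extract: two guessers over ten minutes, one real login.
SAMPLE_AUTH_LOG = """\
Jul 13 02:14:07 box sshd[4101]: Failed password for invalid user joe from 203.0.113.5 port 51234 ssh2
Jul 13 02:15:42 box sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jul 13 02:17:03 box sshd[4105]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Jul 13 02:18:30 box sshd[4107]: Accepted publickey for rick from 198.51.100.7 port 40000 ssh2
Jul 13 02:19:55 box sshd[4109]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jul 13 02:21:10 box sshd[4111]: Failed password for invalid user oracle from 198.51.100.23 port 3022 ssh2
Jul 13 02:22:48 box sshd[4113]: Failed password for rick from 203.0.113.5 port 51260 ssh2
Jul 13 02:24:07 box sshd[4115]: Failed password for invalid user joe from 198.51.100.23 port 3030 ssh2
"""

if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_AUTH_LOG)
    summary = summarise(events)
    print(summary)
    print("hours to try 100000 words at this rate:",
          hours_to_exhaust(100000, summary["guesses_per_hour"]))
    print("real accounts targeted:", [e["user"] for e in against_real_accounts(events)])
```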

On Fri, 13 Jul 2012, Rick Moen <rick@linuxmafia.com> wrote:
(For values of 'attack' approximating twisting a house's front doorknob.)
Anyone who's run a public sshd and noted automated attempts to login using 'joe' account/password combinations will have noticed that the rate of traffic involved is really slow.
http://etbe.coker.com.au/2012/07/09/postfwd-local-email/ I recently had a SMTP AUTH account compromised. It took almost two years and the user-name was test@coker.com.au which would have to be in the top five most guessable addresses in my domain. But I guess the issue with ssh would be whether people get to the next step. I'm sure that sometimes people do the "install openssh-server" step but then get distracted before the "lock it down to only accounts with good passwords" step. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

Quoting Russell Coker (russell@coker.com.au):
http://etbe.coker.com.au/2012/07/09/postfwd-local-email/
I recently had an SMTP AUTH account compromised.
Connection attempts to an MTA can be made at a rate orders of magnitude faster than can be made to an sshd. As I said, anyone who's run a public sshd and noted automated attempts to login using 'joe' account/password combinations will have noticed that the rate of traffic involved is really slow. Also, I'll note your blog takes as given that guessing the password was the vector for compromise. Could be, or might not be. Anyway, FWIW, net.randoms' SSH password guessing attempts against the 'rick' login on linuxmafia.com have been ongoing for about 19 years, now. No luck yet.

On Fri, 13 Jul 2012, Rick Moen <rick@linuxmafia.com> wrote:
Quoting Russell Coker (russell@coker.com.au):
http://etbe.coker.com.au/2012/07/09/postfwd-local-email/
I recently had an SMTP AUTH account compromised.
Connection attempts to an MTA can be made at a rate orders of magnitude faster than can be made to an sshd.
If they did make lots of connections then I would have noticed. The number of login errors etc didn't increase much.
Also, I'll note your blog takes as given that guessing the password was the vector for compromise. Could be, or might not be.
If they had some better way of gaining access then they would have done something more useful than send out spam from the test account. If they were doing something more useful then they wouldn't have sent out spam to avoid drawing attention to themselves.

Quoting Russell Coker (russell@coker.com.au):
If they did make lots of connections then I would have noticed. The number of login errors etc didn't increase much.
If you're saying they guessed your SMTP auth credentials without very many connection attempts, maybe you ought to be trying to figure out _how_ they arrived at the right solution so quickly. I'd love to help figure that out, but lack the raw data.
If they had some better way of gaining access then they would have done something more useful than send out spam from the test account.
Oh, I wouldn't be so sure. Many security breakins are not only not very intelligent but in fact are run by completely automated (and necessarily single-minded) processes.

Rick Moen <rick@linuxmafia.com> wrote:
Oh, I wouldn't be so sure. Many security breakins are not only not very intelligent but in fact are run by completely automated (and necessarily single-minded) processes.
They are. I've even had such scripts probe the same port on my machine for days despite the "port unreachable" replies. That isn't very intelligent, but as they're very likely to be attacking from stolen resources (compromised Windows machines) the crackers just don't care even if they're smart enough to know.

Rick Moen <rick@linuxmafia.com> wrote:
Anyone who's run a public sshd and noted automated attempts to login using 'joe' account/password combinations will have noticed that the rate of traffic involved is really slow. It would be interesting to run the numbers on that; I'll readily confess I haven't, but breaking into systems that way strikes me as pretty improbable under most circumstances, and basically not worth worrying about unless you have users who use _literally_ trivially guessable credentials.
I agree, and if you do have such users there is every reason to follow Rick's excellent advice (not quoted here) for strengthening the checks performed on candidate passwords. It doesn't take long to shut down ssh before editing /etc/ssh/sshd_config to set PasswordAuthentication no. If I didn't want ssh to listen on non-local interfaces, I wouldn't install the package in the first place.
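As an added example of the check Jason describes (my code, not anything from the thread or from OpenSSH), here is a small Python audit of an sshd_config that reports whether password logins are still reachable. It honours sshd's rule that the first value seen for a keyword wins, treats a commented-out line as absent (so the compiled-in default applies), and flags the case people miss after setting PasswordAuthentication no: with UsePAM yes and ChallengeResponseAuthentication yes, the keyboard-interactive method still prompts for a password. The sample configs are constructed; the defaults table is OpenSSH 6.x's, and PermitRootLogin changed to prohibit-password in 7.0.

```python
"""Audit an sshd_config for password-based login paths.
Added example; not OpenSSH code. sshd uses the FIRST value it sees for a
keyword, and a commented-out line is simply absent, so the compiled-in
default applies. Defaults below are OpenSSH 6.x era."""

DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",          # prohibit-password from OpenSSH 7.0
    "usepam": "no",                    # Debian ships an explicit UsePAM yes
}

# Constructed sample: a freshly installed Debian sshd_config, trimmed.
SAMPLE_DEFAULT = """\
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample: the same file after locking it down.
SAMPLE_HARDENED = """\
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
UsePAM yes
"""


def parse_sshd_config(text):
    """Return (global_options, match_blocks).

    global_options maps lower-cased keyword -> first value seen (sshd's rule);
    match_blocks is a list of (criteria, {keyword: value}) per Match block.
    Only the "Keyword value" spelling is handled, not "Keyword=value"."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            matches.append((value, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(keyword, value)     # first value wins
    return global_opts, matches


def effective(global_opts, keyword):
    key = keyword.lower()
    return global_opts.get(key, DEFAULTS[key]).lower()


def audit(text):
    """Return a list of findings; an empty list means no password path found."""
    g, matches = parse_sshd_config(text)
    findings = []
    if effective(g, "PasswordAuthentication") == "yes":
        findings.append("PasswordAuthentication is effectively yes")
    if (effective(g, "UsePAM") == "yes"
            and effective(g, "ChallengeResponseAuthentication") == "yes"):
        findings.append("ChallengeResponseAuthentication yes with UsePAM: "
                        "keyboard-interactive still prompts for a password")
    if effective(g, "PermitRootLogin") == "yes":
        findings.append("PermitRootLogin is effectively yes")
    for criteria, opts in matches:
        if opts.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {criteria}: PasswordAuthentication re-enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(cfg) or ["ok"])
```

Run it against /etc/ssh/sshd_config right after the package is installed and again after editing; the Match-block finding is there because a per-user re-enable is easy to forget about when reading the top of the file.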

Trent W. Buck <trentbuck@gmail.com> wrote:
But we all (well, Russell and I) just agreed that stuff shouldn't listen until explicitly told to! Why should sshd be an exception?
I suppose I don't agree with the principle. I think that if you run, say, Postfix, it's perfectly reasonable to have a default configuration that listens to non-local interfaces. I don't want to get into a disagreement about this, but I really don't think there's much point in installing and starting something which exists primarily or only to accept network connections unless you want it to do precisely that. Of course, I think the default configuration should include reasonable security precautions, but that's a separate issue. For example, perhaps PasswordAuthentication no should be the default for ssh, except in live distributions where keys may not be available and quick access is paramount.

Quoting Trent W. Buck (trentbuck@gmail.com):
But we all (well, Russell and I) just agreed that stuff shouldn't listen until explicitly told to! Why should sshd be an exception?
The world would be a better and more wondrous place if more people were aware of and used ssh localhost. 'ssh -X root@localhost', for example. In this sad world of ours, alas, an intent to offer remote access is generally deemed implicit in enabling an sshd. (Some universes may differ. Offer void where prohibited.)

On 13 July 2012 11:54, Rick Moen <rick@linuxmafia.com> wrote:
The world would be a better and more wondrous place if more people were aware of and used ssh localhost. 'ssh -X root@localhost', for example.
Too scary; what if I get the answer to the following wrong?

brian@aquitard:~$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is 2c:6d:99:8b:b8:92:99:e4:29:9c:e0:27:f9:e9:9b:a2.
Are you sure you want to continue connecting (yes/no)? ^C

Somebody might be intercepting packages on my lo network! How can I be sure that I am really me? -- Brian May <brian@microcomaustralia.com.au>

Jason White wrote:
If I didn't want ssh to listen on non-local interfaces, I wouldn't install the package in the first place.
But we all (well, Russell and I) just agreed that stuff shouldn't listen until explicitly told to! Why should sshd be an exception?
I'm sure there was an implied "where it makes sense" for that agreement though. Why would you install ssh server if you didn't want to use it remotely? I don't think it installs by default on any of the distributions I'm familiar with (which these days is 2!) and it's next to useless without remote access unlike (say) mysql which definitely shouldn't listen on anything but 127.0.0.1 by default. James

Quoting Jason White (jason@jasonjgw.net):
It doesn't take long to shut down ssh before editing /etc/ssh/sshd_config to set PasswordAuthentication no.
Personally, I wouldn't even do that. (In fact, I don't do it.) The PAM details mentioned upthread prevent non-root users from using trivially guessable 'joe account' passwords. Once those are out of the picture, guessing just isn't a credible threat. Stolen credentials, by contrast, are -- and both passwords and keypairs can be equally easily stolen on a compromised host and then used to impersonate users in connection sessions to elsewhere. Illustrative example: http://linuxmafia.com/faq/Security/breakin-without-remote-vulnerability.html Rumours that the unnamed enterprise was VA Linux Systems, Inc. and that it was hax0red because an IT Department member incautiously ssh'ed _inwards_ from shells.sourceforge.net, will not be confirmed. ;-> Also relevant is the lessons of the Debian Project security incident of 2003: http://linuxmafia.com/~rick/constructive-paranoia.html

Quoting Jason White (jason@jasonjgw.net):
It doesn't take long to shut down ssh before editing /etc/ssh/sshd_config to set PasswordAuthentication no.
Personally, I wouldn't even do that. (In fact, I don't do it.)
The PAM details mentioned upthread prevent non-root users from using trivially guessable 'joe account' passwords. Once those are out of the picture, guessing just isn't a credible threat.
I'm glad to hear someone else say that.
Stolen credentials, by contrast, are -- and both passwords and keypairs can be equally easily stolen on a compromised host and then used to impersonate users in connection sessions to elsewhere.
For us know-it-all IT types that might be true, but many people use the same username and password _everywhere_, so it is far more likely to have a username/password combination stolen than a key and I wouldn't say "equally easily stolen". There's a scam going around that involves smsing the stolen username and password back to the user... I'm not sure exactly how the scam works (or even if I am correct in calling it a scam) but I have spoken to someone who has had this happen to them, and it seems to be happening to others as well http://whocallsme.com/Phone-Number.aspx/0458702000 (that's the same number as the person I spoke to). I wonder if the sms-back is a way of getting confirmation of the credentials before trying them (eg waiting for a response like "wtf hw did u no my pass?!1!?1?"). Or maybe it's a whitehat letting people know that they have access to a username, password, and mobile number. James

Quoting James Harper (james.harper@bendigoit.com.au):
For us know-it-all IT types that might be true, but many people use the same username and password _everywhere_, so it is far more likely to have a username/password combination stolen than a key and I wouldn't say "equally easily stolen".
I submit that someone who uses the same username/password everywhere is rather likely to use the same keypair and passphrase in as many places as possible, too. If he/she merely uses the same SSH passphrase everywhere, that's just about as bad, because it means the private key can get stolen and used locally, and then the imposter sshes to the next system, repeats the theft, und so weiter. But yes, users' attraction to credential reuse is one of the Big Problems. FWIW, my own solution is to run Martin Pool's Keyring on a PalmOS PDA. http://gnukeyring.sourceforge.net/

Rick Moen wrote:
If he/she merely uses the same SSH passphrase everywhere, that's just about as bad, because it means the private key can get stolen and used locally, and then the imposter sshes to the next system, repeats the theft, und so weiter.
That sounds like the user leaves private keys on intermediary hops (cf. -oProxyCommand or -oForwardAgent, which have different attack profiles).

Quoting Trent W. Buck (trentbuck@gmail.com):
That sounds like the user leaves private keys on intermediary hops (cf. -oProxyCommand or -oForwardAgent, which have different attack profiles).
A commendable tactic to eliminate risk from SSH gateways. In case you haven't seen it: http://chainssh.sourceforge.net/ Also worthy of note: https://www.ibm.com/developerworks/linux/library/l-keyc3/ My point concerned anywhere the user _does_ for whatever reason feel a need to house private keys. Even professional paranoics (sysadmins) tend to find themselves unable to restrict ssh/scp connections strictly to ones outbound from the Sanctum Sanctorum host, and have private keys reside _only_ there. -- Cheers, "Overheard a hipster say 'Quinoa is kind of 2011', Rick Moen so I lit his beard on fire." -- Kelly Oxford rick@linuxmafia.com McQ! (4x80)
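To make the "different attack profiles" Trent mentions concrete, an added ssh_config fragment (mine, not from chainssh or anyone in the thread; the host names are placeholders) showing the two ways of reaching a host behind a gateway side by side. The first leaves either a private key or a forwarded agent socket on the gateway, which is what Rick's stolen-key chain relies on; the second authenticates end to end from the workstation, so nothing usable lands on the hop.

```sshconfig
# ~/.ssh/config on the workstation that holds the only copy of the key.
# Added example; gateway/inner are placeholders.

# Weak pattern: log in to the gateway and ssh onward from there. That only
# works if a private key lives on the gateway, or your agent is reachable
# there via ForwardAgent, and whoever is root on the gateway can use either.
Host gateway
    HostName gateway.example.net
    ForwardAgent yes        # agent socket exposed to root on the gateway

# Safer pattern: tunnel through the gateway. The inner host's key exchange
# and your key-based authentication run end to end from this machine;
# the gateway only relays bytes and never sees key material or an agent.
Host inner
    HostName inner.example.net
    ProxyJump gateway                      # OpenSSH 7.3 or later
    # ProxyCommand ssh -W %h:%p gateway    # equivalent on older releases
    ForwardAgent no
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_inner
```

ProxyJump post-dates the thread (it arrived in OpenSSH 7.3); the ProxyCommand with -W line is what was available in 2012 and behaves the same way. The gateway still sees who connects to what, so the host key of the inner host must already be in known_hosts on the workstation for this to defeat a hostile hop.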

Rick Moen wrote:
Stolen credentials, by contrast, are -- and both passwords and keypairs can be equally easily stolen on a compromised host and then used to impersonate users in connection sessions to elsewhere.
It's worth noting that a passphrase-protected SSH private key, once stolen, can have its passphrase cracked offline at leisure. With existing tools -- ssh-keygen -p.
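An added Python example (mine, not from the thread) that answers the question this raises for a stolen key file: is it protected at all, and how much work is each passphrase guess? It reads the two OpenSSH private-key containers by header only. In the legacy PEM form, "Proc-Type: 4,ENCRYPTED" marks a key whose passphrase is turned into a cipher key by a single MD5 pass, so guessing is cheap; the openssh-key-v1 form records the cipher, the bcrypt KDF and its round count (ssh-keygen -o, with -a for the rounds, from OpenSSH 6.5, and the default format since 7.8). The sample keys are constructed containers with filler where the key material would be, which is all the parser needs.

```python
"""Inspect how an OpenSSH private key is protected at rest.
Added example, not OpenSSH code. Reads container headers only; the key
material is never parsed, so the samples use filler in its place."""
import base64
import struct

MAGIC = b"openssh-key-v1\0"


def _string(data):
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem_text):
    """Return {'format', 'encrypted', 'cipher', 'kdf', 'rounds'} for a key file."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 container")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":                 # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): encryption is signalled by
    # RFC 1421 headers before a blank line; base64 lines never contain ':'.
    headers = {}
    for line in body:
        if not line or ":" not in line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    encrypted = headers.get("Proc-Type", "").startswith("4,ENCRYPTED")
    return {"format": "pem", "encrypted": encrypted,
            "cipher": headers.get("DEK-Info", "none").split(",")[0],
            "kdf": "openssl-md5" if encrypted else "none",   # EVP_BytesToKey, one MD5 pass
            "rounds": 1 if encrypted else None}


def guess_cost(info):
    """One-line verdict on what someone holding the file is up against."""
    if not info["encrypted"]:
        return "none: the key is usable as stolen"
    if info["format"] == "pem":
        return "low: one MD5 pass per passphrase guess"
    return f"bcrypt, {info['rounds']} rounds per guess (raise with ssh-keygen -o -a N)"


def build_sample_openssh_key(cipher=b"aes256-ctr", rounds=16):
    """Constructed openssh-key-v1 container; key sections are filler."""
    if cipher == b"none":
        kdf, kdfopts = b"none", b""
    else:
        kdf, kdfopts = b"bcrypt", _string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (MAGIC + _string(cipher) + _string(kdf) + _string(kdfopts)
            + struct.pack(">I", 1)                        # number of keys
            + _string(b"filler public key")
            + _string(b"filler standing in for the encrypted private section"))
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy sample: the headers are real, the base64 body is filler.
LEGACY_ENCRYPTED_SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0F1E2D3C4B5A69788796A5B4C3D2E1F0

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eg==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for sample in (LEGACY_ENCRYPTED_SAMPLE, build_sample_openssh_key(),
                   build_sample_openssh_key(b"none")):
        info = inspect_private_key(sample)
        print(info["format"], info["cipher"], guess_cost(info))
```

Run inspect_private_key over the id_* files in every ~/.ssh you administer: a "pem" result with encrypted True is exactly the case where an offline guess at the passphrase is cheap, and ssh-keygen -p -o -a 100 rewrites such a key into the bcrypt container without changing the key itself.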

Rick Moen wrote:
Quoting Trent W. Buck (trentbuck@gmail.com):
Otherwise, there is an (admittedly small) window between installing sshd, and locking down sshd_config, in which people can attack sshd in its default configuration.
(For values of 'attack' approximating twisting a house's front doorknob.)
I realize that; it's the principle of the thing.
1. Install libpam_cracklib . (In Debian, that's the literal package name.)
- not _ ;-)

On 13/07/12 05:51, Rick Moen wrote:
Anyone who's run a public sshd and noted automated attempts to login using 'joe' account/password combinations will have noticed that the rate of traffic involved is really slow.
What is your definition of really slow? cheers, Chris -- Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC

Quoting Chris Samuel (chris@csamuel.org):
What is your definition of really slow?
I already said I haven't run the numbers. However, you are welcome to put an ssh up and see for yourself.

Rick Moen wrote:
Quoting Chris Samuel (chris@csamuel.org):
What is your definition of really slow?
I already said I haven't run the numbers. However, you are welcome to put an ssh up and see for yourself.
I was getting enough of them that I instructed my firewall to blacklist (for an hour) any IP making more than three SSH attempts in a minute. All traffic in the blacklist gets tarpitted. Subsequent traffic resets the blacklist timer back to one hour. Password auth is off ANYWAY, but log flooding was annoying me. Hopefully tarpitting also increases operational-costs-per-compromise for the attackers, too. http://cyber.com.au/~twb/doc/iptab.ips

Rick Moen wrote:
Quoting Chris Samuel (chris@csamuel.org):
What is your definition of really slow?
I already said I haven't run the numbers. However, you are welcome to put an ssh up and see for yourself.
I was getting enough of them that I instructed my firewall to blacklist (for an hour) any IP making more than three SSH attempts in a minute. All traffic in the blacklist gets tarpitted. Subsequent traffic resets the blacklist timer back to one hour.
I found that 5 minutes (vs your 1 hour) was enough to be entirely effective, and I used xt_recent (or ipt_recent depending on your netfilter version), and applied the same trick to all the RDP and FTP servers running in the same subnet. Additionally, I have nominated a few IP addresses in the /24s that nothing is published on which trigger the same blacklisting, so anyone attempting a sweep finds all services unresponsive very quickly.
Password auth is off ANYWAY, but log flooding was annoying me. Hopefully tarpitting also increases operational-costs-per-compromise for the attackers, too.
Yes that was my reason for blocking too... too much noise in the logs makes log analysis difficult. For the same reason I've changed ports in a lot of cases too - now when I see traffic its probably worth following up. James

Quoting James Harper (james.harper@bendigoit.com.au):
Yes that was my reason for blocking too... too much noise in the logs makes log analysis difficult. For the same reason I've changed ports in a lot of cases too - now when I see traffic its probably worth following up.
Personally, I regard that as solving the wrong problem. Instead, I tweak logfile analysis to ignore basically meaningless so-called 'attacks' (net.randoms' doorknob-twisting of the sshd, etc.). (Noise in your logs? Of course there's noise in your logs. It's the Internet, after all. If the 'flooding' bothers you, don't look at it.) Automated iptables blacklists are mostly just a clever way to DoS yourself, in my experience, and add to system complexity and impair the goal of deterministic behaviour without any benefit worth having. Your Mileage May Differ[tm].

Rick Moen wrote:
Quoting James Harper (james.harper@bendigoit.com.au):
Yes that was my reason for blocking too... too much noise in the logs makes log analysis difficult. For the same reason I've changed ports in a lot of cases too - now when I see traffic its probably worth following up.
Personally, I regard that as solving the wrong problem. Instead, I tweak logfile analysis to ignore basically meaningless so-called 'attacks' (net.randoms' doorknob-twisting of the sshd, etc.).
(Noise in your logs? Of course there's noise in your logs. It's the Internet, after all. If the 'flooding' bothers you, don't look at it.)
I use logcheck to ignore routine logs. However it is still annoying, once my attention is drawn to the raw logs, to have to grep out all the SSH noise each time. Further, if I am too heavy-handed / inattentive in my grep -v, I might elide something relevant to whatever made me look at the logs.
Automated iptables blacklists are mostly just a clever way to DoS yourself,
I have SSH on a high port, only open to blacklisted IPs, that allows logins with a particular key, with a forced command that causes the source IP to be whitelisted for an hour. The SSH key in question is distributed to staff. If they manage to lock out their IP, they can unlock it again (assuming they realize what's happened). A bunch of staff, all related, were connecting from home (NATted to a single public IP), and were all using autossh. They were routinely blacklisting themselves when their ADSL cut out and came back, and all their autossh's tried to get in at once. Their IP is permanently whitelisted now (grumble), but whitelisting was mostly working for them before that.
in my experience, and add to system complexity and impair the goal of deterministic behaviour without any benefit worth having. Your Mileage May Differ[tm].
I cannot argue that it makes the system more complex.
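Trent's rule (more than three attempts in a minute, an hour-long ban that any further traffic refreshes), James's five-minute variant, and the autossh lockout described just above can all be checked against real log lines before anything is put into netfilter. An added Python example (mine, not Trent's iptab.ips and not xt_recent) replays sshd auth-log lines through that policy; the log lines are constructed and use documentation address ranges. Note that it counts connections, not failures, because xt_recent does too: that is exactly why the autossh users banned themselves, and the whitelist is the remedy.

```python
"""Replay sshd log lines through an xt_recent-style ban policy.
Added example, not Trent's iptab.ips and not netfilter code. The log
lines are constructed and use documentation address ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port")

SAMPLE_LOG = """\
Jul 13 05:51:01 bastion sshd[2201]: Failed password for invalid user joe from 203.0.113.5 port 4100 ssh2
Jul 13 05:51:12 bastion sshd[2204]: Failed password for invalid user admin from 203.0.113.5 port 4101 ssh2
Jul 13 05:51:20 bastion sshd[2207]: Failed password for root from 203.0.113.5 port 4102 ssh2
Jul 13 05:51:33 bastion sshd[2210]: Failed password for invalid user test from 203.0.113.5 port 4103 ssh2
Jul 13 05:52:00 bastion sshd[2215]: Accepted publickey for trent from 198.51.100.7 port 5000 ssh2
Jul 13 05:52:01 bastion sshd[2216]: Accepted publickey for trent from 198.51.100.7 port 5001 ssh2
Jul 13 05:52:02 bastion sshd[2217]: Accepted publickey for trent from 198.51.100.7 port 5002 ssh2
Jul 13 05:52:03 bastion sshd[2218]: Accepted publickey for trent from 198.51.100.7 port 5003 ssh2
Jul 13 06:30:00 bastion sshd[2301]: Failed password for invalid user oracle from 203.0.113.5 port 4200 ssh2
Jul 13 07:00:00 bastion sshd[2350]: Failed password for invalid user pi from 203.0.113.5 port 4201 ssh2
"""


def parse_line(line, year=2012):
    """Return (seconds, event, user, ip) or None. syslog stamps carry no
    year, so one is supplied; only differences between stamps matter."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
    return (when - datetime(year, 1, 1)).total_seconds(), m["event"], m["user"], m["ip"]


class BanList:
    """More than `hits` connections inside `window` seconds bans the source
    for `ban_for` seconds; any traffic while banned restarts the clock
    (Trent's rule). Like xt_recent it counts connections, not failures."""

    def __init__(self, hits=3, window=60, ban_for=3600, whitelist=()):
        self.hits, self.window, self.ban_for = hits, window, ban_for
        self.whitelist = set(whitelist)
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned = {}                   # ip -> expiry time

    def observe(self, ip, now):
        """Return 'allow', 'ban' (threshold just crossed) or 'tarpit'."""
        if ip in self.whitelist:
            return "allow"
        expiry = self.banned.get(ip)
        if expiry is not None and now < expiry:
            self.banned[ip] = now + self.ban_for      # timer reset
            return "tarpit"
        self.banned.pop(ip, None)
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) > self.hits:
            self.banned[ip] = now + self.ban_for
            q.clear()
            return "ban"
        return "allow"


def replay(log_text, banlist):
    """Feed every parseable line to the ban list; return [(ip, user, action)]."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, _event, user, ip = rec
            out.append((ip, user, banlist.observe(ip, ts)))
    return out


if __name__ == "__main__":
    for ip, user, action in replay(SAMPLE_LOG, BanList()):
        print(f"{action:7} {ip:15} {user}")
```

With the defaults the scanner at 203.0.113.5 is banned on its fourth attempt and is still tarpitted at 07:00 only because its 06:30 probe reset the hour; with ban_for=300 it is back to "allow" by then. The four legitimate publickey logins from one NATed address get banned just the same, which is the autossh story, until that address is in the whitelist.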

All of this in reply to a 3G network though. I've not yet seen any 3G provider actually provide a non-rfc1918 internal IP which is not NATed to the Internet.. Unless you actually pay for that function. Thereby rendering most of this thread moot :) That is until mobile providers actually bother to implement IPv6 on their subscriber networks.

On Sun, 15 Jul 2012, hannah commodore <hannah@tinfoilhat.net> wrote:
All of this in reply to a 3G network though. I've not yet seen any 3G provider actually provide a non-rfc1918 internal IP which is not NATed to the Internet.. Unless you actually pay for that function. Thereby rendering most of this thread moot :)
That is until mobile providers actually bother to implement IPv6 on their subscriber networks.
http://en.wikipedia.org/wiki/4g#IPv6_support 4G AKA LTE is going to be pretty much IPv6 everywhere. While technically this isn't 3G, I think that most users don't care much about the difference, in both cases it's just mobile net access. Also rumor has it that Telstra LTE is giving better performance than expected due to the lack of users...

On Sun, 15 Jul 2012, hannah commodore <hannah@tinfoilhat.net> wrote:
All of this in reply to a 3G network though. I've not yet seen any 3G provider actually provide a non-rfc1918 internal IP which is not NATed to the Internet.. Unless you actually pay for that function. Thereby rendering most of this thread moot :)
That is until mobile providers actually bother to implement IPv6 on their subscriber networks.
http://en.wikipedia.org/wiki/4g#IPv6_support
4G AKA LTE is going to be pretty much IPv6 everywhere. While technically this isn't 3G, I think that most users don't care much about the difference, in both cases it's just mobile net access. Also rumor has it that Telstra LTE is giving better performance than expected due to the lack of users...
Rumour also has it that Telstra has pinched some 3G spectrum for use on its 4G network. We have some customers in Bendigo CBD where Telstra 3G is effectively useless since 4G trials started (Optus works fine), so the rumour would be one explanation for that... james

On 15/07/12 17:26, Russell Coker wrote:
On Sun, 15 Jul 2012, hannah commodore <hannah@tinfoilhat.net> wrote:
All of this in reply to a 3G network though. I've not yet seen any 3G provider actually provide a non-rfc1918 internal IP which is not NATed to the Internet.. Unless you actually pay for that function. Thereby rendering most of this thread moot :)
That is until mobile providers actually bother to implement IPv6 on their subscriber networks.
http://en.wikipedia.org/wiki/4g#IPv6_support
4G AKA LTE is going to be pretty much IPv6 everywhere. While technically this isn't 3G, I think that most users don't care much about the difference, in both cases it's just mobile net access. Also rumor has it that Telstra LTE is giving better performance than expected due to the lack of users...
Even 3G HSPA is surprisingly good if you can get onto a tower that isn't congested, out in the country.

hannah commodore <hannah@tinfoilhat.net> wrote:
All of this in reply to a 3G network though. I've not yet seen any 3G provider actually provide a non-rfc1918 internal IP which is not NATed to the Internet.. Unless you actually pay for that function. Thereby rendering most of this thread moot :)
That is until mobile providers actually bother to implement IPv6 on their subscriber networks.
I've heard that there's at least one North American mobile provider which already offers IPv6 on its subscriber network. I can't remember the name, however.

On 15/07/2012, at 17:30, Jason White <jason@jasonjgw.net> wrote:
hannah commodore <hannah@tinfoilhat.net> wrote:
All of this in reply to a 3G network though. I've not yet seen any 3G provider actually provide a non-rfc1918 internal IP which is not NATed to the Internet.. Unless you actually pay for that function. Thereby rendering most of this thread moot :)
That is until mobile providers actually bother to implement IPv6 on their subscriber networks.
I've heard that there's at least one North American mobile provider which already offers IPv6 on its subscriber network. I can't remember the name, however.
T-Mobile offer IPv6 via LTE, but it requires a bit of hacking to get working. No major Australian carriers, as a company, provide *any* IPv6 to normal subscribers. Telstra have native v6 for TelstraClear, but even then they recently sold off that business. It will be quite some time yet before we can expect v6 on our mobiles with any provider in Aus.

At 05:10 PM 7/15/2012, hannah commodore wrote:
All of this in reply to a 3G network though. I've not yet seen any 3G provider actually provide a non-rfc1918 internal IP which is not NATed to the Internet.. Unless you actually pay for that function. Thereby rendering most of this thread moot :)
Internode does, I am able to use apps which require non NAT'd connectivity on Internode without any workarounds. Downside is they don't offer voice services, so it's only good for iPads and 3G dongles.
That is until mobile providers actually bother to implement IPv6 on their subscriber networks.
I'm not aware of any in Australia. 73 de VK3JED / VK3IRL http://vkradio.com

Tony Langdon <vk3jed@gmail.com> wrote:
Internode does, I am able to use apps which require non NAT'd connectivity on Internode without any workarounds. Downside is they don't offer voice services, so it's only good for iPads and 3G dongles.
Unless, of course, the latency and jitter are tolerable for RTP traffic.

At 06:03 PM 7/15/2012, Jason White wrote:
Tony Langdon <vk3jed@gmail.com> wrote:
Internode does, I am able to use apps which require non NAT'd connectivity on Internode without any workarounds. Downside is they don't offer voice services, so it's only good for iPads and 3G dongles.
Unless, of course, the latency and jitter are tolerable for RTP traffic.
Yes, VoIP does seem to work well when I've tried, though the RTP based protocols I'm using are a bit more tolerant to delay and jitter than the format used for telephony.

At 06:03 PM 7/15/2012, Jason White wrote:
Tony Langdon <vk3jed@gmail.com> wrote:
Internode does, I am able to use apps which require non NAT'd connectivity on Internode without any workarounds. Downside is they don't offer voice services, so it's only good for iPads and 3G dongles.
Unless, of course, the latency and jitter are tolerable for RTP traffic.
Yes, VoIP does seem to work well when I've tried, though the RTP based protocols I'm using are a bit more tolerant to delay and jitter than the format used for telephony.
I've used Skype on my Android phone on the Optus 3G network and it's better than a GSM call. James

Hello Hannah, On Sun, 2012-07-15 at 17:10 +1000, hannah commodore wrote:
All of this in reply to a 3G network though. I've not yet seen any 3G provider actually provide a non-rfc1918 internal IP which is not NATed to the Internet.. Unless you actually pay for that function. Thereby rendering most of this thread moot :)
I have read the thread with interest, there has been a great deal of information to glean, but minimal information about actually using such, and more particularly, no pointers to initialising under Linux rather than Windows or a Mac. It makes me think that I really need a 3G (or maybe 4G?) device that provides WiFi connection, or an ethernet port, rather than a USB device.
That is until mobile providers actually bother to implement IPv6 on their subscriber networks.
It is coming to a crunch where it should be IPv6, and nothing else, but I am certain that they will not move soon enough, citing "legacy" systems that cannot cope. The sooner that Microsoft Windows is _NOT_ supported, the better for all of us. I cannot see why they cannot do perl scripts for both Mac and generic GNU/Linux, both have perl installed by default, it is not on Windows by default, but can be installed, or run from a minimalist installation on the USB device. It should be a lot more robust, but less obscure, and more open to the hacker (and cracker) communities. Regards, Mark Trickett

I recently purchased a Telstra Prepaid SIM for my toughbook, it has an internal MODEM that shows up as a USB device. I went with Telstra as the connection manager (In Windows) showed that I could only "See" the Telstra network inside my house and only Telstra and Vodafone outside, I was with Amaysim (Using Optus Infrastructure) and could not find the network (A downfall of living rural) I went with Telstra solely for coverage reasons. When I activated the SIM via a phone call to Telstra I was asked what version of Windows I was using, when I said I was using Linux I was told it would not work with Linux and that I should install Windows. I stated I was not using a Telstra Dongle but an internal MODEM and that I was not looking for technical support but that I just wanted the SIM activated. I am running Ubuntu 12.04 and it was really easy to setup, my son runs a DCSI (Optus Network) dongle on his Linux laptop and it automagically switched to MODEM mode when plugged in to a Ubuntu 11.10 install. Ubuntu Network Manager already had Telstra in its list of providers and it was a simple matter of selecting Telstra then selecting the appropriate APN from the list to suit your account type. This information was found by using the setup page on Telstra's website for Android Devices. -- Mark "Hiddensoul" Clohesy Mob Phone: (+61) 406 417 877 Email: hiddensoul@twistedsouls.com G-Talk: mark.clohesy@gmail.com - www.shed.twistedsouls.com - GNU/Linux.. Linux Counter #457297 "I would love to change the world, but they won't give me the source code" "Linux is user friendly...its just selective about who its friends are" "Never underestimate the bandwidth of a V8 station wagon full of tapes hurtling down the highway" "The difference between e-mail and regular mail is that computers handle e-mail, and computers never decide to come to work one day and shoot all the other computers"

Sorry for not being clearer Mark. Most 3G devices if they are supported by the kernel will work 'out of the box' - ie. whatever network manager you are using will recognise it and perhaps have the setup needed (APN etc) for Australian providers supplied. Which means clicking the network icon and selecting it... To determine whether it's supported, I would find the model no. of the device and do a search based on the distro you are intending to use. Be sure to search for the exact model, a slight variation may mean it is not yet supported. I have been using a Huawei E160 for 3.5 years and it has been fully supported under the 2.6 or 3 kernels I have used in that time - I remember someone couldn't get an E160g to work though. Occasionally the network manager will not play nice, as in early versions of KDE4 - in such circumstances I have used the wvdial utility, with the config information found from a quick search. Other devices may require the use of usb modeswitch, but with this additional configuration will work fine. On 15 July 2012 20:43, Hiddensoul (Mark Clohesy) < hiddensoul@twistedsouls.com> wrote:
I recently purchased a Telstra Prepaid SIM for my toughbook, it has an internal MODEM that shows up as a USB device. I went with Telstra as the connection manager (In Windows) showed that I could only "See" the Telstra network inside my house and only Telstra and Vodafone outside, I was with Amaysim (Using Optus Infrastructure) and could not find the network (A downfall of living rural)
I went with Telstra solely for coverage reasons. When I activated the SIM via a phone call to Telstra I was asked what version of Windows I was using, when I said I was using Linux I was told it would not work with linux and that I should install Windows. I stated I was not using a Telstra Dongle but an internal MODEM and that I was not looking for technical support but that I just wanted the SIM activated.
I am running Ubuntu 12.04 and it was really easy to setup, my son runs a DCSI (Optus Network) dongle on his linux laptop and it automagically switched to MODEM mode when plugged in to a Ubuntu 11.10 install.
Ubuntu Network Manager already had Telstra in its list of providers and it was a simple matter of selecting Telstra then selecting the appropriate APN from the list to suit your account type. This information was found by using the setup page on Telstra's website for Android Devices.

It is coming to a crunch where it should be IPv6, and nothing else, but I am certain that they will not move soon enough, citing "legacy" systems that cannot cope. The sooner that Microsoft Windows is _NOT_ supported, the better for all of us.
I'm all for Microsoft bashing, but if you are implying that Windows doesn't support IPv6 then you are very wrong. In fact you'll have trouble with some of their server software if you disable IPv6. James

On 15 July 2012 21:16, James Harper <james.harper@bendigoit.com.au> wrote:
I'm all for Microsoft bashing, but if you are implying that Windows doesn't support IPv6 then you are very wrong. In fact you'll have trouble with some of their server software if you disable IPv6.
Lots of people still use Windows XP, which doesn't have built in IPv6 support. I believe there is an add-on that provides IPv6 support, however this was the first attempt Microsoft made, and as a result not recommended for serious use. Or so I have read. On this particular issue, I would rephrase the original comment as "The sooner that Microsoft Windows XP is _NOT_ supported, the better for all of us." -- Brian May <brian@microcomaustralia.com.au>

On 15 July 2012 21:16, James Harper <james.harper@bendigoit.com.au> wrote:
I'm all for Microsoft bashing, but if you are implying that Windows doesn't support IPv6 then you are very wrong. In fact you'll have trouble with some of their server software if you disable IPv6.
Lots of people still use Windows XP, which doesn't have built in IPv6 support. I believe there is an add-on that provides IPv6 support, however this was the first attempt Microsoft made, and as a result not recommended for serious use. Or so I have read.
On this particular issue, I would rephrase the original comment as "The sooner that Microsoft Windows XP is _NOT_ supported, the better for all of us."
Can't argue with that one :) James

Hello James, On Sun, 2012-07-15 at 11:16 +0000, James Harper wrote:
It is coming to a crunch where it should be IPv6, and nothing else, but I am certain that they will not move soon enough, citing "legacy" systems that cannot cope. The sooner that Microsoft Windows is _NOT_ supported, the better for all of us.
I'm all for Microsoft bashing, but if you are implying that Windows doesn't support IPv6 then you are very wrong. In fact you'll have trouble with some of their server software if you disable IPv6.
James
My comments were prompted by the fact that the biggest competitor to Microsoft's latest versions has been the installed base of prior versions. Given the escalating hardware requirements, and propensity to rape wallets, it would be good to be vendor and OS neutral. Given the legacy of older versions of Microsoft Windows that will not cope with IPv6, and the relative costs of the upgrades, Linux is looking good to those of us with knowledge and competence. Regards, Mark Trickett

Hi, On 16/07/2012 7:53 PM, Mark Trickett wrote:
My comments were prompted by the fact that the biggest competitor to Microsoft's latest versions has been the installed base of prior versions. Given the escalating hardware requirements, and propensity to rape wallets, it would be good to be vendor and OS neutral. The legacy of older versions of Microsoft Widows that will not cope with IPv6, and the relative costs of the upgrades, Linux is looking good to those of us with knowledge and competence.
XP, if fresh, can run quite well on limited hardware so long as it has 1GB of RAM; it is usually quite good, especially for its age. And its support timeframe ends in 2014, so a bit more time to go with it. Lots of older XP machines actually run better with a new installation of Windows 7 too, without any hardware upgrades. Sure, those older machines don't enjoy the benefits of multi-core CPUs and mega amounts of RAM by comparison, but it can be quite surprising how well some older machines can perform today. Lots of people don't need the horsepower of today's mid-level machines, let alone the high end ones. Cheers -- Kind Regards AndrewM

I have read the thread with interest, there has been a great deal of information to glean, but minimal information about actually using such, and more particularly, no pointers to initialising under Linux rather than Windows or a Mac. It makes me think that I really need a 3G (or maybe 4G?) device that provides a WiFi connection, or an ethernet port, rather than a USB device.
I regularly use my Android phone as a 3G modem, either wireless or tethered via USB depending on if I forgot my cable or not. It has the advantage that the phone can be on charge near a window to get good reception and I can be a short distance away where it is more comfortable :) James

On 15/07/12 20:30, Mark Trickett wrote:
That is until mobile providers actually bother to implement IPv6 on their subscriber networks
It is coming to a crunch where it should be IPv6, and nothing else, but I am certain that they will not move soon enough, citing "legacy" systems that cannot cope. The sooner that Microsoft Windows is _NOT_ supported, the better for all of us.
Non sequitur. What does Microsoft Windows have to do with implementing IPv6 on subscriber networks? The mobile phone towers don't run Windows. Nor do their switches or routers. And their accounting software doesn't need to use IPv6 as a transport, and that's an application level problem, not an operating system problem. And, as James Turnbull correctly points out, Windows fully supports IPv6 anyway, [0] making your argument not just a non sequitur but baloney. -- [0] Ever tried setting up a 100% IPv6 network, including Active Directory, MS Exchange, all the usual? Yep, I've done it. It Works.(TM) Many IPv6 technologies that OS X and Linux have only just started supporting by default in 2011/2012 have been supported solidly in Windows since 2006. [1] [1] Beware of the "fallacy fallacy". Just because you may be able to find one area where Windows is lacking in IPv6 compared to OS X or Linux doesn't mean it's not miles ahead in almost all other areas.

On 15/07/12 17:10, hannah commodore wrote:
All of this in reply to a 3G network though. I've not yet seen any 3G provider actually provide a non-rfc1918 internal IP which is not NATed to the Internet.. Unless you actually pay for that function. Thereby rendering most of this thread moot :)
Every Optus 3G connection I’ve checked (personal mobile phone services) has a public IPv4 address attached (albeit dynamic). Really handy actually, as I do like to SSH into my mobile phone from time to time. Though this is probably already common knowledge by now, if you quote ‘GPTEXB3’ to Telstra, they will grant you access to the ‘telstra.extranet’ APN which gives you a public IPv4 address. (Only ever tried it on business connections, but haven’t heard a single failure story yet.)

On 15/07/2012, at 21:18, Jeremy Visser <jeremy@visser.name> wrote:
Every Optus 3G connection I’ve checked (personal mobile phone services) has a public IPv4 address attached (albeit dynamic). Really handy actually, as I do like to SSH into my mobile phone from time to time.
Sorry. I stand corrected. Is it just Telstra consumer plans that use internal ip addresses on 3G then?

On 16 July 2012 08:55, hannah commodore <hannah@tinfoilhat.net> wrote:
Sorry. I stand corrected. Is it just Telstra consumer plans that use internal ip addresses on 3G then?
I think Three also does that too. Yes, Three is still a separate network to Vodafone, at least last time I checked, even if now owned by the same company. I would assume Vodafone also uses internal IP addresses, but can't confirm/deny. -- Brian May <brian@microcomaustralia.com.au>

Hi, On 15/07/2012 5:10 PM, hannah commodore wrote:
All of this in reply to a 3G network though. I've not yet seen any 3G provider actually provide a non-rfc1918 internal IP which is not NATed to the Internet.. Unless you actually pay for that function. Thereby rendering most of this thread moot :)
I use [and can sell] a premium service, it gives me static IP on 3G service using Optus network. Cheers -- Kind Regards AndrewM Andrew McGlashan Broadband Solutions now including VoIP Current Land Line No: 03 9012 2102 Mobile: 04 2574 1827 Fax: 03 9012 2178 National No: 1300 85 3804 Affinity Vision Australia Pty Ltd http://www.affinityvision.com.au http://adsl2choice.net.au In Case of Emergency -- http://www.affinityvision.com.au/ice.html

James Harper wrote:
Rick Moen wrote:
Quoting Chris Samuel (chris@csamuel.org):
What is your definition of really slow?
I already said I haven't run the numbers. However, you are welcome to put an ssh up and see for yourself.
I was getting enough of them that I instructed my firewall to blacklist (for an hour) any IP making more than three SSH attempts in a minute. All traffic in the blacklist gets tarpitted. Subsequent traffic resets the blacklist timer back to one hour.
I found that a 5 minutes (vs your 1 hour) was enough to be entirely effective,
You are probably right. I started at 1h and never bothered to dial it down.
and I used xt_recent (or ipt_recent depending on your netfilter version), and applied the same trick to all the RDP and FTP servers running in the same subnet.
Hm, I don't have any FTP or RDP servers, but it might be a good idea to have connections to their ports trigger my blacklisting.
Additionally, I have nominated a few IP addresses in the /24's that nothing is published on which trigger the same blacklisting so anyone attempting a sweep finds all services unresponsive very quickly.
Not a bad idea either. I had thought about setting up a honeypot that actually responds, but I couldn't work out a way to do so that would APPEAR to be compromised without actually being compromised. Simply designating an unused IP to trigger blacklisting would give nearly as good functionality, though.

On 13/07/12 15:09, Rick Moen wrote:
Quoting Chris Samuel (chris@csamuel.org):
What is your definition of really slow?
I already said I haven't run the numbers. However, you are welcome to put an ssh up and see for yourself.
We have quite a few here at work (comes with the territory) and we have gone to rate limiting incoming SSH connections with iptables because of the brute forcers connecting so much. I was just wondering if that meant we were more of an attraction than other sites. cheers, Chris -- Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC

Quoting Chris Samuel (chris@csamuel.org):
I was just wondering if that meant we were more of an attraction than other sites.
What I mean is merely that: Both personal experience with making ssh connections and long-term monitoring of logfiles, along with shirtsleeve estimates of credential combinatorics, suggests that brute-forcing sshds would require on average at minimum decades if not a lot more, except against literal 'joe' passwords (e.g., very common dictionary words) that modern *ixes have for a very long time disallowed even the dumbest users to pick. And that's without rate limiting, fail2ban, non-standard service ports, and all the rest of that lot. And also that I have about 19 years of direct Internet exposure to illustrate the point.

Quoting Trent W. Buck (trentbuck@gmail.com):
The plural of anecdote is not data :-)
In that case, I'll point out that I've also administered thousands of other people's Linux and Solaris machines on the open Internet for various employers and clients over those same decades, and my experience and that of my co-workers has been as previously indicated with no exceptions. To be quite serious about this for a moment, Internet security is a fascinating and difficult topic, but one of the many ways to go wrong with it is to lose perspective and deploy complex mechanisms to avert non-credible threats. I worry about management blunders; I don't worry about ssh password guessing. ;->
Hey, if what you're doing works for you, great.
Likewise, of course.

On Mon, Jul 16, 2012 at 01:51:39PM +1000, Chris Samuel wrote:
We have quite a few here at work (comes with the territory) and we have gone to rate limiting incoming SSH connections with iptables because of the brute forcers connecting so much.
yep, me too. i whitelist known good addresses (incl. our own :-) and everything else is subject to iptables recent-match rules. i also use /etc/security/access.conf via the pam_access module to limit who is allowed to login (and from where), and only allow password auth from whitelisted hosts - other access to ssh is either blocked or key-based auth only, e.g.:
    PubkeyAuthentication yes
    PasswordAuthentication no
    Match Address IP.IP.IP.IP/MASK,127.0.0.0/8
        PasswordAuthentication yes
NOTE: the Match Address feature of sshd_config is fairly recent, only a year or two old IIRC so it won't work if you are running an ancient or crap distro.
I was just wondering if that meant we were more of an attraction than other sites.
probably not. if you put a machine on the net then it's going to get probed for all sorts of potential exploits, real or imaginary or obsolete or just hopeful - including ssh and mysql and ms sql and smb and telnet and rpc and hundreds/thousands of other ports, many of which haven't even had an exploitable version for over a decade. since it's all done by bots, one IP address is as "attractive" as any other. of course, if you've got some highly desirable or valuable data then your known IP address ranges may be specifically targeted, but mere presence or number of accessible machines doesn't make your site a more attractive target. craig -- craig sanders <cas@taz.net.au>
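The blacklisting rule James and Trent compared above (more than three SSH connections from one address within a minute puts it on a blacklist for an hour, later traffic from it is tarpitted and resets the timer) and Craig's whitelist of known good addresses can be modelled outside the kernel, which makes it easier to see what a given hit count, window and ban time actually do. The following is an added example, not code from any list member; it replays constructed sshd-style log lines (epoch seconds plus a message, addresses from the documentation ranges) through a pure-Python stand-in for the iptables recent match. The class and parameter names are assumptions for the example; in iptables the same policy is expressed with `-m recent --set` on each new connection and `-m recent --update --seconds 60 --hitcount 4` to trigger the blacklist jump.

```python
"""Model of the thread's SSH brute-force blacklist (added example, not list code)."""
import re
from collections import defaultdict, deque

# Constructed log lines, not from the thread: "<epoch seconds> <sshd message>".
# 203.0.113.7 is a guesser, 198.51.100.9 a slow legitimate user, 192.0.2.5 a
# whitelisted admin host that fumbles a password a few times.
SAMPLE_LOG = """\
1000 sshd[4242]: Failed password for root from 203.0.113.7 port 51001 ssh2
1000 sshd[4243]: Failed password for alice from 198.51.100.9 port 40001 ssh2
1005 sshd[4244]: Failed password for bob from 192.0.2.5 port 60001 ssh2
1006 sshd[4244]: Failed password for bob from 192.0.2.5 port 60002 ssh2
1007 sshd[4244]: Failed password for bob from 192.0.2.5 port 60003 ssh2
1008 sshd[4244]: Accepted password for bob from 192.0.2.5 port 60004 ssh2
1010 sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
1020 sshd[4242]: Failed password for root from 203.0.113.7 port 51003 ssh2
1030 sshd[4242]: Failed password for root from 203.0.113.7 port 51004 ssh2
1030 sshd[4243]: Failed password for alice from 198.51.100.9 port 40002 ssh2
1040 sshd[4242]: Failed password for root from 203.0.113.7 port 51005 ssh2
1070 sshd[4243]: Failed password for alice from 198.51.100.9 port 40003 ssh2
1100 sshd[4243]: Accepted publickey for alice from 198.51.100.9 port 40004 ssh2
4635 sshd[4242]: Failed password for root from 203.0.113.7 port 51006 ssh2
"""

# Every sshd line that names a peer counts as one connection: the firewall sees
# a SYN, not an authentication result, so "Accepted" lines count as well.
LINE_RE = re.compile(r"^(\d+) sshd\[\d+\]: .* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")


class RecentBlacklist:
    """Sliding-window hit counter with a timed blacklist (assumed names)."""

    def __init__(self, hits=3, window=60, ban=3600, refresh=True, whitelist=()):
        self.hits, self.window, self.ban = hits, window, ban
        self.refresh = refresh            # does blacklisted traffic extend the ban?
        self.whitelist = set(whitelist)   # addresses never counted or banned
        self.recent = defaultdict(deque)  # ip -> connection times inside the window
        self.banned_until = {}            # ip -> time the ban lapses

    def connection(self, ip, ts):
        """Decide one inbound connection: 'accept' or 'tarpit'."""
        if ip in self.whitelist:
            return "accept"
        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if ts < expiry:
                if self.refresh:              # "subsequent traffic resets the timer"
                    self.banned_until[ip] = ts + self.ban
                return "tarpit"
            del self.banned_until[ip]         # ban lapsed; start counting afresh
            self.recent[ip].clear()
        q = self.recent[ip]
        q.append(ts)
        while q[0] <= ts - self.window:       # drop hits that fell out of the window
            q.popleft()
        if len(q) > self.hits:                # the (hits+1)th hit inside the window trips it
            self.banned_until[ip] = ts + self.ban
            q.clear()
            return "tarpit"
        return "accept"


def replay(log, **policy):
    """Run every parseable line through one blacklist; return [(ts, ip, decision)]."""
    bl = RecentBlacklist(**policy)
    decisions = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip = int(m.group(1)), m.group(2)
            decisions.append((ts, ip, bl.connection(ip, ts)))
    return decisions


if __name__ == "__main__":
    for ts, ip, verdict in replay(SAMPLE_LOG, whitelist={"192.0.2.5"}):
        print(f"{ts:>5} {ip:<15} {verdict}")
```

Replaying the sample shows the two design points the thread touched on: the fourth hit from 203.0.113.7 inside a minute trips the ban, and because blacklisted traffic refreshes the timer the retry at 4635 (just past the original hour) is still tarpitted, whereas with `refresh=False` it would be let through; the slow user at 198.51.100.9 never accumulates more than two hits in any sixty-second window, and the whitelisted host is exempt even when it would otherwise have tripped the rule.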

I was just wondering if that meant we were more of an attraction than other sites.
probably not. if you put a machine on the net then it's going to get probed for all sorts of potential exploits, real or imaginary or obsolete or just hopeful - including ssh and mysql and ms sql and smb and telnet and rpc and hundreds/thousands of other ports, many of which haven't even had an exploitable version for over a decade.
since it's all done by bots, one IP address is as "attractive" as any other.
of course, if you've got some highly desirable or valuable data then your known IP address ranges may be specifically targeted, but mere presence or number of accessible machines doesn't make your site a more attractive target.
I've wondered about this. It really does seem that some IP addresses get hit much more often than others, for no otherwise obvious reason. There are various rbl lists around that provide free information about IP address blocks, and maybe this information could make some blocks more attractive than others? A home user would almost certainly be using a router of some sort which are almost always completely blocked off from outside access by default, while a server in a hosting center set up by a kid as a torrent drop point could likely be full of holes. An IP that is blacklisted as an open relay may also have all sorts of other security weaknesses (or not? That's just a guess). All this information about IP addresses, with a small degree of error, is easily obtainable by a bot. James

On 11/07/2012 2:48 PM, Russell Coker wrote:
If you use Windows (particularly the older versions) this is a problem.
Modern Linux distributions tend to have almost nothing listening for inbound connections by default so this shouldn't be an issue.
It's important to remain factual. All current desktop versions of Windows in use today (XP SP2+, Vista, Win 7) include the Windows Firewall, enabled by default, which filters all services unless you explicitly unblock them. [0] -- [0] A server process that opens a listening socket will trigger a Windows Firewall dialog asking the user whether to "Unblock" the application. As a result, most users would have a very large firewall exception list after a short period of using the computer. This doesn't devalue the fact that it is firewalled by default, however.

On 11/07/2012 2:48 PM, Russell Coker wrote:
If you use Windows (particularly the older versions) this is a problem.
Modern Linux distributions tend to have almost nothing listening for inbound connections by default so this shouldn't be an issue.
It's important to remain factual. All current desktop versions of Windows in use today (XP SP2+, Vista, Win 7) include the Windows Firewall, enabled by default, which filters all services unless you explicitly unblock them. [0]
Also note that the first time someone has problems with anything network related (p2p, multiplayer games), the first troubleshooting step is often to turn off the firewall, and if that fixes the problem it will remain off. James

On Wed, 11 Jul 2012, James Harper <james.harper@bendigoit.com.au> wrote:
It's important to remain factual. All current desktop versions of Windows in use today (XP SP2+, Vista, Win 7) include the Windows Firewall, enabled by default, which filters all services unless you explicitly unblock them. [0]
This discussion is about firewalls and whether they are necessary. Stating that a firewall is enabled by default is not particularly relevant to the issue of whether it's necessary. Although the presence of a firewall by default may suggest that it is necessary. Someone could have responded to Andrew suggesting that his firewall suggestion might be obsoleted by the iptables configuration in RHEL or one of the variety of Windows firewall products.
Also note that the first time someone has problems with anything network related (p2p, multiplayer games), the first troubleshooting step is often to turn off the firewall, and if that fixes the problem it will remain off.
Yes. Also if you are setting up a server it's a good idea to turn off the firewall as it's a major PITA to have a server stop doing its thing because the firewall gets in the way. I recently had this problem when dealing with some proprietary server software that only ran on Windows and was too broken to run correctly on Wine. To add to the fun there were two firewall products installed on the Windows server in question. The problem is that in most cases firewalls don't do much good. If a firewall is deny by default then it gets in the way every time the user installs a new Bittorrent program that uses different ports and is likely to get turned off. If it's allow by default then it probably won't do any good. http://en.wikipedia.org/wiki/SQL_Slammer Really the best thing is for applications to not listen for external connections unless explicitly configured to do so. This solves the problem of daemons the user didn't directly install being vulnerable, apparently some people who had their systems infected by Slammer were unaware that they had MSDE installed - including some MS employees. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

At 11:51 PM 7/11/2012, Russell Coker wrote:
This discussion is about firewalls and whether they are necessary. Stating that a firewall is enabled by default is not particularly relevant to the issue of whether it's necessary. Although the presence of a firewall by default may suggest that it is necessary.
I rarely run firewalls on Linux servers. I simply turn off the services I don't need. There have been exceptions, where services are intended for specific geographical regions, and other regions have been blocked to avoid issues, reduce server load or for some other reason. 73 de VK3JED / VK3IRL http://vkradio.com

Russell Coker wrote:
The problem is that in most cases firewalls don't do much good. If a firewall is deny by default then it gets in the way every time the user installs a new Bittorrent program that uses different ports
That's a *feature*.
and is likely to get turned off.
The user is broken. Swap in a new one.
Really the best thing is for applications to not listen for external connections unless explicitly configured to do so.
IMO both are desirable, and orthogonal to one another. Programs shouldn't listen until instructed to do so, but operating a default deny firewall is a defense-in-depth safety net to protect you when a program *does* listen by default.
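Whichever side of the firewall argument you take, Russell's preferred control (daemons bind to loopback unless told otherwise) and Trent's safety net both come down to one question: what is actually listening on a non-loopback address right now? The following is an added example, not code from any list member. It audits constructed `ss -Hltnp`-style output (the column layout is the real one, the socket lines are made up, including an MSDE-like `sqlservr` on 1433 as a nod to the Slammer reference) for listeners reachable from off-host, and shows a listener whose default bind address is loopback so that exposing it takes an explicit decision. Function names and the `allowed` parameter are assumptions for the example.

```python
"""Audit listening sockets for off-host exposure (added example, not list code)."""
import ipaddress
import re
import socket

# Constructed output in the shape of `ss -Hltnp`: State Recv-Q Send-Q Local Peer Process.
# These sockets are made up for the example; they are not from the thread.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=812,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
LISTEN 0 50 0.0.0.0:1433 0.0.0.0:* users:(("sqlservr",pid=901,fd=12))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=700,fd=7))
LISTEN 0 4096 *:3306 *:* users:(("mysqld",pid=950,fd=21))
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def split_addr(local):
    """Return (host, port) from an ss local-address column such as '[::1]:631' or '*:3306'."""
    host, port = local.rsplit(":", 1)
    return host.strip("[]"), int(port)


def is_external(host):
    """True if a bind address accepts connections from other hosts."""
    if host in ("*", ""):                 # ss prints '*' for the wildcard address
        return True
    return not ipaddress.ip_address(host).is_loopback   # 0.0.0.0 and :: are external


def exposed_listeners(ss_output, allowed=frozenset()):
    """List (process, host, port) for listeners reachable off-host and not in `allowed`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_addr(fields[3])
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        if is_external(host) and proc not in allowed:
            findings.append((proc, host, port))
    return findings


def open_listener(port=0, host="127.0.0.1"):
    """Open a TCP listener that defaults to loopback; exposing it needs an explicit host."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))                  # callers must pass '0.0.0.0' to expose it
    s.listen(5)
    return s


if __name__ == "__main__":
    # In practice feed it real output, e.g. subprocess.run(["ss", "-Hltnp"], ...).stdout.
    for proc, host, port in exposed_listeners(SAMPLE_SS, allowed={"sshd"}):
        print(f"{proc} listens on {host}:{port} and is reachable from outside")
```

On the sample, `postgres` and `cupsd` are ignored because 127.0.0.1 and ::1 are loopback, while `sshd`, `sqlservr` and `mysqld` are flagged; passing `allowed={"sshd"}` leaves the two database listeners as the findings. Run against real `ss` output this is the check that tells you whether "almost nothing listening" is actually true on a given box, independent of whether a firewall sits in front of it.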

hi, for range extenders: 24dB and external rated parabolic antenna http://www.tp-link.com/en/products/details/?model=TL-ANT2424B two of these may help, but alignment is necessary. Steve

Hi Get yourself a 3g(4g) WIFI modem (aka Huawei), anybody can connect to that, no drivers required. I share mine with my partner, we have a WinXP laptop, a Fedora Laptop, two GalaxiesII's and two AsusTransformers. Optus sells them, do not know what brand Telstra's is but I know they have a similar one. Jobst -- If you think knowledge is expensive, try ignorance. | |0| | Jobst Schmalenbach, jobst@barrett.com.au, General Manager | | |0| Barrett Consulting Group P/L & The Meditation Room P/L |0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia

Jobst Schmalenbach wrote:
Get yourself a 3g(4g) WIFI modem (aka Huawei), anybody can connect to that, no drivers required. I share mine with my partner, we have a WinXP laptop, a Fedora Laptop, two GalaxiesII's and two AsusTransformers.
Well, you need at least a USB bus driver and USB serial device driver. They're just very likely to be enabled out of the box :-) -- twb, who occasionally runs into grief with his temporary-oops-permanent android kernel on his TF101, which has e.g. iso9660 compiled out and no .ko handy.

Trent W. Buck wrote:
Jobst Schmalenbach wrote:
Get yourself a 3g(4g) WIFI modem (aka Huawei), anybody can connect to that, no drivers required. I share mine with my partner, we have a WinXP laptop, a Fedora Laptop, two GalaxiesII's and two AsusTransformers.
Well, you need at least a USB bus driver and USB serial device driver. They're just very likely to be enabled out of the box :-)
-- twb, who occasionally runs into grief with his temporary-oops-permanent android kernel on his TF101, which has e.g. iso9660 compiled out and no .ko handy.
A lurker in email has kindly pointed out that I can't read, and my response is about something completely different to what Jobst said. Kindly ignore me.

On Tue, 31 Jul 2012 02:59:15 PM Jobst Schmalenbach wrote:
Get yourself a 3g(4g) WIFI modem (aka Huawei), anybody can connect to that, no drivers required. I share mine with my partner, we have a WinXP laptop, a Fedora Laptop, two GalaxiesII's and two AsusTransformers.
Optus sells them, do not know what brand Telstra's is but I know they have a similar one.
The Telstra Sierra Wireless AirCard 760S Telstra Wi-Fi 4G modem works exactly like that, but it has to be activated first. Easy if you can use a Windows computer but somewhat tricky if you run a Windows-free system. I activated the Sierra Wireless AirCard 760S Telstra Wi-Fi 4G modem on Linux Mint recently. Most of it was pretty trivial using www.bigpond.4g over Firefox but, as is often the case, there was one part which was rather tricky - Sierra asks for an executable (Windows or Mac) to be run! I saved the Windows file BPSignMeUp.exe to disc, installed wine and after some tinkering with winecfg managed to run BPSignMeUp.exe enough to allow it to sign with Telstra. Unfortunately, wine showed only the buttons "cancel" and "next" and nothing else! So I blindly accepted all options and www.bigpond.4g reported "connected". I still had no access to the web, but I was able to find, in the section Advanced Settings | WAN | Setup | Add/Edit Profiles, my user name and password - which were obviously default place-holders only. When I substituted my correct user name and password as provided by Telstra, the Sierra finally worked as it should. All together it is nice that it is possible to get the Sierra Wireless AirCard 760S working with common Linux tools only, but it is not entirely easy sailing. An easier way would be to ask in the shop for unlocking of the modem; it needs to be done only once. Detailed setup is easy with www.bigpond.4g afterwards. Petr -- <pb-luv@baum.com.au> Petr Baum, P.O.Box 2364, Rowville 3178 fax +61-3-97643342 This message was created in naturally virus-free operating system: Linux
participants (23): Andrew McGlashan, Brett Pemberton, Brian May, Chris Samuel, Craig Sanders, ewe2, hannah commodore, Hiddensoul (Mark Clohesy), James Harper, Jason White, Jeremy Visser, Jobst Schmalenbach, Lindsay Sprinter, Mark Trickett, Matthew Cengia, Petr Baum, Rick Moen, Russell Coker, Steve Roylance, thelionroars, Toby Corkindale, Tony Langdon, Trent W. Buck