Re: /etc/passwd-shell

2002-01-12 Thread "Ivan R."

In reply to Hubert Chan [EMAIL PROTECTED]:

> Anything that is not a real user can have its shell set to /bin/false.
> In fact, depending on how your system is set up, you could probably
> even set root's shell to /bin/false.

ok

> Just make sure that you have some way of doing stuff as root (e.g. sudo),
> and that you don't kill single mode.  (Never tried this, but I don't see
> why you couldn't do this.)

ok for sudo, but what do you mean by "don't kill single mode"?

> So daemon, bin, sys, ftp, www-data, mail, mysql, etc. can probably be
> set to /bin/false.  (Why does Debian not do this by default?)

I just tried to put /bin/false in /etc/passwd for ftp, www-data, mysql and man,
and that's OK. I'll try to do so for daemon, bin and sys at home
(I prefer that to doing this at work :p).

> I don't know what the sync user is for, though, so I don't know if you
> can set it to /bin/false.  /bin/sync looks like it was put there for a
> reason.

Yes, you're right too. sync is called by updated to flush the filesystem buffers
every 30 seconds.

I'll tell you about daemon, bin and sys soon.

Thanks for all ;D

-
Ivan R.
sysadmin


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: [d-security] Re: /etc/passwd-shell

2002-01-12 Thread "Ivan R."

In reply to Christian Hammers [EMAIL PROTECTED]:

> Apart from the ftp users which (sometimes) need their ftp password to
> be stored in /etc/shadow and thus would make it a valid login
> password too, I can see no reason why not giving a user, that has *no*
> password, a shell.

OK, but we can look at it the other way round: if a user doesn't need a
shell, why should we give him one? And perhaps I am too stiff (excuse me
for my English :p), but I think a Linux distribution like Debian must be
coherent: why do www-data and mail have a shell and not mysql??? It's just
a principle for me :D

> Without a password in /etc/shadow or /etc/passwd he could not login and
> if someone cracks the server with i.e. a buffer overflow he does not
> depend on the passwd entries but executes /bin/bash directly.

OK, that's right.

> On the other hand when executing su -c daemonxy cronscriptxy from
> your crontab or similar then you need a valid shell because the shell
> relies on it when executing child programs.

ok

> BTW: for ftp and pop3 users I could imagine /bin/passwd being a nice
> shell because it would allow the users to change their password via ssh.

Thanks for this advice, and for all the rest.

;D

-
Ivan R.
sysadmin






Re: How can I change my domainname on my server

2002-01-12 Thread Hendrik Naumann


Hi

> I have trouble with my e-mail server. I have to change it to my
> domain name and not .local ...
> I need mailserver.domainname.no

If I want to change the hostname or IP I use a combination of find, grep
and sed and just replace every occurrence under /etc or even / of the
old string with the new. That may be a very crude approach but it has
worked perfectly several times. However, I'm not sure about NIS.

Hendrik

- -- 
PGP ID 21F0AC0265C92061






Re: I've been hacked by DevilSoul

2002-01-12 Thread Alan Aldrich

Thanks to all who responded.
The DevilSoul rootkit was a nasty one which planted a man-in-the-middle
attack on my Debian Linux box. Apparently I was not secure enough or
watchful enough, as the intruder was able to install a kit on my root drive
which installed new versions of telnetd, passwd, ifconfig, ps, top, ssh, and
started eavesdropping on my ssh and authentication logins.
Of course I took it off the net and had to rebuild the whole system, and now
I am not allowing ssh, rsh, telnet or ANY logins. It is not a machine that
needs logins anyway; all it does is VPN proxy and authentication on certain
ports. Anyway.. watch out for it. It puts a directory with all of the setup
programs in /dvsrk.

Thanks again all

alan







Re: I've been hacked by DevilSoul - confusion

2002-01-12 Thread Alan Aldrich

I wish I did know how the hacker got in, but I am pretty sure they won't be
able to now.
Someone mentioned tripwire. Is that a good monitor for hacker activity?

alan

- Original Message -
From: Alvin Oga [EMAIL PROTECTED]
To: Patrice Neff [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, January 11, 2002 7:42 AM
Subject: Re: I've been hacked by DevilSoul - confusion



> hi patrice
>
> yup .. silicon valley has nothing to do with getting back online
> but was intended ... that i could go over and help figure out
> what happened to the box... before the reinstall ...
>
> but never mind... sacramento is not too far away either..
> on the way up to go skiing on a fri-weekend..
>
> - am assuming the server back online by now
>   and know how the hacker got in...
>
> c ya
> alvin
>
> On 11 Jan 2002, Patrice Neff wrote:
>
>> [EMAIL PROTECTED] writes:
>>
>>> if in silicon valley...
>>> you can be back online within 1hr or so...
>>
>> What does Silicon Valley have to do with the time to getting back
>> online?
>>
>>> - maybe just sniffing your passwds ???
>>> - maybe using it to hack other boxes ??
>>
>> Oh if it's not more... ;-)
>>
>>> - you need to see what its doing... and then prevent that from
>>> happening on your next install
>>
>> This can be quite difficult. If you really want to do this you should
>> certainly take the box offline during this time.
 









Re: I've been hacked by DevilSoul

2002-01-12 Thread Alan Aldrich

oh yeah.. by the way, that chkrootkit that someone mentioned pointed me
right to the problems.
that is a great tool.
thanks
alan

- Original Message -
From: Jacques Lav!gnotte [EMAIL PROTECTED]
To: Alvin Oga [EMAIL PROTECTED]
Cc: Alan Aldrich [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Friday, January 11, 2002 4:32 AM
Subject: Re: I've been hacked by DevilSoul








Re: /etc/passwd-shell

2002-01-12 Thread Hubert Chan


>>>>> "Ivan" == Ivan R. writes:

 >> Just make sure that you have some way of doing stuff as root
 >> (e.g. sudo), and that you don't kill single mode.  (Never tried this,
 >> but I don't see why you couldn't do this.)

Ivan> ok for sudo, but what do you mean by "don't kill single mode"?

I think that if you boot into single mode (e.g. type linux single at
the LILO prompt), you'll drop into whatever shell is defined for root.
(Again, I've never tried changing root's shell.)  If you set root's
shell to /bin/false, you won't be able to use single mode, so you may
want to give yourself another back door, in case you need to fix a
messed up configuration file that's preventing your system from starting
up properly.  (But then, I think that linux init=/bin/sh will always
work, so it may be fine to give root a dummy shell.  Again, I've never
tried this, so you're on your own.)

- -- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.






Re: I've been hacked by DevilSoul

2002-01-12 Thread Will Wesley, CCNA

Alan Aldrich wrote:
<Snip>
> Of course I took it off the net and had to rebuild the whole system, and now
> I am not allowing ssh, rsh, telnet or ANY logins. It is not a machine that
> needs logins anyway, all it does is VPN proxy and authentication on certain
> ports.
<Snip>

The way it should be. No unnecessary services.

Alan Aldrich also wrote:
> I wish I did know how the hacker got in, but I am pretty sure they won't be
> able to now.
> Someone mentioned tripwire. Is that a good monitor for hacker activity?
>
> alan

Tripwire monitors for changes. For example, say a cracker adds his own
superuser account to /etc/passwd; tripwire can notify you that there
was a change to that file. This is good for recovering by the "maybe
it'll be safe once I remove all the changes" method and/or identifying a
break-in. However, if you have been following this thread, you will have
noticed the discussions about subverting apps like tripwire, so it is
certainly not fool-proof. And then, even if the tactics involving the
kernel are not used, there is still the possibility of the tripwire
system being compromised too.

Then, shortly thereafter, Alan Aldrich wrote:
> oh yeah.. by the way, that chkrootkit that someone mentioned pointed me
> right to the problems.
> that is a great tool.
> thanks
> alan

I am curious as to how great of a tool it is. I haven't bothered looking
yet, but I assume that it runs along the same lines as AV software for
the lesser OS. Please correct me if I am wrong about this, but I see the
"update for each new virus" approach to be horrible, and I would think
that would be the same tactic used against root kits. Anybody have
comments on this?

-Will Wesley, CCNA
For God's sake, stop researching for a while and begin to think!








configuring Checksecurity to email reports to root

2002-01-12 Thread Stefan Srdic


Hi,

I was going through the Securing Debian HOW-TO and noticed the section on
setuid check (4.11). I would like the checksecurity script to email root
about any changes to the system. Will this work if I have exim installed?

Currently, exim forwards all mail from root to my day-to-day user. I would
like to be able to read any information that this script would have for me
through kmail :D

Has anybody set this up?

Stef






Re: configuring Checksecurity to email reports to root

2002-01-12 Thread Stephen Gran

Thus spake Stefan Srdic:
>
> Hi,
>
> I was going through the Securing Debian HOW-TO and noticed the section on
> setuid check (4.11). I would like the checksecurity script to email root
> about any changes to the system. Will this work if I have exim installed?
>
> Currently, exim forwards all mail from root to my day-to-day user. I would
> like to be able to read any information that this script would have for me
> through kmail :D
>
> Has anybody set this up?
>
> Stef
I'm fairly sure this is handled by /etc/aliases for exim.  I have
lines like:
postmaster: root
root: steve #Steve being my ordinary account, obviously
and it works great.  I think this is part of eximconfig, although I
don't remember exactly.
HTH,
Steve





Re: configuring Checksecurity to email reports to root

2002-01-12 Thread Stefan Srdic

On January 12, 2002 02:28 pm, Stephen Gran wrote:
> Thus spake Stefan Srdic:
>> Hi,
>>
>> I was going through the Securing Debian HOW-TO and noticed the section
>> on setuid check (4.11). I would like the checksecurity script to
>> email root about any changes to the system. Will this work if I have exim
>> installed?
>>
>> Currently, exim forwards all mail from root to my day-to-day user. I
>> would like to be able to read any information that this script would have
>> for me through kmail :D
>>
>> Has anybody set this up?
>>
>> Stef
>
> I'm fairly sure this is handled by /etc/aliases for exim.  I have
> lines like:
> postmaster: root
> root: steve #Steve being my ordinary account, obviously
> and it works great.  I think this is part of eximconfig, although I
> don't remember exactly.
> HTH,
> Steve

You might have misunderstood me; my question was, will the checksecurity
script that runs from cron e-mail its report to root if I have exim
installed?






Re: configuring Checksecurity to email reports to root

2002-01-12 Thread Stephen Gran

Thus spake Stefan Srdic:
> On January 12, 2002 02:28 pm, Stephen Gran wrote:
>> Thus spake Stefan Srdic:
>>> Hi,
>>>
>>> I was going through the Securing Debian HOW-TO and noticed the section
>>> on setuid check (4.11). I would like the checksecurity script to
>>> email root about any changes to the system. Will this work if I have exim
>>> installed?
>>>
>>> Currently, exim forwards all mail from root to my day-to-day user. I
>>> would like to be able to read any information that this script would have
>>> for me through kmail :D
>>>
>>> Has anybody set this up?
>>>
>>> Stef
>>
>> I'm fairly sure this is handled by /etc/aliases for exim.  I have
>> lines like:
>> postmaster: root
>> root: steve #Steve being my ordinary account, obviously
>> and it works great.  I think this is part of eximconfig, although I
>> don't remember exactly.
>> HTH,
>> Steve
>
> You might have misunderstood me; my question was, will the checksecurity
> script that runs from cron e-mail its report to root if I have exim
> installed?
Yes, in fact I did misunderstand.  Sorry.  I have no knowledge of
checksecurity, so I will back out of this.
Steve





RE: configuring Checksecurity to email reports to root

2002-01-12 Thread Jeremy L. Gaddis

I've never used checksecurity, but I assume any reports
it creates will be sent to root.  Assuming you have root
aliased to a regular user account, that's where the reports
will end up.

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]

-Original Message-
From: Stefan Srdic [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 12, 2002 5:59 AM
To: Stephen Gran; [EMAIL PROTECTED]
Subject: Re: configuring Checksecurity to email reports to root


On January 12, 2002 02:28 pm, Stephen Gran wrote:
> Thus spake Stefan Srdic:
>> Hi,
>>
>> I was going through the Securing Debian HOW-TO and noticed the section
>> on setuid check (4.11). I would like the checksecurity script to
>> email root about any changes to the system. Will this work if I have
>> exim installed?
>>
>> Currently, exim forwards all mail from root to my day-to-day user. I
>> would like to be able to read any information that this script would
>> have for me through kmail :D
>>
>> Has anybody set this up?
>>
>> Stef
>
> I'm fairly sure this is handled by /etc/aliases for exim.  I have
> lines like:
> postmaster: root
> root: steve #Steve being my ordinary account, obviously
> and it works great.  I think this is part of eximconfig, although I
> don't remember exactly.
> HTH,
> Steve

You might have misunderstood me; my question was, will the checksecurity
script that runs from cron e-mail its report to root if I have exim
installed?








Re: configuring Checksecurity to email reports to root

2002-01-12 Thread Stefan Srdic

On January 12, 2002 03:18 pm, Jeremy L. Gaddis wrote:

> I've never used checksecurity, but I assume any reports
> it creates will be sent to root.  Assuming you have root
> aliased to a regular user account, that's where the reports
> will end up.
>
> j.
>
> --
> Jeremy L. Gaddis [EMAIL PROTECTED]


I just tested it and it works!! I wasn't sure that it would; the details
available weren't very specific.

Thanks,

Stef






[security] What's being done?

2002-01-12 Thread Daniel Stone

Considering that an upload hasn't been made to rectify this root hole,
why hasn't something else been done about it - regular or security NMU?
One would think that this is definitely serious.

Oh and BTW, Slackware released an update today. Without trolling, I can
say that I was honestly surprised to note that Debian, a distro with
~850 developers and a dedicated security team, is behind Slackware on
security issues.

d

-- 
Daniel Stone[EMAIL PROTECTED]
WARNING: The consumption of alcohol may make you think you have mystical
 Kung Fu powers, resulting in you getting your arse kicked.





Re: Bug#126441: [security] What's being done?

2002-01-12 Thread Ben Collins

 
> Ben is merely behind with updating the BTS, by the looks of it...
 

Can't close it till I fix woody/sid too. Which will be when 2.2.5 is
released (days).

-- 
 .--===-=-==-=---==-=-.
/   Ben Collins--Debian GNU/Linux  \
`  [EMAIL PROTECTED]  --  [EMAIL PROTECTED]  --  [EMAIL PROTECTED]  '
 `---=--===-=-=-=-===-==---=--=---'






Re: SSH configuration problem

2002-01-12 Thread Karl E. Jorgensen

On Mon, Jan 07, 2002 at 08:00:02PM +0100, Luc MAIGNAN wrote:
> Hi,
>
> my SSH connections don't go to the 'auth.log' file, but the sshd_config seems
> to be good. What can happen ?

Without much information to go on, I would have a stab at
/etc/syslog.conf... Do you currently have *anything* ending up in
auth.log (e.g. su should be logged in here by default)?

If you have other stuff going to auth.log, then chances are that your
/etc/syslog.conf is OK, but your sshd_config is somehow at fault.

Hope this helps

 Best regards

-- 
Karl E. Jørgensen
[EMAIL PROTECTED]
www.karl.jorgensen.com
 Today's fortune:
   1. is qmail as secure as they say?

Depends on what they were saying, but most likely yes.
-- Seen on debian-devel





Re: [security] What's being done?

2002-01-12 Thread Wichert Akkerman

Previously Daniel Stone wrote:
> Considering that an upload hasn't been made to rectify this root hole,
> why hasn't something else been done about it - regular or security NMU?
> One would think that this is definitely serious.

Waiting for the m68k build, I intend to release a DSA tomorrow.

Wichert.

-- 
  _
 [EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |






Re: SSH configuration problem

2002-01-12 Thread Will Aoki

On Mon, Jan 07, 2002 at 08:00:02PM +0100, Luc MAIGNAN wrote:
> Hi,
>
> my SSH connections don't go to the 'auth.log' file, but the sshd_config seems
> to be good. What can happen ?

Do you mean that you're not seeing *any* messages from sshd in the log
file, or that sshd is logging, but that you only get messages about
authentication, and not about connections being established - this:

Jan 12 20:56:04 badkey sshd[14882]: Accepted password for waoki from 127.0.0.1 port 4075 ssh2

instead of this:

Jan 12 20:54:43 badkey sshd[14848]: Connection from 127.0.0.1 port 4074
Jan 12 20:54:43 badkey sshd[14848]: Enabling compatibility mode for protocol 2.0
Jan 12 20:54:43 badkey sshd[14848]: Failed none for waoki from 127.0.0.1 port 4074 ssh2
Jan 12 20:54:46 badkey sshd[14848]: Accepted password for waoki from 127.0.0.1 port 4074 ssh2

If so, you need to change a line in /etc/ssh/sshd_config from the
default:

LogLevel INFO

to

LogLevel VERBOSE

and restart the ssh daemon.


The name chosen for that configuration directive bothers me a bit,
because it's too easily mistaken for a syslog priority level - to someone
who hasn't gone through the sshd manpage, the default configuration looks
like it means "log at auth.info", not "use verbosity level info".

-- 
William Aoki [EMAIL PROTECTED]   /\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92  \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B   X
   / \
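
As an added example (not code from the thread or from OpenSSH), two small checks for what the message above describes: which LogLevel a given sshd_config will actually apply (keywords are case-insensitive, the first occurrence of a keyword wins, and the default is INFO), and whether a syslog excerpt contains the per-connection lines that only appear from VERBOSE upward. The two sshd_config fragments are constructed; the log lines are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: check sshd's effective LogLevel and what a log excerpt
# reveals about it. Not code from the thread or from OpenSSH.

# Constructed sshd_config fragments (assumed content, not a real host).
# sshd_config(5): keywords are case-insensitive and, for each keyword,
# the first value obtained is the one used.
CONFIG_DEFAULT='Port 22
SyslogFacility AUTH
#LogLevel VERBOSE
Protocol 2'

CONFIG_VERBOSE='Port 22
SyslogFacility AUTH
loglevel verbose
LogLevel INFO
Protocol 2'

# Log lines as quoted in the message above (hostname and ports as given there).
LOG_AT_VERBOSE='Jan 12 20:54:43 badkey sshd[14848]: Connection from 127.0.0.1 port 4074
Jan 12 20:54:43 badkey sshd[14848]: Enabling compatibility mode for protocol 2.0
Jan 12 20:54:43 badkey sshd[14848]: Failed none for waoki from 127.0.0.1 port 4074 ssh2
Jan 12 20:54:46 badkey sshd[14848]: Accepted password for waoki from 127.0.0.1 port 4074 ssh2'

LOG_AT_INFO='Jan 12 20:56:04 badkey sshd[14882]: Accepted password for waoki from 127.0.0.1 port 4075 ssh2'

# sshd_loglevel FILE: print the LogLevel sshd would use, upper-cased;
# INFO when the file sets none. Comment lines are skipped, and the first
# (case-insensitive) LogLevel keyword wins over any later one.
sshd_loglevel() {
    level=$(awk '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == "loglevel" { print toupper($2); exit }
    ' "$1")
    printf '%s\n' "${level:-INFO}"
}

# sshd_log_summary FILE: count sshd connection, accepted and failed lines.
# Output: "connections=N accepted=N failed=N".
sshd_log_summary() {
    awk '
        / sshd\[[0-9]+\]: / {
            if ($0 ~ /: Connection from /)      c++
            else if ($0 ~ /: Accepted /)        a++
            else if ($0 ~ /: Failed /)          f++
        }
        END { printf "connections=%d accepted=%d failed=%d\n", c, a, f }
    ' "$1"
}

# loglevel_from_log FILE: infer the level from the log itself. "Connection
# from" lines are only written at VERBOSE or above; without them the
# daemon is at INFO (or lower) and you only see authentication outcomes.
loglevel_from_log() {
    if grep -q 'sshd\[[0-9]*\]: Connection from ' "$1"; then
        echo VERBOSE
    else
        echo INFO
    fi
}

# Stand-alone demonstration on the constructed config and the quoted log lines.
cfg=$(mktemp); log=$(mktemp)
printf '%s\n' "$CONFIG_DEFAULT" > "$cfg"
echo "default config  -> LogLevel $(sshd_loglevel "$cfg")"
printf '%s\n' "$CONFIG_VERBOSE" > "$cfg"
echo "verbose config  -> LogLevel $(sshd_loglevel "$cfg")"
printf '%s\n' "$LOG_AT_INFO" > "$log"
echo "INFO-style log  -> $(sshd_log_summary "$log") (looks like $(loglevel_from_log "$log"))"
printf '%s\n' "$LOG_AT_VERBOSE" > "$log"
echo "VERBOSE-style   -> $(sshd_log_summary "$log") (looks like $(loglevel_from_log "$log"))"
rm -f "$cfg" "$log"
```

On a live host, `sshd_loglevel /etc/ssh/sshd_config` and `loglevel_from_log /var/log/auth.log` should agree; if the config says VERBOSE but the log shows no connection lines, the daemon has not been restarted since the change.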






Re: /etc/passwd-shell

2002-01-12 Thread Christian Hammers

On Mon, Jan 14, 2002 at 06:52:49AM -0500, Ivan R. wrote:
>> to, I can see no reason why not giving a user, that has *no* password,
>> a shell.
>
> if a user doesn't need a shell,
> why should we give him one?

Because a sysadmin might like to execute scripts under this uid via sudo,
as he thinks it's a security gain not to run every cron script as root.
(Security in this case more in the sense of being sure that this script does
not 'rm -rf /' and being sure that he does not forget a chown afterwards,
which could otherwise be necessary.)

> but I think a Linux distribution like Debian
> must be coherent: why do www-data and mail have a shell
> and not mysql???

Well, um, as the mysql maintainer I should be able to tell, but mainly
I guess it is because I was told (years ago) the same thing, that /bin/bash in
/etc/passwd is a security problem. In the meantime I haven't found a
valid argument for this statement, but I can't change it easily because
people could have used the mysql account for e.g. an ftp user (for whatever
reason), and if I gave this user a shell they would immediately, and
maybe without the admin realizing it, be able to log in via ssh.

BTW, speaking of FTP servers, I would encourage everybody to use recent
servers like e.g. proftpd which have their own passwd/group files and need
the system accounts only to get the UID, and ignore the system's shell and
password, so a www-data user could not log in via ssh even if he had a valid
ftp account and a valid shell in /etc/passwd.

bye,

-christian-
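
As an added example (not from this thread or any of its posters), a small audit script for the point debated above: it reads a passwd-format file and lists the system accounts that still have an interactive shell, treating /bin/false, the nologin shells and /bin/sync as non-login shells. The sample passwd entries, the 999 UID cut-off and the non-login shell list are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for system accounts that still
# carry an interactive shell. Not code from the thread; the sample data
# below is constructed.

# Shells that cannot start an interactive login. /bin/sync is included
# because, as noted in the thread, the sync account exists to flush
# filesystem buffers, not to log in. (Assumed list; adjust per system.)
NOLOGIN_SHELLS="/bin/false /usr/sbin/nologin /sbin/nologin /bin/sync"

# Constructed sample in /etc/passwd format, not taken from a real host.
# "locked" has an empty shell field, which login(1) treats as /bin/sh.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/false
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:100:101:MySQL Server:/var/lib/mysql:/bin/false
ftp:x:102:65534::/home/ftp:/usr/sbin/nologin
locked:x:103:103::/nonexistent:
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# write_sample_passwd FILE: write the constructed sample to FILE.
write_sample_passwd() {
    printf '%s\n' "$SAMPLE_PASSWD" > "$1"
}

# system_accounts_with_shell FILE [MAX_UID]
# Print "user:uid:shell" for every account whose uid is at most MAX_UID
# (default 999, the usual top of the system-account range) and whose shell
# is not one of NOLOGIN_SHELLS. Root is reported too, since the thread
# debates whether even root needs an interactive shell in /etc/passwd.
system_accounts_with_shell() {
    awk -F: -v max="${2:-999}" -v nologin="$NOLOGIN_SHELLS" '
        BEGIN {
            n = split(nologin, list, " ")
            for (i = 1; i <= n; i++) deny[list[i]] = 1
        }
        $0 ~ /^#/ || NF < 7 { next }       # comments and malformed lines
        $3 > max { next }                  # regular users are out of scope
        {
            shell = ($7 == "") ? "/bin/sh" : $7
            if (!(shell in deny)) printf "%s:%s:%s\n", $1, $3, shell
        }' "$1"
}

# count_findings FILE: number of flagged accounts, as a bare integer.
count_findings() {
    system_accounts_with_shell "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration against the constructed sample.
demo_file=$(mktemp)
write_sample_passwd "$demo_file"
echo "system accounts with an interactive shell:"
system_accounts_with_shell "$demo_file"
echo "flagged: $(count_findings "$demo_file")"
rm -f "$demo_file"
```

Against a live host, `system_accounts_with_shell /etc/passwd` prints the accounts to either switch to /bin/false or justify, following the argument made in the thread.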






Re: configuring Checksecurity to email reports to root

2002-01-12 Thread Jacques Lav!gnotte

On Sat, Jan 12, 2002 at 03:59:12AM -0700, Stefan Srdic wrote:
> On January 12, 2002 02:28 pm, Stephen Gran wrote:
>> Thus spake Stefan Srdic:
>>> Hi,
>
> You might have misunderstood me; my question was, will the checksecurity
> script that runs from cron e-mail its report to root if I have exim
> installed?

Exim doesn't report anything by itself.

Only the MUA (mailx, mutt, any MUA) can drive a report the right way to you.

All Unix scripts/programs talk to stdout, so a simple prayer like:

/usr/local/cqritytchek | mutt -x -s Subject [EMAIL PROTECTED]

will send me the report issued by cqritytchek,

no matter whether you run Exim, Sendmail or Postfix.

hth, Jacques
-- 

0CBE 3F8A 5A77 A35C 27C7  2D42 3EC5 806B 9178 088D
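
As an added example (not code from the thread or from exim), a resolver for the hop the thread was unsure about: cron mails checksecurity's output to root, and the MTA rewrites root through /etc/aliases, so following the alias chain tells you which mailbox the report will land in. The aliases file below is constructed around the `postmaster: root` and `root: steve` lines quoted earlier, with a multi-target entry and a deliberate loop added as assumptions to show how those are handled.

```shell
#!/bin/sh
# Added example: follow /etc/aliases to find where mail for "root" ends
# up. Not code from the thread or from exim; the sample file is constructed.

# Constructed aliases file, "name: target[, target...]" per line, built
# around the postmaster/root lines quoted in the thread. "security" fans
# out to two targets and loop-a/loop-b form a deliberate cycle.
SAMPLE_ALIASES='# /etc/aliases (constructed sample)
postmaster: root
abuse: postmaster
security: root, audit-log
root: steve
loop-a: loop-b
loop-b: loop-a'

# write_sample_aliases FILE: write the constructed sample to FILE.
write_sample_aliases() {
    printf '%s\n' "$SAMPLE_ALIASES" > "$1"
}

# alias_target FILE NAME: print the right-hand side of NAME's entry with
# leading blanks removed, or nothing when NAME has no alias.
alias_target() {
    awk -F: -v name="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        $1 == name { sub(/^[ \t]+/, "", $2); print $2; exit }
    ' "$1"
}

# resolve_alias FILE NAME [SEEN]
# Print one final recipient per line, following alias chains and fan-out.
# SEEN carries the names already visited on this chain; revisiting one
# prints "LOOP:<name>" so a cycle is reported instead of silently looping.
# The body runs in a subshell so recursion does not clobber variables.
resolve_alias() (
    file="$1"; name="$2"; seen="${3:-}"
    case " $seen " in
        *" $name "*) echo "LOOP:$name"; exit 0 ;;
    esac
    target=$(alias_target "$file" "$name")
    if [ -z "$target" ]; then
        echo "$name"                   # a real mailbox, chain ends here
        exit 0
    fi
    printf '%s\n' "$target" | tr ',' '\n' | while read -r t; do
        if [ -n "$t" ]; then           # read already trimmed the blanks
            resolve_alias "$file" "$t" "$seen $name"
        fi
    done
)

# final_recipients FILE NAME: the unique final recipients, sorted and
# comma-joined, e.g. "audit-log,steve".
final_recipients() {
    resolve_alias "$1" "$2" | LC_ALL=C sort -u | paste -s -d ',' -
}

# Stand-alone demonstration on the constructed sample.
demo=$(mktemp)
write_sample_aliases "$demo"
for who in root postmaster security loop-a nobody-here; do
    echo "mail for $who -> $(final_recipients "$demo" "$who")"
done
rm -f "$demo"
```

Pointing `final_recipients` at the real /etc/aliases with the name `root` answers the thread's question for your own host; a `LOOP:` result means the report would bounce rather than arrive.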







Re: [d-security] Re: /etc/passwd-shell

2002-01-12 Thread \Ivan R.\
En réponse à Christian Hammers [EMAIL PROTECTED]:


 Apart from the ftp users which (sometimes) need their ftp password to
 be stored in /etc/shadow and thus would making it a valid login
 password
 to, I can see no reason why not giving a user, that has *no* password,
 a shell. 

ok, but we can see that at the opposite,
if a user don t need a shell,
why should we give him one?
and perhaps am i too stiff (excuse me for my english :p)
but i thing a linux distribution like the debian
must be coherent :
why www-data and mail have got a shell
and not mysql???
it s just a principle for me :D

 Without a password in /etc/shadow or /etc/passwd he could not login
 and
 if someone cracks the server with i.e. a buffer overflow he does not
 depend on the passwd entries but executes /bin/bash directly.

ok, that s right.

 On the other hand when executing su -c daemonxy cronscriptxy from 
 your crontab or similar than you need a valid shell because the shell
 relies on it when executing child programs.

ok

 BTW: for ftp and pop3 users I could imagine /bin/passwd beeing a nice
 shell
  because it would allow the users to change their password via ssh.

thanks for this advice,
and for all the rest

;D

-
Ivan R.
sysadmin



Re: How can I change my domainname on my server

2002-01-12 Thread Hendrik Naumann
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi

 I Have a trouble with my e-mail server. I have to change it to my
 domain name and not .local ...
 I need mailserver.domainname.no

If I want to change hostname or IP I use a combination of find grep 
and sed and just replace every occurance under /etc or even / of the 
old string with the new. That may be a verry crude aproach but it 
worked perfectly for several times. However I'm not shure with NIS.

Hendrik

- -- 
PGP ID 21F0AC0265C92061
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.3 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8QHFgIfCsAmXJIGERAiocAJ9oSvMBB6A501tEw4gYqgpEOAsJ9wCeOGgt
Ugggt9XLusizWLDSnQu88tg=
=4hEK
-END PGP SIGNATURE-



Re: I've been hacked by DevilSoul

2002-01-12 Thread Alan Aldrich
Thanks to all who responded.
The DevilSoul rootkit was a nasty one which planted a man-in-the-middle
attack on my debian linux box. Apparently I was not secure enough or
watchful enough , as the intruder was able to install a kit on my root drive
which installed new versions of telnetd, passwd, ifconfig, ps, top, ssh, and
started evesdropping on my ssh and authentication logins.
Of course I took it off the net and had to rebuild the whole system, and now
I am not allowing ssh, rsh, telnet or ANY logins. It is not a machine that
needs logins anyway, all it does is VPN proxy and authentication on certain
ports. Anyway.. watch out for it. It puts a directory with all of the setup
programs in /dvsrk

Thanks again all

alan




Re: I've been hacked by DevilSoul - confusion

2002-01-12 Thread Alan Aldrich
I wish I did know how the hacker got in, but I am pretty sure they won't be
able to now.
Someone mentioned tripwire. Is that a good monitor for hacker activity?

alan

- Original Message -
From: Alvin Oga [EMAIL PROTECTED]
To: Patrice Neff [EMAIL PROTECTED]
Cc: debian-security@lists.debian.org
Sent: Friday, January 11, 2002 7:42 AM
Subject: Re: I've been hacked by DevilSoul - confusion



 hi patrice

 yup .. sillicon valley has nothing to do with getting backonline
 but was intended ...that i could go over ahd help figure out
 what happened to the box... before the reinstall ...

 but never mind... scaramento is not too far awayeither..
 on the way up to go skiing on a fri-weekend..

 - am assuming the server back online by now
   and know how they hacker got in...

 c ya
 alvin

 On 11 Jan 2002, Patrice Neff wrote:

  [EMAIL PROTECTED] writes:
 
   if in silicon valley...
   you can be back online within 1hr or so...
 
  What does the Silicon Valley have to do with the time to getting back
  online?
 
   - maybe just sniffing your passwds ???
   - maybe using it to hack other boxes ??
 
  Oh if it's not more... ;-)
 
   - you need to see what its doing... and than prevent that from
 happening on oyour next install
 
  This can be quite difficult. If you really want to do this you should
  certainely take the box offline during this time.
 


 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]




Re: I've been hacked by DevilSoul

2002-01-12 Thread Alan Aldrich
oh yeah.. by the way, that chkrootkit that someone mentioned pointed me
right to the problems.
that is a great tool.
thanks
alan

- Original Message -
From: Jacques Lav!gnotte [EMAIL PROTECTED]
To: Alvin Oga [EMAIL PROTECTED]
Cc: Alan Aldrich [EMAIL PROTECTED];
debian-security@lists.debian.org
Sent: Friday, January 11, 2002 4:32 AM
Subject: Re: I've been hacked by DevilSoul





Re: /etc/passwd-shell

2002-01-12 Thread Hubert Chan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 Ivan == \Ivan R \ Ivan writes:

 Just make sure that you have some way of doing stuff as root
 (e.g. sudo), and that you don't kill single mode.  (Never tried this,
 but I don't see why you couldn't do this.)

Ivan ok for sudo, but what do you mean by don t kill single mode?

I think that if you boot into single mode (e.g. type linux single at
the LILO prompt), you'll drop into whatever shell is defined for root.
(Again, I've never tried changing root's shell.)  If you set root's
shell to /bin/false, you won't be able to use single mode, so you may
want to give yourself another back door, in case you need to fix a
messed up configuration file that's preventing your system from starting
up properly.  (But then, I think that linux init=/bin/sh will always
work, so it may be fine to give root a dummy shell.  Again, I've never
tried this, so you're on your own.)

- -- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8QJKuZRhU33H9o38RArscAJ9sdsmVQGz8wLiWspIeg6Rp/018UQCgjNMF
Nv45t7pBCT55bZ8CLKaH29A=
=UVpI
-END PGP SIGNATURE-



Re: I've been hacked by DevilSoul

2002-01-12 Thread Will Wesley, CCNA
Alan Aldrich wrote:
Snip
 Of course I took it off the net and had to rebuild the whole system, and now
 I am not allowing ssh, rsh, telnet or ANY logins. It is not a machine that
 needs logins anyway, all it does is VPN proxy and authentication on certain
 ports.
Snip

The way it should be. No unnesescary services.

Alan Aldrich also wrote:
 I wish I did know how the hacker got in, but I am pretty sure they won't be
 able to now.
 Someone mentioned tripwire. Is that a good monitor for hacker activity?
 
 alan

tripwire monitors for changes. in example, say a cracker adds his own
super user account to /etc/passwd, tripwire can notify you that there
was a change to that file. this is good for recovering by the maybe
it'll be safe once i remove all the changes method and/or identifying a
break in. however if you have been following this thread, you will have
noticed the discussions about subverting apps like tripwire, so it is
certainly not fool-proof. and then even if the tactics involving the
kernel are not used, there is still the possibilty of the tripwire
system to be compromised also.

Then, shortly thereafter, Alan Aldrich wrote:
 oh yeah.. by the way, that chkrootkit that someone mentioned pointed me
 right to the problems.
 that is a great tool.
 thanks
 alan

I am curious as to how great of a tool it is. I haven't bothered looking
yet, but I assume that it runs along the same lines as AV software for
the lesser OS. Please correct me if I am wrong about this, but I see the
update for each new virus approach to be horrible, and I would think
that would be the same tactic used against root kits. Anybody have
comments on this?

-Will Wesley, CCNA
For God's sake, stop researching for a while and begin to think!

_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com




configuring Checksecurity to email reports to root

2002-01-12 Thread Stefan Srdic

Hi,

I was going through the Securing Debian HOW-TO and noticed the section on 
setuid check (4.11). I would like for the checksecurity script to email root 
of any changes to the system. Will this work if I have exim installed?

Currently, exim forwards all mail from root to my day-to-day user. I would 
like to be able to read any information that this script would have for me 
through kmail :D

Has anybody set this up?

Stef



Re: configuring Checksecurity to email reports to root

2002-01-12 Thread Stephen Gran
Thus spake Stefan Srdic:
 
 Hi,
 
 I was going through the Securing Debian HOW-TO and noticed the section on 
 setuid check (4.11). I would like for the checksecurity script to email root 
 of any changes to the system. Will this work if I have exim installed?
 
 Currently, exim forwards all mail  from root to my day-to-day user. I would 
 like to be able to read any information that this script would have for me 
 through kmail :D
 
 Has anybody set this up?
 
 Stef
I'm fairly sure this is handled by /etc/aliases for exim.  I have
lines like:
postmaster: root
root: steve #Steve being my ordinary account, obviously
and it works great.  I think this is part of eximconfig, although I
don't remember exactly.
HTH,
Steve




Re: configuring Checksecurity to email reports to root

2002-01-12 Thread Stefan Srdic
On January 12, 2002 02:28 pm, Stephen Gran wrote:
 Thus spake Stefan Srdic:
  Hi,
 
  I was going through the Securing Debian HOW-TO and noticed the section
  on setuid check (4.11). I would like for the checksecurity script to
  email root of any changes to the system. Will this work if I have exim
  installed?
 
  Currently, exim forwards all mail  from root to my day-to-day user. I
  would like to be able to read any information that this script would have
  for me through kmail :D
 
  Has anybody set this up?
 
  Stef

 I'm fairly sure this is handled by /etc/aliases for exim.  I have
 lines like:
 postmaster: root
 root: steve #Steve being my ordinary account, obviously
 and it works great.  I think this is part of eximconfig, although I
 don't remember exactly.
 HTH,
 Steve

You might have misunderstood me; my question was, will the checksecurity 
script that runs from cron e-mail its report to root if I have exim 
installed?



Re: configuring Checksecurity to email reports to root

2002-01-12 Thread Stephen Gran
Thus spake Stefan Srdic:
 On January 12, 2002 02:28 pm, Stephen Gran wrote:
  Thus spake Stefan Srdic:
   Hi,
  
   I was going through the Securing Debian HOW-TO and noticed the section
   on setuid check (4.11). I would like for the checksecurity script to
   email root of any changes to the system. Will this work if I have exim
   installed?
  
   Currently, exim forwards all mail  from root to my day-to-day user. I
   would like to be able to read any information that this script would have
   for me through kmail :D
  
   Has anybody set this up?
  
   Stef
 
  I'm fairly sure this is handled by /etc/aliases for exim.  I have
  lines like:
  postmaster: root
  root: steve #Steve being my ordinary account, obviously
  and it works great.  I think this is part of eximconfig, although I
  don't remember exactly.
  HTH,
  Steve
 
 You might have misunderstood me; my question was, will the checksecurity 
 script that runs from cron e-mail its report to root if I have exim 
 installed?
Yes, in fact I did misunderstand.  Sorry.  I have no knowledge of
checksecurity, so I will back out of this.
Steve




RE: configuring Checksecurity to email reports to root

2002-01-12 Thread Jeremy L. Gaddis
I've never used checksecurity, but I assume any reports
it creates will be sent to root.  Assuming you have root
aliased to a regular user account, that's where the reports
will end up.

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]

-Original Message-
From: Stefan Srdic [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 12, 2002 5:59 AM
To: Stephen Gran; debian-security@lists.debian.org
Subject: Re: configuring Checksecurity to email reports to root


On January 12, 2002 02:28 pm, Stephen Gran wrote:
 Thus spake Stefan Srdic:
  Hi,
 
  I was going through the Securing Debian HOW-TO and noticed the section
  on setuid check (4.11). I would like for the checksecurity script to
  email root of any changes to the system. Will this work if I have exim
  installed?
 
  Currently, exim forwards all mail from root to my day-to-day user. I
  would like to be able to read any information that this script would have
  for me through kmail :D
 
  Has anybody set this up?
 
  Stef

 I'm fairly sure this is handled by /etc/aliases for exim.  I have
 lines like:
 postmaster: root
 root: steve #Steve being my ordinary account, obviously
 and it works great.  I think this is part of eximconfig, although I
 don't remember exactly.
 HTH,
 Steve

You might have misunderstood me; my question was, will the checksecurity
script that runs from cron e-mail its report to root if I have exim
installed?




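Stephen's /etc/aliases lines above, and Jeremy's point that mail for root lands wherever root is aliased, can be checked mechanically rather than by sending a test message. The following added example (written for this thread; it is neither code from the list nor exim's own alias handling) parses aliases(5)-style text and follows alias chains to their final recipients, refusing alias loops. The sample table is constructed from the lines quoted above plus an invented "security" alias; the audit@example.invalid address and the has_loop helper are assumptions for the demonstration. Trailing "#" comments are stripped only so that Stephen's annotated line parses; aliases(5) documents only whole-line "#" comments, so do not rely on trailing ones in a real file.

```python
def parse_aliases(text):
    """Parse aliases(5)-style 'name: target, target' lines into a dict.

    Trailing '#' text is stripped here so the thread's annotated sample parses;
    the real format only treats lines that *begin* with '#' as comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, targets = line.partition(":")
        if not sep:
            raise ValueError(f"malformed alias line: {raw!r}")
        table[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return table


def resolve(table, name, _seen=None):
    """Follow alias chains to the set of final local users / external addresses.

    Raises ValueError on a loop (a: b, b: a), which a real MTA would also refuse."""
    seen = set() if _seen is None else _seen
    key = name.lower()
    if key in seen:
        raise ValueError(f"alias loop at {name}")
    if key not in table:
        return {name}  # not an alias: a local mailbox or an external address
    seen = seen | {key}
    out = set()
    for target in table[key]:
        out |= resolve(table, target, seen)
    return out


def has_loop(table, name):
    """True if resolving name would never terminate (hypothetical helper)."""
    try:
        resolve(table, name)
    except ValueError:
        return True
    return False


# Constructed sample, modelled on the lines quoted in the thread plus one invented alias.
SAMPLE = """\
# system aliases
postmaster: root
root: steve #Steve being my ordinary account, obviously
security: root, audit@example.invalid
"""

if __name__ == "__main__":
    table = parse_aliases(SAMPLE)
    for alias in ("postmaster", "root", "security"):
        print(f"{alias:11s} -> {sorted(resolve(table, alias))}")
```

Pointing it at a real /etc/aliases shows at a glance whether a cron-driven report addressed to root ends up in a mailbox somebody actually reads, which is the question Stefan was asking.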

Re: configuring Checksecurity to email reports to root

2002-01-12 Thread Stefan Srdic
On January 12, 2002 03:18 pm, Jeremy L. Gaddis wrote:

 I've never used checksecurity, but I assume any reports
 it creates will be sent to root.  Assuming you have root
 aliased to a regular user account, that's where the reports
 will end up.

 j.

 --
 Jeremy L. Gaddis [EMAIL PROTECTED]


I just tested it and it works!! I wasn't sure that it would; the details 
available weren't very specific.

Thanks,

Stef



[security] What's being done?

2002-01-12 Thread Daniel Stone
Considering that an upload hasn't been made to rectify this root hole,
why hasn't something else been done about it - regular or security NMU?
One would think that this is definitely serious.

Oh and BTW, Slackware released an update today. Without trolling, I can
say that I was honestly surprised to note that Debian, a distro with
~850 developers and a dedicated security team, is behind Slackware on
security issues.

d

-- 
Daniel Stone [EMAIL PROTECTED]
WARNING: The consumption of alcohol may make you think you have mystical
 Kung Fu powers, resulting in you getting your arse kicked.




Re: [security] What's being done?

2002-01-12 Thread Josip Rodin
On Sun, Jan 13, 2002 at 10:38:40AM +1100, Daniel Stone wrote:
 Considering that an upload hasn't been made to rectify this root hole,
 why hasn't something else been done about it - regular or security NMU?
 One would think that this is definitely serious.

I saw this recently...

From: Ben Collins [EMAIL PROTECTED]
To: debian-changes@lists.debian.org
Subject: Installed glibc 2.1.3-20 (i386 sparc source all)
[...]
Date: Wed,  9 Jan 2002 01:34:56 -0500
Source: glibc
[...]
Architecture: source all sparc i386
Version: 2.1.3-20
Distribution: stable
[...]
Changes:
 glibc (2.1.3-20) stable; urgency=high
 .
   * Glob security patch.

Is that what you are looking for?

 Oh and BTW, Slackware released an update today. Without trolling, I can
 say that I was honestly surprised to note that Debian, a distro with
 ~850 developers and a dedicated security team, is behind Slackware on
 security issues.

Ben is merely behind with updating the BTS, by the looks of it...

-- 
 2. That which causes joy or happiness.



Re: SSH configuration problem

2002-01-12 Thread Will Aoki
On Mon, Jan 07, 2002 at 08:00:02PM +0100, Luc MAIGNAN wrote:
 Hi,
 
 my SSH connections don't go to the 'auth.log' file, but the sshd_config seems 
 to be good. What can happen?

Do you mean that you're not seeing *any* messages from sshd in the log
file, or that sshd is logging, but you only get messages about
authentication and not about connections being established, i.e. this:

Jan 12 20:56:04 badkey sshd[14882]: Accepted password for waoki from 127.0.0.1 port 4075 ssh2

instead of this:

Jan 12 20:54:43 badkey sshd[14848]: Connection from 127.0.0.1 port 4074
Jan 12 20:54:43 badkey sshd[14848]: Enabling compatibility mode for protocol 2.0
Jan 12 20:54:43 badkey sshd[14848]: Failed none for waoki from 127.0.0.1 port 4074 ssh2
Jan 12 20:54:46 badkey sshd[14848]: Accepted password for waoki from 127.0.0.1 port 4074 ssh2

If so, you need to change a line in /etc/ssh/sshd_config from the
default:

LogLevel INFO

to

LogLevel VERBOSE

and restart the ssh daemon.


The name chosen for that configuration directive bothers me a bit,
because it's too easily mistaken for a syslog priority level - to someone
who hasn't gone through the sshd manpage, the default configuration looks
like it means 'log at auth.info', not 'use verbosity level info'.

-- 
William Aoki [EMAIL PROTECTED]   /\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92  \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B   X
   / \
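A short added example (Python; not from the thread and not OpenSSH's own code) that parses the auth.log lines Will quoted, groups them by sshd child process, and uses the presence or absence of "Connection from" lines to tell whether sshd is still running at LogLevel INFO. It also counts real password failures per source address, ignoring the "Failed none" line, which is only the client's initial probe for the allowed authentication methods. The two failed-password lines from 192.0.2.7 are constructed for the demonstration; the optional "invalid user" prefix in the regular expression is an assumption about later sshd versions, not something shown in the thread.

```python
import re
from collections import defaultdict

# Syslog line as written by the sshd in the thread: "Mon DD HH:MM:SS host sshd[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "Connection from IP port N" is only written at LogLevel VERBOSE.
CONN_RE = re.compile(r"^Connection from (?P<ip>\S+) port (?P<port>\d+)")
# Accepted/Failed lines appear at INFO. "Failed none" is the client's probe for
# allowed methods, not a wrong password. The "invalid user" prefix is an
# assumption about newer sshd versions and does not occur in the thread's lines.
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse(lines):
    """Turn raw auth.log lines into connect/accepted/failed events tagged with the sshd pid."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        c = CONN_RE.match(msg)
        if c:
            events.append({"pid": pid, "kind": "connect", "ip": c["ip"], "port": int(c["port"])})
            continue
        a = AUTH_RE.match(msg)
        if a:
            events.append({"pid": pid, "kind": a["result"].lower(), "method": a["method"],
                           "user": a["user"], "ip": a["ip"], "port": int(a["port"])})
    return events


def sessions(events):
    """Group events per sshd child process (one child per TCP connection)."""
    s = defaultdict(lambda: {"connect": None, "attempts": [], "accepted": None})
    for e in events:
        rec = s[e["pid"]]
        if e["kind"] == "connect":
            rec["connect"] = (e["ip"], e["port"])
        elif e["kind"] == "failed":
            rec["attempts"].append((e["user"], e["method"]))
        elif e["kind"] == "accepted":
            rec["accepted"] = (e["user"], e["method"])
    return dict(s)


def loglevel_hint(sess):
    """Accepted logins with no matching 'Connection from' line mean sshd is still at LogLevel INFO."""
    accepted = [r for r in sess.values() if r["accepted"]]
    if not accepted:
        return "unknown"
    return "VERBOSE" if all(r["connect"] for r in accepted) else "INFO"


def failed_by_ip(events):
    """Count genuine authentication failures per source address (the 'none' probe is skipped)."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "failed" and e["method"] != "none":
            counts[e["ip"]] += 1
    return dict(counts)


# Will's quoted lines, each on a single line, plus two constructed failed-password
# lines from a documentation address (192.0.2.7) to exercise the counter.
INFO_LOG = [
    "Jan 12 20:56:04 badkey sshd[14882]: Accepted password for waoki from 127.0.0.1 port 4075 ssh2",
]
VERBOSE_LOG = [
    "Jan 12 20:54:43 badkey sshd[14848]: Connection from 127.0.0.1 port 4074",
    "Jan 12 20:54:43 badkey sshd[14848]: Enabling compatibility mode for protocol 2.0",
    "Jan 12 20:54:43 badkey sshd[14848]: Failed none for waoki from 127.0.0.1 port 4074 ssh2",
    "Jan 12 20:54:46 badkey sshd[14848]: Accepted password for waoki from 127.0.0.1 port 4074 ssh2",
    "Jan 12 21:03:10 badkey sshd[14901]: Connection from 192.0.2.7 port 50212",
    "Jan 12 21:03:12 badkey sshd[14901]: Failed password for waoki from 192.0.2.7 port 50212 ssh2",
    "Jan 12 21:03:15 badkey sshd[14901]: Failed password for waoki from 192.0.2.7 port 50212 ssh2",
]

if __name__ == "__main__":
    for name, log in (("INFO sample", INFO_LOG), ("VERBOSE sample", VERBOSE_LOG)):
        ev = parse(log)
        print(name, "->", loglevel_hint(sessions(ev)), failed_by_ip(ev))
```

Feeding it a real auth.log after the LogLevel change is a quick way to confirm that the restart took effect: once every accepted session has its "Connection from" line, the hint flips from INFO to VERBOSE.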