Hey Everyone,

This is pretty important. If you run a DNS server, upgrade to 8.2.2P5 ASAP. There is a root exploit against it! There is other stuff in here that will help with DNS security, etc.

P.S. 296 update users and counting. Still pretty low I think, but wait until the new SANS book "Securing Linux: Step-by-Step" co-authored by me comes out in December. I hope TrinityOS will get better exposure then. In a later update, I'll send out the Index for this book so you can see what it covers that TrinityOS doesn't cover. For now. :)

--David

=========================================================
Criticality -- Date      What was changed and in what [Section]
--------       --------  ---------------------------------------
=========================================================

G    11/16/99 - Added the master Mandrake updates URL. [Section 5] *Sent Update*

N             - Fixed the permissions for the /etc/info/suid-results-checked
                file to 600. [Section 8]

G             - Added a blurb on checking for .rhosts and hosts.equiv files,
                much like the SUID search. [Section 8]

I             - Made several changes to the DNS config section:
                - Moved the global "allow-transfer" parameter to each zone
                  file. This gives better granularity per zone.
                - Added the "allow-query" parameter PER zone file to restrict
                  what internal DNS info is released to the Internet. This is
                  somewhat like a split DNS setup but not quite.
                - Fixed the in-addr.arpa names to reflect the backwards TCP/IP
                  address for acme123.com. It was something like 50.0.201.101
                  instead of 212.0.200.100 (remember, read that backwards
                  octet for octet).
                - Added the "allow-transfer" parameter to disable slave
                  servers from giving out DNS xfers. Important!
                - Doh! Missed the in-addr.arpa file for the slave section.
                [Section 24]

G             - Added the FEATURE(masquerade_envelope) feature to the Sendmail
                config to better hide internal hosts. [Section 25]

G             - It should be noted that I've been having a LOT of problems
                with the mirror sites offered by the MandrakeUpdate tool. The
                only reliable mechanism I've found is to edit the
                .mandrake-update file (usually in /root) and use the url:

                    mirror: ftp://ftp.linux-mandrake.com/pub/

                This worked for me. [Section 60]

------------------

G    11/15/99 - Added the email address on how to add yourself to the BIND
                Announcement list. [Section 5]

*C*           - All versions of BIND v8.2.2p5 are vulnerable to a ROOT attack.
                Upgrade your version of BIND NOW! [Section 24]

G             - Added a recommendation for ALL DNS admins to subscribe to the
                BIND announcement list. [Section 24]

N             - Moved the blurb on how to get your own Domain name and legal
                issues to the end of the section. [Section 24]

G             - Added a recommendation for ALL Sendmail admins to subscribe to
                the Sendmail announcement list. [Section 25]

G             - Noted the ROOT exploit to BIND in the Security hack section.
                [Section 60]

------------------

G    11/13/99 - Changed the IPFWADM NON-MASQ firewall revision to 2A.97. Fixed
                a variable name typo in the non-MASQed IPFWADM BackOrifice
                filter. [Section 10]

G             - Added a line to create the empty files using the "touch"
                command for secondary DNS zone files. [Section 24]

David A. Ranch - Linux/Networking/PC hardware    [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch
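
An added example, not part of the original post or of TrinityOS: a small audit that flags any zone statement in a named.conf lacking its own "allow-transfer" or "allow-query", plus a helper that derives the reversed-octet in-addr.arpa name mentioned in the DNS changes above. The sample config, its file names and its 192.168.0.x addresses are constructed, and the function names are hypothetical.

```python
import re

REQUIRED = ("allow-transfer", "allow-query")

# Constructed named.conf fragment for illustration only.
SAMPLE_CONF = '''
options { directory "/var/named"; };
zone "acme123.com" {
    type master;
    file "acme123.com.zone";
    allow-transfer { 192.168.0.2; };   // only the slave may pull the zone
    allow-query { any; };
};
zone "200.100.in-addr.arpa" {
    type master;
    file "acme123.rev";
    allow-query { 192.168.0.0/24; };
};
zone "internal.acme123.com" {
    type slave;
    masters { 192.168.0.1; };
    file "internal.zone";
};
'''

def reverse_name(ip):
    """Reverse the address octet for octet and append in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def zone_blocks(conf):
    """Yield (zone_name, body) per zone statement, matching nested braces."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf):
    """Return {zone: [missing per-zone options]} for zones lacking an ACL."""
    # Drop comments first so braces inside them do not confuse the matcher.
    conf = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', conf, flags=re.S)
    findings = {}
    for name, body in zone_blocks(conf):
        missing = [o for o in REQUIRED
                   if not re.search(r'(?<![\w-])' + re.escape(o) + r'\s*\{', body)]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    print(reverse_name("100.200.0.212"))
    for zone, missing in audit(SAMPLE_CONF).items():
        print(f"{zone}: missing {', '.join(missing)}")
```

A zone the audit flags falls back to whatever the global options allow, which is the case the per-zone ACLs are meant to close, including on slave servers.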
