Re: nat ipchains on debian woody
Hola Francisco,

Francisco Castillo wrote:
> Enrique,
>
> I'm a novice on Debian; I recently decided to switch from Red Hat or Mandrake (a fatal experience over two years), so excuse my ignorance.
>
> First, I don't know how to do this step: "The first thing you must do is to install a kernel with IPTABLES support". How can I do it? How can I test if it is on my server?

All stock kernels > 2.4.x have iptables support. If you compile one for your needs you must make sure that iptables support is checked, but for the kernel images you can install with apt this is true.

Perhaps it helps you to test some things with helper scripts. You can search the available packages with apt-cache search:

debian:~# apt-cache search iptables | less
acidlab - Analysis Console for Intrusion Databases
ferm - maintain and setup complicated firewall rules
firewall-easy - Easy to use packet filter firewall (usually zero config)
fwanalog - iptables log-file report generator (using analog)
fwbuilder-iptables - Linux iptables policy compiler for Firewall Builder
fwlogwatch - Firewall log analyzer
ipac-ng - IP Accounting for iptables( kernel >=2.4)
ipmenu - A cursel iptables/iproute2 GUI
kernel-patch-ttl - TTL matching and setting
kernel-patch-ulog - Netfilter userspace logging patch.
knetfilter - A GUI for configuring the 2.4 kernel IP Tables
ulogd - The Userspace Logging Daemon
iptables - Linux kernel 2.4+ iptables administration tools
iptables-dev - development files for iptable's libipq and libiptc
reaim - Enable AIM and MSN file transfer on Linux iptables based NAT
shorewall - Shoreline Firewall (Shorewall)
shorewall-doc - Shoreline Firewall (Shorewall) Documentation

Then apt-cache show tells you more on a specific package, e.g.:

apt-cache show shorewall

Perhaps you can install this and look at how it works. Read the documentation and look at the source. To see what is installed by a package, do:

dpkg -L shorewall | less

Greetings,
Chris
RE: restricting sftp/ssh login access
Robert,

There has been extensive discussion on this topic on the ssh mailing lists. Before going on the list I would highly recommend reading up, as this is a fairly common topic and the developers have basically said they won't provide this functionality; it is something that belongs in the OS or shell. If you want it in ssh you can use the third-party patch.

I personally like the way the proftpd jails work, but I do agree with the ssh developers that a chroot is not a real security method, more of a file system abstraction in my opinion. My more oblivious users find it convenient, but most of them wouldn't be using sftp anyway.

Cheers,
Ehren Wilson

> -----Original Message-----
> From: Robert Cates [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 28, 2004 12:22 PM
> To: debian-isp@lists.debian.org
> Cc: Andreas John
> Subject: Re: restricting sftp/ssh login access
>
> Hi,
>
> I don't exactly like the idea of having to set up a "mini-system" in
> everybody's home dir, so maybe the Jailkit will be the answer (?). Somehow
> I'm a little surprised that the OpenSSH project hasn't provided this feature
> in SSH and sftp that I'm looking for. Maybe somebody knows the reason why?
> I think my next e-mail will be to the OpenSSH project ;-)
>
> Thanks,
> Robert
>
> ----- Original Message -----
> From: "Andreas John" <[EMAIL PROTECTED]>
> To:
> Cc: "Robert Cates" <[EMAIL PROTECTED]>
> Sent: Monday, June 28, 2004 2:28 PM
> Subject: Re: restricting sftp/ssh login access
>
> > Hi!
> >
> > 1.) Set the user's shell to /bin/false and add it to /etc/shells.
> > This will prevent ssh access for users, but allows ftp etc.
> >
> > But what you are asking for is (I think)
> > 2.) http://chrootssh.sourceforge.net/index.php
> > Chroot your ssh for non-admin users by
> > - patching ssh
> > - replacing the user's homedir /home/username/ with /home/username/./
> >   (sshd recognizes "/./" at the end of the homedir and chroots that user)
> > - building a "mini-system" in the user's homedir (necessary!). I played around
> > with that but had not much success, because I don't want to set up a
> > *real* whole system for every user, because I would run into "apt-ing"
> > problems. I had a look at busybox, which could solve that problem.
> > If anyone knows how this works (login shell with busybox-static + basic
> > commands) please write a howto for me ;) !
> >
> > rgds,
> > Andreas
Re: nat ipchains on debian woody
Christoph,

You are right. Looks like he should also modprobe or insmod iptables and many other modules. I insmod a whole list of routing modules:

ipt_REDIRECT
ipt_MASQUERADE
iptable_mangle
iptable_nat
ipt_REJECT
iptable_filter
ip_tables
( and some others... )

Mark

--- Enrique Dorantes <[EMAIL PROTECTED]> wrote:
> On Mon, 28 Jun 2004 21:35:40 +0200
> Christoph Löffler <[EMAIL PROTECTED]> wrote:
>
> Hello Francisco:
>
> The first thing you must do is to install a kernel with IPTABLES
> support; ipchains is not recommendable for kernels up to 2.4. The
> kernel packages of the woody distro have this support.
> Next you MUST install iptables: apt-get install iptables
> Then you should enable ip forward and ipfilter, with the instructions
> mentioned earlier by Mark, but if you want to run a proxy, ip forward is
> not necessary.
>
> You must read a lot of documentation on Squid and iptables.
>
> Enrique Dorantes
>
> Now in Spanish (translated here):
>
> Hi Francisco:
>
> The first thing you have to do is get a kernel that supports
> iptables; ipchains is discontinued.
> Then you have to install iptables: apt-get install iptables
> Then do what you were told earlier: enable ip forward, which is not
> necessary if you are going to set up a proxy, and ipfilter.
>
> You have to read a lot of Squid and iptables documentation.
>
> Regards,
> Enrique
>
> > Hello Francisco,
> >
> > Francisco Castillo wrote:
> >
> > > I have read docs to do it, but when I apply them I get a "your
> > > kernel seems to not support ipchains" message when I try to do
> > > this.
> >
> > For what reason do you want to use ipchains? If you just set up
> > Debian successfully I think you also have a current kernel (> 2.4.x)
> >
> > From version 2.4.x there is a new packet filter which is called
> > iptables. On www.netfilter.org you find a lot of documentation.
> >
> > > Do you know how to get NAT (ipmasquerade support) on a Debian
> > > woody kernel in order to solve my problem?
> >
> > Sorry, do not know about that.
> >
> > Chris
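The steps the thread converges on (check that the kernel has netfilter, load the modules Mark lists, enable forwarding, masquerade the LAN) as one script. This is an added example, not code from the thread or from Debian; interface names and the LAN prefix (eth0 to the Internet, eth1 to 192.168.0.0/24) are assumptions taken from Francisco's description, and the module list is Mark's plus the conntrack/state modules that `-m state` needs. Two things differ from the one-liner posted earlier: POSTROUTING rules cannot carry `-i` (iptables rejects it, so the script would have failed again once the modules loaded), and the FORWARD chain gets the default DENY policy that Francisco's old ipchains script had, which the iptables one-liner silently dropped.

```shell
#!/bin/sh
# Added example, not code from the thread: bring up iptables masquerading on a
# 2.4-era Debian box, checking for netfilter support and loading modules first.
# Assumed from Francisco's setup: eth0 = Internet, eth1 = LAN, 192.168.0.0/24.

WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/24

# Kernel support check: a built-in netfilter shows up in /proc once a table is
# registered; a modular one ships modules under /lib/modules; Debian's
# kernel-image packages also install /boot/config-<version>.
kernel_has_iptables() {
    [ -f /proc/net/ip_tables_names ] && return 0
    [ -d "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter" ] && return 0
    grep -q '^CONFIG_IP_NF_IPTABLES=[ym]' "/boot/config-$(uname -r)" 2>/dev/null
}

# Modules a masquerading gateway needs, roughly in dependency order
# (Mark's list plus the conntrack/state helpers that -m state relies on).
nat_modules() {
    echo "ip_tables iptable_filter iptable_nat ip_conntrack ipt_state ipt_MASQUERADE ipt_REJECT ip_conntrack_ftp ip_nat_ftp"
}

load_modules() {
    for m in $(nat_modules); do
        modprobe "$m" 2>/dev/null || echo "warning: could not load $m" >&2
    done
}

# Emit the commands rather than running them, so the rule set can be reviewed
# (and unit-tested) before it touches a live box. The FORWARD chain gets the
# default DENY the old ipchains script had, and POSTROUTING matches on -o/-s
# only, since iptables rejects -i in that chain.
build_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/$wan/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/$lan/rp_filter
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Usage: sh nat-gw.sh show   (print the rules)
#        sh nat-gw.sh apply  (as root: check kernel, load modules, apply)
case "${1:-}" in
    show)  build_rules "$WAN" "$LAN" "$LAN_NET" ;;
    apply)
        kernel_has_iptables || { echo "kernel has no iptables support" >&2; exit 1; }
        load_modules
        build_rules "$WAN" "$LAN" "$LAN_NET" | sh -e
        ;;
esac
```

Run `sh nat-gw.sh show` first and read the output; `apply` pipes the same lines through `sh -e`, so the first failing command (typically a missing module, which is exactly the error in this thread) stops the script instead of leaving a half-applied policy with forwarding already switched on.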
Re: nat ipchains on debian woody
Enrique,

I'm a novice on Debian; I recently decided to switch from Red Hat or Mandrake (a fatal experience over two years), so excuse my ignorance.

First, I don't know how to do this step: "The first thing you must do is to install a kernel with IPTABLES support". How can I do it? How can I test if it is on my server?

Second, I have seen this on my server:

morpheo:~# apt-get install iptables
Reading Package Lists... Done
Building Dependency Tree... Done
Sorry, iptables is already the newest version.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
morpheo:~#

It seems that iptables is installed, but the previous errors said that iptables was not available.

Thanks in advance, and for your Spanish response; I have poor English too,

Francisco.

----- Original Message -----
From: "Enrique Dorantes" <[EMAIL PROTECTED]>
To:
Sent: Monday, June 28, 2004 10:09 PM
Subject: Re: nat ipchains on debian woody

On Mon, 28 Jun 2004 21:35:40 +0200
Christoph Löffler <[EMAIL PROTECTED]> wrote:

Hello Francisco:

The first thing you must do is to install a kernel with IPTABLES support; ipchains is not recommendable for kernels up to 2.4. The kernel packages of the woody distro have this support.
Next you MUST install iptables: apt-get install iptables
Then you should enable ip forward and ipfilter, with the instructions mentioned earlier by Mark, but if you want to run a proxy, ip forward is not necessary.

You must read a lot of documentation on Squid and iptables.

Enrique Dorantes

Now in Spanish (translated here):

Hi Francisco:

The first thing you have to do is get a kernel that supports iptables; ipchains is discontinued.
Then you have to install iptables: apt-get install iptables
Then do what you were told earlier: enable ip forward, which is not necessary if you are going to set up a proxy, and ipfilter.

You have to read a lot of Squid and iptables documentation.

Regards,
Enrique

> Hello Francisco,
>
> Francisco Castillo wrote:
>
> > I have read docs to do it, but when I apply them I get a "your
> > kernel seems to not support ipchains" message when I try to do
> > this.
>
> For what reason do you want to use ipchains? If you just set up
> Debian successfully I think you also have a current kernel (> 2.4.x)
>
> From version 2.4.x there is a new packet filter which is called
> iptables. On www.netfilter.org you find a lot of documentation.
>
> > Do you know how to get NAT (ipmasquerade support) on a Debian
> > woody kernel in order to solve my problem?
>
> Sorry, do not know about that.
>
> Chris
Re: nat ipchains on debian woody
On Mon, 28 Jun 2004 21:35:40 +0200
Christoph Löffler <[EMAIL PROTECTED]> wrote:

Hello Francisco:

The first thing you must do is to install a kernel with IPTABLES support; ipchains is not recommendable for kernels up to 2.4. The kernel packages of the woody distro have this support.

Next you MUST install iptables: apt-get install iptables

Then you should enable ip forward and ipfilter, with the instructions mentioned earlier by Mark, but if you want to run a proxy, ip forward is not necessary.

You must read a lot of documentation on Squid and iptables.

Enrique Dorantes

Now in Spanish (translated here):

Hi Francisco:

The first thing you have to do is get a kernel that supports iptables; ipchains is discontinued.
Then you have to install iptables: apt-get install iptables
Then do what you were told earlier: enable ip forward, which is not necessary if you are going to set up a proxy, and ipfilter.

You have to read a lot of Squid and iptables documentation.

Regards,
Enrique

> Hello Francisco,
>
> Francisco Castillo wrote:
>
> > I have read docs to do it, but when I apply them I get a "your
> > kernel seems to not support ipchains" message when I try to do
> > this.
>
> For what reason do you want to use ipchains? If you just set up
> Debian successfully I think you also have a current kernel (> 2.4.x)
>
> From version 2.4.x there is a new packet filter which is called
> iptables. On www.netfilter.org you find a lot of documentation.
>
> > Do you know how to get NAT (ipmasquerade support) on a Debian
> > woody kernel in order to solve my problem?
>
> Sorry, do not know about that.
>
> Chris
Re: restricting sftp/ssh login access
how about using rbash? Only does the shell part, and it is not very hard to break out of the jail, but then again, allowing shell when you think users are going to purposely try to break it isn't a good idea...
Re: nat ipchains on debian woody
Hi Mark,

I have tested your script, but my woody gives me this response:

morpheo:~# cat compartir2
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -i eth1 -o eth0 -j MASQUERADE
morpheo:~# ./compartir2
modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
morpheo:~#

What can I do to solve this new issue?

My first script, which used ipchains, was this:

morpheo:~# cat compartir
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s 192.168.0.0/16

Thanks in advance,

----- Original Message -----
From: "MB" <[EMAIL PROTECTED]>
To: "Francisco Castillo" <[EMAIL PROTECTED]>;
Sent: Monday, June 28, 2004 9:16 PM
Subject: Re: nat ipchains on debian woody

> Have you tried iptables instead? If your kernel supports iptables, then:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/$both_eth_devs/rp_filter
> iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -i eth1 -o eth0 -j MASQUERADE
>
> iptables also does the firewalling in other chains, btw
>
> Mark
>
> --- Francisco Castillo <[EMAIL PROTECTED]> wrote:
> >
> > Hello Gurus,
> >
> > I have installed a Debian woody with two interfaces, eth0 and eth1. I
> > have configured the Internet connection on eth0, which has a static
> > IP on the Internet. And on eth1 I want to put an interface to do a proxy
> > NAT gateway for my internal LAN (I want to put 192.168.0.1 on it).
> >
> > I have read docs to do it, but when I apply them I get a "your
> > kernel seems to not support ipchains" message when I try to do this.
> > After this I have a 192.168.0.1 IP on eth1, but my PCs on the
> > internal LAN can't get Internet access through eth0 (the Internet
> > connection).
> >
> > I think that the problem is that the kernel does not have
> > ipmasquerade support (NAT support), so I think that this is the only
> > step I need to do in order to apply correctly the steps of the
> > configuration that I have a problem with. So
> >
> > Do you know how to get NAT (ipmasquerade support) on a Debian
> > woody kernel in order to solve my problem?
> >
> > What exactly does the command "apt-get install ipmasq" do in this context?
> >
> > Thanks in advance,
> >
> > Francisco.
Re: nat ipchains on debian woody
Hello Francisco,

Francisco Castillo wrote:

> I have read docs to do it, but when I apply them I get a "your kernel seems to not support ipchains" message when I try to do this.

For what reason do you want to use ipchains? If you just set up Debian successfully I think you also have a current kernel (> 2.4.x).

From version 2.4.x there is a new packet filter which is called iptables. On www.netfilter.org you find a lot of documentation.

> Do you know how to get NAT (ipmasquerade support) on a Debian woody kernel in order to solve my problem?

Sorry, do not know about that.

Chris
Re: nat ipchains on debian woody
Have you tried iptables instead? If your kernel supports iptables, then:

echo 1 > /proc/sys/net/ipv4/ip_forward
for dev in eth0 eth1; do echo 1 > /proc/sys/net/ipv4/conf/$dev/rp_filter; done
# POSTROUTING only knows the outgoing interface, so match on -o and -s (iptables rejects -i here)
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

iptables also does the firewalling in other chains, btw

Mark

--- Francisco Castillo <[EMAIL PROTECTED]> wrote:
>
> Hello Gurus,
>
> I have installed a Debian woody with two interfaces, eth0 and eth1. I
> have configured the Internet connection on eth0, which has a static
> IP on the Internet. And on eth1 I want to put an interface to do a proxy
> NAT gateway for my internal LAN (I want to put 192.168.0.1 on it).
>
> I have read docs to do it, but when I apply them I get a "your
> kernel seems to not support ipchains" message when I try to do this.
> After this I have a 192.168.0.1 IP on eth1, but my PCs on the
> internal LAN can't get Internet access through eth0 (the Internet
> connection).
>
> I think that the problem is that the kernel does not have
> ipmasquerade support (NAT support), so I think that this is the only
> step I need to do in order to apply correctly the steps of the
> configuration that I have a problem with. So
>
> Do you know how to get NAT (ipmasquerade support) on a Debian
> woody kernel in order to solve my problem?
>
> What exactly does the command "apt-get install ipmasq" do in this context?
>
> Thanks in advance,
>
> Francisco.
weird http probes
Hi,

I noticed the following just now in my apache logs:

208.200.158.49 - - [28/Jun/2004:20:11:46 +0200] "GET / HTTP/1.0" 200 6137 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /index.php HTTP/1.0" 404 269 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /main.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /test.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /index.php3 HTTP/1.0" 404 270 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /phpinfo.php HTTP/1.0" 200 14249 "-" "-"

What could this be? I run a very small webserver on this host (just a few personal docs actually, not even a 'site'), and as far as I know I haven't signed up for some kind of security probe lately.

Notice the very uncool double reverse resolve of that IP:

$ host 208.200.158.49
49.158.200.208.in-addr.arpa domain name pointer nth1.net1plus.com.
49.158.200.208.in-addr.arpa domain name pointer web.rresults.com.

I don't have any connection to those companies.

I don't know what the dominant feeling on this is right now... I'm concerned this might be some kind of security scan (not worried about that machine, but just about a new attack in general). I'm a little angry because I might be used in online statistics without my permission, and I fear for my privacy if I've ended up on some "probe these hosts" list.

Could someone shed some light on this?

-- 
Greetings,
Joris <[EMAIL PROTECTED]>
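The pattern in that log (a client that walks through a fixed list of script names, collects 404s, and scores a 200 on the one that exists) is easy to pick out automatically. Below is an added example, not from Joris's post: an awk-based filter that correlates, per client address, a run of 404s on common probe paths with a 200 on a sensitive page. The probe and sensitive path lists are assumptions, and the sample log is constructed from the six lines in the post plus two benign requests from the documentation address 192.0.2.10. Note what the last line of the real log means: /phpinfo.php answered 200 with a 14 KB body, so if it is the usual phpinfo() page the scanner now has the PHP version, module list, paths and environment of that host; such files should not stay on a public server.

```shell
#!/bin/sh
# Added example, not code from the post: flag clients that behave like the
# scanner in the log above. Probe/sensitive path lists and the second client
# in the sample (192.0.2.10, TEST-NET) are assumptions.

PROBE_PATHS='/index.php /main.php /test.php /index.php3 /phpinfo.php /admin.php /cmd.php'
SENSITIVE_PATHS='/phpinfo.php /test.php'

# Read Apache common/combined log lines on stdin; print "ip misses hits" for
# every client with at least $1 probe 404s (default 3) or any sensitive 200.
flag_probes() {
    min="${1:-3}"
    awk -v min="$min" -v probes="$PROBE_PATHS" -v sens="$SENSITIVE_PATHS" '
    BEGIN {
        n = split(probes, p, " "); for (i = 1; i <= n; i++) probe[p[i]] = 1
        n = split(sens, s, " ");   for (i = 1; i <= n; i++) sensitive[s[i]] = 1
    }
    {
        ip = $1
        # The request is the first quoted field, "METHOD PATH HTTP/x.y", and the
        # status code is the field right after it. Lines that do not look like
        # that are skipped rather than guessed at.
        if (!match($0, /"[A-Z]+ [^ ]+ HTTP\/[0-9.]+" [0-9]+/)) next
        split(substr($0, RSTART, RLENGTH), f, " ")
        path = f[2]; status = f[4] + 0
        seen[ip] = 1
        if (status == 404 && (path in probe))     misses[ip]++
        if (status == 200 && (path in sensitive)) hits[ip]++
    }
    END {
        for (ip in seen)
            if (misses[ip] >= min || hits[ip] > 0)
                printf "%s %d %d\n", ip, misses[ip], hits[ip]
    }' | sort
}

# Constructed sample: the six lines from the post plus two ordinary requests.
sample_log() {
    cat <<'EOF'
208.200.158.49 - - [28/Jun/2004:20:11:46 +0200] "GET / HTTP/1.0" 200 6137 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /index.php HTTP/1.0" 404 269 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /main.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /test.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /index.php3 HTTP/1.0" 404 270 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /phpinfo.php HTTP/1.0" 200 14249 "-" "-"
192.0.2.10 - - [28/Jun/2004:20:15:00 +0200] "GET /docs/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Jun/2004:20:15:02 +0200] "GET /favicon.ico HTTP/1.1" 404 200 "-" "Mozilla/5.0"
EOF
}

# Usage: flag_probes 3 < /var/log/apache/access.log
#    or: sample_log | flag_probes        (prints "208.200.158.49 4 1")
```

The 404 threshold keeps ordinary browsers with a missing favicon off the list; the sensitive-200 rule fires regardless of the count, because a single successful fetch of a configuration page is the event worth reacting to (removing the file, and deciding whether the client address belongs in a firewall deny rule).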
nat ipchains on debian woody
Hello Gurus,

I have installed a Debian woody with two interfaces, eth0 and eth1. I have configured the Internet connection on eth0, which has a static IP on the Internet. And on eth1 I want to put an interface to do a proxy NAT gateway for my internal LAN (I want to put 192.168.0.1 on it).

I have read docs to do it, but when I apply them I get a "your kernel seems to not support ipchains" message when I try to do this. After this I have a 192.168.0.1 IP on eth1, but my PCs on the internal LAN can't get Internet access through eth0 (the Internet connection).

I think that the problem is that the kernel does not have ipmasquerade support (NAT support), so I think that this is the only step I need to do in order to apply correctly the steps of the configuration that I have a problem with. So

Do you know how to get NAT (ipmasquerade support) on a Debian woody kernel in order to solve my problem?

What exactly does the command "apt-get install ipmasq" do in this context?

Thanks in advance,

Francisco.
RE: restricting sftp/ssh login access
I agree that a jail is the cleanest way. My setup is as follows:

chroot jail: /home/jailedUsers

dirs and files within the jail:

./lib ./lib/libnsl.so.1 ./lib/libnsl-2.3.2.so ./lib/libc.so.6 ./lib/libc-2.3.2.so ./lib/ld-linux.so.2 ./lib/ld-2.3.2.so ./lib/libnss_compat.so.2 ./lib/libnss_compat-2.3.2.so ./lib/libnss_files.so.2 ./lib/libnss_files-2.3.2.so ./lib/libresolv.so.2 ./lib/libresolv-2.3.2.so ./lib/libutil.so.1 ./lib/libutil-2.3.2.so ./lib/libcrypt.so.1 ./lib/libcrypt-2.3.2.so ./lib/libdl.so.2 ./lib/libdl-2.3.2.so ./lib/libncurses.so.5 ./lib/libncurses.so.5.4 ./lib/librt.so.1 ./lib/librt-2.3.2.so ./lib/libpthread.so.0 ./lib/libpthread-0.10.so ./lib/libacl.so.1 ./lib/libacl.so.1.1.0 ./lib/libattr.so.1 ./lib/libattr.so.1.1.0 ./lib/libm.so.6 ./lib/libm-2.3.2.so ./lib/libpam.so.0 ./lib/libpam_misc.so.0
./etc ./etc/nsswitch.conf ./etc/passwd ./etc/group ./etc/jailkit ./etc/jailkit/jk_lsh.ini ./etc/resolv.conf ./etc/host.conf ./etc/hosts ./etc/protocols ./etc/motd ./etc/issue ./etc/bash.bashrc ./etc/profile ./etc/terminfo -- bunch of dirs in here ---
./usr ./usr/bin ./usr/bin/jk_lsh ./usr/bin/ssh ./usr/bin/nvi ./usr/bin/scp ./usr/bin/awk ./usr/bin/bzip2 ./usr/bin/bunzip2 ./usr/bin/away ./usr/lib ./usr/lib/sftp-server ./usr/lib/i586 ./usr/lib/i586/libcrypto.so.0.9.7 ./usr/lib/libz.so.1 ./usr/lib/libz.so.1.2.1 ./usr/lib/libbz2.so.1.0 ./usr/lib/libbz2.so.1.0.2
./dev ./dev/urandom ./dev/tty ./dev/log
./bin ./bin/sh ./bin/bash ./bin/ls ./bin/cat ./bin/chmod ./bin/mkdir ./bin/cp ./bin/cpio ./bin/date ./bin/dd ./bin/echo ./bin/egrep ./bin/false ./bin/sleep
./home ./home/drocke
./root

And only allowing the user write access to his/her own directory (within the jail) will limit the liability to the system.

Mark

--- Ehren Wilson <[EMAIL PROTECTED]> wrote:
> The cleanest way I have found was using rssh. All you do is change the shell to /usr/bin/rssh. The only issue I have with it is that to jail them to their home directory you need a separate chroot for each folder of the following. I jailed the /home folder and thus only need one jail; if you want each user to be jailed to ~/ as / then you need a separate jail for each user through copying or linking the files.
>
> Ehren Wilson
>
> jail components:
> ./etc ./etc/ld.so.cache ./etc/ld.so.conf
> ./usr ./usr/bin ./usr/bin/scp ./usr/lib ./usr/lib/i686 ./usr/lib/i686/cmov ./usr/lib/i686/cmov/libcrypto.so.0.9.7 ./usr/lib/libz.so.1 ./usr/lib/rssh ./usr/lib/rssh/rssh_chroot_helper ./usr/lib/sftp-server
>
> > -----Original Message-----
> > From: Robert Cates [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 28, 2004 11:54 AM
> > To: debian-isp@lists.debian.org
> > Cc: Andreas John; MB; [EMAIL PROTECTED]
> > Subject: Re: restricting sftp/ssh login access
> >
> > Hi, and thanks for the quick replies!
> > Just to be a bit clearer in what I'm asking: I would like to be able to allow my customers to access their accounts (update their web sites) with sftp, which as I understand it is an extension to (Open)SSH, and not FTP. I know for example that the Windows application WS_FTP Pro has an option to use sftp/ssh on port 22, and when I tested it, I landed way up at root "/". So, I'd like to be able to allow secure access, but with an ftp client like WS_FTP Pro using sftp, and not a Secure SHell. I have my server set up so that the customer can use SSH to change their password, and that's all they can do with SSH.
> >
> > Is there nothing in the ssh_config or sshd_config which can be set to restrict sftp access to a designated directory?
> >
> > It seems to me that the patched OpenSSH way that Hiren pointed out is workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm open to other maybe better ways.
> >
> > Thanks again,
> > Robert
> >
> > ----- Original Message -----
> > From: "MB" <[EMAIL PROTECTED]>
> > To: "Andreas John" <[EMAIL PROTECTED]>
> > Sent: Monday, June 28, 2004 6:47 PM
> > Subject: Re: restricting sftp/ssh login access
> >
> > > John,
> > >
> > > First off, I made a small mistake; the package I used was "jailkit", from either:
> > > http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
> > > or
> > > http://freshmeat.net/projects/jailkit/
> > >
> > > It has tons of documentation to help you create a jailed environment, including loading your jail with whatever executables are needed.
> > >
> > > Looks like I simplified my script to one line:
> > >
> > > ---
> > > #!/bin/bash
> > >
> > > /usr/sbin/jk_socketd
> > >
> > > This produces a group of daemonized processes:
> > > nobody 13659 13658 0 Apr18 ? 00:00:00 [jk_socketd]
> > >
> > > but I think that I had a much more elaborate script to {start|stop|restart} this daemon, something like:
> > >
> > > /etc/init.d/chroot_jail
Re: restricting sftp/ssh login access
Hi,

I don't exactly like the idea of having to set up a "mini-system" in everybody's home dir, so maybe the Jailkit will be the answer.(?)

Somehow I'm a little surprised that the OpenSSH project hasn't provided this feature in SSH and sftp that I'm looking for. Maybe somebody knows the reason why? I think my next e-mail will be to the OpenSSH project ;-)

Thanks,
Robert

----- Original Message -----
From: "Andreas John" <[EMAIL PROTECTED]>
Cc: "Robert Cates" <[EMAIL PROTECTED]>
Sent: Monday, June 28, 2004 2:28 PM
Subject: Re: restricting sftp/ssh login access

> Hi!
>
> 1.) Set users' shell to /bin/false and add it to /etc/shells.
> This will prevent ssh access for users, but allows ftp etc.
>
> But what you are asking for is that (I think)
> 2.) http://chrootssh.sourceforge.net/index.php
> Chroot your ssh for non-admin users by
> - patching ssh
> - replacing users' homedir from /home/username/ to /home/username/./ (sshd recognizes "/./" at the end of the homedir and chroots that user)
> - build a "mini-system" in users' homedir (necessary!). I played around with that but had not much success because I don't want to set up a *real* whole system for every user, because I would run into "apt-ing" probs. I had a look at busybox, which could solve that problem.
> If anyone knows how this works (login-shell with busybox-static + basic commands) please write a howto for me ;) !
>
> rgds,
> Andreas
Re: restricting sftp/ssh login access
How about using rbash? It only does the shell part, and it is not very hard to break out of the jail, but then again, allowing a shell when you think users are going to purposely try to break it isn't a good idea...
RE: restricting sftp/ssh login access
The cleanest way I have found was using rssh. All you do is change the shell to /usr/bin/rssh. The only issue I have with it is that to jail them to their home directory you need a separate chroot for each folder of the following. I jailed the /home folder and thus only need one jail; if you want each user to be jailed to ~/ as / then you need a separate jail for each user through copying or linking the files.

Ehren Wilson

jail components:
./etc ./etc/ld.so.cache ./etc/ld.so.conf
./usr ./usr/bin ./usr/bin/scp ./usr/lib ./usr/lib/i686 ./usr/lib/i686/cmov ./usr/lib/i686/cmov/libcrypto.so.0.9.7 ./usr/lib/libz.so.1 ./usr/lib/rssh ./usr/lib/rssh/rssh_chroot_helper ./usr/lib/sftp-server

> -----Original Message-----
> From: Robert Cates [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 28, 2004 11:54 AM
> To: debian-isp@lists.debian.org
> Cc: Andreas John; MB; [EMAIL PROTECTED]
> Subject: Re: restricting sftp/ssh login access
>
> Hi, and thanks for the quick replies!
> Just to be a bit clearer in what I'm asking: I would like to be able to allow my customers to access their accounts (update their web sites) with sftp, which as I understand it is an extension to (Open)SSH, and not FTP. I know for example that the Windows application WS_FTP Pro has an option to use sftp/ssh on port 22, and when I tested it, I landed way up at root "/". So, I'd like to be able to allow secure access, but with an ftp client like WS_FTP Pro using sftp, and not a Secure SHell. I have my server set up so that the customer can use SSH to change their password, and that's all they can do with SSH.
>
> Is there nothing in the ssh_config or sshd_config which can be set to restrict sftp access to a designated directory?
>
> It seems to me that the patched OpenSSH way that Hiren pointed out is workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm open to other maybe better ways.
>
> Thanks again,
> Robert
>
> ----- Original Message -----
> From: "MB" <[EMAIL PROTECTED]>
> To: "Andreas John" <[EMAIL PROTECTED]>
> Sent: Monday, June 28, 2004 6:47 PM
> Subject: Re: restricting sftp/ssh login access
>
> > John,
> >
> > First off, I made a small mistake; the package I used was "jailkit", from either:
> > http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
> > or
> > http://freshmeat.net/projects/jailkit/
> >
> > It has tons of documentation to help you create a jailed environment, including loading your jail with whatever executables are needed.
> >
> > Looks like I simplified my script to one line:
> >
> > ---
> > #!/bin/bash
> >
> > /usr/sbin/jk_socketd
> >
> > This produces a group of daemonized processes:
> > nobody 13659 13658 0 Apr18 ? 00:00:00 [jk_socketd]
> >
> > but I think that I had a much more elaborate script to {start|stop|restart} this daemon, something like:
> >
> > /etc/init.d/chroot_jail
> >
> > #!/bin/bash
> >
> > case "$1" in
> >   start)
> >     echo -n "Starting Chroot Jail Server: chroot jail"
> >     start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
> >     echo "."
> >     ;;
> >   stop)
> >     echo -n "Stopping Chroot Jail Server: chroot jail"
> >     start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
> >     echo "."
> >     ;;
> >   restart)
> >     echo -n "Restarting Chroot Jail Server: chroot jail"
> >     start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/jk_socketd.pid
> >     start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
> >     echo "."
> >     ;;
> >   *)
> >     echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
> >     exit 1
> > esac
> >
> > exit 0
> > ---
> >
> > Mark
> >
> > --- Andreas John <[EMAIL PROTECTED]> wrote:
> > > Hi Mark!
> > >
> > > > You will need to run a special daemon (jk_socketd) to log users into the jail, but that is about the hardest part. I'll post my startup script if you would like.
> > >
> > > Do I need the ssh-patch if I run this jk_socketd? Does it replace that patch? It's a pain in the ass to maintain an ssh package that is separate from the debian tree.
> > >
> > > And yes - please post me that startup-script. Would be nice.
> > >
> > > Best regards and many penguins,
> > > Andreas
> > >
> > > --
> > > Andreas John
> > > net-lab GmbH
> > > Luisenstrasse 30b
> > > 63067 Offenbach
> > > Tel: +49 69 85700331
> > >
> > > http://www.net-lab.net
Re: restricting sftp/ssh login access
Hi, and thanks for the quick replies!

Just to be a bit clearer in what I'm asking: I would like to be able to allow my customers to access their accounts (update their web sites) with sftp, which as I understand it is an extension to (Open)SSH, and not FTP. I know for example that the Windows application WS_FTP Pro has an option to use sftp/ssh on port 22, and when I tested it, I landed way up at root "/". So, I'd like to be able to allow secure access, but with an ftp client like WS_FTP Pro using sftp, and not a Secure SHell. I have my server set up so that the customer can use SSH to change their password, and that's all they can do with SSH.

Is there nothing in the ssh_config or sshd_config which can be set to restrict sftp access to a designated directory?

It seems to me that the patched OpenSSH way that Hiren pointed out is workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm open to other maybe better ways.

Thanks again,
Robert

----- Original Message -----
From: "MB" <[EMAIL PROTECTED]>
To: "Andreas John" <[EMAIL PROTECTED]>
Sent: Monday, June 28, 2004 6:47 PM
Subject: Re: restricting sftp/ssh login access

> John,
>
> First off, I made a small mistake; the package I used was "jailkit", from either:
> http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
> or
> http://freshmeat.net/projects/jailkit/
>
> It has tons of documentation to help you create a jailed environment, including loading your jail with whatever executables are needed.
>
> Looks like I simplified my script to one line:
>
> ---
> #!/bin/bash
>
> /usr/sbin/jk_socketd
>
> This produces a group of daemonized processes:
> nobody 13659 13658 0 Apr18 ? 00:00:00 [jk_socketd]
>
> but I think that I had a much more elaborate script to {start|stop|restart} this daemon, something like:
>
> /etc/init.d/chroot_jail
>
> #!/bin/bash
>
> case "$1" in
>   start)
>     echo -n "Starting Chroot Jail Server: chroot jail"
>     start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
>     echo "."
>     ;;
>   stop)
>     echo -n "Stopping Chroot Jail Server: chroot jail"
>     start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
>     echo "."
>     ;;
>   restart)
>     echo -n "Restarting Chroot Jail Server: chroot jail"
>     start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/jk_socketd.pid
>     start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
>     echo "."
>     ;;
>   *)
>     echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
>     exit 1
> esac
>
> exit 0
> ---
>
> Mark
>
> --- Andreas John <[EMAIL PROTECTED]> wrote:
> > Hi Mark!
> >
> > > You will need to run a special daemon (jk_socketd) to log users into the jail, but that is about the hardest part. I'll post my startup script if you would like.
> >
> > Do I need the ssh-patch if I run this jk_socketd? Does it replace that patch? It's a pain in the ass to maintain an ssh package that is separate from the debian tree.
> >
> > And yes - please post me that startup-script. Would be nice.
> >
> > Best regards and many penguins,
> > Andreas
> >
> > --
> > Andreas John
> > net-lab GmbH
> > Luisenstrasse 30b
> > 63067 Offenbach
> > Tel: +49 69 85700331
> >
> > http://www.net-lab.net
Re: nat ipchains on debian woody
Hi Mark,

I have tested your script but my woody gives me this response:

morpheo:~# cat compartir2
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -i eth1 -o eth0 -j MASQUERADE

morpheo:~# ./compartir2
modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
morpheo:~#

What can I do to solve this new issue?

My first script, which used ipchains, was this:

morpheo:~# cat compartir
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s 192.168.0.0/16

Thanks in advance,

----- Original Message -----
From: "MB" <[EMAIL PROTECTED]>
To: "Francisco Castillo" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, June 28, 2004 9:16 PM
Subject: Re: nat ipchains on debian woody

> Have you tried iptables instead? If your kernel supports iptables, then:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/$both_eth_devs/rp_filter
> iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -i eth1 -o eth0 -j MASQUERADE
>
> iptables also does the firewalling in other chains, btw
>
> Mark
>
> --- Francisco Castillo <[EMAIL PROTECTED]> wrote:
> > Hello Gurus,
> >
> > I have installed a debian woody with two interfaces, eth0 and eth1. I have configured the internet connection on eth0, which has got a static ip on internet. And on eth1 I want to put an interface to do a proxy nat gateway on my internal lan (I want to put 192.168.0.1 on it).
> >
> > I have read doc to do it but when I apply this doc I have a "your kernel seems to not support ipchains" message when I try to do this. After this I have a 192.168.0.1 ip on eth1 but my PCs on the internal lan can't have internet access through the eth0 (internet connection).
> >
> > I think that the problem is that the kernel does not have ipmasquerade support (NAT support), so I think that this is the only step I need to do in order to apply correctly the steps of the configuration that I have a problem with. So
> >
> > Did you know how to give NAT (ipmasquerade support) on a debian woody kernel in order to solve my problem?
> >
> > What does exactly the command "apt-get install ipmasq" in this context?
> >
> > Thanks in advance,
> >
> > Francisco.
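The error above ("modprobe: Can't locate module ip_tables") is the kernel, not the script: the running kernel has neither the ip_tables module nor netfilter built in, so nothing iptables does will work until a kernel built with CONFIG_IP_NF_* is booted (Enrique says the woody kernel packages have it; on a Debian kernel-image you can confirm with grep CONFIG_IP_NF_NAT /boot/config-$(uname -r)). Two more things bite once the kernel is right, and the added script below handles both. It is not code from the thread; the interface names and the LAN prefix are assumptions taken from Francisco's script. First, iptables rejects -i in the POSTROUTING chain (it is an output-side hook), so the MASQUERADE line as posted will not load even on a working kernel. Second, the ipchains version set the forward chain policy to DENY, while the iptables one-liner leaves FORWARD at its default ACCEPT, so the box would route anything arriving from the Internet into the LAN.

```shell
#!/bin/sh
# Added example, not code from the thread: an iptables NAT gateway for the
# setup above. eth0 = Internet, eth1 = LAN, 192.168.0.0/24 = LAN prefix are
# taken from Francisco's script and are assumptions here. Functions only;
# nothing runs until you call them, e.g.:
#   nat_apply eth0 eth1 192.168.0.0/24

# Return 0 when the kernel can provide the "nat" table. "modprobe: Can't
# locate module ip_tables" means the running kernel has neither the module
# nor built-in netfilter, so no rule set will load until the kernel is
# replaced by one built with CONFIG_IP_NF_IPTABLES and CONFIG_IP_NF_NAT.
nat_kernel_ok() {
    if [ -r /proc/net/ip_tables_names ] && grep -qx nat /proc/net/ip_tables_names; then
        return 0          # nat table already registered (built in or loaded)
    fi
    modprobe ip_tables 2>/dev/null && modprobe iptable_nat 2>/dev/null
}

# Print the rule set for WAN_IF LAN_IF LAN_NET, one iptables command per
# line, so it can be reviewed before it is applied. Differences from the
# one-liner in the thread:
#  - POSTROUTING is an output-side chain; iptables refuses "-i" there, so
#    the rule selects on the source prefix and output interface only.
#  - The ipchains script had "forward" policy DENY; FORWARD is restored to
#    default-deny with explicit allows for LAN-originated traffic and the
#    replies to it, which is what the masquerading actually needs.
nat_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
iptables -t nat -F POSTROUTING
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
EOF
}

# Enable forwarding and source validation on both interfaces, then load the
# rules. Refuses to change anything when the kernel has no NAT support.
nat_apply() {
    if ! nat_kernel_ok; then
        echo "kernel has no iptables NAT support; install a netfilter kernel first" >&2
        return 1
    fi
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for dev in "$1" "$2"; do
        echo 1 > /proc/sys/net/ipv4/conf/"$dev"/rp_filter
    done
    nat_rules "$1" "$2" "$3" | sh -e
}
```

nat_rules eth0 eth1 192.168.0.0/24 prints the rule set without touching the kernel, which is the easiest way to review it; nat_apply needs root and a netfilter-capable kernel.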
Re: nat ipchains on debian woody
Hello Francisco,

Francisco Castillo wrote:
> I have read doc to do it but when I apply this doc I have a "your kernel seems to not support ipchains" message when I try to do this.

For what reason do you want to use ipchains? If you just set up debian successfully I think you also have a current kernel (> 2.4.x).

From version 2.4.x there is a new packet filter which is called iptables. On www.netfilter.org you find a lot of documentation.

> Did you know how to give NAT (ipmasquerade support) on a debian woody kernel in order to solve my problem?

Sorry, do not know about that.

Chris
Re: nat ipchains on debian woody
Have you tried iptables instead? If your kernel supports iptables, then:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/$both_eth_devs/rp_filter
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -i eth1 -o eth0 -j MASQUERADE

iptables also does the firewalling in other chains, btw

Mark

--- Francisco Castillo <[EMAIL PROTECTED]> wrote:
> Hello Gurus,
>
> I have installed a debian woody with two interfaces, eth0 and eth1. I have configured the internet connection on eth0, which has got a static ip on internet. And on eth1 I want to put an interface to do a proxy nat gateway on my internal lan (I want to put 192.168.0.1 on it).
>
> I have read doc to do it but when I apply this doc I have a "your kernel seems to not support ipchains" message when I try to do this. After this I have a 192.168.0.1 ip on eth1 but my PCs on the internal lan can't have internet access through the eth0 (internet connection).
>
> I think that the problem is that the kernel does not have ipmasquerade support (NAT support), so I think that this is the only step I need to do in order to apply correctly the steps of the configuration that I have a problem with. So
>
> Did you know how to give NAT (ipmasquerade support) on a debian woody kernel in order to solve my problem?
>
> What does exactly the command "apt-get install ipmasq" in this context?
>
> Thanks in advance,
>
> Francisco.
weird http probes
Hi,

I noticed the following just now in my apache logs:

208.200.158.49 - - [28/Jun/2004:20:11:46 +0200] "GET / HTTP/1.0" 200 6137 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /index.php HTTP/1.0" 404 269 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /main.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /test.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /index.php3 HTTP/1.0" 404 270 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /phpinfo.php HTTP/1.0" 200 14249 "-" "-"

What could this be? I run a very small webserver on this host (just a few personal docs actually, not even a 'site'), and as far as I know I haven't signed up for some kind of security probe lately.

Notice the very uncool double reverse resolve of that ip:

$ host 208.200.158.49
49.158.200.208.in-addr.arpa domain name pointer nth1.net1plus.com.
49.158.200.208.in-addr.arpa domain name pointer web.rresults.com.

I don't have any connection to those companies.

I don't know what's the dominant feeling on this right now... I'm concerned this might be some kind of security scan (not worried about that machine, but just about a new attack in general). I'm a little angry because I might be used in online statistics without my permission, and I fear for my privacy if I've ended up on some "probe these hosts" list.

Could someone shed some light on this?

--
Greetings,
Joris <[EMAIL PROTECTED]>
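The sequence in that log is a generic fingerprinting sweep: a handful of common PHP entry points requested back to back, with no Referer and no User-Agent, from a host whose reverse DNS names a web-hosting company. The line that matters is the last one: /phpinfo.php answered 200 with 14 KB, so whoever ran the sweep now has that server's PHP version, build options, loaded modules, document root and environment. The awk script below, an added example that is not part of the post, flags both patterns in an Apache access log in common or combined format; probe_sample is the post's own six lines plus two constructed benign ones from 192.0.2.10, a documentation address.

```shell
#!/bin/sh
# Added example, not from the post: spot the scan pattern above in an
# Apache access log. Fields are split on whitespace, which is stable for
# the common and combined formats: $1 client, $7 request path, $9 status.
# Usage: probe_report /var/log/apache/access.log [MIN_404]

# Report clients that collected MIN_404 (default 3) or more 404s on
# distinct paths, and every request for phpinfo.php that was served 200.
# Repeated 404s on the same path (a broken link, a missing favicon) do
# not count twice, so an ordinary browser does not trip the threshold.
probe_report() {
    log=$1; min=${2:-3}
    awk -v min="$min" '
        $9 == 404 { if (!seen[$1 SUBSEP $7]++) n404[$1]++ }
        $9 == 200 && $7 ~ /phpinfo\.php$/ { print "EXPOSED " $1 " " $7 }
        END {
            for (ip in n404)
                if (n404[ip] >= min)
                    print "SCAN " ip " " n404[ip] " distinct 404s"
        }
    ' "$log"
}

# Constructed sample: the six lines from the post plus two benign ones
# from a normal browser (192.0.2.10, a documentation address).
probe_sample() {
    cat <<'EOF'
208.200.158.49 - - [28/Jun/2004:20:11:46 +0200] "GET / HTTP/1.0" 200 6137 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /index.php HTTP/1.0" 404 269 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /main.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:00 +0200] "GET /test.php HTTP/1.0" 404 268 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /index.php3 HTTP/1.0" 404 270 "-" "-"
208.200.158.49 - - [28/Jun/2004:20:12:01 +0200] "GET /phpinfo.php HTTP/1.0" 200 14249 "-" "-"
192.0.2.10 - - [28/Jun/2004:20:15:02 +0200] "GET /docs/notes.html HTTP/1.0" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Jun/2004:20:15:03 +0200] "GET /favicon.ico HTTP/1.0" 404 268 "-" "Mozilla/5.0"
EOF
}
```

On the sample this prints EXPOSED 208.200.158.49 /phpinfo.php and SCAN 208.200.158.49 4 distinct 404s, and nothing for the browser. The fix for the EXPOSED line is to remove phpinfo.php (or limit it to localhost), not to block the scanner's address; the next sweep comes from somewhere else.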
nat ipchains on debian woody
Hello Gurus,

I have installed a debian woody with two interfaces, eth0 and eth1. I have configured the internet connection on eth0, which has got a static ip on internet. And on eth1 I want to put an interface to do a proxy nat gateway on my internal lan (I want to put 192.168.0.1 on it).

I have read doc to do it but when I apply this doc I have a "your kernel seems to not support ipchains" message when I try to do this. After this I have a 192.168.0.1 ip on eth1 but my PCs on the internal lan can't have internet access through the eth0 (internet connection).

I think that the problem is that the kernel does not have ipmasquerade support (NAT support), so I think that this is the only step I need to do in order to apply correctly the steps of the configuration that I have a problem with. So

Did you know how to give NAT (ipmasquerade support) on a debian woody kernel in order to solve my problem?

What does exactly the command "apt-get install ipmasq" in this context?

Thanks in advance,

Francisco.
Re: restricting sftp/ssh login access
John,

Looks like there is a debian package created for jailkit now:
http://olivier.sessink.nl/jailkit/jailkit_0.9-1_i386.deb

md5 sums for these packages:
de67f1dbf6cec002290fe4faadf53821 jailkit_0.9-1_i386.deb

Mark

--- MB <[EMAIL PROTECTED]> wrote:
> John,
>
> First off, I made a small mistake; the package I used was "jailkit", from either:
> http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
> or
> http://freshmeat.net/projects/jailkit/
>
> It has tons of documentation to help you create a jailed environment, including loading your jail with whatever executables are needed.
>
> Looks like I simplified my script to one line:
>
> ---
> #!/bin/bash
>
> /usr/sbin/jk_socketd
>
> This produces a group of daemonized processes:
> nobody 13659 13658 0 Apr18 ? 00:00:00 [jk_socketd]
>
> but I think that I had a much more elaborate script to {start|stop|restart} this daemon, something like:
>
> /etc/init.d/chroot_jail
>
> #!/bin/bash
>
> case "$1" in
>   start)
>     echo -n "Starting Chroot Jail Server: chroot jail"
>     start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
>     echo "."
>     ;;
>   stop)
>     echo -n "Stopping Chroot Jail Server: chroot jail"
>     start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
>     echo "."
>     ;;
>   restart)
>     echo -n "Restarting Chroot Jail Server: chroot jail"
>     start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/jk_socketd.pid
>     start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
>     echo "."
>     ;;
>   *)
>     echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
>     exit 1
> esac
>
> exit 0
> ---
>
> Mark
>
> --- Andreas John <[EMAIL PROTECTED]> wrote:
> > Hi Mark!
> >
> > > You will need to run a special daemon (jk_socketd) to log users into the jail, but that is about the hardest part. I'll post my startup script if you would like.
> >
> > Do I need the ssh-patch if I run this jk_socketd? Does it replace that patch? It's a pain in the ass to maintain an ssh package that is separate from the debian tree.
> >
> > And yes - please post me that startup-script. Would be nice.
> >
> > Best regards and many penguins,
> > Andreas
> >
> > --
> > Andreas John
> > net-lab GmbH
> > Luisenstrasse 30b
> > 63067 Offenbach
> > Tel: +49 69 85700331
> >
> > http://www.net-lab.net
Re: restricting sftp/ssh login access
John,

First off, I made a small mistake; the package I used was "jailkit", from either:
http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
or
http://freshmeat.net/projects/jailkit/

It has tons of documentation to help you create a jailed environment, including loading your jail with whatever executables are needed.

Looks like I simplified my script to one line:

---
#!/bin/bash

/usr/sbin/jk_socketd

This produces a group of daemonized processes:
nobody 13659 13658 0 Apr18 ? 00:00:00 [jk_socketd]

but I think that I had a much more elaborate script to {start|stop|restart} this daemon, something like:

/etc/init.d/chroot_jail

#!/bin/bash

case "$1" in
  start)
    echo -n "Starting Chroot Jail Server: chroot jail"
    start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
    echo "."
    ;;
  stop)
    echo -n "Stopping Chroot Jail Server: chroot jail"
    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
    echo "."
    ;;
  restart)
    echo -n "Restarting Chroot Jail Server: chroot jail"
    start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/jk_socketd.pid
    start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
    exit 1
esac

exit 0
---

Mark

--- Andreas John <[EMAIL PROTECTED]> wrote:
> Hi Mark!
>
> > You will need to run a special daemon (jk_socketd) to log users into the jail, but that is about the hardest part. I'll post my startup script if you would like.
>
> Do I need the ssh-patch if I run this jk_socketd? Does it replace that patch? It's a pain in the ass to maintain an ssh package that is separate from the debian tree.
>
> And yes - please post me that startup-script. Would be nice.
>
> Best regards and many penguins,
> Andreas
>
> --
> Andreas John
> net-lab GmbH
> Luisenstrasse 30b
> 63067 Offenbach
> Tel: +49 69 85700331
>
> http://www.net-lab.net
RE: restricting sftp/ssh login access
The cleanest way I have found was using rssh. All you do is change the shell to /usr/bin/rssh. The only issue I have with it is that to jail them to their home directory you need a separate chroot for each folder, made up of the following. I jailed the /home folder and thus only need one jail; if you want each user to be jailed to ~/ as / then you need a separate jail for each user, through copying or linking the files.

Ehren Wilson

jail components:
./etc
./etc/ld.so.cache
./etc/ld.so.conf
./usr
./usr/bin
./usr/bin/scp
./usr/lib
./usr/lib/i686
./usr/lib/i686/cmov
./usr/lib/i686/cmov/libcrypto.so.0.9.7
./usr/lib/libz.so.1
./usr/lib/rssh
./usr/lib/rssh/rssh_chroot_helper
./usr/lib/sftp-server

> -----Original Message-----
> From: Robert Cates [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 28, 2004 11:54 AM
> To: [EMAIL PROTECTED]
> Cc: Andreas John; MB; [EMAIL PROTECTED]
> Subject: Re: restricting sftp/ssh login access
>
> Hi, and thanks for the quick replies!
>
> Just to be a bit clearer in what I'm asking: I would like to be able to
> allow my customers to access their accounts (update their web sites) with
> sftp, which as I understand it is an extension to (Open)SSH, and not FTP. I
> know for example that the Windows application - WS_FTP Pro - has an option
> to use sftp/ssh on port 22 and when I tested it, I landed way up at root
> "/". So, I'd like to be able to allow secure access, but with an ftp client
> like WS_FTP Pro using sftp, and not a Secure SHell. I have my server set up
> so that the customer can use SSH to change their password, and that's all
> they can do with SSH.
>
> Is there nothing in the ssh_config or sshd_config which can be set to
> restrict sftp access to a designated directory?
>
> It seems to me that the patched OpenSSH way that Hiren pointed out is
> workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm
> open to other maybe better ways.
Re: SCSI Controller for Linux
On 2004-06-28 16:12:19, Andrew Miehs wrote:
> Hi all,
>
> What SCSI controller is recommended nowadays for connecting an external
> U160 SCSI storage system? NCR? Adaptec? Speed is good, STABILITY is most
> important however - one will be for a postgres database the other for a
> mail server.

"Adaptec" is good, but "IPC Vortex" is better.

> Thanks for your help,
>
> Andrew

Greetings
Michelle

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Michelle Konzack          Apt. 917                 ICQ #328449886
50, rue de Soultz         MSM LinuxMichi
0033/3/88452356           67100 Strasbourg/France  IRC #Debian (irc.icq.com)
Re: SCSI Controller for Linux
You can get an IBM server RAID card for about $200.
http://froogle.google.com/froogle?hl=en&lr=&ie=UTF-8&tab=wf&q=%22ibm+serveraid+4l%22&scoring=p

I like the IBM server RAID card on our mailserver:

01:02.0 RAID bus controller: IBM Netfinity ServeRAID controller
        Subsystem: IBM: Unknown device 020e
        Flags: bus master, 66Mhz, slow devsel, latency 96, IRQ 21
        Memory at f4ffc000 (32-bit, prefetchable) [size=8K]
        Expansion ROM at [disabled] [size=512K]
        Capabilities: [80] Power Management version 2

Uses kernel module 'isp.o'

Adaptec also makes good ones.

On 28/06/04 16:12 +0200, Andrew Miehs wrote:
> Hi all,
>
> What SCSI controller is recommended nowadays for connecting an external
> U160 SCSI storage system? NCR? Adaptec? Speed is good, STABILITY is most
> important however - one will be for a postgres database the other for a
> mail server.
> Thanks for your help,
>
> Andrew

--
Ted Knab
Chester, Maryland 21619 USA
--
Conquest is easy. Control is not.
-- Kirk, "Mirror, Mirror", stardate unknown
Re: restricting sftp/ssh login access
Hi, and thanks for the quick replies!

Just to be a bit clearer in what I'm asking: I would like to be able to allow my customers to access their accounts (update their web sites) with sftp, which as I understand it is an extension to (Open)SSH, and not FTP. I know for example that the Windows application - WS_FTP Pro - has an option to use sftp/ssh on port 22 and when I tested it, I landed way up at root "/". So, I'd like to be able to allow secure access, but with an ftp client like WS_FTP Pro using sftp, and not a Secure SHell. I have my server set up so that the customer can use SSH to change their password, and that's all they can do with SSH.

Is there nothing in the ssh_config or sshd_config which can be set to restrict sftp access to a designated directory?

It seems to me that the patched OpenSSH way that Hiren pointed out is workable - http://chrootssh.sourceforge.net/docs/chrootedsftp.html but I'm open to other maybe better ways.

Thanks again,
Robert

----- Original Message -----
From: "MB" <[EMAIL PROTECTED]>
To: "Andreas John" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, June 28, 2004 6:47 PM
Subject: Re: restricting sftp/ssh login access

> John,
>
> First off, I made a small mistake, the package I used was "jailkit",
> from either:
>
> http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
> or
> http://freshmeat.net/projects/jailkit/
>
> It has tons of documentation to help you create a jailed environment,
> including loading your jail with whatever executables needed.
Re: How to prevent being a 'bouncer' of evil mail?
Yves Junqueira wrote:
> On Fri, 25 Jun 2004 18:21:20 -0400, Kris Deugau <[EMAIL PROTECTED]>
> wrote:
> > I've been lucky enough to only work with *nix mail servers except
> > for that one Novell system- and it had some advantages I've yet to
> > see in any *nix system.
> Interesting. Was that Novell server old? In what architecture did it
> run on?

x86 Novell Netware 4.11, supporting Novell's "Internet Messaging System" mail package. It had some truly *peculiar* behaviour in some respects, and some horrible bugs with respect to some DNS-related operations, but it integrated *very* nicely with the Netware administration system and was ideal for a small ISP.

> Exchange 2003, the final server in the case I said, is ok. It is not
> that stupid. The problem is with Norton for Gateways. In our current
> setting, it gets the message before Exchange does, and it is very
> dumb.

Ah. You'd think that a tool designed to integrate in some way with Exchange would be able to hook in to things like a recipient check.

> We will be removing NAV in the future, when we are more
> confident on Clamav (it still misses some old MS Word "Macro
> viruses").

I can't say I've seen much trouble with Clam, and the most recent release (0.73) has fixed the problems I've had.

> But, hmmm..., even if we didn't have NAV, it wouldn't help much. Let's
> say Postfix (the gateway) delivers the message to Exchange, which is
> "smart". Even so, AFAIR, we would have another e-mail created
> notifying the failure, instead of the so desired SMTP error code. After
> Postfix gets the message, it sends a success reply to the client, and
> just then tries to send the mail to the destination, that will give
> postfix a failure reply code. Postfix will then have to send a DSN,
> right?

As a fresh new message, yes. At least, that's what happens by default on any MTA I've ever met, in such a setup.

> Or could you issue the RCPT TO command to the other server
> BEFORE sending the final result to the client, in the front server?

Hmm. I know sendmail doesn't support anything like this out of the box; but I don't know for sure about any other MTAs. I've used a very nice milter for sendmail (MIMEDefang) to do exactly this- check a recipient against the next server in the chain when the remote "client" server attempts RCPT TO:- and it worked very well.

> The world would be so much easier if Debian ruled from the
> beginning...

*shrug* I've had some problems using Debian for email handling; I've ended up having to build custom .deb's for a number of Perl modules, and use packages from backports.org to get the functionality I wanted. It didn't help that in one case I was converting from a RedHat system in production use. :/

On the other hand, apt-get is *very* nice...

-kgd
--
"Sendmail administration is not black magic. There are legitimate technical reasons why it requires the sacrificing of a live chicken." - Unknown
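The alternative Kris describes above, asking the next server in the chain whether it will take RCPT TO before answering the sending client, written out as an added example. This is not code from any poster, from MIMEDefang or from Postfix. The gateway returns 5xx to the client when the backend says 5xx and 4xx when anything is unclear, so an unknown recipient is refused at SMTP time and no DSN is ever generated to a possibly forged sender. The backend is a constructed in-process fake with a made-up recipient list, and the names gateway.example and exchange.example are assumptions; nothing is contacted over the network.

```python
"""Synchronous recipient call-forward for a gateway MTA (added example)."""
import socket
import threading


def read_reply(rfile):
    """Read one SMTP reply, joining continuation lines ('250-...').
    Returns (code, text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("backend closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)


def verify_recipient(host, port, recipient, helo="gateway.example", timeout=10):
    """Ask the next hop whether it accepts `recipient`.
    True  -> backend answered 2xx to RCPT TO: deliverable
    False -> backend answered 5xx: refuse the client with 5xx as well
    None  -> 4xx or protocol trouble: answer the client 4xx, never bounce"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            rf = s.makefile("rb")

            def cmd(line):
                s.sendall((line + "\r\n").encode("ascii"))
                return read_reply(rf)

            code, _ = read_reply(rf)            # greeting banner
            if code != 220:
                return None
            code, _ = cmd(f"EHLO {helo}")
            if code != 250:
                code, _ = cmd(f"HELO {helo}")
                if code != 250:
                    return None
            code, _ = cmd("MAIL FROM:<>")       # null sender: the convention for probes
            if code != 250:
                return None
            code, _ = cmd(f"RCPT TO:<{recipient}>")
            try:
                cmd("RSET")                     # never DATA: this is only a probe
                cmd("QUIT")
            except OSError:
                pass                            # teardown outcome does not matter
    except (OSError, ValueError):               # ValueError: non-numeric reply code
        return None
    if 200 <= code < 300:
        return True
    if 500 <= code < 600:
        return False
    return None


# Constructed sample directory standing in for the backend's user list.
KNOWN_RECIPIENTS = {"alice@example.com", "bob@example.com"}


def fake_backend(listener, known):
    """Minimal SMTP server for one connection: 250 for RCPT TO addresses in
    `known`, 550 for anything else. Stands in for the Exchange-style next hop."""
    conn, _ = listener.accept()
    with conn:
        rf = conn.makefile("rb")
        conn.sendall(b"220 exchange.example ESMTP\r\n")
        while True:
            raw = rf.readline()
            if not raw:
                break
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                conn.sendall(b"250-exchange.example\r\n250 PIPELINING\r\n")
            elif verb in ("HELO", "MAIL", "RSET", "NOOP"):
                conn.sendall(b"250 OK\r\n")
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip().strip("<>").lower()
                conn.sendall(b"250 OK\r\n" if addr in known else b"550 5.1.1 User unknown\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented\r\n")


def probe(recipient, known=KNOWN_RECIPIENTS):
    """Run the fake backend on a loopback port and probe `recipient` against it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=fake_backend, args=(listener, known), daemon=True)
    t.start()
    try:
        return verify_recipient("127.0.0.1", listener.getsockname()[1], recipient, timeout=5)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for rcpt in ("alice@example.com", "mallory@example.com"):
        print(rcpt, "->", probe(rcpt))
```

In a real gateway the result of verify_recipient() decides the reply to the client's own RCPT TO: True lets it through, False becomes a 5xx, None becomes a 4xx so the sender retries rather than the gateway accepting and bouncing.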
Re: restricting sftp/ssh login access
John,

Looks like there is a debian package created for jailkit now:
http://olivier.sessink.nl/jailkit/jailkit_0.9-1_i386.deb

md5 sums for these packages:
de67f1dbf6cec002290fe4faadf53821  jailkit_0.9-1_i386.deb

Mark

--- MB <[EMAIL PROTECTED]> wrote:
> John,
>
> First off, I made a small mistake, the package I used was "jailkit",
> from either:
>
> http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
> or
> http://freshmeat.net/projects/jailkit/
>
> It has tons of documentation to help you create a jailed environment,
> including loading your jail with whatever executables needed.
>
> Looks like I simplified my script to one line:
>
> ---
> #!/bin/bash
>
> /usr/sbin/jk_socketd
> ---
>
> This produces a group of daemonized processes:
> nobody   13659 13658  0 Apr18 ?  00:00:00 [jk_socketd]
>
> but I think that I had a much more elaborate script to
> {start|stop|restart} this daemon, something like:
>
> /etc/init.d/chroot_jail
> ---
> #!/bin/bash
>
> case "$1" in
>   start)
>     echo -n "Starting Chroot Jail Server: chroot jail"
>     start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
>     echo "."
>     ;;
>   stop)
>     echo -n "Stopping Chroot Jail Server: chroot jail"
>     start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
>     echo "."
>     ;;
>   restart)
>     echo -n "Restarting Chroot Jail Server: chroot jail"
>     start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/jk_socketd.pid
>     start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
>     echo "."
>     ;;
>   *)
>     echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
>     exit 1
>     ;;
> esac
>
> exit 0
> ---
>
> Mark
>
> --- Andreas John <[EMAIL PROTECTED]> wrote:
> > Hi Mark!
> >
> > > You will need to run a special daemon (jk_socketd) to log users into the
> > > jail, but that is about the hardest part. I'll post my startup script
> > > if you would like.
Re: restricting sftp/ssh login access
John,

First off, I made a small mistake, the package I used was "jailkit", from either:

http://www.gnu.org/directory/All_Packages_in_Directory/jailkit.html
or
http://freshmeat.net/projects/jailkit/

It has tons of documentation to help you create a jailed environment, including loading your jail with whatever executables needed.

Looks like I simplified my script to one line:

---
#!/bin/bash

/usr/sbin/jk_socketd
---

This produces a group of daemonized processes:
nobody   13659 13658  0 Apr18 ?  00:00:00 [jk_socketd]

but I think that I had a much more elaborate script to {start|stop|restart} this daemon, something like:

/etc/init.d/chroot_jail
---
#!/bin/bash

case "$1" in
  start)
    echo -n "Starting Chroot Jail Server: chroot jail"
    start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
    echo "."
    ;;
  stop)
    echo -n "Stopping Chroot Jail Server: chroot jail"
    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/jk_socketd.pid
    echo "."
    ;;
  restart)
    echo -n "Restarting Chroot Jail Server: chroot jail"
    start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/jk_socketd.pid
    start-stop-daemon --start --quiet --pidfile /var/run/jk_socketd.pid --exec /usr/sbin/jk_socketd --
    echo "."
    ;;
  *)
    echo "Usage: /etc/init.d/chroot_jail {start|stop|restart}"
    exit 1
    ;;
esac

exit 0
---

Mark

--- Andreas John <[EMAIL PROTECTED]> wrote:
> Hi Mark!
>
> > You will need to run a special daemon (jk_socketd) to log users into the
> > jail, but that is about the hardest part. I'll post my startup script
> > if you would like.
>
> Do I need the ssh-patch if I run this jk_socketd? Does it replace that
> patch? It's a pain in the ass to maintain an ssh package that is separate
> from the debian tree.
>
> And yes - please post me that startup-script. Would be nice.
>
> Best regards and many penguins,
> Andreas
>
> --
> Andreas John
> net-lab GmbH
> Luisenstrasse 30b
> 63067 Offenbach
> Tel: +49 69 85700331
>
> http://www.net-lab.net
Re: restricting sftp/ssh login access
Hi,

It sounds to me like you are looking for a chroot jail for some users.

apt-get install jailer
( jailer - Builds and maintains chrooted environments )

You will need to run a special daemon (jk_socketd) to log users into the jail, but that is about the hardest part. I'll post my startup script if you would like.

Mark

p.s. If this were my machine, I would turn off ftp and only allow sftp, btw.

Andreas John wrote:
> Hi!
>
> 1.) Set the users' shell to /bin/false and add it to /etc/shells.
> This will prevent ssh access for users, but allows ftp etc.
>
> But what you are asking for is that (I think)
> 2.) http://chrootssh.sourceforge.net/index.php
> Chroot your ssh for non-admin users by
> - patching ssh
> - replacing the user's homedir from /home/username/ to /home/username/./
>   (sshd recognizes "/./" at the end of the homedir and chroots that user)
> - building a "mini-system" in the user's homedir (necessary!). I played around
>   with that but had not much success because I don't want to set up a
>   *real* whole system for every user, because I would run into "apt-ing"
>   probs. I had a look at busybox, which could solve that problem.
>   If anyone knows how this works (login-shell with busybox-static + basic
>   commands) please write a howto for me ;) !
>
> rgds,
> Andreas
SCSI Controller for Linux
Hi all,

What SCSI controller is recommended nowadays for connecting an external U160 SCSI storage system? NCR? Adaptec? Speed is good, STABILITY is most important however - one will be for a postgres database, the other for a mail server.

Thanks for your help,

Andrew
Re: restricting sftp/ssh login access
Hi!

1.) Set the users' shell to /bin/false and add it to /etc/shells.
This will prevent ssh access for users, but allows ftp etc.

But what you are asking for is that (I think)
2.) http://chrootssh.sourceforge.net/index.php
Chroot your ssh for non-admin users by
- patching ssh
- replacing the user's homedir from /home/username/ to /home/username/./
  (sshd recognizes "/./" at the end of the homedir and chroots that user)
- building a "mini-system" in the user's homedir (necessary!). I played around
  with that but had not much success because I don't want to set up a
  *real* whole system for every user, because I would run into "apt-ing"
  probs. I had a look at busybox, which could solve that problem.
  If anyone knows how this works (login-shell with busybox-static + basic
  commands) please write a howto for me ;) !

rgds,
Andreas
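The "mini-system" step Andreas describes, and the component list Ehren posted for his rssh jail (scp, sftp-server, libcrypto, libz, ld.so.cache), come down to one job: put a binary and every shared library it loads into the jail at the same relative paths, and then make sure nothing dangerous went in with them. The following is an added example of that job; it is not code from any poster or from the jailkit, rssh or chrootssh projects. It does not perform the chroot itself (the patched sshd or rssh_chroot_helper does that); it builds and audits the directory tree. Paths such as /usr/lib/sftp-server and the account name webcust are assumptions taken from the thread, and the demo uses /bin/sh in a temporary directory so it runs unprivileged.

```python
"""Build and sanity-check a chroot jail for an sftp-only account (added example)."""
import os
import shutil
import stat
import subprocess
import tempfile


def shared_libs(binary):
    """Absolute paths ldd reports for `binary`: its libraries and the dynamic
    loader. A static binary, or a host without ldd, yields an empty list.
    Caveat: ldd may execute the program it inspects, so only point it at
    binaries you trust (the ones you are about to put in the jail anyway)."""
    try:
        out = subprocess.run(["ldd", binary], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return []
    # Lines look like 'libz.so.1 => /usr/lib/libz.so.1 (0x...)' or
    # '/lib64/ld-linux-x86-64.so.2 (0x...)'; keep every absolute-path token.
    return [tok for line in out.splitlines() for tok in line.split() if tok.startswith("/")]


def populate_jail(jail, binaries):
    """Copy each binary plus its shared libraries into `jail` at the same
    relative paths, the layout Ehren's component list shows. Symlinks are
    resolved so the jail holds real files, not links pointing outside it.
    Returns the paths created, each binary before its libraries."""
    created = []
    for binary in binaries:
        for src in [binary] + shared_libs(binary):
            dst = os.path.join(jail, src.lstrip("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.realpath(src), dst)
            created.append(dst)
    return created


def check_jail(jail, jailed_uid):
    """Problems a mis-built jail commonly has, as a list of strings (empty means
    clean): setuid/setgid files, which hand anyone who gets a process inside
    the jail a way up, and a jail root the jailed user can write to, which
    lets them plant their own /etc or libraries for the next login."""
    problems = []
    for root, _dirs, files in os.walk(jail):
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append(f"setuid/setgid file inside jail: {path}")
    st = os.stat(jail)
    if st.st_uid == jailed_uid or st.st_mode & stat.S_IWOTH:
        problems.append(f"jail root {jail} is writable by uid {jailed_uid}")
    return problems


def chroot_homedir(home):
    """The /home/user/./ form Andreas describes: the chrootssh patch reads '/./'
    as 'chroot to the part before it, then cd to the part after it'."""
    return home.rstrip("/") + "/./"


def demo(binary="/bin/sh", jailed_uid=None):
    """Build a throwaway jail for `binary`, check it, then plant a setuid bit on
    the copied binary and check again. Returns (created, clean, dirty)."""
    if jailed_uid is None:
        jailed_uid = os.getuid() + 1        # any uid other than the one building the jail
    jail = tempfile.mkdtemp(prefix="jail-")
    try:
        created = populate_jail(jail, [binary])
        clean = check_jail(jail, jailed_uid)
        os.chmod(created[0], 0o4755)        # simulate a setuid binary slipping in
        dirty = check_jail(jail, jailed_uid)
        return created, clean, dirty
    finally:
        shutil.rmtree(jail)


if __name__ == "__main__":
    # Real use, as root, with the assumed Woody paths:
    #   populate_jail("/home/webcust", ["/usr/lib/sftp-server", "/usr/bin/scp"])
    #   then copy /etc/ld.so.cache into the jail, run check_jail() against the
    #   account's uid, and set its home to chroot_homedir("/home/webcust").
    created, clean, dirty = demo()
    print(len(created), "files copied; clean:", clean, "; after chmod u+s:", dirty)
```

Copying with the real file rather than the symlink matters: a link such as /lib64/ld-linux-x86-64.so.2 resolved relative to the jail root would point at nothing, and sftp-server would fail to start inside the chroot.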
Re: restricting sftp/ssh login access
On Monday 28 June 2004 12.17, Robert Cates wrote:
> I would like to know if there is a way to restrict user logins to
> their home directories (or any other designated directory for that
> matter) using sftp/ssh. I've got my ftp server configured so that

rssh is what you are looking for. Be sure to read and understand the README.Debian thoroughly - when you do it wrong, you grant full shell access to the accounts, and that's exactly what you don't want, after all...

cheers
-- vbi

--
Si tu vecino te alaba y felicita, en algo te necesita.
(If your neighbour praises and flatters you, he needs something from you.)
restricting sftp/ssh login access
Hi,

I would like to know if there is a way to restrict user logins to their home directories (or any other designated directory for that matter) using sftp/ssh. I've got my ftp server configured so that normal ftp access is restricted to their home directories, but since sftp uses (Open)SSH, it uses the ssh configuration, and I just can't seem to find any mention of how to do this anywhere (if it's even possible). I have OpenSSH 3.7 installed on my Woody server.

Thanks much!
Robert