Re: speaking of squid ports...
[EMAIL PROTECTED] said:
> Umm... No.
>
> It's used for ICP, a protocol for intercommunication between squid
> caches. For example, at my site we have two different caches. One is
> basically transparent. The other provides anonymizing services. But,
> through ICP, both caches can make use of each other's cached objects.

no, Kevin's right. squid has its own built-in caching dns resolver, and
since it's a client it shows up on a different port every time. It seems
the only way to turn it off is to disable squid's internal resolver and
use an external one, but that's a whole new can of worms.

> Dunno how you turn it off, though. Iptables?

As I said, icp can be turned off with "icp_port 0", as noted in the
squid.conf comments. It uses udp port 3130 by default.

Jason
Re: speaking of squid ports...
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:
> On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
> >
> > I believe that UDP port is for receiving DNS responses.
>
> Umm... No.
>
> It's used for ICP, a protocol for intercommunication between squid
> caches. For example, at my site we have two different caches. One is
> basically transparent. The other provides anonymizing services. But,
> through ICP, both caches can make use of each other's cached objects.
>
> Dunno how you turn it off, though. Iptables?
>
> noah

He already said he turned off the ICP port, so I'm guessing that isn't
it. Also, the ICP port is 3130 by default, not 1414. Squid also can use
a udp port for snmp (default 3401).

FWIW, I found a couple of references to squid's use of a random high udp
port on the squid-user list. The only responses I could find indicated
that this port is used for DNS.

-Kevin
Re: speaking of squid ports...
On Wed, Mar 26, 2003 at 03:18:36PM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
> > I believe that UDP port is for receiving DNS responses.
> It's used for ICP, a protocol for intercommunication between squid
> caches. For example, at my site we have two different caches. One is
> basically transparent. The other provides anonymizing services. But,
> through ICP, both caches can make use of each other's cached objects.
>
> Dunno how you turn it off, though. Iptables?

Should work by setting the icp_port to '0'... If it is written via -u in
the init scripts the config file settings are overwritten, so beware.

Regards,
Alexander

--
Alexander Reelsen
http://tretmine.org
Re: speaking of squid ports...
On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
>
> I believe that UDP port is for receiving DNS responses.

Umm... No.

It's used for ICP, a protocol for intercommunication between squid
caches. For example, at my site we have two different caches. One is
basically transparent. The other provides anonymizing services. But,
through ICP, both caches can make use of each other's cached objects.

Dunno how you turn it off, though. Iptables?

noah

--
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: speaking of squid ports...
I believe that UDP port is for receiving DNS responses.

-Kevin

Jason Lunz <[EMAIL PROTECTED]> writes:
> does anyone know what squid's udp sockets are for, and how to close
> them? As far as I can tell, I don't need them, but I've been unable to
> find a combination of squid directives to make them all go away. The icp
> port can be closed using "icp_port 0", but the other one is dynamic and
> isn't referred to in the squid docs as far as I can tell:
>
> [kahlua](0) # netstat -lp | grep squid
> tcp        0      0 *:3128    *:*    LISTEN   673/(squid)
> udp        0      0 *:1414    *:*             673/(squid)
>
> the udp port isn't there immediately after starting squid, but it always
> shows up after a client uses the proxy. port 1414 isn't constant; it's
> different every time.
>
> Jason
speaking of squid ports...
does anyone know what squid's udp sockets are for, and how to close
them? As far as I can tell, I don't need them, but I've been unable to
find a combination of squid directives to make them all go away. The icp
port can be closed using "icp_port 0", but the other one is dynamic and
isn't referred to in the squid docs as far as I can tell:

[kahlua](0) # netstat -lp | grep squid
tcp        0      0 *:3128    *:*    LISTEN   673/(squid)
udp        0      0 *:1414    *:*             673/(squid)

the udp port isn't there immediately after starting squid, but it always
shows up after a client uses the proxy. port 1414 isn't constant; it's
different every time.

Jason
Re: noboby with a shell !!
On Wed, Mar 26, 2003 at 10:50:48AM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> > Well yes it could :) As long as the user has no valid password it's not very
> > useful. Take a look into the /etc/shadow and in the second field you'll find
> > ! or * indicating that this user has an invalid password. See man 5 shadow.
>
> That's hardly true. If an attacker could somehow create an ssh
> authorized_keys file, they could log in without a password.

and if he can somehow create the non-existing home dir. or if he can
somehow change the $HOME ... oh forgot when he has the power to somehow
change the $HOME he can change the $SHELL or if he can edit the
/etc/passwd he's root ... who cares about nobody.

Yeah there are so many side conditions that could happen, what a horror -
time to take the internet offline. *hrhr*

Well at least you shouldn't run all your daemons under one uid. Create
one for the ftpd, one for your httpd and so on.

SCNR
Sven

--
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
Removing invalid keys from keyring
Hi all,

I guess this question might be more suited on gnupg-users, but as I'm not
subscribed to that list, I hope you can forgive me for asking here... It
is a really short question...

Is there a way to remove revoked/expired and otherwise invalid or useless
keys from a GPG keyring, in batch? I once downloaded the 4500 keys that
were closest to me, but many of them are invalid now, and I'd like to
remove those in a quick way? Are there possibly any scripts lying around?

Cheers,

Kjetil

--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
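One batch approach to the question above, as an added example that is not part of the original post and not a GnuPG tool: it parses the machine-readable listing that `gpg --with-colons --with-fingerprint --list-keys` prints, picks the primary keys whose validity field (field 2 of a `pub` record) says revoked, expired or invalid, and builds one non-interactive `gpg --batch --yes --delete-keys <fingerprint>` command per key. The listing embedded in the block is constructed; its key IDs and fingerprints are placeholders, and the purge function defaults to a dry run.

```python
"""Select revoked/expired/invalid keys from a GnuPG colon listing (added example)."""
import subprocess
from typing import List

# Field 2 of a 'pub' record is the key's validity (see doc/DETAILS in GnuPG):
# r = revoked, e = expired, i = invalid. These are the keys the poster wants gone.
DEAD_VALIDITY = {"r", "e", "i"}

# Constructed sample of `gpg --with-colons --with-fingerprint --list-keys` output.
# Key IDs, fingerprints and user IDs are placeholders, not real keys.
SAMPLE_LISTING = """\
tru::1:1048000000:0:3:1:5
pub:r:1024:17:1111111111111111:2001-01-01:::-:::sc::::::::
fpr:::::::::0000000000000000000000001111111111111111:
uid:r::::2001-01-01::0000000000000000000000000000000000000000::Revoked Example <revoked@example.invalid>::::::::::0:
pub:e:1024:17:2222222222222222:2001-01-01:2002-01-01::-:::sc::::::::
fpr:::::::::0000000000000000000000002222222222222222:
uid:e::::2001-01-01::0000000000000000000000000000000000000000::Expired Example <expired@example.invalid>::::::::::0:
pub:-:2048:1:3333333333333333:2010-01-01:::-:::scESC::::::::
fpr:::::::::0000000000000000000000003333333333333333:
uid:-::::2010-01-01::0000000000000000000000000000000000000000::Good Example <good@example.invalid>::::::::::0:
sub:e:2048:1:4444444444444444:2010-01-01:2011-01-01:::::e::::::::
fpr:::::::::0000000000000000000000004444444444444444:
"""


def select_dead_keys(colon_output: str) -> List[str]:
    """Return fingerprints of primary keys that are revoked, expired or invalid.

    Only 'pub' records are consulted. An expired *subkey* (the 'sub:e' line in
    the sample) does not make the primary key useless, so it is ignored on purpose.
    """
    dead: List[str] = []
    want_fpr = False  # set after a dead 'pub' until its own 'fpr' record is seen
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            want_fpr = len(fields) > 1 and fields[1] in DEAD_VALIDITY
        elif fields[0] == "fpr" and want_fpr:
            dead.append(fields[9])  # field 10 of an 'fpr' record is the fingerprint
            want_fpr = False
    return dead


def list_keys_colon() -> str:
    """Fetch the live listing from the local keyring (runs gpg; not used by the sample)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--with-fingerprint", "--list-keys"],
        check=True, capture_output=True, text=True)
    return proc.stdout


def delete_commands(fingerprints: List[str]) -> List[List[str]]:
    """One non-interactive public-key deletion command per fingerprint."""
    return [["gpg", "--batch", "--yes", "--delete-keys", fpr] for fpr in fingerprints]


def purge(fingerprints: List[str], dry_run: bool = True) -> int:
    """Issue the deletions (dry run by default) and return how many were built."""
    cmds = delete_commands(fingerprints)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return len(cmds)


if __name__ == "__main__":
    for fingerprint in select_dead_keys(SAMPLE_LISTING):
        print("would delete", fingerprint)
```

Two things to decide before switching `dry_run` off: an expired key is still needed to verify signatures that were made while it was valid, so keep any key you may need for old mail or package signatures; and `--delete-keys` refuses to touch a key you also hold the secret part of, which is the safety net you want (removing those takes `--delete-secret-and-public-keys` deliberately).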
Re: bind squid to interface
* Michael West <[EMAIL PROTECTED]> [26-03-03 15:16]:
> I would like to bind squid to a specific interface.

Look at /etc/squid.conf:

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
#       Usage:  port
#               hostname:port
#               1.2.3.4:port
#
#       The socket addresses where Squid will listen for HTTP client
#       requests.  You may specify multiple socket addresses.
#       There are three forms: port alone, hostname with port, and
#       IP address with port.  If you specify a hostname or IP
#       address, then Squid binds the socket to that specific
#       address.  This replaces the old 'tcp_incoming_address'
#       option.  Most likely, you do not need to bind to a specific
#       address, so you can use the port number alone.
#
#       The default port number is 3128.
#
#       If you are running Squid in accelerator mode, then you
#       probably want to listen on port 80 also, or instead.
#
#       The -a command line option will override the *first* port
#       number listed here.  That option will NOT override an IP
#       address, however.
#
#       You may specify multiple socket addresses on multiple lines.
#
#Default:
http_port 127.0.0.1:3128

HTH
Jens
Re: bind squid to interface
Michael West wrote:
>
> I would like to bind squid to a specific interface.
[...]
> What am I doing wrong with xinetd? What other ways are there to make
> squid bind to an interface?

IIRC there used to be an option "tcp_incoming_address" in
/etc/squid.conf, but I think lately it was changed to be included in the
"http_port" option.

HTH
Frank
Re: bind squid to interface
## Michael West ([EMAIL PROTECTED]):
> I would like to bind squid to a specific interface.

http_port hostname:port
http_port ip:port
http_port port

It's documented.

Regards,
cmt

--
Spare Space
Re: Re: noboby with a shell !!
This e-mail address does not exist
Re: noboby with a shell !!
On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> Well yes it could :) As long as the user has no valid password it's not very
> useful. Take a look into the /etc/shadow and in the second field you'll find
> ! or * indicating that this user has an invalid password. See man 5 shadow.

That's hardly true. If an attacker could somehow create an ssh
authorized_keys file, they could log in without a password.

noah

--
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: bind squid to interface
On Wednesday 26 March 2003 15:16, Michael West wrote:

Hi there,

how about :

http_port xxx.xxx.xxx.xxx:8000
tcp_outgoing_address xxx.xxx.xxx.xxx
udp_outgoing_address xxx.xxx.xxx.xxx

in the squid config and run squid as daemon ?

Michi

> I would like to bind squid to a specific interface.
>
> I thought the easy way to do this would be with xinetd, but I get:
>
> Mar 26 06:05:09 localhost squid: Cannot open HTTP Port
> Mar 26 06:05:49 localhost last message repeated 10 times
>
> When I try to use it. Normally this would mean there is a squid process
> already running, but there is no other squid process.
>
> service squid
> {
>         disable         = no
>         socket_type     = stream
>         wait            = no
>         user            = root
>         bind            = 192.0.0.1
>         server          = /usr/sbin/squid
>         server_args     = -N -D -YC -u0
> }
>
> What am I doing wrong with xinetd? What other ways are there to make
> squid bind to an interface?
>
> ~Michael

--
Bisping & Bisping GmbH & Co. KG
Michael Streb
internet and network
[EMAIL PROTECTED]
Spitalstrasse 21-24-26
phone +49-9123-9740-630
D-91207 Lauf a. d. Pegnitz
fax +49-9123-9740-97
http://photo.bisping.de * http://bisping.de * http://lauf.de
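A small audit that ties the two squid threads together, added here as an example and not code from the list or from the Squid project: it parses a squid.conf fragment for the directives the threads mention (`http_port`, `icp_port`, `snmp_port`, `tcp_outgoing_address`, `udp_outgoing_address`), flags an `http_port` with no address part, an open ICP or SNMP port and a missing `udp_outgoing_address`, and then labels each squid socket from a `netstat -lp` listing by the directive that explains it. A UDP socket that no directive accounts for is reported as the ephemeral client socket of Squid's internal DNS resolver, which is the explanation Kevin and Jason arrive at for the port that changes on every start. The config fragments and netstat lines in the block are constructed (the address 192.0.2.10 is a documentation-range placeholder); the netstat lines are shaped like the ones Jason posted.

```python
"""Audit a squid.conf and a netstat listing for the sockets discussed in the thread."""
from typing import Dict, List

# Constructed squid.conf fragments (placeholder address 192.0.2.10). Directive
# names are the ones quoted in the thread; nothing here comes from a real host.
LOOSE_CONF = """\
http_port 3128
icp_port 3130
# snmp_port 3401
"""
BOUND_CONF = """\
http_port 192.0.2.10:3128
icp_port 0
tcp_outgoing_address 192.0.2.10
udp_outgoing_address 192.0.2.10
"""

# Constructed `netstat -lp | grep squid` lines, shaped like Jason's output.
SAMPLE_NETSTAT = """\
tcp        0      0 *:3128                  *:*                     LISTEN      673/(squid)
udp        0      0 *:1414                  *:*                                 673/(squid)
"""


def parse_directives(conf: str) -> Dict[str, List[str]]:
    """Map directive name -> list of values; comments are dropped. http_port may repeat."""
    directives: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return directives


def audit_conf(conf: str) -> List[str]:
    """Findings for listeners that are wider than a single-interface proxy needs."""
    d = parse_directives(conf)
    findings: List[str] = []
    for spec in d.get("http_port", ["3128"]):      # Squid's default when the line is absent
        if ":" not in spec:                        # no host part -> bound to every interface
            findings.append(f"http_port {spec} binds every interface")
    if d.get("icp_port", ["3130"])[-1] != "0":     # 3130 is the default the thread cites
        findings.append("icp_port is open (UDP 3130 by default); use 'icp_port 0' without peers")
    # snmp_port only counts when set explicitly here: the compiled-in default is
    # build-dependent (the thread mentions 3401), so confirm with netstat either way.
    if d.get("snmp_port", ["0"])[-1] != "0":
        findings.append("snmp_port is open")
    if "udp_outgoing_address" not in d:
        findings.append("udp_outgoing_address unset: UDP traffic may leave on any interface")
    return findings


def classify_sockets(netstat_lines: str, conf: str) -> Dict[str, str]:
    """Label each squid socket from netstat by the directive that explains it."""
    d = parse_directives(conf)
    http_ports = {spec.rsplit(":", 1)[-1] for spec in d.get("http_port", ["3128"])}
    icp_port = d.get("icp_port", ["3130"])[-1]
    snmp_port = d.get("snmp_port", ["0"])[-1]
    labels: Dict[str, str] = {}
    for line in netstat_lines.splitlines():
        fields = line.split()
        if len(fields) < 4 or "squid" not in line:
            continue
        proto, local = fields[0], fields[3]
        port = local.rsplit(":", 1)[-1]
        key = f"{proto}/{port}"
        if proto.startswith("tcp") and port in http_ports:
            labels[key] = "http_port: client requests"
        elif proto.startswith("udp") and port == icp_port:
            labels[key] = "icp_port: cache peering"
        elif proto.startswith("udp") and port == snmp_port:
            labels[key] = "snmp_port"
        else:
            # Not configured anywhere: the ephemeral client socket of Squid's
            # internal DNS resolver, which is why it differs on every start.
            labels[key] = "ephemeral: internal DNS resolver client socket"
    return labels


if __name__ == "__main__":
    for finding in audit_conf(LOOSE_CONF):
        print("finding:", finding)
    for sock, label in classify_sockets(SAMPLE_NETSTAT, LOOSE_CONF).items():
        print(sock, "->", label)
```

Run against your real files, the audit cannot see what the init script passes on the command line, which is the trap Alexander points out: a `-u` or `-a` argument overrides the matching config directive, so read the init script alongside squid.conf. The resolver socket itself is not a listener in the usual sense (it only receives replies to queries Squid sent), so the practical control is to bind it with `udp_outgoing_address` and let the packet filter admit inbound UDP only for established flows.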
Re: noboby with a shell !!
Yoann <[EMAIL PROTECTED]> writes:
> there is an * in /etc/shadow for nobody, but all services (ftp, web...)
> are running with the uid nobody so if there is an attack on an unknown
> bug (I keep up to date all services) on those services (buffer overflow
> for example), it will be unsecure...

It will be unsecure even if the shell field is filled with garbage...

1) The buffer overflow kind of attack is to launch a program from within
   another, a shell for example.

2) The shell shield (more easy to write than to tell) is used by:
   - /bin/login to launch a shell, or a pppd in some case
   - /*/ftpd to allow (/bin/true) or disallow (/bin/false) ftp access
   - probably lots of other programs.

HTH.

--
Reality always seems harsher in the early morning.
--
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/
bind squid to interface
I would like to bind squid to a specific interface.

I thought the easy way to do this would be with xinetd, but I get:

Mar 26 06:05:09 localhost squid: Cannot open HTTP Port
Mar 26 06:05:49 localhost last message repeated 10 times

When I try to use it. Normally this would mean there is a squid process
already running, but there is no other squid process.

service squid
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        bind            = 192.0.0.1
        server          = /usr/sbin/squid
        server_args     = -N -D -YC -u0
}

What am I doing wrong with xinetd? What other ways are there to make
squid bind to an interface?

~Michael
Re: noboby with a shell !!
> Hi,
>
> > I look at in the file /etc/passwd on my server today, and I saw the user
> > nobody has a shell !!. When I installed my debian (sarge, I know it's
> > bad, but it's just a server for me...) I put /bin/false. A few days ago,
> > while an upgrade, apt asked to me to upgrade that file to the new
> > version and answer yes, so I think it come from that action, but it
> > could be unsecure to put /bin/sh for nobody ?
>
> Well yes it could :) As long as the user has no valid password it's not very
> useful. Take a look into the /etc/shadow and in the second field you'll find
> ! or * indicating that this user has an invalid password. See man 5 shadow.

there is an * in /etc/shadow for nobody, but all services (ftp, web...)
are running with the uid nobody so if there is an attack on an unknown
bug (I keep up to date all services) on those services (buffer overflow
for example), it will be unsecure...

> > nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> >                                          ^^^
> > I change to :
> >
> > nobody:x:65534:65534:nobody:/dev/null:/bin/false
>
> This might be bad cause AFAIK a few cronjobs change from their root uid
> to nobody via the su command. See your /var/log/syslog maybe you'll now
> get some errors from cron jobs at night.

I will pay attention, thx Sven

Yoann
Re: noboby with a shell !!
Does the user nobody have a password in /etc/shadow ?

greets
Robbert

Quoting Yoann <[EMAIL PROTECTED]>:
> hi,
>
> I look at in the file /etc/passwd on my server today, and I saw the user
> nobody has a shell !!. When I installed my debian (sarge, I know it's
> bad, but it's just a server for me...) I put /bin/false. A few days ago,
> while an upgrade, apt asked to me to upgrade that file to the new
> version and answer yes, so I think it come from that action, but it
> could be unsecure to put /bin/sh for nobody ?
>
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>
> I change to :
>
> nobody:x:65534:65534:nobody:/dev/null:/bin/false
>
> Yoann
Re: noboby with a shell !!
On Wed, Mar 26, 2003 at 11:35:38AM +0100, Yoann wrote:
Hi,

> I look at in the file /etc/passwd on my server today, and I saw the user
> nobody has a shell !!. When I installed my debian (sarge, I know it's
> bad, but it's just a server for me...) I put /bin/false. A few days ago,
> while an upgrade, apt asked to me to upgrade that file to the new
> version and answer yes, so I think it come from that action, but it
> could be unsecure to put /bin/sh for nobody ?

Well yes it could :) As long as the user has no valid password it's not very
useful. Take a look into the /etc/shadow and in the second field you'll find
! or * indicating that this user has an invalid password. See man 5 shadow.

> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>
> I change to :
>
> nobody:x:65534:65534:nobody:/dev/null:/bin/false

This might be bad cause AFAIK a few cronjobs change from their root uid
to nobody via the su command. See your /var/log/syslog maybe you'll now
get some errors from cron jobs at night.

Sven

--
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
noboby with a shell !!
hi,

I look at in the file /etc/passwd on my server today, and I saw the user
nobody has a shell !!. When I installed my debian (sarge, I know it's
bad, but it's just a server for me...) I put /bin/false. A few days ago,
while an upgrade, apt asked to me to upgrade that file to the new
version and answer yes, so I think it come from that action, but it
could be unsecure to put /bin/sh for nobody ?

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

I change to :

nobody:x:65534:65534:nobody:/dev/null:/bin/false

Yoann
Re: is iptables enough?
Hi all,

On Tue, Mar 25, 2003 at 01:46:32PM -0600, Jones wrote:
> One thing they forgot to mention was that they used Exchange for
> email. That means instead of running exim, I will have to forward
> SMTP & POP traffic to their Exchange server. The Exchange server
> will not be directly connected to the Internet.

If you only port-forward the connections to the Exchange Server you will
expose it to the world like you would run it on the firewall itself.

You are right about forwarding the traffic (how else should they get
their mail :), but IMHO it is far better to still use exim, but "only"
as a smart-host to redirect mail from the internet to the
Exchange-server and back. If you update your debian-box regularly, you
don't have to worry about the security of the Exchange-server that much.

later
Steffen Burmeister, Dipl. Wirtschaftsinformatiker (BA)

--
ebios informationssysteme volker birk
gut-betha-platz 1
88339 bad waldsee
germany
phone +49 (7524) 93421
fax +49 (7524) 93423
mailto:[EMAIL PROTECTED]
http://www.ebios.de