Re: What to do about SSH brute force attempts?

2008-08-21 Thread GREG
Hi,

* use a firewall to prevent other IP addresses from connecting to your ssh
service; restrict it to just yours (an iptables script is easy to find on
the web)
* use Fail2ban, which can ban ssh auth failures and create iptables rules
(google can help your search about fail2ban)
* use a non-standard ssh port (for example ); apt-get install fail2ban

Have a nice day,

Greg

 Hi all,

 for two days (approx.) I've been seeing an extremely high number of apparently
 coordinated (well, at least they are trying the same list of usernames) brute
 force attempts from IP addresses spread all over the world. I've got denyhosts
 and an additional iptables based firewall solution in place to mitigate these
 for quite some time already and this seems to do the trick in terms of
 blocking them fairly quickly.

 Nevertheless, I'd like to do something about it more proactively, so I also
 contact the abuse mailboxes as obtained from whois. From time to time I do even
 see responses stating that counter measures have been taken. In the current
 case, however, there rather seems to be a need for some more coordinated action
 instead of contacting the ISPs for each single IP -- this host might get
 blocked/shut down, but there is little hope of a more thorough investigation,
 trying to get closer to the root of these attacks.

 Well, probably I'm pretty naive in hoping that one could do anything about that
 at all, but maybe some of you are more experienced in security issues/dealing
 with CERTs, etc. and have some ideas what could be done.

 Further, what do you guys do about such attacks? Just sit back and hope they
 don't get hold of any passwords? Any ideas are welcome...

 Thanks,
 Michael








Re: Allow password auth for one user with sftp?

2007-01-16 Thread Greg Folkert
On Tue, 2007-01-16 at 09:23 +0100, Maik Holtkamp wrote:
 Hi,
 
 Michel Messerschmidt wrote/schrieb @ 15.01.2007 20:39:
 
 [...]
 
  Public keys can be stolen too. If you consider this a risk, you should
 
 [Typ|Brain]o?
 
 s/Public/Private/

My thoughts exactly... stealing and placing *MY* public key means *I*
get more access or they can communicate with me in encrypted format.

I guess, a stolen public key is like a Free Information Brochure, only
good to those that will understand and use it to contact me or want to
have me do something for them.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux




Re: Security status of mozilla-* packages

2006-04-21 Thread Greg Norris
On Thu, Apr 20, 2006 at 11:02:20AM +0100, James Davis wrote:
 Actually, the release of Thunderbird which fixes these vulnerabilities
 (1.5.0.2) has not completed testing and is not a 'release' yet. The
 vulnerability report is confusing, in that it implies that Thunderbird
 1.5.0.2 should be available.
 
 I e-mailed Mozilla's security team yesterday and they said that it
 should be released shortly (within a day or so).

It's out now...

   ftp://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/1.5.0.2/source/




Re: My machine was hacked - possibly via sshd?

2005-03-29 Thread Greg Folkert
On Tue, 2005-03-29 at 13:38 +0100, Simon Heywood wrote:
 On Tue, 29 Mar 2005 at 13:18:42 +, Maurizio Lemmo - Tannoiser wrote:
   On Tuesday 29 March 2005, at 00:34, Adam M. wrote:
   But 2.4.18 is the Debian stable kernel, which gets security updates
   and patches, no?
   
   No, it doesn't. I really think that packages like this old kernel
   should be removed from the mirrors, or at least updated with big fat
   warning.
  
  Sorry, but this isn't correct.  kernel 2.4.18-1 in woody is patched
  against known vulnerabilities.
 
 The security team have quietly stopped updating it, preferring to
 concentrate on the Sarge kernels.

Please back this up with proof. Otherwise you'll be disliked even
more for your obvious lack of tact.

  Recent [vulnerabilities] involve code not present in this release of
  kernel.
 
 Some of them, maybe. But take a look at #289708 for an example of an
 unfixed vulnerability in Woody's 2.4.18.

Maybe because of this little fact you might just want to point out:

Maintainer for kernel-source-2.4.18 is Herbert Xu [EMAIL PROTECTED]

As if you don't know the implications of that. IIRC, You were in the
argument, though not hugely, which gave him cause to resign from Debian.

Quit making assumptions based on your beliefs and provide real tangible
proof. Otherwise please take it elsewhere.

-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux




Re: My machine was hacked - possibly via sshd?

2005-03-29 Thread Greg Folkert
On Tue, 2005-03-29 at 11:52 +0200, List (mitm) wrote:
 From: Michelle Konzack [EMAIL PROTECTED]
 Sent: Tuesday, March 29, 2005 11:21 AM
 Subject: Re: My machine was hacked - possibly via sshd?
 
   Your kernel is old.  That's for starters.  2.4.30 is in rc2 now.  It
   alone fixes some security issues.  2.4.18 is ancient, and there's most
 
  But 2.4.18 is the Debian stable kernel, which gets security updates
  and patches, no?
 
 NO, since one year.
 
 Is there an official policy on what gets updated and what not? Like Malcolm
 Ferguson I was under the impression that debian stable was always updated
 with the latest security patches. Besides kernel-images are there other
 packages that do not get updated?

Mozilla for one.

Not all kernel exploits for 2.6 or much later versions of 2.4 (after
2.4.23) really have any effect on 2.4.18-blah in the Stable Distro;
the problem areas aren't even there! But tell me, have they fixed the
futex problems in 2.6? Also, when are they going to make it so modules
(such as many IDE modules) are unloadable?

If you can justify to me why a newer kernel will fix any of my problems
on my woody systems, you will have succeeded where many others have
failed.

Just so you understand, I do like the newer kernels, but 2.6.x right now
has big difficulties with java apps, due to the futex issues. Yes, there
are other ways to implement workarounds, but why when 2.4.18 does just
fine.

My other machine is still running 2.4.20 with stack smashing protection
and preemptive task switching on. I haven't had a single problem yet.
And please, I already have tracked all the traffic on them. No point in
showing any malice now.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux




Re: My machine was hacked - possibly via sshd?

2005-03-28 Thread Greg Folkert
On Mon, 2005-03-28 at 15:58 -0500, Malcolm Ferguson wrote:
 Mark Foster wrote:
 
  Malcolm Ferguson wrote:
 
  My machine was cracked on Thursday evening.  I'm trying to understand 
  how it happened so that it doesn't go down again. 
 
 
  Sounds to me like you know exactly how it happened - ssh user 
  enumeration won the jackpot.
 
 
 Thanks: you got me thinking.  I see exactly what happened now.  A 
 dictionary attack via ssh found user 'steve' with a weak password.  The 
 auth.log shows this user login and su to root.  Perhaps a local exploit?
 

I have a short summary of my tracking of these Bruteforce SSH2 attempts
that are taking up bandwidth.

Here is what I have come up with ending 21mar2005 2100 GMT:
  * Starting July 26th, 2004 totals for recent Bruteforce attempts
on knight.gregfolkert.net
  * Total of 8,988 events separated by minutes sometimes, hours,
days, never weeks, months or years
  * 158,913 bruteforce total attempts to password guess or stumble
onto a no password user
  * 3727 unique combinations of username-(from)IP Address
  * 663 unique names used
  * 210 unique IP Addresses have been identified as sources of the
attempts

Amazing ain't it?

So, indeed it has been on the increase. Time to review those password
policies.

This is just the SSH2 problems, not to mention the Apache related
applications. We can basically quadruple the counts as a total for
everything that machine has seen.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux




Re: SELinux in debian/sarge

2005-01-24 Thread Greg Norris
On Mon, Jan 24, 2005 at 09:30:01PM +1100, Russell Coker wrote:
 dselect, initsctips, and sysv-rc don't matter.  I will put new
 versions of dpkg and sysvinit on my site soon.  Some other people are
 working on coreutils.

I posted an updated version of coreutils (i386 and source) about a week
ago, at http://people.debian.org/~adric/selinux/coreutils/.  It's not
currently set up for apt-get (I hope to take care of this in the near
future), so you'll need to download/install it directly.  So far, I
haven't encountered any problems with it on my sid SELinux box.




Re: Any way to simulate traffic?

2005-01-13 Thread Greg Folkert
On Thu, 2005-01-13 at 20:37 +0100, Javier Pardo wrote:
 Hello.
 
 I'm looking for a way to simulate traffic in order to probe my
 iptables' rules.
 
 In other words. Is there any way, any command or any iptables parameter
 to ask iptables what is going to do (according with the active rules)
 when some traffic arrives?
 
 Thanks in advance. RatÓn.

nmap and other Security testing tools.

-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux




Re: Log file IDS package?

2005-01-12 Thread Greg Folkert
On Wed, 2005-01-12 at 16:57 +1100, Andrew Pollock wrote:
 Hi,
 
 I've done some cursory apt-cache searching, and nothing's jumped out at
 me...
 
 Is there software in Debian that will do something along the lines of a
 tail -f of a given logfile, looking for supplied regexes and do custom
 actions on matches?
 
 I want to tarpit excessive SSH login failures.

Are you talking about the recent (since July 27th 2004) brute force ssh
attempts? The ones with NO_USER attached to them?

things like this:
Jan 10 23:52:45 knight sshd[12863]: Failed password for illegal user test from 220.75.202.225 port 35881 ssh2
Jan 10 23:52:51 knight sshd[12865]: Failed password for illegal user guest from 220.75.202.225 port 35973 ssh2
Jan 10 23:52:55 knight sshd[12867]: Failed password for admin from 220.75.202.225 port 36117 ssh2
Jan 10 23:52:57 knight sshd[12869]: Failed password for admin from 220.75.202.225 port 36212 ssh2
Jan 10 23:53:00 knight sshd[12871]: Failed password for illegal user user from 220.75.202.225 port 36284 ssh2
Jan 10 23:53:03 knight sshd[12873]: Failed password for root from 220.75.202.225 port 36367 ssh2
Jan 10 23:53:07 knight sshd[12882]: Failed password for root from 220.75.202.225 port 36457 ssh2
Jan 10 23:52:45 knight sshd[12863]: Illegal user test from 220.75.202.225
Jan 10 23:52:45 knight sshd[12863]: error: Could not get shadow information for NOUSER
Jan 10 23:52:50 knight sshd[12865]: Illegal user guest from 220.75.202.225
Jan 10 23:52:51 knight sshd[12865]: error: Could not get shadow information for NOUSER
Jan 10 23:53:00 knight sshd[12871]: Illegal user user from 220.75.202.225
Jan 10 23:53:00 knight sshd[12871]: error: Could not get shadow information for NOUSER

Or something else?

If it is that... well, unless you are doing something stupid for
passwords, you really shouldn't worry about it. This goes back to tarpit
setups for mail... it won't stop them, just increase the number of
connections you'll have tied up, possibly DoS style.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux
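The sshd lines quoted above, the counters in the March 2005 statistics post earlier on this page, and the Fail2ban-style banning suggested in the first post all reduce to the same parsing job. The following is an added example, not code from any of the list posts or from Fail2ban: it parses the two failure formats quoted above, reproduces the four counters from the statistics post, and flags source addresses that cross a maxretry/findtime threshold. The sample log lines (RFC 5737 documentation addresses), the log year and the threshold values are constructed assumptions; maxretry and findtime are Fail2ban's own option names.

```python
"""Parse sshd failure lines in the woody/sarge formats shown in the post,
summarise them the way the statistics post did, and flag source addresses
that cross a Fail2ban-style threshold.  Added example; the sample log is
constructed and uses documentation addresses only."""
import re
from collections import defaultdict
from datetime import datetime

# sshd logs no year; LOG_YEAR is an assumption used only to build timestamps.
LOG_YEAR = 2005
TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(TS + r"Failed password for (?:illegal user )?"
                       r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")
ILLEGAL_RE = re.compile(TS + r"Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)$")

# Constructed sample: one noisy source, one slow source, one accepted login,
# plus the 'Could not get shadow information' noise line that must be ignored.
SAMPLE_LOG = """\
Jan 10 23:40:00 knight sshd[12801]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 10 23:52:45 knight sshd[12863]: Illegal user test from 192.0.2.10
Jan 10 23:52:45 knight sshd[12863]: error: Could not get shadow information for NOUSER
Jan 10 23:52:45 knight sshd[12863]: Failed password for illegal user test from 192.0.2.10 port 35881 ssh2
Jan 10 23:52:51 knight sshd[12865]: Failed password for illegal user guest from 192.0.2.10 port 35973 ssh2
Jan 10 23:52:55 knight sshd[12867]: Failed password for admin from 192.0.2.10 port 36117 ssh2
Jan 10 23:52:57 knight sshd[12869]: Failed password for admin from 192.0.2.10 port 36212 ssh2
Jan 10 23:53:00 knight sshd[12871]: Failed password for illegal user user from 192.0.2.10 port 36284 ssh2
Jan 10 23:53:03 knight sshd[12873]: Failed password for root from 192.0.2.10 port 36367 ssh2
Jan 10 23:55:10 knight sshd[12890]: Accepted publickey for greg from 203.0.113.5 port 50000 ssh2
Jan 10 23:58:00 knight sshd[12901]: Failed password for admin from 198.51.100.7 port 40123 ssh2
"""


def parse_line(line):
    """Return (kind, timestamp, user, ip) for a failure line, else None."""
    for kind, rx in (("failed", FAILED_RE), ("illegal", ILLEGAL_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            return kind, ts, m["user"], m["ip"]
    return None


def summarize(lines):
    """The four counters from the statistics post: total failed attempts,
    unique username/source pairs, unique usernames, unique source IPs."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "failed_attempts": sum(1 for e in events if e[0] == "failed"),
        "unique_user_ip_pairs": len({(u, ip) for _, _, u, ip in events}),
        "unique_names": len({u for _, _, u, _ in events}),
        "unique_ips": len({ip for _, _, _, ip in events}),
    }


def offending_ips(lines, maxretry=5, findtime=600):
    """Sources with at least maxretry failed passwords inside any window of
    findtime seconds: the sliding-window rule Fail2ban applies before it
    adds an iptables rule.  The default values here are illustrative."""
    by_ip = defaultdict(list)
    for e in map(parse_line, lines):
        if e and e[0] == "failed":
            by_ip[e[3]].append(e[1])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarize(lines))
    print(sorted(offending_ips(lines)))
```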




Re: [SECURITY] [DSA 557-1] New rp-pppoe packages fix potential root compromise

2004-10-11 Thread Greg Folkert
On Mon, 2004-10-11 at 21:13 +0200, Nils Rennebarth wrote:
 Martin Schulze wrote:
  Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
  driver from Roaring Penguin.  When the program is running setuid root
  (which is not the case in a default Debian installation), an attacker
  could overwrite any file on the file system.
  
  For the stable distribution (woody) this problem has been fixed in
  version 3.3-1.2.
  
  For the unstable distribution (sid) this problem has been fixed in
  version 3.5-4.
 Is there an estimation when the 3.5-4 Version for unstable will hit the 
 archive?

Okay, don't run it as setuid root. Nothing I can find on bugs.d.o or
packages.d.o or alioth even begins to show 3.5-4 as existing yet.

But, unless you run rp-pppoe/pppoe as setuid root... you should be fine.
Minimizing the damage has already been done in the way it is set up by
default in Debian.

-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux




Re: BAHAHA was (telnetd vulnerability from BUGTRAQ)

2004-09-28 Thread Greg Folkert
On Tue, 2004-09-28 at 12:23 +0200, Dariush Pietrzak wrote:
 I would suggest updating one's knowledge at least every ~5 years or so...
 (it's easy for me to say, because i'm still learning, maybe people with
 decades of IT experience find it more difficult to follow development of
 standards)

Wow, the next thing you are going to say, is that Microsoft isn't
standards friendly. Or that SCO doesn't own UNIX. Or that (the) SUN is
setting.

Every 5 years... I doubt *I* could keep up with that pace.

BTW, I won't get into any further arguments about ftp, mainly I am
convinced its usefulness is past. Remember *I* *AM* *CONVINCED*, which
means *OPINION*. Sure other options exist, but FTP in the 5 years ago
old school sense isn't even optimal anymore except for
anonymous/chroot'd (or non-chroot'd for significantly larger values of
sane FTPDs) UL/DL. I won't use it and haven't for 5+ years (/me grins).
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux




Re: telnetd vulnerability from BUGTRAQ

2004-09-27 Thread Greg Folkert
On Mon, 2004-09-27 at 09:24 +0200, Dariush Pietrzak wrote:
   The point remains that while telnet/ftp should be treated as deprecated
  Why is that exactly?
 There is no replacement for ftp, and I don't know of any problems with it?
  Please enlighten me.

ftp == good enough for public upload and download in a chroot
environment.

scp == the preferred method for data transfer between machines. Nearly
as fast on semi-modern machines. pscp == the windows equivalent for
regular *NIX scp.

I have no problems with scp, best part there isn't the mistaken problem
of transfer in ASCII mode, when it should be in IMAGE mode (or BINARY
mode) or Vice-Versa.

We should get rid of telnetd (the Telnet daemon). For practical purposes,
except in places where there is no option, keep the telnet client. About the
only thing I can think of that is useful for port 23 == mud'ing.

At the very least, telnetd should not ever be installed as default. 
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup




Re: sshd: Logging illegal users

2004-08-16 Thread Greg Folkert
On Sun, 2004-08-15 at 19:46 -0600, s. keeling wrote:
 Incoming from Greg Folkert:
  
  Hey, I have found some thing. Rather than repost. I'll share where I
  posted it.
  
  http://z.iwethey.org/forums/render/content/show?contentid=169321
 
 Zope Error

Hmmm... try it again. I get it.

I'd be surprised if you get it again.

If you do, please send me the backtrace from the page source of the
error page.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux




Re: sshd: Logging illegal users

2004-08-15 Thread Greg Folkert
On Sun, 2004-08-15 at 19:15 +0200, Thomas Hungenberg wrote:
 Hello,
 
 sshd included with Debian/sarge logs connection attempts with illegal
 usernames this way:
 
 sshd[xxx]: Illegal user username from xxx.xxx.xxx.xxx
 sshd[xxx]: Failed unknown for illegal user username from xxx.xxx.xxx.xxx port x ssh2
 
 However, the older sshd version from Debian/woody by default only logs
 the following when trying to connect with an illegal username:
 
 sshd[xxx]: Connection from xxx.xxx.xxx.xxx port x
 sshd[xxx]: Enabling compatibility mode for protocol 2.0
 
 Is there a way to make the sshd included with Debian/woody also log
 the usernames an attacker tried to connect with?

Hey, I have found some thing. Rather than repost. I'll share where I
posted it.

http://z.iwethey.org/forums/render/content/show?contentid=169321


Check it out.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux




Re: advice needed on how to proceed

2004-07-30 Thread Greg Folkert
On Fri, 2004-07-30 at 15:06, Martin-Éric Racine wrote:
 (note: I'm not subscribing to this list, please CC me)
 
 Bug#259993 was submitted on one of my packages, tagged as a security risk.
 
 Upstream has been quite cooperative in assessing the gravity and is very willing
 to fix anything that the submitter can demonstrate.  The problem is that some of
 the submitter's claims appear questionable and that he refuses to substantiate them.
 
 I'm tempted to tag this as wont-fix, but would like this list's input first.

This I believe is the same bug or Security Risk that caused our
Mozilla Packager to remove the PS print engine from Mozilla and package
it that way.

Now, a specific switch passed onto ghostscript needs to be used to fix
the issue.

From the gs man page:

-dSAFER 
Disables the deletefile and renamefile operators and
the ability to open files in any mode other than
read-only. This is desirable for spoolers or any other
environments where a malicious or badly written
PostScript program must be prevented from changing
important files.

This is what he is spouting about, I think.

Cheers.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux




Re: preventing /dev/kmem and /dev/mem writes?

2004-07-26 Thread Greg Folkert
On Mon, 2004-07-26 at 10:58, [EMAIL PROTECTED] wrote:
 On Mon, Jul 26, 2004 at 10:23:21AM -0400, Michael Stone wrote:
  On Mon, Jul 26, 2004 at 11:38:33PM +1000, [EMAIL PROTECTED] wrote:
  /dev/kmem unusable. That, he says, will break lilo (I can't use GRUB as
  it doesn't support booting off RAID devices properly)
  
  Hmm. Seems to work here.
  
  Mike Stone
 
 This was with a Mylex AcceleRAID 170 RAID 5 with 6 disks. That was when
 I last tried it 2 years ago. Maybe they have added that capability..

Umm, yes. Update the Firmware on the Adapter. Then run

grub-install /dev/sda

Then (if this *IS* a Sarge or Sid machine) run update-grub, answer the
questions. Voila.

-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux




Re: mod_ssl 2.8.19 for Apache 1.3.31

2004-07-19 Thread Greg Folkert
On Mon, 2004-07-19 at 17:44, Peter Holm wrote:
 On Mon, 19 Jul 2004 23:30:14 +0200, Phillip Hofmeister
 [EMAIL PROTECTED] wrote:
 
 Is this line in your /etc/apt/sources.list (or a line like it...)
 deb http://security.debian.org stable/updates main non-free contrib
 
 my /etc/apt/sources.list contains:
 
 deb http://security.debian.org/ stable/updates main
 
 does this affect updates for mod_ssl? I see nothing about an available
 update for this mod_ssl problem on debian.org/security?

Are you sure this affects Woody?

What version of Apache and mod_ssl is in Woody?

Are you capable of providing and working on a patch to back port the
issue fixes if it affects Woody?

Have to make sure that you understand that if this DOES affect Woody,
the fixes will have to be backported to the versions in Woody. It may
even require another package or two to fix it fully.

BTW, does the term Regression testing mean anything to you?

Are you willing to do regression testing for the Security Team?

Are you willing to do the research needed to help reduce the time to fix
release?

Can you in fact do anything to help out? Are you even willing to
Volunteer?

Are you just able to complain and expect people to JUMP and DO? A taker
and not a helper?

Debian needs people to HELP do the work, what ever work you can.
Volunteers are the HEART and SOUL of Debian. Are you willing to be a
Debian Volunteer?
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux




Re: Mozilla/Firefox PostScript/default security problems

2004-07-10 Thread Greg Folkert
Excuse the cross posting, but many are discussing on all of these
lists.

On Sat, 2004-07-10 at 06:47, Magnus Therning wrote:
 
  If I were to dselect today, would I still
   be able to print to file a website page 
   as ps? [Y/N] 
 
 Yes. Printing PS to a file is still possible.
 
 What is removed is the ability to have Mozilla/Firefox execute an
 external command (e.g. lpr) in order to print.

H. Now since printing to a file is fine. (DING, light goes on.)

What say we make a PIPE and attach it to something. Oh like say a print
queue process, a redirect or something similar. That would allow us to
use nearly anything we wanted to.

Seems possible it'd be a simple process, given you know what you
are doing. Even for Epiphany or Galeon. Heck, we could even have <insert
favorite desktop environ here> do the work.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux




ISC DHCP3 Certs (yes multiple)

2004-06-23 Thread Greg Folkert
http://www.kb.cert.org/vuls/id/654390

http://www.kb.cert.org/vuls/id/317350

Looks like uploads are in incoming.d.o ATM. 1517 UTC
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup




Re: Spam fights

2004-06-11 Thread Greg Folkert
Sent to list.
On Thu, 2004-06-10 at 14:31, Jaroslaw Tabor wrote:
 Hello!
 
 In a letter of Thu, 10-06-2004, at 19:06, Greg Folkert writes: 
   Don't do it.  Confirmation systems are just as bad as the problems that they 
   try to solve.
  
  Here, here. Agreement on all fronts. If I get a challenge, I put it into
  /dev/null
 
 I'm really surprised by your opinion. Is it such a big problem to press
 reply when you are sending a first email to someone new?
 You receive a confirmation request whenever you try to update
 DNS, subscribe to a newsgroup or talk with any automatic service. Is it
 so difficult?
You see there is a difference there. *I* initiated them, not some
spammer. If someone doesn't want mail that could be very valuable to
them, especially if they asked for it on D-U... forcing me to write
another e-mail JUST to help them... nope, ain't gonna happen.

 Currently, in many cases when I'm sending email to an address found on a
 website I receive a challenge, and I fully understand people doing it.
 A whitelist with email/IP can also decrease the number of challenges from
 spammers: email coming from a different IP can be treated as spam
 automatically.

I implemented SPAM filtering software and have continued to train it
with ham and spam. I started last year when I was getting ~ 6,000
Swen e-mails a day. My e-mail address is posted EVERYWHERE.

Since that point, I get maybe 3 a day. When they (they being the
spammers) find a new way to trick the Bayesian testing I use I'll get a
spate of about 12 or so for a few days then back to maybe 3 a day. I use
server side software (maildrop and procmail) to do the sorting after it
has been graded by the filter.

I still get up to 1000 e-mail messages a day, but those are from mailing
lists and people I support via e-mail. If I had a CR system in place,
I'd have to maintain more than I want. Consider that in a given day, I e-mail
about 30+ new people.

I also can be and am very busy in Debian's mailing list(s), Samba, Exim,
Grip, Elitists and many other venues. If I got a CR back for every one
of the e-mails I sent to a mailing list, I'd be answering thousands of
NEW Challenges a week. Sounds like SPAM to me. When you understand that
nearly every challenge I get comes from a forged envelope-from (or
similar), I can't see how it reduces the problem; it just doubles, perhaps
triples, the amount of mail traffic. Plus some are web-server driven
auth, thereby causing a loading of the program and grabbing of the URI
indicated in the e-mail I got from the Challenge.

So, basically: You get a piece of SPAM, your system sends out another
piece of e-mail that is in response to the forged envelope, (assume) I
get this e-mail and then have to delete this mail or respond to it (a
third message) or go to a URI inside the Challenge (more processor time
and bandwidth) just so *YOU* can verify my message was or was not SPAM?

I consider sending me e-mail in Challenge form as unsolicited e-mail.
Therefore under my classification SPAM. Why should *I* verify your SPAM
problem for you? I deal with mine, and mine alone. I am not going to
spend resources (at my cost of those resources) to verify whether or not it
is SPAM.

Of course if everyone just affirmed the Challenge every time, it would
definitely not work. Whereas my solution would continue to.

I also drop all of the courtesy notifications that *I* sent an
infected e-mail to a certain domain's user. There is another example of
Unsolicited E-Mail. I don't care to know that someone forged my e-mail
addy inside the one someone got. It does me absolutely ZERO good to even
read these. I have an automated system to send those to /dev/null as
well. 

I deal with enough mail per day, CR systems DO NOT reduce my number,
Spam filtering does.

By the way, I do support Whitelisting and Blacklisting to make sure
things I want to absolutely get through do, and things I don't won't.

BTW, are you not glad *I* don't CR everyone that e-mails me? It could
have taken you 3 messages to get me to see one.
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup





Re: Spam fights

2004-06-10 Thread Greg Folkert
On Thu, 2004-06-10 at 04:58, Russell Coker wrote:
 On Thu, 10 Jun 2004 18:21, Jaroslaw Tabor [EMAIL PROTECTED] wrote:
  I'm planning to develop this feature, but it will be nice to hear
  what you think about this idea.
 
 Don't do it.  Confirmation systems are just as bad as the problems that they 
 try to solve.

Hear, hear. Agreement on all fronts. If I get a challenge, I put it into
/dev/null.

Whoever came up with those things (like TMDA and brethren) must have
been pulling them out of /dev/ass.
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup





Re: [Colo] [SECURITY] [DSA 512-1] New gallery packages fix unauthenticated access

2004-06-02 Thread Greg Rowe

Adding to the admin todo list:

1.  gallery
2.  mailman
3.  setting up sshusers group and plain text group

Greg

-- 
Home is where the .bashrc is.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Secure temporary fifo creation

2004-05-17 Thread Greg Deitrick
Hello,

What is the recommended method for securely creating a temporary named pipe in 
C code?

Looking at the man pages for various library calls it appears that tmpfile(3) 
is probably an acceptable means of creating a temporary file, but this 
returns a FILE *.  The upstream source I'm packaging needs to make a temporary 
fifo.  It uses tempnam(3) to get a temporary file name as a char *, and then 
mkfifo(3) to make the fifo named pipe from the file name.  Is this 
sufficiently secure?

Thanks for your help.


Greg Deitrick


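The question above is a good one to answer with code. tempnam(3) only picks a name; between that call and mkfifo(3) another local user who can guess the name can occupy it (mkfifo then fails with EEXIST, and the program either dies or falls back to something worse). The robust pattern is to let the kernel choose the name atomically: mkdtemp(3) creates a fresh directory with mode 0700, and the FIFO is created inside it, where nobody else can pre-create or replace the path. The following C program is an added example written for this archive, not code from the thread or from the upstream package being discussed; the /tmp base directory and the fixed "pipe" file name are choices of the example.

```c
/* Added example: a temporary FIFO with an unpredictable, private path.
 * mkdtemp(3) creates the directory atomically with mode 0700, so no other
 * user can guess or pre-create the FIFO's name; mkfifo(3) inside it can
 * then neither collide nor be redirected through a symlink. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create <private dir>/pipe as a FIFO readable and writable only by the
 * caller. On success returns 0 and writes the path into fifo_path (at
 * least 64 bytes); on failure returns -1 with errno set, leaving nothing
 * behind. The /tmp base is an assumption of this example. */
int make_private_fifo(char *fifo_path, size_t fifo_len)
{
    char dir[] = "/tmp/fifo.XXXXXX";        /* template; mkdtemp fills the Xs */
    if (mkdtemp(dir) == NULL)
        return -1;
    int n = snprintf(fifo_path, fifo_len, "%s/pipe", dir);
    if (n < 0 || (size_t)n >= fifo_len) {
        rmdir(dir);
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkfifo never follows a symlink and fails with EEXIST if the name is
     * taken; inside our fresh 0700 directory neither can happen. */
    if (mkfifo(fifo_path, S_IRUSR | S_IWUSR) != 0) {
        int saved = errno;
        rmdir(dir);
        errno = saved;
        return -1;
    }
    return 0;
}

/* Verify before use: the path is a FIFO, owned by us, with no group or
 * other permission bits. Returns 1 if all three hold, 0 otherwise. */
int fifo_is_private(const char *fifo_path)
{
    struct stat st;
    if (lstat(fifo_path, &st) != 0)
        return 0;
    return S_ISFIFO(st.st_mode)
        && st.st_uid == geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Remove the FIFO and its private directory. Returns 0 on success. */
int remove_private_fifo(const char *fifo_path)
{
    char dir[64];
    snprintf(dir, sizeof dir, "%s", fifo_path);
    char *slash = strrchr(dir, '/');
    if (slash == NULL)
        return -1;
    *slash = '\0';                          /* dir now names the parent */
    if (unlink(fifo_path) != 0)
        return -1;
    return rmdir(dir);
}

/* Full create -> verify -> remove cycle; 0 when every step succeeded. */
int private_fifo_roundtrip(void)
{
    char path[64];
    if (make_private_fifo(path, sizeof path) != 0)
        return -1;
    int ok = fifo_is_private(path);
    if (remove_private_fifo(path) != 0)
        return -1;
    return ok ? 0 : -1;
}

int main(void)
{
    char path[64];
    if (make_private_fifo(path, sizeof path) != 0) {
        perror("make_private_fifo");
        return 1;
    }
    printf("created %s (private: %s)\n", path, fifo_is_private(path) ? "yes" : "no");
    remove_private_fifo(path);
    return 0;
}
```

The directory, not the FIFO, is the security boundary here: once the process owns a 0700 directory it can create any number of named objects in it without further races, and a single rmdir cleans up. The umask can only tighten the 0600 mode requested for the FIFO, never loosen it.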




Re: Major TCP Vulnerability

2004-04-21 Thread Greg Folkert
On Tue, 2004-04-20 at 14:29, Eric Dantan Rzewnicki wrote:
 Has anyone heard about this? This article has no details ... apologies
 for the post's data-mining ... I'm still looking for other references.
 
 http://www.washingtonpost.com/wp-dyn/articles/A27403-2004Apr20.html

SSDD, Same Stuff, Different Decade

This Vulnerability is ancient news, and it is not really a
Vulnerability.

What happens if the route goes dead? Same effect.

Overloading a router with too many MAC addresses (overflow) has a similar
effect when the router re-inits. Another thing with the same effect.

I don't quite understand this. Poisoning BGP would be more effective.
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup





Re: name based virtual host and apache-ssl

2004-03-24 Thread Greg Folkert
On Wed, 2004-03-24 at 08:01, Russell Coker wrote:
 On Wed, 24 Mar 2004 22:22, Michael Stone [EMAIL PROTECTED] wrote:
  The best you could do would be to attach different certificates to
  different ports, but that would be extremely cumbersome and probably
  would lead to confusion.
 
 What if you had http://www.company1.com/ redirect to 
 https://www.company1.com:81/ and http://www.company2.com/ redirect to 
 https://www.company2.com:82/ ?
 
 www.company1.com and www.company2.com would have the same IP address.  This 
 should work.

Why go that route? Many proxies do not allow :81, :82, etc. It would
suck. How many instances would that force you to run anyway? Many.
It would almost be easier to just say SSL == separate virtual/real machine, and
that would suck as well.

But, on the flip-side, most companies/people wanting SSL typically want
their own machine to keep the info safe from other prying eyes.
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup





Re: Known vulnerabilities left open in Debian?

2004-03-22 Thread Greg Folkert
On Mon, 2004-03-22 at 16:05, Matt Zimmerman wrote:
 On Mon, Mar 22, 2004 at 09:45:00PM +0100, Jan Löhr wrote:
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1
  
  Greetings,...
  
  On Monday, 22 March 2004 21:05, Matt Zimmerman wrote:
   On Mon, Mar 22, 2004 at 08:57:26PM +0100, Jan Löhr wrote:
Cron is another example
  
[...]
   If you have concrete information about unfixed bugs, bring it forth.
   Otherwise this is just more FUD.
  
  Moz bug 228176 [1] is an example.
 
 We have been over the mozilla situation several times; if you have something
 helpful to contribute, I would like to hear it.  Vague allusions to
 insecure by definition don't fall into that category, though.

THANK YOU!
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry

Novell's Directory Services is a competitive product to Microsoft's
Active Directory in much the same way that the Saturn V is a competitive
product to those dinky little model rockets that kids light off down at
the playfield. -- Thane Walkup





chkrootkit - possible bad news`

2004-02-24 Thread Greg
I am running Debian on a Dec Alpha PC164.

I decided to run chkrootkit and was surprised by the following line.

Checking `bindshell'... INFECTED (PORTS:  1524 31337)

I am not sure how to interpret this.  I have checked logs, as well as binary
checks, and everything seems fine.  Can someone help me interpret the logs?
I will attach them at the tail of the email in case they may be helpful.


I don't know what my next step would be.  If indeed I have been 'rooted'
then I should obviously format and rebuild the server.

Thanks in advance.

Greg MEATPLOW

#
 #chkrootkit

alpha:~# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `killall'... not found
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'...
/dev/st- /dev/sto
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing
found
Searching for suspicious files and dirs, it may take a while... nothing
found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  1524 31337)
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...   eth0 is not promisc
Checking `wted'... nothing deleted
Checking `z2'...
nothing deleted
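
A practical next step for the output above: chkrootkit's bindshell test reports INFECTED when something accepts a connection on one of the ports in its list (1524 and 31337 are both classic backdoor ports), so the question to settle is which process is listening there. The C program below is an added example for this archive, not chkrootkit code: it pulls the port numbers out of the verdict line and scans text in /proc/net/tcp format for sockets in LISTEN state on those ports, printing the socket inode, which `ls -l /proc/*/fd` maps to a PID. The /proc/net/tcp table embedded in the block is constructed; when run on a real machine the program also scans the live table. A listener that turns out to be a legitimate daemon deliberately bound to decoy ports is a false positive; an unexplained one is not.

```c
/* Added example (not chkrootkit code): turn a bindshell verdict into the
 * list of listening sockets to investigate. Sample data is constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PORTS 64

/* Constructed /proc/net/tcp: sshd on 22 (LISTEN), an unknown listener on
 * 1524 (0x05F4, LISTEN), and an ESTABLISHED connection on 31337 (0x7A69),
 * which is not a listener. */
static const char SAMPLE_PROC_NET_TCP[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0\n"
"   1: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0\n"
"   2: 0100007F:7A69 0100007F:9C40 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1\n";

/* Extract the ports from a line such as
 *   Checking `bindshell'... INFECTED (PORTS:  1524 31337)
 * Returns how many were written to out, or -1 if the line is not an
 * INFECTED bindshell verdict. */
int parse_bindshell_ports(const char *line, unsigned *out, size_t max)
{
    const char *p = strstr(line, "PORTS:");
    if (p == NULL || strstr(line, "INFECTED") == NULL)
        return -1;
    p += strlen("PORTS:");
    size_t n = 0;
    while (n < max) {
        while (*p == ' ')
            p++;
        if (!isdigit((unsigned char)*p))
            break;
        char *end;
        out[n++] = (unsigned)strtoul(p, &end, 10);
        p = end;
    }
    return (int)n;
}

/* Walk text in /proc/net/tcp format and count sockets in LISTEN state
 * (st == 0A) whose local port is in ports[]; each hit is printed with the
 * socket inode that /proc/<pid>/fd links point at. */
int listening_matches(const char *tcp_text, const unsigned *ports, size_t nports)
{
    int hits = 0;
    for (const char *line = tcp_text; line != NULL && *line != '\0';) {
        const char *next = strchr(line, '\n');
        unsigned sl, lip, lport, rip, rport, st;
        unsigned long inode;
        /* sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode */
        int got = sscanf(line,
            " %u: %8x:%4x %8x:%4x %2x %*8x:%*8x %*2x:%*8x %*8x %*u %*u %lu",
            &sl, &lip, &lport, &rip, &rport, &st, &inode);
        if (got == 7 && st == 0x0A)
            for (size_t i = 0; i < nports; i++)
                if (ports[i] == lport) {
                    printf("port %u: LISTEN on %s, socket inode %lu\n", lport,
                           lip == 0 ? "all addresses" : "one address", inode);
                    hits++;
                }
        line = next ? next + 1 : NULL;
    }
    return hits;
}

/* Run the constructed verdict against the constructed socket table. */
int triage_sample(void)
{
    unsigned ports[MAX_PORTS];
    int n = parse_bindshell_ports(
        "Checking `bindshell'... INFECTED (PORTS:  1524 31337)", ports, MAX_PORTS);
    if (n < 0)
        return -1;
    return listening_matches(SAMPLE_PROC_NET_TCP, ports, (size_t)n);
}

int main(void)
{
    printf("constructed sample: %d flagged port(s) actually listening\n", triage_sample());
    FILE *f = fopen("/proc/net/tcp", "r");     /* live table, if this is Linux */
    if (f != NULL) {
        static char live[1 << 16];
        size_t len = fread(live, 1, sizeof live - 1, f);
        live[len] = '\0';
        fclose(f);
        unsigned ports[] = { 1524, 31337 };
        printf("live /proc/net/tcp: %d listening\n", listening_matches(live, ports, 2));
    }
    return 0;
}
```

On the constructed table only 1524 has a listener: 31337 shows up as an established client connection, which the bindshell test would not have flagged on its own. The inode is the pivot to the owning process; a listener whose process is hidden from ps but visible in /proc/net/tcp is exactly the discrepancy a rootkit check is meant to surface.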




Re: W32/Mydoom@MM (was: Re: )

2004-01-27 Thread Greg Folkert
On Tue, 2004-01-27 at 11:50, s. keeling wrote:
 Incoming from Eduardo Almeida:
  
  I don't know if all of you already heard about this. This message is a
  virus as you can see below.
 
 Pardon me if this seems a bit thick headed, but why should I care?  The
 Windows world is always being attacked by crap like this.  Why is this
 news?
 
 I don't use Windows.  Since you're using Evolution, I assume you
 aren't either.  So what's the big deal?
 
 Of course if you're using Debian as a mailserver for an internal
 Windows network, this may affect you, but what's it got to do with
 Debian?

I use Andreas Metzler's and Marc Haber's Exim4 Debian Package. I use the
Heavy Daemon with Exiscan-acl compiled in.

In /etc/exim4/conf.d/acl/40_exim4-config_check_data:

  deny    !senders   = :
          condition  = ${if !def:h_Message-ID: {1}}
          message    = RFC2822 says you SHOULD have a Message-ID.\n\
                       Most messages without it are spam,\n\
                       so your mail has been rejected.

There now it pertains to Debian!
-- 
greg, [EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry




Re: LKM

2004-01-26 Thread Greg Folkert
On Mon, 2004-01-26 at 10:06, Matthijs wrote:
 On Mon, 2004-01-26 at 11:40, Thiago Ribeiro wrote:
  Hi,
  
  When I run tiger, I got a follow error:
  
  NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit
  installation
  NEW: Warning: Possible LKM Trojan installed
  
  But I already listed my processes and found nothing...
  
  What can this be?
  
 
 You know what a LKM is ?
 
 It's a Loadable Kernel Module and it can hide himself and processes and
 files...
 
 So please check your computer
Please make sure this isn't the faulty chkrootkit... that mis-reported an
LKM existing on your boxen.

First off, what version of tiger and chkrootkit are you using?

If chkrootkit is not the misguided version, use the latest versions of
both.
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry





Re: extrange passwd behaviour

2003-12-04 Thread Greg Folkert
On Thu, 2003-12-04 at 15:12, Ruben Porras wrote:
 I've discovered that login, sudo, gdm only take care of the first 8
 characters of the passwd. The following characters don't count. See the
 following example (I've created a new user just to make the test)
 
 $$ adduser test
 Adding user test...
 Adding new group test (1006).
 Adding new user test (1006) with group test.
 Enter new UNIX password: qwertyuiop  <-- this, for example 10 letters
 Retype new UNIX password: qwertyuiop
 passwd: password updated successfully
 Changing the user information for test
 Enter the new value, or press ENTER for the default
 Full Name []:
 Room Number []:
 Work Phone []:
 Home Phone []:
 Other []:
 Is the information correct? [y/n] y
 
 $$ su test
 Password: qwertyui  <--- only 8 letters (qwertyuivnksshfdd, for example,
 would also be ok)
 $$ whoami
 test
 
 
 I don't see anything about this in the BTS, I'm puzzled.
Why would it be in the BTS?

That is standard SOP. If you are root... no password needed on that
unless you have more than traditional *NIX security.

Remember root OWNS the system. root RULES the roost.

Now if you try it as an unprivileged user and it succeeds... then we
gots LOTSA problems to deal with.

-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry





Re: ssh + opie?

2003-08-14 Thread Greg Norris
On Fri, Aug 08, 2003 at 04:21:50PM +1000, Geoff Crompton wrote:
   I have successfully configured sshd to allow opie logons, without
 disabling PrivSep, by configuring pam to use the libpam-opie
 module for ssh.
   In this case the user gets the normal password prompt though, and no
 opie information to tell them what password they are up to.

Could you post the configuration details?  I've tried to do this a
couple of times, but wasn't successful unless I disabled privilege
separation.






Re: Kernel ptrace Hole - Fix For i386 ?

2003-04-14 Thread Greg Norris
On Tue, Apr 15, 2003 at 12:46:38AM +0100, Nick Boyce wrote:
 The fix is in vanilla kernel 2.4.20 as I understand it, and it sounds
 like some people here are downloading that source for their Woody i386
 systems.

By vanilla, do you mean the Linus kernel from kernel.org?  If so,
the fix was incorporated into 2.4.21-pre6... 2.4.20 wasn't updated.




Re: Good Day -- RR and rbl

2002-07-02 Thread Greg Hunt
 Since I do not tolerate any level of spam I consider it immature to run a
 professional mailing list like debian security so that it can be abused
 by the most stupid script kiddie.  Sorry but the impression I got so far
 is semiprofessional. Cannot recommend it for use at work when people
 don't want to run serious/professional mailing lists.

I believe the term you're looking for is spammers, not script kiddies. 
There wasn't any 31337 h4x0ring going on here.  

If your basis for using redhat over debian in a work environment is the amount 
of spam on a mailing list I think your network is in trouble. Redhat released 
new openssh packages on June 27th, Debian released them on June 24th. Hey, at 
least you don't have spam...

-Greg

-- 
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]





Re: [Fwd: ISS Advisory: OpenSSH Remote Challenge Vulnerability]

2002-06-26 Thread Greg Hunt
I don't see a better way of handling the OpenSSH announcement. More details or 
a patch would have allowed people to start writing exploits, at least they 
warned users of an upcoming bug and provided a workaround. The OpenSSH team 
had to communicate with many vendors and eventually the details would have 
leaked. While debian may have released patched ssh packages right away, how 
many thousands of users of other vendors out there wouldn't have had a patch?
The apache announcement was just a mess though...
-Greg
 *raises hand*
 
 Both the Apache and OpenSSH announcements were done poorly, without
 any reasonable thought given to the user community.
 
 They should be taken out and shot ;-) (IMHO).
 
 -Anne
-- 
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]





Re: DSA-134-1

2002-06-25 Thread Greg Hunt
Theo de Raadt said in a post to Bugtraq the exploit won't work on sshd with 
privilege separation enabled, however even if it did work it'd be better to 
have an attacker get a chrooted shell with no privs instead of root access to 
the entire system. 
  I understand it as a remote chrooted nobody exploit; this is much
  better than a remote root-exploit.
 
 better in what way?



-- 
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]





Re: DSA-134-1

2002-06-25 Thread Greg Hunt
Yes, it's still not a good thing for someone to have a shell with no privs, but 
someone asked "better how?"; I'm pretty sure if most admins had a choice 
between an attacker having root access or an attacker having a chrooted shell 
with no privs they would choose the latter. Seeing as how there isn't a patch 
yet for the bug, it's this or nothing. 
-Greg

 Theo de Raadt said in a post to Bugtraq the exploit won't work on sshd with 
 privilege separation enabled, however even if it did work it'd be better to 
 have an attacker get a chrooted shell with no privs instead of root access 
 to the entire system. 
 
 In which case you just need a local exploit to go with your remote exploit.
 
 makes it harder but not impossible.
 

-- 
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]





Re: DSA-134-1

2002-06-25 Thread Greg Hunt
Well I'm not an OpenBSD developer nor have I looked through the privilege 
separation code so I only know what I read at 
http://www.citi.umich.edu/u/provos/ssh/privsep.html but according to that site 
(linked to from openssh.com) the privileged process (process 1) forks the 
unprivileged child (process 2) when a connection is made, this child talks to 
the client and requests authentication from the parent. If the authentication 
is successful the parent passes the child a PTY, if not there's not much the 
child process can do. 
The child itself is never able to say "give me a root shell" or "give me a 
shell for user xyz", so the child becoming corrupted doesn't compromise the 
security of the whole system (that's the point of priv separation).
-Greg

PS: the site linked to above does a much better job of explaining this

 this shellcode is executed as user ralf, not as user root.
 
 I'm not worried about a shell spawned by the chrooted process.
 
 Chroot and su to some undangerous user helps if that's one-way only, 
 i.e. the process doesn't have any connection to sensitive areas 
 anymore. But in the case of sshd, it's not one-way: as far as I 
 understand, the process running in the chroot as 'sshd' (say process 
 2) user does the communication with the client, but, and that's the 
 problem, it does have a connection with a sister process running as 
 root (say process 1) which it tells to launch a login shell for the 
 user requested by the client. Normally, process 2 would of course 
 only advise process 1 to do that if the remote client correctly 
 identifies itself/gives the password. But if a malicious client 
 submits data that corrupts process 2, he could make it to tell 
 process 1 to launch a login shell for root. How should process 1 find 
 out whether process 2 has been corrupted?
 
 (Well, it would be easy if logins are username/password only: if the 
 check for correct username/password is done by process 1, process 2 
 has to provide them which it can't if the cracker doesn't know them 
 anyway. But since ssh also allows public-key based logins, and I 
 would guess that the key check is done by process 2, it looks 
 different. Sorry if this starts to be OT.)
 
 Christian.
 
 

-- 
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]

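A small model of the split Greg describes (added example, not OpenSSH source; the request names and the constructed credential store are assumptions for illustration). The privileged monitor owns the password store and every authentication decision, and the only requests the unprivileged child can send are "check this password" and "open a session". There is no request that names the user a session is opened for, so a child that has been corrupted gains nothing by asserting an identity:

```python
"""Toy model of OpenSSH-style privilege separation (added example, not OpenSSH code).

The privileged monitor (process 1) keeps the credential store and records, on its
own side, who authenticated. The unprivileged network-facing child (process 2)
can only send it a fixed set of requests; none of them lets the child choose the
user a session is opened for.
"""
import hashlib
import hmac
import json

_SALT = b"constructed-demo-salt"  # constructed; a real store salts per user


def hash_password(password: str, salt: bytes = _SALT) -> bytes:
    """PBKDF2-HMAC-SHA256, standing in for the system password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo credential store, standing in for /etc/shadow.
USERS = {
    "ralf": hash_password("correct horse"),
    "root": hash_password("unused-demo-root-password"),
}
_DUMMY_HASH = hash_password("dummy")  # compared against for unknown users


class Monitor:
    """Privileged side. Keeps its own record of who authenticated."""

    def __init__(self, users):
        self._users = users
        self._authenticated_user = None  # decided here, never reported by the child

    def handle(self, raw: str) -> str:
        """Process one request from the child; every reply is a JSON string."""
        try:
            msg = json.loads(raw)
        except ValueError:
            return json.dumps({"status": "error", "reason": "malformed request"})
        op = msg.get("op")
        if op == "auth_password":
            user, password = msg.get("user"), msg.get("password")
            if not (isinstance(user, str) and isinstance(password, str)):
                return json.dumps({"status": "error", "reason": "bad arguments"})
            candidate = hash_password(password)
            # Hash and compare even for unknown users so timing does not leak names.
            stored = self._users.get(user, _DUMMY_HASH)
            if user in self._users and hmac.compare_digest(stored, candidate):
                self._authenticated_user = user
                return json.dumps({"status": "ok"})
            return json.dumps({"status": "error", "reason": "authentication failed"})
        if op == "open_session":
            # Any user field the child sends is ignored: the monitor only opens a
            # session for the identity it verified itself.
            if self._authenticated_user is None:
                return json.dumps({"status": "error", "reason": "not authenticated"})
            return json.dumps({"status": "ok", "shell_for": self._authenticated_user})
        return json.dumps({"status": "error", "reason": "unknown request"})


class Child:
    """Unprivileged side: it can only ask, and holds no state the monitor trusts."""

    def __init__(self, monitor: Monitor):
        self._monitor = monitor  # in sshd this is a socket pair to the parent

    def request(self, op: str, **fields) -> dict:
        return json.loads(self._monitor.handle(json.dumps({"op": op, **fields})))


def honest_login(user: str, password: str) -> dict:
    """Normal flow: the child relays the client's credentials, then asks for a session."""
    child = Child(Monitor(USERS))
    if child.request("auth_password", user=user, password=password)["status"] != "ok":
        return {"status": "error", "reason": "authentication failed"}
    return child.request("open_session")


def session_for_claimed_user(claimed: str, user=None, password=None) -> dict:
    """What a child that skips or misreports authentication obtains: it asserts an
    identity in open_session, and the monitor ignores it."""
    child = Child(Monitor(USERS))
    if user is not None:
        child.request("auth_password", user=user, password=password)
    return child.request("open_session", user=claimed)
```

In OpenSSH the same split covers public-key logins: the child forwards the offered key and the client's signature, and the monitor does the authorized_keys lookup and the signature verification, so the key check does not live in process 2 either.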




Re: ssh authentication configuration? = better use OTP method

2002-05-29 Thread Greg Norris

libpam-opie seems to be working great here.

On Wed, May 29, 2002 at 10:58:50AM +0700, Jean Christophe ANDRÉ wrote:
   Hello Joshua and all,
 
 Joshua Goodall wrote :
  Personally I recommend neither and tell everyone to prefer keys
  and one-time passwords, but that's another story :)
 
 Any hint for the best OTP method on Debian? libpam-opie??
 









Re: syn flood attacked?

2002-05-17 Thread Greg Hunt

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
to turn on syn cookie support once it's compiled into the kernel.

 In this case you are probably a target of a SYN Flood attack.
 What you have to do is to compile your kernel with option with
 protect_against_synflood (or something like this, but for sure in network
 submenu). Make sure to read the help for this option because compiling it into
 kernel isn't enough... (you have to issue a command 
 echo 1 > /don't/remember/where ;) )

-- 
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]









Re: is this an attack on my sendmail?

2002-05-10 Thread Greg Hunt

It looks like one of your users (the ctladdr= one) is trying to email 
[EMAIL PROTECTED]. company.com doesn't appear to be online right now, which is why 
the connection is timing out.

For the SYN_SENT when doing a netstat, it's likely that your mail server is trying to 
connect to those mail servers, which are either not online or have some firewall rules 
blocking you - nothing to worry about.

(sending a TCP packet with the SYN flag set is the first step to making a connection, 
if those servers were online and responding they would reply with a packet with SYN + 
ACK set, since your server can't get to them the connection is stuck in the SYN_SENT 
state until it times out)

-Greg

 hi guys in my maillog I am receiving many strange message on sendmail like 
 that:
 May 10 18:52:50 xserver sendmail[]: g4AIRfa02119: 
 to=[EMAIL PROTECTED], ctladdr=one of my user mail (638/45), 
 delay=03:25:09, xdelay=00:00:00, mailer=esmtp, pri=607606, 
 relay=company.com., dsn=4.0.0, stat=Deferred: Connection timed out with 
 company.com.
 
 and the other strange thing is that when i try to check the 
 connections (netstat -at) there is one strange one like that:
 tcp0  1 myserver:35169   mywebos.com:smtpSYN_SENT
 when I use netstat -atn looks like that:
 tcp0  1 myserver:35169208.49.229.140:25   SYN_SENT

-- 
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]


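The two netstat questions above (the SYN flood thread and the sendmail SYN_SENT thread) are two sides of the same handshake, so one parser serves both. This is an added example, not code from any poster; the `netstat -atn` sample is constructed with documentation addresses, and the threshold is illustrative. Inbound SYN_RECV entries piling up on one local port from many sources is the half-open pattern that tcp_syncookies is there for; outbound SYN_SENT entries are this host waiting for a SYN+ACK that never comes, which is what the deferred sendmail delivery looks like:

```python
"""Classify TCP socket states from `netstat -atn` output (added example).

SYN_RECV = a peer sent us SYN, we answered SYN+ACK, the final ACK never came
           (inbound half-open; a flood fills the backlog with these).
SYN_SENT = we sent SYN and are waiting for SYN+ACK (outbound, peer not answering).
"""
import collections
import os
import re

# Constructed sample in `netstat -atn` layout; RFC 5737 documentation addresses.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:40112      ESTABLISHED
tcp        0      1 192.0.2.10:35169        203.0.113.140:25        SYN_SENT
tcp        0      0 192.0.2.10:80           198.51.100.21:1025      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.22:1026      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:1027      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.24:1028      SYN_RECV
"""

_LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(\S+)")


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            _, lip, lport, rip, rport, state = m.groups()
            yield lip, lport, rip, rport, state


def half_open_by_port(text):
    """Number of distinct sources with a half-open connection, per local port."""
    sources = collections.defaultdict(set)
    for _, lport, rip, _, state in parse_netstat(text):
        if state == "SYN_RECV":
            sources[lport].add(rip)
    return {port: len(srcs) for port, srcs in sources.items()}


def flood_suspects(text, threshold=3):
    """Local ports whose half-open count from distinct sources reaches threshold.
    Real floods show thousands; 3 is only to make the sample trip it."""
    return sorted(p for p, n in half_open_by_port(text).items() if n >= threshold)


def stuck_outbound(text, remote_port="25"):
    """Outbound connections still waiting for SYN+ACK from a given remote port,
    e.g. our MTA trying to reach a mail server that is down or filtered."""
    return [(rip, rport) for _, _, rip, rport, state in parse_netstat(text)
            if state == "SYN_SENT" and rport == remote_port]


def syncookies_enabled(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """Read the live sysctl; True/False on Linux, None elsewhere."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read().strip() == "1"
```

On a live box feed it `subprocess.run(["netstat", "-atn"], capture_output=True, text=True).stdout` (or `ss -tan`, whose state names use a hyphen, SYN-RECV, so adjust the comparison); persist the sysctl with `net.ipv4.tcp_syncookies = 1` in /etc/sysctl.conf rather than the one-off echo.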







Re: A more secure form of .htaccess?

2002-04-22 Thread Greg Hunt

You might want to take a look at using digest authentication, which sends an MD5 digest 
of the password instead of the actual password.

http://httpd.apache.org/docs/howto/auth.html

 I have written some php-based internal systems for our users.  Users are
 required to authenticate to access this system, and their login
 determines what they are allowed to do within the system.  I am
 concerned that their logging in with cleartext passwords is a security
 risk.  I work in a K-12 school environment, and many of these students
 are rather devious and resourceful (as I was at that age :) ).  My fear
 is some bright student setting a sniffer up on my network and gleaning
 passwords from it.
 
 I am wondering if any of you have had similar problems.  What is a more
 secure way for people to login?  Is SSL an option, and if so, how do I
 go about using it?  Do I have to purchase a certificate?  Or is there
 some other option?  Finally, should I be using .htaccess at all, or is
 there a better way?  Thank you in advance for your advice.

-- 
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]

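What "sends a digest instead of the password" means on the wire, worked through as an added example (not from the Apache howto linked above). The arithmetic is RFC 2617 Digest with qop=auth; the server side stores only HA1, the realm-bound hash that an Apache AuthDigestFile holds, and the `rfc2617_example` function reproduces the response value from the RFC's own worked example. The "internal" realm, the student account and the server class are constructed for the demo:

```python
"""HTTP Digest authentication, client and server halves (added example).

The client sends MD5(HA1 : nonce : nc : cnonce : qop : HA2); the password itself
never leaves the browser, and the server needs only HA1 to check the answer.
"""
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """What the server stores per user (realm-bound, so not reusable elsewhere)."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_authorization(username, realm, password, method, uri, nonce,
                         cnonce, nc="00000001"):
    """Fields the client puts in its Authorization: Digest header."""
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(ha1(username, realm, password),
                                        method, uri, nonce, nc, cnonce)}


class DigestServer:
    """Constructed server side: knows HA1 per user, never the password."""

    def __init__(self, realm, users):
        self.realm = realm
        self._users = users          # username -> HA1
        self._issued = {}            # nonce -> highest nc accepted (replay guard)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._issued[nonce] = 0
        return {"realm": self.realm, "qop": "auth", "nonce": nonce}

    def verify(self, method, auth):
        h1 = self._users.get(auth.get("username"))
        nonce = auth.get("nonce")
        if h1 is None or nonce not in self._issued:
            return False
        nc = int(auth.get("nc", "0"), 16)
        if nc <= self._issued[nonce]:    # nonce count not advancing: replayed header
            return False
        expected = digest_response(h1, method, auth.get("uri", ""), nonce,
                                   auth.get("nc", ""), auth.get("cnonce", ""),
                                   auth.get("qop", "auth"))
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False
        self._issued[nonce] = nc
        return True


def rfc2617_example() -> str:
    """The worked example from RFC 2617 section 3.5 (fixed nonce and cnonce)."""
    return digest_response(ha1("Mufasa", "testrealm@host.com", "Circle Of Life"),
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")


def demo_exchange(password_tried: str):
    """One challenge/response round trip, then the same header sent again."""
    realm = "internal"                                   # constructed
    server = DigestServer(realm, {"student1": ha1("student1", realm, "correct-pw")})
    chal = server.challenge()
    auth = client_authorization("student1", realm, password_tried, "GET",
                                "/grades.php", chal["nonce"], secrets.token_hex(8))
    first = server.verify("GET", auth)
    replay = server.verify("GET", auth)
    return first, replay
```

What a sniffer on the school LAN still sees with Digest is every request and response body in the clear plus the digest header, which can be attacked offline against a weak password; it keeps the password itself off the wire and nothing more, so the SSL option raised in the question is the stronger answer and Digest is the fallback where a certificate is not available.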





Re: Stack protection

2002-01-28 Thread Greg Hunt

According to the Openwall kernel patch FAQ, JDK 1.3 and XFree86 4.0.1 both require an 
executable stack, but the openwall patch lets you allow certain programs to have an 
executable stack (from what I've gathered, I don't use it).

Also, remember that a non-executable stack means very little in stopping exploits.

 I'm going to bore you with stack attacks once again ! :)
 
 I am testing some kernel patches which prevent the system from being
 vulnerable to stack overflows, and I am wondering : are there many languages
 which require an executable stack ?
 
 I think Ada needs it, but do you know more ? ie, are there such reasons to
 refuse a non-executable stack ?

-- 
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]

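The practical check behind "which programs need an executable stack" today is the PT_GNU_STACK program header, which `readelf -lW file | grep GNU_STACK` prints; the kernel treats a missing header as a request for an executable stack. This added example (not from the Openwall patch or its FAQ) parses that header directly so a whole directory of binaries can be scanned; the minimal ELF64 image it builds for itself is constructed and is not a runnable program:

```python
"""Report whether an ELF binary asks for an executable stack (added example).

PF_X on the PT_GNU_STACK header means "executable stack requested"; no
PT_GNU_STACK header at all is treated by the kernel as the same request.
"""
import os
import struct

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def stack_executable(data: bytes):
    """True if PT_GNU_STACK carries PF_X, False if present without it,
    None if the header is absent (kernel default: executable)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:                                   # ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        phdr_fmt, flags_index = end + "IIQQQQQQ", 1     # p_type, p_flags, ...
    elif ei_class == 1:                                 # ELF32: p_flags is 7th field
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        phdr_fmt, flags_index = end + "IIIIIIII", 6
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return bool(ph[flags_index] & PF_X)
    return None


def scan_directory(path):
    """Map each ELF file under path to its executable-stack status."""
    report = {}
    for root, _, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
                report[full] = stack_executable(data)
            except (OSError, ValueError):
                continue                                # unreadable or not ELF
    return report


def build_demo_elf64(gnu_stack_flags=None) -> bytes:
    """Constructed minimal ELF64 image: one PT_LOAD and, if flags are given,
    one PT_GNU_STACK header. Enough structure for the parser, not runnable."""
    phdrs = [(1, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if gnu_stack_flags is not None:
        phdrs.append((PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, v1
    header = struct.pack("<16sHHIQQQIHHHHHH", e_ident, 2, 0x3E, 1, 0x400000,
                         64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return header + b"".join(struct.pack("<IIQQQQQQ", *ph) for ph in phdrs)
```

Greg's second point stands with or without this check: a non-executable stack stops only the classic "jump into the buffer" payload, and return-into-libc style code reuse does not need an executable stack at all, which is why it is paired with stack canaries and address randomisation rather than relied on alone.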








Unidentified subject!

2001-04-04 Thread Greg Hookey
subscribe

-- 
==
Signatures suck...

[EMAIL PROTECTED]
==



Re: Unknown open ports

2000-06-05 Thread Greg Olszewski
On Tue, Jun 06, 2000 at 12:22:33AM +0200, Ron Rademaker wrote:
 I've just run a portscan to my computer that is connected to the internet
 (permanently) and there were a few ports open of which I don't know what
 they are for (all ports under 1024) and neither did the portscanner, these
 are the ports: 686 698 708
 If I use telnet to go to one of those ports, the connection isn't closed
 by the remote host (only after I've typed a few things and pressed enter a
 few times).
 
 Anybody got any ideas on what these ports are for?


Not off the top of my head. The most convenient way I've found to
determine this is lsof (apt-get install lsof-2.2 or lsof-2.0.36 depending on
kernel). 

Just do a lsof | grep TCP as root and you'll get a list with names,
pids, and open ports down the right. It's nice.

Someone else suggested it was rpc, but if you are actually 
neo.rademaker.dhs.org (That's what your headers say), that's not it.


Oh well. 

hope this helps

greg
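What `lsof | grep TCP` does for those unknown ports is read /proc/net/tcp and match socket inodes to /proc/<pid>/fd entries; doing it by hand shows exactly where the port-to-process link comes from. This is an added example, not from any poster; the /proc/net/tcp excerpt is constructed with the three ports from the question in LISTEN state plus one established session, and the inode-to-pid step only works on a live Linux box with permission to read the fd directories:

```python
"""Map listening TCP ports to owning processes from /proc (added example)."""
import glob
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed /proc/net/tcp excerpt: ports 686, 698, 708 listening, one session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:02AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10241 1 00000000 100 0 0 10 0
   1: 00000000:02BA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10242 1 00000000 100 0 0 10 0
   2: 0100007F:02C4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10243 1 00000000 100 0 0 10 0
   3: 0A00000A:0016 1400000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 10244 1 00000000 100 0 0 10 0
"""


def _addr(hexaddr: str):
    """'0100007F:02AE' -> ('127.0.0.1', 686). The kernel prints the IPv4 address
    as a host-order 32-bit value, so on x86 the bytes read reversed."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Yield one dict per socket: endpoints, state name, uid and socket inode."""
    for line in text.splitlines()[1:]:            # skip the column header
        f = line.split()
        if len(f) < 10:
            continue
        yield {"local": _addr(f[1]), "remote": _addr(f[2]),
               "state": TCP_STATES.get(f[3], f[3]),
               "uid": int(f[7]), "inode": int(f[9])}


def listening_ports(text):
    """Sorted (port, inode) pairs for sockets in LISTEN state."""
    return sorted((e["local"][1], e["inode"])
                  for e in parse_proc_net_tcp(text) if e["state"] == "LISTEN")


def inode_to_pid():
    """Walk /proc/<pid>/fd symlinks; 'socket:[N]' targets map inode N to pid.
    Needs root to see other users' processes; empty off Linux."""
    table = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:
            continue
        if target.startswith("socket:["):
            table[int(target[8:-1])] = int(fd.split("/")[2])
    return table


def listeners_with_pids(text=None):
    """port -> pid for each listener (None when the owning fd is not readable)."""
    if text is None:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    owners = inode_to_pid()
    return {port: owners.get(inode) for port, inode in listening_ports(text)}
```

With the pid in hand, /proc/<pid>/exe and /proc/<pid>/cmdline name the program; ports in this range that belong to an RPC service will show up owned by that daemon, which settles the rpc suggestion one way or the other.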