Re: iptables logging
Jeff Coppock wrote on Sat Jul 21, 2001 at 10:59:08PM:
> What does syslog recognize as iptables log messages? I tried
> putting iptable.* in syslog.conf, but I'm not seeing messages.

You need to tell iptables which packages should be logged. For example:

    iptables -N log      # This table logs and hands package over to "delete"
    iptables -N delete   # This table rejects anything

    iptables -A INPUT -j log      # Rule to be logged
    iptables -A INPUT -j delete   # Rule not to be logged

    iptables -A log -j LOG --log-prefix "Rejected: "   # be verbose in syslog
    iptables -A log -j delete      # hand over package to "delete"
    iptables -A delete -j REJECT   # gracefully reject package

It would be bad to have iptables log everything by default --> man DOS

Matthias

--
Matthias Richter --+- stud. soz. & inf. -+-- http://www.uni-leipzig.de
-->GPG Public Key: http://www.matthias-richter.de/gpg.ascii<--
· Projekt Deutscher Wortschatz: http://wortschatz.uni-leipzig.de
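An added example, not part of the original post: the LOG target writes through the kernel log, so its messages reach syslog under the kern facility, tagged with the chosen --log-prefix. The Python sketch below parses such lines for the "Rejected: " prefix used above and counts hits per source; the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample of syslog lines as the LOG target produces them
# (documentation address ranges; not taken from the original post).
SAMPLE = """\
Jul 21 23:01:02 fw kernel: Rejected: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 21 23:01:03 fw kernel: Rejected: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=40113 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 21 23:01:09 fw kernel: Rejected: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 21 23:01:10 fw kernel: eth0: link up
Jul 21 23:01:11 fw sshd[311]: Rejected: not a kernel line
Jul 21 23:01:12 fw kernel: Rejected: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

def parse_line(line, prefix="Rejected: "):
    """Return the KEY=VALUE fields of one LOG line, or None if it is not one."""
    # Some kernels put a "[12345.678] " uptime stamp before the prefix.
    m = re.search(r"\bkernel: (?:\[\s*\d+\.\d+\] )?" + re.escape(prefix) + r"(.*)$", line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group(1).split():
        key, sep, val = tok.partition("=")
        if sep:
            # LEN and ID can occur twice (IP header, then UDP/ICMP); keep the first.
            fields.setdefault(key, val)
        else:
            flags.append(tok)          # bare tokens such as DF or SYN
    if "SRC" not in fields:
        return None
    fields["FLAGS"] = flags
    return fields

def summarize(text, prefix="Rejected: "):
    """Count logged packets per (source, protocol, destination port)."""
    hits = Counter()
    for line in text.splitlines():
        pkt = parse_line(line, prefix)
        if pkt:
            hits[(pkt["SRC"], pkt.get("PROTO", "?"), pkt.get("DPT", "-"))] += 1
    return hits

def top_sources(text, prefix="Rejected: "):
    """Sources ordered by number of logged packets, busiest first."""
    per_src = Counter()
    for (src, _proto, _dpt), n in summarize(text, prefix).items():
        per_src[src] += n
    return per_src.most_common()

if __name__ == "__main__":
    for src, n in top_sources(SAMPLE):
        print(f"{src:15} {n}")
```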
Re: iptables install
Jeff Coppock wrote on Fri Jul 20, 2001 at 12:37:49PM:
>
> Dilemma:
> I want to run iptables, but I'm running stable. I have a
> clean, bootable 2.4.6 kernel (took awhile, but I got it), and
> then realized that the iptable package is not in stable, but
> is in testing and unstable. I looked for deb-src, but
> couldn't find any. I figured I could compile it on my stable
> machine.
>
> Do I need to dist-upgrade to woody to use iptables?

No, you don't have to; http://www.fs.tum.de/~bunk/kernel-24.html tells you
how to upgrade stable to kernel 2.4.x --- including iptables. Works fine here.

Matthias

--
Matthias Richter --+- stud. soz. & inf. -+-- http://www.uni-leipzig.de
-->GPG Public Key: http://www.matthias-richter.de/gpg.ascii<--
· Projekt Deutscher Wortschatz: http://wortschatz.uni-leipzig.de
Re: How to write a secure C program..
Lukas Ruf wrote on Tue Jul 03, 2001 at 10:34:44AM:
> On Tue, 03 Jul 2001, SDiZ Cheng wrote:
>
> > I am going to rewrite suexec.c of apache ( to suit my boss's need ).
> > As this program is SUID, I don't want to make any mistake.
> >
>
> Are you really sure you wanna do that?

If so, there is a HOWTO out there that he might be interested in:
http://www.dwheeler.com/secure-programs

Matthias
Re: Basic question about ipchains being useful
Julien Dupre wrote on Tue Jun 19, 2001 at 11:14:06PM:
> I'm using these packages with the latest versions in stable : postfix,
> apache 1.3.9 (quite old btw but not necessarily a problem), bind
> 8.2.3, openssh 1.2.3
[...]
> My idea is not to look at security alerts but trust that debian
> maintainers will do it, I have a daily cron job which mails me if
> "apt-get -s upgrade" says something should be upgraded, is this not
> reasonable ?

Hopefully, security.debian.org is in your /etc/apt/sources.list?

> Is there any case where a package with a known exploit
> was not upgraded quickly in stable ?
>
> > ) with ipchains/iptables you have a choice of accepting, rejecting
> > or dropping packets. If you reject them, they know you exist. If you
> > drop them, they have to wait for a timeout before they know anything
> > about you - you can play dead.
>
> Yes but what should I want to drop them, as I would only deny packets
> for services I'm not running, a potential attacker would just get a
> timeout for services which aren't running anyway.

You've got the point. I had to learn that there is no sense in
dropping packages instead of rejecting them. And ... once you offer
services you cannot play dead anyway.

> Right, but more generally about the interest of ipchains : if I have
> to consider such packets are dangerous, it means that opened service
> are not secured, can't I just rely on having most recent versions
> installed and be confident but for zero day exploits ?

Simple rule: reject anything that is not essential for the services
you are offering. Put yourself in paranoia-mode while building your
firewall.

Matthias
Re: proftpd exploit??
Marcelo Drudi Miranda wrote on Sat May 26, 2001 at 02:49:02AM:
> Matthias Richter <[EMAIL PROTECTED]> escreveu:
>
> > Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
> > [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
> > > Any solution??
> >
>
> This is an exploit or a DoS attack?

*Dos*, of course. Sorry for being inaccurate ...

regards,
Matthias
Re: proftpd exploit??
Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
[proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
> Any solution??

There was mentioned a suggested entry (meant as an intermediate solution
until proftpd has been fixed) to /etc/proftpd.conf:

    DenyFilter \*.*/

hth,
Matthias

--
Matthias Richter --+- stud. soz. & inf. -+-- http://www.uni-leipzig.de
-->GPG Public Key: http://www.matthias-richter.de/gpg.ascii<--
«Reality must take precedence over public relations,
for Mother Nature cannot be fooled.» -- R.P. Feynman