Is nmap free or not? -> d-legal discussion
Hello team, I just wanted to make you aware that I've started a thread on d-legal to discuss nmap's license: https://lists.debian.org/debian-legal/2022/09/msg0.html You might find it interesting, feel free to share your views there too. Cheers, -- Samuel Henrique
Re: [nmap] polkit on Recommends vs Depends
On Wed, 31 Oct 2018, Samuel Henrique wrote:
> I think it's safe to downgrade to Recommends, as most users install
> recommends anyway.
>
> I will do it soon if there aren't any objections to this.

Yeah, fine for me.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: [nmap] polkit on Recommends vs Depends
I think it's safe to downgrade to Recommends, as most users install recommends anyway.

I will do it soon if there aren't any objections to this.

Thanks
--
Samuel Henrique
[nmap] polkit on Recommends vs Depends
Hello team,

I uploaded a new release of nmap yesterday, fixing #890728 [0].

I used the Ubuntu patch, which was adding polkit as Recommends, but I bumped it to Depends by the following policy part:

"The Depends field should be used if the depended-on package is required for the depending package to provide a significant amount of functionality."

Because the desktop file for zenmap as root won't work without polkit, and zenmap being a GUI tool, I assume most users will start it from their DEs.

Today I've got a bug report, #912452 [1], about that. I was not aware that polkit adds a Dependency on systemd, which makes nmap not installable on SysV systems.

I think I should have left it as Recommends, but as I mentioned on the bug report, I would like to check with the team before doing that, to confirm that we can downgrade it to Recommends even if it breaks the desktop file for zenmap as root.

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890728
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912452

--
Samuel Henrique
Re: Please push missing changes grr-client-templates/libevt/nmap
* Raphael Hertzog: > the git repositories of grr-client-templates, libevt and nmap are lacking > the changes (and tags) corresponding to your last upload(s). Thank you for the reminder. Pushed. Cheers, -Hilko
Please push missing changes grr-client-templates/libevt/nmap
Hello Hilko, the git repositories of grr-client-templates, libevt and nmap are lacking the changes (and tags) corresponding to your last upload(s). Can you push them? Thank you. -- Raphaël Hertzog ◈ Writer/Consultant ◈ Debian Developer Discover the Debian Administrator's Handbook: → https://debian-handbook.info/get/
nmap license is incompatible with GPL
Hi,

[ BCC'ed maintainers of packages mentioned below ]

Chris Lamb pointed out that nmap uses a special version of the GPL-2 which is incompatible with the standard GPL license:

+---
| Because this license imposes special exceptions to the GPL, Covered
| work may not be combined (even as part of a larger work) with plain
| GPL software."
+---

The license in particular also forbids front-ends parsing nmap's output that are released under a license not compatible with nmap's:

+---
| For example, we consider an application to constitute a
| derivative work for the purpose of this license if it does any of the
| following with any software or content covered by this license
| ("Covered Software"):
| [...]
| - Is designed specifically to execute Covered Software and parse the
|   results (as opposed to typical shell or execution-menu apps, which
|   will execute anything you tell them to).
+---

This means packages such as `nmapsi4`, `python-nmap`, `lsat`, `nikto`, `zabbix`, `oscinventory-agent`, `fusioninventory-agent-task-network` and possibly others which are licensed under the GPL-2 (some with or-later) do not conform to nmap's license requirements...

I plan to file RC bugs against these packages soon; this thread can serve as a central place for discussions.

Ansgar
Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)
> Package: avahi-daemon
> Version: 0.6.27-2
> Tags: security
> Severity: critical
> Justification: Introduces possible denial-of-service scenario.
>
> Hi,
>
> when I scan my server from another machine on the network using nmap, I
> get this:
[snip]

It seems that mandriva already released an update for avahi :
http://lists.grok.org.uk/pipermail/full-disclosure/2011-February/079525.html

I guess you're facing the same issue.

Regards

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/04cad33b021e7c91a76da3404fb76f3f.squir...@www.c0a8.org
Re: avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)
On Thu, 2011-02-24 at 15:31 +, Julien Reveret wrote:
> [snip]
> It seems that mandriva already released an update for avahi :
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-February/079525.html
>
> I guess you're facing the same issue.

0.6.28-4 has been accepted to unstable yesterday and afaik the fix was uploaded to stable-security but not yet accepted.

Regards,
--
Yves-Alexis

signature.asc
Description: This is a digitally signed message part
avahi-daemon uses 100% of cpu when scanned with nmap (DoS possible?)
Package: avahi-daemon
Version: 0.6.27-2
Tags: security
Severity: critical
Justification: Introduces possible denial-of-service scenario.

Hi,

when I scan my server from another machine on the network using nmap, I get this:

    # nmap -sU -p5353 192.168.2.2

    Starting Nmap 5.00 ( http://nmap.org ) at 2011-02-23 13:15 CET
    Interesting ports on 192.168.2.2:
    PORT STATE SERVICE
    5353/udp open|filtered zeroconf
    MAC Address: XX:XX:XX:XX:XX:XX (Netgear)

    Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
    #

As soon as the scan starts, avahi-daemon on the server starts running amok, top shows this:

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    5535 avahi 20 0 33884 1600 1280 R 100 0.0 2:28.47 avahi-daemon

Restarting avahi-daemon is not possible:

    # /etc/init.d/avahi-daemon restart
    Restarting Avahi mDNS/DNS-SD Daemon: avahi-daemonFailed to kill daemon: Timer expired
    .
    #

Simply terminating the process doesn't work either:

    # ps -Af | grep avahi-daemon
    avahi 5535 1 87 13:14 ? 00:04:43 avahi-daemon: running [server.local]
    avahi 5536 5535 0 13:14 ? 00:00:00 avahi-daemon: chroot helper
    root 5610 5581 0 13:20 pts/2 00:00:00 grep avahi-daemon
    # kill 5535
    # ps -Af | grep avahi-daemon
    avahi 5535 1 88 13:14 ? 00:05:02 avahi-daemon: running [server.local]
    avahi 5536 5535 0 13:14 ? 00:00:00 avahi-daemon: chroot helper
    root 5614 5581 0 13:20 pts/2 00:00:00 grep avahi-daemon
    #

Forcibly killing the process works:

    # kill -9 5535
    # ps -Af | grep avahi-daemon
    root 5629 5581 0 13:23 pts/2 00:00:00 grep avahi-daemon
    #

I don't know what kind of data nmap sends when scanning for open UDP ports, but it definitely shouldn't cause avahi-daemon to run amok. Please note that I have not changed the Avahi configuration in any way, so you should be able to reproduce this easily.

Please tell me if you need any more information!

Best regards

Alexander Kurtz
Re: nmap Xmas scans and unrecognized outcoming connections
On Friday, 7 December, Martín Peluso typed the following:

Hi!

> Two days ago one of my machines started to receive several nmap Xmas scans from 73.23.32.79. Later, in another machine which is running under Debian etch, Firestarter showed me four outcoming connections to the same ip address with destination ports 80, 44285, 41182 and 43275. Those connections are not used by any client application and they are not recognized by netstat. In addition, the target ip address (a comcast range address) doesn't seem to be giving http access, and it has all of its ports filtered.
> I don't know how to proceed in order to determine what application is using those connections or what are they used for. They are still active since two days ago.
> Any suggestion?

You should check the md5sum of netstat if it's still the one you would expect it to be. The same might be interesting for things like ls, lsof and such.

If you have a machine with two NICs you could set up a bridge and place it between the machine in question and its switchport and fire up wireshark to have a look what's going on.

Ciao
Max
--
Follow the white penguin.
nmap Xmas scans and unrecognized outcoming connections
Hello everybody

Two days ago one of my machines started to receive several nmap Xmas scans from 73.23.32.79. Later, in another machine which is running under Debian etch, Firestarter showed me four outcoming connections to the same ip address with destination ports 80, 44285, 41182 and 43275. Those connections are not used by any client application and they are not recognized by netstat. In addition, the target ip address (a comcast range address) doesn't seem to be giving http access, and it has all of its ports filtered.

I don't know how to proceed in order to determine what application is using those connections or what are they used for. They are still active since two days ago.

Any suggestion?

Thanks in advance.
Martin Peluso
Re: iptables and nmap
You got it Tibor !!!

I applied the command Andreas gave to me and tomcat55 listens on 8180. However, it does not resolve my firewall problem. I will explore different ways that have been proposed to me.

Thanks to all of you, I will inform you on the state of things,
Joan

On 8 June 07 at 23:05, Repasi Tibor wrote:
> Joan Hérisson wrote:
>> Hello,
>>
>> Config:
>> - Debian 2.4.18
>> - iptables with many rules
>>
>> Problems:
>> - I have installed a tomcat 5.5 server. The server is unreachable
>>   (connection failed from localhost or another host on my local network).
>
> Hey Joan,
>
> how did you install tomcat? Because, if installed from Debian package tomcat is listening on port 8180 instead of the default tomcat setting 8080. This can be confusing.
>
> Regards,
> Tibor
Re: iptables and nmap
Joan Hérisson wrote:
> Chain INPUT (policy DROP 17 packets, 1088 bytes)
> pkts bytes target prot opt in out source destination
> 164 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
> 225 18816 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT tcp -- eth1 * 192.168.0.3 0.0.0.0/0 tcp dpt:22
> 0 0 ACCEPT tcp -- eth1 * 192.168.0.12 0.0.0.0/0 tcp dpt:22
> 0 0 ACCEPT tcp -- eth1 * 192.168.0.31 0.0.0.0/0 tcp dpt:22
> 0 0 ACCEPT tcp -- eth1 * 192.168.0.28 0.0.0.0/0 tcp dpt:22
> 0 0 REJECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
> 162 18088 ACCEPT all -- eth1 * 192.168.0.0/24 0.0.0.0/0

you accept all eth1 packets from the inner network.

> 10 1219 ACCEPT all -- lo * 127.0.0.1 0.0.0.0/0
> 4 156 ACCEPT all -- lo * 192.168.0.1 0.0.0.0/0
> 8 528 ACCEPT all -- lo * 193.51.128.146 0.0.0.0/0
> 0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68

hmm

> 140 10422 ACCEPT all -- * * 0.0.0.0/0 193.51.128.146 state RELATED,ESTABLISHED
> 20 1280 tcp_packets tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0

chain tcp_packets is parsed only for eth0 traffic. so your rules with -i eth1 in tcp_packets will never be hit.

> 0 0 udp_packets udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 10 640 icmp_packets icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 DROP all -- eth0 * 0.0.0.0/0 224.0.0.0/8
> 3 192 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
> 2 152 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
> 2 152 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 169 22018 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
> 10 1219 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
> 166 16632 ACCEPT all -- * * 192.168.0.1 0.0.0.0/0
> 120 16559 ACCEPT all -- * * 193.51.128.146 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '

iptables will drop (and log) all outgoing packets? So you cannot have a tcp connection if you are not in one of the 3 named machines.

> Chain allowed (20 references)
> pkts bytes target prot opt in out source destination
> 3 192 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain bad_tcp_packets (3 references)
> pkts bytes target prot opt in out source destination
> 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
> 140 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'

The author doesn't understand what NEW means. (NEW (first hit) connection in netfilter, not a new (--syn) tcp connection)

> 140 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
>
> Chain icmp_packets (1 references)
> pkts bytes target prot opt in out source destination
> 10 640 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
Re: iptables and nmap
Hi !

* Manuel García [EMAIL PROTECTED] [2007-06-07 10:01]:
> On 6/7/07, Joan Hérisson [EMAIL PROTECTED] wrote:
> [...snip...]
>> Results:
>> - The server is still unreachable.
>> - When I do nmap localhost, I have port 80 open but not 8080.
>> - When I comment out the line for port 80 in firewall-start and I
>>   restart firewall, I do nmap localhost, port 80 is still open.
>
> man nmap:
> -p port ranges: Only scan specified ports
> Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
>
> And if you have port 80 OPEN that's because you have some webserver
> running in your machine (maybe apache?)
> [...snip...]

If you are not sure that tomcat is listening on the port you expect, run lsof -i :$PORT on the server. In your case, just run

    lsof -i :80
    lsof -i :8080

This should give you an output like this:

    # lsof -i :80
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    apache2 7497 www-data 3u IPv6 15254670 TCP *:www (LISTEN)
    apache2 8408 www-data 3u IPv6 15254670 TCP *:www (LISTEN)
    apache2 8409 www-data 3u IPv6 15254670 TCP *:www (LISTEN)
    apache2 8428 www-data 3u IPv6 15254670 TCP *:www (LISTEN)
    apache2 11194 www-data 3u IPv6 15254670 TCP *:www (LISTEN)

In that case, apache2 with five instances (different PIDs) running under the user www-data is listening on port 80 on all available interfaces.

If you don't get back anything for port 8080, then nothing is listening on this port and you won't get any connection. (That's not completely true, you could for example redirect ports in iptables, but I assume that your iptables-script is not doing something like that.)

BTW: As others already wrote, you should not use the iptables script if you don't understand what it really does. Otherwise you'll end up with problems and can't say if it's normal (because the script is doing it) or if you have a problem somewhere else.

Write the rules by yourself, there are a lot of HOWTOs, tutorials and explained example scripts on the net. A good start might be http://netfilter.org/documentation/index.html

mfg
@ndy
--
personal web site: http://skater.priv.at/~andy/
Nachtskaten / Friday Night Skating Vienna: http://night.skater.priv.at/
CCC Wien (CCC Erfa-Kreis Wien): http://metalab.at/wiki/Groups:CCC_Wien
Verein fuer Internet-BEnutzer Oesterreichs (.AT) http://www.vibe.at/
Re: iptables and nmap
Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18
> - iptables with many rules
>
> Problems:
> - I have installed a tomcat 5.5 server. The server is unreachable
>   (connection failed from localhost or another host on my local network).

Hey Joan,

how did you install tomcat? Because, if installed from Debian package tomcat is listening on port 8180 instead of the default tomcat setting 8080. This can be confusing.

Regards,
Tibor
iptables and nmap
Hello,

Config:
- Debian 2.4.18
- iptables with many rules

Problems:
- I have installed a tomcat 5.5 server. The server is unreachable (connection failed from localhost or another host on my local network).

Tries:
- I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
  iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed
  where eth0 is the way toward the internet. So I added this rule :
  iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed
  where eth1 is the way toward my local network

Results:
- The server is still unreachable.
- When I do nmap localhost, I have port 80 open but not 8080.
- When I comment out the line for port 80 in firewall-start and I restart firewall, I do nmap localhost, port 80 is still open.

I do not find the link between iptables rules and nmap. Some ideas ?

Thank you,
Joan

ps: sorry for my english.
_
Post-doc GENNETEC
Programme d'Épigénomique, Genopole®
Tour Évry2, 10è étage
523 Terrasses de l'Agora
91034 ÉVRY cedex
Tél : +33 (0)1 69 47 44 34
Fax : +33 (0)1 69 47 44 37
Web : http://www.epigenomique.genopole.fr/opencms/opencms/epigenomique/en/perso/joe/
Re: iptables and nmap
On Thursday 07 June 2007 15:51, Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18
> - iptables with many rules
>
> Problems:
> - I have installed a tomcat 5.5 server. The server is unreachable
>   (connection failed from localhost or another host on my local network).
>
> Tries:
> - I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
>   iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed
>   where eth0 is the way toward the internet. So I added this rule :
>   iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed
>   where eth1 is the way toward my local network

Hello,

it seems that you are using some firewall script which uses a lot of user defined chains: tcp_packets, allowed. Without understanding which packets get filtered by chain tcp_packets and what is happening in chain allowed, it is hard to guess what's wrong. Try this:

    iptables -A INPUT -p tcp -i eth1 --dport 8080 -j ACCEPT

I suspect that you are using some firewall script made by someone else, and that script is too complicated to understand for anyone else than author. IMHO it's always better to make your own script that has only the rules you really need and understand.

> Results:
> - The server is still unreachable.
> - When I do nmap localhost, I have port 80 open but not 8080.
> - When I comment out the line for port 80 in firewall-start and I
>   restart firewall, I do nmap localhost, port 80 is still open.
>
> I do not find the link between iptables rules and nmap. Some ideas ?

nmap shows you the reality defined by iptables. If nmap shows something different than you expected, it just means you do not understand how iptables work. You should visit http://www.netfilter.org/ and read man iptables.

--
Regards
Vladislav Kurz
=== WebStep, s.r.o. (Ltd.) = a step to the Web ===
address: Mezirka 1, 602 00 Brno, CZ, tel: +420 548 214 711
=== www.webstep.net === [EMAIL PROTECTED] ===
Re: iptables and nmap
Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18
> - iptables with many rules
>
> Problems:
> - I have installed a tomcat 5.5 server. The server is unreachable
>   (connection failed from localhost or another host on my local network).
>
> Tries:
> - I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
>   iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed
>   where eth0 is the way toward the internet. So I added this rule :
>   iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed
>   where eth1 is the way toward my local network
>
> Results:
> - The server is still unreachable.
> - When I do nmap localhost, I have port 80 open but not 8080.
> - When I comment out the line for port 80 in firewall-start and I
>   restart firewall, I do nmap localhost, port 80 is still open.
>
> I do not find the link between iptables rules and nmap. Some ideas ?

You should give us more information!

iptables is run in the tomcat server? What about the other rules (i.e. in INPUT and OUTPUT)? what will do the chain accept ?

nmap will send packets only to one interface, so you should do nmap from a computer in the eth0 network and an other run in eth1 network.

Add some log target in iptables and check the flux!

ciao
cate
Re: iptables and nmap
Can you send the output of 'iptables -t filter -L -n -v ' to this mailing list?

On 7 June 2007 at 15:51, Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18
> - iptables with many rules
>
> Problems:
> - I have installed a tomcat 5.5 server. The server is unreachable
>   (connection failed from localhost or another host on my local network).
>
> Tries:
> - I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
>   iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed
>   where eth0 is the way toward the internet. So I added this rule :
>   iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed
>   where eth1 is the way toward my local network
>
> Results:
> - The server is still unreachable.
> - When I do nmap localhost, I have port 80 open but not 8080.
> - When I comment out the line for port 80 in firewall-start and I
>   restart firewall, I do nmap localhost, port 80 is still open.
>
> I do not find the link between iptables rules and nmap. Some ideas ?
>
> Thank you,
> Joan
>
> ps: sorry for my english.
> _
> Post-doc GENNETEC
> Programme d'Épigénomique, Genopole®
> Tour Évry2, 10è étage
> 523 Terrasses de l'Agora
> 91034 ÉVRY cedex
> Tél : +33 (0)1 69 47 44 34
> Fax : +33 (0)1 69 47 44 37
> Web : http://www.epigenomique.genopole.fr/opencms/opencms/epigenomique/en/perso/joe/
Re: iptables and nmap
On Thu, 7 Jun 2007 15:51:51 +0200 Joan Hérisson [EMAIL PROTECTED] wrote:
> So I added this rule :
> iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed
> where eth1 is the way toward my local network
>
> Results:
> - The server is still unreachable.
> - When I do nmap localhost, I have port 80 open but not 8080.
> - When I comment out the line for port 80 in firewall-start and I
>   restart firewall, I do nmap localhost, port 80 is still open.

Just a further note: you've opened ( or tried to, don't know if the action was successful ) the port on interface eth1, but you're testing the rule on localhost ( loopback interface lo ).

Ciao,
Gian Piero.
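
Two points made in this thread (the tcp_packets chain is only entered for eth0 traffic, and a scan of localhost arrives on lo rather than eth1) can be checked by walking the posted INPUT chain in rule order. The sketch below is an added example, not code from any of the posters. It models only a fresh TCP SYN, takes the tcp_packets rules from the two `iptables -A` commands in the first post because the listing is cut off before that chain, and uses constructed source addresses (192.168.0.50, 203.0.113.7).

```python
from ipaddress import ip_address, ip_network

# Rule = (target, in-interface or None for "*", source CIDR, TCP dport or None).
# INPUT is transcribed from the `iptables -L -n -v` listing in the thread (TCP
# rules only). State and flag matches are left out: only a fresh SYN is modelled.
ANY = "0.0.0.0/0"
CHAINS = {
    "INPUT": [
        ("ACCEPT", "eth0", ANY, 8080),
        ("bad_tcp_packets", None, ANY, None),
        ("ACCEPT", "eth1", "192.168.0.3/32", 22),
        ("ACCEPT", "eth1", "192.168.0.12/32", 22),
        ("ACCEPT", "eth1", "192.168.0.31/32", 22),
        ("ACCEPT", "eth1", "192.168.0.28/32", 22),
        ("REJECT", "eth1", ANY, 22),
        ("ACCEPT", "eth1", "192.168.0.0/24", None),
        ("ACCEPT", "lo", "127.0.0.1/32", None),
        ("ACCEPT", "lo", "192.168.0.1/32", None),
        ("ACCEPT", "lo", "193.51.128.146/32", None),
        ("tcp_packets", "eth0", ANY, None),
    ],
    # Every rule in bad_tcp_packets needs "state NEW" plus non-SYN flags, so a
    # plain SYN matches nothing there and returns to INPUT.
    "bad_tcp_packets": [],
    # Assumption: contents taken from the `iptables -A tcp_packets ...` commands.
    "tcp_packets": [
        ("allowed", "eth0", ANY, 80),
        ("allowed", "eth1", ANY, 8080),
    ],
    # The first rule of "allowed" accepts a SYN (tcp flags:0x16/0x02).
    "allowed": [("ACCEPT", None, ANY, None)],
}
POLICY = "DROP"  # Chain INPUT (policy DROP)
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def matches(rule, pkt):
    _target, iface, src, dport = rule
    return ((iface is None or iface == pkt["iface"])
            and ip_address(pkt["src"]) in ip_network(src)
            and (dport is None or dport == pkt["dport"]))


def traverse(chain, pkt, trace):
    """First match wins; a user chain that decides nothing returns to its caller."""
    for number, rule in enumerate(CHAINS[chain], 1):
        if not matches(rule, pkt):
            continue
        trace.append(f"{chain}#{number}")
        target = rule[0]
        if target in TERMINAL:
            return target
        result = traverse(target, pkt, trace)
        if result:
            return result
    return None


def verdict(iface, src, dport):
    """Return (verdict, list of matched rules) for a new TCP SYN."""
    trace = []
    pkt = {"iface": iface, "src": src, "dport": dport}
    return traverse("INPUT", pkt, trace) or POLICY, trace


def dead_rules(chains=CHAINS):
    """Rules whose -i can never match: every jump into their chain pins another interface."""
    dead = []
    for name, rules in chains.items():
        callers = [r for rs in chains.values() for r in rs if r[0] == name]
        ifaces = {c[1] for c in callers}
        if not callers or None in ifaces:
            continue  # built-in chain, or reachable from any interface
        dead += [(name, n) for n, r in enumerate(rules, 1)
                 if r[1] is not None and r[1] not in ifaces]
    return dead


if __name__ == "__main__":
    for probe in [("lo", "127.0.0.1", 8080), ("eth1", "192.168.0.50", 8080),
                  ("eth0", "203.0.113.7", 80), ("eth0", "203.0.113.7", 25)]:
        print(probe, *verdict(*probe))
    print("never reachable:", dead_rules())
```

Under these assumptions a SYN to port 8080 is accepted on lo and on eth1 before tcp_packets is ever consulted, which is consistent with the later finding in the thread that Tomcat was listening on 8180.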
Re: iptables and nmap
Ok, thank you for your answers. I will try to sum up mine.

It is true that it is not me who wrote the firewall script and that I do not understand what all rules do. I tried different solutions that you proposed but none works, from localhost, local network or from the internet. The 8080 port remains closed.

I did not try to upgrade my kernel. Actually, I am a little bit frightened to this idea. is it really riskless ?

Finally this is the result of 'iptables -t filter -L -n -v' command:

    Chain INPUT (policy DROP 17 packets, 1088 bytes)
    pkts bytes target prot opt in out source destination
    164 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
    225 18816 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT tcp -- eth1 * 192.168.0.3 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- eth1 * 192.168.0.12 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- eth1 * 192.168.0.31 0.0.0.0/0 tcp dpt:22
    0 0 ACCEPT tcp -- eth1 * 192.168.0.28 0.0.0.0/0 tcp dpt:22
    0 0 REJECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 reject-with icmp-port-unreachable
    162 18088 ACCEPT all -- eth1 * 192.168.0.0/24 0.0.0.0/0
    10 1219 ACCEPT all -- lo * 127.0.0.1 0.0.0.0/0
    4 156 ACCEPT all -- lo * 192.168.0.1 0.0.0.0/0
    8 528 ACCEPT all -- lo * 193.51.128.146 0.0.0.0/0
    0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
    140 10422 ACCEPT all -- * * 0.0.0.0/0 193.51.128.146 state RELATED,ESTABLISHED
    20 1280 tcp_packets tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
    0 0 udp_packets udp -- eth0 * 0.0.0.0/0 0.0.0.0/0
    10 640 icmp_packets icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- eth0 * 0.0.0.0/0 224.0.0.0/8
    3 192 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
    2 152 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
    2 152 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    169 22018 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
    10 1219 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
    166 16632 ACCEPT all -- * * 192.168.0.1 0.0.0.0/0
    120 16559 ACCEPT all -- * * 193.51.128.146 0.0.0.0/0
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '

    Chain allowed (20 references)
    pkts bytes target prot opt in out source destination
    3 192 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0

    Chain bad_tcp_packets (3 references)
    pkts bytes target prot opt in out source destination
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    140 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'
    140 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW

    Chain icmp_packets (1 references)
    pkts bytes target prot opt in out source destination
    10 640 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11

    Chain tcp_packets (1 references)
    pkts bytes target prot opt in out
Re: iptables and nmap
Hi Joan,

On Thursday 07 June 2007 14:51:51 Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18

This is very old. For security and better features, you'd be best to upgrade to a more recent version of Debian, with a more recent kernel.

> - iptables with many rules

Without understanding those rules, you're unlikely to get it working. IPTables is pretty simple when you take time to understand it -- it's literally just a list of tests, and things to do if that test has a positive result. Well, lists (tables) can have other lists/tables, but that's not really any more complex.

> Problems:
> - I have installed a tomcat 5.5 server. The server is unreachable
>   (connection failed from localhost or another host on my local network).

This suggests that the server isn't yet up and running. Sometimes, installing things on debian means they will just work. Other times, you have to configure the thing and enable it. I've never really bothered with tomcat, but given that it's java-based, and fairly heavyweight, I'd expect you have to do some configuration before it'll run. Try reading /usr/share/doc/tomcat*/README.Debian.

Also, make sure that the server is actually running on port 8080, and that it's listening on the correct IPs/interfaces.

> Tries:
> - I have to open port 8080. I have this rule in /etc/init.d.firewal-start :
>   iptables -A tcp_packets -p TCP -i eth0 -s 0/0 --dport 80 -j allowed

Appending rules to many iptables rules isn't likely to work, if your rules end with something that denies all unknown traffic. You really should try to understand your firewall before adding anything to it. Having said that, I've been guilty of not taking enough time for things like that, too :)

>   iptables -A tcp_packets -p TCP -i eth1 -s 0/0 --dport 8080 -j allowed

As someone else mentioned, this should probably be -j ACCEPT

> Results:
> - The server is still unreachable.

Are you actually seeing an error that says unreachable? That suggests a routing problem, or a prohibitive firewall rule before the one you added.

> - When I do nmap localhost, I have port 80 open but not 8080.
> - When I comment out the line for port 80 in firewall-start and I
>   restart firewall, I do nmap localhost, port 80 is still open.

Your firewall script is broken. Again, as others suggested, I'd say start from scratch -- either with IPTables (if you have the time to understand it) or with a simpler/higher-level interface, like firehol, or shorewall.

Remember not to test firewall rules for external interfaces through localhost -- use, at least, the ip of the interface in question. Ideally, test from the machine you actually need access to be provided for.

Good luck :)

--
Lee Braiden
http://peacejournals.org

Those who check rising anger as a charioteer checks a rolling chariot... those, I call true charioteers. Others only hold the reins.
-- Dhammapada, verse 222
Re: X security (was Re: nmap -sT and open ports from a friends)
On Fri, Feb 03, 2006 at 06:33:30PM -0500, Daniel Sterling wrote:
> Adding a firewall will only help things, and it certainly can't hurt.

This is generally true, but an improperly configured firewall can be worse than no firewall. If it creates new vulnerabilities, or if it is obtrusive and causes users to adopt insecure practices to circumvent it, it can hurt.

At least that's my understanding after reading Secrets and Lies and Beyond Fear by Bruce Schneier.

--
Steven Wheelwright [EMAIL PROTECTED]
It's never not now.
OpenPGP Fingerprint: 809E 9E32 907D 7619 2BED 8764 108D F31C 8927 1E3F
nmap -sT and open ports from a friends
Hi,

this is the nmap -sT scan from a friend:

    nmap -sT internet_address
    Port State Service
    25/tcp filtered smtp
    46/tcp open mpm-snd
    80/tcp filtered http
    119/tcp open nntp
    445/tcp filtered microsoft-ds
    1080/tcp filtered socks
    6000/tcp open X11
    6346/tcp open gnutella

He has no firewall (like me) as he's saying a firewall is nothing good and not useful but there's an open X11 server available in the internet.

Isn't this vulnerable without a firewall ?

--
Best Regards,
Mark
Re: nmap -sT and open ports from a friends
> He has no firewall (like me) as he's saying a firewall is nothing good
> and not useful but there's an open X11 server available in the internet.

A firewall is one of the best things you can have and should always run.

> Isn't this vulnerable without a firewall ?

Yes. Both of you should set up iptables with a minimal set that either denies certain ports, or better yet, blocks-all and only allows-specified.

[EMAIL PROTECTED] wrote:
> Hi,
>
> this is the nmap -sT scan from a friend:
>
> nmap -sT internet_address
> Port State Service
> 25/tcp filtered smtp
> 46/tcp open mpm-snd
> 80/tcp filtered http
> 119/tcp open nntp
> 445/tcp filtered microsoft-ds
> 1080/tcp filtered socks
> 6000/tcp open X11
> 6346/tcp open gnutella
>
> He has no firewall (like me) as he's saying a firewall is nothing good
> and not useful but there's an open X11 server available in the internet.
>
> Isn't this vulnerable without a firewall ?

--
==
Nate Sanders [EMAIL PROTECTED]
Associate Systems Manager (612) 624 - 4353
http://www.ima.umn.edu/
==
Institute for Mathematics and its Applications
University of Minnesota
400 Lind Hall, 207 Church St. SE
Minneapolis, MN 55455-0463
==
Re: nmap -sT and open ports from a friends
On Fri, Feb 03, 2006 at 11:02:33PM +0100, [EMAIL PROTECTED] wrote:
> Hi,
>
> this is the nmap -sT scan from a friend:

I guess you both are not in the same ISP

> nmap -sT internet_address
> Port State Service
> 25/tcp filtered smtp
> 46/tcp open mpm-snd
> 80/tcp filtered http
> 119/tcp open nntp
> 445/tcp filtered microsoft-ds
> 1080/tcp filtered socks
> 6000/tcp open X11
> 6346/tcp open gnutella

The 'filtered' ones are probably filtered by your ISP. I can understand (but don't share) why they block port 25 or port 445 but I wonder why an ISP would filter out port 80, aren't people allowed to have a web server at home?

> He has no firewall (like me) as he's saying a firewall is nothing good
> and not usefull but there's an open X11 server available in the internet.

Well, he really should consider configuring his X11 server with '-nolisten tcp' (which is the default in Debian, BTW). And he probably wants to check what application he has running in port 46 and 119. He can use 'lsof' for that (or 'netstat -punta')

> Isn't this vulnerable without a firewall ?

IMHO, he is vulnerable only, and only if he either has:

- vulnerable configurations (i.e. he runs 'xhost +' and allows anyone to access his desktop remotely)
- has vulnerable applications (i.e. with software bugs that might lead to remote code execution).

Even if he fixes the first possibility, he might be unsure about the second one. Given the fact that the Gnutella source code has not been audited for security bugs (at least not that I know) he might be vulnerable there. But then again, even if he added in a firewall, since he wants to open up the Gnutella port for the Internet to do P2P he would remain just as vulnerable.

I would suggest your friend to minimize his exposure by properly configuring (and/or stopping) those Internet servers he doesn't have a need for. He can add in a firewall, but if you end up having:

    nmap -sT internet_address
    Port State Service
    25/tcp filtered smtp
    80/tcp filtered http
    445/tcp filtered microsoft-ds
    1080/tcp filtered socks
    6346/tcp open gnutella

And he opens up the 6346 port it doesn't make him less of a target with a firewall.

What a firewall *does* buy you is defense in depth. If somebody gets access to his computer and opens up a server port, the firewall will prevent access to it. Likewise, it also protects you against your own mistakes, if he is just testing software and installs a vulnerable server which automatically starts and he forgets about it.

If your friend wants to get even more paranoid, he could configure his local firewall to close off *outgoing* access (host-based firewalls are typically configured just for *incoming* but that doesn't mean it's the only thing they can do), so that he could try to block applications that try to contact the Internet if he has not authorised them previously.

That said, this is hardly Debian-specific, really.

Javier
Re: nmap ...
On Mon, Nov 05, 2001 at 10:24:34PM +0100, Philipp Schulte wrote:
> That's not true. nmap shows open ports which means that something is listening on them. If I connect from localhost:1024 to www.debian.org:80 that does not mean that my port 1024 is open. It doesn't accept connections. I actually think that the explanation from Moritz was correct. I have not seen this kind of behaviour with recent versions of nmap.

Yes, that's true. I would say it was a problem with previous versions of libc / kernel / don't know what rather than nmap. I wrote a simple program which endlessly tries to connect to port 6 (of course nothing is listening on that port). Here it follows:

---
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <string.h>

int main()
{
    int sock;
    struct sockaddr_in server_addr;
    struct hostent* host;
    int retval;
    int ile = 0;    /* number of connection attempts so far */

    do {
        sock = socket (AF_INET, SOCK_STREAM, 0);
        host = gethostbyname ("localhost");
        if (sock < 0 || host == NULL)
            return 1;   /* no socket or no address to try */
        memset (&server_addr, 0, sizeof(struct sockaddr_in));
        server_addr.sin_family = AF_INET;
        server_addr.sin_port = htons (6);
        memcpy (&server_addr.sin_addr, host->h_addr_list[0], sizeof(server_addr.sin_addr));
        ile++;
        /* nothing listens on the port, so -1 is the expected result */
        retval = connect (sock, (struct sockaddr*)&server_addr, sizeof (struct sockaddr_in));
        printf ("[%d] trying to connect - %d\n",ile,retval);
        close (sock);
        /* sleep (1); */
    } while (retval == -1);     /* stop at the first connect() that succeeds */
    printf ("[%d] trying to connect - %d\n",ile,retval);
    return 0;
}
---

Nothing special, is it? When run in my last potato installation (2.2.x kernel) it ends with:

...
[6123] trying to connect - -1
[6124] trying to connect - -1
[6125] trying to connect - 0

The numbers are rather random, but near couple of thousands. If I put 'sleep(1);' (or some delay, let's say bigger than 1/100sec) at the end of each loop, it will run perfectly normal. It also works normal on kernels 2.4.x with libc 6.1, for example on my current debian distribution.

I would suspect that what it really does is connecting to _itself_. Imagine that in the 6125-th run of the loop kernel assigns 6 as the source port to 'connect' call - why not ? Or it assigns it a little bit earlier, and this port stays bound, because kernel has no time to free it ? Or maybe I am missing something, then show me please errors in the program above :)

best regards,
--
Marcin Bieńkowski
Re: nmap ...
Christopher W. Curtis wrote:
> Ports that are >1024 are assigned dynamically. For instance, suppose you connect to a remote website. You are connecting to port 80 on the remote machine, but you are also opening a high port on the local machine. So you connect from port 55234 to 80, or 1025 to 80. Open ports above 1024 will appear and disappear regularly as the system is used.

That's not true. nmap shows open ports which means that something is listening on them. If I connect from localhost:1024 to www.debian.org:80 that does not mean that my port 1024 is open. It doesn't accept connections. I actually think that the explanation from Moritz was correct. I have not seen this kind of behaviour with recent versions of nmap.

Phil
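Added example, not part of the thread: a loopback-only C program that checks the two claims made in the messages above. `probe_client_port` shows Phil's point (the source port of an outgoing connection does not accept connections), and `self_connect` forces the case Marcin suspects, source port equal to destination port on the same address, where connect() succeeds with nothing listening through TCP simultaneous open. The function names are this example's own, Linux behaviour is assumed, and bind() is used to force the port match instead of waiting for the kernel to pick it.

```c
/* Added illustration, not code from the thread. Loopback only; Linux assumed. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* sockaddr_in for 127.0.0.1:port (host byte order; 0 lets the kernel pick). */
static struct sockaddr_in loopback(unsigned short port)
{
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return a;
}

/* Local port of a bound or connected socket, 0 on error. */
static unsigned short local_port(int fd)
{
    struct sockaddr_in a;
    socklen_t len = sizeof a;
    return getsockname(fd, (struct sockaddr *)&a, &len) == 0 ? ntohs(a.sin_port) : 0;
}

/* 1 if the socket's peer is the socket itself (same address and port). */
int is_self_connected(int fd)
{
    struct sockaddr_in l, p;
    socklen_t ll = sizeof l, pl = sizeof p;
    if (getsockname(fd, (struct sockaddr *)&l, &ll) != 0 ||
        getpeername(fd, (struct sockaddr *)&p, &pl) != 0)
        return 0;
    return l.sin_port == p.sin_port && l.sin_addr.s_addr == p.sin_addr.s_addr;
}

/* Case 1: connect to the ephemeral source port of an outgoing connection.
 * Returns 0 if the probe connected, the connect() errno if it was rejected,
 * -1 if the setup failed. */
int probe_client_port(void)
{
    int result = -1;
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    int cli = socket(AF_INET, SOCK_STREAM, 0);
    int probe = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a = loopback(0);

    if (srv < 0 || cli < 0 || probe < 0) goto out;
    if (bind(srv, (struct sockaddr *)&a, sizeof a) != 0 || listen(srv, 1) != 0) goto out;
    a = loopback(local_port(srv));
    if (connect(cli, (struct sockaddr *)&a, sizeof a) != 0) goto out;
    a = loopback(0);                 /* give the probe its own, different port */
    if (bind(probe, (struct sockaddr *)&a, sizeof a) != 0) goto out;
    a = loopback(local_port(cli));   /* cli's source port: in use, not listening */
    result = connect(probe, (struct sockaddr *)&a, sizeof a) == 0 ? 0 : errno;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    if (probe >= 0) close(probe);
    return result;
}

/* Case 2: source port equals destination port on the same address.
 * Returns 1 if connect() succeeded with no listener and the socket is its
 * own peer, 0 if it did not, -1 if the setup failed. */
int self_connect(void)
{
    int result = -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a = loopback(0);

    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&a, sizeof a) == 0) {
        a = loopback(local_port(fd));    /* aim at our own source port */
        result = connect(fd, (struct sockaddr *)&a, sizeof a) == 0 ? is_self_connected(fd) : 0;
    }
    close(fd);
    return result;
}

int main(void)
{
    int e = probe_client_port();
    printf("probe of a client's source port: %s\n",
           e == 0 ? "connected" : e > 0 ? strerror(e) : "setup failed");
    printf("connect to own source port: self-connected = %d\n", self_connect());
    return 0;
}
```

A client that retries connections to a local port inside the ephemeral range can call `is_self_connected()` after a successful connect() and close the socket when it returns 1.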
Re: nmap ...
[EMAIL PROTECTED] wrote:
> 2020    open    tcp    xinupageserver
>
> 2020 ???
>
> the port is not the same every time

Ports that are >1024 are assigned dynamically. For instance, suppose you connect to a remote website. You are connecting to port 80 on the remote machine, but you are also opening a high port on the local machine. So you connect from port 55234 to 80, or 1025 to 80. Open ports above 1024 will appear and disappear regularly as the system is used.

Chris
Re: nmap ...
[EMAIL PROTECTED] writes:
> hi, when I make nmap I read my open ports more one suspect (every time is one new port). So I make nmap another time and I read my really open ports without the last.

I saw this, too. That nmap version (at least the one from Potato) seems to be buggy. To verify that I tried a newer nmap version than the one from Potato and it didn't show this broken behaviour.

moritz
--
Moritz Schulte [EMAIL PROTECTED] http://www.chaosdorf.de/moritz/
In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people. - Linus Torvalds.
GPG fingerprint = 3A14 3923 15BE FD57 FC06 B501 0841 2D7B 6F98 4199
Re: nmap ...
well, first you gotta chill..: do you have a lan there? is your debian a gateway/router for the lan? maybe you use a masquerade for some of those computers.. there can be an application in windows that connects through that port to the internet. so like if that port is always changing perhaps there is traffic on your network, and the windows applications connect to the internet on those ports. note them and mail them here :

Dani, hackers unsupport.

sli> hi, when I make nmap I read my open ports more one suspect (every time is
sli> one new port). So I make nmap another time and I read my really open ports
sli> without the last.
sli> ?
sli> what is it ?
sli> example:
sli> [EMAIL PROTECTED]:~$ nmap debian
sli> Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
sli> Interesting ports on debian (127.0.0.1):
sli> Port    State       Protocol  Service
sli> 23      open        tcp       telnet
sli> 25      open        tcp       smtp
sli> 111     open        tcp       sunrpc
sli> 2020    open        tcp       xinupageserver
sli> 6000    open        tcp       X11
sli> Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
sli> 2020 ???
sli> now I make nmap another time:
sli> [EMAIL PROTECTED]:~$ nmap debian
sli> Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
sli> Interesting ports on debian (127.0.0.1):
sli> Port    State       Protocol  Service
sli> 23      open        tcp       telnet
sli> 25      open        tcp       smtp
sli> 111     open        tcp       sunrpc
sli> 6000    open        tcp       X11
sli> Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
sli> the port is not the same every time
sli> _
sli> Sebastian Ezequiel Ovide
nmap 2.12
Hello,

I have recently installed a basic potato on a PII. While playing a little bit around I find that the provided nmap was only a 2.12 version. It is a rather old version of nmap (I have a 2.53 installed on a SuSE 6.3). Is there any known reason for this choice ?

Grégoire Welraeds
gregoire (at) welraeds (dot) be
Re: nmap 2.12
Gregoire Welraeds [EMAIL PROTECTED] writes:
> I have recently installed a basic potato on a PII. While playing a little bit around I find that the provided nmap was only a 2.12 version. It is a rather old version of nmap (I have a 2.53 installed on a SuSE 6.3). Is there any known reason for this choice ?

The reason is called 'stable' ;-)

Debian does not put new versions into stable. It just allows security fixes to be made to it. Okay, occasionally a new upgrade (e.g. 2.2r1 to 2.2r2) may fix some serious breakage as well, but that's about it.

If you want more recent versions of various packages, point yourself at 'testing' or 'unstable'. My nmap is 2.54.22.BETA-2 (from testing) which beats your 2.53. The preference functionality in apt should let you pull down only selected packages from testing and/or unstable. I don't know if potato's apt already supports this though.

Hope this helps,
--
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
Free Software: `No walls, no windows! No fences, no gates!'
Re: nmap 2.12
Tim Haynes [EMAIL PROTECTED] writes:
> Olaf Meeuwissen [EMAIL PROTECTED] writes:
>
> [snip]
> > The reason is called 'stable' ;-) Debian does not put new versions into stable. It just allows security fixes to be made to it. Okay, occasionally a new upgrade (e.g. 2.2r1 to 2.2r2) may fix some serious breakage as well, but that's about it.
>
> Indeed.
>
> > If you want more recent versions of various packages, point yourself at 'testing' or 'unstable'. My nmap is 2.54.22.BETA-2 (from testing) which beats your 2.53. The preference functionality in apt should let you pull down only selected packages from testing and/or unstable. I don't know if potato's apt already supports this though.
>
> FWIW, one way that I used until I recently converted this whole box up to Testing was to have sources that came from unstable/testing/secure/stable in that order, while binary packages only came from secure/stable in that order. Hence, if I wanted a newer version I didn't have to dist-upgrade the whole box, but could (normally) build on stable.

On a really secure box I wouldn't want to have the build environment needed to do this. Perhaps on another reasonably secure box where I am the one and only normal user, but that's another story.

--
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
Free Software: `No walls, no windows! No fences, no gates!'
Re: nmap 2.12
Olaf == Olaf Meeuwissen [EMAIL PROTECTED] writes:

Olaf> On a really secure box I wouldn't want to have the build
Olaf> environment needed to do this. Perhaps on another reasonably
Olaf> secure box where I am the one and only normal user, but that's
Olaf> another story.

Well, you can build on one box, and install the packages on the other. AFAIK, to install the new packages, you wouldn't need anything that you don't already have.

--
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
Re: nmap 2.12
Hubert Chan [EMAIL PROTECTED] writes:
> Olaf == Olaf Meeuwissen [EMAIL PROTECTED] writes:
>
> Olaf> On a really secure box I wouldn't want to have the build
> Olaf> environment needed to do this. Perhaps on another reasonably
> Olaf> secure box where I am the one and only normal user, but that's
> Olaf> another story.
>
> Well, you can build on one box, and install the packages on the other. AFAIK, to install the new packages, you wouldn't need anything that you don't already have.

I know, but from the original poster's mail I got the impression he was doing this on a single machine. Just wanted to point out that that might not be the ultimate in security :-)

--
Olaf Meeuwissen
Epson Kowa Corporation, Research and Development
Free Software: `No walls, no windows! No fences, no gates!'
Re: nmap 2.12
On Sun, Jun 17, 2001 at 09:52:50PM +0200, Gregoire Welraeds wrote:
> Hello,
> I have recently installed a basic potato on a PII. While playing a little bit around I find that the provided nmap was only a 2.12 version. It is a rather old version of nmap (I have a 2.53 installed on a SuSE 6.3). Is there any known reason for this choice ?

It's probably what was available when Potato was frozen. The distribution is getting a little long in the tooth, I think that it was almost 2 years ago.

-B

--
Brandon High [EMAIL PROTECTED]
I always have fun because I'm out of my mind!!!
Re: nmap 2.12
Olaf Meeuwissen [EMAIL PROTECTED] writes:

[snip]
> The reason is called 'stable' ;-) Debian does not put new versions into stable. It just allows security fixes to be made to it. Okay, occasionally a new upgrade (e.g. 2.2r1 to 2.2r2) may fix some serious breakage as well, but that's about it.

Indeed.

> If you want more recent versions of various packages, point yourself at 'testing' or 'unstable'. My nmap is 2.54.22.BETA-2 (from testing) which beats your 2.53. The preference functionality in apt should let you pull down only selected packages from testing and/or unstable. I don't know if potato's apt already supports this though.

FWIW, one way that I used until I recently converted this whole box up to Testing was to have sources that came from unstable/testing/secure/stable in that order, while binary packages only came from secure/stable in that order. Hence, if I wanted a newer version I didn't have to dist-upgrade the whole box, but could (normally) build on stable.

HTH,
~Tim
--
01:01:40 up 7 days, 5:05, 13 users, load average: 0.00, 0.03, 0.00
[EMAIL PROTECTED] |There's a lighthouse, Shining in the black,
http://piglet.is.dreaming.org |A lighthouse, Standing in the dark
Re: fakebo vs nmap -sS (fwd)
Previously Jacob Kuntz wrote:
> although this isn't really the right forum for this, sergio has a point. what he's saying is that either fakebo or nmap aren't working as advertised.

fakebo is advertised to `fake' bo servers, and that is exactly what it does. It does not log portscans on its port because that's simply not what it is intended for; if you want to log those you should use a tool like ippl.

Wichert.

--
/ Generally uninteresting signature - ignore at your convenience \
| [EMAIL PROTECTED] http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Re: fakebo vs nmap -sS (fwd)
Wichert Akkerman wrote:
> It does not log portscans

It does log portscans. Give it a try, and you'll see it.

It is also true that fakebo does more than simply logging the port scans, that is the reason why I like it.

Sergio
Re: fakebo vs nmap -sS (fwd)
On Wed, Apr 05, 2000 at 10:38:36AM +, Sergio Brandano wrote:
> Wichert Akkerman wrote:
> > It does not log portscans
>
> It does log portscans. Give it a try, and you'll see it.
>
> It is also true that fakebo does more than simply logging the port scans, that is the reason why I like it.

I have just installed it (having used it a while ago at home, with some amusement) and see no reference to it logging port scans in either its config file or /usr/doc/fakebo/*.

It logs port connection attempts to two ports. This does not constitute logging stealth-scan attempts from nmap - there are other toys available for that purpose.

~Tim
--
| The sun is melting over the hills, | http://piglet.is.dreaming.org/
| All our roads are waiting / To be revealed | [EMAIL PROTECTED]
Re: fakebo vs nmap -sS (fwd)
Sergio,

Yes, but how many lame script kiddies do you know of that know how to do that? :)

Seriously, though -- fakebo is more for intercepting people actually trying to exploit you, rather than just scan you. If you want that, go get scanlogd or something.

Regards,
Alex.

---
PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9

On Tue, 4 Apr 2000, Sergio Brandano wrote:
> --- Forwarded Message
>
> Date: Tue, 04 Apr 2000 11:22:11 +
> From: Sergio Brandano [EMAIL PROTECTED]
> Organization: Queen Mary and Westfield College
> To: [EMAIL PROTECTED]
> Subject: fakebo vs nmap -sS
>
> Hi,
>
> I noted that fakebo does not report scans promoted using nmap -sS.
>
> Cheers,
> Sergio
>
> --- End of Forwarded Message
Re: fakebo vs nmap -sS (fwd)
although this isn't really the right forum for this, sergio has a point. what he's saying is that either fakebo or nmap aren't working as advertised.

sergio, get in touch with the fakebo or nmap authors. it's not really debian's fault.

Alexander Hvostov ([EMAIL PROTECTED]) wrote:
> Sergio,
>
> Yes, but how many lame script kiddies do you know of that know how to do that? :)
>
> Seriously, though -- fakebo is more for intercepting people actually trying to exploit you, rather than just scan you. If you want that, go get scanlogd or something.
>
> Regards,
> Alex.
>
> ---
> PGP/GPG Fingerprint: EFD1 AC6C 7ED5 E453 C367 AC7A B474 16E0 758D 7ED9
>
> On Tue, 4 Apr 2000, Sergio Brandano wrote:
> > --- Forwarded Message
> >
> > Date: Tue, 04 Apr 2000 11:22:11 +
> > From: Sergio Brandano [EMAIL PROTECTED]
> > Organization: Queen Mary and Westfield College
> > To: [EMAIL PROTECTED]
> > Subject: fakebo vs nmap -sS
> >
> > Hi,
> >
> > I noted that fakebo does not report scans promoted using nmap -sS.
> >
> > Cheers,
> > Sergio
> >
> > --- End of Forwarded Message

--
(jacob kuntz)[EMAIL PROTECTED],underworld}.net
[EMAIL PROTECTED] (megabite systems)
think free speech, not free beer. (gnu foundation)
Re: fakebo vs nmap -sS (fwd)
Previously Sergio Brandano wrote:
> I noted that fakebo does not report scans promoted using nmap -sS.

Why should it?

Wichert.

--
/ Generally uninteresting signature - ignore at your convenience \
| [EMAIL PROTECTED] http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
fakebo vs nmap -sS (fwd)
--- Forwarded Message

Date: Tue, 04 Apr 2000 11:22:11 +
From: Sergio Brandano [EMAIL PROTECTED]
Organization: Queen Mary and Westfield College
To: [EMAIL PROTECTED]
Subject: fakebo vs nmap -sS

Hi,

I noted that fakebo does not report scans promoted using nmap -sS.

Cheers,
Sergio

--- End of Forwarded Message