Re: xinetd /etc/host.deny ALL:PARANOID
At 06:01 AM 1/11/02 +0100, martin f krafft wrote:
>okay, why libwrap then?

Once the network is compromised, it makes no difference what's on the box. If done properly, the compromised network is indistinguishable from the uncompromised network. That box is totally on its own. :)

>/29, although i've seen /30's. problem is that with that much of a
>subnet, you are wasting a lot of IPs. the efficiency in terms of IP
>usage for /30 is 50%!!!

Come on... there are only 4 ip numbers in a /30!!! The only conceivable use for a /30 is as a point-to-point. /29 maybe for cable modem LANs...

--
REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=--

0100
Re: xinetd /etc/host.deny ALL:PARANOID
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0541 +0100]:
> This is sort of the function of canonical names. "Other" names for the IP
> besides the absolute name (or Loopback name in our parlance). But CNAME's
> are deprecated for other reasons. I personally never had any problems using
> them.

me neither. deprecated? i know that most mailers will complain if the MX is a CNAME, so i always have mail.madduck.net have its own A record, even though the actual hostname also maps to that A record...

> >All the people who say "but I don't control the reverse for my IP(s)"
> >don't understand the issue ... it's up to the registered contact for
> >the block to make sure reverse resolution works. Of course that means
> >resolving to A records that the contact also controls. This is all
> >spelled out in the RFCs and best practice documents.
>
> It has been possible for some time now to allocate really really small IP
> blocks. I had a /27 allocated to me in ARIN once. I controlled my own
> reverse lookups that way. I don't know how small they will go though.

/29, although i've seen /30's. problem is that with that much of a subnet, you are wasting a lot of IPs. the efficiency in terms of IP usage for /30 is 50%!!!

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"a rock pile ceases to be a rock pile the moment a single man contemplates it, bearing within him the image of a cathedral." -- antoine de saint-exupery
Re: xinetd /etc/host.deny ALL:PARANOID
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0556 +0100]:
> >a bogus IP won't even make it past OSI layer 4 on debian...
> >rp_filter...
>
> There are ways of doing it such that the box has NO WAY of knowing
> that the traffic is spoofed. Granted, that is hard to do. Even
> paranoid lookups can be overcome. But it's just one more layer of
> defense and one more thing an attacker has to contend with.

okay, why libwrap then?

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

f u cn rd ths, u cn gt a nce jb in th prgrmng indstry
Re: xinetd /etc/host.deny ALL:PARANOID
At 04:22 AM 1/11/02 +0100, martin f krafft wrote:
>a bogus IP won't even make it past OSI layer 4 on debian... rp_filter...

There are ways of doing it such that the box has NO WAY of knowing that the traffic is spoofed. Granted, that is hard to do. Even paranoid lookups can be overcome. But it's just one more layer of defense and one more thing an attacker has to contend with.

>interesting signature. serious or not?

But of course.

--
REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=--

0100
Re: xinetd /etc/host.deny ALL:PARANOID
At 10:01 PM 1/10/02 -0600, Nathan E Norman wrote:
>Congratulations ... you just set up your DNS incorrectly. Every PTR
>entry should resolve to a _unique_ name, and that name should resolve
>to a _unique_ IP. That doesn't mean you can't have additional A
>records doing load balancing.

To give a POTS analogy, say you have 10 lines coming into your modem bank in a hunt group. That's when you have one number that scrolls over onto all 10 of the lines based on which ones are busy. However, all 10 of those lines have to have individual unique phone numbers even though they are reached through the common hunt group number. They all have unique phone number/circuit id pairs.

>zone IN 3.2.1.in-addr.ARPA:
>
>  4 IN PTR host4.netblk1-2-3.madduck.net.
>  4 IN PTR host5.netblk1-2-3.madduck.net.

I assume you meant to write "5" there. ;)

>zone IN netblk1-2-3.madduck.net:
>
>  host4.netblk1-2-3.madduck.net. IN A 1.2.3.4
>  host5.netblk1-2-3.madduck.net. IN A 1.2.3.5
>
>zone IN madduck.net:
>
>  mail.madduck.net. IN A 1.2.3.4
>                    IN A 1.2.3.5
>
>Not all A records need PTR records. It never fails to amaze me how
>many people don't understand this.

This is sort of the function of canonical names. "Other" names for the IP besides the absolute name (or Loopback name in our parlance). But CNAME's are deprecated for other reasons. I personally never had any problems using them.

>All the people who say "but I don't control the reverse for my IP(s)"
>don't understand the issue ... it's up to the registered contact for
>the block to make sure reverse resolution works. Of course that means
>resolving to A records that the contact also controls. This is all
>spelled out in the RFCs and best practice documents.

It has been possible for some time now to allocate really really small IP blocks. I had a /27 allocated to me in ARIN once. I controlled my own reverse lookups that way. I don't know how small they will go though.

--
REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=--

0100
Re: xinetd /etc/host.deny ALL:PARANOID
also sprach Nathan E Norman <[EMAIL PROTECTED]> [2002.01.11.0501 +0100]:
> Congratulations ... you just set up your DNS incorrectly. Every PTR
> entry should resolve to a _unique_ name, and that name should resolve
> to a _unique_ IP. That doesn't mean you can't have additional A
> records doing load balancing.

good point. i never used DNS RR, so sorry. there are better ways. i should have thought more.

> zone IN 3.2.1.in-addr.ARPA:
>
>   4 IN PTR host4.netblk1-2-3.madduck.net.
>   4 IN PTR host5.netblk1-2-3.madduck.net.
    ^ 5

just for clarification.

> Not all A records need PTR records. It never fails to amaze me how
> many people don't understand this.

exactly my point. which is why i disabled PARANOID and still don't get hacked.

> Having said that, I know there are plenty of retarded netblock owners
> out there.

i do have to speak for one actually, because i am amazed. speakeasy.net

we had three IPs, we wanted another -> 4 hours
this is a private DSL subscription, but we wanted custom reverse IP -> 3 hours

seriously: wow!

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

in africa some of the native tribes have a custom of beating the ground with clubs and uttering spine chilling cries. anthropologists call this a form of primitive self-expression. in america they call it golf.
Re: xinetd /etc/host.deny ALL:PARANOID
On Fri, Jan 11, 2002 at 01:29:08AM +0100, martin f krafft wrote:
> i think you need to know exactly what this checks to get a clue...
>
> first, the IP is taken and reverse-resolved to a domain name. then the
> domain name is resolved to an IP. if that IP doesn't match, it'll DENY.
>
> now if 1.2.3.4 were to point to mail.madduck.net, but mail.madduck.net
> points to 1.2.3.5, then that's obviously a problem, or indication of an
> error status, or a hint at a hack/spoof attack... until you realize what
> BIND and others do with simply RR load-balancing:
>
> zone IN 3.2.1.in-addr.ARPA:
>
>   4 IN PTR mail.madduck.net
>   5 IN PTR mail.madduck.net
>
> zone IN madduck.net
>
>   mail.madduck.net IN A 1.2.3.4
>                    IN A 1.2.3.5
>
> now repeated queries for the A record of mail.madduck.net will return
> both IPs alternatingly. now think about why this would cause a problem.

Congratulations ... you just set up your DNS incorrectly. Every PTR entry should resolve to a _unique_ name, and that name should resolve to a _unique_ IP. That doesn't mean you can't have additional A records doing load balancing.

zone IN 3.2.1.in-addr.ARPA:

  4 IN PTR host4.netblk1-2-3.madduck.net.
  4 IN PTR host5.netblk1-2-3.madduck.net.

zone IN netblk1-2-3.madduck.net:

  host4.netblk1-2-3.madduck.net. IN A 1.2.3.4
  host5.netblk1-2-3.madduck.net. IN A 1.2.3.5

zone IN madduck.net:

  mail.madduck.net. IN A 1.2.3.4
                    IN A 1.2.3.5

Not all A records need PTR records. It never fails to amaze me how many people don't understand this.

All the people who say "but I don't control the reverse for my IP(s)" don't understand the issue ... it's up to the registered contact for the block to make sure reverse resolution works. Of course that means resolving to A records that the contact also controls. This is all spelled out in the RFCs and best practice documents.

Having said that, I know there are plenty of retarded netblock owners out there.

--
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |   -- Patton
Re: xinetd /etc/host.deny ALL:PARANOID
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0205 +0100]:
> Well, the rationale behind this is as you touched on, preventing
> spoofed address attacks. A paranoid lookup essentially verifies that
> the connecting system is a known legit host. In effect you're using
> your DNS system as another level of authentication. Say somebody
> wants to covertly log on or attack your system, so they give
> themselves a bogus ip. A paranoid lookup will stop that because
> there's no DNS entry. (I won't get into the mechanisms of these spoof
> type attacks)

a bogus IP won't even make it past OSI layer 4 on debian... rp_filter...

> REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=--
>
> 0100

interesting signature. serious or not?

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"in any hierarchy, each individual rises to his own level of incompetence, and then remains there." -- murphy
Re: xinetd /etc/host.deny ALL:PARANOID
Well, the rationale behind this is as you touched on, preventing spoofed address attacks. A paranoid lookup essentially verifies that the connecting system is a known legit host. In effect you're using your DNS system as another level of authentication. Say somebody wants to covertly log on or attack your system, so they give themselves a bogus ip. A paranoid lookup will stop that because there's no DNS entry. (I won't get into the mechanisms of these spoof type attacks)

Now for connections originating from the internet this is little help since there are so many ways to spoof traffic/hack/attack/etc. What it can make a difference in is from traffic originating within your own network. Because that is a known entity and paranoid lookups should ALWAYS succeed.

I don't know all the details of how it passes or fails you given RR DNS but it does something...

At 01:29 AM 1/11/02 +0100, martin f krafft wrote:
>yes, but *what* exactly does ALL:PARANOID prevent? establishing the
>authenticity of the domain name is surely a good point, but that's for
>finger/who/w and co. only because i don't even want to deal with/know
>about a system administrator that parses logs based on domain names
>rather than IPs...

--
REMEMBER THE WORLD TRADE CENTER ---=< WTC 911 >=--

0100
Re: xinetd /etc/host.deny ALL:PARANOID
also sprach Marcin Owsiany <[EMAIL PROTECTED]> [2002.01.11.0058 +0100]:
> > it's not really a security measure anymore, i find. feel free to
> > disagree...
>
> Disabling PARANOID mode only means that you shouldn't trust the logged
> hostnames, because they may be faked, no?

kinda. it also tries to act against... well, what actually? i think you need to know exactly what this checks to get a clue...

first, the IP is taken and reverse-resolved to a domain name. then the domain name is resolved to an IP. if that IP doesn't match, it'll DENY.

now if 1.2.3.4 were to point to mail.madduck.net, but mail.madduck.net points to 1.2.3.5, then that's obviously a problem, or indication of an error status, or a hint at a hack/spoof attack... until you realize what BIND and others do with simply RR load-balancing:

zone IN 3.2.1.in-addr.ARPA:

  4 IN PTR mail.madduck.net
  5 IN PTR mail.madduck.net

zone IN madduck.net

  mail.madduck.net IN A 1.2.3.4
                   IN A 1.2.3.5

now repeated queries for the A record of mail.madduck.net will return both IPs alternatingly. now think about why this would cause a problem.

and i think this is too trivial a problem for me to be the first to find it, so i guess tcp_wrappers/libwrap accounts for this. but i am not sure, and don't really feel like trying it.

yes, but *what* exactly does ALL:PARANOID prevent? establishing the authenticity of the domain name is surely a good point, but that's for finger/who/w and co. only because i don't even want to deal with/know about a system administrator that parses logs based on domain names rather than IPs...

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"driving with a destination is like having sex to have children" -- backwater wayne miller
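A worked model of the reverse-then-forward check discussed in this thread, added here as an illustration and not code from tcp_wrappers/libwrap or from any poster. It runs the check against the two constructed zone layouts the thread shows (martin's round-robin setup above and Nathan's unique-PTR setup earlier in the thread) through a fake resolver that rotates A records the way a round-robin server does, so the effect of repeated connections is visible. `FakeResolver`, `paranoid_first_only`, `paranoid_any` and `run_trials` are names assumed for this example, and the 10.0.0.9 mismatch case is constructed.

```python
# Added illustration (not tcp_wrappers/libwrap code): a model of the PARANOID
# check described in the thread, run against constructed zone data.
from typing import Callable, Dict, List, Optional

# Constructed zone data, layout 1 (martin's round-robin setup): both PTRs
# point at mail.madduck.net, and mail.madduck.net has two A records.
RR_FORWARD: Dict[str, List[str]] = {"mail.madduck.net": ["1.2.3.4", "1.2.3.5"]}
RR_REVERSE: Dict[str, str] = {"1.2.3.4": "mail.madduck.net",
                              "1.2.3.5": "mail.madduck.net"}

# Constructed zone data, layout 2 (Nathan's setup): one unique PTR per IP,
# with the load-balanced A records kept separate under mail.madduck.net.
UNIQUE_FORWARD: Dict[str, List[str]] = {
    "host4.netblk1-2-3.madduck.net": ["1.2.3.4"],
    "host5.netblk1-2-3.madduck.net": ["1.2.3.5"],
    "mail.madduck.net": ["1.2.3.4", "1.2.3.5"],
}
UNIQUE_REVERSE: Dict[str, str] = {"1.2.3.4": "host4.netblk1-2-3.madduck.net",
                                  "1.2.3.5": "host5.netblk1-2-3.madduck.net"}


class FakeResolver:
    """Offline stand-in for the system resolver. Successive forward queries
    for the same name get the A records rotated one step, as a round-robin
    (RR) name server does."""

    def __init__(self, forward: Dict[str, List[str]], reverse: Dict[str, str]):
        self.forward = {name: list(addrs) for name, addrs in forward.items()}
        self.reverse = dict(reverse)
        self._offset: Dict[str, int] = {}

    def ptr(self, ip: str) -> Optional[str]:
        """Reverse lookup: IP -> name, or None when there is no PTR."""
        return self.reverse.get(ip)

    def a(self, name: str) -> List[str]:
        """Forward lookup: name -> all A records, rotated one step per query."""
        addrs = self.forward.get(name, [])
        if not addrs:
            return []
        k = self._offset.get(name, 0)
        self._offset[name] = (k + 1) % len(addrs)
        return addrs[k:] + addrs[:k]


def paranoid_first_only(r: FakeResolver, ip: str) -> str:
    """The check as the thread paraphrases it: reverse-resolve the IP, then
    forward-resolve that name and compare the IP with the *first* answer."""
    name = r.ptr(ip)
    if name is None:
        return "DENY"          # no PTR at all: nothing to cross-check against
    addrs = r.a(name)
    return "ALLOW" if addrs and addrs[0] == ip else "DENY"


def paranoid_any(r: FakeResolver, ip: str) -> str:
    """Variant that accepts the IP if it appears anywhere in the forward
    answer set; this form is unaffected by RR rotation."""
    name = r.ptr(ip)
    if name is None:
        return "DENY"
    return "ALLOW" if ip in r.a(name) else "DENY"


def run_trials(check: Callable[[FakeResolver, str], str],
               forward: Dict[str, List[str]], reverse: Dict[str, str],
               ip: str, n: int = 4) -> List[str]:
    """Apply `check` to n successive connections from `ip` against a fresh
    resolver and return each verdict; repeated connections expose the RR issue."""
    r = FakeResolver(forward, reverse)
    return [check(r, ip) for _ in range(n)]


if __name__ == "__main__":
    print("RR layout, first-answer check  :",
          run_trials(paranoid_first_only, RR_FORWARD, RR_REVERSE, "1.2.3.4"))
    print("RR layout, any-answer check    :",
          run_trials(paranoid_any, RR_FORWARD, RR_REVERSE, "1.2.3.4"))
    print("unique PTRs, first-answer check:",
          run_trials(paranoid_first_only, UNIQUE_FORWARD, UNIQUE_REVERSE, "1.2.3.5"))
    # Constructed mismatch: a PTR for 10.0.0.9 claims mail.madduck.net, but no
    # A record of mail.madduck.net points back at 10.0.0.9, so both variants deny.
    forged = {**RR_REVERSE, "10.0.0.9": "mail.madduck.net"}
    print("mismatched PTR, any-answer check:",
          run_trials(paranoid_any, RR_FORWARD, forged, "10.0.0.9", 1))
```

With the RR layout the first-answer variant alternates ALLOW/DENY across connections from the same legitimate host, while the unique-PTR layout passes under either variant; a PTR whose name does not resolve back to the connecting IP is denied in both.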
Re: xinetd /etc/host.deny ALL:PARANOID
also sprach Sam Varghese <[EMAIL PROTECTED]> [2002.01.11.0053 +0100]:
> i can only speak from my limited experience. i have found these measures
> to work, therefore i practice them. of course, one would agree to
> disagree.

i don't want to come across as the wannabe-guru, but what exactly do you mean with "i have found these measures to work". what do they do if they don't work?

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"it would be truly surprising if sound were not capable of suggesting colour, if colours could not give the idea of the melody, if sound and colour were not adequate to express ideas." -- claude debussy
Re: xinetd /etc/host.deny ALL:PARANOID
On Fri, Jan 11, 2002 at 12:11:13AM +0100, martin f krafft wrote:
> it's not really a security measure anymore, i find. feel free to
> disagree...

Disabling PARANOID mode only means that you shouldn't trust the logged hostnames, because they may be faked, no?

Marcin

--
Marcin Owsiany <[EMAIL PROTECTED]>              http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
Re: xinetd /etc/host.deny ALL:PARANOID
On Fri, Jan 11, 2002 at 12:11:13AM +0100, martin f krafft wrote:
> > If a host does not match its IP, your system SHOULD deny it access.
>
> i actually disagree. (a) these days, many run their own DNS even though
> the IP belongs to someone else and is only leased to a "home user". (b)
> you wouldn't believe how many DNS admins don't grasp reverse resolution,
> how many have misconfigured it (or not configured it at all), and how
> many times it just simply fails because of that reason even though it's
> a legit request.

i can only speak from my limited experience. i have found these measures to work, therefore i practice them. of course, one would agree to disagree.

Sam

--
(Sam Varghese)
http://www.gnubies.com
Software industry: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems.
Re: blocking ports
[greg: please wrap your lines at 76 characters...]

also sprach Greg Hunt <[EMAIL PROTECTED]> [2002.01.10.1850 +0100]:
> The reason it reports it as filtered is if someone tries to connect to
> a port on which you're not running a service, say port 12345, your
> server will respond back with a TCP/IP packet with the RST, ACK flags
> set (I know RST, I think ACK too). nmap sees this as closed. If you
> filter something out with iptables, a packet with RST flag is never
> sent back, nmap just times out trying to connect and assumes it's
> filtered.

woops. discard my ICMP port unreachable thingie. (when is that sent???)

> I'm not sure, but if you compile your kernel with iptables support and
> use the REJECT target support (which sends back an ICMP error in
> response to the attempted connection), nmap might say closed instead
> of filtered (although since it's different than a packet with RST set,
> maybe it still realizes it's filtered through a firewall).

iptables can even be made to do this too:

  iptables -A ... -j REJECT --reject-with tcp-reset

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

with searching comes loss and the presence of absence: file not found.
Re: blocking ports
also sprach David Bishop <[EMAIL PROTECTED]> [2002.01.10.1634 +0100]:
> I'm running a server that's hot to the net, and running some insecure
> services (by necessity), like nfs. Of course, I used iptables to
> block all those ports, using nmap and netstat to double check all my
> open ports. However, what nmap reports back is "filtered" for those
> ports. I would prefer if I could somehow make it so that they are
> "closed" to the outside world, so that random j. hacker doesn't know
> that I'm running that service at all. Is there some way to do that,
> or do I just live with "filtered"?

you can configure iptables to return ICMP type 3 "port unreachable" packets, just like the OS would, using the REJECT target. that's what you want to do to get your desired effect. however, DENYing has the advantage of *severely* slowing any portscan, and because obscurity is not a security measure[1] and REJECT not being any safer than DENY, you are really not gaining anything...

[1] because i actually believe that one should be able to post the entire LAN topology as well as server config and firewall config to the net, and *still* be secure,

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

there's someone in my head but it's not me. -- pink floyd, the dark side of the moon, 1972
Re: xinetd /etc/host.deny ALL:PARANOID
also sprach Sam Varghese <[EMAIL PROTECTED]> [2002.01.10.2323 +0100]:
> Why would you want to remove your first line of defence? Do you want the
> whole world to have access to the box in question?

that doesn't mean allowing access to the whole world!

> If a host does not match its IP, your system SHOULD deny it access.

i actually disagree. (a) these days, many run their own DNS even though the IP belongs to someone else and is only leased to a "home user". (b) you wouldn't believe how many DNS admins don't grasp reverse resolution, how many have misconfigured it (or not configured it at all), and how many times it just simply fails because of that reason even though it's a legit request.

i couldn't ssh into my machines from diamond.madduck.net for a long time simply because the DNS admin was "too loaded with work" to fix the reverse IP... until i removed that line. never had any more hack attempts, never had any successful hacks.

it's not really a security measure anymore, i find. feel free to disagree...

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

sprecare tempo e' una parte importante del vivere.
Re: Fwd: scp, no ssh
also sprach Marcel Hicking <[EMAIL PROTECTED]> [2002.01.10.1646 +0100]:
> /bin/true will log you out right away,
> and therefore you cannot start scp.
> I've double-checked this yesterday, and
> even tried to put "exit " into the .bashrc
> *This* did work fine, no ssh anymore, but scp
> works. But! unfortunately the user can scp
> a new .bashrc or use ssh and rm to remove it.

chattr +i .bashrc. but whether you want to do it that way... well, you tell us...

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

please keep your hands off the secretary's reproducing equipment.
Re: Fwd: scp, no ssh
also sprach Marcel Hicking <[EMAIL PROTECTED]> [2002.01.10.1646 +0100]:
> What about sftp?
> Clients should be available by now. I mean,
> Windooze clients ;-)
> As secure as scp, as restricted as ftp.

but you still need to enable a shell and ssh, because sftp does nothing else but pipe over ssh...

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

"in contrast to the what-you-see-is-what-you-get philosophy, unix is the you-asked-for-it,-you-got-it operating system." --scott lee
QMAIL question
List Gurus,

I am running QMAIL for my work and the boffins above me have decided to
start using Exchange Server for the corporate email. They like the "extra"
functionality.

Anyway, the username convention is changing from [EMAIL PROTECTED] to
[EMAIL PROTECTED]

I am being slack with not yet reading the QMAIL doco and From: re-write
rules, but is there a quick way to tack on a short few lines onto the end
of all outbound mail (like an autoresponder) to advise of the imminent
change in addressing before the domain one-domain.com.au gets
decommissioned?

If someone has seen this or done this please email. I have seen similar
functionality for scanning for viruses on incoming emails and rewriting the
To: address (using qmail-scanner), but is there something similar, say in
PERL, for the outbound mail?

Is this question better answered on the QMAIL mailing lists?

Stuart
-- 
Stuart Andrews
Unix Administrator
FOXBORO Australia
Level 2-4, 810 Elizabeth Street, Waterloo NSW 2017
Ph: + 612 8396 3500 (Switch)   Ph: + 612 8396 3723 (Direct)
Fx: + 612 9690 1845
Re: xinetd /etc/host.deny ALL:PARANOID
also sprach Marcin Owsiany <[EMAIL PROTECTED]> [2002.01.11.0058 +0100]:
> > it's not really a security measure anymore, i find. feel free to
> > disagree...
> 
> Disabling PARANOID mode only means that you shouldn't trust the logged
> hostnames, because they may be faked, no?

kinda. it also tries to act against... well, what actually? i think you
need to know exactly what this checks to get a clue...

first, the IP is taken and reverse-resolved to a domain name. then the
domain name is resolved to an IP. if that IP doesn't match, it'll DENY.

now if 1.2.3.4 were to point to mail.madduck.net, but mail.madduck.net
points to 1.2.3.5, then that's obviously a problem, or indication of an
error status, or a hint at a hack/spoof attack... until you realize what
BIND and others do with simple RR load-balancing:

  zone IN 3.2.1.in-addr.ARPA:
    4                 IN PTR  mail.madduck.net
    5                 IN PTR  mail.madduck.net

  zone IN madduck.net
    mail.madduck.net  IN A    1.2.3.4
                      IN A    1.2.3.5

now repeated queries for the A record of mail.madduck.net will return both
IPs alternatingly. now think about why this would cause a problem.

and i think this is too trivial a problem for me to be the first to find
it, so i guess tcp_wrappers/libwrap accounts for this. but i am not sure,
and don't really feel like trying it.

yes, but *what* exactly does ALL:PARANOID prevent? establishing the
authenticity of the domain name is surely a good point, but that's for
finger/who/w and co. only because i don't even want to deal with/know
about a system administrator that parses logs based on domain names
rather than IPs...

-- 
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck

"driving with a destination
 is like having sex to have children"
                                        -- backwater wayne miller
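The check martin walks through above, as an added example that is not tcp_wrappers/libwrap code: a constructed round-robin resolver in Python, with the naive first-address comparison beside a check that accepts any address in the forward answer. The zone data mirrors his mail.madduck.net example; the 1.2.3.9/other.example records, the 9.9.9.9 address with no PTR and the SystemResolver adapter are assumptions added for the demonstration.

```python
"""Emulate the PARANOID forward/reverse check against a constructed, offline
resolver. Added example, not tcp_wrappers/libwrap source."""
import socket
from typing import Callable, Dict, List, Optional, Tuple


class RoundRobinResolver:
    """Fake resolver whose forward lookups rotate the address list on every
    query, the way round-robin (cyclic rrset-order) DNS answers do."""

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]]) -> None:
        self._ptr = dict(ptr)
        self._a = {name: list(addrs) for name, addrs in a.items()}

    def reverse(self, ip: str) -> Optional[str]:
        """PTR lookup: IP -> name, or None when there is no PTR record."""
        return self._ptr.get(ip)

    def forward(self, name: str) -> List[str]:
        """A lookup: name -> all addresses, rotated after each call."""
        addrs = self._a.get(name)
        if not addrs:
            return []
        answer = list(addrs)
        addrs.append(addrs.pop(0))  # next query leads with the next address
        return answer


class SystemResolver:
    """Same interface over the real resolver (assumed adapter; the offline
    demo and its checks never use it)."""

    def reverse(self, ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def forward(self, name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror):
            return []


def make_resolver() -> RoundRobinResolver:
    """Constructed zone data: 1.2.3.4 and 1.2.3.5 both reverse to
    mail.madduck.net, which has two A records (the thread's example);
    1.2.3.9 reverses to a name whose forward record points elsewhere."""
    ptr = {"1.2.3.4": "mail.madduck.net",
           "1.2.3.5": "mail.madduck.net",
           "1.2.3.9": "other.example"}
    a = {"mail.madduck.net": ["1.2.3.4", "1.2.3.5"],
         "other.example": ["10.0.0.1"]}
    return RoundRobinResolver(ptr, a)


def naive_check(ip: str, resolver) -> Tuple[str, str]:
    """Compare the client IP with only the FIRST forward address: the
    version that misfires under round-robin DNS."""
    name = resolver.reverse(ip)
    if name is None:
        return ("DENY", "no PTR record")
    addrs = resolver.forward(name)
    if not addrs:
        return ("DENY", f"gethostbyname({name}) failed")
    if addrs[0] == ip:
        return ("ALLOW", name)
    return ("DENY", f"{name} resolves to {addrs[0]}, not {ip}")


def paranoid_check(ip: str, resolver) -> Tuple[str, str]:
    """Accept when the client IP appears ANYWHERE in the forward answer.
    A round-robin host then passes on every query, while a genuine
    forward/reverse mismatch and a missing PTR are still denied."""
    name = resolver.reverse(ip)
    if name is None:
        return ("DENY", "no PTR record")
    addrs = resolver.forward(name)
    if not addrs:
        return ("DENY", f"gethostbyname({name}) failed")
    if ip in addrs:
        return ("ALLOW", name)
    return ("DENY", f"{name} resolves to {', '.join(addrs)}, not {ip}")


def verdicts(check: Callable, ip: str, queries: int = 4) -> List[str]:
    """Run one check repeatedly against a fresh resolver and return the
    ALLOW/DENY sequence, which shows whether the decision flaps."""
    resolver = make_resolver()
    return [check(ip, resolver)[0] for _ in range(queries)]


if __name__ == "__main__":
    for fn in (naive_check, paranoid_check):
        for ip in ("1.2.3.4", "1.2.3.9", "9.9.9.9"):
            print(f"{fn.__name__:15} {ip:10} {verdicts(fn, ip)}")
```

With the naive comparison, 1.2.3.4 is allowed and denied on alternate queries, which is exactly the flapping martin is pointing at; the any-address comparison allows it every time and still denies 1.2.3.9 (forward record points at 10.0.0.1) and 9.9.9.9 (no PTR). Swap in SystemResolver to run the same checks against live DNS.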
Re: xinetd /etc/host.deny ALL:PARANOID
also sprach Sam Varghese <[EMAIL PROTECTED]> [2002.01.11.0053 +0100]:
> i can only speak from my limited experience. i have found these measures
> to work, therefore i practice them. of course, one would agree to
> disagree.

i don't want to come across as the wannabe-guru, but what exactly do you
mean with "i have found these measures to work". what do they do if they
don't work?

-- 
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck

"it would be truly surprising if sound were not capable of suggesting
 colour, if colours could not give the idea of the melody, if sound and
 colour were not adequate to express ideas."
                                                   -- claude debussy
Re: xinetd /etc/host.deny ALL:PARANOID
On Thu, Jan 10, 2002 at 03:41:37PM +0100, Davi Leal wrote:
> Is It safe to delete the ALL:PARANOID line in /etc/hosts.deny to avoid the
> below messages in /var/log/syslog?
> 
> Jan 22 12:13:46 excalibur xinetd[254]: warning: /etc/hosts.deny, line 15:
> can't verify hostname: gethostbyname(geicamdsl.easynet.es) failed
> Jan 22 12:13:46 excalibur xinetd[254]: refused connect from 213.139.10.34
> 
> /etc/hosts.deny
> 
> # The PARANOID wildcard matches any host whose name does not match its
> # address.
> ALL: PARANOID

Why would you want to remove your first line of defence? Do you want the
whole world to have access to the box in question?

If a host does not match its IP, your system SHOULD deny it access.

> 
> /etc/hosts.allow
> 
> sendmail: all
> in.qpopper: all

I would modify that "all" to the IP range which you use:

in.qpopper: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx

I'm not an ISP or even a tech person so maybe someone else can get in on
this and elaborate.

Sam
-- 
(Sam Varghese)
http://www.gnubies.com
Software industry: unique industry where selling substandard goods is legal
and you can charge extra for fixing the problems.
Re: xinetd /etc/host.deny ALL:PARANOID
On Fri, Jan 11, 2002 at 12:11:13AM +0100, martin f krafft wrote:
> it's not really a security measure anymore, i find. feel free to
> disagree...

Disabling PARANOID mode only means that you shouldn't trust the logged
hostnames, because they may be faked, no?

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]>
http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
Re: xinetd /etc/host.deny ALL:PARANOID
On Fri, Jan 11, 2002 at 12:11:13AM +0100, martin f krafft wrote:
> > If a host does not match its IP, your system SHOULD deny it access.
> 
> i actually disagree. (a) these days, many run their own DNS even though
> the IP belongs to someone else and is only leased to a "home user". (b)
> you wouldn't believe how many DNS admins don't grasp reverse resolution,
> how many have misconfigured it (or not configured it at all), and how
> many times it just simply fails because of that reason even though it's
> a legit request.

i can only speak from my limited experience. i have found these measures
to work, therefore i practice them. of course, one would agree to
disagree.

Sam
-- 
(Sam Varghese)
http://www.gnubies.com
Software industry: unique industry where selling substandard goods is legal
and you can charge extra for fixing the problems.
Re: blocking ports
[greg: please wrap your lines at 76 characters...]

also sprach Greg Hunt <[EMAIL PROTECTED]> [2002.01.10.1850 +0100]:
> The reason it reports it as filtered is if someone tries to connect to
> a port on which you're not running a service, say port 12345, your
> server will respond back with a TCP/IP packet with the RST, ACK flags
> set (I know RST, I think ACK too). nmap sees this as closed. If you
> filter something out with iptables, a packet with RST flag is never
> sent back, nmap just times out trying to connect and assumes it's
> filtered.

woops. discard my ICMP port unreachable thingie. (when is that sent???)

> I'm not sure, but if you compile your kernel with iptables support and
> use the REJECT target support (which sends back an ICMP error in
> response to the attempted connection), nmap might say closed instead
> of filtered (although since it's different than a packet with RST set,
> maybe it still realizes it's filtered through a firewall).

iptables can be made to do this too:

  iptables -A ... -j REJECT --reject-with tcp-reset

-- 
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck

with searching comes loss
and the presence of absence:
file not found.
Re: blocking ports
also sprach David Bishop <[EMAIL PROTECTED]> [2002.01.10.1634 +0100]:
> I'm running a server that's hot to the net, and running some insecure
> services (by necessity), like nfs. Of course, I used iptables to
> block all those ports, using nmap and netstat to double check all my
> open ports. However, what nmap reports back is "filtered" for those
> ports. I would prefer if I could somehow make it so that they are
> "closed" to the outside world, so that random j. hacker doesn't know
> that I'm running that service at all. Is there some way to do that,
> or do I just live with "filtered"?

you can configure iptables to return ICMP type 3 "port unreachable"
packets, just like the OS would, using the REJECT target. that's what you
want to do to get your desired effect.

however, DENYing has the advantage of *severely* slowing any portscan, and
because obscurity is not a security measure[1] and REJECT is not any safer
than DENY, you are really not gaining anything...

[1] because i actually believe that one should be able to post the entire
    LAN topology as well as server config and firewall config to the net,
    and *still* be secure.

-- 
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck

there's someone in my head but it's not me.
                        -- pink floyd, the dark side of the moon, 1972
Re: xinetd /etc/host.deny ALL:PARANOID
also sprach Sam Varghese <[EMAIL PROTECTED]> [2002.01.10.2323 +0100]:
> Why would you want to remove your first line of defence? Do you want the
> whole world to have access to the box in question?

that doesn't mean allowing access to the whole world!

> If a host does not match its IP, your system SHOULD deny it access.

i actually disagree. (a) these days, many run their own DNS even though
the IP belongs to someone else and is only leased to a "home user". (b)
you wouldn't believe how many DNS admins don't grasp reverse resolution,
how many have misconfigured it (or not configured it at all), and how
many times it just simply fails because of that reason even though it's
a legit request.

i couldn't ssh into my machines from diamond.madduck.net for a long time
simply because the DNS admin was "too loaded with work" to fix the reverse
IP... until i removed that line. never had any more hack attempts, never
had any successful hacks.

it's not really a security measure anymore, i find. feel free to
disagree...

-- 
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck

wasting time is an important part of living.
Re: Fwd: scp, no ssh
also sprach Marcel Hicking <[EMAIL PROTECTED]> [2002.01.10.1646 +0100]:
> /bin/true will log you out right away,
> and therefore you cannot start scp.
> I've doublechecked this yesterday, and
> even tried to put "exit " into the .bashrc
> *This* did work fine, no ssh anymore, but scp
> works. But! unforunatelly the user can scp
> an new .bashrc or use ssh and rm to remove it.

chattr +i .bashrc. but whether you want to do it that way... well, you
tell us...

-- 
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck

please keep your hands off the secretary's reproducing equipment.
Re: blocking ports
Firstly look through the services you run and see if they can be bound to a
single interface only. If they run from inetd you can replace it with xinetd
to gain this functionality.

Secondly (and this may or may not work, I've never actually tried it), you
could try rejecting the packets rather than dropping them. That should
return a port closed type message to nmap so it would be unable to tell
that the port is filtered.

At 08:34 10/01/2002 -0700, David Bishop wrote:
> I'm running a server that's hot to the net, and running some insecure
> services (by necessity), like nfs. Of course, I used iptables to block all
> those ports, using nmap and netstat to double check all my open ports.
> However, what nmap reports back is "filtered" for those ports. I would
> prefer if I could somehow make it so that they are "closed" to the outside
> world, so that random j. hacker doesn't know that I'm running that service
> at all. Is there some way to do that, or do I just live with "filtered"?
> 
> TIA and HAND!
> 
> -- 
> D.A.Bishop
Re: tweaking samba and windows
Jose Alberto Guzman([EMAIL PROTECTED])@2002.01.08 21:06:50 +0000:
> Hi.
> 
> I'd like to know how (if possible) to 'map' in a 'network drive' a
> subdirectory in an account's share with samba/windows, for example:
> H: == \\sambasrvr\account\subdir instead of H: being just
> \\sambasrvr\account.

Last time I tested, you could just do:

  net use h: \\sambasrvr\account\subdir

I think I tested under Windows 2000. I'm not sure if this is possible with
other versions of Windows, but I guess it is.

> 
> Also I'd like to know how to tweak the windows smb cache or whatever
> it is so that when msword is saving a >10KB file it won't take a
> little pause in the middle and then continue to write. Sometimes it
> hangs for more than 20 seconds and it's somewhat annoying,
> notwithstanding netware 4.11 doesn't 'hang' when writing the same file
> but writes somewhat faster or at least it seems so.

You might be able to do some performance tweaking on the samba server side;
this link might be useful:

  http://www.oreilly.com/catalog/samba/chapter/book/appb_01.html

For performance tweaking on the client side, I guess you should consult
some Windows documentation ;)

Upgrading to samba 2.2.* instead of 2.0.* might help too.

HTH,
Alson
Re: blocking ports
The reason it reports it as filtered is if someone tries to connect to a
port on which you're not running a service, say port 12345, your server
will respond back with a TCP/IP packet with the RST, ACK flags set (I know
RST, I think ACK too). nmap sees this as closed. If you filter something
out with iptables, a packet with RST flag is never sent back, nmap just
times out trying to connect and assumes it's filtered.

I'm not sure, but if you compile your kernel with iptables support and use
the REJECT target support (which sends back an ICMP error in response to
the attempted connection), nmap might say closed instead of filtered
(although since it's different than a packet with RST set, maybe it still
realizes it's filtered through a firewall).

> I'm running a server that's hot to the net, and running some insecure
> services (by necessity), like nfs. Of course, I used iptables to block all
> those ports, using nmap and netstat to double check all my open ports.
> However, what nmap reports back is "filtered" for those ports. I would
> prefer if I could somehow make it so that they are "closed" to the outside
> world, so that random j. hacker doesn't know that I'm running that service
> at all. Is there some way to do that, or do I just live with "filtered"?

-- 
--SupplyEdge---
Greg Hunt
800-733-3380 x 107
[EMAIL PROTECTED]
Setup new sparc
Hi All

Today I tried to set up a Sun Ultra5. But I can't download exim...

Is there anybody out there whose mirror didn't sync with debian yet, so
that I can set this machine up?

Regards
Michael
firewall / router devices (Topic: Network Security)
2 Questions:

I want to do some major subnetting on our network to help secure it better.
Currently, everything is routed by a Catalyst 5500 series with 3 trays of
Fiber for our internal network. I also want to put some machines on with a
Free IDS like snort to monitor packets.

Q1: Any recommendations for a good commercial router that is easy to
manage, does stateful packet filtering, and is not over $3000? (If funding
is rejected, I think I will be looking at the Linux router project. I just
would rather get a simpler to setup/manage commercial box.)

Q2: What type of machine would I need to run Snort to monitor all incoming
and outgoing packets (RAM, CPU, HardDrive Size, Network Card)? Currently,
we have 6 T1 coming into 1 Cisco 7500 Series VXR.

Ted
Re: Fwd: scp, no ssh
On Thu, Jan 10, 2002 at 04:46:26PM +0100, Marcel Hicking wrote:
> No way.
> /bin/true will log you out right away,
> and therefore you cannot start scp.
> I've doublechecked this yesterday, and
> even tried to put "exit " into the .bashrc
> *This* did work fine, no ssh anymore, but scp
> works. But! unfortunately the user can scp
> a new .bashrc or use ssh and rm to remove it.

Late to the discussion so I may have missed something ... can't you
chattr +i the .bashrc file, then chmod 750 /usr/bin/chattr?

Of course if the user can copy their own chattr binary using scp and
execute it somehow, this doesn't work :)

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |   -- Patton
Re: /bin/true and USR
is /bin/true in /etc/shells? ;-)

Cheers, Marcel

On 10 Jan 2002, at 17:14, Glenn Hocking wrote:
> Hi all
> 
> I have just tried the /bin/true trick for logins but find
> that ftp does not work. I use proftpd and the box tested is
> debian stable. Any ideas?
> 
> I have had many problems with USR modems not being too
> friendly with Rockwell modem chip sets which seem to be the
> most common down here. (Australia and New Zealand) plus USR
> support down here is non existent. Just importers that take
> your money then forget you.
> 
> Regards
> Glenn Hocking
> Publish Media Pty Ltd

-- 
Enjoy Debian/GNU Linux
Now even on the 5 Euro banknote!
Re: Fwd: scp, no ssh
No way.
/bin/true will log you out right away,
and therefore you cannot start scp.
I've doublechecked this yesterday, and
even tried to put "exit " into the .bashrc
*This* did work fine, no ssh anymore, but scp
works. But! unfortunately the user can scp
a new .bashrc or use ssh and rm to remove it.

So I'd say: No way, indeed.

Cheers, Marcel

On 9 Jan 2002, at 21:19, Tim Quinlan wrote:
> how about setting the user's shell to /bin/true. this
> allows ftp, but no login shell. so it may work for scp as
> well.
> 
> -- Forwarded Message --
> Subject: scp, no ssh
> Date: Wed, 9 Jan 2002 09:49:10 +0100
> From: Robert Janusz <[EMAIL PROTECTED]>
> To: debian-isp@lists.debian.org
> 
> How to allow, for some users' IPs, only scp and no ssh?
> 
> ---

-- 
Enjoy Debian/GNU Linux
Now even on the 5 Euro banknote!
Re: Fwd: scp, no ssh
What about sftp?
Clients should be available by now. I mean,
Windooze clients ;-)
As secure as scp, as restricted as ftp.

Cheers, Marcel

On 9 Jan 2002, at 21:19, Tim Quinlan wrote:
> how about setting the user's shell to /bin/true. this
> allows ftp, but no login shell. so it may work for scp as
> well.
> 
> -- Forwarded Message --
> Subject: scp, no ssh
> Date: Wed, 9 Jan 2002 09:49:10 +0100
> From: Robert Janusz <[EMAIL PROTECTED]>
> To: debian-isp@lists.debian.org
> 
> How to allow, for some users' IPs, only scp and no ssh?
> 
> ---

-- 
Enjoy Debian/GNU Linux
Now even on the 5 Euro banknote!
blocking ports
I'm running a server that's hot to the net, and running some insecure
services (by necessity), like nfs. Of course, I used iptables to block all
those ports, using nmap and netstat to double check all my open ports.
However, what nmap reports back is "filtered" for those ports. I would
prefer if I could somehow make it so that they are "closed" to the outside
world, so that random j. hacker doesn't know that I'm running that service
at all. Is there some way to do that, or do I just live with "filtered"?

TIA and HAND!

-- 
D.A.Bishop
Re: Fwd: scp, no ssh
What about setting rbash as login shell and then

  PATH=/usr/local/bin

in .bash_profile and then

  ln -s /usr/bin/scp /usr/local/bin/scp

and and and then

  chattr +i .bash_profile

That is what i do and it works (as far as i know ..)

-- 
Felipe Alvarez Harnecker.
QlSoftware.
Tels. 204.56.21 - 09.874.60.17
e-mail: [EMAIL PROTECTED]
http://qlsoft.cl/
http://ql.cl/
xinetd /etc/host.deny ALL:PARANOID
We are an ISP (Internet Service Provider) and we use Debian GNU/Linux 2.2r3
(potato) as mail and DNS server:

  sendmail  8.9.3-23
  qpopper   2.53-5
  bind      8.2.3

Is it safe to delete the ALL:PARANOID line in /etc/hosts.deny to avoid the
below messages in /var/log/syslog?

  Jan 22 12:13:46 excalibur xinetd[254]: warning: /etc/hosts.deny, line 15:
  can't verify hostname: gethostbyname(geicamdsl.easynet.es) failed
  Jan 22 12:13:46 excalibur xinetd[254]: refused connect from 213.139.10.34

/etc/hosts.deny

  # The PARANOID wildcard matches any host whose name does not match its
  # address.
  ALL: PARANOID

/etc/hosts.allow

  sendmail: all
  in.qpopper: all
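The two syslog lines quoted in the question, as an added example that is not from the original thread: a small Python triage script that pairs each "refused connect" with the PARANOID warning xinetd logged alongside it, so you can see how many refusals come from names that simply fail to resolve forward versus a genuine forward/reverse mismatch before deciding whether to drop the line. The extra log lines, the 192.0.2.7 and 198.51.100.9 addresses, the bogus.example name and the "host name/address mismatch" wording are constructed for this example.

```python
"""Triage xinetd/tcp_wrappers PARANOID refusals from syslog. Added example."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample, patterned on the two lines in the question. The
# "host name/address mismatch" wording is constructed for this example.
SAMPLE_LOG = """\
Jan 22 12:13:46 excalibur xinetd[254]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(geicamdsl.easynet.es) failed
Jan 22 12:13:46 excalibur xinetd[254]: refused connect from 213.139.10.34
Jan 22 12:20:11 excalibur xinetd[254]: warning: /etc/hosts.deny, line 15: host name/address mismatch: 192.0.2.7 != bogus.example
Jan 22 12:20:11 excalibur xinetd[254]: refused connect from 192.0.2.7
Jan 22 12:31:40 excalibur xinetd[254]: refused connect from 198.51.100.9
Jan 22 12:40:05 excalibur xinetd[254]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(geicamdsl.easynet.es) failed
Jan 22 12:40:05 excalibur xinetd[254]: refused connect from 213.139.10.34
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ xinetd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LOOKUP_FAILED_RE = re.compile(
    r"can't verify hostname: gethostbyname\((?P<name>[^)]+)\) failed")
MISMATCH_RE = re.compile(r"host name/address mismatch: \S+ != (?P<name>\S+)")
REFUSED_RE = re.compile(r"refused connect from (?P<ip>\S+)")

Refusal = Tuple[str, str, Optional[str]]  # (client ip, reason, hostname or None)


def classify_refusals(log_text: str) -> List[Refusal]:
    """Pair each 'refused connect' with the PARANOID warning written just
    before it by the same xinetd process in the same second. Reasons:
      lookup-failed  the PTR name has no usable forward record (missing or
                     broken reverse DNS on the client's side)
      mismatch       the forward record exists but points elsewhere
      no-warning     refused by some other hosts.allow/hosts.deny rule"""
    pending = None  # (ts, pid, reason, name) from the most recent warning
    refusals: List[Refusal] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an xinetd line; ignore
        msg = m["msg"]
        failed = LOOKUP_FAILED_RE.search(msg)
        if failed:
            pending = (m["ts"], m["pid"], "lookup-failed", failed["name"])
            continue
        mismatch = MISMATCH_RE.search(msg)
        if mismatch:
            pending = (m["ts"], m["pid"], "mismatch", mismatch["name"])
            continue
        refused = REFUSED_RE.search(msg)
        if refused:
            reason, name = "no-warning", None
            if pending and pending[0] == m["ts"] and pending[1] == m["pid"]:
                reason, name = pending[2], pending[3]
            pending = None  # a warning explains at most one refusal
            refusals.append((refused["ip"], reason, name))
    return refusals


def summarize(log_text: str) -> Dict[str, object]:
    """Counts per reason and per client, plus the names whose forward
    lookup failed (the ones to raise with the owning DNS admin)."""
    refusals = classify_refusals(log_text)
    return {
        "by_reason": dict(Counter(reason for _, reason, _ in refusals)),
        "by_ip": dict(Counter(ip for ip, _, _ in refusals)),
        "unverifiable_names": sorted({name for _, reason, name in refusals
                                      if reason == "lookup-failed" and name}),
    }


if __name__ == "__main__":
    for ip, reason, name in classify_refusals(SAMPLE_LOG):
        print(f"{ip:16} {reason:14} {name or '-'}")
    print(summarize(SAMPLE_LOG))
```

Run it against /var/log/syslog instead of the constructed sample: a high "lookup-failed" count made up of a few repeated names is the broken-reverse-DNS situation martin describes, while "mismatch" entries are the case Sam's argument is about; keeping the two apart is what tells you what removing ALL: PARANOID would actually change.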
rsync authentication problem using --password-file option
Hi Guys / Ladies

We are having a problem with rsync. We have set up an rsync server and have
client servers connecting to it to upload data. We can connect and upload
data fine manually, however when we tell rsync to use the --password-file
option then we get an auth failure.

Any help would be greatly appreciated :)

Kind regards
Craig
Re: Fwd: scp, no ssh
No way. /bin/true will log you out right away, and therefore you cannot start scp. I've double-checked this yesterday, and even tried to put "exit" into the .bashrc. *This* did work fine, no ssh anymore, but scp works. But! Unfortunately the user can scp a new .bashrc or use ssh and rm to remove it. So I'd say: No way, indeed. Cheers, Marcel On 9 Jan 2002, at 21:19, Tim Quinlan wrote: > how about setting the user's shell to /bin/true. this > allows ftp, but no login shell. so it may work for scp as > well. > > -- Forwarded Message -- > Subject: scp, no ssh > Date: Wed, 9 Jan 2002 09:49:10 +0100 > From: Robert Janusz <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > > > How to allow, for some users' IPs, only scp and no ssh? -- Enjoy Debian/GNU Linux - Now even on the 5 Euro banknote!
Re: Fwd: scp, no ssh
What about sftp? Clients should be available by now. I mean, Windooze clients ;-) As secure as scp, as restricted as ftp. Cheers, Marcel On 9 Jan 2002, at 21:19, Tim Quinlan wrote: > how about setting the user's shell to /bin/true. this > allows ftp, but no login shell. so it may work for scp as > well. > > -- Forwarded Message -- > Subject: scp, no ssh > Date: Wed, 9 Jan 2002 09:49:10 +0100 > From: Robert Janusz <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > > > How to allow, for some users' IPs, only scp and no ssh? -- Enjoy Debian/GNU Linux - Now even on the 5 Euro banknote!
blocking ports
I'm running a server that's hot to the net, and running some insecure services (by necessity), like nfs. Of course, I used iptables to block all those ports, using nmap and netstat to double check all my open ports. However, what nmap reports back is "filtered" for those ports. I would prefer if I could somehow make it so that they are "closed" to the outside world, so that random j. hacker doesn't know that I'm running that service at all. Is there some way to do that, or do I just live with "filtered"? TIA and HAND! -- D.A.Bishop
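The distinction nmap is reporting is about what answer the probe gets: a port that sends nothing back (an iptables DROP) is "filtered", a port that answers with a TCP RST, as any port with no listener does, is "closed". So the way to look like you are not running the service is to REJECT with a reset rather than DROP, and to let NFS be reached only from the inside. The rule set below is an added example, not the poster's configuration; eth1 as the internal interface and 10.0.0.0/24 as the internal network are assumptions.

```conf
# /etc/iptables.rules -- load with "iptables-restore < /etc/iptables.rules".
# Added example, not the poster's rule set. eth1 as the inside interface and
# 10.0.0.0/24 as the internal network are assumed.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services meant for the world.
-A INPUT -p tcp --dport 22 -j ACCEPT
# NFS: portmap (111), nfsd (2049) and the mountd/lockd/statd ports that portmap
# hands out dynamically are reachable only from the inside, on the inside interface.
-A INPUT -i eth1 -s 10.0.0.0/24 -p tcp -j ACCEPT
-A INPUT -i eth1 -s 10.0.0.0/24 -p udp -j ACCEPT
# The post's approach, which is what makes nmap say "filtered" (no answer at all):
# -A INPUT -p tcp --dport 2049 -j DROP
# Instead answer exactly as a port with nothing listening would: a TCP RST for
# TCP, ICMP port-unreachable for UDP. nmap then reports "closed" and cannot tell
# a firewalled nfsd from no nfsd at all.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

Check it from an outside host with `nmap -sS -p 111,2049 server` and `nmap -sU -p 111,2049 server`; both should now come back "closed". Two caveats: rejecting instead of dropping costs a reply packet per probe, and a scanner still learns the host is up from the ports you do serve, so this hides the service, not the machine. Rejecting everything rather than only 2049 matters because the RPC helpers around nfsd sit on portmap-assigned ports that a per-port rule would miss.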
Re: Fwd: scp, no ssh
What about setting rbash as login shell, then PATH=/usr/local/bin in .bash_profile, then ln -s /usr/bin/scp /usr/local/bin/scp, and then chattr +i .bash_profile? That is what I do and it works (as far as I know...). -- Felipe Alvarez Harnecker. QlSoftware. Tels. 204.56.21 - 09.874.60.17 e-mail: [EMAIL PROTECTED] http://qlsoft.cl/ http://ql.cl/
xinetd /etc/host.deny ALL:PARANOID
We are an ISP (Internet Service Provider) and we use Debian GNU/Linux 2.2r3 (potato) as mail and DNS server: sendmail 8.9.3-23, qpopper 2.53-5, bind 8.2.3. Is it safe to delete the ALL: PARANOID line in /etc/hosts.deny to avoid the below messages in /var/log/syslog?

Jan 22 12:13:46 excalibur xinetd[254]: warning: /etc/hosts.deny, line 15: can't verify hostname: gethostbyname(geicamdsl.easynet.es) failed
Jan 22 12:13:46 excalibur xinetd[254]: refused connect from 213.139.10.34

/etc/hosts.deny:
# The PARANOID wildcard matches any host whose name does not match its
# address.
ALL: PARANOID

/etc/hosts.allow:
sendmail: all
in.qpopper: all
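PARANOID fires when the reverse lookup of the client address yields a name whose forward lookup does not contain that address (or fails outright, which is what the gethostbyname warning above records). Whether that is worth refusing depends on what the service does with the name: a password-authenticated POP login gains nothing from it, while a mailer that logs and makes decisions on the peer name does. The files below are an added example of saying exactly that in hosts_access(5) syntax; they are not the poster's files, and the service names are the only thing taken from the post.

```conf
# /etc/hosts.allow -- consulted first; a matching (daemon, client) line grants
# access and hosts.deny is never looked at. Added example, not the poster's files.
#
# Mail logs and acts on the peer's name, so keep refusing peers whose reverse and
# forward DNS disagree.
sendmail:   ALL EXCEPT PARANOID
# POP clients prove who they are with a password; a customer whose ISP forgot the
# A record for a dial-up reverse name should not be locked out of their mail.
in.qpopper: ALL

# /etc/hosts.deny -- reached only when nothing above matched.
ALL: ALL
```

Verify with `tcpdchk` (syntax) and `tcpdmatch sendmail 213.139.10.34` / `tcpdmatch in.qpopper 213.139.10.34`, which print the rule that matched and whether access is granted. One thing worth checking before deleting anything: the warning cites hosts.deny, so for that connection nothing in hosts.allow matched, even though the post's hosts.allow already grants sendmail and in.qpopper to everyone. Either the refused connection was for a different service, or the daemon name xinetd hands to libwrap for the POP service is not the `in.qpopper` the allow line expects; tcpdmatch with the name xinetd actually uses settles which.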
rsync authentication problem using --password-file option
Hi Guys / Ladies, We are having a problem with rsync. We have set up an rsync server and have client servers connecting to it to upload data. We can connect and upload data fine manually; however, when we tell rsync to use the --password-file option we get an auth failure. Any help would be greatly appreciated :) Kind regards Craig
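When the interactive prompt works and --password-file does not, the daemon side (rsyncd.secrets, the `auth users` line, `strict modes`) is usually fine and the client-side file is the problem: it must contain just the password on its first line, not the `user:password` form of rsyncd.secrets, must not be readable by other users (rsync refuses such a file), and must not have picked up a carriage return from a Windows editor. The script below is an added example written for this question, not rsync's code or anything from the thread; the module, user and host in the usage comment are assumed.

```sh
#!/bin/sh
# Added example for the --password-file question above; it is not from the thread
# and not rsync's code. The module, user and host in the usage comment are assumed.
# The client-side file holds just the daemon password on its first line (nothing
# else, in particular not the "user:password" form of the server's rsyncd.secrets).

# make_password_file PATH PASSWORD: write the file with mode 0600 from the start,
# so the password is never world-readable even for an instant.
make_password_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" )
}

# check_password_file PATH: 0 if the file is one rsync will accept and use as
# typed, 1 (with a reason on stdout) for the usual ways it goes wrong.
check_password_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file"; return 1; }
    # rsync refuses a password file other users can read; insist on 0600.
    case $(ls -l "$f" | cut -c5-10) in
        ------) ;;
        *) echo "$f: must be mode 600 (rsync rejects an other-readable password file)"; return 1 ;;
    esac
    first=$(head -n 1 "$f")
    cr=$(printf '\r')
    case $first in
        '')      echo "$f: first line is empty"; return 1 ;;
        *"$cr"*) echo "$f: CRLF line ending; the carriage return becomes part of the password"; return 1 ;;
        *:*)     echo "$f: looks like user:password; the client file holds only the password"; return 1 ;;
        *' '*)   echo "$f: password contains a space; check for stray characters"; return 1 ;;
    esac
    return 0
}

# Usage, with an assumed daemon module "uploads" and user "backup":
#   make_password_file /root/.rsync-pw 's3cret'
#   check_password_file /root/.rsync-pw && \
#       rsync -av --password-file=/root/.rsync-pw /data/ backup@rsync.example.org::uploads/
```

Running `rsync -vv` shows the daemon's greeting and the auth exchange if the file passes these checks and the failure persists; setting RSYNC_PASSWORD in the environment instead of using a file is the other supported way to hand the daemon password to a non-interactive rsync.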
Re: scp, no ssh
Hi, Found something which looks like it might do the trick: http://www.sublimation.org/scponly/ Haven't tried it myself, though... Regards, Bennet On Thu, 2002-01-10 at 05:51, Jeff Norman wrote: > > Now, the trick is to replace bob's shell with a (perl?) script that > takes the -c argument passed and checks if scp is the intended command. > If scp *isn't* the intended command, it merely exits, thus closing the > remote connection and effectively denying access to other commands. > If scp *is* what was requested, the script could just exec scp with the > requested options in place of itself and everything should continue as > normal. If you wanted to, you could even get really fancy and have the > script deny access to certain directories or types of files. > > Of course, I don't imagine that the ssh/scp combo was intended to be > used like this, so one should be careful while implementing, but other > than that, the only downside I can think of is that the user on the > remote system becomes useless for any purpose other than scp-ing. > > > Hope that makes sense. > Later, > > Jeff >
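The wrapper Jeff describes above, and Felipe's rbash variant earlier in the thread, rest on the same fact: sshd runs the account's login shell as `shell -c 'scp -t dir'` for scp, so a root-owned login shell that only execs a server-side scp gives the user nothing to overwrite, unlike a .bashrc. The script below is an added example written for this thread; it is not scponly's code and not from any post here. /usr/local/bin/scpshell, /usr/bin/scp and /usr/lib/sftp-server are assumed paths.

```sh
#!/bin/sh
# scp-only login shell: an added example written for this thread, not scponly's
# code and not from any post above. Install root-owned as /usr/local/bin/scpshell
# (path assumed) and make it the user's shell in /etc/passwd. sshd runs the login
# shell as "shell -c 'scp -t dir'" for scp and with no arguments for an interactive
# login, so no dotfile in the user's home is involved and none can be scp'd over.

SCP=/usr/bin/scp                  # assumed path
SFTP_SERVER=/usr/lib/sftp-server  # assumed path; also admits sftp clients

# allowed_command CMDLINE: 0 if CMDLINE is a server-side scp invocation (or the
# sftp subsystem) we are willing to exec, 1 for anything else.
allowed_command() {
    cmd=$1
    # Whitelist the characters a remote scp command line needs. Anything else
    # (; & | ` $ ( ) < > quotes, newlines, globs) means someone is not using scp.
    # The "x" sentinel keeps $(...) from hiding a trailing newline.
    rest=$(printf '%s' "$cmd" | tr -d 'A-Za-z0-9 ./_~@:+=,-'; echo x)
    [ "$rest" = x ] || return 1
    [ "$cmd" = "$SFTP_SERVER" ] && return 0

    set -- $cmd                    # safe to word-split: no metacharacters left
    [ "$1" = scp ] || return 1
    shift
    mode=
    for arg in "$@"; do
        case $arg in
            -*)
                opts=${arg#-}
                # Only the options the receiving/sending side of scp uses.
                # -S (ssh program) and -o (ssh options) would let the client
                # name a program to run, so they are not in the list.
                case $opts in *[!rpdvtf]*) return 1 ;; esac
                case $opts in *[tf]*) mode=set ;; esac
                ;;
        esac
    done
    # Without -t or -f scp runs in client mode and would itself start ssh.
    [ -n "$mode" ]
}

# Dispatch. No -c means an interactive login: fall off the end, the session closes.
if [ "$1" = -c ]; then
    if allowed_command "$2"; then
        [ "$2" = "$SFTP_SERVER" ] && exec "$SFTP_SERVER"
        set -- $2
        shift                                # drop the leading "scp"
        for a in "$@"; do                    # expand the ~ a real shell would have
            shift
            case $a in '~') a=$HOME ;; '~/'*) a=$HOME/${a#'~/'} ;; esac
            set -- "$@" "$a"
        done
        exec "$SCP" "$@"
    fi
    echo "this account permits scp and sftp only" >&2
    exit 1
fi
```

The wrapper need not be listed in /etc/shells for sshd to use it, but proftpd and chsh insist on that, as the /bin/true sub-thread found. It restricts the command, not the files: the user can still read and write anything the account can, which is where scponly's chroot comes in. And whatever the user can already write under their home stays a lever; a sshd that honours ~/.ssh/environment (OpenSSH later turned this off by default with PermitUserEnvironment) lets them shape the environment of the scp this execs.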
Re: Fwd: scp, no ssh
also sprach Joel Michael <[EMAIL PROTECTED]> [2002.01.10.0323 +0100]: > This is true, but you can still (probably) use ssh to execute commands, > like /bin/sh, and effectively get a shell. that's not possible either. try it. -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED] this message represents the official view of the voices in my head.
Re: Fwd: scp, no ssh
also sprach Gernot Glawe <[EMAIL PROTECTED]> [2002.01.10.0905 +0100]: > What about setting ssh and scp to a different user and making appropriate > sudo settings? and how do you want to get that working remotely? i suppose you could create a shell script scp and a shell script ssh that would call scp.orig and ssh.orig via sudo. make sure to employ NOPASSWD though, and please let us know if that works... interesting approach! -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED] dimmi in 10 secondi i nomi dei 7 re di roma, in ordine decrescente di data di morte del figlio secondogenito, in rot13... o faccio fuori la directory /dev !!!
Re: Fwd: scp, no ssh
also sprach Tim Quinlan <[EMAIL PROTECTED]> [2002.01.10.0319 +0100]: > how about setting the user's shell to /bin/true. this allows ftp, but no > login shell. so it may work for scp as well. nope. as i said, scp uses ssh and needs a shell -- martin; (greetings from the heart of the sun.) \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED] as of next week, passwords will be entered in morse code.
Re: /bin/true and USR
Hi, On Thu, 10 Jan 2002, Glenn Hocking wrote: > Hi all > > I have just tried the /bin/true trick for logins but find that ftp does > not work. I use proftpd and the box tested is debian stable. Any ideas? please verify that /bin/true is listed in /etc/shells. If this is the case you should have seen this in /var/log/auth.log. > Regards Torsten Krueger -- Media Online Internet Services & Marketing GmbH Torsten Krueger [EMAIL PROTECTED] fon: 49-231-5575100 fax: 49-231-55751098 Ruhrallee 39 D-44137 Dortmund
Re: /bin/true and USR
On Thu, 10 Jan 2002, Glenn Hocking wrote: > Hi all > > I have just tried the /bin/true trick for logins but find that ftp does > not work. I use proftpd and the box tested is debian stable. Any ideas? Add /bin/true to /etc/shells Chuck
Re: Fwd: scp, no ssh
What about setting ssh and scp to a different user and making appropriate sudo settings? > Resent-Sender: [EMAIL PROTECTED] > Resent-Bcc: > Resent-Date: Thu, 10 Jan 2002 03:24:06 +0100 > > On Thu, 2002-01-10 at 12:19, Tim Quinlan wrote: > > how about setting the user's shell to /bin/true. this allows ftp, but no > > login shell. so it may work for scp as well. > > > This is true, but you can still (probably) use ssh to execute commands, > like /bin/sh, and effectively get a shell. > -- > Joel Michael > Systems Administrator > Worldhosting.org Pty. Ltd. -- G.Glawe pelion XII AG Fon: [05 11] 64 64 47 -0 Fax: [05 11] 39 13 07 Pelikanstr. 7, 30177 Hannover eMail: [EMAIL PROTECTED] www.pelion12.de
/bin/true and USR
Hi all I have just tried the /bin/true trick for logins but find that ftp does not work. I use proftpd and the box tested is debian stable. Any ideas? I have had many problems with USR modems not being too friendly with Rockwell modem chip sets which seem to be the most common down here. (Australia and New Zealand) plus USR support down here is non existent. Just importers that take your money then forget you. Regards Glenn Hocking Publish Media Pty Ltd
Re: please recommend a good modem card
On Wed, Jan 09, 2002 at 02:26:09PM +0800, Patrick Hsieh blathered thusly: > We need to purchase modem cards for our Debian GNU/Linux server. > >requirements : > . robustness, especially within our 2U rack server > . follows standard > . supports Linux Get yourself USR Courier v.everything modems if you want the best client-end modems in existence. -- /-- | Ben Staffin gpg key: http://darkskie.net/~benley/pgp.txt | --/