Re: shell access exploits (was Re: upgrading to MySQL 4 on woody)
I'm no expert.

I run chkrootkit on a regular basis.
Run a virus scanner; it will find some exploits. McAfee found a few rootkits and known kernel exploits. I use McAfee for Linux.

Analyze history files for certain keywords.
The best way would be to analyze command frequency in history files and look for infrequently occurring commands that are good indications of hack attempts.
Look at anyone running the command: uname -a

Install grsecurity, and laugh at the attempts to do buffer overruns.
Enable the grsecurity ACL subsystem and continue laughing.

Analyze login frequency: what country are they logging in from? Have they logged in from this address before?
Analyze login time; 2-6am is when most exploits occur.

Look at tripwire or sash logs. (I still use tripwire; I have not learned how to use sash.)
Look at when root logs in.

Check for processes initiating outgoing connections; hackers love to wget their files.
Check for processes using a lot of memory or processor time.

Jason Lim said:
>> One of my hats is a junior sys admin in an academic environment. I'm
>> curious as to how you know when shell users are trying to exploit a kernel
>> hole.
>
> chkrootkit?

--Luke CS Sysadmin, Montana State University-Bozeman
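The history-frequency and login checks listed in the message above, sketched as an added example (not part of the original thread and not any poster's code). The sample histories, login records, the `max_share` threshold and the function names are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (not from any real system). In practice the lines
# would come from each account's shell history and the login records from
# the system's login accounting.
HISTORIES = {
    "alice": ["ls", "cd src", "vim main.c", "make", "ls -l", "make test", "ls"],
    "bob": ["ls", "cd mail", "vim notes.txt", "ls", "make", "cd .."],
    "carol": ["ls", "uname -a", "wget http://example.invalid/x.tgz", "cd /tmp", "ls"],
}
LOGINS = [  # (user, login time, source address), oldest first
    ("alice", "2004-01-19 09:12", "192.0.2.10"),
    ("carol", "2004-01-19 14:30", "192.0.2.44"),
    ("alice", "2004-01-20 10:05", "192.0.2.10"),
    ("carol", "2004-01-21 03:40", "198.51.100.7"),
]
WATCH = ("uname -a", "wget")  # the two commands the post singles out


def rare_commands(histories, max_share=0.1, watch=WATCH):
    """Return sorted (user, line, reasons) for history lines worth a look.

    "rare": the command name is at most max_share of all commands site-wide
    (0.1 suits this tiny sample; tune it down on real data).
    "keyword": the line contains one of the watched strings.
    """
    names = [line.split()[0] for lines in histories.values()
             for line in lines if line.strip()]
    counts, total = Counter(names), len(names)
    findings = []
    for user, lines in histories.items():
        for line in filter(str.strip, lines):  # skip blank lines
            reasons = []
            if counts[line.split()[0]] / total <= max_share:
                reasons.append("rare")
            if any(key in line for key in watch):
                reasons.append("keyword")
            if reasons:
                findings.append((user, line, tuple(reasons)))
    return sorted(findings)


def odd_logins(logins, start_hour=2, end_hour=6):
    """Flag logins in [start_hour, end_hour) or from an address new to the user.

    A user's first recorded login only sets the baseline and is not flagged
    as a new address.
    """
    seen, findings = {}, []
    for user, when, addr in logins:
        hour = datetime.strptime(when, "%Y-%m-%d %H:%M").hour
        known = seen.setdefault(user, set())
        reasons = []
        if start_hour <= hour < end_hour:
            reasons.append("off-hours")
        if known and addr not in known:
            reasons.append("new-address")
        known.add(addr)
        if reasons:
            findings.append((user, when, addr, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in rare_commands(HISTORIES) + odd_logins(LOGINS):
        print(finding)
```

Shell history is under the user's control and can be edited or disabled, so a missing or truncated history file is itself worth noting alongside these findings.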
RE: upgrading to MySQL 4 on woody (final)
Thanks to all - it works great with backports.org!
Oh, how I love the Debian Universe... They have been thinking of everything, haven't they?

Andreas

Check out the www.backports.org website.

P.S.: Of course, security is an important issue and will get lower when using testing or "backported" packages. But, in this particular case, it doesn't matter that much (there are only very few shell accounts on the box in question, no MySQL networking a.s.o.)

Thanks again for nice help and discussion.

--
procommerz - Internet for businesses
http://www.procommerz.de | 033925-90710
Stop TCPA, Microsoft's censorship system! | http://www.againsttcpa.com
Re: shell access exploits (was Re: upgrading to MySQL 4 on woody)
> One of my hats is a junior sys admin in an academic environment. I'm
> curious as to how you know when shell users are trying to exploit a kernel
> hole.

chkrootkit?
shell access exploits (was Re: upgrading to MySQL 4 on woody)
> I have at most a week from a known kernel exploit to when one of my users
> tries to exploit via shell access.

One of my hats is a junior sys admin in an academic environment. I'm curious as to how you know when shell users are trying to exploit a kernel hole.

In another non academic environment and based on info from this list, I've been running snoopy with an eye to grepping the logs for naughtiness

On Mon, 19 Jan 2004, Lucas Albers wrote:

> Rod Rodolico said:
>
> > Becoming a firm believer that you CAN have it all, stability and the
> > latest packages :)
> >
> > There are other places to get backports, BTW. This one works for me.
>
> Rod,
> Yes I agree with your statements.
> Thanks for the link I'll use it on one of my systems...
>
> But you don't explicitly have security, you have the testing delay for
> security updates, combined with the propagation time to backports from
> testing.
>
> I'm still leery of using testing for any publicly exposed service, or for
> machines with shell access.
> I have at most a week from a known kernel exploit to when one of my users
> tries to exploit via shell access.
>
> --Luke CS Sysadmin, Montana State University-Bozeman
Re: upgrading to MySQL 4 on woody
Sorry, I forget sometimes that security is different for different installations. Yes, it would be an issue in a cs department at a college :) I remember when . . .

In my case, db access is limited to the web server, via cgi scripts I write or are relatively easy to keep patched. And, there are at most a half dozen accounts with shell access . . . everyone else has a shell of /bin/false.

If I am living in a fantasy land thinking that gives me a little leeway, please tell me (God, I know what I've let myself in for here).

Rod

BTW, I know what you mean about someone attempting cracks. Turned ProFTP on one of my servers at a client's request. Several dozen attempts at a login within the first 24 hours. I hadn't even told the client it was on yet!

RWR

> Rod Rodolico said:
>
>> Becoming a firm believer that you CAN have it all, stability and the
>> latest packages :)
>>
>> There are other places to get backports, BTW. This one works for me.
>
> Rod,
> Yes I agree with your statements.
> Thanks for the link I'll use it on one of my systems...
>
> But you don't explicitly have security, you have the testing delay for
> security updates, combined with the propagation time to backports from
> testing.
>
> I'm still leery of using testing for any publicly exposed service, or for
> machines with shell access.
> I have at most a week from a known kernel exploit to when one of my users
> tries to exploit via shell access.
>
> --Luke CS Sysadmin, Montana State University-Bozeman

--
Media Ethics is an oxymoron, much like Jumbo Shrimp and Microsoft Works. Not to mention NT Security
Re: upgrading to MySQL 4 on woody
Rod Rodolico said:

> Becoming a firm believer that you CAN have it all, stability and the
> latest packages :)
>
> There are other places to get backports, BTW. This one works for me.

Rod,
Yes I agree with your statements.
Thanks for the link I'll use it on one of my systems...

But you don't explicitly have security, you have the testing delay for security updates, combined with the propagation time to backports from testing.

I'm still leery of using testing for any publicly exposed service, or for machines with shell access.
I have at most a week from a known kernel exploit to when one of my users tries to exploit via shell access.

--Luke CS Sysadmin, Montana State University-Bozeman
Re: upgrading to MySQL 4 on woody
This is exactly what I did a few months ago, for the same reason. Add the following line to your /etc/apt/sources.list

deb http://www.backports.org/debian woody mysql-dfsg

Works like a charm. FYI, I also added:

deb http://www.backports.org/debian woody spamassassin

Becoming a firm believer that you CAN have it all, stability and the latest packages :)

There are other places to get backports, BTW. This one works for me.

Rod

> Hi,
>
> is there any way to do an upgrade for a single Deb package which is
> NOT listed in the stable package list?
>
> I want to upgrade only MySQL to version 4.0.x (because of the fine
> transaction feature), but want not to change the apt source list in
> general (I want to keep the *stable* system).
>
> Is there a "mysql-4.0.17.deb" or something like that out there in
> space? I didn't find such things on the mysql.com website...
>
> (Well, it is: in the *testing* distribution. Can I mix this, and if
> so: how to do this?)
>
> Thanks in advance,
> Andreas Vent-Schmidt
>
> --
> procommerz - Internet for businesses
> http://www.procommerz.de | 033925-90710
>
> Stop TCPA, Microsoft's censorship system! | http://www.againsttcpa.com

--
Media Ethics is an oxymoron, much like Jumbo Shrimp and Microsoft Works. Not to mention NT Security
Re: upgrading to MySQL 4 on woody
On Mon, Jan 19, 2004 at 02:43:52PM +0100, Andreas Vent-Schmidt wrote:
> Hi,

Hello,

> is there any way to do an upgrade for a single Deb package which is
> NOT listed in the stable package list?
>
> I want to upgrade only MySQL to version 4.0.x (because of the fine
> transaction feature), but want not to change the apt source list in
> general (I want to keep the *stable* system).
>
> Is there a "mysql-4.0.17.deb" or something like that out there in
> space? I didn't find such things on the mysql.com website...
>
> (Well, it is: in the *testing* distribution. Can I mix this, and if
> so: how to do this?)

Fetching packages from testing or unstable is an option. But then you would probably need to deal with apt pinning and I'm not that experienced with this particular feature of apt to guide you on how you could achieve such a setup.

Another option is to look for a backport of mysql. I've just found that backports.org have a backported package of mysql version 4.0.16 properly built to work under a stable (woody) system.

I cannot speak for the robustness of the package as I never used it, but then it seems to me that the whole idea of backport.org's existence is to then it seems to be the same codebase and the same packaging from the provide the same Debian package as released to unstable/testing with a minimal change only to allow it to be installed fine under stable.

Have a look at www.backports.org to find out how you could fetch the packages from there.

Regards,

--
André Luís Lopes [EMAIL PROTECTED]
http://people.debian.org/~andrelop
Debian-BR Project http://www.debian-br.org
Public GPG KeyID 9D1B82F6
Re: upgrading to MySQL 4 on woody
Hi,

I provide MySQL 4.0.16 backported packages on www.dotdeb.org

Have fun with them

Gui

On Mon, Jan 19, 2004 at 14:43:52 +0100, Andreas Vent-Schmidt wrote:
> Hi,
>
> is there any way to do an upgrade for a single Deb package which is
> NOT listed in the stable package list?
>
> I want to upgrade only MySQL to version 4.0.x (because of the fine
> transaction feature), but want not to change the apt source list in
> general (I want to keep the *stable* system).

--
Guillaume Plessis <[EMAIL PROTECTED]>
GnuPG Key-ID: BA729AD0
Re: upgrading to MySQL 4 on woody
On Monday 19 January 2004 08:43, Andreas Vent-Schmidt wrote:
> is there any way to do an upgrade for a single Deb package which is
> NOT listed in the stable package list?
>
> I want to upgrade only MySQL to version 4.0.x (because of the fine
> transaction feature), but want not to change the apt source list in
> general (I want to keep the *stable* system).

Two ways that I can think of:

- find or build a package designed for woody (check http://www.backports.org/ and http://www.apt-get.org/)
- set up sources.list with stable, testing and unstable sources. Set up apt to prefer the stable distribution but selectively install what you want from testing or unstable (apt-get -t testing install mysql-server)

I prefer the first solution if it's available (and it is for mysql-server).

--
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
RE: upgrading to MySQL 4 on woody
> Hi,
>
> is there any way to do an upgrade for a single Deb package which is
> NOT listed in the stable package list?

Check out the www.backports.org website.

> Thanks in advance,
> Andreas Vent-Schmidt

--
Ole Hansen