An attack or bad source packet?

2001-02-01 Thread Tim Bishopric

I've been watching a computer over the past week attempt to connect to a 
few high level ports (3094, 3095, 3093) on my small home network 
(AT&T@Home).  My Debian firewall is running ipchains, which I think is set 
up right and blocks most ports.  All the traffic is coming from port 80 
with an IP address resolving to an odd host at compaq.com.  Could a poorly 
configured web server return packets for days?  I've definitely visited 
Compaq's web site in the past month, so perhaps it's a leftover 
session?  Or perhaps it's an attack, or just my misconfigured 
firewall?  Thank you for your help.

Tim


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Disabling Accounts

2001-02-01 Thread Magus Ba'al

I have a question about /etc/passwd...

I typically go through and put a * in all accounts except for 'root' and change
the shell to '/bin/false' when I first set up a box, to make sure the account
cannot be logged into. Is there a specific reason why this is not done? Are
there any implications I just haven't noticed about doing this? Am I just
retarded and missing something obvious? It doesn't seem to break anything
when I do that, but thought I'd ask for someone else's input/opinion.

TIA,

Steven Beverly

"Failure is not an option, it comes pre-installed with your Windoze
software..." -Unknown

"He who fights with monsters should look to it that he himself does not
become a monster...when you gaze long into the abyss the abyss also gazes
into you." -Friedrich Nietzsche

"Time is dead...I stabbed him in the eye with a fork." -Poxin




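An added audit script for the procedure described in the post above (example code, not from the list or its posters; it assumes the standard /etc/passwd and /etc/shadow layouts and runs on constructed sample files): it reports, per account, whether the password field is locked, whether the shell is a non-login shell, or both, since a locked password field only stops password authentication while a non-login shell stops interactive logins whichever way the user authenticates.

```shell
#!/bin/sh
# Added example, not from the list: audit which accounts can still log in,
# checking both things the procedure above changes, the password field and
# the shell. A "*" or "!"-prefixed password field only disables password
# authentication; a non-login shell (/bin/false, nologin) blocks interactive
# logins however the user authenticates. Both together is the safe state.

# Constructed sample files in /etc/passwd and /etc/shadow layout (hashes are
# placeholders, not real). "x" in passwd means: look the hash up in shadow.
PASSWD_FILE=$(mktemp)
SHADOW_FILE=$(mktemp)
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/false
games:x:5:60:games:/usr/games:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
steven:x:1000:1000:Steven:/home/steven:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/sh
ftp:x:102:65534::/home/ftp:/bin/false
EOF
cat > "$SHADOW_FILE" <<'EOF'
root:$6$PLACEHOLDERHASH:11000:0:99999:7:::
games:*:11000:0:99999:7:::
steven:$6$PLACEHOLDERHASH:11000:0:99999:7:::
guest:$6$PLACEHOLDERHASH:11000:0:99999:7:::
ftp:!:11000:0:99999:7:::
EOF

# audit_accounts PASSWD SHADOW: print "<user> <state>" for every account.
audit_accounts() {
    awk -F: -v sfile="$2" '
    FILENAME == sfile { shadowpw[$1] = $2; next }   # first pass: shadow hashes
    NF >= 7 {
        user = $1; pw = $2; shell = $7
        # "x" means the real field is in shadow; an "x" with no shadow entry
        # is treated as an unknown (and therefore not locked) password.
        if (pw == "x" && (user in shadowpw)) pw = shadowpw[user]
        locked  = (pw == "*" || pw ~ /^!/)
        noshell = (shell == "/bin/false" || shell ~ /nologin$/)
        if (locked && noshell)  state = "disabled"
        else if (locked)        state = "locked-pw,login-shell"
        else if (noshell)       state = "pw-set,no-shell"
        else                    state = "login-capable"
        print user, state
    }' "$2" "$1"
}

# login_capable PASSWD SHADOW: the non-root accounts still able to log in,
# space separated on one line (the ones to lock down or justify).
login_capable() {
    audit_accounts "$1" "$2" |
        awk '$2 == "login-capable" && $1 != "root" { printf "%s%s", sep, $1; sep = " " }
             END { print "" }'
}

# Stand-alone run on the constructed sample.
audit_accounts "$PASSWD_FILE" "$SHADOW_FILE"
echo "still login-capable: $(login_capable "$PASSWD_FILE" "$SHADOW_FILE")"
```

On a real system point it at /etc/passwd and /etc/shadow (reading shadow needs root); a service account that a package drives through su with the user's own shell stops working once that shell is /bin/false, which is the side effect to check before locking it down.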




Re: Port Scanning...

2001-02-01 Thread Eric N. Valor


A nice nastygram to the ISP admin is about all you can do.  Often
that makes the scans stop, and every so often you'll actually get a
RESPONSE!  Cut-n-paste the relevant info and include that in the
nastygram (they like to be able to match IPs with login times to find and
root out skr1pt K1dd13z).  

As far as opening false ports, I wouldn't play that game - it could come
back to really bite you unless you absolutely know what you're doing
(read Bellovin & Cheswick - "Repelling the Wily Hacker"
regarding a good story of doing this sort of thing).

At 08:18 PM 2/1/2001 -0600, Jason Arden wrote:
Can anyone recommend
a program to stop people from portscanning your server... or maybe put
out some false information, like let's say 20 pages of open
ports?
 
-Jason
 
Thanks for your time...
 
-- 
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]

- This Space Intentionally Left Blank -



Re: Port Scanning...

2001-02-01 Thread Adam Spickler
tcpwrappers and a firewall are your two best bets.  You can provide false info 
or whatever you want with tcpwrappers, and a firewall can prevent them from 
getting information off your ports.  These have always worked well for me.


...adam


On Thu, Feb 01, 2001 at 08:18:19PM -0600, Jason Arden wrote:
> Can anyone recommend a program to stop people from portscanning your 
> server... or maybe put out some false information, like let's say 20 pages of 
> open ports?
> 
> -Jason
> 
> Thanks for your time...
> 



Port Scanning...

2001-02-01 Thread Jason Arden



Can anyone recommend a program to stop people from 
portscanning your server... or maybe put out some false information, like let's 
say 20 pages of open ports?
 
-Jason
 
Thanks for your time...
 










Re: Disappointment in security handling in Debian

2001-02-01 Thread Alexander Hvostov
Lucien,

I've proposed a secure by default configuration for new Debian
installations on this list before. It drew harsh criticism from at least
one person whose belief it was that those who lack the knowledge to secure
their systems deserve to be rooted. Because of this attitude, and the
fact that maintainers of several packages of questionable security (e.g.
NFS) refuse to move their packages out of `standard' and into `optional'
or `extra', I have my doubts that Debian will be secure by default anytime
soon. If secure by default is what you want, you'll probably be better off
with OpenBSD, where secure by default is their policy.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9


On Thu, 1 Feb 2001, A. L. Meyers wrote:

> 
> On Thursday 01 February 2001 07:01, Daniel Jacobowitz wrote:
> > On Wed, Jan 31, 2001 at 08:56:24AM +1100, Craig Small wrote:
> > > G'day,
> > >   I'm writing this to express my frustration at the slowness Debian
> > > seems to be afflicted with when it comes to letting people know about
> > > our security vulnerabilities and fixes.
> > >
> > > We seem to be able to find, fix and upload fixed packages quite
> > > quickly, however we are usually the last to let others know that they
> > > should upgrade to the new packages, making our users unnecessarily
> > > vulnerable.
> >
> > I beg your pardon?  This isn't the general case at all.  Your example
> > is certainly accurate, but to my knowledge lprng is the only thing to
> > slip through the cracks that way in a year.  We're often behind with
> > fixes in general, but when we post a fix the advisory generally goes
> > out the same day!
> >
> > Dan
> >
> > /\  /\
> >
> > |   Daniel Jacobowitz|__|SCS Class of 2002   |
> > |   Debian GNU/Linux Developer__Carnegie Mellon University   |
> > | [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
> >
> > \/  \/
> Dear GNU/Debianites,
> 
> "errare humanum est"
> 
> Even the best are not perfect.
> 
> But security tracking is one of the areas where open source shines the most.
> 
> Proprietary closed source systems can't even come remotely close to the
> security auditing and security improvement controls implemented by open
> source = open scrutiny.
> 
> With the security vulnerabilites of the internet, my hope is that there will
> soon be a paradigm shift to: "secure by default".
> 
> Greetings,
> 
> Lucien
> --
> This message may contain confidential data intended only for the rightful
> addressee. Should you receive it by error, please delete it at once and
> inform the sender. We encourage the use of encrypted e-mail.
> Please visit our web site: http://www.consult-meyers.com
> 
> 
> 



Re: Disappointment in security handling in Debian

2001-02-01 Thread Daniel Jacobowitz
On Thu, Feb 01, 2001 at 02:12:40PM +0100, Mathieu Dessus wrote:
> This is not directly related to this thread, but this post reminds me
> that the translated pages of the Security Information page (
> http://www.debian.org/security/ ) are generally not up to date.
> And with the automatic switch to the page corresponding to your
> language's preference, I've been fooled several times, thinking that
> Debian security was not up to date.
> 
> What about adding a link to the original version with a warning or
> simply disabling automatic language switching for this page?

The web people tell me that this was a bug in the automatic
regeneration of the web pages; it should be fixed.

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/



Re: security.debian.org in woody

2001-02-01 Thread Tal Danzig
On Thu, Feb 01, 2001 at 07:36:39PM +, Robert Lazzurs wrote:
> On Thu, 1 Feb 2001, Tal Danzig wrote:
> 
> > On Wed, Jan 31, 2001 at 02:32:50PM +0100, Niklas Höglund (ETX) wrote:
> > > Hi!
> > > I'm running woody, should have
> > > "deb http://security.debian.org potato/updates ..."
> > > in my sources.list, as there is no
> > > "deb http://security.debian.org woody/updates ..."
> > > ?
> > 
> > Security updates are available only for stable releases of Debian.
> > These updates generally make their way into unstable around the same time
> > as the security update is released, and should then filter their way into
> > testing.
> > 
> > - Tal
> 
> Yea, but should this not be something that is put through straight away,
> should security update really have to wait with the rest of the packages?

I believe that these packages can be expedited by setting the priority of the 
update to critical.  I'm not 100% sure of the details.  Still, AFAIK, if 
package conflicts are created or the package doesn't build on all released 
archs then it still won't make it into testing.

- Tal

> 
> Take care - Rab

-- 
 -- --
|   Tal Danzig |  Libranet Linux  |
| [EMAIL PROTECTED] | The TOP Desktop! |
| http://tal.thepenismightier.net/ | http://www.libranet.com/ |
 -- --

Beneath the rule of men entirely great, the pen is mightier than the sword.
-- Edward G Bulwer



Re: security.debian.org in woody

2001-02-01 Thread Robert Lazzurs
On Thu, 1 Feb 2001, Tal Danzig wrote:

> On Wed, Jan 31, 2001 at 02:32:50PM +0100, Niklas Höglund (ETX) wrote:
> > Hi!
> > I'm running woody, should have
> > "deb http://security.debian.org potato/updates ..."
> > in my sources.list, as there is no
> > "deb http://security.debian.org woody/updates ..."
> > ?
> 
> Security updates are available only for stable releases of Debian.
> These updates generally make their way into unstable around the same time
> as the security update is released, and should then filter their way into
> testing.
> 
> - Tal

Yea, but should this not be something that is put through straight away,
should security update really have to wait with the rest of the packages?

Take care - Rab

--
Robert Lazzurs  |  "All that is etched in stone is 
The Lazzurs Administration  |  truly only scribbled in sand"
+44 7092 157408 |  -ARL
[EMAIL PROTECTED]   |  EB chat client http://www.everybuddy.com
AIM:lazzurs ICQ:66324927|  ER-Web http://www.elite.uk.com/er
Yahoo:arl666_uk MSN:arl666  |  Join EFF http://www.eff.org



Re: security.debian.org in woody

2001-02-01 Thread Tal Danzig
On Wed, Jan 31, 2001 at 02:32:50PM +0100, Niklas Höglund (ETX) wrote:
> Hi!
> I'm running woody, should have
> "deb http://security.debian.org potato/updates ..."
> in my sources.list, as there is no
> "deb http://security.debian.org woody/updates ..."
> ?

Security updates are available only for stable releases of Debian.
These updates generally make their way into unstable around the same time
as the security update is released, and should then filter their way into
testing.

- Tal

-- 
 -- --
|   Tal Danzig |  Libranet Linux  |
| [EMAIL PROTECTED] | The TOP Desktop! |
| http://tal.thepenismightier.net/ | http://www.libranet.com/ |
 -- --

"but the fact remained that the Tooks were not as respectable as the
Bagginses, though they were undoubtedly richer."
-- J. R. R. Tolkien























Re: Port forwarding for potato

2001-02-01 Thread Ivar Smolin
On Thu, 1 Feb 2001, Viljo Marrandi wrote:

> > > > > > > could you please help me select proper solution for port
> > > > > > > forwarding (one IP, Potato firewall and internal WWW
> > > > > > > server to be accessed from Internet).
>
> I used 'ipmasqadm portfw', worked perfectly (potato ext firewall -> int
> https server). If you already have masquerading installed then you don't need
> to install anything, at least i didn't :)
>
> Viljo

be careful, with masquerading you can't get valid statistics, because
httpd logs all requests as coming from your firewall.

ökul
PGP public key: http://okul.bumpclub.ee/pubkey.asc



Re: Disappointment in security handling in Debian

2001-02-01 Thread Mathieu Dessus
Daniel Jacobowitz wrote:
> 
> On Wed, Jan 31, 2001 at 08:56:24AM +1100, Craig Small wrote:
> > G'day,
> >   I'm writing this to express my frustration at the slowness Debian
> > seems to be afflicted with when it comes to letting people know about
> > our security vulnerabilities and fixes.
> >
> > We seem to be able to find, fix and upload fixed packages quite
> > quickly, however we are usually the last to let others know that they
> > should upgrade to the new packages, making our users unnecessarily
> > vulnerable.
> 
> I beg your pardon?  This isn't the general case at all.  Your example
> is certainly accurate, but to my knowledge lprng is the only thing to
> slip through the cracks that way in a year.  We're often behind with
> fixes in general, but when we post a fix the advisory generally goes
> out the same day!

This is not directly related to this thread, but this post reminds me
that the translated pages of the Security Information page (
http://www.debian.org/security/ ) are generally not up to date.
And with the automatic switch to the page corresponding to your
language's preference, I've been fooled several times, thinking that
Debian security was not up to date.

What about adding a link to the original version with a warning or
simply disabling automatic language switching for this page?

-
 Mathieu Dessus      R&D  CF6 Telindus
 [EMAIL PROTECTED]   http://mdessus.free.fr/



Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)

2001-02-01 Thread thomas lakofski
On 1 Feb 2001, Rainer Weikusat wrote:

> Given dynamic IPs, he can't, as hosts aren't associated with
> particular IPs, but with randomly changing ones. For instance, a
> homebrew ISDN router with an aggressive huptimeout (20s) will change
> IPs comparatively fast, but still remain the same host.

i'm quite aware of this.

> 'ipchains -L -n -v' or a ride with ipchains(8)). But this cannot help,
> because host <-> ip associations are dynamic...
>
> ... but it's probably useless to try to explain this to you any
> longer, as you aren't really interested in technical details, more in
> defending your position on the ladder, so that'll be it.

and i'm not sure what brings you to say this.  looking back at your past
postings, your general tone is negative.  i've not yet seen you say something
positive.

for the record, i've been working in infosec for over four years, and have
designed and built substantial Internet-based commerce systems for major
investment banks during this period.  technical detail is my job.

i understand your points, and yes, i agree that a host could add blocked hosts
to a host running portsentry very quickly.

however, i've never had this happen to me, nor have i heard of it happening on
any security-related mailing list, or via any other source.  dynamic-ip
activity of the kind you describe could be traced very easily to the
perpetrator, and could be dealt with via official channels easily too -- and it
could cost the attacker substantial money in telco charges for any persistent
attack.

portsentry is not a panacea -- it's just part of an overall strategy.  but, i
do not agree with your initial assessment that it is 'worse than useless'.
each to their own, but you've not convinced me that my strategy is wrong, or
that your strategy (not that you've proposed an alternative) is right.

cheers,

-thomas


-- 
  who's watching your watchmen?
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43



Re: security.debian.org in woody

2001-02-01 Thread Mike Moran
Niklas Höglund (ETX) wrote:
> 
> Hi!
> I'm running woody, should have
> "deb http://security.debian.org potato/updates ..."
> in my sources.list, as there is no
> "deb http://security.debian.org woody/updates ..."
> ?

I'd also like to know this, as I am running "testing" right now.

-- 
[EMAIL PROTECTED] 
   Web: http://houseofmoran.com/
   AvantGo: http://houseofmoran.com/Lite/



Re: Port forwarding for potato

2001-02-01 Thread Viljo Marrandi
> > > > > > could you please help me select proper solution for port
> > > > > > forwarding (one IP, Potato firewall and internal WWW
> > > > > > server to be accessed from Internet).

I used 'ipmasqadm portfw', worked perfectly (potato ext firewall -> int
https server). If you already have masquerading installed then you don't need
to install anything, at least i didn't :)

Viljo















Re: Disappointment in security handling in Debian

2001-02-01 Thread A. L. Meyers

On Thursday 01 February 2001 07:01, Daniel Jacobowitz wrote:
> On Wed, Jan 31, 2001 at 08:56:24AM +1100, Craig Small wrote:
> > G'day,
> >   I'm writing this to express my frustration at the slowness Debian
> > seems to be afflicted with when it comes to letting people know about
> > our security vulnerabilities and fixes.
> >
> > We seem to be able to find, fix and upload fixed packages quite
> > quickly, however we are usually the last to let others know that they
> > should upgrade to the new packages, making our users unnecessarily
> > vulnerable.
>
> I beg your pardon?  This isn't the general case at all.  Your example
> is certainly accurate, but to my knowledge lprng is the only thing to
> slip through the cracks that way in a year.  We're often behind with
> fixes in general, but when we post a fix the advisory generally goes
> out the same day!
>
> Dan
>
> /\  /\
>
> |   Daniel Jacobowitz|__|SCS Class of 2002   |
> |   Debian GNU/Linux Developer__Carnegie Mellon University   |
> | [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
>
> \/  \/
Dear GNU/Debianites,

"errare humanum est"

Even the best are not perfect.

But security tracking is one of the areas where open source shines the most.

Proprietary closed source systems can't even come remotely close to the
security auditing and security improvement controls implemented by open
source = open scrutiny.

With the security vulnerabilities of the internet, my hope is that there will
soon be a paradigm shift to: "secure by default".

Greetings,

Lucien
--
This message may contain confidential data intended only for the rightful
addressee. Should you receive it by error, please delete it at once and
inform the sender. We encourage the use of encrypted e-mail.
Please visit our web site: http://www.consult-meyers.com



Re: security.debian.org in woody

2001-02-01 Thread Mike Moran

Niklas Höglund (ETX) wrote:
> 
> Hi!
> I'm running woody, should have
> "deb http://security.debian.org potato/updates ..."
> in my sources.list, as there is no
> "deb http://security.debian.org woody/updates ..."
> ?

I'd also like to know this, as I am running "testing" right now.

-- 
[EMAIL PROTECTED] 
   Web: http://houseofmoran.com/
   AvantGo: http://houseofmoran.com/Lite/






security.debian.org in woody

2001-02-01 Thread Niklas Höglund (ETX)

Hi!
I'm running woody, should have
"deb http://security.debian.org potato/updates ..."
in my sources.list, as there is no
"deb http://security.debian.org woody/updates ..."
?

//Niklas






Re: Port forwarding for potato

2001-02-01 Thread Viljo Marrandi

> > > > > > could you please help me select proper solution for port
> > > > > > forwarding (one IP, Potato firewall and internal WWW
> > > > > > server to be accessed from Internet).

I used 'ipmasqadm portfw', worked perfectly (potato ext firewall -> int
https server). If you already have masquerading installed then you don't need
to install anything, at least i didn't :)

Viljo






Re: Port forwarding for potato

2001-02-01 Thread IC&S - Eelco van Beek
Even more stable: use fastforward (it's on freshmeat somewhere).

Eelco

On Thu, 1 Feb 2001, Johan Bergström wrote:

> 
> There is also a little application called redir.
> Simple and easy.
> 
> Johbe
> 
> On Thu, 1 Feb 2001, Michael Boman wrote:
> 
> > Kelsey Damas wrote:
> > >
> > > > > could you please help me select proper solution for port
> > > > > forwarding (one IP, Potato firewall and internal WWW
> > > > > server to be accessed from Internet).
> > >
> > > What about rinetd?  It's a TCP port redirector.  Userland, no patching...
> > >
> > > http://packages.debian.org/stable/net/rinetd.html
> > >
> > > I've found it useful, but I've never needed anything fancy.
> >
> > Last time I checked out rinetd it re-writes the sender IP and therefor
> > makes logfiles useless (as everything comes from your firewall).
> >
> > /Mike
> >
> > --
> > "eLINUX  ---  Enabling the Net Economy on Linux"
> > --
> > Michael Boman   eLinux Pte Ltd
> > Technical Consultanthttp://www.elinux.com.sg
> > [EMAIL PROTECTED]   Tel:(65)  227 6180
> > Fax:(65)  227 5808
> > --



Re: Port forwarding for potato

2001-02-01 Thread Johan Bergström

There is also a little application called redir.
Simple and easy.

Johbe

On Thu, 1 Feb 2001, Michael Boman wrote:

> Kelsey Damas wrote:
> >
> > > > could you please help me select proper solution for port
> > > > forwarding (one IP, Potato firewall and internal WWW
> > > > server to be accessed from Internet).
> >
> > What about rinetd?  It's a TCP port redirector.  Userland, no patching...
> >
> > http://packages.debian.org/stable/net/rinetd.html
> >
> > I've found it useful, but I've never needed anything fancy.
>
> Last time I checked out rinetd it re-writes the sender IP and therefor
> makes logfiles useless (as everything comes from your firewall).
>
> /Mike
>
> --
> "eLINUX  ---  Enabling the Net Economy on Linux"
> --
> Michael Boman   eLinux Pte Ltd
> Technical Consultanthttp://www.elinux.com.sg
> [EMAIL PROTECTED]   Tel:(65)  227 6180
> Fax:(65)  227 5808
> --




Port forwarding for potato

2001-02-01 Thread Piotr Tarnowski

Hi,

could you please help me select proper solution for port
forwarding (one IP, Potato firewall and internal WWW
server to be accessed from Internet).

It is hard to believe that the only solution for kernel
2.2.17 is patching it with the experimental ipmasqadm module.
Are there any other secure and stable solutions?

Rgds,
Piotr Tarnowski

---
The latest adventures of Harry Potter now on sale! < http://www.ws.pl/wydawnictwa/ >






Re: Port forwarding for potato

2001-02-01 Thread Mostyn Bramley-Moore

> could you please help me select proper solution for port
> forwarding (one IP, Potato firewall and internal WWW
> server to be accessed from Internet).

http://rdb.linux-help.org/ipmasq/ipmasq.php3#ipmasqadm

> It is hard to belive that the only solution for kernel
> 2.2.17 is patching it with experimental  ipmasqadm module.
> Are there any other secure and stable solutions?

I don't think you need to patch the standard 2.2.x kernels.  

Mostyn Bramley-Moore.
-- 
[EMAIL PROTECTED]


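The thread's answer (Viljo, Mostyn) is that a stock 2.2 kernel already carries the portfw masquerading feature and ipmasqadm drives it from userland. The following script is an added example, not code from any of the posters: it sets up forwarding of ports 80 and 443 from the firewall to an internal web server with ipmasqadm portfw and adds the ipchains rules that let the traffic through. The interface name, both addresses and the port list are assumptions. The point Michael Boman raised about rinetd is why this route is preferable when logs matter: the kernel rewrites only the destination address, so the web server still sees the real client address, whereas a userland relay opens a fresh connection from the firewall and every hit appears to come from it.

```shell
#!/bin/sh
# Added example (not from the thread): kernel-level port forwarding on a
# potato box with a stock 2.2 kernel, using ipmasqadm portfw plus the
# ipchains rules that let the forwarded traffic through.  Unlike a userland
# relay (rinetd, redir), only the destination address is rewritten, so the
# internal web server still sees and logs the real client address.
# The interface name, addresses and ports below are assumptions.
EXT_IF=eth0
EXT_IP=192.0.2.10         # assumed public address of the firewall
INT_IP=192.168.1.20       # assumed internal web server
PORTS="80 443"

# Commands are only printed unless APPLY=1, so the rule set can be reviewed
# (and exercised) on a box that has neither ipmasqadm nor root.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Emit (or apply) the forwarding rules for every port in $PORTS.
# Assumes masquerading for the internal network is already in place, e.g.
#   ipchains -A forward -s 192.168.1.0/24 -j MASQ
# so that the server's replies are rewritten on the way back out.
portfw_setup() {
    run modprobe ip_masq_portfw          # portfw support ships with 2.2, no patch
    run ipmasqadm portfw -f              # flush any stale entries first
    for p in $PORTS; do
        # destination-only rewrite: EXT_IP:p -> INT_IP:p, source address untouched
        run ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$p" -R "$INT_IP" "$p"
        # accept the inbound packets on the external interface ...
        run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$p" -j ACCEPT
        # ... and let the rewritten packets be forwarded to the server
        run ipchains -A forward -p tcp -d "$INT_IP" "$p" -j ACCEPT
    done
    run ipmasqadm portfw -l              # show the resulting table
}

portfw_setup
```

Run it once without APPLY to read the rules it would add, then `APPLY=1 sh portfw.sh` as root on the firewall. Check the result on the web server side: its access log should show the remote client addresses, not the firewall's internal address.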




Re: portsentry dangerous? hardly; RTFM. (was Re: checking security logs)

2001-02-01 Thread Rainer Weikusat
thomas lakofski <[EMAIL PROTECTED]> writes:
> On Wed, 31 Jan 2001, Quietman wrote:
> > On Wed, Jan 31, 2001 at 12:54:41AM +, Quietman wrote:
> > > Excuse me if I'm missing the point, but what will this show other than
> > > any rules you already have in place?
> > And obviously, how many packets have been intercepted by that rule.
> 
> If you read back in the thread you'll see that the point of contention was
> whether an admin could know what hosts had been blocked by
> portsentry,

Given dynamic IPs, he can't, as hosts aren't associated with
particular IPs, but with randomly changing ones. For instance, a
homebrew ISDN router with an aggressive huptimeout (20s) will change
IPs comparatively fast, but still remain the same host.

> Equally one could reference the portsentry logs which will contain
> similar information.

Which is '32-bit-numbers' and nothing beyond. 

> Adding appropriate accounting rules when blocking would let you know
> how many packets had been intercepted without vast effort.

You won't need accounting rules for that, because the linux kernel
packet filter keeps byte and packet counters for every rule (try
'ipchains -L -n -v' or a ride with ipchains(8)). But this cannot help,
because host <-> ip associations are dynamic...

... but it's probably useless to try to explain this to you any
longer, as you aren't really interested in technical details, more in
defending your position on the ladder, so that'll be it.

-- 
SIGSTOP
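Both sides of this exchange (thomas lakofski's point that an attacker on a dial-up can make portsentry block many addresses, and Rainer Weikusat's point that a dynamic address belongs to a different host a few minutes later) lead to the same practical mitigation: do not let a portsentry block live for ever. The script below is an added example, not from either poster or from portsentry itself. It assumes the blocks were added with `ipchains -I input -s <ip> -j DENY -l` (the form portsentry's sample KILL_ROUTE uses) and that a KILL_RUN_CMD hook appends a line of the form `<unix-time> <ip>` to a block log of our own; that log format and the sample addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread: expire portsentry blocks after a
# while, so a dial-up/ISDN address that was hostile yesterday is not denied
# to whoever gets it tomorrow.  Assumes the blocks were added with
#   ipchains -I input -s <ip> -j DENY -l
# (the form portsentry's sample KILL_ROUTE uses) and that a KILL_RUN_CMD hook
# appends "<unix-time> <ip>" to a block log.  Both are assumptions; the log
# format is our own, not portsentry's history file.
MAX_AGE=${MAX_AGE:-86400}     # keep a block for one day

# Print the ipchains command that removes each block older than MAX_AGE.
# $1: block log, $2: current time as unix seconds (defaults to now).
expired_blocks() {
    awk -v now="${2:-$(date +%s)}" -v max="$MAX_AGE" '
        NF == 2 && now - $1 > max { print "ipchains -D input -s " $2 " -j DENY -l" }
    ' "$1"
}

# Print the log entries that are still within MAX_AGE (the new block log).
live_blocks() {
    awk -v now="${2:-$(date +%s)}" -v max="$MAX_AGE" '
        NF == 2 && now - $1 <= max { print }
    ' "$1"
}

# Run from cron: unblock expired hosts and rewrite the log.
# Set APPLY=1 to execute the ipchains commands instead of printing them.
expire_run() {
    log=$1
    now=${2:-$(date +%s)}
    if [ "${APPLY:-0}" = 1 ]; then
        expired_blocks "$log" "$now" | sh
    else
        expired_blocks "$log" "$now"
    fi
    live_blocks "$log" "$now" > "$log.new" && mv "$log.new" "$log"
}

# Constructed sample log: one block more than a day old, one ten minutes old.
SAMPLE=${TMPDIR:-/tmp}/portsentry-blocks.$$
printf '980900000 192.0.2.44\n980999400 198.51.100.9\n' > "$SAMPLE"
expire_run "$SAMPLE" 981000000
cat "$SAMPLE"
rm -f "$SAMPLE"
```

The delete command has to mirror the rule portsentry inserted exactly, logging flag included, or ipchains will not find it; check with `ipchains -L input -n` afterwards that the entry is gone. MAX_AGE is a trade-off: long enough that a scanner coming back in an hour still meets the block, short enough that the next subscriber to get the address is not locked out of your mail server for a week.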



Re: portsentry dangerous? hardly; RTFM. (was Re: checking securitylogs)

2001-02-01 Thread thomas lakofski

On Wed, 31 Jan 2001, Quietman wrote:

> On Wed, Jan 31, 2001 at 12:54:41AM +, Quietman wrote:
> > On Tue, Jan 30, 2001 at 04:56:12PM +, thomas lakofski wrote:
> > > ipchains -L -n
> > Excuse me if I'm missing the point, but what will this show other than
> > any rules you already have in place?
> And obviously, how many packets have been intercepted by that rule.

If you read back in the thread you'll see that the point of contention was
whether an admin could know what hosts had been blocked by portsentry,
particularly in the case of a 'denial of service' where someone tries to make
the portsentry host block large numbers of dynamic IP addresses.  Equally one
could reference the portsentry logs which will contain similar information.

Adding appropriate accounting rules when blocking would let you know how many
packets had been intercepted without vast effort.

-thomas

-- 
  who's watching your watchmen?
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
2B72 53DB 8104 2041 BDB4  F053 4AE5 01DF 81FD 4B43






Re: Disappointment in security handling in Debian

2001-02-01 Thread Daniel Jacobowitz
On Wed, Jan 31, 2001 at 08:56:24AM +1100, Craig Small wrote:
> G'day,
>   I'm writing this to express my frustration at the slowness Debian
> seems to be afflicted with when it comes to letting people know about
> our security vulnerabilities and fixes.
> 
> We seem to be able to find, fix and upload fixed packages quite
> quickly, however we are usually the last to let others know that they
> should upgrade to the new packages, making our users unnecessarily
> vulnerable.

I beg your pardon?  This isn't the general case at all.  Your example
is certainly accurate, but to my knowledge lprng is the only thing to
slip through the cracks that way in a year.  We're often behind with
fixes in general, but when we post a fix the advisory generally goes
out the same day!

Dan

/\  /\
|   Daniel Jacobowitz|__|SCS Class of 2002   |
|   Debian GNU/Linux Developer__Carnegie Mellon University   |
| [EMAIL PROTECTED] |  |   [EMAIL PROTECTED]  |
\/  \/