Re: Sendmail DOS
On Thu, 22 Feb 2001 12:59:06 Jean-Francois JOLY wrote:
| Hello Everybody,
|
| I've run Nessus against some servers and it reports me that sendmail
| is vulnerable to a Syn Flood. I've grabbed utilities to test the
| vulnerability and haven't succeeded to reproduce the problem.
| I've found no information about this vulnerability.
| Do you know if this is a true problem or just a false report ?
|
| In my configuration, Sendmail is run as a standalone daemon.
| Should I include it in Xinetd to stop the Problem ?

Somehow I don't think it's necessary (I could be wrong). Look in /etc/mail/sendmail.cf for:

# load average at which we refuse connections
O RefuseLA=10

# maximum number of children we allow at one time
O MaxDaemonChildren=50

# maximum number of new connections per second
O ConnectionRateThrottle=3

Any of the above options should be able to prevent a DoS, from their description, if they are implemented correctly. At least, they'll offer as much protection as inetd can. I've used them before when a mail script went crazy and caused too many connections.

Anyway, Debian Potato ships with Exim, not sendmail.

| Thanks.
|
| --
| Best regards,
| Jean-Francois mailto:[EMAIL PROTECTED]

Kind regards,
Berend

--
Berend De Schouwer, +27-11-712-1435, UCS
Re: Sendmail DOS
At 13:16 22.2.2001, Berend De Schouwer wrote:
> event a DoS, from their description, if they are implemented correctly. At least, they'll offer as much protection as inetd can. I've used them before when a mail script went crazy and caused too many connections.
>
> Anyway, Debian Potato ships with Exim, not sendmail.

So?

Antti
how secure is mail and ftp and netscape/IE???
Hello! Steve here,

Well I am one of the family now! My server is Debian 2.2r2. A benign hacker got me. All he seemed to do was overwrite my root index.html page and notify the "hackers watchdog" group to take responsibility for the act!

I have some security questions:

1. How secure is it checking email with eudora pro, given they have not yet got ssh or any other system that is secure? Since outlook has ssh, is it worth switching for that? I use a separate user and password for mail and ftp.

2. Cute ftp is not secure yet, but should be soon.

3. Using netscape to port to private sections of the website: www.abc.com:1020/systemconfig/index.html (for example) I am asked for a user name and password via netscape/IE

===

Ok all these things are really transmitting my user name and password via plain text with no encryption. If I have sudo installed and a sniffer comes along, they have root access very easily!

Should I be concerned about using email, ftp and IE ?

Steve
Re: how secure is mail and ftp and netscape/IE???
On Wed, Feb 21, 2001 at 01:26:02PM +, Jacob Meuser wrote:
> You could install the Cygwin package for windows. It has ssh-2.3.0 and sftp I believe.

Look for any of the following on google --

* putty: a 200K single exe file for windows. Does ssh, telnet, xterm emulation, but no port forwarding. No DLLs, stick it on a floppy and it just works. GPL.
* pscp: same author as putty, 200K single exe for windows. does scp.
* ttssh: ssh extension for TeraTerm Pro. Considerably larger than putty, but does port forwarding, X forwarding, and has more features like printing.

For Macs:

* niftytelnet with ssh: no port forwarding, but everything else is pretty good.

For Java:

* mindterm: runs on Windows Mac, and probably others (Macs require using jbindery to turn a java class file into a recognizable executable). Does port forwarding, and can even be run inside a browser.

--
Mike Renfro / RD Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
Re: Mac most secure servers?
Microsoft says the same about Windows 2000
Linux fans say the same about Linux
OpenBSD folks say the same about OpenBSD
...

Security relies on the good quality of the system and, more important, the software you use but, in my opinion, is at the same level as the engineer in charge of the security.

Why do I use Debian ? Because it's very easy to update and upgrade. Because people behind Debian care about security and propose up-to-date packages.

Why do I use OpenBSD or FreeBSD on my routers and firewalls ? Because they're secure by default and I don't need to upgrade them often.

That's my choice. No comments.

There's no need to begin long threads about "what is the more secure OS ever ?". This list aims at securing Debian, not withspreading Debian as the MOST secure OS.

my 2 cents,

Philippe

On Thu, Feb 22, 2001 at 10:58:27AM -0500, Steve Rudd wrote:
> I have been told by a "Mac-head" that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux.
>
> Any comments

--
Philippe BARNETCHE
AGISphere
14, Boulevard Vital Bouhot
92200 NEUILLY/SEINE
01 47 45 99 92
06 10 01 68 11

"He who sacrifices functionality for ease of use loses both and deserves neither."
Re: Mac most secure servers?
On Thu, Feb 22, 2001 at 10:58:27AM -0500, Steve Rudd wrote:
> I have been told by a "Mac-head" that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux.
>
> Any comments

It all depends on the admin. Given good tools to work with, the admin is more likely to succeed. If a Mac-head who knows nothing but MacOS, but knows every detail of MacOS, wanted to set up a server, they would probably be able to set up a more secure server on MacOS than on Unix. However, I don't know what the general quality of software for MacOS is. If you're talking about MacOS ten running apache, then you can probably make a pretty darn secure system.

Keep in mind where your advice is coming from. If Bill Gates told you NT was the most secure OS, would you even have to ask...?

The most secure OS is the one you can do the best job securing. Some OSes make it easier to learn to secure them. The classic example is OpenBSD, which is "secure by default", because its default install is to not run any services. The trick is to turn on the service you want, and not have it misconfigured in a security problem way. I haven't used OBSD, so I can't comment. I would assume that it wouldn't be too hard, but it would take some time to get familiar with the system.

No matter what anybody tells you, you can't make a secure server (at least, not long-term secure) without investing some of your time to learn the system and keep up with security announcements. (choosing a system which has good security announcements is obviously important, or you might not hear about problems until it's too late.)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
Re: how secure is mail and ftp and netscape/IE???
I ssh from my Windows 2000 machine at work to my Debian machine at home. You just need the proper client. There are free ones out there for Windows.

> From: Adam Spickler [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: how secure is mail and ftp and netscape/IE???
> Date: Wed, 21 Feb 2001 15:40:05 -0500
>
> What about if you are going from a Windows box to a *nix box. Is there any way to do secure ftp transfers. Mail, for me is no problem. I ssh into my machines and use "Mutt" to deal with email.
>
> ...adam
>
> On Wed, Feb 21, 2001 at 05:29:11PM -0300, Pedro Zorzenon Neto wrote:
> > Hi Steve,
> >
> > About sending plain text password and files with telnet and ftp: uninstall your 'telnetd' and 'ftp server' and install 'ssh'
> >
> > ssh is real secure and has two useful commands:
> > 'ssh' is a substitute for telnet and
> > 'scp' is not the same thing, but substitutes ftp with some advantages
> >
> > read their manuals and compare.
> >
> > Bye
> > Pedro
> >
> > On Wed, Feb 21, 2001 at 03:13:43PM -0500, Steve Rudd wrote:
> > > Hello! Steve here,
> > >
> > > Well I am one of the family now! My server is Debian 2.2r2. A benign hacker got me. All he seemed to do was overwrite my root index.html page and notify the "hackers watchdog" group to take responsibility for the act!
> > >
> > > I have some security questions:
> > >
> > > 1. How secure is it checking email with eudora pro, given they have not yet got ssh or any other system that is secure? Since outlook has ssh, is it worth switching for that? I use a separate user and password for mail and ftp.
> > >
> > > 2. Cute ftp is not secure yet, but should be soon.
> > >
> > > 3. Using netscape to port to private sections of the website: www.abc.com:1020/systemconfig/index.html (for example) I am asked for a user name and password via netscape/IE
> > >
> > > ===
> > >
> > > Ok all these things are really transmitting my user name and password via plain text with no encryption. If I have sudo installed and a sniffer comes along, they have root access very easily!
> > >
> > > Should I be concerned about using email, ftp and IE ?
> > >
> > > Steve
>
> - Adam Spickler
> Whaddu LLC. http://www.whaddu.com
> WebHosting and Design/Development Unlimited -
Re: Mac most secure servers?
> I have been told by a "Mac-head" that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux.

MacOS up through 9.x is arguably more secure *out of the box* for the same reason that Windows9x is secure *out of the box* -- there's no network listener running as a matter of course on such a system, and no provision whatsoever for someone coming in from the outside and executing code. It's also impossible to get "shell" access by hacking into a MacOS <= 9.x, because there is no shell!

You can get 99.99% of the way there on any Unixoid platform simply by deciding there's absolutely nothing in inetd you actually need, and turning it off. But if we're comparing *out of the box* installations, MacOS wins because there are *no* default network services, whereas every Unixoid I know of installs inetd with a whole bunch of 'essential' services (telnet, rsh, ftp) turned on.

A server is only as insecure as the services you choose to run on it. Every port some daemon listens to is arguably one more hole, so you have to keep track of security concerns for the programs you run. But this is true for any operating system.

I've discovered that I can easily get away without inetd running at all. I run a Debian server whose only listeners are sshd, apache and sendmail (used to be exi), and I keep on top of the security updates for all three. Does this make my machine 'secure'? No; but it's no *less* secure than a MacOS <= 9.x box running a web server and a mail server, assuming the programs themselves are equally well secured.

MacOS X, of course, changes everything, because it's Unixoid.

/m
Re: Anti Virus for Debian
Matthew Sherborne [EMAIL PROTECTED] writes:
> Are there any gpl or similar anti-virus programs for linux ? Any recommendations ?

I have a patch for qmail-local which will use AVPdaemon from Kaspersky (their 'AVP for qmail' sucks), if anyone is interested, but you have to buy a license (it's not so expensive in case you are scanning 4k+ domains for your customers.)

--
Ondej Sur [EMAIL PROTECTED]
Globe Internet s.r.o. http://globe.cz/
Tel: +420235365000 Fax: +420235365009
Plnikova 1, 162 00 Praha 6
Mob: +420605204544 ICQ: 24944126
Mapa: http://globe.namape.cz/
GPG fingerprint: CC91 8F02 8CDE 911A 933F AE52 F4E6 6A7C C20D F273
Separate telnet/email ssh users???
Hi!

I tore down my redhat box and installed debian about 3 days ago.

I decided to use separate users and passwd for each telnet and email.

User#1: standard unsecure telnet cuteftp and Eudora.
User#1 has no shell access and is restricted to public "html" files directories.

User#2: CRTssh program
User#2: ssh shell access, but not "su".

The idea is that until eudora and cuteftp come out with their new "ssh" secure versions in a few months, the user names and passwords of user#1 are not a security risk. Why I could even post them on my root page and taunt hackers to try and break in with them! I could even offer a 1000 prize for anyone who can crack and hack their way in! (I saw that done at another site... real neat!)

What do you think?

Steve
Re: Mac most secure servers?
I've used macs as servers for fairly large numbers of people working for a school district (k12 districts aren't into *nixes much yet, at least mine wasn't...). It ran webstar (httpd), eims (mail), quickdns pro, and netpresenz (ftpd).

In my estimation, the security advantage definitely goes to the mac. Quite frankly, I never spent any time performing security checks / tests, because there just isn't the ability to buffer overflow to a rootshell, for example. If an app crashes, that app dies (and, being a mac, chances are the rest of the system dies with it).

Believe it or not, macs used as servers (that are intelligently set up) are fairly stable... at least, far more stable than a mac that's used as a desktop (nothing approaching *nix stability, of course).

These days, I really wouldn't recommend a mac as a server:

* much more expensive than x86 hardware running linux
* less useful than above x86, unless you need only basic services
* performance wise, not very suitable for heavy loads

Of course, now it's all about Mac OS X. The builds I've tried so far have a fairly modest default inetd config - that is, not too much is turned on by default. I'm pretty sure that I'll have to pay more attention to security in Mac OS X, especially if I decide to use any of the more exploitable services (bind, sendmail, etc). Really, though, I'm quite happy running that stuff on my linux box... Macs are desktop computers, and they should be used as such. To do anything else is a waste, imho :)

On Thu, 22 Feb 2001, Steve Rudd wrote:
> I have been told by a "Mac-head" that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux.
>
> Any comments
Woody ssh exploit
We are currently running woody on a production machine (yes, I am not that happy about that decision). Woody does not get potato's security updates, and does not get new unstable security fixes in a timely fashion. This leaves woody vulnerable to certain kinds of problems, particularly distressing right now is the ssh security issue that is out there, which woody does not have a fix for.

Potato has a fix at http://www.debian.org/security/2001/dsa-027

So how do we fix this on a woody machine? There are a few things that can be done, none of them very great.

There is the possibility of putting the potato package on our machine, but are there dependency issues or problems downgrading a package from woody to potato? What about when a fix does finally come available for woody, will it be an issue to bring the potato package up to that woody upgrade?

There is the possibility of enabling protocol2 only on our ssh installation, which would make us safe, but is only an interim fix until an update comes available for woody, this an issue for people who cannot connect via protocol 2, and an annoyance/education effort for those who connect via protocol 1.

All of these aren't great. Unless I am wrong, currently there is no known exploit for this hole, but that isn't that much of a reassurance either.

Thanks,
Micah
Re: Woody ssh exploit
You could just recompile it yourself. I don't even use any of the Debian SSH packages anymore, they are mostly out-of-date anyway. The current SSH2 in woody is 2.0.13, for example. I just download the source and compile it myself for those kind of things. There's another good point to that: Anything that intimately connected with your system security should be done by hand anyway.

Actually, if someone wants to give me a hint on how to use the dpkg tool to build things (never done it before!) and how to upload the compiled versions, I'd re-contribute the packages.

Aaron

On Thu, 22 Feb 2001, Micah Anderson wrote:
> We are currently running woody on a production machine (yes, I am not that happy about that decision). Woody does not get potato's security updates, and does not get new unstable security fixes in a timely fashion. This leaves woody vulnerable to certain kinds of problems, particularly distressing right now is the ssh security issue that is out there, which woody does not have a fix for.
>
> Potato has a fix at http://www.debian.org/security/2001/dsa-027
>
> So how do we fix this on a woody machine? There are a few things that can be done, none of them very great.
>
> There is the possibility of putting the potato package on our machine, but are there dependency issues or problems downgrading a package from woody to potato? What about when a fix does finally come available for woody, will it be an issue to bring the potato package up to that woody upgrade?
>
> There is the possibility of enabling protocol2 only on our ssh installation, which would make us safe, but is only an interim fix until an update comes available for woody, this an issue for people who cannot connect via protocol 2, and an annoyance/education effort for those who connect via protocol 1.
>
> All of these aren't great. Unless I am wrong, currently there is no known exploit for this hole, but that isn't that much of a reassurance either.
>
> Thanks,
> Micah
Re: Woody ssh exploit
On Thu, 22 Feb 2001, Micah Anderson wrote:
> Potato has a fix at http://www.debian.org/security/2001/dsa-027
>
> So how do we fix this on a woody machine?

You could build it from the source pkg's.
put some deb-src lines in y'r /etc/apt/sources.list
apt-get (-b) source

btw. how do these 'Build-Depends' work? I always find myself fetching, building, install additional pkgs by hand.

[RicV]
Re: Woody ssh exploit
from the secret journal of Aaron Dewell ([EMAIL PROTECTED]):
> You could just recompile it yourself. I don't even use any of the Debian SSH packages anymore, they are mostly out-of-date anyway. The current SSH2 in woody is 2.0.13, for example. I just download the source and compile it myself for those kind of things. There's another good point to that: Anything that intimately connected with your system security should be done by hand anyway.

unless you need it done to many machines at once. that's why all of our production servers don't run slackware like they did in 97.

> Actually, if someone wants to give me a hint on how to use the dpkg tool to build things (never done it before!) and how to upload the compiled versions, I'd re-contribute the packages.

put deb-src lines (see below) in your sources.list. now, let's say that proftpd has a security hole that's fixed in unstable but you're running testing. assuming you already have debhelper and dpkg-dev installed, this is all you have to do:

# fakeroot apt-get source -b proftpd

this leaves you with a proftpd package with the security fixes built for your specific system.

i run with deb-src lines for unstable, but for what you're doing, a deb-src line for security.debian.org might be all you need.

deb-src http://http.us.debian.org/debian unstable main contrib non-free
deb-src http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free

--
jacob kuntz
[EMAIL PROTECTED]
underworld.net/~jake
Re: Woody ssh exploit
On Thu, Feb 22, 2001 at 11:10:39AM -0800, Micah Anderson wrote:
> We are currently running woody on a production machine (yes, I am not that happy about that decision). Woody does not get potato's security updates, and does not get new unstable security fixes in a timely fashion. This leaves woody vulnerable to certain kinds of problems, particularly distressing right now is the ssh security issue that is out there, which woody does not have a fix for.
>
> Potato has a fix at http://www.debian.org/security/2001/dsa-027
>
> So how do we fix this on a woody machine?

I installed ssh 2.3.0p1-1.11 from unstable on my woody machines at home. It works great.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
Re: Woody ssh exploit
Hi,

I'm running woody but I have security.debian.org stable in my apt sources.list file:

deb http://ftp.debian.org/debian woody main contrib non-free
deb http://non-us.debian.org woody/non-US main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free
deb http://spidermonkey.helixcode.com/distributions/debian woody main

As a result "dpkg -s ssh" yields:

Package: ssh
Status: install ok installed
Priority: optional
Section: non-US/main
Installed-Size: 503
Maintainer: Philip Hands [EMAIL PROTECTED]
Source: openssh
Version: 1:1.2.3-9.2
...

And "zcat /usr/share/doc/ssh/changelog.Debian.gz | head" yields:

openssh (1:1.2.3-9.2) stable; urgency=high

  * Non-maintainer upload by Security Team
  * Added backported fix for a buffer overflow (thanks to Piotr Roszatycki)
  * Added modified build dependencies from unstable for convenience
  * Added patch that fixes an rsa key exchange problem made public by CORE SDI.

which is the fixed version mentioned in the security alert.

Am I missing something here? I thought the security fix was installed.

Stuart

Quoting Richard ([EMAIL PROTECTED]):
> On Thu, 22 Feb 2001, Micah Anderson wrote:
> > Potato has a fix at http://www.debian.org/security/2001/dsa-027
> >
> > So how do we fix this on a woody machine?
>
> You could build it from the source pkg's.
> put some deb-src lines in y'r /etc/apt/sources.list
> apt-get (-b) source
>
> btw. how do these 'Build-Depends' work? I always find myself fetching, building, install additional pkgs by hand.
>
> [RicV]
Re: Woody ssh exploit
> > I installed ssh 2.3.0p1-1.11 from unstable on my woody machines at home. It works great.
>
> Yes, but 2.4.0 is current.

NO, SSH 2.4.0 is SSH from SSH Communications. It is a commercial release. OpenSSH and SSH are two different products - two completely different implementations of SSH.

This last post helps to illustrate my point about properly naming these. It would help to eliminate a lot of confusion.

SSH is not Free Software. READ the licensing! Yes, there is no charge if you run it on Linux or any of the BSDs. However if you are using it in a mixed environment (you have non Linux/BSD machines) you could possibly be violating the license. The license is very restrictive.

OpenSSH is Free Software (BSD style license). You can do whatever you want with it.

I really hope the packages get a name change. OpenSSH should be called openssh and SSH from SSH Communications labeled as ssh.

The current stable release of OpenSSH for Linux is 2.5.1p1. You can get it at www.openssh.com

M
Re: Mac most secure servers?
On Thu, Feb 22, 2001 at 10:58:27AM -0500, Steve Rudd wrote:
> I have been told by a "Mac-head" that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux.

with MacOS everything runs as root since there is no security, no UIDs, no permissions nothing. if you manage to exploit any daemon or any cgi script you have full root on the box, a clueful attacker could do anything since there is also not even any memory protection in MacOS.

the reason MacOS seems to be more secure is simply that its an obscure platform, most typical unix attacks fail simply because MacOS is different. that does NOT mean that its not possible to very successfully attack MacOS and gain significant access, it simply takes a different attack and different exploits.

several years ago there was a silly `Crack a Mac' contest and someone managed to exploit a cgi script and deface the web site served by the Mac. in most cases such an attack would never allow site defacement on unix since the site is not owned by the webserver UID that the cgi script generally runs as.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: Mac most secure servers?
On Thu, Feb 22, 2001 at 03:09:36PM -0900, Ethan Benson wrote:
> several years ago there was a silly `Crack a Mac' contest and someone managed to exploit a cgi script and deface the web site served by the Mac. in most cases such an attack would never allow site defacement on unix since the site is not owned by the webserver UID that the cgi script generally runs as.

Point of note... cgi scripts for a site are generally setup to run as the user who owns the site so that if a cgi script is hacked, the damage is restricted to said site and not the webserver itself or the system as a whole.

--
CaT ([EMAIL PROTECTED])
*** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000
Re: Woody ssh exploit
On Thu, Feb 22, 2001 at 06:03:53PM -0700, Ray Percival wrote:
> To solve this issue with Woody I just leave the line for the stable security updates in my sources file. I get the security updates before they are in Woody. Is there any reason this would not be a good idea?

Yeah. It doesn't work. What if stable has version 1.0 of a package, woody and sid have 2.0. A security hole is found in 2.0 and fixed in 2.1. It gets backported to 1.0, but you're running 2.0 on testing so apt-get won't install 1.0-fixed. You need to either wait until 2.1 makes it to testing or fetch it from unstable.

This issue was basically overlooked in the creation of a testing tree, and has come up many many times. I think there needs to be a policy update about it, but I haven't seen any talk of it on the policy list, nor do I know of a quick solution that doesn't risk breaking testing with possible incompatibilities.

noah

--
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Separate telnet/email ssh users???
On Thu, 22 Feb 2001 13:43:55 -0500, Steve Rudd mumbled disconsolately:
> Why I could even post them on my root page and taunt hackers to try and break in with them! I could even offer a 1000 prize for anyone who can crack and hack their way in!

"Pride goeth before destruction, and an haughty spirit before a fall." Proverbs xvi. 18.

--
Bob Bernstein NetBSD 1.5 atPronto 2.2.3 Esmond, R.I. Perl 5.6.0 Gtk 1.2.8 MySQL 3.22 USAYeah baby!
Sendmail DOS
Hello Everybody,

I've run Nessus against some servers and it reports me that sendmail is vulnerable to a Syn Flood. I've grabbed utilities to test the vulnerability and haven't succeeded to reproduce the problem. I've found no information about this vulnerability. Do you know if this is a true problem or just a false report ?

In my configuration, Sendmail is run as a standalone daemon. Should I include it in Xinetd to stop the Problem ?

Thanks.

--
Best regards,
Jean-Francois mailto:[EMAIL PROTECTED]
Re: Sendmail DOS
On Thu, 22 Feb 2001 13:27:07 Antti Tolamo wrote:
| At 13:16 22.2.2001, Berend De Schouwer wrote:
| | event a DoS, from their description, if they are implemented correctly. At least,
| | they'll offer as much protection as inetd can. I've used them
| | before when a mail script went crazy and caused too many
| | connections.
| |
| | Anyway, Debian Potato ships with Exim, not sendmail.
|
| So?

So does Nessus talk to sendmail or Exim? I've had security scanners scan my OpenBSD ftp server and list wu-ftpd vulnerabilities.

Just checking :)

| Antti

Kind regards,
Berend

--
Berend De Schouwer, +27-11-712-1435, UCS
Re[2]: Sendmail DOS
Hello Berend,

You're right, it's a good question but: It *is* Sendmail ;-)

I will try the features you told me, what do you think of this setting, there are 150 PCs behind a 128k leased line.

O RefuseLA=15
O MaxDaemonChildren=30
O ConnectionRateThrottle=2

I wonder if ConnectionRateThrottle will just make the client wait or if he will refuse the connection (would be crazy !).

Thanks.
JF.

Thursday, February 22, 2001, 12:42:40 PM, you wrote:

BDS> On Thu, 22 Feb 2001 13:27:07 Antti Tolamo wrote:
BDS> | At 13:16 22.2.2001, Berend De Schouwer wrote:
BDS> | | event a DoS, from their description, if they are implemented correctly. At least,
BDS> | | they'll offer as much protection as inetd can. I've used them
BDS> | | before when a mail script went crazy and caused too many
BDS> | | connections.
BDS> | |
BDS> | | Anyway, Debian Potato ships with Exim, not sendmail.
BDS> |
BDS> | So?

BDS> So does Nessus talk to sendmail or Exim? I've had security scanners
BDS> scan my OpenBSD ftp server and list wu-ftpd vulnerabilities.

BDS> Just checking :)

BDS> | Antti

BDS> Kind regards,
BDS> Berend

--
Best regards,
Jean-Francois mailto:[EMAIL PROTECTED]
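
One way to confirm that the three limits named in this thread are actually active in a sendmail.cf, as an added example that is not part of any poster's message. `audit_limits`, its status strings and the sample file are constructed for illustration; treating an unset, commented-out or zero value as a finding is this example's own policy, not a statement of sendmail's defaults.

```python
"""Audit a sendmail.cf for the three connection limits named in the thread."""
import re

LIMITS = ("RefuseLA", "MaxDaemonChildren", "ConnectionRateThrottle")

# An active long-form option line starts in column 1: "O Name=value".
_ACTIVE = re.compile(r"^O\s+([A-Za-z]\w*)\s*=\s*(\S*)")
# The same line behind a "#" is only a comment and configures nothing.
_COMMENTED = re.compile(r"^#\s*O\s+([A-Za-z]\w*)\s*=")


def audit_limits(cf_text):
    """Return {limit name: (status, detail)} for each name in LIMITS.

    status is "ok" (detail = integer value), "not a positive integer"
    (detail = raw text), "commented out" (detail = line number) or
    "not set" (detail = None).
    """
    active, commented = {}, {}
    for lineno, line in enumerate(cf_text.splitlines(), start=1):
        match = _ACTIVE.match(line)
        if match:
            # If an option is repeated, this example keeps the last one.
            active[match.group(1)] = match.group(2)
            continue
        match = _COMMENTED.match(line)
        if match:
            commented[match.group(1)] = lineno

    report = {}
    for name in LIMITS:
        raw = active.get(name)
        if raw is not None and raw.isdigit() and int(raw) > 0:
            report[name] = ("ok", int(raw))
        elif raw is not None:
            report[name] = ("not a positive integer", raw)
        elif name in commented:
            report[name] = ("commented out", commented[name])
        else:
            report[name] = ("not set", None)
    return report


def findings(cf_text):
    """Names of the limits that are not active with a positive value."""
    return [name for name, (status, _) in audit_limits(cf_text).items()
            if status != "ok"]


# Constructed sample: one limit active, one left as a comment, one zero.
SAMPLE_CF = """\
# load average at which we refuse connections
O RefuseLA=15
# maximum number of children we allow at one time
#O MaxDaemonChildren=30
# maximum number of new connections per second
O ConnectionRateThrottle=0
"""

# The three lines proposed in the message above, as an active fragment.
PROPOSED_CF = """\
O RefuseLA=15
O MaxDaemonChildren=30
O ConnectionRateThrottle=2
"""

if __name__ == "__main__":
    for name, (status, detail) in audit_limits(SAMPLE_CF).items():
        print(f"{name}: {status} ({detail})")
    print("needs attention:", findings(SAMPLE_CF))
```
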
Re: how secure is mail and ftp and netscape/IE???
On Wed, Feb 21, 2001 at 01:26:02PM +, Jacob Meuser wrote: You could install the Cygwin package for windows. It has ssh-2.3.0 and sftp I believe.

Look for any of the following on google --

* putty: a 200K single exe file for windows. Does ssh, telnet, xterm emulation, but no port forwarding. No DLLs, stick it on a floppy and it just works. GPL.
* pscp: same author as putty, 200K single exe for windows. does scp.
* ttssh: ssh extension for TeraTerm Pro. Considerably larger than putty, but does port forwarding, X forwarding, and has more features like printing.

For Macs:

* niftytelnet with ssh: no port forwarding, but everything else is pretty good.

For Java:

* mindterm: runs on Windows Mac, and probably others (Macs require using jbindery to turn a java class file into a recognizable executable). Does port forwarding, and can even be run inside a browser.

--
Mike Renfro / RD Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]
Mac most secure servers?
I have been told by a Mac-head that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux. Any comments
Re: Mac most secure servers?
Microsoft says the same about Windows 2000
Linux fans say the same about Linux
OpenBSD folks say the same about OpenBSD
...

Security relies on the good quality of the system and, more important, the software you use but, in my opinion, is at the same level as the engineer in charge of the security. Why do I use Debian ? Because it's very easy to update and upgrade. Because people behind Debian care about security and propose up-to-date packages. Why do I use OpenBSD or FreeBSD on my routers and firewalls, because they're secure by default and I don't need to upgrade them often. That's my choice. No comments. There's no need to begin long threads about what is the more secure OS ever ?. This list aims at securing Debian, not with spreading Debian as the MOST secure OS.

my 2 cents,
Philippe

On Thu, Feb 22, 2001 at 10:58:27AM -0500, Steve Rudd wrote: I have been told by a Mac-head that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux. Any comments

--
Philippe BARNETCHE AGISphere 14, Boulevard Vital Bouhot 92200 NEUILLY/SEINE 01 47 45 99 92 06 10 01 68 11
He who sacrifices functionality for ease of use loses both and deserves neither.
Re: Mac most secure servers?
On Thu, Feb 22, 2001 at 10:58:27AM -0500, Steve Rudd wrote: I have been told by a Mac-head that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux. Any comments

It all depends on the admin. Given good tools to work with, the admin is more likely to succeed. If a Mac-head who knows nothing but MacOS, but knows every detail of MacOS, wanted to set up a server, they would probably be able to set up a more secure server on MacOS than on Unix. However, I don't know what the general quality of software for MacOS is. If you're talking about MacOS ten running apache, then you can probably make a pretty darn secure system. Keep in mind where your advice is coming from. If Bill Gates told you NT was the most secure OS, would you even have to ask...?

The most secure OS is the one you can do the best job securing. Some OSes make it easier to learn to secure them. The classic example is OpenBSD, which is secure by default, because its default install is to not run any services. The trick is to turn on the service you want, and not have it misconfigured in a security problem way. I haven't used OBSD, so I can't comment. I would assume that it wouldn't be too hard, but it would take some time to get familiar with the system.

No matter what anybody tells you, you can't make a secure server (at least, not long-term secure) without investing some of your time to learn the system and keep up with security announcements. (choosing a system which has good security announcements is obviously important, or you might not hear about problems until it's too late.)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)
The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces! -- Plautus, 200 BCE
Re: how secure is mail and ftp and netscape/IE???
I ssh from my Windows 2000 machine at work to my Debian machine at home. You just need the proper client. There are free ones out there for Windows.

From: Adam Spickler [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Subject: Re: how secure is mail and ftp and netscape/IE???
Date: Wed, 21 Feb 2001 15:40:05 -0500

What about if you are going from a Windows box to a *nix box. Is there any way to do secure ftp transfers. Mail, for me is no problem. I ssh into my machines and use Mutt to deal with email. ...adam

On Wed, Feb 21, 2001 at 05:29:11PM -0300, Pedro Zorzenon Neto wrote:
Hi Steve, About sending plain text password and files with telnet and ftp: uninstall your 'telnetd' and 'ftp server' and install 'ssh' ssh is real secure and has two useful commands: 'ssh' is a substitute for telnet and 'scp' is not the same thing, but substitutes ftp with some advantages read their manuals and compare. Bye Pedro

On Wed, Feb 21, 2001 at 03:13:43PM -0500, Steve Rudd wrote:
Hello! Steve here, Well I am one of the family now! My server is Debian 2.2r2. A benign hacker got me. All he seemed to do was overwrite my root index.html page and notify the hackers watchdog group to take responsibility for the act! I have some security questions:
1. How secure is it checking email with eudora pro, given they have not yet got ssh or any other system that is secure? Since outlook has ssh, is it worth switching for that? I use a separate user and password for mail and ftp.
2. Cute ftp is not secure yet, but should be soon.
3. Using netscape to port to private sections of the website: www.abc.com:1020/systemconfig/index.html (for example) I am asked for a user name and password via netscape/IE
=== Ok all these things are really transmitting my user name and password via plain text with no encryption. If I have sudo installed and a sniffer comes along, they have root access very easily! Should I be concerned about using email, ftp and IE ?
Steve

- Adam Spickler Whaddu LLC. http://www.whaddu.com WebHosting and Design/Development Unlimited -
Re: Mac most secure servers?
well, considering that mac has cornered .0001% of the network operating system market, there may be some truth to that statement. after all, the most secure os is one that no one uses, right? some one else, replied stating that a systems level of security is generally at the knowledge/skill level of the security officer. I would have to second that, harumpf! :) robt

Steve Rudd wrote: I have been told by a Mac-head that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux. Any comments
Re: Mac most secure servers?
On Thu, Feb 22, 2001 at 10:58:27AM -0500, Steve Rudd wrote: I have been told by a Mac-head that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux. Believe it or not the U.S. military made such a claim about 18 months or so back. They had an NT based web server defaced, so they switched to MacOS. Their reasoning was that since MacOS is not designed to be multi-user and remotely managed and stuff that there's less of a chance that it would get cracked remotely. IMHO that's the worst possible reason to claim that the Mac is secure. It's just an ugly form of security through obscurity. The thing is, any box on the network is going to be insecure, and the level of insecurity is going to be inversely proportional to the usefulness of the machine. Sure, maybe you can't remotely manage a Mac. I could do the same thing to a Unix system and make it significantly more secure, but that also makes it a lot less useful. Maybe the Mac is more secure than the *default* installations of most Unixes, but I'd hardly claim that it's more secure than a Unix or (maybe) even an NT system could be. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Mac most secure servers?
On Thu, 22 Feb 2001, Noah L. Meyerhans wrote: The thing is, any box on the network is going to be insecure, and the I second(third?) that. The best way to reduce the security risk to zero on ANY system is to: 1. Unplug ethernet 2. Unplug power cord 3. Lock system in concrete box 4. Drop in Lake Erie REDUCE the risk by keeping up on security upgrades. OS patches, admin skills, etc. All of which requires that you use an OS that can be upgraded and/or patched easily and quickly. Just my 2 cents , adjusted for inflation. -John On Thu, Feb 22, 2001 at 10:58:27AM -0500, Steve Rudd wrote: I have been told by a Mac-head that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux. Believe it or not the U.S. military made such a claim about 18 months or so back. They had an NT based web server defaced, so they switched to MacOS. Their reasoning was that since MacOS is not designed to be multi-user and remotely managed and stuff that there's less of a chance that it would get cracked remotely. IMHO that's the worst possible reason to claim that the Mac is secure. It's just an ugly form of security through obscurity. level of insecurity is going to be inversely proportional to the usefulness of the machine. Sure, maybe you can't remotely manage a Mac. I could do the same thing to a Unix system and make it significantly more secure, but that also makes it a lot less useful. Maybe the Mac is more secure than the *default* installations of most Unixes, but I'd hardly claim that it's more secure than a Unix or (maybe) even an NT system could be. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Mac most secure servers?
I have been told by a Mac-head that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux.

MacOS up through 9.x is arguably more secure *out of the box* for the same reason that Windows9x is secure *out of the box* -- there's no network listener running as a matter of course on such a system, and no provision whatsoever for someone coming in from the outside and executing code. It's also impossible to get shell access by hacking into a MacOS <= 9.x, because there is no shell!

You can get 99.99% of the way there on any Unixoid platform simply by deciding there's absolutely nothing in inetd you actually need, and turning it off. But if we're comparing *out of the box* installations, MacOS wins because there are *no* default network services, whereas every Unixoid I know of installs inetd with a whole bunch of 'essential' services (telnet, rsh, ftp) turned on.

A server is only as insecure as the services you choose to run on it. Every port some daemon listens to is arguably one more hole, so you have to keep track of security concerns for the programs you run. But this is true for any operating system.

I've discovered that I can easily get away without inetd running at all. I run a Debian server whose only listeners are sshd, apache and sendmail (used to be exi), and I keep on top of the security updates for all three. Does this make my machine 'secure'? No; but it's no *less* secure than a MacOS <= 9.x box running a web server and a mail server, assuming the programs themselves are equally well secured.

MacOS X, of course, changes everything, because it's Unixoid.

/m
RE: how secure is mail and ftp and netscape/IE???
-Original Message- From: Mike Renfro [mailto:[EMAIL PROTECTED] Behalf Of Mike Renfro Sent: Thursday, February 22, 2001 7:30 AM To: debian-security@lists.debian.org Subject: Re: how secure is mail and ftp and netscape/IE??? [...] * ttssh: ssh extension for TeraTerm Pro. Considerably larger than putty, but does port forwarding, X forwarding, and has more features like printing. [...] Just as a note here, I've had good luck with port forwarding and VNC using ttssh. Also, between TeraTerm, ttssh and VNC, you can fit them all on a floppy.
Re: Anti Virus for Debian
Matthew Sherborne [EMAIL PROTECTED] writes: Are there any gpl or similar anti-virus programs for linux ? Any recommendations ?

I have a patch for qmail-local which will use AVPdaemon from Kaspersky (their 'AVP for qmail' sucks), if anyone is interested, but you have to buy a license (it's not so expensive in case you are scanning 4k+ domains for your customers.)

--
Ondřej Surý [EMAIL PROTECTED] Globe Internet s.r.o. http://globe.cz/ Tel: +420235365000 Fax: +420235365009 Pláničkova 1, 162 00 Praha 6 Mob: +420605204544 ICQ: 24944126 Mapa: http://globe.namape.cz/ GPG fingerprint: CC91 8F02 8CDE 911A 933F AE52 F4E6 6A7C C20D F273
Separate telnet/email ssh users???
Hi! I tore down my redhat box and installed debian about 3 days ago. I decided to use separate users and passwd for each telnet and email.

User#1: standard unsecure telnet cuteftp and Eudora.
User#1 has no shell access and is restricted to public html files directories.
User#2: CRTssh program
User#2: ssh shell access, but not su.

The idea is that until eudora and cuteftp come out with their new ssh secure versions in a few months, the user names and passwords of user#1 are not a security risk. Why I could even post them on my root page and taunt hackers to try and break in with them! I could even offer a 1000 prize for anyone who can crack and hack their way in! (I saw that done at another site... real neat!)

What do you think?
Steve
Re: Mac most secure servers?
I've used macs as servers for fairly large numbers of people working for a school district (k12 districts aren't into *nixes much yet, at least mine wasn't...). It ran webstar (httpd), eims (mail), quickdns pro, and netpresenz (ftpd).

In my estimation, the security advantage definitely goes to the mac. Quite frankly, I never spent any time performing security checks / tests, because there just isn't the ability to buffer overflow to a rootshell, for example. If an app crashes, that app dies (and, being a mac, chances are the rest of the system dies with it). Believe it or not, macs used as servers (that are intelligently set up) are fairly stable... at least, far more stable than a mac that's used as a desktop (nothing approaching *nix stability, of course).

These days, I really wouldn't recommend a mac as a server:

* much more expensive than x86 hardware running linux
* less useful than above x86, unless you need only basic services
* performance wise, not very suitable for heavy loads

Of course, now it's all about Mac OS X. The builds I've tried so far have a fairly modest default inetd config - that is, not too much is turned on by default. I'm pretty sure that I'll have to pay more attention to security in Mac OS X, especially if I decide to use any of the more exploitable services (bind, sendmail, etc). Really, though, I'm quite happy running that stuff on my linux box... Macs are desktop computers, and they should be used as such. To do anything else is a waste, imho :)

On Thu, 22 Feb 2001, Steve Rudd wrote: I have been told by a Mac-head that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux. Any comments
Woody ssh exploit
We are currently running woody on a production machine (yes, I am not that happy about that decision). Woody does not get potato's security updates, and does not get new unstable security fixes in a timely fashion. This leaves woody vulnerable to certain kinds of problems, particularly distressing right now is the ssh security issue that is out there, which woody does not have a fix for. Potato has a fix at http://www.debian.org/security/2001/dsa-027

So how do we fix this on a woody machine? There are a few things that can be done, none of them very great. There is the possibility of putting the potato package on our machine, but are there dependency issues or problems downgrading a package from woody to potato? What about when a fix does finally come available for woody, will it be an issue to bring the potato package up to that woody upgrade? There is the possibility of enabling protocol2 only on our ssh installation, which would make us safe, but is only an interim fix until an update comes available for woody, this is an issue for people who cannot connect via protocol 2, and an annoyance/education effort for those who connect via protocol 1.

All of these aren't great. Unless I am wrong, currently there is no known exploit for this hole, but that isn't that much of a reassurance either.

Thanks,
Micah
Re: Woody ssh exploit
You could just recompile it yourself. I don't even use any of the Debian SSH packages anymore, they are mostly out-of-date anyway. The current SSH2 in woody is 2.0.13, for example. I just download the source and compile it myself for those kind of things. There's another good point to that: Anything that intimately connected with your system security should be done by hand anyway.

Actually, if someone wants to give me a hint on how to use the dpkg tool to build things (never done it before!) and how to upload the compiled versions, I'd re-contribute the packages.

Aaron

On Thu, 22 Feb 2001, Micah Anderson wrote: We are currently running woody on a production machine (yes, I am not that happy about that decision). Woody does not get potato's security updates, and does not get new unstable security fixes in a timely fashion. This leaves woody vulnerable to certain kinds of problems, particularly distressing right now is the ssh security issue that is out there, which woody does not have a fix for. Potato has a fix at http://www.debian.org/security/2001/dsa-027 So how do we fix this on a woody machine? There are a few things that can be done, none of them very great. There is the possibility of putting the potato package on our machine, but are there dependency issues or problems downgrading a package from woody to potato? What about when a fix does finally come available for woody, will it be an issue to bring the potato package up to that woody upgrade? There is the possibility of enabling protocol2 only on our ssh installation, which would make us safe, but is only an interim fix until an update comes available for woody, this is an issue for people who cannot connect via protocol 2, and an annoyance/education effort for those who connect via protocol 1. All of these aren't great. Unless I am wrong, currently there is no known exploit for this hole, but that isn't that much of a reassurance either. Thanks, Micah
Re: Woody ssh exploit
On Thu, 22 Feb 2001, Micah Anderson wrote: Potato has a fix at http://www.debian.org/security/2001/dsa-027 So how do we fix this on a woody machine?

You could build it from the source pkg's.
put some deb-src lines in y'r /etc/apt/sources.list
apt-get (-b) source

btw. how do these 'Build-Depends' work? I always find myself fetching, building, install additional pkgs by hand.

[RicV]
Re: Woody ssh exploit
from the secret journal of Aaron Dewell ([EMAIL PROTECTED]): You could just recompile it yourself. I don't even use any of the Debian SSH packages anymore, they are mostly out-of-date anyway. The current SSH2 in woody is 2.0.13, for example. I just download the source and compile it myself for those kind of things. There's another good point to that: Anything that intimately connected with your system security should be done by hand anyway.

unless you need it done to many machines at once. that's why all of our production servers don't run slackware like they did in 97.

Actually, if someone wants to give me a hint on how to use the dpkg tool to build things (never done it before!) and how to upload the compiled versions, I'd re-contribute the packages.

put deb-src lines (see below) in your sources.list. now, let's say that proftpd has a security hole thats fixed in unstable but you're running testing. assuming you already have debhelper and dpkg-dev installed, this is all you have to do:

# fakeroot apt-get source -b proftpd

this leaves you with a proftpd package with the security fixes built for your specific system. i run with deb-src lines for unstable, but for what you're doing, a deb-src line for security.debian.org might be all you need.

deb-src http://http.us.debian.org/debian unstable main contrib non-free
deb-src http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free

--
jacob kuntz [EMAIL PROTECTED] underworld.net/~jake
RE: Woody ssh exploit
I installed ssh 2.3.0p1-1.11 from unstable on my woody machines at home. It works great.

Actually that's OpenSSH 2.3.0p1. I seriously wish the Debian team would stop calling it SSH and label it properly. OpenSSH is Free Software. The commercial release of SSH from SSH Communications is *not*. The current release of OpenSSH is 2.5.1p1. p stands for portable - for use on non-BSD systems. 2.5.1 not only contains new features it also has a few security fixes. Theo De Raadt is also claiming that OSSH 2.5 is the most universally compatible SSH implementation out which means it should work well with all other implementations from other vendors.

M
Re: Woody ssh exploit
Hi,

I'm running woody but I have security.debian.org stable in my apt sources.list file:

deb http://ftp.debian.org/debian woody main contrib non-free
deb http://non-us.debian.org woody/non-US main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free
deb http://spidermonkey.helixcode.com/distributions/debian woody main

As a result dpkg -s ssh yields:

Package: ssh
Status: install ok installed
Priority: optional
Section: non-US/main
Installed-Size: 503
Maintainer: Philip Hands [EMAIL PROTECTED]
Source: openssh
Version: 1:1.2.3-9.2
...

And zcat /usr/share/doc/ssh/changelog.Debian.gz | head yields:

openssh (1:1.2.3-9.2) stable; urgency=high

  * Non-maintainer upload by Security Team
  * Added backported fix for a buffer overflow (thanks to Piotr Roszatycki)
  * Added modified build dependencies from unstable for convenience
  * Added patch that fixes an rsa key exchange problem made public by CORE SDI.

which is the fixed version mentioned in the security alert. Am I missing something here? I thought the security fix was installed.

Stuart

Quoting Richard ([EMAIL PROTECTED]): On Thu, 22 Feb 2001, Micah Anderson wrote: Potato has a fix at http://www.debian.org/security/2001/dsa-027 So how do we fix this on a woody machine? You could build it from the source pkg's. put some deb-src lines in y'r /etc/apt/sources.list apt-get (-b) source btw. how do these 'Build-Depends' work? I always find myself fetching, building, install additional pkgs by hand. [RicV]
Re: Woody ssh exploit
On Thu, 22 Feb 2001, Peter Cordes wrote: On Thu, Feb 22, 2001 at 11:10:39AM -0800, Micah Anderson wrote: We are currently running woody on a production machine (yes, I am not that happy about that decision). Woody does not get potato's security updates, and does not get new unstable security fixes in a timely fashion. This leaves woody vulnerable to certain kinds of problems, particularly distressing right now is the ssh security issue that is out there, which woody does not have a fix for. Potato has a fix at http://www.debian.org/security/2001/dsa-027 So how do we fix this on a woody machine? I installed ssh 2.3.0p1-1.11 from unstable on my woody machines at home. It works great. Yes, but 2.4.0 is current.
Re: Woody ssh exploit
I installed ssh 2.3.0p1-1.11 from unstable on my woody machines at home. It works great. Yes, but 2.4.0 is current.

NO, SSH 2.4.0 is SSH from SSH Communications. It is a commercial release. OpenSSH and SSH are two different products - two completely different implementations of SSH. This last post helps to illustrate my point about properly naming these. It would help to eliminate a lot of confusion.

SSH is not Free Software. READ the licensing! Yes, there is no charge if you run it on Linux or any of the BSDs. However if you are using it in a mixed environment (you have non Linux/BSD machines) you could possibly be violating the license. The license is very restrictive. OpenSSH is Free Software (BSD style license). You can do whatever you want with it.

I really hope the packages get a name change. OpenSSH should be called openssh and SSH from SSH Communications labeled as ssh. The current stable release of OpenSSH for Linux is 2.5.1p1. You can get it at www.openssh.com

M
Re: Mac most secure servers?
On Thu, Feb 22, 2001 at 10:58:27AM -0500, Steve Rudd wrote: I have been told by a Mac-head that the Mac is the most secure server and that it is significantly more secure than any unix system, including Linux.

with MacOS everything runs as root since there is no security, no UIDs, no permissions nothing. if you manage to exploit any daemon or any cgi script you have full root on the box, a clueful attacker could do anything since there is also not even any memory protection in MacOS.

the reason MacOS seems to be more secure is simply that its an obscure platform, most typical unix attacks fail simply because MacOS is different. that does NOT mean that its not possible to very successfully attack MacOS and gain significant access, it simply takes a different attack and different exploits.

several years ago there was a silly `Crack a Mac' contest and someone managed to exploit a cgi script and deface the web site served by the Mac. in most cases such an attack would never allow site defacement on unix since the site is not owned by the webserver UID that the cgi script generally runs as.

--
Ethan Benson http://www.alaska.net/~erbenson/
Re: Mac most secure servers?
On Thu, Feb 22, 2001 at 03:09:36PM -0900, Ethan Benson wrote: several years ago there was a silly `Crack a Mac' contest and someone managed to exploit a cgi script and deface the web site served by the Mac. in most cases such an attack would never allow site defacement on unix since the site is not owned by the webserver UID that the cgi script generally runs as.

Point of note... cgi scripts for a site are generally setup to run as the user who owns the site so that if a cgi script is hacked, the damage is restricted to said site and not the webserver itself or the system as a whole.

--
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel. cat speaking of mental giants.. Jenna me, a giant, bullshit Jenna And i'm not mental - An IRC session, 20/12/2000
Re: Woody ssh exploit
To solve this issue with Woody I just leave the line for the stable security updates in my sources file. I get the security updates before they are in Woody. Is there any reason this would not be a good idea?

Ray

Random numbers are to computers what freewill is to human beings --Robert A. Heinlein

-- Original Message --
From: [EMAIL PROTECTED]
Date: Thu, 22 Feb 2001 16:10:18 -0500 (EST)

I installed ssh 2.3.0p1-1.11 from unstable on my woody machines at home. It works great. Yes, but 2.4.0 is current. NO, SSH 2.4.0 is SSH from SSH Communications. It is a commercial release. OpenSSH and SSH are two different products - two completely different implementations of SSH. This last post helps to illustrate my point about properly naming these. It would help to eliminate a lot of confusion. SSH is not Free Software. READ the licensing! Yes, there is no charge if you run it on Linux or any of the BSDs. However if you are using it in a mixed environment (you have non Linux/BSD machines) you could possibly be violating the license. The license is very restrictive. OpenSSH is Free Software (BSD style license). You can do whatever you want with it. I really hope the packages get a name change. OpenSSH should be called openssh and SSH from SSH Communications labeled as ssh. The current stable release of OpenSSH for Linux is 2.5.1p1. You can get it at www.openssh.com M
Re: Debian or Redhat 7???
Tal Danzig wrote: There are no mirrors of security.debian.org (or shouldn't be) for security reasons. This way the authenticity of security packages can be better controlled. - Tal What about local mirrors? I can imagine a company with several hundred, or maybe thousands of debian workstations upgrading at the same time directly from the security.debian.org site. They could setup a caching proxy, or a mirror. Are both available? I know someone could mirror with wget or some other mirror package through http, but I'd prefer rsync... Mike