Re: root fs/crypted

2001-05-29 Thread paul

I see it as more than this. I see it as ensuring that the data on the disk does
not get accessed by anyone who was never intended to see it (physically, of course).
I guess this would mostly be cool for thwarting things like police raids,
servers vulnerable in remote locations (e.g. colocation, etc). My opinion is,
with privacy, you can never have too much.


Thanks,

Paul
[EMAIL PROTECTED]
The price of freedom is eternal vigilance.


Curt Howland wrote:

> there is already a HowTo on how to create an encrypted
> loop-back "file system". it doesn't encrypt the whole
> disk, but it could certainly hold anything worth having
> encrypted.
>
> don't get me wrong, i fully understand the reasons behind
> putting the entire system behind a good pass-phrase. with
> the way *nix's put configuration files, data files, manuals,
> binaries, etc in so many different places, the only way to
> be absolutely sure would be to encrypt everything.
>
> but that only works at startup. if the system is running,
> having the entire disk encrypted is no different than the
> fact it's all in hex already. an individual user based
> encryption means all you have to do is logout, not power
> down, to kill the "decryption" process and thwart snooping.
>
> so how about a start-up passphrase protecting everything
> owned by root, then another for each individual user? but
> that would cancel root's ability to read everything
>
> hmmm.
>
> Curt-
>
> -Original Message-
> From: Paul Lowe [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 30, 2001 12:03
> To: clemens; [EMAIL PROTECTED]
> Subject: Re: root fs/crypted
>
> I like this. Would it be difficult to modify Debian, so that
> upon install, it creates an encrypted root volume and starts
> things off the right way?
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]






RE: root fs/crypted

2001-05-29 Thread Curt Howland

there is already a HowTo on how to create an encrypted
loop-back "file system". it doesn't encrypt the whole
disk, but it could certainly hold anything worth having
encrypted.

don't get me wrong, i fully understand the reasons behind
putting the entire system behind a good pass-phrase. with
the way *nix's put configuration files, data files, manuals,
binaries, etc in so many different places, the only way to
be absolutely sure would be to encrypt everything.

but that only works at startup. if the system is running,
having the entire disk encrypted is no different than the
fact it's all in hex already. an individual user based
encryption means all you have to do is logout, not power
down, to kill the "decryption" process and thwart snooping.

so how about a start-up passphrase protecting everything
owned by root, then another for each individual user? but
that would cancel root's ability to read everything

hmmm.

Curt-

-Original Message-
From: Paul Lowe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 30, 2001 12:03
To: clemens; debian-security@lists.debian.org
Subject: Re: root fs/crypted


I like this. Would it be difficult to modify Debian, so that
upon install, it creates an encrypted root volume and starts
things off the right way?



Re: root fs/crypted

2001-05-29 Thread Paul Lowe
I like this. Would it be difficult to modify Debian, so that
upon install, it creates an encrypted root volume and starts
things off the right way?

-Original Message-
From: clemens <[EMAIL PROTECTED]>
To: debian-security@lists.debian.org 
Date: Tuesday, May 29, 2001 6:04 PM
Subject: root fs/crypted


>
>SAWFASP^*
>
>as laws around the globe are forged to weaken personal privacy,
>police knocking on one's door because of portscanning a
>previously hacked website, and - i don't have to tell those
>of you who are reading slashdot - as pretty strange things start
>to happen worldwide, i'm getting somewhat nervous about
>my data safety.
>
>what i'm aiming at, you might ask?
>debian should support a crypted rootfs right out
>of the box.
>
>i'll try to grasp within a few words what's necessary to realize this:
>
>- the international kernel must be introduced as regular
>  debian packages.
>- the boot disks need to be modified (just do a losetup
>  on some loopdev, and mount that one instead of the realrootdev)
>- of course, there must be an initrd to boot from,
>  which accepts authentication information.
>  (this ramdisk has to be placed unencrypted on
>   the rootfs, so the kernel code has to be circumvented or
>   the plain data has to be manually decrypted in usermode
>   to be re-encrypted to the original plain data when flushed
>   to disk.. easy for ECB mode crypto but harder to
>   achieve for CBC mode - creative suggestions welcome)
>- there must be an alternative passphrase, since neither i nor
>  any user will be willing to trust one forgettable phrase.
>  (how many times have you forgotten your mobile phone pin?)
>  suggestion: the actual key will be randomly generated, and
>  encrypted twice by two different passphrases/keys - one
>  chosen by the user, one randomly generated - useful to write on
>  a piece of paper and hide behind the bookshelf.
>
>(probably i should crosspost to debian-legal. the
>whole non-US issue has been left untouched)
>
>what do YOU think?
>shall debian be the first(?) privacy enhanced distro?
>
>clemens
>
>^* SAWFASP = searched archives without finding a similar
>posting
>
>



root fs/crypted

2001-05-29 Thread clemens

SAWFASP^*

as laws around the globe are forged to weaken personal privacy, 
police knocking on one's door because of portscanning a
previously hacked website, and - i don't have to tell those
of you who are reading slashdot - as pretty strange things start
to happen worldwide, i'm getting somewhat nervous about
my data safety.

what i'm aiming at, you might ask? 
debian should support a crypted rootfs right out
of the box.

i'll try to grasp within a few words what's necessary to realize this:

- the international kernel must be introduced as regular 
  debian packages. 
- the boot disks need to be modified (just do a losetup
  on some loopdev, and mount that one instead of the realrootdev)
- of course, there must be an initrd to boot from, 
  which accepts authentication information.
  (this ramdisk has to be placed unencrypted on 
   the rootfs, so the kernel code has to be circumvented or
   the plain data has to be manually decrypted in usermode
   to be re-encrypted to the original plain data when flushed 
   to disk.. easy for ECB mode crypto but harder to
   achieve for CBC mode - creative suggestions welcome)
- there must be an alternative passphrase, since neither i nor
  any user will be willing to trust one forgettable phrase.
  (how many times have you forgotten your mobile phone pin?)
  suggestion: the actual key will be randomly generated, and 
  encrypted twice by two different passphrases/keys - one 
  chosen by the user, one randomly generated - useful to write on 
  a piece of paper and hide behind the bookshelf.

(probably i should crosspost to debian-legal. the 
whole non-US issue has been left untouched)

what do YOU think?
shall debian be the first(?) privacy enhanced distro?

clemens

^* SAWFASP = searched archives without finding a similar 
posting
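Clemens' last bullet describes a randomly generated volume key that is wrapped twice, once under the passphrase the user chooses and once under a random recovery phrase written on paper, so that either one unlocks the volume; this is the multi-slot layout that LUKS later adopted. The block below is an added example, not code from this thread or from Debian. It assumes scrypt for passphrase stretching and, so that it runs on the Python standard library alone, uses an HMAC-SHA256 counter-mode keystream with a separate HMAC tag as the wrapping cipher; a real installer would use AES key wrap or AES-GCM from a crypto library. All function names, work factors and sample phrases are mine.

```python
"""Two-slot wrapping of a random volume key (added example, not code from the thread)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

KEY_LEN = 32
# Constructed scrypt work factors; a real installer would tune these to the hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a key-encryption key with scrypt (assumed KDF)."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; the nonce is fresh per slot so a stream is never reused."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(master_key: bytes, passphrase: str) -> Dict[str, bytes]:
    """One key slot: the master key encrypted under this passphrase, plus an integrity tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    kek = derive_kek(passphrase, salt)
    blob = _xor(master_key, _keystream(kek, nonce, len(master_key)))
    tag = hmac.new(kek, b"slot-tag" + nonce + blob, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "blob": blob, "tag": tag}


def unwrap_key(slot: Dict[str, bytes], passphrase: str) -> Optional[bytes]:
    """Return the master key, or None if the passphrase is wrong or the slot was tampered with."""
    kek = derive_kek(passphrase, slot["salt"])
    expected = hmac.new(kek, b"slot-tag" + slot["nonce"] + slot["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return _xor(slot["blob"], _keystream(kek, slot["nonce"], len(slot["blob"])))


def create_volume_header(user_passphrase: str) -> Tuple[List[Dict[str, bytes]], str]:
    """Generate the random master key and wrap it twice: user phrase and random recovery phrase."""
    master_key = secrets.token_bytes(KEY_LEN)
    recovery_phrase = secrets.token_hex(16)      # the phrase "to write on a piece of paper"
    header = [wrap_key(master_key, user_passphrase), wrap_key(master_key, recovery_phrase)]
    return header, recovery_phrase


def open_volume(header: List[Dict[str, bytes]], passphrase: str) -> Optional[bytes]:
    """Try every slot; any one correct passphrase yields the same master key."""
    for slot in header:
        key = unwrap_key(slot, passphrase)
        if key is not None:
            return key
    return None


if __name__ == "__main__":
    hdr, recovery = create_volume_header("correct horse battery staple")
    assert open_volume(hdr, "correct horse battery staple") == open_volume(hdr, recovery)
    assert open_volume(hdr, "wrong") is None
    print("both slots unlock the same master key; a wrong phrase unlocks nothing")
```

The point of the layout is that the volume is encrypted under one key that nobody ever types; each slot is independent, so the recovery phrase can be revoked by overwriting its slot without re-encrypting the disk, and a wrong phrase is detected by the tag rather than by mounting garbage.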









Re: apt and security

2001-05-29 Thread Jason Thomas
actually I thought some sort of log for dpkg/apt would be good, just to
keep a record of when something was installed or upgraded. so you know
what changed.

On Tue, May 29, 2001 at 09:36:37AM -0500, Matthew H. Ray wrote:
> I've got tripwire keeping an eye on my filesystems so I'm notified whenever a
> change is made.  I recently added a couple of packages via apt, and I noticed 
> a
> number of files were modified that I hadn't expected changed.  I don't recall
> the names of the packages I upgraded (there were a bunch), but I was wondering
> if there is a dpkg -l flag of some sort that shows you the timestamps of when 
> a
> package was added, and if I could get the listing of files altered by those
> packages once I know which ones they are?
> 
> --
> Matthew H. Ray
> [EMAIL PROTECTED]
> [EMAIL PROTECTED] (secure)
> 
> 

-- 
Jason Thomas   Phone:  +61 2 6257 7111
System Administrator  -  UID 0 Fax:+61 2 6257 7311
tSA Consulting Group Pty. Ltd. Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602 http://www.topic.com.au/








Re: other mysterious port things

2001-05-29 Thread Ken Seefried

Cesar writes:

> Hi ! 
> 
>   I'm a disquette with this utilities clean.
>   #mount /dev/fd0 /floppy
>   #cd /floppy
>   #./netstat -antp  
> 

Don't forget to mount "-ro" or write protect the floppy. :-) 

On linux, AFAIK, "netstat" relies on /dev/net and friends not to lie to it. 
This is a poor assumption on a compromised machine, as it is possible to 
intercept the reading of these devices in the kernel to filter results.  
This can be done with an LKM (which are a common feature of root kits), or 
perhaps by leveraging flaws in existing system calls (e.g. the old BSD 
mmap() bug that let you make kernel physical memory writable could be used 
to effect this, I suppose). 

For a practical example of how this can work in the wild, please check out 
the "knark" or "rial" root kit.  Both use an LKM, BTW.  Even having a safe, 
statically linked "netstat" on floppy won't save you here. 

Once again, successful detection of a compromise is a multi-layered problem, 
and no one tool is a silver bullet. 

Ken Seefried, CISSP 



Re: Security in general

2001-05-29 Thread Karl E. Jorgensen
On Tue, May 29, 2001 at 10:50:07AM +0200, kjfsgjks ksjgkfhfd wrote:
> Hi,

kjfsgjks: You probably have a real name. Why not use it? 

> I have a question which has been bothering me all along, with windows / 
> linux / *bsd / etc. In this case, it's about Debian so I thought I'd post my 
> question here.
> Right now I have a linux-box (Debian 2.2r2) doing my 
> masquerading/firewalling. It has a dynamic ip (and changes quite often, like 
> 3 times a day). It runs all the latest patches, no services except for sshd 
> (for internal hosts) and identd (which is open for external connects. yeah I 
> know I shouldn't, but I need it).
> 
> I have a firewall set up (ipchains in this case), which blocks just about 
> anything incoming, except for the high ports (for ftp) and identd.

Are your users using passive mode FTP? If so, then you can block
off the high port numbers too.

Just my 2p worth

...snip...
> 
> Tubby

-- 
Karl E. Jørgensen
[EMAIL PROTECTED]
www.karl.jorgensen.com
 Today's fortune:
Facts are stubborn, but statistics are more pliable.




Re: other mysterious port things

2001-05-29 Thread Cesar

  Sorry I "have" :)) 

Cesar wrote:
> 
> Hi !
> 
>   I have a disquette with this utilities clean.
>   #mount /dev/fd0 /floppy
>   #cd /floppy
>   #./netstat -antp
> 
>   Regards
> César.
>



Re: other mysterious port things

2001-05-29 Thread Hubert Chan
On Tue, 29 May 2001, Ken Seefried wrote:

> Tim Haynes writes:
> > 
> >  Why do people persist in using nmap at test phase? Sure, if you've
> > been cracked, scan yourself if you want, but if you're looking to see `what
> > do I have open?' then nmap is the *last* tool I'd use.  
> > 
> > Go back to 
> > sudo netstat -plan | grep LIST
> 
> Well...that would be incorrect.  If you have been cracked, or suspect you 
> might have, then you cannot completely rely on the output of netstat, ps, 
> lsof, etc.  Many of the rootkits I've seen quite effectively hide themselves 
> behind trojan utilities and shared libs, making detection by such casual 
> methods as you indicate difficult. 

Which is why nmap would be useful if you've been cracked: because you can
scan yourself from *another* *box* (which is how you're supposed to use
nmap).

Tim is just saying that if you *haven't* been cracked, use netstat instead
of nmap.

-- 
Hubert Chan
Research Associate
Prediction in Interacting Systems (MITACS-PINTS)
University of Alberta
Office: CAB 522
Ph: 492-4394
e-mail: [EMAIL PROTECTED]



Re: other mysterious port things

2001-05-29 Thread Cesar

Hi !

  I'm a disquette with this utilities clean.
  #mount /dev/fd0 /floppy
  #cd /floppy
  #./netstat -antp 

  Regards
César.


Ken Seefried wrote:
> 
> Tim Haynes writes:
> >
> >  Why do people persist in using nmap at test phase? Sure, if you've
> > been cracked, scan yourself if you want, but if you're looking to see `what
> > do I have open?' then nmap is the *last* tool I'd use.
> >
> > Go back to
> > sudo netstat -plan | grep LIST
> 
> Well...that would be incorrect.  If you have been cracked, or suspect you
> might have, then you cannot completely rely on the output of netstat, ps,
> lsof, etc.  Many of the rootkits I've seen quite effectively hide themselves
> behind trojan utilities and shared libs, making detection by such casual
> methods as you indicate difficult.
> 
> An accurate assessment requires more than a single tool.
> 
> Ken Seefried, CISSP
> 






apt and security

2001-05-29 Thread Matthew H. Ray
I've got tripwire keeping an eye on my filesystems so I'm notified whenever a
change is made.  I recently added a couple of packages via apt, and I noticed a
number of files were modified that I hadn't expected changed.  I don't recall
the names of the packages I upgraded (there were a bunch), but I was wondering
if there is a dpkg -l flag of some sort that shows you the timestamps of when a
package was added, and if I could get the listing of files altered by those
packages once I know which ones they are?

--
Matthew H. Ray
[EMAIL PROTECTED]
[EMAIL PROTECTED] (secure)
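Matthew's question (which packages changed, when, and which of the files Tripwire flagged belong to them) and Jason's wish for an install/upgrade log are what later Debian releases answer with /var/log/dpkg.log plus `dpkg -L`. The block below is an added example, not code from this thread or from dpkg. It parses constructed dpkg.log lines in the modern format (the `install`/`upgrade`/`remove` transition lines; the Debian 2.2 system discussed here kept no such log), selects the packages touched since a timestamp, and then attributes a constructed Tripwire change list to the file lists those packages ship (the output of `dpkg -L pkg`, embedded here as dictionaries). Sample data, names and timestamps are mine.

```python
"""Correlate a Tripwire change report with dpkg's package history (added example)."""
from datetime import datetime
from typing import Dict, List, NamedTuple, Set

# Constructed excerpt in /var/log/dpkg.log format: "<date> <time> <action> <pkg> <old> <new>".
SAMPLE_DPKG_LOG = """\
2001-05-29 09:20:11 startup packages configure
2001-05-29 09:20:12 install tripwire:i386 <none> 2.3.1-1
2001-05-29 09:20:13 status unpacked tripwire:i386 2.3.1-1
2001-05-29 09:20:15 status installed tripwire:i386 2.3.1-1
2001-05-29 09:21:40 upgrade openssh:i386 1:2.5.2p2-1 1:2.5.2p2-2
2001-05-29 09:21:41 status installed openssh:i386 1:2.5.2p2-2
2001-05-29 09:22:03 remove lynx:i386 2.8.4-1 <none>
"""
# Constructed paths Tripwire reported as modified.
TRIPWIRE_CHANGED = {"/usr/sbin/sshd", "/usr/sbin/tripwire", "/bin/ls"}
# Constructed stand-in for "dpkg -L <pkg>" output of the packages that changed.
PACKAGE_FILES = {
    "tripwire": {"/usr/sbin/tripwire", "/etc/tripwire/twcfg.txt"},
    "openssh": {"/usr/sbin/sshd", "/usr/bin/ssh"},
}

TRANSITIONS = {"install", "upgrade", "remove", "purge"}


class DpkgEvent(NamedTuple):
    when: datetime
    action: str
    package: str        # architecture qualifier stripped
    old_version: str
    new_version: str


def parse_dpkg_log(text: str) -> List[DpkgEvent]:
    """Keep only package transitions; 'status', 'startup' and 'conffile' lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[2] not in TRANSITIONS:
            continue
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        package = parts[3].split(":", 1)[0]      # "openssh:i386" -> "openssh"
        events.append(DpkgEvent(when, parts[2], package, parts[4], parts[5]))
    return events


def packages_changed_since(events: List[DpkgEvent], since: datetime) -> Dict[str, List[DpkgEvent]]:
    """Group transitions at or after 'since' by package name."""
    changed: Dict[str, List[DpkgEvent]] = {}
    for ev in events:
        if ev.when >= since:
            changed.setdefault(ev.package, []).append(ev)
    return changed


def attribute_changes(changed_paths: Set[str], file_lists: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each modified path to the packages shipping it; an empty list means nobody does."""
    return {path: sorted(pkg for pkg, files in file_lists.items() if path in files)
            for path in sorted(changed_paths)}


def unexplained(attribution: Dict[str, List[str]]) -> List[str]:
    """Paths no recently changed package accounts for: these deserve a closer look."""
    return [path for path, pkgs in attribution.items() if not pkgs]


if __name__ == "__main__":
    events = parse_dpkg_log(SAMPLE_DPKG_LOG)
    for pkg, evs in packages_changed_since(events, datetime(2001, 5, 29, 9, 0, 0)).items():
        print(pkg, [(e.when.isoformat(), e.action, e.new_version) for e in evs])
    attribution = attribute_changes(TRIPWIRE_CHANGED, PACKAGE_FILES)
    print("unexplained:", unexplained(attribution))   # /bin/ls is shipped by none of them
```

In practice the file lists come from `dpkg -L` for each package the log names (or `dpkg -S /path` for the reverse lookup), and a path that no recent package explains is the one to compare against the package's own md5sums. On a system without dpkg.log, the modification times of `/var/lib/dpkg/info/*.list` give a rough install order, since dpkg rewrites a package's list file when it installs or upgrades it.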



Re: other mysterious port things

2001-05-29 Thread Ken Seefried

Tim Haynes writes:
> 
>  Why do people persist in using nmap at test phase? Sure, if you've
> been cracked, scan yourself if you want, but if you're looking to see `what
> do I have open?' then nmap is the *last* tool I'd use.  
> 
> Go back to 
> sudo netstat -plan | grep LIST

Well...that would be incorrect.  If you have been cracked, or suspect you 
might have, then you cannot completely rely on the output of netstat, ps, 
lsof, etc.  Many of the rootkits I've seen quite effectively hide themselves 
behind trojan utilities and shared libs, making detection by such casual 
methods as you indicate difficult. 

An accurate assessment requires more than a single tool. 

Ken Seefried, CISSP 






Re: other mysterious port things

2001-05-29 Thread Pedro Zorzenon Neto
On Tue, May 29, 2001 at 12:07:47PM +0100, Tim Haynes wrote:
> sudo netstat -plan | grep LIST
just a small note: if your LC environment variables are set to another language, 
you may need to change LIST to another word. (in pt_BR it is OUÇA)

-- 
   Pedro Zorzenon Neto  






Re: other mysterious port things

2001-05-29 Thread Tim Haynes
Jogi Hofmueller <[EMAIL PROTECTED]> writes:

> lately i was running nmap to check my office machine. to my surprise i
> found an open port 'cadsi-lm' (1387). running nmap again the port was not
> there anymore. on future runs i found my machine listening on different
> registered non-privileged ports but i never found any daemon nor nothing
> with lsof. the event is not reproduceable. the same port never shows up
> again. tcpdump didn't produce any helpful output.

 Why do people persist in using nmap at test phase? Sure, if you've
been cracked, scan yourself if you want, but if you're looking to see `what
do I have open?' then nmap is the *last* tool I'd use. Look at
nmap-services and note how many of /proc/sys/net/ipv4/ip_local_port_range
are given names because some crummy company has used them before now.

Go back to 
sudo netstat -plan | grep LIST
and that'll tell you what's listening, and more importantly, it'll tell you
what interface(s) the listeners have bound to, as well. (Of course,
equivalents with lsof and fuser can be useful too if you like them.)

> so my question: has anyone ever noticed something like this? could it be
> a bug in nmap (i'm using V. 2.12 from debian/potato which seems to be the
> newest version)?
[snip]

Do you run gnome-terminal? gdm and/or kdm[i]? ISTM far more likely that it was
a legitimate process setting up a fairly transient listener than that it
was any such worm, although you may well be the first ;)

~Tim

Footnotes: 
[i]  these are known to listen most frequently *on* 1024, especially if
started as part of the boot sequence. 

-- 
A big sky above me, |[EMAIL PROTECTED]
West winds blow.|http://spodzone.org.uk/
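Ken's point is that a kernel-resident rootkit can filter what /proc/net (which netstat reads) reports, Hubert's is that the remedy is a scan from another box, and Tim's is that a port that shows up once inside the kernel's ephemeral range is more likely a transient socket than a backdoor. The block below is an added example, not code from this thread or from any of the tools named in it, that puts the three together: it parses a constructed excerpt in the format of /proc/net/tcp (little-endian hex addresses, state 0A for LISTEN), keeps the listeners an outside host could reach, and compares them with the open ports a constructed external nmap run reported, classifying each discrepancy against a constructed ip_local_port_range. Sample data, the host address and all function names are mine.

```python
"""Cross-check the kernel's own listener table against an external scan (added example)."""
from typing import Dict, Set, Tuple

# Constructed excerpt in /proc/net/tcp format: local_address is little-endian hex IP:port,
# st 0A is LISTEN and 01 is ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 100 0 0 10 0
   2: 0A00000A:0016 0B00000A:C01E 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 0 100 0 0 10 0
"""
# Constructed contents of /proc/sys/net/ipv4/ip_local_port_range.
SAMPLE_PORT_RANGE = "32768\t60999\n"
# Constructed open-port set from an nmap run on another machine against 10.0.0.10.
SAMPLE_EXTERNAL_SCAN = {22, 31337, 40123}

TCP_LISTEN = "0A"


def parse_proc_net_tcp(text: str) -> Set[Tuple[str, int]]:
    """Return (ip, port) for every socket in LISTEN state."""
    listeners = set()
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 4 or parts[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = parts[1].split(":")
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))  # undo little-endian
        listeners.add((ip, int(port_hex, 16)))
    return listeners


def parse_port_range(text: str) -> Tuple[int, int]:
    lo, hi = text.split()
    return int(lo), int(hi)


def externally_reachable(listeners: Set[Tuple[str, int]], host_ip: str) -> Set[int]:
    """Ports bound to the wildcard address or to the host's own address; loopback-only ones are dropped."""
    return {port for ip, port in listeners if ip in ("0.0.0.0", host_ip)}


def cross_check(local_ports: Set[int], scanned_ports: Set[int],
                ephemeral: Tuple[int, int]) -> Dict[str, Set[int]]:
    """Classify the difference between what the kernel admits to and what the scanner saw."""
    lo, hi = ephemeral
    unexpected = scanned_ports - local_ports
    return {
        "confirmed": scanned_ports & local_ports,
        "hidden": {p for p in unexpected if not lo <= p <= hi},             # the rootkit signal
        "transient_candidate": {p for p in unexpected if lo <= p <= hi},    # Tim's case: rescan
        "local_only": local_ports - scanned_ports,                          # e.g. filtered by ipchains
    }


def audit(proc_net_tcp: str, port_range_text: str, host_ip: str,
          scanned_ports: Set[int]) -> Dict[str, Set[int]]:
    listeners = parse_proc_net_tcp(proc_net_tcp)
    local = externally_reachable(listeners, host_ip)
    return cross_check(local, scanned_ports, parse_port_range(port_range_text))


if __name__ == "__main__":
    result = audit(SAMPLE_PROC_NET_TCP, SAMPLE_PORT_RANGE, "10.0.0.10", SAMPLE_EXTERNAL_SCAN)
    for label, ports in result.items():
        print(f"{label:20s} {sorted(ports)}")
```

On a real host the first input is /proc/net/tcp and /proc/net/tcp6 (or `LC_ALL=C netstat -plan`, with Pedro's locale caveat in mind) and the second is the scan from the other box. A port in "hidden" is not proof of a rootkit on its own, since a process that exited between the two snapshots or a port forward in front of the host produces the same picture, but it is the discrepancy that the local tools alone can never show you.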



other mysterious port things

2001-05-29 Thread Jogi Hofmueller

hi!

lately i was running nmap to check my office machine. to my surprise i
found an open port 'cadsi-lm' (1387). running nmap again the port was not
there anymore. on future runs i found my machine listening on different
registered non-privileged ports but i never found any daemon or anything
with lsof. the event is not reproducible. the same port never shows up
again. tcpdump didn't produce any helpful output.

i checked various security sites if there is anything known about a 'worm'
or backdoor that shows a behaviour like this. nothing.

so my question: has anyone ever noticed something like this? could it be a
bug in nmap (i'm using V. 2.12 from debian/potato which seems to be the
newest version)?

thanx for replies
j.

-- 
j. hofmueller   http://www.mur.at/~jogi/   GSM: +43-676-34 12 198
ASCII RIBBON CAMPAIGN AGAINST HTML MAIL AND POSTINGS

Look for public key at my homepage ...



Re: other mysterious port things

2001-05-29 Thread Pedro Zorzenon Neto

On Tue, May 29, 2001 at 12:07:47PM +0100, Tim Haynes wrote:
> sudo netstat -plan | grep LIST
just a small note: if your LC environment variables are set to another language, you may
need to replace LIST with another word (in pt_BR it is OUÇA).

-- 
   Pedro Zorzenon Neto
   Debian GNU/Linux | Debian BR | Be Happy! Be FREE! | "Think globally, act locally!"
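An added example, not code from anyone in this thread: it does what Tim's `sudo netstat -plan | grep LIST` does without depending on the locale Pedro mentions, by reading /proc/net/tcp directly, and it flags listeners that fall inside ip_local_port_range, the range Tim points out nmap-services decorates with names. The /proc/net/tcp sample and the port-range value are constructed; `pid_for_inode` assumes a Linux /proc.

```python
import os
import socket
import struct
# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# sshd on 0.0.0.0:22, a uid-1000 listener on 127.0.0.1:1387 ('cadsi-lm' in
# nmap-services) and one ESTABLISHED ssh session, which is not a listener.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0100007F:056B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0 100 0 0 10 0
   2: 0500000A:0016 0100000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0 100 0 0 10 0
"""
SAMPLE_PORT_RANGE = "1024\t4999\n"  # constructed ip_local_port_range contents
TCP_LISTEN = "0A"                   # kernel state code for LISTEN

def decode_endpoint(field):
    """'0100007F:056B' -> ('127.0.0.1', 1387): the address is a host-order
    32-bit value printed in hex, so it is unpacked little-endian (x86)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def listeners(proc_net_tcp_text):
    """[(ip, port, uid, inode)] for every LISTEN socket; no locale-dependent
    'LISTEN' word is involved, so this works where 'grep LIST' would not."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and f[3] == TCP_LISTEN:
            ip, port = decode_endpoint(f[1])
            found.append((ip, port, int(f[7]), int(f[9])))
    return found

def likely_transient(listen_list, port_range_text):
    """Listeners inside ip_local_port_range were probably bound with port 0 (kernel-
    assigned): the pattern of a short-lived listener, not a configured daemon. A hint only."""
    lo, hi = (int(x) for x in port_range_text.split())
    return [e for e in listen_list if lo <= e[1] <= hi]

def pid_for_inode(inode):
    """The '-p' of netstat -plan: which process holds socket:[inode]? Linux only; None if unknown."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = os.listdir("/proc/%s/fd" % pid)
            if any(os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target for fd in fds):
                return int(pid)
        except OSError:  # process exited, or not ours to inspect without root
            pass
    return None
```

On a live host, feed it the real /proc/net/tcp (and /proc/net/tcp6, whose addresses are 128-bit) and /proc/sys/net/ipv4/ip_local_port_range instead of the samples.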


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Security in general

2001-05-29 Thread kjfsgjks ksjgkfhfd

Hi,

I have a question which has been bothering me all along, with windows / 
linux / *bsd / etc. In this case, it's about Debian so I thought I'd post my 
question here.
Right now I have a linux-box (Debian 2.2r2) doing my 
masquerading/firewalling. It has a dynamic ip (and changes quite often, like 
3 times a day). It runs all the latest patches, no services except for sshd 
(for internal hosts) and identd (which is open for external connects. yeah I 
know I shouldn't, but I need it).


I have a firewall set up (ipchains in this case), which blocks just about 
anything incoming, except for the high ports (for ftp) and identd.


I have no local users on the box except for totally trusted users (=me or 
gf).
Still I don't feel totally safe (and I shouldn't from what I'm told), but I 
wanna know what else I can do to enhance security. In the past I had 
Portsentry running and stuff, but since I block (& log almost) everything 
anyway, I see that stuff in my logs.

I have logcheck sending me mails, it comes with firewall-hits etc.
Is it useful to have it running anyway? If it's in my log, it's already 
blocked. So what can I do anyway...


I hope someone understands my question :)
It isn't very specific, I know, and I'm sorry..

Tubby








Re: hi, any help ? about an evil mysterious crazy Open tcp port ?

2001-05-29 Thread Juha Jäykkä
> how, can i see the tcp port 4350 that states to be opened using nmap

  There is _the_ official document of registered ports at
http://www.iana.org/assignments/port-numbers and it claims 4350 is
"Net Device" - whatever that means. The entry was created by Microsoft,
so we may assume it is some Windows stuff. This does not preclude the
possibility of a backdoor/trojan, though: a wise backdoor would listen
on a port which would be open anyway, thus concealing (partly) its
presence.

-- 
Juha Jäykkä, [EMAIL PROTECTED]
home: http://www.utu.fi/~juolja/


