Re: ProFtpd question
On Wednesday 27 June 2001 19:07, [EMAIL PROTECTED] wrote:
>
> And if I'm not mistaken, if they are somehow now able to execute the
> chsh command, then they have a valid shell account they can log in
> to. :-(
>
> While they shouldn't be able to run chsh, or the equivalent, putting
> their shell in /etc/shells puts them that much closer to an account.

Yep, but "false" (or "true") is NOT a shell. So they won't be able to execute chsh and change their login shell to a real one.

Moreover, I think it's a good idea to disable ftp for people with a "real" valid shell (i.e. only include pseudo shells in /etc/shells) as it isn't a secure protocol.

JM
strange openssh error
Recently an uncommon error has begun appearing in the logs of only one of my servers:

Jun 27 17:06:23 karma sshd[31816]: Setting tty modes failed: Invalid argument

I have no clue what it could be due to. Any help would be appreciated.

--
Luca Gibelli ([EMAIL PROTECTED] || [EMAIL PROTECTED])
PGP Fingerprint: EC7C D6D2 D754 89F8 BDE8 8924 6341 3B07 C2F3 9102
PGP Key Available on: Key Servers || http://gibelli.oltrelinux.com/gibelli.asc
BOFH excuse 143: Your computer hasn't been returning all the bits it gets from the Internet.
Re: ProFtpd question
On Wed, Jun 27, 2001 at 02:49:20AM +0200, Jean-Marc Boursot wrote:
> You create the link ftponly:
> ln -s /bin/ftponly /bin/false
>
> You add /bin/ftponly in /etc/shells.

And if I'm not mistaken, if they are somehow now able to execute the chsh command, then they have a valid shell account they can log in to. :-(

While they shouldn't be able to run chsh, or the equivalent, putting their shell in /etc/shells puts them that much closer to an account.

Bob
Re: ProFtpd question
Reidar Krogstad <[EMAIL PROTECTED]> writes:
> And why not /bin/true ?
> When I add ftp-only users I set their shell to /bin/true.
> That makes them able to log in with ftp without access to a shell.
[snip]

Personal preference in choosing shells: if they have access to a service on the box, /bin/true; if they have no access at all, /bin/false; if they're peasants who need telling that they have no access, /usr/local/bin/buzzoff.sh or words to that effect. (That way I can glance at passwd and say `do they have access? false'...)

~Tim
--
There's a sadness, there's a joy           | [EMAIL PROTECTED]
There's a place,                           | http://spodzone.org.uk/
There's a song that will never die         | Forever |
Re: ProFtpd question
Hey,

this is what the Proftpd docs say. requirevalidshell is by default set to on. So proftpd will not allow logins from users whose shell is /bin/false, since this one is not listed in /etc/shells as a valid shell.

Syntax: RequireValidShell on|off
Default: on
Context: server config, , ,
Module: mod_core
Compatibility: 0.99.0 and later

The RequireValidShell directive configures the server, virtual host or anonymous login to allow or deny logins which do not have a shell binary listed in /etc/shells. By default, proftpd disallows logins if the user's default shell is not listed in /etc/shells. If /etc/shells cannot be found, all default shells are assumed to be valid.

For controlling who is allowed to access which host, I believe this can not be done as you would run proftpd normally. Maybe you should go and have a look into the proftpd-mysql plugins around.

greetz...
Michael

--
Linux is like wigwam - no windows, no gates, Apache inside!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 June 2001 18:46
To: debian-security
Subject: Re: ProFtpd question

Thanks for all your answers. With that I suppose that "proftpd" does not accept users with the "/bin/false" shell, isn't that true?

Another question related to this one. Is there any configuration file where we can configure the host access (which user is to access which service)?

(sorry for my English)

--
yoros
Re: ProFtpd question
And why not /bin/true ?
When I add ftp-only users I set their shell to /bin/true.
That makes them able to log in with ftp without access to a shell.

At 20:54 26.06.2001 -0700, Brandon High wrote:
> On Wed, Jun 27, 2001 at 03:36:27AM +0200, Jean-Marc Boursot wrote:
> >
> > > ln -s /bin/ftponly /bin/false
> >
> > Wow, it's quite late in Europe. It's better like that:
> > ln -s /bin/false /bin/ftponly
>
> Perhaps a silly question, but why not just set the shell to /bin/false?
>
> -B
>
> --
> Brandon High [EMAIL PROTECTED]
> Black holes are where God divided by zero.

Reidar Krogstad
tlf +47 959 45 444
Re: ProFtpd question
Thanks for all your answers. With that I suppose that "proftpd" does not accept users with the "/bin/false" shell, isn't that true?

Another question related to this one. Is there any configuration file where we can configure the host access (which user is to access which service)?

(sorry for my English)

--
yoros
Re: How to route
> > Good idea! But is it a Good Thing? mhhh... yes, it seems!
> > Ok, as a definitive solution I'll do it and update to
> You definitely don't have to update to iptables and 2.4 kernels
> to NAT.

Yes, but in the future...

> > By the way, I have to patch the kernel 2.2.17 (or 18 or 19)
> > to do bridging, isn't it?
> You don't have to patch your kernel, however, if you didn't compile
> it yourself, enabling bridging, nat (and so on) modules needed, you
> must recompile your kernel. For the moment, I don't use kernel-package
> and kernel-sources- to compile and install my kernel(s), but
> it may (must ;-) be a good solution to begin (and to end ...).

Last month I enabled bridge within a 2.2.19 (tar.gz) kernel and there was no 'bridge' chain in ipchains. The chain appeared magically after applying a linux_brfw_2.2.17.diff to the kernel and recompiling it... perhaps I was wrong and that was not the point, I don't remember.

> Last thing, I'm wondering why you need bridging ? I presume you are
> making a mismatch between NAT and Ethernet-Bridging, which are significantly
> different ...

Well... a bridge is a /---\ on a river between two networks... it has a learning algorithm to know who can traverse it. Howto said. A NAT is a way to redirect a packet to or from somewhere... They can both solve my problem, but perhaps NAT was designed for me. When I say NAT I mean "iptables nat" because it is the only NAT I know under linux. Yes, what I'm going to do with a bridge could be seen as a NAT. Oo.

And why I need bridging...? Because I don't want to modify the router, as my good old poor manager asked me...! But he isn't crazy: he wants a "portable" security system for similar networks he manages.

> You should take a look to kernel docs and read a little
> about bridging

I hope to understand it well! :)

Bye,
Marco

Marco Tassinari
+039 328 1187801
mailto:[EMAIL PROTECTED]
http://www.taffi.it
ippl failure and strange echo requests
Hello

I have ippl installed and started it as 'nohup ippl -n' 8 days ago. It has worked well, but now there are two things I wonder about.

- Yesterday there were 47 echo requests from 30 different origins within half an hour. This hasn't happened in the 8 days before. The only way I can explain that is either that someone sent requests with spoofed sender IP addresses, or that ippl isn't working correctly. It's strange that all 30 IPs except one have a valid DNS entry.

- Just after this, ippl stopped working: there weren't any more messages even when I pinged my machine myself. With 'ps' I saw it still running (4 threads). Another instance 'ippl -n' started in a terminal worked. 'killall ippl' stopped all of them and led the old ippl instance to write the 'stopped' message to the log:

(...)
Jun 26 13:55:48 ICMP message type echo request from c122s7h5.upc.chello.no [212.186.118.122]
Jun 26 13:55:48 port 8007 connection attempt from localhost [127.0.0.1]
Jun 26 13:56:06 last message repeated 8 time(s)
Jun 26 13:56:18 ICMP message type echo request from 24-164-142-190.si.rr.com [24.164.142.190]
Jun 26 13:56:18 port 8007 connection attempt from localhost [127.0.0.1]
Jun 26 13:56:27 ICMP message type echo request from 36-174.engelholm.se [195.216.36.174]
Jun 26 13:56:27 port 8007 connection attempt from localhost [127.0.0.1]
Jun 26 13:56:48 last message repeated 11 time(s)
Jun 26 13:56:50 ICMP message type echo request from 36-174.engelholm.se [195.216.36.174]
(... more echo requests...)
Jun 26 14:25:22 ICMP message type echo request from co3042367-a.rochd1.qld.optushome.com.au [203.164.196.110]
Jun 26 14:25:22 port 8007 connection attempt from localhost [127.0.0.1]
Jun 27 12:39:27 IP Protocols Logger: stopped (signal 15).

So it really seems that ippl hung just after (or while?) these strange echo requests. Were these 'ping of death' or something that ippl couldn't handle?

Christian.
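Christian's question (spoofed sources, or a broken ippl?) is one that a per-source tally of the echo requests helps settle: a burst from many distinct, resolvable addresses looks different in the numbers from one source hammering the box or from a logger that has stopped writing. The script below is an added example, not part of the original post or of the ippl project. It assumes ippl's message format as shown in the post ("... echo request from HOST [IP]"), counts requests per source address, folds in syslog's "last message repeated N time(s)" lines only when the line they refer to was an echo request, and runs over the excerpt quoted above plus a small constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread or from ippl): summarise ICMP echo
# requests in an ippl log by source address. Assumes the message format
# shown in the post: "<date> ICMP message type echo request from HOST [IP]".

# echo_requests_by_source LOG -> one "count ip" line per source, busiest first
echo_requests_by_source() {
    awk '
        / ICMP message type echo request from .*\[[0-9.]+\]$/ {
            ip = $NF                      # bracketed address is the last field
            sub(/^\[/, "", ip); sub(/\]$/, "", ip)
            seen[ip]++
            prev = ip                     # remember it in case syslog collapsed repeats
            next
        }
        / last message repeated [0-9]+ time\(s\)$/ {
            # "last message repeated N time(s)" refers to the line just before it;
            # only add N when that line was an echo request (in the post it was
            # the port 8007 line, so those repeats must not be counted here)
            if (prev != "") seen[prev] += $(NF-1)
            next
        }
        { prev = "" }                     # any other line breaks the repeat chain
        END { for (ip in seen) printf "%d %s\n", seen[ip], ip }
    ' "$1" | sort -rn
}

# echo_request_summary LOG -> "total distinct": requests seen and distinct sources
echo_request_summary() {
    echo_requests_by_source "$1" |
        awk '{ total += $1; sources++ } END { printf "%d %d\n", total + 0, sources + 0 }'
}

# Sample input 1: the log excerpt quoted in the post
IPPL_LOG=$(mktemp)
cat > "$IPPL_LOG" <<'EOF'
Jun 26 13:55:48 ICMP message type echo request from c122s7h5.upc.chello.no [212.186.118.122]
Jun 26 13:55:48 port 8007 connection attempt from localhost [127.0.0.1]
Jun 26 13:56:06 last message repeated 8 time(s)
Jun 26 13:56:18 ICMP message type echo request from 24-164-142-190.si.rr.com [24.164.142.190]
Jun 26 13:56:18 port 8007 connection attempt from localhost [127.0.0.1]
Jun 26 13:56:27 ICMP message type echo request from 36-174.engelholm.se [195.216.36.174]
Jun 26 13:56:27 port 8007 connection attempt from localhost [127.0.0.1]
Jun 26 13:56:48 last message repeated 11 time(s)
Jun 26 13:56:50 ICMP message type echo request from 36-174.engelholm.se [195.216.36.174]
Jun 26 14:25:22 ICMP message type echo request from co3042367-a.rochd1.qld.optushome.com.au [203.164.196.110]
Jun 26 14:25:22 port 8007 connection attempt from localhost [127.0.0.1]
Jun 27 12:39:27 IP Protocols Logger: stopped (signal 15).
EOF

# Sample input 2 (constructed, documentation address range): an echo request
# whose repeats syslog collapsed, so the repeat count belongs to that source
IPPL_LOG_REPEATS=$(mktemp)
cat > "$IPPL_LOG_REPEATS" <<'EOF'
Jun 26 15:00:00 ICMP message type echo request from example.invalid [192.0.2.10]
Jun 26 15:00:09 last message repeated 3 time(s)
EOF

echo "Echo requests by source (post excerpt):"
echo_requests_by_source "$IPPL_LOG"
echo "Total / distinct sources: $(echo_request_summary "$IPPL_LOG")"
echo "Constructed repeat sample: $(echo_request_summary "$IPPL_LOG_REPEATS")"
```

Against the excerpt this yields 5 requests from 4 distinct sources, with 195.216.36.174 appearing twice; run over a full day's log it gives the "47 requests from 30 origins" kind of figure Christian quotes directly, and a source list that can then be checked against reverse DNS.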
Re: ProFtpd question
On Wednesday 27 June 2001 05:54, Brandon High wrote:
>
> Perhaps a silly question, but why not just set the shell to
> /bin/false?

You can. However, with ftponly, you can have 3 user levels:

false   -> only mail
ftponly -> mail + FTP
??sh    -> mail, FTP and shell

JM
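The three levels JM lists follow directly from the RequireValidShell rule quoted from the ProFTPD docs earlier in the thread: an account gets FTP if and only if its login shell appears as a line in /etc/shells, and it gets an interactive login only if that shell is a real one. The script below is an added example, not code from the thread or from ProFTPD. It audits a passwd file against a shells file and reports which of the three levels each account lands in, and separately lists any real login shells found in the shells file, which is the situation JM advises against on an FTP server. It assumes the thread's symlink scheme (/bin/ftponly pointing at /bin/false) and treats the paths of the two files as parameters so that the constructed sample data stands in for /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example (not from the thread or from ProFTPD): report the FTP access
# each account gets under RequireValidShell (default on), using the three
# levels described in the thread:
#   shell not listed in /etc/shells        -> no-ftp     (e.g. /bin/false)
#   pseudo-shell listed in /etc/shells     -> ftp-only   (e.g. /bin/ftponly -> /bin/false)
#   real login shell listed in /etc/shells -> ftp+shell
# The passwd and shells files are parameters so the constructed sample data
# below can stand in for /etc/passwd and /etc/shells.

# Non-login pseudo-shells. /bin/ftponly is the thread's symlink to /bin/false;
# on a live system the readlink step in is_pseudo_shell resolves it.
PSEUDO_SHELLS="/bin/false /bin/true /usr/bin/false /usr/bin/true /bin/ftponly"

# is_pseudo_shell PATH -> succeeds if PATH (after resolving symlinks) is a pseudo-shell
is_pseudo_shell() {
    target=$1
    if [ -e "$target" ] && command -v readlink >/dev/null 2>&1; then
        target=$(readlink -f "$target" 2>/dev/null || printf '%s' "$target")
    fi
    for p in $PSEUDO_SHELLS; do
        [ "$target" = "$p" ] && return 0
    done
    return 1
}

# shell_is_valid PATH SHELLS -> succeeds if PATH appears as a whole line in SHELLS,
# the same exact-match test RequireValidShell applies
shell_is_valid() {
    grep -Fxq -- "$1" "$2"
}

# ftp_access_level PASSWD SHELLS -> prints "user level" for every account
ftp_access_level() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        if ! shell_is_valid "$shell" "$2"; then
            level=no-ftp
        elif is_pseudo_shell "$shell"; then
            level=ftp-only
        else
            level=ftp+shell
        fi
        printf '%s %s\n' "$user" "$level"
    done < "$1"
}

# real_shells_in SHELLS -> lists entries that are real login shells; JM's advice
# in the thread is that only pseudo-shells belong in /etc/shells on an FTP box
real_shells_in() {
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        is_pseudo_shell "$line" || printf '%s\n' "$line"
    done < "$1"
}

# Constructed sample data (not from any real host)
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/shells" <<'EOF'
# valid login shells
/bin/sh
/bin/bash
/bin/ftponly
EOF
cat > "$AUDIT_DIR/passwd" <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/ftponly
carol:x:1002:1002:Carol:/home/carol:/bin/false
EOF

ftp_access_level "$AUDIT_DIR/passwd" "$AUDIT_DIR/shells"
echo "Real login shells listed in the shells file:"
real_shells_in "$AUDIT_DIR/shells"
```

On the sample, alice (bash, listed) is ftp+shell, bob (/bin/ftponly, listed, resolves to a pseudo-shell) is ftp-only, and carol (/bin/false, not listed) is no-ftp. The symlink direction matters for the second case: with the corrected `ln -s /bin/false /bin/ftponly`, readlink resolves /bin/ftponly to /bin/false and the account stays non-interactive even though its shell is "valid" for ProFTPD.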
Re: Pam 0.72-26 critically broken
> oliver <[EMAIL PROTECTED]> wrote:
>
> >> > Hi. I uploaded a version of PAM today that fails to minimally work.
> >> > If you install this package, the main PAM module (pam_unix) fails to
> >> > load. This means that login, su and other programs that ask for a
> >> > password all fail.
> >
> > I recognised it after booting!!
> > can only boot with "linux init=/bin/bash"
> > Currently I'm on my gateway (console, pine, etc.), what do you suggest,
> > how do I get this machine running again?
> >
>
> I took an install cd and did a :
> linux root=/dev/hda1 rw init=/bin/sh
>
> after that I made lilo prompt so I could do a linux single on the lilo
> boot prompt, then I got my machine in single mode, got online, got the
> new pack, installed it and all fixed

Thanks for that Henrik, a stitch in time saves nine. That had the gateway machine running again; after considerable head scratching I have the other machines running with a small modification to your line above.

try:
linux root=/dev/hda3 rw single

perhaps this will be of some use to others

regards
Mark