RE: ADSL connection problem
Not really the list for this, but...

1. Is your link really up? Can you ping the IP of yahoo.com (64.58.76.226)?
2. Can you ping your ISP's DNS? Is that IP correct?
3. Have you tried putting in another organization's DNS server?
4. What is your syntax in /etc/resolv.conf? Mine is:

search dyn.optonline.net optonline.net
nameserver 167.206.112.138
nameserver 167.206.7.4
nameserver 167.206.112.4

- James

-Original Message-
From: Luc MAIGNAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 22, 2001 11:23 AM
To: debian-security@lists.debian.org
Subject: ADSL connection problem

Hi,

I use an ADSL connection. The link seems to be up, because I can ping my own fixed IP address. I have configured the IP address of my provider in /etc/resolv.conf, but I can't resolve any name.

Where is the problem ?

Regards
Re: Potato 2.2r3 and Kernel 2.2.19 Questions
On Wed, Oct 24, 2001 at 01:18:52AM +, Martin WHEELER wrote:
> On Tue, 23 Oct 2001, Ethan Benson wrote:
>
> > kernels are never upgraded automatically by apt, you have to do it
> > yourself:
>
> That's not quite true -- should you recompile your own kernel, and for
> whatever reason, NOT give that new kernel a debian-style name which
> conforms *exactly* to the debian naming conventions, you will be
> pestered for evermore with attempts by apt to 'upgrade' to the latest
> (plain vanilla) version.

well yes, the reason kernel images are not automatically upgraded from r2 -> r3 is because it's a different package

r2: kernel-image-2.2.18 Version: 2.2.18-1
r3: kernel-image-2.2.19 Version: 2.2.19-1

different package so why would apt upgrade it. (and yes i know it's actually a pre-something in r2, that's beside the point).

if you create your own kernel-image-2.2.19 package and your version number is not greater than the debian one then yes apt will try to upgrade it like any other package, and this in fact occurs sometimes in unstable dists since the kernel version is the same, but a few debian revisions will be done (-2 -3 -4 etc), this very rarely to never affects the stable release since by the time a new stable is released a much newer kernel is available and used. it's also possible the 2.2.19 images will get a backported security patch which would cause an automatic apt upgrade for anyone with the 2.2.19 image already installed.

as for your custom kernel problem the solution is trivial:

make-kpkg --revision=5:2.2.19-1

or --revision=5:2.2.19-`hostname`.1 is something i use. the 5: is an epoch which will make your version number always newer than any debian version (unless a debian kernel somehow gets an epoch larger than 5, a very unlikely scenario).

one last point, if you never actually install a kernel-image package after you install a new system from boot-floppies apt will never upgrade your kernel, since boot-floppies don't install any kernel-image they simply untar the modules into /lib/modules and cp the vmlinux files to /boot and symlink it to / dpkg never knows about it.

--
Ethan Benson
http://www.alaska.net/~erbenson/
RE: Unidentified subject!
I've been told that usually means just a corrupt/damaged packet and shouldn't be much to worry about, unless you are getting lots of them (Might be an attack).

- James

-Original Message-
From: sonam dukda [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 23, 2001 4:52 AM
To: [EMAIL PROTECTED]
Subject: Unidentified subject!

Hi!

The message on our server is " IP-MASQ:reverse ICMP:failed checksum from 202.144.129.2!". What does this mean? Also the internet access has become very slow. We are connected at 64 Kbps leased line.

sonam
RE: Firewall Related Question
That link might help... http://www.linuxdoc.org/HOWTO/mini/Bridge+Firewall.html

- James

-Original Message-
From: Alson van der Meulen [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 22, 2001 1:31 PM
To: Debian Security List
Subject: Re: Firewall Related Question

On Mon, Oct 22, 2001 at 10:17:59AM -0700, tony mancill wrote:
> I'd recommend the former (firewalling on each server). This will let you
> customize the firewall for that server alone, and spread the packet
> filtering load and logging. Also, with no access to the Cisco box, you'd
> have to either MASQ or SNAT with proxy arps if you do insert a firewall
> into the packet path to get the traffic to cross the firewall. (The Cisco
> is going to assume that the subnet with the DMZ address space is still
> directly attached.)

With FreeBSD/OpenBSD, you could use a packet filtering bridge (quite nice IMO), put two ethernet cards in a box, one to cisco, second to switch with Debian servers, no need for an IP address at the bridge, just bridge and firewall. I'm not sure if Linux can do this, maybe there are some patches for iptables to do it?

> On Mon, 22 Oct 2001, James wrote:
>
> > Yes, you could definitely do a firewall on each server.
> >
> > Also, have you considered setting up a 4th machine between the Cisco and 3
> > servers? That could work also. You wouldn't make it a masq box, just
> > configure it to pass packets based on the rules.
> >
> > - James
> >
> > -Original Message-
> > From: Alson van der Meulen [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, October 22, 2001 6:58 AM
> > To: Debian Security List
> > Subject: Re: Firewall Related Question
> >
> >
> > On Mon, Oct 22, 2001 at 12:44:03PM +0200, eim wrote:
> > > I've got some simple questions related to using a Firewall on
> > > some single public Debian Boxes, I choose to post my questions
> > > here because I've always security in mind during the Developing
> > > time of my Network Services.
> > >
> > > Let me assume I've got a simple Network with 3 Public Debian
> > > Servers and 1 Cisco Router (Internet Gateway).
> > >
> > > The router belongs to my Connection ISP so I can't configure it,
> > > but only use it for Internet connectivity.
> > >
> > > The 3 Debian Boxes are under my full control.
> > >
> > > The best way to protect my Debian Servers would be to install
> > > a Firewall on my Gateway (Cisco Router) but actually I can't,
> > > so my question is: Can I install a Firewall on each of my Debian
> > > Boxes to filter/block incoming and outgoing Network Traffic ?
> > >
> > > Is this a good choice ? or should I put another machine in my
> > > Network, between the Gateway and the Servers, which acts as Firewall ?
> > You can just configure a packet filter on all your servers, the main
> > disadvantage is that it's more difficult to administer

--
,---.
> Name:     Alson van der Meulen <
> Personal: [EMAIL PROTECTED] <
> School:   [EMAIL PROTECTED] <
`---'
I remember the last time I saw it do that...
Re: Potato 2.2r3 and Kernel 2.2.19 Questions
I would suggest adding the testing source to your /etc/apt/sources.list and grabbing kernel-source-2.2.19 (version 2.2.19.1-1 has the security patches in question).

Edit /etc/apt/sources.list
Add

    deb http://http.us.debian.org/debian/ testing main

Save the file.

    apt-get update
    apt-get install kernel-source-2.2.19

Once you are done, you can take the testing source out.

Unpack the source:

    cd /usr/src; tar xIvf kernel-source-2.2.19.tar.bz2

[if you are using a version of bzip2 later than what is in stable, you will need j instead of I]

Configure your kernel as you usually would (make menuconfig, make xconfig, whatever).

Install kernel-package:

    apt-get install kernel-package

Use make-kpkg to build your kernel instead of doing it by hand.

    make-kpkg buildpackage

[you can pass the --revision and --flavour arguments to make it appear as something other than Custom_1.00]

Using make-kpkg takes out all of the inbetween steps and leaves you with a customized kernel-image-2.2.19. Go up to the parent directory and install your kernel image with dpkg. It will handle moving your old kernel to a vmlinuz.old link and your new kernel to a vmlinuz link. The default configuration of lilo knows how to handle them both and they will both be bootable should you need to revert to the old kernel. dpkg of course also handles the proper placement of modules and such as well.

make-kpkg always seemed to be the best way to make your own kernel but stay debian-friendly to me. It makes a LOT of sense if you have a lot of boxes that are very similar in hardware.

-nicole

At 19:09 on Oct 23, eim combined all the right letters to say:

> Actually I'm running Potato 2.2r2 on some Debian Boxes which
> I've upgraded to 2.2r3, the Kernel which powers the system is
> still 2.2.18pre21 while for the 2.2r3 Release of Potato it should
> be version 2.2.19
>
> So, correct me if I'm wrong but Debian Potato 2.2r3 comes out
> with Kernel 2.2.19, right ?
>
> Well, if so, I want to upgrade from 2.2.18pre21 to 2.2.19, apply
> the "new RAID Style" Patch and the latest security Patch.
>
> My question is this: Debian's 2.2.19 kernel-source package is
> already available with the latest Kernel security patch or should
> I download the patch from openwall.com and apply externally ?
>
> Thank you for suggestions,
> have a good work !
>
> Ivo Marino
Re: Potato 2.2r3 and Kernel 2.2.19 Questions
On Tue, 23 Oct 2001, Ethan Benson wrote:

> kernels are never upgraded automatically by apt, you have to do it
> yourself:

That's not quite true -- should you recompile your own kernel, and for whatever reason, NOT give that new kernel a debian-style name which conforms *exactly* to the debian naming conventions, you will be pestered for evermore with attempts by apt to 'upgrade' to the latest (plain vanilla) version.

Pain.

msw
Re: Potato 2.2r3 and Kernel 2.2.19 Questions
kernels are never upgraded automatically by apt, you have to do it yourself:

apt-get install kernel-image-2.2.19

On Tue, Oct 23, 2001 at 07:09:43PM +0200, eim wrote:
> Actually I'm running Potato 2.2r2 on some Debian Boxes which
> I've upgraded to 2.2r3, the Kernel which powers the system is
> still 2.2.18pre21 while for the 2.2r3 Release of Potato it should
> be version 2.2.19
>
> So, correct me if I'm wrong but Debian Potato 2.2r3 comes out
> with Kernel 2.2.19, right ?
>
> Well, if so, I want to upgrade from 2.2.18pre21 to 2.2.19, apply
> the "new RAID Style" Patch and the latest security Patch.
>
> My question is this: Debian's 2.2.19 kernel-source package is
> already available with the latest Kernel security patch or should
> I download the patch from openwall.com and apply externally ?
>
> Thank you for suggestions,
> have a good work !
>
> Ivo Marino
> --
>
> Ivo Marino [EMAIL PROTECTED]
> UN*X Developer, running Debian GNU/Linux
> DALnet #flex
> http://eimbox.org

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: ssh vulernability
On Tue, Oct 23, 2001 at 01:19:58PM +0200, Philipp Schulte wrote:
> On Mon, Oct 22, 2001 at 06:21:51AM -0300, Peter Cordes wrote:
>
> > Just as you automate everything you can, in the name of laziness, you can
> > wait until stuff falls into your lap instead of going out and fixing it
> > yourself, if the problem is not at all likely to lead to any real problems
> > for your system.
>
> And where is the relation to "security"?

If there is no real security risk to your system (e.g. you weren't using the feature that the problem is in), then you can wait for the security team to handle it and upload a new package. If you have multiple layers of defence, and the vulnerability only takes out one of them, then you can wait a while instead of fixing it yourself. (e.g. with this ssh vuln., you would only be at real risk if attackers actually had the necessary keys, but not access to an IP that you allowed logins from. If you were pretty sure that nobody had stolen your keys, you wouldn't really have to worry about the vuln.)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
Re: apache log entry
Brendan,

Not sure If you are who I think you are. By chance did you live in Virginia and work for Gannon LLc for a short while. If so email me back.

Later,
Curtis

On 9 Oct 2001, at 11:56, brendan hack wrote:

> Thanks to Bill and James for your responses. It was a proxy attempt. I
> set up my mozilla to use the apache server as a proxy and got the same
> log entries. Luckily though, apache simply returned web pages from the
> local web site instead of proxying them since the ProxyRequests
> directive was not on. I've now removed the proxy modules as well, just
> to be sure (I said I was paranoid).
>
> thanks,
>
> brendan
>
>
> William R. Ward wrote:
>
> > brendan hack writes:
> >
> >>Hi All,
> >>
> >>I found a strange entry hidden among all the IIS exploit attempts in my
> >>apache access log today:
> >>
> >>61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] "GET
> >>http://61.177.66.228:8283/ HTTP/1.0" 200 756
> >>
> >>Does anyone know if this is some sort of attack attempt? It doesn't seem
> >>to make any sense as a log entry as there is no leading '/' on the url
> >>portion and there is no corresponding error log entry saying that the
> >>file 'http://61.177.66.228:8283/' couldn't be found. I also find the
> >>fact that the client IP and the url are the same suspicious. I tried
> >>retrieving the same file myself using mozilla
> >>(http://webserver/http://61.177.66.228:8283/) and it created a similar
> >>access entry but with a '/' at the start of the url and there was an
> >>error log entry generated. There was a peak in traffic from the server
> >>the day after this log entry which instigated the check. Any suggestions
> >>will be appreciated.
> >>
> >
> > Someone's trying to use you as a proxy. That's what proxy HTTP
> > requests look like.
> >
> > The "200" code suggests that they succeeded. Add something like this
> > to your httpd.conf to block these. (Delete the "allow" part if you
> > don't want proxying at all; if you do, change the IP addresses to
> > whatever is appropriate for your system.)
> >
> >
> > order deny,allow
> > deny from all
> > allow from 192.168.0.0/255.255.0.0
> >
> >
> > HTH.
> >
> > --Bill.
> >
>
> --
> http://www.bendys.com
> [EMAIL PROTECTED]
>
> Real coders celebrate Christmas at Halloween.

Curtis Brownley
Palais Royal / Yves Delorme
1725 Broadway St.
Charlottesville VA 22902
Phone: 1-800-322-3911 ext:308
Fax: 1-804-977-8962
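
The log entry discussed in the quoted thread above has an absolute URL where a path normally appears. As an added example that is not part of any poster's message, this Python sketch scans Common Log Format lines for such proxy-style requests (absolute-URI targets and CONNECT). The first sample line is the one quoted in the thread; the other three are constructed.

```python
"""Flag proxy-style requests in an Apache access log (added example)."""
import re
from urllib.parse import urlsplit

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# A request-target that begins with "scheme://" is what a client sends to a proxy.
ABSOLUTE_FORM = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://')


def find_proxy_requests(lines):
    """Return one dict per log line that looks like a request to a proxy."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a CLF line, ignore it
        method, target = m["method"].upper(), m["target"]
        if method == "CONNECT":
            kind = "connect"
            target_host = target.rsplit(":", 1)[0]
        elif ABSOLUTE_FORM.match(target):
            kind = "absolute-uri"
            target_host = urlsplit(target).hostname
        else:
            continue                      # ordinary origin-form request ("/path")
        status = int(m["status"])
        findings.append({
            "client": m["client"],
            "when": m["when"],
            "kind": kind,
            "target": target,
            # The thread's entry asked the server to fetch from the client's own IP.
            "self_target": target_host == m["client"],
            # A 2xx only says the server answered; as brendan found, Apache may
            # have served a local page. Compare the size with your own pages and
            # check whether ProxyRequests is enabled.
            "status_2xx": 200 <= status < 300,
            "status": status,
        })
    return findings


SAMPLE_LOG = [
    # From the thread:
    '61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] '
    '"GET http://61.177.66.228:8283/ HTTP/1.0" 200 756',
    # Constructed: a normal request.
    '192.0.2.10 - - [07/Oct/2001:21:30:02 +1000] "GET /index.html HTTP/1.0" 200 1043',
    # Constructed: the same URL typed into a browser as a path (leading '/').
    '192.0.2.10 - - [08/Oct/2001:09:12:40 +1000] '
    '"GET /http://61.177.66.228:8283/ HTTP/1.0" 404 287',
    # Constructed: a tunnel request that the server refused.
    '198.51.100.7 - - [08/Oct/2001:10:01:15 +1000] '
    '"CONNECT mail.example.net:443 HTTP/1.0" 405 312',
]

if __name__ == "__main__":
    for f in find_proxy_requests(SAMPLE_LOG):
        note = "answered 2xx, verify" if f["status_2xx"] else "refused"
        print(f'{f["when"]}  {f["client"]:15} {f["kind"]:12} {f["target"]}  [{note}]')
```

HTTP/1.1 servers are required to accept absolute-form targets, so a hit is a lead to check against the proxy configuration rather than proof of abuse.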
Re: Firewall Related Question
* eim <[EMAIL PROTECTED]> [2001.10.22 12:44:03+0200]:
> Is this a good choice ? or should I put another machine in my
> Network, between the Gateway and the Servers, which acts as Firewall ?

what's a firewall for you? a packet filter? you can surely install a packet filter on every box. iptables of kernel 2.4.x is even more than a packet filter (strictly speaking, even ipchains is), as it can go up to application level for specific protocols.

so sure, iptables will be a firewall for you, which you can set up on every host... *but*: do you want to maintain three different ones?

if i were you, i'd set up some old pentium or even 486 with a minimal install of debian (or openwall, or smoothwall, or openBSD), which does NAT for your IPs (not MASQ, since you *have* IPs), and which runs kernel 2.4.12 with a fancy iptables setup.

--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

it's as bad as you think, and they are out to get you.
Potato 2.2r3 and Kernel 2.2.19 Questions
Actually I'm running Potato 2.2r2 on some Debian Boxes which I've upgraded to 2.2r3, the Kernel which powers the system is still 2.2.18pre21 while for the 2.2r3 Release of Potato it should be version 2.2.19

So, correct me if I'm wrong but Debian Potato 2.2r3 comes out with Kernel 2.2.19, right ?

Well, if so, I want to upgrade from 2.2.18pre21 to 2.2.19, apply the "new RAID Style" Patch and the latest security Patch.

My question is this: Debian's 2.2.19 kernel-source package is already available with the latest Kernel security patch or should I download the patch from openwall.com and apply externally ?

Thank you for suggestions,
have a good work !

Ivo Marino
--
Ivo Marino [EMAIL PROTECTED]
UN*X Developer, running Debian GNU/Linux
DALnet #flex
http://eimbox.org
Re: Two questions about /etc/apt/sources.list
On Tue, Oct 23, 2001 at 04:51:13PM +0800, Zhenguang Mo (163) wrote:
> thanks for your help.
> basically, the following three line is good enough to keep my potato debian
> up to date?
>
> deb http://http.us.debian.org/debian stable main contrib non-free
> (#for standard us debian)
> deb http://non-us.debian.org/debian-non-US stable/non-US main contrib
> non-free (#for non-us debian)
> deb http://security.debian.org stable/updates main contrib non-free (# for
> security update)

Yes, these three lines are good.

> the last line is for BOTH standard us debian update AND non-us debian
> update, right?

Yes, stable/updates does include non-us packages (like ssh) so you should be kept up on all security updates.

--
Steven Barker [EMAIL PROTECTED]
The bigger they are, the harder they hit.
Get my GnuPG public key at: http://www.blckknght.org/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Re: Does Debian need to enforce a better Security policy for packages?
On Tue, Oct 23, 2001 at 09:55:04AM +0200, Christian Kurz wrote:
> Do you know how difficult and time-consuming it really is to do a manual
> source code audit? Also the available programs for source code audits
> can only give you hints which parts of a program might be suspicious, but
> you still would have to verify everything by hand to be really sure.

FreeBSD does it for their ports tree. In fact, this has been a matter of controversy, as the FreeBSD team issues a huge number of security advisories for software that really has nothing to do with FreeBSD. This has caused casual observers to erroneously believe FreeBSD is less secure than other less carefully managed operating system projects.

Yes, source-code audits are time-consuming. Time-consuming is different from "not possible", however. The alternative is the "ostrich" method of security management.

-Michael Robinson
Re: Does Debian need to enforce a better Security policy for packages?
On Mon, Oct 22, 2001 at 06:46:19PM +0200, Javier Fernández-Sanguino Peña wrote:
> I just made an empty package with dh_make with only a postinst
> having 'rm -rf /'. Lintian says:
>
> $ lintian test-rm*deb
> E: test-rm: description-is-dh_make-template
> E: test-rm: helper-templates-in-copyright
> W: test-rm: readme-debian-is-debmake-template
> W: test-rm: unknown-section unknown

Lintian only checks for mistakes. If you make it try to check for maliciousness, then the malicious packager will just make his/her trojan more obscure to foil it - thus making it harder for the casual observer to tell that there's a trojan there.

This is a social problem. I don't think a purely technical solution is appropriate.

--
Colin Watson [EMAIL PROTECTED]
Re: ssh vulernability
On Mon, Oct 22, 2001 at 06:21:51AM -0300, Peter Cordes wrote:

> Just as you automate everything you can, in the name of laziness, you can
> wait until stuff falls into your lap instead of going out and fixing it
> yourself, if the problem is not at all likely to lead to any real problems
> for your system.

And where is the relation to "security"?

Phil
Re: Does Debian need to enforce a better Security policy for packages?
On Tue, Oct 23, 2001 at 01:17:14AM +0200, Javier Fernández-Sanguino Peña wrote:
> So, is it possible to limit those scripts or am I just thinking on
> trying to put a fence around the desert? (not really sure if that's the
> appropriate expression BTW :P

Fencing off deserts is easy. You are trying to put a fence around the moon.

--
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :                         | Dept. of Computing,
 `. `'                          | Imperial College,
   `-   http://www.debian.org/  | London, UK
Connection problem
Hi,

It's maybe a little bit off topic, but I think someone in this list can help me:

I've got a firewall debian potato, kernel 2.2.17pre6, doing masquerading and other rules over an adsl pppoe line. All worked perfectly, but for the last two weeks (without doing any changes) I'm unable to go to certain sites. Tcpdump shows me that the connection closes in the middle. Something like this:

11:36:16.439327 a.b.c.26.https > d.e.f.36.62968: P 1269:1340(71) ack 214 win 17307 (DF)
11:36:16.495429 d.e.f.36.62969 > a.b.c.21.www: S 10634093:10634093(0) win 8192 (DF)
11:36:16.571944 d.e.f.36.62968 > a.b.c.26.https: . ack 1340 win 7421 (DF)
11:36:16.591005 a.b.c.21.www > d.e.f.36.62969: S 3660606280:3660606280(0) ack 10634094 win 17520 (DF)
11:36:16.591218 d.e.f.36.62969 > a.b.c.21.www: . ack 1 win 8760 (DF)
11:36:16.591569 d.e.f.36.62969 > a.b.c.21.www: P 1:267(266) ack 1 win 8760 (DF)
11:36:16.719188 a.b.c.21.www > d.e.f.36.62969: P 1:140(139) ack 267 win 17254 (DF)
11:36:16.722604 d.e.f.36.62968 > a.b.c.26.https: F 214:214(0) ack 1340 win 7421 (DF)
11:36:16.823751 a.b.c.26.https > d.e.f.36.62968: F 1340:1340(0) ack 215 win 17307 (DF)
11:36:16.824023 d.e.f.36.62968 > a.b.c.26.https: . ack 1341 win 7421 (DF)
11:36:16.871853 d.e.f.36.62969 > a.b.c.21.www: . ack 140 win 8621 (DF)
11:36:18.868878 d.e.f.36.62970 > a.b.c.26.https: S 10636467:10636467(0) win 8192 (DF)
11:36:18.962180 a.b.c.26.https > d.e.f.36.62970: S 3661217994:3661217994(0) ack 10636468 win 17520 (DF)
11:36:18.962414 d.e.f.36.62970 > a.b.c.26.https: . ack 1 win 8760 (DF)
11:36:18.962924 d.e.f.36.62970 > a.b.c.26.https: P 1:97(96) ack 1 win 8760 (DF)
11:36:19.084207 a.b.c.26.https > d.e.f.36.62970: P 1:151(150) ack 97 win 17424 (DF)
11:36:19.084930 d.e.f.36.62970 > a.b.c.26.https: P 97:168(71) ack 151 win 8610 (DF)
11:36:19.086571 d.e.f.36.62970 > a.b.c.26.https: P 168:682(514) ack 151 win 8610 (DF)
11:36:19.217933 a.b.c.26.https > d.e.f.36.62970: . ack 682 win 16839 (DF)
11:36:19.236432 a.b.c.26.https > d.e.f.36.62970: P 151:448(297) ack 682 win 16839 (DF)
11:36:19.376182 d.e.f.36.62970 > a.b.c.26.https: . ack 448 win 8313 (DF)

That's all... no F

I've got a similar config which works perfectly.

Thanks for any help!

PS: as this is not the good place to talk about this, maybe send reply to me directly.

-- 
Easter-eggs              Spécialiste GNU/Linux
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com
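The check the poster does by eye ("no F"), as an added example that is not part of the original message: a small Python parser for this tcpdump text format that groups packets per connection and lists the connections in which neither side sent FIN or RST. The trace is copied from the post; the function names are made up for this example.

```python
import re

# Capture lines copied from the post above (addresses were already anonymised there).
TRACE = """\
11:36:16.439327 a.b.c.26.https > d.e.f.36.62968: P 1269:1340(71) ack 214 win 17307 (DF)
11:36:16.495429 d.e.f.36.62969 > a.b.c.21.www: S 10634093:10634093(0) win 8192 (DF)
11:36:16.571944 d.e.f.36.62968 > a.b.c.26.https: . ack 1340 win 7421 (DF)
11:36:16.591005 a.b.c.21.www > d.e.f.36.62969: S 3660606280:3660606280(0) ack 10634094 win 17520 (DF)
11:36:16.591218 d.e.f.36.62969 > a.b.c.21.www: . ack 1 win 8760 (DF)
11:36:16.591569 d.e.f.36.62969 > a.b.c.21.www: P 1:267(266) ack 1 win 8760 (DF)
11:36:16.719188 a.b.c.21.www > d.e.f.36.62969: P 1:140(139) ack 267 win 17254 (DF)
11:36:16.722604 d.e.f.36.62968 > a.b.c.26.https: F 214:214(0) ack 1340 win 7421 (DF)
11:36:16.823751 a.b.c.26.https > d.e.f.36.62968: F 1340:1340(0) ack 215 win 17307 (DF)
11:36:16.824023 d.e.f.36.62968 > a.b.c.26.https: . ack 1341 win 7421 (DF)
11:36:16.871853 d.e.f.36.62969 > a.b.c.21.www: . ack 140 win 8621 (DF)
11:36:18.868878 d.e.f.36.62970 > a.b.c.26.https: S 10636467:10636467(0) win 8192 (DF)
11:36:18.962180 a.b.c.26.https > d.e.f.36.62970: S 3661217994:3661217994(0) ack 10636468 win 17520 (DF)
11:36:18.962414 d.e.f.36.62970 > a.b.c.26.https: . ack 1 win 8760 (DF)
11:36:18.962924 d.e.f.36.62970 > a.b.c.26.https: P 1:97(96) ack 1 win 8760 (DF)
11:36:19.084207 a.b.c.26.https > d.e.f.36.62970: P 1:151(150) ack 97 win 17424 (DF)
11:36:19.084930 d.e.f.36.62970 > a.b.c.26.https: P 97:168(71) ack 151 win 8610 (DF)
11:36:19.086571 d.e.f.36.62970 > a.b.c.26.https: P 168:682(514) ack 151 win 8610 (DF)
11:36:19.217933 a.b.c.26.https > d.e.f.36.62970: . ack 682 win 16839 (DF)
11:36:19.236432 a.b.c.26.https > d.e.f.36.62970: P 151:448(297) ack 682 win 16839 (DF)
11:36:19.376182 d.e.f.36.62970 > a.b.c.26.https: . ack 448 win 8313 (DF)
"""

# timestamp, "host.port > host.port:", then the TCP flag letters ("." = ACK only)
PACKET_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+) "
)


def track_connections(trace):
    """Group packets by endpoint pair; return {pair: summary} in capture order."""
    conns = {}
    for line in trace.splitlines():
        m = PACKET_RE.match(line.strip())
        if m is None:
            continue  # not a TCP packet line in this text format
        pair = tuple(sorted((m["src"], m["dst"])))
        c = conns.setdefault(pair, {"packets": 0, "syn": False, "rst": False,
                                    "fin_from": set(), "last_seen": None})
        c["packets"] += 1
        c["syn"] = c["syn"] or "S" in m["flags"]
        c["rst"] = c["rst"] or "R" in m["flags"]
        if "F" in m["flags"]:
            c["fin_from"].add(m["src"])  # remember which side closed
        c["last_seen"] = m["ts"]
    return conns


def state(c):
    """Classify a connection by the teardown packets seen in the capture."""
    if c["rst"]:
        return "reset"
    return ("no FIN seen", "half-closed", "closed")[len(c["fin_from"])]


def unterminated(trace):
    """Connections whose packets stop with neither side sending FIN or RST."""
    return [(pair, c["last_seen"]) for pair, c in track_connections(trace).items()
            if state(c) == "no FIN seen"]


if __name__ == "__main__":
    for pair, c in track_connections(TRACE).items():
        print(f"{pair[1]} <-> {pair[0]}: {c['packets']} packets, "
              f"{state(c)}, last at {c['last_seen']}")
```

On this excerpt the port 62968 connection closes with a FIN from each side, while 62969 and 62970 both stop after a final ACK from the client.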
Re: Does Debian need to enforce a better Security policy for packages?
On 23/10/01, Javier Fernández-Sanguino Peña wrote:
> On Mon, Oct 22, 2001 at 09:31:38PM +0200, Christian Kurz wrote:
> > What does security policies for building a debian package exactly have
> > to do with securing a debian box? System administrator reading this
> > document will be interested in tips and howtos on improving the security
> > on the boxes, that he administrates. He's certainly not interested in
> > knowing how to securely build a debian package.

> The point is. I'm starting to think on changing the document title
> to something on the lines of "Debian Security Manual" and go a little
> deeper into Debian security stuff (advisories, the security team, etc..)

Well, advisories still would fit into a "Securing Debian Manual" because they are an important part of increasing the security of the system someone is responsible for. I don't know what exactly you want to write about the security team, but maybe it would also fit. Information about securing the build system and how to securely build Debian packages should be an extra document for interested developers in my humble opinion.

> > That will soon be discovered and I would say those maintainer is facing
> > definitely problems.

> Might I remember you that we are not (IIRC) doing a source code

Do you know how difficult and time-consuming it really is to do a manual source code audit? Also the available programs for source code audits can only give you hints which parts of a program might be suspicious, but you still would have to verify everything by hand to be really sure.

> audit of packages. That "soon" is supposing that his package is widely
> used and the mischief promptly discovered.

I don't think so, because any mischief that isn't triggered by some obscure situation or configuration, will be very fast discovered. And also the package doesn't need to be widely used, since we have quite some people following unstable and new packages closely, which would then report bugs.

> > > lintian does check many issues regarding policy, but it does not test
> > > potential security problems.

> > Which is correct, since lintian is only written for checking policy
> > compliance. If you want a tool checking for security problems, you
> > should write another new tool for this purpose.

> Not exactly right, policy does talk about security related issues,
> and lintian should check them. For example:
> 11.9. Permissions and owners
>
> The rules in this section are guidelines for general use. If
> necessary you may deviate from the details below. However, if you do
> so you must make sure that what is done is *secure* and you should try
> to be as consistent as possible with the rest of the system.
> (emphasis is mine)

Did you read just this small paragraph or the whole section 11.9 from the policy? If you have read it, then you should have noticed that it clearly talks about useful permission for certain cases, which don't open security holes. It absolutely is not talking about how to change permissions and owners to have a really secure system. That would involve for example also checking for setuid, setgid files or world-writable directories for example.

> > > So. Since we do not source code audits of incoming packages and
> > > this kind of issues are not detected automatically... does this leave
> > > the Debian distribution open to attack if a developer box gets hacked
> > > into?

> > No, new packages are not automatically becoming available for everyone
> > and will be reviewed before. So this doesn't leave the distribution open
> > for that kind of attacks you imagine.

> So, then, for the record (i.e. the manual) what kind of reviews
> are made for incoming/new packages (besides lintian checks). I do know
> that the archive maintainers do this stuff, could someone introduce me to
> what reviews (security-wise) are made?

Please ask the ftp-masters about this issue, since they are the best authority you can ask for getting the necessary information about this.

> > No, because that's not the purpose of lintian. Write either a new tool
> > for that purpose or leave it. But be aware that it's very difficult to
> > detect all kinds of possible attacks or trojans that one could create.

> I agree. However, with the Debian package format becoming
> increasingly popular, it does have some flaws (IMHO, I might get smacked
> for saying this :) which might be used to introduce simple trojans.

I would say, that not only the Debian package format has its shortcomings, but that the same applies for the rpm format also. There's no format available which doesn't have any short-coming. [0]

> Regardless of the package contents (which might
> be a trojan by itself) having the post-pre-install-remove script as a root
> user with an unrestricted shell (or perl, or whatever) could turn into
> potential problems on the long term.

You know that a restricted shel
Re: Does Debian need to enforce a better Security policy for packages?
On Mon, Oct 22, 2001 at 06:46:19PM +0200, Javier Fernández-Sanguino Peña wrote:
> I just made an empty package with dh_make with only a postinst
> having 'rm -rf /'. Lintian says:
>
> $ lintian test-rm*deb
> E: test-rm: description-is-dh_make-template
> E: test-rm: helper-templates-in-copyright
> W: test-rm: readme-debian-is-debmake-template
> W: test-rm: unknown-section unknown

Lintian only checks for mistakes. If you make it try to check for maliciousness, then the malicious packager will just make his/her trojan more obscure to foil it - thus making it harder for the casual observer to tell that there's a trojan there.

This is a social problem. I don't think a purely technical solution is appropriate.

-- 
Colin Watson [[EMAIL PROTECTED]]
Unidentified subject!
Hi! The message on our server is " IP-MASQ:reverse ICMP:failed checksum from 202.144.129.2!". What does this mean? Also the internet access has become very slow. We are connected at 64 Kbps leased line. sonam
Re: ssh vulnerability
On Mon, Oct 22, 2001 at 06:21:51AM -0300, Peter Cordes wrote:
> Just as you automate everything you can, in the name of laziness, you can
> wait until stuff falls into your lap instead of going out and fixing it
> yourself, if the problem is not at all likely to lead to any real problems
> for your system.

And where is the relation to "security"?

Phil
RE: Two questions about /etc/apt/sources.list
thanks for your help.

basically, the following three lines are good enough to keep my potato debian up to date?

deb http://http.us.debian.org/debian stable main contrib non-free (#for standard us debian)
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free (#for non-us debian)
deb http://security.debian.org stable/updates main contrib non-free (# for security update)

the last line is for BOTH standard us debian update AND non-us debian update, right?

good day
Mo

-----Original Message-----
From: Steven Barker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 23, 2001 4:06 PM
To: debian-security@lists.debian.org
Subject: Re: Two questions about /etc/apt/sources.list

On Tue, Oct 23, 2001 at 02:43:48PM +0800, Zhenguang Mo (163) wrote:
> Hi,
>
> Q1:
> is http://security.debian.org/dists/ and
> http://security.debian.org/debian-security/dists/ the same thing?

I'm pretty sure they are. I can't seem to check as ftp won't let me ls currently (I think that machine is still being upgraded, but maybe it just doesn't like me tonight).

> Q2: do i also need to have a line saying
> deb http://security.debian.org/debian-non-US potato/non-US main
> contrib non-free
> for non-us update?

You discovered the wonders of virtual hosting. Both non-us.debian.org and security.debian.org are on the same machine (also known as pandora.debian.org). Depending on what hostname you use to access it, you get a slightly different directory hierarchy.

I'm not quite sure what your question is however. You won't get non-us security updates by putting

deb http://security.debian.org/debian-non-US potato/non-US main

in sources.list because that is the same as the line

deb http://non-us.debian.org/debian-non-US potato/non-US main

which I presume you already have. I think (and I hope somebody will correct me if I'm wrong) that as the security updates are already being provided on a non-us machine, they include non-us packages along with the regular ones.

-- 
Steven Barker [EMAIL PROTECTED]
You will stop at nothing to reach your objective, but only because your brakes are defective.
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Re: Does Debian need to enforce a better Security policy for packages?
On Tue, Oct 23, 2001 at 01:17:14AM +0200, Javier Fernández-Sanguino Peña wrote:
>
> So, is it possible to limit those scripts or am I just thinking on
> trying to put a fence around the desert? (not really sure if that's the
> appropriate expression BTW :P

even without maintainer scripts there are plenty of ways to do evil in a trojan.deb (or trojan.tgz, or trojan.rpm...)

simply including an /etc/passwd with backdoor accounts comes to mind. since /etc/passwd belongs to no package dpkg won't complain. (i don't think so anyway.. i haven't tested this)

of course that particular example would be noticed since the existing accounts would be gone.. but you get the idea.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
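A pre-install check for the two things raised in this thread, a payload that ships /etc/passwd (this message) and setuid, setgid or world-writable entries (Christian Kurz's reply), written as an added example that is not from any poster and not part of lintian or dpkg. It reads the listing format printed by `dpkg-deb -c`; the sample listing is constructed, and the watch list of unowned files and all function names are assumptions of this example.

```python
import re
import subprocess
import sys
from typing import List, NamedTuple

# Constructed sample in the `tar -tv` style that `dpkg-deb -c` prints.
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 2001-10-23 01:17 ./
-rw-r--r-- root/root       412 2001-10-23 01:17 ./etc/passwd
-rwsr-xr-x root/root     18240 2001-10-23 01:17 ./usr/bin/helper
-rwxr-sr-x root/mail      9120 2001-10-23 01:17 ./usr/bin/mailtool
lrwxrwxrwx root/root         0 2001-10-23 01:17 ./usr/bin/h -> helper
drwxrwxrwx root/root         0 2001-10-23 01:17 ./var/spool/demo/
drwxrwxrwt root/root         0 2001-10-23 01:17 ./var/tmp/demo/
"""

# Assumed watch list: account databases that are created at install time and
# therefore do not appear in any package's own file list.
UNOWNED_SYSTEM_FILES = {"/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow"}

ENTRY_RE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+(?P<owner>[^/\s]+)/(?P<group>\S+)\s+"
    r"(?P<size>[\d,]+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<path>.+)$"
)


class Finding(NamedTuple):
    path: str
    reason: str


def normalise(path: str, is_symlink: bool) -> str:
    """Turn './usr/bin/x' (or './a -> b' for a symlink) into '/usr/bin/x'."""
    if is_symlink:
        path = path.split(" -> ", 1)[0]
    if path.startswith("./"):
        path = path[1:]
    return path.rstrip("/") or "/"


def audit_listing(listing: str) -> List[Finding]:
    """Flag payload entries worth a manual look before the package is installed."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            findings.append(Finding(line.strip(), "unparsed entry, inspect by hand"))
            continue
        mode, kind = m["mode"], m["mode"][0]
        path = normalise(m["path"], kind == "l")
        if path in UNOWNED_SYSTEM_FILES:
            findings.append(Finding(path, "ships a system file that no package owns"))
        if kind == "l":
            continue  # permission bits on a symlink carry no meaning
        if mode[3] in "sS":  # owner execute slot holds the setuid marker
            findings.append(Finding(path, "setuid " + m["owner"]))
        if mode[6] in "sS":  # group execute slot holds the setgid marker
            findings.append(Finding(path, "setgid " + m["group"]))
        sticky = mode[9] in "tT"
        if mode[8] == "w" and not (kind == "d" and sticky):
            what = "directory without sticky bit" if kind == "d" else "file"
            findings.append(Finding(path, "world-writable " + what))
    return findings


def listing_from_deb(deb_path: str) -> str:
    """List a real package with dpkg-deb (must be installed); unused by the sample."""
    return subprocess.run(["dpkg-deb", "-c", deb_path], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = listing_from_deb(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for f in audit_listing(text):
        print(f"{f.path}: {f.reason}")
```

A clean result only means that none of these patterns is present in the file list; maintainer scripts are not examined.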
Re: Two questions about /etc/apt/sources.list
On Tue, Oct 23, 2001 at 02:43:48PM +0800, Zhenguang Mo (163) wrote:
> Hi,
>
> Q1:
> is http://security.debian.org/dists/ and
> http://security.debian.org/debian-security/dists/ the same thing?

I'm pretty sure they are. I can't seem to check as ftp won't let me ls currently (I think that machine is still being upgraded, but maybe it just doesn't like me tonight).

> Q2: do i also need to have a line saying
> deb http://security.debian.org/debian-non-US potato/non-US main
> contrib non-free
> for non-us update?

You discovered the wonders of virtual hosting. Both non-us.debian.org and security.debian.org are on the same machine (also known as pandora.debian.org). Depending on what hostname you use to access it, you get a slightly different directory hierarchy.

I'm not quite sure what your question is however. You won't get non-us security updates by putting

deb http://security.debian.org/debian-non-US potato/non-US main

in sources.list because that is the same as the line

deb http://non-us.debian.org/debian-non-US potato/non-US main

which I presume you already have. I think (and I hope somebody will correct me if I'm wrong) that as the security updates are already being provided on a non-us machine, they include non-us packages along with the regular ones.

-- 
Steven Barker [EMAIL PROTECTED]
You will stop at nothing to reach your objective, but only because your brakes are defective.
GnuPG public key: http://www.students.uiuc.edu/~scbarker/pubkey.asc
Fingerprint: 272A 3EC8 52CE F22B F745 775E 5292 F743 EBD5 936B
Re: Hi :>
Hi Tom

On Thu, Oct 18, 2001 at 07:46:01PM +0100, Tom Breza wrote:
>Hi I got this today in my mail box, this is generated by something but I
>don't know what is it? Why I got message from root? and why is empty?
>also is strange a X-UIDL,
>what can generate that kind of mail and why is empty?

do you have log2mail installed?

palic@shaun:~$ dpkg -l | grep log2mail
ii log2mail 0.2.5 Daemon watching logfiles and mailing lines m
palic@shaun:~$

I do and I get empty mails from root, too.
Why is it empty ... I think, because of missing configuration!

Regards
Jan

-- 
One time, you all will be emulated by linux!

Jan- Hendrik Palic
Url:"http://www.billgotchy.de";
E-Mail: "[EMAIL PROTECTED]"

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s: a-- C++ UL++ P+++ L+++ E W++ N+ o+ K- w--- O- M- V- PS++ PE Y+ PGP++ t--- 5- X+++ R-- tv- b++ DI-- D+++ G+++ e+++ h+ r++ z+
------END GEEK CODE BLOCK------
Re: Questions regarding the Security Secretary Position
On Tue, 23 Oct 2001, Martin Schulze wrote:

>John Galt wrote:
>> On Tue, 23 Oct 2001, Martin Schulze wrote:
>>
>> >John Galt wrote:
>> >>
>> >> It really didn't need to go to -devel in the first place: this is internal
>> >> to debian-security until there's a candidate. Followups redirected.
>> >
>> >Err... you have noticed that there are already two people filling
>> >this position, haven't you?
>>
>> And since the candidate wasn't announced on -devel, one can only assume
>
>I'm sorry, but things are announced to -devel-announce, -news or
>-announce. If you don't follow these lists, I'm sorry...

Wherever they're announced is pretty much irrelevant, the issue at hand is that 1) somebody complained about the crosspost 2) -devel was the obvious extra and 3) I redirected it. I cannot be expected to unilaterally redirect, so my comment was my way of throwing up my hands: crosspost it to hell as far as I'm concerned, just don't blame me anymore for where it goes.

>Regards,
>
> Joey
>
>

-- 
Be Careful! I have a black belt in sna-fu!
Who is John Galt? [EMAIL PROTECTED]
Two questions about /etc/apt/sources.list
Hi,

Q1:
is http://security.debian.org/dists/ and
http://security.debian.org/debian-security/dists/ the same thing?

Q2: do i also need to have a line saying

deb http://security.debian.org/debian-non-US potato/non-US main contrib non-free

for non-us update?

thanks
Mo
Re: Questions regarding the Security Secretary Position
John Galt wrote:
> On Tue, 23 Oct 2001, Martin Schulze wrote:
>
> >John Galt wrote:
> >>
> >> It really didn't need to go to -devel in the first place: this is internal
> >> to debian-security until there's a candidate. Followups redirected.
> >
> >Err... you have noticed that there are already two people filling
> >this position, haven't you?
>
> And since the candidate wasn't announced on -devel, one can only assume

I'm sorry, but things are announced to -devel-announce, -news or -announce. If you don't follow these lists, I'm sorry...

Regards,

Joey

-- 
This is Linux Country. On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.
Re: Questions regarding the Security Secretary Position
On Tue, 23 Oct 2001, Martin Schulze wrote:

>John Galt wrote:
>>
>> It really didn't need to go to -devel in the first place: this is internal
>> to debian-security until there's a candidate. Followups redirected.
>
>Err... you have noticed that there are already two people filling
>this position, haven't you?

And since the candidate wasn't announced on -devel, one can only assume that their qualifications aren't germane to -devel (followups NOT redirected, I've futilely tried too many times to redirect to care who the hell gets this).

>Regards,
>
> Joey
>
>

-- 
Be Careful! I have a black belt in sna-fu!
Who is John Galt? [EMAIL PROTECTED]
Re: Questions regarding the Security Secretary Position
John Galt wrote:
>
> It really didn't need to go to -devel in the first place: this is internal
> to debian-security until there's a candidate. Followups redirected.

Err... you have noticed that there are already two people filling this position, haven't you?

Regards,

Joey

-- 
This is Linux Country. On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.
Re: Questions regarding the Security Secretary Position
On 22 Oct 2001, Thomas Bushnell, BSG wrote:

>John Galt <[EMAIL PROTECTED]> writes:
>
>> The whole problem here is they DIDN'T ask you. You threw in your two
>> cents worth without a corresponding pledge of support.
>
>It's a public mailing list, and I was simply contributing my
>suggestion. You decided it should be a big Federal case.

I find that hilarious coming from you. Didn't you once try to muzzle myself and another on -legal, claiming that lists.debian.org wasn't a public resource? Hypocrite.

>I'll make you a deal. When you rudely say "shut up", I'll pay
>attention if you return the favor when I say shut up to you.

Yeah, sure. You have yet to back that statement with lack of words...

>> No, but you DO make yourself a hypocrite for calling ME obstructionist...
>> Compared to you, I'm a piker in this context apparently.
>
>I'm not trying to obstruct anything.

No, you're just making "reasonable suggestions" after the fact. Whatever, if you can't figure that what you're doing is being obstructionist, there ain't nothing I'm going to tell you that will change it, even if I could.

-- 
Be Careful! I have a black belt in sna-fu!
Who is John Galt? [EMAIL PROTECTED]
Re: Multiple IP addresses
Quite obvious when you look at it (DUH!)

Thanks for all who replied.

Marcel

Robert Davidson wrote:

IP aliasing. Cya.

Marcel Welschbillig wrote:

Can any one tell me the kernel option to enable on 2.2.17 to be able to specify multiple ethernet addresses in the /etc/network/interfaces file. ie. eth0 eth0:1 eth0:2 .. on the same physical interface ?

I know it works on the standard kernel but every time i compile my own kernel i lose the ability to do this.

Thanks !

Marcel

-- 
Regards,
Marcel Welschbillig
Inter-Network Engineer
Comdek Limited
673 Murray Street West Perth WA 6005
Ph : (08)9214 5259
FAX: (08)9214 5201
Re: Multiple IP addresses
IP aliasing. Cya.

Marcel Welschbillig wrote:
>
> Can any one tell me the kernel option to enable on 2.2.17 to be able to
> specify multiple ethernet addresses in the /etc/network/interfaces file.
> ie. eth0 eth0:1 eth0:2 .. on the same physical interface ?
>
> I know it works on the standard kernel but every time i compile my own
> kernel i lose the ability to do this.
>
> Thanks !
>
> Marcel

--
Regards,
Robert Davidson.
http://www.mlug.org.au/
Re: Multiple IP addresses
it's called alias support, and can be found in networking options.

CONFIG_IP_ALIAS=y

On Tue, Oct 23, 2001 at 12:29:36PM +0800, Marcel Welschbillig wrote:
>
> Can any one tell me the kernel option to enable on 2.2.17 to be able to
> specify multiple ethernet addresses in the /etc/network/interfaces file.
> ie. eth0 eth0:1 eth0:2 .. on the same physical interface ?

--
Jason Thomas                          Phone:  +61 2 6257 7111
System Administrator - UID 0          Fax:    +61 2 6257 7311
tSA Consulting Group Pty. Ltd.        Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602        http://www.topic.com.au/
Re: Multiple IP addresses
Previously Marcel Welschbillig wrote:
> I know it works on the standard kernel but every time i compile my own
> kernel i lose the ability to do this.

Enable IP aliasing.

Wichert.

--
/ Nothing is fool-proof to a sufficiently talented fool \
| [EMAIL PROTECTED] http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Re: Multiple IP addresses
Marcel Welschbillig <[EMAIL PROTECTED]> writes:
> Can any one tell me the kernel option to enable on 2.2.17 to be able
> to specify multiple ethernet addresses in the /etc/network/interfaces
> file. ie. eth0 eth0:1 eth0:2 .. on the same physical interface ?
>
> I know it works on the standard kernel but every time i compile my own
> kernel i lose the ability to do this.

CONFIG_IP_ALIAS

Phil.
Re: Questions regarding the Security Secretary Position
John Galt <[EMAIL PROTECTED]> writes:
> The whole problem here is they DIDN'T ask you. You threw in your two
> cents worth without a corresponding pledge of support.

It's a public mailing list, and I was simply contributing my suggestion. You decided it should be a big Federal case.

I'll make you a deal. When you rudely say "shut up", I'll pay attention if you return the favor when I say shut up to you.

> No, but you DO make yourself a hypocrite for calling ME obstructionist...
> Compared to you, I'm a piker in this context apparently.

I'm not trying to obstruct anything.
Multiple IP addresses
Can any one tell me the kernel option to enable on 2.2.17 to be able to specify multiple ethernet addresses in the /etc/network/interfaces file. ie. eth0 eth0:1 eth0:2 .. on the same physical interface ? I know it works on the standard kernel but every time i compile my own kernel i lose the ability to do this. Thanks ! Marcel