Re: Bug#130876: Very definitely a bug, security
On Sat, 26 Jan 2002 05:01:14 + Lazarus Long <[EMAIL PROTECTED]> wrote:

> This is definitely a security risk. There is no reason that such
> information should be exposed to attackers. Just because FreeBSD has
> some lame security practices doesn't mean Debian has to emulate them.
> (If I ran it, I'd file a bug there as well.)

I agree that this is exposing information that can be used by an attacker to aid them in their exploits. On the other hand, the purpose of the change was a good one; it's hard to tell if you're running a vulnerable SSH in Stable, since the version string is the same as the stock upstream source, while the Debian diffs will have many added patches.

Is there any way this can be run-time configurable?

--
 .--=-=-=-=--=---=-=-=.
/David Barclay Harris      Aut agere, aut mori. \
\Clan Barclay          Either action, or death./
 `---==-=-=-=-===-=---=--='
Re: Bug#130876: Very definitely a bug, security
severity 130876 grave
thanks

On Sat, Jan 26, 2002 at 02:47:20AM +, Jonathan D. Amery wrote:
> Subject: Bug#130876: Not a bug.
>
> severity 130876 wishlist
> thanks
>
> This is not a bug.

This is definitely a security risk. There is no reason that such information should be exposed to attackers. Just because FreeBSD has some lame security practices doesn't mean Debian has to emulate them. (If I ran it, I'd file a bug there as well.)

Post your root password and IP address if you think obscurity is irrelevant. (You are twisting a comment about *source* being available for peer review in the crypto community, not about site-specifics being open to all.)

/etc/issue and /etc/issue.net are conffiles, so the site admin can choose to stop broadcasting information to any and all attackers that may aid them in the process. Yet ssh 1:3.0.2p1-5 intends to make that irrelevant for any host running it on a public interface.

This is a significant security hole that -5 opens, that was not open in -4, and needs to be addressed ASAP.

--
Please (OpenPGP) encrypt all mail whenever possible.
Request the following Public Keys for Lazarus Long <[EMAIL PROTECTED]>
Type  Bits/KeyID  Fingerprint
DSA   KeyID:
ElGamal: 2048g/CCB09D64  8270 4B79 CB1E 433B 6214  64EB 9D58 28A9 E8B1 27F4
(old 2001 keys)
ElGamal: 2048g/215A8B4A  F258 C2DD 7E9C DCEB E64F  82EC D4BB 3438 8B82 A392
Re: Bug#130876: Very definitely a bug, security
On Sat, Jan 26, 2002 at 05:00:52AM +, Lazarus Long wrote:
> Post your root password and IP address if you think obscurity is
> irrelevant. (You are twisting a comment about *source* being available
> for peer review in the crypto community, not about site-specifics being
> open to all.)

Apples to oranges. Passwords are successfully obscure because there are lots of them. There are not nearly enough separate flavors of ssh to help obscurity.

Meanwhile, having the Debian string in the ssh identification can help make tracking down issues relating to a particular ssh package easier.

By the way, my IP is 129.63.206.105.

I disagree that this is a grave bug in any way. Luckily, this bug isn't keeping other ssh changes out of testing.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
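The disagreement in this thread is about what the server's identification line advertises. As an added example (not code from the thread or from the Debian ssh package), here is a small Python parser for SSH identification strings as defined in RFC 4253 section 4.2 (`SSH-protoversion-softwareversion SP comments CR LF`), together with a classifier an administrator can run over the banners of their own hosts to see whether the comment field carries distribution or package-revision detail beyond the upstream version. All banner lines below are constructed; the Debian-style line is shaped like the one the thread objects to and is not a captured string.

```python
"""Parse SSH identification strings (RFC 4253 section 4.2) and report what
they reveal about the host.  Added example for auditing one's own servers;
every banner used here is constructed, not captured from a real system."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 4253: SSH-protoversion-softwareversion SP comments CR LF
# softwareversion contains no whitespace; the comments field is optional.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)

# Words that mark the comments field as naming a distribution or package
# revision rather than just upstream software (heuristic, extend as needed).
_DISTRO_RE = re.compile(r"(?i)debian|ubuntu|freebsd|redhat|-\d+$")


@dataclass
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_ident(line: bytes) -> SshIdent:
    """Parse one identification line; raise ValueError if it is malformed."""
    text = line.decode("ascii", errors="strict").rstrip("\r\n")
    m = _IDENT_RE.match(text)
    if not m:
        raise ValueError(f"not an SSH identification string: {text!r}")
    return SshIdent(m["proto"], m["software"], m["comments"])


def exposure_level(ident: SshIdent) -> str:
    """Classify how much the identification string gives away.

    'minimal'      - software field carries no version number at all
    'upstream'     - only the upstream software version is visible
    'distribution' - comments name a distribution or package revision
    """
    if not re.search(r"\d", ident.softwareversion):
        return "minimal"
    if ident.comments and _DISTRO_RE.search(ident.comments):
        return "distribution"
    return "upstream"


def audit_banners(lines: List[bytes]) -> List[Tuple[str, str]]:
    """Return (softwareversion, exposure) for each parseable banner line;
    lines that are not SSH identification strings are reported as such."""
    report = []
    for line in lines:
        try:
            ident = parse_ident(line)
        except ValueError:
            report.append((line.decode("ascii", "replace").strip(), "not-ssh"))
            continue
        report.append((ident.softwareversion, exposure_level(ident)))
    return report


if __name__ == "__main__":
    # Constructed sample banners covering the three cases discussed above.
    samples = [
        b"SSH-1.99-OpenSSH_3.0.2p1\r\n",
        b"SSH-1.99-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-5\r\n",
        b"SSH-2.0-OpenSSH\r\n",
        b"220 mail.example ESMTP\r\n",
    ]
    for software, level in audit_banners(samples):
        print(f"{software:40s} {level}")
```

The classifier is deliberately conservative: it only reports what the string itself states, so it is a way to check a fleet's configured banners against local policy, not a fingerprinting tool.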
Re: SpamAssassin (Was Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON)
Oliver M. Bolzer wrote:
> I've heard Razor is (configurable) part of SpamAssassin. I'd recommend
> disabling that check because somebody is tagging about 1/3 of Bugtraq mail
> in Razor thus sending it to the Spam folder.

Razor only scores 3 points in spamassassin, so a mail would need to exhibit two more points of spammishness to be flagged by spamassassin. I've not seen any false positives from bugtraq.

I consider razor mostly useless by itself, but it's still worth something as a part of a larger tool.

--
see shy jo
Re: what is the firewall?
Kenneth karlsen wrote:
> [EMAIL PROTECTED] wrote:
>
>> I am new to Debian Linux. Does anyone know what good firewall software
>> there is for Debian, and how to install it?
>>
>> I am using Debian r. 2.2r4.
>>
>> thx
>>
>> aku
>
> also apt-get install bastill*
> man InteractiveBastille
> easy and simple
> Kenneth

While you're at it, Linuxconf isn't too bad either. The http://www.linux-firewall-tools.com site also has a good ipchains builder. And there are some decent GTK firewall builders also, aren't there?

Josh
Re: what is the firewall?
[EMAIL PROTECTED] wrote:
> I am new to Debian Linux. Does anyone know what good firewall software
> there is for Debian, and how to install it?
>
> I am using Debian r. 2.2r4.
>
> thx
>
> aku

also apt-get install bastill*
man InteractiveBastille
easy and simple

Kenneth
Re: what is the firewall?
[EMAIL PROTECTED] wrote:
>
> I am new to Debian Linux. Does anyone know what good firewall software
> there is for Debian, and how to install it?
>
> I am using Debian r. 2.2r4.

If you are using kernel 2.2.x (I think this is standard with potato), ipchains is your friend.

Installation:

apt-get install ipchains

Read the man page and the howto for the configuration.

If you already use kernel 2.4.x, the netfilter framework using iptables will do.

Martin

--
[EMAIL PROTECTED]                Discon GmbH Internet Solutions
Wrangelstrasse 100               http://www.discon.de/
10997 Berlin, Germany
what is the firewall?
I am new to Debian Linux. Does anyone know what good firewall software there is for Debian, and how to install it?

I am using Debian r. 2.2r4.

thx

aku
Re: how to create MD5 passwords
On Thu, Jan 24, 2002 at 08:56:56AM +0100, Rainer Sigl wrote:
> Hi everyone,
> can somebody please tell me how to make MD5 passwords in order
> to supply them to the ftppasswd file?
>

mkpasswd -H md5 mon_password

mkpasswd --version
GNU mkpasswd 4.5.16

--
Easter-eggs                                   Spécialiste GNU/Linux
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37   -   Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED]   -   http://www.easter-eggs.com
Re: how to create MD5 passwords
On Thu, Jan 24, 2002 at 08:56:56AM +0100, Rainer Sigl wrote:
> Hi everyone,
> can somebody please tell me how to make MD5 passwords in order
> to supply them to the ftppasswd file?

mkpasswd - Overfeatured front end to crypt(3)

It's in the whois package.

--
Florian Friesdorf <[EMAIL PROTECTED]>
OpenPGP key available on public key servers

--> Save the future of Open Source <--
-> Online-Petition against Software Patents <-
--> http://petition.eurolinux.org <---
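What `mkpasswd -H md5` hands back is an MD5-crypt string of the form `$1$salt$hash`, the same format crypt(3) accepts in /etc/shadow and in files such as ftppasswd. As an added example (not code from this thread or from the whois package), here is a pure-Python implementation of the MD5-crypt algorithm (Poul-Henning Kamp's, as used by crypt(3)) together with a salt generator and a constant-time verifier, so a hash can be produced and checked offline without a crypt library. The password and salt in the `__main__` block are constructed test values; `make_salt()` draws real salts from `secrets`.

```python
"""MD5-crypt ($1$) password hashing, the format produced by 'mkpasswd -H md5'
and accepted by crypt(3).  Added example, pure Python, runs offline.  The
password and salt in __main__ are constructed test values."""
import hashlib
import hmac
import secrets

_MAGIC = b"$1$"
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def make_salt(length: int = 8) -> str:
    """Random salt from the crypt(3) alphabet; MD5-crypt uses at most 8 chars."""
    return "".join(chr(secrets.choice(_ITOA64)) for _ in range(min(length, 8)))


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base-64: 6 bits per character, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    pw = password.encode("utf-8")
    # crypt(3) accepts a full "$1$salt$..." string as the salt argument:
    # strip the magic, stop at the next '$', and keep at most 8 characters.
    if salt.startswith("$1$"):
        salt = salt[3:]
    sb = salt.split("$", 1)[0][:8].encode("ascii")

    ctx = hashlib.md5(pw + _MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # Mix in len(pw) bytes of the alternate digest, 16 at a time.
    n = len(pw)
    while n > 0:
        ctx.update(alt[: min(16, n)])
        n -= 16
    # For each bit of len(pw): a NUL byte if the bit is set, else pw[0].
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    # Fixed 1000 rounds of stretching with a data-dependent mixing pattern.
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # Encode the 16 digest bytes in the permuted order crypt(3) uses (22 chars).
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (_MAGIC + sb + b"$" + out).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if not stored.startswith("$1$"):
        return False
    salt = stored[3:].split("$", 1)[0]
    return hmac.compare_digest(md5crypt(password, salt), stored)


if __name__ == "__main__":
    # Constructed values; a real deployment takes the salt from make_salt().
    h = md5crypt("correct horse", "saltsalt")
    print(h)
    print("verify ok:", verify("correct horse", h), "wrong:", verify("nope", h))
```

To cross-check against the tool from the thread, `mkpasswd -H md5 -S saltsalt` (the `-S` option fixes the salt) on a Debian host should print the same string for the same password. MD5-crypt's 1000 iterations were chosen for 1990s hardware and cannot be tuned, so for anything new prefer sha512-crypt or bcrypt; this example is about understanding the format the thread is generating, not a recommendation to keep using it.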
Re: SpamAssassin (Was Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON)
On Fri, Jan 25, 2002 at 08:31:24AM +0100, Oliver M. Bolzer wrote:
> I've heard Razor is (configurable) part of SpamAssassin. I'd recommend
> disabling that check because somebody is tagging about 1/3 of Bugtraq mail
> in Razor thus sending it to the Spam folder.

Or you can add

whitelist_from [EMAIL PROTECTED]

to your .spamassassin.cf file.

Luca

--
Luca Filipozzi
[dpkg] We are the apt. Resistance is futile. You will be packaged.
Re: SpamAssassin (Was Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON)
On Thu, Jan 24, 2002 at 06:03:54PM -0600, Bryan Andersen <[EMAIL PROTECTED]> wrote...
> My ISP uses SpamAssassin and it works quite nicely. Not
> perfectly, but well enough that I like it. It's filtered
> out about 8M bytes of spam in the past 16 days. SpamAssassin
> puts some new headers into the message that tell its spam
> status.

I've heard Razor is (configurable) part of SpamAssassin. I'd recommend disabling that check because somebody is tagging about 1/3 of Bugtraq mail in Razor thus sending it to the Spam folder.

--
Oliver M. Bolzer
[EMAIL PROTECTED]
GPG (PGP) Fingerprint = 621B 52F6 2AC1 36DB 8761 018F 8786 87AD EF50 D1FF