Re: APT-GET Problems

2002-05-03 Thread Pavel Minev Penev

On Thu, May 02, 2002 at 06:54:38PM -0700, Mike Shepherd wrote:
 # apt-get install uucp
 Reading Package Lists... Done
 Building Dependency Tree... Done
 The following NEW packages will be installed:
   uucp 
 0 packages upgraded, 1 newly installed, 0 to remove and 0  not upgraded.
 E: Could not get lock /var/cache/apt/archives/lock - open (22 Invalid argument)
 E: Unable to lock the download directory
 
 [root@generic:pts/0-1!/var/cache/apt/archives]
 # mount
 /dev/hda5 on / type ext2 (rw,errors=remount-ro)
 proc on /proc type proc (rw)
 devpts on /dev/pts type devpts (rw,gid=5,mode=620)
 192.168.2.15:/home on /home type nfs (rw,noexec,nosuid,nodev,rsize=8192,wsize=8192,addr=192.168.2.15)
 192.168.2.15:/var/cache/apt/archives on /var/cache/apt/archives type nfs (rw,noexec,nosuid,nodev,rsize=8192,wsize=8192,addr=192.168.2.15)

This sounds like an NFS locking problem. It will surely happen if you
try to use `dpkg` (either through `apt-get`, or not) on both machines at
the same time. Otherwise, it may be an NFS server problem, or a kernel
problem (regarding NFS locking support). Does anyone know something more
precise?

-- 
Pav


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
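One way to test the hypothesis above before touching the NFS server or the kernel, as an added example that is not part of the thread and not code from apt: dpkg and apt take a non-blocking fcntl() lock on their lock file, and the errno that comes back from the same call separates "somebody else holds the lock" (the concurrent dpkg run described above) from "the NFS client or lock manager refuses to lock at all". The default path, the errno interpretation table and the temp-directory self-check are this example's own assumptions.

```python
"""Probe a lock file the way dpkg/apt lock theirs and explain what the errno means.

Added example, not code from the thread or from apt.  apt takes a non-blocking
fcntl() write lock on /var/cache/apt/archives/lock; this does the same on a
path of your choosing and reports which of the causes named in the thread the
result points at.  The errno table is an assumption of this example.
"""
import errno
import fcntl
import os
import shutil
import sys
import tempfile

DEFAULT_LOCK = "/var/cache/apt/archives/lock"  # the file named in the apt error above

# Assumed mapping from errno to the most likely cause on an NFS mount.
EXPLANATIONS = {
    errno.EAGAIN: "another process holds the lock (a dpkg/apt run on the other host?)",
    errno.EACCES: "another process holds the lock (a dpkg/apt run on the other host?)",
    errno.ENOLCK: "no lock manager available: NFS lockd/statd not running or unreachable",
    errno.EINVAL: "the kernel/NFS client rejected the request (locking unsupported on this mount?)",
}


def probe_lock(path):
    """Open `path` and try an exclusive, non-blocking fcntl lock on it.

    Returns (stage, err): (None, None) when the lock was taken and released,
    otherwise the failing call ("open" or "lock") and its errno.  The stage is
    reported because apt's own message above says open() itself failed.
    """
    try:
        fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o640)
    except OSError as e:
        return "open", e.errno
    try:
        fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as e:
        return "lock", e.errno
    else:
        fcntl.lockf(fd, fcntl.LOCK_UN)
        return None, None
    finally:
        os.close(fd)


def explain(stage, err):
    """Turn probe_lock()'s result into a one-line diagnosis."""
    if stage is None:
        return "lock acquired: locking works on this file system and nobody else holds it"
    hint = EXPLANATIONS.get(err, "unexpected error, check the mount options and the kernel log")
    return "%s() failed with errno %d (%s): %s" % (stage, err, os.strerror(err), hint)


def probe_in_tempdir():
    """Self-check on local disk: a fresh lock file on a normal file system must
    lock cleanly, so run this first to make sure the tool itself behaves."""
    workdir = tempfile.mkdtemp()
    try:
        return probe_lock(os.path.join(workdir, "lock"))
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_LOCK
    stage, err = probe_lock(target)
    print("%s: %s" % (target, explain(stage, err)))
    sys.exit(0 if stage is None else 1)
```

Run it on the client against the NFS-mounted lock file while no dpkg or apt-get is running anywhere. A "held by another process" answer in that situation points at a lock left behind by a client that died without telling the server's lock manager; "no lock manager" or "rejected" points at the NFS setup rather than at concurrent use.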




[no subject]

2002-05-03 Thread officegirl







Gabriel perfume
Foundation
Bullet jeans

\25,000
\39,000
\31,500

We apologise for sending this mail without your permission.
If you do not wish to receive it, please press the button next to it.







html spam

2002-05-03 Thread Thomas Buhk


can someone plz remove the html spammer and also disable html for the
mailing list(s)?

bye,
tom.

-- 
pub  1024D/DB69936B 2002-03-01 Thomas Buhk [EMAIL PROTECTED]
 Key fingerprint = DA11 1EC3 30EE BE59 3D47 9A0E F7E2 9CF1 DB69 936B
 






unsubscribe

2002-05-03 Thread Marc FERRE

Pavel Minev Penev wrote:
 
 On Thu, May 02, 2002 at 06:54:38PM -0700, Mike Shepherd wrote:
  # apt-get install uucp
  Reading Package Lists... Done
  Building Dependency Tree... Done
  The following NEW packages will be installed:
uucp
  0 packages upgraded, 1 newly installed, 0 to remove and 0  not upgraded.
  E: Could not get lock /var/cache/apt/archives/lock - open (22 Invalid argument)
  E: Unable to lock the download directory
 
  [root@generic:pts/0-1!/var/cache/apt/archives]
  # mount
  /dev/hda5 on / type ext2 (rw,errors=remount-ro)
  proc on /proc type proc (rw)
  devpts on /dev/pts type devpts (rw,gid=5,mode=620)
  192.168.2.15:/home on /home type nfs (rw,noexec,nosuid,nodev,rsize=8192,wsize=8192,addr=192.168.2.15)
  192.168.2.15:/var/cache/apt/archives on /var/cache/apt/archives type nfs (rw,noexec,nosuid,nodev,rsize=8192,wsize=8192,addr=192.168.2.15)
 
 This sounds like an NFS locking problem. It will surely happen if you
 try to use `dpkg` (either through `apt-get`, or not) on both machines at
 the same time. Otherwise, it may be an NFS server problem, or a kernel
 problem (regarding NFS locking support). Does anyone know something more
 precise?
 
 --
 Pav
 






Re: APT-GET Problems

2002-05-03 Thread Matt Zimmerman

On Thu, May 02, 2002 at 09:32:33PM -0700, tony mancill wrote:

 this isn't exactly a debian-security answer (but then again, I'm not sure
 that you've posed a debian-security question), but my recommendation is to
 use the apt-proxy package on the server machine (you can even use
 apt-proxy-import to build your proxying mirror using the files you've
 already pooled).  Then you set up your clients to pull packages from your
 apt-proxy box, which will transparently fetch anything asked of it and add
 the deb to its cache.  You'll only pay once for the fetch, but have a copy
 from that point forward.

Or use squid to accomplish the same thing.

-- 
 - mdz






snort not recognizing dns server correctly

2002-05-03 Thread Jeff

I have the following entry in /etc/snort/snort.conf

var DNS_SERVERS [192.168.0.0/24,216.148.227.68/32,204.127.202.4/32]

The 192... is a local private network and the next 2 addresses
are dns servers.  Snort is constantly logging activity to the 1st
dns server as a portscan, and as I understand it, this config
entry is supposed to eliminate that.  Is this incorrect?

thanks,
jc

-- 
Jeff Coppock      Systems Engineer
Diggin' Debian    Admin and User






Re: snort not recognizing dns server correctly

2002-05-03 Thread dafr

Jeff,

I had this problem initially as well when I reconfigured snort, until I
restarted the service. Quite obvious in retrospect, but when I missed
it initially, I could see others doing the same.

There is also a section towards the bottom of the snort.conf file that
you _also_ have to unhash, for DNS_SERVERS, IIRC, to actually activate
the DNS filter.

HTH,
David

--- Jeff [EMAIL PROTECTED] wrote:
 I have the following entry in /etc/snort/snort.conf
 
 var DNS_SERVERS [192.168.0.0/24,216.148.227.68/32,204.127.202.4/32]
 
 The 192... is a local private network and the next 2 addresses
 are dns servers.  Snort is constantly logging activity to the 1st
 dns server as a portscan, and as I understand it, this config
 entry is supposed to eliminate that.  Is this incorrect?
 
 thanks,
 jc
 
 -- 
 Jeff Coppock      Systems Engineer
 Diggin' Debian    Admin and User


__
Do You Yahoo!?
Yahoo! Health - your guide to health and wellness
http://health.yahoo.com


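A way to check both of David's points, and Jeff's address list, against the file rather than by eye, as an added example that is not part of the thread and not Snort code: parse the `var` lines of a snort.conf, see whether DNS_SERVERS is referenced by any line that is not commented out, and test whether the address Snort keeps flagging falls inside the variable's networks. The sample snort.conf text is constructed; its `portscan-ignorehosts` line follows the form used by Snort 1.x and is assumed to be the section near the bottom of the file that the reply refers to.

```python
"""Check a snort.conf for a defined-but-unused address variable.

Added example, not from the thread and not from Snort.  Given the conf text, a
variable name and the address Snort keeps flagging, report whether the variable
is defined, whether any active (uncommented) line references it, and whether
the address is covered.  SAMPLE_CONF is constructed for this example; the
portscan-ignorehosts line follows Snort 1.x syntax and is an assumption.
"""
import ipaddress
import re

SAMPLE_CONF = """\
var HOME_NET 192.168.0.0/24
var DNS_SERVERS [192.168.0.0/24,216.148.227.68/32,204.127.202.4/32]
var EXTERNAL_NET any

preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
# Uncomment the next line so replies from the name servers are not logged as scans
#preprocessor portscan-ignorehosts: $DNS_SERVERS
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")


def parse_vars(conf_text):
    """Return {name: [ip_network, ...]} for every `var NAME value` line.

    Values are a single address/CIDR, a bracketed comma list, `any`, or a
    reference to an earlier variable ($NAME).  Negated entries (!x) are not
    handled by this example.
    """
    result = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        nets = []
        for item in value.strip("[]").split(","):
            item = item.strip()
            if item == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            elif item.startswith("$"):
                nets.extend(result.get(item[1:], []))
            elif item:
                nets.append(ipaddress.ip_network(item, strict=False))
        result[name] = nets
    return result


def references(conf_text, name):
    """Split the lines that mention $NAME into active ones and commented-out ones."""
    active, commented = [], []
    for line in conf_text.splitlines():
        if "$" + name not in line:
            continue
        bucket = commented if line.lstrip().startswith("#") else active
        bucket.append(line.strip())
    return active, commented


def covers(nets, address):
    """True when `address` lies inside any of the networks."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in nets)


def check(conf_text, name, address):
    """Answer the three questions the thread raises for one variable."""
    variables = parse_vars(conf_text)
    defined = name in variables
    active, commented = references(conf_text, name)
    return {
        "defined": defined,
        "covers_address": defined and covers(variables[name], address),
        "active_uses": active,
        "commented_uses": commented,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for key, value in check(text, "DNS_SERVERS", "216.148.227.68").items():
        print("%-15s %s" % (key, value))
```

On the sample the variable is defined and covers 216.148.227.68, but the only line using it is commented out, which is exactly the state David describes: the definition alone changes nothing until the line that consumes it is active and Snort has been restarted.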




Re: snort not recognizing dns server correctly

2002-05-03 Thread Robert van der Meulen

Hi Jeff,

Quoting Jeff ([EMAIL PROTECTED]):
 The 192... is a local private network and the next 2 addresses
 are dns servers.  Snort is constantly logging activity to the 1st
 dns server as a portscan, and as I understand it, this config
 entry is supposed to eliminate that.  Is this incorrect?

Please email me offlist about this; (debian-security is not the right place,
the package maintainer address (mine) is).
It's also important to know what version(s) of the package(s) you're talking
about.

Greets,
Robert
-- 
( o  Linux Generation  o )
///\finger [EMAIL PROTECTED] for my GnuPG/PGP key./\\\
\V_/well you should probably thank me anyway, \_V/
   those disks needed a major clean up :)   -- Cracker






Help

2002-05-03 Thread Brian Furry


Hello:

I am in the process of getting a debian server in the high school that I
teach in.  The network admin is concerned about the security of the
existing Novell Server, border manager, etc.  Our ISP is very picky
about not hogging more bandwidth than we are supposed to use.

I have been carefully pushing for a debian linux server for about 3 years
and now I am very close to getting one for my students to program on. The
network admin is the last person I need to sign off on it.


Below is a message from him, that I need to reply to in order for him
to sanction the machine.  I would like some help in creating a response
to soothe his anxiety and fears.


**

I have described the Linux project, its uses, and its physical placement
within our network, to four knowledgeable people, and asked for their
thoughts and recommendations.

A. Partner in a consulting company based in Hunterdon County.  Their
mission is to encourage Linux use in small/medium companies.

B. Lt. Col. (ret.) USAF,  now a contractor for the Air Force (process
compliance and Unix network administrator)

C. Network technician.  This person builds wide-area networks for
corporations and financial institutions

D. Computer consultant.  This person has extensive employment experience
(programming, documentation, database, networking) with HP, Agilent, and
others.  Husband and brother also do design work for top computer firms.


They all insisted that a dedicated firewall is a requirement.  They are
unanimous in their exhortation that the server be properly secured.  B
gave specific items to examine in this regard,  and A offered to scan it
from inside and outside our building.  

A,  B,  and C state that, even if it IS properly secured, this does
not prevent some types of malicious behavior.  A and B think that the
risk is no greater than our current setup, while C has reservations that
we should not increase our susceptibility, and that the 24-hour
availability of this server leaves us open to mischief.

I share C's concern.  In-school computer use is subject to various
controls, not the least of which is teacher oversight.  By design, a
publicly accessible server on which students can run their own programs at
3 a.m. lacks this important security. 

In light of this last point, let me pose a situation:  A student loads and
runs a program onto this Linux server which then launches attacks on other
computers or routers on the Internet.  Such attacks could be as simple as
participating in a Denial-of-Service attack.  In our earlier meeting, you
said that proper settings, permissions, and restrictions could prevent that.  

Since this is one of the situations for which I am most concerned, can you
give me (in excruciating detail) the steps which would prevent this?  









==
Brian R. Furry  [EMAIL PROTECTED]
==  ===

  The Power of Open Source can only give the people what 
  they so richly deserve ...

  stable and flexible computing


===
Debian/GNU Linuxwww.debian.org
===






Re: Help

2002-05-03 Thread Steve Meyer

Tell him you could easily set up iptables to restrict outgoing connections,
i.e. you can telnet to it but not telnet out, or send packets in but not out.  I
have worked on many servers that have this feature used, e.g. Compaq's
testdrive program.  I also use this feature in one of my free shell servers.


From: Brian Furry [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Help
Date: Fri, 3 May 2002 18:14:15 -0400 (EDT)


Hello:

I am in the process of getting a debian server in the high school that I
teach in.  The network admin is concerned about the security of the
existing Novell Server, border manager, etc.  Our ISP is very picky
about not hogging more bandwidth than we are supposed to use.

I have been carefully pushing for a debian linux server for about 3 years
and now I am very close to getting one for my students to program on. The
network admin is the last person I need to sign off on it.


Below is a message from him, that I need to reply to in order for him
to sanction the machine.  I would like some help in creating a response
to soothe his anxiety and fears.


**

I have described the Linux project, its uses, and its physical placement
within our network, to four knowledgeable people, and asked for their
thoughts and recommendations.

A. Partner in a consulting company based in Hunterdon County.  Their
mission is to encourage Linux use in small/medium companies.

B. Lt. Col. (ret.) USAF,  now a contractor for the Air Force (process
compliance and Unix network administrator)

C. Network technician.  This person builds wide-area networks for
corporations and financial institutions

D. Computer consultant.  This person has extensive employment experience
(programming, documentation, database, networking) with HP, Agilent, and
others.  Husband and brother also do design work for top computer firms.


They all insisted that a dedicated firewall is a requirement.  They are
unanimous in their exhortation that the server be properly secured.  B
gave specific items to examine in this regard,  and A offered to scan it
from inside and outside our building.

A,  B,  and C state that, even if it IS properly secured, this does
not prevent some types of malicious behavior.  A and B think that the
risk is no greater than our current setup, while C has reservations that
we should not increase our susceptibility, and that the 24-hour
availability of this server leaves us open to mischief.

I share C's concern.  In-school computer use is subject to various
controls, not the least of which is teacher oversight.  By design, a
publicly accessible server on which students can run their own programs at
3 a.m. lacks this important security.

In light of this last point, let me pose a situation:  A student loads and
runs a program onto this Linux server which then launches attacks on other
computers or routers on the Internet.  Such attacks could be as simple as
participating in a Denial-of-Service attack.  In our earlier meeting, you
said that proper settings, permissions, and restrictions could prevent 
that.

Since this is one of the situations for which I am most concerned, can you
give me (in excruciating detail) the steps which would prevent this?









==
Brian R. Furry  [EMAIL PROTECTED]
==  ===

   The Power of Open Source can only give the people what
   they so richly deserve ...

   stable and flexible computing


 ===
Debian/GNU 

Re: Help

2002-05-03 Thread Thomas Zimmerman

On 03-May 06:14, Brian Furry wrote:
 
 Hello:
 
 I am in the process of getting a debian server in the high school that I
 teach in.  The network admin is concerned about the security of the
 existing Novell Server, border manager, etc.  Our ISP is very picky
 about not hogging more bandwidth than we are supposed to use.
 
 I have been carefully pushing for a debian linux server for about 3 years
 and now I am very close to getting one for my students to program on. The
 network admin is the last person I need to sign off on it.
 
 
 Below is a message from him, that I need to reply to in order for him 
 to sanction the machine.  I would like some help in creating a response 
 to soothe his anxiety and fears.
 
 
 **
 
 I have described the Linux project, its uses, and its physical placement
 within our network, to four knowledgeable people, and asked for their
 thoughts and recommendations.
 
 A. Partner in a consulting company based in Hunterdon County.  Their
 mission is to encourage Linux use in small/medium companies.
 
 B. Lt. Col. (ret.) USAF,  now a contractor for the Air Force (process
 compliance and Unix network administrator)
 
 C. Network technician.  This person builds wide-area networks for
 corporations and financial institutions
 
 D. Computer consultant.  This person has extensive employment experience
 (programming, documentation, database, networking) with HP, Agilent, and
 others.  Husband and brother also do design work for top computer firms.
 
 
 They all insisted that a dedicated firewall is a requirement.  They are
 unanimous in their exhortation that the server be properly secured.  B
 gave specific items to examine in this regard,  and A offered to scan it
 from inside and outside our building.  
 
 A,  B,  and C state that, even if it IS properly secured, this does
 not prevent some types of malicious behavior.  A and B think that the
 risk is no greater than our current setup, while C has reservations that
 we should not increase our susceptibility, and that the 24-hour
 availability of this server leaves us open to mischief.

 I share C's concern.  In-school computer use is subject to various
 controls, not the least of which is teacher oversight.  By design, a
 publicly accessible server on which students can run their own programs at
 3 a.m. lacks this important security. 

There are pam settings that disallow users based on time of day. (see pam
documentation.) 

 In light of this last point, let me pose a situation:  A student loads and
 runs a program onto this Linux server which then launches attacks on other
 computers or routers on the Internet.  Such attacks could be as simple as
 participating in a Denial-of-Service attack.  In our earlier meeting, you
 said that proper settings, permissions, and restrictions could prevent that.  
 
 Since this is one of the situations for which I am most concerned, can you
 give me (in excruciating detail) the steps which would prevent this?  
 
If this is of great concern, setting up cron jobs to take the machine off line
at the end of the school day, and returning it online in the morning is not
difficult. Refining firewall rules to allow only good access is also a
possibility. Using apt-get to stay up-to-date lessens the chance that bugs leave
this machine open to general attack for long, and lessens support time spent
just keeping software patches straight.

Also, if you feel up to it, the grsecurity patch allows you to lock down the
kernel more, and disallow run-of-the-mill exploits. This does have some
performance impact, but it's not really noticeable on today's hardware (new stuff).
 
 
Thomas 
 ==
 Brian R. Furry[EMAIL PROTECTED]
 =====
   
   The Power of Open Source can only give the people what 
   they so richly deserve ...
   
   stable and flexible computing
 
 
   ===
 Debian/GNU Linux  www.debian.org
 ===
 
 



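The time-of-day control Thomas points to is pam_time's /etc/security/time.conf. To see what a given rule file would do at 3 a.m. before enabling it, here is an added example, not from the thread and not Linux-PAM code, that evaluates a subset of that format: `services;ttys;users;times` lines, with `*`, `!name`, `a|b` and trailing-`*` globs in the first three fields, and day-code plus HHMM-HHMM ranges joined by `|` in the last. The sample rules and the inclusive-start, exclusive-end reading of a range are this example's own assumptions; `&` combinations and ranges that wrap past midnight are left out.

```python
"""Evaluate a subset of pam_time's /etc/security/time.conf.

Added example, not from the thread and not Linux-PAM code.  pam_time denies a
login when some rule matches the service, tty and user but its time field does
not cover the current time; every matching rule must allow.  Supported here:
`*`, `!name`, `a|b` and trailing-`*` globs in the service/tty/user fields, and
DayCodesHHMM-HHMM terms joined by `|` (optionally `!`-negated) in the time
field.  SAMPLE_TIME_CONF is constructed for the student-server scenario.
"""
import re

SAMPLE_TIME_CONF = """\
# services;ttys;users;times   (constructed example)
login;*;!root;Wk0800-1600
sshd;*;alice|bob;Wk0800-1600|Sa0900-1200
"""

# Day codes as pam_time spells them; weekdays numbered like datetime.weekday().
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": set(range(5)), "Wd": {5, 6}, "Al": set(range(7)),
}
TIME_TERM_RE = re.compile(r"^((?:[A-Z][a-z])+)(\d{4})-(\d{4})$")


def parse_time_term(term):
    """'!Wk0800-1600' -> (days, start, end, negated); ranges must not wrap midnight."""
    negated = term.startswith("!")
    m = TIME_TERM_RE.match(term.lstrip("!"))
    if not m:
        raise ValueError("unsupported time term: %r" % term)
    codes, start, end = m.group(1), int(m.group(2)), int(m.group(3))
    if start > end:
        raise ValueError("ranges wrapping past midnight are not handled: %r" % term)
    days = set()
    for i in range(0, len(codes), 2):
        days |= DAY_CODES[codes[i:i + 2]]
    return days, start, end, negated


def time_term_matches(term, weekday, hhmm):
    """Start is inclusive, end exclusive (this example's reading of the range)."""
    days, start, end, negated = term
    inside = weekday in days and start <= hhmm < end
    return inside != negated


def field_matches(field, value):
    """Match a service/tty/user field ('*', 'name', '!name', 'a|b', 'tty*') against value."""
    for alt in field.split("|"):
        negated = alt.startswith("!")
        pattern = alt.lstrip("!")
        if pattern.endswith("*"):
            hit = value.startswith(pattern[:-1])
        else:
            hit = value == pattern
        if hit != negated:
            return True
    return False


def allowed(conf_text, service, tty, user, weekday, hhmm):
    """True unless a rule matching (service, tty, user) has no time term covering now."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc, ttys, users, times = [f.strip() for f in line.split(";")]
        if not (field_matches(svc, service) and field_matches(ttys, tty)
                and field_matches(users, user)):
            continue
        terms = [parse_time_term(t.strip()) for t in times.split("|")]
        if not any(time_term_matches(t, weekday, hhmm) for t in terms):
            return False
    return True


if __name__ == "__main__":
    import datetime
    now = datetime.datetime.now()
    hhmm = now.hour * 100 + now.minute
    for user in ("alice", "teacher"):
        print(user, "ssh login allowed now:",
              allowed(SAMPLE_TIME_CONF, "sshd", "pts/0", user, now.weekday(), hhmm))
```

pam_time is an account module, so the rule file only takes effect once `account required pam_time.so` is in the PAM configuration of the service concerned (under /etc/pam.d). It gates new logins only: a process a student started at 3 p.m. is still running at 3 a.m., which is why the reply pairs it with the cron job and the firewall rules.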


Re: Help

2002-05-03 Thread Carel Fellinger

On Fri, May 03, 2002 at 06:14:15PM -0400, Brian Furry wrote:
 
 Hello:
 
 I am in the process of getting a debian server in the high school that I
 teach in.  The network admin is concerned about the security of the
 existing Novell Server, border manager, etc.  Our ISP is very picky
 about not hogging more bandwidth than we are supposed to use.
 
 I have been carefully pushing for a debian linux server for about 3 years
 and now I am very close to getting one for my students to program on. The
 network admin is the last person I need to sign off on it.

Much depends on the exact setup. And there I have to guess :)


 They all insisted that a dedicated firewall is a requirement.  They are

Here I'm confused.  What has this to do with your new server and what
has it to do with it being linux based?


I'm just guessing here, but I take it that your new server won't have a
direct connection to the internet, i.e. there is no telephone nor a
cable modem hooked up to it.  Instead it uses the localnet to route
all its internet traffic via another local machine.  That *other*
local machine should be a firewall and it should be there regardless
of your new server to protect your local network from the web, though
it probably needs to be reconfigured / adapted to deal with your new
server.  I sure hope they do have that firewall in place right now,
whether it's a single machine firewall or a double layered (bastion
type) one.


Or are they insisting to insulate the localnet from your new server?
In that case they should realize that anybody who brings in a laptop
is a big security risk for your localnet, so your localnet should be
setup to cope with it and your new server is not really changing that.
And, related, how are other machines protected against misuse?  It's
for example easy to bring in a CD with lots of nasty programs to run
from any Windows machine in the localnet.


Or is your new server to be available from outside?  In that case it
really should be insulated from the localnet.  Best is to put it in
a DMZ apart from the localnet, directly connected to the already
existing firewall.


Or is your new server physically accessible?  Then they should realise
that most physically accessible machines can easily be taken over by
bringing in a CD or even a floppy unless that machine has been secured
in other ways.  Secure the box so it can't be opened, add a passwd on
the BIOS setup (and pray there isn't a generic passwd for that
particular BIOS like there is for most BIOSes), disallow booting from
removable media in the BIOS and configure your bootloader (lilo,
GRUB?) to need a passwd for special boots too.  Again, things that
need to be done for any machine in the localnet regardless of whether
it's a linux or a Windows based machine.


 unanimous in their exhortation that the server be properly secured.  B
 gave specific items to examine in this regard,  and A offered to scan it
 from inside and outside our building.  
 
 A,  B,  and C state that, even if it IS properly secured, this does
 not prevent some types of malicious behavior.  A and B think that the
 risk is no greater than our current setup, while C has reservations that
 we should not increase our susceptibility, and that the 24-hour
 availability of this server leaves us open to mischief.
 
 I share C's concern.  In-school computer use is subject to various
 controls, not the least of which is teacher oversight.  By design, a
 publicly accessible server on which students can run their own programs at
 3 a.m. lacks this important security. 

Ah, so it is accessible from the net.  Go for a DMZ then.  If your
school already offers public services, then such a DMZ should already
be in place, just hook your new server in, adjust the rules in the
firewall(s) that insulate the localnet from your public service machines.

And allow ssh access in only!
 
 In light of this last point, let me pose a situation:  A student loads and
 runs a program onto this Linux server which then launches attacks on other
 computers or routers on the Internet.  Such attacks could be as simple as
 participating in a Denial-of-Service attack.  In our earlier meeting, you
 said that proper settings, permissions, and restrictions could prevent that.  

Simply set up the DMZ to allow only ssh access to that box and disallow
all other access.  Moreover, don't route anything from that new server
but the ssh connection.  Again, the standard things regardless of whether
it's a linux or a Windows based machine.


-- 
groetjes, carel


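What Steve's "packets in but not out" and Carel's "only ssh, route nothing else" look like as a concrete rule set, as an added example that is not part of the thread: the function below emits an iptables-restore file with DROP policies on every chain, inbound ssh accepted, replies to accepted connections accepted in both directions, an explicit list of outbound exceptions (if apt-get is to keep the box patched as Thomas suggests, it still needs a hole to its package mirror or apt-proxy and to a resolver), and a rate-limited LOG of every other connection the box tries to open. A small parser for those kernel log lines follows, so the admin can see in the morning what a student program attempted. Addresses, the log prefix and the sample log lines are constructed; `-m state` is the match the 2.4 kernels of the time had and current iptables still accepts it.

```python
"""iptables rules for a host that may be reached by ssh but may not reach out.

Added example, not from the thread.  build_ruleset() returns text in
iptables-restore format; parse_drop_log() reads the kernel LOG lines the last
OUTPUT rule produces.  All addresses, the prefix and the log sample are
constructed for this example.
"""
import re
from collections import Counter

LOG_PREFIX = "STUDENT-OUT-DROP: "  # assumed prefix; iptables limits it to 29 chars


def build_ruleset(ssh_port=22, admin_net=None, allowed_out=(), log_prefix=LOG_PREFIX):
    """Return an iptables-restore file as a string.

    admin_net:   optional CIDR; when given, ssh is accepted only from there.
    allowed_out: (proto, host, port) triples the box may open connections to,
                 e.g. its apt-proxy on tcp/9999 and a resolver on udp/53.
    """
    src = " -s %s" % admin_net if admin_net else ""
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",   # never route for anyone
        ":OUTPUT DROP [0:0]",    # nothing leaves unless listed below
        "-A INPUT -i lo -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        # packets belonging to connections we already accepted, both ways
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # the one inbound service: ssh
        "-A INPUT -p tcp%s --dport %d -m state --state NEW -j ACCEPT" % (src, ssh_port),
    ]
    for proto, host, port in allowed_out:
        rules.append("-A OUTPUT -p %s -d %s --dport %d -m state --state NEW -j ACCEPT"
                     % (proto, host, port))
    # everything else the box tries to originate: log (rate limited), then the DROP policy
    rules.append('-A OUTPUT -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "%s"'
                 % log_prefix)
    rules.append("COMMIT")
    return "\n".join(rules) + "\n"


# Constructed kernel log lines: a program on the box tried to reach a web server at 03:12.
SAMPLE_KERNEL_LOG = [
    "May  3 03:12:44 srv kernel: STUDENT-OUT-DROP: IN= OUT=eth0 SRC=10.0.5.2 DST=203.0.113.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40212 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May  3 03:12:45 srv kernel: STUDENT-OUT-DROP: IN= OUT=eth0 SRC=10.0.5.2 DST=203.0.113.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40213 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May  3 03:12:46 srv sshd[1234]: Accepted publickey for alice from 10.0.1.9 port 51022 ssh2",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop_log(lines, log_prefix=LOG_PREFIX):
    """Extract (src, dst, proto, dport) from every LOG line carrying our prefix."""
    hits = []
    for line in lines:
        if log_prefix not in line:
            continue
        fields = dict(FIELD_RE.findall(line.split(log_prefix, 1)[1]))
        hits.append((fields.get("SRC"), fields.get("DST"), fields.get("PROTO"), fields.get("DPT")))
    return hits


def blocked_destinations(lines, log_prefix=LOG_PREFIX):
    """Count blocked attempts per destination, the first thing to look at in the morning."""
    return Counter("%s:%s/%s" % (dst, dport, proto)
                   for _, dst, proto, dport in parse_drop_log(lines, log_prefix))


if __name__ == "__main__":
    print(build_ruleset(admin_net="10.0.1.0/24",
                        allowed_out=[("udp", "10.0.0.53", 53), ("tcp", "10.0.0.10", 9999)]))
    print(blocked_destinations(SAMPLE_KERNEL_LOG))
```

Load the output with `iptables-restore` from a console session rather than over ssh the first time, since a mistake in the INPUT rules locks the remote session out. The LOG rule is what makes the policy auditable: a burst of dropped NEW connections from the box to one address at 3 a.m. is the scenario the network admin asked about, caught and blocked rather than merely hoped against.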




can't get .shosts authentication to run

2002-05-03 Thread Juergen Fiedler

Hello,

I am trying to connect to a machine on our LAN with the .shosts
method, but it seems that my ssh client is not even willing to try
that. My $HOME/.ssh/config looks like this:

---
Host myserver
  HostName myserver.mydomain.net
  Protocol 2
  RhostsRSAAuthentication yes
  RhostsAuthentication yes
  HostbasedAuthentication yes
---

When I try to connect with ssh -v, I get the following output:

---
OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9, SSH protocols 1.5/2.0, OpenSSL
0x0090603f
debug1: Reading configuration data /home/juergen/.ssh/config
debug1: Applying options for cavemaus
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1000 geteuid 0 anon 1
debug1: Connecting to myserver.mydomain.net [XXX.XX.XX.XXX] port
22.
[...]
---

I then get logged in via public key authentication.

Am I correct in assuming that the 'Rhosts Authentication disabled'
line means that the client isn't even going to try the .shosts method?
If so, is there anything I can do to remediate that?

The client system is sid, the server woody and ssh is installed SUID
root on both.

Any help would be appreciated.

Thanks in advance,
Juergen





Re: APT-GET Problems

2002-05-03 Thread tony mancill
Hi Mike,

this isn't exactly a debian-security answer (but then again, I'm not sure
that you've posed a debian-security question), but my recommendation is to
use the apt-proxy package on the server machine (you can even use
apt-proxy-import to build your proxying mirror using the files you've
already pooled).  Then you set up your clients to pull packages from your
apt-proxy box, which will transparently fetch anything asked of it and add
the deb to its cache.  You'll only pay once for the fetch, but have a copy
from that point forward.

Hope that helps,
tony

On Thu, 2 May 2002, Mike Shepherd wrote:

 Howdy all,

   I am running 2 Linux systems (1 server comprising a Cyrix 686 chip with 
 32MB RAM, the other a 486 workstation), and I have the systems set up so that 
 when I run APT-GET on the 486, it checks /var/cache/apt/archives on the 
 server to see if the required files exist before downloading them.  If they 
 do, use them, if not, download from the 'net and store in the 
 above-mentioned location.  For some reason, though, I am now getting an error 
 when trying to install/remove/upgrade on the 486.  The server runs fine, no 
 problems there.  But the 486 will not perform the APT-GET functions properly. 
  I have the error message, and my mount properties below:

 # apt-get install uucp
 Reading Package Lists... Done
 Building Dependency Tree... Done
 The following NEW packages will be installed:
   uucp
 0 packages upgraded, 1 newly installed, 0 to remove and 0  not upgraded.
 E: Could not get lock /var/cache/apt/archives/lock - open (22 Invalid 
 argument)
 E: Unable to lock the download directory

 [EMAIL PROTECTED]:pts/0-1!/var/cache/apt/archives]
 # mount
 /dev/hda5 on / type ext2 (rw,errors=remount-ro)
 proc on /proc type proc (rw)
 devpts on /dev/pts type devpts (rw,gid=5,mode=620)
 192.168.2.15:/home on /home type nfs (rw,noexec,nosuid,nodev,rsize=8192,wsize=8192,addr=192.168.2.15)
 192.168.2.15:/var/cache/apt/archives on /var/cache/apt/archives type nfs (rw,noexec,nosuid,nodev,rsize=8192,wsize=8192,addr=192.168.2.15)

 [EMAIL PROTECTED]:pts/0-1!/var/cache/apt/archives]
 #

 I realize this may not be enough information to help find a solution,
 but with some guidance, I can locate more info from my systems for
 anyone wishing to tackle this problem.

 I was told that this method of mounting the server's
 /var/cache/apt/archives/ directory would make things far more efficient,
 and that it would be less painful to download things only once.  And I
 can agree with that as our 'net connection is only a 56k modem.

 In the meantime, any takers?

 Cheers!
 Mike Shepherd (AKA: The Sheepster)  Ham: VE7PRT





Re: APT-GET Problems

2002-05-03 Thread Pavel Minev Penev
On Thu, May 02, 2002 at 06:54:38PM -0700, Mike Shepherd wrote:
 # apt-get install uucp
 Reading Package Lists... Done
 Building Dependency Tree... Done
 The following NEW packages will be installed:
   uucp 
 0 packages upgraded, 1 newly installed, 0 to remove and 0  not upgraded.
 E: Could not get lock /var/cache/apt/archives/lock - open (22 Invalid 
 argument)
 E: Unable to lock the download directory
 
 [EMAIL PROTECTED]:pts/0-1!/var/cache/apt/archives]
 # mount
 /dev/hda5 on / type ext2 (rw,errors=remount-ro)
 proc on /proc type proc (rw)
 devpts on /dev/pts type devpts (rw,gid=5,mode=620)
 192.168.2.15:/home on /home type nfs 
 (rw,noexec,nosuid,nodev,rsize=8192,wsize=81
 92,addr=192.168.2.15)
 192.168.2.15:/var/cache/apt/archives on /var/cache/apt/archives type nfs 
 (rw,noe
 xec,nosuid,nodev,rsize=8192,wsize=8192,addr=192.168.2.15)

This sounds like an NFS locking problem. It will surely happen if you
try to use `dpkg` (either through `apt-get`, or not) on both machines at
the same time. Otherwise, it may be an NFS server problem, or a kernerl
problem (regarding NFS locking support). Someone knows something more
prcise?

-- 
Pav


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



[no subject]

2002-05-03 Thread officegirl






 
 

가브리엘향수
파운데이션
총알청바지

\25,000
\39,000
\31,500

허락 없이 메일을 보내드려 죄송합니다.
원치 않으시면 옆의 버튼을 눌러주세요. 




-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



html spam

2002-05-03 Thread Thomas Buhk

can someone plz remove the html spamer and also disable html for the
mailinglist(s)?

bye,
tom.

-- 
pub  1024D/DB69936B 2002-03-01 Thomas Buhk [EMAIL PROTECTED]
 Key fingerprint = DA11 1EC3 30EE BE59 3D47 9A0E F7E2 9CF1 DB69 936B
 


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



unsubscribe

2002-05-03 Thread Marc FERRE
Pavel Minev Penev wrote:
 
 On Thu, May 02, 2002 at 06:54:38PM -0700, Mike Shepherd wrote:
  # apt-get install uucp
  Reading Package Lists... Done
  Building Dependency Tree... Done
  The following NEW packages will be installed:
uucp
  0 packages upgraded, 1 newly installed, 0 to remove and 0  not upgraded.
  E: Could not get lock /var/cache/apt/archives/lock - open (22 Invalid 
  argument)
  E: Unable to lock the download directory
 
  [EMAIL PROTECTED]:pts/0-1!/var/cache/apt/archives]
  # mount
  /dev/hda5 on / type ext2 (rw,errors=remount-ro)
  proc on /proc type proc (rw)
  devpts on /dev/pts type devpts (rw,gid=5,mode=620)
  192.168.2.15:/home on /home type nfs 
  (rw,noexec,nosuid,nodev,rsize=8192,wsize=81
  92,addr=192.168.2.15)
  192.168.2.15:/var/cache/apt/archives on /var/cache/apt/archives type nfs 
  (rw,noe
  xec,nosuid,nodev,rsize=8192,wsize=8192,addr=192.168.2.15)
 
 This sounds like an NFS locking problem. It will surely happen if you
 try to use `dpkg` (either through `apt-get`, or not) on both machines at
 the same time. Otherwise, it may be an NFS server problem, or a kernerl
 problem (regarding NFS locking support). Someone knows something more
 prcise?
 
 --
 Pav
 
 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: APT-GET Problems

2002-05-03 Thread Matt Zimmerman
On Thu, May 02, 2002 at 09:32:33PM -0700, tony mancill wrote:

 this isn't exactly a debian-security answer (but then again, I'm not sure
 that you've posed a debian-security question), but my recommendation is to
 use the apt-proxy package on server machine (you can even use
 apt-proxy-import to build your proxying mirror using the files you've
 already pooled).  Then you set up your clients to pull packages from your
 apt-proxy box, which will transparently fetch anything asked of it and add
 the deb to its cache.  You'll only pay once for the fetch, but have a copy
 from that point forward.

Or use squid to accomplish the same thing.

-- 
 - mdz





snort not recognizing dns server correctly

2002-05-03 Thread Jeff
I have the following entry in /etc/snort/snort.conf

var DNS_SERVERS [192.168.0.0/24,216.148.227.68/32,204.127.202.4/32]

The 192... is a local private network and the next 2 addresses
are dns servers.  Snort is constantly logging activity to the 1st
dns server as a portscan, and as I understand it, this config
entry is supposed to eliminate that.  Is this incorrect?

thanks,
jc

-- 
Jeff Coppock        Systems Engineer
Diggin' Debian      Admin and User





Re: snort not recognizing dns server correctly

2002-05-03 Thread Robert van der Meulen
Hi Jeff,

Quoting Jeff ([EMAIL PROTECTED]):
 The 192... is a local private network and the next 2 addresses
 are dns servers.  Snort is constantly logging activity to the 1st
 dns server as a portscan, and as I understand it, this config
 entry is supposed to eliminate that.  Is this incorrect?

Please email me offlist about this; (debian-security is not the right place,
the package maintainer address (mine) is).
It's also important to know what version(s) of the package(s) you're talking
about.

Greets,
Robert
-- 
( o  Linux Generation  o )
///\finger [EMAIL PROTECTED] for my GnuPG/PGP key./\\\
\V_/well you should probably thank me anyway, \_V/
   those disks needed a major clean up :)   -- Cracker





Help

2002-05-03 Thread Brian Furry

Hello:

I am in the process of getting a debian server in the high school that I
teach in.  The network admin is concerned about the security of the
existing Novell Server, border manager, etc.  Our ISP is very picky
about not hogging more bandwidth than we are supposed to use.

I have been carefully pushing for a debian linux server for about 3 years
and now I am very close to getting one for my students to program on. The
network admin is the last person I need to sign off on.


Below is a message from him, that I need to reply to in order for him 
to sanction the machine.  I would like some help in creating a response 
to soothe his anxiety and fears.


**

I have described the Linux project, its uses, and its physical placement
within our network, to four knowledgeable people, and asked for their
thoughts and recommendations.

A. Partner in a consulting company based in Hunterdon County.  Their
mission is to encourage Linux use in small/medium companies.

B. Lt. Col. (ret.) USAF,  now a contractor for the Air Force (process
compliance and Unix network administrator)

C. Network technician.  This person builds wide-area networks for
corporations and financial institutions

D. Computer consultant.  This person has extensive employment experience
(programming, documentation, database, networking) with HP, Agilent, and
others.  Husband and brother also do design work for top computer firms.


They all insisted that a dedicated firewall is a requirement.  They are
unanimous in their exhortation that the server be properly secured.  B
gave specific items to examine in this regard,  and A offered to scan it
from inside and outside our building.  

A,  B,  and C state that, even if it IS properly secured, this does
not prevent some types of malicious behavior.  A and B think that the
risk is no greater than our current setup, while C has reservations that
we should not increase our susceptibility, and that the 24-hour
availability of this server leaves us open to mischief.

I share C's concern.  In-school computer use is subject to various
controls, not the least of which is teacher oversight.  By design, a
publicly accessible server on which students can run their own programs at
3 a.m. lacks this important security. 

In light of this last point, let me pose a situation:  A student loads and
runs a program onto this Linux server which then launches attacks on other
computers or routers on the Internet.  Such attacks could be as simple as
participating in a Denial-of-Service attack.  In our earlier meeting, you
said that proper settings, permissions, and restrictions could prevent that.  

Since this is one of the situations for which I am most concerned, can you
give me (in excruciating detail) the steps which would prevent this?  









==
Brian R. Furry  [EMAIL PROTECTED]
==  ===

  The Power of Open Source can only give the people what 
  they so richly deserve ...

  stable and flexible computing


===
Debian/GNU Linuxwww.debian.org
===





Re: Help

2002-05-03 Thread Steve Meyer
Tell him you could easily set up iptables to restrict outgoing connections, 
i.e. you can telnet in but not telnet out, or send packets in but not out.  I 
have worked on many servers that have this feature used, i.e. Compaq's 
TestDrive program.  I also use this feature in one of my free shell servers.




  

Re: APT-GET Problems

2002-05-03 Thread Peter Cordes
On Fri, May 03, 2002 at 12:33:28PM -0400, Matt Zimmerman wrote:
 Or use squid to accomplish the same thing.

 If you use squid, you should tweak the config file:
Increase the maximum_object_size to handle big .debs:
maximum_object_size 10 KB

I also use LFUDA so squid doesn't mind caching large files.  (I've got
plenty of space, and I do other web browsing through squid, so this helps
keep .debs in the cache, I think.):
cache_replacement_policy heap LFUDA

I use GDSF for the memory-cache:
memory_replacement_policy heap GDSF


-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BCE





Re: APT-GET Problems

2002-05-03 Thread Matt Zimmerman
On Fri, May 03, 2002 at 08:02:28PM -0300, Peter Cordes wrote:

 On Fri, May 03, 2002 at 12:33:28PM -0400, Matt Zimmerman wrote:
  Or use squid to accomplish the same thing.
 
  If you use squid, you should tweak the config file:
 Increase the maximum_object_size to handle big .debs:
 maximum_object_size 10 KB

As a minimum, yes.  I also tune refresh_pattern so that debs and source
package files are considered fresh forever.

 I also use LFUDA so squid doesn't mind caching large files.  (I've got
 plenty of space, and I do other web browsing through squid, so this helps
 keep .debs in the cache, I think.):
 cache_replacement_policy heap LFUDA
 
 I use GDSF for the memory-cache:
 memory_replacement_policy heap GDSF

These may also be useful, I'll read up on the replacement policy options.

-- 
 - mdz
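Added example, not a config posted by anyone in the thread: a squid.conf fragment that puts together the settings Peter and Matt mention (object size ceiling, replacement policies, long freshness for package files) together with the two things a practitioner adds when one cache fronts package downloads for a whole LAN: short freshness for the index files and an access list so the proxy is not open to the world. The 200 MB ceiling, the 192.168.2.0/24 subnet, the proxy host name `aptcache` and the squid 2.4 syntax are assumptions.

```conf
# /etc/squid/squid.conf (fragment, added example)

# big enough for any .deb; squid's default of 4096 KB would refuse to cache most of them
maximum_object_size 200 MB

# disk policy that does not evict large objects first; memory policy that favours
# small, frequently hit objects (Peter's choices)
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF

# refresh_pattern regex  min(minutes)  percent  max(minutes)
# pool files are versioned and never change in place: fresh for 90 days
refresh_pattern -i \.deb$                        129600 100% 129600
refresh_pattern -i \.(dsc|diff\.gz|orig\.tar\.gz)$ 129600 100% 129600
# index files change on every mirror push: ask the mirror again within hours
refresh_pattern (Packages|Sources|Release)(\.gz)?$      0  20%   180
refresh_pattern .                                        0  20%  4320

# only the school LAN may use the cache; an open proxy on the ISP link is a
# bandwidth bill and a liability
acl localnet src 192.168.2.0/24
http_access allow localnet
http_access deny all

# /etc/apt/apt.conf on each client (assumed proxy host name and default squid port)
# Acquire::http::Proxy "http://aptcache:3128/";
```

The index-file pattern is kept short on purpose: apt decides what to fetch from Packages and Release, and a cache that hands back a stale copy makes clients ask for versions the mirror no longer has. The access list matters for a second reason: every client installs whatever this box hands back, and the apt of the day checks no signatures on what it downloads, so the cache host needs to be protected at least as well as the mirror it fronts.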





Re: Help

2002-05-03 Thread Thomas Zimmerman
On 03-May 06:14, Brian Furry wrote:
 

 I share C's concern.  In-school computer use is subject to various
 controls, not the least of which is teacher oversight.  By design, a
 publicly accessible server on which students can run their own programs at
 3 a.m. lacks this important security. 

There are pam settings that disallow users based on time of day. (see pam
documentation.) 

 In light of this last point, let me pose a situation:  A student loads and
 runs a program onto this Linux server which then launches attacks on other
 computers or routers on the Internet.  Such attacks could be as simple as
 participating in a Denial-of-Service attack.  In our earlier meeting, you
 said that proper settings, permissions, and restrictions could prevent that.  
 
 Since this is one of the situations for which I am most concerned, can you
 give me (in excruciating detail) the steps which would prevent this?  
 
If this is of great concern, setting up cron jobs to take the machine off line
at the end of the school day, and returning it online in the morning is not
difficult. Refining firewall rules to allow only good access is also a
possibility. Using apt-get to stay up-to-date lessens the chance that bugs leave
this machine open to general attack for long, and lessens support time spent
just keeping software patches straight.

Also, if you feel up to it, the grsecurity patch allows you to lock down the
kernel more, and disallow run-of-the-mill exploits. This does have some
performance impact, but it's not really noticeable on today's hardware (new stuff).
 
 
Thomas 


Re: Help

2002-05-03 Thread Stephen Gran
This one time, at band camp, Brian Furry said:
 (Speaking as the Net Admin)
 I share C's concern.  In-school computer use is subject to various
 controls, not the least of which is teacher oversight.  By design, a
 publicly accessible server on which students can run their own programs at
 3 a.m. lacks this important security. 
 
 In light of this last point, let me pose a situation:  A student loads and
 runs a program onto this Linux server which then launches attacks on other
 computers or routers on the Internet.  Such attacks could be as simple as
 participating in a Denial-of-Service attack.  In our earlier meeting, you
 said that proper settings, permissions, and restrictions could prevent that.  
 
 Since this is one of the situations for which I am most concerned, can you
 give me (in excruciating detail) the steps which would prevent this?  

iptables combined with login restrictions can solve this - I believe
setting up time-dependent logins is relatively painless (user can log in
only from 8AM to 4PM, for example).  iptables can easily restrict
outgoing traffic, and the rate of outgoing traffic, so that you could
allow regular web requests, but not ping floods or other attacks.  There
are other restrictions that you can use to limit users' ability to do
things - check out
/usr/share/doc/libpam-doc/sgml/modules/pam_limits.sgml.gz in libpam-doc
or man 5 limits for more things that are configurable.

Some brief examples:
/sbin/iptables -P OUTPUT DROP    # default policy: drop all outgoing packets
/sbin/iptables -A OUTPUT -p tcp -m limit --limit 1/second -j ACCEPT
                                 # ... or, instead of dropping everything,
                                 # rate-limit outgoing packets (tcp shown;
                                 # icmp or whatever else likewise)

In /etc/security/limits.conf:
@student        hard    nproc   50       # limits max number of processes


These are just off the top of my head - the others on this list can
probably give you more (and much better) suggestions than this.

Good luck,
Steve
-- 
Finagle's Seventh Law:
The perversity of the universe tends toward a maximum.
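Added example, not code from the thread: a small provisioning script for the student box that fills in both Stephen's sketches (a default-deny OUTPUT chain with rate-limited exceptions, and a limits.conf entry) and Thomas's pam time-of-day note, and handles the failure mode a bare `-P OUTPUT DROP` causes, namely that apt-get on the box itself stops working. Assumed, and not from the thread: a Unix group `student`, a teacher account `teacher`, the school resolver 192.168.0.1, an internal package mirror at 192.168.2.15, and `sshd` as the PAM service name of the ssh daemon. Set `IPT="echo iptables"` to print the rules instead of loading them and `ETC` to a scratch directory to preview the PAM fragments.

```shell
#!/bin/sh
# Added example: host-side egress controls for a student shell server.
# Assumptions (not from the thread): group 'student', account 'teacher',
# resolver 192.168.0.1, package mirror 192.168.2.15, PAM service 'sshd'.
IPT="${IPT:-iptables}"
RESOLVER="${RESOLVER:-192.168.0.1}"
MIRROR="${MIRROR:-192.168.2.15}"
ETC="${ETC:-/etc/security}"

egress_rules() {
    $IPT -F OUTPUT
    $IPT -P OUTPUT DROP                  # nothing leaves unless a rule below allows it
    $IPT -A OUTPUT -o lo -j ACCEPT
    # replies inside connections that were opened from outside (students' ssh
    # sessions); a connection the box itself initiates is NEW and falls through
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # root, and only root, may reach the package mirror, so apt-get keeps working
    $IPT -A OUTPUT -m owner --uid-owner 0 -p tcp -d "$MIRROR" --dport 80 -j ACCEPT
    # name resolution only through the designated resolver
    $IPT -A OUTPUT -p udp -d "$RESOLVER" --dport 53 -j ACCEPT
    # students may open web connections, a few per minute: --syn matches the
    # connection attempt, so the limit counts connections rather than packets
    $IPT -A OUTPUT -p tcp --syn -m multiport --dports 80,443 \
        -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
    # a trickle of pings for diagnostics; anything faster is a flood and is dropped
    $IPT -A OUTPUT -p icmp --icmp-type echo-request \
        -m limit --limit 1/second -j ACCEPT
    # everything else is logged (rate-limited, so the log cannot be flooded
    # either) and then hits the DROP policy; the log is the evidence trail
    $IPT -A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix "EGRESS DROP: "
}

student_limits() {
    # pam_limits reads this when 'session required pam_limits.so' is in the
    # PAM file of the login service
    cat >>"$ETC/limits.conf" <<'EOF'
# students: cap process count (no fork bombs), no core dumps, 60 cpu-minutes per process
@student        hard    nproc   50
@student        hard    core    0
@student        hard    cpu     60
EOF
    # pam_time reads this when 'account required pam_time.so' is in the PAM
    # file of the ssh service (assumed to be called sshd)
    cat >>"$ETC/time.conf" <<'EOF'
# services;ttys;users;times -- everyone except root and teacher: weekdays 07:30-16:30 only
sshd;*;!root&!teacher;Wk0730-1630
EOF
}

if [ "${1:-}" = "apply" ]; then
    egress_rules
    student_limits
fi
```

Two caveats a reader should carry over: the `-m limit` budget is per host, not per user, so one student's loop can starve everybody's web access (use `-m owner --gid-owner` rules per group if that matters), and a default-DROP OUTPUT chain also silences the box's own outbound mail, NTP and anything else it legitimately needs, each of which wants an explicit rule like the one for the mirror.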




Re: Help

2002-05-03 Thread Carel Fellinger
On Fri, May 03, 2002 at 06:14:15PM -0400, Brian Furry wrote:
 
 Hello:
 
 I am in the process of getting a debian server in the high school that I
 teach in.  The network admin is concerned about the security of the
 exsisting Novell Server, border manager, etc.  Our ISP is very picky
 about not hogging more bandwidth than we are suppossed to use.
 
 I have been carefully pushing for a debian linux server for about 3 years
 and now I am very close to getting one for my students to program on. The
 network admin is the last person I need to sign off on

Much depends on the exact setup. And there I've to guess :)


 They all insisted that a dedicated firewall is a requirement.  They are

Here I'm confused.  What has this to do with your new server and what
has it to do with it being linux based?


I'm just guessing here, but I take it that your new server won't have a
direct connection to the internet, i.e. there is no telephone nor a
cable modem hooked up to it.  Instead it uses the localnet to route
all its internet traffic via another local machine.  That *other*
local machine should be a firewall and it should be there regardless
of your new server to protect your local network from the web, though
it probably needs to be reconfigured / adapted to deal with your new
server.  I sure hope they do have that firewall in place right now,
whether it's a single machine firewall or a double layered (bastion
type) one.


Or are they insisting to insulate the localnet from your new server?
In that case they should realize that anybody who brings in a laptop
is a big security risk for your localnet, so your localnet should be
setup to cope with it and your new server is not really changing that.
And, related, how are other machines protected against misuse?  It's
for example easy to bring in a CD with lots of nasty programs to run
from any Windows machine in the localnet.


Or is your new server to be available from outside?  In that case it
really should be insulated from the localnet.  Best is to put it in
a DMZ apart from the localnet, directly connected to the already
existing firewall.


Or is your new server physically accessible?  Then they should realise
that most physically accessible machines can be easily taken over by
bringing in a CD or even a floppy unless that machine has been secured
in other ways.  Secure the box so it can't be opened, add a password on
the BIOS setup (and pray there isn't a generic password for that
particular BIOS like there is for most BIOSes), disallow booting from
removable media in the BIOS and configure your bootloader (lilo,
GRUB?) to need a password for special boots too.  Again, things that
need to be done for any machine in the localnet regardless of whether
it's a linux or a Windows based machine.


 unanimous in their exhortation that the server be properly secured.  B
 gave specific items to examine in this regard,  and A offered to scan it
 from inside and outside our building.  
 
 A,  B,  and C state that, even if it IS properly secured, this does
 not prevent some types of malicious behavior.  A and B think that the
 risk is no greater than our current setup, while C has reservations that
 we should not increase our susceptibility, and that the 24-hour
 availability of this server leaves us open to mischief.
 
 I share C's concern.  In-school computer use is subject to various
 controls, not the least of which is teacher oversight.  By design, a
 publicly accessible server on which students can run their own programs at
 3 a.m. lacks this important security. 

Ah, so it is accessible from the net.  Go for a DMZ then.  If your
school already offers public services, then such a DMZ should already
be in place, just hook your new server in, adjust the rules in the
firewall(s) that insulate the localnet from your public service machines.

And allow ssh access in only!
 
 In light of this last point, let me pose a situation:  A student loads and
 runs a program onto this Linux server which then launches attacks on other
 computers or routers on the Internet.  Such attacks could be as simple as
 participating in a Denial-of-Service attack.  In our earlier meeting, you
 said that proper settings, permissions, and restrictions could prevent that.  
Simply setup the DMZ to allow only ssh access to that box and disallow
all other access.  Moreover, don't route anything from that new server
but the ssh connection.  Again, the standard things regardless of whether
it's a linux or a Windows based machine.


-- 
groetjes, carel





can't get .shosts authentication to run

2002-05-03 Thread Juergen Fiedler
Hello,

I am trying to connect to a machine on our LAN with the .shosts
method, but it seems that my ssh client is not even willing to try
that. My $HOME/.ssh/config looks like this:

---
Host myserver
  HostName myserver.mydomain.net
  Protocol 2
  RhostsRSAAuthentication yes
  RhostsAuthentication yes
  HostbasedAuthentication yes
---

When I try to connect with ssh -v, I get the following output:

---
OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9, SSH protocols 1.5/2.0, OpenSSL
0x0090603f
debug1: Reading configuration data /home/juergen/.ssh/config
debug1: Applying options for cavemaus
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1000 geteuid 0 anon 1
debug1: Connecting to myserver.mydomain.net [XXX.XX.XX.XXX] port
22.
[...]
---

I then get logged in via public key authentication.

Am I correct in assuming that the 'Rhosts Authentication disabled'
line means that the client isn't even going to try the .shosts method?
If so, is there anything I can do to remediate that?

The client system is sid, the server woody and ssh is installed SUID
root on both.

Any help would be appreciated.

Thanks in advance,
Juergen
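Added example, not a config posted in the thread: the full set of pieces that protocol-2 host-based authentication needs on both ends, since the client-side options above are only half of it. The host names `client.mydomain.net` and `myserver.mydomain.net`, the address 192.168.2.20 and the account name are assumptions, and the key material is a placeholder to be copied out of band from the client's `/etc/ssh/ssh_host_rsa_key.pub`; the syntax is that of the OpenSSH 3.0 of the time.

```conf
# --- on the server (woody), /etc/ssh/sshd_config ---
Protocol 2
HostbasedAuthentication yes
# .shosts/.rhosts in home directories are ignored unless this is turned off;
# /etc/ssh/shosts.equiv is consulted regardless
IgnoreRhosts no
# decide which client HOST KEYS are trusted from the system-wide file only,
# never from a user's own ~/.ssh/known_hosts
IgnoreUserKnownHosts yes

# --- on the server, /etc/ssh/ssh_known_hosts (client host public key, placeholder) ---
client.mydomain.net,192.168.2.20 ssh-rsa AAAA...client host key...

# --- on the server, ~juergen/.shosts, mode 0600 (StrictModes rejects it otherwise):
#     "client host  remote user" that may log in as this account ---
client.mydomain.net juergen

# --- on the client (sid), ~/.ssh/config ---
Host myserver
    HostName myserver.mydomain.net
    Protocol 2
    HostbasedAuthentication yes
    PreferredAuthentications hostbased,publickey
```

With `ssh -v`, the server's `Authentications that can continue:` line shows whether sshd is offering `hostbased` at all; if it is absent, the problem is on the server side, not in the client options. Two security points before turning this on: the client signs the host-based challenge with its own host private key, so the client binary must be able to read `/etc/ssh/ssh_host_rsa_key` (which is what the setuid bit on the 3.0.x `ssh` is for), and the scheme trusts the whole client machine, so anyone who is root on `client.mydomain.net` can log in as every user with a matching `.shosts` entry. The `ssh_known_hosts` pinning is the only thing standing between that and a spoofed client address, which is why it must not be left to users' own known_hosts files.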

