Re: Strange opened ports.
[snip]
> news:~# netstat -vatn
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 195.6.210.99:22         80.9.25.228:654         ESTABLISHED
> tcp        0     53 195.6.210.99:22         193.250.33.70:660       FIN_WAIT1
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>
> Can anybody try this from elsewhere :
>
> # nmap -sU -p 1996-1997 news.pcl.fr

I find the same as you do. From Norway.

--
Alf

Re: Strange opened ports.
* Jacques Lav!gnotte [EMAIL PROTECTED] [020603 22:22]:
> Is there any malicious thing listening on these ports :
>
> Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
> Interesting ports on news.pcl.fr (195.6.210.99):
> Port    State       Protocol  Service
> 1996    open        udp       tr-rsrb-port
> 1997    open        udp       gdp-port

If you are running NFS or something else portmap-based, calling
rpcinfo -p on the machine might show you what service these ports are.

Respectfully,
Bernhard R. Link

--
The man who trades freedom for security does not deserve nor will he ever receive either. (Benjamin Franklin)

Re: Strange opened ports.
On Mon, Jun 03, 2002 at 04:55:18PM -0400, Derek J. Balling wrote:
> At 10:43 PM +0200 6/3/02, Guido Hennecke wrote:
> > netstat -an | grep port
>
> That command will only tell him yup, it's LISTENING, but won't tell
> him WHAT is listening on that port.

It does with the -p switch:

$ netstat -apn |grep port

Javi

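Added example, not part of any poster's message: the ports in question are UDP, which `netstat -vatn` (`-t`, TCP only) does not list, so this sketch reads the kernel table behind `netstat -apun`, `/proc/net/udp`, and matches socket inodes to PIDs. The sample table, inodes and PIDs are constructed, and a little-endian host (x86) is assumed.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/udp layout (not taken from the host in the thread).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   7: 00000000:07CC 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4101 2
   9: 63D206C3:07CD 00000000:0000 07 00000000:00000000 00:00000000 00000000   105        0 4102 2
  12: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4103 2
"""
# Constructed stand-in for /proc/<pid>/fd: pid -> symlink targets of its descriptors.
SAMPLE_FD_LINKS = {311: ["socket:[4101]", "/dev/null"], 420: ["socket:[4103]"]}


def parse_udp_table(text):
    """Return [(ip, port, uid, inode)] for every bound UDP socket in the table."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        hex_ip, hex_port = f[1].split(":")
        # The kernel prints the IPv4 address as a host-order hex word; on a
        # little-endian machine that is the address bytes reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        rows.append((ip, int(hex_port, 16), int(f[7]), int(f[9])))
    return rows


def read_fd_links(proc="/proc"):
    """Live-system helper: pid -> fd symlink targets (root needed for other users)."""
    links = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links[int(pid)] = [os.readlink(os.path.join(fd_dir, fd))
                               for fd in os.listdir(fd_dir)]
        except OSError:
            continue                              # process exited or access denied
    return links


def who_listens(table_text, fd_links, ports):
    """Map each port of interest to (ip, uid, pids).

    An empty pid list means no process holds the socket: it is kernel-owned
    (for example an in-kernel NFS service) or the caller lacks privilege.
    """
    result = {}
    for ip, port, uid, inode in parse_udp_table(table_text):
        if port in ports:
            pids = sorted(pid for pid, targets in fd_links.items()
                          if f"socket:[{inode}]" in targets)
            result[port] = (ip, uid, pids)
    return result


if __name__ == "__main__":
    report = who_listens(SAMPLE_PROC_NET_UDP, SAMPLE_FD_LINKS, {1996, 1997})
    for port, info in sorted(report.items()):
        print(port, info)
```

On a live host, pass `open("/proc/net/udp").read()` and `read_fd_links()` instead of the samples.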
Re: Strange opened ports.
On Monday 03 June 2002 at 23:01:39 +0200, Jacques Lav!gnotte wrote:
> On Mon, Jun 03, 2002 at 04:46:36PM -0400, James wrote:
> > Are you sure they are open and nmap isn't just returning a false
> > positive? Try a #netstat -vatn on the local server and see if those
> > ports really are open.
>
> Nmap issued from the host itself does not return anything either...
>
> news:~# nmap -sU -p 1996-1997 news.pcl.fr
>
> Starting nmap V. 2.54BETA33 ( www.insecure.org/nmap/ )
> All 2 scanned ports on news.pcl.fr (195.6.210.99) are: closed

I have the same :

alibaba:~# nmap -sU -p 1996-1997 news.pcl.fr

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
All 2 scanned ports on news.pcl.fr (195.6.210.99) are: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

But if I add -v I got :

alibaba:~# nmap -v -sU -p 1996-1997 news.pcl.fr

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Host news.pcl.fr (195.6.210.99) appears to be up ... good.
Initiating UDP Scan against news.pcl.fr (195.6.210.99)
The UDP Scan took 1 second to scan 2 ports.
Adding open port 1997/udp
Adding open port 1996/udp
Interesting ports on news.pcl.fr (195.6.210.99):
Port       State       Service
1996/udp   open        tr-rsrb-port
1997/udp   open        gdp-port

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

Strange isn't it ?

--
Loïc

Re: Strange opened ports.
Hi,

> Is there any malicious thing listening on these ports :
>
> Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
> Interesting ports on news.pcl.fr (195.6.210.99):
> Port    State       Protocol  Service
> 1996    open        udp       tr-rsrb-port
> 1997    open        udp       gdp-port

Perhaps try

netcat -l -p port

it binds a server-socket on udp-port port and then you try

netcat machine port

then enter some letters, and if they don't arrive at the term which
executes netcat -l -p port, there is another proggi listening on this
port

Weissi

Re: secure file transfer
Renato Lozano wrote:
> Hi All,
>
> I am trying to implement a way of transferring files securely over the
> Internet using sftp which is part of the ssh2 protocol. A down side of
> implementing this is that users logging on can browse the whole
> filesystem. I have done some research and found a way to chroot users
> so they won't be able to browse the filesystem
> (http://chrootssh.sourceforge.net/).
>
> Can someone please suggest if there are any other ways of implementing
> a secure file transfer without patching sshd ???
>
> Nato

I had the same concerns a few months back. I wanted to use sftp but I
disliked the fact that they can see the whole filesystem, although
Debian's default permissions on the important files prevent anyone
from changing them. I did not want to patch ssh either. It was so
complex and I wanted to keep to a standard ssh so as to keep up with
the security updates to ssh.

So I used vpn and ftp. The firewall is set to block the ftp ports for
anything from the internet. Using vpn gives the user a local ip and
thus allows ftp to get through, plus the traffic is encrypted. Proftp
lets you chroot the user to their home dir.

You can remove the sftp-server program to disable sftp but you can't
turn off the scp commands. They are part of ssh. So someone could
still use something like winscp and be able to browse everything. You
can break scp by making the user's shell a menu script (i.e.
/usr/bin/yourmenu instead of /usr/bin/bash) so they can not get to a $
prompt. You also have to define your menu script as a shell
(/etc/shell) so regular ftp will still work.

--
Jon McCain                    Email: [EMAIL PROTECTED]
Sr. Programmer                Voice: 912-355-3213
DavLong Business Solutions    Fax: 912-355-3575

Re: Security Updates Sources
[EMAIL PROTECTED] (Olaf Meeuwissen) wrote:
> Jean-Charles Preaux [EMAIL PROTECTED] writes:
>
> > Hello
> >
> > Just a little question : is there a security updates sources for
> > the woody release ? as :
> > deb http://security.debian.org/ potato/updates main contrib non-free
> > for the potato release ?
> > Which i can put in my /etc/apt/sources.list ?
> >
> > Thanks
>
> Just put
>
> deb http://security.debian.org stable/updates main
>
> et cetera in your /etc/apt/sources.list and you'll get the woody
> security updates as soon as it has become stable

What about this line :

deb http://security.debian.org/woody/updates main ?

It seems there's already a woody directory :
ftp://security.debian.org/debian-security/dists/woody/updates/main/binary-i386/

--
Tuyen DINH
RISC Technology France http://www.risc.fr/
APRIL http://www.april.org/

Re: Security Updates Sources
You mean

deb http://security.debian.org/debian-security woody/updates main

right?

~mark

From: Tuyen DINH [EMAIL PROTECTED]
> What about this line :
>
> deb http://security.debian.org/woody/updates main ?

Re: secure file transfer
On Tue, Jun 04, 2002 at 09:58:55AM -0400, Jon McCain wrote:
> Renato Lozano wrote:
> > Hi All,
> >
> > I am trying to implement a way of transferring files securely over the

snip

> You can remove the sftp-server program to disable sftp but you can't
> turn off the scp commands. They are part of ssh. So someone could
> still use something like winscp and be able to browse everything. You
> can break scp by making the user's shell a menu script (i.e.
> /usr/bin/yourmenu instead of /usr/bin/bash) so they can not get to a $
> prompt. You also have to define your menu script as a shell
> (/etc/shell) so regular ftp will still work.

In proftpd.conf:

RequireValidShell off

;-)

--
Easter-eggs              GNU/Linux Specialist
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com

asynchronous socket error 10060
Hi guys,

I am getting the error "asynchronous socket error 10060" when I try to
get some archives from socket software which is behind an iptables
firewall (doing port redirection). FTP is working with this
redirection. Does anyone know what happened?

I configured iptables to redirect some TCP request ports to another
machine and enabled the connection-tracking modules.

tks

Re: secure file transfer
Renato Lozano writes:
> I am trying to implement a way of transferring files securely over the
> Internet using sftp which is part of the ssh2 protocol. A down side of
> implementing this is that users logging on can browse the whole
> filesystem. I have done some research and found a way to chroot users
> so they won't be able to browse the filesystem
> (http://chrootssh.sourceforge.net/).
>
> Can someone please suggest if there are any other ways of implementing
> a secure file transfer without patching sshd ???

You may try sfs (Self-Certifying File System server); you can find
testing packages, and the home page is at http://www.fs.net.

With this kind of system, you'll be able to allow someone to mount his
homedir but nothing else.

--
Davy Gigan
System Network Administration    [Please no HTML, I'm not a browser]
University Of Caen (France)

[CLOSED NOW] Re: Strange opened ports.
On Tue, Jun 04, 2002 at 03:13:06PM +0200, Johannes Weiss wrote:
> Perhaps try
> netcat -l -p port
> it binds a server-socket on udp-port port and then you try
> netcat machine port
> then enter some letters and if they don't arrive at the term which
> executes netcat -l -p port there is another proggi listening on this
> port

The letters arrive right to the netcat on the host.

At that time, those nasty ports seem to be closed :)

pollux:~# nmap -v -sU -p 1990-2000 news.pcl.fr
No ports open for host news.pcl.fr (195.6.210.99)
pollux:~#

Don't know what happened?

Anyway, thanks to anyone for helping so kindly,

> Weissi

Jacques
--
0CBE 3F8A 5A77 A35C 27C7 2D42 3EC5 806B 9178 088D

Re: Security Updates Sources
Tuyen DINH [EMAIL PROTECTED] writes:

> [EMAIL PROTECTED] (Olaf Meeuwissen) wrote:
>
> > Just put
> >
> > deb http://security.debian.org stable/updates main
> >
> > et cetera in your /etc/apt/sources.list and you'll get the woody
> > security updates as soon as it has become stable
>
> What about this line :
>
> deb http://security.debian.org/woody/updates main ?
>
> It seems there's already a woody directory :
> ftp://security.debian.org/debian-security/dists/woody/updates/main/binary-i386/

You'll be getting packages for which no DSA has been sent out. It is
up to you whether you would want to blindly install these. Speaking
for myself, I pull down security updates, manually check the MD5sum
with those in the DSA (just matching the MD5sum in the Packages is not
good enough for me) and only then install them. One of these days, I
should also start checking the GPG signatures on DSAs for real.

Right now, for binary-i386 you'll be getting packages for new upstream
releases. Packages concerned: qpopper, qpopper-drac and squirrelmail.
It looks pretty much the same for the other architectures I looked at.

HTH,
--
Olaf Meeuwissen       Epson Kowa Corporation, CID
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
LPIC-2 -- I hack, therefore I am -- BOFH

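Added example, not Olaf's or Debian's own tooling: the manual check described in the message above, comparing each downloaded package's MD5 with the one printed in the advisory and flagging packages that no advisory lists. The advisory layout, package names, URLs and file contents are constructed assumptions.

```python
import hashlib
import re


def md5_hex(data):
    # MD5 because that is what the message compares; the flow is the same
    # with any other hashlib digest.
    return hashlib.md5(data).hexdigest()


# Constructed file contents standing in for downloaded .deb files.
PKG_GOOD = b"constructed bytes standing in for a .deb file"
PKG_BAD = b"same file name as in the advisory, different contents"
PKG_NEW = b"new upstream release that no advisory mentions"

# Constructed advisory text in an assumed layout: a package URL line followed
# by a line ending in "MD5 checksum: <hash>" or "Size/MD5 checksum: <size> <hash>".
SAMPLE_DSA = f"""\
  Intel IA-32 architecture:

    http://example.invalid/updates/examplepkg_1.0-2_i386.deb
      MD5 checksum: {md5_hex(PKG_GOOD)}
    http://example.invalid/updates/otherpkg_2.1-3_i386.deb
      Size/MD5 checksum:    20480 {md5_hex(b"what the advisory author built")}
"""

URL_RE = re.compile(r"^\s*\S+/([^/\s]+\.deb)\s*$")
SUM_RE = re.compile(r"MD5 checksum:\s*(?:\d+\s+)?([0-9a-fA-F]{32})\s*$")


def parse_advisory(text):
    """Return {package file name: md5} from URL/checksum line pairs."""
    sums, current = {}, None
    for line in text.splitlines():
        url = URL_RE.match(line)
        if url:
            current = url.group(1)
            continue
        digest = SUM_RE.search(line)
        if digest and current:
            sums[current] = digest.group(1).lower()
            current = None                      # one checksum per URL line
    return sums


def check_downloads(downloads, advisory_text):
    """downloads: {file name: bytes}. Returns {file name: verdict}."""
    expected = parse_advisory(advisory_text)
    report = {}
    for name, data in downloads.items():
        if name not in expected:
            report[name] = "not in advisory"    # no DSA covers this package
        elif md5_hex(data) == expected[name]:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


if __name__ == "__main__":
    downloads = {"examplepkg_1.0-2_i386.deb": PKG_GOOD,
                 "otherpkg_2.1-3_i386.deb": PKG_BAD,
                 "newpkg_3.0-1_i386.deb": PKG_NEW}
    for name, verdict in check_downloads(downloads, SAMPLE_DSA).items():
        print(f"{verdict:16} {name}")
```

The comparison is only as trustworthy as the advisory text itself, which is why the message also mentions checking the GPG signature on the DSA.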
SSH log weirdness
Whenever I logout from an SSH2 session now, I get the following in my
/var/log/messages:

June 4 19:36:26 firegate sshd[24364]: PAM pam_putenv: delete non-existent entry; MAIL

What is this and how might I fix it? Perhaps it's because I no longer
have Exim running, based on something I read earlier today (I have no
need for any mail, except local delivery to postmaster for alerts,
etc). Could this be the cause?

TIA,
Jeff Bonner