Re: [SECURITY] [DSA-200-1] Samba buffer overflow
Matt Zimmerman <[EMAIL PROTECTED]> writes:

> On Mon, Nov 25, 2002 at 08:24:45PM +0900, Olaf Meeuwissen wrote:
>
> > Hmm, from the version numbers (2.2.3a-6 to 2.2.3a-12) and changelog
> > entries since the version in stable it looks as if this upgrade does a
> > little more than just fix the security problem. Whatever happened to
> > just backporting the security fix?
>
> The samba maintainers had already prepared an update for stable
> which contained backported fixes for important bugs. These fixes
> were appropriate for the next point release, so rather than build a
> security update based on 2.2.3a-6 and then a new stable upload based
> on 2.2.3a-9, the security update was based on 2.2.3a-9 with its
> fixes. You did not get any changes which were not already destined
> for stable.

It'd be nice if the DSA could say so much.

BTW, thanks for all the good work getting security.debian.org back up so fast.

--
Olaf Meeuwissen                              EPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
Penguin's lib! -- I hack, therefore I am -- LPIC-2
Re: Spammers using a non-existent address as return-path

We have the same problem here. Someone has been using our domain name in
their headers since January. At times, we were getting a few thousand
bounces from mail to over-quota or non-existent accounts.

I added the following line to my exim.conf

    receiver_try_verify = true

This results in an immediate error result to the RCPT command if the
user is unknown. I run a script to grep for these errors in the log
file just after they are rotated so I know how many of these messages
were rejected in the last 24 hours. Currently, there are up to 100
messages a day that get rejected this way.

Once in a while, I accept the messages and comb through them to find
valid headers, but there is a startling number of USELESS error
messages (i.e. only From, To, Date, and Subject of bounced message).

Patrick.

On Mon, Nov 25, 2002 at 10:38:10PM +0100, Kjetil Kjernsmo wrote:
> I have just received a spam complaint, and unfortunately, some spammers
> have been using an address on one of my domains in their Return-Path
> and From-headers. How nice of them :-( . This address has never
> existed. I'm using the Exim packages from Woody.
[...]
> Kjetil
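Added example, not Patrick's script: a few shell functions that count the rejections his setting produces from an Exim 3 main log, using the log line format Kjetil quoted in this thread. The sample log lines are constructed; the log path in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: count Exim 3 "verify failed"
# recipient rejections in the main log. Assumed line layout (as quoted here):
#   <date> <time> verify failed for SMTP recipient <rcpt> from <sender> H=<host> [<ip>]

# Constructed sample log (addresses, hosts and IPs are made up, except the
# yahoo hostname quoted in the thread). A real run would read the rotated
# log, e.g. /var/log/exim/mainlog.1 (path is an assumption).
SAMPLE_LOG=$(cat <<'EOF'
2002-11-15 01:48:08 verify failed for SMTP recipient nobody@example.org from <> H=mta458.mail.yahoo.com [192.0.2.10]
2002-11-15 01:49:12 verify failed for SMTP recipient nobody@example.org from <> H=mta458.mail.yahoo.com [192.0.2.10]
2002-11-15 02:03:44 verify failed for SMTP recipient ghost@example.org from <list@example.net> H=mx1.example.net [198.51.100.7]
2002-11-15 02:05:01 18DMap-0001xx-00 <= alice@example.com H=smtp.example.com [203.0.113.5] P=esmtp S=1234
2002-11-15 02:10:17 verify failed for SMTP recipient nobody@example.org from <> H=mx2.example.com [192.0.2.22]
EOF
)

# count_verify_failures: number of verify-failed recipient lines on stdin.
count_verify_failures() {
    grep -c 'verify failed for SMTP recipient'
}

# null_sender_failures: only those with an empty envelope sender (from <>),
# i.e. bounces aimed at addresses that do not exist here: the backscatter
# from forged Return-Paths that this thread is about.
null_sender_failures() {
    grep 'verify failed for SMTP recipient' | grep -c ' from <> '
}

# failures_by_host: "count host" per sending host, most frequent first, so
# the main sources of the bounces are visible.
failures_by_host() {
    awk '/verify failed for SMTP recipient/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^H=/) { h = substr($i, 3); hosts[h]++ }
         }
         END { for (h in hosts) printf "%d %s\n", hosts[h], h }' |
    sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_verify_failures    # 4
printf '%s\n' "$SAMPLE_LOG" | null_sender_failures     # 3
printf '%s\n' "$SAMPLE_LOG" | failures_by_host
```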
Re: Spammers using a non-existent address as return-path

On Monday 25 November 2002 23:05, you wrote:
> I don't want to teach you to suck eggs, but I would suggest this test
> is run as an independent way to verify you're safe. I always run it
> after a sendmail change, as I pay for volume personally and at 2 gig
> + a day a spam hit would do to me would break me financially.

Oh, that's not the problem. My box doesn't relay (that is, it relays for
the IP of my workstation and for the computer of my parents), and I've
had ORDB checking it. It is just that somebody has forged an address,
which happens to have my domain name in it, so I risk getting some
trouble with it.

Thanks for the reply anyway!

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
RE: Spammers using a non-existent address as return-path

I've had a few cases of this myself, an irate admin somewhere else
whining it's my fault and I have, yet the relay test via telnet shows
all OK. I wonder if they forge known addresses on purpose to seed
discontent.

I don't want to teach you to suck eggs, but I would suggest this test is
run as an independent way to verify you're safe. I always run it after a
sendmail change, as I pay for volume personally and at 2 gig + a day a
spam hit would do to me would break me financially.

I have found Debian always passes by default, but sleeping at night is
good.

regards

Thing

-----Original Message-----
From: Kjetil Kjernsmo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 26 November 2002 10:39
To: debian-security@lists.debian.org
Subject: Spammers using a non-existent address as return-path

Dear all,

I have just received a spam complaint, and unfortunately, some spammers
have been using an address on one of my domains in their Return-Path
and From-headers. How nice of them :-( . This address has never
existed. I'm using the Exim packages from Woody.

For quite some time, I have seen it show up in my server logs, I'm
rotating them too often, I guess, and I don't remember exactly what I
have seen long ago, but recently I have seen things like:

2002-11-15 01:48:08 verify failed for SMTP recipient [EMAIL PROTECTED] from <> H=mta458.mail.yahoo.com [216.136.130.123]

I allow VRFY, and most of these come from yahoo.com or hotmail.com, I
guess that has to do with spam filters they use. This address is
probably getting a lot of bounces, which is then bounced off my server,
and I don't want to waste my resources with accepting those, all in all
I want to conserve as much as I can.

But, is there something I _should_ do in this situation, like including
some text in the bounce saying that this address has never existed, and
is being abused by spammers? If yes, _how_ should I do it?

I hope this is the right forum to ask...

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
Re: Spammers using a non-existent address as return-path

That is something that I've always wanted to know, is how to turn verify
off, but alas, due to sheer laziness, I haven't read up on it...

On Monday 25 November 2002 15:38, Kjetil Kjernsmo wrote:
> Dear all,
>
> I have just received a spam complaint, and unfortunately, some spammers
> have been using an address on one of my domains in their Return-Path
> and From-headers. How nice of them :-( . This address has never
> existed. I'm using the Exim packages from Woody.
>
> For quite some time, I have seen it show up in my server logs, I'm
> rotating them too often, I guess, and I don't remember exactly what I
> have seen long ago, but recently I have seen things like:
> 2002-11-15 01:48:08 verify failed for SMTP recipient
> [EMAIL PROTECTED] from <> H=mta458.mail.yahoo.com
> [216.136.130.123]
>
> I allow VRFY, and most of these come from yahoo.com or hotmail.com, I
> guess that has to do with spam filters they use. This address is
> probably getting a lot of bounces, which is then bounced off my server,
> and I don't want to waste my resources with accepting those, all in all
> I want to conserve as much as I can.
>
> But, is there something I _should_ do in this situation, like including
> some text in the bounce saying that this address has never existed, and
> is being abused by spammers? If yes, _how_ should I do it?
>
> I hope this is the right forum to ask...
>
> Cheers,
>
> Kjetil
--
Daniel J. Rychlik
Java/Perl Developer
http://daniel.rychlik.ws
Spammers using a non-existent address as return-path

Dear all,

I have just received a spam complaint, and unfortunately, some spammers
have been using an address on one of my domains in their Return-Path
and From-headers. How nice of them :-( . This address has never
existed. I'm using the Exim packages from Woody.

For quite some time, I have seen it show up in my server logs, I'm
rotating them too often, I guess, and I don't remember exactly what I
have seen long ago, but recently I have seen things like:

2002-11-15 01:48:08 verify failed for SMTP recipient [EMAIL PROTECTED] from <> H=mta458.mail.yahoo.com [216.136.130.123]

I allow VRFY, and most of these come from yahoo.com or hotmail.com, I
guess that has to do with spam filters they use. This address is
probably getting a lot of bounces, which is then bounced off my server,
and I don't want to waste my resources with accepting those, all in all
I want to conserve as much as I can.

But, is there something I _should_ do in this situation, like including
some text in the bounce saying that this address has never existed, and
is being abused by spammers? If yes, _how_ should I do it?

I hope this is the right forum to ask...

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
RE: Execute binaries from an encrypted file system [SOLVED]
Thanx, you gave me the idea to solve this. I forgot that I've added the
user option in '/etc/fstab' (stupid me). "user" implies noexec, so you
have to add exec after the user option.

Bye

On Mon, 2002-11-25 at 14:32, DEFFONTAINES Vincent wrote:
> > From: Haim Ashkenazi [mailto:[EMAIL PROTECTED]]
> >
> > When making an encrypted file system (AES on both occasion) everything
> > works great except I can't run binaries (or even shell scripts without
> > running "bash
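Added example, not code from anyone in this thread: a shell function that resolves an fstab options string the way mount(8) applies it, left to right, so the "user" without a later "exec" trap above can be spotted before the file system is mounted. The sample fstab is constructed; the implied-flag rules are those documented for mount(8) (user/users imply noexec,nosuid,nodev; owner/group imply nosuid,nodev; a later exec/suid/dev overrides, an earlier one does not).

```shell
#!/bin/sh
# Added example, not code from the thread: compute the effective exec/suid/dev
# state of an fstab option list as mount(8) does, option by option in order.
# "defaults" and options this function does not know about are left alone
# (they do not touch these three flags).

effective_flags() {
    printf '%s\n' "$1" | awk -F, '{
        noexec = 0; nosuid = 0; nodev = 0
        for (i = 1; i <= NF; i++) {
            o = $i
            if (o == "user" || o == "users")       { noexec = 1; nosuid = 1; nodev = 1 }
            else if (o == "owner" || o == "group") { nosuid = 1; nodev = 1 }
            else if (o == "noexec") noexec = 1
            else if (o == "exec")   noexec = 0
            else if (o == "nosuid") nosuid = 1
            else if (o == "suid")   nosuid = 0
            else if (o == "nodev")  nodev = 1
            else if (o == "dev")    nodev = 0
        }
        e = (noexec ? "noexec" : "exec")
        s = (nosuid ? "nosuid" : "suid")
        d = (nodev  ? "nodev"  : "dev")
        printf "%s,%s,%s\n", e, s, d
    }'
}

# noexec_mounts: read fstab text on stdin, print "<mountpoint> <options>" for
# every entry that ends up noexec, which is the trap described in this thread.
# Blank lines and comment lines are skipped.
noexec_mounts() {
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case "$(effective_flags "$opts")" in
            noexec,*) printf '%s %s\n' "$mnt" "$opts" ;;
        esac
    done
}

# Constructed sample fstab (devices and mount points are made up).
SAMPLE_FSTAB='# constructed sample, not a real /etc/fstab
/dev/hda1   /            ext3    defaults            0 1
/dev/loop0  /mnt/crypt   ext2    user,noauto         0 0
/dev/loop1  /mnt/crypt2  ext2    user,exec,noauto    0 0
/dev/loop2  /mnt/crypt3  ext2    exec,user,noauto    0 0
/dev/hdc    /cdrom       iso9660 ro,noauto,owner     0 0'

# /mnt/crypt (no exec at all) and /mnt/crypt3 (exec given BEFORE user, so
# user re-imposes noexec) are reported; /mnt/crypt2 is fine.
printf '%s\n' "$SAMPLE_FSTAB" | noexec_mounts
```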
Re: [SECURITY] [DSA-200-1] Samba buffer overflow
On Mon, Nov 25, 2002 at 08:24:45PM +0900, Olaf Meeuwissen wrote:

> Hmm, from the version numbers (2.2.3a-6 to 2.2.3a-12) and changelog
> entries since the version in stable it looks as if this upgrade does a
> little more than just fix the security problem. Whatever happened to
> just backporting the security fix?

The samba maintainers had already prepared an update for stable which
contained backported fixes for important bugs. These fixes were
appropriate for the next point release, so rather than build a security
update based on 2.2.3a-6 and then a new stable upload based on 2.2.3a-9,
the security update was based on 2.2.3a-9 with its fixes. You did not
get any changes which were not already destined for stable.

--
 - mdz
Error in logcheck - /usr/bin/mlock[2298]: (64) not setgid mail
logcheck has started noticing the above error. I did a

    ls -lsa /usr/bin/mlock

and the result is:

    8 -rwxr-sr-x 1 root root 5668 Jan 13 2002 mlock

Does this mean that somehow the permissions have changed? Should they
have changed - and why? How should I correct this? (Has my box been
cracked?)

It's a Debian 3.0 testing box.

Any advice would be helpful.

Cheers,

Andrew
Re: unknown udp port
> What I figured out is that the server uses an unprivileged random udp
> port when originating queries to other name servers and that named binds
> that udp port a priori and listens on that port waiting for replies to
> questions it will make. I hope I got it right, could someone please
> confirm that?

Yeah, that sounds like BIND. http://cr.yp.to/djbdns/forgery.html

--
Jamie Heilman                   http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's
not for you." She was cheap, she was stupid and she wouldn't load -- well,
not for me, anyway." -Holly
Re: NetFilter connection tracking
> > ports you want. Only associated packets will be accepted IN.
> Thanks for the feedback. All I am still a little worried about is what
> are associated packets, I guess. So suppose I initiate a non-anonymous
> FTP session, I've seen that generate ident packets. Are these
> associated? Similar worries about other protocols.

Ident/Auth (same thing) connections are normal when an FTP (or IRC or
MANY things) makes a connection, i.e. when connected to a remote ftp
server -- the ftp server may CONNECT BACK to your IP address/machine on
the ident/auth "113" port and attempt to request the username using the
client/program... This is quite normal and non-harmful...

You must at least allow a 'returned' connection on port 113 to be
refused with TCP RESET using target 'REJECT' and "--reject-with
tcp-reset" in iptables somewhere... You can of course run a safe identd
and allow connections to that identd.

I know a "nathost.[domain].[domain].ac.uk" machine that acts as a single
IP address 'NAT' host -- taking connections leaving that institution --
seems to 'DROP' connection packets aimed at most ports on it -- BUT --
sends back a TCP RESET in response to connection packets going to the
auth/ident (113) port on that 'nathost' machine.

If you DROP packets coming to the ident port on your machine -- you may
find some telnet/smtp/ftp/irc/other sessions from that machine take a
long time to give a login-prompt / work (or not work at all) as the
remote server you connect to is trying, trying, trying, to connect back
to your port 113 (auth/ident port) and ... eventually times out -- you
should either accept this connection or refuse it properly.

I wonder if iptables 'related' matches returned ident connections and/or
can forward ident connections to the machine that actually originated
the outgoing connection instead of only receiving the ident connection
on the iptables/netfilter machine itself.

-enyc
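Added example, not from any poster in this thread: a shell function that reads an iptables-save dump and reports what the INPUT chain does with a NEW inbound TCP connection to port 113, so a stateful "drop everything else" firewall of the kind discussed above can be checked for the silent-drop case enyc warns about. Both rule sets are constructed; the external interface name (eth0) and the rule subset understood are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread: decide how the INPUT chain treats a
# NEW inbound TCP connection to a port (default 113, the ident/auth port):
# ACCEPT, "REJECT <type>" (tcp-reset is the proper refusal), or fall-through to
# the chain policy, which with a DROP policy is the slow-login failure mode.
# Assumptions: first matching terminal rule wins; the packet arrives on the
# external interface given as $2 (default eth0); only this subset is
# understood: chain policy line, -i, -p, --dport, -m state/conntrack with
# --state/--ctstate, -j ACCEPT/DROP/REJECT and --reject-with. Rules carrying
# -s or -d are taken as not matching; jumps to user chains are not followed.

ident_disposition() {
    awk -v port="${1:-113}" -v ext="${2:-eth0}" '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / {
            iface = ""; proto = ""; dport = ""; state = ""; target = ""; rw = ""; addr = 0
            for (i = 1; i <= NF; i++) {
                if      ($i == "-i")            iface  = $(i+1)
                else if ($i == "-p")            proto  = $(i+1)
                else if ($i == "--dport")       dport  = $(i+1)
                else if ($i == "--state" || $i == "--ctstate") state = $(i+1)
                else if ($i == "-j")            target = $(i+1)
                else if ($i == "--reject-with") rw     = $(i+1)
                else if ($i == "-s" || $i == "-d") addr = 1
            }
            # Skip rules that cannot match a NEW TCP packet to this port on ext.
            if (addr) next
            if (iface != "" && iface != ext) next
            if (proto != "" && proto != "tcp") next
            if (dport != "" && dport != port) next
            if (state != "" && state !~ /NEW/) next
            if (target == "ACCEPT" || target == "DROP") { print target; found = 1; exit }
            if (target == "REJECT") {
                # iptables REJECT defaults to icmp-port-unreachable when no type is given.
                r = "REJECT " (rw == "" ? "icmp-port-unreachable" : rw)
                print r; found = 1; exit
            }
        }
        END {
            if (!found) { r = (policy == "" ? "ACCEPT" : policy) " (policy)"; print r }
        }'
}

# Constructed rule sets. The first is the usual stateful client firewall from
# the thread: related/established traffic in, everything else silently dropped.
SILENT_DROP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# The same firewall plus the refusal recommended above for port 113.
WITH_RESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT'

printf '%s\n' "$SILENT_DROP" | ident_disposition   # DROP (policy)
printf '%s\n' "$WITH_RESET"  | ident_disposition   # REJECT tcp-reset
```

On a live box the same check is `iptables-save | ident_disposition`; the ESTABLISHED,RELATED rule never matches the server's callback, because that callback is a fresh connection, not part of the FTP control session.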
RE: Execute binaries from an encrypted file system
> From: Haim Ashkenazi [mailto:[EMAIL PROTECTED]]
>
> When making an encrypted file system (AES on both occasion) everything
> works great except I can't run binaries (or even shell scripts without
> running "bash
Re: unknown udp port
ok, I get it now. In the configuration file there is the commented out
line

    // query-source address * port 53;

which activates the default

    query-source address * port *;

I couldn't understand the relation between the above configuration
option (which specifies an address and port to use when
_making_queries_) with the udp port that the server was already
_listening_on_. What I figured out is that the server uses an
unprivileged random udp port when originating queries to other name
servers and that named binds that udp port a priori and listens on that
port waiting for replies to questions it will make. I hope I got it
right, could someone please confirm that?

Anyway, I should squeeze my brain a little more, before bothering the
list ;-)

~kmag
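Added example, not from kmag or anyone else in this thread: a shell function that reads a named.conf and reports whether an active query-source statement pins the outgoing UDP port. Pinning it (as the commented-out "port 53" line would) leaves only the 16-bit query ID for a forged reply to guess, which is the point of the forgery reference given in the reply. Both configs are constructed; comment handling is limited as described in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread: find the UDP source port that an
# active (uncommented) query-source statement in named.conf pins for outgoing
# queries. Prints the port, "*" when it is left random, or "unset" when there
# is no active statement at all (which also means random). Comment handling
# covers "//", "#" and single-line "/* */"; multi-line block comments are not
# handled.

query_source_port() {
    sed -e 's|//.*||' -e 's|#.*||' -e 's|/\*.*\*/||' |
    awk '
        /query-source/ {
            found = "*"     # statement present; port is random unless told otherwise
            for (i = 1; i <= NF; i++)
                if ($i == "port") { p = $(i+1); sub(/;$/, "", p); found = p }
        }
        END { r = (found == "" ? "unset" : found); print r }'
}

# query_source_is_random: "yes" when the resolver picks the port itself
# ("*" or no statement), "no" when it is pinned to a fixed port.
query_source_is_random() {
    case "$(query_source_port)" in
        '*'|unset) echo yes ;;
        *)         echo no ;;
    esac
}

# Constructed configs. The first is the shape kmag describes: the statement
# is commented out, so the default (random port) applies.
CONF_DEFAULT='options {
        directory "/var/cache/bind";
        // query-source address * port 53;
};'

# The same file with the statement active: every query leaves from port 53.
CONF_PINNED='options {
        directory "/var/cache/bind";
        query-source address * port 53;   /* old firewall-friendly setting */
};'

printf '%s\n' "$CONF_DEFAULT" | query_source_is_random   # yes
printf '%s\n' "$CONF_PINNED"  | query_source_is_random   # no
```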
Re: [SECURITY] [DSA-200-1] Samba buffer overflow
On Saturday 23 November 2002 05:21, Wichert Akkerman wrote:
> Package        : samba
> Problem type   : remote exploit
> Debian-specific: no
>
> Steve Langasek found an exploitable bug in the password handling
> code in samba: when converting from DOS code-page to little endian
> UCS2 unicode a buffer length was not checked and a buffer could
> be overflowed. There is no known exploit for this, but an upgrade
> is strongly recommended.
>
> This problem has been fixed in version 2.2.3a-12 of the Debian
> samba packages and upstream version 2.2.7.

Hmm, from the version numbers (2.2.3a-6 to 2.2.3a-12) and changelog
entries since the version in stable it looks as if this upgrade does a
little more than just fix the security problem. Whatever happened to
just backporting the security fix?

--
Olaf Meeuwissen
GnuPG key: 91114EAF/C3E1 2D40 C7CC AEB2 FB15 8BDF 60C2 5B3F 9111 4EAF
Re: NetFilter connection tracking
On Tuesday 19 November 2002 07:04, you wrote:
> If it is a client machine and has a default DROP policy on
> incoming packets, then ALLOW packets associated with open
> connections. You probably don't need any other special
> rules. Just set up policies to allow OUTPUT packets on the
> ports you want. Only associated packets will be accepted IN.

Thanks for the feedback. All I am still a little worried about is what
are associated packets, I guess. So suppose I initiate a non-anonymous
FTP session, I've seen that generate ident packets. Are these
associated? Similar worries about other protocols.

--
Olaf Meeuwissen
GnuPG key: 91114EAF/C3E1 2D40 C7CC AEB2 FB15 8BDF 60C2 5B3F 9111 4EAF
Mirroring from the new security.debian.org?
In the past I mirrored security.debian.org twice a day for debian users
on our campus. After the fire the new site does not seem to have a
"debian-security" module for the rsync-server. Is there a possibility
that we can have it back please?

Regards.

Johann
--
Johann Spies                                  Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"Let us therefore come boldly unto the throne of grace, that we may
obtain mercy, and find grace to help in time of need." Hebrews 4:16