Re: Intrusion Attempts
or use tcpwrappers and block them altogether, or better yet, use Iptables and write a rule.

g'times
dan

On Tuesday 03 December 2002 21:05, Phillip Hofmeister wrote:
> On Tue, 03 Dec 2002 at 09:19:28PM -0500, [EMAIL PROTECTED] wrote:
> > Hi. Can you help me. Who do I report the above to. I have 2 firewalls
> > running and tonight I was attacked from the same address 172 times in
> > less than an hour. These people want banning off the net. It is certainly
> > a violation of my privacy. A dozen times is an excuse but 172, I ask you.
> > Please come back.
>
> You can usually find the domain associated with the ip by doing a
> reverse lookup:
>
> dig -x ipaddress
>
> Make sure to take the results from your lookup above and look that up to
> make sure they match.
>
> IE:
>
> I do this first:
> dig -x 127.0.0.1
>
> and get:
> 1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.
>
> then I:
>
> dig localhost
>
> and I get:
> localhost. 604800 IN A 127.0.0.1
>
> They match, wonderful. Now I go to www.localhost and see if they have
> an address to report logs of undesirables to. If not I'll:
>
> dig localhost SOA
> and get:
>
> localhost. 604800 IN SOA localhost.
> root.localhost. 1 604800 86400 2419200 604800
>
> hmm...root.localhost, I bet you he can at least forward the email to the
> right person (since they are too lame to list that person on their
> web site).
>
> If all else fails do a whois lookup on the IP
>
> whois ipaddress
>
> and find one of the contacts listed there and bug them :)
>
>
> There is always an iptables blacklist you can set up and block the
> entire 24 (or 16, ouch) bit network if the admins do not take care of
> the undesirables.
>
> Regards,

--
Daniel J. Rychlik
Java/Perl Developer
http://daniel.rychlik.ws
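
One way to get from the complaint in this thread (the same address logged 172 times within an hour) to the iptables rule suggested above, as an added example that is not part of the original messages: it counts source addresses per clock hour in firewall log lines and prints one DROP rule per offender for review. The log lines (iptables LOG target format, documentation addresses), the function names and the threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample in the kernel log format written by the iptables LOG
# target. All addresses come from the documentation ranges.
sample_log() {
    cat <<'EOF'
Dec  3 20:01:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=4312 DPT=22
Dec  3 20:01:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=4313 DPT=23
Dec  3 20:07:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1044 DPT=113
Dec  3 20:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=4314 DPT=80
Dec  3 20:44:59 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Dec  3 21:02:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=4320 DPT=22
EOF
}

# noisy_sources MIN: read log lines on stdin and print "count month day hour
# source" for every source logged at least MIN times within one clock hour,
# busiest first. Lines without a SRC= field are ignored.
noisy_sources() {
    awk -v min="$1" '
        {
            src = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src == "") next
            split($3, t, ":")                      # $3 is HH:MM:SS
            hits[$1 " " $2 " " t[1] "h " src]++
        }
        END {
            for (k in hits)
                if (hits[k] >= min) print hits[k], k
        }' | sort -rn
}

# block_rules SCOPE: turn that report into iptables commands, one per unique
# target. SCOPE is "host" (the exact address) or "net24" (the whole 24-bit
# network, which also cuts off every neighbour of the offender).
# The rules are printed, not applied, so they can be reviewed first.
block_rules() {
    awk -v scope="$1" '
        {
            addr = $NF
            if (scope == "net24") sub(/\.[0-9]+$/, ".0/24", addr)
            if (!seen[addr]++) print "iptables -I INPUT -s " addr " -j DROP"
        }'
}

# Sample run with a threshold of 3 hits per hour; for the case in this
# thread the threshold would be far higher.
sample_log | noisy_sources 3 | block_rules net24
```

Feed it the real firewall log in place of `sample_log`; the hour bucket is a clock hour, so a burst that straddles the top of the hour is split across two counts.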
Re: Intrusion Attempts
On Tue, 03 Dec 2002 at 09:19:28PM -0500, [EMAIL PROTECTED] wrote:
> Hi. Can you help me. Who do I report the above to. I have 2 firewalls running
> and tonight I was attacked from the same address 172 times in less than an
> hour. These people want banning off the net. It is certainly a violation of
> my privacy. A dozen times is an excuse but 172, I ask you. Please come back.

You can usually find the domain associated with the IP by doing a reverse lookup:

    dig -x ipaddress

Make sure to take the results from your lookup above and look that up to make sure they match.

IE:

I do this first:

    dig -x 127.0.0.1

and get:

    1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.

then I:

    dig localhost

and I get:

    localhost. 604800 IN A 127.0.0.1

They match, wonderful. Now I go to www.localhost and see if they have an address to report logs of undesirables to. If not I'll:

    dig localhost SOA

and get:

    localhost. 604800 IN SOA localhost. root.localhost. 1 604800 86400 2419200 604800

hmm...root.localhost, I bet you he can at least forward the email to the right person (since they are too lame to list that person on their web site).

If all else fails do a whois lookup on the IP

    whois ipaddress

and find one of the contacts listed there and bug them :)

There is always an iptables blacklist you can set up and block the entire 24 (or 16, ouch) bit network if the admins do not take care of the undesirables.

Regards,

--
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #14: Somebody was calculating pi on the server
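
The lookup sequence described in this message, as an added example that is not part of the original post: a POSIX shell version of the reverse lookup, the forward confirmation and the SOA contact step, for IPv4 addresses. The function names, `sample_dig` and its example.net records are constructed for the example; pass `dig` as the first argument for live lookups.

```shell
#!/bin/sh
# RESOLVER (first argument of fcrdns and soa_contact) is called like dig.
# sample_dig is a constructed stand-in: it replays the localhost answers
# quoted in the message plus made-up example.net records, so the functions
# can be exercised without network access.
sample_dig() {
    query=""
    for arg in "$@"; do
        case $arg in
            +*) ;;                          # skip dig display options
            *)  query="$query $arg" ;;
        esac
    done
    case $query in
        " -x 127.0.0.1")
            printf '%s\n' '1.0.0.127.in-addr.arpa. 604800 IN PTR localhost.' ;;
        " localhost. A")
            printf '%s\n' 'localhost. 604800 IN A 127.0.0.1' ;;
        " localhost. SOA")
            printf '%s\n' 'localhost. 604800 IN SOA localhost. root.localhost. 1 604800 86400 2419200 604800' ;;
        " -x 192.0.2.7")
            printf '%s\n' '7.2.0.192.in-addr.arpa. 3600 IN PTR mail.example.net.' ;;
        " mail.example.net. A")
            printf '%s\n' 'mail.example.net. 3600 IN A 198.51.100.9' ;;
        " mail.example.net. SOA")
            printf '%s\n' 'example.net. 3600 IN SOA ns1.example.net. abuse\.desk.example.net. 1 7200 900 1209600 3600' ;;
    esac
}

# rdata TYPE N: print field N of every record line of type TYPE.
rdata() {
    awk -v type="$1" -v n="$2" '$3 == "IN" && $4 == type { print $n }'
}

# fcrdns RESOLVER IP: print the PTR name whose A records include IP and
# return 0. Return 1 if there is no PTR or no PTR name resolves back to IP;
# such a name is whatever the owner of the reverse zone chose to publish.
fcrdns() {
    for name in $("$1" +noall +answer -x "$2" | rdata PTR 5); do
        if "$1" +noall +answer "$name" A | rdata A 5 | grep -qxF "$2"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# soa_contact RESOLVER NAME: print the mailbox held in the SOA RNAME field.
# +authority makes dig show the enclosing zone's SOA when NAME is a host
# inside a zone rather than the zone itself.
soa_contact() {
    rname=$("$1" +noall +answer +authority "$2" SOA | rdata SOA 6 | head -n 1)
    [ -n "$rname" ] || return 1
    # The first unescaped dot stands for "@"; "\." is a literal dot in the
    # local part; the trailing root dot is dropped.
    printf '%s\n' "$rname" |
        sed -e 's/\([^\\]\)\./\1@/' -e 's/\\\././g' -e 's/\.$//'
}

# Replays the localhost walk-through from the message.
fcrdns sample_dig 127.0.0.1 && soa_contact sample_dig localhost.
```

When `fcrdns` returns 1 the PTR name should not be used to pick a contact; that is the point at which the message falls back to `whois ipaddress`.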
Intrusion Attempts
Hi. Can you help me. Who do I report the above to. I have 2 firewalls running and tonight I was attacked from the same address 172 times in less than an hour. These people want banning off the net. It is certainly a violation of my privacy. A dozen times is an excuse but 172, I ask you. Please come back.

Kindest Regards
Stewart.
Re: Removing stupid HTTP methods from Apache
Hi Anne,

> I'm running Apache on a Woody machine, and I can't figure
> out for the life of me how to disable certain insecure HTTP
> methods like PROPFIND and PUT.

I hope this helps:
http://www.daemon.be/~maarten/apache-1.3.27-stripping.patch

Limit and LimitExcept are also possible solutions, but you can't use them to disable all methods. Some are immune to this :-)

Cheers,
Maarten

--
Maarten Van Horenbeeck
Ubizen Network Security Analyst
We Secure e-Business
Phone +32 16 28 70 00 http://www.ubizen.com
Fax +32 16 28 71 00 http://www.onlineguardian.com
Re: Removing stupid HTTP methods from Apache
Anne Carasik wrote:
> I'm running Apache on a Woody machine, and I can't figure
> out for the life of me how to disable certain insecure HTTP
> methods like PROPFIND and PUT.

Don't run software that answers requests with these methods if you don't want them enabled, nothing in apache (1.3 anyway) will service those by default. Otherwise, yeah, Limit and LimitExcept are the directives you're interested in.

--
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's not for you." She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway." -Holly
Re: Removing stupid HTTP methods from Apache
This is what people suggest for Subversion:

AuthType Basic
AuthName "Subversion repository"
AuthUserFile /usr/local/etc/apache2/svn-pass
Require valid-user
DAV svn
SVNPath /var/svn/test

On Tue, Dec 03, 2002 at 01:27:36PM -0800, Anne Carasik wrote:
> Hi all,
>
> I'm running Apache on a Woody machine, and I can't figure
> out for the life of me how to disable certain insecure HTTP
> methods like PROPFIND and PUT.
>
> Can someone please help me out? I've been searching through
> the docs and google, and I'm hoping I just overlooked something
> obvious.
>
> TIA,
>
> -Anne
> --
> .-"".__."``". Anne Carasik, System Administrator
> .-.--. _...' (/) (/) ``' gator at cacr dot caltech dot edu
> (O/ O) \-' ` -="""=.', Center for Advanced Computing Research
> ~`~~
>
Removing stupid HTTP methods from Apache
Hi all,

I'm running Apache on a Woody machine, and I can't figure
out for the life of me how to disable certain insecure HTTP
methods like PROPFIND and PUT.

Can someone please help me out? I've been searching through
the docs and google, and I'm hoping I just overlooked something
obvious.

TIA,

-Anne
--
.-"".__."``". Anne Carasik, System Administrator
.-.--. _...' (/) (/) ``' gator at cacr dot caltech dot edu
(O/ O) \-' ` -="""=.', Center for Advanced Computing Research
~`~~
Re: port 113
Thus spoke Anne Carasik <[EMAIL PROTECTED]> [2002.12.02.1703 +0100]:
> Port 113 is auth/identd.
>
> IMHO, it makes sense to not let these in through your
> firewall.

Yes. You should DROP the Windoze crap (135-139, 445) and REJECT the ident requests, or else you might have to wait ages to connect to certain FTP or IRC servers.

--
.''`. martin f. krafft <[EMAIL PROTECTED]>
: :' : proud Debian developer, admin, and user
`. `'`
`- Debian - when you have better things to do than fixing a system

NOTE: The public PGP keyservers are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc
Re: Using Razor and Debian Mailing lists
Hiya Debian,

On Mon, Dec 02, 2002 at 11:23:11PM -0500, Phillip Hofmeister wrote:
> Please do not have your procmail or anything else automatically mark
> mail sent from debian's list as spam. Several valid emails have ended
> up in my "Junk" folder because someone is reporting them to razor.

I noticed this with bugtraq mails (yes, ok I know bugtraq is moderated but it was easier to filter all my mail than select stuff). This is the reason I stopped using razor. Surely if people can do this, razor is worthless?

SpamAssassin's Bayes modules look interesting - should be in 1.50 when that's released as stable. Hopefully they will catch the spam that spamassassin doesn't quite catch for me.

--
[EMAIL PROTECTED] -+*+- crazy, stupid and English
If at first you don't succeed, destroy all evidence that you tried.
Re: Using Razor and Debian Mailing lists
Raymond Wood:
> Someone else mentioned that one should also remove the Debian
> 'unsubscribe' line at the end of the offending email. Since
> this is more work than simply forwarding the email unchanged to
> Razor, can you or someone else confirm whether this additional
> step is really necessary?

A munged message would "contaminate" the razor database with extra things which do not really belong to the original spam message. I don't think this is good. Many more people will benefit if nobody submits munged messages.

If you want a quick method to remove the footer, this is what I use:

#!/bin/sed -f
# Keep a sliding window of three lines in the pattern space.
: mas
$!N
# Once a second newline is present the window is full.
s/\n/&/2; t vale
$!b mas
: vale
# Delete the window if it is the list footer; otherwise print and drop
# its first line and start over with the remainder.
/^-- \nTo UNSUBSCRIBE, email to .*\nwith a subject of .*/d
P;D
Re: test of non-subscribed user
On Monday 02 December 2002 18:25, Raymond Wood wrote:
> OK, so the problem is not with reporting genuine Spam to Razor;
> rather the problem is with incorrectly reporting legitimate
> email as Spam to Razor?

Well, AFAICT razor seems to derive keyword lists from the reported spam messages, so it would be possible for it to see "@lists.debian.org" is a known spam source or spam keyword.

Regards,
Sven Müller
- IT - Network&Infrastructure -

--
* Heinrich Berndes Haushaltstechnik GmbH & Co KG
* Wiebelsheidestrasse 55, 59757 Arnsberg, Germany
* Phone: +49 2932 475-282 / FAX: -325
* http://www.berndes.com
Re: Using Razor and Debian Mailing lists
On Tue, 03 Dec 2002 at 12:00:44AM -0500, andrew lattis wrote:
> --
> :0fw
> | /usr/bin/spamassassin
>
> :0:
> * ^X-Spam-Status: Yes
> spam
> --
>
> or you could put a
>
> --
> :0
> * ^TO.*@lists.debian.org
> $DEFAULT
> --
>
> before that to have most debian emails avoid the check.

The source of most of my Spam is debian-related mail...:(

--
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #175: Someone thought The Big Red Button was a light switch.