iptables help to forward ports please
been trying to get the following to work for some time, input is most appreciated

    internet <=25= firewall iptablerule =port#x=> internalSMTPhost

how can the firewall be told to:

  take all incoming tcp port 25 traffic and send it to smtp host on port X

  take all outgoing traffic from smtphost and send it out to the internet on port 25

Thank you.
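The rules the question asks for, as an added example that is not part of the original post: a small script that prints the iptables commands for DNATing incoming port 25 to the internal SMTP host on port X and letting that host send mail out on port 25. The interface names, the host address and the internal port are assumed placeholders; the return traffic in both directions needs no explicit rule because connection tracking reverses the NAT and matches it as ESTABLISHED.

```shell
#!/bin/sh
# Added example (not from the original post): generates the iptables commands
# for the setup asked about above. Every value below is an assumed
# placeholder; adjust before use. Nothing is applied unless "apply" is passed
# and the script is run as root.

WAN_IF="${WAN_IF:-eth0}"                  # assumption: internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                  # assumption: interface towards the SMTP host
SMTP_HOST="${SMTP_HOST:-192.168.1.25}"    # assumption: internal SMTP host address
SMTP_PORT="${SMTP_PORT:-2525}"            # assumption: "port X" on the internal host

# smtp_forward_rules WAN_IF LAN_IF SMTP_HOST SMTP_PORT
# Prints the commands; this function applies nothing itself.
smtp_forward_rules() {
    wan=$1; lan=$2; host=$3; port=$4
    cat <<EOF
# the firewall must route between its interfaces at all
sysctl -w net.ipv4.ip_forward=1
# nothing crosses the firewall unless a rule below allows it
iptables -P FORWARD DROP
# replies and follow-up packets of tracked connections, both directions
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound: rewrite internet -> firewall:25 into smtphost:X before routing
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 25 -j DNAT --to-destination $host:$port
# inbound: allow the rewritten connection to be forwarded to the host
iptables -A FORWARD -i $wan -o $lan -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT
# outbound: only the SMTP host, only to port 25
iptables -A FORWARD -i $lan -o $wan -p tcp -s $host --dport 25 -m state --state NEW -j ACCEPT
# outbound: hide the host behind the firewall's public address
iptables -t nat -A POSTROUTING -o $wan -p tcp -s $host --dport 25 -j MASQUERADE
EOF
}

case "${1:-print}" in
    apply) smtp_forward_rules "$WAN_IF" "$LAN_IF" "$SMTP_HOST" "$SMTP_PORT" | sh -e ;;
    *)     smtp_forward_rules "$WAN_IF" "$LAN_IF" "$SMTP_HOST" "$SMTP_PORT" ;;
esac
```

Run it without arguments to review the commands, then `./smtp-forward.sh apply` as root. Because the FORWARD policy is DROP and the outbound rule is limited to port 25, the SMTP host cannot do anything else through the firewall; if it resolves MX records itself rather than via a relay on the LAN, a matching rule for UDP/TCP port 53 is needed too.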
Re: kernel ptrace bug
Yes, but no programmer may access production servers :-)

M.

Wed, 2003-03-19 18:26, Phillip Hofmeister wrote:
> On Wed, 19 Mar 2003 at 05:18:05PM +0200, Martynas Domarkas wrote:
> > Grsecurity patch can limit ordinary user use ptrace. Can it help avoid
> > ptrace exploit?
>
> But if you are running a development system this pretty much breaks GDB
> (the way I understand it).
>
> --
> Phil
>
> PGP/GPG Key:
> http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #218: The co-locator cannot verify the frame-relay gateway to the ISDN
> server.

--
Regards,
IT systems administrator
Martynas Domarkas
tel.: +370 698 44331
Re: OT: Is it so easy to break into an NIS?
Quoting seph ([EMAIL PROTECTED]):

> you might be thinking of Arla, which is a completely independent
> opensource afs client. http://www.stacken.kth.se/projekt/arla/

Nope. Last I heard, Arla was going nowhere, on account of lost mindshare
when IBM/Transarc put OpenAFS under the IBM PL. Has that changed?

--
Cheers,              "Not using Microsoft products is like being a non-smoker
Rick Moen            40 or 50 years ago: You can choose not to smoke, yourself,
[EMAIL PROTECTED]    but it's hard to avoid second-hand smoke." -- M. Tiemann
Re: OT: Is it so easy to break into an NIS?
Rick Moen <[EMAIL PROTECTED]> writes:

> Quoting seph ([EMAIL PROTECTED]):
>
>> depends what you mean by free. Are you aware of openafs?
>> http://www.openafs.org
>
> That is of course derived from the IBM Transarc software. Hmmm. Some
> while back, I'd been led to believe that only client-end software was
> available in open source.

you might be thinking of Arla, which is a completely independent
opensource afs client. http://www.stacken.kth.se/projekt/arla/

(okay, so they also have an experimental afs server, but it's not stable)

seph
Re: Ptrace patch for 2.4.x BREAKS kill() 2 interesting effects for .pid and dot locking? (was Re: Ptrace hole / Linux 2.2.25)
On Wed, 2003-03-19 at 22:43, Matthew Grant wrote:
> I have been just digging harder, and the vulnerability is only
> exploitable if you are using the kernel auto module loader, so compile

Not the case in some situations

> Could I please say this to the kernel developers, please fix it
> properly!

I take patches.

Alan
Re: Ptrace patch for 2.4.x BREAKS kill() 2 interesting effects for .pid and dot locking? (was Re: Ptrace hole / Linux 2.2.25)
I am eating my own shorts here kill() 2 does actually behave the way it is
supposed to.

BUT these are correct:

- Debian netsaint does definitely have problems with its Web front end NOT
  being able to see the netsaint process running as netsaint user from the
  Web server running as www-data.

- User Mode Linux SKAS mode is definitely BORKED!

Work around described below is correct as far as I have read, ie recompile
kernel with no auto-module loading, or echo garbage executable name (one
that does not exist) into /proc/sys/kernel/modprobe.

Best Regards

On Thu, 2003-03-20 at 10:43, Matthew Grant wrote:

Hi There!

Sorry about making a racket, but I am posting this for the edification of
all, as there is a work around without breaking your server for this one.

As you can read below, I have found that the patch on 2.4.x also BREAKS
kill() 2 when executed for signal 0 on a process ID that the user is not
the owner of, except for root of course. This has all sorts of interesting
effects for processing .pid files, and probably dot locking. Makes the patch
as it stands unacceptable for 2.4.21, and vendor kernels I would say...
(See below for effects on Debian netsaint...)

I have been just digging harder, and the vulnerability is only exploitable
if you are using the kernel auto module loader, so compile your kernel
without auto module loader enabled, or echo some garbage into
/proc/sys/kernel/modprobe after loading all your modules. It has to be an
invalid executable name in there as any executable file will open the bug
to exploit.

Here are the effects on a netsaint box I look after:

bucket: -foo- [~] $ ls -l /var/run/netsaint/netsaint.pid
-rw-r--r--    1 root     root            5 Mar 19 16:32 /var/run/netsaint/netsaint.pid
bucket: -foo- [~] $ cat !$
cat /var/run/netsaint/netsaint.pid
4276
bucket: -foo- [~] $ kill -0 4276
bash: kill: (4276) - Operation not permitted

and the netsaint Web front end can't find the process alive that it wants to
talk to via a unix pipe so that it can start and stop notifications etc

Could I please say this to the kernel developers, please fix it properly!

Thanks heaps,

Matthew Grant

On Thu, 2003-03-20 at 09:34, Matthew Grant wrote:

Dear All,

The patch also breaks kill(2) on a process with signal number 0 - This is
used by a lot of monitoring programs running as one user ID to make sure a
process with another user ID is running. This causes trouble with packages
like nagios and netsaint, as well as other stuff.

Alan, don't want to bash you around, but isn't there another fix possible
that doesn't break this function call and UML skas mode?

Cheers,

Matthew Grant

On Thu, 2003-03-20 at 08:09, Matthew Grant wrote:

Mistyped linux-kernel address %-<

-----Forwarded Message-----

From: Matthew Grant <[EMAIL PROTECTED]>
To: Alan Cox <[EMAIL PROTECTED]>
Cc: Jeff Dike <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Ptrace hole / Linux 2.2.25
Date: 20 Mar 2003 07:55:45 +1200

Alan,

This patch really breaks UML using the skas mode of thread tracing skas3
patch on quite a significant amount of machines out there. The skas mode is
a lot more secure than the traditional UML tt mode. I guess this is related
to the below...

I am running a UML site that a lot of hospitals and clinics in Bangladesh
depend on for their email. It allows them to work around the corruption and
aggrandizement of the ISPs over there. The skas3 mode patch is needed for
the site to run securely. Tracing thread mode does not cut it.

There are also a large number of other telehoused ISP virtual hosting
machines that use this stuff, and it is actually proving to be quite
reliable.

I have attached the skas3 patch that Jeff Dike is currently using, and the
patch that you have produced. Could you please look into the clash between
them, and get it fixed. Thank you - there are lots out there who will
appreciate this.

Cheers,

Matthew Grant

On Mon, 2003-03-17 at 18:39, Ben Pfaff wrote:
> I am concerned about this change because it will break sandboxing
> software that I have written, which uses prctl() to turn
> dumpability back on so that it can open a fi
fw distros - Re: is iptables enough? (fwd)
rest of the "secure distro" or floppy-based distro for firewall grade OS
-- or a hardened debian box..
    http://www.Linux-Sec.net/Distro/

- but from the looks of security advisories from some distro, its just like
  any other linux distro .. with more or less tweaking to be better than the
  average distro

general firewall stuff ( config tools, fw testing, logging, and pre-config'd
firewalls,
    http://www.Linux-Sec.net/FW/

c ya
alvin

> > Using a CDR gives you a lot more space.
>
> Bah, bloatware! ;-)
>
> I'm using Coyote Linux[1] the only place I currently require a router,
> works great. Indeed based on LRP.
..
> I looked at PicoBSD [2] too, just to insert some non-uniformity in the
> network, but couldn't make too much sense of it...
>
> [1] http://www.coyotelinux.com/
> [2] http://people.freebsd.org/~picobsd/picobsd.html
>
> Cheers,
>
> Kjetil
> --
> Kjetil Kjernsmo
> Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
> [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
> Homepage: http://www.kjetil.kjernsmo.net/
> OpenPGP KeyID: 6A6A0BBC

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: is iptables enough?
I run 2 cronjobs to apt update each machine every night and email me the
updates, if I'm happy I login and do the upgrade.

For protecting a single machine I have difficulty justifying a separate
firewall machine, I cannot see it achieving much unless the port forwarded
ports are proxied, ie no direct connection from outside to the server is
allowed.

If its protecting multiple machines in a DMZ then yes it has value, however
I run iptables on each machine in the DMZ as well such that another machine
in the DMZ cannot get to another.

I agree with the idea of having more than 1 firewall, using a different
firewall system giving defence in depth. Even an ACL on a CISCO router
before the firewall is a start. There have been cases of firewall 1 having
security holes and being directly connected to the net, yet convincing
others to allow me to put a linux box running simple iptables in front has
fallen on deaf ears.

I suppose it depends on how paranoid you wish to be, or if you prefer "once
stung twice shy". If you have not been stung then there are other
distractions taking your attention.

regards

Steven

-----Original Message-----
From: Stefan Neufeind [mailto:[EMAIL PROTECTED]
Sent: Thursday, 20 March 2003 10:22
To: Ian Garrison
Cc: debian-security@lists.debian.org
Subject: Re: is iptables enough?

What I find astonishing: Let's say you are running a webserver, maybe
mailserver and a DNS on a server. What rules do you want to apply to the
packets etc.? I would suggest to keep the open ports restricted, check for
all current updates regularly (subscribe to several mailinglists etc.) and I
guess that would be far enough. What other things does a firewall have to
offer? It's good if you want to protect e.g. a network but for a single
server I doubt it's that interesting or useful.

What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

> Imo iptables is a reasonably good stateful firewall and is fine in most
> cases. However, a very wise person once said that the ideal setup is
> to layer more than one implementation of packet filter and firewall
> between the wild and a host/network you wish to protect. Ideally
> implementations on diverse platforms.
>
> One example for consideration is a cisco packet filter (acls) that may
> allowed fragmented packets to traverse its filters, but once passed on
> to an iptables ruleset might get discarded because iptables was
> written separately from cisco's implementation and happens to catch
> this case and a few other cases that were missed. Make your network
> an onion if you can engineer a method to easily manage your rules.
>
> That said, I use only iptables to filter my home network and either it
> is doing a great job or nobody is interested in attacking my host
> (likely both). For me, it does the job as nothing is revenue
> generating for myself or others -- its important, but not critical.
> If I had a client that wanted to sell stuff on the web and handling
> ccard ordering of a product, as well as all their corporate email,
> then I would be more thoughtful of additional measures to protect the
> network. In my work environment every so often developers or others
> turn off our iptables rulesets without telling us, as it is easy (one
> little command). In such cases the cisco packet filter will offer
> some protection and disabling such filters is more work than our
> developers care to struggle against.
>
> Iptables/ipf and any other stateful firewall that attempts to be a
> modern contender in the firewalling ring is likely 'good enough'. My
> point is that while I like iptables, it and every other filter out
> there will fall subject to some method of circumvention/exploitation
> at some point, and that how much effort you put into hardening your
> network is up to you. Your question almost seems to be "is iptables
> developed enough to compete with commercial solutions", to which I
> would say "yes, if the person deploying the rules is experienced
> enough to write a solid set of rules". If I was you, I would be
> satisfied with iptables and the hardware you have selected -- but I am
> not you, and this decision is not mine to make. No matter where you
> set the bar there will still be more secure solutions. "secure
> enough" is all a state of paranoia and budget. :)
Ptrace patch for 2.4.x BREAKS kill() 2 interesting effects for .pid and dot locking? (was Re: Ptrace hole / Linux 2.2.25)
Hi There!

Sorry about making a racket, but I am posting this for the edification of
all, as there is a work around without breaking your server for this one.

As you can read below, I have found that the patch on 2.4.x also BREAKS
kill() 2 when executed for signal 0 on a process ID that the user is not
the owner of, except for root of course. This has all sorts of interesting
effects for processing .pid files, and probably dot locking. Makes the patch
as it stands unacceptable for 2.4.21, and vendor kernels I would say...
(See below for effects on Debian netsaint...)

I have been just digging harder, and the vulnerability is only exploitable
if you are using the kernel auto module loader, so compile your kernel
without auto module loader enabled, or echo some garbage into
/proc/sys/kernel/modprobe after loading all your modules. It has to be an
invalid executable name in there as any executable file will open the bug
to exploit.

Here are the effects on a netsaint box I look after:

bucket: -foo- [~] $ ls -l /var/run/netsaint/netsaint.pid
-rw-r--r--    1 root     root            5 Mar 19 16:32 /var/run/netsaint/netsaint.pid
bucket: -foo- [~] $ cat !$
cat /var/run/netsaint/netsaint.pid
4276
bucket: -foo- [~] $ kill -0 4276
bash: kill: (4276) - Operation not permitted

and the netsaint Web front end can't find the process alive that it wants to
talk to via a unix pipe so that it can start and stop notifications etc

Could I please say this to the kernel developers, please fix it properly!

Thanks heaps,

Matthew Grant

On Thu, 2003-03-20 at 09:34, Matthew Grant wrote:

Dear All,

The patch also breaks kill(2) on a process with signal number 0 - This is
used by a lot of monitoring programs running as one user ID to make sure a
process with another user ID is running. This causes trouble with packages
like nagios and netsaint, as well as other stuff.

Alan, don't want to bash you around, but isn't there another fix possible
that doesn't break this function call and UML skas mode?

Cheers,

Matthew Grant

On Thu, 2003-03-20 at 08:09, Matthew Grant wrote:

Mistyped linux-kernel address %-<

-----Forwarded Message-----

From: Matthew Grant <[EMAIL PROTECTED]>
To: Alan Cox <[EMAIL PROTECTED]>
Cc: Jeff Dike <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Ptrace hole / Linux 2.2.25
Date: 20 Mar 2003 07:55:45 +1200

Alan,

This patch really breaks UML using the skas mode of thread tracing skas3
patch on quite a significant amount of machines out there. The skas mode is
a lot more secure than the traditional UML tt mode. I guess this is related
to the below...

I am running a UML site that a lot of hospitals and clinics in Bangladesh
depend on for their email. It allows them to work around the corruption and
aggrandizement of the ISPs over there. The skas3 mode patch is needed for
the site to run securely. Tracing thread mode does not cut it.

There are also a large number of other telehoused ISP virtual hosting
machines that use this stuff, and it is actually proving to be quite
reliable.

I have attached the skas3 patch that Jeff Dike is currently using, and the
patch that you have produced. Could you please look into the clash between
them, and get it fixed. Thank you - there are lots out there who will
appreciate this.

Cheers,

Matthew Grant

On Mon, 2003-03-17 at 18:39, Ben Pfaff wrote:
> I am concerned about this change because it will break sandboxing
> software that I have written, which uses prctl() to turn
> dumpability back on so that it can open a file, setuid(), and
> then execve() through the open file via /proc/self/fd/#. Without
> calling prctl(), the ownership of /proc/self/fd/* becomes root,
> so the process cannot exec it after it drops privileges. It uses
> prctl() in other places to get the same effect in /proc, but
> that's one of the most critical.

The dumpability is per mm, which means that you have to consider all the
cases of a thread being created in parallel to dumpability being enabled.
So consider a three threaded process. Thread one triggers kernel thread
creation, thread two turns dumpability back on, thread three ptraces the
new kernel thread. Proving that is safe is non trivial so the current patch
chooses not to attempt it. For 2.4.21 proper someone can sit down and do
the needed verification if they wish

--
===
Matt
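Two small checks related to the message above, added here as an example and not part of the thread. The first addresses the `kill -0` symptom in the netsaint transcript: `kill -0` failing with "Operation not permitted" (EPERM) means the process exists but belongs to another user, and only "No such process" (ESRCH) means it is gone, so a monitor running as a different uid should treat EPERM as alive; the function below uses `/proc/<pid>` (Linux) as the permission-independent fallback. The second verifies the workaround the message describes, namely that `/proc/sys/kernel/modprobe` no longer names an existing executable. Both functions take their inputs as arguments so they can be exercised against a copy; the file path default is the only system-specific assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Liveness check that does not confuse
# EPERM with ESRCH, plus a check of the /proc/sys/kernel/modprobe workaround.

# pid_alive PID: exit 0 if the process exists, 1 if not, 2 on bad input.
pid_alive() {
    pid=$1
    case "$pid" in ''|*[!0-9]*) return 2 ;; esac      # reject non-numeric input
    if kill -0 "$pid" 2>/dev/null; then
        return 0                                      # signal allowed: definitely alive
    fi
    # kill failed: either EPERM (alive, owned by someone else) or ESRCH (gone).
    # The /proc entry exists in the first case only, whatever uid we run as.
    [ -d "/proc/$pid" ]
}

# modprobe_helper_hardened [FILE]: exit 0 if the configured helper is not an
# existing executable (the auto-loader cannot run anything), 1 if it still is,
# 2 if the setting could not be read. FILE defaults to the live kernel knob.
modprobe_helper_hardened() {
    file=${1:-/proc/sys/kernel/modprobe}
    [ -e "$file" ] || return 0        # knob absent (no module support): nothing to check
    [ -r "$file" ] || return 2        # present but unreadable: undetermined
    helper=$(cat "$file")
    if [ -n "$helper" ] && [ -x "$helper" ]; then
        return 1                      # still points at something runnable
    fi
    return 0
}

# Stand-alone run: report on this shell's own pid and the live kernel setting.
if pid_alive "$$"; then echo "pid $$ alive"; else echo "pid $$ not found"; fi
if modprobe_helper_hardened; then
    echo "modprobe helper is not an executable (or the knob is absent)"
else
    echo "modprobe helper still points at an executable, or could not be checked"
fi
```

Because `/proc/sys/kernel/modprobe` is the default, the script reports on the running kernel when called without arguments; after applying the workaround from the message (writing a name that does not exist), the check should report the helper as not executable.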
Re: kernel ptrace bug
On Wednesday 19 March 2003 09:18, Martynas Domarkas wrote:
> Grsecurity patch can limit ordinary user use ptrace. Can it help avoid
> ptrace exploit?
>
>
> Martynas

yes for the most part limiting access to /proc/self/exe breaks the exploit.

http://www.hardrock.org/kernel/2.4.20/linux-2.4.20-ptrace.patch

The patch seems to remove all access to ptrace calls even for root though,
I don't see how this _fixes_ anything other than breaking the exploit.
didn't look into that much so correct me if I'm wrong.

--
--
Orlando Padilla
http://www.g0thead.com/xbud.asc
--
Re: is iptables enough?
On Wednesday 19 March 2003 22:58, Rick Moen wrote:
> You could do that with Linux Router Project floppy images -- but
> booting from floppy is really cramped. Through some miracle of
> economising on space, they finally migrated to libc6 and kernel
> 2.2.x, but God only knows how.

Hehe...

> Using a CDR gives you a lot more space.

Bah, bloatware! ;-)

I'm using Coyote Linux[1] the only place I currently require a router,
works great. Indeed based on LRP. But then, it doesn't have things like
snort or tiger, which I guess, is a requirement for some. Personally, I have
a problem with all the information generated by those... I just don't have
time to deal with it. Keeping it at an absolute minimum seemed like good
idea in that position, as I guess when having more stuff that can break,
more stuff will break...

I looked at PicoBSD [2] too, just to insert some non-uniformity in the
network, but couldn't make too much sense of it...

[1] http://www.coyotelinux.com/
[2] http://people.freebsd.org/~picobsd/picobsd.html

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: is iptables enough?
What I find astonishing: Let's say you are running a webserver, maybe
mailserver and a DNS on a server. What rules do you want to apply to the
packets etc.? I would suggest to keep the open ports restricted, check for
all current updates regularly (subscribe to several mailinglists etc.) and I
guess that would be far enough. What other things does a firewall have to
offer? It's good if you want to protect e.g. a network but for a single
server I doubt it's that interesting or useful.

What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

> Imo iptables is a reasonably good stateful firewall and is fine in most
> cases. However, a very wise person once said that the ideal setup is
> to layer more than one implementation of packet filter and firewall
> between the wild and a host/network you wish to protect. Ideally
> implementations on diverse platforms.
>
> One example for consideration is a cisco packet filter (acls) that may
> allowed fragmented packets to traverse its filters, but once passed on
> to an iptables ruleset might get discarded because iptables was
> written separately from cisco's implementation and happens to catch
> this case and a few other cases that were missed. Make your network
> an onion if you can engineer a method to easily manage your rules.
>
> That said, I use only iptables to filter my home network and either it
> is doing a great job or nobody is interested in attacking my host
> (likely both). For me, it does the job as nothing is revenue
> generating for myself or others -- its important, but not critical.
> If I had a client that wanted to sell stuff on the web and handling
> ccard ordering of a product, as well as all their corporate email,
> then I would be more thoughtful of additional measures to protect the
> network. In my work environment every so often developers or others
> turn off our iptables rulesets without telling us, as it is easy (one
> little command). In such cases the cisco packet filter will offer
> some protection and disabling such filters is more work than our
> developers care to struggle against.
>
> Iptables/ipf and any other stateful firewall that attempts to be a
> modern contender in the firewalling ring is likely 'good enough'. My
> point is that while I like iptables, it and every other filter out
> there will fall subject to some method of circumvention/exploitation
> at some point, and that how much effort you put into hardening your
> network is up to you. Your question almost seems to be "is iptables
> developed enough to compete with commercial solutions", to which I
> would say "yes, if the person deploying the rules is experienced
> enough to write a solid set of rules". If I was you, I would be
> satisfied with iptables and the hardware you have selected -- but I am
> not you, and this decision is not mine to make. No matter where you
> set the bar there will still be more secure solutions. "secure
> enough" is all a state of paranoia and budget. :)
Re: is iptables enough?
Quoting Kjetil Kjernsmo ([EMAIL PROTECTED]):

> Well, I'm primarily responding to your second question, but the way I
> would do it, if I had the resources, would be to get a small Pentium
> 133 MHz box, booting from a floppy and use it as a router and firewall.
> No harddrive, a complete wasteland.

You could do that with Linux Router Project floppy images -- but
booting from floppy is really cramped. Through some miracle of
economising on space, they finally migrated to libc6 and kernel
2.2.x, but God only knows how.

Using a CDR gives you a lot more space.

--
Cheers,                "Java is COBOL 2.0."
Rick Moen                    -- Deirdre Saoirse Moen
[EMAIL PROTECTED]
Re: is iptables enough?
On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. Tøndering wrote:
> This should be more than enough. I have been running a mailserver on a
> Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot
> mail --- never had a problem.

Hah! Is nothing! I run a cablemodem firewall, multiple VPN's, DNS, with
snort, tiger, and other tools on a 486 with 16MB of RAM!

*amon wonders how many know the MP old men from Northumberland skit...

--
--
IN MY NAME:              Dale Amon, CEO/MD
No Mushroom clouds over  Islandone Society
London and New York.     www.islandone.org
--
Re: is iptables enough?
Imo iptables is a reasonably good stateful firewall and is fine in most
cases. However, a very wise person once said that the ideal setup is to
layer more than one implementation of packet filter and firewall between the
wild and a host/network you wish to protect. Ideally implementations on
diverse platforms.

One example for consideration is a cisco packet filter (acls) that may
allowed fragmented packets to traverse its filters, but once passed on to an
iptables ruleset might get discarded because iptables was written separately
from cisco's implementation and happens to catch this case and a few other
cases that were missed. Make your network an onion if you can engineer a
method to easily manage your rules.

That said, I use only iptables to filter my home network and either it is
doing a great job or nobody is interested in attacking my host (likely
both). For me, it does the job as nothing is revenue generating for myself
or others -- its important, but not critical. If I had a client that wanted
to sell stuff on the web and handling ccard ordering of a product, as well
as all their corporate email, then I would be more thoughtful of additional
measures to protect the network. In my work environment every so often
developers or others turn off our iptables rulesets without telling us, as
it is easy (one little command). In such cases the cisco packet filter will
offer some protection and disabling such filters is more work than our
developers care to struggle against.

Iptables/ipf and any other stateful firewall that attempts to be a modern
contender in the firewalling ring is likely 'good enough'. My point is that
while I like iptables, it and every other filter out there will fall subject
to some method of circumvention/exploitation at some point, and that how
much effort you put into hardening your network is up to you. Your question
almost seems to be "is iptables developed enough to compete with commercial
solutions", to which I would say "yes, if the person deploying the rules is
experienced enough to write a solid set of rules". If I was you, I would be
satisfied with iptables and the hardware you have selected -- but I am not
you, and this decision is not mine to make. No matter where you set the bar
there will still be more secure solutions. "secure enough" is all a state
of paranoia and budget. :)

-ian

On Wed, 19 Mar 2003, Jones wrote:

> I am planning to replace a (dead) Windows 2000 computer that was used
> as a web server and email server with a Debian Linux solution. This
> machine is connected to the net via DSL and would run apache and
> exim/qpopper and sshd. Everything else would be turned off. It is a
> small church and their current site is not very busy, but she says
> they do get a lot of email.
>
> Am I right in assuming that iptables is enough as a firewall solution
> and that I would not need to buy any additional software. That is
> what I understand from my past experience with Debian/iptables as a
> server and from the files at debian.org security howto at
> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)
>
> On a less related note, what hardware config would you recommend for
> such a system? She has a number of machines that I could choose
> from. Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10
> GB IDE hard drives. After increasing the RAM to 512MB, I think this
> should more than adequate for a system doing nothing but HTTP and
> SMTP/POP requests.
>
> thanks
> jmb
RE: is iptables enough?
I run 2 cronjobs to apt update each machine every night and email me the updates, if I'm happy I login and do the upgrade.

For protecting a single machine I have difficulty justifying a separate firewall machine, I cannot see it achieving much unless the port forwarded ports are proxied, ie no direct connection from outside to the server is allowed. If it's protecting multiple machines in a DMZ then yes it has value, however I run iptables on each machine in the DMZ as well such that another machine in the DMZ cannot get to another.

I agree with the idea of having more than 1 firewall, using a different firewall system giving defence in depth. Even an ACL on a CISCO router before the firewall is a start. There have been cases of firewall 1 having security holes and being directly connected to the net, yet convincing others to allow me to put a linux box running simple iptables in front has fallen on deaf ears.

I suppose it depends on how paranoid you wish to be, or if you prefer "once stung twice shy". If you have not been stung then there are other distractions taking your attention.

regards
Steven

-Original Message-
From: Stefan Neufeind [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 March 2003 10:22
To: Ian Garrison
Cc: [EMAIL PROTECTED]
Subject: Re: is iptables enough?

What I find astonishing: Let's say you are running a webserver, maybe mailserver and a DNS on a server. What rules do you want to apply to the packets etc.? I would suggest to keep the open ports restricted, check for all current updates regularly (subscribe to several mailinglists etc.) and I guess that would be far enough. What other things does a firewall have to offer? It's good if you want to protect e.g. a network but for a single server I doubt it's that interesting or useful.

What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

> Imo iptables is a reasonably good stateful firewall and is fine in most cases. However, a very wise person once said that the ideal setup is to layer more than one implementation of packet filter and firewall between the wild and a host/network you wish to protect. Ideally implementations on diverse platforms.
>
> One example for consideration is a cisco packet filter (acls) that may allow fragmented packets to traverse its filters, but once passed on to an iptables ruleset might get discarded because iptables was written separately from cisco's implementation and happens to catch this case and a few other cases that were missed. Make your network an onion if you can engineer a method to easily manage your rules.
>
> That said, I use only iptables to filter my home network and either it is doing a great job or nobody is interested in attacking my host (likely both). For me, it does the job as nothing is revenue generating for myself or others -- it's important, but not critical. If I had a client that wanted to sell stuff on the web and handling ccard ordering of a product, as well as all their corporate email, then I would be more thoughtful of additional measures to protect the network. In my work environment every so often developers or others turn off our iptables rulesets without telling us, as it is easy (one little command). In such cases the cisco packet filter will offer some protection and disabling such filters is more work than our developers care to struggle against.
>
> Iptables/ipf and any other stateful firewall that attempts to be a modern contender in the firewalling ring is likely 'good enough'. My point is that while I like iptables, it and every other filter out there will fall subject to some method of circumvention/exploitation at some point, and that how much effort you put into hardening your network is up to you.
>
> Your question almost seems to be "is iptables developed enough to compete with commercial solutions", to which I would say "yes, if the person deploying the rules is experienced enough to write a solid set of rules". If I was you, I would be satisfied with iptables and the hardware you have selected -- but I am not you, and this decision is not mine to make. No matter where you set the bar there will still be more secure solutions. "secure enough" is all a state of paranoia and budget. :)
Ptrace patch for 2.4.x BREAKS kill(2) - interesting effects for .pid and dot locking? (was Re: Ptrace hole / Linux 2.2.25)
Hi There!

Sorry about making a racket, but I am posting this for the edification of all, as there is a work around without breaking your server for this one.

As you can read below, I have found that the patch on 2.4.x also BREAKS kill(2) when executed for signal 0 on a process ID that the user is not the owner of, except for root of course. This has all sorts of interesting effects for processing .pid files, and probably dot locking. Makes the patch as it stands unacceptable for 2.4.21, and vendor kernels I would say... (See below for effects on Debian netsaint...)

I have been just digging harder, and the vulnerability is only exploitable if you are using the kernel auto module loader, so compile your kernel without auto module loader enabled, or echo some garbage into /proc/sys/kernel/modprobe after loading all your modules. It has to be an invalid executable name in there as any executable file will open the bug to exploit.

Here are the effects on a netsaint box I look after:

bucket: -foo- [~] $ ls -l /var/run/netsaint/netsaint.pid
-rw-r--r--    1 root     root            5 Mar 19 16:32 /var/run/netsaint/netsaint.pid
bucket: -foo- [~] $ cat !$
cat /var/run/netsaint/netsaint.pid
4276
bucket: -foo- [~] $ kill -0 4276
bash: kill: (4276) - Operation not permitted

and the netsaint Web front end can't find the process alive that it wants to talk to via a unix pipe so that it can start and stop notifications etc

Could I please say this to the kernel developers, please fix it properly!

Thanks heaps,

Matthew Grant

On Thu, 2003-03-20 at 09:34, Matthew Grant wrote:

Dear All,

The patch also breaks kill(2) on a process with signal number 0 - This is used by a lot of monitoring programs running as one user ID to make sure a process with another user ID is running. This causes trouble with packages like nagios and netsaint, as well as other stuff.

Alan, don't want to bash you around, but isn't there another fix possible that doesn't break this function call and UML skas mode?

Cheers,

Matthew Grant

On Thu, 2003-03-20 at 08:09, Matthew Grant wrote:

Mistyped linux-kernel address %-<

-Forwarded Message-
From: Matthew Grant <[EMAIL PROTECTED]>
To: Alan Cox <[EMAIL PROTECTED]>
Cc: Jeff Dike <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Ptrace hole / Linux 2.2.25
Date: 20 Mar 2003 07:55:45 +1200

Alan,

This patch really breaks UML using the skas mode of thread tracing skas3 patch on quite a significant amount of machines out there. The skas mode is a lot more secure than the traditional UML tt mode. I guess this is related to the below...

I am running a UML site that a lot of hospitals and clinics in Bangladesh depend on for their email. It allows them to work around the corruption and aggrandisement of the ISPs over there. The skas3 mode patch is needed for the site to run securely. Tracing thread mode does not cut it. There are also a large number of other telehoused ISP virtual hosting machines that use this stuff, and it is actually proving to be quite reliable.

I have attached the skas3 patch that Jeff Dike is currently using, and the patch that you have produced. Could you please look into the clash between them, and get it fixed. Thank you - there are lots out there who will appreciate this.

Cheers,

Matthew Grant

On Mon, 2003-03-17 at 18:39, Ben Pfaff wrote:
> I am concerned about this change because it will break sandboxing software that I have written, which uses prctl() to turn dumpability back on so that it can open a file, setuid(), and then execve() through the open file via /proc/self/fd/#. Without calling prctl(), the ownership of /proc/self/fd/* becomes root, so the process cannot exec it after it drops privileges. It uses prctl() in other places to get the same effect in /proc, but that's one of the most critical.

The dumpability is per mm, which means that you have to consider all the cases of a thread being created in parallel to dumpability being enabled. So consider a three threaded process. Thread one triggers kernel thread creation, thread two turns dumpability back on, thread three ptraces the new kernel thread. Proving that is safe is non trivial so the current patch chooses not to attempt it. For 2.4.21 proper someone can sit down and do the needed verification if they wish

--
=== Matthe
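Added example (not code from the post, netsaint or nagios): a pid-file liveness check that does not treat the "Operation not permitted" result of `kill -0` shown above as "process dead". kill(pid, 0) delivers no signal; it only runs the existence and permission checks, so ESRCH means the pid file is stale while EPERM means the process exists but belongs to another user. The pid-file path is the one from the post; its contents ("4276\n") and the error mapping are assumptions for the example.

```c
/* Added example, not from the post or from netsaint/nagios.
 * A monitor running as one user that checks a daemon owned by another
 * must distinguish "no such process" (ESRCH) from "exists, but I may not
 * signal it" (EPERM).  Treating every failure as "dead" yields the
 * false "process not alive" symptom described in the post and can make
 * a supervisor restart a daemon that is running fine. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum liveness { PROC_DEAD = 0, PROC_ALIVE = 1, PROC_UNKNOWN = 2 };

/* Parse pid-file text such as "4276\n".  Returns -1 for anything that
 * is not a single positive integer (optionally surrounded by whitespace),
 * so a corrupt file can never turn into kill(-1, 0) or kill(0, 0), which
 * would address a process group or every process instead of one pid. */
pid_t parse_pidfile(const char *text)
{
    char *end;
    long v;

    if (text == NULL) return -1;
    while (isspace((unsigned char)*text)) text++;
    if (!isdigit((unsigned char)*text)) return -1;  /* rejects "-1", "+4", "" */
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0 || v <= 0 || v > INT_MAX) return -1;
    while (isspace((unsigned char)*end)) end++;
    if (*end != '\0') return -1;                    /* trailing junk */
    return (pid_t)v;
}

/* Map the return value and errno of kill(pid, 0) to a verdict. */
enum liveness classify_kill_result(int rc, int err)
{
    if (rc == 0) return PROC_ALIVE;       /* exists and we may signal it */
    if (err == ESRCH) return PROC_DEAD;   /* no such process: stale pid file */
    if (err == EPERM) return PROC_ALIVE;  /* exists, owned by another user */
    return PROC_UNKNOWN;                  /* anything else: do not guess */
}

/* Probe one pid without delivering a signal. */
enum liveness pid_liveness(pid_t pid)
{
    int rc;

    if (pid <= 0) return PROC_UNKNOWN;    /* never probe groups or "all" */
    errno = 0;
    rc = kill(pid, 0);
    return classify_kill_result(rc, errno);
}

/* Read a pid file and report on the process it names. */
enum liveness pidfile_liveness(const char *path)
{
    char buf[64];
    FILE *f = fopen(path, "r");
    size_t n;
    pid_t pid;

    if (f == NULL) return PROC_UNKNOWN;   /* missing file: cannot tell */
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    pid = parse_pidfile(buf);
    if (pid < 0) return PROC_UNKNOWN;     /* corrupt file: cannot tell */
    return pid_liveness(pid);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "dead", "alive", "unknown" };
    /* Default path is the netsaint pid file from the post. */
    const char *path = argc > 1 ? argv[1] : "/var/run/netsaint/netsaint.pid";

    printf("%s: %s\n", path, names[pidfile_liveness(path)]);
    return 0;
}
```

Run as an unprivileged user against a root-owned daemon's pid file, the check reports "alive" where a naive `kill -0 && echo alive` would report nothing.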
Re: is iptables enough?
Hello,

On Wednesday 19 March 2003 11:44 am, Jones wrote:
> I am planning to replace a (dead) Windows 2000 computer that was used as a web server and email server with a Debian Linux solution. This machine is connected to the net via DSL and would run apache and exim/qpopper and sshd. Everything else would be turned off. It is a small church and their current site is not very busy, but she says they do get a lot of email.

I would imagine that their 'lot of email' will be quite negligible to whatever server you can come up with.

> Am I right in assuming that iptables is enough as a firewall solution and that I would not need to buy any additional software. That is what I understand from my past experience with Debian/iptables as a server and from the files at debian.org security howto at (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)

Absolutely. Dedicated firewall hardware in such a small installation would seem ridiculously paranoid, to me. I'm not even sure what "additional software" you could consider.

> On a less related note, what hardware config would you recommend for such a system? She has a number of machines that I could choose from. Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10 GB IDE hard drives. After increasing the RAM to 512MB, I think this should be more than adequate for a system doing nothing but HTTP and SMTP/POP requests.

I'd say even without any additional RAM, you will be home free. Doubling it will make it fly, but I strongly doubt you will see any noticeable swapping at 256. The actual requirements of the installation you're describing are ridiculously small.

Good luck, and happy Debian-ing!

- Keegan
Re: is iptables enough?
On Wed, 2003-03-19 at 20:44, Jones wrote:
> On a less related note, what hardware config would you recommend for such a system? She has a number of machines that I could choose from. Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10 GB IDE hard drives. After increasing the RAM to 512MB, I think this should be more than adequate for a system doing nothing but HTTP and SMTP/POP requests.

This should be more than enough. I have been running a mailserver on a Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot of mail --- never had a problem.

Janus

--
Janus N. Tøndering <[EMAIL PROTECTED]>
Re: kernel ptrace bug
On Wednesday 19 March 2003 09:18, Martynas Domarkas wrote:
> Grsecurity patch can limit ordinary user use ptrace. Can it help avoid ptrace exploit?
>
> Martynas

yes for the most part limiting access to /proc/self/exe breaks the exploit.

http://www.hardrock.org/kernel/2.4.20/linux-2.4.20-ptrace.patch

The patch seems to remove all access to ptrace calls even for root though, I don't see how this _fixes_ anything other than breaking the exploit. didn't look into that much so correct me if I'm wrong.

--
Orlando Padilla
http://www.g0thead.com/xbud.asc
Re: is iptables enough?
On Wednesday 19 March 2003 22:58, Rick Moen wrote:
> You could do that with Linux Router Project floppy images -- but booting from floppy is really cramped. Through some miracle of economising on space, they finally migrated to libc6 and kernel 2.2.x, but God only knows how.

Hehe...

> Using a CDR gives you a lot more space.

Bah, bloatware! ;-) I'm using Coyote Linux[1] the only place I currently require a router, works great. Indeed based on LRP. But then, it doesn't have things like snort or tiger, which I guess, is a requirement for some. Personally, I have a problem with all the information generated by those... I just don't have time to deal with it. Keeping it at an absolute minimum seemed like good idea in that position, as I guess when having more stuff that can break, more stuff will break...

I looked at PicoBSD [2] too, just to insert some non-uniformity in the network, but couldn't make too much sense of it...

[1] http://www.coyotelinux.com/
[2] http://people.freebsd.org/~picobsd/picobsd.html

Cheers,

Kjetil

--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: is iptables enough?
Hi!

On Wednesday 19 March 2003 20:44, Jones wrote:
> Am I right in assuming that iptables is enough as a firewall solution and that I would not need to buy any additional software.

Well, I'm primarily responding to your second question, but the way I would do it, if I had the resources, would be to get a small Pentium 133 MHz box, booting from a floppy and use it as a router and firewall. No harddrive, a complete wasteland. But then, I'm really a newbie in all this, so you might want to listen to the pros... :-)

> Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10 GB IDE hard drives. After increasing the RAM to 512MB, I think this should be more than adequate for a system doing nothing but HTTP and SMTP/POP requests.

My main server is a Pentium PRO 180 MHz with 96 MB RAM. It gets a lot of e-mail, and has a whole bunch of mailinglists distributing many hundred messages a day. It had some problems when it was overwhelmed by an old Mailman bug that resulted in it receiving a few ~200 KB messages a second, and tried to scan all those with SpamAssassin (it took me half an hour to type "reboot" :-) ), but other than that, the CPU is mostly idle. Also, I tried to run Apache Cocoon on it, it worked, but it clearly had too little RAM for that. If you plan to run Cocoon, then 512 MB would be nice, but similar solutions, like AxKit, demand much less.

So, I think you would be fine with a much smaller box than that, but a 1 GHz with 256 MB is cool, if that is what you've got.

Cheers,

Kjetil

--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: is iptables enough?
What I find astonishing: Let's say you are running a webserver, maybe mailserver and a DNS on a server. What rules do you want to apply to the packets etc.? I would suggest to keep the open ports restricted, check for all current updates regularly (subscribe to several mailinglists etc.) and I guess that would be far enough. What other things does a firewall have to offer? It's good if you want to protect e.g. a network but for a single server I doubt it's that interesting or useful.

What do others think?

On 19 Mar 2003 at 16:07, Ian Garrison wrote:

> Imo iptables is a reasonably good stateful firewall and is fine in most cases. However, a very wise person once said that the ideal setup is to layer more than one implementation of packet filter and firewall between the wild and a host/network you wish to protect. Ideally implementations on diverse platforms.
>
> One example for consideration is a cisco packet filter (acls) that may allow fragmented packets to traverse its filters, but once passed on to an iptables ruleset might get discarded because iptables was written separately from cisco's implementation and happens to catch this case and a few other cases that were missed. Make your network an onion if you can engineer a method to easily manage your rules.
>
> That said, I use only iptables to filter my home network and either it is doing a great job or nobody is interested in attacking my host (likely both). For me, it does the job as nothing is revenue generating for myself or others -- it's important, but not critical. If I had a client that wanted to sell stuff on the web and handling ccard ordering of a product, as well as all their corporate email, then I would be more thoughtful of additional measures to protect the network. In my work environment every so often developers or others turn off our iptables rulesets without telling us, as it is easy (one little command). In such cases the cisco packet filter will offer some protection and disabling such filters is more work than our developers care to struggle against.
>
> Iptables/ipf and any other stateful firewall that attempts to be a modern contender in the firewalling ring is likely 'good enough'. My point is that while I like iptables, it and every other filter out there will fall subject to some method of circumvention/exploitation at some point, and that how much effort you put into hardening your network is up to you.
>
> Your question almost seems to be "is iptables developed enough to compete with commercial solutions", to which I would say "yes, if the person deploying the rules is experienced enough to write a solid set of rules". If I was you, I would be satisfied with iptables and the hardware you have selected -- but I am not you, and this decision is not mine to make. No matter where you set the bar there will still be more secure solutions. "secure enough" is all a state of paranoia and budget. :)
Re: is iptables enough?
On Wed, Mar 19, 2003 at 01:44:13PM -0600, Jones remarked:
> I am planning to replace a (dead) Windows 2000 computer that was used as a web server and email server with a Debian Linux solution. This machine is connected to the net via DSL and would run apache and exim/qpopper and sshd. Everything else would be turned off. It is a small church and their current site is not very busy, but she says they do get a lot of email.
>
> Am I right in assuming that iptables is enough as a firewall solution and that I would not need to buy any additional software.

Yes the iptables tool is sufficient to construct a reliable firewall. Network topology is another issue, and one people enjoy debating ;)

> That is what I understand from my past experience with Debian/iptables as a server and from the files at debian.org security howto at (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)

I would recommend you take a look at the 'Shoreline Firewall', more commonly known as 'Shorewall'. It's a good firewall solution and DEBs are available. Takes a while to get used to (i.e. figure out how it works) but it is reasonably well documented, and most importantly, well done.

> On a less related note, what hardware config would you recommend for such a system? She has a number of machines that I could choose from. Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10 GB IDE hard drives. After increasing the RAM to 512MB, I think this should be more than adequate for a system doing nothing but HTTP and SMTP/POP requests.

More than enough, yes.

> thanks
> jmb

My $0.02,

Raymond
Re: is iptables enough?
Quoting Kjetil Kjernsmo ([EMAIL PROTECTED]):
> Well, I'm primarily responding to your second question, but the way I would do it, if I had the resources, would be to get a small Pentium 133 MHz box, booting from a floppy and use it as a router and firewall. No harddrive, a complete wasteland.

You could do that with Linux Router Project floppy images -- but booting from floppy is really cramped. Through some miracle of economising on space, they finally migrated to libc6 and kernel 2.2.x, but God only knows how.

Using a CDR gives you a lot more space.

--
Cheers,                        "Java is COBOL 2.0."
Rick Moen                      -- Deirdre Saoirse Moen
[EMAIL PROTECTED]
is iptables enough?
I am planning to replace a (dead) Windows 2000 computer that was used as a web server and email server with a Debian Linux solution. This machine is connected to the net via DSL and would run apache and exim/qpopper and sshd. Everything else would be turned off. It is a small church and their current site is not very busy, but she says they do get a lot of email.

Am I right in assuming that iptables is enough as a firewall solution and that I would not need to buy any additional software. That is what I understand from my past experience with Debian/iptables as a server and from the files at debian.org security howto at (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)

On a less related note, what hardware config would you recommend for such a system? She has a number of machines that I could choose from. Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10 GB IDE hard drives. After increasing the RAM to 512MB, I think this should be more than adequate for a system doing nothing but HTTP and SMTP/POP requests.

thanks
jmb
Re: is iptables enough?
On Wed, Mar 19, 2003 at 09:45:48PM +0100, Janus N. Tøndering wrote:
> This should be more than enough. I have been running a mailserver on a Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot of mail --- never had a problem.

Hah! Is nothing! I run a cablemodem firewall, multiple VPN's, DNS, with snort, tiger, and other tools on a 486 with 16MB of RAM!

*amon wonders how many know the MP old men from Northumberland skit...

--
IN MY NAME:                     Dale Amon, CEO/MD
No Mushroom clouds over         Islandone Society
London and New York.            www.islandone.org
Re: is iptables enough?
Imo iptables is a reasonably good stateful firewall and is fine in most cases. However, a very wise person once said that the ideal setup is to layer more than one implementation of packet filter and firewall between the wild and a host/network you wish to protect. Ideally implementations on diverse platforms. One example for consideration is a cisco packet filter (acls) that may allowed fragmented packets to traverse its filters, but once passed on to an iptables ruleset might get discarded because iptables was written seperately from cisco's implementation and happens to catch this case and a few other cases that were missed. Make your network an onion if you can engineer a method to easily manage your rules. That said, I use only iptables to filter my home network and either it is doing a great job or nobody is interested in attacking my host (likely both). For me, it does the job as nothing is revenue generating for myself or others -- its important, but not critical. If I had a client that wanted to sell stuff on the web and handling ccard ordering of a product, as well as all their corporate email, then I would be more thoughtful of additional measures to protect the network. In my work environment every so often developers or others turn off our iptables rulesets without telling us, as it is easy (one little command). In such cases the cisco packet filter will offer some protection and disabling such filters is more work than our developers care to struggle against. Iptables/ipf and any other stateful firewall that attempts to be a modern contender in the firewalling ring is likely 'good enough'. My point is that while I like iptables, it and every other filter out there will fall subject to some method of circumvention/exploitation at some point, and that how much effort you put into hardening your network is up to you. 
Your question almost seems to be "is iptables developed enough to compete with commercial solutions", to which I would say "yes, if the person deploying the rules is experienced enough to write a solid set of rules". If I was you, I would be satisfied with iptables and the hardware you have selected -- but I am not you, and this decision is not mine to make. No matter where you set the bar there will still be more secure solutions. "secure enough" is all a state of paranoia and budget. :) -ian On Wed, 19 Mar 2003, Jones wrote: > I am planning to replace a (dead) Windows 2000 computer that was used > as a web server and email server with a Debian Linux solution. This > machine is connected to the net via DSL and would run apache and > exim/qpopper and sshd. Everything else would be turned off. It is a > small church and their current site is not very busy, but she says > they do get a lot of email. > > Am I right in assuming that iptabes is enough as a firewall solution > and that I would not need to buy any additional software. That is > what I understand from my past experience with Debian/iptables as a > server and from the files at debian.org security howto at > (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html) > > On a less related note, what hardware config would you recommend for > such a system? She has a number of machines that I could choose > from. Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10 > GB IDE hard drives. After increasing the RAM to 512MB, I think this > should more than adequate for a system doing nothing but HTTP and > SMTP/POP requests. > > thanks > jmb > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > > > -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: is iptables enough?
Hello, On Wednesday 19 March 2003 11:44 am, Jones wrote: > I am planning to replace a (dead) Windows 2000 computer that was used > as a web server and email server with a Debian Linux solution. This > machine is connected to the net via DSL and would run apache and > exim/qpopper and sshd. Everything else would be turned off. It is a > small church and their current site is not very busy, but she says > they do get a lot of email. I would imagine that their 'lot of email' will be quite negligible to whatever server you can come up with. > Am I right in assuming that iptabes is enough as a firewall solution > and that I would not need to buy any additional software. That is > what I understand from my past experience with Debian/iptables as a > server and from the files at debian.org security howto at > (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html) Absolutely. Dedicated firewall hardware in such a small installation would seem ridiculously paranoid, to me. I'm not even sure what "additional software" you could consider. > On a less related note, what hardware config would you recommend for > such a system? She has a number of machines that I could choose > from. Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10 > GB IDE hard drives. After increasing the RAM to 512MB, I think this > should more than adequate for a system doing nothing but HTTP and > SMTP/POP requests. I'd say even without any additional RAM, you will be home free. Doubling it will make it fly, but I strongly doubt you will see any noticeable swapping at 256. The actual requirements of the installation you're describing are ridiculously small. Good luck, and happy Debian-ing! - Keegan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: is iptables enough?
On Wed, 2003-03-19 at 20:44, Jones wrote: > On a less related note, what hardware config would you recommend for > such a system? She has a number of machines that I could choose > from. Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10 > GB IDE hard drives. After increasing the RAM to 512MB, I think this > should more than adequate for a system doing nothing but HTTP and > SMTP/POP requests. This should be more than enough. I have been running a mailserver on a Pentium 133MHz 96 RAM + SCSI for a few years. It can handle quite a lot mail --- never had a problem. Janus -- Janus N. Tøndering <[EMAIL PROTECTED]> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: is iptables enough?
Hi! On Wednesday 19 March 2003 20:44, Jones wrote: > Am I right in assuming that iptabes is enough as a firewall solution > and that I would not need to buy any additional software. Well, I'm primarily responding to your second question, but the way I would do it, if I had the resources, would be to get a small Pentium 133 MHz box, booting from a floppy and use it as a router and firewall. No harddrive, a complete wasteland. But then, I'm really a newbie in all this, so you might want to listen to the pros... :-) > Most of them are 1.x Ghz Pentium systems with 256MB RAM and 10 > GB IDE hard drives. After increasing the RAM to 512MB, I think this > should more than adequate for a system doing nothing but HTTP and > SMTP/POP requests. My main server is a Pentium PRO 180 MHz with 96 MB RAM. It gets a lot of e-mail, and has a whole bunch of mailinglists distributing many hundred messages a day. It had some problems when it was overwhelmed by a old Mailman bug that resulted in it receiving a few ~200 KB messages a second, and tried to scan all those with SpamAssassin (it took me half an hour to type "reboot" :-) ), but other than that, the CPU is mostly idle. Also, I tried to run Apache Cocoon on it, it worked, but it clearly had too little RAM for that. If you plan to run Cocoon, then 512 MB would be nice, but similar solutions, like AxKit, demands much less. So, I think you would be fine with a much smaller box than that, but a 1 GHz with 256 MB is cool, if that is what you've got. Cheers, Kjetil -- Kjetil Kjernsmo Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: is iptables enough?
On Wed, Mar 19, 2003 at 01:44:13PM -0600, Jones remarked:
> I am planning to replace a (dead) Windows 2000 computer that
> was used as a web server and email server with a Debian Linux
> solution. This machine is connected to the net via DSL and
> would run apache and exim/qpopper and sshd. Everything else
> would be turned off. It is a small church and their current
> site is not very busy, but she says they do get a lot of
> email.
>
> Am I right in assuming that iptables is enough as a firewall
> solution and that I would not need to buy any additional
> software.

Yes, the iptables tool is sufficient to construct a reliable firewall.
Network topology is another issue, and one people enjoy debating ;)

> That is what I understand from my past experience
> with Debian/iptables as a server and from the files at
> debian.org security howto at
> (http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)

I would recommend you take a look at the 'Shoreline Firewall', more
commonly known as 'Shorewall'. It's a good firewall solution and DEBs
are available. Takes a while to get used to (i.e. figure out how it
works) but it is reasonably well documented and, most importantly, well
done.

> On a less related note, what hardware config would you
> recommend for such a system? She has a number of machines
> that I could choose from. Most of them are 1.x GHz Pentium
> systems with 256MB RAM and 10 GB IDE hard drives. After
> increasing the RAM to 512MB, I think this should be more than
> adequate for a system doing nothing but HTTP and SMTP/POP
> requests.

More than enough, yes.

> thanks
> jmb

My $0.02,

Raymond
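As an added illustration of Raymond's point that iptables alone is enough for the box Jones describes (one DSL-connected host running only sshd, exim, apache and qpopper), here is a minimal default-deny rule set. This is example code written for this archive, not something posted in the thread or shipped by Debian or Shorewall; the interface name eth0, the service list and the function names are assumptions. The rules are emitted as text rather than applied, so they can be reviewed without root and then piped to sh on the real box.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stateful iptables policy for
# a single server that publishes only ssh (22), smtp (25), http (80) and
# pop3 (110). EXT_IF and TCP_SERVICES are assumptions; override them from the
# environment to match the real host. Apply as root with:
#     . ./fw.sh && gen_rules | sh

EXT_IF="${EXT_IF:-eth0}"                      # assumed external (DSL) interface
TCP_SERVICES="${TCP_SERVICES:-22 25 80 110}"  # ssh smtp http pop3

gen_rules() {
    # Clean slate, then default-deny inbound and forwarded traffic. The box is
    # a server, not a router, so FORWARD is dropped outright.
    printf '%s\n' \
        "iptables -F" \
        "iptables -X" \
        "iptables -P INPUT DROP" \
        "iptables -P FORWARD DROP" \
        "iptables -P OUTPUT ACCEPT" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A INPUT -m state --state INVALID -j DROP"

    # One explicit ACCEPT per published service. Anything not listed falls
    # through to the logged drop below, so a daemon that is "turned off" in
    # theory but accidentally started stays unreachable from the outside.
    for port in $TCP_SERVICES; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "$EXT_IF" "$port"
    done

    # Rate-limited logging of dropped packets gives a cheap audit trail
    # without letting a port scan fill /var/log.
    printf '%s\n' \
        "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '" \
        "iptables -A INPUT -j DROP"
}

# Review helper: list the TCP ports on which the generated rule set accepts
# NEW connections, one per line, so the exposure can be diffed against the
# intended service list before the rules go live.
accepted_ports() {
    gen_rules | sed -n 's/.*--dport \([0-9]*\) .*--state NEW -j ACCEPT$/\1/p'
}
```

The order matters: the ESTABLISHED,RELATED rule comes first so return traffic for outbound connections (DNS, apt, outgoing mail) is accepted without per-port rules, the per-service rules only admit NEW connections, and the final LOG/DROP pair is what actually enforces the policy when the INPUT policy is later changed by someone else.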
is iptables enough?
I am planning to replace a (dead) Windows 2000 computer that was used as
a web server and email server with a Debian Linux solution. This machine
is connected to the net via DSL and would run apache and exim/qpopper
and sshd. Everything else would be turned off. It is a small church and
their current site is not very busy, but she says they do get a lot of
email.

Am I right in assuming that iptables is enough as a firewall solution
and that I would not need to buy any additional software? That is what I
understand from my past experience with Debian/iptables as a server and
from the files at the debian.org security howto at
(http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html)

On a less related note, what hardware config would you recommend for
such a system? She has a number of machines that I could choose from.
Most of them are 1.x GHz Pentium systems with 256MB RAM and 10 GB IDE
hard drives. After increasing the RAM to 512MB, I think this should be
more than adequate for a system doing nothing but HTTP and SMTP/POP
requests.

thanks
jmb
Re: ptrace vulnerability?
On Tue, 2003-03-18 at 08:04, Giacomo Mulas wrote:
> Alan Cox apparently just made public a vulnerability in the stock
> kernel which would permit a local user to gain root privileges (see e.g.
> Linux Today, LWN, the LK mailing list...). Is a patched source package in
> the making already or should we humble users, in the meantime, take the
> original patch and apply it, while the "official" thing gets worked out?

Hi,

I've an unofficial Debian package called kernel-patch-ptrace in my own
deb repository[1]. It was tested on i386; the patch applies fine over the
kernel-source-2.4.20 package. Feel free to use it at your own risk and
send me any feedback.

Only two modifications from the original patch by Alan Cox:

- The arch/um part was commented out because kernel-source-2.4.20
  doesn't have User Mode Linux!
- The third hunk of sched.h was commented out because the associated
  function wasn't found in kernel-source-2.4.20.

[1] deb http://legolas.alternex.com.br/~stratus/debian/ ./

Cheers,

-- 
Gustavo Franco <[EMAIL PROTECTED]>
Re: kernel ptrace bug
On Wed, 19 Mar 2003 at 05:18:05PM +0200, Martynas Domarkas wrote:
> The grsecurity patch can limit ordinary users' use of ptrace. Can it
> help avoid the ptrace exploit?

But if you are running a development system this pretty much breaks GDB
(the way I understand it).

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #218: The co-locator cannot verify the frame-relay gateway to the
ISDN server.
Re: OT: Is it so easy to break into an NIS?
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
> As I understand it, OpenAFS is IBM software that was opensourced. Coda
> was a wholly opensource project to implement AFS. Please feel free to
> correct me if I'm wrong.

Coda is another CMU SCS project (as was AFS, which btw stands for Andrew
File System, e.g. Andrew Carnegie and Andrew Mellon). It was
commercialized in conjunction with IBM (the Transarc guys were all CMU
SCS). AFAIK, Coda is a new system. However I've been away from the
department since '89, although I still stay in touch with some of the
SCS crowd.

-- 
   IN MY NAME:                 Dale Amon, CEO/MD
No Mushroom clouds over       Islandone Society
 London and New York.         www.islandone.org
Re: OT: Is it so easy to break into an NIS?
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
> As I understand it, OpenAFS is IBM software that was opensourced. Coda
> was a wholly opensource project to implement AFS. Please feel free to
> correct me if I'm wrong.

No, CODA is not simply an AFS implementation. It is based on AFS, but it
supports things like offline use that are not supported by AFS. The
complete feature list from http://www.coda.cs.cmu.edu/ is:

1. disconnected operation for mobile computing
2. is freely available under a liberal license
3. high performance through client side persistent caching
4. server replication
5. security model for authentication, encryption and access control
6. continued operation during partial network failures in server network
7. network bandwidth adaptation
8. good scalability
9. well defined semantics of sharing, even in the presence of network
   failures

I tried setting it up a couple of years ago. It was evil. I gave up and
haven't looked at it since. At that time, there were sid packages in
experimental. I don't know if they've actually been uploaded to unstable
or not.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: OT: Is it so easy to break into an NIS?
Hanasaki JiJi wrote:
> What is OpenAFS vs CODA?

IIRC CODA has the limitation of needing 4% of volume size in RAM. And
performance is very bad (IIRC like 150 kbytes/sec max on a Pentium 400).
On second thought: this was in a fully redundant setup - probably it has
better performance in other setups.

regards,
Thiemo Nagel

> [EMAIL PROTECTED] wrote:
>> On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
>>> Quoting seph ([EMAIL PROTECTED]):
>>>> depends what you mean by free. Are you aware of openafs?
>>>> http://www.openafs.org
>>>
>>> That is of course derived from the IBM Transarc software. Hmmm. Some
>>> while back, I'd been led to believe that only client-end software was
>>> available in open source. A quick perusal of that site plus some Google
>>> hits suggests that such is not the case now, if it ever was. Can
>>> someone confirm from experience that AFS can be done with all open
>>> source, both ends? (Yes, I do consider IBM PL code to qualify.)
>>
>> Yes, both sides are fully opensource now.
>>
>> Tim
Re: OT: Is it so easy to break into an NIS?
As I understand it, OpenAFS is IBM software that was opensourced. Coda
was a wholly opensource project to implement AFS. Please feel free to
correct me if I'm wrong.

David.

On Wed, 19 Mar 2003, Hanasaki JiJi wrote:
> What is OpenAFS vs CODA?
>
> [EMAIL PROTECTED] wrote:
>> On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
>>> Quoting seph ([EMAIL PROTECTED]):
>>>> depends what you mean by free. Are you aware of openafs?
>>>> http://www.openafs.org
>>>
>>> That is of course derived from the IBM Transarc software. Hmmm. Some
>>> while back, I'd been led to believe that only client-end software was
>>> available in open source. A quick perusal of that site plus some Google
>>> hits suggests that such is not the case now, if it ever was. Can
>>> someone confirm from experience that AFS can be done with all open
>>> source, both ends? (Yes, I do consider IBM PL code to qualify.)
>>
>> Yes, both sides are fully opensource now.
>>
>> Tim
>
> --
> Management is doing things right; leadership is doing the right things.
>                                                     - Peter Drucker
> http://www.sun.com/service/sunps/jdc/javacenter.pdf
> www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone
Re: Apache Virtual Hosts Chroot ?
http://httpd.apache.org/docs-2.0/mod/perchild.html

I tried that one, but the child processes died right away. As it says,
work is ongoing to make it functional.
kernel ptrace bug
The grsecurity patch can limit ordinary users' use of ptrace. Can it
help avoid the ptrace exploit?

Martynas
Re: OT: Is it so easy to break into an NIS?
What is OpenAFS vs CODA?

[EMAIL PROTECTED] wrote:
> On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
>> Quoting seph ([EMAIL PROTECTED]):
>>> depends what you mean by free. Are you aware of openafs?
>>> http://www.openafs.org
>>
>> That is of course derived from the IBM Transarc software. Hmmm. Some
>> while back, I'd been led to believe that only client-end software was
>> available in open source. A quick perusal of that site plus some Google
>> hits suggests that such is not the case now, if it ever was. Can
>> someone confirm from experience that AFS can be done with all open
>> source, both ends? (Yes, I do consider IBM PL code to qualify.)
>
> Yes, both sides are fully opensource now.
>
> Tim

-- 
Management is doing things right; leadership is doing the right things.
                                                    - Peter Drucker
http://www.sun.com/service/sunps/jdc/javacenter.pdf
www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone
Re: Apache Virtual Hosts Chroot ?
On Wed, Mar 19, 2003 at 02:35:53PM +0100, Ralf Dreibrodt wrote:
> Paul Hampson wrote:
>>
>> You can effectively chroot php files with:
>> php_admin_value open_basedir /directory/where/files/are
>> in the Apache virtual host config. Then:
>> a) php4 won't let files outside that directory be accessed;

... directly.

> No:
> - Hard links

I wouldn't expect hard links to be uploadable... Besides, don't they
also work across chroots? Surely hard links work below the directory
tree level...

> - Commands executed with "system" can access files outside this
>   directory

open_safe_mode_exec_dir or disable_functions 'system' and other such...
It depends on what you let your users upload and run.

> - you can also access files in /directory/where/files/are2 or is this
>   bug already solved?

Sorry, good point.
php_admin_value open_basedir /directory/where/files/are/
(This is not a bug, it's a listed feature...)

> There are probably other possibilities to access files outside this
> directory.

True. None come to mind though... (Not that that's worth much. :-)

> open_basedir has nothing to do with chroot, they are two different
> things.

Fair point. I shouldn't have said chroot. However, it addresses the
_other_ suggestions in the original email, with a little bit more
thought.

Another suggestion I've come across is a User per Virtual Server:
http://luxik.cdi.cz/~devik/apache/

Mind you, this patch has deficiencies... Once a child process has served
one of these virtualhosts, it exits. And it uses seteuid, so if someone
can inject seteuid(0) into the server, they're root again.

Apparently Apache2 has a module to do user per virtual host... Hmm. :-)
If it does group per virtual host, I might look at upgrading...

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

Of course Pacman didn't influence us as kids. If it did, we'd be
running around in darkened rooms, popping pills and listening to
repetitive music.
 -- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial use,
duplication and distribution.
-----------------------------------------------------------
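Ralf's ".../files/are2" objection and Paul's trailing-slash fix both come down to one property of open_basedir: it is a string-prefix match, not a directory check. The following is an added illustration written for this archive, not PHP's code and not anything posted in the thread; it shows the naive prefix test next to the corrected one, plus the "../" normalisation a path check also needs. The function names and the /srv/www/site paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): the trailing-slash problem with a
# path-prefix restriction such as open_basedir, shown as plain shell
# functions. Paths and function names are constructed for illustration.

# Naive check: "does the path start with the base string?"
# /srv/www/site2/... is accepted when the base is /srv/www/site.
prefix_naive() {          # $1 = candidate path, $2 = base directory
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Corrected check: require the base followed by a separator (or the base
# itself). This is what writing the base as /srv/www/site/ achieves.
prefix_strict() {         # $1 = candidate path, $2 = base directory
    base="${2%/}"         # accept the base with or without a trailing slash
    case "$1" in
        "$base"|"$base"/*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Lexically collapse "." and ".." so /srv/www/site/../site2/x cannot slip
# past a textual prefix check. Symlinks are NOT resolved here; a real
# implementation canonicalises with realpath(3) against the live filesystem,
# and a hard link (same inode under a name inside the base) defeats any
# path-based check, which is the point Ralf makes in the thread.
normalize() {             # $1 = absolute path
    out=""
    old_ifs=$IFS; IFS=/; set -f        # split on "/", no globbing
    for comp in $1; do
        case "$comp" in
            ""|.) ;;                       # empty or "." adds nothing
            ..)   out="${out%/*}" ;;       # ".." drops the last component
            *)    out="$out/$comp" ;;
        esac
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# The check a defender wants: normalise first, then strict prefix match.
in_basedir() {            # $1 = candidate path, $2 = base directory
    prefix_strict "$(normalize "$1")" "$2"
}

# Report helper: runs one of the checks by name and prints the verdict.
verdict() {               # $1 = check function, $2 = path, $3 = base
    if "$1" "$2" "$3"; then echo allowed; else echo denied; fi
}
```

Run `verdict prefix_naive /srv/www/site2/evil.php /srv/www/site` and `verdict in_basedir /srv/www/site/../site2/x.php /srv/www/site` to see the two escapes the naive form permits; the same reasoning applies to any "allowed directory" setting that is implemented as a prefix comparison.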
Re: Apache Virtual Hosts Chroot ?
Paul Hampson wrote:
>
> You can effectively chroot php files with:
> php_admin_value open_basedir /directory/where/files/are
> in the Apache virtual host config. Then:
> a) php4 won't let files outside that directory be accessed;

No:
- Hard links
- Commands executed with "system" can access files outside this
  directory
- you can also access files in /directory/where/files/are2 or is this
  bug already solved?

There are probably other possibilities to access files outside this
directory.

open_basedir has nothing to do with chroot, they are two different
things.

Regards,
Ralf Dreibrodt

-- 
Mesos                    Telefon 49 221 4855798-1
Eupener Str. 150         Fax     49 221 4855798-9
50933 Koeln              Mail    [EMAIL PROTECTED]
Re: Apache Virtual Hosts Chroot ?
On Tue, Feb 25, 2003 at 10:15:15AM +0100, debian-isp wrote:
> I am just asking myself how to secure our webserver with a couple of
> virtual hosts.
> Currently we have a large installation of typo3 running. It has a
> feature called fileadmin with which you can easily upload files. As it
> is thereby possible to upload php scripts and execute via the browser
> it is to my opinion possible to access other users files. As the
> webserver and the files all have the same user, needed by the system.
> Is there a way to secure this:
>
> - chrooting virtual hosts in apache ?
> - running multiple instances of apache
> - some kind of security system with users and groups
> - using directory settings ?

You can effectively chroot php files with:
php_admin_value open_basedir /directory/where/files/are
in the Apache virtual host config. Then:
a) php4 won't let files outside that directory be accessed;
b) apacheconfig will recognise php4 as being a required module, as
   apacheconfig recognises module requirements by checking for their
   configuration directives... :-) (See bug #158391)

I realise this is php4 specific, but any other enabled scripting
languages should also have a similar option. (If you're using the cgi
version, then this might not work... Then of course you can use suexec
or SetEnv PHPRC to do it... See bug #161627)

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

Of course Pacman didn't influence us as kids. If it did, we'd be
running around in darkened rooms, popping pills and listening to
repetitive music.
 -- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial use,
duplication and distribution.
-----------------------------------------------------------
Re: OT: Is it so easy to break into an NIS?
On Wed, Mar 19, 2003 at 02:09:51AM -0800, Rick Moen wrote:
> Quoting seph ([EMAIL PROTECTED]):
>
>> depends what you mean by free. Are you aware of openafs?
>> http://www.openafs.org
>
> That is of course derived from the IBM Transarc software. Hmmm. Some
> while back, I'd been led to believe that only client-end software was
> available in open source. A quick perusal of that site plus some Google
> hits suggests that such is not the case now, if it ever was. Can
> someone confirm from experience that AFS can be done with all open
> source, both ends? (Yes, I do consider IBM PL code to qualify.)

Yes, both sides are fully opensource now.

Tim

-- 
Tim Sailer (at home)                  Coastal Internet, Inc.
Network and Systems Operations        PO Box 671
http://www.buoy.com                   Ridge, NY 11961
[EMAIL PROTECTED]/[EMAIL PROTECTED]   (631)924-3728 (888) 924-3728
Re: OT: Is it so easy to break into an NIS?
Quoting seph ([EMAIL PROTECTED]):

> depends what you mean by free. Are you aware of openafs?
> http://www.openafs.org

That is of course derived from the IBM Transarc software. Hmmm. Some
while back, I'd been led to believe that only client-end software was
available in open source. A quick perusal of that site plus some Google
hits suggests that such is not the case now, if it ever was. Can
someone confirm from experience that AFS can be done with all open
source, both ends? (Yes, I do consider IBM PL code to qualify.)

-- 
Cheers,                      This space for rant.
Rick Moen
[EMAIL PROTECTED]
Re: OT: Is it so easy to break into an NIS?
Quoting Tarjei Huse ([EMAIL PROTECTED]):

> Doesn't NFS v4 answer some of these problems?

Certainly it does, when/if fully implemented. When last I checked, the
U. of Michigan development effort for Linux was still pretty far from
production code.

-- 
Cheers,                      kill -9 them all.
Rick Moen                    Let init sort it out.
[EMAIL PROTECTED]
Re: OT: Is it so easy to break into an NIS?
Rick Moen <[EMAIL PROTECTED]> writes:

> Networks needing a greater degree of privacy and authentication can try
> AFS/Kerberos (entailing non-free server-end software).

depends what you mean by free. Are you aware of openafs?
http://www.openafs.org

seph
Re: OT: Is it so easy to break into an NIS?
> Networks needing a greater degree of privacy and authentication can try
> AFS/Kerberos (entailing non-free server-end software).
>
> Substituting LDAP-SSL for NIS is arguably a step forward, but then NFS
> remains a problem (No Friggin' Security).

Doesn't NFS v4 answer some of these problems? Does anyone know when
we'll see nfs v4 and what its security features are?

Regarding AFS/Kerberos, isn't openafs an OSS solution?

Tarjei
Re: Current OpenSSL vulnerability (CAN-2003-0147)
On Wednesday, 19 March 2003 00:15, Timm Gleason wrote:
> I have not seen any mention of this on this list. Is the current version
> (0.9.6c-2.woody.2) vulnerable to this current RSA issue?

I mentioned that one yesterday, too. It raised no reaction, probably because the subject "Fwd: [ADVISORY] Timing Attack on OpenSSL" sounds much like the issue in February. (My mail is a forward of Ben Laurie's mail on bugtraq on Monday.)

Leppo

> Tuesday, March 18 2003
> --
> Timm Gleason                     | When a religion is good, I conceive
> http://www.gleason.to/           | it will support itself; and when it
> http://www.uranushertz.to/       | does not support itself, and God does
> Quis custodiet ipsos custodes?   | not take care to support it so that
>                                  | its professors are obliged to call
>                                  | for help of the civil power, 'tis a
>                                  | sign, I apprehend, of its being a bad
>                                  | one. -- Benjamin Franklin
>
> -PGP PUBLIC KEY BLOCK AVAILABLE-

--
"War isn't politics, my dear. It is indeed the only human activity that is rottener than politics." (Rex Stout)
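The "RSA issue" in this thread, CAN-2003-0147, is the remote timing attack on RSA private-key operations that Ben Laurie's bugtraq advisory describes; OpenSSL's response was to turn RSA blinding on by default. What follows is an added illustration of what blinding does, written for this archive and not code from any message above or from OpenSSL. The key is a constructed toy key (tiny primes, never usable for real traffic) and the function names are assumptions of the example.

```python
import math
import secrets

# Constructed toy RSA key for illustration only (tiny primes; a real key is
# thousands of bits). The arithmetic matches what an RSA private-key
# operation does, only the sizes differ.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_private_unblinded(c, d=D, n=N):
    """c^d mod n computed directly on the attacker-supplied ciphertext.

    How long this takes depends on c and on the secret d, and that is what
    the remote timing attack measures, recovering d by choosing c."""
    return pow(c, d, n)


def rsa_private_blinded(c, d=D, e=E, n=N):
    """The same operation with blinding, the mitigation OpenSSL enabled
    by default for CAN-2003-0147.

    Multiply c by r^e for a fresh random r before exponentiating; since
    (c * r^e)^d = c^d * r (mod n), dividing by r afterwards recovers c^d.
    The attacker chooses c but never learns r, so the measured time no
    longer correlates with the value they chose."""
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)
    return (m_blind * pow(r, -1, n)) % n


def check_blinding_is_transparent(messages):
    """Sanity check: blinding must not change the result. Returns True when
    every message round-trips identically with and without blinding."""
    for m in messages:
        c = pow(m, E, N)
        if rsa_private_unblinded(c) != m or rsa_private_blinded(c) != m:
            return False
    return True


if __name__ == "__main__":
    print("blinding transparent:",
          check_blinding_is_transparent([0, 1, 42, 1234567, N - 2]))
```

The blinded path costs one extra modular exponentiation with the public exponent plus one inversion per operation, which is why it was off by default before the advisory; after it, that cost is the price of keeping the private exponent out of the timing channel.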
Re: ptrace vulnerability?
> > His announcement is Slashdotted, and I'm seeing no notice of which versions
> > are affected! I'm running 2.4.18 on all my Debian servers, please tell me
> > what's going on.

Same here... :(

Why is most of what this patch does changing kernel_thread into arch_kernel_thread? The only useful thing I see is the added check for 'is_dumpable' in ptrace_check_attach, and the is_dumpable macro that checks tsk and also tsk->mm for 'is_dumpable'. Is this OK?

--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: OT: Is it so easy to break into an NIS?
Quoting Tarjei Huse ([EMAIL PROTECTED]):
> Doesn't NFS v4 answer some of these problems?

Certainly it does, when/if fully implemented. When last I checked, the U. of Michigan development effort for Linux was still pretty far from production code.

--
Cheers,                   kill -9 them all.
Rick Moen                 Let init sort it out.
[EMAIL PROTECTED]
Re: OT: Is it so easy to break into an NIS?
Quoting seph ([EMAIL PROTECTED]):
> depends what you mean by free. Are you aware of openafs?
> http://www.openafs.org

That is of course derived from the IBM Transarc software. Hmmm. Some while back, I'd been led to believe that only client-end software was available in open source. A quick perusal of that site plus some Google hits suggests that such is not the case now, if it ever was. Can someone confirm from experience that AFS can be done with all open source, both ends? (Yes, I do consider IBM PL code to qualify.)

--
Cheers,                   This space for rant.
Rick Moen
[EMAIL PROTECTED]