[SECURITY] [DSA 269-1] New heimdal packages fix authentication failure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 269-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 26th, 2003                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : heimdal
Vulnerability  : Cryptographic weakness
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2003-0138
CERT advisory  : VU#623217

A cryptographic weakness in version 4 of the Kerberos protocol allows
an attacker to use a chosen-plaintext attack to impersonate any
principal in a realm.  Additional cryptographic weaknesses in the krb4
implementation permit the use of cut-and-paste attacks to fabricate
krb4 tickets for unauthorized client principals if triple-DES keys are
used to key krb4 services.  These attacks can subvert a site's entire
Kerberos authentication infrastructure.

This version of the heimdal package changes the default behavior and
disallows cross-realm authentication for Kerberos version 4.  Because
of the fundamental nature of the problem, cross-realm authentication
in Kerberos version 4 cannot be made secure and sites should avoid its
use.  A new option (--kerberos4-cross-realm) is provided to the kdc
command to re-enable version 4 cross-realm authentication for those
sites that must use this functionality but desire the other security
fixes.

For the stable distribution (woody) this problem has been fixed in
version 0.4e-7.woody.6.

The old stable distribution (potato) is not affected by this problem,
since it isn't compiled against kerberos 4.

For the unstable distribution (sid) this problem has been fixed in
version 0.5.2-1.

We recommend that you upgrade your heimdal packages immediately.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.4e-7.woody.6.dsc
      Size/MD5 checksum:     1063 f925f5c81bef908a62366670f311511e
    http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.4e-7.woody.6.diff.gz
      Size/MD5 checksum:  1278560 ea0268363a4b9a986fc731ac64367948
    http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.4e.orig.tar.gz
      Size/MD5 checksum:  2885718 1d27b06ec2f818f5b4ae2b90ca0e9cb8

  Architecture independent components:

    http://security.debian.org/pool/updates/main/h/heimdal/heimdal-docs_0.4e-7.woody.6_all.deb
      Size/MD5 checksum:  1055480 e22766e034934ac5b6664468d1bd39c4
    http://security.debian.org/pool/updates/main/h/heimdal/heimdal-lib_0.4e-7.woody.6_all.deb
      Size/MD5 checksum:    19456 3be2de9ba824fd90ec6f0df606e9d716

  Alpha architecture:

    http://security.debian.org/pool/updates/main/h/heimdal/heimdal-clients_0.4e-7.woody.6_alpha.deb
      Size/MD5 checksum:   274250 38719c545872e901bd7eeb9dad9d0b80
    http://security.debian.org/pool/updates/main/h/heimdal/heimdal-clients-x_0.4e-7.woody.6_alpha.deb
      Size/MD5 checksum:    60170 f5476c57a24af3c4ef9124bdc7908178
    http://security.debian.org/pool/updates/main/h/heimdal/heimdal-dev_0.4e-7.woody.6_alpha.deb
      Size/MD5 checksum:   572102 a407490c744a95276ff8863672c44dbb
    http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.6_alpha.deb
      Size/MD5 checksum:   132516 bac7e612f0d73d341a2a1fa5364051ae
    http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.6_alpha.deb
      Size/MD5 checksum:   180996 554ac920d68041805185a036b9013e9c
    http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.6_alpha.deb
      Size/MD5 checksum:    39004 2795b39db81ef82f66d98ffc37a15466
    http://security.debian.org/pool/updates/main/h/heimdal/libasn1-5-heimdal_0.4e-7.woody.6_alpha.deb
      Size/MD5 checksum:    64542 699a4851fb0380eece24913650cc72ba
    http://security.debian.org/pool/updates/main/h/heimdal/libcomerr1-heimdal_0.4e-7.woody.6_alpha.deb
      Size/MD5 checksum:    23036 5502e63afbb41f53707344f59901b5f7
    http://security.debian.org/pool/updates/main/h/heimdal/libgssapi1-heimdal_0.4e-7.woody.6_alpha.deb
      Size/MD5 checksum:    42446 270c023c95cadd077bd2255c4b25a7b4
    http://security.debian.org/pool/updates/main/h/heimdal/libhdb7-heimdal_0.4e-7.woody.6_alpha.deb
      Size/MD5 checksum:    40994 4d6d2e9b23beacf3d8c1c4395ac5e16c
[SECURITY] [DSA 270-1] New Linux kernel packages (mips + mipsel) fix local root exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 270-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 27th, 2003                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Packages       : kernel-patch-2.4.17-mips, kernel-patch-2.4.19-mips
Vulnerability  : local privilege escalation
Problem-Type   : local
Debian-specific: no
CVE Id         : CAN-2003-0127

The kernel module loader in Linux 2.2 and Linux 2.4 kernels has a flaw
in ptrace.  This hole allows local users to obtain root privileges by
using ptrace to attach to a child process that is spawned by the
kernel.  Remote exploitation of this hole is not possible.

This advisory only covers kernel packages for the big and little
endian MIPS architectures.  Other architectures will be covered by
separate advisories.

For the stable distribution (woody) this problem has been fixed in
version 2.4.17-0.020226.2.woody1 of kernel-patch-2.4.17-mips
(mips+mipsel) and in version 2.4.19-0.020911.1.woody1 of
kernel-patch-2.4.19-mips (mips only).

The old stable distribution (potato) is not affected by this problem
for these architectures since mips and mipsel were first released with
Debian GNU/Linux 3.0 (woody).

For the unstable distribution (sid) this problem has been fixed in
version 2.4.19-0.020911.6 of kernel-patch-2.4.19-mips (mips+mipsel).

We recommend that you upgrade your kernel-images packages immediately.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody1.dsc
      Size/MD5 checksum:      786 937c32a962c27f9461a10d4d2c98c350
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody1.tar.gz
      Size/MD5 checksum:  1140097 e26c4406aa52e77b00df972335fdbb71
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody1.dsc
      Size/MD5 checksum:      832 4e431992276bcd65d34bd07b86784200
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody1.tar.gz
      Size/MD5 checksum:  1035256 cd2e9213d798552a7ebc550903e45bf9

  Architecture independent components:

    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-patch-2.4.17-mips_2.4.17-0.020226.2.woody1_all.deb
      Size/MD5 checksum:  1142510 b1c1c6d93281938651b91c0caa85b818
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-patch-2.4.19-mips_2.4.19-0.020911.1.woody1_all.deb
      Size/MD5 checksum:  1036948 8de25b980c15831460c844a535b76e3a

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-headers-2.4.17_2.4.17-0.020226.2.woody1_mips.deb
      Size/MD5 checksum:  3494700 3ebb5ff6d044f808b500dfb0f5beccad
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r4k-ip22_2.4.17-0.020226.2.woody1_mips.deb
      Size/MD5 checksum:  2038950 baae9c9e139d2b5ef035f01adea32171
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.17-mips/kernel-image-2.4.17-r5k-ip22_2.4.17-0.020226.2.woody1_mips.deb
      Size/MD5 checksum:  2039084 5bb6ad7c4207a6f351612fd4e330a337
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-headers-2.4.19_2.4.19-0.020911.1.woody1_mips.deb
      Size/MD5 checksum:  3897722 8d096cf0e9286e175127dfb1763bfcd2
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-image-2.4.19-r4k-ip22_2.4.19-0.020911.1.woody1_mips.deb
      Size/MD5 checksum:  2072292 3f49ce11a63309465f1ee5c31b54a1c4
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/kernel-image-2.4.19-r5k-ip22_2.4.19-0.020911.1.woody1_mips.deb
      Size/MD5 checksum:  2072926 b4ac7b3f74a392c4f7482eb590eadcb2
    http://security.debian.org/pool/updates/main/k/kernel-patch-2.4.19-mips/mips-tools_2.4.19-0.020911.1.woody1_mips.deb
      Size/MD5 checksum:    12418 ec83e5bf008c27285768faffcbbd8534

  Little endian MIPS architecture:
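Both advisories above list a size and an MD5 checksum next to every file and describe the manual path as "wget url" followed by "dpkg -i file.deb". The following is an added example, not part of either advisory, of putting a check between those two steps so that a package whose size or digest does not match what the signed advisory lists is never handed to dpkg. Only the shape of the advisory's data (size, MD5, URL) is taken from the page; the function names and the self-test file are constructed here.

```shell
#!/bin/sh
# Added example (not part of the Debian advisory): check a downloaded
# package against the size and MD5 the advisory lists before handing it
# to dpkg -i.   Usage:  verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both values match, 1 otherwise.

verify_deb() {
    file=$1
    want_size=$2
    want_md5=$3

    [ -f "$file" ] || { echo "verify_deb: $file: no such file" >&2; return 1; }

    # wc -c prints the byte count; strip blanks (some wc variants pad).
    have_size=$(wc -c < "$file" | tr -d ' ')
    # md5sum prints "<hash>  <name>"; keep the first field only.
    have_md5=$(md5sum "$file" | cut -d' ' -f1)

    if [ "$have_size" != "$want_size" ]; then
        echo "verify_deb: $file: size $have_size, advisory says $want_size" >&2
        return 1
    fi
    if [ "$have_md5" != "$want_md5" ]; then
        echo "verify_deb: $file: MD5 $have_md5, advisory says $want_md5" >&2
        return 1
    fi
    echo "verify_deb: $file: OK"
    return 0
}

# The advisory's own procedure with the check inserted: fetch, verify,
# and only then install.  URL, SIZE and MD5 are copied from the
# advisory; the local file name is the last path component of the URL.
# (Hypothetical wrapper name; needs network access and root for dpkg.)
fetch_verify_install() {
    url=$1; size=$2; md5=$3
    deb=${url##*/}
    wget -q "$url" -O "$deb" || return 1
    verify_deb "$deb" "$size" "$md5" || { rm -f "$deb"; return 1; }
    dpkg -i "$deb"
}
```

The values you compare against have to come from the PGP-signed advisory text itself, not from the download directory, otherwise the check only proves the file was transferred intact. MD5 is what advisories of that era published; it is fine for detecting a corrupted or swapped download in this setting only because the digest is carried inside a signed message.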
Re: is iptables enough?
Hi all,

On Tue, Mar 25, 2003 at 01:46:32PM -0600, Jones wrote:
> One thing they forgot to mention was that they used Exchange for email.
> That means instead of running exim, I will have to forward SMTP POP
> traffic to their Exchange server. The Exchange server will not be
> directly connected to the Internet.

If you only port-forward the connections to the Exchange Server you will
expose it to the world as if you ran it on the firewall itself.
You are right about forwarding the traffic (how else should they get their
mail :), but IMHO it is far better to still use exim, but only as a
smart-host to redirect mail from the internet to the Exchange-server and
back. If you update your debian-box regularly, you don't have to worry
about the security of the Exchange-server that much.

later
Steffen Burmeister, Dipl. Wirtschaftsinformatiker (BA)

--
ebios informationssysteme volker birk
gut-betha-platz 1
88339 bad waldsee
germany
phone +49 (7524) 93421
fax   +49 (7524) 93423
mailto:[EMAIL PROTECTED]
http://www.ebios.de
nobody with a shell !!
hi,

I looked at the file /etc/passwd on my server today, and I saw that the
user nobody has a shell!! When I installed my debian (sarge, I know it's
bad, but it's just a server for me...) I put /bin/false. A few days ago,
during an upgrade, apt asked me to upgrade that file to the new version
and I answered yes, so I think it comes from that action, but could it be
insecure to put /bin/sh for nobody?

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

I changed it to:

nobody:x:65534:65534:nobody:/dev/null:/bin/false

Yoann

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: nobody with a shell !!
On Wed, Mar 26, 2003 at 11:35:38AM +0100, Yoann wrote:
> Hi,
>
> I looked at the file /etc/passwd on my server today, and I saw that the
> user nobody has a shell!! When I installed my debian (sarge, I know it's
> bad, but it's just a server for me...) I put /bin/false. A few days ago,
> during an upgrade, apt asked me to upgrade that file to the new version
> and I answered yes, so I think it comes from that action, but could it
> be insecure to put /bin/sh for nobody?

Well yes it could :)
As long as the user has no valid password it's not very useful. Take a
look into /etc/shadow and in the second field you'll find ! or *
indicating that this user has an invalid password. See man 5 shadow.

> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>
> I changed it to:
>
> nobody:x:65534:65534:nobody:/dev/null:/bin/false

This might be bad because AFAIK a few cronjobs change from their root uid
to nobody via the su command. See your /var/log/syslog, maybe you'll now
get some errors from cron jobs at night.

Sven
--
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
Re: nobody with a shell !!
Does the user nobody have a password in /etc/shadow?

greets
Robbert

Quoting Yoann [EMAIL PROTECTED]:

> hi,
>
> I looked at the file /etc/passwd on my server today, and I saw that the
> user nobody has a shell!! When I installed my debian (sarge, I know it's
> bad, but it's just a server for me...) I put /bin/false. A few days ago,
> during an upgrade, apt asked me to upgrade that file to the new version
> and I answered yes, so I think it comes from that action, but could it
> be insecure to put /bin/sh for nobody?
>
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>
> I changed it to:
>
> nobody:x:65534:65534:nobody:/dev/null:/bin/false
>
> Yoann

__
http://www.wanadoo.nl/
Re: nobody with a shell !!
> > Hi,
> >
> > I looked at the file /etc/passwd on my server today, and I saw that
> > the user nobody has a shell!! When I installed my debian (sarge, I
> > know it's bad, but it's just a server for me...) I put /bin/false. A
> > few days ago, during an upgrade, apt asked me to upgrade that file to
> > the new version and I answered yes, so I think it comes from that
> > action, but could it be insecure to put /bin/sh for nobody?
>
> Well yes it could :)
> As long as the user has no valid password it's not very useful. Take a
> look into /etc/shadow and in the second field you'll find ! or *
> indicating that this user has an invalid password. See man 5 shadow.

There is an * in /etc/shadow for nobody, but all services (ftp, web...)
are running with the uid nobody, so if there is an attack on an unknown
bug (I keep all services up to date) in those services (buffer overflow
for example), it will be insecure...

> > nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
                                                 ^^^
> > I changed it to:
> >
> > nobody:x:65534:65534:nobody:/dev/null:/bin/false
>
> This might be bad because AFAIK a few cronjobs change from their root
> uid to nobody via the su command. See your /var/log/syslog, maybe
> you'll now get some errors from cron jobs at night.

I will pay attention, thx Sven

Yoann
bind squid to interface
I would like to bind squid to a specific interface. I thought the easy way
to do this would be with xinetd, but I get:

Mar 26 06:05:09 localhost squid: Cannot open HTTP Port
Mar 26 06:05:49 localhost last message repeated 10 times

when I try to use it. Normally this would mean there is a squid process
already running, but there is no other squid process.

service squid
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        bind            = 192.0.0.1
        server          = /usr/sbin/squid
        server_args     = -N -D -YC -u0
}

What am I doing wrong with xinetd? What other ways are there to make
squid bind to an interface?

~Michael
Re: nobody with a shell !!
Yoann [EMAIL PROTECTED] writes:

> There is an * in /etc/shadow for nobody, but all services (ftp, web...)
> are running with the uid nobody, so if there is an attack on an unknown
> bug (I keep all services up to date) in those services (buffer overflow
> for example), it will be insecure...

It will be insecure even if the shell field is filled with garbage...

1) The buffer overflow kind of attack is to launch a program from within
   another, a shell for example.

2) The shell shield (more easy to write than to tell) is used by:
   - /bin/login to launch a shell, or a pppd in some case
   - /*/ftpd to allow (/bin/true) or disallow (/bin/false) ftp access
   - probably lots of other programs.

HTH.

--
Reality always seems harsher in the early morning.
--
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/
Re: bind squid to interface
On Wednesday 26 March 2003 15:16, Michael West wrote:

Hi there,

how about:

http_port xxx.xxx.xxx.xxx:8000
tcp_outgoing_address xxx.xxx.xxx.xxx
udp_outgoing_address xxx.xxx.xxx.xxx

in the squid config and run squid as daemon?

Michi

> I would like to bind squid to a specific interface. I thought the easy
> way to do this would be with xinetd, but I get:
>
> Mar 26 06:05:09 localhost squid: Cannot open HTTP Port
> Mar 26 06:05:49 localhost last message repeated 10 times
>
> when I try to use it. Normally this would mean there is a squid process
> already running, but there is no other squid process.
>
> service squid
> {
>         disable         = no
>         socket_type     = stream
>         wait            = no
>         user            = root
>         bind            = 192.0.0.1
>         server          = /usr/sbin/squid
>         server_args     = -N -D -YC -u0
> }
>
> What am I doing wrong with xinetd? What other ways are there to make
> squid bind to an interface?
>
> ~Michael

--
Bisping & Bisping GmbH & Co. KG        Michael Streb
internet and network                   [EMAIL PROTECTED]
Spitalstrasse 21-24-26                 phone +49-9123-9740-630
D-91207 Lauf a. d. Pegnitz             fax   +49-9123-9740-97
http://photo.bisping.de * http://bisping.de * http://lauf.de
Re: nobody with a shell !!
On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> Well yes it could :)
> As long as the user has no valid password it's not very useful. Take a
> look into /etc/shadow and in the second field you'll find ! or *
> indicating that this user has an invalid password. See man 5 shadow.

That's hardly true. If an attacker could somehow create an ssh
authorized_keys file, they could log in without a password.

noah

--
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Re: nobody with a shell !!
This e-mail address does not exist
Re: bind squid to interface
## Michael West ([EMAIL PROTECTED]):

> I would like to bind squid to a specific interface.

http_port hostname:port
http_port ip:port
http_port port

It's documented.

Regards,
cmt

--
Spare Space
Re: bind squid to interface
* Michael West [EMAIL PROTECTED] [26-03-03 15:16]:
> I would like to bind squid to a specific interface.

Look at /etc/squid.conf:

#  NETWORK OPTIONS
#  -----------------------------------------------------------------------------

#  TAG: http_port
#       Usage:  port
#               hostname:port
#               1.2.3.4:port
#
#       The socket addresses where Squid will listen for HTTP client
#       requests.  You may specify multiple socket addresses.
#       There are three forms: port alone, hostname with port, and
#       IP address with port.  If you specify a hostname or IP
#       address, then Squid binds the socket to that specific
#       address.  This replaces the old 'tcp_incoming_address'
#       option.  Most likely, you do not need to bind to a specific
#       address, so you can use the port number alone.
#
#       The default port number is 3128.
#
#       If you are running Squid in accelerator mode, then you
#       probably want to listen on port 80 also, or instead.
#
#       The -a command line option will override the *first* port
#       number listed here.  That option will NOT override an IP
#       address, however.
#
#       You may specify multiple socket addresses on multiple lines.
#
#Default:
http_port 127.0.0.1:3128

HTH
Jens
Re: bind squid to interface
Michael West wrote:
> I would like to bind squid to a specific interface.
[...]
> What am I doing wrong with xinetd? What other ways are there to make
> squid bind to an interface?

IIRC there used to be an option tcp_incoming_address in /etc/squid.conf,
but I think lately it was changed to be included in the http_port option.

HTH
Frank
Removing invalid keys from keyring
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I guess this question might be more suited to gnupg-users, but as I'm not
subscribed to that list, I hope you can forgive me for asking here... It
is a really short question...

Is there a way to remove revoked/expired and otherwise invalid or useless
keys from a GPG keyring, in batch? I once downloaded the 4500 keys that
were closest to me, but many of them are invalid now, and I'd like to
remove those in a quick way. Are there possibly any scripts lying around?

Cheers,

Kjetil
- --
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+gdVUlE/Gp2pqC7wRAuMfAJ0S6ZCqvbwqOWvniKll0VS2yFJ3GACdH7O5
n1/6EF0XsnD3E7QuCduh/WQ=
=Q6Zm
-----END PGP SIGNATURE-----
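No answer to this question appears in the archive. One way to do what Kjetil asks, as an added example that is not part of any post on the page, is to let GnuPG itself classify the keys and filter its machine-readable listing: "gpg --with-colons --list-keys" prints one colon-separated record per line, and on a "pub" record field 2 is the calculated validity (e = expired, r = revoked, i = invalid) and field 5 the key ID. The function names and the sample listing below (with made-up key IDs) are constructed here; the record layout and the gpg options used in the comments are GnuPG's own.

```shell
#!/bin/sh
# Added example, not from the original post: pick out the key IDs that
# GnuPG reports as expired, revoked or invalid in the machine-readable
# listing produced by "gpg --with-colons --list-keys".  In that format
# every record is colon-separated; on "pub" records field 2 is the
# validity (e = expired, r = revoked, i = invalid) and field 5 the key ID.
# Sub-keys ("sub") and user IDs ("uid") are deliberately ignored: a
# revoked uid or sub-key does not by itself make the primary key useless.

# Reads a --with-colons listing on stdin, prints one key ID per line.
select_invalid_keys() {
    while IFS=: read -r rtype validity len algo keyid rest; do
        [ "$rtype" = pub ] || continue
        case $validity in
            e|r|i) printf '%s\n' "$keyid" ;;
        esac
    done
}

# Constructed sample listing (made-up key IDs, not real keys): one fully
# valid key with a sub-key, one expired key, one revoked key with a uid.
SAMPLE_LISTING='tru::1:1048640000:0:3:1:5
pub:f:1024:17:AAAAAAAAAAAAAAAA:2001-05-10:::-:Alice Example <alice@example.invalid>::scESC:
sub:f:2048:16:BBBBBBBBBBBBBBBB:2001-05-10::::::e:
pub:e:1024:17:CCCCCCCCCCCCCCCC:1999-01-02:2002-01-02::-:Bob Example <bob@example.invalid>::scESC:
pub:r:1024:17:DDDDDDDDDDDDDDDD:2000-06-30:::-:Carol Example <carol@example.invalid>::scESC:
uid:r::::::::Carol at work <carol@work.invalid>:'

# Runs the filter over the sample and returns the IDs space-separated.
sample_invalid_keys() {
    printf '%s\n' "$SAMPLE_LISTING" | select_invalid_keys | tr '\n' ' ' | sed 's/ $//'
}

# Against a real keyring, first a dry run that only lists candidates:
#   gpg --with-colons --list-keys | select_invalid_keys
# and, once the list looks right, the batch deletion (public keys only;
# a key that also has a secret part must go through --delete-secret-keys
# first, otherwise gpg refuses):
#   gpg --with-colons --list-keys | select_invalid_keys \
#       | xargs gpg --batch --yes --delete-keys
```

Running the dry run first matters because "validity" is what your own trust database computes: a key you have never verified shows up as "-" or "q" (unknown/undefined), not "i", so it is kept, while a key that has genuinely expired or been revoked is marked regardless of trust.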
Re: nobody with a shell !!
On Wed, Mar 26, 2003 at 10:50:48AM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> > Well yes it could :)
> > As long as the user has no valid password it's not very useful. Take a
> > look into /etc/shadow and in the second field you'll find ! or *
> > indicating that this user has an invalid password. See man 5 shadow.
>
> That's hardly true. If an attacker could somehow create an ssh
> authorized_keys file, they could log in without a password.

and if he can somehow create the non existing home dir.
or if he can somehow change the $HOME ... oh forgot when he has the power
to somehow change the $HOME he can change the $SHELL
or if he can edit the /etc/passwd he's root ... who cares about nobody.

Yeah there are so many side conditions that could happen, what a horror -
time to take the internet offline. *hrhr*

Well at least you shouldn't run all your daemons under one uid. Create
one for the ftpd, one for your httpd and so on.

SCNR
Sven
--
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
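The thread settles on two checks: Sven's (a shell only matters when the shadow password field is not locked with "*" or "!") and his closing advice to give each daemon its own uid rather than running everything as nobody. The script below is an added example, not code from any participant, that turns both into an audit a sysadmin can run against /etc/passwd, /etc/shadow and "ps -eo user,comm" output. It runs here on constructed sample files (the hashes are placeholders, not real password hashes); the function names are invented for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit which accounts could be used
# interactively.  An account is reported when its /etc/passwd shell is a
# real shell (not /bin/false, /bin/true or nologin) AND its /etc/shadow
# password field is not locked ("*" or anything starting with "!").  A
# locked password plus a real shell, nobody's state after the upgrade, is
# the normal state of many system accounts and is not reported.  The
# second check lists uids shared by several daemons from a process table
# in "ps -eo user,comm" shape.

# Is $1 a shell a login could actually end up in?
is_real_shell() {
    case $1 in
        ''|/bin/false|/bin/true|/usr/sbin/nologin|/sbin/nologin) return 1 ;;
        *) return 0 ;;
    esac
}

# Is the shadow password field $1 locked?
is_locked() {
    case $1 in
        '*'|'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_accounts PASSWD_FILE SHADOW_FILE -> "user shell" per account that
# has a real shell and an unlocked password.
audit_accounts() {
    passwd=$1; shadow=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        is_real_shell "$shell" || continue
        # the same user's shadow entry; field 2 is the password hash
        pwfield=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
        is_locked "$pwfield" && continue
        printf '%s %s\n' "$user" "$shell"
    done < "$passwd"
}

# shared_uids PS_FILE -> "user cmd1,cmd2" for every user running more
# than one distinct command (the "all daemons as nobody" pattern).
shared_uids() {
    awk 'NR > 1 && !seen[$1 SUBSEP $2]++ {
             cmds[$1] = (cmds[$1] ? cmds[$1] "," : "") $2; n[$1]++
         }
         END { for (u in n) if (n[u] > 1) print u, cmds[u] }' "$1" | sort
}

# Constructed sample data.  The hash fields are placeholders, not hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false
guest:x:1001:1001::/home/guest:/bin/bash'
SAMPLE_SHADOW='root:$1$constructed$notarealhash:12000:0:99999:7:::
nobody:*:12000:0:99999:7:::
www-data:!:12000:0:99999:7:::
backup:*:12000:0:99999:7:::
guest:$1$constructed$alsonotreal:12000:0:99999:7:::'
SAMPLE_PS='USER     COMMAND
root     init
root     cron
nobody   proftpd
nobody   apache
nobody   apache
www-data apache'

# run_sample audit|shared -> the corresponding report for the sample data.
run_sample() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$d/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$d/shadow"
    printf '%s\n' "$SAMPLE_PS" > "$d/ps"
    case $1 in
        audit)  audit_accounts "$d/passwd" "$d/shadow" ;;
        shared) shared_uids "$d/ps" ;;
    esac
    rm -rf "$d"
}

# On a live system (needs root to read /etc/shadow):
#   audit_accounts /etc/passwd /etc/shadow
#   ps -eo user,comm | shared_uids /dev/stdin
```

On the sample, nobody is not reported even though it has /bin/sh, because its shadow field is "*"; root and guest are, because they have both a shell and a usable password. The second report shows "nobody" carrying both proftpd and apache, which is exactly the arrangement Sven advises against: a flaw in either daemon then yields a uid that also owns the other daemon's files and processes.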
speaking of squid ports...
does anyone know what squid's udp sockets are for, and how to close them?
As far as I can tell, I don't need them, but I've been unable to find a
combination of squid directives to make them all go away. The icp port
can be closed using icp_port 0, but the other one is dynamic and isn't
referred to in the squid docs as far as I can tell:

[kahlua](0) # netstat -lp | grep squid
tcp        0      0 *:3128                  *:*                     LISTEN      673/(squid)
udp        0      0 *:1414                  *:*                                 673/(squid)

the udp port isn't there immediately after starting squid, but it always
shows up after a client uses the proxy. port 1414 isn't constant; it's
different every time.

Jason
Re: speaking of squid ports...
I believe that UDP port is for receiving DNS responses.

-Kevin

Jason Lunz [EMAIL PROTECTED] writes:

> does anyone know what squid's udp sockets are for, and how to close
> them? As far as I can tell, I don't need them, but I've been unable to
> find a combination of squid directives to make them all go away. The
> icp port can be closed using icp_port 0, but the other one is dynamic
> and isn't referred to in the squid docs as far as I can tell:
>
> [kahlua](0) # netstat -lp | grep squid
> tcp        0      0 *:3128                  *:*                     LISTEN      673/(squid)
> udp        0      0 *:1414                  *:*                                 673/(squid)
>
> the udp port isn't there immediately after starting squid, but it
> always shows up after a client uses the proxy. port 1414 isn't
> constant; it's different every time.
>
> Jason
Re: speaking of squid ports...
On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
> I believe that UDP port is for receiving DNS responses.

Umm... No. It's used for ICP, a protocol for intercommunication between
squid caches. For example, at my site we have two different caches. One
is basically transparent. The other provides anonymizing services. But,
through ICP, both caches can make use of each other's cached objects.

Dunno how you turn it off, though. Iptables? *shrug*

noah

--
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: speaking of squid ports...
On Wed, Mar 26, 2003 at 03:18:36PM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
> > I believe that UDP port is for receiving DNS responses.
>
> It's used for ICP, a protocol for intercommunication between squid
> caches. For example, at my site we have two different caches. One is
> basically transparent. The other provides anonymizing services. But,
> through ICP, both caches can make use of each other's cached objects.
>
> Dunno how you turn it off, though. Iptables? *shrug*

Should work by setting the icp_port to '0'... If it is written via -u in
the init scripts the config file settings are overwritten, so beware.

Regards,
Alexander

--
Alexander Reelsen
http://tretmine.org
Re: speaking of squid ports...
Noah L. Meyerhans [EMAIL PROTECTED] writes:

> On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
> > I believe that UDP port is for receiving DNS responses.
>
> Umm... No. It's used for ICP, a protocol for intercommunication
> between squid caches. For example, at my site we have two different
> caches. One is basically transparent. The other provides anonymizing
> services. But, through ICP, both caches can make use of each other's
> cached objects.
>
> Dunno how you turn it off, though. Iptables? *shrug*
>
> noah

He already said he turned off the ICP port, so I'm guessing that isn't
it. Also, the ICP port is 3130 by default, not 1414. Squid also can use
a udp port for snmp (default 3401).

FWIW, I found a couple of references to squid's use of a random high udp
port on the squid-user list. The only responses I could find indicated
that this port is used for DNS.

-Kevin
Re: speaking of squid ports...
[EMAIL PROTECTED] said:
> Umm... No. It's used for ICP, a protocol for intercommunication
> between squid caches. For example, at my site we have two different
> caches. One is basically transparent. The other provides anonymizing
> services. But, through ICP, both caches can make use of each other's
> cached objects.

no, Kevin's right. squid has its own built-in caching dns resolver, and
since it's a client it shows up on a different port every time. It seems
the only way to turn it off is to disable squid's internal resolver and
use an external one, but that's a whole new can of worms.

> Dunno how you turn it off, though. Iptables? *shrug*

As I said, icp can be turned off with icp_port 0, as noted in the
squid.conf comments. It uses udp port 3130 by default.

Jason
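The two squid threads above reduce to two listener settings: http_port, which binds to every interface when given a bare port but to one address in its "ip:port" form, and icp_port, which leaves a UDP listener on 3130 unless set to 0. The script below is an added example, not taken from any post, that checks a squid.conf for both before the daemon is (re)started. The weak and hardened fragments it runs on are constructed for the example; the directive names and their documented forms are Squid's own, as quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check a squid.conf for the two
# listener settings discussed above.  http_port accepts "port",
# "hostname:port" or "ip:port"; a bare port listens on all interfaces.
# icp_port 0 turns the ICP UDP listener off; when the directive is
# absent Squid defaults to 3130/udp.  Prints one finding per line.
audit_squid_conf() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        NF == 0 { next }                    # and blank lines
        $1 == "http_port" {
            if ($2 !~ /:/)
                print "http_port " $2 " listens on all interfaces; use address:" $2
        }
        $1 == "icp_port" {
            icp_seen = 1
            if ($2 != "0")
                print "icp_port " $2 " leaves the ICP UDP listener open; set icp_port 0"
        }
        END {
            if (!icp_seen)
                print "icp_port not set; Squid defaults to 3130/udp, set icp_port 0 if there are no peers"
        }
    ' "$1"
}

# check_squid_conf FILE -> prints findings, returns 1 if there are any.
check_squid_conf() {
    out=$(audit_squid_conf "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed fragments.  The weak one is the thread's starting point:
# a bare port and ICP left at its default.  The hardened one applies
# the answers given in the thread (Michi's address-bound http_port and
# outgoing address, Jason's icp_port 0).
WEAK_CONF='# constructed squid.conf fragment
http_port 3128
cache_mem 8 MB'
HARDENED_CONF='# constructed squid.conf fragment
http_port 192.0.2.10:3128
icp_port 0
tcp_outgoing_address 192.0.2.10'

# run_sample weak|hardened -> check_squid_conf over the chosen fragment.
run_sample() {
    f=$(mktemp)
    case $1 in
        weak)     printf '%s\n' "$WEAK_CONF" > "$f" ;;
        hardened) printf '%s\n' "$HARDENED_CONF" > "$f" ;;
    esac
    check_squid_conf "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# On a real system:  check_squid_conf /etc/squid.conf
```

As Alexander notes in the thread, a "-u" option in the init script overrides the icp_port value from the file, so a clean result from the file check should be confirmed against the running process ("netstat -lp | grep squid", as Jason did). The dynamically numbered UDP socket discussed last is the internal DNS client and is not a listener this check can, or should, flag.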
Re: is iptables enough?
Hi all, On Tue, Mar 25, 2003 at 01:46:32PM -0600, Jones wrote: One thing they forgot to mention was that they used Exchange for email. That means instead of running exim, I will have to forward SMTP POP traffic to their Exchange server. The Exchange server will not be directly connected to the Internet. If you only port-forward the connections to the Exchange Server you will expose it to the world like you would run it on the firewall itself. You are right about forwarding the traffic (how else should they get their mail :), but IMHO it is far better to still use exim, but only as a smart-host to redirect mail from the internet to the Exchange-server and back. If you update your debian-box regularly, you don't have to worry about the security of the Exchange-server that much. later Steffen Burmeister, Dipl. Wirtschaftsinformatiker (BA) -- ebios informationssysteme volker birk gut-betha-platz 1 88339 bad waldsee germany phone +49 (7524) 93421fax +49 (7524) 93423 mailto:[EMAIL PROTECTED]http://www.ebios.de pgpCWb3BeQjTl.pgp Description: PGP signature
noboby with a shell !!
hi, I look at in the file /etc/passwd on my server today, and I saw the user nobody has a shell !!. When I installed my debian (sarge, I know it's bad, but it's just a server for me...) I put /bin/false. A few days ago, while an upgrade, apt asked to me to upgrade that file to the new version and answer yes, so I think it come from that action, but it could be unsecure to put /bin/sh for nobody ? nobody:x:65534:65534:nobody:/nonexistent:/bin/sh I change to : nobody:x:65534:65534:nobody:/dev/null:/bin/false Yoann
Re: noboby with a shell !!
On Wed, Mar 26, 2003 at 11:35:38AM +0100, Yoann wrote: Hi, I look at in the file /etc/passwd on my server today, and I saw the user nobody has a shell !!. When I installed my debian (sarge, I know it's bad, but it's just a server for me...) I put /bin/false. A few days ago, while an upgrade, apt asked to me to upgrade that file to the new version and answer yes, so I think it come from that action, but it could be unsecure to put /bin/sh for nobody ? Well yes it could :) As long as the user has no valid password it's not very usefull. Take a look into the /etc/shadow and in the second field you'll find ! or * indicating that this user has a invalid password. See man 5 shadow. nobody:x:65534:65534:nobody:/nonexistent:/bin/sh I change to : nobody:x:65534:65534:nobody:/dev/null:/bin/false This might be bad cause AFAIK a few cronjobs change from their root uid to nobody via the su command. See your /var/log/syslog maybe you'll now get some errors from cron jobs at night. Sven -- It really sucks to give your heart to a girl You want to know her like she knows the whole world But 10 seconds in, it's obvious, your going nowhere... [Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
Re: noboby with a shell !!
Does the user nobody has got a password in /etc/shadow ? greets Robbert Citeren Yoann [EMAIL PROTECTED]: hi, I look at in the file /etc/passwd on my server today, and I saw the user nobody has a shell !!. When I installed my debian (sarge, I know it's bad, but it's just a server for me...) I put /bin/false. A few days ago, while an upgrade, apt asked to me to upgrade that file to the new version and answer yes, so I think it come from that action, but it could be unsecure to put /bin/sh for nobody ? nobody:x:65534:65534:nobody:/nonexistent:/bin/sh I change to : nobody:x:65534:65534:nobody:/dev/null:/bin/false Yoann -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] __ http://www.wanadoo.nl/
Re: noboby with a shell !!
Hi, I look at in the file /etc/passwd on my server today, and I saw the user nobody has a shell !!. When I installed my debian (sarge, I know it's bad, but it's just a server for me...) I put /bin/false. A few days ago, while an upgrade, apt asked to me to upgrade that file to the new version and answer yes, so I think it come from that action, but it could be unsecure to put /bin/sh for nobody ? Well yes it could :) As long as the user has no valid password it's not very usefull. Take a look into the /etc/shadow and in the second field you'll find ! or * indicating that this user has a invalid password. See man 5 shadow. there is an * in /etc/shadow for nobody, but all services (ftp, web...) are running with the uid nobody so if there is an attack on an unknow bug (I keep up to date all services) on those services (buffer overflow for example), It's will be unsercure.. . nobody:x:65534:65534:nobody:/nonexistent:/bin/sh ^^^ I change to : nobody:x:65534:65534:nobody:/dev/null:/bin/false This might be bad cause AFAIK a few cronjobs change from their root uid to nobody via the su command. See your /var/log/syslog maybe you'll now get some errors from cron jobs at night. I will pay attention , thx Sven Yoann
bind squid to interface
I would like to bind squid to a specific interface. I thought the easy way to
do this would be with xinetd, but I get:

  Mar 26 06:05:09 localhost squid: Cannot open HTTP Port
  Mar 26 06:05:49 localhost last message repeated 10 times

when I try to use it. Normally this would mean there is a squid process
already running, but there is no other squid process.

  service squid
  {
          disable         = no
          socket_type     = stream
          wait            = no
          user            = root
          bind            = 192.0.0.1
          server          = /usr/sbin/squid
          server_args     = -N -D -YC -u0
  }

What am I doing wrong with xinetd? What other ways are there to make squid
bind to an interface?

~Michael
Re: nobody with a shell !!
Yoann [EMAIL PROTECTED] writes:

> There is an * in /etc/shadow for nobody, but all services (ftp, web...)
> are running with the uid nobody, so if there is an attack on an unknown
> bug (I keep all services up to date) in those services (buffer overflow
> for example), it will be insecure...

It will be insecure even if the shell field is filled with garbage...

1) The buffer overflow kind of attack is to launch a program from within
   another, a shell for example.

2) The shell shield (easier to write than to say) is used by:
   - /bin/login to launch a shell, or a pppd in some cases
   - /*/ftpd to allow (/bin/true) or disallow (/bin/false) ftp access
   - probably lots of other programs.

HTH.

-- 
Reality always seems harsher in the early morning.
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/
Re: bind squid to interface
On Wednesday 26 March 2003 15:16, Michael West wrote:

Hi there,

how about:

  http_port xxx.xxx.xxx.xxx:8000
  tcp_outgoing_address xxx.xxx.xxx.xxx
  udp_outgoing_address xxx.xxx.xxx.xxx

in the squid config and run squid as a daemon?

Michi

> I would like to bind squid to a specific interface. I thought the easy
> way to do this would be with xinetd, but I get:
>
>   Mar 26 06:05:09 localhost squid: Cannot open HTTP Port
>   Mar 26 06:05:49 localhost last message repeated 10 times
>
> when I try to use it. Normally this would mean there is a squid process
> already running, but there is no other squid process.
>
>   service squid
>   {
>           disable         = no
>           socket_type     = stream
>           wait            = no
>           user            = root
>           bind            = 192.0.0.1
>           server          = /usr/sbin/squid
>           server_args     = -N -D -YC -u0
>   }
>
> What am I doing wrong with xinetd? What other ways are there to make
> squid bind to an interface?
>
> ~Michael

-- 
Bisping & Bisping GmbH & Co. KG     Michael Streb
internet and network                [EMAIL PROTECTED]
Spitalstrasse 21-24-26              phone +49-9123-9740-630
D-91207 Lauf a. d. Pegnitz          fax   +49-9123-9740-97
http://photo.bisping.de * http://bisping.de * http://lauf.de
Re: nobody with a shell !!
On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> Well yes it could :) As long as the user has no valid password it's not
> very useful. Take a look into /etc/shadow and in the second field you'll
> find ! or *, indicating that this user has an invalid password. See man 5
> shadow.

That's hardly true. If an attacker could somehow create an ssh
authorized_keys file, they could log in without a password.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Re: nobody with a shell !!
This e-mail address does not exist
Re: bind squid to interface
## Michael West ([EMAIL PROTECTED]):

> I would like to bind squid to a specific interface.

  http_port hostname:port
  http_port ip:port
  http_port port

It's documented.

Regards,
cmt
-- 
Spare Space
Re: bind squid to interface
Michael West wrote:

> I would like to bind squid to a specific interface.
[...]
> What am I doing wrong with xinetd? What other ways are there to make
> squid bind to an interface?

IIRC there used to be an option tcp_incoming_address in /etc/squid.conf,
but I think lately it was changed to be included in the http_port option.

HTH
Frank
Re: bind squid to interface
* Michael West [EMAIL PROTECTED] [26-03-03 15:16]:
> I would like to bind squid to a specific interface.

Look at /etc/squid.conf:

  # NETWORK OPTIONS
  # ----------------------------------------------------------------------

  #  TAG: http_port
  #       Usage:  port
  #               hostname:port
  #               1.2.3.4:port
  #
  #       The socket addresses where Squid will listen for HTTP client
  #       requests.  You may specify multiple socket addresses.
  #       There are three forms: port alone, hostname with port, and
  #       IP address with port.  If you specify a hostname or IP
  #       address, then Squid binds the socket to that specific
  #       address.  This replaces the old 'tcp_incoming_address'
  #       option.  Most likely, you do not need to bind to a specific
  #       address, so you can use the port number alone.
  #
  #       The default port number is 3128.
  #
  #       If you are running Squid in accelerator mode, then you
  #       probably want to listen on port 80 also, or instead.
  #
  #       The -a command line option will override the *first* port
  #       number listed here.  That option will NOT override an IP
  #       address, however.
  #
  #       You may specify multiple socket addresses on multiple lines.
  #
  #Default: http_port 127.0.0.1:3128

HTH
Jens
Removing invalid keys from keyring
Hi all,

I guess this question might be more suited to gnupg-users, but as I'm not
subscribed to that list, I hope you can forgive me for asking here... It is
a really short question...

Is there a way to remove revoked/expired and otherwise invalid or useless
keys from a GPG keyring, in batch? I once downloaded the 4500 keys that were
closest to me, but many of them are invalid now, and I'd like to remove
those in a quick way. Are there possibly any scripts lying around?

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC
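One way to do the batch pruning Kjetil asks for, as an added example written for this thread (it is not a script from the list, from Kjetil, or from GnuPG). It relies only on GnuPG's documented machine-readable listing (`gpg --with-colons --list-keys`, described in doc/DETAILS of the GnuPG source): field 1 is the record type, field 2 the validity letter, field 5 the key ID. The colon listing embedded below is constructed for the demonstration; the `--demo` and `--really` switches are this script's own, not gpg options.

```python
"""Batch-prune revoked, expired and otherwise invalid keys from a GnuPG
public keyring.

Added example, not code from the mailing-list thread or from GnuPG.
The only GnuPG interfaces used are the documented ones:
  gpg --with-colons --list-keys      (machine-readable listing)
  gpg --batch --yes --delete-keys    (non-interactive deletion)
"""
import subprocess
import sys

# Validity letters (field 2 of a 'pub' record) that mean the key is dead:
# r = revoked, e = expired, i = invalid, d = disabled (older GnuPG versions)
DEAD_VALIDITY = {"r", "e", "i", "d"}


def keys_to_prune(colon_output):
    """Return the key IDs of 'pub' records whose validity marks them unusable."""
    doomed = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[0] != "pub":
            continue  # skip tru/sub/uid/fpr records and anything malformed
        if fields[1] in DEAD_VALIDITY:
            doomed.append(fields[4])
    return doomed


def delete_command(keyids):
    """argv for a non-interactive delete. --batch alone would refuse key IDs
    (it wants fingerprints); --yes answers the per-key confirmation."""
    return ["gpg", "--batch", "--yes", "--delete-keys", *keyids]


def list_keys_colon():
    """Ask the real gpg for its colon-format listing of the public keyring."""
    return subprocess.run(["gpg", "--with-colons", "--list-keys"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample listing: one good key with a subkey, three dead keys,
# and the user's own (ultimately trusted) key. Key IDs are placeholders.
SAMPLE_LISTING = """tru::1:1048592704:0:3:1:5
pub:-:1024:17:00000000DEADBEEF:2001-05-12:::-:Alice Example <alice@example.org>:
sub:-:1024:16:00000000CAFEBABE:2001-05-12::::
pub:r:1024:17:1111111111111111:2000-01-01:::-:Bob Revoked <bob@example.org>:
pub:e:1024:17:2222222222222222:1999-01-01:2002-01-01::-:Carol Expired <carol@example.org>:
pub:i:1024:17:3333333333333333:2001-03-03:::-:Dave Invalid <dave@example.org>:
pub:u:1024:17:4444444444444444:2002-02-02:::-:Kjetil Own Key <kjetil@example.org>:
"""

if __name__ == "__main__":
    # Dry run by default: print the command, delete only with --really.
    listing = SAMPLE_LISTING if "--demo" in sys.argv else list_keys_colon()
    ids = keys_to_prune(listing)
    if not ids:
        print("nothing to prune")
    else:
        cmd = delete_command(ids)
        print("would run:", " ".join(cmd))
        if "--really" in sys.argv:
            subprocess.run(cmd, check=True)
```

Run it with `--demo` to see it act on the constructed listing, without arguments for a dry run against your own keyring, and with `--really` to delete. Two caveats: deleting a key also removes any signatures it carries from your view of the web of trust, so keep a backup of pubring.gpg first; and on a 4500-key ring the argument list gets long, so split `ids` into chunks if your shell complains.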
Re: nobody with a shell !!
On Wed, Mar 26, 2003 at 10:50:48AM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> > Well yes it could :) As long as the user has no valid password it's not
> > very useful. Take a look into /etc/shadow and in the second field you'll
> > find ! or *, indicating that this user has an invalid password. See man 5
> > shadow.
>
> That's hardly true. If an attacker could somehow create an ssh
> authorized_keys file, they could log in without a password.

and if he can somehow create the non-existing home dir. or if he can somehow
change the $HOME ... oh, forgot: when he has the power to somehow change the
$HOME he can change the $SHELL. or if he can edit /etc/passwd he's root ...
who cares about nobody.

Yeah there are so many side conditions that could happen, what a horror -
time to take the internet offline. *hrhr*

Well, at least you shouldn't run all your daemons under one uid. Create one
for the ftpd, one for your httpd and so on.

SCNR
Sven
-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
        [Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
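The two checks this thread circles around, as an added example for the thread (not code from any of the posters): does a locked password in /etc/shadow actually protect an account that still has an interactive shell, and are several daemons sharing one uid, as Yoann's ftp and web servers did under nobody. The passwd, shadow and process data below are constructed for the demonstration; on a real host read the files directly (shadow needs root) and feed `ps -eo pid,uid,comm` into the second check.

```python
"""Audit system accounts for 'locked password but interactive shell' and
for daemons that share a single uid.

Added example for the debian-security thread; not code from the posters.
A locked shadow field ('!' or '*' prefix, see man 5 shadow) stops
/bin/login, but not an ssh key in authorized_keys and not a process that
already runs as that uid, which is the point Noah and Yoann raise.
"""

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh", "/bin/zsh"}


def parse_passwd(text):
    """Return {name: (uid, home, shell)} from passwd-format text."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or line.startswith("#"):
            continue  # comments or malformed lines
        name, _pw, uid, _gid, _gecos, home, shell = parts
        entries[name] = (int(uid), home, shell)
    return entries


def parse_shadow(text):
    """Return {name: password_field} from shadow-format text."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        entries[parts[0]] = parts[1]
    return entries


def password_locked(field):
    """True if the field can never match a typed password ('!' or '*').
    An EMPTY field is the opposite: login with no password at all."""
    return bool(field) and field[0] in "!*"


def audit_accounts(passwd_text, shadow_text):
    """List (name, reason) for accounts that deserve a second look."""
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, (_uid, _home, shell) in passwd.items():
        pw = shadow.get(name, "*")  # missing shadow entry behaves as locked
        if pw == "":
            findings.append((name, "empty password field"))
        if shell in INTERACTIVE_SHELLS and password_locked(pw):
            findings.append((name, "locked password but interactive shell " + shell))
    return findings


def shared_daemon_uids(processes):
    """Given (pid, uid, command) tuples, return {uid: [commands]} for every
    uid that runs more than one distinct daemon: Sven's one-uid-per-daemon
    advice, checked against the process table."""
    by_uid = {}
    for _pid, uid, cmd in processes:
        by_uid.setdefault(uid, set()).add(cmd)
    return {uid: sorted(cmds) for uid, cmds in by_uid.items() if len(cmds) > 1}


# Constructed sample data modelled on the thread; hashes are placeholders.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
yoann:x:1000:1000:Yoann:/home/yoann:/bin/bash
"""
SAMPLE_SHADOW = """root:$1$placeholder$xxxxxxxxxxxxxxxxxxxxxx:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
www-data:*:12000:0:99999:7:::
nobody:*:12000:0:99999:7:::
yoann:$1$placeholder$yyyyyyyyyyyyyyyyyyyyyy:12000:0:99999:7:::
"""
SAMPLE_PROCS = [(500, 65534, "proftpd"), (612, 65534, "apache"), (673, 13, "squid")]

if __name__ == "__main__":
    for name, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: {reason}")
    for uid, cmds in shared_daemon_uids(SAMPLE_PROCS).items():
        print(f"uid {uid} runs several daemons: {', '.join(cmds)}")
```

Setting the shell to /bin/false, as Yoann did, clears the first finding for nobody; the second finding only goes away once ftpd and httpd get uids of their own, which is the fix Sven ends on.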
speaking of squid ports...
Does anyone know what squid's udp sockets are for, and how to close them? As
far as I can tell, I don't need them, but I've been unable to find a
combination of squid directives to make them all go away. The icp port can be
closed using icp_port 0, but the other one is dynamic and isn't referred to
in the squid docs as far as I can tell:

  [kahlua](0) # netstat -lp | grep squid
  tcp        0      0 *:3128                  *:*                     LISTEN      673/(squid)
  udp        0      0 *:1414                  *:*                                 673/(squid)

The udp port isn't there immediately after starting squid, but it always
shows up after a client uses the proxy. Port 1414 isn't constant; it's
different every time.

Jason
Re: speaking of squid ports...
I believe that UDP port is for receiving DNS responses.

-Kevin

Jason Lunz [EMAIL PROTECTED] writes:

> Does anyone know what squid's udp sockets are for, and how to close them?
> As far as I can tell, I don't need them, but I've been unable to find a
> combination of squid directives to make them all go away. The icp port
> can be closed using icp_port 0, but the other one is dynamic and isn't
> referred to in the squid docs as far as I can tell:
>
>   [kahlua](0) # netstat -lp | grep squid
>   tcp        0      0 *:3128                  *:*                     LISTEN      673/(squid)
>   udp        0      0 *:1414                  *:*                                 673/(squid)
>
> The udp port isn't there immediately after starting squid, but it always
> shows up after a client uses the proxy. Port 1414 isn't constant; it's
> different every time.
>
> Jason
Re: speaking of squid ports...
On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
> I believe that UDP port is for receiving DNS responses.

Umm... No. It's used for ICP, a protocol for intercommunication between
squid caches. For example, at my site we have two different caches. One is
basically transparent. The other provides anonymizing services. But,
through ICP, both caches can make use of each other's cached objects.

Dunno how you turn it off, though. Iptables? shrug

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: speaking of squid ports...
On Wed, Mar 26, 2003 at 03:18:36PM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
> > I believe that UDP port is for receiving DNS responses.
>
> It's used for ICP, a protocol for intercommunication between squid
> caches. For example, at my site we have two different caches. One is
> basically transparent. The other provides anonymizing services. But,
> through ICP, both caches can make use of each other's cached objects.
>
> Dunno how you turn it off, though. Iptables? shrug

Should work by setting the icp_port to '0'... If it is written via -u in the
init scripts the config file settings are overwritten, so beware.

Regards,
Alexander
-- 
Alexander Reelsen
http://tretmine.org
Re: speaking of squid ports...
Noah L. Meyerhans [EMAIL PROTECTED] writes:

> On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
> > I believe that UDP port is for receiving DNS responses.
>
> Umm... No. It's used for ICP, a protocol for intercommunication between
> squid caches. For example, at my site we have two different caches. One
> is basically transparent. The other provides anonymizing services. But,
> through ICP, both caches can make use of each other's cached objects.
>
> Dunno how you turn it off, though. Iptables? shrug
>
> noah

He already said he turned off the ICP port, so I'm guessing that isn't it.
Also, the ICP port is 3130 by default, not 1414. Squid also can use a udp
port for snmp (default 3401).

FWIW, I found a couple of references to squid's use of a random high udp
port on the squid-user list. The only responses I could find indicated that
this port is used for DNS.

-Kevin
Re: speaking of squid ports...
[EMAIL PROTECTED] said:

> Umm... No. It's used for ICP, a protocol for intercommunication between
> squid caches. For example, at my site we have two different caches. One
> is basically transparent. The other provides anonymizing services. But,
> through ICP, both caches can make use of each other's cached objects.

no, Kevin's right. squid has its own built-in caching dns resolver, and
since it's a client it shows up on a different port every time. It seems
the only way to turn it off is to disable squid's internal resolver and use
an external one, but that's a whole new can of worms.

> Dunno how you turn it off, though. Iptables? shrug

As I said, icp can be turned off with icp_port 0, as noted in the
squid.conf comments. It uses udp port 3130 by default.

Jason
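A small socket inventory for the two squid threads above, added here as an example (not code from the posters or from the Squid project): it parses `netstat -lp` output, keeps the sockets that belong to squid, names each one, and flags listeners bound to every interface, which is how you confirm that an `http_port ip:port` setting actually took effect and what remains after `icp_port 0`. The netstat lines below are constructed for the demonstration, modelled on the output Jason posted. The port roles come from the squid.conf defaults quoted in the thread (3128 http_port, 3130 icp_port, 3401 snmp_port); calling any other squid UDP socket the internal resolver's client socket follows the thread's own conclusion and is a heuristic, not something netstat can prove.

```python
"""Inventory the listening sockets a squid process holds, from netstat -lp
output, and flag the ones bound to all interfaces.

Added example for the debian-security squid threads; not code from the
posters or from Squid. Port roles are the squid.conf defaults quoted in
the thread; the 'ephemeral UDP = internal DNS client' classification is
the thread's conclusion, applied as a heuristic.
"""
import re

KNOWN_PORTS = {
    ("tcp", 3128): "http_port (client requests)",
    ("udp", 3130): "icp_port (cache peering, icp_port 0 disables)",
    ("udp", 3401): "snmp_port",
}

# proto  recv-q  send-q  local:port  foreign  [LISTEN]  pid/program
LINE_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)"
)


def parse_netstat(text):
    """Turn netstat -lp lines into dicts; header and foreign lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, addr, port, pid, prog = m.groups()
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "pid": int(pid), "program": prog})
    return sockets


def classify(sock):
    """Name the socket from its port, or fall back to the thread's heuristic."""
    role = KNOWN_PORTS.get((sock["proto"], sock["port"]))
    if role is None and sock["proto"] == "udp":
        role = "internal DNS client socket (ephemeral port)"
    return role or "unknown"


def squid_report(text, program="squid"):
    """(proto, addr, port, role, bound_to_all_interfaces) per squid socket."""
    report = []
    for s in parse_netstat(text):
        if program not in s["program"]:  # netstat shows it as '(squid)'
            continue
        wildcard = s["addr"] in ("*", "0.0.0.0", "::")
        report.append((s["proto"], s["addr"], s["port"], classify(s), wildcard))
    return report


# Constructed sample, modelled on Jason's listing plus an sshd line and the
# default ICP socket, before icp_port 0 and before binding http_port.
SAMPLE_NETSTAT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:3128                  *:*                     LISTEN      673/(squid)
tcp        0      0 *:22                    *:*                     LISTEN      411/sshd
udp        0      0 *:1414                  *:*                                 673/(squid)
udp        0      0 *:3130                  *:*                                 673/(squid)
"""

if __name__ == "__main__":
    for proto, addr, port, role, wildcard in squid_report(SAMPLE_NETSTAT):
        flag = "  <- bound to all interfaces" if wildcard else ""
        print(f"{proto} {addr}:{port}  {role}{flag}")
```

After changing the config to `http_port 192.0.0.1:3128` and restarting, the tcp line should show that address and the wildcard flag disappears; the ephemeral UDP socket stays as long as squid's internal resolver is in use, so if it must not exist on a given interface the remaining lever is a host firewall rule, as Noah suggested.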