[SECURITY] [DSA 269-1] New heimdal packages fix authentication failure

2003-03-26 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Debian Security Advisory DSA 269-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                         Martin Schulze
March 26th, 2003                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: heimdal
Vulnerability  : Cryptographic weakness
Problem-Type   : remote
Debian-specific: no
CVE Id : CAN-2003-0138
CERT advisory  : VU#623217

A cryptographic weakness in version 4 of the Kerberos protocol allows
an attacker to use a chosen-plaintext attack to impersonate any
principal in a realm.  Additional cryptographic weaknesses in the krb4
implementation permit the use of cut-and-paste attacks to fabricate
krb4 tickets for unauthorized client principals if triple-DES keys are
used to key krb4 services.  These attacks can subvert a site's entire
Kerberos authentication infrastructure.

This version of the heimdal package changes the default behavior and
disallows cross-realm authentication for Kerberos version 4.  Because
of the fundamental nature of the problem, cross-realm authentication
in Kerberos version 4 cannot be made secure and sites should avoid its
use.  A new option (--kerberos4-cross-realm) is provided to the kdc 
command to re-enable version 4 cross-realm authentication for those
sites that must use this functionality but desire the other security
fixes.

For the stable distribution (woody) this problem has been
fixed in version 0.4e-7.woody.6.

The old stable distribution (potato) is not affected by this problem,
since it isn't compiled against kerberos 4.

For the unstable distribution (sid) this problem has been
fixed in version 0.5.2-1.

We recommend that you upgrade your heimdal packages immediately.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------


[SECURITY] [DSA 270-1] New Linux kernel packages (mips + mipsel) fix local root exploit

2003-03-26 Thread Martin Schulze
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Debian Security Advisory DSA 270-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                         Martin Schulze
March 27th, 2003                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Packages   : kernel-patch-2.4.17-mips, kernel-patch-2.4.19-mips
Vulnerability  : local privilege escalation
Problem-Type   : local
Debian-specific: no
CVE Id : CAN-2003-0127

The kernel module loader in Linux 2.2 and Linux 2.4 kernels has a flaw
in ptrace.  This hole allows local users to obtain root privileges by
using ptrace to attach to a child process that is spawned by the
kernel.  Remote exploitation of this hole is not possible.

This advisory only covers kernel packages for the big and little endian MIPS
architectures.  Other architectures will be covered by separate advisories.

For the stable distribution (woody) this problem has been fixed in version
2.4.17-0.020226.2.woody1 of kernel-patch-2.4.17-mips (mips+mipsel) and in
version 2.4.19-0.020911.1.woody1 of kernel-patch-2.4.19-mips (mips only).

The old stable distribution (potato) is not affected by this problem
for these architectures since mips and mipsel were first released with
Debian GNU/Linux 3.0 (woody).

For the unstable distribution (sid) this problem has been fixed in
version 2.4.19-0.020911.6 of kernel-patch-2.4.19-mips (mips+mipsel).

We recommend that you upgrade your kernel-images packages immediately.


Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------


Re: is iptables enough?

2003-03-26 Thread Steffen Burmeister
Hi all,

On Tue, Mar 25, 2003 at 01:46:32PM -0600, Jones wrote:
> One thing they forgot to mention was that they used Exchange for
> email.  That means instead of running exim, I will have to forward
> SMTP & POP traffic to their Exchange server.  The Exchange server
> will not be directly connected to the Internet.

If you only port-forward the connections to the Exchange
Server you will expose it to the world like you would
run it on the firewall itself.

You are right about forwarding the traffic (how else should
they get their mail :), but IMHO it is far better to still 
use exim, but only as a smart-host to redirect mail from 
the internet to the Exchange-server and back. If you update 
your debian-box regularly, you don't have to worry about the 
security of the Exchange-server that much.

later

   Steffen Burmeister, Dipl. Wirtschaftsinformatiker (BA)

--
ebios informationssysteme volker birk
gut-betha-platz 1 88339 bad waldsee germany
phone +49 (7524) 93421    fax +49 (7524) 93423
mailto:[EMAIL PROTECTED]    http://www.ebios.de





nobody with a shell !!

2003-03-26 Thread Yoann
hi,

I looked at the file /etc/passwd on my server today, and I saw the user
nobody has a shell !!. When I installed my Debian (sarge, I know it's
bad, but it's just a server for me...) I put /bin/false. A few days ago,
during an upgrade, apt asked me to upgrade that file to the new
version and I answered yes, so I think it comes from that action, but
could it be insecure to put /bin/sh for nobody?

nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

I changed it to:
nobody:x:65534:65534:nobody:/dev/null:/bin/false

Yoann

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


Re: nobody with a shell !!

2003-03-26 Thread Sven Hoexter
On Wed, Mar 26, 2003 at 11:35:38AM +0100, Yoann wrote:

Hi,

> I looked at the file /etc/passwd on my server today, and I saw the user
> nobody has a shell !!. When I installed my Debian (sarge, I know it's
> bad, but it's just a server for me...) I put /bin/false. A few days ago,
> during an upgrade, apt asked me to upgrade that file to the new
> version and I answered yes, so I think it comes from that action, but
> could it be insecure to put /bin/sh for nobody?
Well yes it could :) As long as the user has no valid password it's not very
useful. Take a look into /etc/shadow and in the second field you'll find
! or * indicating that this user has an invalid password. See man 5 shadow.

> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>
> I changed it to:
>
> nobody:x:65534:65534:nobody:/dev/null:/bin/false
This might be bad because AFAIK a few cronjobs change from their root uid to
nobody via the su command. See your /var/log/syslog, maybe you'll now get
some errors from cron jobs at night.

Sven

-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]





Re: nobody with a shell !!

2003-03-26 Thread robjeh
Does the user nobody have a password in /etc/shadow?

greets
  Robbert

Quoting Yoann [EMAIL PROTECTED]:

> hi,
>
> I looked at the file /etc/passwd on my server today, and I saw the user
> nobody has a shell !!. When I installed my Debian (sarge, I know it's
> bad, but it's just a server for me...) I put /bin/false. A few days ago,
> during an upgrade, apt asked me to upgrade that file to the new
> version and I answered yes, so I think it comes from that action, but
> could it be insecure to put /bin/sh for nobody?
>
> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>
> I changed it to:
>
> nobody:x:65534:65534:nobody:/dev/null:/bin/false
>
> Yoann





Re: nobody with a shell !!

2003-03-26 Thread Yoann
Hi,

>> I looked at the file /etc/passwd on my server today, and I saw the user
>> nobody has a shell !!. When I installed my Debian (sarge, I know it's
>> bad, but it's just a server for me...) I put /bin/false. A few days ago,
>> during an upgrade, apt asked me to upgrade that file to the new
>> version and I answered yes, so I think it comes from that action, but
>> could it be insecure to put /bin/sh for nobody?
> Well yes it could :) As long as the user has no valid password it's
> not very useful. Take a look into /etc/shadow and in the second field
> you'll find ! or * indicating that this user has an invalid password.
> See man 5 shadow.
There is an * in /etc/shadow for nobody, but all services (ftp, web...)
are running with the uid nobody, so if there is an attack on an unknown
bug (I keep all services up to date) in those services (buffer overflow
for example), it will be insecure...
>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>                                           ^^^
>> I changed it to:
>> nobody:x:65534:65534:nobody:/dev/null:/bin/false
> This might be bad because AFAIK a few cronjobs change from their root uid to
> nobody via the su command. See your /var/log/syslog, maybe you'll now get
> some errors from cron jobs at night.
I will pay attention, thx

> Sven
Yoann





bind squid to interface

2003-03-26 Thread Michael West
I would like to bind squid to a specific interface.  

I thought the easy way to do this would be with xinetd, but I get:

Mar 26 06:05:09 localhost squid: Cannot open HTTP Port
Mar 26 06:05:49 localhost last message repeated 10 times

When I try to use it.  Normally this would mean there is a squid process
already running, but there is no other squid process.

service squid
{
        disable     = no
        socket_type = stream
        wait        = no
        user        = root
        bind        = 192.0.0.1
        server      = /usr/sbin/squid
        server_args = -N -D -YC -u0
}

What am I doing wrong with xinetd?  What other ways are there to make
squid bind to an interface?

 ~Michael





Re: nobody with a shell !!

2003-03-26 Thread François TOURDE
Yoann [EMAIL PROTECTED] writes:

> There is an * in /etc/shadow for nobody, but all services (ftp, web...)
> are running with the uid nobody, so if there is an attack on an unknown
> bug (I keep all services up to date) in those services (buffer overflow
> for example), it will be insecure...

It will be insecure even if the shell field is filled with garbage...

1) The buffer overflow kind of attack is to launch a program from
within another, a shell for example.

2) The shell shield (more easy to write than to tell) is used by:

- /bin/login to launch a shell, or a pppd in some cases
- /*/ftpd to allow (/bin/true) or disallow (/bin/false) ftp access
- probably lots of other programs.

HTH.

-- 
Reality always seems harsher in the early morning.
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/





Re: bind squid to interface

2003-03-26 Thread Michael Streb
On Wednesday 26 March 2003 15:16, Michael West wrote:

Hi there,

how about :


http_port xxx.xxx.xxx.xxx:8000
tcp_outgoing_address xxx.xxx.xxx.xxx
udp_outgoing_address xxx.xxx.xxx.xxx


in the squid config and run squid as a daemon?

Michi

> I would like to bind squid to a specific interface.
>
> I thought the easy way to do this would be with xinetd, but I get:
>
> Mar 26 06:05:09 localhost squid: Cannot open HTTP Port
> Mar 26 06:05:49 localhost last message repeated 10 times
>
> When I try to use it.  Normally this would mean there is a squid process
> already running, but there is no other squid process.
>
> service squid
> {
>         disable     = no
>         socket_type = stream
>         wait        = no
>         user        = root
>         bind        = 192.0.0.1
>         server      = /usr/sbin/squid
>         server_args = -N -D -YC -u0
> }
>
> What am I doing wrong with xinetd?  What other ways are there to make
> squid bind to an interface?
>
>  ~Michael

-- 
Bisping & Bisping GmbH & Co. KG        Michael Streb
internet and network                   [EMAIL PROTECTED]
Spitalstrasse 21-24-26                 phone +49-9123-9740-630
D-91207 Lauf a. d. Pegnitz             fax   +49-9123-9740-97

http://photo.bisping.de   *   http://bisping.de   *   http://lauf.de





Re: nobody with a shell !!

2003-03-26 Thread Noah L. Meyerhans
On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
> Well yes it could :) As long as the user has no valid password it's not very
> useful. Take a look into /etc/shadow and in the second field you'll find
> ! or * indicating that this user has an invalid password. See man 5 shadow.

That's hardly true.  If an attacker could somehow create an ssh
authorized_keys file, they could log in without a password.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Re: nobody with a shell !!

2003-03-26 Thread martin . j
This e-mail address does not exist





Re: bind squid to interface

2003-03-26 Thread Christoph Moench-Tegeder
## Michael West ([EMAIL PROTECTED]):

> I would like to bind squid to a specific interface.

http_port hostname:port
http_port ip:port
http_port port

It's documented.

Regards,
cmt

-- 
Spare Space





Re: bind squid to interface

2003-03-26 Thread Jens Schuessler
* Michael West [EMAIL PROTECTED] [26-03-03 15:16]:
> I would like to bind squid to a specific interface.

Look at /etc/squid.conf:
  
# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
#   Usage:  port
#   hostname:port
#   1.2.3.4:port
#
#   The socket addresses where Squid will listen for HTTP client
#   requests.  You may specify multiple socket addresses.
#   There are three forms: port alone, hostname with port, and
#   IP address with port.  If you specify a hostname or IP
#   address, then Squid binds the socket to that specific
#   address.  This replaces the old 'tcp_incoming_address'
#   option.  Most likely, you do not need to bind to a specific
#   address, so you can use the port number alone.
#
#   The default port number is 3128.
#
#   If you are running Squid in accelerator mode, then you
#   probably want to listen on port 80 also, or instead.
#
#   The -a command line option will override the *first* port
#   number listed here.   That option will NOT override an IP
#   address, however.
#
#   You may specify multiple socket addresses on multiple lines.
#
#Default:
http_port 127.0.0.1:3128

HTH
Jens





Re: bind squid to interface

2003-03-26 Thread Frank Peters
Michael West wrote:
 
> I would like to bind squid to a specific interface.
[...]
> What am I doing wrong with xinetd?  What other ways are there to make
> squid bind to an interface?

IIRC there used to be an option tcp_incoming_address in
/etc/squid.conf, but I think lately it was changed to be included in the
http_port option.

HTH

Frank





Removing invalid keys from keyring

2003-03-26 Thread Kjetil Kjernsmo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I guess this question might be more suited on gnupg-users, but as I'm 
not subscribed to that list, I hope you can forgive me for asking 
here... It is a really short question...

Is there a way to remove revoked/expired and otherwise invalid or 
useless keys from a GPG keyring, in batch?

I once downloaded the 4500 keys that were closest to me, but many of 
them are invalid now, and I'd like to remove those in a quick way? Are 
there possibly any scripts lying around? 

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/    OpenPGP KeyID: 6A6A0BBC
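One way to do the batch clean-up Kjetil asks about, as an added example rather than anything from the thread: parse gpg's machine-readable listing (`gpg --with-colons --list-keys`, where field 2 of a `pub` record is the validity flag and field 5 the key ID) and hand the stale IDs to `gpg --delete-keys`. The function names and the sample listing below are constructed for this example.

```shell
#!/bin/sh
# Batch removal of revoked/expired/invalid keys from a GnuPG public keyring.
# The key list is parsed from gpg's colon format (gpg --with-colons --list-keys):
# field 1 is the record type, field 2 the validity (e = expired, r = revoked,
# i = invalid), field 5 the key ID.
# Function names and the sample listing are constructed for this example.

# stale_keyids LISTING_FILE
# Prints the key ID of every primary key ("pub" record) whose validity is
# expired, revoked or invalid. Subkey ("sub") records are ignored on purpose:
# an expired subkey does not make the whole key useless.
stale_keyids() {
    awk -F: '$1 == "pub" && ($2 == "e" || $2 == "r" || $2 == "i") { print $5 }' "$1"
}

# purge_stale_keys
# Deletes the stale keys from the live keyring. Only run it after reviewing
# the output of stale_keyids; --batch --yes suppresses the confirmations.
purge_stale_keys() {
    listing=$(mktemp)
    gpg --with-colons --list-keys > "$listing"
    for kid in $(stale_keyids "$listing"); do
        gpg --batch --yes --delete-keys "$kid"
    done
    rm -f "$listing"
}

# --- constructed sample listing in gpg's colon format (not a real keyring) ---
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
tru::1:1048680000:0:3:1:5
pub:e:1024:17:0123456789ABCDEF:2001-01-01:2002-01-01::-:Constructed Expired <expired@example.org>::scESC:
uid:e::::2001-01-01::0000000000000000000000000000000000000000::Constructed Expired <expired@example.org>:
sub:e:1024:16:1111111111111111:2001-01-01:2002-01-01:::::e:
pub:r:1024:17:FEDCBA9876543210:2001-01-01::::Constructed Revoked <revoked@example.org>::scESC:
pub:-:1024:17:0000000000000001:2001-01-01::::Constructed Valid <valid@example.org>::scESC:
sub:e:1024:16:2222222222222222:2001-01-01:2002-01-01:::::e:
EOF

# Expected: only the expired and the revoked primary keys are listed; the
# valid key with an expired subkey stays.
stale_keyids "$SAMPLE_LISTING"
```

Deleting a revoked key also discards its revocation certificate, so old signatures made with it can no longer be recognised as coming from a revoked key; keep those if you still verify old mail.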





Re: nobody with a shell !!

2003-03-26 Thread Sven Hoexter
On Wed, Mar 26, 2003 at 10:50:48AM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
>> Well yes it could :) As long as the user has no valid password it's not very
>> useful. Take a look into /etc/shadow and in the second field you'll find
>> ! or * indicating that this user has an invalid password. See man 5 shadow.
>
> That's hardly true.  If an attacker could somehow create an ssh
> authorized_keys file, they could log in without a password.
and if he can somehow create the non-existent home dir,
or if he can somehow change the $HOME ... oh, forgot, when he has the power to
somehow change the $HOME he can change the $SHELL, or if he can edit
/etc/passwd he's root ... who cares about nobody.

Yeah there are so many side conditions that could happen, what a horror - time
to take the internet offline. *hrhr*

Well at least you shouldn't run all your daemons under one uid. Create one for
the ftpd one for your httpd and so on.

SCNR
Sven
-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]
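The checks this thread argues over, put into one audit script (an added example, not code from any poster): Sven's rule that a `!` or `*` in the second field of /etc/shadow locks the account, Noah's caveat that an authorized_keys file bypasses the password, and the shell field François describes. Function names, the ROOT prefix for staging a fake filesystem and the sample passwd/shadow files are my own constructions.

```shell
#!/bin/sh
# Audit accounts that could be logged into: an entry is reported when its
# shell is interactive AND either its shadow password field is not locked
# or an ssh authorized_keys file exists under its home directory.
# Function and variable names are assumptions made for this example.

# Shells that cannot be used for an interactive login. An empty shell field
# is deliberately NOT in this list: login treats it as /bin/sh.
is_nologin_shell() {
    case "$1" in
        /bin/false|/usr/bin/false|/bin/true|/usr/sbin/nologin|/sbin/nologin)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# A shadow password field is "locked" when it starts with ! or * (man 5 shadow).
# An empty field, or no shadow entry at all, counts as NOT locked.
is_locked_hash() {
    case "$1" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_accounts PASSWD SHADOW [ROOT]
# Prints one finding per line as user:shell:reason. ROOT is prefixed to the
# home directory so the check can run against a staged tree instead of /.
audit_accounts() {
    passwd_file=$1; shadow_file=$2; root=${3:-}
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        is_nologin_shell "$shell" && continue
        hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow_file")
        if ! is_locked_hash "$hash"; then
            printf '%s:%s:password-not-locked\n' "$user" "$shell"
        fi
        if [ -f "$root$home/.ssh/authorized_keys" ]; then
            printf '%s:%s:authorized_keys-present\n' "$user" "$shell"
        fi
    done < "$passwd_file"
}

# --- constructed sample data (not taken from any real system) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_SHADOW=$SAMPLE_DIR/shadow
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$constructed$notarealhash:12000:0:99999:7:::
nobody:*:12000:0:99999:7:::
www-data:*:12000:0:99999:7:::
backup:!:12000:0:99999:7:::
EOF
# backup is locked in shadow but has a stray authorized_keys file.
mkdir -p "$SAMPLE_DIR/var/backups/.ssh"
: > "$SAMPLE_DIR/var/backups/.ssh/authorized_keys"

# Expected: nobody is NOT reported (locked password, no home directory),
# but root (real hash) and backup (authorized_keys) are.
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$SAMPLE_DIR"
# Against the live system (reading /etc/shadow needs root):
#   audit_accounts /etc/passwd /etc/shadow
```

Note that this only covers the login path; it says nothing about a daemon running as nobody being exploited in place, which is the separate concern Yoann raised and Sven answered with "one uid per daemon".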





speaking of squid ports...

2003-03-26 Thread Jason Lunz
does anyone know what squid's udp sockets are for, and how to close
them? As far as I can tell, I don't need them, but I've been unable to
find a combination of squid directives to make them all go away. The icp
port can be closed using icp_port 0, but the other one is dynamic and
isn't referred to in the squid docs as far as I can tell:

[kahlua](0) # netstat -lp | grep squid
tcp        0      0 *:3128      *:*       LISTEN  673/(squid)
udp        0      0 *:1414      *:*               673/(squid)

the udp port isn't there immediately after starting squid, but it always
shows up after a client uses the proxy. port 1414 isn't constant; it's
different every time.

Jason





Re: speaking of squid ports...

2003-03-26 Thread Kevin Cheek

I believe that UDP port is for receiving DNS responses.

-Kevin

Jason Lunz [EMAIL PROTECTED] writes:

> does anyone know what squid's udp sockets are for, and how to close
> them? As far as I can tell, I don't need them, but I've been unable to
> find a combination of squid directives to make them all go away. The icp
> port can be closed using icp_port 0, but the other one is dynamic and
> isn't referred to in the squid docs as far as I can tell:
>
> [kahlua](0) # netstat -lp | grep squid
> tcp        0      0 *:3128      *:*       LISTEN  673/(squid)
> udp        0      0 *:1414      *:*               673/(squid)
>
> the udp port isn't there immediately after starting squid, but it always
> shows up after a client uses the proxy. port 1414 isn't constant; it's
> different every time.
>
> Jason





Re: speaking of squid ports...

2003-03-26 Thread Noah L. Meyerhans
On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
 
> I believe that UDP port is for receiving DNS responses.

Umm...  No.

It's used for ICP, a protocol for intercommunication between squid
caches.  For example, at my site we have two different caches.  One is
basically transparent.  The other provides anonymizing services.  But,
through ICP, both caches can make use of each other's cached objects.

Dunno how you turn it off, though.  Iptables?  <shrug>

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: speaking of squid ports...

2003-03-26 Thread Alexander Reelsen
On Wed, Mar 26, 2003 at 03:18:36PM -0500, Noah L. Meyerhans wrote:
> On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
>> I believe that UDP port is for receiving DNS responses.
> It's used for ICP, a protocol for intercommunication between squid
> caches.  For example, at my site we have two different caches.  One is
> basically transparent.  The other provides anonymizing services.  But,
> through ICP, both caches can make use of each other's cached objects.
>
> Dunno how you turn it off, though.  Iptables?  <shrug>
Should work by setting the icp_port to '0'... If it is written via -u in
the init scripts the config file settings are overwritten, so beware.


Regards, Alexander

-- 
Alexander Reelsen
http://tretmine.org





Re: speaking of squid ports...

2003-03-26 Thread Kevin Cheek
Noah L. Meyerhans [EMAIL PROTECTED] writes:

> On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
>>
>> I believe that UDP port is for receiving DNS responses.
>
> Umm...  No.
>
> It's used for ICP, a protocol for intercommunication between squid
> caches.  For example, at my site we have two different caches.  One is
> basically transparent.  The other provides anonymizing services.  But,
> through ICP, both caches can make use of each other's cached objects.
>
> Dunno how you turn it off, though.  Iptables?  <shrug>
>
> noah

He already said he turned off the ICP port, so I'm guessing that isn't
it.  Also, the ICP port is 3130 by default, not 1414.

Squid also can use a udp port for snmp (default 3401).

FWIW, I found a couple of references to squid's use of a random high
udp port on the squid-user list.  The only responses I could find
indicated that this port is used for DNS.

-Kevin





Re: speaking of squid ports...

2003-03-26 Thread Jason Lunz
[EMAIL PROTECTED] said:
> Umm...  No.
>
> It's used for ICP, a protocol for intercommunication between squid
> caches.  For example, at my site we have two different caches.  One is
> basically transparent.  The other provides anonymizing services.  But,
> through ICP, both caches can make use of each other's cached objects.

no, Kevin's right. squid has its own built-in caching dns resolver, and
since it's a client it shows up on a different port every time. It seems
the only way to turn it off is to disable squid's internal resolver and
use an external one, but that's a whole new can of worms. 

> Dunno how you turn it off, though.  Iptables?  <shrug>

As I said, icp can be turned off with icp_port 0, as noted in the
squid.conf comments. It uses udp port 3130 by default.

Jason
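As an added example (not from any poster), a small audit of the two squid.conf settings these threads turn on: the three `http_port` forms Jens quotes from the config comments, where a bare port listens on every interface, and the `icp_port` directive Jason and Kevin discuss (UDP 3130 by default, closed with `icp_port 0`). The function name and both configuration fragments are constructed for this example; the random-port internal DNS socket Jason found is not covered, since no directive in the thread closes it.

```shell
#!/bin/sh
# Audit a squid.conf for its listener settings: http_port in its three forms
# (port, hostname:port, ip:port), where a bare port means squid listens on
# every interface, and icp_port, whose UDP listener stays open on the
# default 3130 unless the file sets "icp_port 0".
# Function name and the sample configuration are constructed for this example.

# audit_squid_conf CONF
# Prints one finding per line:
#   http_port <addr>:<port> bound     listener tied to one address
#   http_port *:<port> wildcard       listener on all interfaces
#   icp_port <n> open|disabled        state of the ICP UDP listener
audit_squid_conf() {
    conf=$1
    # Drop comments and blank lines, then look at the first two words of each
    # directive (http_port may carry trailing options such as "transparent").
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while read -r key value _rest; do
        case "$key" in
            http_port)
                case "$value" in
                    *:*) printf 'http_port %s bound\n' "$value" ;;
                    *)   printf 'http_port *:%s wildcard\n' "$value" ;;
                esac ;;
            icp_port)
                if [ "$value" = "0" ]; then
                    printf 'icp_port 0 disabled\n'
                else
                    printf 'icp_port %s open\n' "$value"
                fi ;;
        esac
    done
    # No icp_port line at all means the compiled-in default (3130) is in use.
    if ! grep -q '^[[:space:]]*icp_port[[:space:]]' "$conf"; then
        printf 'icp_port 3130 open (default)\n'
    fi
}

# --- constructed squid.conf fragments ---
SAMPLE_CONF_A=$(mktemp)
cat > "$SAMPLE_CONF_A" <<'EOF'
# constructed: listens on every interface, ICP left at its default
http_port 3128
cache_mem 8 MB
EOF

SAMPLE_CONF_B=$(mktemp)
cat > "$SAMPLE_CONF_B" <<'EOF'
# constructed: bound to one internal address, ICP switched off
http_port 192.0.2.10:8000   # internal interface only
tcp_outgoing_address 192.0.2.10
icp_port 0
EOF

# Expected for A: "http_port *:3128 wildcard" and "icp_port 3130 open (default)"
audit_squid_conf "$SAMPLE_CONF_A"
# Expected for B: "http_port 192.0.2.10:8000 bound" and "icp_port 0 disabled"
audit_squid_conf "$SAMPLE_CONF_B"
```

Alexander's warning applies to the result: an init script that passes `-u` to squid overrides the `icp_port` value in the file, so confirm with `netstat -lnp` after restarting.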





Re: is iptables enough?

2003-03-26 Thread Steffen Burmeister
Hi all,

On Tue, Mar 25, 2003 at 01:46:32PM -0600, Jones wrote:
 One thing they forgot to mention was that they used Exchange for 
 email.  That means instead of running exim, I will have to forward 
 SMTP  POP traffic to their Exchange server.  The Exchange server 
 will not be directly connected to the Internet.

If you only port-forward the connections to the Exchange
Server you will expose it to the world like you would
run it on the firewall itself.

You are right about forwarding the traffic (how else should
they get their mail :), but IMHO it is far better to still 
use exim, but only as a smart-host to redirect mail from 
the internet to the Exchange-server and back. If you update 
your debian-box regularly, you don't have to worry about the 
security of the Exchange-server that much.

later

   Steffen Burmeister, Dipl. Wirtschaftsinformatiker (BA)

--
ebios informationssysteme volker birk
gut-betha-platz 1 88339 bad waldsee germany
phone +49 (7524) 93421fax +49 (7524) 93423   
mailto:[EMAIL PROTECTED]http://www.ebios.de



pgpCWb3BeQjTl.pgp
Description: PGP signature


noboby with a shell !!

2003-03-26 Thread Yoann

hi,

I look at in the file /etc/passwd on my server today, and I saw the user 
nobody has a shell !!. When I installed my debian (sarge, I know it's 
bad, but it's just a server for me...) I put /bin/false. A few days ago, 
while an upgrade, apt asked to me to upgrade that file to the new 
version and answer yes, so I think it come from that action, but it 
could be unsecure to put /bin/sh for nobody ?


nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 
I change to :

nobody:x:65534:65534:nobody:/dev/null:/bin/false

Yoann



Re: noboby with a shell !!

2003-03-26 Thread Sven Hoexter
On Wed, Mar 26, 2003 at 11:35:38AM +0100, Yoann wrote:

Hi,

 I look at in the file /etc/passwd on my server today, and I saw the user 
 nobody has a shell !!. When I installed my debian (sarge, I know it's 
 bad, but it's just a server for me...) I put /bin/false. A few days ago, 
 while an upgrade, apt asked to me to upgrade that file to the new 
 version and answer yes, so I think it come from that action, but it 
 could be unsecure to put /bin/sh for nobody ?
Well yes it could :) As long as the user has no valid password it's not very
usefull. Take a look into the /etc/shadow and in the second field you'll find
! or * indicating that this user has a invalid password. See man 5 shadow.
 
 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
  
 I change to :
 
 nobody:x:65534:65534:nobody:/dev/null:/bin/false
This might be bad cause AFAIK a few cronjobs change from their root uid to
nobody via the su command. See your /var/log/syslog maybe you'll now get
some errors from cron jobs at night.

Sven

-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]



Re: nobody with a shell !!

2003-03-26 Thread robjeh
Does the user nobody have a password in /etc/shadow?

greets
  Robbert

Quoting Yoann [EMAIL PROTECTED]:

 hi,
 
 I looked at the file /etc/passwd on my server today, and I saw the user 
 nobody has a shell !!. When I installed my Debian (sarge, I know it's 
 bad, but it's just a server for me...) I put /bin/false. A few days ago, 
 during an upgrade, apt asked me to upgrade that file to the new 
 version and I answered yes, so I think it comes from that action, but 
 could it be insecure to put /bin/sh for nobody?
 
 nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
   
 I changed it to:
 
 nobody:x:65534:65534:nobody:/dev/null:/bin/false
 
 Yoann
 
 



Re: nobody with a shell !!

2003-03-26 Thread Yoann

Hi,


I looked at the file /etc/passwd on my server today, and I saw the user
nobody has a shell !!. When I installed my Debian (sarge, I know it's
bad, but it's just a server for me...) I put /bin/false. A few days ago,
during an upgrade, apt asked me to upgrade that file to the new
version and I answered yes, so I think it comes from that action, but
could it be insecure to put /bin/sh for nobody?


Well yes it could :) As long as the user has no valid password it's
not very useful. Take a look into /etc/shadow and in the second field
you'll find ! or * indicating that this user has an invalid password.
See man 5 shadow.


There is an * in /etc/shadow for nobody, but all services (ftp, web...)
are running with the uid nobody, so if there is an attack on an unknown
bug (I keep all services up to date) on those services (buffer overflow
for example), it will be insecure...


nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
 ^^^
I changed it to:

nobody:x:65534:65534:nobody:/dev/null:/bin/false


This might be bad because AFAIK a few cronjobs change from their root uid to
nobody via the su command. See your /var/log/syslog; maybe you'll now get
some errors from cron jobs at night.


I will pay attention, thx


Sven


Yoann




bind squid to interface

2003-03-26 Thread Michael West
I would like to bind squid to a specific interface.  

I thought the easy way to do this would be with xinetd, but I get:

Mar 26 06:05:09 localhost squid: Cannot open HTTP Port
Mar 26 06:05:49 localhost last message repeated 10 times

When I try to use it.  Normally this would mean there is a squid process
already running, but there is no other squid process.

service squid
{
disable = no
socket_type = stream
wait= no
user= root
bind= 192.0.0.1
server  = /usr/sbin/squid
server_args= -N -D -YC -u0
}

What am I doing wrong with xinetd?  What other ways are there to make
squid bind to an interface?

 ~Michael



Re: nobody with a shell !!

2003-03-26 Thread François TOURDE
Yoann [EMAIL PROTECTED] writes:

 There is an * in /etc/shadow for nobody, but all services (ftp, web...)
 are running with the uid nobody, so if there is an attack on an unknown
 bug (I keep all services up to date) on those services (buffer overflow
 for example), it will be insecure...

It will be insecure even if the shell field is filled with garbage...

1) The buffer overflow kind of attack is to launch a program from
within another, a shell for example.

2) The shell field (easier to write than to say) is used by:

- /bin/login to launch a shell, or pppd in some cases
- /*/ftpd to allow (/bin/true) or disallow (/bin/false) ftp access
- probably lots of other programs.

HTH.

-- 
Reality always seems harsher in the early morning.
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/



Re: bind squid to interface

2003-03-26 Thread Michael Streb
On Wednesday 26 March 2003 15:16, Michael West wrote:

Hi there,

how about:


http_port xxx.xxx.xxx.xxx:8000
tcp_outgoing_address xxx.xxx.xxx.xxx
udp_outgoing_address xxx.xxx.xxx.xxx


in the squid config and run squid as a daemon?

Michi

 I would like to bind squid to a specific interface.

 I thought the easy way to do this would be with xinetd, but I get:

 Mar 26 06:05:09 localhost squid: Cannot open HTTP Port
 Mar 26 06:05:49 localhost last message repeated 10 times

 When I try to use it.  Normally this would mean there is a squid process
 already running, but there is no other squid process.

 service squid
 {
 disable = no
 socket_type = stream
 wait= no
 user= root
 bind= 192.0.0.1
 server  = /usr/sbin/squid
 server_args= -N -D -YC -u0
 }

 What am I doing wrong with xinetd?  What other ways are there to make
 squid bind to an interface?

  ~Michael

-- 
Bisping & Bisping GmbH & Co. KG       Michael Streb
internet and network                  [EMAIL PROTECTED]
Spitalstrasse 21-24-26                phone +49-9123-9740-630
D-91207 Lauf a. d. Pegnitz            fax +49-9123-9740-97

http://photo.bisping.de  *  http://bisping.de  *  http://lauf.de



Re: nobody with a shell !!

2003-03-26 Thread Noah L. Meyerhans
On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
 Well yes it could :) As long as the user has no valid password it's not very
 useful. Take a look into /etc/shadow and in the second field you'll find
 ! or * indicating that this user has an invalid password. See man 5 shadow.

That's hardly true.  If an attacker could somehow create an ssh
authorized_keys file, they could log in without a password.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Re: nobody with a shell !!

2003-03-26 Thread martin . j
This e-mail address does not exist



Re: bind squid to interface

2003-03-26 Thread Christoph Moench-Tegeder
## Michael West ([EMAIL PROTECTED]):

 I would like to bind squid to a specific interface.  

http_port hostname:port
http_port ip:port
http_port port

It's documented.

Regards,
cmt

-- 
Spare Space



Re: bind squid to interface

2003-03-26 Thread Frank Peters
Michael West wrote:
 
 I would like to bind squid to a specific interface.
[...]
 What am I doing wrong with xinetd?  What other ways are there to make
 squid bind to an interface?

IIRC there used to be an option tcp_incoming_address in
/etc/squid.conf, but I think lately it was changed to be included in the
http_port option.

HTH

Frank



Re: bind squid to interface

2003-03-26 Thread Jens Schuessler
* Michael West [EMAIL PROTECTED] [26-03-03 15:16]:
 I would like to bind squid to a specific interface.  

Look at /etc/squid.conf:
  
# NETWORK OPTIONS
# -

#  TAG: http_port
#   Usage:  port
#   hostname:port
#   1.2.3.4:port
#
#   The socket addresses where Squid will listen for HTTP client
#   requests.  You may specify multiple socket addresses.
#   There are three forms: port alone, hostname with port, and
#   IP address with port.  If you specify a hostname or IP
#   address, then Squid binds the socket to that specific
#   address.  This replaces the old 'tcp_incoming_address'
#   option.  Most likely, you do not need to bind to a specific
#   address, so you can use the port number alone.
#
#   The default port number is 3128.
#
#   If you are running Squid in accelerator mode, then you
#   probably want to listen on port 80 also, or instead.
#
#   The -a command line option will override the *first* port
#   number listed here.   That option will NOT override an IP
#   address, however.
#
#   You may specify multiple socket addresses on multiple lines.
#
#Default:
http_port 127.0.0.1:3128

HTH
Jens



Removing invalid keys from keyring

2003-03-26 Thread Kjetil Kjernsmo

Hi all,

I guess this question might be more suited to gnupg-users, but as I'm 
not subscribed to that list, I hope you can forgive me for asking 
here... It is a really short question...

Is there a way to remove revoked/expired and otherwise invalid or 
useless keys from a GPG keyring, in batch?

I once downloaded the 4500 keys that were closest to me, but many of 
them are invalid now, and I'd like to remove those in a quick way. Are 
there possibly any scripts lying around? 

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/   OpenPGP KeyID: 6A6A0BBC



Re: nobody with a shell !!

2003-03-26 Thread Sven Hoexter
On Wed, Mar 26, 2003 at 10:50:48AM -0500, Noah L. Meyerhans wrote:
 On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
  Well yes it could :) As long as the user has no valid password it's not very
  useful. Take a look into /etc/shadow and in the second field you'll find
  ! or * indicating that this user has an invalid password. See man 5 shadow.
 
 That's hardly true.  If an attacker could somehow create an ssh
 authorized_keys file, they could log in without a password.
and if he can somehow create the non-existing home dir,
or if he can somehow change $HOME ... oh, forgot, when he has the power to
somehow change $HOME he can change $SHELL, or if he can edit
/etc/passwd he's root ... who cares about nobody.

Yeah, there are so many side conditions that could happen, what a horror - time
to take the internet offline. *hrhr*

Well, at least you shouldn't run all your daemons under one uid. Create one for
the ftpd, one for your httpd and so on.

SCNR
Sven
-- 
It really sucks to give your heart to a girl
You want to know her like she knows the whole world
But 10 seconds in, it's obvious, your going nowhere...
[Bowling for Soup - Drunk Enough To Dance - I Don't Wanna Rock]

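As an added example (not code from any poster in this thread), a small POSIX shell audit that lists system accounts still carrying an interactive shell and reports whether their shadow entry is locked, which is the check Sven and Noah are circling around. It assumes the Debian uid convention (system accounts below 1000 plus nobody at 65534) and runs on constructed passwd/shadow samples, not the real files.

```shell
#!/bin/sh
# Added example, not from the thread: audit a passwd/shadow pair for system
# accounts that keep an interactive shell, and say whether the shadow entry is
# locked ("*" or a leading "!", see shadow(5)). It only reports; it does not
# edit anything, since (as Sven notes) cron jobs may su to nobody.
# Assumption: Debian uid convention (system uids < 1000, nobody = 65534).

audit_system_shells() {
    # $1 = passwd file, $2 = shadow file; shells ending in false/nologin are skipped
    awk -F: -v shadow="$2" '
        BEGIN {
            # Load user -> password field from the shadow file
            while ((getline line < shadow) > 0) {
                if (split(line, f, ":") >= 2) hash[f[1]] = f[2]
            }
            close(shadow)
        }
        ($3 < 1000 || $3 == 65534) && $7 !~ /(false|nologin)$/ {
            h = ($1 in hash) ? hash[$1] : ""
            state = (h == "*" || h ~ /^!/) ? "locked" : "UNLOCKED"
            printf "%s uid=%s shell=%s password=%s\n", $1, $3, $7, state
        }
    ' "$1"
}

# Constructed sample files mirroring the entries discussed in the thread;
# the hashes are placeholders, not real password hashes.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
yoann:x:1000:1000:Yoann:/home/yoann:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$placeholder$notarealhash:12000:0:99999:7:::
www-data:*:12000:0:99999:7:::
nobody:*:12000:0:99999:7:::
yoann:$6$placeholder$notarealhash2:12000:0:99999:7:::
EOF
}

# Stand-alone run against the constructed samples. Expected report:
#   root uid=0 shell=/bin/bash password=UNLOCKED
#   nobody uid=65534 shell=/bin/sh password=locked
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
audit_system_shells "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```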


speaking of squid ports...

2003-03-26 Thread Jason Lunz
does anyone know what squid's udp sockets are for, and how to close
them? As far as I can tell, I don't need them, but I've been unable to
find a combination of squid directives to make them all go away. The icp
port can be closed using icp_port 0, but the other one is dynamic and
isn't referred to in the squid docs as far as I can tell:

[kahlua](0) # netstat -lp | grep squid
tcp0  0 *:3128  *:* LISTEN  673/(squid)
udp0  0 *:1414  *:* 673/(squid)

the udp port isn't there immediately after starting squid, but it always
shows up after a client uses the proxy. port 1414 isn't constant; it's
different every time.

Jason



Re: speaking of squid ports...

2003-03-26 Thread Kevin Cheek

I believe that UDP port is for receiving DNS responses.

-Kevin

Jason Lunz [EMAIL PROTECTED] writes:

 does anyone know what squid's udp sockets are for, and how to close
 them? As far as I can tell, I don't need them, but I've been unable to
 find a combination of squid directives to make them all go away. The icp
 port can be closed using icp_port 0, but the other one is dynamic and
 isn't referred to in the squid docs as far as I can tell:
 
 [kahlua](0) # netstat -lp | grep squid
 tcp0  0 *:3128  *:*   LISTEN  673/(squid)
 udp0  0 *:1414  *:*   673/(squid)
 
 the udp port isn't there immediately after starting squid, but it always
 shows up after a client uses the proxy. port 1414 isn't constant; it's
 different every time.
 
 Jason



Re: speaking of squid ports...

2003-03-26 Thread Noah L. Meyerhans
On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
 
 I believe that UDP port is for receiving DNS responses.

Umm...  No.

It's used for ICP, a protocol for intercommunication between squid
caches.  For example, at my site we have two different caches.  One is
basically transparent.  The other provides anonymizing services.  But,
through ICP, both caches can make use of each other's cached objects.

Dunno how you turn it off, though.  Iptables?  shrug

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: speaking of squid ports...

2003-03-26 Thread Alexander Reelsen
On Wed, Mar 26, 2003 at 03:18:36PM -0500, Noah L. Meyerhans wrote:
 On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
  I believe that UDP port is for receiving DNS responses.
 It's used for ICP, a protocol for intercommunication between squid
 caches.  For example, at my site we have two different caches.  One is
 basically transparent.  The other provides anonymizing services.  But,
 through ICP, both caches can make use of each other's cached objects.
 
 Dunno how you turn it off, though.  Iptables?  shrug
Should work by setting icp_port to '0'... If it is written via -u in
the init scripts, the config file settings are overwritten, so beware.


Regards, Alexander

-- 
Alexander Reelsen
http://tretmine.org



Re: speaking of squid ports...

2003-03-26 Thread Kevin Cheek
Noah L. Meyerhans [EMAIL PROTECTED] writes:

 On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
  
  I believe that UDP port is for receiving DNS responses.
 
 Umm...  No.
 
 It's used for ICP, a protocol for intercommunication between squid
 caches.  For example, at my site we have two different caches.  One is
 basically transparent.  The other provides anonymizing services.  But,
 through ICP, both caches can make use of each other's cached objects.
 
 Dunno how you turn it off, though.  Iptables?  shrug
 
 noah

He already said he turned off the ICP port, so I'm guessing that isn't
it.  Also, the ICP port is 3130 by default, not 1414.

Squid can also use a udp port for snmp (default 3401).

FWIW, I found a couple of references to squid's use of a random high
udp port on the squid-user list.  The only responses I could find
indicated that this port is used for DNS.

-Kevin



Re: speaking of squid ports...

2003-03-26 Thread Jason Lunz
[EMAIL PROTECTED] said:
 Umm...  No.
 
 It's used for ICP, a protocol for intercommunication between squid
 caches.  For example, at my site we have two different caches.  One is
 basically transparent.  The other provides anonymizing services.  But,
 through ICP, both caches can make use of each other's cached objects.

No, Kevin's right. Squid has its own built-in caching DNS resolver, and
since it's a client it shows up on a different port every time. It seems
the only way to turn it off is to disable squid's internal resolver and
use an external one, but that's a whole new can of worms. 

 Dunno how you turn it off, though.  Iptables?  shrug

As I said, icp can be turned off with icp_port 0, as noted in the
squid.conf comments. It uses udp port 3130 by default.

Jason
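As an added example serving both the "bind squid to interface" thread and this one (not code from any poster or from the Squid project), a POSIX shell check that compares the sockets a program holds in netstat -lp output against an allowlist, so a wildcard bind or an unexplained UDP socket gets reported rather than noticed by accident. It assumes netstat's classic column layout and uses 192.0.2.1 as a constructed address for the intended interface.

```shell
#!/bin/sh
# Added example, not from the thread: compare the sockets a program holds in
# "netstat -lp" output against an allowlist of "proto/addr:port" entries, so a
# wildcard bind (squid not tied to one interface) or a stray UDP socket (ICP on
# 3130, SNMP on 3401, the internal resolver's random client port) is reported.
# Assumptions: netstat's classic layout (local address in column 4, PID/program
# last), and 192.0.2.1 as a constructed address for the intended interface.

check_listeners() {
    # $1 = netstat output file, $2 = program name, $3 = space-separated allowlist
    awk -v prog="$2" -v allow="$3" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # udp lines have no State column, so index from the left, not the right
        $1 ~ /^(tcp|udp)6?$/ && $NF ~ ("/\\(?" prog "\\)?$") {
            key = $1 "/" $4
            if (!(key in ok)) {
                kind = ($4 ~ /^(\*|0\.0\.0\.0|::):/) ? "wildcard" : "bound"
                printf "unexpected %s socket %s (%s)\n", kind, key, $NF
            }
        }
    ' "$1"
}

# Constructed "netstat -lp" output in the format shown in the thread.
write_sample_netstat() {
    cat > "$1" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 192.0.2.1:3128  *:*              LISTEN  673/(squid)
tcp        0      0 *:22            *:*              LISTEN  512/sshd
udp        0      0 *:3130          *:*                      673/(squid)
udp        0      0 *:1414          *:*                      673/(squid)
EOF
}

# Stand-alone run: squid should only hold tcp/192.0.2.1:3128. Expected:
#   unexpected wildcard socket udp/*:3130 (673/(squid))   <- icp_port 0 closes it
#   unexpected wildcard socket udp/*:1414 (673/(squid))   <- internal DNS client
sample=$(mktemp)
write_sample_netstat "$sample"
check_listeners "$sample" squid "tcp/192.0.2.1:3128"
rm -f "$sample"
```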