Re: Is this an obsolete tiger file?

2003-03-31 Thread Dale Amon
On Sun, Mar 23, 2003 at 09:44:18PM +0100, Javier Fernández-Sanguino Peña wrote:
> This file is created by tiger's buildbins (look in the util/ dir) which is
> called by /usr/lib/tiger/bin/config which is called by tiger itself. It
> just gets created once when you build the binaries. However, you should not
> have built the binaries (since they are already provided compiled).
> 
> You can remove it, I wonder how it got created, however.

Thanks. Will do.

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--



Re: is this an attack ?

2003-03-31 Thread Kevin Buhr
danilo lujambio <[EMAIL PROTECTED]> writes:
> 
> 18:59:06 web wu-ftpd[10527]: connect from 200.158.144.201
> Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
> Mar 28 18:59:07 web wu-ftpd[10527]: PASS [EMAIL PROTECTED]
[ etc. ]

This log indicates that someone connected as an anonymous user and
attempted to upload a 104154-byte file named "528.258" to several
directories: the anonymous user's "/bin", "/lib", and "/pub".  The log
doesn't show whether or not the upload attempts were successful.  The
fact that they were repeated several times suggests they weren't.

I believe there's an automated tool that scans for FTP servers that
have one or more read/writable directories.  It uploads this file with
random names "number.number" and tries to retrieve it again.  The file
itself is harmless---it's just a test to find open directories that
can be used to trade pirated software or other files.  You'll note
that nowhere in your log did the person try to *retrieve* the file
again, so it's quite likely they failed to store the file anywhere and
gave up.  No harm done.

> Mar 28 19:00:02 web kernel: EXT2-fs warning: maximal mount count reached, running e2fsck is recommended
> Mar 28 19:00:02 web kernel: EXT2-fs warning: maximal mount count reached, running e2fsck is recommended

This is curious but not necessarily related.  Is it possible someone
mounted (or remounted) an EXT2 filesystem at this time?  Or that you
have an automounter running that might have mounted an EXT2
filesystem?

-- 
Kevin <[EMAIL PROTECTED]>
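A detector for the pattern Kevin describes, as an added example that is not part of the original post: it groups wu-ftpd syslog lines per session and reports anonymous sessions that STOR "number.number" files into several directories without ever issuing a RETR. The log lines are constructed, and the exact command-log format is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in wu-ftpd's syslog style; the command-log format is an
# assumption for this example, not copied from the original post.
SAMPLE_LOG = """\
Mar 28 18:59:06 web wu-ftpd[10527]: connect from 192.0.2.10
Mar 28 18:59:07 web wu-ftpd[10527]: USER anonymous
Mar 28 18:59:07 web wu-ftpd[10527]: PASS guest@example.invalid
Mar 28 18:59:08 web wu-ftpd[10527]: STOR /bin/528.258
Mar 28 18:59:09 web wu-ftpd[10527]: STOR /lib/528.258
Mar 28 18:59:10 web wu-ftpd[10527]: STOR /pub/528.258
Mar 28 18:59:11 web wu-ftpd[10527]: STOR /pub/528.258
Mar 28 19:01:00 web wu-ftpd[10600]: connect from 198.51.100.7
Mar 28 19:01:01 web wu-ftpd[10600]: USER anonymous
Mar 28 19:01:02 web wu-ftpd[10600]: RETR /pub/README
Mar 28 19:02:00 web wu-ftpd[10611]: connect from 203.0.113.5
Mar 28 19:02:01 web wu-ftpd[10611]: USER alice
Mar 28 19:02:03 web wu-ftpd[10611]: STOR /home/alice/1.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"wu-ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The "number.number" file names Kevin mentions (e.g. 528.258).
PROBE_NAME_RE = re.compile(r"^\d+\.\d+$")


@dataclass
class Session:
    pid: str
    client: str = ""
    user: str = ""
    store_dirs: set = field(default_factory=set)  # directories a probe STOR targeted
    store_attempts: int = 0
    retrieved: bool = False                       # did the client ever RETR anything?


def parse_sessions(log_text):
    """Group wu-ftpd lines by process id (wu-ftpd forks one child per session)."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # not a wu-ftpd line; ignore it
        sess = sessions.setdefault(m["pid"], Session(pid=m["pid"]))
        msg = m["msg"]
        if msg.startswith("connect from "):
            sess.client = msg[len("connect from "):].strip()
        elif msg.startswith("USER "):
            sess.user = msg[5:].strip()
        elif msg.startswith("STOR "):
            path = msg[5:].strip()
            directory, _, name = path.rpartition("/")
            if PROBE_NAME_RE.match(name):
                sess.store_attempts += 1
                sess.store_dirs.add(directory or ".")  # "." = relative to the cwd
        elif msg.startswith("RETR "):
            sess.retrieved = True
    return sessions


def find_probe_sessions(log_text, min_dirs=2):
    """Return sessions matching the writable-directory probe: anonymous login,
    number.number STORs into at least min_dirs directories, and no RETR at all
    (so, as Kevin notes, the probe most likely never found a writable spot)."""
    hits = []
    for sess in parse_sessions(log_text).values():
        if (sess.user == "anonymous" and len(sess.store_dirs) >= min_dirs
                and not sess.retrieved):
            hits.append({"pid": sess.pid, "client": sess.client,
                         "attempts": sess.store_attempts,
                         "dirs": sorted(sess.store_dirs)})
    return hits


if __name__ == "__main__":
    for hit in find_probe_sessions(SAMPLE_LOG):
        print("probe-like session:", hit)
```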



Re: iptables forwarding to inside firewall

2003-03-31 Thread Thomas Zimmerman
On Mon, 31 Mar 2003 10:24:15 +1000
Paul Hampson <[EMAIL PROTECTED]> wrote:

> On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> > On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
[snip]
> > If you have more than 1 static address, an MTA running in a DMZ is
> > definitely better.  This way you could still have your internal MTA
> > being port forwarded by restricting access through the firewall by
> > source address, such that only your MTA in the DMZ can access the
> > port redirect.  If you can restrict access by way of network
> > interface on the firewall[1] then you're much much better off again
> > as this protects against a spoof.
> 
> I don't quite follow this... Surely if one can break into the
> port-forwarded MTA, one can break into DMZ's MTA, which would
> then allow the attacker to access the port-forwarding anyway?

The truly paranoid run different MTAs on the DMZ and internal
networks; hopefully there aren't two zero-day exploits. Even on a single
IP (most users) you can always use UML virtual servers. Port-forward
onto a separate subnet and do not trust other traffic on that subnet.

Defence in depth, and all that. Or just keep on top of the latest
patches/updates and run small sites with low bandwidth...

Thomas




Re: noboby with a shell !!

2003-03-31 Thread Dale Amon
On Sat, Mar 29, 2003 at 12:55:21AM +0100, Sven Hoexter wrote:
> Ok then I'm out of arguments ;) but I think there is a reason for the
> packagers to set up a lot of dummy users for daemons etc. with /bin/sh
> instead of /bin/false or /dev/null.

I have heard it so argued and remain to be convinced.
I have a cfengine script that overwrites the work of
Debian packages in passwd within minutes of an upgrade.
All non-real users get /dev/false for a shell on my
systems.  If it breaks some arcane feature... tough.

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--
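A check in the spirit of Dale's cfengine pass, as an added example that is not code from the original post: it lists the system accounts in a constructed passwd excerpt whose shell would still allow an interactive login. The UID ranges and the set of nologin shells are assumptions (Debian's defaults).

```python
# Constructed /etc/passwd excerpt (not from the original post).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:
sshd:x:100:65534::/var/run/sshd:/bin/false
postfix:x:101:103::/var/spool/postfix:/usr/sbin/nologin
dale:x:1000:1000:Dale:/home/dale:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""

# Shells that refuse an interactive login (assumed set); anything else is
# treated as a real shell.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin",
                  "/usr/sbin/nologin"}

# Debian's default allocation: UIDs 1000-59999 are people, everything else
# (other than root) is a system account.
HUMAN_UID_RANGE = range(1000, 60000)


def effective_shell(shell_field):
    """passwd(5): an empty shell field means /bin/sh, so an empty field is a
    working login shell, not a disabled one."""
    return shell_field if shell_field else "/bin/sh"


def system_accounts_with_login_shell(passwd_text):
    """Return (name, uid, effective_shell) for every non-root system account
    whose shell is not one of the known nologin shells."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                     # malformed entry; skip rather than guess
        name, _, uid, _, _, _, shell = fields
        uid = int(uid)
        if uid == 0 or uid in HUMAN_UID_RANGE:
            continue                     # root and real users are out of scope
        shell = effective_shell(shell)
        if shell not in NOLOGIN_SHELLS:
            findings.append((name, uid, shell))
    return findings


if __name__ == "__main__":
    for name, uid, shell in system_accounts_with_login_shell(SAMPLE_PASSWD):
        print(f"{name} (uid {uid}) still has login shell {shell}")
```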



Re: iptables forwarding to inside firewall

2003-03-31 Thread Dale Amon
On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> [1] If you use the "3 legged firewall" setup, it is possible to
> distinguish DMZ traffic from other traffic based on which interface it is
> entering the firewall.

Just have two different NICs to two different non-routable
LANs; one is your private LAN, the other is for your public
services. Port redirect services into the public net
and firewall it so nothing can connect back out from it.
Then even if your MTA is hacked, all you've lost is the
machine on the public LAN. Your fw and private LAN are
still secure.

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--



[OT] Msec (was Re: Maybe an intruder?)

2003-03-31 Thread Cau de Alencar
On Sun, 2003-03-30 at 12:40, Cau de Alencar wrote:
> Medusa is running. That's it generating security warnings.
> Something not well configured.
> 
> Thank you all.

Just correcting myself... the program generating the security
alerts (thread - Maybe an intruder?) seems to be Msec (distro
Mandrake).

# man msec
"...It enables the
system administrator to change the security level for that
system.   msec is provided with six preconfigured security
levels. These levels range from poor security and ease  of
use,  to  paranoid  config,  suitable  for  very sensitive
server applications, managed by experts..."

-- Cau




Re: Port 635

2003-03-31 Thread Netnation - Diederik de Vries

> Maybe it's related to that, maybe it's not.
> According to sans.org [1] RPC services are the number 1 exploitable part to
> UNIX systems so it may just be one of those standard 'scans' you get now and
> then.

For your information: on the hosts there ISN'T an RPC service. They get
trapped by Portsentry, but lately there was an increase in the number of
portscans.

Therefore, I think that the connections are not welcome, and thus an attempt
to hack.

Cheers!

Diederik de Vries






Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-03-31 Thread Maurizio Lemmo - Tannoiser
On Monday 31 March 2003, at 16:02, DouRiX wrote:
> Does someone know where Debian is on this issue?
> 
> 

I've noticed that there is a kernel 2.4.20 with the ptrace patch included in
proposed-updates.

For my purposes, I've backported that patch to work with kernel 2.4.18
(from Debian).

Works for me.

Patch with:

cd /path/to/source
patch -p1 < /path/to/patch

You may find it here:

http://erlug.linux.it/~tann/pkg/linux-2.4.18-ptrace-tann.patch

(There is also a bf2.4 kernel image with the patch incorporated, if you trust
me.. :) )

-- 
Master: "You killed the girl that sought the Slayer?"
Xander: "It was too easy."
Willow: "I felt cheap."
--Buffy the Vampire Slayer: The Wish



Re: Port 635

2003-03-31 Thread David Ramsden
- Original Message -
From: "Netnation - Diederik de Vries" <[EMAIL PROTECTED]>
To: 
Sent: Monday, March 31, 2003 1:55 PM
Subject: Port 635


> Hi there!
>
> The last weeks, we frequently get portscanned at port 635. 635 is used for
> mountd. Is there some new form of exploit available, or am I getting plain
> paranoid? :)
>
I'm not sure if there is or not but a buffer overflow in Sun's RPC
implementation was found (see DSA 272-1).
So maybe it's something related to that? mountd uses RPC and NFS is all from
Sun, so I'd imagine it'd use this dietlibc?

Maybe it's related to that, maybe it's not.
According to sans.org [1] RPC services are the number 1 exploitable part to
UNIX systems so it may just be one of those standard 'scans' you get now and
then.

[1] http://www.sans.org/top20/#index

David.
--
David Ramsden
http://portal.hexstream.eu.org/



[Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-03-31 Thread DouRiX


Hi everybody,

Does someone know where Debian is on this issue?



I see that there is already an update but only for mips 
(http://www.debian.org/security/2003/dsa-270), do you know why ?


Thanks in advance,

--
DouRiX
 ["Don't fear, Just play the game ..." -- ]




Port 635

2003-03-31 Thread Netnation - Diederik de Vries
Hi there!

The last weeks, we frequently get portscanned at port 635. 635 is used for
mountd. Is there some new form of exploit available, or am I getting plain
paranoid? :)

Thanks in advance,

Diederik de Vries
Rotterdam, The Netherlands




Re: Bug in Tiger check_listening_procs?

2003-03-31 Thread Javier Fernández-Sanguino Peña
On Mon, Mar 31, 2003 at 10:29:48AM +1000, Paul Hampson wrote:
> >  If lsof is found on the system 
> >  /usr/lib/tiger/systems/Linux/2/check_listeningprocs uses the
> >  command:
> > 
> >  $LSOF -nPi | $GREP "IPv" | $GREP -v "\->" | $AWK '{printf("%s %s %s
> >  %s\n", $1, $3, $7, $8)}' | $SORT | $UNIQ |
> >  
> >  It seems that it should `grep LISTEN` as well.  

No. See below.

> > 
> >  Comments?
> 
> I would guess that only TCP sockets get 'LISTEN' but I don't
> know the output of lsof to confirm this.
> 

Precisely. TCP sockets get 'LISTEN'; UDP sockets don't. Try starting a UDP
service (echo, chargen are fine) and check lsof's output.

Tiger's initial version did "grep LISTEN" instead of the "grep -v \"->\"" (to
remove ESTABLISHED connections), but it would not detect UDP trojans that
way.

Regards

Javi
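The TCP-versus-UDP point above, as an added example rather than Tiger's own code: the function re-creates the check_listeningprocs pipeline on a constructed lsof -nPi listing and shows which sockets a "grep LISTEN" version would skip. The column layout (older lsof, no SIZE column for sockets, so $7 is the protocol and $8 the address) is an assumption chosen to match the fields Tiger prints.

```python
# Constructed lsof -nPi output in the older column layout Tiger's awk assumes.
# Newer lsof releases add a SIZE/OFF column ("0t0") for sockets, which shifts
# the protocol to $8 and the address to $9; adjust the indexes if you run this
# against a live listing.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE NODE NAME
sshd      812   root    3u  IPv4   5123  TCP *:22 (LISTEN)
named     901   bind   20u  IPv4   6011  UDP *:53
exim     1040   mail    4u  IPv4   7310  TCP 127.0.0.1:25 (LISTEN)
sshd     1320   root    4u  IPv4   9921  TCP 192.0.2.1:22->198.51.100.7:4411 (ESTABLISHED)
ntpd     1410   root    5u  IPv4   9950  UDP *:123
unknown  1999 nobody    3u  IPv4  10233  UDP *:31337
bash     2001   root    0u   CHR    4,1        /dev/tty1
"""


def listening_sockets(lsof_text, listen_only=False):
    """Python rendering of the check_listeningprocs pipeline.

    listen_only=False: current Tiger behaviour, grep -v "\\->" drops established
    connections and keeps everything else (TCP LISTEN sockets and UDP sockets).
    listen_only=True: the original grep LISTEN behaviour, which can only ever
    match TCP sockets because UDP lines carry no state.
    Returns the sorted, de-duplicated (command, user, proto, address) tuples
    that the awk | sort | uniq stage would print."""
    rows = set()
    for line in lsof_text.splitlines():
        if "IPv" not in line:              # $GREP "IPv"
            continue
        if listen_only:
            if "LISTEN" not in line:       # old version: $GREP LISTEN
                continue
        elif "->" in line:                 # current version: $GREP -v "\->"
            continue
        fields = line.split()
        if len(fields) < 8:
            continue                       # malformed line; awk would print blanks
        rows.add((fields[0], fields[2], fields[6], fields[7]))  # $1 $3 $7 $8
    return sorted(rows)                    # $SORT | $UNIQ


def udp_sockets_missed_by_listen_grep(lsof_text):
    """Sockets the old grep LISTEN version would have silently skipped."""
    seen_by_old = set(listening_sockets(lsof_text, listen_only=True))
    return [row for row in listening_sockets(lsof_text) if row not in seen_by_old]


if __name__ == "__main__":
    for command, user, proto, address in udp_sockets_missed_by_listen_grep(SAMPLE_LSOF):
        print(f"grep LISTEN would miss: {command} {user} {proto} {address}")
```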




Re: Logcheck, Logsentry, LogRider etc.

2003-03-31 Thread Adrian 'Dagurashibanipal' von Bidder
On Mon, 2003-03-31 at 01:24, Thomas Ritter wrote:
> On Monday, 31 March 2003 00:27, Jan-Hendrik Palic wrote:
> > I am using logcheck, personally installed on my Debian-Server/WS,
> > because, there are no debian-packages .. :(
> 
> I don't know about sarge and woody, but logcheck is in sid, roughly
> preconfigured for Debian systems.

It's there, also in stable.

And, more important, more and more packages bring their own
/etc/logcheck/ignore.d* files, so the logcheck maintainer doesn't have
to jump after every log-producing daemon.

Works fine here.

-- vbi

-- 
featured product: the GNU Compiler Collection - http://gcc.gnu.org




Re: iptables forwarding to inside firewall

2003-03-31 Thread Victor Calzado Mayo

Hi
On Monday 31 March 2003 02:24, Paul Hampson wrote:
> On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> > On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
> > > Working on running a SMTP server inside the firewall that takes
> > > incoming SMTP traffic from outside the firewall.  The below rules are
> > > not working.  The firewall refuses connections.  Any input on what
> > > wrong?
> >
> > If a remote exploit is found in the MTA running on your internal host (as
> > has just occurred with sendmail again), an attacker may be able to launch
> > a direct attack on this box.  Depending on your overall security
> > structure they may then be able to attack any number of hosts behind your
> > firewall.
> >
> > Some of the alternatives aren't much better.  Running an MTA on your
> > firewall is just as bad as a remote exploit here may allow an attacker
> > access to the root on the firewall, allowing the firewall to be
> > circumvented again.
> >
> > If you have more than 1 static address, an MTA running in a DMZ is
> > definitely better.  This way you could still have your internal MTA being
> > port forwarded by restricting access through the firewall by source address,
> > such that only your MTA in the DMZ can access the port redirect.  If you
> > can restrict access by way of network interface on the firewall[1] then
> > you're much much better off again as this protects against a spoof.
>
> I don't quite follow this... Surely if one can break into the
> port-forwarded MTA, one can break into DMZ's MTA, which would
> then allow the attacker to access the port-forwarding anyway?

I think so; it only depends on how paranoid you are and how many levels of
security you think you need. A lot of people could say a lot of things
against proxies and multiplexors, and talk about the virtues of a NATed
environment...

Going back to the original thread, I think the problem should be in the forward
rule of the internal interface; I can't see any rule like that in the rules,
and if the default policy of the forward hook is DROP the packets will be
rejected at this point. A forward rule allowing this traffic should permit
incoming traffic to the internal SMTP server.

Best Regards
Victor





-- 
--
March
One of the worst months for dragging the world into absurd wars.
The other months of the same kind are: January, February, April, May, June,
July, August, September, October, November and December.



Re: Unidentified subject!

2003-03-31 Thread Sami Haahtinen
On Sun, Mar 30, 2003 at 02:48:43PM -0600, David Ehle wrote:
> > 2.
> > Use spamassassin (I use procmail) as spamfilter. You won't see Spam
> > again. (And if you do, you have done something wrong. Really.)
> 
> On spamassassin, I haven't used it, so this may be a stupid question, but
> would it be impossible to set it up, or an equivalent, on the list?

If you take a look at the headers in the message, you will see that all
mail is being filtered through spamassassin before handing it over to
the list. I can only imagine how much of the incoming spam gets
filtered; keep in mind that this is a small percentage of the spam we
are actually seeing..

Also, it's nice to run the mail through bogofilter, which gives me quite
accurate readings on how effective different spamassassin filters are ;)

Sami

-- 
  -< Sami Haahtinen >-
  -[ Notify immediately if you do not receive this message ]-
-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-



