RES: removing portsentry routes
Hi! I use iptables to block hosts denied by portsentry (you can configure it in portsentry.conf; KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"). Also, I have a script for setting up my firewall rules. All I do to expire denied hosts is configure cron to flush my firewall rules (with iptables -F) and run my firewall script again.

- Samuel

- Original message -
From: Hanasaki JiJi [SMTP:[EMAIL PROTECTED]
Sent: Wednesday, April 2, 2003 13:11
To: List - Debian Security
Subject: removing portsentry routes

Anyway to tell portsentry to remove all routes it added? or to expire added deny routes after a period of time?
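Samuel's cron approach works, but `iptables -F` removes every rule (not just the ones portsentry added) until the firewall script has run again. The following is an added example, written for this page and not code from the thread or from the portsentry project, of a small wrapper that records each block with a timestamp and later deletes only the DROP rules whose lifetime has passed. The script name /usr/local/sbin/psblock, the log path under /var/lib/portsentry and the cron-driven `expire` action are assumptions of mine; the `block` action is what KILL_ROUTE would be pointed at.

```shell
#!/bin/sh
# Added example, not code from the thread: expire portsentry blocks one rule at
# a time instead of flushing the whole ruleset with `iptables -F`.
# Assumptions (mine, not from the thread): portsentry.conf points KILL_ROUTE at
#   KILL_ROUTE="/usr/local/sbin/psblock block $TARGET$"
# so every block is written with a timestamp to $BLOCKLOG, and cron runs
# `psblock expire` periodically. Set IPTABLES=echo for a dry run.

BLOCKLOG="${BLOCKLOG:-/var/lib/portsentry/blocked.log}"
TTL="${TTL:-86400}"                 # lifetime of a block in seconds (24h)
IPTABLES="${IPTABLES:-/sbin/iptables}"

# block ADDR: insert the DROP rule portsentry asked for and record when.
block() {
    addr="$1"
    "$IPTABLES" -I INPUT -s "$addr" -j DROP || return 1
    printf '%s %s\n' "$(date +%s)" "$addr" >> "$BLOCKLOG"
}

# expired NOW: print the addresses whose block is at least TTL seconds old.
# NOW is a parameter (epoch seconds) so the selection logic is testable.
expired() {
    [ -f "$BLOCKLOG" ] || return 0
    awk -v now="$1" -v ttl="$TTL" '$1 + ttl <= now { print $2 }' "$BLOCKLOG"
}

# expire: delete only the DROP rules whose TTL has passed, then drop those
# entries from the log; every other firewall rule stays in place.
expire() {
    now=$(date +%s)
    expired "$now" | while read -r addr; do
        "$IPTABLES" -D INPUT -s "$addr" -j DROP
    done
    [ -f "$BLOCKLOG" ] || return 0
    tmp=$(mktemp) || return 1
    awk -v now="$now" -v ttl="$TTL" '$1 + ttl > now' "$BLOCKLOG" > "$tmp" \
        && mv "$tmp" "$BLOCKLOG"
}

# demo: dry run on a constructed log so the script can be exercised without root.
demo() {
    BLOCKLOG=$(mktemp); IPTABLES=echo; TTL=0
    block 192.0.2.10        # constructed sample addresses (TEST-NET-1)
    block 192.0.2.11
    expire                  # TTL=0, so both rules are removed again
    rm -f "$BLOCKLOG"
}

case "$1" in
    block)  block "$2" ;;
    expire) expire ;;
    demo)   demo ;;
esac
```

Run `psblock demo` to see the inserted and deleted rules echoed instead of applied; with a real iptables a cron line such as `*/10 * * * * root /usr/local/sbin/psblock expire` (also an assumption) gives the time-based expiry the original question asked for, without the window in which the host has no rules at all.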
removing portsentry routes
Anyway to tell portsentry to remove all routes it added? or to expire added deny routes after a period of time?

--
"Management is doing things right; leadership is doing the right things." - Peter Drucker
http://www.sun.com/service/sunps/jdc/javacenter.pdf
www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Wed, Apr 02, 2003 at 09:46:52AM +0200, Dariush Pietrzak wrote:
> > of proportion... Some things in security _have_ to be obscure. Your
> > password, for example. Or the primes used to generate your PGP private
> There's a difference between 'obscure' and 'secret'.

In this context, I'd suggest that the difference is that things that need to be obscured _might_ be security risks, or are high-effort risks (your password-protected GPG secret key), and things that need to be kept secret are the low-effort risks, or things that are known to open up the security (your GPG secret key passphrase).

> All you gain by removing kernel-loading capability from your kernel is to
> force cracker to search memory to find entry points.
> That's like hiding key to your door under your doormat.

No, the key's the same. It's the lock that's been moved. Or rather, removed... Now the key must be inserted into the keyhole in such a way as to drop the tumblers. Sure, someone experienced enough could do it easily, but the guy who just wanders past and decides to look under your mat will get discouraged.

Not that I'm suggesting that the earlier poster's security setup (you have to _be_ root to make this work anyway) is a doormat level of security... But the metaphor needed stretching. :-)

> > Security-by-obscurity refers to securing things by relying on the
> > obscurity of the _processes and functionality_ behind the security system,
> that fits this description.

No it doesn't. In this case, that would be hiding the Linux source code so that there was no reference to _find out_ how to load a module without modutils.

Besides, security through obscurity isn't all it's cracked up to be... Ask distributed.net how well their keyblock uploading code works, security wise...

--
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

Of course Pacman didn't influence us as kids. If it did, we'd be running around in darkened rooms, popping pills and listening to repetitive music. -- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial use, duplication and distribution.
Re: Is there a security update for the new sendmail exploit in woody?
On Wed, Apr 02, 2003 at 07:57:35AM -0700, Tom Clements wrote:
> --Sendmail Users Face Second Major Security Flaw
> (31 March 2003)

Yes, it's on its way. Expect it very soon. I think the updated packages have all (or almost all) completed building.

> Most versions of sendmail do not adequately check the length of
> e-mail addresses, and a carefully crafted address can trigger a
> stack overflow and potentially allow the attacker to take control of
> the system.

Sendmail developers published a patch to address this vulnerability. If you can't wait for the new packages, you can always download the source for the current packages, apply the patch, and build new packages yourself.

Note that there is no *known* exploit for this vulnerability, though, and there have been no reports of compromises due to it. I'm sure somebody will correct me in short order if I'm sharing outdated info here.

noah
--
Web: http://web.morgul.net/~frodo/
PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: H323 Gateways
On Wed, 02 Apr 2003 at 09:35:08AM +0200, Daniel Husand wrote:
> (sorry about that, just reinstalled and forgot that outlook uses HTML as
> default)

Fortunately, Outlook is a compliant (good Lord, something from MS being compliant?) MUA and it makes a multi-part message. One part clear, the other part marked up with HTML. So those of us with dumber (more secure) MUAs did not notice a thing.

--
Phil
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #18: Divide-by-zero error
Re: H323 Gateways
On Wed, Apr 02, 2003 at 03:44:56AM -0600, Warren Turkal wrote:
> > I need to do this also, so I prepared a backport to woody of
> > opengate-proxy, an h323 proxy present in sid. I will test this soon
> > (this week probably).
> >
> > deb http://debian.home-dn.net/woody opengate-proxy/
>
> Why, when there is already an h.323 proxy with forwarding capability in woody?

Because I checked it too quickly...

apt-cache search proxy | grep -i h323
apt-cache search proxy | grep -i 323
opengate-proxy - H.323 voice over IP gatekeeper with proxy support

Ouuuppss ;-)

AW, it took only a few minutes to build it...

--
Emmanuel Lacour
Easter-eggs
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Wed, Apr 02, 2003 at 09:46:52AM +0200, Dariush Pietrzak wrote:
> > of proportion... Some things in security _have_ to be obscure. Your
> > password, for example. Or the primes used to generate your PGP private
> There's a difference between 'obscure' and 'secret'.

This is true.

> All you gain by removing kernel-loading capability from your kernel is to
> force cracker to search memory to find entry points.
> That's like hiding key to your door under your doormat.

That's not true. Or rather, if it is, then using the key is considerably harder than simply opening the door (which would be the equivalent of having module support, using your metaphor). But disabling module support isn't obscuring anything; it's genuinely changing the system. The attacker is in fact going to have to do something different and more difficult to modify the kernel.

You seem to be saying that if there is one way of achieving a security breach, then you shouldn't bother stopping other ways of achieving the same result. This is clearly ridiculous.

Yours,
Tim
--
Tim Nicholas || Cilix
Email: [EMAIL PROTECTED] || Wellington, New Zealand
http://tim.nicholas.net.nz/ || Cell/SMS: +64 21 337 204
"Sir, I think you have a problem with your brain being missing."
Re: H323 Gateways
On Wed, Apr 02, 2003 at 09:07:51AM +0200, Daniel Husand wrote:
> Hi, does anyone know if it's possible to set up this:
>
> Clients - NAT - Internet - NAT - Clients with iptelephony without
> opening your NAT servers to the world. Any software suggestions /
> tricks / ideas?

I need to do this also, so I prepared a backport to woody of opengate-proxy, an h323 proxy present in sid. I will test this soon (this week probably).

deb http://debian.home-dn.net/woody opengate-proxy/

--
Emmanuel Lacour
Easter-eggs
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com
Re: H323 Gateways
a vpn between the 2 lans / clients

On Wed, Apr 02, 2003 at 09:07:51AM +0200, Daniel Husand wrote:
> Hi, does anyone know if it's possible to set up this:
>
> Clients - NAT - Internet - NAT - Clients with iptelephony without opening
> your NAT servers to the world.
> Any software suggestions / tricks / ideas?
>
> --
> Daniel

--
-> Jean-Francois Dive
--> [EMAIL PROTECTED]

There is no such thing as randomness. Only order of infinite complexity.
- Marquis de LaPlace - deterministic Principles -
Re: H323 Gateways
> You can use the ip_conntrack_h323 module from
> netfilter's patch-o-matic or a tunnel (ipsec, cipe,
> ...) between the two networks.

Last I heard about this, this module was rather crude and could cause corruption to passing packets. If the situation has changed I'd be happy to hear about it.

--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
> of proportion... Some things in security _have_ to be obscure. Your
> password, for example. Or the primes used to generate your PGP private

There's a difference between 'obscure' and 'secret'.

All you gain by removing kernel-loading capability from your kernel is to force the cracker to search memory to find entry points. That's like hiding the key to your door under your doormat.

> Security-by-obscurity refers to securing things by relying on the
> obscurity of the _processes and functionality_ behind the security system,

That fits this description.

--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: H323 Gateways
* Quoting Daniel Husand ([EMAIL PROTECTED]):
> Hi, does anyone know if it's possible to set up this:
>
> Clients - NAT - Internet - NAT - Clients with iptelephony without opening
> your NAT servers to the world.
> Any software suggestions / tricks / ideas?

You can use the ip_conntrack_h323 module from netfilter's patch-o-matic or a tunnel (ipsec, cipe, ...) between the two networks.

- rk
--
http://www.stop1984.com/
H323 Gateways
Hi, does anyone know if it's possible to set up this:

Clients - NAT - Internet - NAT - Clients with iptelephony without opening your NAT servers to the world.
Any software suggestions / tricks / ideas?

(sorry about that, just reinstalled and forgot that outlook uses HTML as default)

--
Daniel
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
On Tue, Apr 01, 2003 at 09:43:38PM +0200, Dariush Pietrzak wrote:
> > One reason is security:
> > it's relatively easy for an intruder to install a kernel module based
> > rootkit, and then hide her processes, files or connections.
> isn't it security-by-obscurity?

No, that's stretching the definition of security-by-obscurity all out of proportion... Some things in security _have_ to be obscure. Your password, for example. Or the primes used to generate your PGP private key.

Security-by-obscurity refers to securing things by relying on the obscurity of the _processes and functionality_ behind the security system, instead of the _data_ used to secure it. It's a bad idea because _processes and functionality_ is a much smaller search domain than _data_.

--
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

Of course Pacman didn't influence us as kids. If it did, we'd be running around in darkened rooms, popping pills and listening to repetitive music. -- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial use, duplication and distribution.