Re: own kernel vs debian kernel (was: ptrace exploit)
* Dale Amon ([EMAIL PROTECTED]) wrote:
> I roll my own; no modules for servers or secure machines, modules for
> non-secure workstations. Configure them to the specific minimum requirements
> of the particular use and not one option more.

What you say here may lead to confusion. A monolithic kernel doesn't give you added security over a modular kernel. To make the kernel a little bit more secure I'd use grsecurity (i.e. to prevent code injection, syscall hijacking and so on). Just use modules if you like them.

> Probably best recommendation is to build your own and make
> kpkg's.

IMHO that's a "Good Thing"(TM).

Cheers, fc
Re: VPN: SSH or IPSec???
Felipe Martínez Hermo, 2003-Apr-16 18:23 +0100:
> So far, I also prefer IPSec because it seems to be the most
> standard-compliant implementation, but I want to know my options.
> I have just bought Kolesnikov's book, but I have not started with it
> yet.
> One last thing: should I set up a router (and so start with
> Adv-router-HOWTO)
> or should I go directly to FreeSwan Documentation?
>
> I am a little puzzled and I don't know what to start with.
>
> Thanks for your help

Be careful in assuming that IPSec is "standard-compliant". It's more of a reference model for implementors to use. Interoperability between different implementations is sketchy and usually only works in a very basic configuration, such as Main Mode (as opposed to Aggressive Mode) and with Pre-shared keys (as opposed to certificates). Since you have Windows PCs on the road, be sure that there are available clients that interoperate with FreeSwan.

jc
--
Jeff Coppock, Systems Engineer
Diggin' Debian, Admin and User
Re: VPN: SSH or IPSec???
* Quoting Florian Weimer ([EMAIL PROTECTED]):
> Rolf Kutz <[EMAIL PROTECTED]> writes:
>
> > Use IPsec. It's a standard and it's supported by
> > win2k natively.
>
> But Felipe still needs a VPN to run IPsec on. Of course, he could use
> GRE tunneling for that. 8-)

Would he? Why not use IPsec's tunnel mode?

> But in his case, it might be better to terminate an encrypted VPN on
> the routers. In this case, the Windows IPsec support doesn't matter.

ACK, but he talked about road warriors with win2k.

- Rolf
CORE - Snort stream4 pre-processor Integer Overflow
http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10

This went across several lists a few days ago, I'm forwarding it in case anyone missed it.

--
Orlando Padilla
http://www.g0thead.com/xbud.asc
Re: VPN: SSH or IPSec???
Rolf Kutz <[EMAIL PROTECTED]> writes:

> Use IPsec. It's a standard and it's supported by
> win2k natively.

But Felipe still needs a VPN to run IPsec on. Of course, he could use GRE tunneling for that. 8-)

But in his case, it might be better to terminate an encrypted VPN on the routers. In this case, the Windows IPsec support doesn't matter.
Re: [despammed] Re: VPN: SSH or IPSec???
Ed McMan grabbed a keyboard and typed...
> The VPN howto shows how to use ssh to make a true VPN. It involves
> ppp, not ssh's port forwarding. Unfortunately, the howto is very
> dated, and it relies on a software package that is very difficult to
> find.

You do not want to do that. Tunnelling PPP over SSH gives you serious performance hits that you can reduce with other VPN implementations. Don't get me wrong--SSH is good for a lot of things--just a VPN is not one of them. I use SSH every day, and even maintain the SSH FAQ (okay, so it's out-of-date, but Steve and I are working on that), but I digress..

Here is a link on why PPP over SSH is a bad idea:

http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

-Anne
--
Anne Carasik, System Administrator
gator at cacr dot caltech dot edu
Center for Advanced Computing Research
Re: VPN: SSH or IPSec???
Felipe Martínez Hermo <[EMAIL PROTECTED]> writes:

> I have a 5-site network. Each with a Cable/DSL link. Currently
> I have a Netscreen box on each site. I want to substitute the NS box
> with Linux boxes so I can manage bandwidth, set up a firewall and
> have a configuration which is built up on standards.

Do you need encryption while the traffic travels through the public network?
Re: Bug severity for substantial DoS vulnerability
Florian Weimer wrote:
> What's the correct severity for substantial DoS vulnerabilities?

I'd gauge it a little based on how popular the software is in the vulnerable configuration (which is something of a crapshoot). Sounds like you're talking about remotely exploitable as well, which I guess earns it a bonus point.

--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
Re: [despammed] Re: VPN: SSH or IPSec???
Wednesday, April 16, 2003, 12:59:37 PM, Anne Carasik (Anne) wrote:

Anne> A true VPN is something like IPSec. SSH and SSL only tunnel TCP-based
Anne> traffic (at least that's what they are supposed to do). If you want a
Anne> true VPN, do not use SSH or SSL.
Anne> IPSec is a good choice, but there are other VPN apps around
Anne> including CIPE, VTUN, and TINC. YMMV..
Anne> Check out "Building Linux VPNs" book by Kolesnikov and Hatch--
Anne> that would be your best bet.
Anne> I personally like IPSec because it's fairly standardized, but
Anne> again YMMV :)

The VPN howto shows how to use ssh to make a true VPN. It involves ppp, not ssh's port forwarding. Unfortunately, the howto is very dated, and it relies on a software package that is very difficult to find.

--
Eddie J Schwartz <[EMAIL PROTECTED]|m00.net]>
AIM: Uncaring Eyes  ICQ: 35576339  YHOO: edmcman2
"We Trills have an expression -- at forty, you think you know everything. At four hundred you realize you know nothing." - Dax, Startrek DS9
Re: VPN: SSH or IPSec???
* Anne Carasik <[EMAIL PROTECTED]> [2003-04-16 18:59 +0200]:
> A true VPN is something like IPSec. SSH and SSL only tunnel TCP-based
> traffic (at least that's what they are supposed to do).

You can actually pipe ppp through ssh and thus tunnel arbitrary ip packets over ssh, as shown in http://www.jfranken.de/homepages/johannes/vortraege/ssh2.en.html#ToC12

> If you want a true VPN, do not use SSH or SSL.

I'd rather say, it depends on your setup... Remember how easy it is to tunnel ssh over http proxies :-) (examples at http://www.jfranken.de/homepages/johannes/vortraege/ssh3.en.html )

--
Johannes Franken
Professional unix/network development
mailto:[EMAIL PROTECTED]
http://www.jfranken.de/
Re: VPN: SSH or IPSec???
* Anne Carasik ([EMAIL PROTECTED]) [030416 10:58]:
> A true VPN is something like IPSec. SSH and SSL only tunnel TCP-based
> traffic (at least that's what they are supposed to do). If you want a
> true VPN, do not use SSH or SSL.

Well, PPP can be used over an SSH tunnel. This way, you can send all IP through the encrypted tunnel. It is still a VPN, just with a different tunneling method.

Personally, I've never used the PPP/SSH method. I can see that it would be good for ease of setup for simple applications, like accessing a home DSL machine. For ease of interoperability, ipsec may be a better way to go.

good times,
Vineet
--
http://www.doorstop.net/
A: No.
Q: Should I include quotations after my reply?
--Nick Moffitt
Re: VPN: SSH or IPSec???
* Quoting Felipe Martínez Hermo ([EMAIL PROTECTED]):
> I have a 5-site network. Each with a Cable/DSL link. Currently I have a
> Netscreen box on each site. I want to substitute the NS box with Linux boxes
> so I can manage bandwidth, set up a firewall and have a configuration which is
> built up on standards.
> I will have "road warriors" accessing through DSL or modems with Win2k
> computers.

Use IPsec. It's a standard and it's supported by win2k natively.

- Rolf
Re: VPN: SSH or IPSec???
> Should I use SSH or IPSec to set up my VPN?
> Which are the drawbacks and advantages of both?

Read this: http://www.tldp.org/HOWTO/mini/ppp-ssh/
It contains very nice drawbacks/benefits.

ssh vpn seems to be easiest to set up. You just run ppp on one side, it runs ssh to another and runs ppp there. Voilà. You've got tunnel set UP. You'll notice many problems though:

- you need to monitor your link, if it dies, you need to rerun your ppp. apt-get install secvpn 'll help you with that part. It's not that easy to tell if your link died, and how should you bring it up (is ppp on another side running? maybe it died? maybe it's just lag)
- latency is high, data is going from kernel to userland, and from ppp to ssh...
- it's also not very wise to run tcp inside tcp .. look: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
- also ran into some strange problems trying to ssh via ssh based vpn with key based authentication
- not quite clear how to set it up securely. You need to run ppp on another end of link as root. You can do this with sudo, with suid ppp or something like that. You need to be careful.

With IPsec you won't have those problems, you have a very nice daemon for bringing your link up ON DEMAND, latency is way lower, no problems with retransmission coming from tcp over tcp, and no running ppp as root. But you'll have to compile your own kernel, you may use kernel-patch-freeswan.

But anyhoo, freeswan is still evolving, and it's playing catch up on bsd's racoon. Actually there are some port-style activities in 2.5.x trying to run racoon on linux. FreeSWAN seems like it's not a very stable piece of soft, not many people understand this well. For example I'm having problems with routing on wolk kernels, it's not freeswan's problem, but it triggers it. With ppp/ssh all parts of soft are known and tested well.

On the other hand, IPSec is a widely known standard, used by largish enterprises, you can even buy hardware routers using ipsec, and ppp/ssh is more of a toy/temporary solution.

regards,
--
Dariush Pietrzak, She swore and she cursed, that she never would deceive me
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Bug severity for substantial DoS vulnerability
What's the correct severity for substantial DoS vulnerabilities? Substantial DoS vulnerabilities enable attackers to make a system completely unusable, with little effort (say, a stream of a few hundred small packets per second). If I read the guidelines correctly, it's either "important" or "grave". Is "grave" acceptable?
RE: SANS Alert - Snort Vulnerability - still Vulnerable ?
> > On Tue, Mar 11, 2003 at 06:53:48PM +0900, Hideki Yamane wrote:
> > > > >This was added to the SANS Advisory on Sendmail last week.
> > > > >I have not seen any news nor postings related to Snort with
> > > > >Debian and was wondering about the status of Snort in stable
> > > > >at this time.
> > >
> > > snort vulnerability was posted in BTS.
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=183719
> > >
> > > # but, yes, DSA have not been released yet.
>
> Is Woody version still Vulnerable to this serious security bug ?

I believe so. I'm using the bug to track the issue. Currently it's tagged sarge and woody. Snort.org said the default distribution is vulnerable, and in the Debian diff I see no change to the affected sections (for both woody and sarge). I've informed the security team, but they're likely busy with other issues. A comment from them on the bug would be nice.

Drew Daniels
Re: VPN: SSH or IPSec???
So far, I also prefer IPSec because it seems to be the most standard-compliant implementation, but I want to know my options. I have just bought Kolesnikov's book, but I have not started with it yet.

One last thing: should I set up a router (and so start with Adv-router-HOWTO) or should I go directly to FreeSwan Documentation?

I am a little puzzled and I don't know what to start with.

Thanks for your help

On Wed 16 Apr 2003 18:59, you wrote:
> A true VPN is something like IPSec. SSH and SSL only tunnel TCP-based
> traffic (at least that's what they are supposed to do). If you want a
> true VPN, do not use SSH or SSL.
>
> IPSec is a good choice, but there are other VPN apps around
> including CIPE, VTUN, and TINC. YMMV..
>
> Check out "Building Linux VPNs" book by Kolesnikov and Hatch--
> that would be your best bet.
>
> I personally like IPSec because it's fairly standardized, but
> again YMMV :)
>
> -Anne
>
> Servicios Informáticos UGT Galicia grabbed a keyboard and typed...
> > I'm planning to set up a VPN. I started reading The VPN Howto, but I
> > come to a crossroad as soon as I read past chapter 2:
> >
> > Should I use SSH or IPSec to set up my VPN?
> > Which are the drawbacks and advantages of both?
> >
> > I would like to know what's your opinion about it so I can choose the
> > most suitable option for me.
> >
> > Thank you

--
==
Felipe Martínez Hermo
[EMAIL PROTECTED]
[EMAIL PROTECTED]
==
Servicios Informáticos
UGT Galicia
[EMAIL PROTECTED]
==
Re: VPN: SSH or IPSec???
On Wed 16 Apr 2003 18:43, you wrote:
> Servicios Informáticos UGT Galicia <[EMAIL PROTECTED]> writes:
> > Should I use SSH or IPSec to set up my VPN?
> > Which are the drawbacks and advantages of both?
>
> Can you tell us your requirements?

I have a 5-site network. Each with a Cable/DSL link. Currently I have a Netscreen box on each site. I want to substitute the NS box with Linux boxes so I can manage bandwidth, set up a firewall and have a configuration which is built up on standards.

I will have "road warriors" accessing through DSL or modems with Win2k computers.

--
Felipe Martínez Hermo
Servicios Informáticos UGT Galicia
Re: VPN: SSH or IPSec???
I haven't made use of SSH for VPN purposes as I tend to remove PPP completely from the system after I install, as I don't use dial-up service for internet, so I don't have it available for use with a SSH VPN connection...

I have used the FreeS/WAN IPSec solution and still use it for a VPN solution for both Windows and Linux clients alike... On the Windows side I use SSH Sentinel by SSH Communication and of course FreeS/WAN for Linux both server and client side using X.509 certificate authentication... I haven't had any problems with IPSec that would make me want to bother trying to use SSH for a VPN connection...

One disadvantage I could see with SSH is that you would have to have an account for the remote user to use to authenticate with to make the VPN tunnel... Or a shared acct, dislike that idea even more... I tend to run my IPSec VPN gateway machine with as few accts or access as possible so this doesn't appeal or apply to my network topography...

With FreeS/WAN IPSec with X.509 certificates the configuration can be made to accept valid certificates signed by a specific Certificate Authority (CA) which is easy enough to set up with OpenSSL provided scripts... Then if you need to revoke access for a given certificate you just issue the Certificate Revocation List (CRL), again using OpenSSL, and FreeS/WAN will no longer honor that certificate.

Regards,
Jeremy

On Wed, Apr 16, 2003 at 04:49:45PM +0100, Servicios Informáticos UGT Galicia wrote:
> I'm planning to set up a VPN. I started reading The VPN Howto, but I
> come to a crossroad as soon as I read past chapter 2:
>
> Should I use SSH or IPSec to set up my VPN?
> Which are the drawbacks and advantages of both?
>
> I would like to know what's your opinion about it so I can choose the
> most suitable option for me.
>
> Thank you
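The issue-then-revoke flow Jeremy describes, as an added example that is not code from the thread, from FreeS/WAN or from its OpenSSL scripts: plain openssl commands build a CA, sign a road-warrior certificate, and check it against the CA's CRL before and after revocation. The temp directory, file names and subject names are constructed for the example; a FreeS/WAN gateway would read the same CA certificate and CRL from its own configuration.

```shell
#!/bin/sh
# Added example (not from the thread): X.509 CA, client cert, CRL revocation
# and CRL-checked verification with plain openssl. All paths are constructed.
set -e

# Create a throwaway CA directory with the files "openssl ca" expects,
# a self-signed CA, one road-warrior certificate and an (empty) CRL.
pki_setup() {
    d=$(mktemp -d)
    : > "$d/index.txt"          # certificate database, empty to start
    echo 01 > "$d/serial"
    echo 01 > "$d/crlnumber"    # CRL sequence number
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca       = vpn_ca
[ vpn_ca ]
database         = $d/index.txt
new_certs_dir    = $d
certificate      = $d/ca.crt
private_key      = $d/ca.key
serial           = $d/serial
crlnumber        = $d/crlnumber
default_md       = sha256
default_crl_days = 1
policy           = any_policy
[ any_policy ]
commonName       = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj /CN=vpn-ca -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj /CN=roadwarrior1 -keyout "$d/rw.key" -out "$d/rw.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/rw.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/rw.crt" 2>/dev/null
    issue_crl "$d"
    echo "$d"
}

# (Re)issue the CRL from the CA database; this is the file the gateway loads.
issue_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Mark a certificate revoked in the CA database, then publish a fresh CRL.
revoke_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$2" -crl_reason keyCompromise 2>/dev/null
    issue_crl "$1"
}

# The decision a CRL-checking gateway would make for a peer certificate.
cert_status() {
    if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" \
            "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

if [ "${1:-}" = demo ]; then
    pki=$(pki_setup)
    echo "before revocation: $(cert_status "$pki" "$pki/rw.crt")"
    revoke_cert "$pki" "$pki/rw.crt"
    echo "after revocation:  $(cert_status "$pki" "$pki/rw.crt")"
fi
```

Run it with `demo` as the first argument to see the certificate go from accepted to rejected without touching the CA certificate itself.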
Re: VPN: SSH or IPSec???
A true VPN is something like IPSec. SSH and SSL only tunnel TCP-based traffic (at least that's what they are supposed to do). If you want a true VPN, do not use SSH or SSL.

IPSec is a good choice, but there are other VPN apps around including CIPE, VTUN, and TINC. YMMV..

Check out "Building Linux VPNs" book by Kolesnikov and Hatch-- that would be your best bet.

I personally like IPSec because it's fairly standardized, but again YMMV :)

-Anne

Servicios Informáticos UGT Galicia grabbed a keyboard and typed...
> I'm planning to set up a VPN. I started reading The VPN Howto, but I
> come to a crossroad as soon as I read past chapter 2:
>
> Should I use SSH or IPSec to set up my VPN?
> Which are the drawbacks and advantages of both?
>
> I would like to know what's your opinion about it so I can choose the
> most suitable option for me.
>
> Thank you

--
Anne Carasik, System Administrator
gator at cacr dot caltech dot edu
Center for Advanced Computing Research
Re: VPN: SSH or IPSec???
Servicios Informáticos UGT Galicia <[EMAIL PROTECTED]> writes:

> Should I use SSH or IPSec to set up my VPN?
> Which are the drawbacks and advantages of both?

Can you tell us your requirements?
VPN: SSH or IPSec???
I'm planning to set up a VPN. I started reading The VPN Howto, but I come to a crossroad as soon as I read past chapter 2:

Should I use SSH or IPSec to set up my VPN?
Which are the drawbacks and advantages of both?

I would like to know what's your opinion about it so I can choose the most suitable option for me.

Thank you
--
Felipe Martínez Hermo
Servicios Informáticos UGT Galicia
Re: Kernel ptrace Hole - Fix For i386 ?
On Wed, 2003-04-16 at 02:21, Nick Boyce wrote:
> On Mon, 14 Apr 2003 20:01:57 -0500, Greg Norris wrote:
>
> >On Tue, Apr 15, 2003 at 12:46:38AM +0100, Nick Boyce wrote:
> >> The fix is in vanilla kernel 2.4.20 as I understand it, and it sounds
> >> like some people here are downloading that source for their Woody i386
> >> systems.
> >
> >By "vanilla", do you mean the "Linus kernel" from kernel.org? If so,
> >the fix was incorporated into 2.4.21-pre6... 2.4.20 wasn't updated.
>
> Yep - kernel.org is what I meant - thanks for that info. Thanks also
> to a private email I've been advised that patched Debian versions of
> 2.4.20 do exist in the main archive pool directories, so I guess the
> wheels of a release are turning.
>
> Sorry everybody - I didn't notice that the same question got asked 3
> days ago ("ptrace exploit").

I would not agree that an apology is necessary. The debian security team have said nothing about this bug that they have posted to announce or the site, which has left 'users' in a state of not knowing. The package that is ready should have been up on security.debian.org weeks ago and I still think we are waiting for a valid response from the security team on this issue. Basically this has been a really bad show from debian, they claim to respond to security issues within 48 hours, which they have clearly not done in this case. This causes the problem for me that I am trying to get the ISP that I work at to make the new linux platform they are planning to be debian based, this however is becoming a sticking point.

However don't get me wrong, apart from this the security team are great and I thank them for their help in keeping my systems secure.

Take care - RL
--
MSN:[EMAIL PROTECTED]  Yahoo:admroblaz  AIM:admroblaz  ICQ:66324927  Jabber:[EMAIL PROTECTED]  e-mail:[EMAIL PROTECTED]
"All that is etched in stone is truly only scribbled in sand" - RL
Join EFF http://www.eff.org
Take care all - Rob Laz
Re: cfengine client behind NAT
On Wed, 16 Apr 2003, Adrian Phillips wrote:
> Not using 1.6.3 anymore but, what exactly are the messages ? Are you
> getting Connection refused by cfservd or by the firewall ?

I'm getting connection refused by the cfd (cfservd) daemon, the firewall allows me to connect. It seems that cfd isn't able to authenticate due to the fact that my IP address is natted.

> [You might get more response from the cfengine mailing list].

I'll consider it, thanks.

> Sincerely,
>
> Adrian Phillips

Thanks for feedback,
I.
--
Ivo Marino <[EMAIL PROTECTED]>
irc.FreeNode.net #debian-mentors
UIN 32463141 + JID [EMAIL PROTECTED]
http://eimbox.org/~eim/ + http://eimbox.org
Re: cfengine client behind NAT
> "Ivo" == Ivo Marino <[EMAIL PROTECTED]> writes:

Ivo> Hello folks, I'm running cfengine on two different systems
Ivo> which aren't connected to the same network but communicate via
Ivo> Internet.

Ivo> Host A: cfengine client system behind NAT
Ivo> Host B: cfd server system, public IP

Not using 1.6.3 anymore but, what exactly are the messages ? Are you getting Connection refused by cfservd or by the firewall ?

[You might get more response from the cfengine mailing list].

Sincerely,

Adrian Phillips
--
Your mouse has moved. Windows NT must be restarted for the change to take effect. Reboot now? [OK]