Re: Please clarify: kernel-sources / ptrace bug / debian security announcements

2003-05-07 Thread George Georgalis
I think you'll find the bugtraq list at http://securityfocus.com/ to
be the leading edge for security information. I like focus-linux too.
http://securityfocus.com/archive

To find more current news on issues / exploits, you would probably need
to follow some particular IRC or whatever the evil side of the internet
uses these days.

The main problem with bugtraq is a *lot* of M$ (and other commercial
software) issues are mixed in there. I find myself only reading the
subjects of 70% of the posts. But for issues like ptrace, you'll find
everything you need there.

// George



On Wed, May 07, 2003 at 02:53:35PM +0200, Peter Holm wrote:
>Hi,
>
>may I be allowed to ask some questions? 
>
>I am a little bit confused about the latest discussions on the ptrace
>kernel bug. 
>
>As I am not a regular reader of this mailing list but heavily relying
>on the debian security announce mailing list and apt-get, I was really
>wondering why I could not find anything about that ptrace kernel bug
>that can be found here
>
>http://sinuspl.net/ptrace/
>
>on the debian security website / announcement list.
>
>As I keep my systems regularly (apt-)updated I thought there was no
>reason to panic, at least debian is known for its high claims on
>being secure and "there would be some word about that if it was a
>problem."
>
>well, said that I tried, just for fun, if that exploit could do
>something on my actual debian installations and I really got slapped
>hard! All machines were exploitable! 
>
>Ok, my questions:
>
>Why isn't there a security warning about that ptrace bug? 
>
>The actual kernel sources that one can get via apt-get, are they
>already patched?
>
>What about the kernel-images? 
>
>As I read, there are some malfunctions with that kernel-patch, not
>allowing some tools to work properly (netsaint / nagios were
>mentioned). Are there any more side effects known?
>
>Is there a good website accumulating information
>about-that-ptrace-bug-and-patch-and-all-the-problems-that-are
>related-to this.org?
>
>And: which information sources do I have to follow to become informed
>about *all* security bugs in debian? 
>
>
>Thanks for your attention and sorry for my clumsy english!
>
>
>
>
>Have a nice thread,
>Peter
>
>
>--
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>

-- 
GEORGE GEORGALIS, System Admin/Architect      cell: 646-331-2027
Security Services, Web, Mail,                 mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.              http://www.galis.org/george



Re: Apt-get only security patches

2003-05-07 Thread Nick Boyce
On Wed, 7 May 2003 10:35:45 +0200, Rudolph van Graan wrote:

>... For example on one of my "stable" machines,
>the following happens when I do apt-get upgrade -u:
>
>The following packages will be upgraded
>  kdewallpapers mime-support
>2 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
>Need to get 0B/1030kB of archives. After unpacking 105kB will be freed.
>Do you want to continue? [Y/n]
>
>Obviously neither is of real security importance

The mime-support update *is* a security update!

See http://www.debian.org/security/2003/dsa-292

"When a temporary file is to be used it is created insecurely"

"allows local users to overwrite arbitrary files via a symlink attack
on temporary files"

So if you're the only user on the machine then I suppose you needn't
worry.

Cheers

Nick Boyce
Bristol, UK
--
There is no spoon.
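An added example (not from Nick's message or from the DSA text) of the bug class DSA-292 describes: a program writes a temporary file at a predictable name with O_CREAT but without O_EXCL, so a local user who plants a symlink at that name first gets the program to overwrite whatever the link points at. The script runs entirely in a scratch directory; the victim file, the predictable name and the payload are constructed for the demonstration, and the hardened writer beside it is this example's own, not the fixed package's code.

```python
import os
import tempfile


def vulnerable_write(path: str, data: bytes) -> None:
    # Predictable name and O_CREAT without O_EXCL: if an attacker has already
    # planted a symlink at `path`, open() follows it and the write lands on
    # the symlink's target, which is exactly what the DSA warns about.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def safe_write(path: str, data: bytes) -> None:
    # O_CREAT|O_EXCL fails with EEXIST if `path` exists at all, and on Linux it
    # fails for a symlink even when the link dangles; O_NOFOLLOW (where the
    # platform has it) refuses a symlink outright. tempfile.mkstemp() uses the
    # same flags plus an unpredictable name and is the right tool in practice.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def run_attack(writer) -> dict:
    """Plant a symlink at the predictable temp name, call `writer`, and report
    whether the victim file (stand-in for a file the attacker cannot write,
    such as /etc/passwd) was changed and what error, if any, the writer raised."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "wb") as f:
            f.write(b"original contents\n")
        # Hypothetical predictable temp name of the kind a vulnerable program uses.
        predictable = os.path.join(d, "mime-tmp.12345")
        os.symlink(victim, predictable)  # the attacker gets there first
        error = None
        try:
            writer(predictable, b"attacker-chosen contents\n")
        except OSError as e:
            error = type(e).__name__
        with open(victim, "rb") as f:
            clobbered = f.read() != b"original contents\n"
        return {"victim_clobbered": clobbered, "error": error}


if __name__ == "__main__":
    print("vulnerable:", run_attack(vulnerable_write))  # victim clobbered, no error
    print("safe:      ", run_attack(safe_write))        # victim intact, open() refused
```

Note that Nick's "if you're the only user on the machine then you needn't worry" holds only as long as every process that can create files in /tmp runs as you: a compromised daemon account counts as a local user for this purpose.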



Re: Apt-get only security patches

2003-05-07 Thread Stephen Gran
On Wed, May 07, 2003 at 10:03:40AM -0400, Mike Dresser said:
> Actually, mime-support had a security fix not all that long ago.  You
> should let that one go through.
> 
> http://www.debian.org/security/2003/dsa-292
> 
> I'm trying to picture how there could be a security hole in kdewallpapers,
> but yet it's on the Security page.
> 
> kdebase looks like it was updated, and kdewallpapers is a subpackage of
> that and got updated for some reason.

When a source package is updated for whatever reason, security included,
all the .debs are automatically rebuilt from the new source package.  I 
agree that kdewallpapers is perhaps a bit silly, but it's a by-product 
of the automated build process.

-- 
 --
|  Stephen Gran  | Buck-passing usually turns out to be a  |
|  [EMAIL PROTECTED] | boomerang.  |
|  http://www.lobefin.net/~steve | |
 --




Re: Have I been hacked?

2003-05-07 Thread Jay Kline
The error can also happen if there are a few boxes with ssh that have dynamic 
IPs.

On Wednesday 07 May 2003 10:36 am, Hobbs, Richard wrote:
> Hello,
>
> The SSH error is usually caused by the SSH server (your machine) being
> reformatted, or having SSH uninstalled and reinstalled, or having the
> public/private keys regenerated for some reason. Have you recently made any
> changes to SSH, or reinstalled your system?
>
> It could also happen if he has been making changes to his
> "~/.ssh/known_hosts" file.
>
> HTH...
>
> Richard.
>
> Quoting Ian Goodall <[EMAIL PROTECTED]>:
> > Thanks for your help Guys.
> >
> > It now says this:
> > > wtmp begins Wed May  7 13:21:47 2003
> >
> > I think that is what had happened. I am new to this and this just looked
> > dodgy to me!
> >
> > A friend also has ssh shell access to the box and got the following error
> > message when connecting to my box:
> >
> > @@@
> >
> > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> >
> > @@@
> >
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> >
> > Someone could be eavesdropping on you right now (man-in-the-middle
> > attack)!
> >
> > It is also possible that the RSA host key has just been changed.
> >
> > The fingerprint for the RSA key sent by the remote host is
> >
> > 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
> >
> > Please contact your system administrator.
> >
> > I don't get this from any other computers so is this just his computer?
> >
> > Thanks
> >
> > - Original Message -
> > From: "Eric LeBlanc" <[EMAIL PROTECTED]>
> > To: "Ian Goodall" <[EMAIL PROTECTED]>
> > Cc: 
> > Sent: Wednesday, May 07, 2003 3:23 PM
> > Subject: Re: Have I been hacked?
> >
> > > Check if your program have rotated the logs...
> > >
> > > cd /var/log
> > >
> > > ls -l wtmp*
> > >
> > > and, check in /etc/cron* or do a crontab -l (in user root)
> > >
> > >
> > > E.
> > > --
> > > Eric LeBlanc
> > > [EMAIL PROTECTED]
> > > --
> > > UNIX is user friendly.
> > > It's just selective about who its friends are.
> > > ==
> > >
> > > On Wed, 7 May 2003, Ian Goodall wrote:
> > > > I am running a debian woody server and when I checked the last users
> > > > yesterday I saw a large number of logins in the list. On running the
> > > > command today I get the following:
> > > >
> > > > dev1:/home/ian# last
> > > > ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> > > > team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> > > >
> > > > I have run chkrootkit but nothing was found.
> > > >
> > > > I have never had this before. Am I being paranoid or is someone
> > > > trying
> >
> > to
> >
> > > > cover up their tracks?
> > > >
> > > > Thanks
> > > >
> > > > ijg0
> > > >
> > > >
> > > >
> >
> >
> >
> >



Re: idea for improving security

2003-05-07 Thread Hans Spaans
On Wed, May 07, 2003 at 11:27:16AM +0200, Tim van Erven wrote:
> On Wed, 07/05/2003 07:40 +0200, Hans Spaans wrote:
> > 
> > How are you going to handle firewalls and stuff? This because you need
> > to accept traffic for those ports.
> 
> You always need to let the trigger through your firewall.  It's just
> easier and less of a custom hack if it's sent on a single port.

Something like Cisco CBAC maybe, but you don't want that performance-wise.
But back to the original suggestion: I think it's better to protect that
one service properly, for example by using IPsec and strong
authentication, than to use some obscure way of authentication that
opens extra services and changes firewalls at runtime.

A little voice inside tells me that you don't want that ;-)

-- 
Hans



Re: Please clarify: kernel-sources / ptrace bug / debian security announcements

2003-05-07 Thread Peter Holm
HI,

>This is unfortunate, but I guess it cannot be changed as the security team 
>reputedly is quite heavily loaded even now.

so is the debian project facing a kind of DoS attack on an
organizational level? This seems to be a "social vulnerability" then. 



Have a nice thread,
Peter



Re: Have I been hacked?

2003-05-07 Thread Rolf Kutz
* Quoting Ian Goodall ([EMAIL PROTECTED]):

> Thanks everyone for your help.
> 
> It must be his computer as all the computers I usually log in from are all 
> fine. I am still quite new to all of this but we all have to start somewhere 
> :)

Check the fingerprint against the one from your
machine. Check the keys in ~/.ssh/known_hosts on
his machine against your public key and check the
IP address in there. Maybe he logged into another
server with the same IP or configured name (in
~/.ssh/config) earlier and that caused the
mismatch.

- Rolf



Re: idea for improving security

2003-05-07 Thread Robert B Wilson

On Wed, 7 May 2003 12:48:45 +0200 Alexander Reelsen <[EMAIL PROTECTED]>
writes:
> > what if the trigger sequence changed each time?  then if someone
> > intercepted the trigger sequence, it wouldn't do them any good, 
> unless
> > they collected enough trigger sequences to be able to determine 
> the
> > next
> > one, but that would take a lot of work...
> This is already implemented and is called "One time passwords"
> 
> Why the heck would you want to do that on osi layers 3/4 instead of 
> the
> application?
> 
> And it would be hard to implement.. changing one flag per IP packet 
> sent
> or what? In a random non guessable order? Hard work... useless IMO

If I can implement it on a windows box, I'm sure it wouldn't be too hard
on a linux one...

> MfG/Regards, Alexander

--
Robert Wilson (aka kuvazokad, eltirno, edeí...)
http://www.kuvazokad.tk/ -- http://kuvazokad.free.fr/
vkky vnkynvj vknyknj ykkv knvy?  karkalone kontoko?  kinsi rorotan kinsa
nadas?  baitta ke farzaiyai?  qxracc pqqattiircx iia kxqqhwiiallccre?
spreken þu viserdya? pake biru ka pa rede?

"boys speak in rhythm
and girls just lie."
 -- anberlin - "foreign language"

narav teraz' iroti
kojes krat erarota
kuna, ysivaz' entas
naradas krat zuny narav
kuraz dityvyszi, radyji, sa rodyji
dimokrosi zosa endas
d' erensa dades kirs ins wiz

-BEGIN GEEK CODE BLOCK-
Version: 3.1
GCS/M/O d-(---)  s: a18 C++$ UL>$ P+>++ L+(++)> E--- W++(+++) N
o? K--- w+(--) O?> M-- V? PS PE+ Y+(++) PGP++ t+(*) 5-- X+++ R- tv b+++
DI+ D--- G e h! r-- y-
--END GEEK CODE BLOCK--





Re: idea for improving security

2003-05-07 Thread Robert B Wilson

On Wed, 7 May 2003 08:53:40 +0200 Michael Bergbauer
<[EMAIL PROTECTED]> writes:
> If you think SSH (or any other component) is not trustworthy, just look for 
> alternatives (or create them yourself).

what would be a more secure alternative to ssh?

> Michael Bergbauer <[EMAIL PROTECTED]>




Re: Have I been hacked?

2003-05-07 Thread Lars Ellenberg
On Wed, May 07, 2003 at 02:51:39PM +0100, Ian Goodall wrote:
> I am running a debian woody server and when I checked the last users
> yesterday I saw a large number of logins in the list. On running the command
> today I get the following:
> 
> dev1:/home/ian# last
> ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> 
> I have run chkrootkit but nothing was found.
> 
> I have never had this before. Am I being paranoid or is someone trying to
> cover up their tracks?

cronjob, logrotate?  ls -l /var/log/wtmp* 
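An added example (not part of the original thread) of what `last`, and `last -f /var/log/wtmp.1` on the rotated file, are doing underneath: reading fixed-size utmp records and pairing each login with the later logout on the same tty. The record layout assumed is glibc's 384-byte `struct utmp` on x86/x86-64 Linux (the time fields are int32 even on 64-bit; other ABIs differ). The two sample files are constructed here, one standing in for a rotated wtmp.1 holding yesterday's session and one for the current wtmp that begins at the team1 login, so the script shows why a freshly rotated file makes a busy box look nearly idle.

```python
import struct

# glibc `struct utmp` as laid out on x86 and x86-64 Linux (assumption; 384 bytes).
UTMP_FMT = "<h2xi32s4s32s256s2hi2i4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data: bytes) -> list:
    """Decode every complete record in a wtmp file into a dict."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def sessions(records: list) -> list:
    """Pair logins with the next logout on the same tty, the way `last` does.
    Returns (user, line, host, login, logout); logout is None if still open."""
    open_by_line, done = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] in (DEAD_PROCESS, BOOT_TIME):
            # DEAD_PROCESS closes one tty; a reboot record closes all of them
            lines = [r["line"]] if r["type"] == DEAD_PROCESS else list(open_by_line)
            for ln in lines:
                s = open_by_line.pop(ln, None)
                if s:
                    done.append((s["user"], ln, s["host"], s["time"], r["time"]))
    done.extend((s["user"], ln, s["host"], s["time"], None)
                for ln, s in open_by_line.items())
    return sorted(done, key=lambda s: s[3])


def wtmp_begins(records: list):
    """The timestamp `last` prints as 'wtmp begins': the oldest record in the file."""
    return min(r["time"] for r in records) if records else None


def last_like(*files: bytes) -> list:
    """`last` over one or more wtmp files, oldest first (e.g. wtmp.1 then wtmp)."""
    return sessions(parse_wtmp(b"".join(files)))


def pack_record(ut_type: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Build one record; used here only to construct the sample files."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


# Constructed sample data (not real logs). Logout records carry the tty but no user.
T = 1_052_313_707
ROTATED_WTMP = (pack_record(USER_PROCESS, 900, "pts/0", "olduser", "192.0.2.7", T - 86_400)
                + pack_record(DEAD_PROCESS, 900, "pts/0", "", "", T - 86_000))
CURRENT_WTMP = (pack_record(USER_PROCESS, 1001, "pts/0", "team1", "blue99.ex.ac.uk", T)
                + pack_record(DEAD_PROCESS, 1001, "pts/0", "", "", T + 35 * 60)
                + pack_record(USER_PROCESS, 1200, "pts/0", "ian", "172.16.3.195", T + 88 * 60))

if __name__ == "__main__":
    print("wtmp begins", wtmp_begins(parse_wtmp(CURRENT_WTMP)))
    for s in last_like(CURRENT_WTMP):
        print("current only:", s)
    for s in last_like(ROTATED_WTMP, CURRENT_WTMP):
        print("with wtmp.1: ", s)
```

Two things worth keeping in mind when reading real files this way: an attacker with root can rewrite wtmp just as easily as logrotate can, so an unexpectedly short history is only reassuring once `ls -l /var/log/wtmp*` and the logrotate schedule explain it; and because records are appended, a truncated file with a plausible "wtmp begins" time is indistinguishable from a rotated one without that cross-check.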



Re: Please clarify: kernel-sources / ptrace bug / debian security announcements

2003-05-07 Thread Sebastian Zimmermann
On Wed, 2003-05-07 at 17:05, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Wednesday 07 May 2003 14:53, Peter Holm wrote:
> 
> > The actual kernel sources that one can get via apt-get, are they
> > already patched?

kernel-source-2.4.20 in unstable is patched. 

> I fear there's no such place. The security announcements are only made when a 
> fixed package is released, and to my knowledge there is no centralized debian 
> specific place to get security announcements for security bugs where no patch 
> is (yet) available.

I am not quite sure how much the security team feels responsible for the
kernel. The ptrace bug is not the only problem as there are other
security problems (for example in the netfilter code) that have never
been fixed in stable.

Additionally, often patches are only available for current kernel
versions, but not for older ones that are all available within woody.
How far back must patches be backported?

Is there a clear policy about this issue?

Sebastian



Re: Have I been hacked?

2003-05-07 Thread Janus N.
You can check the fingerprint. Use
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key  (or similar) to print the
fingerprint of your RSA key to the screen. 
If it is '51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d' then your
friend has cached an old key you have used in the past (e.g. before a
re-installation).

Hope this helps

Janus Tøndering

On Wed, 2003-05-07 at 16:33, Ian Goodall wrote:
> Thanks for your help Guys.
> 
> It now says this:
> 
> > wtmp begins Wed May  7 13:21:47 2003
> 
> I think that is what had happened. I am new to this and this just looked
> dodgy to me!
> 
> A friend also has ssh shell access to the box and got the following error
> message when connecting to my box:
> 
> @@@
> 
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> 
> @@@
> 
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> 
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> 
> It is also possible that the RSA host key has just been changed.
> 
> The fingerprint for the RSA key sent by the remote host is
> 
> 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
> 
> Please contact your system administrator.
> 
> I don't get this from any other computers so is this just his computer?
> 
> Thanks
> 
> - Original Message - 
> From: "Eric LeBlanc" <[EMAIL PROTECTED]>
> To: "Ian Goodall" <[EMAIL PROTECTED]>
> Cc: 
> Sent: Wednesday, May 07, 2003 3:23 PM
> Subject: Re: Have I been hacked?
> 
> 
> >
> > Check if your program have rotated the logs...
> >
> > cd /var/log
> >
> > ls -l wtmp*
> >
> > and, check in /etc/cron* or do a crontab -l (in user root)
> >
> >
> > E.
> > --
> > Eric LeBlanc
> > [EMAIL PROTECTED]
> > --
> > UNIX is user friendly.
> > It's just selective about who its friends are.
> > ==
> >
> > On Wed, 7 May 2003, Ian Goodall wrote:
> >
> > > I am running a debian woody server and when I checked the last users
> > > yesterday I saw a large number of logins in the list. On running the command
> > > today I get the following:
> > >
> > > dev1:/home/ian# last
> > > ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> > > team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> > >
> > > I have run chkrootkit but nothing was found.
> > >
> > > I have never had this before. Am I being paranoid or is someone trying
> to
> > > cover up their tracks?
> > >
> > > Thanks
> > >
> > > ijg0
> > >
> > >
> > >
> > >
> >
-- 
Janus N. Tøndering <[EMAIL PROTECTED]>
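An added example (not Janus's or the thread's code) of the check he describes, done offline: compute a host key's fingerprint the way `ssh-keygen -l` of that era did (MD5 over the base64-decoded key blob, printed as colon-separated hex), pull the fingerprint out of the client's warning text, and compare it with the server's own key. The two RSA keys are tiny constructed toys, not real keys; the host name dev1.example.org and the `diagnose` wording are this example's own.

```python
import base64
import hashlib
import re
import struct


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    # positive mpint: big-endian, with a leading 0x00 byte if the top bit is set
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def rsa_key_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key (RFC 4253 s.6.6); this is what gets hashed."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the key blob, the format in the warning and in
    `ssh-keygen -l` output of 2003 (newer OpenSSH prints SHA256 by default)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_of_line(line: str) -> str:
    """Fingerprint of a .pub line ('ssh-rsa AAAA... comment') or a known_hosts
    line ('host ssh-rsa AAAA...')."""
    fields = line.split()
    b64 = fields[1] if fields[0].startswith("ssh-") else fields[2]
    return md5_fingerprint(base64.b64decode(b64))


def known_hosts_fingerprints(text: str) -> dict:
    """host field -> fingerprint for every entry in a known_hosts file."""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            out[line.split()[0]] = fingerprint_of_line(line)
    return out


FP_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){15})\b")


def fingerprint_in_warning(text: str):
    """The fingerprint the client printed: that of the key it was actually offered."""
    m = FP_RE.search(text)
    return m.group(1) if m else None


def diagnose(reported_fp: str, server_pub_line: str) -> str:
    """Benign if the client was offered the server's real key (so its cached
    entry is merely stale); otherwise something else answered on that address."""
    if reported_fp == fingerprint_of_line(server_pub_line):
        return "benign: client was offered the server's real key; its cached entry is stale"
    return "investigate: the key offered to the client is not the server's key"


# Constructed toy keys (tiny moduli, not real keys): the key the server has now
# and the older key the friend's client still has cached for the host.
NEW_KEY = rsa_key_blob(65537, 0xC0FFEE_DEADBEEF_1234)
OLD_KEY = rsa_key_blob(65537, 0xBADC0DE_FEEDFACE_5678)
SERVER_PUB_LINE = "ssh-rsa " + base64.b64encode(NEW_KEY).decode() + " root@dev1"
FRIEND_KNOWN_HOSTS = "dev1.example.org ssh-rsa " + base64.b64encode(OLD_KEY).decode() + "\n"
WARNING_FROM_THREAD = ("The fingerprint for the RSA key sent by the remote host is\n"
                       "51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.\n")

if __name__ == "__main__":
    print("server key now :", fingerprint_of_line(SERVER_PUB_LINE))
    print("friend cached  :", known_hosts_fingerprints(FRIEND_KNOWN_HOSTS))
    print("in the warning :", fingerprint_in_warning(WARNING_FROM_THREAD))
    print(diagnose(md5_fingerprint(NEW_KEY), SERVER_PUB_LINE))
```

The comparison only settles anything if the server-side fingerprint is read over a channel you already trust (console, or a session whose host key you verified earlier). Comparing the warning against whatever the same network path now reports tells you nothing, since an attacker in the middle would present a consistent key both times.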



Re: Have I been hacked?

2003-05-07 Thread Peter Holm
Hi,

which kernel are you using? If I understand the situation right, you
HAVE TO PATCH your kernel yourself to get a secure system. Do it right
now. Here

http://sinuspl.net/ptrace/


is an exploit and the kernel patch. If you did not patch your kernel,
every user on your machine will be able to root you easily.




Have a nice thread,
Peter



Re: Have I been hacked?

2003-05-07 Thread Hobbs, Richard
Hello,

yeah, but they don't mean anything... I think they are just markers to say "yes
- the daemon is still running".

what is the first thing before all of those --MARK--'s, and when is it?

Richard.


Quoting Ian Goodall <[EMAIL PROTECTED]>:

> just lots of
> 
> May  7 06:03:06 dev1 -- MARK --
> 
> - Original Message - 
> From: "Hobbs, Richard" <[EMAIL PROTECTED]>
> To: "Ian Goodall" <[EMAIL PROTECTED]>
> Cc: 
> Sent: Wednesday, May 07, 2003 3:27 PM
> Subject: Re: Have I been hacked?
> 
> 
> > Hello,
> >
> > Check /var/log/messages to see if anything happened before 14:49 on 7 May...
> > are you running "logcheck"?? It emails you daily reports of important goings
> > on... like user's crontab changes, logins, su's and other important things.
> > it's very very useful for spotting non-normal operations like ls.
> >
> > HTH...
> >
> > Richard.
> >
> >
> > Quoting Ian Goodall <[EMAIL PROTECTED]>:
> >
> > > I am running a debian woody server and when I checked the last users
> > > yesterday I saw a large number of logins in the list. On running the command
> > > today I get the following:
> > >
> > > dev1:/home/ian# last
> > > ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> > > team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> > >
> > > I have run chkrootkit but nothing was found.
> > >
> > > I have never had this before. Am I being paranoid or is someone trying
> to
> > > cover up their tracks?
> > >
> > > Thanks
> > >
> > > ijg0
> > >
> > >
> > >
> > >
> > >
> >
> >
> > -- 
> > Richard Hobbs
> > [EMAIL PROTECTED]
> > http://mongeese.co.uk | http://unixforum.co.uk
> >
> > "There's only one way of life, and that's your own" - The Levellers
> >
> > _
> > Send all your jokes to [EMAIL PROTECTED] !!
> > To subscribe, email: [EMAIL PROTECTED]
> 
> 
> 
> 


-- 
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

"There's only one way of life, and that's your own" - The Levellers

_
Send all your jokes to [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]
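An added example (not from Richard's message and not logcheck's own rules) of the triage he describes: drop syslogd's `-- MARK --` heartbeat lines, find the first real event, and pick out logins, su and crontab changes the way a logcheck-style report would, optionally only those before a cutoff such as the login time under suspicion. The log lines are constructed for the example and the patterns are illustrative; the real logcheck ships far larger rule files.

```python
import re
from datetime import datetime

# Constructed sample of a woody-era /var/log/messages (not real log lines).
SAMPLE_MESSAGES = """\
May  7 05:43:06 dev1 -- MARK --
May  7 06:03:06 dev1 -- MARK --
May  7 06:23:06 dev1 -- MARK --
May  7 13:21:47 dev1 sshd[1181]: Accepted password for team1 from 192.0.2.99 port 40122 ssh2
May  7 13:30:02 dev1 su[1203]: + pts/0 team1-root
May  7 13:57:10 dev1 sshd[1181]: Connection closed by 192.0.2.99
May  7 14:03:06 dev1 -- MARK --
May  7 14:49:31 dev1 sshd[1311]: Accepted publickey for ian from 172.16.3.195 port 1022 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

# Event classes a logcheck-style report calls out (illustrative patterns).
INTERESTING = [
    ("ssh login", re.compile(r"^sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")),
    ("ssh failure", re.compile(r"^sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+)")),
    ("su", re.compile(r"^su\[\d+\]: [+-] (\S+) (\S+)")),
    ("crontab", re.compile(r"^crontab\[\d+\]: \((\S+)\) (REPLACE|BEGIN EDIT|END EDIT) \((\S+)\)")),
]


def parse_messages(text: str, year: int) -> list:
    """(timestamp, host, message) per line. Classic syslog omits the year, so
    the caller supplies it; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def drop_marks(events: list) -> list:
    """'-- MARK --' is syslogd's periodic heartbeat, not activity: ignore it."""
    return [e for e in events if e[2] != "-- MARK --"]


def first_real_event(events: list):
    """Answers Richard's question: what is the first thing before the MARKs, and when."""
    real = drop_marks(events)
    return real[0] if real else None


def flag(events: list, before: datetime = None) -> list:
    """(label, timestamp, message) for lines matching INTERESTING, optionally
    restricted to events before a cutoff (e.g. the suspicious login time)."""
    out = []
    for ts, _host, msg in drop_marks(events):
        if before is not None and ts >= before:
            continue
        for label, rx in INTERESTING:
            if rx.match(msg):
                out.append((label, ts, msg))
                break
    return out


if __name__ == "__main__":
    ev = parse_messages(SAMPLE_MESSAGES, 2003)
    print("first non-MARK event:", first_real_event(ev))
    for label, ts, msg in flag(ev, before=datetime(2003, 5, 7, 14, 49)):
        print(f"{ts:%H:%M:%S} {label:10} {msg}")
```

A gap in MARK lines is itself a signal: syslogd writes them on a fixed interval (20 minutes by default on Debian of that era), so a stretch of the day with none of them means the daemon was stopped or the file was edited, which is worth more attention than anything the remaining lines say.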



RE: Have I been hacked?

2003-05-07 Thread Ian Goodall
Thanks everyone for your help.

It must be his computer as all the computers I usually log in from are all 
fine. I am still quite new to all of this but we all have to start somewhere 
:)

Cheers,

ijg0



>= Original Message From "Hobbs, Richard" <[EMAIL PROTECTED]> =
>Hello,
>
>The SSH error is usually caused by the SSH server (your machine) being
>reformatted, or having SSH uninstalled and reinstalled, or having the
>public/private keys regenerated for some reason. Have you recently made any
>changes to SSH, or reinstalled your system?
>
>It could also happen if he has been making changes to his 
>"~/.ssh/known_hosts" file.
>
>HTH...
>
>Richard.
>
>
>Quoting Ian Goodall <[EMAIL PROTECTED]>:
>
>> Thanks for your help Guys.
>>
>> It now says this:
>>
>> > wtmp begins Wed May  7 13:21:47 2003
>>
>> I think that is what had happened. I am new to this and this just looked
>> dodgy to me!
>>
>> A friend also has ssh shell access to the box and got the following error
>> message when connecting to my box:
>>
>> @@@
>>
>> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>>
>> @@@
>>
>> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>>
>> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>>
>> It is also possible that the RSA host key has just been changed.
>>
>> The fingerprint for the RSA key sent by the remote host is
>>
>> 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
>>
>> Please contact your system administrator.
>>
>> I don't get this from any other computers so is this just his computer?
>>
>> Thanks
>>
>> - Original Message -
>> From: "Eric LeBlanc" <[EMAIL PROTECTED]>
>> To: "Ian Goodall" <[EMAIL PROTECTED]>
>> Cc: 
>> Sent: Wednesday, May 07, 2003 3:23 PM
>> Subject: Re: Have I been hacked?
>>
>>
>> >
>> > Check if your program have rotated the logs...
>> >
>> > cd /var/log
>> >
>> > ls -l wtmp*
>> >
>> > and, check in /etc/cron* or do a crontab -l (in user root)
>> >
>> >
>> > E.
>> > --
>> > Eric LeBlanc
>> > [EMAIL PROTECTED]
>> > --
>> > UNIX is user friendly.
>> > It's just selective about who its friends are.
>> > ==
>> >
>> > On Wed, 7 May 2003, Ian Goodall wrote:
>> >
>> > > I am running a debian woody server and when I checked the last users
>> > > yesterday I saw a large number of logins in the list. On running the command
>> > > today I get the following:
>> > >
>> > > dev1:/home/ian# last
>> > > ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
>> > > team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
>> > >
>> > > I have run chkrootkit but nothing was found.
>> > >
>> > > I have never had this before. Am I being paranoid or is someone trying
>> to
>> > > cover up their tracks?
>> > >
>> > > Thanks
>> > >
>> > > ijg0
>> > >
>> > >
>> > >
>> > >
>> >
>>
>>
>>
>>
>
>
>--
>Richard Hobbs
>[EMAIL PROTECTED]
>http://mongeese.co.uk | http://unixforum.co.uk
>
>"There's only one way of life, and that's your own" - The Levellers
>
>_
>Send all your jokes to [EMAIL PROTECTED] !!
>To subscribe, email: [EMAIL PROTECTED]

--
Ian Goodall
www.iangoodall.co.uk



Re: Have I been hacked?

2003-05-07 Thread Hobbs, Richard
Hello,

The SSH error is usually caused by the SSH server (your machine) being
reformatted, or having SSH uninstalled and reinstalled, or having the
public/private keys regenerated for some reason. Have you recently made any
changes to SSH, or reinstalled your system?

It could also happen if he has been making changes to his "~/.ssh/known_hosts" 
file.

HTH...

Richard.


Quoting Ian Goodall <[EMAIL PROTECTED]>:

> Thanks for your help Guys.
> 
> It now says this:
> 
> > wtmp begins Wed May  7 13:21:47 2003
> 
> I think that is what had happened. I am new to this and this just looked
> dodgy to me!
> 
> A friend also has ssh shell access to the box and got the following error
> message when connecting to my box:
> 
> @@@
> 
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> 
> @@@
> 
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> 
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> 
> It is also possible that the RSA host key has just been changed.
> 
> The fingerprint for the RSA key sent by the remote host is
> 
> 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
> 
> Please contact your system administrator.
> 
> I don't get this from any other computers so is this just his computer?
> 
> Thanks
> 
> - Original Message - 
> From: "Eric LeBlanc" <[EMAIL PROTECTED]>
> To: "Ian Goodall" <[EMAIL PROTECTED]>
> Cc: 
> Sent: Wednesday, May 07, 2003 3:23 PM
> Subject: Re: Have I been hacked?
> 
> 
> >
> > Check if your program have rotated the logs...
> >
> > cd /var/log
> >
> > ls -l wtmp*
> >
> > and, check in /etc/cron* or do a crontab -l (in user root)
> >
> >
> > E.
> > --
> > Eric LeBlanc
> > [EMAIL PROTECTED]
> > --
> > UNIX is user friendly.
> > It's just selective about who its friends are.
> > ==
> >
> > On Wed, 7 May 2003, Ian Goodall wrote:
> >
> > > I am running a debian woody server and when I checked the last users
> > > yesterday I saw a large number of logins in the list. On running the command
> > > today I get the following:
> > >
> > > dev1:/home/ian# last
> > > ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> > > team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> > >
> > > I have run chkrootkit but nothing was found.
> > >
> > > I have never had this before. Am I being paranoid or is someone trying
> to
> > > cover up their tracks?
> > >
> > > Thanks
> > >
> > > ijg0
> > >
> > >
> > >
> > >
> >
> 
> 
> 
> 


-- 
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

"There's only one way of life, and that's your own" - The Levellers

_
Send all your jokes to [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]



Re: Have I been hacked?

2003-05-07 Thread bueno

Check the shell history file of team1 user...
if exists


On (07/05/03 14:51), Ian Goodall wrote:
> I am running a debian woody server and when I checked the last users
> yesterday I saw a large number of logins in the list. On running the command
> today I get the following:
> 
> dev1:/home/ian# last
> ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> 
> I have run chkrootkit but nothing was found.
> 
> I have never had this before. Am I being paranoid or is someone trying to
> cover up their tracks?
> 
> Thanks
> 
> ijg0
> 
> 
> 
> 
> 

-- 
Bueno, Felippe
<[EMAIL PROTECTED]>



Re: Please clarify: kernel-sources / ptrace bug / debian security announcements

2003-05-07 Thread Adrian 'Dagurashibanipal' von Bidder
On Wednesday 07 May 2003 14:53, Peter Holm wrote:

> The actual kernel sources that one can get via apt-get, are they
> already patched?

I have to admit that I didn't follow this issue closely, you'll have to get 
this info elsewhere.

> And: which information sources do I have to follow to become informed
> about *all* security bugs in debian?

I fear there's no such place. The security announcements are only made when a 
fixed package is released, and to my knowledge there is no centralized debian 
specific place to get security announcements for security bugs where no patch 
is (yet) available.

This is unfortunate, but I guess it cannot be changed as the security team 
reputedly is quite heavily loaded even now.

greets
-- vbi

-- 
this email is protected by a digital signature: http://fortytwo.ch/gpg




Re: Have I been hacked?

2003-05-07 Thread Ian Goodall
just lots of

May  7 06:03:06 dev1 -- MARK --

- Original Message - 
From: "Hobbs, Richard" <[EMAIL PROTECTED]>
To: "Ian Goodall" <[EMAIL PROTECTED]>
Cc: 
Sent: Wednesday, May 07, 2003 3:27 PM
Subject: Re: Have I been hacked?


> Hello,
>
> Check /var/log/messages to see if anything happened before 14:49 on 7 May...
> are you running "logcheck"?? It emails you daily reports of important goings
> on... like user's crontab changes, logins, su's and other important things.
> it's very very useful for spotting non-normal operations like ls.
>
> HTH...
>
> Richard.
>
>
> Quoting Ian Goodall <[EMAIL PROTECTED]>:
>
> > I am running a debian woody server and when I checked the last users
> > yesterday I saw a large number of logins in the list. On running the command
> > today I get the following:
> >
> > dev1:/home/ian# last
> > ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> > team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> >
> > I have run chkrootkit but nothing was found.
> >
> > I have never had this before. Am I being paranoid or is someone trying
to
> > cover up their tracks?
> >
> > Thanks
> >
> > ijg0
> >
> >
> >
> >
> >
>
>
> -- 
> Richard Hobbs
> [EMAIL PROTECTED]
> http://mongeese.co.uk | http://unixforum.co.uk
>
> "There's only one way of life, and that's your own" - The Levellers
>
> _
> Send all your jokes to [EMAIL PROTECTED] !!
> To subscribe, email: [EMAIL PROTECTED]



Re: Have I been hacked?

2003-05-07 Thread Michael Bergbauer
On Wed May 07, 2003 at 02:51:39PM +0100, Ian Goodall wrote:
> I am running a debian woody server and when I checked the last users
> yesterday I saw a large number of logins in the list. On running the command
> today I get the following:
> 
> dev1:/home/ian# last
> ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)

Who is the user "team1"

> I have run chkrootkit but nothing was found.

That's exactly what chkrootkit can tell you - nothing found, but not 
nothing installed.

-- 
Michael Bergbauer <[EMAIL PROTECTED]>
use your idle CPU cycles - See http://www.distributed.net for details.
Visit our mud Geas at geas.franken.de Port 



Re: Have I been hacked?

2003-05-07 Thread Ian Goodall
Thanks for your help Guys.

It now says this:

> wtmp begins Wed May  7 13:21:47 2003

I think that is what had happened. I am new to this and this just looked
dodgy to me!

A friend also has ssh shell access to the box and got the following error
message when connecting to my box:

@@@

@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that the RSA host key has just been changed.

The fingerprint for the RSA key sent by the remote host is

51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.

Please contact your system administrator.

I don't get this from any other computers so is this just his computer?

Thanks

- Original Message - 
From: "Eric LeBlanc" <[EMAIL PROTECTED]>
To: "Ian Goodall" <[EMAIL PROTECTED]>
Cc: 
Sent: Wednesday, May 07, 2003 3:23 PM
Subject: Re: Have I been hacked?


>
> Check if your program have rotated the logs...
>
> cd /var/log
>
> ls -l wtmp*
>
> and, check in /etc/cron* or do a crontab -l (in user root)
>
>
> E.
> --
> Eric LeBlanc
> [EMAIL PROTECTED]
> --
> UNIX is user friendly.
> It's just selective about who its friends are.
> ==
>
> On Wed, 7 May 2003, Ian Goodall wrote:
>
> > I am running a debian woody server and when I checked the last users
> > yesterday I saw a large number of logins in the list. On running the command
> > today I get the following:
> >
> > dev1:/home/ian# last
> > ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> > team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> >
> > I have run chkrootkit but nothing was found.
> >
> > I have never had this before. Am I being paranoid or is someone trying
to
> > cover up their tracks?
> >
> > Thanks
> >
> > ijg0
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
> >
>



Re: Have I been hacked?

2003-05-07 Thread Hobbs, Richard
Hello,

Check /var/log/messages to see if anything happened before 14:49 on 7 May... Are
you running "logcheck"? It emails you daily reports of important goings-on,
like users' crontab changes, logins, su's and other important things. It's very,
very useful for spotting non-normal operations like ls.

HTH...

Richard.


Quoting Ian Goodall <[EMAIL PROTECTED]>:

> I am running a debian woody server and when I checked the last users
> yesterday I saw a large number of logins in the list. On running the command
> today I get the following:
> 
> dev1:/home/ian# last
> ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> 
> I have run chkrootkit but nothing was found.
> 
> I have never had this before. Am I being paranoid or is someone trying to
> cover up their tracks?
> 
> Thanks
> 
> ijg0
> 
> 
> 


-- 
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

"There's only one way of life, and that's your own" - The Levellers




RE: Have I been hacked?

2003-05-07 Thread Antheunis, Jason
Check in /var/log and you should see a file called wtmp.1 or something
similar. The logs just get rotated.

You can view it with the -f flag to last.

last -f /var/log/wtmp.1

Jason Antheunis

-Original Message-
From: Ian Goodall [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 07, 2003 9:52 AM
To: debian-security@lists.debian.org
Subject: Have I been hacked?

I am running a debian woody server and when I checked the last users
yesterday I saw a large number of logins in the list. On running the command
today I get the following:

dev1:/home/ian# last
ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)

I have run chkrootkit but nothing was found.

I have never had this before. Am I being paranoid or is someone trying to
cover up their tracks?

Thanks

ijg0



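Jason's `last -f /var/log/wtmp.1` reads the rotated file with the same tool; when the file is suspect (tampered records are a classic way of covering tracks), it helps to know what `last` is actually reading. The parser below is an added example for this thread, not code posted by anyone on it: it decodes the raw `struct utmp` records in a wtmp file and pairs logins with logouts the way `last` does. It assumes the 384-byte glibc layout used on x86/x86_64 Linux, and the wtmp bytes are constructed inline (mirroring the `last` output quoted above) so the script runs without touching /var/log.

```python
"""Parse a Linux wtmp file and rebuild login sessions the way `last` does.

Added example for this thread, not code posted by anyone on it. Assumes the
384-byte glibc struct utmp layout used on x86/x86_64 Linux; the wtmp bytes
below are constructed inline so the script runs without touching /var/log.
"""
import calendar
import struct
import time
from dataclasses import dataclass
from typing import List, Optional

# Field order of struct utmp from <utmp.h>: ut_type, (pad), ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit{e_termination,e_exit},
# ut_session, ut_tv{tv_sec,tv_usec}, ut_addr_v6[4], unused[20].
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384 on the assumed layout

# ut_type values from <utmp.h>
USER_PROCESS, DEAD_PROCESS = 7, 8


@dataclass
class Record:
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    ts: int                 # ut_tv.tv_sec, seconds since the epoch


@dataclass
class Session:
    user: str
    line: str
    host: str
    login: int
    logout: Optional[int]   # None: no DEAD_PROCESS record yet ("still logged in")


def _cstr(raw: bytes) -> str:
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def pack_record(ut_type: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Build one utmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def parse_wtmp(data: bytes) -> List[Record]:
    """Split raw wtmp bytes into records (oldest first, as on disk)."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length is not a multiple of %d: truncated file or "
                         "a different struct utmp layout" % UTMP_SIZE)
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append(Record(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return records


def wtmp_begins(records: List[Record]) -> int:
    """Timestamp `last` reports as "wtmp begins ...": the oldest record."""
    return min(r.ts for r in records)


def sessions(records: List[Record]) -> List[Session]:
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty.
    Returned newest-first, like `last`."""
    open_by_line = {}
    closed = []
    for r in records:
        if r.ut_type == USER_PROCESS:
            open_by_line[r.line] = Session(r.user, r.line, r.host, r.ts, None)
        elif r.ut_type == DEAD_PROCESS and r.line in open_by_line:
            s = open_by_line.pop(r.line)
            s.logout = r.ts
            closed.append(s)
    closed.extend(open_by_line.values())
    return sorted(closed, key=lambda s: s.login, reverse=True)


def format_session(s: Session) -> str:
    """One line in the style of `last` (UTC, so output is deterministic)."""
    t = time.gmtime(s.login)
    start = time.strftime("%a %b ", t) + "%2d %02d:%02d" % (t.tm_mday, t.tm_hour, t.tm_min)
    if s.logout is None:
        end = "  still logged in"
    else:
        e = time.gmtime(s.logout)
        mins = (s.logout - s.login) // 60
        end = "- %02d:%02d  (%02d:%02d)" % (e.tm_hour, e.tm_min, mins // 60, mins % 60)
    return "%-8s %-12s %-16s %s %s" % (s.user, s.line, s.host, start, end)


def _t(h, m, s):
    return calendar.timegm((2003, 5, 7, h, m, s, 0, 0, 0))


# Constructed wtmp mirroring the thread's `last` output (not a real capture).
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1401, "pts/0", "team1", "blue99.ex.ac.uk", _t(13, 21, 47)),
    pack_record(DEAD_PROCESS, 1401, "pts/0", "", "", _t(13, 57, 10)),
    pack_record(USER_PROCESS, 1522, "pts/0", "ian", "172.16.3.195", _t(14, 49, 3)),
])

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)   # real file: open("/var/log/wtmp.1", "rb").read()
    for sess in sessions(recs):
        print(format_session(sess))
    print("wtmp begins", time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(wtmp_begins(recs))))
```

A wtmp that "begins" at the time of the first suspicious login, with no earlier records and no BOOT_TIME entry, is exactly what both a logrotate run and a truncated file look like; the file's mtime, the presence of wtmp.1, and the logrotate entry for wtmp in /etc/logrotate.conf tell the two apart.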



Re: Have I been hacked?

2003-05-07 Thread David Ramsden
On Wed, May 07, 2003 at 02:51:39PM +0100, Ian Goodall wrote:
> I am running a debian woody server and when I checked the last users
> yesterday I saw a large number of logins in the list. On running the command
> today I get the following:
> 
> dev1:/home/ian# last
> ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> 
> I have run chkrootkit but nothing was found.
> 
[snip]

Could it be that wtmp has been rotated?
If the wtmp gets to a certain size or date (I can't remember exactly) it
normally gets rotated.
If you "cd /var/log" and then "ls -l |grep wtmp" you'll probably see
wtmp.X - Where X is a number, like 1 where the file has been rotated.

HTH,
David.
-- 
 .''`. David Ramsden <[EMAIL PROTECTED]>
: :'  :http://portal.hexstream.eu.org/
`. `'` PGP key ID: 507B379B on wwwkeys.pgp.net
  `-  Debian - when you have better things to do than to fix a system.




Re: Have I been hacked?

2003-05-07 Thread Hanasaki JiJi

You are the ian login, right?
Know anyone at the domain blue99.ex.ac.uk? Or anyplace similar?
Did you ever create an id of "team1"?

Ian Goodall wrote:

> I am running a debian woody server and when I checked the last users
> yesterday I saw a large number of logins in the list. On running the command
> today I get the following:
>
> dev1:/home/ian# last
> ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
>
> I have run chkrootkit but nothing was found.
>
> I have never had this before. Am I being paranoid or is someone trying to
> cover up their tracks?
>
> Thanks
>
> ijg0





--
"Management is doing things right; leadership is doing the right things." - Peter Drucker
http://www.sun.com/service/sunps/jdc/javacenter.pdf
www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone



Re: Have I been hacked?

2003-05-07 Thread Sylvain Soliman
> I am running a debian woody server and when I checked the last users
> yesterday I saw a large number of logins in the list. On running the command
> today I get the following:
> 
> dev1:/home/ian# last
> ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> 
> I have run chkrootkit but nothing was found.
> 
> I have never had this before. Am I being paranoid or is someone trying to
> cover up their tracks?

  logrotate?

Sylvain.

-- 
Sylvain Soliman <[EMAIL PROTECTED]>GnuPG Public Key: 0x0F53AF99
Secretaire adjoint - Fede. Francaise de Go  http://ffg.jeudego.org/ffg-f.html
Co-mainteneur de PilotGOnehttp://minas.ithil.org/pilotgone/pilotgone.html
Page personelle  http://contraintes.inria.fr/~soliman



Re: Have I been hacked?

2003-05-07 Thread Eric LeBlanc

Check if your program has rotated the logs...

cd /var/log

ls -l wtmp*

and, check in /etc/cron* or do a crontab -l (in user root)


E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==

On Wed, 7 May 2003, Ian Goodall wrote:

> I am running a debian woody server and when I checked the last users
> yesterday I saw a large number of logins in the list. On running the command
> today I get the following:
>
> dev1:/home/ian# last
> ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
>
> I have run chkrootkit but nothing was found.
>
> I have never had this before. Am I being paranoid or is someone trying to
> cover up their tracks?
>
> Thanks
>
> ijg0
>
>
>
>



Re: Apt-get only security patches

2003-05-07 Thread Mike Dresser
On Wed, 7 May 2003, Rudolph van Graan wrote:

> The following packages will be upgraded
>   kdewallpapers mime-support
> 2 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
> Need to get 0B/1030kB of archives. After unpacking 105kB will be freed.
> Do you want to continue? [Y/n]
>
> Obviously neither is of real security importance, but will be updated
> nevertheless. [I don't want to remove the standard stable source from
> sources.list]

Actually, mime-support had a security fix not all that long ago.  You
should let that one go through.

http://www.debian.org/security/2003/dsa-292

I'm trying to picture how there could be a security hole in kdewallpapers,
but yet it's on the Security page.

kdebase looks like it was updated, and kdewallpapers is a subpackage of
that and got updated for some reason.

See also:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=191611

Mike



Re: idea for improving security

2003-05-07 Thread Thomas Horsten
On Wednesday 07 May 2003 13:54, Jay Kline wrote:

> This is still pretty complex, if the end result is just to allow access to
> port 22.
>
> SSH is pretty secure; there have been very few problems with ssh that allow
> someone without an account to gain access to the system it's on.  If you
> take all other precautions, your risk is pretty low.  If your data is so
> valuable that you still can't afford the risk, then you need to take measures
> farther by having that box on a private network where only specific hosts
> can log in, and set up a secondary host just to authenticate in.

I agree - this "security by obscurity" approach will most likely end up making 
it less secure than it was originally.

Remember the most likely way the cracker will get in in the first place is 
through a vulnerability in a service you do need to have open 
unconditionally, e.g. in your http server.

Let's say the cracker did get in with something like that, gets unprivileged 
access but enough that he is able to see that you have configured your ssh to 
use a "port locking" sequence as described. Now suddenly a very simple DoS 
attack becomes available, as a way to prevent the rightful admin from getting into 
the box once it's been cracked, leaving the attacker time to get root.

Don't do it. Either trust sshd (disable most of its features by tweaking its 
config, then it should be pretty secure!), or don't allow remote logins at 
all.

If you do want some extra security there are other ways that would be more 
effective, e.g. you can delete /bin/sh and /bin/bash etc. in your rc script 
after your Apache and other services are started (so long as they don't 
depend on them), and have your proper SSH call a secret copy 
(/bin/secretshell or something) when you log in. This prevents many attacks 
where the attacker relies on spawning a shell on your system from whatever 
program he's using a vulnerability in.

// Thomas



Have I been hacked?

2003-05-07 Thread Ian Goodall
I am running a debian woody server and when I checked the last users
yesterday I saw a large number of logins in the list. On running the command
today I get the following:

dev1:/home/ian# last
ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)

I have run chkrootkit but nothing was found.

I have never had this before. Am I being paranoid or is someone trying to
cover up their tracks?

Thanks

ijg0




Re: idea for improving security

2003-05-07 Thread Jay Kline
On Tuesday 06 May 2003 06:29 pm, Alain Tesio wrote:
> On Tue, 06 May 2003 13:07:24 -0500
>
> Mark Edgington <[EMAIL PROTECTED]> wrote:
> > it doesn't matter if others are
> > connecting to port 80, etc. while he is doing these connections, as long
> > as no-one else is trying to connect to any of the ports in the
> > trigger-sequence list -- this is the only thing which will invalidate the
> > sequence-recognition
>
> Hi,it seems you don't mention that the connection attempts can be memorized
> associated to the originating IP, and then the wanted port made available
> only for this IP.

I agree.  In fact, you could argue that this method is no more secure than 
just moving ssh to a different port. I have done that on boxes before; if 
sshd is listening on port 4321 or whatever you don't need to worry about the 
"hackers".  If someone has the ability to notice you connecting to specific 
ports, they can also watch what sequence you use.  


> It looks a bit complex to me, only useful for a private use of a port which
> is not publicly available, which means only for ssh as other protocols
> can pass through a ssh tunnel.
>
> This authentication system won't be vulnerable to ssh exploits, but
> you're basically using port numbers as characters of an unencrypted
> password.
>
> A simplification of your idea with no loss of feature without using ssh may
> be to have incoming packets of a unique port appear as dropped from the
> outside and still processed (how ??) by a daemon waiting for a password in
> the packet body. Passwords can be OTP.

One problem with this is reinventing the wheel.  It sounds a lot like a VPN 
solution if you take it to this level. 

> (a bit dirty) is it possible to use snort with a special rule to detect
> such a traffic, eventually with another process reading snort log files ?

This is still pretty complex, if the end result is just to allow access to port 
22. 

SSH is pretty secure; there have been very few problems with ssh that allow 
someone without an account to gain access to the system it's on.  If you take 
all other precautions, your risk is pretty low.  If your data is so valuable 
that you still can't afford the risk, then you need to take measures farther 
by having that box on a private network where only specific hosts can log 
in, and set up a secondary host just to authenticate in.



-- 
Jay Kline
http://www.slushpupie.com



Please clarify: kernel-sources / ptrace bug / debian security announcements

2003-05-07 Thread Peter Holm
Hi,

may I be allowed to ask some questions? 

I am a little bit confused about the latest discussions on the ptrace
kernel bug. 

As I am not a regular reader of this mailing list but heavily relying
on the debian security announce mailing list and apt-get, I was really
wondering why I could not find anything about that ptrace kernel bug
that can be found here

http://sinuspl.net/ptrace/

on the debian security website / announcement list.

As I keep my systems regularly (apt-)updated I thought there was no
reason to panic, at least debian is known for its high claims on
being secure and "there would be some word about that if it was a
problem."

Well, that said, I tried, just for fun, whether that exploit could do
something on my actual debian installations and I really got slapped
hard! All machines were exploitable! 

Ok, my questions:

Why isn't there a security warning about that ptrace bug? 

The actual kernel sources that one can get via apt-get, are they
already patched?

What about the kernel-images? 

As I read, there are some malfunctions with that kernel-patch, not
allowing some tools to work properly (netsaint / nagios were
mentioned). Are there any more side effects known?

Is there a good website accumulating information
about-that-ptrace-bug-and-patch-and-all-the-problems-that-are
related-to this.org?

And: which information sources do I have to follow to become informed
about *all* security bugs in debian? 


Thanks for your attention and sorry for my clumsy English!




Have a nice thread,
Peter



Re: idea for improving security

2003-05-07 Thread Alexander Reelsen
Hi

On Tue, May 06, 2003 at 11:26:35PM +0200, Horst Pflugstaedt wrote:
> On Tue, May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> > 2) the port(s) to make available upon receiving this trigger sequence
> > 3) whether the ports to be made available are available for a) the next n 
> > connections only, 
> what if someone else tries to connect exactly this one time?
You can always differentiate between different source ips.

> > and/or b) the next n minutes
> what happens if you need more(tm) time?
You configure it with greater timeout values?

> > 3) how long to disable watching for the sequence after an invalid sequence 
> > has been detected.
> how do you define an invalid sequence? how would you determine whether
> someone else tries to trigger your port or is simply scanning you?
If you have a combination and 80% of that combination were guessed
correctly (by say, 5 different ip packets, it would be quite a strange
coincidence), you could define an invalid sequence.

> I'd rather work with some other mechanism like granting access to/from
> one single IP/Port. you might for example realize this with two
> encrypted Emails where the server-generated Mail includes some random
> Data (for extra security) and the Client-generated Mail includes the
> Clients IP...
Who said you need listening ports for that? Just use libpcap, open up a
raw socket and catch the packets before they are processed. So you
don't need any listening service but still can evaluate the packets.

> > makes a connection to 4385, this would invalidate the sequence) -- if these 
> > trigger-sequence ports are all connected to in order (and the 
> > disable-sequence-listen timeout has elapsed), then port 22 becomes open to 
> > connect to.
> You'll have to rely on many people not trying to connect to your magic
> ports while you don't want them to...
Who said ports? Specially crafted IP packets are absolutely sufficient :)

I think the main goal of this question was not that end users can connect
to the services, but only administrators. If you have 100 machines on the
net placed at customers it might be pretty handy, if you don't have to
worry about ssh auto rooters after the new 0day exploit, because they
don't try the magic-ip-packet-sequence. This adds another layer of security
against dumb attacks, not against directed attacks.


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://tretmine.org
[EMAIL PROTECTED]



Re: idea for improving security

2003-05-07 Thread Alexander Reelsen
Hi

On Tue, May 06, 2003 at 06:22:54PM -0600, Will Aoki wrote:
> I believe that there are rootkits in the wild which do this.
Yepp. Found some standard rootkits with that thing as addition.

> Although I can't find the reference I had to it, I believe that some
> listen for traffic on a rare or unallocated protocol before opening a
> backdoor.
http://www.phenoelit.de/stuff/cd00r.c
has been used sometimes on compromised machines...


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://tretmine.org
[EMAIL PROTECTED]



Re: idea for improving security

2003-05-07 Thread Alexander Reelsen
Hi

On Tue, May 06, 2003 at 10:05:49PM -0400, Robert B Wilson wrote:
> On Tue, 06 May 2003 20:13:41 + Deger Cenk Erdil
> <[EMAIL PROTECTED]> writes:
> > But, if I can intercept your "trigger sequence messages" as an
> > attacker on your subnet, or even on the Net, I can replicate the same
> > sequence quite easily!
> what if the trigger sequence changed each time?  then if someone
> intercepted the trigger sequence, it wouldn't do them any good, unless
> they collected enough trigger sequences to be able to determine the
> next one, but that would take a lot of work...
This is already implemented and is called "One time passwords"

Why the heck would you want to do that on OSI layers 3/4 instead of the
application?

And it would be hard to implement.. changing one flag per IP packet sent
or what? In a random non guessable order? Hard work... useless IMO


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://tretmine.org
[EMAIL PROTECTED]



Re: idea for improving security

2003-05-07 Thread kuba . jakubik

my idea is to add some rules to iptables eg

iptables -A INPUT -p tcp --dport 1985 -j LOG --log-prefix "key port 1:"
iptables -A INPUT -p tcp --dport 1985 -j DROP

iptables -A INPUT -p tcp --dport 12731 -j LOG --log-prefix "key port 2:"
iptables -A INPUT -p tcp --dport 12731 -j DROP

iptables -A INPUT -p tcp --dport 200312 -j LOG --log-prefix "key port 3:"
iptables -A INPUT -p tcp --dport 200312 -j DROP

iptables -A INPUT -p tcp --dport 436093 -j LOG --log-prefix "key port 4:"
iptables -A INPUT -p tcp --dport 436093 -j DROP

iptables -A INPUT -p tcp --dport 1 -j LOG --log-prefix "key port 5:"
iptables -A INPUT -p tcp --dport 1 -j DROP

iptables -A INPUT -p tcp --dport 1123123 -j LOG --log-prefix "key port 6:"
iptables -A INPUT -p tcp --dport 1123123 -j DROP

so you get:

1. ports are DROPPED every time you try to access them (you can set the
drop rule to something else (reply with reset or sth)
2. you have log entries like key port 2: SRC=xxx.xxx.xxx.xxx etc.
so you just use bash/awk/grep/perl to find the sequence in order from
the ip and open/close the port as you wish

if you need i could write such scripts and send it to the group/to you

Greetings,

Kuba BIGHard Jakubik
jid: [EMAIL PROTECTED]
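The log-parsing side of Kuba's proposal, as an added example (not the scripts offered above): it walks kernel log lines carrying the `key port N:` prefix, keeps per-source-IP progress through the sequence (which answers Horst's objection about other people hitting the magic ports, as Alexander noted), and treats an out-of-order or late knock as an invalid sequence that locks that source out for a while, which is parameter 3 of Mark's original proposal. The syslog excerpt is constructed, not captured; the 30-second window, the 60-second lockout and the DPT values for key ports 3 to 6 are assumptions.

```python
"""Reconstruct port-knock attempts from iptables LOG lines, tracked per source IP.

Added example, not the scripts offered in the post above. It assumes the
iptables LOG option --log-prefix "key port N:" convention from those rules and
the usual kernel log format; the syslog excerpt below is constructed, not
captured. WINDOW and LOCKOUT are assumed values for the proposal's parameters.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SEQUENCE_LEN = 6      # the rules above log "key port 1:" .. "key port 6:"
WINDOW = 30           # seconds allowed from the first knock to the last (assumption)
LOCKOUT = 60          # seconds a source is ignored after an invalid knock (assumption)

# Matches e.g. "May  7 13:21:40 dev1 kernel: key port 1: IN=eth0 ... SRC=10.1.2.3 DST=..."
LINE_RE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ kernel: key port (?P<n>\d+):"
    r".*\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+)\b")


def _secs(m: "re.Match") -> int:
    # Seconds since midnight: a single day's log is assumed, since the syslog
    # timestamp carries no year.
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])


def knock_events(lines: List[str]) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int, int]]]:
    """Return (opened, rejected).

    opened   -- (src, ts) for each source that hit key ports 1..SEQUENCE_LEN in
                order within WINDOW seconds; a daemon would open port 22 to src here
    rejected -- (src, ts, n) for each out-of-order or late knock; it resets the
                source's progress and starts its LOCKOUT
    """
    state: Dict[str, dict] = defaultdict(lambda: {"next": 1, "start": 0, "locked_until": -1})
    opened, rejected = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # not one of our key-port log entries
        ts, n, src = _secs(m), int(m["n"]), m["src"]
        st = state[src]
        if ts < st["locked_until"]:
            continue                      # knocks during lockout are ignored entirely
        in_order = n == st["next"] and (n == 1 or ts - st["start"] <= WINDOW)
        if not in_order:
            rejected.append((src, ts, n))
            st["next"], st["locked_until"] = 1, ts + LOCKOUT
            continue
        if n == 1:
            st["start"] = ts              # window starts at the first knock
        st["next"] += 1
        if st["next"] > SEQUENCE_LEN:
            opened.append((src, ts))
            st["next"] = 1
    return opened, rejected


# Constructed syslog excerpt: 10.1.2.3 knocks correctly while a scanner at
# 198.51.100.7 interleaves hits, and 203.0.113.9 knocks out of order.
SAMPLE_LOG = """\
May  7 13:21:40 dev1 kernel: key port 1: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=1985
May  7 13:21:41 dev1 kernel: key port 1: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=1985
May  7 13:21:42 dev1 kernel: key port 2: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=12731
May  7 13:21:43 dev1 kernel: key port 3: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=20031
May  7 13:21:44 dev1 kernel: key port 5: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=1
May  7 13:21:45 dev1 kernel: key port 4: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=43609
May  7 13:21:46 dev1 kernel: key port 5: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=1
May  7 13:21:47 dev1 kernel: key port 6: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=11231
May  7 13:21:48 dev1 kernel: eth0: link is up
May  7 13:22:00 dev1 kernel: key port 1: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=1985
May  7 13:22:01 dev1 kernel: key port 2: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=33002 DPT=12731
May  7 13:22:02 dev1 kernel: key port 4: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=33003 DPT=43609
May  7 13:22:10 dev1 kernel: key port 1: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=33004 DPT=1985
"""

if __name__ == "__main__":
    opened, rejected = knock_events(SAMPLE_LOG.splitlines())
    for src, ts in opened:
        print("open port 22 for %s at %02d:%02d:%02d" % (src, ts // 3600, ts // 60 % 60, ts % 60))
    for src, ts, n in rejected:
        print("reject %s: unexpected key port %d, locked out for %ds" % (src, n, LOCKOUT))
```

The per-source state is what makes the scheme survive background scanning; what it does not change is the objection raised elsewhere in this thread, that the knock sequence travels in clear and that a hostile knock during a legitimate sequence locks the admin out.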




Re: Apt-get only security patches

2003-05-07 Thread Lorenzo Martignoni
* Rudolph van Graan <[EMAIL PROTECTED]>: 
> Hi all,
> 
> Probably a stupid question, but one I don't know the answer for. Is
> there any simple way of telling apt or dpkg to *only* download and
> install security patches instead of other changes to a release [thinking
> testing or unstable here]. For example on one of my "stable" machines,
> the following happens when I do apt-get upgrade -u:
> 
> The following packages will be upgraded
>   kdewallpapers mime-support
> 2 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
> Need to get 0B/1030kB of archives. After unpacking 105kB will be freed.
> Do you want to continue? [Y/n]
> 
> Obviously neither is of real security importance, but will be updated
> nevertheless. [I don't want to remove the standard stable source from
> sources.list]

I'd do:

   # apt-get -o Dir::Etc::SourceList=/etc/apt/security_updates.list \
             -o Dir::State::Lists=/var/lib/xxx/lists/ update

and then

   # apt-get -o Dir::Etc::SourceList=/etc/apt/security_updates.list \
             -o Dir::State::Lists=/var/lib/xxx/lists/ upgrade

-- lorenzo



Re: idea for improving security

2003-05-07 Thread Tim van Erven
On Wed, 07/05/2003 07:40 +0200, Hans Spaans wrote:
> On Wed, May 07, 2003 at 01:14:04AM +0200, Tim van Erven wrote:
>> On Tue, 06/05/2003 13:07 -0500, Mark Edgington wrote:
>>> incorporate functionality into inetd/xinetd/rinetd which listens for a 
>>> predefined sequence of connection attempts on certain ports.  Upon noticing 
>>> the correct sequence (as specified somewhere in the config file), it opens 
>>> up certain ports (i.e. SSH) for a specified amount of time or for the next 
>>> connection attempt only.  The parameters which could be set in the config 
>>> file would be:
>>> 1) the "trigger" sequence (an ordered list of port numbers)
>>> 2) the port(s) to make available upon receiving this trigger sequence
>>> 3) whether the ports to be made available are available for a) the next n 
>>> connections only, and/or b) the next n minutes
>>> 3) how long to disable watching for the sequence after an invalid sequence 
>>> has been detected.
>> 
>> You could also run a daemon that listens on some port for a password and
>> opens up other ports if it receives the right one, to get the same
>> effect, but much easier to implement.
> 
> How are you going to handle firewalls and stuff? This because you need
> to accept traffic for those ports.

You always need to let the trigger through your firewall.  It's just
easier and less of a custom hack if it's sent on a single port.

-- 
Tim van Erven <[EMAIL PROTECTED]>  Fingerprint: F6C9 61EE 242C C012
OpenPGP Key ID: 712CB811   36D5 BBF8 6310 D557 712C B811



Re: Apt-get only security patches

2003-05-07 Thread Lupe Christoph
On Wednesday, 2003-05-07 at 10:35:45 +0200, Rudolph van Graan wrote:

> The following packages will be upgraded
>   kdewallpapers mime-support

> Obviously neither is of real security importance, but will be updated
> nevertheless. [I don't want to remove the standard stable source from
> sources.list]

Please read DSA-292-3 and DSA-296-1.

I suppose kdewallpapers is just updated to keep the version number in
sync with the rest of kdebase. Had you updated the other KDE packages
before?

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |



Re: Apt-get only security patches

2003-05-07 Thread Marcel Weber

Rudolph van Graan wrote:

> Hi all,
>
> Probably a stupid question, but one I don't know the answer for. Is
> there any simple way of telling apt or dpkg to *only* download and
> install security patches instead of other changes to a release [thinking
> testing or unstable here]. For example on one of my "stable" machines,
> the following happens when I do apt-get upgrade -u:
>
> [...]
>
> Ideas/suggestions?
>
> Regards,
>
> Rudolph




Hi Rudolph

This should do it:

Put another sources list file into any directory. For example 
/etc/apt/sources.security. This file contains just the following line:


deb http://security.debian.org/ stable/updates main contrib non-free


For updating pass apt-get the sources list it should use. In this 
example the above file.


apt-get -o=Dir::Etc::SourceList=/etc/apt/sources.security update

This should do the job (unless anyone disagrees ;-) )

Regards

Marcel





Re: Apt-get only security patches

2003-05-07 Thread thing

Rudolph van Graan wrote:

> Hi all,
>
> Probably a stupid question, but one I don't know the answer for. Is
> there any simple way of telling apt or dpkg to *only* download and
> install security patches instead of other changes to a release [thinking
> testing or unstable here]. For example on one of my "stable" machines,
> the following happens when I do apt-get upgrade -u:
>
> The following packages will be upgraded
>   kdewallpapers mime-support
> 2 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
> Need to get 0B/1030kB of archives. After unpacking 105kB will be freed.
> Do you want to continue? [Y/n]
>
> Obviously neither is of real security importance, but will be updated
> nevertheless. [I don't want to remove the standard stable source from
> sources.list]
>
> Sources.list:
>
> deb ftp://ftp.is.co.za/linux/distributions/debian stable main contrib non-free
> deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
> deb http://security.debian.org stable/updates main contrib non-free
>
> Ideas/suggestions?
>
> Regards,
>
> Rudolph


 

My understanding is that for security patches you just use the security site only 
in sources.list. Otherwise I don't quite understand why you would not 
want to upgrade packages; it's only bug fixes after all.


I think the mime-support is a security fix btw.

Otherwise you could say no and then apt-get install individually but 
that just gets long winded as your box falls behind.


regards

Thing




Apt-get only security patches

2003-05-07 Thread Rudolph van Graan
Hi all,

Probably a stupid question, but one I don't know the answer for. Is
there any simple way of telling apt or dpkg to *only* download and
install security patches instead of other changes to a release [thinking
testing or unstable here]. For example on one of my "stable" machines,
the following happens when I do apt-get upgrade -u:

The following packages will be upgraded
  kdewallpapers mime-support
2 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
Need to get 0B/1030kB of archives. After unpacking 105kB will be freed.
Do you want to continue? [Y/n]

Obviously neither is of real security importance, but will be updated
nevertheless. [I don't want to remove the standard stable source from
sources.list]

Sources.list:

deb ftp://ftp.is.co.za/linux/distributions/debian stable main contrib non-free
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free


Ideas/suggestions?

Regards,

Rudolph



Re: idea for improving security

2003-05-07 Thread Sebastian Hoehn



Mark Edgington wrote:

> Hi,
> [..]

Guess it's not a very good idea. An attacker could find out your 
sequence by listening to your traffic. So there is no additional 
security from your trigger.


There is a very simple Denial-of-Service attack on such a system, for 
someone who can listen to your traffic: just send a packet to one of the 
ports in the sequence when someone starts sending his. That would make 
your login attempt invalid every time.


Sebastian



Re: idea for improving security

2003-05-07 Thread Michael Bergbauer
On Tue May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> Hi,
>   I'm not sure whether this idea has been considered or implemented 
>   anywhere, but I have been thinking about it, and believe it would provide a 
> fairly high-level of security for systems which only run a few public 
> services.  The gist of it is this:
> incorporate functionality into inetd/xinetd/rinetd which listens for a 
> predefined sequence of connection attempts on certain ports.  Upon noticing 
> the correct sequence (as specified somewhere in the config file), it opens 
> up certain ports (i.e. SSH) for a specified amount of time or for the next 
> connection attempt only.  

I remember discussing this topic a while ago in a german usenet group. I 
didn't reread the posts now, but all I remember is that it all resulted 
in "rubbish", for a few reasons:
-You're using port connects as a means of password, and this password is 
usually unencrypted, thus can be watched by anyone on the net
-it's security by obscurity, and that usually doesn't work
-you're getting a new component in the user authentication, that just 
adds complexity without a real gain in security

I think the main goal should be to have only secure services on a 
server, and not to disguise insecure ones in an obscure way. If you 
think SSH (or any other component) is not trustworthy, just look for 
alternatives (or create them yourself).

-- 
Michael Bergbauer <[EMAIL PROTECTED]>
use your idle CPU cycles - See http://www.distributed.net for details.
Visit our mud Geas at geas.franken.de Port 



Re: idea for improving security

2003-05-07 Thread Hans Spaans
On Wed, May 07, 2003 at 01:14:04AM +0200, Tim van Erven wrote:
> On Tue, 06/05/2003 13:07 -0500, Mark Edgington wrote:
> > incorporate functionality into inetd/xinetd/rinetd which listens for a 
> > predefined sequence of connection attempts on certain ports.  Upon noticing 
> > the correct sequence (as specified somewhere in the config file), it opens 
> > up certain ports (i.e. SSH) for a specified amount of time or for the next 
> > connection attempt only.  The parameters which could be set in the config 
> > file would be:
> > 1) the "trigger" sequence (an ordered list of port numbers)
> > 2) the port(s) to make available upon receiving this trigger sequence
> > 3) whether the ports to be made available are available for a) the next n 
> > connections only, and/or b) the next n minutes
> > 3) how long to disable watching for the sequence after an invalid sequence 
> > has been detected.
> 
> You could also run a daemon that listens on some port for a password and
> opens up other ports if it receives the right one, to get the same
> effect, but much easier to implement.

How are you going to handle firewalls and stuff? This because you need
to accept traffic for those ports.

-- 
Hans