Re: OT: An Idea for an IDS
Greetings!

On Mon, 30 Jun 2003 18:38:33 -0400 Phillip Hofmeister [EMAIL PROTECTED] wrote:
> This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.

...which is the official license to shoot yourself in the foot. What happens if I send you a forged, suspicious packet with source IP equal to the IP address of your gateway router, your DNS server, your internal system(s), ...

Because of this, automated systems did not get much acceptance, as they were/are more a hassle than useful. Today there are only very few systems left that still implement some automated IP-killing scheme.

Bye

Volker Tanger

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: FTP servers that ban abusers?
Hmm, seems the list has lost my earlier mail, second try. Sorry for possible double posts.

On Monday 30 June 2003 17:22, Andrew Sayers wrote:
> Ideally, whenever someone tries to FTP in as root, ftp, backup, or some other administrative account, I'd like iptables to DROP further incoming FTP traffic from that address, and an e-mail to be sent automatically to me and their network's administrator. Blocking FTP traffic immediately has the added benefit that they won't receive a login refused message, which might slow down any scanning attempts.

Well, IMHO this isn't the job of the FTP daemon, it's the job of a log monitoring program. You can use logsurfer to monitor your logfiles in realtime and run a program if an attack happens.

http://www.cert.dfn.de/eng/logsurf/

Seems that there are no Debian packages at the moment, but it's easy to compile.

> - Andrew

best regards,
Jens
Re: Why is proftpd always started when one update it?
On Mon, Jun 30, 2003 at 12:51:46PM -0500, CARMICHAEL, SHAWN (ASI) wrote:
> That occurs because that is how it is packaged in the .deb when you download and update it. Unless you package your own from source there is no work around.

There is no need for a work-around. What is needed is to read the documentation for the proper way to disable startup of a daemon.

--
 - mdz
Re: OT: An Idea for an IDS
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?

Not really a good idea. Consider what happens when someone forges the IP addresses.

--
 - mdz
Re: samba woody
On Tue, Jul 01, 2003 at 12:39:29AM +0200, Bencsath Boldizsar wrote:
> Do You (We) really surely want to include buggy samba 2.2.3a-12, more than half a year old, in the 'testing' release? I already know one guy with a 1 week old 'testing' debian hacked through samba. (I know, it's -12.3 on security for stable, and samba is not secure at all, but I think this one needs an upgrade ASAP...)

I am pleased to hear of your interest in helping to improve Debian testing. Here are some links to get you started in your efforts to help get a new version of samba into testing:

http://buildd.debian.org/fetch.php?pkg=samba&ver=3.0.0beta1-1&arch=arm&stamp=1055147113&file=log&as=raw
http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=slapd&sev-inc=critical&sev-inc=grave&sev-inc=serious
http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=acl&sev-inc=critical&sev-inc=grave&sev-inc=serious

All of those things need to be fixed in order to get a new samba into testing.

--
 - mdz
Re: samba woody
What about something like this 5-minute change?:

    Template: samba/security_warning
    Type: boolean
    Default: false
    Description: Warning! Serious Warning!
     This version of samba contains remotely exploitable SERIOUS vulnerabilities! If you continue the install You will definitely be a target of CRACKING activity! DO NOT INSTALL THIS VERSION OF SAMBA UNLESS YOU KNOW WHAT YOU ARE DOING! If You don't know why you are going to install this version, you should check your debian version and security fixes lists (e.g. /etc/apt/sources.list) and Debian Security announcements! Do not use the testing release if You cannot afford to keep up with the latest news!!!
     Do You really-really want to install this vulnerable version of samba?

and some db_get samba/security_warning in the preinst script...

BTW, it could be standardized throughout the packages that dpkg would invoke such a dialog for every package marked with some notes.

I know Your reasons not to include a bad version, but some reasons from the practical side:

- Many users do not read security mailing lists
- Many users have some reasons to use the unstable/testing distribution (e.g. libc6 compatibility issues with some non-debian software)
- They also need to be secure
- Or at least, we should push some warning for them
- Or at least, we should maintain some extra security effort for the following packages: exim, sendmail, apache, php, mysql, samba, ftpd, proftpd, pop3's. These are the main packages and if they have a _remotely_ exploitable security hole, then it is a bad policy to leave these packages in -even the unstable- distro.

boldizsar

On Mon, 30 Jun 2003, Matt Zimmerman wrote:
> On Tue, Jul 01, 2003 at 12:39:29AM +0200, Bencsath Boldizsar wrote:
> > Do You (We) really surely want to include buggy samba 2.2.3a-12, more than half a year old, in the 'testing' release? I already know one guy with a 1 week old 'testing' debian hacked through samba. (I know, it's -12.3 on security for stable, and samba is not secure at all, but I think this one needs an upgrade ASAP...)
>
> I am pleased to hear of your interest in helping to improve Debian testing. Here are some links to get you started in your efforts to help get a new version of samba into testing:
>
> http://buildd.debian.org/fetch.php?pkg=samba&ver=3.0.0beta1-1&arch=arm&stamp=1055147113&file=log&as=raw
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=slapd&sev-inc=critical&sev-inc=grave&sev-inc=serious
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=acl&sev-inc=critical&sev-inc=grave&sev-inc=serious
>
> All of those things need to be fixed in order to get a new samba into testing.
>
> --
>  - mdz
Re: OT: An Idea for an IDS
Hi,

There is an Intrusion Detection System (IDS) named Snort (http://www.snort.org). There you can log to syslog, database, tcpdump file, ... And there are some preprocessors which can block 'bad' traffic. Snort can do much more. Read the FAQ: http://www.snort.org/docs/FAQ.txt

Thomas Bechtold

On Tuesday 01 July 2003 00:38, Phillip Hofmeister wrote:
> Greets all,
>
> A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go:
>
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?
>
> Just throwing out a random conscious thought,
>
> --
> Phillip Hofmeister
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #202: That's easy to fix but I can't be bothered.
Re: OT: An Idea for an IDS
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.

Google for "adaptive firewall", maybe you get some hits. I remember some guardian project, but it was conceptually not that convincing. Some combination of snort and perl script...

Speaking of snort: wasn't there an option named "react: block"?

BTW, if you suck on syslog, anyone who is able to fake syslog entries (and that's about any local user, and maybe some more) can easily DoS arbitrary IPs unless these are on a whitelist... no good!

hth,

Lars Ellenberg
Re: OT: An Idea for an IDS
Check out psad, which is similar to what you want (and I use it)... You can see psad at http://www.cipherdyne.com/psad/, which is somehow related to Bastille Linux http://www.bastille-linux.org/. Or just apt-get install psad.

--jordan

On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> Greets all,
>
> A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go:
>
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?
>
> Just throwing out a random conscious thought,
>
> --
> Phillip Hofmeister
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #202: That's easy to fix but I can't be bothered.
Re: samba woody
On Tue, Jul 01, 2003 at 12:47:36PM +0200, Boldizsar BENCSATH wrote:
> What about something like this 5-minute change?:
>
>     Template: samba/security_warning
>     Type: boolean
>     Default: false
>     Description: Warning! Serious Warning!
>      This version of samba contains remotely exploitable SERIOUS vulnerabilities! If you continue the install You will definitely be a target of CRACKING activity! DO NOT INSTALL THIS VERSION OF SAMBA UNLESS YOU KNOW WHAT YOU ARE DOING! If You don't know why you are going to install this version, you should check your debian version and security fixes lists (e.g. /etc/apt/sources.list) and Debian Security announcements! Do not use the testing release if You cannot afford to keep up with the latest news!!!
>      Do You really-really want to install this vulnerable version of samba?
>
> and some db_get samba/security_warning in the preinst script...

I would rather see the bugs fixed. They already have been; it's just that a few showstopper bugs need to be fixed before the new version goes in.

> I know Your reasons not to include a bad version, but some reasons from the practical side:
>
> - Many users do not read security mailing lists

They have already lost if they do not AT LEAST subscribe to the notification lists that we provide.

> - Many users have some reasons to use the unstable/testing distribution (e.g. libc6 compatibility issues with some non-debian software)

Then they should upgrade selective packages and monitor those packages for (e.g.) security problems. This is no reason to upgrade the entire system (for example, samba).

> - They also need to be secure

They need to work at this. It is not automatic.

> - Or at least, we should push some warning for them

We prominently declare on the web site that unreleased packages may have security problems and other bad bugs.

> - Or at least, we should maintain some extra security effort for the following packages: exim, sendmail, apache, php, mysql, samba, ftpd, proftpd, pop3's. These are the main packages and if they have a _remotely_ exploitable security hole, then it is a bad policy to leave these packages in -even the unstable- distro.

If you know of any such bugs, report them if they are not reported already, and (if you can) fix them by providing patches.

This is an old argument and I do not wish to go over it again.

--
 - mdz
Strongest linux
Hi all,

I want to set up a new linux server on the internet (apache, php, postfix, mysql, dns...), and I would like to patch the standard kernel with some security patches. But my question is, what patches are the best??

- Openwall ??
- TrustedDebian ??
- LIDS ??

Any suggestions??

thx a lot.

Javier.
Re: OT: An Idea for an IDS
On Tue, Jul 01, 2003 at 10:22:33AM +0200, Volker Tanger wrote:
> ...which is the official license to shoot yourself in the foot. What happens if I send you a forged, suspicious packet with source IP equal to the IP address of your gateway router, your DNS server, your internal system(s), ...

This is not necessarily a serious problem. In case of using Snort as an IDS you can make it send alerts only for established TCP sessions. You are right when you assume that a single IP packet with a spoofed source address makes your system go nuts. However, running snort with the options "-z est" does exactly this. It's very hard (if not hardly possible) to spoof established TCP sessions.

I was already thinking about packaging guardian which creates iptables/ipchains rules for every established connection which looks dangerous. Unfortunately the quality of the upstream package is currently 'garbage'.

In addition any script doing such dynamic blocking of other hosts should be able to know which network is friend and which is foe. :)

Christoph
Re: OT: An Idea for an IDS
Volker Tanger said:
> ...which is the official license to shoot yourself in the foot. What happens if I send you a forged, suspicious packet with source IP equal to the IP address of your gateway router, your DNS server, your internal system(s), ...

I think that if you implement some good whitelists, the problem does not exist. There's a plugin (or something like this) in snort that works in a similar way.

I don't know if someone is interested, but I started a new project of an mdids on Sourceforge. I posted the project proposal to Sourceforge:

Project Descriptive Name: Astu mdids
Project UNIX Name: astu
Project Description: Multiplatform distributed intrusion detection system
Registration Description: The project should be a distributed intrusion detection system. It should be composed of a central server which communicates securely with satellites on the perimeter of the LAN. The central server should admin all the sensors (changing firewall rules dynamically) and receive all the alerts, and manage them by filtering and sending them by mail, SMS, or print. The server itself is managed by a web interface. The perimetral sensors should be firstly based on the snort engine, but the goal of the project is to provide a fully centralized system which can operate with various OSes and technologies (firewalls, etc.). It should be interesting to develop Windows sensors, which few IDSs implement, but important in a real multiplatform LAN.
License: GNU General Public License (GPL)

The project has been approved, and I have found lots of people interested in it. We're going to start it in the next few weeks... If you're interested please reply to me. I'm a debian user, so it would be nice to develop it for deb.

Bye

PS: please forgive me if I am too OT

--
Lucius in fabula
www.lucius.it
Open PGP Key: www.lucius.it/lucius.asc
Re: Announcement: APT Secure
[EMAIL PROTECTED] said:
> That answer is pretty easy to find, too. Look at the description of the debian-keyring package.
>
> The Debian project wants developers to digitally sign the announcements of their packages with GnuPG, to protect against forgeries. This package contains keyrings of GnuPG and (deprecated) PGP keys of developers.

Read literally, I guess you're saying the archive key isn't in there because it's not a developer's key.

More broadly, though, if one of the goals of debian developers using gpg keys is to protect against forgeries, and debian-keyring contains their keys to further this goal, and apt-secure is a further advancement of this same goal, then wouldn't debian-keyring be a logical way to distribute the archive's public key?

Distributing the key this way would be akin to the way ssl CA certificates are distributed via the ca-certificates package. It's not perfect, but it's better than downloading the public key from the first hit your google search turns up. At least when it's distributed with the OS, you can compare your installed version with the one on an old CD or something.

Jason
port forwarding issues
hello!

i'm about to set up port forwarding on a firewall to be able to reach some hosts on the lan from the outside. i wish to use iptables prerouting rules. my question is, is there a way to detect the port forwarding, and/or get info about the host i forward to (ip address mainly)? i mean: is an outsider able to do this? supposing that the service i reach is free of bugs. as of my understanding of prerouting, this is not likely.

thanks, p
Re: Why is proftpd always started when one update it?
Matt Zimmerman said:
> On Mon, Jun 30, 2003 at 12:51:46PM -0500, CARMICHAEL, SHAWN (ASI) wrote:
> > That occurs because that is how it is packaged in the .deb when you download and update it. Unless you package your own from source there is no work around.
>
> There is no need for a work-around. What is needed is to read the documentation for the proper way to disable startup of a daemon.

I agree with you for the /etc/rcX.d symlinks, but various packages (not sure about proftpd) start their daemon when upgraded even if it was not started before and there is no start link in /etc/rcX.d, only stop links: I had this behaviour with tomcat4 for example, or fetchmail.

I, too, find this behaviour a little annoying and don't know if there is a defined Debian policy.

Philippe
Re: request to german speaking users
Christoph Haas wrote:
> > hm, patches. i'm not good at creating patches. would it help too if i/we send you this word, sentence, page XX.. and the like?
>
> That's a terrible burden for Alexander to create text from it. Please get the docbook formatted code and do a revision. Then just do a diff and send the output.

hm, ok, i'll try.

--
BOFH excuse #413: Cow-tippers tipped a cow onto the server.
Re: crypto filesystem
Dale Amon wrote:
> You should probably go over to linux-crypto. If it's loop-aes, ask Jaari; otherwise one of the others might.

yes, i've done so and Jari was as helpful as you said :-)

Thanks,
Christian.

--
BOFH excuse #413: Cow-tippers tipped a cow onto the server.
Re: OT: An Idea for an IDS
On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
> >
> > Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?
>
> Not really a good idea. Consider what happens when someone forges the IP addresses.

One can predefine trusted or other very important IP addresses which cannot be blocked. In fact, such a utility exists and is present in Debian Woody: fwlogwatch.

HTH

--
 Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
 [EMAIL PROTECTED] http://www.lodz.tpsa.pl/   | ones and zeros.
Re: OT: An Idea for an IDS
On Tuesday, 1 July 2003 04:39, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
> >
> > Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?
>
> Not really a good idea. Consider what happens when someone forges the IP addresses.

Unless you only apply this kind of rule based on traffic which implies a negotiation. If _there is_ a negotiation between the client and the server (they exchange SYN, ACKs and so on), then you do know that the source IP is one of:

a) The real client.

b) Another computer in their same LAN sniffing the traffic and generating the appropriate responses, a la Man In The Middle, in which case, hey, you lost service because another computer in your network was bugging me and I cut your traffic.

-- OR --

c) Someone in _your own LAN_ trying to fuck you, but no, wait, that can't happen because then they would come from a different network interface and so you'd know the IP has been forged (you cannot have a petition from 213.96.93.221 coming from your internal interface, as you cannot have one from 192.168.1.1 coming from the external one).

If I'm wrong, please tell me.

Regards

The Pope

--
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]
PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
Re: OT: An Idea for an IDS
Look at snort 2.0.0 [1]. It's an Intrusion Detection System. There's a preprocessor for Snort called 'Guardian' [2] to do things like you want. But read the other answers in this thread carefully!

Thomas Bechtold

[1] http://snort.org
[2] http://www.chaotic.org/guardian/

On Tuesday 01 July 2003 00:38, Phillip Hofmeister wrote:
> Greets all,
>
> A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go:
>
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?
>
> Just throwing out a random conscious thought,
>
> --
> Phillip Hofmeister
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #202: That's easy to fix but I can't be bothered.
Re: OT: An Idea for an IDS
> A daemon sits running in the background listening to a special device
> [...]
> Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?

Abacus Portsentry binds itself to ports and detects IP/UDP scans, and Hostsentry looks over login activity and issues countermeasures. Both can issue a wide range of (actually customizable) firewalling rules.

I've been running portsentry for some years now and can say you definitely have to exclude some hosts (which is configurable), lowering the security effect. Hostsentry isn't too far developed, but both come in handy together with Abacus Logcheck. Portsentry and Logcheck are in sid, but (surely because of the experimental state of it) Hostsentry isn't. Also I have not seen progress with it during the last years, staying at version 0.2...

If you want to start your own project, you'll have to guarantee _you_ can always login. Also, with dynamic IPs those rules should be outdated after some time. Portsentry for example writes entries to /etc/hosts.deny, which you'll have to clean out for yourself. This is ugly.

But, with 2-3 XML parsers for config files defining patterns, actions and rules (pattern-action), you could build a rather easy to maintain threat reaction system in Perl with little effort. If you're interested in building one, I am...

Greetings,

--
Thomas Ritter

Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety. - Benjamin Franklin
Re: OT: An Idea for an IDS
At 22:39 on Jun 30, Matt Zimmerman shook the earth with:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > Are there any projects out there to do this right now? If not, is this a good idea? If it is, who would be a person/group that would be qualified and have the time/interest to develop it?
>
> Not really a good idea. Consider what happens when someone forges the IP addresses.

You can combat some of this with a simple list of IP addresses/hostnames/networks that should never under any circumstances be blocked.

Another problem seems to be that script kiddies aren't always doing recon before they do an attack; it seems to be fairly common lately to just run a series of scripted attacks against a range of IPs (so if you are vulnerable, you could be exploited at the same time the IDS detects the attack, if it is detected). Just need to be sure that your IDS and signatures/detection scheme is up to date, and also possibly use a TCP reset when you do the block.

SnortSam does something just like this for commercial products and also IPtables (among other packet filtering schemes); they do include the ability to timeout a block and to whitelist IPs. http://www.snortsam.net

-nicole
Re: Strongest linux
On Tue, Jul 01, 2003 at 02:36:37PM +0200, Javier Castillo Alcibar wrote:
> Hi all,
>
> I want to set up a new linux server on the internet (apache, php, postfix, mysql, dns...), and I would like to patch the standard kernel with some security patches. But my question is, what patches are the best??
>
> - Openwall ??
> - TrustedDebian ??
> - LIDS ??
>
> Any suggestions??

Check this out: http://www.grsecurity.net/features.php
Re: port forwarding issues
Peter A. Felvegi [EMAIL PROTECTED] wrote:
> i'm about to set up port forwarding on a firewall to be able to reach some hosts on the lan from the outside. i wish to use iptables prerouting rules. my question is, is there a way to detect the port forwarding, and/or get info about the host i forward to (ip address mainly)? i mean: is an outsider able to do this? supposing that the service i reach is free of bugs. as of my understanding of prerouting, this is not likely.

You are right. If the host the connection is forwarded to does not tell the client its real IP address, the client will never get to know it.

Paul
Re: Why is proftpd always started when one update it?
On Tue, Jul 01, 2003 at 05:49:58PM +0200, Philippe Marzouk wrote:
> I agree with you for the /etc/rcX.d symlinks, but various packages (not sure about proftpd) start their daemon when upgraded even if it was not started before and there is no start link in /etc/rcX.d, only stop links: I had this behaviour with tomcat4 for example, or fetchmail.

I am not sure whether it is strictly required, but it is very easy to support this (not starting on upgrade if the service is disabled), so you should file bugs if this still happens with the most recent versions of these packages.

http://www.debian.org/doc/debian-policy/ch-opersys.html#s10.3.3.2

--
 - mdz
Re: OT: An Idea for an IDS
On Tue, Jul 01, 2003 at 05:57:27PM +0200, Tomasz Papszun wrote:
> On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> > Not really a good idea. Consider what happens when someone forges the IP addresses.
>
> One can predefine trusted or other very important IP addresses which cannot be blocked. In fact, such a utility exists and is present in Debian Woody: fwlogwatch.

Which ones are important? For example, one could forge packets from millions of random IP addresses, popular web sites, etc. and easily DoS such a system.

--
 - mdz
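The replies in this thread converge on a few safeguards for any log-driven blocker: a list of addresses that must never be blocked (gateway, DNS, internal networks), a strike threshold rather than a block on the first hit, a timeout so blocks expire, and a cap on active blocks so a flood of forged sources cannot fill the firewall. The following is an added example (not code from any poster or from the tools named here) of that decision logic; the proftpd-style log lines and all addresses are constructed, and the engine only emits decisions rather than touching iptables.

```python
"""Decision engine for a log-driven blocker: never-block list, strike
threshold, block expiry and a cap on active blocks.  It emits decisions;
wiring a "block" decision to the firewall is left to the caller."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not from any real system), proftpd-like style.
# 203.0.113.x are outside hosts; 198.51.100.1 plays the gateway router.
SAMPLE_LOG = [
    "Jul  1 10:00:01 gw proftpd[4711]: USER root (Login failed): Incorrect password from 203.0.113.7",
    "Jul  1 10:00:02 gw proftpd[4712]: USER ftp (Login failed): Incorrect password from 203.0.113.7",
    "Jul  1 10:00:03 gw proftpd[4713]: USER backup (Login failed): Incorrect password from 203.0.113.7",
    "Jul  1 10:00:04 gw proftpd[4714]: USER root (Login failed): Incorrect password from 198.51.100.1",
    "Jul  1 10:00:04 gw proftpd[4715]: USER root (Login failed): Incorrect password from 198.51.100.1",
    "Jul  1 10:00:04 gw proftpd[4716]: USER root (Login failed): Incorrect password from 198.51.100.1",
    "Jul  1 10:00:05 gw proftpd[4717]: USER alice (Login failed): Incorrect password from 203.0.113.9",
    "Jul  1 10:00:06 gw sshd[4718]: Accepted publickey for alice from 203.0.113.9 port 4242",
    "Jul  1 10:00:07 gw proftpd[4719]: USER root (Login failed): Incorrect password from 203.0.113.8",
    "Jul  1 10:00:08 gw proftpd[4720]: USER ftp (Login failed): Incorrect password from 203.0.113.8",
    "Jul  1 10:00:09 gw proftpd[4721]: USER backup (Login failed): Incorrect password from 203.0.113.8",
    "Jul  1 10:00:10 gw proftpd[4722]: USER root (Login failed): Incorrect password from 203.0.113.7",
]

# Administrative accounts nobody should be logging in with over FTP.
ADMIN_ACCOUNTS = {"root", "ftp", "backup"}

# Pattern for the constructed log format above (assumption, not proftpd's real format).
LOGIN_FAILED = re.compile(
    r"proftpd\[\d+\]: USER (?P<user>\S+) \(Login failed\): .*?from (?P<ip>\d+(?:\.\d+){3})$"
)


class BlockDecider:
    def __init__(self, never_block, threshold=3, block_ttl=600, max_active=100):
        # Networks that are never blocked, however suspicious the log looks.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.threshold = threshold      # failed admin logins before a block
        self.block_ttl = block_ttl      # seconds a block stays in place
        self.max_active = max_active    # upper bound on simultaneous blocks
        self.strikes = defaultdict(int)
        self.active = {}                # ip -> expiry timestamp

    def is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def expire(self, now):
        """Drop blocks whose TTL has passed; returns the released IPs."""
        expired = [ip for ip, until in self.active.items() if until <= now]
        for ip in expired:
            del self.active[ip]
            self.strikes.pop(ip, None)
        return expired

    def observe(self, line, now):
        """Return (ip, decision) for a relevant line, or None otherwise."""
        self.expire(now)
        m = LOGIN_FAILED.search(line)
        if not m or m.group("user") not in ADMIN_ACCOUNTS:
            return None
        ip = m.group("ip")
        if self.is_protected(ip):
            return (ip, "protected")        # logged, never blocked
        if ip in self.active:
            return (ip, "already-blocked")
        self.strikes[ip] += 1
        if self.strikes[ip] < self.threshold:
            return (ip, "strike")
        if len(self.active) >= self.max_active:
            return (ip, "cap-reached")      # refuse to grow the rule set
        self.active[ip] = now + self.block_ttl
        return (ip, "block")


def run(lines, decider, start=1_000_000.0):
    """Feed lines in order, one second apart, collecting the decisions."""
    decisions = []
    for i, line in enumerate(lines):
        d = decider.observe(line, start + i)
        if d:
            decisions.append(d)
    return decisions


if __name__ == "__main__":
    decider = BlockDecider(["198.51.100.1/32", "192.168.0.0/16"], max_active=1)
    for ip, decision in run(SAMPLE_LOG, decider):
        print(f"{ip:15} {decision}")
```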
xfree86 4.2.1-9, cve CAN-2003-0063 and CAN-2003-0071
According to http://packages.qa.debian.org/x/xfree86/news/1.html xfree86 4.2.1-9 fixes some security issues (just in xterm?) along with doing some other things. Drew Daniels -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: samba woody
- Original message - On Tue, 1 Jul 2003 00:39:29 +0200 (CEST) Bencsath Boldizsar [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]: Hi, Do You (We) really surely want to include buggy samba 2.2.3a-12, more than half year old in 'testing' release? I already know one guy with a 1 week old 'testing' debian hacked through samba. (I know, it's -12.3 on security for stable, and samba is not secure at all, but I think this one needs an upgrade ASAP...) Forgive my intrusion, but why would you want to bind samba to your NIC which is connected directly to the Internet? If it's possible to bind samba to another NIC (for your LAN only) and/or to firewall it off with iptables and tcpwrappers, then do so. /etc/samba/smb.conf ;interface stuff bind interfaces only = yes interfaces = eth1 192.168.0.33 127.0.0.1 socket address = 192.168.0.33 This works perfectly for my LAN, which consists of a total of 8 workstations. Met vriendelijke groet, / Kind regards, Jan reilink -- /\ ASCII Ribbon Campaign \ / No HTML in mail or news! X / \ DSINet: http://www.dsinet.org/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: port forwarding issues
On Tue, Jul 01, 2003 at 05:52:35PM +0200, Peter A. Felvegi wrote: hello! i'm about to set up port forwarding on a firewall to be able to reach some hosts on the lan from the outside. i wish to use iptables prerouting rules. my question is, is there a way to detect the port forwarding, and/or get info about the host i forward to (ip address mainly) ? i mean: is an outsider able to do this? supposing that the service i reach is free of bugs. as of my understanding of prerouting, this is not likely. If I understood correctly, there's several ways to detect Port-Forwarding. One may be a slightly lower ttl of packets coming from the 'forwarded' box, another may be a port-scan announcing (port 80) Linux as server-os and an IIS as web-server. the internal ip of the forwarded host will most surely remain unknown to an outsider unless he manages to get _in_side. greetz Horst -- Have you noticed the way people's intelligence capabilities decline sharply the minute they start waving guns around? -- Dr. Who -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Announcement: APT Secure
On Mon, Jun 30, 2003 at 04:16:39PM +, Jason Lunz wrote:
> [EMAIL PROTECTED] said:
> > Where should I get the key? And why isn't it in debian-keyring? I've got the current sid version.
> http://www.debian.org/releases/
>
> Well, that wasn't too hard to find, of course. The where question was mostly rhetorical. More importantly, why on earth isn't the archive master key in debian-keyring?

That answer is pretty easy to find, too. Look at the description of the debian-keyring package.

--
- mdz
Re: Why is proftpd always started when one update it?
On Mon, Jun 30, 2003 at 12:51:46PM -0500, CARMICHAEL, SHAWN (ASI) wrote:
> That occurs because that is how it is packaged in the .deb when you download and update it. Unless you package your own from source there is no work around.

There is no need for a work-around. What is needed is to read the documentation for the proper way to disable startup of a daemon.

--
- mdz
Re: OT: An Idea for an IDS
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.

Not really a good idea. Consider what happens when someone forges the IP addresses.

--
- mdz
Re: samba woody
On Tue, Jul 01, 2003 at 12:39:29AM +0200, Bencsath Boldizsar wrote:
> Do You (We) really surely want to include buggy samba 2.2.3a-12, more than half a year old, in the 'testing' release? I already know one guy with a 1 week old 'testing' debian hacked through samba. (I know, it's -12.3 on security for stable, and samba is not secure at all, but I think this one needs an upgrade ASAP...)

I am pleased to hear of your interest in helping to improve Debian testing. Here are some links to get you started in your efforts to help get a new version of samba into testing:

http://buildd.debian.org/fetch.php?pkg=samba&ver=3.0.0beta1-1&arch=arm&stamp=1055147113&file=log&as=raw
http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=slapd&sev-inc=critical&sev-inc=grave&sev-inc=serious
http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=acl&sev-inc=critical&sev-inc=grave&sev-inc=serious

All of those things need to be fixed in order to get a new samba into testing.

--
- mdz
Re: samba woody
What about something like this 5-minute change?:

Template: samba/security_warning
Type: boolean
Default: false
Description: Warning! Serious Warning!
 This version of samba contains remotely exploitable SERIOUS vulnerabilities! If you continue the install You will definitely be a target of CRACKING activity! DO NOT INSTALL THIS VERSION OF SAMBA UNLESS YOU KNOW WHAT YOU ARE DOING! If You don't know why you are going to install this version, you should check your debian version and security fixes lists (e.g. /etc/apt/sources.list) and Debian Security announcements! Do not use the testing release if You cannot afford to keep up with the latest news!!! Do You really-really want to install this vulnerable version of samba?

and some db_get samba/security_warning in the preinst script...

BTW, it could be standardized throughout the packages that dpkg would invoke such a dialog for every package marked with some notes.

I know Your reasons not to include a bad version, but some reasons from the practical side:
- Many users do not read security mailing lists
- Many users have some reasons to use the unstable/testing distribution (e.g. libc6 compatibility issues with some non-debian software)
- They also need to be secure
- Or at least, we should push some warning for them
- Or at least, we should maintain some extra security effort for the following packages: exim, sendmail, apache, php, mysql, samba, ftpd, proftpd, pop3's. These are the main packages, and if they have a _remotely_ exploitable security hole, then it is a bad policy to leave these packages in - even the unstable - distro.

boldizsar

On Mon, 30 Jun 2003, Matt Zimmerman wrote:
> On Tue, Jul 01, 2003 at 12:39:29AM +0200, Bencsath Boldizsar wrote:
> > Do You (We) really surely want to include buggy samba 2.2.3a-12, more than half a year old, in the 'testing' release? I already know one guy with a 1 week old 'testing' debian hacked through samba. (I know, it's -12.3 on security for stable, and samba is not secure at all, but I think this one needs an upgrade ASAP...)
>
> I am pleased to hear of your interest in helping to improve Debian testing. Here are some links to get you started in your efforts to help get a new version of samba into testing:
> http://buildd.debian.org/fetch.php?pkg=samba&ver=3.0.0beta1-1&arch=arm&stamp=1055147113&file=log&as=raw
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=slapd&sev-inc=critical&sev-inc=grave&sev-inc=serious
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=acl&sev-inc=critical&sev-inc=grave&sev-inc=serious
> All of those things need to be fixed in order to get a new samba into testing.
>
> --
> - mdz
Re: OT: An Idea for an IDS
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.

google for adaptive firewall, maybe you get some hits. I remember some guardian project; but it was conceptually not that convincing. some combination of snort and perl script...

speaking of snort: wasn't there an option named react: block?

btw, if you suck on syslog, anyone who is able to fake syslog entries (and that's about any local user, and maybe some more) can easily DoS arbitrary ips unless these are on a whitelist... no good!

hth,
Lars Ellenberg
Re: OT: An Idea for an IDS
Check out psad, which is similar to what you want (and I use it)... You can see psad at http://www.cipherdyne.com/psad/, which is somehow related to Bastille Linux http://www.bastille-linux.org/. Or just apt-get install psad.

--jordan

On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> Greets all,
>
> A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go:
>
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Just throwing out a random conscious thought,
> --
> Phillip Hofmeister
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #202: That's easy to fix but I can't be bothered.
Re: samba woody
On Tue, Jul 01, 2003 at 12:47:36PM +0200, Boldizsar BENCSATH wrote:
> What about something like this 5-minute change?:
>
> Template: samba/security_warning
> Type: boolean
> Default: false
> Description: Warning! Serious Warning!
>  This version of samba contains remotely exploitable SERIOUS vulnerabilities! If you continue the install You will definitely be a target of CRACKING activity! DO NOT INSTALL THIS VERSION OF SAMBA UNLESS YOU KNOW WHAT YOU ARE DOING! If You don't know why you are going to install this version, you should check your debian version and security fixes lists (e.g. /etc/apt/sources.list) and Debian Security announcements! Do not use the testing release if You cannot afford to keep up with the latest news!!! Do You really-really want to install this vulnerable version of samba?
>
> and some db_get samba/security_warning in the preinst script...

I would rather see the bugs fixed. They already have been; it's just that a few showstopper bugs need to be fixed before the new version goes in.

> I know Your reasons not to include a bad version, but some reasons from the practical side:
> - Many users do not read security mailing lists

They have already lost if they do not AT LEAST subscribe to the notification lists that we provide.

> - Many users have some reasons to use the unstable/testing distribution (e.g. libc6 compatibility issues with some non-debian software)

Then they should upgrade selective packages and monitor those packages for (e.g.) security problems. This is no reason to upgrade the entire system (for example, samba).

> - They also need to be secure

They need to work at this. It is not automatic.

> - Or at least, we should push some warning for them

We prominently declare on the web site that unreleased packages may have security problems and other bad bugs.

> - Or at least, we should maintain some extra security effort for the following packages: exim, sendmail, apache, php, mysql, samba, ftpd, proftpd, pop3's. These are the main packages, and if they have a _remotely_ exploitable security hole, then it is a bad policy to leave these packages in - even the unstable - distro.

If you know of any such bugs, report them if they are not reported already, and (if you can) fix them by providing patches. This is an old argument and I do not wish to go over it again.

--
- mdz
Strongest linux
Hi all,

I want to set up a new linux server on the internet (apache, php, postfix, mysql, dns...), and I would like to patch the standard kernel with some security patches. But my question is, what patches are the best??
- Openwall ??
- TrustedDebian ??
- LIDS??

Any suggestions?? thx a lot.

Javier.
Re: OT: An Idea for an IDS
On Tue, Jul 01, 2003 at 10:22:33AM +0200, Volker Tanger wrote:
> ...which is the official license to shoot yourself in the foot. What happens if I send you a forged, suspicious packet with source-IP equal to the IP address of your gateway router, your DNS server, your internal system(s), ...

This is not necessarily a serious problem. In case of using Snort as an IDS you can make it send alerts only for established TCP sessions. You are right when you assume that a single IP packet with a spoofed source address makes your system go nuts. However, running snort with the options -z est does exactly this. It's very hard (if not hardly possible) to spoof established TCP sessions.

I was already thinking about packaging guardian, which creates iptables/ipchains rules for every established connection which looks dangerous. Unfortunately the quality of the upstream package is currently 'garbage'.

In addition, any script doing such dynamic blocking of other hosts should be able to know which network is friend and which is foe. :)

Christoph
--
~ ~ .signature [Modified] 3 lines --100%--3,41 All
Re: Announcement: APT Secure
[EMAIL PROTECTED] said:
> That answer is pretty easy to find, too. Look at the description of the debian-keyring package.

  The Debian project wants developers to digitally sign the announcements of their packages with GnuPG, to protect against forgeries. This package contains keyrings of GnuPG and (deprecated) PGP keys of developers.

Read literally, I guess you're saying the archive key isn't in there because it's not a developer's key. More broadly, though, if one of the goals of debian developers using gpg keys is to protect against forgeries, and debian-keyring contains their keys to further this goal, and apt-secure is a further advancement of this same goal, then wouldn't debian-keyring be a logical way to distribute the archive's public key?

Distributing the key this way would be akin to the way ssl CA certificates are distributed via the ca-certificates package. It's not perfect, but it's better than downloading the public key from the first hit your google search turns up. At least when it's distributed with the OS, you can compare your installed version with the one on an old CD or something.

Jason
port forwarding issues
hello!

i'm about to set up port forwarding on a firewall to be able to reach some hosts on the lan from the outside. i wish to use iptables prerouting rules. my question is, is there a way to detect the port forwarding, and/or get info about the host i forward to (ip address mainly)? i mean: is an outsider able to do this? supposing that the service i reach is free of bugs. as of my understanding of prerouting, this is not likely.

thanks, p
Re: Why is proftpd always started when one update it?
Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 12:51:46PM -0500, CARMICHAEL, SHAWN (ASI) wrote:
> > That occurs because that is how it is packaged in the .deb when you download and update it. Unless you package your own from source there is no work around.
>
> There is no need for a work-around. What is needed is to read the documentation for the proper way to disable startup of a daemon.

I agree with you for the /etc/rcX.d symlinks, but various packages (not sure about proftpd) start their daemon when upgraded even if it was not started before and there is no start link in /etc/rcX.d, only stop links: I had this behaviour with tomcat4 for example, or fetchmail.

I, too, find this behaviour a little annoying and don't know if there is a defined Debian policy.

Philippe
Re: OT: An Idea for an IDS
On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
> >
> > Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Not really a good idea. Consider what happens when someone forges the IP addresses.

One can predefine trusted or other very important IP addresses which cannot be blocked. In fact, such a utility exists and is present in Debian Woody: fwlogwatch.

HTH
--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/    | ones and zeros.
Re: OT: An Idea for an IDS
On Tuesday, 1 July 2003 04:39, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
> >
> > Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Not really a good idea. Consider what happens when someone forges the IP addresses.

Unless you only apply this kind of rule based on traffic which implies a negotiation. If _there is_ a negotiation between the client and the server (they exchange SYN, ACKs and so on), then you do know that the source IP is one of:

a) The real client.

b) Another computer in their same LAN sniffing the traffic and generating the appropriate responses, a la Man In The Middle, in which case, hey, you lost service because another computer in your network was bugging me and I cut your traffic.

-- OR --

c) Someone in _your own LAN_ trying to fuck you, but no, wait, that can't happen because then they would come from a different network interface and so you'd know the IP has been forged (you cannot have a petition from 213.96.93.221 coming from your internal interface, as you cannot have one from 192.168.1.1 coming from the external one).

If I'm wrong, please tell me.

Regards

The Pope
--
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]
PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
Re: OT: An Idea for an IDS
Look at snort 2.0.0 [1]. It's an Intrusion Detection System. There's a preprocessor for Snort called 'Guardian' [2] to do things like you want. But read the other answers in this thread carefully!

Thomas Bechtold

[1] http://snort.org
[2] http://www.chaotic.org/guardian/

On Tuesday 01 July 2003 00:38, Phillip Hofmeister wrote:
> Greets all,
>
> A previous post spawned an idea of mine. I am not sure if there is a project available for this or not. Here we go:
>
> A daemon sits running in the background listening to a special device (/dev) or an IPC which would originate from syslog-ng. This daemon would then parse the log and look for suspicious things. If it found something suspicious it would use regular expression to grab out pertinent parts of the log (say the IP address) and act on the log accordingly (in real time) by say dropping an IPTABLE rule down on the IP address.
>
> Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Just throwing out a random conscious thought,
> --
> Phillip Hofmeister
> PGP/GPG Key: http://www.zionlth.org/~plhofmei/
> wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
> --
> Excuse #202: That's easy to fix but I can't be bothered.
Re: OT: An Idea for an IDS
> A daemon sits running in the background listening to a special device
> Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.

Abacus Portsentry binds itself to ports and detects IP/UDP scans, and Hostsentry looks over login activity and issues countermeasures. Both can issue a wide range of (actually customizable) firewalling rules. I've been running portsentry for some years now and can say you definitely have to exclude some hosts (which is configurable), lowering the security effect. Hostsentry isn't too far developed, but both come in handy together with Abacus Logcheck. Portsentry and Logcheck are in sid, but (surely because of the experimental state of it) Hostsentry isn't. Also I have not seen progress with it during the last years, staying at version 0.2...

If you want to start your own project, you'll have to guarantee _you_ can always login. Also, with dynamic IPs those rules should be outdated after some time. Portsentry for example writes entries to /etc/hosts.deny, which you'll have to clean out for yourself. This is ugly.

But, with 2-3 XML parsers for config files defining patterns, actions and rules (pattern-action), you could build a rather easy to maintain threat reaction system in Perl with little effort. If you're interested in building one, I am...

Greetings,
--
Thomas Ritter
Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety. - Benjamin Franklin
Re: OT: An Idea for an IDS
At 22:39 on Jun 30, Matt Zimmerman shook the earth with:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > Are there any projects out there to do this right now. If not, is this a good idea? If it is who would be a person/group that would be qualified and have the time/interest to develop it.
>
> Not really a good idea. Consider what happens when someone forges the IP addresses.

You can combat some of this with a simple list of IP addresses/hostnames/networks that should never under any circumstances be blocked.

Another problem seems to be that script kiddies aren't always doing recon before they do an attack; it seems to be fairly common lately to just run a series of scripted attacks against a range of IPs (so if you are vulnerable, you could be exploited at the same time the IDS detects the attack, if it is detected). Just need to be sure that your IDS and signatures/detection scheme is up to date, and also possibly use a TCP reset when you do the block.

SnortSam does something just like this for commercial products and also IPtables (among other packet filtering schemes); they do include the ability to timeout a block and to whitelist IPs. http://www.snortsam.net

-nicole
Re: Strongest linux
On Tue, Jul 01, 2003 at 02:36:37PM +0200, Javier Castillo Alcibar wrote:
> Hi all,
>
> I want to setup a new linux server in internet (apache, php, postfix, mysql, dns...), and I would like to patch the standard kernel with some security patches. but my question is, what patches are the best??
> - Openwall ??
> - TrustedDebian ??
> - LIDS??
>
> Any suggestions??

Check this out: http://www.grsecurity.net/features.php
Re: port forwarding issues
Peter A. Felvegi [EMAIL PROTECTED] wrote:
> i'm about to set up port forwarding on a firewall to be able to reach some hosts on the lan from the outside. i wish to use iptables prerouting rules. my question is, is there a way to detect the port forwarding, and/or get info about the host i forward to (ip address mainly)? i mean: is an outsider able to do this? supposing that the service i reach is free of bugs. as of my understanding of prerouting, this is not likely.

You are right. If the host the connection is forwarded to does not tell the client its real IP address, the client will never get to know it.

Paul
Re: Why is proftpd always started when one update it?
On Tue, Jul 01, 2003 at 05:49:58PM +0200, Philippe Marzouk wrote:
> I agree with you for the /etc/rcX.d symlinks but various packages (not sure about proftpd) start their daemon when upgraded even if it was not started before and there is no start link in /etc/rcX.d, only stop links : I had this behaviour with tomcat4 for example or fetchmail.

I am not sure whether it is strictly required, but it is very easy to support this (not starting on upgrade if the service is disabled), so you should file bugs if this still happens with the most recent versions of these packages.

http://www.debian.org/doc/debian-policy/ch-opersys.html#s10.3.3.2

--
- mdz
Re: OT: An Idea for an IDS
On Tue, Jul 01, 2003 at 05:57:27PM +0200, Tomasz Papszun wrote:
> On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> > Not really a good idea. Consider what happens when someone forges the IP addresses.
>
> One can predefine trusted or other very important IP addresses which cannot be blocked. In fact, such a utility exists and is present in Debian Woody: fwlogwatch.

Which ones are important? For example, one could forge packets from millions of random IP addresses, popular web sites, etc. and easily DoS such a system.

--
- mdz
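The objections raised across this thread (Matt's forged source addresses and the DoS-by-forgery point just above, Tomasz's and nicole's never-block list, Christoph's and Luis's restriction to established TCP sessions, nicole's blocks that time out) can be combined in one small design. The following is an added example written for this page; it is not code from psad, guardian, fwlogwatch, SnortSam or any other project named here. It assumes constructed syslog lines, constructed never-block networks (the 203.0.113.x addresses stand in for a gateway and DNS server), threshold and timeout values chosen for illustration, and it returns iptables command strings instead of executing them. It only acts on daemon messages that are logged after the server has already exchanged packets with the client, so a single packet with a forged source cannot trigger it; it does not address Lars's point that a local user who can write fake syslog entries could still feed it, which needs the log source itself to be restricted.

```python
# Added example for this thread (not psad, guardian, fwlogwatch or SnortSam code):
# a log-driven blocker that acts only on events logged after a completed TCP
# handshake, never blocks a protected network, requires repeated failures and
# expires its blocks. It returns iptables command strings instead of running them.
import ipaddress
import re
from collections import defaultdict, deque

# Never-block list: loopback, the LAN, and constructed placeholder gateway/DNS
# addresses. In real use these come from local configuration.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "192.168.0.0/16", "203.0.113.1/32", "203.0.113.2/32")]

# Daemon messages that are only logged once a TCP session is established (the
# server has already talked to the client), so one packet with a forged source
# cannot produce them. The sample lines below are constructed to match.
SESSION_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .+? from (?P<ip>\d+(?:\.\d+){3}) port \d+"),
    re.compile(r"proftpd\[\d+\]: .*?\[(?P<ip>\d+(?:\.\d+){3})\]\) - USER \S+: no such user"),
]

THRESHOLD = 3        # failures within WINDOW before a block is issued
WINDOW = 60          # seconds
BLOCK_SECONDS = 600  # blocks expire so dynamic addresses are not banned forever


class Blocker:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> expiry timestamp

    @staticmethod
    def is_protected(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in NEVER_BLOCK)

    def feed(self, line, t):
        """Return an iptables command if this log line (seen at time t) triggers a block."""
        for pat in SESSION_PATTERNS:
            m = pat.search(line)
            if m:
                return self._record(m.group("ip"), t)
        return None  # kernel packet logs etc. are ignored: a lone packet is spoofable

    def _record(self, ip, t):
        if self.is_protected(ip) or ip in self.blocked:
            return None
        q = self.failures[ip]
        q.append(t)
        while t - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) < THRESHOLD:
            return None
        q.clear()
        self.blocked[ip] = t + BLOCK_SECONDS
        return f"iptables -I INPUT -s {ip} -j DROP"

    def expire(self, t):
        """Return the commands that lift blocks whose time is up at time t."""
        done = [ip for ip, until in self.blocked.items() if t >= until]
        for ip in done:
            del self.blocked[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in done]


# Constructed syslog lines: a brute-force burst from an outside host, the same
# from a protected internal address, a lone kernel packet log whose source
# looks like the gateway, and a single FTP probe.
SAMPLE_LOG = """\
Jul  1 10:22:33 fw sshd[1234]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jul  1 10:22:35 fw sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
Jul  1 10:22:36 fw sshd[1234]: Failed password for root from 198.51.100.7 port 40114 ssh2
Jul  1 10:22:41 fw sshd[1240]: Failed password for root from 192.168.0.33 port 5000 ssh2
Jul  1 10:22:42 fw sshd[1240]: Failed password for root from 192.168.0.33 port 5001 ssh2
Jul  1 10:22:43 fw sshd[1240]: Failed password for root from 192.168.0.33 port 5002 ssh2
Jul  1 10:22:44 fw kernel: IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP SPT=1 DPT=22 SYN
Jul  1 10:22:50 fw proftpd[1300]: fw (198.51.100.9[198.51.100.9]) - USER root: no such user found
"""


def run_sample():
    """Replay SAMPLE_LOG one second per line, then let the block expire."""
    blocker = Blocker()
    actions = []
    t = 0
    for t, line in enumerate(SAMPLE_LOG.splitlines()):
        cmd = blocker.feed(line, t)
        if cmd:
            actions.append(cmd)
    actions.extend(blocker.expire(t + BLOCK_SECONDS + 1))
    return actions


if __name__ == "__main__":
    for cmd in run_sample():
        print(cmd)
```

Run against the sample, only the outside host that failed three times inside the window is blocked, and the block is lifted again once its timeout passes; the burst from 192.168.0.33 is ignored because it is on the never-block list, and the kernel line with the gateway's address as source never reaches the counter because a single packet proves nothing about who sent it. A real deployment would feed the commands to iptables, persist the block table, and take the never-block list and thresholds from configuration.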
xfree86 4.2.1-9, cve CAN-2003-0063 and CAN-2003-0071
According to http://packages.qa.debian.org/x/xfree86/news/1.html xfree86 4.2.1-9 fixes some security issues (just in xterm?) along with doing some other things.

Drew Daniels
Re: samba woody
- Original message -
On Tue, 1 Jul 2003 00:39:29 +0200 (CEST) Bencsath Boldizsar [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]:
> Hi,
>
> Do You (We) really surely want to include buggy samba 2.2.3a-12, more than half a year old, in the 'testing' release? I already know one guy with a 1 week old 'testing' debian hacked through samba. (I know, it's -12.3 on security for stable, and samba is not secure at all, but I think this one needs an upgrade ASAP...)

Forgive my intrusion, but why would you want to bind samba to your NIC which is connected directly to the Internet? If it's possible to bind samba to another NIC (for your LAN only) and/or to firewall it off with iptables and tcpwrappers, then do so.

/etc/samba/smb.conf
;interface stuff
bind interfaces only = yes
interfaces = eth1 192.168.0.33 127.0.0.1
socket address = 192.168.0.33

This works perfectly for my LAN, which consists of a total of 8 workstations.

Met vriendelijke groet, / Kind regards,
Jan Reilink
--
 /\  ASCII Ribbon Campaign
 \ / No HTML in mail or news!
  X
 / \ DSINet: http://www.dsinet.org/
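Jan's fragment confines smbd to the LAN interface and loopback. As an added example, not part of Jan's post and not Samba code, here is a small checker that reads the [global] section of an smb.conf and reports when that confinement is missing or incomplete. The three configurations are constructed for the example: the weak default with no interface restriction, Jan's hardened form, and a variant that sets bind interfaces only but still lists a public address (203.0.113.5 is a documentation address standing in for the Internet-facing NIC). Interface names such as eth1 are skipped, since the file alone cannot tell which network they sit on.

```python
# Added example (not Samba code, not from Jan's post): check whether an smb.conf
# [global] section confines smbd to LAN/loopback addresses.
import ipaddress

# RFC 1918 ranges plus loopback; anything else named in "interfaces" is flagged.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed configurations for the example.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   ; no interface restriction: smbd answers on every interface, Internet side included
"""

HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   ; interface stuff
   bind interfaces only = yes
   interfaces = eth1 192.168.0.33 127.0.0.1
   socket address = 192.168.0.33
"""

# bind interfaces only is set, but the list still names a public address
# (203.0.113.5 is a documentation address standing in for the external NIC).
LEAKY_CONF = """
[global]
   bind interfaces only = yes
   interfaces = eth0 203.0.113.5 eth1 192.168.0.33 127.0.0.1
"""


def parse_global(text):
    """Minimal smb.conf reader: returns the [global] parameters with keys
    lower-cased and whitespace-normalised; ';' and '#' lines are comments."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def check_exposure(text):
    """Return a list of findings; an empty list means smbd is confined to LAN/loopback."""
    p = parse_global(text)
    findings = []
    if p.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is not set: smbd listens on every interface")
    for item in p.get("interfaces", "").split():
        try:
            net = ipaddress.ip_network(item, strict=False)  # address or address/mask
        except ValueError:
            continue  # an interface name such as eth1; cannot be judged from the file alone
        if not any(net.subnet_of(lan) for lan in LAN_NETS):
            findings.append(f"interfaces names a non-LAN address: {item}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("leaky", LEAKY_CONF)):
        print(name, check_exposure(conf) or ["ok"])
```

The check complements, rather than replaces, the iptables and tcpwrappers restriction Jan mentions: a correct interfaces list keeps smbd from listening on the external address at all, while the packet filter catches the case where someone later edits the file or adds an interface.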
Re: port forwarding issues
On Tue, Jul 01, 2003 at 05:52:35PM +0200, Peter A. Felvegi wrote:
> hello!
>
> i'm about to set up port forwarding on a firewall to be able to reach some hosts on the lan from the outside. i wish to use iptables prerouting rules. my question is, is there a way to detect the port forwarding, and/or get info about the host i forward to (ip address mainly)? i mean: is an outsider able to do this? supposing that the service i reach is free of bugs. as of my understanding of prerouting, this is not likely.

If I understood correctly, there are several ways to detect port-forwarding. One may be a slightly lower TTL of packets coming from the 'forwarded' box, another may be a port-scan announcing (port 80) Linux as server OS and an IIS as web server. The internal IP of the forwarded host will most surely remain unknown to an outsider unless he manages to get _in_side.

greetz
Horst
--
Have you noticed the way people's intelligence capabilities decline sharply the minute they start waving guns around? -- Dr. Who
Re: Accounts for client programs
On Sun, Jun 29, 2003 at 11:22:42PM -0700, Simon Kirby wrote:
> It's probably possible for something to overflow an X packet or something in the middle and obtain root by opening a new shell and issuing commands, or maybe it's even possible for X clients to fake keystrokes to other windows, but most of the stuff I run is text-only anyway.

A program could connect to your X server even if it looks like a text-only program. Unless you ldd every new binary before you run it, it could even be linked to X libraries. (It would probably bulk up the binary a lot (i.e. noticeably) to statically link in enough X library stuff to send keystrokes to other windows, etc.)

Still, that's not the sort of thing a virus would usually do. It's more along the lines of what someone attacking you, personally, might try. (esp. after reading your message... :]

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , s.ca)

The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces! -- Plautus, 200 BC