Re: Package management and security
Ok, so apt-get update/upgrade -y in a cron job will work, but what about my first question? Let's say Debian stable has a foo-1.0 package. I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated to foo-1.0.1 for bugfix reasons. Meanwhile the author of foo releases version 2; Debian stable will not upgrade the package because version 2 adds more features, has new dependencies, ... And now the author releases version 2.1, a critical security fix: there is a flaw found from version 1 to 2. The Debian security team does its work and first tries to backport the security fix, but this time it's not possible, so they have no other choice than to package version 2.1 in the security channel. As version 2.1 has new dependency requirements which are not installed, apt-get upgrade will not update that package, right?

Even if 99% of the time this will work great, I can't accept this 1%. I could accept this 1% risk only if I have a way to be warned, the server automatically sending me a mail for example, but I think there is no way to do that because there is no way to interface with apt (no plugin system at that time). Am I right?

FP

> 2007/6/7, Riku Valli [EMAIL PROTECTED]:
>> Frédéric PICA wrote:
>>> Thanks for your answer,
>>>
>>> So I need to do an apt-get dist-upgrade in my cron job to be sure to always have the latest security fixes? What's the risk of having a needed package uninstalled that way?
>>>
>>> My goal is to have the latest security fixes for a server, but I have to be sure that dist-upgrade will not break my server by removing needed packages, for example mod_php for apache or things like that.
>>>
>>> FP
>>>
>>> 2007/6/7, Riku Valli [EMAIL PROTECTED]:
>>>> Frédéric PICA wrote:
>>>>> Greets,
>>>>>
>>>>> I saw in 'man apt-get' that using apt-get upgrade does not install new packages or remove an already installed package. Is it possible that I didn't get the latest security fixes using apt-get upgrade in a cron job?
>>>>>
>>>>> I think particularly about security fixes that can't be retro-ported to the Debian stable version and need the package to be upgraded to the latest version available from the author; what happens if the package dependencies change? Will the security-patched package be installed with its new dependencies anyway, or will the package not be upgraded?
>>>>>
>>>>> Thanks for your help,
>>>>> FP
>>>>
>>>> Hi
>>>>
>>>> apt-get upgrade only upgrades your packages to a newer version. When a package upgraded this way needs new extra packages, then upgrade can't upgrade your package. You must install it.
>>>>
>>>> -- Riku
>>
>> Hi
>>
>> In the normal case when you use Debian stable, you do only update/upgrade and possibly need the switch -y (assume yes for every question). At stable, dependencies normally never change. dist-upgrade is (at stable) only used when you update Debian releases from older to newer. In an older stable there was only one kernel upgrade which needed manual intervention.
>>
>> Maybe this is better explained in man aptitude, see below.
>>
>> upgrade
>>     Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused (see the section Managing Automatically Installed Packages in the aptitude reference manual); packages which are not currently installed will not be installed. If a package cannot be upgraded without violating these constraints, it will be kept at its current version. Use the dist-upgrade command to upgrade these packages as well.
>>
>> dist-upgrade
>>     Upgrades installed packages to their most recent version, removing or installing packages as necessary. This command is less conservative than upgrade and thus more likely to perform unwanted actions. Users are advised to either use upgrade instead or to carefully inspect the list of packages to be installed and removed.
>>
>> -- Riku
Re: iptables and nmap
Joan Hérisson wrote:
> Chain INPUT (policy DROP 17 packets, 1088 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   164       ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
>   225 18816 bad_tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     tcp  --  eth1   *       192.168.0.3          0.0.0.0/0            tcp dpt:22
>     0     0 ACCEPT     tcp  --  eth1   *       192.168.0.12         0.0.0.0/0            tcp dpt:22
>     0     0 ACCEPT     tcp  --  eth1   *       192.168.0.31         0.0.0.0/0            tcp dpt:22
>     0     0 ACCEPT     tcp  --  eth1   *       192.168.0.28         0.0.0.0/0            tcp dpt:22
>     0     0 REJECT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
>   162 18088 ACCEPT     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0

You accept all eth1 packets from the inner network.

>    10  1219 ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
>     4   156 ACCEPT     all  --  lo     *       192.168.0.1          0.0.0.0/0
>     8   528 ACCEPT     all  --  lo     *       193.51.128.146       0.0.0.0/0
>     0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68

hmm

>   140 10422 ACCEPT     all  --  *      *       0.0.0.0/0            193.51.128.146       state RELATED,ESTABLISHED
>    20  1280 tcp_packets  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain tcp_packets is parsed only for eth0 traffic, so your rules with -i eth1 in tcp_packets will never be hit.

>     0     0 udp_packets  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>    10   640 icmp_packets icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP       all  --  eth0   *       0.0.0.0/0            224.0.0.0/8
>     3   192 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 bad_tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>     2   152 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>     2   152 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   169 22018 bad_tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>    10  1219 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
>   166 16632 ACCEPT     all  --  *      *       192.168.0.1          0.0.0.0/0
>   120 16559 ACCEPT     all  --  *      *       193.51.128.146       0.0.0.0/0
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '

iptables will drop (and log) all other outgoing packets? So you cannot have a TCP connection if you are not on one of the 3 named machines.

> Chain allowed (20 references)
>  pkts bytes target     prot opt in     out     source               destination
>     3   192 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain bad_tcp_packets (3 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x12/0x12 state NEW reject-with tcp-reset
>   140       LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'

The author doesn't understand what NEW means (NEW is the first hit of a connection as seen by netfilter, not a new (--syn) TCP connection).

>   140       DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 state NEW
>
> Chain icmp_packets (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>    10   640 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 11
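The first finding in the reply above (rules matching -i eth1 inside tcp_packets, a chain that INPUT only ever enters for eth0 traffic) is mechanical enough to check with a script. The following is an added example for this thread, not code posted by anyone in it: it parses the output format of iptables -L -v -n (columns pkts, bytes, target, prot, opt, in, out, source, destination, as in the listing quoted above) and reports rules in user-defined chains whose input-interface match can never be satisfied because every jump into that chain comes from a single different interface. The listing it runs on here is a constructed, shortened sample, not Joan's ruleset; the column layout is an assumption about the iptables version in use.

```shell
#!/bin/sh
# Added example: find rules inside user-defined chains that match on an
# input interface the chain is never entered from. Reads `iptables -L -v -n`
# output on stdin (assumed columns: pkts bytes target prot opt in out ...).
# Only direct callers are considered; chains reached from several places
# (or from a rule with -i *) are left alone.

unreachable_iface_rules() {
    awk '
    /^Chain /  { chain = $2; builtin = ($3 == "(policy"); next }
    /^ *pkts/  { next }                      # column header line
    NF < 7     { next }                      # blank or truncated lines
    {
        target = $3; iif = $6
        # remember which input interfaces each target chain is jumped to from
        if (callers[target] == "") { callers[target] = iif }
        else if (index(" " callers[target] " ", " " iif " ") == 0) {
            callers[target] = callers[target] " " iif
        }
        # keep every rule that lives in a user-defined chain for the END pass
        if (!builtin) { n++; r_chain[n] = chain; r_iif[n] = iif }
    }
    END {
        for (i = 1; i <= n; i++) {
            c = r_chain[i]; cif = callers[c]
            # unreachable: the chain is only ever entered from one specific
            # interface and this rule insists on a different one
            if (cif != "" && cif != "*" && index(cif, " ") == 0 &&
                r_iif[i] != "*" && r_iif[i] != cif)
                printf "%s: rule wants -i %s but chain is only reached from %s\n", c, r_iif[i], cif
        }
    }'
}

# Constructed sample listing (not the ruleset from the thread): tcp_packets is
# entered from INPUT for eth0 only, yet its first rule asks for eth1.
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP 17 packets, 1088 bytes)
 pkts bytes target     prot opt in     out     source               destination
  225 18816 bad_tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
   20  1280 tcp_packets  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain tcp_packets (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 allowed    tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    3   192 allowed    tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain allowed (3 references)
 pkts bytes target     prot opt in     out     source               destination
    3   192 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02
EOF
)

# Run the check over the constructed sample; returns the report on stdout.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | unreachable_iface_rules
}

# On a live box (as root):  iptables -L -v -n | unreachable_iface_rules
check_sample
```

On the sample the only line reported is the eth1 rule in tcp_packets, which is the dead rule the reply points at; the eth0 and wildcard rules in the same chain pass, and the allowed chain is skipped because it is reached from more than one interface. The check says nothing about the NEW-versus-SYN misunderstanding, which is a semantic point rather than something visible in the rule columns.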
Re: Package management and security
The security team looks at the diffs for the patch to version 2 of the software, identifies the parts that fix the bug in version 1 and manually backports the bug fix to version 1. We end up with a Debian-specific version that doesn't introduce new dependencies or features. This works with great success (through a huge amount of effort) the majority of the time. Some packages are more difficult to do this with than others (i.e. Firefox; you can search the archives of this list for specific details about why).

On 6/8/07 3:56 AM, Frédéric PICA [EMAIL PROTECTED] wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work, but what about my first question? Let's say Debian stable has a foo-1.0 package. I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated to foo-1.0.1 for bugfix reasons. Meanwhile the author of foo releases version 2; Debian stable will not upgrade the package because version 2 adds more features, has new dependencies, ... And now the author releases version 2.1, a critical security fix: there is a flaw found from version 1 to 2. The Debian security team does its work and first tries to backport the security fix, but this time it's not possible, so they have no other choice than to package version 2.1 in the security channel. As version 2.1 has new dependency requirements which are not installed, apt-get upgrade will not update that package, right?
>
> Even if 99% of the time this will work great, I can't accept this 1%. I could accept this 1% risk only if I have a way to be warned, the server automatically sending me a mail for example, but I think there is no way to do that because there is no way to interface with apt (no plugin system at that time). Am I right?
>
> FP
Re: Package management and security
You want to use a combination of these commands at different times:

    apt-get -qq update          # necessary, no email desired
    apt-get -dy upgrade         # download minor updates, do not install, send email
    apt-get -y upgrade          # install minor updates, send email
    apt-get -qqdy dist-upgrade  # download major updates, do not install, no email
    apt-get -dy dist-upgrade    # download major updates, do not install, send email
    apt-get -y dist-upgrade     # install major updates, send email

This is what I do:

daily:
    apt-get -qq update
    apt-get -qqdy dist-upgrade
    apt-get -dy upgrade

weekly:
    apt-get -y upgrade
    apt-get -dy dist-upgrade

monthly:
    apt-get -y dist-upgrade

The daily cron job does not install anything and does not send email. It just loads the cache with everything (-qqdy dist-upgrade) and sends email about security updates (-dy upgrade). The weekly job installs upgrades and sends email about what it did, and also about which dist-upgrade packages it has downloaded (but not installed). The monthly job does a dist-upgrade (I'm ok with this) and sends email.

This approach is easy to tweak. What is important is that you can choose to download and send email and *not* install; this gives you a notice about what is available but requires you to manually log in and install them. For an environment with more critical servers you would scale this back; use apt-get dist-upgrade (no -y) or possibly even apt-get upgrade (no -y), which will send you email but not install anything automatically.

~mark

Frédéric PICA wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work, but what about my first question? Let's say Debian stable has a foo-1.0 package. I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated to foo-1.0.1 for bugfix reasons. Meanwhile the author of foo releases version 2; Debian stable will not upgrade the package because version 2 adds more features, has new dependencies, ... And now the author releases version 2.1, a critical security fix: there is a flaw found from version 1 to 2. The Debian security team does its work and first tries to backport the security fix, but this time it's not possible, so they have no other choice than to package version 2.1 in the security channel. As version 2.1 has new dependency requirements which are not installed, apt-get upgrade will not update that package, right?
>
> Even if 99% of the time this will work great, I can't accept this 1%. I could accept this 1% risk only if I have a way to be warned, the server automatically sending me a mail for example, but I think there is no way to do that because there is no way to interface with apt (no plugin system at that time). Am I right?
>
> FP
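Frédéric's worry, a security update that apt-get upgrade silently holds back because it needs new dependencies, and Mark's download-and-mail scheme meet in one place: apt-get prints the held packages under "The following packages have been kept back:" whether it is run with -d or with -s (simulate, which installs nothing). The script below is an added example for this thread, not code from Mark, Riku or Frédéric. It parses that list out of apt-get output and mails it, so a cron job can keep running the conservative upgrade and still warn when the 1% case happens. The sample apt-get output is constructed, and the mail command, the recipient address and running it from root's crontab are assumptions about the reader's setup.

```shell
#!/bin/sh
# Added example: warn about packages that `apt-get upgrade` keeps back.
# Assumes the Debian apt-get output format ("The following packages have
# been kept back:" followed by indented package names) and a working
# `mail` command; the recipient is a placeholder.

# Read apt-get output on stdin, print the kept-back package names one per line.
kept_back_packages() {
    awk '
    /^The following packages have been kept back:/ { grab = 1; next }
    grab && /^[^ ]/ { grab = 0 }              # next unindented line ends the list
    grab { for (i = 1; i <= NF; i++) print $i }
    '
}

# Constructed sample of `apt-get -s upgrade` output (not from any poster's box):
# foo needs a new dependency, so upgrade keeps it back while bash is upgraded.
SAMPLE_APT_OUTPUT=$(cat <<'EOF'
Reading package lists...
Building dependency tree...
Reading state information...
The following packages have been kept back:
  foo libfoo-data
The following packages will be upgraded:
  bash
1 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Inst bash [1.0-1] (1.0-2 Debian-Security:stable)
Conf bash (1.0-2 Debian-Security:stable)
EOF
)

# Parse the constructed sample; returns the held package names.
check_sample() {
    printf '%s\n' "$SAMPLE_APT_OUTPUT" | kept_back_packages
}

# Live use from cron (root). `apt-get -s upgrade` simulates and installs
# nothing, so this can run alongside the real upgrade step; mail is sent
# only when something is actually held back.
notify_kept_back() {
    admin="${1:-root}"                        # placeholder recipient
    apt-get -qq update
    kept=$(apt-get -s upgrade | kept_back_packages)
    if [ -n "$kept" ]; then
        printf 'Packages held back by apt-get upgrade on %s:\n%s\n' \
            "$(hostname)" "$kept" | mail -s "apt: packages kept back" "$admin"
    fi
}

check_sample
```

A daily crontab line such as "apt-get -qq update && apt-get -y upgrade; notify_kept_back admin@example.invalid" (address is a placeholder) keeps Riku's conservative upgrade and adds the warning Frédéric asked for. The same parser works on the output of Mark's "apt-get -dy upgrade", since the kept-back list is printed before the download starts; checking the names against the security announcements is still a job for a human, as Andrew's reply below argues.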
Re: Package management and security
On Fri, Jun 08, 2007 at 09:56:09AM +0200, Frédéric PICA wrote:
> Ok, so apt-get update/upgrade -y in a cron job will work, but what about my first question?

Don't do this :( The pace of change in Debian stable is very slow: as you correctly say, fixes are backported and so on, but it is still worth a human being checking what is to be upgraded; running this blind from a cron job may mean that you miss something important. Take the fact that Debian Sarge was updated 7 times over 2 1/2 years, the last time being just hours before the release of Etch. Point releases fix security and serious packaging bugs; each point release probably only contained 30-50 packages over a period of a few months. apt-get update once a week to see how much has changed and whether it is worth your while: then update carefully.

> Let's say Debian stable has a foo-1.0 package. I do apt-get upgrade -y in my cron job and one day I have foo-1.0 updated to foo-1.0.1 for bugfix reasons.

This is fairly typical.

> Meanwhile the author of foo releases version 2; Debian stable will not upgrade the package because version 2 adds more features, has new dependencies, ...

2 will probably be in testing, 1 will continue in stable. Critical fixes will be backported; if there are critical fixes which cannot be made, then it may be that the package will be considered for removal. This was one of the grounds for disagreement between Mozilla and Debian which led to Iceweasel: Mozilla don't want to support old versions, Debian don't want to just randomly change to new ones.

> And now the author releases version 2.1, a critical security fix: there is a flaw found from version 1 to 2. The Debian security team does its work and first tries to backport the security fix, but this time it's not possible, so they have no other choice than to package version 2.1 in the security channel.

Fixed in testing, backported fix to stable is the rule.

> As version 2.1 has new dependency requirements which are not installed, apt-get upgrade will not update that package, right?

Not automatically: quite often, in these situations, maintainers produce a package to ease transitions.

> Even if 99% of the time this will work great, I can't accept this 1%.

Given the scale and pace of change, it's not infeasible to check what will be updated and update methodically.

> I could accept this 1% risk only if I have a way to be warned, the server automatically sending me a mail for example, but I think there is no way to do that because there is no way to interface with apt (no plugin system at that time). Am I right?
>
> FP
Re: iptables and nmap
Hi!

* Manuel García [EMAIL PROTECTED] [2007-06-07 10:01]:
> On 6/7/07, Joan Hérisson [EMAIL PROTECTED] wrote:
> [...snip...]
>> Results:
>> - The server is still unreachable.
>> - When I do nmap localhost, I have port 80 open but not 8080.
>> - When I comment out the line for port 80 in firewall-start and I restart the firewall, I do nmap localhost, port 80 is still open.
>
> man nmap:
>     -p port ranges: Only scan specified ports
>     Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
>
> And if you have port 80 OPEN, that's because you have some webserver running on your machine (maybe apache?)
[...snip...]

If you are not sure that tomcat is listening on the port you expect, run lsof -i :$PORT on the server. In your case, just run

    lsof -i :80
    lsof -i :8080

This should give you an output like this:

    # lsof -i :80
    COMMAND   PID     USER   FD   TYPE   DEVICE SIZE NODE NAME
    apache2  7497 www-data   3u   IPv6 15254670      TCP  *:www (LISTEN)
    apache2  8408 www-data   3u   IPv6 15254670      TCP  *:www (LISTEN)
    apache2  8409 www-data   3u   IPv6 15254670      TCP  *:www (LISTEN)
    apache2  8428 www-data   3u   IPv6 15254670      TCP  *:www (LISTEN)
    apache2 11194 www-data   3u   IPv6 15254670      TCP  *:www (LISTEN)

In that case, apache2 with five instances (different PIDs) running under the user www-data is listening on port 80 on all available interfaces. If you don't get back anything for port 8080, then nothing is listening on this port and you won't get any connection. (That's not completely true, you could for example redirect ports in iptables, but I assume that your iptables script is not doing something like that.)

BTW: As others already wrote, you should not use the iptables script if you don't understand what it really does. Otherwise you'll end up with problems and can't say if it's normal (because the script is doing it) or if you have a problem somewhere else. Write the rules yourself; there are a lot of HOWTOs, tutorials and explained example scripts on the net. A good start might be http://netfilter.org/documentation/index.html

mfg
@ndy

--
personal web site: http://skater.priv.at/~andy/
Nachtskaten / Friday Night Skating Vienna: http://night.skater.priv.at/
CCC Wien (CCC Erfa-Kreis Wien): http://metalab.at/wiki/Groups:CCC_Wien
Verein fuer Internet-BEnutzer Oesterreichs (.AT) http://www.vibe.at/
Re: iptables and nmap
Joan Hérisson wrote:
> Hello,
>
> Config:
> - Debian 2.4.18
> - iptables with many rules
>
> Problems:
> - I have installed a tomcat 5.5 server. The server is unreachable (connection failed from localhost or another host on my local network).

Hey Joan,

how did you install tomcat? Because, if installed from the Debian package, tomcat listens on port 8180 instead of the default tomcat setting 8080. This can be confusing.

Regards,
Tibor

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]