Re: fail2ban vs. syslogd compression

2007-08-28 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
>> Wouldn't a better option be to teach fail2ban how to parse the "last
>> message repeated".. messages?
> 
> Maxim or Dann: When you find out how to do that, please post it to the list 
> for archiving / information-sharing purposes.

I can tell you the obvious: remember last and current line. If current
line != "last message repeated" then store it as last line and read next line
as current, otherwise increment counter of the entry pointed to in last line
by the number of lines skipped and read next line as current. *g*

Sorry no coding today :)

Gruss
Bernd


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: fail2ban vs. syslogd compression

2007-08-28 Thread Jonathan Wilson
On Tuesday 28 August 2007 12:24, dann frazier wrote:
> On Tue, Aug 28, 2007 at 12:43:10PM +0200, Maxim Kammerer wrote:


> >
> > I then sought to disable this kind of log compression, but it is not
> > stated in the man pages how to do that. 
> >
> > So I ended up with not knowing what to do and turned to the debian
> > security list. you people have any idea, or what are you doing?
>
> Wouldn't a better option be to teach fail2ban how to parse the "last
> message repeated".. messages?

Maxim or Dann: When you find out how to do that, please post it to the list 
for archiving / information-sharing purposes.

Thanks.

-- 
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com





Re: [DSA 1359-1] New dovecot packages fix directory traversal

2007-08-28 Thread Simon Valiquette

Simon Valiquette once wrote:
>
>   There are no updated packages for Debian Etch PowerPC, contrary
> to what is stated on the previous line.
>
>
>  In case sec.deb.org/dists/etch/updates/main/binary-powerpc/Packages.gz
> would not have been up to date, I searched in the email for the direct
> link to the rsync_2.6.9-2etch1_powerpc.deb file, but realized the
> whole section was also missing in the advisory.
>
> Actually, the file has not been uploaded at all on security.debian.org
>
>
>   Is there again a problem with the build host or something?
>

  I forgot to mention that the same problem existed with Dovecot,
which is why I suspected a problem with the build host, or at least
with the upload to security.debian.org.

Simon Valiquette







Re: [DSA 1360-1] New rsync packages fix arbitrary code execution

2007-08-28 Thread Simon Valiquette

Steve Kemp once wrote:
>
> Sebastian Krahmer discovered that rsync, a fast remote file copy
> program, contains an off-by-one error which might allow remote
> attackers to execute arbitrary code via long directory names.
>
> For the stable distribution (etch), this problem has been fixed
> in version 2.6.9-2etch1.
>

> Debian GNU/Linux 4.0 alias etch
> -------------------------------
>
> Stable updates are available for alpha, amd64, arm, hppa, i386,
> ia64, mips, mipsel, powerpc, s390 and sparc.
>

  There are no updated packages for Debian Etch PowerPC, contrary
to what is stated on the previous line.


  In case sec.deb.org/dists/etch/updates/main/binary-powerpc/Packages.gz
would not have been up to date, I searched in the email for the direct
link to the rsync_2.6.9-2etch1_powerpc.deb file, but realized the
whole section was also missing in the advisory.

Actually, the file has not been uploaded at all on security.debian.org


  Is there again a problem with the build host or something?


Simon Valiquette







Re: fail2ban vs. syslogd compression

2007-08-28 Thread dann frazier
On Tue, Aug 28, 2007 at 12:43:10PM +0200, Maxim Kammerer wrote:
> Hello everybody, 
> 
> I believe this belongs to the security-mailing list. I recently took a
> server online and it was immediately hit by pop3-cracking attempts. Well,
> they were quite stupid, since they were attempting once for each name taken
> from a 'frequent names list', so I guess somebody was looking for
> non-password protected accounts. However, being annoyed, I wanted to tweak
> fail2ban, which I am already using for ssh, to pop3 and imap, too. No
> problem, standard Debian /etc/fail2ban/jail.conf issue has the relevant
> sections, so I went ahead.
> 
> But then I ran a test, and fail2ban didn't respond. The reason was that I
> hit the server 5 times (my fail2ban max-retry) in quite a short time, so
> instead of logging 'pop3: login failed ' 5 times  to mail.log, it
> logged the message once and afterwards issued 'last message repeated 4
> times', which is not helpful at all to fail2ban. However, I consider it a
> real-world scenario that a cracker/script kiddy would hit the server in a
> short time.
> 
> I then sought to disable this kind of log compression, but it is not stated
> in the man pages how to do that. While the FreeBSD syslogd seems to have
> such a commandline switch (-c -c ), the syslogd shipped with Debian doesn't
> have it, and syslog-ng seems to not have it, either.
> 
> So I ended up with not knowing what to do and turned to the Debian security
> list. Do you people have any idea, or what are you doing?

Wouldn't a better option be to teach fail2ban how to parse the "last
message repeated".. messages?

-- 
dann frazier





fail2ban vs. syslogd compression

2007-08-28 Thread Maxim Kammerer
Hello everybody, 

I believe this belongs to the security-mailing list. I recently took a
server online and it was immediately hit by pop3-cracking attempts. Well,
they were quite stupid, since they were attempting once for each name taken
from a 'frequent names list', so I guess somebody was looking for
non-password protected accounts. However, being annoyed, I wanted to tweak
fail2ban, which I am already using for ssh, to pop3 and imap, too. No
problem, standard Debian /etc/fail2ban/jail.conf issue has the relevant
sections, so I went ahead.

But then I ran a test, and fail2ban didn't respond. The reason was that I
hit the server 5 times (my fail2ban max-retry) in quite a short time, so
instead of logging 'pop3: login failed ' 5 times  to mail.log, it
logged the message once and afterwards issued 'last message repeated 4
times', which is not helpful at all to fail2ban. However, I consider it a
real-world scenario that a cracker/script kiddy would hit the server in a
short time.

I then sought to disable this kind of log compression, but it is not stated
in the man pages how to do that. While the FreeBSD syslogd seems to have
such a commandline switch (-c -c ), the syslogd shipped with Debian doesn't
have it, and syslog-ng seems to not have it, either.

So I ended up with not knowing what to do and turned to the Debian security
list. Do you people have any idea, or what are you doing?

kind regards

Maxim 


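The parsing approach Bernd sketches in the first message of this thread (remember the previous line, and on a "last message repeated N times" line credit the previous entry N more times), applied to the mail.log situation Maxim describes. This is an added example and is not code from the thread or from fail2ban itself: the log lines are constructed, the function names (expand_repeats, count_failures, hosts_to_ban) are mine, and the per-host counter is a stand-in for what a fail2ban filter would do once it sees the expanded lines.

```python
import re
from collections import Counter

# Constructed sample mail.log (not real data): syslogd has collapsed four
# of the five failed logins from 192.0.2.10 into a single repeat line.
SAMPLE_LOG = """\
Aug 28 12:40:01 mail pop3-login: login failed: user=admin rhost=192.0.2.10
Aug 28 12:40:02 mail last message repeated 4 times
Aug 28 12:40:05 mail pop3-login: login failed: user=test rhost=198.51.100.7
Aug 28 12:40:06 mail pop3-login: login ok: user=bob rhost=203.0.113.5
Aug 28 12:40:07 mail last message repeated 2 times
"""

# "Mon DD HH:MM:SS host" prefix (day may be space-padded), then the message.
HEADER_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+) (.*)$")
# The syslogd compression marker; some syslogds write "1 time".
REPEAT_RE = re.compile(r"^last message repeated (\d+) times?$")
# Stand-in for a fail2ban failregex: a failed login with the client address.
FAIL_RE = re.compile(r"login failed: .*rhost=(\S+)")


def expand_repeats(lines):
    """Yield syslog lines with every 'last message repeated N times'
    replaced by N copies of the previous message.

    This is the sketch from the thread: keep the last real message, and
    on a repeat line emit it N more times.  The copies carry the header
    (timestamp/host) of the repeat line so they land in the right time
    window.  A repeat line with nothing before it (e.g. at the top of a
    rotated file) is dropped rather than guessed.
    """
    last_body = None
    for raw in lines:
        m = HEADER_RE.match(raw.rstrip("\n"))
        if m is None:
            continue  # blank or non-syslog line
        header, body = m.groups()
        rep = REPEAT_RE.match(body)
        if rep is None:
            last_body = body
            yield f"{header} {body}"
        elif last_body is not None:
            for _ in range(int(rep.group(1))):
                yield f"{header} {last_body}"


def count_failures(lines, expand=True):
    """Count failed logins per client host, with or without expansion."""
    source = expand_repeats(lines) if expand else (ln.rstrip("\n") for ln in lines)
    counts = Counter()
    for line in source:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def hosts_to_ban(lines, maxretry=5):
    """Hosts that reached maxretry failures, in the spirit of a fail2ban jail."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("without expansion:", dict(count_failures(lines, expand=False)))
    print("with expansion:   ", dict(count_failures(lines)))
    print("would ban:", hosts_to_ban(lines, maxretry=5))
```

Run as a script it prints the per-host counts with and without expansion: in the sample, 192.0.2.10 shows one failure before expansion and five after, which is exactly the difference that lets a maxretry of 5 trigger. The "login ok" line that is also repeated is expanded but never counted, so expansion does not inflate anything the filter would not have matched anyway.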