Re: Decent iptables script for bridging?

2006-05-24 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> I'm currently setting up a bridge on Debian, which is meant to act as
> an invisible filter in our network which is otherwise directly exposed
> to the internet (every host directly reachable from the internet, no
> NAT or anything like that).
>
> I found a good Debian howto that describes this setup, but I was
> wondering if there is an iptables firewall script which is meant for
> that kind of setup. All iptables scripts I know are for NAT or Home
> Firewalling (including dialup etc).
>
> Thanks in advance for useful hints.

You may want to consider a single-address proxy-arp firewall instead.
See http://www.blars.org/sapaf.html

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
With Microsoft, failure is not an option.  It is a standard feature.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: What is a security bug?

2005-11-25 Thread Blars Blarson
In article [EMAIL PROTECTED] you write:
> Unfortunately it is not possible to open two instances of mozilla.
> ( Which may crash separately :-/ )

Untrue.  Use mozilla --SelectProfile.  Create as many profiles as
you want.  Each has its own settings; only use the insecure settings
like allow javascript and allow cookies on sites you trust.

(IMHO this should be default on mozilla.  When I start mozilla, I am
NOT asking to access a mozilla window that is open on another window.)

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
With Microsoft, failure is not an option.  It is a standard feature.





Re: upgrading sendmail package when postfix installed

2004-10-11 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> because it would
> remove apache and many other packages which are depending on an MTA. So
> can I fake the sendmail installation, so apt-get would see that
> sendmail has been upgraded, or do I have to upgrade sendmail (for security
> reasons) and then re-install postfix all over again?

Use equivs to create a package that supplies mail-transport-agent.
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
With Microsoft, failure is not an option.  It is a standard feature.





[EMAIL] [rt-abuse.free.fr #681200] AutoReply: Important

2004-08-13 Thread Blars Blarson via RT
The following was sent to a debian mailing list.
Please delete your spammer's account and charge appropriate cleanup fees.
proxad.net: the message came from you or your customer.





*** French answer *** (English below)
Hello,

This message is sent automatically following the mail you
addressed to the Abuse service
Important,

You do not need to reply to this message now.
We have assigned the identification number [rt-abuse.free.fr #681200]
to your request.

Please add the reference (including the brackets):
[rt-abuse.free.fr #681200].
in the subject of any further correspondence you may send us
on this matter.

Please check that you have provided all the information we
might need in order to process your request (nature of your
request, dates and their time zones, headers of the messages concerned or
logs, etc.)

Thank you.

The Abuse Service
[EMAIL PROTECTED]

*** English answer ***
Greetings,

This message has been automatically generated in response to the
creation of a trouble ticket regarding:
Important, 
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [rt-abuse.free.fr #681200].

Please include the string:
 [rt-abuse.free.fr #681200]
in the subject line of all future correspondence about this issue. To do so, 
you may reply to this message.

Please check you have included all the information we need to investigate your
request (request object, dates and timezones, message headers or logs, etc.)

Thank you,

Abuse team
[EMAIL PROTECTED]
***
-
Important data!






Re: ecartis?

2004-04-02 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> Hi,
> there are still two critical bugs filed against ecartis, one is 1 year
> old, another is 203 days old.  Second one seems to have been closed, and
> then reopened.
> Does this mean ecartis is still vulnerable ( I don't care about first,
> postfix-related too much, but it's still depressing )...?

Both bugs have been fixed in unstable for a long time.

The security team recently fixed the security problems in DSA-467-1, but
forgot to close the associated bug 210444.  I am doing so now.

As the current maintainer of the debian ecartis package, I was happy
to see the DSA for the long-standing bugs.  I had looked at building
patches, but the information on the ecartis web site was incomplete
and the standard policy is not to allow new releases in stable.  The
security team did not consult me before doing the DSA.  (They may have
consulted one of the previous maintainers.)

It is possible they may have fixed the other bug at the same time.
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
With Microsoft, failure is not an option.  It is a standard feature.



Re: Mirroring security.debian.org for internal use

2004-01-16 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> Like some others who have mentioned this in the past, I would like
> to mirror security.debian.org for internal use

How about apt-move mirror?



-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
With Microsoft, failure is not an option.  It is a standard feature.






Re: Transparent bridge firewall with bridge-nf

2003-10-29 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> I administer a LAN that will soon be moved from private to public IP
> space. The LAN is inside a university network and as such in a rather
> hostile environment.

Another alternative is a proxy-arp firewall.  See
http://www.blars.org/sapaf.html for some information on how to do this
without needing multiple subnets.

The bridging code was too experimental for me at the time I implemented 
a firewall with over 200 computers on 5 segments.

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
With Microsoft, failure is not an option.  It is a standard feature.







encrypting messages to security team

2003-06-21 Thread Blars Blarson
Shouldn't the security team have a gpg key available so confidential
messages to [EMAIL PROTECTED] can be sent encrypted?


-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden



Re: chroot, su and sudo

2003-06-16 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> Hello!
> I want to chroot an application/gameserver.
>
> What is the better/securest way?
> 1.) Chroot /path and then do a su -s /bin/sh user -c start.sh
> or
> 2.) su -s /bin/sh user and then do the chroot /path as normal user and
> execute the start.sh in the chroot?
>
> Solution 2 does not need a root shell at all, which is why I think it is a little
> more secure.
> What do you think? What do you recommend? How would you solve this?

chroot is a privileged system call that can be used to bypass
security.  If you let me chroot as a normal user in a directory I set
up, you might as well have just given me the root password.

Best would be a setuid root program that is paranoid about any
parameters or directories it is passed, that only runs untrusted code
as a non-privileged user.  chroot is not a mystical incantation to
make things safe.  Used properly, it can enhance security; used poorly,
it will bypass security.

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden






Re: arpwatch exclusion ?

2003-06-11 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> I am using arpwatch, but I use a few machines with 2 ethernet cards, and
> they often flip-flop... As I know them, I want to exclude the flip-flop
> mails from my mailbox...
>
> How could I tune arpwatch so that it does not listen to those
> flip-flops, or it does not send mails for these ?

Use the -s program option to send the mail via a program that does
whatever filtering you want.  I'm filtering out the proxy-arp responses
this way.  (There are hundreds of them every day on my firewall.)

Unless you know all flip-flops will be noise, I'd recommend only filtering
the ones you know about.

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden
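The -s filter program he describes, written out as an added example (not Blars's script): arpwatch hands each report to it on stdin, it drops flip-flop reports whose two addresses are the two cards of one known dual-homed host, and forwards everything else to the real sendmail. The report layout, the whitelist format and the sendmail path are assumptions; the addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a stand-in for sendmail, to be
# named with arpwatch's -s option. arpwatch writes each report to this
# program's stdin. "flip flop" reports whose two addresses are the two cards
# of one known dual-homed host are dropped; everything else (new stations,
# changed addresses, flip-flops between unknown cards) is passed to the real
# sendmail unchanged. Report layout, whitelist format and sendmail path are
# assumptions; the MAC addresses are constructed.

# One line per dual-homed host: both of its MAC addresses, either order.
KNOWN_PAIRS='0:11:22:33:44:55 0:11:22:33:44:56
0:a:b:c:d:e 0:a:b:c:d:f'

# Read one report on stdin and print DROP or SEND.
classify() {
    awk -v pairs="$KNOWN_PAIRS" '
        BEGIN {
            n = split(pairs, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], m, " ")
                ok[tolower(m[1]) " " tolower(m[2])] = 1
                ok[tolower(m[2]) " " tolower(m[1])] = 1
            }
        }
        /^Subject:.*flip flop/        { flip = 1 }
        /^ *ethernet address:/        { cur = tolower($3) }
        /^ *old ethernet address:/    { old = tolower($4) }
        END {
            # only a flip-flop between the two known cards of one host is noise
            if (flip && cur != "" && old != "" && ((cur " " old) in ok))
                print "DROP"
            else
                print "SEND"
        }'
}

# Entry point: arpwatch execs us with sendmail arguments; hand them through.
filter_report() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    if [ "$(classify < "$tmp")" = SEND ]; then
        /usr/sbin/sendmail "$@" < "$tmp"   # path is an assumption
    fi
    rm -f "$tmp"
}

# Constructed sample reports in the layout arpwatch is assumed to use.
sample_known_flip() {
    printf 'From: arpwatch\nTo: root\nSubject: flip flop (fw.example.net)\n\n'
    printf '            hostname: fw.example.net\n'
    printf '          ip address: 192.0.2.10\n'
    printf '    ethernet address: 0:11:22:33:44:56\n'
    printf 'old ethernet address: 0:11:22:33:44:55\n'
}
sample_unknown_flip() {
    sample_known_flip | sed 's/^old ethernet address:.*/old ethernet address: 0:de:ad:be:ef:1/'
}
sample_new_station() {
    printf 'Subject: new station (pc7.example.net)\n\n'
    printf '    ethernet address: 0:11:22:33:44:55\n'
}
```

Only the known pair is silenced; a flip-flop to an address you have never seen still reaches you, which is the "only filter the ones you know about" rule from the post.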







Re: Scanning with reverse connections?

2003-06-06 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> I've noticed some strange traffic on our firewalls recently. Someone (Or
> multiple someones) are attempting to send tcp packets inbound to our
> network FROM well known ports (e.g. port 80)

Some firewalls that don't do proper connection tracking can be
bypassed that way.  With a properly configured iptables firewall this
shouldn't be a problem.  ipchains based firewalls are more likely to
fall victim to this trick.

Treat it the same as any other attempt to break into your systems.

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden
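An added example (not from the post) of the difference he draws: the source-port-80 rule a stateless filter relies on, beside an iptables ruleset that lets connection tracking decide. The service port is a placeholder; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. Shows why an inbound packet
# that merely claims to come FROM port 80 gets through a stateless
# (ipchains-style) filter, and how a connection-tracking iptables ruleset
# treats the same packet. Set DRY_RUN=1 to print the commands instead of
# executing them (executing needs root).

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# The weak version: "replies from web servers come from port 80, so accept
# anything with source port 80". Any sender can set that source port, so this
# opens every local port to anyone who picks sport 80.
weak_rules() {
    run iptables -A INPUT -p tcp --sport 80 -j ACCEPT
}

# The stateful version: the kernel remembers connections this host opened
# and accepts packets that belong to one. A reply is recognised by its
# conntrack entry, not by its source port. An inbound packet from port 80
# with no entry is NEW, and a NEW packet that is not a SYN is dropped.
stateful_rules() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # services actually offered, selected by destination port only (ssh as a placeholder)
    run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# The question from the post, asked of a ruleset: does it accept packets on
# the strength of their source port? Returns 0 if it does.
accepts_by_source_port() {
    ( DRY_RUN=1; "$1" ) | grep -q -- '--sport'
}
```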







Re: promiscuous mode

2003-05-24 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> Yes, more expensive switches will have support for VLANs, which you
> can use to segment broadcast domains.

You don't need cisco, most (but not all) managed switches can do
vlans.  Linksys has one with the features, but they can't manage to
get working firmware for it.  (The old release crashes, the new one
makes some ports not work.)  SMCs work fine, but are a pain to
configure.  (To move a port from one vlan to another means 7 changes
in the configuration.)

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden



rp_filter (was Re: is iptables enough?)

2003-03-21 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> Also, I would set some no-spoof rules, like accept 127.0.0.0/8 only from
> interface lo, and drop
> non-routable stuff coming from public interface.

# enable reverse-path filtering on each interface, and on "default" so
# interfaces brought up later inherit it
for dev in default eth0 eth1 eth2 eth3 eth4 eth5 eth6
do
    echo 1 > /proc/sys/net/ipv4/conf/${dev}/rp_filter
done

Much better than trying to put such stuff in iptables.  This changes with
your routing tables, and you don't need to duplicate them.
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden







Re: [work] Integrity of Debian packages

2003-03-07 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> If the FBI has the power, time and energy to install a proxy between my
> router and my ISP to spoof a package host (i.e. security.debian.org) just to
> root my servers, then they are clearly a heck of lot more geeky than I
> thought.  Hell, why go through that trouble, why not just grab my traffic
> and sniff all my packets... sheesh.  If they can spoof a proxy on me, then
> they certainly can put a line sniffer between me and my ISP... isn't that
> easier?!?!


No need to put it between, their packet sniffer is already in place at
your ISP.  Please read about CARNIVORE, which made many news headlines
before 9/11/01.  It hasn't gone away, the news media just shut up
about it.  (If you're outside of the USA, the CIA has been doing more
for longer, but it doesn't make the news as much.)


-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden







Re: apache 1.3.27

2003-01-18 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> When will apache 1.3.27 be available for Debian Sarge ?

When it's ready.

packages.qa.debian.org shows it would have entered testing already if
its dependencies were up to date.  The dependencies are glibc and expat.

Expat is ready, waiting for glibc.

Glibc is more buggy than the version currently in testing, so it won't go
in until the bugs are fixed.  (Or the release-manager forces it.)

You can look at the bugs in glibc, and send patches for them to the
appropriate # @ bugs.debian.org.

Many packages are waiting for the new glibc to move to sarge.
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden






Re: raw disk access

2003-01-07 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> i am looking for forensics tools that can be used in computer
> crime investigations, and am particularly interested in a tool
> that provides raw drive (hard, floppy, CD, DVD, etc.) access in
> order to create complete and accurate drive images.

Low level tools are no trick at all.  If you are root or root has given
you access (recommended), you can use any normal tools (dd, grep, perl)
on the appropriate /dev/hd* or /dev/sd* .

You can mount the filesystem read-only if you don't want to access
deleted files, etc.



-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden
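An added example (not Blars's) of the dd approach, with the two additions an investigator would want on top of a bare copy: unreadable sectors are padded rather than skipped, so offsets in the image stay correct, and hashes are recorded at acquisition time so the image can be verified later. Device path and mount point are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: imaging a drive with the
# "normal tools" the reply mentions, done so the image is complete and
# provably identical to the source. Device path and mount point below are
# placeholders; the test feeds it a constructed file instead of a device.

# Copy sector by sector. bs=512 so that conv=sync only pads genuinely bad
# sectors: a larger block size would also pad the final short block of any
# device whose size is not a multiple of it, and the hashes would differ.
# dd's own record counts and read errors are kept in a log beside the image.
image_device() {
    dev=$1 img=$2
    dd if="$dev" of="$img" bs=512 conv=noerror,sync 2> "$img.dd.log" || return 1
    src=$(sha256sum < "$dev") || return 1
    cp=$(sha256sum < "$img") || return 1
    printf 'source %s\nimage  %s\n' "${src%% *}" "${cp%% *}" > "$img.sha256"
    # A mismatch means dd had to pad bad sectors or the device changed under us.
    [ "${src%% *}" = "${cp%% *}" ]
}

# Re-hash an image later and compare it with the hash recorded at acquisition.
verify_image() {
    img=$1
    recorded=$(sed -n 's/^image  //p' "$img.sha256")
    now=$(sha256sum < "$img")
    [ -n "$recorded" ] && [ "$recorded" = "${now%% *}" ]
}

# Look at the filesystem without touching it: read-only, and nothing inside
# it may be executed or gain privileges on the examining host.
mount_image_ro() {
    img=$1 mnt=$2
    mount -o ro,noexec,nosuid,nodev,loop "$img" "$mnt"
}

# usage (placeholders): image_device /dev/sdb /evidence/sdb.img && verify_image /evidence/sdb.img
```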








Re: Need an advise about isolating a host in the DMZ

2002-12-18 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> create a second DMZ, but that would cost me the loss of three IPs, so
> I'm trying to figure out ways to isolate him without putting it in
> another subnet.

There's no need to use extra IPs just to set up another subnet.  Just
use the same IP on multiple interfaces of your firewall, and with proxy
arp routing nothing but your firewall needs to know the details.  The
only thing I've found with broken assumptions about how IP works is DHCPD,
so your firewall will need a real IP for each segment it acts as a DHCP
server for.  The ip command is your friend, it allows much finer-grained
control than the commands it replaces.

I've got a /24 split haphazardly into six subnets.  The routing table
on the firewall is something like 50 entries just for that /24, but
none of the other systems know the details -- they just arp and send.
(Even if I renumbered this beast, the routing table wouldn't be tiny,
there are over 200 hosts unevenly split between the segments.)

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden
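The same-address-on-every-interface layout written out with the ip command, as an added example (not Blars's configuration). Addresses are constructed from 192.0.2.0/24 and the interface names are placeholders; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post. One address from the /24 is
# put on every internal interface of the firewall, proxy ARP is enabled on
# each, and a /32 route per host records which segment that host is on.
# The hosts keep their /24 netmask and just ARP; the firewall answers for
# any address that lives on another segment and forwards the packet there.
# Addresses are constructed (192.0.2.0/24), interface names are
# placeholders. DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

FW_ADDR=192.0.2.1      # the firewall's one address, reused on every segment
OUTSIDE=eth0           # towards the upstream router

# "interface host host ..." per segment (constructed layout of two segments)
SEGMENTS='eth1 192.0.2.10 192.0.2.11
eth2 192.0.2.20'

setup_proxy_arp() {
    echo "$SEGMENTS" | while read -r dev hosts; do
        # same address, same /24, on each internal interface
        run ip addr add "$FW_ADDR/24" dev "$dev"
        # answer ARP on this segment for hosts routed out of other interfaces
        run sysctl -q -w "net.ipv4.conf.$dev.proxy_arp=1"
        # the only place the real layout is known: one host route per machine
        for h in $hosts; do
            run ip route add "$h/32" dev "$dev"
        done
    done
    # and on the outside, so the upstream router's ARP for any internal
    # host is answered by the firewall as well
    run sysctl -q -w "net.ipv4.conf.$OUTSIDE.proxy_arp=1"
}
```

The host routes are what grows with the number of machines, which is why the post reports some 50 entries for one /24.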



Re: spam

2002-11-10 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> how can i block these bastards from korea from spamming me 10 times per day?

You can configure your email server to use korea.blackholes.us or
cn-kr.blackholes.us as a dnsbl.  (The latter also includes china.)



-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden








Re: Sendmail + RBL

2002-10-10 Thread Blars Blarson

In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> Are there other ways to configure sendmail with RBL

If you aren't using ancient sendmail, (woody's is fine) use the dnsbl
feature in your sendmail.mc: (examples from my sendmail.mc, see the
web pages before you use any dnsbl)


FEATURE(`dnsbl',`relays.osirusoft.com',`mail from open relays and spammers refused, see http://relays.osirusoft.com;')dnl
FEATURE(`dnsbl',`relays.ordb.org',`mail from open relays refused, see http://www.ordb.org;')dnl
FEATURE(`dnsbl',`block.blars.org',`mail from spamming sites refused, see http://www.blars.org/errors/block.html;')dnl


see www.sendmail.org for details, they have an antispam page.
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden








Re: export problems on security updates?

2002-10-09 Thread Blars Blarson

In article 20021009202131.GA1759@shire you write:
> In other words, is http://security.debian.org/ located outside the
> US?.

Yes.  Using hinfo (I plan on packaging it for debian soon, current
beta on my web site):

Processing security.debian.org (130.89.175.34)
abuse.net addresses:
[EMAIL PROTECTED] (default, no info)
[EMAIL PROTECTED] (default, no info)
130.89.175.34 is satie.debian.org.
abuse.net addresses:
[EMAIL PROTECTED] (default, no info)
[EMAIL PROTECTED] (default, no info)
130.89.175.34 is debian.snt.utwente.nl.
abuse.net addresses:
[EMAIL PROTECTED] (for utwente.nl)

IPQuery: 130.89.175.34 Server: whois.arin.net
OrgName:University Twente 
OrgID:  UNIVER-181

NetRange:   130.89.0.0 - 130.89.255.255 
CIDR:   130.89.0.0/16 
NetName:UTNET
NetHandle:  NET-130-89-0-0-1
Parent: NET-130-0-0-0-0
NetType:Direct Assignment
NameServer: NS1.UTWENTE.NL
NameServer: NS2.UTWENTE.NL
NameServer: NS1.SURFNET.NL
Comment:
RegDate:1988-07-05
Updated:2002-02-25

TechHandle: GAM32-ARIN
TechName:   Meijerink, Gert 
TechPhone:  +31 53 489 2326
TechEmail:  [EMAIL PROTECTED] 



[Good that it's not listed in any of the 30 blackhole lists checked.
Perhaps debian.org should submit [EMAIL PROTECTED] to abuse.net.  This
would qualify for a ipwhois.rfc-ignorant.org listing, University
Twente should add a working snailmail address.]

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden








Re: Apache Log Files

2002-08-18 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
> On Wed, 14 Aug 2002, Matthew Sackman wrote:
> > Does anyone know of a simple program that will return info on whois IP
> > lookup in a set format?
> You might want to have a look at this:
>
>   http://www.blars.org/hinfo.html
>
> It returns some interesting info in this format:
>
> ,
> | Processing zesa.co.zw (196.2.69.9)
> | abuse.net addresses:
> | [EMAIL PROTECTED] (default, no info)
> | 196.2.69.9 is zesa.co.zw
> | 196.2.69.9 is in ORDB open relays as 127.0.0.2
> | 196.2.69.9 is in osirusoft relays as 127.0.0.2
> | Verified open relay
> | 196.2.69.9 is in njabl as 127.0.0.2
> | spam source or open relay
> | 196.2.69.9 is in rfc-ignorant ipwhois as 127.0.0.6
> `
>
> It doesn't seem to be packaged for Debian, which is a pity.

Should I consider this a request?  I'm not a debian developer, but
packaging this would probably be a good first one starting as a new
maintainer, since I'm the upstream.

I've done some rewriting since the last time I've released, it's more
efficient on most non-us queries, as well as knowing about lacnic and
having some restructuring on the configuration.  It still needs a man
page, and some more work on the config setup.  (I just thought of a
few ideas on that while I was writing this.)

While hinfo does do whois queries (that part of the code started out
as a copy of the geektools whois server, but it has diverged
significantly), the results are not easy for a computer to parse since
the various whois servers aren't consistent.

The abuse.net and DNSBL sections of the code are consistent, but it
might be better to use them as examples of how to do it rather than
calling hinfo from a program.

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden
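
The hinfo output quoted above ("196.2.69.9 is in ORDB open relays as 127.0.0.2") shows the DNSBL mechanism the reply refers to: reverse the address octets, append the list's zone, and an A record inside 127.0.0.0/8 means "listed", with the last octet as the list's reason code. The following is an added example, not hinfo's code; it runs offline against a constructed resolver stub. The zone names follow the lists named in the output, but every answer in the stub is made up, and the return-code meanings repeat only what the output above states. ORDB and osirusoft have long since shut down, and a retired zone that starts answering for every name is exactly what the RFC 5782 sanity check (127.0.0.2 listed, 127.0.0.1 not listed) is there to catch before a mail filter trusts it:

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]

# Constructed stand-in for DNS so the example runs offline. Zone names follow the
# lists named in the hinfo output; every answer below is made up for illustration.
FAKE_DNS: Dict[str, str] = {
    "9.69.2.196.relays.ordb.org": "127.0.0.2",
    "9.69.2.196.dnsbl.njabl.org": "127.0.0.2",
    "9.69.2.196.ipwhois.rfc-ignorant.org": "127.0.0.6",
    # RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    "2.0.0.127.relays.ordb.org": "127.0.0.2",
    "2.0.0.127.dnsbl.njabl.org": "127.0.0.2",
    "2.0.0.127.ipwhois.rfc-ignorant.org": "127.0.0.6",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def live_resolve(name: str) -> Optional[str]:
    """System resolver; NXDOMAIN (or any lookup failure) is reported as 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


# Return-code meanings are list-specific. These entries repeat only what the hinfo
# output on the page says; any other code is reported as an unknown listing.
ZONES: Dict[str, Dict[int, str]] = {
    "relays.ordb.org": {2: "open relay"},
    "dnsbl.njabl.org": {2: "spam source or open relay"},
    "ipwhois.rfc-ignorant.org": {6: "IP whois contact ignores RFC requirements"},
}


def reverse_octets(ip: str) -> str:
    """196.2.69.9 -> 9.69.2.196; rejects anything that is not an IPv4 literal."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split(".")))


def dnsbl_query(ip: str, zone: str, resolve: Resolver = fake_resolve) -> Optional[str]:
    """Return the 127.x.y.z answer when ip is listed in zone, else None.

    Answers outside 127.0.0.0/8 are ignored: they are not DNSBL listings but,
    for example, the wildcard A record of a parked or expired domain."""
    answer = resolve(f"{reverse_octets(ip)}.{zone}")
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


def zone_sane(zone: str, resolve: Resolver = fake_resolve) -> bool:
    """RFC 5782 sanity check before trusting a zone: 127.0.0.2 listed, 127.0.0.1 not.

    A zone that was shut down and wildcarded lists everything and fails the
    second half; an empty or unreachable zone fails the first."""
    return (dnsbl_query("127.0.0.2", zone, resolve) is not None
            and dnsbl_query("127.0.0.1", zone, resolve) is None)


def check_host(ip: str, zones: Dict[str, Dict[int, str]] = ZONES,
               resolve: Resolver = fake_resolve) -> List[Tuple[str, str, str]]:
    """Query every zone; returns (zone, answer, meaning) for each listing found."""
    hits: List[Tuple[str, str, str]] = []
    for zone, codes in zones.items():
        if not zone_sane(zone, resolve):
            continue  # a broken zone must never be allowed to reject mail
        answer = dnsbl_query(ip, zone, resolve)
        if answer is not None:
            code = int(answer.rsplit(".", 1)[1])
            hits.append((zone, answer, codes.get(code, f"listed with code {code}")))
    return hits


if __name__ == "__main__":
    for zone, answer, meaning in check_host("196.2.69.9"):
        print(f"196.2.69.9 is in {zone} as {answer} ({meaning})")
```

Passing `live_resolve` instead of the stub turns this into a real lookup; the sanity check then costs two extra queries per zone, which is cheap compared with bouncing every message because a list went dark.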



Re: sendmail

2002-05-06 Thread Blars Blarson

In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:

In the last weeks I've twice installed Debian 3.0 * with sendmail
.12.3-5 ). And I get some stupid error every few minutes:


May  6 16:40:01 velikov sm-msp-queue[26216]: STARTTLS=client: file
/etc/mail/ssl/sendmail-server.crt unsafe: No such file or directory

This bug was caused by making sendmail-tls the default sendmail after
the security to main transition.  It's fixed in the -6 version (where
you have to enable tls if you want it), -7 is currently in unstable.
If you need -6 rather than -7 for some reason, it's on my web site.

-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]





Re: I haven't seen this in iplogger.log yet.

2002-04-14 Thread Blars Blarson

In article 20020414101948.GA5339@erpland [EMAIL PROTECTED] writes:
This morning, I was looking through iplogger's log, and I found
something I haven't seen before:

Sat Apr 13 20:28:06 destination unreachable from
alvinetcore2-pos3-0.swe.sonera.net [213.50.162.77]

destination unreachable just means that a router along the path couldn't
deliver your IP packet.  Frequently they just mean that some link between
routers is down, sometimes the IP isn't currently routed anywhere (but
a larger block that contains it may be, so the packet has to travel to
a router that knows the details before being rejected).  Usually it's
just a transient error.  Try a traceroute to the final destination to
see where the error is.
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden
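
iplogger prints only "destination unreachable from <router>", but the ICMP message itself says more: a code distinguishing net, host, port or administratively prohibited, and the IP header plus first 8 bytes of the datagram that was rejected, which tells you which of your own packets (and to which port) the router was talking about. That is usually enough to decide between "transient link down" and "something on my side is sending where it should not". The following is an added example, not part of iplogger or of the original message; it builds a constructed ICMP type 3 message inline (the sender address is the sonera router from the log line above, the other addresses are documentation ranges) and parses it back:

```python
import ipaddress
import struct
from typing import Dict

# ICMP type 3 codes (RFC 792, RFC 1122, RFC 1812); only commonly seen ones.
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    6: "destination network unknown",
    7: "destination host unknown",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a valid message it returns 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_unreachable(packet: bytes) -> Dict:
    """Parse an IPv4 datagram carrying ICMP type 3.

    Returns which router sent it, why, and which original packet it refers to.
    Raises ValueError for anything that is not a well-formed destination unreachable."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _ = struct.unpack("!BBH", icmp[:4])
    if itype != 3:
        raise ValueError(f"ICMP type {itype}, not destination unreachable")
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]  # the offending datagram: its IP header plus at least 8 payload bytes
    if len(inner) < 20:
        raise ValueError("no embedded IP header")
    inner_ihl = (inner[0] & 0x0F) * 4
    result = {
        "router": str(ipaddress.IPv4Address(packet[12:16])),
        "code": code,
        "reason": UNREACHABLE_CODES.get(code, f"code {code}"),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
    }
    # For TCP (6) and UDP (17) the quoted 8 bytes start with source and destination port.
    if inner[9] in (6, 17) and len(inner) >= inner_ihl + 4:
        result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return result


def describe(packet: bytes) -> str:
    """One-line summary suitable for a log, or 'invalid: ...' for malformed input."""
    try:
        r = parse_unreachable(packet)
    except ValueError as exc:
        return f"invalid: {exc}"
    where = r["orig_dst"] + (f" port {r['orig_dport']}" if "orig_dport" in r else "")
    return f"{r['router']} reports {r['reason']} for our packet to {where}"


def build_unreachable(router: str, victim: str, code: int, orig_dst: str, dport: int) -> bytes:
    """Constructed sample: router tells victim that its TCP packet to orig_dst:dport
    could not be delivered. Used here only to have something to parse offline."""
    pack4 = lambda ip: ipaddress.IPv4Address(ip).packed
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                           pack4(victim), pack4(orig_dst))
    inner_tcp = struct.pack("!HHI", 40000, dport, 1)  # sport, dport, seq: the 8 quoted bytes
    body = inner_ip + inner_tcp
    csum = checksum(struct.pack("!BBHI", 3, code, 0, 0) + body)
    icmp = struct.pack("!BBHI", 3, code, csum, 0) + body
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                           pack4(router), pack4(victim))
    return outer_ip + icmp


if __name__ == "__main__":
    sample = build_unreachable("213.50.162.77", "192.0.2.10", 1, "198.51.100.5", 80)
    print(describe(sample))
```

The checksum is verified before anything is trusted; a logger that skips that step will happily record garbage from a corrupted or forged message. Note also that the quoted inner header is the only thing linking the error to your traffic, so "orig_src" should match one of your own addresses before the report is acted on.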






Re: NEOMAIL - as big kev in OZ would say, IM EXCITED !

2002-04-08 Thread Blars Blarson

In article 20020408094142.GA3342@espresso [EMAIL PROTECTED] writes:
On Mon, Apr 08, 2002 at 08:51:50AM +0800, Marcel Welschbillig wrote:
 Just wanted to make it clear that the email I sent about Neomail was
 purely to let other people know about a program that I thought was worth
 mentioning, it had nothing to do with Ernie Miller and was not intended
 to be SPAM.
Don't take my warning the wrong way. By all means, feel free to spread
the word on good opensource software. Please just keep it to
appropriate places and times (eg. debian-user) or in the course of an
on-topic discussion. I would have treated it as just another off-topic
message were it not for the fact that your message had already
previously been reported to razor.sourceforge.net as spam (which
probably means that debian-security was not the only mailing list you
posted it to).

Since I did report the copy I got on debian-security with
spamassassin -r, in this case it is quite possible that the message
was only sent to one list.  If this had been sent to several lists, the
razor tagging would have helped me sort it out into my probable spam
area.

I agree with netsnipe about keeping messages on topic.




Re: failed ssh breakins on my exposed www box ..

2002-03-25 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
What's the best way to figure 
out the admin for a subnet from a machine's IP?

As others have pointed out, whois is the normal tool to do it, but
they forgot to mention the complexities you get with servers pointing
to each other and sometimes to rwhois servers, etc.  There are some
whois servers (like geektools) that try to work through this mess, but
I've written hinfo, a tool I use to get this info as well as looking
them up in several DNSBL lists, etc.  I mainly use it on spammers'
addresses and URLs so I can complain to their IP block owner (and
add the block to BlarsBL (http://www.blars.org/errors/block.html) if
the ISP doesn't take care of their spamming problem).  hinfo is available
from http://www.blars.org/hinfo.html .  I may package it for debian,
if people want me to, after some more cleanup and documentation.

Here is the hinfo output for that address:

Processing 213.26.96.103 (213.26.96.103)
213.26.96.103 is in selwerd XBL as 127.0.0.4
IPQuery: 213.26.96.103 Server: whois.arin.net
IPQuery: 213.26.96.103 Server: whois.ripe.net
Referering Data:
European Regional Internet Registry/RIPE NCC (NETBLK-213-RIPE)
   These addresses have been further assigned to European users.
   Contact info can be found in the RIPE database, via the
   WHOIS and TELNET servers at whois.ripe.net, and at
   http://www.ripe.net/perl/whois/
   NL
   Netname: RIPE-213
   Netblock: 213.0.0.0 - 213.255.255.255
   Maintainer: RIPE
   Coordinator:
  Reseaux IP European Network Co-ordination Centre Singel 258  
(RIPE-NCC-ARIN)  [EMAIL PROTECTED]
  +31 20 535 
   Domain System inverse mapping provided by:
   NS.RIPE.NET  193.0.0.193
   NS.EU.NET192.16.202.11
   AUTH00.NS.UU.NET 198.6.1.65
   NS3.NIC.FR   192.134.0.49
   SUNIC.SUNET.SE   192.36.125.2
   MUNNARI.OZ.AU128.250.1.21
   NS.APNIC.NET 203.37.255.97
   SVC00.APNIC.NET  202.12.28.131
   Record last updated on 08-Apr-1999.
   Database last updated on  23-Mar-2002 19:56:37 EDT.
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum:  213.26.96.96 - 213.26.96.127
netname:  SATEL-GROUP
descr:Satel Group Srl
country:  IT
admin-c:  SB10545-RIPE
tech-c:   FC3284-RIPE
status:   ASSIGNED PA
notify:   [EMAIL PROTECTED]
mnt-by:   INTERB-MNT
changed:  [EMAIL PROTECTED] 2605
source:   RIPE
route:213.26.0.0/16
descr:INTERBUSINESS
origin:   AS3269
remarks:  Send report of network abuse/spam
remarks:  only to: [EMAIL PROTECTED] .
remarks:  If you report abuse to any other address
remarks:  you will get no response.
notify:   [EMAIL PROTECTED]
mnt-by:   INTERB-MNT
changed:  [EMAIL PROTECTED] 20011009
source:   RIPE
person:   Sonia Ballaben
address:  Satel Group Srl
address:  Centro Commerciale A1/12
address:  I- 33170 Pordenone
address:  Italy
phone:+39 0434 571110
fax-no:   +39 0434 572830
e-mail:   [EMAIL PROTECTED]
nic-hdl:  SB10545-RIPE
changed:  [EMAIL PROTECTED] 2605
source:   RIPE
person:   Fabio Cardin
address:  Satel Group Srl
address:  Centro Commerciale A1/12
address:  I- 33170 Pordenone
address:  Italy
phone:+39 0434 571110
fax-no:   +39 0434 572830
e-mail:   [EMAIL PROTECTED]
nic-hdl:  FC3284-RIPE
changed:  [EMAIL PROTECTED] 2605
source:   RIPE



-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden
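
The reply's complaint is that whois answers are hard to parse because every server formats them differently. The RIPE half of the output above is the exception: it is RPSL, "attribute: value" lines grouped into objects separated by blank lines, with "%" comment lines and "+" or whitespace continuation. The following is an added example, not hinfo's code, showing how to get from that text to "which assignment covers this address and whom do I mail". The sample response is constructed after the page's output (same inetnum, netname, route, origin and handles); the person's name and all mailboxes are placeholders, and the ARIN free-text referral is not parsed. The containment check is deliberate: a referral can land on a parent block or on an unrelated object, and the abuse address must come from an object that actually covers the address:

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the RIPE part of the hinfo output quoted above.
# Mailboxes and the person's name are placeholders, not the registry's real data.
SAMPLE_RPSL = """\
% This is the RIPE Whois server.
% The objects are in RPSL format.

inetnum:      213.26.96.96 - 213.26.96.127
netname:      SATEL-GROUP
descr:        Satel Group Srl
country:      IT
admin-c:      SB10545-RIPE
tech-c:       FC3284-RIPE
status:       ASSIGNED PA
mnt-by:       INTERB-MNT
source:       RIPE

route:        213.26.0.0/16
descr:        INTERBUSINESS
origin:       AS3269
remarks:      Send report of network abuse/spam
remarks:      only to: abuse@isp.example .
remarks:      If you report abuse to any other address
remarks:      you will get no response.
source:       RIPE

person:       Placeholder Contact
address:      Satel Group Srl
address:      Centro Commerciale A1/12
+             I-33170 Pordenone, Italy
e-mail:       hostmaster@customer.example
nic-hdl:      SB10545-RIPE
source:       RIPE
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RpslObject = Dict[str, List[str]]


def parse_rpsl(text: str) -> List[RpslObject]:
    """Blank lines separate objects, '%'/'#' lines are server comments, a line
    starting with whitespace or '+' continues the previous attribute. Lines
    without a colon are skipped rather than fatal: whois servers are not consistent."""
    objects: List[RpslObject] = []
    current: RpslObject = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
            current, last_attr = {}, None
            continue
        if line[0] in "%#":
            continue
        if line[0] in " \t+" and last_attr is not None:
            current[last_attr][-1] = (current[last_attr][-1] + " " + line.lstrip("+ \t")).strip()
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        objects.append(current)
    return objects


def inetnum_range(value: str):
    """'213.26.96.96 - 213.26.96.127' -> (int, int), or None when malformed."""
    lo, sep, hi = value.partition("-")
    if not sep:
        return None
    try:
        return int(ipaddress.IPv4Address(lo.strip())), int(ipaddress.IPv4Address(hi.strip()))
    except ValueError:
        return None


def find_assignment(objects: List[RpslObject], ip: str) -> Optional[RpslObject]:
    """Smallest inetnum whose range really contains ip; never assume the server
    answered about the block you asked for."""
    n = int(ipaddress.IPv4Address(ip))
    best, best_size = None, None
    for obj in objects:
        for value in obj.get("inetnum", []):
            rng = inetnum_range(value)
            if rng and rng[0] <= n <= rng[1] and (best_size is None or rng[1] - rng[0] < best_size):
                best, best_size = obj, rng[1] - rng[0]
    return best


def summarize(text: str, ip: str) -> Dict:
    objects = parse_rpsl(text)
    assignment = find_assignment(objects, ip)
    if assignment is None:
        return {"found": False}
    addr = ipaddress.IPv4Address(ip)
    handles = set(assignment.get("admin-c", []) + assignment.get("tech-c", []))
    abuse: List[str] = []
    contacts: List[str] = []
    for obj in objects:
        # abuse-mailbox is the modern attribute; older data hides the address in the
        # remarks of the covering route object, as the output on the page shows.
        candidates = list(obj.get("abuse-mailbox", []))
        for route in obj.get("route", []):
            try:
                if addr in ipaddress.IPv4Network(route, strict=False):
                    candidates += obj.get("remarks", [])
            except ValueError:
                continue
        for item in candidates:
            abuse += [m for m in EMAIL_RE.findall(item) if m not in abuse]
        if handles & set(obj.get("nic-hdl", [])):
            for item in obj.get("e-mail", []):
                contacts += [m for m in EMAIL_RE.findall(item) if m not in contacts]
    return {"found": True, "inetnum": assignment["inetnum"][0],
            "netname": assignment.get("netname", ["?"])[0],
            "country": assignment.get("country", ["?"])[0],
            "abuse": abuse, "contacts": contacts}


if __name__ == "__main__":
    print(summarize(SAMPLE_RPSL, "213.26.96.103"))
```

The same parser handles responses from the other RPSL-speaking registries (APNIC, AfriNIC, LACNIC's RPSL output), but ARIN's legacy format and most rwhois servers need their own handling, which is the inconsistency the message is about.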




Re: Potato 2.2r3 and Kernel 2.2.19 Questions

2001-10-24 Thread Blars Blarson

In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
On Wed, Oct 24, 2001 at 01:18:52AM +, Martin WHEELER wrote:
 On Tue, 23 Oct 2001, Ethan Benson wrote:

  kernels are never upgraded automatically by apt, you have to do it
  yourself:

 That's not quite true -- should you recompile your own kernel, and for
 whatever reason, NOT give that new kernel a debian-style name which
 conforms *exactly* to the debian naming conventions, you will be
 pestered for evermore with attempts by apt to 'upgrade' to the latest
 (plain vanilla) version.

Watch out when dselect (and I assume apt) decides to upgrade a kernel
image -- I just had the 2.2.19 kernel image upgraded on my testing box
and it made the /vmlinuz link point to the 2.2.19 kernel, when it had
been 2.4.9 before.  Since the 2.4.9 needed initrd, I assume neither
would have had trouble booting if I hadn't fixed things.  (Fortunately,
I had a third kernel not using the links as the default to boot, and I
noticed and fixed things up.)
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden



chroot (was Re: Need Help with the Debian Securing Manual (contributions accepted))

2001-10-01 Thread Blars Blarson

In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
   I am not sure everybody is aware of the Securing Debian Manual
which can be found at
http://www.debian.org/doc/manuals/securing-debian-howto/. In any case, I'm
asking for some help with this document due to the current overload of
information I'm suffering.


One major problem I've noticed is it seems to perpetuate common
misconceptions about chroot.  If you have root access in a chroot
environment, it's quite possible to break out and take over the whole
system.  (I know of two ways off the top of my head, I'm sure there
are others.)  Giving untrusted code root access in a chroot environment
is security by obscurity -- worthless against a determined attacker,
and the people setting it up are deluding themselves that their systems
are protected.

(Perhaps you should consider a section on security by obscurity and
why it is useless.)

Running non-root in a chroot enviornment does add a level of
protection.  (You can't access world-readable files.)

Chroot was designed as a software testing tool, not a security tool.


-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden
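
The practical consequence of the message above is that a chroot only means something for a process that is no longer root once it is inside. The following is an added example, not from the Securing Debian Manual or from the poster, of the sequence a confined daemon should run before touching any untrusted input: chroot, then chdir to the new root (a working directory left outside it is an open door), then drop supplementary groups and the gid while still root (both need root), then the uid last, and finally prove that root cannot be regained. It refuses uid or gid 0 outright. The jail directory and the uid/gid in the usage line are placeholders; the real drop needs CAP_SYS_CHROOT, so only the refusal paths run without root:

```python
import os
import sys
from typing import Tuple


def drop_privileges(root_dir: str, uid: int, gid: int) -> Tuple[int, int]:
    """Confine the calling process to root_dir and drop to uid/gid.

    Returns the (uid, gid) now in effect. Raises if any step fails and never
    returns while the process could still become root again. Order matters:
      1. chroot() then chdir('/'): the cwd must not stay outside the new root.
      2. setgroups([]) then setgid(): group changes need root, so do them first.
      3. setuid() last: as root it sets real, effective and saved uid at once,
         and after it none of the steps above would be possible any more.
    """
    if uid == 0 or gid == 0:
        raise ValueError("refusing to leave the process as root inside the chroot")
    os.chroot(root_dir)   # needs CAP_SYS_CHROOT; root_dir must hold everything the program still needs
    os.chdir("/")
    os.setgroups([])      # supplementary groups are not touched by setgid()
    os.setgid(gid)
    os.setuid(uid)
    # Verify: every way back to uid/gid 0 must now fail with EPERM.
    for regain in (lambda: os.setuid(0), lambda: os.seteuid(0), lambda: os.setgid(0)):
        try:
            regain()
        except PermissionError:
            continue
        raise RuntimeError("privilege drop did not take; refusing to continue")
    return os.getuid(), os.getgid()


def attempt(root_dir: str, uid: int, gid: int) -> str:
    """Run drop_privileges and report 'ok' or the name of the exception raised.
    A failed drop is never something to log and carry on from."""
    try:
        drop_privileges(root_dir, uid, gid)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Example usage as root (placeholder jail and ids): python3 confine.py /srv/jail 65534 65534
    if len(sys.argv) != 4:
        sys.exit("usage: confine.py <jail-dir> <uid> <gid>")
    status = attempt(sys.argv[1], int(sys.argv[2]), int(sys.argv[3]))
    print(status, "uid", os.getuid(), "gid", os.getgid(), "cwd", os.getcwd())
```

The verification loop is the part most often skipped: on a system where setuid() silently fails to change the saved uid, a daemon that merely checks getuid() would carry on believing it was confined.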





Printer security (was Re: Need Help with the Debian Securing Manual (contributions accepted))

2001-10-01 Thread Blars Blarson
In article [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
   I am not sure everybody is aware of the Securing Debian Manual
which can be found at
http://www.debian.org/doc/manuals/securing-debian-howto/. In any case, I'm
asking for some help with this document due to the current overload of
information I'm suffering.

cups aka cupsys should be mentioned in the section on printer
daemons.  (I've only recently started using it, so am unqualified to
write about its security.)

While not debian-specific, I think ethernet connected printers should
be mentioned.  Something like:

Network connected printers are frequently a security hole.  HP
printers and emulators accept connections on port 9100 (and 9101,
9102, etc. on multi-printer servers) and print anything sent.  They
may also be able to run the postscript programs sent to them, which may
be used to create bigger security holes than just printing.  Some
models also talk a subset of the lpd protocol on port 515.  Later models
have a telnet client on port 23, and by default have no password.
I've even heard of (non-HP) printers that are running a stripped-down
version of unix and have an open-relay sendmail running.  You should
consider putting your printers behind a firewall, and at the minimum
not configuring a default gateway unless needed.
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden





Re: Security on debian

2001-09-30 Thread Blars Blarson
In article [EMAIL PROTECTED] 
[EMAIL PROTECTED] writes:
debian security howto
   http://www.debian.org/doc/manuals/securing-debian-howto/
   ( url seemed slow to me too...gave up after 10 sec of waiting )

www.debian.org was/is having problems -- I wound up getting the document
off of www.uk.debian.org.

I'll have comments on the document in a while; it obviously is still
under construction.
-- 
Blars Blarson   [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden