Re: New version of SSH refusing login

Back it out... If you read the release notes you would have seen that the
ssh upgrade has problems with PAM. Use something like IPCHAINS or IPTABLES
to restrict which IP addresses are allowed to access your box via SSH until
such time that SSH using privilege separation handles PAM properly.

Oh, please check existing bug reports and file a new one if one doesn't
already exist for your problem.

Curt Howland wrote:
> Good evening, all. I just went through the upgrade of SSH, and now I
> cannot log into my potato box. Luckily, I did keep a session logged in,
> for debugging don't you know. So I can say that the debug error is as
> follows:
>
> Jun 25 21:35:33 ian sshd[12644]: debug1: Starting up PAM with username howland
> Jun 25 21:35:33 ian sshd[12644]: Could not reverse map address 165.76.163.213.
> Jun 25 21:35:33 ian sshd[12644]: debug1: PAM setting rhost to 165.76.163.213
> Jun 25 21:35:33 ian sshd[12644]: Failed none for howland from 165.76.163.213 port 33226 ssh2
>
> That's a great debug message, Failed none. None what?
>
> Any help would be greatly appreciated.

-- 
| Bryan Andersen | [EMAIL PROTECTED] | http://www.nerdvest.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| Linux, the OS Microsoft doesn't want you to know about.. |
| -Bryan Andersen|

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]
Re: Apache chunk handling vulnerability and Apache 1.3.24-3

René Seindal wrote:
> On Wed, 2002-06-19 at 13:39, NANTENAINA Tianarivo ulrich wrote:
>> Hi folk,
>>
>> We have some machines with testing and the version of Apache on those
>> servers is 1.3.24-3. I would like to know if this version of Debian
>> apache is also vulnerable. I've checked the announcement sent about
>> the patch but didn't find the patch for this version inside. As the
>> advisory said that Apache version 1.3.24 is still vulnerable, it
>> worried me.
>
> I believe it is. If you use 32 bit machines you are 'only' vulnerable
> to a DoS attack, not a real compromise of your servers.

Note: Both Apache and CERT dispute the claim made by ISS that 32 bit
machines can only be DoSed.

>> What should I do?
>
> I have decided to wait a while to give the maintainers a fair chance to
> make the packages. You could compile your own...

News is the fix is out.
http://www.theregister.co.uk/content/4/25779.html

-- 
Bryan Andersen
Re: does virus ELF.OSF.8759 affect debian?

Anne Carasik wrote:
> On Wed, Apr 10, 2002 at 10:52:38AM -0700, Brandon High wrote:
>> And another reason not to run as root...
>
> Compiling from source is a good idea too. It's amazing what you can
> find in the source. I found a couple of stupid Trojans that way.
>
> system(mail /etc/passwd [EMAIL PROTECTED]);

Yeah, and it's buggy too. Take a close look at what really happens.

-- 
Bryan Andersen
SpamAssassin (Was Re: SOME ITEMS THAT YOU MAY BE INTERESTED IN OR BE ABLE TO ADVISE ME ON)

Sebastian Rittau wrote:
> On Thu, Jan 24, 2002 at 09:34:35AM +0100, Robert van der Meulen wrote:
>> Quoting James ([EMAIL PROTECTED]):
>>> We could start by blocking @aol.com =)
>>
>> Or by all running good anti-spam measures and not replying to spam; I
>> didn't even know it was there until people started replying to it, and
>> I had to look up the original posting in my spam folder..
>
> That's unfortunately not the solution.
>
> [EMAIL PROTECTED]:~$ ls -l .mail/junk
> -rw-------    1 srittau  srittau   2766614 24. Jan 09:39 .mail/junk
> [EMAIL PROTECTED]:~$
>
> And that's only the SPAM mail from this year. I have to download this
> over a 56kBit link and I pay by the minute.

My ISP uses SpamAssassin and it works quite nicely. Not perfectly, but
well enough that I like it. It's filtered out about 8M bytes of spam in
the past 16 days.

SpamAssassin puts some new headers into the message that tell its spam
status.

X-Spam-Status: No, hits=0 required=6 tests= version=2.0

is the spam status header for the message I'm replying to. These are the
spam status headers from a spam message:

X-Spam-Status: Yes, hits=18 required=6 tests=INVALID_DATE_NO_TZ,NONEXISTENT_CHARSET,EXCUSE_3,EXCUSE_7,REPLY_REMOVE_SUBJECT,REMOVE_SUBJ,TO_BE_REMOVED_REPLY,CHARSET_FARAWAY,DATE_IN_FUTURE,RCVD_IN_5_10,RCVD_IN_OUT_ORBZ version=2.0
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.0 (devel $Id: SpamAssassin.pm,v 1.51 2001/12/19 05:20:44 jmason Exp $)
X-Spam-Report:  18.7 hits, 6 required;
  *  2.0 -- Invalid Date: header (no timezone)
  *  2.0 -- Character set doesn't exist
  *  2.5 -- BODY: Claims you can be removed from the list
  *  0.1 -- BODY: Claims you can be removed from the list
  *  0.1 -- BODY: List removal information
  *  3.3 -- BODY: List removal information
  *  1.7 -- BODY: Says: to be removed, reply via email or similar
  *  3.0 -- Character set indicates a foreign language
  *  2.0 -- Date: is in the future or unparseable
  *  1.0 -- Received via a relay in blackholes.five-ten-sg.com
        [RBL check: found 4.84.114.211.blackholes.five-ten-sg.com.]
  *  1.0 -- Received via a relay in outputs.orbz.org
        [RBL check: found 101.156.42.208.outputs.orbz.org.]

I still end up downloading the spam, but I know it is possible for an
email program to filter on the headers before downloading the body of the
message. It would be even nicer if Debian filtered on it and rejected
messages that it marks as spam. It wouldn't be perfect, but it would cut
down on a lot of them.

-- 
Bryan Andersen
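A filter of the kind described above, acting on the X-Spam-Status header before the body is touched: this is an added example, not code from the original post or from SpamAssassin. The two header values are the ones quoted above; the message envelopes around them are constructed, and the extra rejection margin is an assumed policy knob rather than anything SpamAssassin defines.

```python
import email
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shape of the X-Spam-Status value as SpamAssassin 2.0 wrote it:
#   "Yes, hits=18 required=6 tests=A,B,C version=2.0"
# Clean mail carries an empty list: "No, hits=0 required=6 tests= version=2.0".
_STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No),\s*hits=(?P<hits>-?\d+(?:\.\d+)?)"
    r"\s+required=(?P<required>-?\d+(?:\.\d+)?)"
    r"(?:\s+tests=(?P<tests>\S*))?"
    r"(?:\s*version=(?P<version>\S+))?",
    re.IGNORECASE,
)


@dataclass
class SpamStatus:
    is_spam: bool
    hits: float
    required: float
    tests: List[str] = field(default_factory=list)
    version: str = ""


def parse_spam_status(value: str) -> Optional[SpamStatus]:
    """Parse one X-Spam-Status value; None if it is not in the expected form."""
    # Long test lists get folded across header lines; join the continuation
    # lines back together before matching.
    value = re.sub(r"\r?\n[ \t]+", "", value).strip()
    m = _STATUS_RE.match(value)
    if m is None:
        return None
    tests = [t for t in (m.group("tests") or "").split(",") if t]
    return SpamStatus(
        is_spam=m.group("flag").lower() == "yes",
        hits=float(m.group("hits")),
        required=float(m.group("required")),
        tests=tests,
        version=m.group("version") or "",
    )


def classify(raw_message: str, extra_margin: float = 0.0) -> str:
    """Decide what a list server should do with a raw RFC 822 message.

    'reject'   - SpamAssassin flagged it and the score clears the required
                 threshold plus an optional extra margin (assumed policy knob,
                 so borderline mail is not bounced outright);
    'accept'   - scored but below the rejection line;
    'unscored' - no usable X-Spam-Status header, so nothing to act on.
    """
    msg = email.message_from_string(raw_message)
    value = msg.get("X-Spam-Status")
    status = parse_spam_status(value) if value is not None else None
    if status is None:
        return "unscored"
    if status.is_spam and status.hits >= status.required + extra_margin:
        return "reject"
    return "accept"


# Constructed sample messages; the X-Spam-Status values are the two quoted above.
HAM_MESSAGE = """\
From: someone@example.org
Subject: Re: SpamAssassin
X-Spam-Status: No, hits=0 required=6 tests= version=2.0

An ordinary list message.
"""

SPAM_MESSAGE = """\
From: bulk@example.net
Subject: REMOVE ME
X-Spam-Status: Yes, hits=18 required=6 tests=INVALID_DATE_NO_TZ,NONEXISTENT_CHARSET,
\tEXCUSE_3,EXCUSE_7,REPLY_REMOVE_SUBJECT,REMOVE_SUBJ,TO_BE_REMOVED_REPLY,
\tCHARSET_FARAWAY,DATE_IN_FUTURE,RCVD_IN_5_10,RCVD_IN_OUT_ORBZ version=2.0
X-Spam-Flag: YES

To be removed, reply to this message.
"""

if __name__ == "__main__":
    for name, text in (("ham", HAM_MESSAGE), ("spam", SPAM_MESSAGE)):
        status = parse_spam_status(email.message_from_string(text)["X-Spam-Status"])
        print(name, classify(text), status.hits, status.tests)
```

The decision is made from the headers alone, which is what allows a POP client or a list server to act before the body is fetched; a message with no score falls through as "unscored" so that a mail that bypassed the scanner is not silently treated as clean.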
Re: allowing users to change passwords

Wichert Akkerman wrote:
> Previously martin f krafft wrote:
>> what would speak against setting the user's login shell to
>> /usr/bin/passwd?
>
> Nothing, works just fine. It might be a bit confusing for users though
> since they will have to enter their original password twice as well.
> You may wish to set the motd specifically for them and explain in it
> what they need to do.

I would also audit the passwd program carefully for security problems
like buffer overflows, etc.

-- 
Bryan Andersen
Re: buffer overflow in /bin/gzip?

John Galt wrote:
> On Wed, 21 Nov 2001, Guillaume Morin wrote:
>> In a message of 20 Nov at 23:33, Anders Gjære wrote:
>>> in gzip.c the line:
>>>   strcpy(nbuf,dir);
>>> should maybe be replaced with:
>>>   strncpy(nbuf, dir,sizeof(nbuf));
>>
>> gzip runs with user privileges, therefore this is not a security
>> problem.
>
> gzip is in vuln-dev for a buffer overflow in the argv handler. Debian
> is apparently invulnerable, but it's a good thing to do everything we
> can to figure out more bugs in the flavor-of-the-month exploit target
> before the black hats do.

I second this. One thing I think is quite important is to get rid of
calls to routines that it is possible to buffer overflow. OpenBSD has a
feature in their version of gcc that will cause a compile time error
message telling you when one of the standard library routines known to be
overflowable is used. I'd love to see all open source software put
through that check. It doesn't need to be an error output, but at least a
warning would be good. At this point it needs to be switchable and not
mandatory. This is due to the volume of code that would need to be
changed.

-- 
Bryan Andersen
Re: Mutt tmp files

martin f krafft wrote:
> * Craig Dickson [EMAIL PROTECTED] [2001.11.15 10:28:33-0800]:
>> Also note that root owns sendmail, or whatever MTA you're using. If
>> he really wants to read your mail, it would be much easier for him to
>> do it by configuring the MTA to silently copy him on all your
>> messages, so all this concern about temporary files and de-allocated
>> disk sectors seems a bit silly to me.
>
> except he's GPG encrypting, which then even root can't read...
>
>> Your mail can also be spied on by packet sniffers or a compromise of
>> the mail servers of your correspondents.
>
> ditto...

B... Wrong. If you don't trust root, you're hosed. Root can change the
app so he has your keys... Root can also change the tty drivers so they
are all silently logged. There is no way to secure it fully unless you
type it in encrypted form. At some point you have to decide you've done
enough and run with it.

-- 
Bryan Andersen
Re: question about something, but don't know if it exists...

[EMAIL PROTECTED] wrote:
> Hallo there,
>
> I really don't know if it should be asked here or somewhere else, but
> my problem is the following. I live in an untrusted environment which
> is running 50 computers (it is a school and packets are running up and
> down everywhere). I need to use outside HTML sites and POP accounts,
> but they, as many providers in Czech, don't support SSL or anything
> else than just clear authentication. So is there software which
> connects onto a server (for example a proxy) through SSL and then
> redirects the data channels onto the right ports as a clear connection
> outside? (I cannot solve the situation on provider routers of course,
> but it has happened a few times that students stole their passwords
> and so on, and mainly they could steal even teachers' these days.)

Can you get a shell account on the outside of your local network? If so
SSH over to it, then access the pop mail server. Without having a machine
to serve as the endpoint for an encrypted pipe on the outside of your
network I don't see a way to secure the communications.

Another possibility would be to have them replace the hubs with switches;
this assumes you are using twisted pair, not thin net or thick net.

-- 
Bryan Andersen
OT: Re: TREAT URGENT

Nugzar Nebieridze wrote:
> Sorry for off-topic, but I'm curious, WHY do people write such
> messages? WHAT do they need? My account information?

They are running a scam. The idea is to get you to fork over smaller sums
of money[1] to get the transaction to happen. When in reality they are
pocketing the sums you fork over. Other ones try to get you to give them
access to your account so they can drain it. Some combine the two. Some
have other things they try to do.

My response to them is to report the suckers to any ISP or email service
they are using, and also email the open relay they sent the messages
through. Basically cut off their links. If they only give phone numbers
or fax numbers I report them to the FBI so they can have that number cut
off at the international exchanges. In a couple of African countries
scams like this are not illegal if the victims are outside the country.

[1] like $1000-$5000 or whatever they think you will bear.

Links:
http://www.rcmp-grc.gc.ca/news/nr-01-11.htm
http://www.msp.state.mi.us/news/0389.pdf
http://www.state.ct.us/dob/pages/419scams.htm

Search under "Nigeria FBI scam" for more information.

> Wednesday, October 17, 2001, 7:03:06, Hubert Chan wrote:
>
>> Dansuki == Dansuki Ahmed [EMAIL PROTECTED] writes:
>>
>> HC [...]
>> Dansuki I am prepared to invest 20m pounds sterling in your company if
>> HC                              ^^^
>> HC [...]
>> HC Woohoo! 20 milli-pounds! I'll be rich!

-- 
Bryan Andersen
Re: What about doing security updates automatically?

On the question: What about doing security updates automatically?

I don't know about the rest of you, but here is my opinion...

As a sysadmin, programmer, jack of too many trades I maintain a number of
systems under a number of different operating systems. As such I have to
keep track of bug fixes as well as security updates, etc. I feel if one
goes to making a security update system, one should spend the time to
make it more general and do it for regular bug fixes as well as general
package upgrades too.

I have nothing against automatic systems so long as I can selectively
turn them on and off at the package and general levels. Ideally I'd like
to be able to make a test suite that if it passes on an update the update
is automatically accepted, but if it fails the update is backed out and
I'm notified.

It should track what changes have been made, and have the ability to undo
those changes at a later date. This means replaced, modified and or
removed files, etc. must be saved so they can be restored. I feel that
this is an essential ingredient to the success of the system. This backup
function must be done. I can see a local option that allows for disabling
the backup function, but it should be on by default.

Another thing to think about is if the update can't figure out how to
upgrade the system in a safe manner it should not do the upgrade, but
instead spool it for administrator input. As an example, think of
changing a configuration file. If the admin has made local customizations
then the upgrade system should not do the upgrade, but instead spool it
for admin interaction.

Here ends my input for now...

-- 
Bryan Andersen
Re: testing owner files and integrity

Samu wrote:
> last night i did a chown -R nobody. / as root. i tried to establish the
> right owner of all files, so i started to check how to do that under
> debian (i remembered it was possible under rh) and surprise, nothing.
> so i started to manually change the owner of my files (with the help
> of another machine, debian too).

If you have a backup you can use it to get the owner/group for every file
at that time. Using a short perl script one could take a listing of a
backup and use it to apply the owner and group to each matching file. You
should even be able to get back things like the sticky bits if you bother
to interpret that data from the backup.

A tripwire database file will also have that information.

-- 
Bryan Andersen
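The restore-from-backup-listing idea above, as an added example rather than the poster's own script, and in Python rather than perl. It assumes the backup was made with GNU tar and that `tar -tv` listing lines look like the constructed sample below (mode string, owner/group, size, date, time, name). It rebuilds owner, group and the mode bits, setuid/setgid/sticky included, and by default only returns the commands it would run; the real apply path uses lchown so a symlink's target is never touched.

```python
import grp
import os
import pwd
import stat
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Entry:
    path: str     # path relative to the backup root, no trailing slash
    ftype: str    # first char of the mode string: '-', 'd', 'l', ...
    mode: int     # permission bits including setuid/setgid/sticky
    owner: str
    group: str


def mode_from_string(perm: str) -> int:
    """Turn an ls/tar mode string such as '-rwsr-xr-x' into a mode value."""
    bits = 0
    for i, ch in enumerate(perm[1:10]):
        if ch == "-":
            continue
        shift = 8 - i               # i=0 is user read (0o400), i=8 other execute (0o1)
        if ch in "rwx":
            bits |= 1 << shift
        elif ch in "sS":            # setuid (user slot) or setgid (group slot)
            bits |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":           # lowercase also means the execute bit is set
                bits |= 1 << shift
        elif ch in "tT":            # sticky bit in the other slot
            bits |= stat.S_ISVTX
            if ch == "t":
                bits |= 1 << shift
        else:
            raise ValueError(f"unexpected mode character {ch!r} in {perm!r}")
    return bits


def parse_tar_listing(lines) -> Dict[str, Entry]:
    """Parse GNU 'tar -tv' output (assumed format, see sample) into entries."""
    entries: Dict[str, Entry] = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue                # not a listing line; skip rather than guess
        perm, owner_group, _size, _date, _time, name = parts
        owner, _, group = owner_group.partition("/")
        if perm[0] == "l":
            name = name.split(" -> ", 1)[0]   # drop the link target
        name = name.rstrip("/")
        entries[name] = Entry(name, perm[0], mode_from_string(perm), owner, group)
    return entries


def restore_plan(entries: Dict[str, Entry], root: str = "/") -> List[str]:
    """Commands that would put owner, group and mode back for each entry."""
    plan = []
    for rel in sorted(entries):
        e = entries[rel]
        target = os.path.join(root, rel)
        plan.append(f"chown -h {e.owner}:{e.group} {target}")
        if e.ftype != "l":          # symlink modes are not meaningful on Linux
            plan.append(f"chmod {e.mode:o} {target}")
    return plan


def apply_entries(entries: Dict[str, Entry], root: str = "/", dry_run: bool = True) -> List[str]:
    """Apply the plan to the filesystem, or with dry_run just return it."""
    plan = restore_plan(entries, root)
    if dry_run:
        return plan
    for rel in sorted(entries):
        e = entries[rel]
        target = os.path.join(root, rel)
        if not os.path.lexists(target):
            continue                # file gone since the backup; nothing to fix
        uid = pwd.getpwnam(e.owner).pw_uid
        gid = grp.getgrnam(e.group).gr_gid
        os.lchown(target, uid, gid)
        if e.ftype != "l":
            os.chmod(target, e.mode)
    return plan


# Constructed sample listing, in the 'tar -tv' shape assumed above.
SAMPLE_LISTING = """\
drwxr-xr-x root/root          0 2001-10-01 12:00 etc/
-rw-r--r-- root/root       1089 2001-10-01 12:00 etc/passwd
-rw-r----- root/shadow      718 2001-10-01 12:00 etc/shadow
-rwsr-xr-x root/root      24680 2001-10-01 12:00 bin/su
lrwxrwxrwx root/root          0 2001-10-01 12:00 bin/sh -> bash
drwxrwxrwt root/root          0 2001-10-01 12:00 tmp/
-rw-r--r-- alice/users       42 2001-10-01 12:00 home/alice/.profile
""".splitlines()

if __name__ == "__main__":
    for cmd in apply_entries(parse_tar_listing(SAMPLE_LISTING), dry_run=True):
        print(cmd)
```

Run it first with the dry run and read the plan; setuid binaries and the sticky /tmp are the entries worth checking by eye, since a `chown -R` followed by a careless restore is exactly how a setuid root file ends up owned by someone else.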
Re: NTP security

Jamie Heilman wrote:
>> So what is the most secure way of syncing time on a server ?
>
> Coupling your server directly to an atomic clock, or some other source
> of "hard" time, yields no network reliance at all, and is the most
> secure way.
>
> Using bug free software is the most secure way to synchronize over a
> network. ntpd could probably benefit from a good auditing as it is a
> reference implementation and those tend to get a rather unwieldy
> code-base. (BIND being a prime example)

See Ultra-Link, http://www.ulio.com/ for a low cost battery powerable
atomic clock radio receiver. It has a 3V inverted TTL RS-232 link that
runs at 2400 or 9600 baud. Power draw is +3.5V to 15V at 600uA. Last I
knew the ntp daemon knew how to talk to this guy. It's available as a
board set or in cases with proper RS-232 signal levels, power supply,
etc.

>> I noticed that /etc/services has a tcp entry for ntp. Is there any
>> way (short of changing the code) to coax ntp to use tcp instead of
>> udp ?
>
> No, UDP is intrinsic to how NTP works.

Actually it isn't. A bi-directional link is usually needed, but it seems
the latest version also supports connecting to a multicast network for
broadcasting the current time or for receiving it. In this case there is
an unknown amount of network lag between the transmitter and receiver.
For most computers this isn't a problem as it's unlikely the lag will be
over 500 ms. Most computers only need 1 second accuracy, if that even.

-- 
Bryan Andersen
Re: port-scanning. advise?

Bradley M Alexander wrote:
> Fortunately, that is the vast minority of the hacker community. But the
> true professionals are probably not gunning for your home machine.
> Ordinarily they are the ones that are doing industrial espionage,
> intelligence etc. Not hacking home machines. However, securing your
> machines and staying aware is still the best advice.

Just because your machine doesn't have specific data that is of interest
to a professional, don't assume he doesn't care about breaking into it.
It can still be used as a base of operations for scanning and attacking.
Also it may be that your home machine has a VPN to work, and as such is a
conduit into your work.

-- 
| Bryan Andersen | [EMAIL PROTECTED] | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen|