Re: Secure rsync setup, bind-mount ro
> Debian packages... But let me qualify my statement. "Bind mounts are
> just an aliasing mechanism in default kernels as distributed with any
> major distribution I looked at." Satisfied?

Nope, they are not an aliasing mechanism, otherwise it would be impossible
to do the thing you've just seen.

> > because "noone would use that", and "that was linux behaviour for years
> > and noone complained yet".
> The curse of backwards compatibility. Coming from somebody who routinely
> breaks ABIs...

AFAIK no one ever mentioned any problem with backwards compatibility (ie,
no one mounts stuff with ,ro and then uses it as rw).

> ... and you filed a bug to have them included in the Debian kernel

It IS included in Debian kernels, talk to debian-kernel, they maintain it:

Linux abc 2.6.18-3-vserver-686 #1 SMP Thu Nov 23 23:10:59 UTC 2006 i686 GNU/Linux
Package: linux-image-2.6.18-3-vserver-686
Priority: optional
Section: admin
Installed-Size: 49716
Maintainer: Debian Kernel Team
Architecture: i386

> builds? After first packaging them as a Debian kernel patch package? I

Are you attacking me for not being annoying enough? I'm so sorry.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Secure rsync setup, bind-mount ro
On Mon, Dec 18, 2006 at 04:50:51PM +0100, Lupe Christoph wrote:
> when I mean bind mounts. No, they are just an aliasing mechanism.

Nope, they're not:

ghost:/fs# mkdir testro
ghost:/fs# mount -o bind,ro /tmp/ /fs/testro/
ghost:/fs# touch testro/q
touch: cannot touch `testro/q': Read-only file system
ghost:/fs# touch /tmp/q
ghost:/fs# ls -l testro/q
-rw-r--r-- 1 root root 0 2006-12-19 08:36 testro/q
ghost:/fs# touch testro/q
touch: cannot touch `testro/q': Read-only file system

it's just that sometime in the past, someone took a shortcut and made
bind-mounts ignore the options, and now it seems that no one can explain to
Linus that that was an omission, and patches fixing that get thrown out
because "no one would use that", and "that was linux behaviour for years and
no one complained yet".

The patches were maintained as a separate 'bind mount extensions/bme' project
here: http://www.13thfloor.at/patches/
and now they're part of the vserver project, http://linux-vserver.org/

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
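A check to go with the touch test above and with the "aliasing mechanism" exchange in the reply before it: an added example written for this page, not the poster's, vserver's or util-linux's code. The distinction the thread argues about is visible in /proc/self/mountinfo, whose field 6 holds the flags of the mount itself while the options after the "-" separator belong to the superblock; a bind mount that silently dropped ",ro" shows "rw" in field 6 even though the underlying filesystem is unchanged. The SAMPLE_MOUNTINFO lines are constructed, the paths /srv/chroot/tmp and /srv/chroot/data are made up, and bind_ro is the two-step bind-then-remount form that mainline kernels with read-only bind mount support (2.6.26 onwards) accept even where a single "-o bind,ro" is ignored; it needs root and is not exercised by the sample data.

```shell
#!/bin/sh
# Added example for this page: check whether a mount is read-only at the
# mount level by reading the per-mount flags (field 6) from
# /proc/self/mountinfo. Not the poster's, vserver's or util-linux's code.
# SAMPLE_MOUNTINFO is constructed: /tmp bind-mounted rw into a chroot (the
# shortcut behaviour discussed above) and /srv/data bound ro. The
# superblock options after the "-" separator stay "rw" in both cases; only
# the per-mount flags differ.

SAMPLE_MOUNTINFO='24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
60 24 8:1 /tmp /srv/chroot/tmp rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
61 24 8:1 /srv/data /srv/chroot/data ro,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro'

# mount_flags MOUNTPOINT [MOUNTINFO]
# Prints "<per-mount flags> <superblock flags>" for MOUNTPOINT, or returns 1
# if nothing is mounted there. MOUNTINFO defaults to the live file.
mount_flags() {
    awk -v mp="$1" '
        $5 == mp {
            # optional fields (shared:N, master:N, ...) may precede the "-"
            # separator, so locate it instead of assuming field 7
            for (i = 7; i <= NF; i++)
                if ($i == "-") { print $6, $(i + 3); found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "${2:-/proc/self/mountinfo}"
}

# bind_is_ro MOUNTPOINT [MOUNTINFO]
# Returns 0 only if the mount itself carries "ro"; 1 if it is rw; 2 if
# MOUNTPOINT is not a mount point. A bind of an rw filesystem (the chroot
# case in this thread) only blocks writes when this per-mount flag is set.
bind_is_ro() {
    flags=$(mount_flags "$1" "$2") || return 2
    case ",${flags%% *}," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# bind_ro SRC DST
# Two-step form: bind, then remount the bind read-only. This is what works
# on kernels that support ro bind mounts but whose mount(8) silently drops
# "ro" from "-o bind,ro". Verified against the live mountinfo afterwards.
# Needs root; not exercised by the sample data above.
bind_ro() {
    mount --bind "$1" "$2" && mount -o remount,bind,ro "$2" && bind_is_ro "$2"
}
```

On a live host, `bind_is_ro /fs/testro` after the `mount -o bind,ro` shown in the post tells you whether the kernel honoured the flag; a return of 1 means the mount is an rw alias no matter what the touch test happened to say.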
Re: Secure rsync setup, bind-mount ro
> filesystems into the chroot you want to rsync. Since Linux does not
> support read-only loopback mounts, this leaves them open not only for
> reading but also for writing...

It does support read-only bind mounts though.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: local root exploit
What about this:

./elflbl
[+] SLAB cleanup
child 1 VMAs 87
[+] moved stack bfffe000, task_size=0xc000, map_base=0xbf80
[+] vmalloc area 0xe040 - 0xd000
[-] FAILED: uselib (Exec format error)

this is on woody, with vulnerable kernel (2.4.28 with ow1 and vserver), I
don't quite understand why it isn't working though...

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: doing an ssh into a compromised host
> Thanks for the idea. However, ssh-agent has to speak the ssh-agent
> challenge-response protocol, and provides no way to call out to another
> program for pass-phrases. So hooking it up to quintuple-agent would
> require some work, I believe.

It would be easier to hack ssh-agent to pop up a message 'host sth requested
auth .. grant yes/no?' (although the hack would be easy, doing this correctly
may require some work)

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Pseudo-cluster firewall
> > Now the problem: I have only a cross-over cable from the router to
> > the firewall, so I cannot connect the backup firewall. Using
> > a switch is pointless: the switch may die too.

Switches are relatively easy to set up in failover configuration (most cisco
gear supports it) (well, the problem would then be how to connect such a
setup to a router with a single ethernet jack).

As far as fail-over firewalls go, they're pretty easy to set up,
apt-cache show vrrd
(or maybe even better apt-cache show ucarp)

This little daemon makes it easy to set up two firewalls, the only problem
would be that in case of failure all nat-ted connections get dropped and you
have to reconnect. If you want to avoid that, go for OpenBSD and their
firewall sync. (btw, with ucarp you can create a dual firewall with one
machine running Debian and the other running OpenBSD).

I used to set up such thingies with debian as primary and freebsd running as
backup (which theoretically 'protects' you from critical failures in debian).

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: doing an ssh into a compromised host
> Nope. It is true. Copy the appropriate /tmp/ssh* directory, chown
> it, set SSH_AUTH_SOCKET appropriately, and ssh away.

hmm, but in /tmp/ssh* there's just a socket... so when the agent is gone,
what good is that file?

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: doing an ssh into a compromised host
> If you forward your agent (-A, or ForwardAgent yes), then the
> attacker now probably has access to all machines where the SSH key
> you used has access.

Is this indeed true? I was under the impression that ForwardAgent works more
in a challenge-response fashion?

And as far as X-forwarding goes - AFAIK if your setup is like you describe,
then your ssh does not request X-forwarding, thus there's no way for the
remote server to force this upon you.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: telnetd vulnerability from BUGTRAQ
> with an unknown host. SSH is dependent on a known_hosts. If information
> about a host is not known (public/server key) then SSH is every bit as
> easy to eavesdrop as FTP. There are many tools that will easily

in this case FTP is more secure, because it's easier to set up PKI and this
way check the server's certificate.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: telnetd vulnerability from BUGTRAQ
> Why, no. That specification being for TLS, it has very little to do

correct, sorry, I pasted the wrong link,

> > http://www.faqs.org/ftp/internet-drafts/draft-murray-auth-ftp-ssl-13.txt

but still, this draft is already several years old, I wrote a perl ftp client
based on it ~1 year ago, last time I looked at it it had a ~1999 date on it,
now it looks like it's moving further down the standardisation road...

> standard. That isn't a strong basis for any claim that the standard
> does include encryption, or that encryption is a standard part of FTP.

I respectfully disagree with you on that point. But I think we've already
drifted offtopic...

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: telnetd vulnerability from BUGTRAQ
> > I don't know what you imagine is "encrypted" in FTP, though, since that
> is not part of the specification or the standard implementations.

oh, not part of THIS: http://www.ietf.org/rfc/rfc2246.txt specification?
that is like, what, 5 years old? Well, what about this:
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html
and this:
http://www.faqs.org/ftp/internet-drafts/draft-murray-auth-ftp-ssl-13.txt
and this:
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html,
and this
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html#client

And this is fully supported by debian, we've got an excellent client (lftp),
excellent server (proftpd) and funky server (wzdftpd), so there's something
for everyone. I think no one uploaded tlswrap yet, although I've been using
it with success and on many platforms for ~2 years now.

I would suggest updating one's knowledge at least every ~5 years or so...
(it's easy for me to say, because I'm still learning, maybe people with
decades of IT experience find it more difficult to follow the development of
standards)

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: preventing /dev/kmem and /dev/mem writes?
> /dev/kmem unusable. That, he says, will break lilo (I can't use GRUB as
> it doesn't support booting off RAID devices properly)

Strange... I've been booting off raid with grub and it seems to work. What
do you mean by 'properly'?

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: logging samba access
On Sun, Jun 06, 2004 at 12:30:58PM +0200, Christoph Moench-Tegeder wrote:
> ## LeVA ([EMAIL PROTECTED]):
> 
> > Is it possible to log the file/dir accesses to samba server? I.e. I got
> > a share, and when someone mounts (from win or unix) it and access file,
> > or write files I want samba to log it to the smb.log. Is this possible?
> 
> Ever had a look in /var/log/samba/? If you are missing something,
> increase log level in smb.conf.

The problem is - in order to see file/dir accesses you need to increase the
log level in smb.conf. This sounds innocent enough unless you actually do it
- the level in which you see those accesses is one of the 'DEBUG' ones, and
you get GIGs of logfiles per day/hour, and then parsing this becomes a
nightmare. So a simple task like finding who created this 'John Doe is
f***ing faggot' with porn on your samba fileserver is not as easy as with
ftp servers (this is partly because of the protocol nature, but not that
much).

btw, I'd be very interested if someone knew a solution to this that does not
require modifying samba source and then maintaining your own packages...

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Strange bind error
> > For the first time I saw those curious errors. I don't understand where
> > is the error, in my bind or in the remote client/server??
> > 
> > Any idea?
> > 
> > Apr 21 22:00:50 volubilis named[12517]: socket.c:1100: unexpected error:
> > Apr 21 22:00:50 volubilis named[12517]: internal_send: 203.147.0.49#0:
> > Invalid argument
> 
> DNS queries with source port 0 could cause this, I suppose.

I don't think so. You shouldn't get an error binding to port '0' unless all
your resources are used (AFAIK). I think there might be some race condition
there, because I've seen similar errors during peak load.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: SSL / VPN ??
> Due to the fact that this IIS server is exposed to the internet, we
> obviously need to secure it as best we can.

apt-cache show pound

This is a tool built specifically for such purpose.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: VPN Firewall Kernel
> > at http://sourceforge.net/projects/wolk
> It appears that WOLK is not in Debian. I would guess that given it's aim to
> Neither the URL you provide nor the Freshmeat entry list what patches are
> included in WOLK.

Well, there used to be such a list, but then WOLK turned into a closed project
for a year. I hear that 2.6 wolk is once again on the right track.
( /pub/linux/kernel/people/mcp/2.6-WOLK )

> In Debian there are patches for exec-shield, SE Linux, GRSecurity, and the
> Adamantix kernel patch (PAX + RSBAC + maybe some other things).

There are many patches in debian, but most of them are designed to work with
'generic debian kernel', not with 'generic debian kernel patched with several
other debian-packaged patches', ie - combining a few of those usually is
similar to maintaining your own kernel patchset. Unfortunately. And I don't
think it would be technically easy to change that.

> distribution. The "Hardened Gentoo" people are doing some interesting stuff
> in regard to kernel security patches. Compiling Gentoo kernel source on and
> for a Debian machine should not cause any problems.

I hear gentoo kernel people are quite fond of wolk. When wolk was still an
open project they used to consider using it as a base for their version. They
didn't and rightly so.

Anyway, if you want more than one feature provided by some patches, you either
go with some ready-made source like wolk, gentoo or redhat (especially for
databases), or you decide to roll your own. Middle-ground does not exist, the
best you can do is go some route that makes rolling your own easier (like
picking patches from some greater patchset, or carefully choosing the features
you need (to avoid conflicting features)).

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
ecartis?
Hi,
there are still two critical bugs filed against ecartis, one is 1 year old,
another is 203 days old. The second one seems to have been closed, and then
reopened. Does this mean ecartis is still vulnerable (I don't care about the
first, postfix-related one too much, but it's still depressing)...?

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: VPN Firewall Kernel
> I need Freeswan 1.99+, MPPE for Poptop, patch-o-matic for pptp masq and
> would like GrSecurity for it's chroot and randomized capabilities.
> Applying all these patches to 2.4.25 fails with many files unpatched.

I maintain a patchset with similar capabilities (eyck.forumakad.pl/Projects/bsd),
try using openswan instead of freeswan, this should reduce the number of
conflicts, also, don't load all of POM, just the pieces you need.

> Does anyone know of an existing Kernel that has similar features?

You can count on WOLK (wolk.sf.net) having all the features you need, with a
competent maintainer on top. I wouldn't recommend 2.4.x wolk since it's not
very well tested and is non-free in spirit. Go with 2.6.x though.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: end of Freeswan
> It's a pity.

It's not a pity. I, for one, welcome our new openswan overlords.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Big VPN
> What is Racoon like in terms of configuration ease? I've used FreeSWAN and
> whilst it's not the easiest to set up, once you've got your head around it,
> it does make sense.

Racoon makes sense from the start ;)

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Big VPN
> FreeS/WAN is "orphaned" upstream. OpenSWAN is based on FreeS/WAN and as
> such it does not work with 2.6.

That is untrue. 1.x branch works with 2.4.x kernels, 2.x branch works with
2.6.x

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Big VPN
> think an acceptable user-land alternative might be openvpn. I would

I don't think openvpn would easily handle such a large number of connections,
it would also be a configuration nightmare. tinc was designed to handle such
a scenario, but I wouldn't use anything user-land for ~100 lans, no matter
how maintainable the configuration is.

I guess the best bet is kernel 2.6.x and racoon-based key management.

Oh, and btw, if you're going to use FreeS/WAN, better look at
http://www.openswan.org, they've got the good code. (and backwards
compatible, if you've got a frees/wan based network and want to upgrade to
2.4.25 you're out of luck with free s/wan - they migrated to 2.x with a newer
kernel, and it means you need to upgrade your userland tools, and probably
tune configuration a bit. Openswan works nicely with upgrades).

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Tripwire (clone) which would you prefer?
> In what sense? Logging to syslog/email/external database and signing the

Bringing the machine to its knees seems pretty intrusive to me. Samhain runs
as a daemon, and IIRC it scans running processes and does other things in an
effort to detect trojans and lkms. This activity used to boost idle load avg
from ~0.1-0.3 to ~1.0, and created serious problems with handling peak loads.

AFAIK you can modify the way you want to run samhain, and it's been years
since I tried using samhain, so samhain probably became more efficient, and
today's 6G-ram 3Ghz cpus probably pack enough grunt to safely ignore the
additional load, but one should always be careful with 'extra features'.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Tripwire (clone) which would you prefer?
> samhain (in unstable, should be easy to backport) which has some
> interesting features.

And those interesting features should make you cautious before you deploy
samhain in a production environment. I find it rather intrusive.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Tripwire (clone) which would you prefer?
> I did a survey of integrity checkers. I didn't find bsign then, but

I'd vote against bsign - it modifies original binaries, thus rendering debian
md5 sums useless. (It would be great if one could get packages with
bsign-signed binaries, signed by DDs or release team).

I prefer integrit, it's very convenient - and convenience comes with a price -
in default mode of operation it updates your md5sums, so you can run it and
get incremental notifies about what changes in your system. That might not be
what you want.

-- 
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
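The update-on-run caveat above, as an added example that is neither integrit's, tripwire's nor bsign's code: a minimal baseline/check pair in the tripwire style where "check" only ever reads the baseline, so an attacker who changes a file cannot get the change silently folded into the next run. It hashes content only (a real checker also records mode, owner and mtime) and assumes coreutils sha256sum; the directory and file names used in the usage note are made up.

```shell
#!/bin/sh
# Added example (not integrit's, tripwire's or bsign's code): a minimal
# content-hash baseline in the tripwire/integrit style. "init" records a
# baseline; "check" reports ADDED/MODIFIED/REMOVED files and never rewrites
# the baseline, the opposite of integrit's default update-on-run mode
# mentioned above. Only file content is hashed; a real checker would also
# record mode, owner and mtime. Assumes coreutils sha256sum.

# scan_tree DIR: one "digest  ./path" line per regular file, sorted by path
scan_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2
}

# baseline_init DIR BASELINE: write the baseline. Do this from a known-good
# state and keep BASELINE where the monitored host cannot write it.
baseline_init() {
    scan_tree "$1" > "$2"
}

# baseline_check DIR BASELINE: print differences, return 0 only if none.
# The baseline is opened read-only and never updated by this function.
baseline_check() {
    cur=$(mktemp) || return 2
    scan_tree "$1" > "$cur"
    rep=$(awk '
        # the path starts after the two spaces sha256sum emits, so spaces
        # in filenames survive
        { p = substr($0, index($0, "  ") + 2) }
        FILENAME == ARGV[1] { old[p] = $1; next }
        { new[p] = $1 }
        END {
            for (p in old)
                if (!(p in new))           print "REMOVED " p
                else if (old[p] != new[p]) print "MODIFIED " p
            for (p in new)
                if (!(p in old))           print "ADDED " p
        }' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$rep" ] && return 0
    printf '%s\n' "$rep"
    return 1
}
```

Usage (hypothetical paths): `baseline_init /usr/sbin /media/cdrom/usr-sbin.base` once from clean media, then `baseline_check /usr/sbin /media/cdrom/usr-sbin.base` from cron; a non-zero exit with a report is the alert, and re-running the init step is a deliberate, separate action rather than a side effect of checking.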
Re: 2.2 Kernel Fix
> 2.2 series of kernels, sincee they're apparently vulnerable too? You can find the patch on bugtraq/isec/etc, attached is a peek at it -- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9 --- linux/mm/mremap.c.security Sun Mar 25 20:31:03 2001 +++ linux/mm/mremap.c Thu Feb 19 05:10:34 2004 @@ -9,6 +9,7 @@ #include #include #include +#include #include #include @@ -25,7 +26,7 @@ if (pgd_none(*pgd)) goto end; if (pgd_bad(*pgd)) { - printk("move_one_page: bad source pgd (%08lx)\n", pgd_val(*pgd)); + printk("copy_one_page: bad source pgd (%08lx)\n", pgd_val(*pgd)); pgd_clear(pgd); goto end; } @@ -34,7 +35,7 @@ if (pmd_none(*pmd)) goto end; if (pmd_bad(*pmd)) { - printk("move_one_page: bad source pmd (%08lx)\n", pmd_val(*pmd)); + printk("copy_one_page: bad source pmd (%08lx)\n", pmd_val(*pmd)); pmd_clear(pmd); goto end; } @@ -57,34 +58,22 @@ return pte; } -static inline int copy_one_pte(pte_t * src, pte_t * dst) +static int copy_one_page(struct mm_struct *mm, unsigned long old_addr, unsigned long new_addr) { - int error = 0; - pte_t pte = *src; + pte_t * src, * dst; - if (!pte_none(pte)) { - error++; - if (dst) { - pte_clear(src); - set_pte(dst, pte); - error--; + src = get_one_pte(mm, old_addr); + if (src && !pte_none(*src)) { + if ((dst = alloc_one_pte(mm, new_addr))) { + set_pte(dst, *src); + return 0; } + return 1; } - return error; -} - -static int move_one_page(struct mm_struct *mm, unsigned long old_addr, unsigned long new_addr) -{ - int error = 0; - pte_t * src; - - src = get_one_pte(mm, old_addr); - if (src) - error = copy_one_pte(src, alloc_one_pte(mm, new_addr)); - return error; + return 0; } -static int move_page_tables(struct mm_struct * mm, +static int copy_page_tables(struct mm_struct * mm, unsigned long new_addr, unsigned long old_addr, unsigned long len) { unsigned long offset = len; 
@@ -99,7 +88,7 @@ */ while (offset) { offset -= PAGE_SIZE; - if (move_one_page(mm, old_addr + offset, new_addr + offset)) + if (copy_one_page(mm, old_addr + offset, new_addr + offset)) goto oops_we_failed; } return 0; @@ -113,8 +102,6 @@ */ oops_we_failed: flush_cache_range(mm, new_addr, new_addr + len); - while ((offset += PAGE_SIZE) < len) - move_one_page(mm, new_addr + offset, old_addr + offset); zap_page_range(mm, new_addr, len); flush_tlb_range(mm, new_addr, new_addr + len); return -1; @@ -129,7 +116,9 @@ if (new_vma) { unsigned long new_addr = get_unmapped_area(addr, new_len); - if (new_addr && !move_page_tables(current->mm, new_addr, addr, old_len)) { + if (new_addr && !copy_page_tables(current->mm, new_addr, addr, old_len)) { + unsigned long ret; + *new_vma = *vma; new_vma->vm_start = new_addr; new_vma->vm_end = new_addr+new_len; @@ -138,9 +127,19 @@ new_vma->vm_file->f_count++; if (new_vma->vm_ops && new_vma->vm_ops->open) new_vma->vm_ops->open(new_vma); + if ((ret = do_munmap(addr, old_len))) { + if (new_vma->vm_ops && new_vma->vm_ops->close) + new_vma->vm_ops->close(new_vma); + if (new_vma->vm_file) + fput(new_vma->vm_file); + flush_cache_range(current->mm, new_addr, new_addr + old_len); + zap_page_range(current->mm, new_addr, old_len); + flush_tlb_range(current->mm, new_addr, new_addr + old_len); + kmem_cache_free(vm_area_cachep, new_vma); + return ret; + } insert_vm_struct(current->mm, new_vma); merge_segments(current->mm, new_vma->vm_start, new_vma->vm_end); - do_munmap(addr, old_len); current->mm->total_vm += new_len >> PAGE_SHIFT;
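Review bot: the header name is missing from the added `+#include` line in the first hunk as the patch appears here, so what that hunk pulls in for the new code cannot be checked; keep the angle-bracketed name intact when quoting the patch in mail, since this text is the only record of the change.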
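Review bot: in the copy_one_page hunk, `set_pte(dst, *src)` installs a second PTE for the same page with no visible page-count increment, yet both unwind paths, `zap_page_range(mm, new_addr, len)` under oops_we_failed and `zap_page_range(current->mm, new_addr, old_len)` in the new do_munmap error path, release one reference per copied PTE while the mapping at old_addr still holds the page. Either take a reference per copied page in copy_one_page or point at where that reference is taken, otherwise fixing the ignored do_munmap return value trades one use-after-free for another on the failure paths.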
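Review bot: in the final hunk, do_munmap's negative errno is stored in `unsigned long ret` and returned directly, so the caller must decode large unsigned values as -errno; either declare `ret` with do_munmap's return type or add a one-line comment at `if ((ret = do_munmap(addr, old_len))) {` saying the caller expects the encoded form. The unwind itself (close, fput, flush, zap, flush_tlb, kmem_cache_free) mirrors oops_we_failed and reads correctly.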
Re: strange sftp behaviour... man-in-the-middle?
> Is there some way to override this? :-)
You can edit packets on your firewall ( something along the lines of iptables -t mangle -p tcp --dport 22 -j TOS --set-tos Minimize-Delay ), but in general it's not a good idea ( you don't want your bulk traffic eating your interactive sessions ).
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: strange sftp behaviour... man-in-the-middle?
> operations (that includes even checking the password at login) either
> complete with a great delay, or time out with connection reset by peer.
It looks like someone is shaping traffic ( sftp packets run with the 'Bulk Transfer' bit enabled, ssh goes with 'Low Latency Required' )...
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: creating password for a shadow file
> try to login with 'user' via ftp (using the newly created shadow file),
ftp daemons usually provide a command for creating passwd files, proftpd: ftpasswd, muddleftpd: mudpasswd.
> user:$apr1$DlJ9I...$E8VL0rjQKdl1pVgH2q10C.
> user:$1$NR.fOvEF$.hOr7l7msiIfz6sP4l0yS/
Even with the same tools passwds won't match:
pokurcz:/tmp# passwd oracle
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
pokurcz:/tmp# grep oracle /etc/shadow
oracle:$1$wRhm9QF5$3r41IcRFn0P/PO5Yg5VqK/:12387:0:9:7:::
pokurcz:/tmp# passwd oracle
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
pokurcz:/tmp# grep oracle /etc/shadow
oracle:$1$IEy1afpX$6F5lP3Axj8nA0s639qz441:12387:0:9:7:::
And that was the same password.
> So my question is, that is it possible to create passwords for a shadow
> file with a command line tool?
You could use PAM for that - create a pam setting with an alternative location for files, and point your passwd to that pam ( /etc/pam.d/passwd ). But in general, I'd like to hear the answer to that question.
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
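The two shadow lines above differ although they came from the same password because passwd draws a fresh random salt on every run. The following added example (not from the post, nor from any package it mentions) reproduces the $1$ MD5-crypt computation with plain hashlib, so a shadow-ready hash can be produced from a script and a password checked against a stored line; "hunter2" and the helper names are constructed, and the post's first shadow line is reused only for parsing since its password is unknown.

```python
"""
$1$ (MD5-crypt) shadow hashes with nothing but hashlib: generate one with a
fresh salt, verify a password against a stored value, and split a shadow
record.  Added example, not from the post; POST_LINE is the first shadow
line the post shows (its password is unknown), "hunter2" is a constructed
password, and the helper names are this example's own.
"""
import hashlib
import secrets
from datetime import date, timedelta

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
POST_LINE = "oracle:$1$wRhm9QF5$3r41IcRFn0P/PO5Yg5VqK/:12387:0:9:7:::"


def _to64(value: int, n: int) -> str:
    """n base-64 digits of value, least significant first, crypt(3) style."""
    out = ""
    for _ in range(n):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password: str, salt: str) -> str:
    """Compute '$1$<salt>$<22 chars>' exactly as crypt(3)'s MD5 scheme does."""
    if not 1 <= len(salt) <= 8 or "$" in salt:
        raise ValueError("salt must be 1..8 characters and contain no '$'")
    pw, sl = password.encode("utf-8"), salt.encode("ascii")

    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    pl = len(pw)
    while pl > 0:                       # len(pw) bytes of alt, 16 at a time
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for r in range(1000):               # the slow part: 1000 chained rounds
        ctx1 = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            ctx1.update(sl)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()

    f = final                           # bytes are interleaved before encoding
    h = _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
    h += _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
    h += _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
    h += _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
    h += _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
    h += _to64(f[11], 2)
    return f"$1${salt}${h}"


def new_hash(password: str) -> str:
    """What passwd does on each run: a fresh random 8-char salt, hence a new line."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5_crypt(password, salt)


def verify(password: str, stored: str) -> bool:
    """Re-hash with the salt embedded in the stored value and compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, parts[2]), stored)


def parse_shadow_line(line: str) -> dict:
    """Name the colon-separated fields of one /etc/shadow record."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("a shadow record has 9 fields")
    epoch_day = int(f[2]) if f[2] else None   # days since 1970-01-01
    return {
        "name": f[0],
        "hash": f[1],
        "salt": f[1].split("$")[2] if f[1].startswith("$1$") else None,
        "last_change": (date(1970, 1, 1) + timedelta(days=epoch_day)).isoformat()
        if epoch_day is not None else None,
        "min_days": f[3], "max_days": f[4], "warn_days": f[5],
    }


if __name__ == "__main__":
    a, b = new_hash("hunter2"), new_hash("hunter2")
    print(a, b, sep="\n")                       # two different lines, same password
    print(verify("hunter2", a), verify("hunter2", b))
    print(parse_shadow_line(POST_LINE))
```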
Re: getting started with SELinux
On Sat, Nov 29, 2003 at 12:05:58AM +0100, Peter Busser wrote:
> it works fine.
Oho ho, what a bold claim. Not even adamantix people claim that. I found it not working correctly in a few scenarios, although I must say security was improved. Adamantix is a very nice project, I like it a lot, but it can't replace debian.
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Debian servers "hacked"?
> information. To suggest possible problems without knowing the scope and
> without reading their write up is premature. Better to ask questions
> once they feel like they know the answers. :)
Well since the delayed woody release was released it surely means that 'they' know the answers. So I think this is a perfect time for a post-mortem.
> To speculate is to do a disservice. Trust the debian security team;
> they do their job well and you should know that security is never guaranteed.
Well, latest events seem to suggest that debian still lacks paranoia.
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Transparent bridge firewall with bridge-nf
> as opposed to a setup with a firewall+router.
With Linux there are a few problems with a transparent firewalling setup - ie, normal iptables don't work too well with such a setup, you need to use special bridge-iptables, ebtables IIRC. One drawback to that is that you can't do everything you're used to doing with iptables, you need to limit yourself to relatively simpler rules ( if all you need is to filter out some ports then there's no limitation here ).
{ A similar setup using OpenBSD is very clean and works flawlessly out of the box ( and using standard pf ) }
> and remains invisible at the cost of giving away the real IP addresses
I don't think being invisible is that much of a security measure, it sure is nice, but the real kick in being invisible is that you can firewall your users without changing infrastructure, you can put your firewall about anywhere. Being invisible doesn't make you invulnerable (as all comic readers know;), if you've got snort on your firewall and there's a bug in its parsing code, you're still going to be sorry...
> keep hiding the real IP addresses of the servers or to hide the firewall
I don't get it, what do you accomplish by hiding the real IP address of something? Incoming-blocking firewalling is just a byproduct of NAT, wouldn't you prefer the real thing?
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Why do system users have valid shells
On Wed, Oct 22, 2003 at 07:41:33PM +1000, Russell Coker wrote:
> On Wed, 22 Oct 2003 19:27, Dariush Pietrzak wrote:
> > > 'su -s /bin/bash -c "cmd" user '
> > >
> > > sounds like a very bs argument
> >
> > Do you understand the term 'breakage' ?
>
> Do you understand the term "testing"?
Why should I? The question was - what can go wrong. Well, the thing I mentioned can go wrong. It's not a "bs argument", and not even a "very bs argument", since I'm not arguing about anything, just pointing to a potential source of problems. And before we go on with testing maybe we should think for a second about what could go wrong? If you ask the question 'What can go wrong', the answer 'ooh, probably nothing' has rather low informational value.
> Some of us have run fairly complete Linux machines for years with most of
> those accounts set to /bin/bash for their shell without any problems. I
/bin/bash? It's a typo, right?
> whinged at me all the time, and the other is that I have little need for such
> measures now that I'm running SE Linux on all important machines.
Good for you, I envy you, I ain't got enough time to set up and maintain SE Linux on my machines.
> Linux I think that there are some good benefits to be achieved by making the
> shells of those accounts be /bin/bash by default.
I'm using ash instead of bash for non-interactive stuff, it's easier on resources;)
> without breakage I am quite confident that we can get these things right.
That's the point 'we can get these things right'. Of course we can, and we should, but I don't think we can just flip the switch and forget about this. The best course of action would be to gather possible sources of problems first, then test the change, etc..
> We can start with "bin", "daemon", "sys", and "sync" which are the least
> likely accounts to need a login shell. After those changes have been tested
> to everyone's satisfaction we can then move on to others.
Now you're talking.
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Why do system users have valid shells
> 'su -s /bin/bash -c "cmd" user '
>
> sounds like a very bs argument
Do you understand the term 'breakage' ? How about the idea that changing something in the system may force you to rewrite parts of code?
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Why do system users have valid shells
> Is there a reason why Debian chooses to specify /bin/sh for system
don't know.
> accounts? Do we risk breaking anything if we perform an
> s/\/bin\/sh$/\/bin\/false/ ?
Yes, you'll run into trouble trying to run cronjobs as those system users, also su user -c command won't work, you'll need to use sudo or the suid bit, and that's a bit messy.
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Need advice about allowing only sftp on woody
> > Can't SSH run in chroot ?
> sorry, I made a mistake... I've meant that it allows shell login while I
> wanted to disable it.
Well... if you don't want shell logins you can't use hacks like scp/sftp, but you can use a restricted shell like scponly. I'd recommend proftpd with tls, but it does not fulfill your certificate-only login ( at least the version from woody does not, there are quite many options there that you could check.. but you'd probably end up having to recompile it ), you could use some web-based system, that would be trivial to program around.
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Need advice about allowing only sftp on woody
On Tue, Oct 14, 2003 at 11:31:10AM -0700, Yogesh Sharma wrote:
> Can't SSH run in chroot ?
not easily with privilege separation turned on?
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Need advice about allowing only sftp on woody
Hi,
> 1. encrypted (ssh/ssl)
proftpd can do that.
> 2. key based authentication, no password!!!
that's trickier, there are FTP/TLS servers with that capability, but I doubt you'll find anything in woody that can do that besides ssh.
> 3. preferably without the option for login (if used with scp, sftp)
> 4. chroot
again - proftpd.
> want to start migrating unstable packages (to build rssh I need a higher
How about:
Package: scponly
Version: 3.8-5
Priority: optional
Section: utils
Maintainer: Thomas Wana <[EMAIL PROTECTED]>
Depends: libc6 (>= 2.2.4-4), debconf (>= 0.5), ssh
Architecture: i386
Filename: ../woody/scponly_3.8-5_i386.deb
Size: 20632
MD5sum: ac1c64d7b57ec3ca30a590e5bbe24e20
Description: Restricts the commands available to scp- and sftp-users
 "scponly" is an alternative 'shell' (of sorts) for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution priviledges. Functionally, it is best described as a wrapper to the mostly trusted suite of ssh applications.
installed-size: 80
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: MS BS + Sorting out the virii
> ClamAV is supported in Debian and it's very well integrated with
> amavisd-new (which, in turn, can be used also with spamassassin).
Yes, but where can I find clamav for woody? Sid's package depends on a whole lot of sid stuff, so recompiling it on woody requires significant effort. Data from apt-get.org suggests that www.debian.org/~aurel32/BACKPORTS would be the best source, is that correct?
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Watch out! vsftpd anonymous access always enabled!
On Mon, Sep 22, 2003 at 10:18:20PM +0200, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > Why do you think there's anything wrong with ftp?
>
> FTP is a firewall nightmare,
You think? Firewalls are a nightmare, and the only result of preferring http-only protocols is what you'll see in the nearest future: Every single new protocol is http and works via port 80/443. How's that for a firewall nightmare? Now you've got www traffic, file transfer, instant messaging, REMOTE PROCEDURE CALLS (soap/xml-rpc for example), all going through your precious firewall.
> it is unsecure (plaintext),
since when? It's only plaintext if you want it. You can choose/negotiate 'authentication, confidentiality and message integrity'. You can even change securelevels at runtime - encrypt only authentication ( cool for transferring non-sensitive bulk data like movies/already encrypted backups ), encrypt selected files, etc etc..
Check:
RFC 959 (FTP)
RFC 2246 (TLS)
RFC 1579 (Firewall-friendly data exchange)
RFC 2228 (FTP security extensions) ( ftp://ftp.rfc-editor.org/in-notes/rfc2228.txt )
That RFC is from 1997... Of course there are servers that will let you in only if you present them with a correct client certificate, and force you to use encryption. Nice thing is that I'm in control, when I need to transfer something big off the 486, I could choose to encrypt only authentication if the data is not sensitive.
> the more advanced
> features are not standardized.
Nooo? Which 'advanced features'? Although you've got a point - there are way too many standards and advanced features in FTP. There are some ~two decades old RFCs that describe how FTP is supposed to enable starting jobs on mainframes. And this 'advanced feature' is disabled on most FTP servers I've seen. Which other transfer method is better standardized? SFTP? Which SFTP? SFTP from RFC 913 from 1984?
> Even parsing the directory output is terror to
> the programmer.
I found the ftp protocol trivial to implement for a programmer. Show me a transfer method that is easier to implement.
greetings,
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: ProFTPD ASCII File Remote Compromise Vulnerability
On Tue, Sep 23, 2003 at 04:13:02PM -0500, Jeff Bender wrote:
> Thanks. Do you happen to have a link where this might be posted?
Well.. The advisory talks about a version higher than the one in woody.
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Watch out! vsftpd anonymous access always enabled!
> There's nothing wrong with offering data over ftp to the general public,
> especially when you can guarantee the contents in some way. There is
> something wrong when you need secure, private transfers.
And what is wrong with it when you need secure, private transfers?
> I wonder though, why no-one has mentioned ftp over TLS/SSL, which is a
that's because it was oh so cool to use scp to transfer files, and now that's the only way l33t does it. scp is a hack, ftp/tls is an elegant solution, and who would want elegant solutions when they can feel l33t. What is wrong with people, someone asks for a solution, and everybody jumps up to shout - "Hey! I know what scp is!", "Dude, I know rsync". I SOO envy you, I never would've figured out how to use those highly sophisticated tools...
About FTP/TLS:
http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-12.txt describes a mechanism that can be used by FTP clients and servers to implement security and authentication using the TLS protocol defined by [RFC-2246] and the extensions to the FTP protocol defined by [RFC-2228].
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html contains a list of clients and servers that support the FTP TLS/SSL protocols, plus a lot of additional info.
simple tools like lftp support those almost-decade-old specifications, there's no need to create shell accounts on your system for every person who wants to transfer files, the specification is clean and simple.
There ARE scenarios where scp/sftp would fit better - for example you want authentication based on a private/public key. Support for that is very stable with ssh, with ftp you would be hard pressed to find a server that works like that.
-- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
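Both FTP/TLS posts above (this one and the earlier reply to "FTP is a firewall nightmare") rest on the RFC 2228 command sequence AUTH TLS, PBSZ 0 and PROT C/P, which is what lets a client encrypt only the login and leave bulk data in the clear, and what lets a server insist on a client certificate and on a protected data channel. The following in-process model, an added example that is neither from the posts nor from any real FTP server, walks through both sides' messages under a lax and a strict policy; the Policy/Session names and the reply texts are constructed, while the reply codes (234, 200, 331, 230, 150, 503, 504, 530, 534, 536) are RFC 959/2228's.

```python
"""
Model of the RFC 2228 security handshake on an FTP control channel.  Added
example, not from the list posts or any real server: reply texts are
constructed, reply codes follow RFC 959/2228, and the credential check and
the TLS handshake itself are out of scope (we only track the state).
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Server-side choices the posts mention (names are constructed)."""
    require_tls_control: bool = True    # no USER/PASS before AUTH TLS
    require_tls_data: bool = False      # refuse a clear data channel (PROT C)
    require_client_cert: bool = False   # refuse AUTH TLS without a client cert


@dataclass
class Session:
    """One control connection: RFC 2228 state plus the recorded dialogue."""
    policy: Policy
    tls_control: bool = False
    pbsz_done: bool = False
    prot: str = "C"                     # RFC 2228 default: data in the clear
    user: str = ""
    logged_in: bool = False
    transcript: list = field(default_factory=list)

    def send(self, line: str, client_cert: bool = False) -> str:
        """Feed one client command; record and return the server reply."""
        self.transcript.append("C: " + line)
        cmd, _, arg = line.partition(" ")
        reply = self._handle(cmd.upper(), arg.strip(), client_cert)
        self.transcript.append("S: " + reply)
        return reply

    def _handle(self, cmd: str, arg: str, client_cert: bool) -> str:
        p = self.policy
        if cmd == "AUTH":
            if arg.upper() not in ("TLS", "TLS-C", "TLS-P", "SSL"):
                return "504 Unknown security mechanism"
            if p.require_client_cert and not client_cert:
                return "534 Client certificate required"
            self.tls_control = True
            if arg.upper() in ("TLS-P", "SSL"):   # these imply a protected data channel
                self.prot = "P"
            return "234 AUTH command ok, starting TLS handshake"
        if cmd == "PBSZ":
            if not self.tls_control:
                return "503 Issue AUTH first"
            self.pbsz_done = True                # TLS needs no buffer, PBSZ is always 0
            return "200 PBSZ 0 successful"
        if cmd == "PROT":
            if not (self.tls_control and self.pbsz_done):
                return "503 PBSZ must precede PROT"
            if arg.upper() not in ("C", "P"):
                return "536 Requested PROT level not supported by mechanism"
            if arg.upper() == "C" and p.require_tls_data:
                return "534 Data channel must be protected, use PROT P"
            self.prot = arg.upper()
            return f"200 Protection level set to {self.prot}"
        if cmd == "USER":
            if p.require_tls_control and not self.tls_control:
                return "530 Secure the control channel with AUTH TLS first"
            self.user = arg
            return "331 Password required"
        if cmd == "PASS":
            if not self.user:
                return "503 Login with USER first"
            self.logged_in = True                # real credential check omitted
            return "230 User logged in"
        if cmd == "RETR":
            if not self.logged_in:
                return "530 Not logged in"
            if p.require_tls_data and self.prot != "P":
                return "534 Data channel must be protected, use PROT P"
            how = "TLS-protected" if self.prot == "P" else "clear"
            return f"150 Opening {how} data connection for {arg}"
        return "502 Command not implemented"


def negotiate(policy: Policy, client_cert: bool = False, data_prot: str = "C") -> Session:
    """The usual client order: AUTH TLS, login, PBSZ 0, PROT x, then a transfer."""
    s = Session(policy)
    s.send("AUTH TLS", client_cert=client_cert)
    s.send("USER backup")
    s.send("PASS constructed-secret")
    s.send("PBSZ 0")
    s.send(f"PROT {data_prot}")
    s.send("RETR already-encrypted-backup.tar.gpg")
    return s


if __name__ == "__main__":
    # "Encrypt only authentication": credentials over TLS, bulk data in the clear.
    print("\n".join(negotiate(Policy()).transcript))
    # Strict server: client certificate and PROT P are mandatory.
    strict = Policy(require_tls_data=True, require_client_cert=True)
    print("\n".join(negotiate(strict, client_cert=True, data_prot="P").transcript))
```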
Re: Watch out! vsftpd anonymous access always enabled!
> ssh for pretty much everything I can, and otherwise wget. I only
Could all those security experts recommending using sftp/scp for data transfers please explain how they came to the conclusion that creating shell accounts is the best way of giving access to a few files?
> use ftp when I really, really have to.
Well, I use ftp all day long... OpenBSD uses ftp all year long... Why do you think there's anything wrong with ftp?
--
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: recommendations for FTP server
> That's not true. Try this one:
> $ apt-cache search ftp ssl
> curl - Get a file from an FTP, GOPHER, HTTP or HTTPS server.
that's not it.
> ftp-ssl - The FTP client with SSL encryption support.
Ok, this one works, I forgot about it because it's way too plain to really recommend to someone. It's like resume and sftp/scp - you can show someone how to do it using dd, but what they really need is a client in which you can just tap 'reget file' and it works. Psftp works like that, nothing I've seen in woody does.
> gnus - A versatile News and mailing list reader for Emacsen
> octave2.0 - The GNU Octave language for numerical computations
> octave2.1 - The GNU Octave language for numerical computations (2.1 branch)
> sitecopy - A program for managing a WWW site via FTP, DAV or HTTP
> xsitecopy - A program for managing a WWW site via FTP, DAV or HTTP (GNOME version)
> libwww-ssl-dev - The W3C WWW library - development files (SSL support)
> libwww-ssl0 - The W3C-WWW library (SSL support)
> libssl09 - SSL shared libraries (old version)
> libssl095a - SSL shared libraries (old version)
> lynx-ssl - Text-mode WWW Browser supporting SSL
all the rest are false positives.
--
Dariush Pietrzak, I ain't the sharpest tool in a shed.
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: recommendations for FTP server
> Proftpd does support SSL/TLS. It's a module that comes with it, it's
> just not enabled by default. Some nice docs here:
> http://www.castaglia.org/proftpd/modules/mod_tls.html
> http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
Actually... it's enabled by default, that's why it says 'no certificate found' when you start it the first time.
Neither sftp nor anything else is a 'drop-in' replacement for ftp. The only problem with TLS/SSL in ftp is that there are not that many clients that support that - there are NONE in woody. You need to backport lftp from sid or compile it yourself (I've got my backport available from http://eyck.forumakad.pl/woody ./). There are a few other options - tlswrap changes every passive-capable ftp client into a TLS-capable ftp client, there is this nice POSIX/Windoze lundfxp client etc..
The way I see it, sftp is a way less secure way of providing access to files than tls/ftp, you see, you need to create valid ssh-able accounts for all your users, then it'll take you some time to secure those accounts just a bit (scp-only account? - great, if you wanna play around and compile a special shell... there is no scp-shell in woody, there is one in sid. Is it safe enough? Who knows). With ftp users need no shell, need no nothing. I create an unlimited number of users and worry not
--
Dariush Pietrzak, I ain't the sharpest tool in a shed.
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: kernel-source 2.4.20 + grsecurity + freeswan
> do you happen to have XFS patched onto that kernel? :) and what was the
> order of the patching?
I used to use the wolk patchset, it contains both grsec and xfs. Unfortunately wolk no longer comes with a patchset so you must accept it with all the bugs and non-server-grade code.
--
Dariush Pietrzak, She swore and she cursed, that she never would deceive me
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Keeping files away from users
> accesses the HD can do it as well.
btw, what does SOL mean? So Out of Luck?
--
Dariush Pietrzak, She swore and she cursed, that she never would deceive me
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Keeping files away from users
> We'd like to protect that content, so that even if someone unplugs the machine
> and connects the HD to another Linux box, they can't access that information.
Hm? Maybe you need an encrypted filesystem, something like cfs? With schemes like this there are problems - you need to provide some kind of password at boot time, if you want your machine to boot automatically you're SOL.
> Of course it's difficult to do, but we think there might be a possibility to
> achieve success.
The only way I see you can do this sort of thing is to provide some network server that would provide the password. It would go something like this - the machine boots, asks your server for the password, decrypts the data. This way unplugging the machine brings no immediate results. But if someone takes control of the machine they can fool you into providing them with the password.
--
Dariush Pietrzak, She swore and she cursed, that she never would deceive me
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: PHP4-package for using FTP-SSL?
> is there a package available (similar to the ftp-package which can be
> found in the pear-lib) to use ftp with ssl? I'm not looking for SFTP
> (SSH-filetransfer) but SSL with "AUTH SSL" at the beginning of the
for server - proftpd, for client - for example lftp.
--
Dariush Pietrzak, She swore and she cursed, that she never would deceive me
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: SSL proxy server
> > solution that I am thinking of (and prefer) is setting up a proxy
> > apache-ssl server on the same machine (or another machine on the same
> > DMZ) so that SSL communication is conducted with the proxy across the
> > firewall and unencrypted traffic is confined in the DMZ. Is that
And then there is pound, which does exactly that. I've got it packaged and hope to upload soon. It's also fairly easy to write something like this in a DIY manner, I'm currently using such a solution written in perl.
--
Dariush Pietrzak, She swore and she cursed, that she never would deceive me
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: VPN: SSH or IPSec???
> Should I use SSH or IPSec to set up my VPN?
> Which are the drawbacks and advantages of both?
Read this: http://www.tldp.org/HOWTO/mini/ppp-ssh/ contains very nice drawbacks/benefits.
ssh vpn seems to be the easiest to set up. You just run ppp on one side, it runs ssh to the other and runs ppp there. Voilà. You've got your tunnel set UP. You'll notice many problems though:
- you need to monitor your link, if it dies, you need to rerun your ppp. apt-get install secvpn 'll help you with that part. It's not that easy to tell if your link died, and how should you bring it up (is ppp on the other side running? maybe it died? maybe it's just lag)
- latency is high, data is going from kernel to userland, and from ppp to ssh...
- it's also not very wise to run tcp inside tcp .. look: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html
- also ran into some strange problems trying to ssh via an ssh based vpn with key based authentication
- not quite clear how to set it up securely. You need to run ppp on the other end of the link as root. You can do this with sudo, with suid ppp or something like that. You need to be careful.
With IPsec you won't have those problems, you have a very nice daemon for bringing your link up ON DEMAND, latency is way lower, no problems with retransmission coming from tcp over tcp, and no running ppp as root. But you'll have to compile your own kernel, you may use kernel-patch-freeswan. But anyhoo, freeswan is still evolving, and it's playing catch up on bsd's racoon. Actually there are some port-style activities in 2.5.x trying to run racoon on linux. FreeSWAN seems like it's not a very stable piece of soft, not many people understand this well. For example I'm having problems with routing on wolk kernels, it's not freeswan's problem, but it triggers it. With ppp/ssh all parts of soft are known and tested well.
On the other hand, IPSec is a widely known standard, used by largish enterprises, you can even buy hardware routers using ipsec, and ppp/ssh is more of a toy/temporary solution.
regards,
--
Dariush Pietrzak, She swore and she cursed, that she never would deceive me
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: H323 Gateways
> You can use the ip_conntrack_h323 module from
> netfilters patch-o-matic or a tunnel (ipsec, cipe,
> ...) between the two networks.
Last I heard about this, this module was rather crude and could cause corruption to passing packets. If the situation has changed I'd be happy to hear about it.
--
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
> of proportion... Some things in security _have_ to be obscure. Your
> password, for example. Or the primes used to generate your PGP private
There's a difference between 'obscure' and 'secret'. All you gain by removing kernel-loading capability from your kernel is to force the cracker to search memory to find entry points. That's like hiding the key to your door under your doormat.
> Security-by-obscurity refers to securing things by relying on the
> obscurity of the _processes and functionality_ behind the security system,
that fits this description.
--
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
> One reason is security:
> it's relatively easy for an intruder to install a kernel module based
> rootkit, and then hide her processes, files or connections.
isn't it security-by-obscurity? A determined hacker can still relatively easily insert code into the kernel (vide phrack magazine articles)
--
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: ptrace vulnerability?
> > His announcement is Slashdotted, and I'm seeing no notice of which versions
> > are affected! I'm running 2.4.18 on all my Debian servers, please tell me
> > what's going on.
same here...:(
Why? Most of what this patch does is change kernel_thread into arch_kernel_thread. The only useful thing I see is the added check for 'is_dumpable' in ptrace_check_attach, and an is_dumpable macro that checks tsk and also tsk->mm for 'is_dumpable'. Is this ok?
--
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: machine monitoring packages
> of the data that you will want. RRDs do not expand once they are created,
> so once it wraps and starts to overwrite old data, it is lost.
Well, that's the idea behind rrd, and I don't like it. You don't overwrite your security logs, why would you like to overwrite this data?
Actually I believe rrd is a wonderful tool and a work of art, it's just that it's not applicable to ANY situation and people seem to do that. Goes like this: what is some tool to plot graphs... Why, it's mrtg/rrdtool. It's great. But there is no alternative. And there should be.
--
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: machine monitoring packages
> Don't know all the tools u are talking about, but maybe BigBrother
> (http://bb4.com/) is what u are looking for?
Ehm, netsaint, nagios seem way more mature. And I don't intend to replace one of those tools. I want one tool for monitoring. Or maybe two (monit needs to run as root, wouldn't be too wise to run all monitoring this way). Of course I tried mon and cricket (and tried == installed, configured and tried running for a few months), so I think I've got all the main tools covered, and they don't fit the bill. (for example -> when monitoring services, the tool notices states up/down/lagged. Good. But why won't it save the data that it gathers and display this as a graph? And archive the data so that one can analyze it. And please don't be browser-centric. A flashy web page should be of least importance, not the main feature of the project (vide early days of big-brother/big-sister))
regards,
--
Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: machine monitoring packages
Hello,
I believe there is a need for a good monitoring tool, and none of the existing tools qualify. As it stands now, I am using a mix of different tools, quite similar to each other... ie netsaint, mrtg, smokeping and monit. And add to that syslog with syslog monitoring tools, add ipsec for logging to a single machine... It's a nightmare! And they still won't provide all the features I need (i.e. -> mrtg graphs are nice.. but the design behind the whole mrtg/rrdtool makes them useless in many situations -> for example, try comparing trends in two Julys from different years.. you can't, can you..)
The task here is fairly simple, why do I need to set up so many different tools? If anyone decides to start writing a monitoring tool, I'd be happy to join the team.
--
Dariush Pietrzak, "Who are we helping? - the girl. - Typical."
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9