Re: blocking AXFR record query

2004-01-28 Thread David Barroso
* James Miller ([EMAIL PROTECTED]) wrote:
> If memory serves... AXFR is a zone transfer... So, at your firewall, you would
> want to only allow TCP queries from your backup (secondary,
> trinary, etc.) DNS servers (on the outside of your firewall) and limit
> everyone else to UDP queries. And for your bind9 config something like
> this:

It is not a good idea to block TCP packets to your DNS server, since TCP
is not only used for zone transfers; it is also used when answering a DNS
query with a response that does not fit in a normal UDP datagram.
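
The point made in the reply above, as an added example that is not part of the original thread: a UDP response with the TC bit set tells the resolver to ask again over TCP, so TCP port 53 carries ordinary queries as well as AXFR, and only the question type tells them apart. The helper names and the sample messages built with `build_message` are constructed for illustration.

```python
import struct

QTYPE_IXFR, QTYPE_AXFR = 251, 252  # zone-transfer question types
FLAG_QR, FLAG_TC = 0x8000, 0x0200  # header flags: response, truncated for UDP

def build_message(msg_id, flags, qname, qtype):
    """Build a one-question DNS message (used to construct sample input)."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (flags, qname, qtype) for the first question in a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # this sketch rejects compression pointers
            raise ValueError("unexpected label type")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return flags, ".".join(labels) + ".", qtype

def needs_tcp_retry(udp_response):
    """True when a UDP response is truncated and must be re-asked over TCP."""
    flags, _qname, _qtype = parse_question(udp_response)
    return bool(flags & FLAG_QR and flags & FLAG_TC)

def classify_tcp_query(stream):
    """Classify one DNS query taken from a TCP stream (2-byte length prefix)."""
    (length,) = struct.unpack("!H", stream[:2])
    _flags, qname, qtype = parse_question(stream[2:2 + length])
    kind = "zone-transfer" if qtype in (QTYPE_IXFR, QTYPE_AXFR) else "ordinary-query"
    return kind, qname
```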



Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Barroso
* Dariush Pietrzak ([EMAIL PROTECTED]) wrote:
> > One reason is security:
> > it's relatively easy for an intruder to install a kernel module based
> > rootkit, and then hide her processes, files or connections.
> Isn't it security-by-obscurity?
> A determined hacker can still relatively easily insert code into the kernel
> (vide Phrack magazine articles)

True, but not in such an automated way, and definitely more advanced
skills would be needed. It's not security-by-obscurity at all, it's only
one layer of basic protection.



Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Barroso
* Marcin Owsiany ([EMAIL PROTECTED]) wrote:
> On Tue, Apr 01, 2003 at 02:30:17PM +0100, Dale Amon wrote:
> > On Tue, Apr 01, 2003 at 03:36:15PM +0200, Maurizio Lemmo - Tannoiser wrote:
> > > In a server environment, where there is no need to load modules at run-time,
> > > it could be a "usable workaround", but, in a workstation machine, I don't
> > > think that's a great idea.
> > 
> > In a server environment it is preferable not to
> > compile with modules at all.
> 
> Why?

One reason is security:
it's relatively easy for an intruder to install a kernel module based
rootkit, and then hide her processes, files or connections.



Re: Key servers

2002-04-14 Thread David Barroso
Hi,
I use wwwkeys.eu.pgp.net, try this one. Hope this helps

* Michal Tarana ([EMAIL PROTECTED]) wrote:
> Hi,
> 
> 
> I made my gpg signature with the gpg tool in Woody and everything was O.K.
> until I wanted to send it to some keyserver. I tried a few servers from
> www.keyserver.net, but every time I got only this answer:
> 
> gpg: error sending to 'www.keyserver.net' eof.
> 
> Can somebody recommend me some other keyservers or help with this problem?
> 
> Thank you very much.
> 
> Michal

--
David Barroso aka tomac
[EMAIL PROTECTED]
http://www.somoslopeor.com
-- How do I type "for i in *.dvi do xdvi i done" in a GUI?
-- (Discussion in comp.os.linux.misc on the intuitiveness of interfaces.)



Port 10 connections

2001-01-27 Thread David Barroso
Hi, I've just installed my new iptables rules in my Debian box, and I've got
plenty of connections from different hosts to port 10... What can it be? I've
searched about port 10 connections, but the only thing I know is that it's
unassigned... Any ideas?


Regards



-- 
http://www.somoslopeor.com
--
In order for something to become clean, something else must
become dirty; but you can get everything dirty without getting
anything clean.

