Re: Just a test sorry
alt.humor.debian.org?

At 01:24 PM 10/31/2001 +0100, Daniel Polombo wrote:
>Hans wrote:
>
>>i did not get a massage for a while.
>
>I'm very sorry to hear that. As a matter of fact, neither did I. But are
>you sure this is appropriate content for this list? :)
>
>--
>Daniel

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Security Update
Yeah, sure Mark. Here's what you do:

Make sure you have this entry in your /etc/apt/sources.list file:

deb http://security.debian.org stable/updates main contrib non-free

Be sure it's not commented-out (with a "#" in front of the line). Then do
"apt-get update" and "apt-get upgrade" and you'll get all of the upgrades to
your installed packages. You might want to try "apt-get dist-upgrade" as that
seems to have better dependency handling. Read the manpage for apt-get for
more info.

I'd recommend doing this on a periodic basis, and continue to monitor both
this list and BugTraq. Apt-get is one of the (many) pure joys of using Debian.

At 03:21 AM 10/14/2001 +0700, Mark Rompies wrote:
>Hi!
>
>I've just used Debian for the first time in my life. I want to upgrade the
>applications or anything to make it more secure (I think it will use apps
>from security.debian.org). The problem is very simple:
>
>what commands should I type from the console to update the security fixes
>for a/any package(s)? Could I use apt-get?
>
>thx..
Re: File transfer using ssh
Yeah.. try using "scp". It should come along with ssh.

At 02:13 PM 8/23/2001 +0900, Curt Howland wrote:
>I've just made the change from a Windows to Debian user machine; I've been
>running a Debian server for years.
>
>One of the features of the Windows software that I liked was zmodem file
>transfer over the ssh link. Since changing over to ssh (1.2.3-9.3) from
>stable for both server and now client, it does not seem to be able to
>receive or send files through the link.
>
>Is there a file transfer method for utilizing ssh? I'm sure ftp could be
>tunneled, but for security reasons ftp is turned off. Until now, with
>zmodem, I didn't need it.
>
>Thank you for any suggestions,
>
>Curt-
Re: ssh problem
(closes eyes and stabs blindly in the dark)

I've seen this where I've set to tunnel X and the remote site is refusing it.
Luckily for me I owned the remote site and could see the X refusal in the
logs. You might give that a look.

At 12:34 AM 8/22/2001 +0200, An-Dee wrote:
>Hello
>
> I have a little problem with ssh.
> I cannot connect to 1 machine from home.
>
>andee@terra:~$ ssh -v webvision.hu
>SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
>Compiled with SSL (0x0090600f).
>debug: Reading configuration data /etc/ssh/ssh_config
>debug: Seeding random number generator
>debug: ssh_connect: getuid 1000 geteuid 1000 anon 1
>debug: Connecting to webvision.hu [217.13.33.203] port 22.
>debug: Connection established.
>ssh_exchange_identification: Connection closed by remote host
>debug: Calling cleanup 0x805e43c(0x0)
>andee@terra:~$
>
>At home I have potato and there is woody where I would like to be
>connected.
>From home I can connect to any other Linux machine, and from any
>other machine I can connect to webvision, except my own PC at home.
>
>thx
> An-Dee
Re: apt sources.list
At 01:24 PM 8/21/2001 -0700, Jeff Coppock wrote:
>Mike Renfro, 2001-Aug-21 14:40 -0500:
>
> > On Tue, Aug 21, 2001 at 09:36:02AM -0700, Jeff Coppock wrote:
> >
> > >Can I get a few recommendations on the proper sources.list for a
> > >system running woody, that includes the security updates?
> >
> > Woody would be my last choice for an automagically secure installation:
>
>Thanks for this explanation. I see what you mean, if I want
>security updates.
>
>I feel a bit stuck with woody though, since I want to use
>iptables instead of ipchains. I think I'll remove the
>security source until I figure out a better way.

If you want to use IPTables, simply upgrade your kernel. ftp.kernel.org and
schlurp down the linux-v2.4.x of your choice (I'm using 2.4.6 right now).
Then apt-get install iptables and you're set.
Re: non-US security fixes URL
Good point. That works nicely - thanks!

At 09:57 PM 7/19/2001, Thomas Poindessous wrote:
>[EMAIL PROTECTED] (Eric N. Valor) writes:
>
> > I know this doesn't really belong on the security list, but that's where
> > this thread started. I thought I'd toss in my $.02 and bring attention to
> > a broken deb-src address in out-of-box /etc/apt/sources.list file:
> >
> > deb-src http://non-us.debian.org/debian-non-US stable non-US
> >
> > should actually be:
> >
> > deb-src http://non-us.debian.org/debian-non-US stable non-US/main
>
>It should actually be :
>
>deb-src http://non-us.debian.org/debian-non-US stable/non-US main
>
>It's better because you can add non-free and contrib without adding non-US/
>twice.
>
>--
>Thomas Poindessous
>EpX asso GNU/Linux de l'Epita
>[EMAIL PROTECTED] && http://www.epita.fr/~epx
Re: non-US security fixes URL
I know this doesn't really belong on the security list, but that's where this
thread started. I thought I'd toss in my $.02 and bring attention to a broken
deb-src address in the out-of-box /etc/apt/sources.list file:

deb-src http://non-us.debian.org/debian-non-US stable non-US

should actually be:

deb-src http://non-us.debian.org/debian-non-US stable non-US/main

At 06:43 PM 7/19/2001 +0200, Philipp Hofmann wrote:
>according to
>http://www.debian.org/doc/manuals/securing-debian-howto/ch3.html#s-update
>it's
>
>deb http://security.debian.org/debian-non-US stable/non-US main contrib non-free
>
>g phil
>
>On Thu, Jul 19, 2001 at 05:42:00PM +0300, Juha Jäykkä wrote:
> > What might be the URL/apt-get sources.list line for security fixes of
> > the non-US packages?
> >
> > --
> > | Juha Jäykkä, [EMAIL PROTECTED] |
> > | home: http://www.utu.fi/~juolja/ |
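The two sources.list checks that come up in this thread and in "Re: Security Update" above (is the security.debian.org line present and not commented out; does the suite/component split parse the way apt expects) can be done mechanically. The following is an added example written for this page, not code from the thread or from Debian; the sample sources.list text is constructed, and the parser only handles the one-line "deb/deb-src URI suite components" form used in 2001.

```python
"""Parse a Debian /etc/apt/sources.list and check that a security source is active.

Added example (not code from the original thread). It implements the check
the "Security Update" reply describes: the security.debian.org line must be
present and not commented out. The sample sources.list text is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One-line sources.list entry: type URI suite component [component ...]
_ENTRY = re.compile(r"^(deb|deb-src)\s+(\S+)\s+(\S+)\s+(.+)$")


@dataclass(frozen=True)
class Source:
    kind: str          # "deb" or "deb-src"
    uri: str
    suite: str         # e.g. "stable", "stable/updates", "stable/non-US"
    components: tuple  # e.g. ("main", "contrib", "non-free")


def parse_sources_list(text: str) -> List[Source]:
    """Return the active (non-comment) entries; anything after '#' is ignored."""
    sources = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"malformed sources.list line: {raw!r}")
        kind, uri, suite, comps = m.groups()
        sources.append(Source(kind, uri, suite, tuple(comps.split())))
    return sources


def find_security_source(sources: List[Source], suite: str = "stable") -> Optional[Source]:
    """Return the binary ('deb') entry pointing at security.debian.org for the
    given suite, or None if there is none (or it is commented out)."""
    for s in sources:
        if s.kind == "deb" and "security.debian.org" in s.uri and s.suite == f"{suite}/updates":
            return s
    return None


def commented_out_security_lines(text: str) -> List[str]:
    """Lines that mention security.debian.org but start with '#': exactly the
    mistake the reply warns about."""
    return [ln.strip() for ln in text.splitlines()
            if ln.lstrip().startswith("#") and "security.debian.org" in ln]


# Constructed sample: a stable box whose security line has been commented out.
SAMPLE_BROKEN = """\
deb http://ftp.debian.org/debian stable main contrib non-free
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
#deb http://security.debian.org stable/updates main contrib non-free
deb-src http://ftp.debian.org/debian stable main
"""

SAMPLE_FIXED = SAMPLE_BROKEN.replace("#deb http://security", "deb http://security")

if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        sec = find_security_source(parse_sources_list(text))
        print(name, "->", "security source active" if sec else "NO active security source",
              "; commented out:", commented_out_security_lines(text))
```

Run it against your own file with `parse_sources_list(open("/etc/apt/sources.list").read())`; a `None` from `find_security_source` together with a non-empty `commented_out_security_lines` is the "someone put a # in front of it" case.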
Re: Linux box vs black box
At 04:37 PM 6/7/2001 +0200, Mathias Bocquet wrote:
>Hi everyone.
>
>This is perhaps off topic, but I'm searching for external opinions
>about firewalls ;
>
>1 - a linux box with kernel 2.4.x and netfilter/NAT

Currently using this, albeit with a 2.2.X kernel and IPChains (upgrade planned
and slowly being implemented on a production system). Love it to death because
I know exactly what's going on with it and configured it to meet exactly my
security requirements. It's also not very fancy, which appeals to my belief
that a minimalist approach to firewalls is best - too many "features" add
potential security leaks.

>2 - a linux box with a commercial firewall product

I've used SunOS with TIS-FWTK (not exactly "commercial", but it is a 3rd party
solution). Liked it because I could build my own from source code.
Configuration was a minor pain, but it worked very well for my needs at the
time.

>3 - an integrated firewall you don't know much about what it is made of

Used a Lucent gizmo (forgot the model). Config was a major pain in the ass,
couldn't really tell what exactly it was doing, and didn't trust the admin
interface except for the horrible ASCII panel available via serial
connection. Put it back in the shipping box and stuffed it underneath the
desk. I then went back to Option #1.

Admin on #1 and #2 were good for me because if I wanted to change something
I SSH'd into the system and changed rulesets as opposed to having a web-based
interface for #3. Also a benefit of Options #1 and #2 is that I can harden
the underlying operating system to my needs. Who knows what was buried
underneath #3? Call me a control freak, but in certain situations I can
accept nothing less...
Re: port 812
I also like "lsof | grep ":[port#]"".

At 10:56 AM 5/27/2001 +0100, Zak Kipling wrote:
>On Sun, 27 May 2001, Daniel Faller wrote:
>
> > I did a nmap scan (nmap -sT hostname) and found several ports open. The only
> > one I could not identify was 812.
>
>Have you tried "netstat -tp" or "fuser -vn tcp 812" on the machine in
>question to find out what process is listening on it? That's usually how I
>track them down...
>
>Zak.
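All three tools mentioned in this exchange (netstat -tp, fuser -vn tcp, lsof) get their answer the same way: read the socket table from /proc/net/tcp, then walk /proc/*/fd to find which process holds the socket's inode. The following is an added example that does exactly that, written for this page and not taken from the thread or from any of those tools. The /proc/net/tcp sample is constructed (with an unknown listener on port 812, as in the question), and the address decoding assumes a little-endian host (x86), where the kernel prints the IPv4 address byte-reversed.

```python
"""List listening TCP sockets by reading /proc/net/tcp, which is what
netstat -tp, fuser and lsof do under the hood.

Added example, not code from the thread. The /proc/net/tcp sample below is
constructed; the address decoding assumes a little-endian host (x86).
"""
import os
from dataclasses import dataclass
from typing import List, Optional

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


@dataclass(frozen=True)
class Sock:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int
    inode: int


def _decode_ipv4(hex_ip: str) -> str:
    # /proc/net/tcp prints the address as one 32-bit hex word in host order,
    # so on x86 the bytes come out reversed: 0100007F -> 127.0.0.1
    return ".".join(str(b) for b in reversed(bytes.fromhex(hex_ip)))


def parse_proc_net_tcp(text: str) -> List[Sock]:
    socks = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        socks.append(Sock(_decode_ipv4(lip), int(lport, 16), _decode_ipv4(rip), int(rport, 16),
                          TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return socks


def listening(socks: List[Sock]) -> List[Sock]:
    return [s for s in socks if s.state == "LISTEN"]


def pid_for_inode(inode: int, proc: str = "/proc") -> Optional[int]:
    """Find the process holding socket inode `inode` by scanning /proc/*/fd.
    Needs root to see other users' descriptors; returns None if not found."""
    target = f"socket:[{inode}]"
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue                             # process exited, or not ours
    return None


# Constructed sample: unknown listener on 812, named on loopback, one ssh session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:032C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9871 1 c0f7e480 300 0 0 2 -1
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4412 1 c0f7e000 300 0 0 2 -1
   2: 0B01000A:0016 0501000A:0C45 01 00000000:00000000 00:00000000 00000000     0        0 5533 1 c0f7d000 20 4 30 5 -1
"""

if __name__ == "__main__":
    for s in listening(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)):
        print(f"{s.local_ip}:{s.local_port} LISTEN uid={s.uid} inode={s.inode}")
    # On a live box: read the real table and resolve each listener's inode to a pid.
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            for s in listening(parse_proc_net_tcp(fh.read())):
                print(f"{s.local_ip}:{s.local_port} pid={pid_for_inode(s.inode)}")
```

Once you have the pid, /proc/PID/exe and /proc/PID/cmdline tell you what the mystery listener is; a listener whose inode no process in /proc claims is worth a closer look (a kernel-level hide, or simply that you are not root).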
Re: proftpd exploit??
There was a discussion on this on the proftpd mailing list. Go to
www.proftpd.org and check the archives. If I can dredge the answer up from old
saved email I'll post here. You might also want to join that mailing list for
help on this and future issues.

At 07:15 PM 5/24/2001 +0100, Zak Kipling wrote:
>On Thu, 24 May 2001, Andres Herrera wrote:
>
> > I've tried to exploit it by login and sending:
> > ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../
> > and suddenly it began eating memory and getting slow all the system.
> ...
> > Any solution??
>
>Resource limits on the ftp server process?
>
>Zak.
RE: strange log entry
IPChains/Tables. All these services run on certain ports that they use even
internally to the machine. Unless you're building a hardened firewall box
(where you shouldn't be running RPC or X11 anyway) you should just either A)
[preferable] have these systems behind a hardened firewall box, or B) install
appropriate IPChains/Tables rules to block external access to those services.

At 04:10 PM 5/24/2001 +0900, Curt Howland wrote:
>ok, with all this talking about rpc security holes, even though I've
>port-scanned and edited my inetd.conf file, and pruned out everything I can
>think of to prune, the following still shows up in netstat -a:
>
>tcp        0      0 *:sunrpc                *:*                     LISTEN
>udp        0      0 *:1171                  *:*
>udp        0      0 bogus.bogus.com:domain  *:*
>udp        0      0 localhost:domain        *:*
>udp        0      0 *:sunrpc                *:*
>raw        0      0 *:icmp                  *:*                     7
>raw        0      0 *:tcp                   *:*                     7
>
>the last two I understand, as well as domain, but sunrpc and 1171?
>
>I've cleaned up everything I can think of, but X11R6 says it still needs the
>RPC packages.
>
>any suggestions?
>
>Curt-
Re: strange log entry
Certainly does smell like some shell code (although some of the other
characters look like an Asian character set being misinterpreted). Best bet
is to set up some IPChains/Tables rules with a Default-Deny stance and then
allow in from the outside only the very minimal required based on your
security policy. I've got a few machines which require the rpc stuff (along
with some other unsafe protocols). I disallow external connections (incoming
*and* outgoing - with logging) while allowing the internal soft chewy center
machines to communicate freely.

At 03:30 AM 5/24/2001 -0300, Peter Cordes wrote:
>On Wed, May 23, 2001 at 10:58:43PM -0700, Wade Richards wrote:
> > Yep, it's a security problem. Someone is trying to hack into your system
> > using one of many known security bugs in the rpc daemon.
> >
> > If you don't need the rpc stuff running, then just disable it (better yet,
> > uninstall it). If you really do need it running, but it's only used
> > locally, then I suggest you use ipchains to drop any packets targeted to
> > port 111. But best is to simply remove it entirely.
>
> That only blocks portmap. Other UDP services can be found with a UDP port
>scan by e.g. nmap.
>
>--
>#define X(x,y) x##y
>Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)
>
>"The gods confound the man who first found out how to distinguish the hours!
> Confound him, too, who in this place set up a sundial, to cut and hack
> my day so wretchedly into small pieces!" -- Plautus, 200 BCE
Re: Ports to block?
At 03:27 AM 4/6/2001 +0200, you wrote:
>On Thu, Apr 05, 2001 at 01:40:54PM -0700, Eric N. Valor wrote:
> >
> > I work from a default-deny stance. Usual things to then allow in would be
> > 25 (smtp), 80 (http), 22 (ssh, although be careful here), 53-UDP (DNS, if
>
>This strikes me as odd, warning to be careful with ssh in the same
>sentence where http and bind are mentioned without any warnings.
>Or am I missing something?

Well, most folks like to connect to the Web, so port 80 is a must for that
(it's 2-way on the same port). 53 is required only if you're running BIND so
other servers can make information requests. But I warned about SSH because
unless you're checking logs or have some other reporting system it's a way
for someone to brute-force into your system. I've seen way too many bad
username/password combinations and quite a lack of vigilance to not put up a
warning. Also, there was an exploit put out on BugTraq a while ago regarding
SSH-1.

I use ssh on my external systems, but only where the security requirement is
medium-low. Even then I make it a point to keep my eye on the logs. And an
IDS isn't a bad idea, either.
Re: Ports to block?
I work from a default-deny stance. Usual things to then allow in would be 25
(smtp), 80 (http), 22 (ssh, although be careful here), 53-UDP (DNS, if you
have bind running), and various ICMP (echo-reply/request, source-quench,
destination-unreachable, time-exceeded, and parameter-problem are good ones).
I deny and log pretty much everything else, although I do have special DENY
rules for stuff like NetBIOS (137/138) so they don't hit the trap line at the
end which logs everything not caught above, filling up my logs.

I believe the 1028-UDP port you're talking about is the syslogd talking to
itself (you'll notice it's on the loopback address [127.0.0.1] and
established to Port 514, which is the syslog port). If you've got an external
address talking to your syslog port.. well... good luck.

At 12:57 PM 4/5/2001 -0700, Brandon High wrote:
>Does anyone have a recommendation of ports that should be blocked (via
>ipchains/netfilter/etc) to make a system more secure?
>
>In light of the recent security holes, I did a netstat -an, then lsof -i for
>all ports that were listening and/or UDP. I put a filter in the way of
>everything that I didn't want externally visible, but UDP port 1028 shows
>nothing listening in lsof. I blocked it out of principle, but does anyone
>know what it might be?
>
>-B
>
>--
>Brandon High [EMAIL PROTECTED]
>We are Homer of Borg. Resistance is ... Ooo! Donuts!
Re: Ports to block?
It's better to do it this way:

ipchains -P input DENY
ipchains -A input -s (source add./port) -d (dest. add./port) -j ACCEPT
. . . (acceptance rules)
ipchains -A input -j DENY -l

(logs all stuff not ACCEPTed above). I also put other DENY statements on top
of the last logging DENY for things I don't care to log. The syslog will fill
up rapidly with insignificant crap if you don't (I had my colo fill /var with
sputter from a misconfigured router once).

The reason you start out with a DENY is so that there is no chance of a
packet coming through before all of the chains are parsed. Also a good idea
is to build the chains before bringing up the interface(s). Haphazard
security is marginally second to no security at all.

At 12:09 AM 4/6/2001 +0200, Cherubini Enrico wrote:
>Ciao,
> Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
>
> > It is most secure to block everything and only open the ports that are
> > absolutely necessary.
>ok, this is clear. What's the way you ppl do that through ipchains/iptables?
>Is it better to use the ACCEPT policy and then DENY all or use the DENY
>policy and ACCEPT only ports needed? I use the first 'cause so I can log
>all packets that are denied...
>
># Start
>ipchains -P input ACCEPT
>
>ipchains -A input -j DENY -l
># End
>
>--
>Bye
>  ++ Maybe you are searching for freedom
>  | Enrico | Maybe you can't find it anywhere
>  ++ I found it in linux...
>
>``I think he has a Napoleonic concept of himself and his company, an
>arrogance that derives from power and unalloyed success, with no leavening
>hard experience, no reverses,'' Judge Thomas Penfield Jackson says of Bill
>Gates.
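The ruleset Eric sketches across his two "Ports to block?" replies (policy DENY first, explicit ACCEPTs for 25/80/22 TCP, 53 UDP and a handful of ICMP types, a silent DENY for NetBIOS so it stays out of syslog, then a logging DENY as the trap line) can be generated and checked for the ordering mistakes the thread discusses. The following is an added example written for this page, not code from the thread. The port and ICMP lists are Eric's; the eth0 interface name, the loopback ACCEPT, and the exact `-d 0/0 port` / `--icmp-type` ipchains spellings are my assumptions, so compare with `ipchains -h` on the box. It emits shell commands as strings and touches nothing.

```python
"""Generate and lint an ipchains input chain in the order the reply above
describes: deny by default, accept only what policy allows, silently drop
known noise, then log-and-deny everything else.

Added example, not code from the thread. Ports and ICMP types are from the
two "Ports to block?" replies; the loopback ACCEPT, the eth0 name and the
ipchains option spellings are assumptions. Output is a list of command
strings; nothing here talks to the kernel.
"""
from typing import List, Sequence


def build_ruleset(iface: str = "eth0",
                  tcp_ports: Sequence[int] = (25, 80, 22),
                  udp_ports: Sequence[int] = (53,),
                  icmp_types: Sequence[str] = ("echo-reply", "echo-request", "source-quench",
                                               "destination-unreachable", "time-exceeded",
                                               "parameter-problem"),
                  silent_deny_udp: str = "137:138") -> List[str]:
    cmds = ["ipchains -F input",                  # start from an empty chain
            "ipchains -P input DENY"]             # 1. policy first: nothing slips through while we build
    cmds.append("ipchains -A input -i lo -j ACCEPT")   # assumption: keep local traffic working
    for p in tcp_ports:                           # 2. explicit ACCEPTs for the services we expose
        cmds.append(f"ipchains -A input -i {iface} -p tcp -d 0/0 {p} -j ACCEPT")
    for p in udp_ports:
        cmds.append(f"ipchains -A input -i {iface} -p udp -d 0/0 {p} -j ACCEPT")
    for t in icmp_types:
        cmds.append(f"ipchains -A input -i {iface} -p icmp --icmp-type {t} -j ACCEPT")
    # 3. noise we do not want in syslog (NetBIOS chatter) is denied without -l
    cmds.append(f"ipchains -A input -i {iface} -p udp -d 0/0 {silent_deny_udp} -j DENY")
    # 4. trap line: everything not matched above is denied and logged
    cmds.append("ipchains -A input -j DENY -l")
    return cmds


def lint_ruleset(cmds: Sequence[str]) -> List[str]:
    """Flag the ordering mistakes the thread talks about."""
    problems = []
    policy = [c for c in cmds if " -P input " in c]
    if not policy or not policy[0].endswith(" DENY"):
        problems.append("input policy is not DENY: packets are accepted until the last rule is loaded")
    catch_all = [i for i, c in enumerate(cmds) if c.endswith("-A input -j DENY -l")]
    if not catch_all:
        problems.append("no logging catch-all DENY at the end of the chain")
    else:
        last = catch_all[-1]
        if any("-j ACCEPT" in c for c in cmds[last + 1:]):
            problems.append("ACCEPT rule after the catch-all DENY is unreachable")
    return problems


# The posted ACCEPT-policy variant: open until the second command has run.
ACCEPT_POLICY_RULES = ["ipchains -P input ACCEPT", "ipchains -A input -j DENY -l"]

if __name__ == "__main__":
    rules = build_ruleset()
    print("\n".join(rules))
    print("lint (generated):", lint_ruleset(rules))
    print("lint (ACCEPT policy):", lint_ruleset(ACCEPT_POLICY_RULES))
```

Feed the output to sh from an init script that runs before the interface comes up, as the reply recommends; `lint_ruleset` is there so a later edit that appends an ACCEPT below the trap line, or flips the policy, fails loudly instead of silently never matching.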
Re: [SECURITY] [DSA 045-1] ntp remote root exploit fixed
Why look it up when it's more fun to ask questions on a mailing list? Here's a useful URL I have bookmarked:

http://www.isi.edu/in-notes/iana/assignments/port-numbers

At 03:55 PM 4/5/2001 -0300, Peter Cordes wrote:
> There's a file called /etc/services that has the answers to all these silly
>questions. Try looking this stuff up, people.
>
>llama:~$ grep 443 /etc/services
>https 443/tcp # MCom
>https 443/udp # MCom
>
>Duh.
>
>--
>#define X(x,y) x##y
>Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)
>
>"The gods confound the man who first found out how to distinguish the hours!
> Confound him, too, who in this place set up a sundial, to cut and hack
> my day so wretchedly into small pieces!" -- Plautus, 200 BCE

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
Re: [SECURITY] [DSA 045-1] ntp remote root exploit fixed
53 is DNS. I get a lot of "probes" because I don't allow TCP connections (it's a UDP protocol, although TCP is used for zone xfers, which I don't allow). Unless the same IP is hitting your port 53 repeatedly, it's probably nothing to worry about. To keep from being vulnerable to nasties such as the Lion worm, make sure to upgrade your BIND to a version later than 8.2.2 (i.e., 8.2.3 (non-beta) and above).

111 is SunRPC. Be sure that's blocked, although not all attempts at that port are "scans" (unless, of course, it's hammering away or hitting an entire block of addresses).

137 is NetBIOS and I write that off to someone using a PC (I see this on my webserver all the time). Nothing to worry about.

The above is my personal opinion. YMMV.

At 01:31 PM 4/5/2001 -0500, Lindsey Simon wrote:
>I've been wondering why I get so many probes on port 53, what's the
>popular exploit on it?
>
>JonesMB in message Re: [SECURITY] [DSA 045-1] ntp remote root exploit
>fixed (Thu, 04/05 12:40):
> > >>I guess we should expect a whole lot of attempts to connect to the ports
> > >>used by NTP once the script kiddies figure this one out.
> > >>
> > >>I probably average about 20 connect attempts to ports 53 and 111 every day.
> > >
> > >port 137 has also a good average.
> >
> > oh yeah, I forgot about that one, along with 27374.
> >
> > jmb

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
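Eric's per-port reading of the log (name the port, then ask whether one source keeps hitting it or is walking a block of addresses) and Peter's /etc/services lookup, as an added example that is not from either post: a Python script that names denied ports from an /etc/services-style table and summarises the lines an "ipchains ... -j DENY -l" rule writes to syslog. The log lines and the services excerpt are constructed samples in the respective formats; the repeat and sweep thresholds are assumptions.

```python
"""Summarize ipchains "Packet log:" lines, naming ports via /etc/services.

Added example, not from the thread. SERVICES_TEXT and SAMPLE_LOG are
constructed samples; the thresholds in summarize() are assumptions.
"""
import re
from collections import Counter, defaultdict

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed excerpt in /etc/services layout: name  port/proto  [aliases]  # comment
SERVICES_TEXT = """\
# Network services, Internet style
domain          53/tcp
domain          53/udp
sunrpc          111/tcp         portmapper
sunrpc          111/udp         portmapper
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/udp
https           443/tcp                         # MCom
https           443/udp                         # MCom
"""

# Constructed syslog lines as written by an "ipchains ... -j DENY -l" rule.
SAMPLE_LOG = """\
Apr  5 13:31:02 llama kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:3412 203.0.113.10:53 L=60 S=0x00 I=12345 F=0x4000 T=48 SYN (#8)
Apr  5 13:31:40 llama kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:2010 203.0.113.10:53 L=60 S=0x00 I=12346 F=0x4000 T=50 SYN (#8)
Apr  5 13:31:41 llama kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:2011 203.0.113.10:53 L=60 S=0x00 I=12347 F=0x4000 T=50 SYN (#8)
Apr  5 13:31:43 llama kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.44:2012 203.0.113.10:53 L=60 S=0x00 I=12348 F=0x4000 T=50 SYN (#8)
Apr  5 13:32:05 llama kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.23:137 203.0.113.10:137 L=78 S=0x00 I=12349 F=0x0000 T=64 (#8)
Apr  5 13:33:10 llama kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.77:4000 203.0.113.10:111 L=60 S=0x00 I=12350 F=0x4000 T=52 SYN (#8)
Apr  5 13:33:10 llama kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.77:4001 203.0.113.11:111 L=60 S=0x00 I=12351 F=0x4000 T=52 SYN (#8)
Apr  5 13:33:11 llama kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.77:4002 203.0.113.12:111 L=60 S=0x00 I=12352 F=0x4000 T=52 SYN (#8)
Apr  5 13:35:00 llama kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:1133 203.0.113.10:27374 L=60 S=0x00 I=12353 F=0x4000 T=112 SYN (#8)
Apr  5 13:35:01 llama kernel: eth0: link up
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_services(text: str) -> dict:
    """Map (port, proto) -> name: what 'grep 443 /etc/services' finds by eye."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table


def parse_log_line(line: str):
    """Fields of one ipchains log line, or None for an unrelated syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    proto_num = int(m.group("proto"))
    return {"src": m.group("src"), "dst": m.group("dst"),
            "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
            "dport": int(m.group("dport"))}


def summarize(log_text: str, services: dict, repeat_threshold: int = 3,
              sweep_threshold: int = 3) -> dict:
    """Denied packets per destination port (named), sources hitting one port
    repeatedly, and sources that touched several destination addresses."""
    by_port = Counter()
    by_src_port = Counter()
    dsts_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        by_port[(rec["dport"], rec["proto"])] += 1
        by_src_port[(rec["src"], rec["dport"])] += 1
        dsts_by_src[rec["src"]].add(rec["dst"])
    named = {f"{port}/{proto} ({services.get((port, proto), 'unknown')})": n
             for (port, proto), n in by_port.items()}
    repeated = sorted(k for k, n in by_src_port.items() if n >= repeat_threshold)
    sweeps = sorted(src for src, dsts in dsts_by_src.items() if len(dsts) >= sweep_threshold)
    return {"by_port": named, "repeated": repeated, "sweeps": sweeps}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, parse_services(SERVICES_TEXT))
    for key, n in sorted(report["by_port"].items()):
        print(f"{n:4d}  {key}")
    print("repeated hits:", report["repeated"])
    print("address sweeps:", report["sweeps"])
```

On a real box, read /etc/services and the kernel log file instead of the embedded samples; the "repeated" and "sweeps" lists are the sources worth a second look, while a single stray packet to 53, 111 or 137 is the background noise the thread describes.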
Re: Ports to block?
I work from a default-deny stance. Usual things to then allow in would be 25 (smtp), 80 (http), 22 (ssh, although be careful here), 53-UDP (DNS, if you have bind running), and various ICMP (echo-reply/request, source-quench, destination-unreachable, time-exceeded, and parameter-problem are good ones). I deny and log pretty much everything else, although I do have special DENY rules for stuff like NetBIOS (137/138) so they don't hit the trap line at the end which logs everything not caught above, filling up my logs.

I believe the 1028-UDP port you're talking about is the syslogd talking to itself (you'll notice it's on the loopback address [127.0.0.1] and established to port 514, which is the syslog port). If you've got an external address talking to your syslog port.. well... good luck.

At 12:57 PM 4/5/2001 -0700, Brandon High wrote:
>Does anyone have a recommendation of ports that should be blocked (via
>ipchains/netfilter/etc) to make a system more secure?
>
>In light of the recent security holes, I did a netstat -an, then lsof -i for
>all ports that were listening and/or UDP. I put a filter in the way of
>everything that I didn't want externally visible, but UDP port 1028 shows
>nothing listening in lsof. I blocked it out of principle, but does anyone know
>what it might be?
>
>-B
>
>--
>Brandon High [EMAIL PROTECTED]
>We are Homer of Borg. Resistance is ... Ooo! Donuts!

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
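The chain ordering from both of Eric's replies in this thread (policy DENY first, explicit ACCEPTs for the listed ports, quiet DENYs for NetBIOS, then the logging trap), as an added example that is not from the thread: a Python model of first-match chain evaluation that shows why a packet can slip through an ACCEPT-policy chain while the rules are still being added, but never through a DENY-policy one, and why the quiet DENYs keep NetBIOS noise out of the log. The packets and addresses are constructed samples.

```python
"""First-match evaluation of an ipchains-style input chain.

Added example, not from the thread: models the two orderings discussed
(ACCEPT policy with a trailing DENY, versus DENY policy with explicit
ACCEPTs), what happens to a packet that arrives while the chain is still
being built, and a quiet DENY placed ahead of the logging trap. Addresses
and ports are constructed samples.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # None for ICMP


@dataclass(frozen=True)
class Rule:
    target: str                     # "ACCEPT" or "DENY"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    log: bool = False               # ipchains "-l": log when this rule matches

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Chain:
    policy: str                     # ipchains "-P input <policy>"
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def append(self, rule: Rule) -> None:      # ipchains "-A input ..."
        self.rules.append(rule)

    def verdict(self, p: Packet) -> str:
        """The first matching rule decides; with no match the policy applies."""
        for r in self.rules:
            if r.matches(p):
                if r.log:
                    self.log.append(f"{r.target} {p.proto} {p.src} -> {p.dst}:{p.dport}")
                return r.target
        return self.policy


# The allow list from the thread: 25, 80, 22, 53-UDP and ICMP.
ALLOW_RULES = [
    Rule("ACCEPT", proto="tcp", dport=25),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", proto="udp", dport=53),
    Rule("ACCEPT", proto="icmp"),
]
# NetBIOS noise is dropped quietly so it never reaches the logging trap.
QUIET_DENY = [Rule("DENY", proto="udp", dport=137), Rule("DENY", proto="udp", dport=138)]
# "ipchains -A input -j DENY -l": logs everything not caught above.
LOG_TRAP = Rule("DENY", log=True)


def build_default_deny() -> Chain:
    """Policy DENY first, then ACCEPTs, then quiet DENYs, then the log trap."""
    chain = Chain("DENY")
    for r in ALLOW_RULES + QUIET_DENY + [LOG_TRAP]:
        chain.append(r)
    return chain


def verdicts_during_build(policy: str, rules: List[Rule], probe: Packet) -> List[str]:
    """Verdict for `probe` before any rule is appended and after each one.

    With policy ACCEPT the probe gets through until the trailing DENY is in
    place; with policy DENY it is refused at every step."""
    chain = Chain(policy)
    out = [chain.verdict(probe)]
    for r in rules:
        chain.append(r)
        out.append(chain.verdict(probe))
    return out


if __name__ == "__main__":
    probe = Packet("198.51.100.23", "203.0.113.10", "tcp", 111)   # constructed SunRPC probe
    print("ACCEPT policy, trap added last:", verdicts_during_build("ACCEPT", [LOG_TRAP], probe))
    print("DENY policy:", verdicts_during_build("DENY", ALLOW_RULES + QUIET_DENY + [LOG_TRAP], probe))
    chain = build_default_deny()
    for p in (probe, Packet("198.51.100.23", "203.0.113.10", "udp", 137),
              Packet("198.51.100.23", "203.0.113.10", "tcp", 80)):
        print(p.proto, p.dport, "->", chain.verdict(p))
    print("logged:", chain.log)
```

The model deliberately matches only protocol and destination port; a real chain would also carry source and destination addresses and interface names, but the ordering lesson is the same: the policy is what answers for every packet that arrives before the last rule is in place, so it has to be DENY.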
Re: Allow FTP in, but not shell login
Yes, we've got a bunch of people here using IE5x to update our sites via webDAV. You just open IE and click File->Open->(O)pen as web folder and then put in the URL. You then see the site much as you would if Indexing were somehow left enabled and can then drag-n-drop your files and folders.

You'll need to have dav_module loaded in your webserver conf file, and then have a "DAV On" line in your directive. There are other options as well. The documentation for a first-time DAV newbie is pretty dismal.. maybe the latest versions of the various Apache books (I tend to gravitate towards O'Reilly & Assoc...) have better info.

DAV is really great for this as it keeps users in their comfort zone of a GUI-based OS (you wouldn't believe the comical horror of some pure Windoze users at a command-line session...).

At 01:01 PM 3/14/2001 +, Mike Moran wrote:
>Kenneth Pronovici wrote:
> > > you can change user's shell to /dev/null
> >
> > Well... it doesn't look like I can log in via telnet or FTP without
> > a valid login shell. I tried that with various entries other than
> > /dev/null ...
>
>If all that is needed is web page upload access, you could try
>installing WebDAV[1] and then disabling ftp entirely. Passwords for
>WebDAV are those used by apache for restricting access.
>
>You'd have to get them to use a WebDAV client though. I use "sitecopy"
>on unix and "Goliath" on MacOS. Dunno about Windows. Hmm, I think the
>"web folders" feature of Windows is actually just WebDAV.
>
>[1]: http://www.webdav.org
>
>--
>[EMAIL PROTECTED]
>Web: http://houseofmoran.com/
> AvantGo: http://houseofmoran.com/Lite/

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
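The mod_dav setup Eric and Mike describe (dav_module loaded, "DAV On" in a directory directive, passwords taken from Apache's own access control), as an added example that is not the thread's or any project's own configuration. It uses Apache httpd 2.x directive and module names; the upload directory, the lock database path and the htpasswd file are assumptions. Anonymous visitors can only fetch pages; every WebDAV write method, and the PROPFIND request that produces the "web folder" listing, requires a valid user. Basic auth sends the password in the clear, so serve the upload area over HTTPS.

```apache
# Added example, not the thread's own configuration. Apache httpd 2.x
# directives; the directory, lock-database and password-file paths are
# assumptions.
LoadModule dav_module    modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so

# mod_dav_fs keeps WebDAV locks here; the directory must be writable by httpd.
DavLockDB /var/lock/apache2/DavLock

<Directory "/var/www/site">
    Dav On

    # Same password file as ordinary Apache access control, which is how the
    # thread describes WebDAV authentication.
    AuthType Basic
    AuthName "Site upload"
    AuthUserFile /etc/apache2/dav.htpasswd

    # Anonymous visitors may only fetch pages. Everything else (PUT, DELETE,
    # MKCOL, MOVE, COPY, PROPPATCH, LOCK, UNLOCK, and PROPFIND, which returns
    # the directory listing the "web folder" view shows) needs a valid user.
    <LimitExcept GET HEAD OPTIONS>
        Require valid-user
    </LimitExcept>
</Directory>
```

With this in place FTP can be switched off entirely, as Mike suggests, and the upload accounts exist only in the htpasswd file, never in /etc/passwd, so the shell question from the rest of the thread does not arise for them.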
Re: Allow FTP in, but not shell login
Try setting the shell to /bin/true (and make sure this is listed in /etc/shells). /bin/true returns a zero result and exits. It allows you to "log in" via daemons that require a valid shell, yet won't allow telnet-style access (no real shell, just a "true" result).

At 11:48 AM 3/13/2001 -0800, Mike Fedyk wrote:
>On Tue, Mar 13, 2001 at 06:55:32PM +0200, Andrius Kasparavicius wrote:
> > On Tue, 13 Mar 2001, Kenneth Pronovici wrote:
> > > without interactive access. I want to do this specifically for a set of
> > > users, not for all users on the machine.
> >
> > you can change user's shell to /dev/null
>
>I change mine to /bin/false. It runs and gives a nonzero return code.
>
>If you try to su to a user with a shell set to /dev/null, what happens?
>/bin/false just exits the su, even from root.
>
>Mike

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
Re: promiscuous eth0
This is really goofy. But I've been able to (at least in my case) narrow the "problem" down to using Xircom cards. The 3Com card that I use in my other Debian laptop works great (switching between the two demonstrates this behavior as well, so it isn't the laptop, and the 3Com card is Cardbus as well).

If I switch the Xircom to promiscuous mode, ping the gateway, and then switch back, everything is great. Until I switch it into promiscuous, though, no traffic occurs. The really weird thing is that I *do* get enough traffic through to allow DHCP configuration on startup. Using a static IP address works (although I'm hijacking an address in the DHCP field.. can't wait 'till the guy in charge finds out...)

At 06:37 PM 3/7/2001 -0800, you wrote:
>On Mon, 5 Mar 2001, Jaan Sarv wrote:
> > > Also, paranoid network administrators might be a little upset by it, since
> > > Linux sends out a frame indicating it is switching into (or out
> > > of) promiscuous mode. This is possible evidence that you're running a
> > > sniffer of some kind (such as snort).
> >
> > Hi,
> >
> > How can I recognize such frames/packets? I know this isn't very effective
> > method when trying to discover sniffers, but worth a shot.
> >
> > Is there a way to disable those frames/packets?
> >
> > Jaan
> >
> > a bit paranoid :)
>
>Unless I'm mistaken, there was an article in phrack magazine a while back
>about a kernel patch that disables the sending of the "promiscuous
>mode" packet. For this reason, only misconfigured computers (or script
>kiddies) would be sending this out; truly skilled {cr,h}ackers are
>unlikely to not patch the kernel before doing any covert sniffing.
>
>Regards,
>
>Alex.

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
Re: Port Scanning...
A nice nastygram to the ISP admin is about all you can do. Often that makes the scans stop, and every so often you'll actually get a RESPONSE! Cut-n-paste the relevant info and include that in the nastygram (they like to be able to match IPs with login times to find and root out skr1pt K1dd13z).

As far as opening false ports, I wouldn't play that game - it could come back to really bite you unless you absolutely know what you're doing (read Bellovin & Cheswick - "Repelling the Wily Hacker" regarding a good story of doing this sort of thing).

At 08:18 PM 2/1/2001 -0600, Jason Arden wrote:
>Can anyone recommend a program to stop people from portscanning your
>server... or maybe put out some false information, like let's say 20 pages
>of open ports?
>
>-Jason
>
>Thanks for your time...

--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -