Re: Mass update deployment strategy
On Mon, Nov 27, 2006 at 08:37:42PM +0100, mario wrote:
> Hello List,
>
> I am responsible for 10 (Ubuntu and Debian) installations so far. I have installed apticron which informs me about updates frequently. Actually, it's that often that I sometimes need to invest 1h a day just doing updates. Do you have a strategy or anything to automate this task a little more? The server farm is growing and I might have to look after 20 or 30 installations soon. I can already see myself updating ubuntu/debian installations all day long :(. My installations are most of the time small firewalls and samba servers. Any comments or field reports about this?

on your master computer you could run a script something like this...

#!/bin/sh
set -e
set -x
# Command strings executed on each remote host. The list archive's address
# scrubber replaced the ssh login in the original; root@$n is assumed here
# because apt-get needs root on the remote side.
ENV="set -e ; export TERM=$TERM ; . /etc/profile"
UPD='echo $(hostname) Updating Package Lists... ; apt-get -qq update || true'
UPG='apt-get upgrade --show-upgraded'
UPC='apt-get clean'
for n in host1 host2 hostz; do
    ssh "root@$n" "$ENV ; $UPD ; $UPG ; $UPC"
done

don't forget to have ssh-agent working beforehand.

// George

--
George Georgalis, systems architect, administrator    IXOYE

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Security team support
On Tue, Jun 28, 2005 at 09:16:04PM +0200, Markus Kolb wrote:
> Sven Hoexter wrote on Tue, Jun 28, 2005 at 20:05:47 +0200:
>> On Tue, Jun 28, 2005 at 05:45:41PM +0200, Markus Kolb wrote:
>>> Hi, why doesn't the security team ask for help if they have not enough time for and problems with package fixing? I can help. I need only a security team member for contact and maybe a debian member to sign my gnupg key.
>>
>> And then the whole community should trust you? No, that's not the way it should work. OpenSource is still about having reputation and other people who trust you.
>
> Does this make any sense? What do you want to say? What have you read in my post to conclude something strange like that? Is it the heat?

Right. You made a generous offer. And the whole world doesn't have to trust you just because you have a liaison with the debian security team. That sounds like a great idea, in fact the debian security 'team' should implement a mentor program to facilitate. I don't think Markus understood that you were looking for a direct way to communicate, not commit. (not sure why you need your pgp signed though, web of trust is based on established relationships, your signed patches should be sufficient at this stage...:)

// George

--
George Georgalis, systems architect, administrator    Linux BSD    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
Re: changelog for bzip2
On Tue, Jun 07, 2005 at 02:18:52PM +1000, Anibal Monsalve Salazar wrote:
> CAN-2005-0953 is fixed in woody by bzip2 1.0.2-1.woody2. However, CAN-2005-1260 is not. I cannot see bzip2 1.0.2-1.woody3 in woody.
>
> You can find bzip2 1.0.2-1.woody3 and the patch for #310803 at:
>
> http://people.debian.org/~anibal/debian/bzip2/

Thanks for all the info, Anibal. BTW my initial contact was to that guy listed as contact in changelog.Debian.gz...

// George

--
George Georgalis, systems architect, administrator    Linux BSD    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
changelog for bzip2
This was the changelog.Debian.gz entry for the last bzip2 update:

bzip2 (1.0.2-1.woody2) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * No changes rebuild because maintainer prevented distribution of security fix, thanks a lot!

The only useful information I see there is urgency=high -- but no clear explanation. Was this just an incomplete log? The maintainer did not respond to my inquiry. Is there a CAN? Is there a better file to extract specific info from? I can read; but the second point is ambiguous, the first point doesn't help, nor does the urgency level. So what exactly happened?

// George

--
George Georgalis, systems architect, administrator    Linux BSD    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
Re: changelog for bzip2
On Tue, Jun 07, 2005 at 12:25:51PM +1000, Anibal Monsalve Salazar wrote:
> On Tue, Jun 07, 2005 at 12:14:19PM +1000, Anibal Monsalve Salazar wrote:
>> On Mon, Jun 06, 2005 at 09:31:05PM -0400, George Georgalis wrote:
>>> This was the changelog.Debian.gz entry for the last bzip2 update:
>>>
>>> bzip2 (1.0.2-1.woody2) stable-security; urgency=high
>>>
>>>   * Non-maintainer upload by the Security Team
>>>   * No changes rebuild because maintainer prevented distribution of security fix, thanks a lot!
>>>
>>> The only useful information I see there is urgency=high -- but no clear explanation. Was this just an incomplete log? The maintainer did not respond to my inquiry. Is there a CAN? Is there a better file to extract specific info from? I can read; but the second point is ambiguous, the first point doesn't help, nor does the urgency level. So what exactly happened?
>>
>> I uploaded bzip2 1.0.2-1.1 to stable which clashed with Martin Schulze's plan. 1.0.2-1.woody2 is the same as 1.0.2-1.1.
>>
>> bzip2 (1.0.2-1.1) stable; urgency=medium
>>
>>   * Fixed RC bug file permissions modification race (CAN-2005-0953), closes: #303300. Patch by Santiago Ruano Rincon [EMAIL PROTECTED]. Original patch available at http://marc.theaimsgroup.com/?l=bugtraq&m=111352423504277&w=2
>>
>> I submitted 1.0.2-1.woody3 and Martin included in the last release of woody.
>
> Apparently, he didn't include it in the last release of woody.
>
> bzip2 (1.0.2-1.woody3) stable-security; urgency=high
>
>   * Fixed CAN-2005-1260 decompression bomb vulnerability, closes: #310803. Patch by Martin Pitt [EMAIL PROTECTED].

Okay, so Woody is still exposed to CAN-2005-0953 and CAN-2005-1260, I've not tried a dist-upgrade yet...

// George

--
George Georgalis, systems architect, administrator    Linux BSD    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
Re: murphy in sbl.spamhaus.org
On Fri, Nov 26, 2004 at 10:57:31AM +0100, Florian Weimer wrote:
> * Christian Storch:
>
>>> Things which increase the load on the remote mail servers are *bad*. That would include responding with temporary errors unnecessarily and adding unnecessary delays in communication. pipelining by itself isn't necessarily terrible- adding things like 2 minute delays is bad though.
>>
>> What about greylisting depending on results of e.g. SA? Only above a limit of scores from SA would greylisting become active.
>
> This is very impolite because it requires that the entire message is transferred at least twice.

I thought greylisting closes the smtp connection with a temporary failure immediately to unfamiliar routers. Then they can transmit the message on a second attempt, but since spam relays don't queue, they won't try again.

// George

--
George Georgalis, systems architect, administrator    Linux BSD    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
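The distinction George draws above is where the decision is made in the SMTP dialogue. Classic greylisting keys on the triplet (client IP, envelope sender, envelope recipient) and answers RCPT TO with a 451 temporary failure before the client ever sends DATA, so nothing of the message body crosses the wire on the first attempt; a score-based variant like the one Florian objects to can only decide after the full message has been received. The following is an added example, not code from the thread or from any MTA: a minimal in-memory greylist decision function with a fixed table, a constructed 300-second retry delay, and constructed addresses from the documentation ranges. A queueing MTA waits and retries and gets 250; a client that never comes back never gets past 451.

```c
/* Added example: triplet greylisting decided at RCPT time (not thread code). */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define GL_MAX 64          /* constructed table size for the example */
#define GL_MIN_DELAY 300   /* seconds a client must wait before a retry is accepted */

struct triplet {
    char ip[64], from[256], to[256];
    time_t first_seen;
    int used;
};

static struct triplet table[GL_MAX];

static struct triplet *find_triplet(const char *ip, const char *from, const char *to)
{
    for (int i = 0; i < GL_MAX; i++)
        if (table[i].used && strcmp(table[i].ip, ip) == 0
            && strcmp(table[i].from, from) == 0 && strcmp(table[i].to, to) == 0)
            return &table[i];
    return NULL;
}

/* Called when the client sends RCPT TO, i.e. before any DATA. Returns the
 * SMTP reply code to send: 451 (try again later) or 250 (accepted). */
int greylist_decide(const char *ip, const char *from, const char *to, time_t now)
{
    struct triplet *t = find_triplet(ip, from, to);
    if (t == NULL) {
        /* Unknown triplet: remember it and defer. Only the envelope has been
         * transferred so far, so the message itself is not sent twice. */
        for (int i = 0; i < GL_MAX; i++) {
            if (!table[i].used) {
                table[i].used = 1;
                snprintf(table[i].ip, sizeof table[i].ip, "%s", ip);
                snprintf(table[i].from, sizeof table[i].from, "%s", from);
                snprintf(table[i].to, sizeof table[i].to, "%s", to);
                table[i].first_seen = now;
                break;
            }
        }
        return 451;
    }
    if (now - t->first_seen < GL_MIN_DELAY)
        return 451;   /* retried too soon: a real MTA will back off and retry again */
    return 250;       /* waited and came back: behaves like a queueing MTA, accept */
}

/* Forget all triplets (lets the scenario be re-run from a clean state). */
void greylist_reset(void)
{
    memset(table, 0, sizeof table);
}

int main(void)
{
    /* Constructed exchange: first attempt, an early retry, a retry after the delay. */
    const char *ip = "198.51.100.7", *from = "a@example.net", *to = "b@example.org";
    time_t t0 = time(NULL);
    printf("attempt 1, RCPT TO:<%s>   -> %d\n", to, greylist_decide(ip, from, to, t0));
    printf("attempt 2 after 60s       -> %d\n", greylist_decide(ip, from, to, t0 + 60));
    printf("attempt 3 after 600s      -> %d\n", greylist_decide(ip, from, to, t0 + 600));
    return 0;
}
```

The trade-off George and Florian are circling is visible in the code: legitimate first contact is delayed by at least GL_MIN_DELAY, and the cost on the remote side is one extra envelope exchange, not a second copy of the message.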
Re: TCP SYN packets which have the FIN flag set.
On Mon, Nov 08, 2004 at 09:36:43AM +0100, Giacomo Mulas wrote:
> On Fri, 5 Nov 2004, George Georgalis wrote:
>> and for anybody who is interested, I've found the limit function works well to manage logging and types of deny.
>>
>> -m limit --limit-burst 50 --limit 1/s
>>
>> At the end of my NEW ACCEPT set, I call a chain that, within the limit, logs and rejects remaining connections, beyond the limit it returns. the next two rules log some (with limit again) of the remaining connections and drops them all. The setup gives a balance between the problems of logging and rejecting everything bad and just dropping everything bad.
>
> Doesn't that open the possibility for a DOS, simply by sending a stream of new attempted connections to your computers? Then this would continuously saturate the rate of new attempted connections, and your legitimate connections would be virtually impossible. Or is the netfilter limit code as smart as to use separate limits to separate source IP numbers?

Unfortunately the limit function doesn't easily apply to specific ip addresses (I think there is a way to do it but it's not easy and I don't know how). and a stream of new connections will dos me. :)

Maybe I wasn't clear, I don't limit good connections. (though it might be a good idea to limit port 80 to a rate my apache can sustain, otherwise route to a lightweight httpd that responds with try again later). I'm using limit for REJECT of bad connections when they connect, when the limit is reached I stop rejecting the bad ones and just DROP them. for logging, I log the rejected ones but only some of the dropped ones.

REJECT means I respond, DROP means the client may continue to try until it times out, So generally there is less bandwidth with REJECT, unless you are being attacked, then there is less with DROP. and for certain abusive subnets I request that they be dropped (or whatever) at my ISP router.

// George

--
George Georgalis, systems architect, administrator    Linux BSD    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
Re: TCP SYN packets which have the FIN flag set.
On Fri, Nov 05, 2004 at 03:04:34PM +0000, Baruch Even wrote:
> ESTABLISHED,RELATED
> NEW
> INVALID
>
> pick two to cover the spectrum of attacks.

Why not all three in this order...

INVALID -j REJECT
ESTABLISHED,RELATED -j ACCEPT
NEW -j ACCEPT (if allowed)

I'm thinking PREROUTING is the best table (covers localhost, nat and bridge connections); but historically I've used it on INPUT.

// George

--
George Georgalis, systems architect, administrator    Linux BSD    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
Re: TCP SYN packets which have the FIN flag set.
On Fri, Nov 05, 2004 at 05:57:18PM +0000, Baruch Even wrote:
> On Fri, 2004-11-05 at 17:13, George Georgalis wrote:
>> On Fri, Nov 05, 2004 at 03:04:34PM +0000, Baruch Even wrote:
>>> ESTABLISHED,RELATED
>>> NEW
>>> INVALID
>>>
>>> pick two to cover the spectrum of attacks.
>>
>> Why not all three in this order...
>>
>> INVALID -j REJECT
>> ESTABLISHED,RELATED -j ACCEPT
>> NEW -j ACCEPT (if allowed)
>
> If you checked INVALID and ESTABLISHED, the rest has to be NEW. You can check it if you want for completeness, you can avoid checking it to save a few bits compared.

performance isn't really an issue for me. but I do accept only certain new connections from certain networks.

and for anybody who is interested, I've found the limit function works well to manage logging and types of deny.

-m limit --limit-burst 50 --limit 1/s

At the end of my NEW ACCEPT set, I call a chain that, within the limit, logs and rejects remaining connections, beyond the limit it returns. the next two rules log some (with limit again) of the remaining connections and drops them all. The setup gives a balance between the problems of logging and rejecting everything bad and just dropping everything bad.

// George

--
George Georgalis, systems architect, administrator    Linux BSD    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
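Both of George's messages above describe the same rule, `-m limit --limit 1/s --limit-burst 50`, and Giacomo's DoS question turns on one property of it: the limit match keeps a single token bucket per rule, not one per source. The following added example (not code from the thread, and only a model of the netfilter match, which does its accounting in integer credits) implements that bucket and a per-source variant so the difference can be run and measured: 100 packets from one noisy source drain the shared bucket, after which a packet from a second source no longer matches and falls through to the next rule (the unlogged DROP in George's chain). The per-source variant corresponds to what the hashlimit match with `--hashlimit-mode srcip` does; table size, function names and the documentation-range addresses are this example's own.

```c
/* Added example: token-bucket model of "-m limit", shared vs per-source. */
#include <stdio.h>
#include <string.h>

struct bucket {
    double tokens;       /* packets the rule may still match right now */
    double burst;        /* --limit-burst: bucket capacity */
    double rate_per_ms;  /* --limit, converted to tokens per millisecond */
    long last_ms;
};

void bucket_init(struct bucket *b, double burst, double per_second, long now_ms)
{
    b->tokens = burst;
    b->burst = burst;
    b->rate_per_ms = per_second / 1000.0;
    b->last_ms = now_ms;
}

/* Returns 1 if the packet matches the limit rule (a token was available),
 * 0 if it falls through to the next rule. */
int bucket_match(struct bucket *b, long now_ms)
{
    b->tokens += (now_ms - b->last_ms) * b->rate_per_ms;
    b->last_ms = now_ms;
    if (b->tokens > b->burst)
        b->tokens = b->burst;
    if (b->tokens < 1.0)
        return 0;
    b->tokens -= 1.0;
    return 1;
}

/* Per-source buckets keyed by address string (the hashlimit srcip idea). */
#define SRC_MAX 16
struct src_bucket { char ip[64]; struct bucket b; int used; };
static struct src_bucket per_src[SRC_MAX];

int per_source_match(const char *ip, double burst, double per_second, long now_ms)
{
    for (int i = 0; i < SRC_MAX; i++)
        if (per_src[i].used && strcmp(per_src[i].ip, ip) == 0)
            return bucket_match(&per_src[i].b, now_ms);
    for (int i = 0; i < SRC_MAX; i++)
        if (!per_src[i].used) {
            per_src[i].used = 1;
            snprintf(per_src[i].ip, sizeof per_src[i].ip, "%s", ip);
            bucket_init(&per_src[i].b, burst, per_second, now_ms);
            return bucket_match(&per_src[i].b, now_ms);
        }
    return 0;  /* table full: fail closed, treat as over the limit */
}

/* Constructed scenario: 100 packets from one source within 100 ms, then one
 * packet from a second source. Returns how many of the 100 matched; *other
 * receives whether the second source's packet matched. Shared bucket. */
int shared_scenario(int *other)
{
    struct bucket b;
    int matched = 0;
    bucket_init(&b, 50, 1.0, 0);
    for (int i = 0; i < 100; i++)
        matched += bucket_match(&b, i);
    *other = bucket_match(&b, 100);
    return matched;
}

/* Same traffic against per-source buckets. */
int per_source_scenario(int *other)
{
    int matched = 0;
    memset(per_src, 0, sizeof per_src);
    for (int i = 0; i < 100; i++)
        matched += per_source_match("198.51.100.7", 50, 1.0, i);
    *other = per_source_match("203.0.113.5", 50, 1.0, 100);
    return matched;
}

int main(void)
{
    int other;
    int m = shared_scenario(&other);
    printf("shared bucket:     noisy matched %d/100, quiet source matched %d\n", m, other);
    m = per_source_scenario(&other);
    printf("per-source bucket: noisy matched %d/100, quiet source matched %d\n", m, other);
    return 0;
}
```

In George's layout a non-match is only the difference between REJECT-with-log and silent DROP, which is why he says a flood "will dos me" only in the sense of losing the logged rejects; the same single-bucket property is what makes a global limit on accepted NEW connections (the port 80 idea) a denial-of-service risk unless it is keyed per source.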
Re: Secure temporary fifo creation
On Mon, May 17, 2004 at 07:45:17PM -0500, Greg Deitrick wrote:
> Hello,
>
> What is the recommended method for securely creating a temporary named pipe in C code? Looking at the man pages for various library calls it appears that tmpfile(3) is probably an acceptable means of creating a temporary file, but this returns a FILE *. The upstream source I'm packaging needs to make a temporary fifo. It uses tempnam(3) to get a temporary file name as a char *, and then mkfifo(3) to make the fifo named pipe from the file name. Is this sufficiently secure?

I'm not a c programmer but I think I understand the problem. You could create a temp directory and a temp file, create the fifo in the temp dir then move it to the temp file and remove the temp dir -- Which might be better than the delay between getting the filename and making the fifo. I assumed a temp dir is as easy to make as a tmp file in c, but I cannot find how. Is it possible to make a temp file then change its file descriptor to a fifo?

// George

--
George Georgalis, Architect and administrator, Linux services.    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
Key fingerprint = 5415 2738 61CF 6AE1 E9A7 9EF0 0186 503B 9831 1631
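The private temporary directory George reaches for does exist as a single C call: mkdtemp(3) creates a uniquely named directory atomically with mode 0700, so nothing can be planted inside it by another user and the FIFO name within it can be fixed. That removes the window between tempnam(3) choosing a name and mkfifo(3) using it, during which another process could create a node with the same name in a shared /tmp. (A regular file cannot later be turned into a FIFO through its descriptor; the node type is fixed at creation, so the directory is the right tool.) The code below is an added example, neither Greg's upstream source nor anything from the thread; the function names and the secfifo.XXXXXX template are this example's own.

```c
/* Added example: race-free temporary FIFO via mkdtemp(3) + mkfifo(3). */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create $TMPDIR/secfifo.XXXXXX/fifo. On success stores the FIFO path in out
 * and returns 0; on failure returns -1 with errno set and nothing left behind. */
int make_private_fifo(char *out, size_t outlen)
{
    const char *base = getenv("TMPDIR");
    char dir[4096];
    int n;

    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (snprintf(dir, sizeof dir, "%s/secfifo.XXXXXX", base) >= (int)sizeof dir) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkdtemp: unpredictable name, created atomically with mode 0700, and it
     * fails instead of reusing an existing entry. */
    if (mkdtemp(dir) == NULL)
        return -1;
    n = snprintf(out, outlen, "%s/fifo", dir);
    if (n < 0 || (size_t)n >= outlen) {
        rmdir(dir);
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Inside our own 0700 directory no other user can create "fifo" first,
     * so mkfifo either succeeds or reports a genuine error. */
    if (mkfifo(out, S_IRUSR | S_IWUSR) != 0) {
        int saved = errno;
        rmdir(dir);
        errno = saved;
        return -1;
    }
    return 0;
}

/* What a consumer should verify before trusting the path: it is a FIFO
 * (lstat, so a symlink would not pass), owned by us, with no group/other access. */
int is_private_fifo(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISFIFO(st.st_mode) && st.st_uid == getuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Remove the FIFO and its private directory. Returns 0 on success. */
int remove_private_fifo(const char *path)
{
    char dir[4096];
    char *slash;
    if (strlen(path) >= sizeof dir)
        return -1;
    strcpy(dir, path);
    slash = strrchr(dir, '/');
    if (slash == NULL)
        return -1;
    *slash = '\0';
    if (unlink(path) != 0 && errno != ENOENT)
        return -1;
    return rmdir(dir);
}

int main(void)
{
    char path[4096];
    if (make_private_fifo(path, sizeof path) != 0) {
        perror("make_private_fifo");
        return 1;
    }
    printf("fifo: %s  private=%d\n", path, is_private_fifo(path));
    return remove_private_fifo(path) == 0 ? 0 : 1;
}
```

Because the directory itself is 0700, the FIFO's own mode matters less than the directory's, but keeping the node 0600 means it stays private even if it is later moved out of the directory, as George's move-then-rmdir variant would do.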
Re: restricting process limit
On Wed, Apr 28, 2004 at 02:59:12PM +1000, Daniel Pittman wrote:
> On Tue, 27 Apr 2004, Dan Christensen wrote:
>> Daniel Pittman [EMAIL PROTECTED] writes:
>>> On Mon, 26 Apr 2004, George Georgalis wrote:
>>>> On Mon, Apr 26, 2004 at 06:44:35PM +0200, LeVA wrote:
>>>>> So when I'm getting a large amount of messages there is approx. 15-20 spamc/spamd running. I want to limit this to ~5.
>>>>
>>>> I suspect if spamc invokes spamd but spamd reached its max-children then spamc will act as if spamd timed out, or report ham.
>>>
>>> That depends on the options you pass to spamc; I pass -x which says report a temp failure in that case, and advise that for general use.
>>
>> I'm not sure if this is helpful to the original poster, but I invoke spamc from within procmail, and use a lockfile to limit it to one invocation at a time. Does anyone see a problem with this setup? (I use exim as my MTA.)
>
> No, no problem. This is a pretty high overhead solution, though, and the original question was about limiting that overhead. :)

yep. SA is high overhead. the annoying thing is that besides all the regex work that needs being done, SA is very inefficient in the process. one very annoying observation is the load that persists after the tests complete. Find a slow host, put lots of SA modules on it and watch your spamd log and top, as you check a message... after the score is logged and the message is processed, spamd instances continue using a lot of resources, sometimes much longer than the time taken to process the message.

Figuring out what this post process resource load is or even which modules cause how much processing load, has been, well, not easy. SA seems the only real choice for an OSS spam filter, but I find the api, poor, and looking at the code tells me resource efficiency was never a consideration either.

I'm wanting to write a program that process mail through SA modules, but more efficiently. I'm surprised I've not found one out there already. Maybe scrubber is the answer?

http://projects.gasperino.org/scrubber/ (don't know yet...)

Back to my own scripts, I'm having a real hard time so much as finding doc (vs example) of the module format. Any tips on what I'm missing are more than welcome.

thanks-

// George

--
George Georgalis, Architect and administrator, Linux services.    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
Key fingerprint = 5415 2738 61CF 6AE1 E9A7 9EF0 0186 503B 9831 1631
Re: restricting process limit
On Mon, Apr 26, 2004 at 06:44:35PM +0200, LeVA wrote:
> I have a 'spam' user, and I've set up postfix, to run a tiny little script as this 'spam' user. This script accepts messages thru the stdin, and it filters the message thru the spamd daemon with the spamc client. After the filtering, it sends the message using the 'sendmail' (postfix's sendmail) program. So when I'm getting a large amount of messages there is approx. 15-20 spamc/spamd running. I want to limit this to ~5.

I suspect if spamc invokes spamd but spamd reached its max-children then spamc will act as if spamd timed out, or report ham.

So, I think your fix will be to limit the max incoming concurrency on postfix, since that is really your problem. (can't help with details as I don't run postfix.) With a lower incoming concurrency, mail will stay queued on remote servers until they try again and your local box is not too busy.

Regards,

// George

--
George Georgalis, Architect and administrator, Linux services.    IXOYE
http://galis.org/george/   cell:646-331-2027   mailto:[EMAIL PROTECTED]
Key fingerprint = 5415 2738 61CF 6AE1 E9A7 9EF0 0186 503B 9831 1631
Re: Hacked - is it my turn? - interesting
On Tue, Feb 03, 2004 at 03:48:46PM +0100, François TOURDE wrote:
> Ok, but I don't want somebody debug on *my* machine. It's only allowed for me :)

As long as your machine is working, I guess you don't need to debug it!

// George

--
George Georgalis, Admin/Architect     cell: 646-331-2027    IXOYE
Linux Infrastructure, Security        mailto:[EMAIL PROTECTED]
Services, Multimedia and Metrics.     http://www.galis.org/george
Re: Hacked - is it my turn? - interesting
On Mon, Feb 02, 2004 at 05:58:29PM -0500, Noah Meyerhans wrote:
> On Mon, Feb 02, 2004 at 02:54:33PM -0800, Alvin Oga wrote:
>>> If you run 'iptables -A INPUT -p tcp --dport 1524 -j REJECT' you'll get this exact behavior, with nothing listening on these ports.
>>
>> and am wondering, why explicitly reject those ports and not explicitly reject other ports that is also not used ...
>
> Perhaps it's because some known back door or rarely used (but often running by default) service was on one of those ports. IIRC, some well known back door listened on port 31337. It's possible that the ISP is filtering it on their routers, and thus the scan showed it as filtered (assuming that the scan was done from elsewhere and its traffic passed through the ISP's routers).

These might come in handy

http://www.networkice.com/advice/Exploits/Ports/
List of frequently seen TCP and UDP ports and what they mean.

http://www.portsdb.org/
internet ports database

http://www.sans.org/resources/idfaq/oddports.php
Default ports used by some known trojan horses

The filter is prob an ISP one... 31337 Back Orifice

// George

--
George Georgalis, Admin/Architect     cell: 646-331-2027    IXOYE
Linux Infrastructure, Security        mailto:[EMAIL PROTECTED]
Services, Multimedia and Metrics.     http://www.galis.org/george
Re: Strange file attributes
On Thu, Jan 15, 2004 at 03:45:05PM +0200, Craig Schneider wrote:
> Hi Guys
>
> Am running 2.4.22 kernel on two Debian boxes and notice today that if I run an lsattr in the /bin and /sbin dir some of the files are coming up with strange attributes. Any ideas why ? Or has the box more than likely been exploited ?

depends what you mean by strange, this may come in handy:

http://www.knowngoods.org/
Online hash database. It's a database of MD5 and SHA-1 hashes for standard OS files for various versions of FreeBSD, Linux, Mac OSX, and Solaris.

on one of my computers (a dev box) I have ---c-- for all the sbin files on another I have st for some of the files and exclusive -- on another. the attributes don't look evil, I'm not sure exactly how they were changed, but their md5sums check out okay.

// George

--
GEORGE GEORGALIS, System Admin/Architect   cell: 646-331-2027   IXOYE
Security Services, Web, Mail,              mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.           http://www.galis.org/george
Re: Infrastructure back online?
On Fri, Jan 09, 2004 at 10:51:55PM -0500, Tim Cunningham wrote:
> On Sat, 10 Jan 2004 03:22:15 +0000 Nick Boyce [EMAIL PROTECTED] wrote:
>> Which is the announcement about the November compromise. That makes it sound like it _is_ a security issue ..
>
> I think he meant that it wasn't important to maintaining the security of Debian.

maybe, but when I read this:

On Wed, Jan 07, 2004 at 06:54:32PM -0800, Matt Zimmerman wrote:
> On Wed, Jan 07, 2004 at 10:35:30PM +0100, Jan Lühr wrote:
>> noticing the increasing amount of secure-adv I'd like to ask, whether the build-daemons are back or whether another issue is increasing the amount of advs rapidly.
>
> Everything is working again.

I have to think I'm either missing the meaning of everything or working. esp when I look on packages.debian.org, which I would intuitively refer to as the debian archive. Does this mean everything is correctly under construction? -- and I needn't worry about anything I cannot make sense of? (Things will only get better now..)

I certainly feel I'm being wedged into the same corner as when I got security urgency=high updates before security.debian.org was taken off line and an announcement that debian.org was compromised. (Compulsion to audit _everything_.) But I did later learn that all that coincided with r2 (the new packages weren't urgent and all the urgent packages were old updates), and therefore I was current and safe through it, even though I didn't get an r2 announcement, or timely supplementary info. Maybe my nerves would have been calmer if I was following IRC, where I guess the news was?

Hey, what happened, happened. My point is that even if there was no more information or more timely distribution of technical facts, more verbosity as to threat assessment, hypothesis and conclusion, would have made a world of difference for the humans depending on the debian integrity; via third party website or otherwise.

If that can be accepted, then my second observation is the complete lack of post mortem commentary of the forensics used. What percentage of debian users know how to mount -oloop a dd image? What _is_ the next step? In the spirit of GNU/debian I would hope the technical leads would have some volition to mentor less skilled admins on the techniques used to unwind the mess. I haven't _looked_ for post mortem notes but I'm surprised not to have so much as heard that they are around.

// George

--
GEORGE GEORGALIS, System Admin/Architect   cell: 646-331-2027   IXOYE
Security Services, Web, Mail,              mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.           http://www.galis.org/george
Re: Q. Should one mirror debian.security.org? Good or Bad Idea?
On Tue, Dec 09, 2003 at 11:45:22AM -0500, Walter Tautz wrote:
> just wondering if this would be a good idea. We currently have 80 machines
> that do an update once a day on this host so I think it may be a good idea
> to mirror the archive locally, say once a day via rsync?

The Nov ?? Deb weekly news contained:

  Debian Package Caching. Jonathan Oxer [11]wrote about caching Debian
  packages in order to save bandwidth when updating or installing multiple
  Debian machines. The [12]apt-cacher utility was originally written by
  Nick Andrew to maintain two Debian systems over a slow modem connection.
  It runs as a CGI program and only needs to be set up on one machine.

  11. http://articles.linmagau.org/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=451
  12. http://packages.debian.org/apt-cacher

Haven't tried it yet.

Regards,
// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027
IXOYE Security Services, Web, Mail,         mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
Re: rsync attempts?
On Sat, Dec 06, 2003 at 12:25:09AM +0100, Igor Mozetic wrote:
> I see repeated attempts to connect to my public rsync Debian server:
>
> Dec 6 00:20:01 rsync connection attempt from 217.21.40.1 (217.21.40.1:29558->x.x.x.x:873)
>
> rsync and kernel are patched, but I wonder if there is anything one can do
> to identify/catch/??? a potential intruder.

some ISPs will respond to complaints, if their customers are staging attacks, most don't. you will want to script some kind of reporting tool, use whois to find the owner of the subnet... in this case they may do something about it: Belarusian State University

There is aris too:

Package: aris-extractor
Priority: optional
Section: admin
Installed-Size: 164
Maintainer: Matt Zimmerman [EMAIL PROTECTED]
Architecture: i386
Version: 1.6.2-4
Depends: debconf, libc6 (>= 2.2.4-4), libcurl2-ssl (>= 7.9.5-1), libssl0.9.6, libstdc++2.10-glibc2.2
Recommends: snort
Filename: pool/main/a/aris-extractor/aris-extractor_1.6.2-4_i386.deb
Size: 38072
MD5sum: 7e95297b99c3725d60c94f8a24acebb0
Description: Scan system logs for security incidents and report them to ARIS
 The Attack Registry and Intelligence Service (ARIS) is a free, user-integrated
 attack-trending system hosted by SecurityFocus that allows administrators and
 operators of Intrusion Detection Systems (IDSs) to track, evaluate and respond
 to security alerts and attacks in a proactive manner.
 .
 As an integral piece of the ARIS Analyzer service, SecurityFocus's open-source
 ARIS Extractor utility distills data provided by IDS attack-list logs to build
 client portfolios that provide meaningful, graphical analysis of potentially
 malicious network incidents. By filtering out insignificant or benign data and
 converting it to a common format (xml), ARIS Extractor streamlines incident
 reporting for both security professionals and home users in a way that allows
 IDS operators to focus only on relevant attacks and incidents.
 .
 Additionally, ARIS Extractor ensures client confidentiality through secure
 file-transfer protocols and optional IP address suppression.

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027
IXOYE Security Services, Web, Mail,         mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
Re: Debian servers hacked?
On Wed, Nov 26, 2003 at 12:47:40PM -0500, Matt Zimmerman wrote:
> On Sat, Nov 22, 2003 at 02:32:45AM -0500, George Georgalis wrote:
> > I thought it was odd there were ~50 urgent security updates all in one
> > evening.
>
> There weren't. Read the changelogs; these were normal bugfixes which
> entered stable as part of the 3.0r2 point release, whose announcement was
> delayed due to the cleanup efforts.

Thanks, I appreciate the updates, and I sympathize re the post compromise workload.

I've posted 3 or 4 messages re the changes and compromise, from these I really only want to raise one point: Is there a list of what has been validated and/or restored at debian? If so I see no reason to withhold it for a final report, and good reason to have it live, throughout the process. It would enable undertaking of realtime debian system threat analysis based on the trust established with debian last week versus after the compromise. In the same email I also said had there been no series of change announcements prior to the compromise, live progress reports would not be as desirable as they are in this case (though everybody wants to know if it was an ssh bug or loose password... when known).

That aside, I still wonder if we are talking about the same thing. It turns out about 160 packages were posted on debian-changes@lists.debian.org Nov 19. According to the change logs they don't appear as normal bugfixes, but many are like

  kernel-source-2.4.17 (2.4.17-1woody1) stable-security; urgency=high

which includes at least one user to root vulnerability. Maybe I'm missing something, but I don't see any indication these changes don't affect current installs but are only relevant to r2. (not sure what the difference would be either)

For me, only one of those 160 packages (when I use 'upgrade' on a typical box I administer) is marked 'urgency=high', debianutils. Why the program file is not part of the list even with 'dist-upgrade'. oic the urgent ones really did come out earlier.

I clearly don't understand the methodology of the announcements and the woody r1 to r2 process. Whether technically everything was presented sufficiently for everybody to determine validity and appropriateness is not my point in all this, only that a live progress report of the restore/verification process (ie we have verified or fixed host/service a, b and c) would have set many at ease and I imagine would have been fairly nominal to provide -- a suggestion.

A few of the other important i386 changes that came out are below -- less their _actual_ dates and less relevant now that I see they've been available for a while -- as well as links to my other posts. In retrospect, a post-compromise clarification that the urgent packages are probably already installed vs people verifying and wondering when security.debian.org would come back so they could be obtained, would be as valuable as the progress report!

Your follow up is much appreciated. -- thanks for all the hard work these days!

// George

http://lists.svlug.org/pipermail/svlug/2003-November/046244.html
http://lists.svlug.org/pipermail/svlug/2003-November/046249.html

Changes:
 ncompress (4.2.4-9.2) stable; urgency=high
 .
   * Disallow maxbits less than 10, to avoid data corruption (closes: #220820).

Changes:
 atftp (0.6.0woody1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix buffer overflow in tftpd_send_file [tftpd_file.c]

Changes:
 autorespond (2.0.2-2woody1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix buffer overflow with EXT and HOST environment variables (CAN-2003-0654)

Changes:
 cupsys (1.1.14-5) stable-security; urgency=high
 .
   * Security fix: prevent denial of service by not freezing when an HTTP
     transaction is improperly terminated.
   * Fix Build-Depends to make sure that PAM support is always available.
   * CAN-2003-0195

Changes:
 ddskk (11.6.rel.0-2woody1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Apply patch from Takao Kawamura [EMAIL PROTECTED] to create temporary
     files safely

Changes:
 debianutils (1.16.2woody1) stable; urgency=high
 .
   * Backport of Ian Zimmerman's run-parts program output loss patch, which
     fixes zombie problem. closes: #184710.

Changes:
 ethereal (0.9.4-1woody5) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team
   * Fix vulnerabilities announced in enpa-sa-00010
     - throw an error on zero-length bufsize in tvb_get_nstringz0
       (CAN-2003-0431) [epan/tvbuff.c]
     - Fix over-allocation problem in DCERPC dissector (CAN-2003-0428)
       [packet-dcerpc-lsa.c]
     - Fix overflow with bad IPv4 or IPv6 prefix lengths (CAN-2003-0429) [packet
Re: Debian servers hacked?
On Tue, Nov 25, 2003 at 06:10:18PM -0500, Johann Koenig wrote:
> On Saturday November 22 at 02:32am George Georgalis [EMAIL PROTECTED] wrote:
> > So, are these compromised updates or urgent patches? I'm guessing the
> > former..
>
> More likely part of 3.0r2. I've attached the message from debian-announce.

thanks for the attachment. I thought I was on debian-announce but I didn't see that.

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027
IXOYE Security Services, Web, Mail,         mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
Re: Debian servers hacked?
On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
> On Friday 21 November 2003 13:18, Thomas Sjögren wrote:
> > On Fri, Nov 21, 2003 at 01:13:35PM +0100, Jan Wagner wrote:
> > > http://luonnotar.infodrom.org/~joey/debian-announce.txt
> >
> > Read that a minute ago, but what happened?
>
> That's ATM unknown. It seems, that nobody (except the bad boys) has access
> to the boxes. But there are ppl on the way to catch local access. That's
> all I heard.

I thought it was odd there were ~50 urgent security updates all in one evening. One of my computers managed to pull several deb updates before security.debian.org was taken off line:

  # ls -1 /var/cache/apt/archives/
  bsdutils_1%3a2.11n-7_i386.deb
  console-data_1999.08.29-24.2_all.deb
  debianutils_1.16.2woody1_i386.deb
  lock
  mount_2.11n-7_i386.deb
  nano_1.0.6-3_i386.deb
  partial
  procmail_3.22-5_i386.deb
  procps_1%3a2.0.7-8.woody1_i386.deb
  util-linux_2.11n-7_i386.deb
  zlib1g_1%3a1.1.4-1.0woody0_i386.deb

So, are these compromised updates or urgent patches? I'm guessing the former...

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027
IXOYE Security Services, Web, Mail,         mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
Re: OpenSSH in Woody
Most of my debian installs took the recent ssh updates without a hiccup, but two of them deposited the file /etc/ssh/sshd_not_to_be_run before restarting and left no daemon listening. I found this bit of code in /var/lib/dpkg/info/ssh.postinst

  setup_startup() {
      start=yes
      [ -e /usr/share/debconf/confmodule ] && {
          db_get ssh/run_sshd
          start="$RET"
      }
      if [ "$start" != "true" ] ; then
          /etc/init.d/ssh stop 2>&1 >/dev/null
          touch /etc/ssh/sshd_not_to_be_run
      else
          rm -f /etc/ssh/sshd_not_to_be_run 2>/dev/null
      fi
  }

but I don't see the intent of the logic, or why one box would touch the file but the other wouldn't? Ah, must have been in the initial debconf for ssh. but when I do

  dpkg --configure ssh

I get:

  dpkg: error processing ssh (--configure):
   package ssh is already installed and configured
  Errors were encountered while processing:
   ssh

Maybe --force-things would get around that, but I don't want to regenerate my host keys. How can I change this setting or control whether future updates create the file?

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027
IXOYE Security Services, Web, Mail,         mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
Re: OpenSSH in Woody
On Mon, Sep 22, 2003 at 02:32:10PM -0400, Michael Stone wrote:
> On Mon, Sep 22, 2003 at 01:56:14PM -0400, George Georgalis wrote:
> > How can I change this setting or control whether future updates create
> > the file?
>
> dpkg-reconfigure ssh
>
> Mike Stone

thanks -

--
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027
IXOYE Security Services, Web, Mail,         mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
Re: Woody security updates report.
On Mon, Jul 28, 2003 at 09:18:31AM -0500, Andrés Roldán wrote:
> Hi all.
>
> I have a Debian Woody up-to-date'd production server (it's daily updated)
> and I need a report of the security updates made in the server since a
> given time ago (a month, a couple of months or so). Is there any way, a
> tool or something to do that?
>
> Thanks in advance.

  ls -rltu /var/lib/dpkg/info/*list

will give you a pretty good indication, then use some regex and dpkg commands to identify the exact version installed.

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027
IXOYE Security Services, Web, Mail,         mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
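Scripting the approach George describes, as an added example that is not part of the original post: the functions below list the packages whose dpkg .list file changed after a cut-off date (going by modification time, which dpkg sets when it unpacks the package, rather than the access time that ls -u shows) and pair each with the installed version from dpkg-query. The directory argument, the constructed sample directory from make_sample_info_dir and the name report_since are this example's own; on a real box point it at /var/lib/dpkg/info.

```shell
#!/bin/sh
# Added example, not from the original post: report packages installed or
# upgraded since a given date from the mtime of /var/lib/dpkg/info/<pkg>.list
# (dpkg rewrites that file when it unpacks a package), then look up the
# version actually installed with dpkg-query.

# pkgs_changed_since DIR DATE
# Print the package names whose DIR/<pkg>.list is newer than DATE (any date
# "touch -d" accepts, e.g. 2003-06-28), most recently changed first.
pkgs_changed_since() {
    dir=$1
    since=$2
    ref=$(mktemp) || return 1
    # A reference file stamped with the cut-off lets us use the portable
    # "find -newer" instead of the GNU-only -newermt.
    touch -d "$since" "$ref" || { rm -f "$ref"; return 1; }
    find "$dir" -maxdepth 1 -name '*.list' -newer "$ref" -exec ls -t {} + 2>/dev/null |
        sed -e 's#.*/##' -e 's/\.list$//' -e 's/:[^:]*$//'   # strip dir, suffix, :arch
    rm -f "$ref"
}

# with_versions
# Read package names on stdin and print "pkg version". Prints "?" for the
# version when dpkg-query is missing (non-Debian host) or the package is
# not installed, so the report degrades instead of aborting.
with_versions() {
    while IFS= read -r pkg; do
        ver='?'
        if command -v dpkg-query >/dev/null 2>&1; then
            ver=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null) || ver='?'
        fi
        printf '%s %s\n' "$pkg" "${ver:-?}"
    done
}

# report_since DIR DATE: the two steps combined.
report_since() {
    pkgs_changed_since "$1" "$2" | with_versions
}

# make_sample_info_dir
# Build a constructed stand-in for /var/lib/dpkg/info so the report can be
# tried offline; package names and dates are made up for the example.
make_sample_info_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/zlib1g.list";         touch -d 2003-03-01 "$d/zlib1g.list"
    : > "$d/openssh-server.list"; touch -d 2003-09-16 "$d/openssh-server.list"
    : > "$d/ssh.list";            touch -d 2003-09-17 "$d/ssh.list"
    : > "$d/ssh.conffiles";       touch -d 2003-09-17 "$d/ssh.conffiles"  # not a .list, ignored
    printf '%s\n' "$d"
}

# Usage: sh report.sh /var/lib/dpkg/info 2003-06-28
# With no arguments, run against the constructed sample directory instead.
if [ $# -eq 2 ]; then
    report_since "$1" "$2"
else
    report_since "$(make_sample_info_dir)" 2003-06-28
fi
```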
Re: Please clarify: kernel-sources / ptracebug / debian security announcements
I think you'll find the bugtraq list at http://securityfocus.com/ to be the leading edge for security information. I like focus-linux too. http://securityfocus.com/archive

To find more current news on issues / exploits, you would probably need to follow some particular IRC or whatever the evil side of the internet uses these days.

The main problem with bugtraq is a *lot* of M$ (and other commercial software) issues are mixed in there. I find myself only reading the subjects of 70% of the posts. but for issues like ptrace, you'll find everything you need there.

// George

On Wed, May 07, 2003 at 02:53:35PM +0200, Peter Holm wrote:
> Hi,
>
> may I be allowed to ask some questions? I am a little bit confused about
> the latest discussions on the ptrace kernel bug. As I am not a regular
> reader of this mailing list but heavily relying on the debian security
> announce mailing list and apt-get, I was really wondering why I could not
> find anything about that ptrace kernel bug that can be found here
> http://sinuspl.net/ptrace/ on the debian security website / announcement
> list.
>
> As I keep my systems regularly (apt-)updated I thought there was no reason
> to panic, at least debian is known for its high claims on being secure and
> there would be some word about that if it was a problem. well, said that I
> tried, just for fun, if that exploit could do something on my actual debian
> installations and I really got slapped hard! All machines were exploitable!
>
> Ok, my questions:
>
> Why isn't there a security warning about that ptrace bug?
>
> The actual kernel sources that one can get via apt-get, are they already
> patched? What about the kernel-images?
>
> As i read, there are some misfunctions with that kernel-patch, not allowing
> some tools to work properly (netsaint / nagios were mentioned). Are there
> any more side effects known?
>
> Is there a good website accumulating information
> about-that-ptrace-bug-and-patch-and-all-the-problems-that-are-related-to-this.org?
>
> And: which information sources do I have to follow to become informed about
> *all* security bugs in debian?
>
> Thanks for your attention and sorry for my clumsy english!
>
> Have a nice thread,
> Peter

--
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
Re: Traffic monitoring
On Fri, Mar 14, 2003 at 08:03:17PM +0100, Nils wrote:
> We have two computer labs, with its respective ISP-connections, both with
> volume based rates. These two sites are also connected to each other
> through a VPN. The volume between the two sites should really be marginal.
> Due to what we get charged by the ISP, we suspect a lot of non-sanctioned
> material (mp3..) being transported over smb. I would like to at least be
> able to monitor the volume from respective computer going through the
> firewall (and the VPN).

Here is a quick and dirty method. I wanted to see what ICMP types were being used so I created a rule on my firewall for each type. The rule just returns, but the statistics (iptables -vnL) reveal the frequency of each type:

  # Not sure about these, start logging them...
  # find them in stats...
  iptables -N icmpwach
  for n in `seq 0 255`; do
      echo -n .
      iptables -I icmpwach -p icmp --icmp-type $n -j RETURN
  done ; echo
  iptables -I INPUT -j icmpwach
  iptables -I FORWARD -j icmpwach
  i="iptables -I INPUT -p icmp"

you might modify the loop to generate a return rule for each ip

  iptables -I bandwatch -s $n -p all -j RETURN
  iptables -I bandwatch -d $n -p all -j RETURN

Then you could look at the iptable stats and see which ip is using the gateway. This might be more politically desirable than knowing the IP and the port ;) On the other hand you could come up with some ports and port ranges to monitor too.

There are tons of software to calculate and make presentations of this kind of info.

http://ipaudit.sourceforge.net/ipaudit-web/
  Would you like to summarize and/or log network activity down to the ip
  address and port level of detail, but not record every packet?

http://freshmeat.net/projects/traffacct/
www.hughes.com.au/products/traffacct/
  TraffAcct is a network traffic accounting package designed to simplify
  the process of tracking and billing network usage.

http://bubba.sourceforge.net/
  Bandwidth Utilization Billing and Basic Accounting

http://netacct-mysql.sourceforge.net/
  bandwidth utilization, accounting. Netacct-mySQL is a monitor which can
  log traffic generated by a specific network (incoming/outgoing). In fact
  it works like a sniffer, puts the network interface in PROMISC mode and
  collects traffic.

http://torus.lnet.lut.fi/vnstat/
  vnStat is a network traffic monitor for Linux that keeps a log of daily
  network traffic for the selected interface.

http://ifmonitor.preteritoimperfeito.com/
  ifmonitor is a simple network interface traffic logger and grapher for
  linux.

gkrellm
mrtg

The list goes on, let us know what you come up with.

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
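George's per-IP bandwatch idea carried through, as an added example that is not part of the original post: one function emits the iptables rules for a list of hosts, the other turns the counters from iptables -vnxL bandwatch (-x for exact byte counts instead of K/M/G) into a per-host byte report. The chain name follows the post; the host addresses and the counter output in SAMPLE_COUNTERS are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: per-host traffic accounting
# with a RETURN-only iptables chain, and a report built from its counters.

# bandwatch_rules IP...
# Print the iptables commands that create the "bandwatch" chain with one
# RETURN rule per host and direction, then hook it in front of INPUT and
# FORWARD. Printing rather than executing lets the rules be reviewed first;
# pipe into sh on the firewall to apply them.
bandwatch_rules() {
    printf '%s\n' "iptables -N bandwatch"
    for ip in "$@"; do
        printf '%s\n' "iptables -I bandwatch -s $ip -p all -j RETURN"  # bytes sent by host
        printf '%s\n' "iptables -I bandwatch -d $ip -p all -j RETURN"  # bytes sent to host
    done
    printf '%s\n' "iptables -I INPUT -j bandwatch" "iptables -I FORWARD -j bandwatch"
}

# bandwatch_report < counters
# Read the output of "iptables -vnxL bandwatch" (-x gives exact byte counts,
# not K/M/G) and print "host out_bytes in_bytes total_bytes", biggest talker
# first. The -vnL columns are: pkts bytes target prot opt in out source
# destination, so a host address in column 8 is outbound, in column 9 inbound.
bandwatch_report() {
    awk '
        /^Chain / || /^ *pkts +bytes/ { next }   # skip the two header lines
        $3 == "RETURN" {
            bytes = $2; src = $8; dst = $9
            if (src != "0.0.0.0/0") { out[src] += bytes; hosts[src] = 1 }
            if (dst != "0.0.0.0/0") { in_[dst] += bytes; hosts[dst] = 1 }
        }
        END {
            for (h in hosts)
                printf "%s %d %d %d\n", h, out[h], in_[h], out[h] + in_[h]
        }' | sort -k4,4nr
}

# Constructed sample of what "iptables -vnxL bandwatch" prints after the
# rules above have been counting for a while (two hosts, made-up figures).
SAMPLE_COUNTERS='Chain bandwatch (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1523    1843210 RETURN     all  --  *      *       192.168.1.10         0.0.0.0/0
    2201   12874400 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.10
      12       1008 RETURN     all  --  *      *       192.168.1.11         0.0.0.0/0
       9        720 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.11'

# sample_report: the report run over the constructed counters.
sample_report() {
    printf '%s\n' "$SAMPLE_COUNTERS" | bandwatch_report
}

# On the firewall itself:  iptables -vnxL bandwatch | bandwatch_report
# With no arguments, show the constructed sample; with host IPs as
# arguments, print the rules that would account for them.
if [ $# -eq 0 ]; then
    sample_report
else
    bandwatch_rules "$@"
fi
```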
Re: Traffic monitoring
On Fri, Mar 14, 2003 at 08:03:17PM +0100, Nils wrote:
> We have two computer labs, with their respective ISP connections, both
> with volume-based rates. These two sites are also connected to each other
> through a VPN. The volume between the two sites should really be
> marginal. Due to what we get charged by the ISP, we suspect a lot of
> non-sanctioned material (mp3..) being transported over smb. I would like
> to at least be able to monitor the volume from each respective computer
> going through the firewall (and the VPN).

Here is a quick and dirty method. I wanted to see what ICMP types were
being used, so I created a rule on my firewall for each type. The rule just
returns, but the statistics (iptables -vnL) reveal the frequency of each
type:

    # Not sure about these, start logging them...
    # find them in stats...
    iptables -N icmpwach
    for n in `seq 0 255`; do
        echo -n .
        iptables -I icmpwach -p icmp --icmp-type $n -j RETURN
    done ; echo
    iptables -I INPUT -j icmpwach
    iptables -I FORWARD -j icmpwach
    # i="iptables -I INPUT -p icmp"   # unused shorthand, left commented so
                                      # the shell does not run "-I" as a command

You might modify the loop to generate a return rule for each ip:

    iptables -I bandwatch -s $n -p all -j RETURN
    iptables -I bandwatch -d $n -p all -j RETURN

Then you could look at the iptables stats and see which ip is using the
gateway. This might be more politically desirable than knowing the IP and
the port ;) On the other hand you could come up with some ports and port
ranges to monitor too.

There is tons of software to calculate and make presentations of this kind
of info.

http://ipaudit.sourceforge.net/ipaudit-web/
    Would you like to summarize and/or log network activity down to the ip
    address and port level of detail, but not record every packet?

http://freshmeat.net/projects/traffacct/
www.hughes.com.au/products/traffacct/
    TraffAcct is a network traffic accounting package designed to simplify
    the process of tracking and billing network usage.

http://bubba.sourceforge.net/
    Bandwidth Utilization Billing and Basic Accounting

http://netacct-mysql.sourceforge.net/
    bandwidth utilization, accounting. Netacct-mySQL is a monitor which can
    log traffic generated by a specific network (incoming/outgoing). In fact
    it works like a sniffer: it puts the network interface in PROMISC mode
    and collects traffic.

http://torus.lnet.lut.fi/vnstat/
    vnStat is a network traffic monitor for Linux that keeps a log of daily
    network traffic for the selected interface.

http://ifmonitor.preteritoimperfeito.com/
    ifmonitor is a simple network interface traffic logger and grapher for
    Linux.

gkrellm
mrtg

The list goes on, let us know what you come up with.

// George

--
GEORGE GEORGALIS, System Admin/Architect   cell: 347-451-8229
Security Services, Web, Mail,              mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.           http://www.galis.org/george
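Carrying the per-IP RETURN-rule idea above through to the reading step, here is an added example (my code, not George's script) that builds the "bandwatch" chain for a list of hosts and turns the `iptables -vnxL bandwatch` counters into one byte total per host, both directions summed. Placing the chain in FORWARD, the host addresses, and the sample listing are constructed assumptions; setup_bandwatch needs root and is not exercised by the parser check.

```shell
#!/bin/sh
# Added example: per-host traffic accounting with a counting-only chain.
# Chain name from the post; hosts, placement and listing are constructed.

# Create (or flush) the chain and add one RETURN rule per direction per
# host. The rules change nothing; iptables just keeps pkts/bytes for each.
setup_bandwatch() {
    iptables -N bandwatch 2>/dev/null || iptables -F bandwatch
    for ip in "$@"; do
        iptables -A bandwatch -s "$ip" -j RETURN
        iptables -A bandwatch -d "$ip" -j RETURN
    done
    # Gateway traffic traverses FORWARD; -I puts the chain first so every
    # packet is counted before any ACCEPT/DROP rule sees it.
    iptables -I FORWARD -j bandwatch
}

# Read an `iptables -vnxL bandwatch` listing on stdin (-x gives exact byte
# counts) and print "ip bytes" lines, inbound and outbound added together,
# biggest consumer first.
summarize_bandwatch() {
    awk '
        /^ *[0-9]/ {
            # columns: pkts bytes target prot opt in out source destination
            src = $8; dst = $9
            ip = (src != "0.0.0.0/0") ? src : dst
            bytes[ip] += $2
        }
        END { for (ip in bytes) printf "%s %d\n", ip, bytes[ip] }
    ' | sort -k2,2nr
}

# Constructed sample in the shape iptables prints; a real run would be
#   iptables -vnxL bandwatch | summarize_bandwatch
SAMPLE_LISTING='Chain bandwatch (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    1500000 RETURN     all  --  *      *       10.0.0.5             0.0.0.0/0
     900     120000 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.5
      40       4000 RETURN     all  --  *      *       10.0.0.7             0.0.0.0/0
      30       3000 RETURN     all  --  *      *       0.0.0.0/0            10.0.0.7'

# The host moving the most bytes through the gateway in the sample.
top_talker() {
    printf '%s\n' "$SAMPLE_LISTING" | summarize_bandwatch | head -n 1
}
```

Counters are cumulative since the chain was created; `iptables -Z bandwatch` after each reading gives per-interval figures.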
Re: machine monitoring packages
On Fri, Feb 14, 2003 at 10:15:16AM -0500, Matt Zimmerman wrote:
> On Fri, Feb 14, 2003 at 02:53:20PM +0100, Dariush Pietrzak wrote:
> > nice.. but the design behind the whole mrtg/rrdtool makes them useless
> > in many situations - for example, try comparing trends in two Julys
> > from different years.. you can't, can you.. )
>
> Of course you can, as long as you set up your RRDs at the start to hold
> all of the data that you will want. RRDs do not expand once they are
> created, so once it wraps and starts to overwrite old data, it is lost.

RRDs are designed not to grow, hence the Round Robin; they are not intended
to archive historical data, but you could always save a png for the prior
month on the first day of the month and compare the pictures later...

// George

--
GEORGE GEORGALIS, System Admin/Architect   cell: 347-451-8229
Security Services, Web, Mail,              mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.           http://www.galis.org/george
Re: machine monitoring packages
On Thu, Feb 13, 2003 at 09:08:47PM +0100, Christian Hammers wrote:
> We (ISP) use several mechanisms:
>
> * a local watchdog shell script that is called by cron minutely and that
>   - checks ps cax if every process is there, else it restarts it

I've seen services fail to work while they are still in the ps tree.
Speaking from experience, I'd recommend the watchdog tries to use the
service before it confirms it's working...

// George

--
GEORGE GEORGALIS, System Admin/Architect   cell: 347-451-8229
Security Services, Web, Mail,              mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.           http://www.galis.org/george

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
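The point George makes, a watchdog that exercises the service rather than trusting `ps cax`, as an added example of my own (not a script from the thread): the probe and restart commands are passed in, so one function covers a web server or a Samba server. The service names, probe commands, cron line and the dependency on coreutils `timeout` are assumptions.

```shell
#!/bin/sh
# Added example: cron watchdog that confirms a service answers a request
# before declaring it healthy. Names, probes and `timeout` are assumptions.

# What the ps-based watchdog proves: a process with this command name
# exists. A hung daemon passes this check and still serves nothing.
process_present() {
    ps cax | awk -v cmd="$1" '$5 == cmd { found = 1 } END { exit !found }'
}

# Functional check with a time limit, so a daemon that accepts the
# connection but never replies is treated as down too.
probe_service() {
    timeout "${PROBE_TIMEOUT:-10}" sh -c "$1" >/dev/null 2>&1
}

# Probe; on failure restart, let the service settle, and probe again.
# Prints ok / restarted / restart-failed and returns 0 only for ok, so a
# cron job can mail the operator on anything else.
watchdog_check() {
    name="$1"; probe="$2"; restart="$3"
    if probe_service "$probe"; then
        echo ok
        return 0
    fi
    logger -t watchdog "$name failed functional probe, restarting" 2>/dev/null || true
    if sh -c "$restart" >/dev/null 2>&1; then
        sleep "${SETTLE_SECONDS:-3}"
        if probe_service "$probe"; then
            echo restarted
            return 1
        fi
    fi
    echo restart-failed
    return 1
}

# Constructed usage. Crontab entry running every minute, as in the thread:
#   * * * * *  root  /usr/local/sbin/watchdog web 'curl -fs http://localhost/' 'service apache2 restart'
# Samba variant for the "small firewalls and samba servers" case:
#   watchdog_check smb 'smbclient -N -L localhost' 'service samba restart'
```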
Re: Putting Apache, PHP, Tomcat and CGI in a jail
On Sun, Jan 05, 2003 at 01:16:31AM +0100, Javier Fernández-Sanguino Peña wrote:
> On Sat, Jan 04, 2003 at 09:00:45PM +0200, Martynas Domarkas wrote:
> > Hi, I'm currently trying to use makejail... it does not work very well.
>
> Could you elaborate more on this? I would like to know which issues you
> have come up with. Also, you might want to take a look at the (recent)
> Appendix added to the Securing Debian Manual on how to set up a chroot
> environment for Apache:
> http://www.debian.org/doc/manuals/securing-debian-howto/ap-chroot-apache-env.en.html

Cool, here are some more links,

http://penguin.epfl.ch/chroot.html
    apache chroot

http://www-106.ibm.com/developerworks/linux/library/l-freevsd.html
http://www.freevsd.org/
    freeVSD is an advanced web-hosting platform. It allows multiple Virtual
    Servers to be created on a single hosting server.

// George

--
GEORGE GEORGALIS, System Admin/Architect   cell: 347-451-8229
Security Services, Web, Mail,              mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.           http://www.galis.org/george