Re: [OT] Re: email notifications when users login
On Thu, Sep 21, 2006 at 03:37:56PM -0400, Morgan Walker wrote:
> Thanks Michelle, that worked perfectly. Is there an easy variable I could throw in there that you know off hand which would include the time (MM/DD/) as well?

Apart from the suggestions to use ${ date }, does the date of the mail not suffice?

Regards,
Horst
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: problem downloading security updates.
On Thu, Mar 30, 2006 at 12:03:59PM +0300, Cataract wrote:
> Hello there. I have a problem with the security packages. I cannot download them from debian.org. I use synaptic, and after the reload some packages say they fail to download. What can I do about it?

What does your sources.list (/etc/apt/sources.list) look like? Which packages fail to download? Which versions of these are actually installed?

regards
Horst
--
<devkev> yeah i saw the lightning gun and where you were going, thinking you were gonna kick some ass :)
<devkev> didnt realise it would be your own :)
Re: first A record of security.debian.org extremely slow
On Thu, Mar 02, 2006 at 10:36:16PM +0100, Marc Haber wrote:
> On Thu, Mar 02, 2006 at 08:06:48PM +0100, Florian Weimer wrote:
> > * Geoff Crompton:
> > > I'm also wondering if security.debian.org has enough resources for every single debian box on the planet checking it every X minutes.
> >
> > You can use the DSA posting as a trigger.
>
> Usually, cron-apt has already noticed that there is an update available before the DSA posting comes in. How would you implement the automatism to trigger the update on the incoming e-mail?

How about a procmail rule? There ought to be several ways to implement it; each one will have to rely on your mail server or procmail positively identifying a security announcement. Then you can
- make the procmail rule call "aptitude update; aptitude upgrade" directly, or
- save the mail to a special place and have some other program trigger the update (via a db, or perhaps FAM, or a cron job).

Greetings
Horst
--
The income tax has made more liars out of the American people than golf has. Even when you make a tax form out on the level, you don't know when it's through if you are a crook or a martyr. -- Will Rogers
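The "positively identifying a security announcement" step is where such a trigger stands or falls: both the List-Id and the Subject of an incoming mail are trivially forgeable, so whatever the trigger runs must be harmless when spoofed. The following is an added example (not code from the thread or from Debian) of a filter that procmail could pipe the raw mail into; the procmail recipe in the docstring, the script path, the List-Id value and the "[SECURITY] [DSA nnnn-n]" subject shape are assumptions to verify against your own copies of the announcements, and the sample mails are constructed.

```python
"""Trigger a fixed apt run when a Debian Security Advisory mail arrives.

Added example, not code from the thread or from Debian. It assumes procmail
hands the raw mail to this script on stdin with a recipe like (assumed):

    :0
    * ^List-Id:.*debian-security-announce
    | /usr/local/bin/dsa-trigger.py

The List-Id value and the "[SECURITY] [DSA nnnn-n]" subject shape are
assumptions; verify them against real announcements before relying on them.
"""
import email
import re
import subprocess
import sys
from email import policy

EXPECTED_LIST_ID = "debian-security-announce.lists.debian.org"   # assumed
SUBJECT_RE = re.compile(r"^\[SECURITY\]\s+\[DSA\s+\d+-\d+\]")

# Fixed argument vectors: nothing taken from the mail is ever passed to
# aptitude, so a forged announcement can at most cause an extra upgrade run
# against the repositories you already trust.
UPDATE_ARGV = ["aptitude", "update"]
UPGRADE_ARGV = ["aptitude", "-y", "upgrade"]


def is_security_announcement(raw_message):
    """Positively identify a DSA by list and subject shape.

    Both headers are trivially forgeable, so this is only fit to trigger an
    action that is harmless when spoofed, never to trust the mail's content.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    list_id = str(msg.get("List-Id", ""))
    subject = str(msg.get("Subject", "")).strip()
    if EXPECTED_LIST_ID not in list_id:
        return False
    # Anchored match: a reply quoting a DSA subject ("Re: [SECURITY] ...")
    # must not trigger anything.
    return SUBJECT_RE.match(subject) is not None


def plan_update(raw_message):
    """Return the argv lists to execute for this mail, or [] if not a DSA."""
    if not is_security_announcement(raw_message):
        return []
    return [list(UPDATE_ARGV), list(UPGRADE_ARGV)]


# Constructed sample mails (not real advisories).
DSA_MAIL = (
    "From: Debian Security Team <team@example.invalid>\n"
    "To: debian-security-announce@lists.debian.org\n"
    "List-Id: <debian-security-announce.lists.debian.org>\n"
    "Subject: [SECURITY] [DSA 9999-1] New example packages fix nothing\n"
    "\n"
    "(constructed body)\n"
)
REPLY_MAIL = DSA_MAIL.replace("Subject: [SECURITY]", "Subject: Re: [SECURITY]")
OTHER_LIST_MAIL = DSA_MAIL.replace(
    "<debian-security-announce.lists.debian.org>",
    "<debian-user.lists.debian.org>",
)
PLAIN_MAIL = "From: a@example.invalid\nSubject: lunch?\n\nhi\n"


if __name__ == "__main__":
    for argv in plan_update(sys.stdin.read()):
        subprocess.run(argv, check=True)
```

The design point is that the mail only decides *whether* the fixed command runs, never *what* runs; a reply that quotes a DSA subject, or a mail from another list with a copied subject, is rejected by the anchored match and the List-Id check. The upgrade itself still depends on your sources.list and on apt's own verification of the archive, not on anything in the triggering mail.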
Re: encrypt harddrive without passphrase/userinput
On Sun, Feb 26, 2006 at 10:11:44PM +0100, Mario Ohnewald wrote:
> Hello security list!
> I would like to secure the harddrive/partitions of a linux box. The whole setup must fulfill the following requirements:
> a) it must be able to boot (remotely) without user input/passphrase
> b) the important partitions such as /etc, /var, /usr and /home must be encrypted/protected.

I just ask myself why you bother encrypting a filesystem that will be accessible to anyone having access to the machine, since it boots without a password?

> Is this even possible? Is there a way?

Is it something you'd really want? Encrypting a filesystem is a protection against someone having physical access to the machine or the harddrive. If the machine (or the disk in another machine) boots without a password, you might as well _not_ encrypt it.

HIR (hope I'm right)
Horst
--
Real programmers don't bring brown-bag lunches. If the vending machine doesn't sell it, they don't eat it. Vending machines don't sell quiche.
Re: encrypt harddrive without passphrase/userinput
On Sun, Feb 26, 2006 at 11:17:56PM +0100, Florian Weimer wrote:
> * Horst Pflugstaedt:
> > I just ask myself why you bother encrypting a filesystem that will be accessible to anyone having access to the machine, since it boots without a password?
>
> You can return hard disks to the vendor for warranty claims even if they still contain sensitive data.

Even if the disk boots in another machine, thus revealing the sensitive data? If there is no protection for the encryption, encrypting a filesystem is just a useless waste of CPU time. As Jan pointed out: you need a secret for encryption.

g'night
Horst
--
No, no, I don't mind being called the smartest man in the world. I just wish it wasn't this one. -- Adrian Veidt/Ozymandias, WATCHMEN
Re: EAC - Armored Car and SUV Specialist - Incentives for Referral
On Fri, Nov 25, 2005 at 04:53:45PM -0500, Barry Hawkins wrote:
> Alexandr Rappoport wrote:
> > Hi, I have a client in Moscow who's looking to purchase two armored vehicles: Mercedes G500 and Mercedes S500 or S600. Please give me some prices to start with. Thanks, Sasha @ Rusway Inc.
>
> I think we have those as binary packages in unstable, but they have yet to make it into testing because of build issues with the engines on mips and mipsel.

I thought they were removed because of some patent issues with the 240PS engine.

regards
Horst
Re: RFS: libpam-abl - PAM module to blacklist hosts/users with many login failures
On Mon, Oct 10, 2005 at 04:44:13PM +0200, Nicolai Ehemann wrote:
> Hello!
> I just (err, over the last 4 or 5 days) created a (hopefully standards-compliant) package for the pam_abl PAM module. The pam_abl module provides a fully configurable way to automatically blacklist users and/or hosts with many login failures within specified intervals of time, so that any subsequent authentication attempt fails (without disclosing to the attacker that he is being blacklisted). As the number of password-guessing attacks on ssh servers on the net has grown strongly lately, I think this is a useful addition to security on hosts exposed to the net.

First off: I did not download or review the code, and in the next lines I will cross the border into wild guessing and sheer imagination...

What about a personalized DoS? If you have remote users on your machine that need to log in from the internet, and if any of those remote users has a common or, even worse(?), known login, a small botnet may lead to a DoS for that user: the attacker will just have to use enough different IPs to create false login attempts for that user to make you block valid logins from that user himself. Possibly a bad idea for a company with some road warriors...

The configuration and use of such a module should be thought over very thoroughly.

Kind regards
Horst
--
Murphy's Law is recursive. Washing your car to make it rain doesn't work.
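The lockout DoS described in that post is easy to see in a simulation. The following is an added example, not pam_abl's code: a minimal failed-login blacklist with a fixed-window counter, keyed either on the user name or on the source host. The limits, the window and the addresses are assumptions for illustration; twenty distinct hosts each fail once against a known login, then the legitimate user tries from her own address with the correct password.

```python
"""Simulate a pam_abl-style failed-login blacklist and show the lockout DoS
described above. Added example, not pam_abl's code: the fixed-window
counter, the limits and the addresses are assumptions for illustration."""
from collections import defaultdict


class LoginBlacklist:
    """Record failures per key; once `limit` failures fall inside `window`
    seconds, every attempt for that key fails, even with a correct password."""

    def __init__(self, limit, window, key_fn):
        self.limit = limit
        self.window = window
        self.key_fn = key_fn                 # (user, host) -> blacklist key
        self.failures = defaultdict(list)    # key -> failure timestamps

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return self.failures[key]

    def is_blocked(self, user, host, now):
        return len(self._recent(self.key_fn(user, host), now)) >= self.limit

    def attempt(self, user, host, password_ok, now):
        """Return True if the login succeeds."""
        if self.is_blocked(user, host, now):
            return False                     # blocked: fail without telling why
        if password_ok:
            return True
        self.failures[self.key_fn(user, host)].append(now)
        return False


def user_keyed():
    """Blacklist the *user* regardless of source host (the risky rule)."""
    return LoginBlacklist(limit=10, window=3600, key_fn=lambda user, host: user)


def host_keyed():
    """Blacklist the *source host* regardless of user."""
    return LoginBlacklist(limit=10, window=3600, key_fn=lambda user, host: host)


def botnet_then_victim(blacklist, victim="alice", bots=20):
    """`bots` distinct hosts each fail once against the victim's known login;
    then the victim logs in from her own address with the right password.
    Returns whether the legitimate login succeeded."""
    now = 0
    for i in range(bots):
        blacklist.attempt(victim, "198.51.100.%d" % (i + 1), False, now)  # TEST-NET-2
        now += 1
    return blacklist.attempt(victim, "203.0.113.7", True, now)           # TEST-NET-3


if __name__ == "__main__":
    print("user-keyed rule, victim can log in:", botnet_then_victim(user_keyed()))  # False
    print("host-keyed rule, victim can log in:", botnet_then_victim(host_keyed()))  # True
```

With the user-keyed rule the attacker needs only ten failures from anywhere to lock the account; with the host-keyed rule the same twenty failures leave the user untouched, because no single source crossed the limit. The flip side is that a host-keyed rule does nothing against a distributed guessing campaign that stays under the per-host limit, which is why the protection against such attacks has to come from the credentials themselves (keys, strong passwords) rather than from the blacklist.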
Re: Abwesenheit (absence)
On Fri, Sep 16, 2005 at 05:38:00PM +0200, Evgeni Golov wrote:
> On Fri, 16 Sep 2005 17:19:37 +0200 Peer Janssen [EMAIL PROTECTED] wrote:
> > Isn't sending such mails a security risk?
>
> Not only this. It's also quite annoying for the ML readers... I don't like these vacancy announcers. Think about what would happen if all the ppl sending these messages were subscribed to d-s too: their autoreply going through the list back to them and generating a new reply... and so on ;-(

Normally a reasonably configured autoresponder will only send this message once. So actually most of these ppl _are_ subscribed to d-s.

> > Badhearts (why should a black hat as such be a bad thing?) might take advantage of a sysadmin's absence to break into systems, houses, relationships, ...
>
> You're right.

Is he? I think the risk of potential harm is higher if people do _not_ know that you are not at work than if some people _do_ know you are not. Just think of a customer waiting for a reply to an email...

cya
Horst
--
The biggest problem with communication is the illusion that it has occurred.
Re: policy change is needed to keep debian secure
On Sat, Aug 20, 2005 at 06:15:57PM -0700, Alvin Oga wrote:
> i'd like to see various providers of apps ( *.deb ) and upgrades be listed on a single page http://updates.debian.org/Updates instead of hunting for it in yahoo/google

You know apt-get.org? Whoever wants to maintain a list of .deb repositories needs these to register. If you know a repository that cannot be found via apt-get.org, please ask the maintainer if he wants to submit his URL.

Regards
Horst
--
Because . doesn't match \n. [\0-\377] is the most efficient way to match everything currently. Maybe \e should match everything. And \E would of course match nothing. :-) -- Larry Wall in [EMAIL PROTECTED]
Re: On Mozilla-* updates
On Sun, Jul 31, 2005 at 10:29:46PM +0400, Nikita V. Youshchenko wrote:
> Requiring users to install an important component (which Mozilla is) from other sources is a bad idea in this context. I think it should not be the way Debian solves its problems.

In the case of mozilla this is not entirely true. I don't see any program depending on mozilla (and not belonging to the mozilla family) that cannot be made dependent on other browsers. So it might be possible to write a script or dummy package that only integrates an upstream mozilla into the current debian system (just like those scripts that do the same for the sun or ibm jre):
- user/admin installs mozilla from upstream
- installs mozilla-dummy
- runs `gimme-mozilla-upstream --make-it-default-browser`
- is - more or less - happy.

The job for Debian would then be to
- take care the script doesn't break anything
- take care it works with current releases of mozilla (as long as current mozilla runs on debian).

> > > (2). If binary incompatibility is detected, ...
> >
> > ... which is most probably going to happen...
>
> Do you have enough statistics to make this statement?

It happened to Mozilla and woody: upstream made mozilla depend on a newer libc. There was no way to install a new mozilla on old stable. As a matter of fact, things like this will happen again. It's just a matter of time.

> > > these packages should conflict with incompatible versions of all packages in Debian that depend on
> >
> > So you provide mozilla, but throw other packages away?
>
> Of course not. We should provide upgrades for all packages in the set at the same time.

This will be, as already has been said, a hard job, should one of these packages be one of the core libraries or packages (like libc, gnome-something or others). Some packages have a really huge set of dependencies, one way or the other.

g'night
Horst
--
Whistler: I want peace on earth and good will toward man.
Abbott: Oh, this is ridiculous!
Bishop: He's serious.
Whistler: I want peace on earth and goodwill towards men.
Abbott: We're the United States Government! We don't do that sort of thing!
Bishop: You're just gonna have to try.
Abbott: All right, I'll see what I can do!
Whistler: Thank you very much. That's all I ask.
Re: Debian Security Support in Place
On Fri, Jul 08, 2005 at 09:33:29AM -0400, Phillip Hofmeister wrote:
> On Fri, 08 Jul 2005 at 01:58:40AM -0400, Martin Schulze wrote:
> > The security team will continue to support Debian GNU/Linux 3.0 alias woody until May 2006, or if the security support for the next release, codenamed etch, starts, whatever happens first.
>
> Now I LOVE Debian a lot. It is my favorite distro, and I hope this isn't seen as a flame. But, two Debian releases in one year? That's kind of funny *grins*.

IIRC security support for sarge started before its release.

Horst.
--
For I perceive that behind this seemingly unrelated sequence of events, there lurks a singular, sinister attitude of mind. Whose? MINE! HA-HA!
Re: safety of encrypted filesystems
On Fri, Jun 17, 2005 at 09:03:57AM +0200, martin f krafft wrote:
> thus spoke Florian Weimer [EMAIL PROTECTED] [2005.06.17.0848 +0200]:
> > These are *cipher* blocks, and they are chained only within a *block device* block.
>
> Who guarantees that? If cipher block CB_x depends on CB_(x-1), then CB_last will indirectly depend on CB_first. If the data are large enough to span multiple block device blocks, damage to the beginning of the cipherfile makes the rest of the file unusable, no?

Wouldn't it be possible to test that? Scenario: encrypt /dev/hda7, mount, fill it with some hundred small files (with known content), unmount, change one bit/byte/block on /dev/hda7 (using dd), remount, look for the remaining files and their contents. I can imagine this might work; errors don't have to be implemented in hardware, do they?

Greetings
Horst
--
... I don't know why but, suddenly, I want to discuss declining I.Q. LEVELS with a blue ribbon SENATE SUB-COMMITTEE!
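The experiment proposed in that post can be run entirely in software, and it answers the question from the quoted message directly. The following is an added example, not code from the thread: it encrypts a small "device" sector by sector in CBC mode, flips one ciphertext bit as `dd` would, decrypts, and lists the plaintext blocks that came back wrong. A four-round Feistel network built on HMAC-SHA256 stands in for the real block cipher (an assumption that does not affect the result, since CBC's error propagation is the same for any block cipher), and the per-sector IV is the sector number, the shape of dm-crypt's "plain" IV mode (also an assumption). It goes one step beyond the post by also checking that damage never crosses a sector boundary.

```python
"""Run the experiment Horst proposes, in software: encrypt a small 'device'
sector by sector in CBC mode, flip one ciphertext bit, decrypt, and list
which plaintext blocks came back wrong.

Added example, not from the thread. A 4-round Feistel network built on
HMAC-SHA256 stands in for the real block cipher (assumption: any block
cipher gives the same propagation pattern), and the per-sector IV is the
sector number, the shape dm-crypt's "plain" IV mode uses (assumption)."""
import hashlib
import hmac

BLOCK = 16      # cipher block size in bytes (AES-sized)
SECTOR = 512    # block-device block size; the CBC chain restarts here


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key, block):
    """Toy 16-byte block cipher (Feistel, 4 rounds). Not for real use."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def sector_iv(n):
    return n.to_bytes(8, "little") + bytes(8)


def encrypt_device(key, plain):
    out = bytearray()
    for s in range(len(plain) // SECTOR):
        prev = sector_iv(s)                     # fresh chain for every sector
        sector = plain[s * SECTOR:(s + 1) * SECTOR]
        for i in range(0, SECTOR, BLOCK):
            prev = toy_encrypt_block(key, _xor(sector[i:i + BLOCK], prev))
            out += prev
    return bytes(out)


def decrypt_device(key, cipher):
    out = bytearray()
    for s in range(len(cipher) // SECTOR):
        prev = sector_iv(s)
        sector = cipher[s * SECTOR:(s + 1) * SECTOR]
        for i in range(0, SECTOR, BLOCK):
            block = sector[i:i + BLOCK]
            out += _xor(toy_decrypt_block(key, block), prev)
            prev = block
    return bytes(out)


def damaged_blocks(key, plain, byte_offset):
    """Flip one bit at byte_offset of the ciphertext (what `dd` would do to
    /dev/hda7) and return the indices of plaintext blocks that no longer
    match the original."""
    cipher = bytearray(encrypt_device(key, plain))
    cipher[byte_offset] ^= 0x01
    recovered = decrypt_device(key, bytes(cipher))
    return [i for i in range(len(plain) // BLOCK)
            if recovered[i * BLOCK:(i + 1) * BLOCK] != plain[i * BLOCK:(i + 1) * BLOCK]]


# Constructed test device: four sectors of known content and a fixed key.
KEY = b"constructed-demo-key-not-secret!"
PLAIN = bytes(range(256)) * 8        # 2048 bytes = 4 sectors = 128 cipher blocks

if __name__ == "__main__":
    assert decrypt_device(KEY, encrypt_device(KEY, PLAIN)) == PLAIN
    print(damaged_blocks(KEY, PLAIN, 0))            # [0, 1]
    print(damaged_blocks(KEY, PLAIN, SECTOR - 1))   # [31]
```

A single corrupted ciphertext block ruins exactly that plaintext block and flips one bit in the next one; every later block decrypts correctly, because in CBC each plaintext block depends only on its own ciphertext block and the previous ciphertext block, not on the whole chain. And since the IV is rederived per sector, corruption in the last block of a sector does not even reach the next sector. The same locality is what makes CBC malleable against a deliberate attacker, which is a separate concern from the accidental damage discussed here.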
Re: A question about : [Fwd: JULY 6th Lead Training 3 tips for working leads]
On Thu, Jul 08, 2004 at 06:39:50AM +0200, Mezig wrote:
> Phillip Hofmeister wrote:
> > You should start by updating any Bayesian filters you have on your machine and then deleting the message. After you have done this you

I always keep my spam archived in a separate mailbox; it's good for training new machines.

> By the way, have you a good link about bayesian filters..? My spamassassin is very cheap, as is my english :( ! I can read a little post, not a whole documentation!

I don't know any French documentation. To train your spamassassin you can sort all your spam into a single mailbox file and then do a

  sa-learn --spam --mbox /path/to/file

which makes sa learn that all mails in that file are to be recognized as spam. For good training you may need lots of spam and lots of ham (ask your friends for samples; sa-learn --ham ... makes sa learn 'nice' mails). Configuration is up to you.

> To end, I thought someone could make something special against such a post. Sorry, my mistake :(!

AFAIK there is already a working spam filter installed for the ML. That's why there are not really many spam mails here. There's always a chance spam slips through.

HTH
Horst
--
#debian.de
<stoffel_> what became of sex, drugs and rock'n'roll?
<Lam_al_Adie> stoffel_: Dieter Bohlen, Harald Juhnke and Peter Kraus?
Re: full disclosure, or not?
On Sun, Jun 27, 2004 at 01:43:45PM +0200, martin f krafft wrote:
> thus spoke Horst Pflugstaedt [EMAIL PROTECTED] [2004.06.26.2155 +0200]:
> > What would be the alternative? The security team would have to announce "there's a possible security flaw in package XY, we're on it, but it may take some more days to fix it". What's the worth of such announcements? Users (you'd) know about a bug, but still could not do anything about it. After all, I'd strongly object to my web-host/ISP/sysadmin/... switching off apache/php/ssh/name-whatever-tool-you-really-need because they have heard of a yet unfixed security problem.
>
> That's a thing of your webhoster. But if I knew of e.g. a root exploit in the HTTP part of a mission-critical server containing secret data, I want to turn it off, or take additional security precautions, like a firewall layer etc.

If you can do so... you cannot switch off mission-critical services. (I'd love to see amazon/google/whoever switch off the webserver.) Firewalling only helps if you find a way to differentiate 'good' from 'bad' packets to your service. What if iptables had a security flaw? I expect you are doing as much as you can to secure your system. The rest is hoping that's enough.

> Not knowing about it doesn't mean that the bad guys don't know about it. And if the bad guys found out before you, they wouldn't tell.

I don't know the translation for the German saying... waking up a sleeping dog. What else would a public announcement do? A no-delay announcement of security issues would be a more dangerous threat to sites running that software than a policy of first developing a patch and then offering an instant solution. Not everybody has the capabilities to react in an appropriate way to a known but unfixed sec-issue.

kind regards
Horst

Last post for me. I'm no member of the security team, nor am I a developer. I don't know the earlier discussions, but these would have been my points. I can understand the wish to be up-to-date on security issues.
--
#debian.de
<stoffel_> what became of sex, drugs and rock'n'roll?
<Lam_al_Adie> stoffel_: Dieter Bohlen, Harald Juhnke and Peter Kraus?
Re: full disclosure, or not?
On Sat, Jun 26, 2004 at 02:39:02PM +0200, martin f krafft wrote:
> anything from its users. If a root exploit is out there, users want to know about it. Keeping it a secret is childish.

What would be the alternative? The security team would have to announce "there's a possible security flaw in package XY, we're on it, but it may take some more days to fix it". What's the worth of such announcements? Users (you'd) know about a bug, but still could not do anything about it. After all, I'd strongly object to my web-host/ISP/sysadmin/... switching off apache/php/ssh/name-whatever-tool-you-really-need because they have heard of a yet unfixed security problem.

So what is the official procedure of the security team? I guess it's "work as hard as possible to fix it as soon as possible and then release a fix on d.s.o".

good night
Horst.
Re: BF kernels (was: [DSA 479-2] New Linux 2.4.18 packages fix local root exploit (i386))
On Sat, Apr 17, 2004 at 10:00:23AM -0400, Michael Stone wrote:
> On Thu, Apr 15, 2004 at 08:19:24PM +1000, Joshua Goodall wrote:
> > In other words, people are ready to pounce, and that short gap of time after server installation and before installing patched code cannot be considered safe. Quite the opposite.
>
> Note that if you're doing a network install you can point to security.d.o and never have any vulnerable network services installed on the machine.

Let's rather say "never have any network services with known vulnerabilities installed although an upgrade already is available". But, well, that is already a little off topic.

Horst
--
If your only tool is a hammer, every problem looks like a nail.
Re: Fwd: Re: [ox-en] Walther
On Wed, Feb 25, 2004 at 02:47:57PM -0800, Jonathan Walther wrote:
> I have never endorsed any particular political point of view while using my debian.org address. I feel rather uncomfortable with the way the thread has been going; could you clarify whether you meant that I actually had done such, or just that it was a bad idea for anyone to do it?

Hi Jonathan,

I understood you had done such a thing. If the criticized posting did not come from your debian.org address, I'm sorry and I apologize. As I also said in my posting, you are free to think, say and be what you like. Everyone should be. As long as one keeps politics out of debian, fanatics are a problem of the world, not debian-specific.

Horst.

I hope that was clarification enough for everyone. I hope we can stop this discussion, since I understand it has been through already.
--
Join the army, see the world, meet interesting, exciting people, and kill them.
Re: Fwd: Re: [ox-en] Walther
On Wed, Feb 25, 2004 at 03:41:13PM +, Dale Amon wrote:
> Yes, as long as his personal beliefs are kept outside of Debian. I think a severe warning to keep his politics outside of Debian would be sufficient.

I do strongly disagree with his personal thoughts, but I must grant him the right to be whatever as*#§$ he likes. Be it so.

Just one more point: I think keeping politics and extremist declarations outside Debian also means that he/we should not declare such thoughts using official debian mail addresses. Using corporate addresses means assigning those declarations to debian and thus putting politics _inside_ debian. So, feel free and feel encouraged to participate in political discussion and decision-making, but make sure to do this with your private address, or make sure that your opinion is supported by the community. Using corporate mail for declaring thoughts contrary to corporate politics/views is - iirc - good reason for a layoff in all countries.

Regards
Horst.
--
Join the army, see the world, meet interesting, exciting people, and kill them.
Re: Firewall: Need Advice
On Sat, Feb 07, 2004 at 10:38:51AM +0200, EErdem wrote:
> Hi, I've been using iptables (or I assume that). But at boot time it gives an error: "Aborting iptables load: unknown rulesets active". I

You should first try to find out what ruleset iptables tries to load at boot time (go find /etc/init.d/firewall or /etc/init.d/iptables or something like that...). When you have found out which ruleset wants to be loaded at boot time, you should use your knowledge of iptables to find the error :-)

> couldn't find the problem. I searched via google, and found dpkg-reconfigure iptables. But it didn't help. I read a lot of iptables documents. But I think I lost some points, because I don't understand something. Before this I want to ask: do I need a firewall? Yes, I know this is

Yes, you do need a firewall. A firewall is a big help to keep others outside your system. It's a help to detect attacks. It's a big help to anyone concerned about security.

> a very important tool for those who take care about security. And I can say I'm paranoid about security. But all of my ports are closed. There isn't any service listening. But sometimes I need httpd and ssh.

And you probably have installed exim (smtpd), a nameservice caching daemon (dns)... The fact that on most of your ports no service is listening does not mean they're closed... they are only not used. You need a firewall to actively close them to the world.

> This machine shares an internet connection with a small network. So I have to be careful about this.

Yes. Right. Be careful and use iptables. Use the force, Luke :-)

Horst.
Re: security of apt
On Sun, Jan 25, 2004 at 04:12:59PM +0100, Erik Hjelmås wrote:
> Hi, I've spent a few hours searching; what I'm looking for is a discussion of different security aspects of apt, questions like
> - What are the possible threats in terms of ip spoofing, dns cache poisoning? (are there any solutions in terms of PKI (PGP) or similar discussed somewhere?)

That issue is the same as for every web-based download. apt-get relies on your sources.list, which according to man sources.list currently knows entries for http, ftp, cd-rom and file. So apart from cd-rom, you ask for the security of http, ftp and i.e. nfs or any other remote-mountable filesystem.

Horst.
--
Join the army, see the world, meet interesting, exciting people, and kill them.
Re: get error: /bin/sh: line1: myfilter: command in boot messages...
On Wed, Jan 21, 2004 at 02:11:39PM -0500, Walter Tautz wrote:
> #! /bin/sh
> [...]
> which DOES work. I wonder why it's complaining about the line "#! /bin/sh" during the boot messages. Note no such output is in dmesg.

Hi,
ever tried the line "#!/bin/sh"? All my scripts seem to lack the space. Hope I'm right :-)

Horst.
--
Join the army, see the world, meet interesting, exciting people, and kill them.
Re: secure file permissions
On Sun, Dec 07, 2003 at 09:27:04AM +0100, mi wrote:
> Hello,
> Can you tell me what are the default permissions for /etc/group and /etc/passwd?

%--(6)--$ ls -l /etc/passwd
-rw-r--r--    1 root     root         1276 17. Sep 22:57 /etc/passwd

> I restricted them to rw for root only, but some things like exim (and possibly dpkg?) seem to need read access there too. What's recommended?

Unless you didn't enable shadow passwords, the default ought to be safe. /etc/passwd 'only' tells names and login shells. Not really much to worry about, is it?

Horst
--
Join the army, see the world, meet interesting, exciting people, and kill them.
Re: loggin with iptables, syslog problem
On Sat, Aug 30, 2003 at 09:58:58PM +0200, Rudy Gevaert wrote:
> Hello,
> But nothing gets logged to /var/log/iptables... It does show in dmesg... How can I correctly redirect logs with level debug to the /var/log/iptables file?

Perhaps it's not quite the answer you expected... I'm using syslog-ng because I found it much more adjustable. You can set up rules with regexps... Simply logging messages with log-level 'debug' may give you more entries in that special log file than you might want!

Regards
Horst.
--
Have you noticed the way people's intelligence capabilities decline sharply the minute they start waving guns around? -- Dr. Who
Re: help with firewall
On Wed, Jul 02, 2003 at 11:38:57PM +0200, [EMAIL PROTECTED] wrote:
> Hi, can anyone help me with this firewall? I would like to change INTNET=192.168.0.0/24 to more exact IPs like 192.168.0.1, 192.168.0.22 and so on.

You will either have to rewrite every rule matching 192.168.0.0/24 to match every single host - so 10 hosts make ten rules - or you switch to a smaller subnet, e.g. 192.168.0.0/27 going from IP 192.168.0.1 to 192.168.0.30 with a broadcast of .31. The latter only leaves fewer free IPs in your subnet, but will help to reduce work.

Regards
Horst
--
Have you noticed the way people's intelligence capabilities decline sharply the minute they start waving guns around? -- Dr. Who
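The two options in that reply, one rule per host or one covering subnet, trade rule count against how many unlisted machines the rule also admits. The following is an added example (not from the thread) that works both out with the standard library: it collapses a host list into the smallest exact set of CIDR blocks, finds the single covering prefix, and counts the addresses that prefix admits beyond the ones asked for. The host list, the FORWARD rule template and the outside interface name are constructed for illustration.

```python
"""Per-host rules versus a covering subnet for INTNET, the two options
given above, worked out with the standard library. Added example, not
from the thread; the host list and rule template are constructed."""
import ipaddress


def exact_networks(hosts):
    """Smallest set of CIDR blocks covering exactly the listed hosts."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_address(h) for h in hosts))


def covering_supernet(hosts):
    """Single smallest prefix containing every listed host (the /27 shortcut)."""
    addrs = sorted(ipaddress.ip_address(h) for h in hosts)
    net = ipaddress.ip_network(str(addrs[0]))
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def extra_hosts(hosts, net):
    """Usable addresses inside net that were not asked for: every one of them
    is a machine the shortcut rule would also let through."""
    wanted = {ipaddress.ip_address(h) for h in hosts}
    return [a for a in net.hosts() if a not in wanted]


def rules(networks, template="iptables -A FORWARD -s {src} -o ppp0 -j ACCEPT"):
    """Render one rule per network; ppp0 as the outside interface is assumed."""
    return [template.format(src=n.with_prefixlen) for n in networks]


# Constructed LAN: five hosts scattered over 192.168.0.0/24.
HOSTS = ["192.168.0.1", "192.168.0.22", "192.168.0.5", "192.168.0.6", "192.168.0.7"]

if __name__ == "__main__":
    for r in rules(exact_networks(HOSTS)):
        print(r)
    net = covering_supernet(HOSTS)
    print(net.with_prefixlen, "admits", len(extra_hosts(HOSTS, net)), "unlisted hosts")
```

For these five hosts the exact form needs four rules (the adjacent .6 and .7 collapse into 192.168.0.6/31), while the single covering prefix is the 192.168.0.0/27 from the reply, which also admits 25 addresses nobody listed. Whether that is acceptable depends on who can plug a machine into the LAN; on current kernels ipset lets you keep one rule and an exact host list at the same time.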
Re: port forwarding issues
On Tue, Jul 01, 2003 at 05:52:35PM +0200, Peter A. Felvegi wrote:
> hello!
> i'm about to set up port forwarding on a firewall to be able to reach some hosts on the lan from the outside. i wish to use iptables prerouting rules. my question is, is there a way to detect the port forwarding, and/or get info about the host i forward to (ip address mainly)? i mean: is an outsider able to do this? supposing that the service i reach is free of bugs. as of my understanding of prerouting, this is not likely.

If I understood correctly, there's several ways to detect port-forwarding. One may be a slightly lower TTL of packets coming from the 'forwarded' box, another may be a port-scan announcing (port 80) Linux as server OS and an IIS as web-server. The internal IP of the forwarded host will most surely remain unknown to an outsider unless he manages to get _in_side.

greetz
Horst
Re: idea for improving security
On Tue, May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> Hi,
> I'm not sure whether this idea has been considered or implemented anywhere, but I have been thinking about it, and believe it would provide a fairly high level of security for systems which only run a few public services. The gist of it is this: incorporate functionality into inetd/xinetd/rinetd which listens for a predefined sequence of connection attempts on certain ports. Upon noticing the correct sequence (as specified somewhere in the config file), it opens up certain ports (i.e. SSH) for a specified amount of time or for the next connection attempt only. The parameters which could be set in the config file would be:
> 1) the trigger sequence (an ordered list of port numbers)

What happens if another port is being connected during your transmission of the 'trigger-connects'?

> 2) the port(s) to make available upon receiving this trigger sequence
> 3) whether the ports to be made available are available for
> a) the next n connections only,

What if someone else tries to connect exactly this one time?

> and/or b) the next n minutes

What happens if you need more(tm) time?

> 3) how long to disable watching for the sequence after an invalid sequence has been detected.

How do you define an invalid sequence? How would you determine whether someone else tries to trigger your port or is simply scanning you?

I'd rather work with some other mechanism like granting access to/from one single IP/port. You might for example realize this with two encrypted emails where the server-generated mail includes some random data (for extra security) and the client-generated mail includes the client's IP... The attacker would have to spoof the client IP and would have to have access to the client's ssh keys _and_ pgp/gnupg keys... I guess you'd have to be quite paranoid to see this as unsafe...

> makes a connection to 4385, this would invalidate the sequence) -- if these trigger-sequence ports are all connected to in order (and the disable-sequence-listen timeout has elapsed), then port 22 becomes open to connect to.

You'll have to rely on many people not trying to connect to your magic ports while you don't want them to...

> Unless the hacker is on the same subnet that you (or your gateway) are on, it would seem a very difficult task for him/her to determine what the magic port-connection sequence is, and with appropriately chosen disable-sequence-listen timeouts, brute force techniques would seem pretty impractical.

Yes, brute-force cracks will be fairly inefficient, but a simple DNS will keep you off that machine as well. Another solution might be even better... some spare hardware granted, you might want to take a dial-in solution.

just my few cents.
Horst.
(no security expert at all. so read and think twice before you agree to my opinion.)
Re: Secure remote syslogging?
On Wed, Apr 23, 2003 at 07:43:36PM +0200, Stefan Neufeind wrote:
> Hi,
> what is the best way to remotely syslog? In RE: HELP, my Debian Server was hacked! by James Duncan he wrote to use syslog to log locally AND remotely. This is a good idea. But I wonder how to make it safe. Let's say I have two servers. Each could keep a second, separate log as backup-log of the server. But how do I make it secure that there can't exist any log-entries somebody faked into our remote-syslog-file?

I don't know much about security issues for this one, but you might want to take a look at syslog-ng... As far as I understand, syslog(-ng) just collects the kernel messages and writes them (more exactly: appends them) to a specified file. If you log into another server you have another instance of syslog running on that one which is collecting the messages that were given to it. An attacker needs to gain access to that file to remove treacherous messages which were collected while he tried to break in. So when these messages were passed to another machine, the attacker will have to crack the other box as well.

Best regards
Horst.
Re: Firewall Logs on Dialup Server
Hi

On Sun, Apr 13, 2003 at 12:14:32PM +0200, Kay-Michael Voit wrote:
> Hi,
> how do you suggest dealing with firewall logs from a computer which is connected through a dialup connection? For I receive a new IP every 24 hours, my logs are full of P2P connection attempts. How can I log iptables LOG outputs somewhere different from the standard output? And is there any program which I can view them properly formatted with?

I tried my logging rules with '--log-prefix IPTables DROP:' and use syslog-ng to filter them. If you google for iptables and syslog-ng there's some more help. What _I_ didn't figure out is how to stop iptables from logging to standard out; syslog-ng seems only to additionally write it to my specified file.
Re: Firewall Logs on Dialup Server
On Fri, Apr 18, 2003 at 03:19:34PM +0200, Emmanuel Lacour wrote:
> On Fri, Apr 18, 2003 at 12:54:19PM +0200, Juerg Schneider wrote:
> > On Friday, 18 April 2003 11.16, Horst Pflugstaedt wrote:
> > > Hi
> > > I tried my logging rules with '--log-prefix IPTables DROP:' and use syslog-ng to filter them. If you google for iptables and syslog-ng there's some more help. What _I_ didn't figure out is how to stop iptables from logging to standard out; syslog-ng seems only to additionally write it to my specified file.
> > Right, this is done by klogd. man klogd
> I typically add -c 4 in KLOGD (/etc/init.d/klogd) to avoid the iptables logging to console.

Thanks a lot for all your help. I tried again with 'man iptables' and found an extra option: --log-level level. Since I do not want to stop other messages with priority 4 (warning) from appearing on my console I needed to find other means to help me. '--log-level debug' in my iptables logging rules seems to become my friend. (You may find the log-levels and their numeric values in /usr/include/linux/kernel.h.)

With best regards
Horst.
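An added example (not from the thread, and not anyone's posted script) for the other half of Kay-Michael's question, viewing the entries "properly formatted": a POSIX sh/awk filter over kernel log lines carrying the '--log-prefix IPTables DROP:' tag used above, as syslog-ng would route them into /var/log/iptables. The sample lines are constructed; hostnames, interface names and addresses are made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarise kernel log lines written by
# iptables LOG rules that carry the prefix used above ('IPTables DROP:'), the
# kind of lines syslog-ng would route into /var/log/iptables. Gives a quick
# per-source/per-port view of what the rules are dropping.

# Constructed sample, formatted as klogd/syslog-ng write iptables LOG entries;
# the last two lines are unrelated kernel/daemon noise that must be ignored.
SAMPLE_LOG='Apr 13 12:01:02 gw kernel: IPTables DROP: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=113 ID=4711 DF PROTO=TCP SPT=3456 DPT=4662 SYN URGP=0
Apr 13 12:01:03 gw kernel: IPTables DROP: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=113 ID=4712 DF PROTO=TCP SPT=3457 DPT=4662 SYN URGP=0
Apr 13 12:01:05 gw kernel: IPTables DROP: IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=40 TTL=52 ID=1 PROTO=UDP SPT=6257 DPT=6257 LEN=20
Apr 13 12:01:06 gw kernel: eth0: link up
Apr 13 12:01:07 gw sshd[123]: Accepted publickey for horst from 192.0.2.10 port 51234 ssh2'

# iptables_log_summary PREFIX  (log text on stdin)
# Prints "count src proto dport" per distinct tuple, most frequent first.
# Lines without the prefix are skipped, so other kernel messages do not count.
iptables_log_summary() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# drops_from IP  (log text on stdin): total dropped packets from one source,
# e.g. to feed a threshold check from cron.
drops_from() {
    iptables_log_summary "IPTables DROP:" | awk -v ip="$1" '$2 == ip { n += $1 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | iptables_log_summary "IPTables DROP:"
```

On a real box, replace the constructed sample with `iptables_log_summary "IPTables DROP:" < /var/log/iptables`; the prefix string must match the one in the LOG rule exactly.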
Re: iptables forwarding to inside firewall
> Working on running a SMTP server inside the firewall that takes incoming SMTP traffic from outside the firewall. The below rules are not working. The firewall refuses connections. Any input on what's wrong? Thanks,
> internal mailserver = 192.168.1.2
>
> #$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
> #-s 0/0 \
> #--dport smtp -j DNAT --to-destination 192.168.1.2:25

This rule looks fine... you might want to replace the IP with $SMTP_HOST where SMTP_HOST=192.268.1.2

> #$PROG -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
> #-o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport smtp \
> #-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I guess you won't need RELATED if you don't want your server to start a new connection... there's either a new request for a connection or an established connection.

> #$PROG -A FORWARD -i $NIC_INTERNAL -s 192.168.1.2 \
> #-o $NIC_EXTERNAL -d 0/0 -p tcp \
> #-m state --state ESTABLISHED,RELATED -j ACCEPT

I'd add a --sport 25 to this rule... Are you sure this is your firewall refusing the connection? I'm really just beginning to work with iptables but from what I know or understand this is correct... Have you tried some extra logging? Where don't the packages go through?

There's a great tutorial covering iptables: http://iptables-tutorial.frozentux.net

Regards,
Horst.
Re: Invalid Archive Signatures
On Wed, Jan 22, 2003 at 06:49:17PM -0600, Hanasaki JiJi wrote:
> eterm and feh, on sarge, are reporting invalid archive signatures of their dependencies. I have tried the US and Japan mirrors.

As Jan Niehusman stated about two days ago: I assume this is because the 2002 Archive Signing Key has expired on 2003-01-18, and the 2003 key has not yet been installed for security.debian.org. So, while this is obviously a bad situation, it's probably not an attack on our servers.

Regards
Horst.
-- 
What do you have when you have six lawyers buried up to their necks in sand? Not enough sand.
Re: I'm searching for a network wide system update tool
On Sun, Jan 19, 2003 at 12:45:03PM +0100, Ivo Marino wrote:
> Hello debian-security folks,
> I'll post my question on this mailing list in the hope to find some interesting pointers and I'm quite sure someone in here has or has already solved my same problems. Well, I admin different Debian GNU/Linux stable machines on different networks, each time a new security update comes out from the DSA I actually update by hand via ssh all the Debian GNU/Linux servers in my network.

Although a cron-job is generally seen as insecure you might think about one local repository for downloaded .debs which you could use for all your other servers to use for a cron'd update/upgrade.

> Any suggestions?

Greetings
Horst.
-- 
Up against the net, redneck mother, Mother who has raised your son so well; He's seventeen and hackin' on a Macintosh, Flaming spelling errors and raisin' hell...
Re: unsubscribe
On Fri, Nov 15, 2002 at 06:46:25PM +0100, Thomas Horsten wrote:
> Are you thick or what?

The last days it seems to me that those unsubscribe-messages more and more become a security problem (health risk) to the remaining members of this list... Calm down, please. Need some valium? :-)

Greetings
Horst.

ps: anybody out there to translate what pebble wrote?

> On Fri, 15 Nov 2002, Stone wrote:
> > Pozdrawiam
> > Stone
> > [EMAIL PROTECTED]
> -- 
> WildCode: Mercury, isn't debugging X a little like finding perfectly bugfree code in windows ??
> Mercury: WildCode: Debugging X is like trying to run a straight line through a maze.
> Mercury: You just need to bend space-time so that the corners move around you and you won't have any problems. (=:]