Re: question about SSH / IPTABLES

2003-01-23 Thread InfoEmergencias - Luis Gómez
On Thu 23 Jan 2003 13:45, DEFFONTAINES Vincent wrote:
> 2. Mount /home, /tmp and any other place users might have write access on
> with the "noexec" switch, so they can only use binaries installed (and
> allowed to them) on the system.

Beware that noexec can be easily cheated:

<-->
adelita:/tmp# dd if=/dev/zero of=mypartition bs=512 count=4K
4096+0 records in
4096+0 records out
2097152 bytes transferred in 0.034112 seconds (61478483 bytes/sec)
adelita:/tmp# mkfs.ext2 mypartition
mke2fs 1.30-WIP (30-Sep-2002)
mypartition is not a block special device.
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
256 inodes, 2048 blocks
102 blocks (4.98%) reserved for the super user
First data block=1
1 block group
8192 blocks per group, 8192 fragments per group
256 inodes per group

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 20 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
adelita:/tmp# mkdir mounted
adelita:/tmp# mount mypartition mounted/ -o loop,noexec
adelita:/tmp# cd mounted/
adelita:/tmp/mounted# cp /bin/ls .
adelita:/tmp/mounted# ./ls
-su: ./ls: Permission denied
adelita:/tmp/mounted# /lib/ld-linux.so.2 ./ls -la
total 74
drwxr-xr-x    3 root root  1024 Jan 24 03:39 .
drwxrwxrwt    9 root root   416 Jan 24 03:37 ..
drwx------    2 root root 12288 Jan 24 03:37 lost+found
-rwxr-xr-x    1 root root 59592 Jan 24 03:39 ls
<--->
That's the common proof of concept for the fact that noexec is (almost) 
useless.

> You may also want to prevent users to run other programs such as telnet,
> ping, nc, traceroute and so many others...

...and so many others that, simply, you can't. Either deny every kind of 
traffic originating from your machine, or give up :-(

Regards

Pope

-- 
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
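
The defender's takeaway from the exchange above is that noexec is one hardening layer, not a control on its own, and that it is only worth anything when every user-writable filesystem actually carries it together with nosuid and nodev. The following is an added example, not code from the thread: a POSIX sh audit that reads /proc/mounts-format lines and reports user-writable mountpoints missing any of the three options. The sample mount table and the list of mountpoints treated as user-writable are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the mount options of
# filesystems where unprivileged users can write. Input is /proc/mounts
# format; the sample below is constructed for this example.

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0'

# Mountpoints assumed to be user-writable on a typical Debian host.
USER_WRITABLE_MOUNTS="/home /tmp /var/tmp /dev/shm"

# has_opt OPTS OPT: succeed if OPT appears in the comma-separated list OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# is_user_writable MNT: succeed if MNT is listed in USER_WRITABLE_MOUNTS.
is_user_writable() {
    for m in $USER_WRITABLE_MOUNTS; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# audit_mounts: read /proc/mounts lines on stdin and print one line per
# user-writable mount that lacks any of nosuid, nodev, noexec.
# Exit status 0 when every such mount carries all three, 1 otherwise.
audit_mounts() {
    problems=0
    while read -r _dev mnt _fstype opts _rest; do
        is_user_writable "$mnt" || continue
        missing=""
        for o in nosuid nodev noexec; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "$missing"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Stand-alone run against the constructed sample. On a live system use:
#   audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts \
    || echo "some user-writable mounts are not fully hardened"
```

On the sample, /home, /var/tmp and /dev/shm are reported and the function exits non-zero; /tmp passes. Because the post shows the noexec option being sidestepped with the dynamic loader, a clean result from this check says only that the mount layer is configured as intended, not that users cannot run their own code.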



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: X Security Issues? [SOLVED]

2002-11-20 Thread InfoEmergencias - Luis Gómez
On Wed, 20-11-2002 at 03:35, Edward Guldemond wrote:
> Actually, I noticed something interesting when I was testing this out
> on my home box.  When I used "startx", X didn't listen on TCP.  When I
> used xinit, it did.  I guess that xerverrc only gets read when you use
> startx.

IIRC, they advise of that when debconf'ing some X packages

Regards

Pope

-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc




RE: Apache 1.3.27 is out...

2002-10-04 Thread InfoEmergencias - Luis Gómez
On Fri, 04-10-2002 at 10:36, STOJICEVIC Edi EXPSIA wrote:
> Does a deb already exist for this new version ?

Not yet, I guess. At least officially:
Reading Package Lists... Done
Building Dependency Tree... Done
Reading Package Lists... Done
Building Dependency Tree... Done
Calculating Upgrade... Done
0 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.


-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc




Re: debian-security-announce-$lang@lists?

2002-08-14 Thread InfoEmergencias - Luis Gómez
On Wed, 14-08-2002 at 11:03, Javier Fernández-Sanguino Peña wrote:
>   I do not see the benefit of this "push" method if we take in
> account that we already provide an RDF channel for advisories and users
> can configure their user agents (like Evolution) to retrieve them
> automatically.

Hey, I knew nothing about it - Where can I learn more about polling such
info with Evolution?

Thanks!

Pope
 
-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc



Re: snort error starting

2002-07-19 Thread InfoEmergencias - Luis Gómez
On Fri, 19-07-2002 at 19:53, Phillip Hofmeister wrote:
> On Fri, 19 Jul 2002 at 09:33:14AM -0700, Jeff wrote:
> > # /etc/init.d/snort start
> > /etc/init.d/snort: var: command not found
> > 
> Looks like a bug in the init script.  If I had Snort/woody I would look at it.
> Someone can probably make the changes, make a patch and file a bug with the 
> patch flag set...

I have 3 occurrences of "var" in my /etc/init.d/snort:
adelita:~# grep "var" /etc/init.d/snort
-l /var/log/snort \
if ls /var/run/snort_*pid >/dev/null 2>&1 ; then
  rm -f /var/run/snort_*.pid
Probably in the second or in the third, you got a missing slash, I mean,
you have "var" instead of "/var". I am attaching this script as of
snort 1.8.2 (build 86) in Woody.

Regards

Pope

-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc

#!/bin/sh -e

test $DEBIAN_SCRIPT_DEBUG && set -v -x

test -f /usr/sbin/snort || exit 0

DAEMON=/usr/sbin/snort
CONFIG=/etc/snort/snort.debian.conf

test -f $CONFIG && . $CONFIG

test -z "$DEBIAN_SNORT_HOME_NET" && DEBIAN_SNORT_HOME_NET="192.168.0.0/16"

# to find the lib files
cd /etc/snort

case "$1" in
  start)
	test "$DEBIAN_SNORT_STARTUP" = "dialup" && exit 0
	test "$DEBIAN_SNORT_STARTUP" = "manual" && \
		echo $0 | grep -q 'S[0-9]' && exit 0
	echo -n "Starting Network Intrusion Detection System: snort"
	set +e
	/sbin/start-stop-daemon --start --quiet --exec $DAEMON -- \
		-D \
		-S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \
		-h "$DEBIAN_SNORT_HOME_NET" \
		-c /etc/snort/snort.conf \
		-l /var/log/snort \
		-b \
		-d  \
		-u snort \
		-g snort \
		$DEBIAN_SNORT_OPTIONS >/dev/null
	case "$?" in
	  0) echo "." ;;
	  1) echo "...already running." ;;
	  2) echo "...failed." ;;
	esac
	set -e
	;;
  stop)
	echo -n "Stopping Network Intrusion Detection System: snort"
   	/sbin/start-stop-daemon --stop --quiet --oknodo --exec $DAEMON >/dev/null
	# If it isn't willing we shoot it!
	if ls /var/run/snort_*pid >/dev/null 2>&1 ; then
	  sleep 3
	  ps cax \
	  	| grep '/usr/sbin/snort' \
		| awk '{ print $1 }' \
	  	| xargs --no-run-if-empty kill -9 >/dev/null
	  rm -f /var/run/snort_*.pid
	fi
   	echo "."
	;;
  restart|force-restart|reload|force-reload)
	/etc/init.d/snort stop 
	# stop will take care that the thing is really dead
	/etc/init.d/snort start
   	;;
  *)
	echo "Usage: /etc/init.d/snort start|stop|restart"
	exit 1
   	;;
esac
exit 0


loopback was down and with no IP

2002-06-28 Thread InfoEmergencias - Luis Gómez
Hi

Something strange has just happened to me. I've installed two very
different boxes (nela is K7/1.3 GHz, yolanda is IBM Pentium 100) using
ReiserFS boot disks for Woody, and one CD, and later upgraded via iNet.

After finishing installation of base system, and adding some other
packages (postfix, screen, bitchx, nmap, links-ssl, libncurses5-dev and
little more), I nmapped me and this is what I got:

yolanda:~# nmap localhost

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
WARNING:  Could not determine what interface to route packets through to
127.0.0.1, changing ping scantype to ICMP ping only
pcap_open_live: bind: No such device
There are several possible reasons for this, depending on your operating
system:
LINUX: If you are getting Socket type not supported, try modprobe
af_packet or recompile your kernel with SOCK_PACKET enabled.
*BSD:  If you are getting device not configured, you need to recompile
your kernel with Berkeley Packet Filter support.  If you are getting No
such file or directory, try creating the device (eg cd /dev; MAKEDEV
; or use mknod).
SOLARIS:  If you are trying to scan localhost and getting '/dev/lo0: No
such file or directory', complain to Sun.  I don't think Solaris can
support advanced localhost scans.  You can probably use "-P0 -sT
localhost" though.


QUITTING!
yolanda:~# ifconfig
eth0  Link encap:Ethernet  HWaddr 00:50:FC:4C:B6:51  
  inet addr:192.168.1.4  Bcast:192.168.1.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:39080 errors:0 dropped:0 overruns:0 frame:0
  TX packets:20737 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:100 
  RX bytes:56575180 (53.9 MiB)  TX bytes:1424432 (1.3 MiB)
  Interrupt:11 Base address:0xfc00 

yolanda:~# nmap 127.0.0.1

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
WARNING:  Could not determine what interface to route packets through to
127.0.0.1, changing ping scantype to ICMP ping only
pcap_open_live: bind: No such device
There are several possible reasons for this, depending on your operating
system:
LINUX: If you are getting Socket type not supported, try modprobe
af_packet or recompile your kernel with SOCK_PACKET enabled.
*BSD:  If you are getting device not configured, you need to recompile
your kernel with Berkeley Packet Filter support.  If you are getting No
such file or directory, try creating the device (eg cd /dev; MAKEDEV
; or use mknod).
SOLARIS:  If you are trying to scan localhost and getting '/dev/lo0: No
such file or directory', complain to Sun.  I don't think Solaris can
support advanced localhost scans.  You can probably use "-P0 -sT
localhost" though.


QUITTING!
yolanda:~# ifconfig -a
eth0  Link encap:Ethernet  HWaddr 00:50:FC:4C:B6:51  
  inet addr:192.168.1.4  Bcast:192.168.1.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:39153 errors:0 dropped:0 overruns:0 frame:0
  TX packets:20783 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:100 
  RX bytes:56581294 (53.9 MiB)  TX bytes:1430956 (1.3 MiB)
  Interrupt:11 Base address:0xfc00 

lo        Link encap:Local Loopback
  LOOPBACK  MTU:3924  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0 
  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

yolanda:~# ifconfig lo up
yolanda:~# nmap 127.0.0.1

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
WARNING:  Could not determine what interface to route packets through to
127.0.0.1, changing ping scantype to ICMP ping only
pcap_open_live: bind: No such device
There are several possible reasons for this, depending on your operating
system:
LINUX: If you are getting Socket type not supported, try modprobe
af_packet or recompile your kernel with SOCK_PACKET enabled.
There are several possible reasons for this, depending on your operating
system:
LINUX: If you are getting Socket type not supported, try modprobe
af_packet or recompile your kernel with SOCK_PACKET enabled.
*BSD:  If you are getting device not configured, you need to recompile
your kernel with Berkeley Packet Filter support.  If you are getting No
such file or directory, try creating the device (eg cd /dev; MAKEDEV
; or use mknod).
SOLARIS:  If you are trying to scan localhost and getting '/dev/lo0: No
such file or directory', complain to Sun.  I don't think Solaris can
support advanced localhost scans.  You can probably use "-P0 -sT
localhost" though.


QUITTING!
yolanda:~# ifconfig
eth0  Link encap:Ethernet  HWaddr 00:50:FC:4C:B6:51
  inet addr:192.168.1.4  Bcast:192.168.1.255  Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:39236 errors:0 dropped:0 overruns:0 frame:0
  TX packets:20838 errors:0 dropped:0 overru

Re: DSA-134-1

2002-06-26 Thread InfoEmergencias - Luis Gómez
On Tue, 25-06-2002 at 12:40, Robert van der Meulen wrote:
> and disclosure is only done when it doesn't affect
> openbsd (or the '5 years without..' line on openbsd.org).

You'll love this one:

"One remote hole in the default install, in nearly 6 years!"

Great X'DD
Depending on the language you see their web on, it may or may not have
already changed...

Luis
 
-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc



Re: PermitRootLogin enabled by default

2002-06-26 Thread InfoEmergencias - Luis Gómez
On Wed, 26-06-2002 at 16:39, Sebastian Rittau wrote:
> Yes, there is. For example I have some servers that retrieve their user
> information from a database. If the database is not reachable, an
> ordinary user can't login, but root can, since it's the only local
> account with login privileges.

Thanks to all of you for your replies. As I expected, there exist
situations in which this is necessary; it's just that I couldn't imagine
those situations...

So, again, thanks to all!


 
-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc



PermitRootLogin enabled by default

2002-06-26 Thread InfoEmergencias - Luis Gómez
Hi all

Messing around with sshd_config for all the privsep stuff, I've noticed that
PermitRootLogin was set to yes in my three woody boxes. I usually
consider this a problem (although it has been my fault - I should have
checked and noticed this a long time ago). What do you think of this?

IMHO, we'd better set it to no. I always thought it was much better. Is
there any landscape in which you may want to allow direct root login to
your host?

Regards,

Luis

-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc
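
The question above is ultimately "what value is sshd actually using?", and answering it by eye is error-prone: sshd honours only the first occurrence of a keyword, matches keywords case-insensitively, accepts both "Key Value" and "Key=Value", and treats everything after a Match line as conditional. The following is an added example, not code from the thread, that reads an sshd_config and reports the global PermitRootLogin value with those rules applied. The sample config is constructed for this example; the default printed when the directive is absent is a parameter, because the compiled-in default was "yes" on the OpenSSH of that era and is "prohibit-password" in current OpenSSH.

```shell
#!/bin/sh
# Added example (not from the original post): determine the global
# PermitRootLogin value sshd will use from an sshd_config on stdin.

# Constructed sample: the directive appears twice, then again under a
# Match block. Only the first occurrence sets the global value.
SAMPLE_SSHD_CONFIG='# sshd_config (constructed sample)
Port 22
permitrootlogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin no'

# effective_permit_root_login [DEFAULT]: print the global PermitRootLogin
# value. DEFAULT (assumed "yes", as on the woody boxes in the post) is
# printed when the directive is absent from the global section.
effective_permit_root_login() {
    default="${1:-yes}"
    while IFS= read -r line || [ -n "$line" ]; do
        # fold "Key=Value" and tabs into plain whitespace, then split
        set -f
        set -- $(printf '%s\n' "$line" | tr '=\t' '  ')
        set +f
        [ $# -gt 0 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$key" in
            '#'*)            continue ;;                # comment line
            match)           break ;;                   # rest is conditional
            permitrootlogin) printf '%s\n' "$2"; return 0 ;;
        esac
    done
    printf '%s\n' "$default"
}

# root_login_disabled [DEFAULT]: succeed only when the global value is "no".
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Stand-alone run against the sample. On a live host use
#   effective_permit_root_login < /etc/ssh/sshd_config
# or, on OpenSSH 5.1 and later, `sshd -T | grep -i permitrootlogin`,
# which prints the daemon's own view of the effective configuration.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_permit_root_login
```

On the sample the result is "yes", even though the file also contains "PermitRootLogin no" twice, which is exactly the kind of configuration that looks fixed but is not. Where root login over SSH has to stay enabled for the fallback case described in the thread, the same check can be run against "without-password" (or "prohibit-password" on newer OpenSSH) so that root is at least limited to key-based authentication.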



security.debian.org is down

2002-06-25 Thread InfoEmergencias - Luis Gómez
The subject says it all... I'm in Spain, is it happening everywhere or
is it just the phone company folks messing again with the DSL?

Regards,

Pope
-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc



Re: named problem

2002-05-06 Thread InfoEmergencias - Luis Gómez
A week ago or so I also got some strange responses in UDP packets. They
came from DNS servers to my DNS server. Maybe something's screwed up out
there...

I dunno, but I think root DNSs will give us a bad surprise soon...

On Mon, 06-05-2002 at 16:37, Jan Räther wrote:
> Hi there,
> 
> during the last few days i get a lot of messages like this:
> 
> May 6 17:09:12 mink named[18150]: Malformed response from
> [134.100.33.240].53 (out of data in final pass)
> 
> Is there something to worry about?
> 
> Jan
> 
> -
> Jan Räther
> Universität Hamburg
> Zentrum für Molekulare Neurobiologie
> Service-Gruppe EDV
> Falkenried 94
> 20251 Hamburg
> Germany
> Tel.: 040 - 428 - 03 - 6619
> Fax.: 040 - 428 - 03 - 6621
> 
> Tell a man there are 300 billion stars
> in the universe and he'll believe you.
> Tell him a bench has wet paint on it
> and he'll have to touch to be sure.
> 
-- 
Luis Gómez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc

