Re: sshd attack?

2001-08-15 Thread Jörgen Persson

On Wed, Aug 15, 2001 at 09:37:51AM +0200, Siegbert Baude wrote:
> Hello,
> 
> I get about 100 log entries of the following pattern:
> 
> Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation
> attack: network attack detected
> 
> 
> What's this?

I do not know.


> How can I find out, from where this attack is originating? Must I increase
> the verbosity level of sshd to achieve this?

sshd might be able to do it. I'm logging the originating address through
my internet services daemon. I happen to use tcpserver[1] but inetd[2]
and xinetd[3] ought to be able to do it as well. A second alternative is
to do it through a tcpwrapper like Venema's[4].

Jörgen
[1] http://cr.yp.to/ucspi.tcp/tcpserver.html
[2] ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/
[3] http://www.xinetd.org/
[4] ftp://ftp.porcupine.org/pub/security/
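
Added example, not part of the original post: once the peer address is being logged as described above, the alerts can be attributed to a source by joining on the sshd PID. It assumes the address is logged under the same PID as the disconnect, in one of two line formats ("Connection from ADDR port N" or "connect from ADDR"); the log lines, addresses and PIDs below are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (documentation addresses, invented PIDs).
# Assumption: the peer address is logged under the same sshd PID that
# later logs the disconnect message.
SAMPLE_LOG = """\
Aug 14 01:28:59 myserver sshd[27175]: Connection from 192.0.2.44 port 3301
Aug 14 01:29:01 myserver sshd[27175]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 01:29:03 myserver sshd[27180]: connect from 192.0.2.44
Aug 14 01:29:05 myserver sshd[27180]: Disconnecting: crc32 compensation attack: network attack detected
Aug 14 01:30:10 myserver sshd[27191]: Connection from 198.51.100.7 port 1022
Aug 14 01:30:12 myserver sshd[27191]: Accepted password for alice from 198.51.100.7 port 1022
Aug 14 01:31:40 myserver sshd[27202]: Disconnecting: crc32 compensation attack: network attack detected
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = re.compile(r"^(?:Connection from|connect from) (?P<addr>[0-9A-Fa-f:.]+)")
ALERT = "crc32 compensation attack"


def attribute_alerts(log_text):
    """Return (Counter of source address -> alert count, PIDs with no logged peer)."""
    peer_by_pid = {}
    sources = Counter()
    unattributed = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line, or a wrapped continuation line
        pid, msg = m.group("pid"), m.group("msg")
        peer = PEER.match(msg)
        if peer:
            # PIDs are recycled: a new connection line replaces any older mapping.
            peer_by_pid[pid] = peer.group("addr")
        elif ALERT in msg:
            addr = peer_by_pid.pop(pid, None)
            if addr is None:
                unattributed.append(pid)
            else:
                sources[addr] += 1
    return sources, unattributed


if __name__ == "__main__":
    sources, unattributed = attribute_alerts(SAMPLE_LOG)
    for addr, count in sources.most_common():
        print(f"{count:4d}  {addr}")
    print("alerts with no logged peer (PIDs):", ", ".join(unattributed) or "none")
```

Alerts listed as unattributed are the ones logged before peer-address logging was in place, which is the situation the original question describes.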


Re: use of /tmp by installers

2001-05-19 Thread Jörgen Persson
On Sat, May 19, 2001 at 12:51:08PM +1000, Ian wrote:
> Hi,
> 
> I have my /tmp mounted noexec, but I was surprised to see the Postfix
> installer (in testing) want to execute some temporary scripts out of /tmp.
[snip]

I'm no Postfix freak but doesn't it honour $TMP or $TMPDIR?? I prefer
exporting them to $HOME/.tmp or something similar rather than mounting /tmp
noexec.

Jörgen



Re: Allow FTP in, but not shell login

2001-03-14 Thread Jörgen Persson

On Tue, Mar 13, 2001 at 12:08:17PM -0800, Eric N. Valor wrote:
 
> Try setting the shell to /bin/true (and make sure this is listed in
> /etc/shells). /bin/true returns a zero result and exits. It allows you
> to "log in" via daemons that require a valid shell, yet won't allow
> telnet-style access (no real shell, just a "true" result).
[snip]

/usr/bin/passwd can sometimes be useful as shell... By the way, check
the bugtraq archives -- remote exploits for accounts with /bin/false as
shell have been seen on there.

Jörgen






Re: Allow FTP in, but not shell login

2001-03-14 Thread Jörgen Persson

On Wed, Mar 14, 2001 at 11:56:13AM -, Neil Grant wrote:
 
> > /usr/bin/passwd can sometimes be useful as shell... By the way, check
> > the bugtraq archives -- remote exploits for accounts with /bin/false as
> > shell have been seen on there.
> 
> can't seem to find any for these and as I understand it, false and true used
> to be shell scripts - but are now C programs to increase their security

I couldn't find the article I thought of myself -- maybe I read it
somewhere else. The point is that many feel a false sense of security
since they use /bin/false as shell.

Though I did find an example as good as any at:
http://www.securityfocus.com/archive/1/46449

Jörgen




[ot] our hero (was: Is it possible to chroot scp?)

2001-03-12 Thread Jörgen Persson
On Mon, Mar 12, 2001 at 12:03:51AM -0800, Alexander Hvostov wrote:
[snip]
> A PAM module is apparently a work-in-progress to perform chroot() at
> the PAM level. Email Bruce Campbell [EMAIL PROTECTED] and ask
> about its status.

interesting -- I wasn't aware Mr Campbell was about to protect us from
the Evil Dead once more.

sorry...couldn't resist :)

Jörgen



howto check the integrity of installed packets

2001-03-07 Thread Jörgen Persson
Well,
the subject is clear enough... I'm looking for ''native'' support for 
checking the integrity of installed packets.

Jörgen