Re: Keeping the webserver safe
On Sunday 05 October 2008 05:37:17 pm Dusty Wilson wrote:
> From what I understand, /etc/passwd has to be world readable. If I'm
> wrong, correct me please. If it's world readable, anyone can read it
> unless you use a chroot or use OS containers like OpenVZ (they'd still
> see the file, but it just wouldn't be the whole server's file).
>
> Dusty
>
> On Sun, Oct 5, 2008 at 1:27 PM, Rico Secada <[EMAIL PROTECTED]> wrote:
> > Hi.
> >
> > I have a webserver running with a couple of users as virtual hosts in
> > Apache.
> >
> > I read this article from IBM
> > http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
> > (look for "Guard your filesystem") and tested the PHP script on
> > an Etch installation, and the script serves files such as /etc/passwd and
> > others.
> >
> > What is the best and correct way to protect the server from users who
> > might upload such a script on their web directory?
> >
> > I don't want to run Apache in a chroot.
> >
> > Best regards.
> >
> > Rico

Correct me if I've missed something, but isn't /etc/passwd *supposed* to be
world-readable, for example to translate UIDs to user names using the ls
command? The /etc/shadow file should *not* be world-readable, but when you
use the shadow file, you don't have passwords in /etc/passwd, so its being
world-readable doesn't affect security, unless by some weird mechanism
usernames are insecure... Unless you run PHP as root, you would have to find
a privilege escalation bug in PHP itself to have this particular security
implication. That's not to say there aren't other security implications, or
that PHP doesn't have such a bug. Lacking much experience with PHP, I'm in no
position to say either way on that one.

-- 
Sincerely,
Jack Mudge
[EMAIL PROTECTED]
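A small audit of the two properties the reply above relies on (that /etc/passwd carries no password hashes, and that /etc/shadow, not /etc/passwd, is the file that must stay unreadable to "other"), as an added example that is not part of the original thread. The passwd sample, its made-up hash string and the mode bits are constructed; audit_live() touches the real files only when you call it yourself.

```python
import os
import stat

# Constructed sample of a passwd-format file.  Debian keeps the real hashes
# in /etc/shadow and leaves "x" in field 2; the "legacy" line (with a made-up
# MD5-crypt string) and the "guest" line (empty field) are the bad cases.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
rico:x:1000:1000:Rico:/home/rico:/bin/bash
legacy:$1$saltsalt$ThisIsNotARealHashXXXXX:1001:1001::/home/legacy:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
"""

# Field-2 values that mean "no usable hash lives in this file".
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd(passwd_text):
    """Return (user, finding) pairs for every entry whose password field is
    not a shadow/lock marker: a hash that a world-readable file would expose,
    or an empty field (no password required at all)."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # not a valid passwd(5) record
            findings.append((line, "malformed"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty_password"))
        elif pw not in SHADOW_MARKERS:
            findings.append((user, "hash_in_passwd"))
    return findings


def world_readable(mode):
    """True if an st_mode value grants read to 'other' (the o+r bit)."""
    return bool(mode & stat.S_IROTH)


def audit_modes(passwd_mode, shadow_mode):
    """/etc/passwd is expected to be world-readable (ls, id and friends need
    it); /etc/shadow must not be.  Returns the list of problems found."""
    problems = []
    if not world_readable(passwd_mode):
        problems.append("passwd not world-readable (uid lookups will break)")
    if world_readable(shadow_mode):
        problems.append("shadow is world-readable (hashes exposed)")
    return problems


def audit_live():
    """Run both checks against the real files.  stat() on /etc/shadow works
    without read permission; only reading it needs root or group shadow."""
    with open("/etc/passwd") as f:
        report = {"passwd": audit_passwd(f.read())}
    report["modes"] = audit_modes(os.stat("/etc/passwd").st_mode,
                                  os.stat("/etc/shadow").st_mode)
    return report


if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD))
    print(audit_modes(0o644, 0o640))   # Debian defaults: no problems
    print(audit_modes(0o644, 0o644))   # shadow readable by everyone
```

Run as a script it reports on the constructed sample only; audit_live() is the same logic pointed at the host's own files, and is the check to run after a script like the one in the IBM article has been shown to serve /etc/passwd: the file being readable is expected, a hash in it is not.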
Re: What to do about SSH brute force attempts?
I don't mean to say that linux isn't vulnerable, as any operating system has
its vulnerabilities, but it seems to me that with linux as a minority market
share at the moment (for desktops), and in the fields where linux is common
(servers), the people administering them are generally skilled enough to keep
crackers out (for the most part), anyone trying to run a botnet would target
windows, if only because of the number of (crackable) computers, and possibly
because they wouldn't have to deal with the different varieties and
configurations of linux, or the different kernels, or the permissions in a
well-setup system where they couldn't be root, or any of a few other things I
can think of. I'm quite open to other interpretations, and I'd be glad to
hear what others think of this idea, but IMO, anyone attacking a linux
machine is probably doing so for reasons other than running a botnet.

Granted, unplugging generally means game over. I still think that other
security measures should be used instead when possible (different ports, key
authentication, honeypot, whatever), especially when sensitive data is at
risk. I really don't like the idea of having to shut down my server every
time some script kiddie decides to try and brute-force his way in. Not that
brute forcing is all that effective on my system, but they keep trying. (I'm
not on a nonstandard port, because I access my server from school, and too
many ports are closed to find another open one).

I find this discussion interesting, I'd like to hear some more new ideas :).

On Saturday 23 August 2008 12:28:32 am Roger Bumgarner wrote:
> I think they're more interested in using your computer to participate
> in the botnet. sending spam / exploiting other machines is far more
> lucrative than holding Joe Nobody's machine for ransom. unplug +
> format = game over.
>
> -rb
>
> On Fri, Aug 22, 2008 at 9:27 AM, Carlos Antelo
> <[EMAIL PROTECTED]> wrote:
> > On Thursday 21 August 2008 11:33:51 Michael Tautschnig wrote:
> >> Hi all,
> >>
> >> since two days (approx.) I'm seeing an extremely high number of
> >> apparently coordinated (well, at least they are trying the same list
> >> of usernames) brute force attempts from IP addresses spread all over
> >> the world. I've got denyhosts and an additional iptables based
> >> firewall solution in place to mitigate these since quite some time
> >> already and this seems to do the trick in terms of blocking them
> >> fairly quickly.
> >>
> >> Nevertheless, I'd like to do something about it more proactively, so I
> >> also contact the abuse mailboxes as obtained from whois. From time to
> >> time I do even see responses stating that counter measures have been
> >> taken. In the current case, however, there rather seems to be a need
> >> for some more coordinated action instead of contacting the ISPs for
> >> each single IP -- this host might get blocked/shut down, but there is
> >> little hope of a more thorough investigation, trying to get closer to
> >> the root of these attacks.
> >>
> >> Well, probably I'm pretty naive in hoping that one could do anything
> >> about that at all, but maybe some of you are more experienced in
> >> security issues/dealing with CERTs, etc. and have some ideas what
> >> could be done.
> >>
> >> Further, what do you guys do about such attacks? Just sit back and
> >> hope they don't get hold of any passwords? Any ideas are welcome...
> >>
> >> Thanks,
> >> Michael
> >
> > redirect attackers to another port with a ssh honeypot with common
> > attacked accounts and stupid passwords, let them take over false
> > information (and information on how to contact you) so they will try to
> > contact you for money, then call the police or do something similar, but
> > attackers will keep coming... this is mostly for your fun
> >
> > sorry for my bad english.
> >
> > --
> > Carlos Antelo ( aka CMA )

-- 
Sincerely,
Jack Mudge
[EMAIL PROTECTED]
GPG Pubkey ID: 0x78BEC84C
Re: www.juniorguide.com
On Monday 31 December 2007 02:02:53 pm Jim Popovitch wrote:
> On Mon, 2007-12-31 at 16:38 -0500, Pls check this new site wrote:
> > Please see this site in Subject
>
> SO... is someone at d.o doing something constructive about all these
> The risk is that d.o might eventually start getting blocked elsewhere.
> For instance, if people tell gmail/yahoo/aol/elink/att/comcast/etc
> that this is spam... they will eventually block d.o (the spam relay),
> not the spam origin.
>
> -Jim P.

Does this mean I'm not the only one receiving these? I thought the spammers
were fiddling with headers to trick my mail client. Then again, I never
really looked into it; just set a filter and figured I was done with it...

-- 
Sincerely,
Jack Mudge
[EMAIL PROTECTED]
My GPG Public Key can be found at: https://www.theanythingbox.com/pgp.htm
Signatures are appreciated, email them to me.
Re: fail2ban vs. syslogd compression
On Wednesday 29 August 2007 03:56, G.W. Haywood wrote:
> Most offenders
> are blocked permanently, at the last count we're blocking about 27,750
> ranges. Our scripts could handle the 'repeat' messages if they needed
> to, but they don't. The script kiddies don't get five tries, we block
> them after the first. :)

Forgive me, but as I understand IP and the whole DHCP concept and whatnot, IP
addresses ARE reused after some time. I rarely have the same internet address
for more than a month -- and if I randomly ended up with one of your blocked
addresses, wouldn't I be an innocent victim? Given the dynamic nature of the
internet in general, doesn't it make more sense to block for, maybe, 2 months
tops?

This isn't meant to downcast your job or anything, I'd just like to know the
reasoning behind permanent versus temporary blocks (I use temporary, and it's
always done well for me). fail2ban blocks for 10 minutes; 10 minutes has thus
far been enough to stop all but the most determined script kiddies, who are
then blocked again (and again until they stop). Even using a 450mhz pentium
II for my router/firewall, it's not even a noticeable load on the system.

-- 
Sincerely,
Jack
[EMAIL PROTECTED]
My GPG Public Key can be found at: https://www.theanythingbox.com/pgp.htm
(top link is current)
I appreciate signatures, but if you only know me online, please use the
--lsign-key, not the --sign-key. I appreciate trust -- but too much makes it
less valuable.
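An added example, not code from this thread, from fail2ban or from denyhosts, that serves both the denyhosts/iptables discussion in the SSH brute-force thread above and the permanent-versus-temporary question here: a constructed auth.log excerpt replayed through a fail2ban-style temporary ban. The parameters (5 failures within 10 minutes, 10-minute ban) are assumptions modelled on the 10-minute ban the post mentions, and the year is assumed because syslog lines carry none. Set maxretry=1 to see the "block after the first" policy; the address reused for a legitimate key login after the ban has lapsed is the dynamic-IP case the post worries about.

```python
import re
from datetime import datetime, timedelta

# Constructed auth.log excerpt.  203.0.113.5 fails five times in seconds,
# keeps trying during its ban, and later (after the lease could have changed
# hands) logs in legitimately with a key; 198.51.100.7 fails only once.
SAMPLE_LOG = """\
Aug 29 03:56:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Aug 29 03:56:03 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Aug 29 03:56:05 gw sshd[1202]: Failed password for root from 203.0.113.5 port 40124 ssh2
Aug 29 03:56:09 gw sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Aug 29 03:56:12 gw sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 40126 ssh2
Aug 29 03:58:00 gw sshd[1210]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Aug 29 04:10:00 gw sshd[1300]: Accepted publickey for jack from 203.0.113.5 port 40200 ssh2
Aug 29 04:20:00 gw sshd[1400]: Failed password for invalid user admin from 198.51.100.7 port 5001 ssh2
"""

ASSUMED_YEAR = 2007   # assumption: syslog timestamps have no year
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9.]+) port \d+"
)


def parse_ts(text):
    """Parse a syslog timestamp such as 'Aug 29 03:56:01' into a datetime."""
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")


class TempBanner:
    """Ban an address for `bantime` seconds once it produces `maxretry`
    failures within `findtime` seconds.  Bans expire on their own, so an
    address handed to a new DHCP customer later is not punished for good."""

    def __init__(self, maxretry=5, findtime=600, bantime=600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = {}   # ip -> recent failure times
        self.bans = {}       # ip -> expiry of the current ban
        self.history = []    # (ip, ban_start, ban_end) for every ban issued

    def is_banned(self, ip, at):
        expiry = self.bans.get(ip)
        return expiry is not None and at < expiry

    def banned_at(self, ip, ts_text):
        return self.is_banned(ip, parse_ts(ts_text))

    def observe(self, line):
        """Feed one log line; returns (ip, start, end) if this line
        triggered a ban, else None."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ip, at = m.group("ip"), parse_ts(m.group("ts"))
        if self.is_banned(ip, at):
            return None          # a live firewall rule would have dropped this
        self.bans.pop(ip, None)  # any entry still present has expired
        recent = [t for t in self.failures.get(ip, []) if at - t <= self.findtime]
        recent.append(at)
        self.failures[ip] = recent
        if len(recent) < self.maxretry:
            return None
        ban = (ip, at, at + self.bantime)
        self.bans[ip] = ban[2]
        self.history.append(ban)
        self.failures[ip] = []
        return ban


def replay(log_text, **kwargs):
    """Run every line through a TempBanner and return it for inspection."""
    banner = TempBanner(**kwargs)
    for line in log_text.splitlines():
        banner.observe(line)
    return banner


def ban_summary(log_text, **kwargs):
    """[(ip, 'HH:MM:SS start', 'HH:MM:SS end'), ...] for every ban issued."""
    banner = replay(log_text, **kwargs)
    return [(ip, s.strftime("%H:%M:%S"), e.strftime("%H:%M:%S"))
            for ip, s, e in banner.history]


if __name__ == "__main__":
    b = replay(SAMPLE_LOG)
    for ip, start, end in b.history:
        print(f"{ip} banned {start:%H:%M:%S} until {end:%H:%M:%S}")
    print("still banned at 04:10?", b.banned_at("203.0.113.5", "Aug 29 04:10:00"))
    print("block-after-first policy:", ban_summary(SAMPLE_LOG, maxretry=1))
```

Only the decision logic is shown; a real deployment would turn each returned ban into a firewall rule with an expiry (which is what fail2ban does with its iptables actions) rather than keeping the state in a dictionary. The point of the expiring entry is the one the post makes: the attacker who comes back after ten minutes is simply banned again, while an innocent holder of a recycled address is not locked out for good.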
Re: secure installation
On Monday 20 August 2007 10:47, alex black wrote:
> > thus defeat the purpose). A default firewall simply can't work,
> > even if we
> > had some way to implement it perfectly for all packages (without
> > breaking
> > any, which we undoubtedly would).
>
> It all depends on context - I agree that a default firewall for
> "debian" is stupid, but if you look at the way an OpenBSD box looks
> when the default install is done, that is my ideal. I happen to
> prefer the way things generally are done in debian, but on the initial
> install, OpenBSD whips any other OS I've seen. It has pf on by
> default and only allows SSH connections. Ideal.
>
> Would that be a good idea for a workstation? No - nightmare. Is it a
> good idea for a server? Yes absolutely. Servers, unless they are
> packaged appliance distros or subdistros, should always have the bare
> minimum of services and allow SSH only by default.
>
> $.02
>
> _a
>
> --
> alex black, founder
> the turing studio, inc.

I apologize if what I meant wasn't clear. I declined to include the word
'debian' here, because the context is clear from previous posts in the
thread. Excellent point, though. Workstations don't need a firewall. Servers
probably do. I don't disagree (I wholly agree, actually). However, the
typical server is set up by someone who knows what they're doing (not someone
who would need help setting up a firewall), and has specific requirements. My
intention wasn't to say a default firewall can never work, but that it can't
work for debian, given the community/ideology and existing user-base
surrounding it.

-- 
Sincerely,
Jack
[EMAIL PROTECTED]
Re: secure installation
It would be a great risk to a company TO offer a warranty, especially since
most of us either: a) don't read warranties anyway, so they (e.g. M$) can say
whatever they want, b) don't really care.

I happen to fix PC's for people for some cash on the side (being 17 and in
the U.S. with our crappy child labor laws, I can't get a job doing it). 90%
of the people I fix computers for are cases of viruses and/or trojans that
teenage or slightly younger children have downloaded from some page listed on
Google. License agreements on these things, where it has 4 pages+ of legal
jargon (incomprehensible to most people), a simple button to "accept"
(frequently the default button where your mouse goes) and some fine print
near the bottom stating that "we can download anything we want onto your
computer", effectively do nothing. How often does a windows user just click
'accept' without even knowing //what// they are accepting?

In windows, this happens because people will gladly shoot themselves in the
foot and dump security out the window to keep convenience. It's why microsoft
has remained so popular, and it's why Apple can't compete on Microsoft's
grounds. The same would happen to Linux if we start producing binary-only
applications and distributions.

This is why a firewall during the installation is a bad idea. It's obvious to
anyone that crackers and other malicious individuals DO exist, and DO try to
do things. But to an expert, the automatic firewall will be set up all wrong
no matter how you set it up (and thus create work for them). To the beginner,
it gets in the way, and they'll throw it out the window when it does (and
thus defeat the purpose). A default firewall simply can't work, even if we
had some way to implement it perfectly for all packages (without breaking
any, which we undoubtedly would).

On Monday 20 August 2007 09:42, Jose Marrero wrote:
> I believe Microsoft software comes with NO WARRANTY as well.
> Hell, we should read the small print on all software...
>
> On Mon, August 20, 2007 8:18 am, Izak Burger wrote:
> > On 8/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >> Software failures *are* in the worst cases life threatening, and
> >> everyday non-safety-critical systems can easily be a very serious
> >> nuisance to other users.
> >
> > I propose we stick a label on: This software is not meant to be run in
> > life support systems.
> >
> > Oh wait, 'tis already there... Debian comes with ABSOLUTELY NO
> > WARRANTY, to the extent permitted by applicable law.
> >
> > Settled then?
> >
> > :-P
> >
> > regards,
> > Izak
>
> --
> -JM.
>
> These blue days and this sun of childhood. (Antonio Machado-1939)

-- 
Sincerely,
Jack
[EMAIL PROTECTED]
Re: Secure Installation
On Thursday 16 August 2007 15:09, R. W. Rodolico wrote:
> Unfortunately, I have to point to some of the
> user oriented firewalls you get for windoze (which, to my knowledge, Linux
> does not have). When they are installed, they shut down basically
> everything incoming, and all but a few standard outgoing ports (http,
> smtp, pop and imap). When an application tries to go out of another port,
> a pop-up informs the user and they can choose to accept, accept or reject,
> with a "forever" modifier on both, and the firewall changes its rules
> appropriately.

The problem with these lies on 2 levels. The first is that all network
traffic would have to somehow be routed through this application, which in
windows is no big deal as all that is already in place. But we haven't
installed that infrastructure, so it would be tougher to get that running in
the first place. This is not a primary concern regarding the firewall, but it
is an issue if we do eventually decide to integrate a firewall like that.

The second problem is what I pointed out earlier about Microsoft's "firewall"
-- users are pacified by it. If it's there, they get the message, they have
"ok" and "cancel", what does the average user do? The average user assumes
the firewall will protect them no matter what they do, so they click the "ok"
button and get on with what they are doing.

The greatest security hole in any system is the user. You can plug every
other hole there is, and still have break-ins because users haven't been
trained properly. There is no way to secure a system used by uninformed
users. A firewall is only one more thing the user can foul up.

Linux (and debian especially) is inherently more secure than windows in one
regard, firewall or not: we can all contribute to it. The only people
contributing anything to windows are either microsoft, contributing bugs; or
proprietary software companies, contributing proprietary software. This made
a sink-hole where the user really doesn't know what's going on in the
background, can't find out, and can't fix it even if they could find out.
What more could the programmer of a trojan horse (IMO a bigger threat than
anything a firewall will protect us from) ask for, than a user who completely
trusts binary-only distributions?

We're sitting here discussing specific ways debian operates and how we can
fix it. Who can do that in windows? That in itself makes debian more secure.

-- 
Sincerely,
Jack
[EMAIL PROTECTED]
Re: secure installation
On Thursday 16 August 2007 05:09, Robert Van Nostrand wrote:
> The correct answer for the better of all now/future Debian users is to not
> put a gun in the hands of a child.
> For those mental midgets that are willing to put their CC info on a box
> that they have no clue about then they deserve to have their identity
> stolen.

I agree with most of your sentiment: Debian isn't for the first-time linux
user, generally. It's easier to break, harder to install, but the reward is
that you get a much more powerful system. But does lack of information make
anyone deserve identity theft? I don't think anyone deserves to have their
identity stolen, because to deserve something bad you had to have done
something bad. Being ignorant about debian isn't a bad thing. We all were
once, and if everyone came at us with that attitude, would we have learned?
I doubt it.

My point is that to debate if a firewall should be in the installer may
circle around practical points, more/less how many people use a firewall or
what benefit would a firewall have? But nobody should be pointing fingers.

My personal view is that there are plenty of simpler distributions out there,
knoppix for first-time users, Ubuntu/Suse for novices, and RedHat for people
who need hand-holding. Debian is primarily for advanced users, and for users
who have someone looking over their shoulder. We shouldn't over-simplify
debian so that users not in its target audience can use it.

Putting a firewall in debian by default is also somewhat similar to
Microsoft's attempts to pacify everyone: When windows' virus problem became
worrisome to the average user, Microsoft added a firewall to their
installation, to try to make users think that Windows was safe now. What
happened? Well, security went down the toilet. Users thought they were safe
without doing anything, so they didn't do anything. Microsoft succeeded at
pacifying everyone, and so shot themselves in the other foot (the first foot
is being so forceful and monopolizing the industry).

I don't think a firewall by default is even a safe idea, just for that
reason: Users who don't really know what it is, but hear "it makes me safe",
will assume that it protects them from everything without them doing
anything.

-- 
Sincerely,
Jack
[EMAIL PROTECTED]
Re: strange requests from Vanguard Securities: 53,137,138
On Sunday 12 August 2007 13:16, Wade Richards wrote:
> Opening up ports
> to stop log file messages is kind of like removing your armour because
> you don't like the loud "ping" sound of bullets bouncing off it.

Well said. I really couldn't have said it better myself. The only other thing
I could add to your list is to make sure the problem is well-understood
before attempting solutions. I know from my own experience that when you
think (or know) something is wrong, don't really know what is wrong, and try
to fix it by poking at it, it's like a brain surgeon trying to remove
necrotic tissue blind. They really don't know what they're doing, or what
they're removing.

When I first began using linux, I generally tried windows-like solutions: If
a file is causing problems, delete it. This led me to delete my inittab file,
which, as you (should) know, usually requires a system reinstall. Learn from
my mistake ;).

I don't mean you need to be a network Guru before you figure out where things
are -- if you didn't know about whois or host, it could be tricky to figure
out who, exactly, is 127.0.0.1. That's why mailing lists exist -- to ask
questions. It's usually best to try to figure it out FIRST, *THEN* solve, and
figuring it out may require asking questions.

-- 
Sincerely,
Jack
[EMAIL PROTECTED]