Re: Sendmail package version weirdness
On Fri, Sep 19, 2003 at 01:47:28AM -0400, Robert Brockway wrote:
> On Fri, 19 Sep 2003, Matt Zimmerman wrote:
> > On Thu, Sep 18, 2003 at 10:58:49PM -0400, Robert Brockway wrote:
> > > Was there any particular reason that this newer fixed version has a version number that makes it look older than the exploitable version?
> >
> > Simple: it doesn't. The version in stable is 8.12.3-4, and the version on security.debian.org is 8.12.3-6.6. Your package came from someplace else.
>
> Hi Matt. Thanks for clearing that up. FYI I located the origin of the version I was using:
> http://people.debian.org/~cowboy/sendmail_8.12.3-7woody_i386.changes

Just like anyone using debian.seabone.net for the debian-ipv6 repository for woody would have 8.12.9-3 installed...

Regards,
Jeremy

> Rob
> --
> Robert Brockway B.Sc. email: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Linux counter project ID #16440 (http://counter.li.org)
> The earth is but one country and mankind its citizens -Baha'u'llah
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
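The version ordering behind this exchange, as an added example that is not part of the original messages: a Python implementation of the Debian version comparison rules, run over the three sendmail versions named in the thread, showing why a host carrying a third-party 8.12.3-7woody build is never offered 8.12.3-6.6 as an upgrade. The function names and the classify() labels are assumptions made for this illustration.

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

# Alternating (non-digit run, digit run) pairs, as the Debian algorithm walks them.
_PAIR = re.compile(r"([^0-9]*)([0-9]*)")


def _order(ch):
    """Character weight: '~' sorts first, then end of string, letters, other characters."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isascii() and ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    pairs = zip_longest(_PAIR.findall(a), _PAIR.findall(b), fillvalue=("", ""))
    for (txt_a, num_a), (txt_b, num_b) in pairs:
        for ca, cb in zip_longest(txt_a, txt_b, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        na, nb = int(num_a or 0), int(num_b or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = "0", version
    if ":" in version:
        epoch, rest = version.split(":", 1)
    upstream, revision = rest, ""
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1 if a sorts before b, 0 if equal, 1 if a sorts after b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def classify(installed, archive_versions):
    """Label an installed version against the versions the configured archives carry."""
    newest = max(archive_versions, key=cmp_to_key(compare_versions))
    result = compare_versions(installed, newest)
    if result < 0:
        return ("upgrade-available", newest)
    if result == 0:
        return ("current", newest)
    # Nothing in the archives is newer, so the package manager leaves it alone:
    # the package "came from someplace else" and needs a manual review.
    return ("newer-than-archive", newest)


if __name__ == "__main__":
    # Versions quoted in the thread: stable and security.debian.org.
    archives = ["8.12.3-4", "8.12.3-6.6"]
    for installed in ("8.12.3-4", "8.12.3-6.6", "8.12.3-7woody", "8.12.9-3"):
        print(installed, classify(installed, archives))
```

On a real Debian host, dpkg --compare-versions answers the same question for a single pair of versions.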
SSH on HPPA and Alpha?
Just finishing up doing updates on my machines after the recent exploit announcements and DSA issuances... I noticed both my HPPA and my Alpha machines which run woody/stable did not have any new version above 3.4p1-2 (hppa) and 3.4p1-1.woody.2 (alpha)... Are these versions safe from the recently found exploit or were they forgotten when the security update packages were built?

Regards,
Jeremy
Re: about sendmail hole - relay restrictions bypassed
In all fairness, if this issue is in regards to the Verisign cluster fsck I don't think this has any place in Sendmail personally but rather in getting Verisign to un-fsck the problem and/or fix DNS servers not to respond in that manner as to allow that to happen...

Regards,
Jeremy

On Thu, Sep 18, 2003 at 12:49:38PM +0900, Hideki Yamane wrote:
> Hi list,
>
> You know, as DSA-384-1, sendmail buffer overflow vulnerability is fixed but another hole sendmail relay access restrictions can be bypassed with bogus DNS(*) is NOT fixed yet.
>
> * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174907
>
> Do you know why maintainer let this issue alone ? or not effect Debian package? (if so, this bug should be closed.)
>
> --
> Regards,
> Hideki Yamane mailto:henrich @ iijmio-mail.jp
Re: evolution
On Thu, Jun 26, 2003 at 08:40:38AM +0300, Martynas Domarkas wrote:
> Hi, it's me again and I have another stupid question: my evolution mailer in a short period of time repeatedly tries to connect to some strange hosts:
>
> tcp 0 1 192.168.0.1:33931 205.156.51.200:80 SYN_SENT 4055/evolution-exec

This appears to be the National Weather Services... Prolly cause it has a summary page that has weather info.

> tcp 0 1 192.168.0.1:33932 206.14.209.40:80 SYN_SENT 4055/evolution-exec

This appears to be Salon.com... Also I believe has a link for syndication postings on the summary page.

> tcp 0 1 192.168.0.1:33933 63.236.73.20:80 SYN_SENT 4055/evolution-exec

This appears to be Linux Today... Also I believe has a link on the summary page for news articles...

> There are a LOT of connections: ~700 in a 5 minutes. I did not find any configuration options with that hosts. What could it be?
>
> --
> Regards,
> IT systems administrator
> Martynas Domarkas
> tel.: +370 698 44331
Re: Debian Kernel's and FreeSwan
One vital piece of information you have failed to mention is the exact version of freeswan you are trying to work with... I can say I'm running Debian 3.0 current with security updates which I have built a 2.4.20 kernel with the freeswan 1.99 from unstable... The kernel was patched with the kernel-patch-freeswan-ext patch to include the extra encryption algorithms and is working flawlessly so far... I've even got a Windows 2000 laptop running SSH Sentinel to connect with it using X.509 authentication...

You keep saying you're trying to patch freeswan but I think you may not be aware if you are using the Debian freeswan package source it is already patched with several patches not in the official freeswan distribution... The 1.99 package from unstable has the most recent X.509, AES ALGO, Notify Delete SA and NAT-Traversal patches already applied to it...

If you would like to discuss things one-on-one you're free to contact me directly and I will try to assist you in your problems but the only real problem I had was in configuring the ipsec.conf for freeswan-freeswan and freeswan-sentinel connections with DHCP-over-IPSec and that now is a non-issue except for a few operational issues...

Regards,
Jeremy

On Sat, Apr 05, 2003 at 09:04:54AM -0800, Steve Jr Ramage wrote:
> Well continuing the problem, I have moved from the original one, appended at the bottom. Now something else is wrong, basically the following output. I had to use 'export PATCH_THE_KERNEL=YES' (thanks Kenneth). Now the kernel compile asks me a bunch of IPSEC questions and then later it does this. I have done a make-kpkg clean, and a make dep, on both systems. There doesn't seem to be anything wrong. I did download the freeswan package. Is there anything else I need?
>
> Steve Ramage
>
> /usr/src/kernel-fermat/net/ipsec/ext/ipsec_ext_aes-opt.c(.text+0x9c): multiple definition of `ipsec_aes_init'
> ipsec_aes.o(.text+0x10c):/usr/src/kernel-fermat/net/ipsec/ext/ipsec_ext_aes.c: first defined here
> ld: Warning: size of symbol `ipsec_aes_init' changed from 283 to 123 in ipsec_aes-opt.o
> ipsec_aes-opt.o: In function `AES_cbc_encrypt':
> /usr/src/kernel-fermat/net/ipsec/ext/libaes-opt/aes_cbc.c:8: multiple definition of `aes_encrypt'
> ipsec_aes.o:/usr/src/kernel-fermat/net/ipsec/ext/libaes/aes_cbc.c:9: first defined here
> make[5]: *** [ipsec_ext_static.o] Error 1
> make[5]: Leaving directory `/usr/src/kernel-fermat/net/ipsec/ext'
> make[4]: *** [ext/ipsec_ext_static.o] Error 2
> make[4]: Leaving directory `/usr/src/kernel-fermat/net/ipsec'
> make[3]: *** [first_rule] Error 2
> make[3]: Leaving directory `/usr/src/kernel-fermat/net/ipsec'
> make[2]: *** [_subdir_ipsec] Error 2
> make[2]: Leaving directory `/usr/src/kernel-fermat/net'
> make[1]: *** [_dir_net] Error 2
> make[1]: Leaving directory `/usr/src/kernel-fermat'
> make: *** [stamp-build] Error 2
>
> -Original Message-
> From: Steve Jr Ramage [mailto:[EMAIL PROTECTED]]
> Sent: April 5, 2003 05:36
> To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
> Subject: Debian Kernel's and FreeSwan
>
> First and foremost, as the issue will probably demonstrate I'm relative to Linux, so bear with me. Basically I am trying to get FreeSwan to run as server, but can't get the patch to work. All my systems are running debian 3.0r0, and kernel 2.4.18 (my own make).
>
> My System(s):
> 1) HP Netserver LS 5/166: 2 Intel Pentium 166, 128 MB RAM, running stable.
> 2) Pentium III-550, 128 MB RAM, running unstable/testing
> 3) Pentium 200 MMX, 64 MB RAM, running stable.
>
> For you freeswan people (this message was cross posted to freeswan and debian mail lists). Debian has its own method of installing/making a kernel, and although I can compile one with what I assume to be the regular way, I'd prefer to do it the Debian way, and I am having problems with that.
>
> Anyway I can successfully complete and install a compiled kernel, but I am only trying to add a freeswan patch, so I have no idea if it's just my syntax or the specific package. I have the freeswan kernel patch, it exists in /usr/src/kernel-patches/all/, as well it exists in .../apply and .../unpatch. I then proceed to the kernel build directory and type make-kpkg --added-patches freeswan kernel_image, then install it dpkg -i (filename). I have also tried 'set PATCH_THE_KERNEL=YES' also tried sticking something akin to that in the .config file to no avail. I have searched google, can't find the guide I had a long time ago (been trying for a few months). Anyone have any ideas, or can point me towards a guide, that will go STEP by STEP.
>
> Thanks,
> Steve Ramage.
Re: Sendmail vulnerability : is Debian falling behind?
It's been discussed plenty on the Debian mailing lists as well as having the package maintainer give an update on the status of the packages that are being prepared/ready at this time... Might suggest checking a bit further before making such a rash judgement on issues already being dealt with...

RedHat and SuSe have commercial money to throw at it... Debian is run by volunteers... As well RedHat and SuSe do not support nearly as many platforms as Debian, so it sometimes takes a bit to get all the packages compiled on all the platforms prior to making an announcement so they are all available...

Jeremy

On Mon, Mar 03, 2003 at 03:17:16PM -0600, Jor-el wrote:
> Hi,
>
> In case no one noticed, news of a Sendmail vulnerability appeared on Slashdot. The really interesting piece of the story for me was the portion of the blurb which said ...RedHat and OpenBSD have already issued patches. links to an update from SuSE, too. What about Debian? I just looked at http://security.debian.org and see no mention of this vulnerability.
>
> I don't use Sendmail myself. Nevertheless I am still concerned that the people who notify vendors are not notifying Debian ahead of time before vulnerabilities are publicly announced. Is that the case? Can someone in the know comment?
>
> Thanks,
> Jor-el
Re: machine monitoring packages
Not sure what problems you're having with Nagios but my office was originally using Big Brother which the previous admin regime had installed before being handed over to our department to manage. Our team found BB to be a complete and utter pain in the ass so we removed it and replaced it with Netsaint. Now that Nagios is out we're working to migrate our configuration from Netsaint - Nagios, as well I'm part of the Nagios Plugin development and working to make the plugins AF-independent as our office requires the ability to monitor IPv4 and IPv6 hosts and services...

With escalation schemes, contact groups, service host dependencies, planned downtime/outages and configurable notification methods we have found Netsaint/Nagios to be great. We have far less false-positive outage alerts than with BigBrother which makes us pay more attention to the notifications when they are sent out. With BB we would procmail them to a folder and ignore them because there were always so many.

As for there not being any DEB for Nagios, there are several Nagios DEBs in unstable (nagios-text, nagios-pgsql and nagios-mysql). Currently there is no stable release of the Nagios Plugins (latest release has been 1.3beta2) but the plugin API has not changed so the netsaint-plugins package still works with Nagios.

Not sure what configuration/installation issues you're having but I haven't had anything not work with the default configuration and ours is now fairly highly customized...

Jeremy

On Thu, Feb 13, 2003 at 02:59:26PM +, gabe wrote:
> I would like to know what ppl think is the best package for monitor servers, at my last work place they were installing mon. In my new job they use Nagios, which I'm not too sure about due to the fact that installation / configuration goes wrong. Most importantly there's no deb package for Nagios which makes me not wanna use it in the first place.
>
> Any comments or thoughts welcomed
>
> --
> Gabriel Granger
> +--------------------------------------------+
> |   .~.                                      |
> |   /V\    L I N U X - Debian                |
> |  // \\   The force is strong in this one   |
> | /(   )\                                    |
> |  ^^-^^                                     |
> +--------------------------------------------+
Re: Your Confirmation Required
Can we not possibly get the mail servers configured to not accept mail from this domain/hostname until they resolve the issue on their side? Apparently someone is misusing/abusing a CGI to try and cause problems and some action should be taken...

Jeremy
Re: SSH2 Encryption
Should have absolutely no problems connecting to sshd on Woody or Sid from Windows using SecureCRT 3.4 or SecureFX 1.9 as I run 3.4.1 and 1.9.6 respectively from Windows 2000 with no problem on multiple machines... I set the SSH Server to Auto Detect and left all Ciphers and MAC options checked... Works with or without compression...

Jeremy

On Mon, Jun 10, 2002 at 01:13:06PM -0400, Jeff Bonner wrote:
> I've been playing around with a Woody installation, connecting to it via SSH2, with SecureCRT 3.4 for Win32. I think I've finally figured out what encryption types this Debian package (ssh 3.0.2p1-9) supports, but please correct me if I'm wrong -- http://www.openssh.org/features.html lists *only* 3DES and Blowfish:
>
> AES-128
> AES-192
> AES-256 (isn't this Rijndael now?)
> Triple DES
> Blowfish
> RC4
> rijndael-128cbc
> rijndael-192cbc
> rijndael-256cbc
> [EMAIL PROTECTED] [sic]
> CAST-128cbc
>
> Also, there's an option in SecureCRT called MAC which I guess refers to the hash: MD5, SHA1, MD5-96, and SHA1-96.
>
> Questions:
> 1) Are all those ciphers actually available in my SSH package?
> 2) The SHA1-96 hash should be better than MD5-96, correct?
> 3) Any reason you *wouldn't* want to use compression in SSH?
>
> Thanks in advance,
> Jeff Bonner
Re: ssh allowing password logins even though its disabled
Have you verified that keyboard-interaction is not enabled as well? As I quote from the man page for sshd...

    PAMAuthenticationViaKbdInt
        Specifies whether PAM challenge response authentication is allowed. This allows the use of most PAM challenge response authentication modules, but it will allow password authentication regardless of whether PasswordAuthentication is disabled. The default is ``no''.

Jeremy

On Wed, Apr 03, 2002 at 09:39:21PM -0700, Tim Freeman wrote:
> I just rediscovered bug 109846 in ssh,
>
>     SSH uses PAM password authentication in SSH2 even if disabled
>
> It's filed as a normal bug. Before I discovered the dup, I was going to file it as a grave bug, since the system involved has weak passwords (my kids have to be able to log in, and they can't type too well). If I had not tested that ssh disables passwords when you tell it to, it would have allowed fairly easy penetration, so there might be lots of vulnerable systems out there.
>
> Can anyone clue me in on why other people don't think this is grave, or lend me encouragement on pushing the priority up?
>
> --
> Tim Freeman [EMAIL PROTECTED]
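A configuration check for the interaction described in the man page excerpt above, as an added example that is not part of the original messages: it resolves the effective values of the two options from sshd_config text and reports when password logins remain reachable through PAM keyboard-interactive authentication although PasswordAuthentication is off. The function names and the sample configurations are constructed for this illustration; the default of "no" for PAMAuthenticationViaKbdInt is taken from the quoted man page, while the "yes" default for PasswordAuthentication and the first-value-wins rule are assumptions about the sshd in use.

```python
import re

# PAMAuthenticationViaKbdInt default "no": from the man page text quoted in the thread.
# PasswordAuthentication default "yes": assumed OpenSSH default.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pamauthenticationviakbdint": "no",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")


def effective_options(config_text):
    """Return the effective value of each tracked option for the given sshd_config text."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            continue
        key = match.group(1).lower()
        value = match.group(2).strip().strip('"').lower()
        # Assumption: the first value given for a keyword is the one sshd uses.
        seen.setdefault(key, value)
    return {key: seen.get(key, default) for key, default in DEFAULTS.items()}


def password_login_paths(config_text):
    """List the authentication paths through which a password can still be used."""
    eff = effective_options(config_text)
    paths = []
    if eff["passwordauthentication"] == "yes":
        paths.append("password")
    if eff["pamauthenticationviakbdint"] == "yes":
        paths.append("keyboard-interactive")
    return paths


def audit(config_text):
    """Return findings for a config that looks password-free but is not."""
    eff = effective_options(config_text)
    findings = []
    if (eff["passwordauthentication"] == "no"
            and eff["pamauthenticationviakbdint"] == "yes"):
        findings.append(
            "PasswordAuthentication is 'no' but PAMAuthenticationViaKbdInt is "
            "'yes': PAM still accepts passwords over keyboard-interactive")
    return findings


# Constructed sample configurations (not taken from any real host).
SAMPLE_BYPASS = """\
# key-only logins intended
PasswordAuthentication no
PAMAuthenticationViaKbdInt yes
"""

SAMPLE_KEY_ONLY = """\
PasswordAuthentication no
pamauthenticationviakbdint=no
"""

SAMPLE_DEFAULTS = """\
# nothing set: defaults apply
Port 22
"""

if __name__ == "__main__":
    for name, text in (("bypass", SAMPLE_BYPASS),
                       ("key-only", SAMPLE_KEY_ONLY),
                       ("defaults", SAMPLE_DEFAULTS)):
        print(name, password_login_paths(text), audit(text))
```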
Re: MS Front page extensions for Linux
On Tue, Mar 12, 2002 at 11:31:34AM +0800, Marcel Welschbillig wrote:
> Hi,
>
> Is there any known security issues with installing micro$oft Front Page extensions on a Debian Apache web server? I am reluctant to infect my nice Linux web server with micro$oft code.

Well you did use the right word infect... With micro$oft's track record do you really think the frontpage extensions would be any different?

Jeremy
Re: Netsaint
I'm not aware of any security holes created by it... I originally started using it with Netsaint to monitor 2 networks but then changed over to NPRE as it had built-in mechanics for only allowing the checks to come from a specific host(s) thereby greatly limiting who could access that data...

Jeremy

On Thu, Feb 28, 2002 at 03:55:13PM +0100, Johan Jacobsson wrote:
> Hello!
>
> I am using netsaint_statd on a debian machine and I would like to know what I am doing, eg what security holes may this create? As I understand it, the netsaint_statd daemon makes it possible to extract information about CPU load, disk usage, memory load etc. Is this a security problem? Has anyone heard about security holes in netsaint_statd 2.13? The web page maintaining it is not so informative...
>
> /Johan Jacobsson
Re: apache-ssl/woody cannot handle password protected keys?
One solution which I use is this... I have both my cert.pem and cert.key file in a directory... I then run the following:

openssl x509 -in cert.pem -out /etc/apache/ssl.crt/server.crt
openssl rsa -in cert.key -out /etc/apache/ssl.key/server.key
chown root:root /etc/apache/ssl.key/server.key
chmod 0600 /etc/apache/ssl.key/server.key

This allows me to restart apache without incident...

Jeremy

On Mon, Feb 25, 2002 at 03:30:08PM +0100, Thomas Gebhardt wrote:

Hi,

just upgraded a host from potato to woody, I observed that my apache-ssl failed to work. Well, it actually starts but goes down immediately:

# /usr/sbin/apache-sslctl start
Reading key for server my.server:443
Enter PEM pass phrase:
Launching... /usr/lib/apache-ssl/gcache pid=22730
/usr/sbin/apache-sslctl start: httpsd started

or similarly:

# /etc/init.d/apache-ssl start
Starting web server: apache-sslReading key for server my.server:443
Enter PEM pass phrase:
Launching... /usr/lib/apache-ssl/gcache pid=22999
.

The error log says:

[Mon Feb 25 15:20:36 2002] [crit] (22)Invalid argument: Error reading private key file /etc/apache-ssl/secret.key:
[Mon Feb 25 15:20:36 2002] [crit] error:0906406D:PEM routines:DEF_CALLBACK:problems getting password
[Mon Feb 25 15:20:36 2002] [crit] error:0906A068:PEM routines:PEM_do_header:bad password read

My PEM pass phrase is ok; in case of a typo I get something like:

# /usr/sbin/apache-sslctl start
Reading key for server my.server:443
Enter PEM pass phrase:
Bad passphrase - try again

When I remove the passphrase from /etc/apache-ssl/secret.key (such that it is only protected by its file permissions) then apache-ssl works fine. I also tried apache-ssl from unstable (1.3.23.1+1.45-1) which gives the same results.

I would appreciate any hints! Is it my fault or is this a bug (a feature?) within apache-ssl?

Thanks, Thomas
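A check for the state the reply above ends in, as an added example that is not part of the original thread: once the pass phrase is removed, file permissions are the key's only protection, so this audits whether a PEM key is encrypted and, if not, whether group and other are locked out. The function names and the sample files are hypothetical, and the sample PEMs contain framing only, no key material.

```shell
#!/bin/sh
# Added example: audit a PEM private key that a web server reads at startup.

# Exit 0 if the PEM carries passphrase-encryption markers
# (traditional "Proc-Type" header or PKCS#8 "ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Exit 0 if neither group nor other has any permission bit set.
key_perms_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print a one-line verdict; exit 0 = acceptable, 1 = exposed, 2 = missing.
audit_key() {
    f=$1
    [ -f "$f" ] || { echo "MISSING   $f"; return 2; }
    if key_is_encrypted "$f"; then
        echo "ENCRYPTED $f (server will ask for the pass phrase at start)"
    elif key_perms_ok "$f"; then
        echo "OK        $f (unencrypted, owner-only access)"
    else
        echo "EXPOSED   $f (unencrypted and accessible to group/other)"
        return 1
    fi
}

# Demo on constructed files: PEM framing only, no real key material.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,0000000000000000' \
        '' 'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$d/enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$d/plain.key"
    chmod 644 "$d/plain.key"
    audit_key "$d/plain.key" || echo "  -> tighten with chmod 0600"
    chmod 600 "$d/plain.key"; audit_key "$d/plain.key"
    chmod 644 "$d/enc.key";   audit_key "$d/enc.key"
    rm -rf "$d"
}
demo
```

Setting `umask 077` before writing the decrypted key means the file is never created with wider permissions than the later `chmod 0600` grants.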
Re: syslog messages
Just an attempt at a very old syslog exploit that has since been fix'd...

Jeremy

On Thu, Feb 21, 2002 at 09:02:13AM +0800, Marcel Welschbillig wrote:

Hi,

I'm getting these strange entries in my syslog file. Can anyone shed some light on what this means?

Feb 21 14:03:35 jbeam
Feb 21 14:03:35 jbeam syslogd: Cannot glue message parts together
Feb 21 14:03:35 jbeam /sbin/rpc.statd[198]: gethostbyname error for ^XF7FF BF^XF7FFBF^YF7FFBF^YF7FFBF^ZF7FFBF^ZF7FFBF^[F7 FFBF^[F7FFBF%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220 \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Feb 21 14:03:35 jbeam C7^F/binC7F^D/shA0C0\210F^G\211v^L\215V^P\215N^L\2 11F3B0^KCD\200B0^ACD\200E8\177FF

Thanks in advance!

Marcel
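Detection logic for the kind of entry quoted above, as an added example that is not part of the original thread: it flags syslog lines in which a logged hostname carries printf-style conversions (above all `%n`) or a run of syslog-escaped `\220` bytes. The function names, the thresholds and the sample lines are assumptions made for this example; the sample log is constructed and shortened.

```shell
#!/bin/sh
# Constructed sample syslog lines (shortened; not copied from a real host).
sample_log() {
cat <<'EOF'
Feb 21 14:03:35 host1 /sbin/rpc.statd[198]: gethostbyname error for %8x%8x%8x%236x%n%137x%n\220\220\220\220\220\220\220\220
Feb 21 14:03:36 host1 /sbin/rpc.statd[198]: gethostbyname error for nfsclient.example.org
Feb 21 14:03:40 host1 sshd[412]: Accepted publickey for admin from 192.0.2.10 port 50022
Feb 21 14:04:02 host1 diskmon[77]: usage at 91% on /var, 4% inodes
EOF
}

# Read syslog lines on stdin and print one ALERT line per suspicious entry.
# Indicators (thresholds are assumptions of this example):
#   - any %n conversion: it writes to memory and never belongs in a hostname
#   - three or more %x / %n style conversions in a single message
#   - eight or more syslog-escaped 0x90 bytes (\220), i.e. x86 NOP padding
scan_log() {
awk '
{
    s = $0
    # gsub with "&" puts each match back unchanged and returns the match count
    pct_n = gsub(/%[0-9]*n/, "&", s)
    convs = gsub(/%[0-9]*[xn]/, "&", s)
    nops  = gsub(/\\220/, "&", s)

    why = ""
    if (pct_n > 0)  why = why " %n-conversion"
    if (convs >= 3) why = why " format-directives=" convs
    if (nops >= 8)  why = why " nop-bytes=" nops

    if (why != "") {
        src = ($5 ~ /rpc\.statd/) ? "rpc.statd" : "other"
        printf "ALERT line=%d source=%s reasons:%s\n", NR, src, why
    }
}'
}

sample_log | scan_log
```

A lone percent sign, as in the `diskmon` line, is not a conversion and is not flagged.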
Re: ssh ip address
Have you taken a look at the environment variables that get set when you log in over SSH? For me I find I have a variable appropriately call'd SSH_CLIENT that contains the IP address, local port, and remote port... A simple

IP=$(echo ${SSH_CLIENT} | awk '{print $1}')

inside your script should get what you want...

Jeremy

On Tue, Feb 19, 2002 at 05:35:13PM -0300, Eduardo J. Gargiulo wrote:

Hi all.

Is there any way to obtain the IP address of a ssh client and use it on a shell script? I want to put a crontab like ssh server script but I need the IP address I'm connecting from in the shell script and the address is assigned dynamically.

thanks

~ejg
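The extraction suggested in the reply above, as an added example that is not part of the original thread: it takes the first field of `SSH_CLIENT` (falling back to `SSH_CONNECTION`, whose first field is also the client address), validates it before use, and reports separately when no SSH session exists, which is the case for a job started by cron. The function names are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added example: read the peer address that sshd exports, and validate it
# before a script uses it (in a firewall rule, a log line, a DNS update).

# Strict dotted-quad check: four decimal octets, each 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Loose IPv6 check: only hex digits, colons and dots, at least one colon.
valid_ipv6() {
    case $1 in
        *[!0-9a-fA-F:.]*) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the client address. Argument 1 (optional) overrides the environment,
# which makes the function testable. Exit 1: no SSH session; 2: malformed.
ssh_client_ip() {
    src=${1-${SSH_CLIENT:-${SSH_CONNECTION:-}}}
    [ -n "$src" ] || return 1
    ip=${src%% *}
    if valid_ipv4 "$ip" || valid_ipv6 "$ip"; then
        printf '%s\n' "$ip"
    else
        return 2
    fi
}

# Constructed sample values (documentation address ranges).
for sample in '192.0.2.44 51234 22' '2001:db8::7 40000 22' '999.1.1.1 5 22' ''; do
    if ip=$(ssh_client_ip "$sample"); then
        echo "client: $ip"
    else
        echo "rejected (status $?): '$sample'"
    fi
done
```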
Re: iptables with a linux bridge
If I'm not mistaken I believe the bridging code runs before the firewall code so the bridging by-passes the firewall filters completely... Please if I'm incorrect in this would someone care to correct me but that is what information I've found through my research on the subject...

Jeremy

On Wed, Nov 28, 2001 at 05:48:52PM +0100, François Bayart wrote:

Hi,

I've installed a linux bridge with 2.4.14 kernel and the bridge-utils packages

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig br0 62.4.8.2 netmask 255.255.255.0 broadcast 62.4.8.255

That correctly works but now I would like create some filtering rules and I try with iptables and it doesn't work

ex, just drop the icmp :

iptables -F INPUT
iptables -P INPUT ACCEPT
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT
iptables -F FORWARD
iptables -P FORWARD ACCEPT
iptables -A FORWARD -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
iptables -A INPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
iptables -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
iptables -t mangle -A PREROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
iptables -t mangle -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
iptables -t nat -A POSTROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
iptables -t nat -A PREROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
iptables -t nat -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
iptables -N br0
iptables -A br0 -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
iptables -A br0 -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
iptables -A FORWARD -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
iptables -A INPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0

and I can ping without problem, I have tried all rules because I don't understand the problem, normally I don't have NAT in this network.

So if someone can give me a solution or informations

thx

Francois

---
François Bayart
Re: red worm amusement
Wichert Akkerman was said to been seen saying:

For amusement I checked the web logs for a few debian machines to see if they had some red worm attempts. Seems we've been probed a fair bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18 on www.debian.org. Almost all attempts were made on July 19. Aren't we glad we all run Linux? :)

My one web server has over 40 logged attempts all from unique host addresses/IP addresses... Makes me laugh at the stupid IIS exploits that so many execs order unwilling admins to install :) Scratch another win for Linux...

Respectfully,
Jeremy T. Bouse

--
Jeremy T. Bouse, CCNA - UnderGrid Network Services, LLC - www.UnderGrid.net
Public PGP/GPG fingerprint and location in headers of message
If received unsigned (without requesting as such) DO NOT trust it!
NIC Whois: JB5713
Re: Snort
Snort actually dumps the raw packet details into log files in the /var/log/snort directory... These can be open'd using Ethereal and you are able to take a closer look at the packets themselves with relative ease...

Respectfully,
Jeremy T. Bouse

dude was said to been seen saying:

Is there any way to get snort to send more than daily reports from snort? I've looked and can't find the answer.

Thanks,
G
Re: Snort
There are probably others out there that can read the snort logs as they are merely tcpdumps of the offending packets but I have found that Ethereal is very handy and convenient for examining them... So that's my personal choice... If you find another app that views and interprets the packet logs like Ethereal mention it and I'll take a look at it...

Respectfully,
Jeremy T. Bouse

dude was said to been seen saying:

On Tue, 10 Jul 2001, Jeremy T. Bouse wrote:

Snort actually dumps the raw packet details into log files in the /var/log/snort directory... These can be open'd using Ethereal and you are able to take a closer look at the packets themselves with relative ease...

So I should use Ethereal to look at way dumps?

G