Re: howto block ssh brute-force
Hi!

> Maybe there is a way to temporarily block ips upon such attempts (is
> this a FAQ?), or maybe divert them like what portsentry does for
> portscans?

A friend recommended http://www.csc.liv.ac.uk/~greg/sshdfilter/ but I didn't try it myself. It runs as a daemon and blocks the IP if several non-existent users have been tried. A logfile looks like this:

Jan 17 21:27:12 localhost sshd[14378]: Failed keyboard-interactive/pam for root from :::xx.xx.xx.xx port 53273 ssh2
Jan 17 21:27:12 localhost sshdfilt[14377]: Chanced xx.xx.xx.xx, tries=2
Jan 17 21:27:12 localhost sshd[14378]: Postponed keyboard-interactive for root from :::xx.xx.xx.xx port 53273 ssh2
Jan 17 21:27:16 localhost sshd[14378]: Connection closed by :::xx.xx.xx.xx
Jan 17 21:27:23 localhost sshdfilt[14377]: Illegal user name, instant block of xx.xx.xx.xx
Jan 17 21:27:23 localhost sshd[14378]: Illegal user admin from :::xx.xx.xx.xx
Jan 17 21:27:23 localhost sshd[14378]: input_userauth_request: illegal user admin
Jan 17 21:27:23 localhost sshd[14378]: Failed none for illegal user admin from :::xx.xx.xx.xx port 53289 ssh2

where xx.xx.xx.xx is the IP address of the offender.

Bye
  Hansi

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
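The blocking policy visible in the log excerpt above (a try counter per address, and an instant block on an illegal user name), sketched as an added example; this is not sshdfilter's code and not part of the original message. The threshold MAX_TRIES, the function names and the sample lines (documentation addresses) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the excerpt above; the 21:27:40 line
# carries a user name that itself contains " from <address>".
SAMPLE_LOG = """\
Jan 17 21:27:12 localhost sshd[14378]: Failed keyboard-interactive/pam for root from ::ffff:192.0.2.10 port 53273 ssh2
Jan 17 21:27:16 localhost sshd[14378]: Connection closed by ::ffff:192.0.2.10
Jan 17 21:27:23 localhost sshd[14380]: Illegal user admin from ::ffff:198.51.100.7
Jan 17 21:27:23 localhost sshd[14380]: Failed none for illegal user admin from ::ffff:198.51.100.7 port 53289 ssh2
Jan 17 21:27:40 localhost sshd[14385]: Illegal user a from 203.0.113.5 from ::ffff:198.51.100.7
Jan 17 21:28:01 localhost sshd[14391]: Failed password for root from ::ffff:192.0.2.10 port 53301 ssh2
Jan 17 21:28:09 localhost sshd[14391]: Failed password for root from ::ffff:192.0.2.10 port 53301 ssh2
Jan 17 21:29:30 localhost sshd[14402]: Failed password for hansi from ::ffff:203.0.113.5 port 40022 ssh2
"""

SSHD = re.compile(r" sshd\[\d+\]: (.*)$")
# Anchored at the end with a greedy user-name match, so the address is always
# the last "from" field that sshd wrote, never text taken from the user name.
ILLEGAL = re.compile(r"^(?:Illegal|Invalid) user .* from (?P<ip>\S+)$")
FAILED = re.compile(r"^Failed \S+ for (?P<bad>(?:illegal|invalid) user )?.*"
                    r" from (?P<ip>\S+) port \d+ ssh2$")
MAX_TRIES = 3  # assumed threshold, not taken from sshdfilter


def normalize(addr):
    """Canonical address string (IPv4-mapped IPv6 unwrapped), or None if invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return str(getattr(ip, "ipv4_mapped", None) or ip)


def addresses_to_block(log_text, max_tries=MAX_TRIES):
    """Map each address that should be blocked to the reason for the block."""
    tries, blocked = Counter(), {}
    for line in log_text.splitlines():
        sshd = SSHD.search(line)
        msg = sshd.group(1) if sshd else ""
        illegal, failed = ILLEGAL.match(msg), FAILED.match(msg)
        hit = illegal or failed
        ip = normalize(hit.group("ip")) if hit else None
        if ip is None:
            continue  # not an sshd auth line, or no parsable address
        if illegal:
            blocked.setdefault(ip, "illegal user")
        elif not failed.group("bad"):  # illegal-user failures are counted once above
            tries[ip] += 1
            if tries[ip] >= max_tries:
                blocked.setdefault(ip, f"{tries[ip]} failed logins")
    return blocked
```

The returned mapping would feed whatever does the actual blocking (a packet-filter rule or hosts.deny entry); that step is left out here.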
Re: [SECURITY] [DSA 922-1] New Linux 2.6.8 packages fix several vulnerabilities
Hi!

On Wednesday, 14.12.2005, 23:34 +0100, Martin Schulze wrote:
> [...]
> Debian Security Advisory DSA 922-1 [EMAIL PROTECTED]
> [...]
> CVE IDs: CVE-2004-2302 CVE-2005-0756 CVE-2005-0757 CVE-2005-1265
> CVE-2005-1761 CVE-2005-1762 CVE-2005-1763 CVE-2005-1765
> CVE-2005-1767 CVE-2005-2456 CVE-2005-2458 CVE-2005-2459
> CVE-2005-2548 CVE-2005-2801 CVE-2005-2872 CVE-2005-3105
> CVE-2005-3106 CVE-2005-3107 CVE-2005-3108 CVE-2005-3109
> CVE-2005-3110 CVE-2005-3271 CVE-2005-3272 CVE-2005-3273
> CVE-2005-3274 CVE-2005-3275 CVE-2005-3276

Do you know if these vulnerabilities are resolved in the current linux-source-2.6.12-10? Could you please point me to a location where I can find out if all these CVEs have been addressed in the current kernel sources?

Thanks
  Hansi
Re: local root exploit
Hi!

> Christophe Chisogne wrote:
> > Vladislav Kurz wrote:
> >
> >> mount -t tmpfs tmpfs /dev/shm
> >
> > With or without that, it fails with
>
> Oups, I'm sorry, it really works, with /dev/shm mounted :(
> but for about 10% of executions. (yes, 'again' was the keyword)
>
> > Tested with 2.4.27-1-686 (2004-09-03)
> > compiled with gcc (GCC) 3.3.5 (Debian 1:3.3.5-5)
> > and 2.4.27 kernel headers
> > (-I/usr/src/kernel-source-2.4.27/include/)

I tried this too on a

Linux 2.4.23 #10 SMP Sat Jan 3 15:31:27 CET 2004 i686 GNU/Linux

and a

Linux 2.4.27 #1 Wed Dec 22 11:28:59 CET 2004 i686 GNU/Linux

machine and it didn't work on either. Not even when trying multiple times.

I want to warn you because both machines got hurt. Type dmesg and see that messages like

__alloc_pages: 0-order allocation failed (gfp=0x1d2/0)

are there. Additionally, and this is more harmful, lines like these

VM: killing process elflbl
VM: killing process syslog-ng
VM: killing process inetd
VM: killing process nmbd
VM: killing process bash

show that the memory manager killed some processes to free memory for elflbl. I'm not sure if this happened when I ran elflbl as root (accidentally) or as normal user but I guess on both.

Bye
  Hansi

--
Johann Glaser <[EMAIL PROTECTED]>
Vienna University of Technology
Electrical Engineering
http://www.johann-glaser.at/
AIDE Log improvement
Hi!

AIDE is quite nice to report added, changed and removed files. But in the (probably very long) list of new/changed files, one can't see what kind of file that is.

I'd like AIDE to tell me the type of the file, i.e. the result that "file(1)" gives. With that improvement, one can see in the log file if a new file is e.g. a C program or shell script in a log directory.

What do you think?

Bye
  Hansi

--
Johann Glaser <[EMAIL PROTECTED]>
Vienna University of Technology
Electrical Engineering
http://www.johann-glaser.at/
Re: Mergelist problem with security.debian.org_dists_woody_updates_main_binary-i386_Packages
Hi!

On Wed, 2003-07-23 at 10.03, Jeff wrote:
> Please forgive an apt newbie...
> If I have this line in my /etc/apt/sources.list:
>
> deb http://ftp.uk.debian.org/debian/ unstable main non-free contrib
>
> then
>
> > apt-get update
>
> E: Dynamic MMap ran out of room
> E: Dynamic MMap ran out of room
> E: Error occured while processing teapop-mysql (NewVersion1)
> E: Problem with MergeList
> /var/lib/apt/lists/security.debian.org_dists_woody_updates_main_binary-i386_
> Packages
> E: The package lists or status file could not be parsed or opened.
>
> Using Linux 2.4.21, 2G RAM 1G swap - free mem doesn't drop below 1.3G while
> apt-get is running.

Use the following line in your /etc/apt/apt.conf.d/70debconf

APT::Cache-Limit 12582912; // = 12*1024*1024

(http://katspace.net/computers/linux_tips.shtml)

Bye
  Hansi

--
Johann Glaser <[EMAIL PROTECTED]>
Vienna University of Technology
Electrical Engineering
http://www.johann-glaser.at/