Re: Large, constant incoming traffic

2004-05-13 Thread Lars Ellenberg
/ 2004-05-13 19:53:33 +0200
\ Kjetil Kjernsmo:
 On torsdag 13. mai 2004, 19:32, Robert Jakubowski wrote:
  The best way to see what is going on is to dump the traffic to a file
  and analyse it. Tcpdump and ethereal are great tools for that
  purpose.
 
 Great! Reagan Blundell also told me about them offline. 
 
  Ethereal will make the job easier and should give you a 
  clue. If you are afraid the server has been compromised you have to
  use another computer to get reliable information. I don't know your
  network setup and what you have at disposal. If it is cable/DSL you
  could connect your server through a hub, hook up the other computer
  to the hub and do the dump (you may have to use a crossover cable
  between the modem and the hub).
 
 Yup. It's in server hosting at a provider, and I don't have physical 
 access there... So, I have no option but to do it remotely (or perhaps I 
 could if eth0 was promiscuous, but it isn't?).
 
 Anyway, what I see in tcpdump after filtering out my own ssh traffic, 
 and some DNS traffic (which might have something to do with it, but 
 makes a lot of noise), I see (easynet.no is my provider):
 
 19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
 19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]

ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
was infected, and now tries to compromise the world, and its own
subnet, where you happen to be in.

iirc there has been some worm targeting Microsoft SQL server early 2003,
maybe it is still active sometimes, maybe there is a new one.

you are safe, but this should show in some DROP or REJECT statistics.
have a look at the output of iptables -vnL

you want to tell the guy responsible for 217.77.34.162, and the
hostmaster at easynet.no, that they have a compromised machine, and
should take it offline.
and that you want them to pay for the traffic they are causing you.

Lars Ellenberg


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
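
As an added example (not part of the thread), the two checks this reply points at, done from the shell. The pattern in the capture, 376-byte UDP datagrams to port 1434 (the MS SQL resolution service), is exactly what the January 2003 SQL Slammer worm sends, so the first function pulls the offending sources out of tcpdump output; the second parses `iptables -vnL` and lists every DROP/REJECT rule whose counters are non-zero, which is where the noise should be landing if the firewall is doing its job. The tcpdump sample reuses the two lines posted above; the iptables listing, the chain layout and the interface name are constructed.

```sh
#!/bin/sh
# Added example, not from the original thread.

# Live use: only the worm traffic, without our own SSH and DNS noise.
capture_1434() {
    tcpdump -n -i eth0 'udp and dst port 1434'
}

# udp1434_sources: count UDP/1434 packets per source address from
# tcpdump's text output ("time src.port > dst.port: udp len ...").
udp1434_sources() {
    awk '
        $3 == ">" && $4 ~ /\.1434:/ {
            split($2, a, ".")
            src = a[1] "." a[2] "." a[3] "." a[4]
            c[src]++
        }
        END { for (s in c) print c[s], s }'
}

# report_drop_counters: from `iptables -vnL`, print
# "chain pkts bytes target proto source destination" for every DROP or
# REJECT rule that has actually matched something.  iptables abbreviates
# large counters with K/M/G, which expand() undoes.
report_drop_counters() {
    awk '
        function expand(v,   n) {
            n = v + 0
            if (v ~ /K$/) n *= 1024
            else if (v ~ /M$/) n *= 1024 * 1024
            else if (v ~ /G$/) n *= 1024 * 1024 * 1024
            return n
        }
        /^Chain /   { chain = $2; next }
        /^ *pkts /  { next }                       # column header
        NF >= 9 && ($3 == "DROP" || $3 == "REJECT") && expand($1) > 0 {
            printf "%s %d %d %s %s %s %s\n", chain, expand($1), expand($2), $3, $4, $8, $9
        }'
}

# constructed sample input: the two capture lines from the post ...
SAMPLE_TCPDUMP='19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]'

# ... and a made-up `iptables -vnL` listing
SAMPLE_IPTABLES='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1267  476K DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1434
    0     0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135 reject-with icmp-port-unreachable
  842   55K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

demo_sources()  { printf '%s\n' "$SAMPLE_TCPDUMP"  | udp1434_sources; }
demo_counters() { printf '%s\n' "$SAMPLE_IPTABLES" | report_drop_counters; }
```

`demo_sources` prints `2 217.77.34.162`; `demo_counters` prints the single INPUT DROP line with its counters expanded. The byte count from the counters is also what to quote to the provider when asking who pays for the traffic.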



Re: USB Stick, GPG and CryptoFS in a startup script

2004-04-28 Thread Lars Ellenberg
/ 2004-04-28 20:51:50 +0200
\ Clemens Bier:
 Hallo Goswin,
 
 Goswin von Brederlow schrieb:
 
  Clemens Bier <[EMAIL PROTECTED]> writes:
  
 
  <snip>
 cannot open '/dev/tty' : no such device or address 
 Error: Password must be at least 20 characters
  </snip>

 
 
 I think you need to redirect input from /dev/tty or /dev/console
 explicitly or you need to setup an utmp entry first (like login would
 do).
 
  
 
 Could you explain more precisely what you mean by utmp and /or explicit 
 redirecting?
 Looking at the line that starts with gpg, I try to redirect the input 
 from /dev/console.
  But I still get the same error. I do also get a cannot open '/dev/tty' : 
  no such device or address
  if I insert a debug statement like 'echo Debug > /dev/tty' into my 
  script.

try
 gpg --passphrase-fd 0 < /dev/console

Lars Ellenberg



Re: Checking what running program are using old libraries

2004-03-18 Thread Lars Ellenberg
/ 2004-03-18 11:07:18 +
\ Dale Amon:
 
 While we're on the subject, what is apache doing?
  apache  26756     root  mem  DEL  0,5  393216 /SYSV
  apache  26757 www-data  mem  DEL  0,5  393216 /SYSV
  apache  26758 www-data  mem  DEL  0,5  393216 /SYSV
 
 is it opening tmp files and immediately deleting 
 them like mailers do so they vanish if the program dies?

hint: SysV shared memory
man 3 mm

Lars Ellenberg
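
An added example, not from the thread: the question the thread started with, which running processes still map a library that was deleted or replaced by an upgrade, can be answered from the same `lsof` output. The `DEL ... /SYSV` entries Lars points at are SysV shared memory segments, not files, and have to be skipped; what matters are DEL entries whose name is a library path. The lsof lines below are constructed; the library path prefixes are an assumption.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Feed `lsof -n` output and get "pid command path" for every process that
# still has a DELeted library mapped, i.e. one that needs a restart.
stale_lib_maps() {
    awk '
        # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        # DEL entries have no NODE column, so the path is always the last field.
        $4 == "mem" && $5 == "DEL" {
            path = $NF
            if (path ~ /^\/SYSV/) next          # shared memory segment, not a file
            if (path ~ /^\/(usr\/|usr\/local\/)?lib/ || path ~ /\.so(\.|$)/) {
                key = $2 " " $1 " " path
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }'
}

# constructed lsof output: two shm segments, two stale libraries, one live one
SAMPLE_LSOF='COMMAND   PID     USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
apache  26756     root mem    DEL    0,5   393216      /SYSV00000000
apache  26757 www-data mem    DEL    0,5   393216      /SYSV00000000
apache  26757 www-data mem    DEL    8,1  1187008      /lib/libc-2.3.2.so
sshd    26801     root mem    DEL    8,1   923120      /usr/lib/libcrypto.so.0.9.7
sshd    26801     root mem    REG    8,1   923120 1234 /usr/lib/libz.so.1'

demo_stale_libs() { printf '%s\n' "$SAMPLE_LSOF" | stale_lib_maps; }
```

On a real box: `lsof -n | stale_lib_maps` right after `apt-get upgrade`, then restart what it lists. A daemon that still maps the old libcrypto keeps running the old, unpatched code no matter what `dpkg -l` says.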



Re: setting up iptables

2004-03-04 Thread Lars Ellenberg
/ 2004-03-04 17:14:50 +0200
\ Costas Magkos:
 Hi all,
 
 Can someone give me some best-practices for setting up iptables on a 
 Debian system? I'm looking for things like where should the rules be 
 placed, what startup script to use [1], good configuration tools [2] and 
 so on. URLs are appreciated, I dont mind reading :-)
 
  I'm currently setting up iptables on a single-server environment (no 
 routing), but since I will be using iptables a lot, general concepts are 
 also welcome.

If you like editing config files more than clicking some colorful frontend,
you may want to have a look at SuSEfirewall2 by Marc Heuse.
[Note the 2. And, btw, current version of it is 3.1 :)]

This is only a bash script wrapper for iptables
with a well commented configuration file.
It should work with little effort on Debian, too.

I like it. Much brainwork went in it. I'd love to see something
similar (based on it?) in Debian.

AFAIK, the most recent version
can be found here, and on the suse mirrors of course:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/noarch/SuSEfirewall2.rpm
(I don't know of any tgz, sorry,
 but there is rpm2cpio * | cpio --extract --make-dir )

Lars Ellenberg



Re: setting up iptables

2004-03-04 Thread Lars Ellenberg
/ 2004-03-04 19:17:10 +0100
\ Marcus Frings:
  If you like editing config files more than clicking some colorful frontend,
  you may want to have a look at SuSEfirewall2 by Marc Heuse.

  I like it. Much brainwork went in it. I'd love to see something
  similar (based on it?) in Debian.
 
 Have a look at `firehol'. Available in sid but it can also be used for
 woody. Upstream source is http://firehol.sourceforge.net/

YES! Nice one. Thank you for the pointer.
I'm not so sure whether I like the default ACCEPT during activation.
But this was only a first glance at this amazing script.

Lars Ellenberg
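
An added example, not from the thread and not firehol's code: what avoiding the "default ACCEPT during activation" Lars dislikes looks like in a plain iptables loader. The policies are set to DROP before anything is flushed, so there is never a moment with open policies and no rules; the ESTABLISHED rule keeps an existing SSH session alive across a reload. The rule set is an assumed single-host configuration; `IPT="echo iptables"` turns it into a dry run.

```sh
#!/bin/sh
# Added example, not from the original thread.
IPT=${IPT:-iptables}

fw_load() {
    ext=${1:-eth0}                     # assumed external interface
    # 1. close the door first ...
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # 2. ... so that flushing the old rules cannot expose the host
    $IPT -F
    $IPT -X
    # 3. the actual rules
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -i "$ext" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT  -i "$ext" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # log what falls through, rate limited so a flood cannot fill the disk
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# fw_dry_run: print the commands instead of executing them
fw_dry_run() { ( IPT="echo iptables"; fw_load "$@" ); }

# policy_before_flush: "yes" when no -P comes after the first -F,
# i.e. the loader never runs with open policies and an empty rule set
policy_before_flush() {
    fw_dry_run | awk '
        $2 == "-F"            { flushed = 1 }
        $2 == "-P" && flushed { late = 1 }
        END { print (late ? "no" : "yes") }'
}
```

The unsafe variant is the same script with steps 1 and 2 swapped, which is what many init scripts of the time did: flush, then build, and only set `-P DROP` at the end.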



Re: Mail processing tool

2004-01-25 Thread Lars Ellenberg
/ 2004-01-25 11:06:08 -0700
\ s. keeling:
  This sounds like an ideal job for the combination of the rather
  appropriately named tools fetchmail and procmail, which - to no big
  surprise - are suitable to fetch and process mail.
 
 Agreed.  Add on gnupg for signature verification and decryption
 (perhaps callable by procmail).
 
 I'm not surprised there isn't one monolithic tool to do what you ask;
 you're asking a lot.  Chaining one existing specific tool after
 another to build up your overall system is the way to go.

maybe below helps ;)

Lars Ellenberg

# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--

#!/bin/bash

# Example proof of concept script to sign and encrypt a bash script,
# decrypt it, and execute it when it verifies ok.
#
# you obviously want to add some error handling, archive and log functionality,
# and work in some exclusive, (maybe `mktemp -d`ed ?) directory.
#
# of course you want to have more than one key, and a more
# interesting passphrase ...
#
# copyleft today, no rights reserved ;)
#

KEYRING=./foo
GPGOP="--no-default-keyring --keyring $KEYRING.pub --secret-keyring $KEYRING.sec"
MANTRA=abc
REALNAME="Joe Tester"
EMAIL=[EMAIL PROTECTED]
COMMENT="with stupid passphrase"

SAMPLE_SCRIPT=./dummy-script

umask 077
export LANG=
export PATH=/bin:/usr/bin

#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#

#
# CAREFUL! this does rm $KEYRING.*
#
gen_key()
{
rm $KEYRING.*
cat <<-___ > $KEYRING.mantra
$MANTRA
___
cat <<-___ | gpg --batch --gen-key
%echo Generating a standard key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: $REALNAME
Name-Comment: $COMMENT
Name-Email: $EMAIL
Expire-Date: 0
Passphrase: $MANTRA
%pubring $KEYRING.pub
%secring $KEYRING.sec
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
___
}

encrypt()
{
10<$KEYRING.mantra \
gpg $GPGOP --passphrase-fd 10 --no-encrypt-to --batch \
-u "$REALNAME" -r "$REALNAME" \
--sign --encrypt --armor --output - $1
}

decrypt()
{
10<$KEYRING.mantra \
gpg $GPGOP --passphrase-fd 10 --decrypt --batch $1
}



# gen_key    # <=== uncomment for the first run


PUBID=`gpg $GPGOP --with-colons --list-keys "$REALNAME" | grep ^pub: | head -1 | cut -d: -f 5`
SECID=`gpg $GPGOP --with-colons --list-keys "$REALNAME" | grep ^sub: | head -1 | cut -d: -f 5`
GPGOP="$GPGOP --trusted-key $SECID"

#
# this is used later to verify the authenticity of the message.
# you may need to adjust it if your gpg version has a different
# output format. This is for gpg (GnuPG) 1.0.7
#
CREATION_DATE=* # put here the creation date, if you like
EXPECTED_GPG_OUTPUT="\
gpg: encrypted with 1024-bit ELG-E key, ID ${SECID: -8}, created $CREATION_DATE
      \"$REALNAME ($COMMENT) <$EMAIL>\"
gpg: Signature made * using DSA key ID ${PUBID: -8}
gpg: Good signature from \"$REALNAME ($COMMENT) <$EMAIL>\""


#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#

#
# prepare a demo script
# 
rm $SAMPLE_SCRIPT{,.asc,.clear}
cat <<-'___' > $SAMPLE_SCRIPT
echo executing dummy-script
echo " as $0 $*"
echo done.
___

#
# encrypt it
#
encrypt $SAMPLE_SCRIPT > $SAMPLE_SCRIPT.asc

#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#
# mail it: mail -s asdf $TARGET < $SAMPLE_SCRIPT.asc 
# the nice thing about gpg -se --armor is, that the gpg --decrypt
# later ignores the additional mail headers...
#
# receive it: fetchmail ...
#
# if you choose to let fetchmail deliver into maildir, you
# can simply have a daemon process check ./new/ every so often,
# then process every single file, and move it to ./cur/ if you are
# done with it...
#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#
# now:

#
# decrypt it, capture the gpg output (stderr), plaintext goes to the file
#
OUTPUT=`decrypt $SAMPLE_SCRIPT.asc 2>&1 > $SAMPLE_SCRIPT.clear`

# unquoted right hand side: pattern match, so the * in the expected
# output act as wildcards
if [[ $OUTPUT == $EXPECTED_GPG_OUTPUT ]] ; then
# maybe you rather choose to:
# /bin/bash -e $SAMPLE_SCRIPT.clear   
/bin/bash $SAMPLE_SCRIPT.clear
# don't forget to cleanup now
exit 0
else
exec 1>&2
echo =
echo "$OUTPUT"
echo =
echo FAILED
# don't forget to cleanup now
exit 77 # which according to /usr/include/sysexits.h is EX_NOPERM
fi
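
An added example, not part of Lars's script: the go/no-go decision above rests on matching gpg's human-readable stderr against a pattern, which the script itself admits is tied to one gpg version. gpg's `--status-fd` output (`[GNUPG:] KEYWORD ...`, documented in doc/DETAILS) is the stable interface for exactly this. The function below accepts a message only if it decrypted cleanly, carries a good signature, the signing key is trusted, and its full fingerprint is on an allow-list; pinning the fingerprint rather than the 8-digit key ID matters because short key IDs are cheap to collide. The status lines fed to it here are constructed and the fingerprints are made up.

```sh
#!/bin/sh
# Added example, not from the original script.
# Real use:
#   gpg --status-fd 3 --batch --decrypt msg.asc 3>status.txt >msg.clear
#   [ "$(verify_status "$ALLOWED" < status.txt)" = ok ] && bash msg.clear
#
# Status keywords used (assumed from doc/DETAILS):
#   DECRYPTION_OKAY          ciphertext decrypted (and MDC verified)
#   GOODSIG <keyid> <uid>    signature verified
#   BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG   signature bad, unverifiable,
#                            or from an expired/revoked key
#   VALIDSIG <fpr> ...       full fingerprint of the signing key
#   TRUST_FULLY/TRUST_ULTIMATE   trust level of that key

# allow-list of full fingerprints, whitespace separated (made-up value)
ALLOWED='6A2E8F19D3C4B5A6F7E8D9C0B1A2F3E4D5C6B7A8'

verify_status() {
    awk -v allowed="$1" '
        $1 != "[GNUPG:]" { next }                # ignore anything else on the fd
        $2 == "DECRYPTION_OKAY" { decrypted = 1 }
        $2 == "GOODSIG"         { goodsig = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG"        { fpr = $3 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        END {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == fpr) listed = 1
            print (decrypted && goodsig && !bad && trusted && listed) ? "ok" : "fail"
        }'
}

# constructed status output for a message signed with the allowed key ...
SAMPLE_OK='[GNUPG:] ENC_TO 1A2B3C4D5E6F7081 16 0
[GNUPG:] GOOD_PASSPHRASE
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] GOODSIG 9C0B1A2F3E4D5C6B Joe Tester (with stupid passphrase) <joe@example.invalid>
[GNUPG:] VALIDSIG 6A2E8F19D3C4B5A6F7E8D9C0B1A2F3E4D5C6B7A8 2004-01-25 1074990000
[GNUPG:] TRUST_ULTIMATE
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION'

# ... and for one with a perfectly good signature from some other key
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 1122334455667788 Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2004-01-25 1074990000
[GNUPG:] TRUST_FULLY
[GNUPG:] DECRYPTION_OKAY'

demo_good()      { printf '%s\n' "$SAMPLE_OK"        | verify_status "$ALLOWED"; }
demo_wrong_key() { printf '%s\n' "$SAMPLE_OTHER_KEY" | verify_status "$ALLOWED"; }
```

The second sample is the case a pattern match on "Good signature from" gets wrong: the signature is good, it is just not from anyone who is allowed to run code on this box.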



Re: gpg -- duplicated key -- how to get rid of it?

2004-01-10 Thread Lars Ellenberg
/ 2004-01-10 15:03:46 +0100
\ Lukas Ruf:
 
 when I switched from my pgp 2.x installation a couple of years ago,
 obviously I made a mistake, at least I do not know what I made
 wrong...
 
 However, I get the following message all the time I refresh-keys:
 
 uccellina:~/Conf!80 gpg --refresh-keys [EMAIL PROTECTED]
 gpg: refreshing 1 key from wwwkeys.ch.pgp.net
 gpg: key D20BA2ED: duplicated user ID detected - merged
 gpg: key D20BA2ED: Lukas Ruf (PGP 2.x) [EMAIL PROTECTED] not changed
 gpg: Total number processed: 1
 gpg:  unchanged: 1
 
 I fiddled around with 'edit-key' -- but could not manage to get rid of
 the duplicated user ID.
 
 So, my question: does anyone know
 a) what I did the wrong way?
 b) what I need to do to get rid of this error?

make a backup of your key ring
read /usr/share/doc/packages/gpg/DETAILS or wherever that is on your box, 
try gpg --list-keys --with-colons, which should make it easier to
find what exactly may be wrong
use gpg --delete-key fingerprint
to get rid of the key, if you really mean it

if unlikely and inconvenient, it still may be legal to have
duplicate UIDs ... 

Lars Ellenberg



Re: Apache question

2003-11-12 Thread Lars Ellenberg
/ 2003-11-12 13:48:40 +0100
\ Eduard Ballester:
 Hi
 
 We have a lot of strange log entry in our NetScreen FireWall:
 
 Nov 12 11:42:51 172.20.125.1 NSNAME: NetScreen device_id=NSNAME 
 [MYISP]system-notification-00257(traffic): start_time=2003-11-12 
 11:42:10 duration=0 policy_id=51 service=tcp/port:20158 proto=6 src 
 zone=Trust-XXX dst zone=Untrust action=Deny sent=0 rcvd=0 
 src=62.XX.YYY.ZZZ dst=80.58.50.239 src_port=80 dst_port=20158
 
 
 * 62.XX.YYY.ZZZ is a server with Apache1.3.x that it only serves static 
 pages.
 * All the NICs have Public IP Address.
 
 
 Internet
   |
   |
 NetScreen
   |
   |
 Alteon(load balance)
   |_
   |   |   | |
 Apache1  ...   ApacheN
 
 
 
 Do you know why Apache has this behavior? Why Apache initiates the 
 connections with  src_port 80 and random dst_port?

blind guess:
the http queries come in with random source port, dst port 80,
and dst IP of your load balancer, which redirects to one of the
apaches. apache replies with src port 80, and the random
dst port of the http client, but the load balancer *fails* to map
back the apache IP.
so your netscreen sees traffic without ever seeing the tcp
handshake for this pair of IP:port-IP:port.

Lars Ellenberg



Re: SYN rate statistics.

2003-11-06 Thread Lars Ellenberg
 How  to determine normal/peak rate of packets with SYN to my
 debian box, for using this value in iptables limit match.

tcpdump plus perl?
binary search with iptables limit and LOG target? 
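
An added example, not from the thread: the "tcpdump plus perl" route in awk. The capture filter keeps only packets with SYN set and ACK clear, i.e. new connection attempts; `-tt` gives epoch timestamps that bucket per second, and the parser reports the peak and mean rate, which are the numbers `-m limit --limit` and `--limit-burst` should be derived from. The tcpdump lines below are constructed; the interface name is assumed.

```sh
#!/bin/sh
# Added example, not from the original thread.

capture_syns() {
    # -tt: epoch timestamps; filter: SYN without ACK = connection attempts
    tcpdump -n -tt -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
}

# syn_rate: read `tcpdump -tt` lines, print
#   "peak <max SYN/s> mean <SYN/s over busy seconds> seconds <busy seconds>"
# A second with no SYN at all is not counted, so mean is the rate while
# there was traffic, which is the conservative number for a limit rule.
syn_rate() {
    awk '
        { c[int($1)]++; total++ }
        END {
            for (s in c) { n++; if (c[s] > peak) peak = c[s] }
            printf "peak %d mean %.1f seconds %d\n", peak, (n ? total / n : 0), n
        }'
}

# constructed capture: three attempts in one second, then one, then one
SAMPLE_SYNS='1068073200.103 198.51.100.7.40122 > 203.0.113.10.80: S 1:1(0) win 5840
1068073200.411 198.51.100.8.51002 > 203.0.113.10.80: S 1:1(0) win 5840
1068073200.977 198.51.100.9.33211 > 203.0.113.10.22: S 1:1(0) win 5840
1068073201.220 198.51.100.7.40123 > 203.0.113.10.80: S 1:1(0) win 5840
1068073203.505 198.51.100.12.60110 > 203.0.113.10.80: S 1:1(0) win 5840'

demo_syn_rate() { printf '%s\n' "$SAMPLE_SYNS" | syn_rate; }
```

Run `capture_syns | syn_rate` over a normal day and a known busy hour before picking a value; a limit below the real peak turns the rule into a self-inflicted denial of service. The binary search Lars mentions is the same measurement done by the kernel instead: `-p tcp --syn -m limit --limit N/s -j ACCEPT` followed by a LOG rule, then move N until the log goes quiet under normal load.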



Re: Possible buffer overflows = security problem?

2003-09-05 Thread Lars Ellenberg
/ 2003-09-05 16:47:30 +0200
\ Frank Lichtenheld:
 Hi.
 
 I recently adopted the magpie package (It reads in Packages files and
 produces HTML output)
 
 It was un/undermaintained a long time and has no separate upstream.
 While looking in the code to fix some outstanding bugs I found
 several code pieces like
 
 char path[256];
 sprintf( path, some string/%s, packagename);
 
 There are no further checks as I can see. I'm not very experienced in C
 programming and don't know much about the details of exploiting buffer
 overflows or the like...
 
 Is such code (away from the fact that it can easily lead to segfaults) a
 security problem?

imho, yes.
that's why there is the
int snprintf(char *str, size_t size, const char *format, ...);
 ^   ^^
counterpart.

Lars Ellenberg

-- 
pls sign http://petition.eurolinux.org
against software patents in Europe!



Re: Simple e-mail virus scanner

2003-08-20 Thread Lars Ellenberg
On Wed, Aug 20, 2003 at 08:26:53AM +0400, ? ? wrote:
 Hello Noah,
 Does the same approach could be use with sendmail ? Any examples?
 
 NLM On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
  
  So, I'm wondering, does anybody know about any such approach?
 
 NLM After getting sick of all the virus crap in my inbox I installed the
 NLM following in /etc/exim/system_filter.txt:

[ snip nice long Content-Type: regexp for exim ]

I think sendmail can do similar, but I am not sure where to enable it...

for postfix though, have a look at man 5 pcre_table and regexp_table.

Lars Ellenberg



Re: OT: An Idea for an IDS

2003-07-01 Thread Lars Ellenberg
On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
 A daemon sits running in the background listening to a special device
 (/dev) or an IPC which would originate from syslog-ng.  This daemon
 would then parse the log and look for suspicious things.  If it found
 something suspicious it would use regular expression to grab out
 pertinent parts of the log (say the IP address) and act on the log
 accordingly (in real time) by say dropping an IPTABLE rule down on the
 IP address.

google for adaptive firewall, maybe you get some hits.
I remember some guardian project; but it was conceptually not that
convincing.

some combination of snort and perl script...

speaking of snort: wasn't there an option named react: block ?

btw, if you suck on syslog, anyone who is able to fake syslog entries
(and that's about any local user, and maybe some more), can easily DoS
arbitrary ips unless these are on a whitelist... no good!

hth,

Lars Ellenberg
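
An added example, not from the thread: the log-driven blocker described above, with the safeguard Lars asks for. Any local user can write a line that is byte-for-byte identical to sshd's (`logger -t 'sshd[999]' ...`), so the log tag proves nothing; what the blocker itself can do is refuse to touch a whitelist of addresses it must never block (itself, the gateway, the monitoring host) and sanity-check the extracted address so a crafted line cannot smuggle anything into the iptables command. That limits the damage but does not remove the problem: a forged line can still get any other address blocked. The log lines and whitelist are constructed; `IPT="echo iptables"` gives a dry run.

```sh
#!/bin/sh
# Added example, not from the original thread.
IPT=${IPT:-iptables}

# never block these (constructed: loopback, the box, its gateway, monitoring)
WHITELIST='127.0.0.1 203.0.113.10 203.0.113.1 198.51.100.50'

# block_candidates: read syslog lines on stdin, print one source address
# per failed login, skipping whitelisted addresses and anything that is
# not a plain dotted quad.
block_candidates() {
    awk -v wl="$WHITELIST" '
        BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) white[a[i]] = 1 }
        / sshd\[[0-9]+\]: Failed password for .* from / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            # four numeric octets in range, else the line is garbled or forged
            if (split(ip, o, ".") != 4) next
            for (j = 1; j <= 4; j++) if (o[j] !~ /^[0-9]+$/ || o[j] + 0 > 255) next
            if (ip in white) next
            if (!(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# block: one DROP rule per candidate
block() {
    block_candidates | while read -r ip; do
        $IPT -I INPUT -s "$ip" -j DROP
    done
}

# constructed log: a real brute-force source, a forged line naming the
# gateway, a forged line with shell metacharacters, and a normal login
SAMPLE_LOG='Jun 30 18:40:01 srv sshd[4711]: Failed password for root from 192.0.2.77 port 40122 ssh2
Jun 30 18:40:02 srv sshd[4711]: Failed password for root from 192.0.2.77 port 40123 ssh2
Jun 30 18:40:05 srv sshd[999]: Failed password for root from 203.0.113.1 port 1 ssh2
Jun 30 18:40:06 srv sshd[999]: Failed password for root from 1.2.3.4; rm -rf / port 1 ssh2
Jun 30 18:40:09 srv sshd[4720]: Accepted publickey for ian from 198.51.100.50 port 51000 ssh2'

demo_candidates() { printf '%s\n' "$SAMPLE_LOG" | block_candidates; }
demo_block()      { ( IPT="echo iptables"; printf '%s\n' "$SAMPLE_LOG" | block ); }
```

Two things a production version needs on top: rules must expire (a cron job that flushes the blocker's own chain), so a forgery costs someone connectivity for minutes rather than forever, and the daemon should read from a channel local users cannot write to, for instance sshd's own log destination, rather than from the shared syslog stream.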



Re: chroot, su and sudo

2003-06-16 Thread Lars Ellenberg
On Mon, Jun 16, 2003 at 10:22:49AM +0200, Mario Ohnewald wrote:
 I want to chroot a application/gameserver.

I played with pam_chroot recently...  unfortunately I found
not much documentation about its intended usage.  whether it
really suits my needs, I don't know yet.

I'd like to read your comments on this.

you'd need something like user game group game,
put into /etc/security/chroot.conf
game    /chroot/game
and into each pam service configuration which should use
this, e.g. /etc/pam.d/su
account optional pam_chroot.so debug
(whether optional is the right choice I don't know)
restrict access to the user with pam_access.

Lars



Re: Keeping files away from users

2003-06-05 Thread Lars Ellenberg
On Thu, Jun 05, 2003 at 09:30:51AM +0200, Luis Gomez - InfoEmergencias wrote:
 We'd like to protect that content, so that even if someone unplugs the machine 
 and connects the HD to another Linux box, they can't access that information. 
 Of course it's difficult to do, but we think there might be a possibility to 
 achieve success.

encrypted loop device?
with appropriate initrd you can even boot from encrypted root
/, swap , /etc ...

of course, you need to provide the passphrase on every boot, and if
someone has it, it's cleartext in any machine.

btw, has someone an estimate on how long brute force will
take on such a device to reveal the real data?

or keep an encrypted copy of all relevant files separately, and on
bootup / service startup you decrypt it temporarily to the correct
location, start the service, and unlink it again (after you wiped it
with garbage, of course ;-] ). (will probably not work if services try
to be smart and reread their conf files on a regular basis...)

Lars



Re: Have I been hacked?

2003-05-07 Thread Lars Ellenberg
On Wed, May 07, 2003 at 02:51:39PM +0100, Ian Goodall wrote:
 I am running a debian woody server and when I checked the last users
 yesterday I a large number of logins in the list. On running the command
 today I get the following:
 
 dev1:/home/ian# last
 ian  pts/0172.16.3.195 Wed May  7 14:49   still logged in
 team1pts/0blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
 
 I have run chkrootkit but nothing was found.
 
 I have never had this before. Am I being paranoid or is someone trying to
 cover up their tracks?

cronjob, logrotate?  ls -l /var/log/wtmp* 



Re: Secure remote syslogging?

2003-04-25 Thread Lars Ellenberg
On Thu, Apr 24, 2003 at 08:52:10PM +0200, Jose Luis Domingo Lopez wrote:

8< syslog-ng --> named pipe --> perl script --> ssh tunnel --> SQL DB

 destination d_logpipe { pipe("/tmp/pipe" owner("someone") template("\(
   '$HOST', '$ISODATE', '$FACILITY', +'$PRIORITY', '$MESSAGE' \)\n") ); };

you need syslog-ng >= 1.5.3 for the template to work, iirc.
and if you go thus far, why not
template("INSERT INTO logs VALUES ... \( ... \);\n"), and then simply
mysql -h 127.0.0.1 -... -D logs < /tmp/pipe ?
what about forged messages containing queries themselves?
logger -p kern.err "'); DELETE *.* FROM logs;#"  =]
you need to quote the input somehow.

so here my suggestion (despite the fact that you hit plenty stuff when
googling on that matter):
since the content of the other macros is well defined, 
and you use a perl script anyways, why not use
template("$HOST $ISODATE $FACILITY $PRIORITY $MESSAGE\n"), which can
be split on the spaces into its parts, and let perl do the quoting?

and, btw, why not just use the syslog format as is?
works with syslog (old generation), too.
(ok, with -og, and the default format, to preserve facility/priority
 you'd need to setup one pipe for each class you want to distinguish...)

and, if you don't mind, please use DBI/DBD::mysql
(or whatever DBD submodule you like).

old syslog.conf:
*.* |/some/fifo
-ng:
destination d_logpipe { pipe("/some/fifo"); };
  with $syslog_ng_template=0 below!
or 
destination d_logpipe { pipe("/some/fifo"
  template("$HOST $ISODATE $FACILITY $PRIORITY $MESSAGE\n")); };
  and set $syslog_ng_template=1 below.

use strict;
use DBI ();

my $syslog_ng_template=1;

my $driver="mysql";
my $sqlhost="127.0.0.1"; # possibly (ssh) tunnel to somewhere else
my $port=3306;
my $database="logs";
my $user="joseluis";
my $password="joseluis";
my ($sth,$dbh, $host,$time,$facility,$priority,$msg);

# RaiseError will raise an exception, i.e. die(), on errors.
# ->prepare(... ?,?,? ) and execute(arg1,arg2,...) will do the
# necessary quoting and interpolation for you, and even perform better.

sub try_connect() {
  # you may want to ping the db here
  # or eval { $dbh->disconnect } if $dbh;
  $dbh = DBI->connect("DBI:$driver:database=$database;host=$sqlhost;port=$port;",
                      $user,$password,
                      { RaiseError => 1 , AutoCommit => 1 });
  if ($syslog_ng_template) {
    $sth = $dbh->prepare("INSERT INTO logs.testbox "
                        ."(host,time,facility,priority,message) "
                        ."VALUES (?,?,?,?,?)");
  } else {
    $sth = $dbh->prepare("INSERT INTO logs.testbox "
                        ."(host,time,message) "
                        ."VALUES (?,?,?)");
  }
}

# you might want to move this into the eval below
open ( LOGPIPE, "< /tmp/pipe" ) or die "open LOGPIPE: $!\n";

while(1) { # forever
  eval { # catch db errors
    try_connect;
    while ( my $log = <LOGPIPE> ) {
      if ($syslog_ng_template) {
        ($host,$time,$facility,$priority,$msg) =
          $log =~ /^(\S+) (\S+) (\S+) (\S+) (.*)$/;
        $sth->execute($host,$time,$facility,$priority,$msg);
      } else {
        ($time,$host,$msg) = $log =~ /^(\S+ \S+ \S+) (\S+) (.*)$/;
        $sth->execute($host,$time,$msg);
      }
    }
  };
  warn($@) if $@;
}

 Hope it helps.
dito :)

Lars



Re: Removing invalid keys from keyring

2003-03-29 Thread Lars Ellenberg
On Sat, Mar 29, 2003 at 03:26:33PM +0100, Kjetil Kjernsmo wrote:
 On Thursday 27 March 2003 08:53, Lars Ellenberg wrote:
  On Wed, Mar 26, 2003 at 05:28:35PM +0100, Kjetil Kjernsmo wrote:
   Is there a way to remove revoked/expired and otherwise invalid or
   useless keys from a GPG keyring, in batch?
 
  well, I do not know how to automatically list only invalid keys.
 
 OK.
 
   #
   # edit that file, _delete_ every line corresponding to a _valid_ key
   #
 
 Eh, well, that's really the issue.  For with 4500 keys in that file, 
 that is going to take a long time... :-) So, that is the part that 
 needs automagicallization...


now, I read doc/DETAILS ...

 2. Field:  A letter describing the calculated trust. This is a single
letter, but be prepared that additional information may follow
in some future versions. (not used for secret keys)
o = Unknown (this key is new to the system)
i = The key is invalid (e.g. due to a missing self-signature)
d = The key has been disabled
r = The key has been revoked
e = The key has expired
q = Undefined (no value assigned)
n = Don't trust this key at all
m = There is marginal trust in this key
f = The key is full trusted.
u = The key is ultimately trusted; this is only used for
keys for which the secret key is also available.

 5. Field:  KeyID

so try if this reduces the number of invalid keys.
don't forget the cp -a ~/.gnupg{,.bak} 

gpg --list-public-keys --with-colons | grep -a '^pub:[idre]:' |
cut -d: -f5 | xargs -l gpg --batch --yes --delete-keys


hth
Lars


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
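The same selection written out as an added example (this is not Lars's code and not part of the original post). It keys on the validity letters quoted from doc/DETAILS above (i, d, r, e in field 2 of a pub record, key ID in field 5), and adds two things a practitioner would want before running a batch delete: it drops any key ID that also has a secret key (gpg will not delete such a public key, and those are yours anyway), and it only prints the list for review unless DO_DELETE=1 is set. The SAMPLE_PUBLIC and SAMPLE_SECRET listings are constructed, with placeholder key IDs, so the filter can be exercised without a keyring.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Select keys whose calculated validity (field 2 of a "pub" record in
# --with-colons output) is i, d, r or e, as listed in doc/DETAILS, and
# delete them only after review.  SAMPLE_PUBLIC / SAMPLE_SECRET are
# constructed listings with placeholder key IDs, not real keyring output.

# stdin: `gpg --list-public-keys --with-colons`; stdout: key IDs (field 5)
# of primary keys that are invalid, disabled, revoked or expired.
select_invalid_keyids() {
    awk -F: '$1 == "pub" && $2 ~ /^[idre]$/ { print $5 }'
}

# stdin: `gpg --list-secret-keys --with-colons`; stdout: secret key IDs.
select_secret_keyids() {
    awk -F: '$1 == "sec" { print $5 }'
}

# Print the candidate IDs in file $1 that do not appear in file $2.
# gpg refuses to delete a public key while its secret key is present
# (and an expired key of your own is one you want to keep anyway).
without_secret_keys() {
    if [ -s "$2" ]; then grep -vxF -f "$2" "$1"; else cat "$1"; fi
}

# Constructed sample listings (placeholder key IDs).
SAMPLE_PUBLIC='pub:f:1024:17:AAAA000011112222:2001-03-01::-:::scESC:
uid:f::::2001-03-01::0000000000000001::Valid User <valid@example.test>:
pub:e:1024:17:BBBB000011112222:1999-01-01:2002-01-01:-:::scESC:
uid:e::::1999-01-01::0000000000000002::Expired User <expired@example.test>:
pub:r:1024:17:CCCC000011112222:2000-06-01::-:::scESC:
pub:i:1024:17:DDDD000011112222:2000-06-01::-:::scESC:
sub:e:1024:16:EEEE000011112222:1999-01-01:2002-01-01::::e:
pub:u:1024:17:FFFF000011112222:2002-02-02::-:::scESC:'

SAMPLE_SECRET='sec::1024:17:FFFF000011112222:2002-02-02::::::::
sec::1024:17:CCCC000011112222:2000-06-01::::::::'

# Dry run over the constructed sample: prints the IDs that would be deleted.
sample_delete_list() {
    pub=$(mktemp) && sec=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PUBLIC" | select_invalid_keyids > "$pub"
    printf '%s\n' "$SAMPLE_SECRET" | select_secret_keyids > "$sec"
    without_secret_keys "$pub" "$sec"
    rm -f "$pub" "$sec"
}

# Real keyring: back up first, print the list, delete only with DO_DELETE=1.
purge_invalid_keys() {
    cp -a "$HOME/.gnupg" "$HOME/.gnupg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    pub=$(mktemp) && sec=$(mktemp) || return 1
    gpg --list-public-keys --with-colons | select_invalid_keyids > "$pub"
    gpg --list-secret-keys --with-colons | select_secret_keyids > "$sec"
    if [ "${DO_DELETE:-0}" = 1 ]; then
        without_secret_keys "$pub" "$sec" | xargs -r gpg --batch --yes --delete-keys
    else
        without_secret_keys "$pub" "$sec"
    fi
    rm -f "$pub" "$sec"
}
```

`purge_invalid_keys` alone prints the review list; `DO_DELETE=1 purge_invalid_keys` performs the deletion. Keys whose validity is o, q, or empty are deliberately left alone. `cp -a` and `xargs -r` are GNU options, which matches the `xargs -l` in the original pipeline.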




Re: Removing invalid keys from keyring

2003-03-27 Thread Lars Ellenberg
On Wed, Mar 26, 2003 at 05:28:35PM +0100, Kjetil Kjernsmo wrote:
 Is there a way to remove revoked/expired and otherwise invalid or 
 useless keys from a GPG keyring, in batch?

well, I do not know how to automatically list only invalid keys.
but you could do:
 # back up your keyring, in case something goes wrong ;)
 cp -a ~/.gnupg ~/.gnupg.bak
 # list all main pub keys
 gpg --list-public-keys | grep ^pub | sort > tmp.pubkey_list

 #
 # edit that file, _delete_ every line corresponding to a _valid_ key
 # 

 # now, remove all keys still in that file in one run
 cut -d " " -f 5- tmp.pubkey_list \
   | xargs -l gpg --batch --yes --delete-key

 # verify which keys are still there
 gpg --list-public-keys

hth
Lars





administrativa: moron autoreply from martin.j@sargas.nl

2003-03-27 Thread Lars Ellenberg

I got this autoreply on each of my recent posts to the list.
maybe someone in charge of it can remove this address from the list.

Lars

- Forwarded message from [EMAIL PROTECTED] -

Date: Thu, 27 Mar 2003 09:16:48 +0100
From: [EMAIL PROTECTED]
To: Lars Ellenberg [EMAIL PROTECTED]
Subject: Re: Re: Removing invalid keys from keyring

Dit e-mail adres bestaat niet

- End forwarded message -





Re: administrativa: moron autoreply from martin.j@sargas.nl

2003-03-27 Thread Lars Ellenberg
On Thu, Mar 27, 2003 at 01:36:31PM +0100, Sander Smeenk wrote:
 Quoting Lars Ellenberg ([EMAIL PROTECTED]):
 
  I got this autoreply on each of my recent posts to the list.
  maybe someone in charge of it can remove this address from the list.
 
  Dit e-mail adres bestaat niet
 
 This is dutch, and translates to 'This email address does not exist'.

I know. And that's the reason why I ask the list
(administrator) to unsubscribe [EMAIL PROTECTED]
otherwise I'd flame that address directly for autoreplying
to list posts.

Lars






Re: PTRACE Fixed?

2003-03-23 Thread Lars Ellenberg
On Sat, Mar 22, 2003 at 10:58:24AM -0800, Jon wrote:
 On Sat, 2003-03-22 at 04:43, Markus Kolb wrote:
  Jon wrote:
  
  [...]
  
  
  Linux kmod + ptrace local root exploit by [EMAIL PROTECTED]
  
  => Simple mode, executing /usr/bin/id > /dev/tty
  sizeof(shellcode)=95
  => Child process started..
  => Child process started..
  
  [...]
  
  Does this mean the patch I downloaded worked?
   
   
   Yes.
   
   - Jon
  
  Mmh, well, I have a non-patched 2.4.19 and so there should be the bug.
  I've tried the k3m, too.
  In my environment it first told me that my kernel is attackable.
  I ran k3m a 2nd and 3rd time and it has only reported the Child process 
  started... messages and produced child process zombies.
 

probably a timing issue, too.
I guess k3m has problems on fast machines.

Lars
 
 The exploit may need to start several child processes before one of
 them obtains root privileges.  If your kernel is vulnerable, you should
 get an ok! message after a few attempts (usually works the second or
 third time on my 2.4.20-k7 machine).  
 
 When run without arguments, the exploit just starts a process, checks
 its privileges, then kills the processes.  I have not noticed any
 zombie processes after running the exploit - even after running it
 several times.  If you *do* want it to start some processes, there are
 command-line options to do so.  
 
 
  What is that? Is k3m buggy? Very strange...
  
 
 Works great on my machine... unfortunately.  ;)
 
 - Jon






Re: iptables help to forward ports please

2003-03-20 Thread Lars Ellenberg
On Wed, Mar 19, 2003 at 11:26:10PM -0600, Hanasaki JiJi wrote:
 been trying to get the following to work for sometime input is most 
 appreciated
 
 
 internet =25= firewall iptablerule =port#x= internalSMTPhost
 
 how can the firewall be told to:
   take all incoming tcp port 25 traffic and send it to
   smtp host on port X

iptables .. redirect

 
   take all outgoing traffic from smtphost port25only
   and send it out to the internet on port 25

.. forward [ and masq ]

 
 Thank you.

but to me it seems more appropriate to use a simple store and forward
smtp daemon on the firewall.

Lars





Re: Telnet forwarding ??

2003-02-20 Thread Lars Ellenberg
On Wed, Feb 19, 2003 at 06:49:26PM -0800, Ted Parvu wrote:
 What I really meant to say was that there are a plenty of good computer
 security consultants in need of work.  You obviously have a need for
 corporate strength computer security.  If you want this done right, and
 why would you ever want to do computer security any other way, you will
 need to hire some talent.  Trolling for freebies on mailing lists is not
 the way to go.

Thank you, Sir!
 :)
Lars







Re: Telnet forwarding ??

2003-02-20 Thread Lars Ellenberg
On Thu, Feb 20, 2003 at 05:35:01AM +, Dale Amon wrote:
  win2000, probably the server variant...
  ... but thats a different problem ...
 
 I doubt it. FreeSWAN uses Linux kernel patches and
 kernel crypto.

I did not mean to say a problem with freeswan, but a problem with windows IPSec
solutions.  at least that is what I experienced.

 That said, FreeSWAN is about as ipsec compliant as anything.
yes.

 However beware: it's difficult to run FreeSWAN through NAT.

that's true. but it's doable.

Lars



Re: Telnet forwarding ??

2003-02-19 Thread Lars Ellenberg
On Wed, Feb 19, 2003 at 04:51:04PM -0600, George Smith wrote:
 The basic goal is to provide a SSH connection
 to a machine running mvBase. MvBase is a operating system
 running on top of windows NT4.0 or windows 2000. It is where
 our applications reside in a blob - they are
 not windows applications. When you connect
 to a mvBase telnet server you can do not have
 access to the windows world.


maybe I did not understand the question, but:
if you want an ssh connection to some machine, there obviously has to be an
ssh server on that side.
if you want an ssh connection TO the mvBase, you need an ssh server
implementation for mvBase, and install that. and you need an ssh client
on the client PCs.

if you have neither, and you want to tunnel all your ports through SSH
between your debian box and the mvBase host system (winbox),
you have the options to

· install some ssh server on the winbox,
  and on the debian box do
  ssh -L 8031:mvBase:8031 -L 8032:mvBase:8032 [...] winbox
  and have GatewayPorts yes in $HOME/.ssh/config, or 
  do some transparent redirection with iptables (if you don't say
  GatewayPorts yes, port forwarding is bound to the loopback device,
  and thus not reachable by your clients)

· use some ssh client (e.g. putty) from your winbox to the debian box,
  and use remote port forwarding, which depends on the respective client
  you use. the equivalent of ssh -R 8031:mvBase:8031 [...] debian
  on the debian box this time you need GatewayPorts yes in the
  sshd_config  (note the d for daemon).
  preferably you use a separate config file, and start a dedicated
  sshd server for this purpose on some other port, like
  sshd -p 10022 [...] -f /etc/ssh/sshd_config.telnet_tunnel
  so your standard ssh does not bind port forwardings to the wildcard
  address.
  or, as above, don't use GatewayPorts, but redirect with iptables
  transparently.

in any case, make sure you restrict access to the forwarded ports by
some other means, like iptables.

I'd prefer some kind of VPN. use FreeS/WAN on the debian, and some kind
of VPN client on the winbox.  AFAIK win nt has problems here, so use
win2000, probably the server variant...
or maybe a FreeS/WAN implementation for cygwin (is there a native win
implementation?)
... but that's a different problem ...

hth,
Lars



Re: [OT} Need advice on rsync backups

2003-02-17 Thread Lars Ellenberg
suppose you have a file list like generated by find $BASEDIR -print

pipe through
# include all files with necessary paths
sed -ne "s,^${BASEDIR//\\*/\\*}/,+ /,;"'
:l1;/+ ../{p;s,/$,,;s,[^/]*$,,;b l1;};' |
sort -u > tmp.rsync # sort and remove duplicates
# exclude everything not explicitly included...
echo "- *" >> tmp.rsync

and do rsync -av --include-from tmp.rsync remote:$BASEDIR $LOCALTARGET

to understand whats happening:

On Sun, Feb 16, 2003 at 09:05:25PM -0800, Ted Deppner wrote:
 Advice:  Read the man page.  Again.  Repeat as necessary.

;)

hth,
Lars


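The same include-list construction in plain shell, as an added example (not Lars's code and not part of the original post). It does what the sed one-liner above does, emitting each path below BASEDIR plus every parent directory so rsync can descend to it, with two differences worth knowing: it also emits entries directly below BASEDIR (a line such as `+ /top.txt` never satisfies the `/+ ../` loop condition, so the sed version leaves such files to the final `- *` exclude), and it skips the BASEDIR line that find prints first. The SAMPLE_FIND_OUTPUT listing, the host name `remote` and the paths in the usage comment are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Build an rsync --include-from list from `find $BASEDIR -print` output:
# every entry below BASEDIR plus all of its parent directories, so rsync
# can descend to the files, followed by the catch-all exclude "- *".

# $1: BASEDIR; stdin: absolute paths, one per line (as printed by find).
build_include_list() {
    base=${1%/}                                   # tolerate a trailing slash
    while IFS= read -r path; do
        case $path in
            "$base"/*) rel=${path#"$base"} ;;     # e.g. "/etc/ssh/sshd_config"
            *)         continue ;;                # BASEDIR itself, or a foreign path
        esac
        # emit the entry, then each ancestor: "/etc/ssh/", "/etc/"
        while :; do
            printf '+ %s\n' "$rel"
            rel=${rel%/}                          # strip a trailing slash
            rel=${rel%/*}/                        # strip the last component
            [ "$rel" = / ] && break
        done
    done | LC_ALL=C sort -u                       # dedupe, stable order
    echo '- *'
}

# Constructed sample: what `find /srv/data -print` might return.
SAMPLE_FIND_OUTPUT='/srv/data
/srv/data/top.txt
/srv/data/etc
/srv/data/etc/ssh
/srv/data/etc/ssh/sshd_config'

# Run the builder on the sample; the list comes back on stdout.
sample_include_list() {
    printf '%s\n' "$SAMPLE_FIND_OUTPUT" | build_include_list /srv/data
}

# Usage against a real tree (assumed host and paths):
#   ssh remote find /srv/data -print | build_include_list /srv/data > tmp.rsync
#   rsync -av --include-from tmp.rsync remote:/srv/data/ /backup/data
```

Note the trailing slash on the rsync source in the usage comment: the generated patterns start with `/`, which rsync anchors at the root of the transfer, so the transfer root has to be BASEDIR itself rather than its parent.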





Re: /usr/lib/libkssl.so.2.0.2

2002-12-21 Thread Lars Ellenberg
On Fri, Dec 20, 2002 at 06:30:49PM +0200, Juha Jäykkä wrote:
   I am wondering... what would be the correct md5sum of the above file? In
 three machines I get twice the value 4b68a1146dfd0e326c4396e339abc750 and
 once the value cd59e38dfd54eca39a99094fd85a1af0. This seems quite
 suspicious to me, especially since I JUST INSTALLED the kdelibs3-packages
 to all three machines, using ftp.fi.debian.org-mirror. How is this
 possible?

hm, transfer error? or one of your machines has a via board...
nothing against via, sorry, but I once had some via boards
that flipflopped random bits on just about every couple of
transferred megabytes!

Lars






Re: CFS problems

2002-12-21 Thread Lars Ellenberg
On Sat, Dec 21, 2002 at 02:51:29PM -0500, Oleg wrote:
 That is cmkdir gives an error, but creates a directory, while cattach fails 
 altogether. Does anyone know why? And isn't CFS supposed to be file system 
 agnostic?

do a strace, maybe that helps to find the cause.
guessing: it tries to chmod, _that_ fails,
and the error message is misleading...

look at the sourcecode, you probably will find lazy error checking.

Lars







Re: firewall advice

2002-12-16 Thread Lars Ellenberg
On Sun, Dec 15, 2002 at 07:15:25PM -0800, Torrin wrote:

  I'll also add connection tracking in my iptables script.  Is
 there anything I can do in my ipchains script?

did you ever look at the SuSEfirewall{,2} scripts by Marc Heuse?
GPL, will work with any distro, maybe small changes where to find the config
files etc.
v2 is for iptables, v1 for ipchains.
for a simple bash script quite cool. concept and all.
commented config file. good faq by togan somewhere in the suse faq on sf.net.

sorry, no url, but you'll find it for sure on the suse site and elsewhere.

Lars
-- 
no need to reinvent the wheel, though that is always enlightening fun :)







Re: unsubscribe

2002-11-16 Thread Lars Ellenberg
On Fri, Nov 15, 2002 at 01:16:25PM -0600, Steve Waterman wrote:
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
 

this really gets annoying. is the list owner willing and able to filter those
dumb messages, and maybe bounce them back?
 though this won't help that much...

this is the first ML where I encounter so many people unable to distinguish
between listname@listserver and listname-REQUEST@listserver.
and I thought that people on a security ML would be able to read!

Lars
-- 
sorry to bother you with this spam, I should have just hit the d ...





