Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]
but isn't there a trick to surpass the bug while waiting for debian updates ?
What's the real effect of modifying /proc/sys/kernel/modprobe by, e.g.

    echo unexisting_binary > /proc/sys/kernel/modprobe

Can we trust this solution ? What's the effect ? It seems to work fine, and to
block the exploit on my box. But I don't know the effect on the system, since I
guess this file has a good reason to be present on a debian box ...
So is it a good idea to modify it this way ?

Thanx.

--
  __o
_`\,_      Marc Demlenne
(_)/ (_)   Public Key on www.keyserver.net
GPG/768FA483 BFD8 E61B 180C 3E7A 3435 D393 B605 9979 768F A483

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
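What the echo above actually changes, shown as an added example that is not part of the thread: /proc/sys/kernel/modprobe holds the path the kernel executes whenever it wants to autoload a module, so pointing it at a no-op (here /bin/true, which has the same effect on module loading as the non-existent binary above) stops every automatic module load until the fixed kernel is installed, while modprobe run by hand still works. The script assumes the hypothetical backup path /var/run/modprobe.orig and reads the sysctl path from MODPROBE_SYSCTL so it can be rehearsed against a scratch file before touching the live one.

```shell
#!/bin/sh
# Added example (not from the thread): park the kernel's module-autoload helper on
# a no-op binary as a stopgap, keeping the original value so it can be restored.
# MODPROBE_SYSCTL, BACKUP_FILE and NOOP_HANDLER are assumed names; override them
# to rehearse against a scratch file instead of the live sysctl.
MODPROBE_SYSCTL="${MODPROBE_SYSCTL:-/proc/sys/kernel/modprobe}"
BACKUP_FILE="${BACKUP_FILE:-/var/run/modprobe.orig}"   # hypothetical backup path
NOOP_HANDLER="${NOOP_HANDLER:-/bin/true}"

current_handler() {
    cat "$MODPROBE_SYSCTL"
}

# Save the real handler once (a second run must not overwrite the backup with the
# no-op), then install the no-op. Side effect to remember: anything that relied on
# on-demand loading (a filesystem, a NIC driver) now needs a manual modprobe.
disable_module_autoload() {
    if [ ! -f "$BACKUP_FILE" ]; then
        current_handler > "$BACKUP_FILE" || return 1
    fi
    printf '%s\n' "$NOOP_HANDLER" > "$MODPROBE_SYSCTL"
}

# Put the saved handler back once the fixed kernel is running.
restore_module_autoload() {
    [ -f "$BACKUP_FILE" ] || { echo "no backup at $BACKUP_FILE" >&2; return 1; }
    cat "$BACKUP_FILE" > "$MODPROBE_SYSCTL" && rm -f "$BACKUP_FILE"
}

# Exit 0 when autoloading is parked on the no-op, 1 when it is active.
autoload_disabled() {
    [ "$(current_handler)" = "$NOOP_HANDLER" ]
}

case "${1:-}" in
    disable) disable_module_autoload ;;
    restore) restore_module_autoload ;;
    status)  if autoload_disabled; then echo "module autoload: disabled"
             else echo "module autoload: active, handler $(current_handler)"; fi ;;
esac
```

The value written this way does not survive a reboot; a `kernel.modprobe` line in /etc/sysctl.conf does.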
Re: iptables and apt-get
Hi !

It depends how you fetch your packages. Ftp or http ? You have thus to open
either the 80 (http) or 21 (ftp) port as well. Maybe you can also limit this to
your mirror only, and not to everybody.

Note: If you log the packets you drop, you can take a look at the logs, and
you'll see why your connection is blocked...

Hoping this helps you.

On Tue, Mar 11, 2003 at 12:45:48AM -, Ian Goodall wrote:
> Hi Guys,
>
> I am setting up iptables on my debian woody box. I have decided to close
> everything and then open up just ssh and ssl. This obviously prevents my
> apt-get update from working. What ports do I need to open for this to work?
> If it helps I am going through a proxy to get to the internet.
>
> Thanks
> ijg0

--
Marc Demlenne
Re: iptables and apt-get
Yes, there's a problem with ICMP ... An ICMP type 3 code 1 (so host unreachable)
is sent to you, but blocked by your firewall... And it's about 172.16.250.1
Is everything well configured ?

Maybe you could also accept some ICMP msg on your INPUT chain ? e.g. :

    iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A INPUT -j log-icmp

On Tue, Mar 11, 2003 at 01:51:38AM -, Ian Goodall wrote:
> Here are the logs:
>
> ID=56596 PROTO=ICMP TYPE=3 CODE=1 [SRC=172.16.5.92 DST=172.16.250.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15353 DF PROTO=TCP SPT=1031 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ]
> Mar 11 01:40:08 dev1 kernel: DROPITIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=172.16.5.92 DST=172.16.5.92 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=56597 PROTO=ICMP TYPE=3 CODE=1 [SRC=172.16.5.92 DST=172.16.250.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24795 DF PROTO=TCP SPT=1030 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ]
> Mar 11 01:40:08 dev1 kernel: DROPITIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=172.16.5.92 DST=172.16.5.92 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=56598 PROTO=ICMP TYPE=3 CODE=1 [SRC=172.16.5.92 DST=172.16.250.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15354 DF PROTO=TCP SPT=1031 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ]
>
> It seems that there is a problem with icmp. 172.16.5.92 is the linux box and
> 172.16.250.1:8080 is the proxy server...

--
Marc Demlenne
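A small decoder for LOG lines like the ones quoted above, added here as an example and not part of the thread: it separates the outer ICMP packet from the embedded header in brackets and reports which of the box's own connections the dropped error was about, which is the reading that pointed at the proxy. Function names are assumptions; the sample line is the second log line Ian posted.

```shell
#!/bin/sh
# Added example (not from the thread): decode a netfilter LOG line for a dropped
# ICMP error and say which connection of this host it refers to.

# Value of KEY= inside a space-separated fragment, empty if the key is absent.
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Names for the ICMP type 3 codes that matter for a firewall diagnosis.
unreach_code_name() {
    case "$1" in
        0) echo "net unreachable" ;;
        1) echo "host unreachable" ;;
        3) echo "port unreachable" ;;
        4) echo "fragmentation needed" ;;
        *) echo "code $1" ;;
    esac
}

# One-line explanation of a LOG line; returns 1 if it is not an ICMP error.
explain_drop() {
    line=$1
    outer=${line%%\[*}                       # the ICMP packet itself
    inner=${line#*\[}; inner=${inner%%\]*}   # header of the packet that caused it
    [ "$(field "$outer" PROTO)" = "ICMP" ] || { echo "not an ICMP error"; return 1; }
    icmp_type=$(field "$outer" TYPE); icmp_code=$(field "$outer" CODE)
    if [ "$icmp_type" != "3" ]; then
        echo "ICMP type $icmp_type code $icmp_code from $(field "$outer" SRC)"
        return 0
    fi
    printf 'dropped ICMP destination-unreachable (%s) from %s about a %s connection this host opened to %s:%s\n' \
        "$(unreach_code_name "$icmp_code")" "$(field "$outer" SRC)" \
        "$(field "$inner" PROTO)" "$(field "$inner" DST)" "$(field "$inner" DPT)"
}

# Second log line from the thread, used as the built-in sample.
SAMPLE='Mar 11 01:40:08 dev1 kernel: DROPITIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=172.16.5.92 DST=172.16.5.92 LEN=88 TOS=0x00 PREC=0xC0 TTL=255 ID=56597 PROTO=ICMP TYPE=3 CODE=1 [SRC=172.16.5.92 DST=172.16.250.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24795 DF PROTO=TCP SPT=1030 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ]'

if [ -n "${1:-}" ]; then explain_drop "$1"; else explain_drop "$SAMPLE"; fi
```

Where connection tracking is available, `-m state --state RELATED` on INPUT accepts only the ICMP errors tied to connections this box opened, which is narrower than accepting every destination-unreachable.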
Re: iptables and apt-get
Maybe you can simply take a look at this ...
http://www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html

On Tue, Mar 11, 2003 at 12:45:48AM -, Ian Goodall wrote:
> Hi Guys,
>
> I am setting up iptables on my debian woody box. I have decided to close
> everything and then open up just ssh and ssl. This obviously prevents my
> apt-get update from working. What ports do I need to open for this to work?
> If it helps I am going through a proxy to get to the internet.
>
> Thanks
> ijg0

--
Marc Demlenne