Bypassing allowed_users with PAM in sshd?
Hi -

I noticed in logwatch reports today that someone had tried logging in as root to one of my servers recently. No surprise there as this happens every day. However I have explicitly set up a set of users in allowed_users and root isn't one of them (I also have AllowRootLogin set to false). What's strange is that I get a report of:

    Authentication Failures:
       root (xxx.208.3.xxx): 2 Time(s)

in the sshd report in logwatch and a report of:

    xxx.208.3.xxx: 3 times
       root/keyboard-interactive/pam: 2 times
       root/none: 1 time

in the Illegal users report. And yet the number of users being blocked by the allowed users list is being reported as 2 less than it should be. This could be coincidence but I've never seen a report of root/keyboard-interactive/pam failures and they happen to be the same number that I'm missing.

This is on an up to date (with security apt repos as well) debian sarge.

Anybody got any idea?

Thanks
Marcus

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
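A way to check this yourself, as an added example rather than anything from the post above: logwatch files the lines that one rejected connection produces under different headings (the "Failed <method> for illegal user ..." lines per method in one section, the AllowUsers denial in another), so the per-section counts need not add up. The script below groups failures per (source, user) across all auth methods and ties the AllowUsers denial to them through the sshd process id. The sample log lines are constructed to follow the message formats OpenSSH of that era wrote to auth.log; the field names, the `SAMPLE_LOG` contents and the addresses are assumptions for the demonstration.

```python
"""Group sshd authentication failures by source and user across auth methods.

Added example, not from the original post.  The SAMPLE_LOG lines are
constructed to follow the "Failed <method> for illegal user <name> ..." and
"User <name> not allowed because not listed in AllowUsers" messages that
OpenSSH of the sarge era wrote to auth.log (newer versions say "invalid
user"; both spellings are accepted).  logwatch files these lines under
different headings depending on which method the client tried, so one
rejected connection can show up as "none", "keyboard-interactive/pam" and
an AllowUsers denial at the same time.  Counting per (source, user) across
methods gives a single figure per attacker.
"""
import re
from collections import defaultdict

# Constructed sample, not a real log.
SAMPLE_LOG = """\
Jan  5 03:12:01 host sshd[1201]: User root not allowed because not listed in AllowUsers
Jan  5 03:12:01 host sshd[1201]: Failed none for illegal user root from 10.208.3.7 port 43122 ssh2
Jan  5 03:12:04 host sshd[1201]: Failed keyboard-interactive/pam for illegal user root from 10.208.3.7 port 43122 ssh2
Jan  5 03:12:07 host sshd[1201]: Failed keyboard-interactive/pam for illegal user root from 10.208.3.7 port 43122 ssh2
Jan  5 04:40:18 host sshd[1342]: User guest not allowed because not listed in AllowUsers
Jan  5 04:40:18 host sshd[1342]: Failed password for illegal user guest from 10.208.3.7 port 43190 ssh2
Jan  5 05:02:55 host sshd[1410]: Failed password for marcus from 192.0.2.9 port 51000 ssh2
"""

FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for "
    r"(?:illegal user |invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
DENIED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: User (?P<user>\S+) not allowed because not listed in AllowUsers"
)


def summarise(log_text: str) -> dict:
    """Map (source, user) -> {"methods": {method: count}, "allowusers_denied": bool}.

    The AllowUsers denial line carries no source address, so it is tied to the
    later "Failed ..." lines of the same connection through the sshd process id.
    """
    denied_by_pid = {}
    summary = defaultdict(lambda: {"methods": defaultdict(int), "allowusers_denied": False})
    for line in log_text.splitlines():
        d = DENIED.search(line)
        if d:
            denied_by_pid[d["pid"]] = d["user"]
            continue
        f = FAILED.search(line)
        if not f:
            continue
        entry = summary[(f["src"], f["user"])]
        entry["methods"][f["method"]] += 1
        if denied_by_pid.get(f["pid"]) == f["user"]:
            entry["allowusers_denied"] = True
    # freeze the nested defaultdicts into plain dicts for callers
    return {k: {"methods": dict(v["methods"]), "allowusers_denied": v["allowusers_denied"]}
            for k, v in summary.items()}


def report(summary: dict) -> list:
    """One line per (source, user), all methods collapsed into one count."""
    lines = []
    for (src, user), v in sorted(summary.items()):
        total = sum(v["methods"].values())
        methods = ", ".join(f"{m}={n}" for m, n in sorted(v["methods"].items()))
        flag = " [denied by AllowUsers]" if v["allowusers_denied"] else ""
        lines.append(f"{src} {user}: {total} failure(s) ({methods}){flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarise(SAMPLE_LOG))))
```

Run against a real auth.log the script shows whether the "missing" AllowUsers denials are the same connections that logwatch reported as keyboard-interactive/pam failures: the three lines for root above are one connection (pid 1201), not three separate events.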
Grsecurity patches on Debian
Hi -

Has anyone any advice on using grsecurity on a server running Debian (testing)? I'm thinking about patching my new kernel with the grsecurity stuff and starting to use it but I'm unsure of what I can expect. Are the defaults going to break (or stop from functioning) anything obvious (namely sshd/apache etc)? This is a remote box so I want to avoid losing network access etc.

Initially I'm going to set it up as in the Quick Start docs on the grsecurity site. Has anyone advice where to start after that?

Cheers
Marcus
Re: doing an ssh into a compromised host
On 03/11/2004, Andrew Pimlott wrote:
> Do you have such a thing? I would absolutely love an ssh agent that only asks for pass-phrases as needed, times them out eventually, and can prompt before answering a challenge.

quintuple-agent does something like this. Not sure if it supports ssh or not - it's really for gpg and such. Looks like you could write a wrapper script so that it supported ssh though.

Marcus

-- 
Marcus Williams -- http://www.quintic.co.uk
Quintic Ltd, 39 Newnham Road, Cambridge, UK
This message is private [ ] public [*]
Re: Recommended firewall package?
On 01/11/2004, Daniel Pittman wrote:
> My recommendation is the 'firehol' package, found in testing/unstable, and trivial to backport[1] to stable.

I'd second this - firehol is fantastic. Someone recommended it a while ago in a lug mail list I was on and I thought I'd give it a once over. Never gone back to the iptables mess I had (it still generates an iptables script but I don't have to look at/maintain it, which can only be a good thing IMNSHO).

Marcus
Providing secure file access on a colo-server
Hi -

I need to provide a way for users to upload/download files from their shell accounts on a colo server I admin. The majority of the users won't want to use scp/sftp and are clueless as far as ssh tunneling goes. This pretty much leaves ftp as far as I can see (although I suppose webdav might be possible, but I haven't tried setting a dav server up on an internet box and I'm not sure of the security implications).

I'm looking at either proftpd or vsftpd but what I want is to set it up so that users can login with a password that is different to their shell password so that their shell passwords are not broadcast in plaintext every time they update their websites etc. Is this the best way to go about something like this or are there better ways of setting up secure file access? A few of the users want to publish files directly from something like Frontpage which doesn't support sftp (dav server might be possible?)

Cheers
Marcus
Re: Providing secure file access on a colo-server
On 08/10/2004, Roger Sels wrote:
> I'd recommend sticking to scp, as you can give your users winscp. Its interface resembles major ftp clients out there and is very intuitive, so they should not have any issues using it.

Yeah, the only problem with this is Frontpage doesn't support sftp and the users that use Frontpage might not be willing to have that extra step involved (publish to local drive - drag to winscp). Not that they'll have the choice in the end :)

Thanks
Marcus
Encrypted backups
Hi -

I am investigating ways of producing encrypted backups. Currently I use afio and gpg (via tob) with something like:

    afio -b 10240 -c 1000 -U -Z -P gpg -Q --symmetric -Q \
        --passphrase-fd=3 -Q --no-verbose -Q --batch -Q --no-options \
        -3 3 -o /dev/nst0 $FILELIST 3<$PASSPHRASE

where $FILELIST is the list of files, and $PASSPHRASE is a path to a file containing the passphrase for the backup set (opened on file descriptor 3, which afio passes through to gpg via -3 and gpg reads via --passphrase-fd).

After a few tests, this method appears to be extremely slow (on a simple 4mb archive, the non-encrypted method takes less than .5 secs, encrypted takes about 7 secs) compared to non-encrypted backup sets (which I was expecting). Does anyone know of ways to speed the process up? Are there any other ways of getting an encrypted backup set that might be faster?

Thanks
Marcus
Re: Encrypted backups
On 13/01/2004, [EMAIL PROTECTED] wrote:
> First of all, don't use the 'Z' option. GPG compresses itself and this would slow down the process a lot.

I'm pretty sure the 'Z' option is needed - coupled with the 'P' option that tells afio to 'compress' using an external program that happens to be gpg. I've also tried switching off compression on gpg (by adding -Q -z0) but that doesn't speed up the backup either.

What's annoying is, I think the main slow down isn't from the encryption, it's from having to start gpg for every file in the backup (afio compresses file by file). Encrypting a 4mb file on its own is relatively quick with gpg.

I can't back up to a file based archive, encrypt that and write the encrypted archive to tape in case of media errors. I'm assuming that even a 1 bit error in an encrypted archive will break the whole archive, or at least the rest of the archive following the error. This is what afio is good for because a media error only corrupts the file that it occurs in, not the whole archive.

[I also neglected to mention that I need to backup to tape as the tapes are taken offsite as a further security measure (in case of fire etc). This rules out backups to encrypted filesystems on a harddrive as hard drives are easily breakable (if dropped for instance)]

Thanks,
Marcus
Re: Encrypted backups
On 13/01/2004, Alexander Neumann wrote:
> Did you try duplicity?

No - I just took a look at it though and I suspect that it's not an option because it uploads the encrypted archive offsite. Not really an option on our ADSL line (we're talking about 60+Gb of data on a full backup)

Thanks
Marcus
Re: Encrypted backups
[I meant to send this to the list]

On 13/01/2004, Alexander Neumann wrote:
> You are able to store the backup-files on a local disk...

Yes, but then we lose the ability to take them offsite. Well, unless I then move them to a tape. Worth thinking about though.

Thanks
Marcus
Re: Encrypted backups
On 13/01/2004, Alexander Neumann wrote:
> * Marcus Williams [EMAIL PROTECTED] wrote:
> > [I meant to send this to the list]
>
> Thanks. I was just writing a mail about honoring the Mail-Followup-To:-Header... ;)
> [snip]

Sigh.. one of my wish list items for TheBat! is proper reply actions such as this. One day I'll get my arse into gear and try to write a macro for it but until then.

> > You are able to store the backup-files on a local disk...
> > Yes, but then we lose the ability to take them offsite.
>
> Hu? Why that? Using duplicity you usually end up with a lot of files (all around 5MB in size) and you are free to move them wherever you like.
> [snip]

Oh, ok. Perhaps I will give it a try. Obviously the next problem will be how stable it is (there's mention of use in non-production environment on the homepage). This is for my company's backups so it has to be rock solid.

Cheers
Marcus
Re: Encrypted backups
On 13/01/2004, Bill wrote:
> - make sure your kernel supports encrypted loopback and your encryption of choice
> - configure a crypto loop to your tape device
>
>     losetup -e twofish /dev/loop0 /dev/nst0

Well, you learn a new thing every day. Never thought you could do that! What happens with media errors on the tape when you read it back?

Marcus
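The media-error question above, and the earlier assumption in this thread that a single bit error in an encrypted archive spoils everything after it, come down to how the encrypted stream is framed. The added example below (mine, not from the thread, and not how afio, gpg or the crypto loop device actually do it) encrypts a backup stream as fixed-size records, each with its own authentication tag, so a bit flip on tape is confined to the record it lands in and every other record still decrypts and verifies, which is the same property afio's per-file compression gives without spawning one gpg per file. Fixed-size records matter because the reader can locate record n from its offset alone; a length field inside a damaged record cannot derail the rest of the tape. The cipher here is HMAC-SHA256 run in counter mode as a keystream generator so the script needs only the standard library; that choice, the 512-byte record size, the passphrase and salt are all assumptions for the demonstration, and a real tool would use a per-record AEAD such as AES-GCM.

```python
"""Chunked, authenticated encryption with bounded error propagation.

Added example, not from the original thread.  Instead of one encrypted stream
covering the whole archive, every fixed-size record is encrypted and tagged on
its own, so a media error destroys only the record it lands in and all other
records still decrypt and authenticate.  HMAC-SHA256 in counter mode is used
as the keystream generator purely to stay within the standard library; a real
tool would use an AEAD (e.g. AES-GCM) per record.
"""
import hashlib
import hmac
import struct

CHUNK = 512                      # payload bytes per record (assumed; tape blocks are larger)
TAG_LEN = 32                     # HMAC-SHA256 tag
HDR = struct.Struct(">I")        # authenticated length of the real payload (last record is short)
RECORD = HDR.size + CHUNK + TAG_LEN


def derive_keys(passphrase: bytes, salt: bytes):
    """Split one PBKDF2 output into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, record_no: int, length: int) -> bytes:
    # PRF(key, record_no || counter) concatenated until `length` bytes exist;
    # the record number makes every record's keystream unique.
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", record_no, ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt(data: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    out = bytearray()
    for n, off in enumerate(range(0, len(data), CHUNK)):
        pt = data[off:off + CHUNK]
        padded = pt + b"\0" * (CHUNK - len(pt))
        ct = bytes(a ^ b for a, b in zip(padded, _keystream(enc_key, n, CHUNK)))
        body = HDR.pack(len(pt)) + ct
        # record number is part of the MAC input so records cannot be reordered
        tag = hmac.new(mac_key, struct.pack(">Q", n) + body, hashlib.sha256).digest()
        out += body + tag
    return bytes(out)


def decrypt(blob: bytes, enc_key: bytes, mac_key: bytes):
    """Return (plaintext, bad_record_numbers).  Damaged records are skipped, not fatal."""
    plain = bytearray()
    bad = []
    for n in range(len(blob) // RECORD):        # a truncated trailing record is ignored
        rec = blob[n * RECORD:(n + 1) * RECORD]
        body, tag = rec[:-TAG_LEN], rec[-TAG_LEN:]
        want = hmac.new(mac_key, struct.pack(">Q", n) + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            bad.append(n)
            continue
        (length,) = HDR.unpack(body[:HDR.size])
        pt = bytes(a ^ b for a, b in zip(body[HDR.size:], _keystream(enc_key, n, CHUNK)))
        plain += pt[:length]
    return bytes(plain), bad


def flip_bit(blob: bytes, byte_offset: int) -> bytes:
    """Simulate a single-bit media error at the given byte."""
    b = bytearray(blob)
    b[byte_offset] ^= 0x01
    return bytes(b)


# Constructed stand-in for an archive: 200 small "files", 3600 bytes, 8 records.
DEMO_DATA = b"".join(b"file %03d contents\n" % i for i in range(200))


def demo():
    """Write the demo archive, damage one bit inside record 2, read it back."""
    enc_key, mac_key = derive_keys(b"backup passphrase", b"constructed-salt")
    tape = encrypt(DEMO_DATA, enc_key, mac_key)
    damaged = flip_bit(tape, 2 * RECORD + 100)
    return decrypt(damaged, enc_key, mac_key)


if __name__ == "__main__":
    recovered, bad = demo()
    print(f"lost records: {bad}, recovered {len(recovered)} of {len(DEMO_DATA)} bytes")
```

With a single gpg stream the picture is different: gpg's OpenPGP CFB mode resynchronises after a damaged block, but the compression layer gpg applies by default does not, so in practice the output after the error is garbage and the integrity check reports the whole file as bad. Per-record framing (or afio's per-file encryption) is what turns that into a one-record loss.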