Re: Log evaluation (translation)
Hi Andreas, hello [EMAIL PROTECTED],

> I'm at a company and would like to set up a Debian router/firewall.

Yeah, that's what I'm also planning at the moment. A firewall issue won't be my problem, but I haven't installed Debian for seven years, as I updated the distribution from the net. Hope the net installer works in the company in case I get a job.

> Debian is minimally installed and I've chosen Shorewall as the firewall.

Did you read the tutorial from Oskar Andreasson?

> I would additionally like to send the logs over Syslog-ng to a log
> server.

I strongly recommend not to do this. We had a CCC (Chaos Computer Club) meeting where someone brought the logfile from his mail server to the meeting. By seeing the logfile without error messages, it was quite easy to have a look at the employees and their key qualifications. By seeing logfiles unencrypted, it's possible to have a look at what's running on your server, so I strongly recommend not to do this. Use logcheck locally on your server and log in over SSH, which is quite secure (there was just one vulnerability in the past years). I use a simple Perl script, fwlog, to check the logfiles.

> My problem is what tool do I use to evaluate the logs for attacks and
> for mail notifications?

Don't forget to install aide, prelude and snort or nagios in case it's a productive server system. (Nagios: there was a bug in Nagios, but you can update; yes, monitoring tools, which are not the best decision, but there's no workaround for this available.) As a workaround you should use an encrypted logfile transfer to your client (maybe something like netcat). You have to code a little bit around; don't know if you have time in your company. AFAIK there are no encryption tools available to handle logfile reading from server to the client. Found an open source project to overcome this. Hope it helps. I wouldn't do what you're trying to do, for security reasons.
--
Best Regards,
Mark

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
nmap -sT and open ports from a friend
Hi,

this is the nmap -sT scan from a friend:

> nmap -sT internet_address
> Port      State     Service
> 25/tcp    filtered  smtp
> 46/tcp    open      mpm-snd
> 80/tcp    filtered  http
> 119/tcp   open      nntp
> 445/tcp   filtered  microsoft-ds
> 1080/tcp  filtered  socks
> 6000/tcp  open      X11
> 6346/tcp  open      gnutella

He has no firewall (like me), as he's saying a firewall is nothing good and not useful, but there's an open X11 server available on the internet. Isn't this vulnerable without a firewall?

--
Best Regards,
Mark
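As an added example (not from the post): a shell filter that reads an nmap -sT port table like the one quoted above and reports open ports outside an allow-list of services the host is meant to expose, which is the comparison to make before deciding whether an open X11 port is acceptable. The scan text is constructed from the post's table; the allow-list is an assumption.

```shell
#!/bin/sh
# Added example: compare what a scan shows as open against what the host is
# supposed to expose. Scan text below is constructed from the post's table.
SCAN='Port State Service
25/tcp filtered smtp
46/tcp open mpm-snd
80/tcp filtered http
119/tcp open nntp
445/tcp filtered microsoft-ds
1080/tcp filtered socks
6000/tcp open X11
6346/tcp open gnutella'

# unexpected_open ALLOWED: scan text on stdin, ALLOWED is a space-separated
# list of port numbers the host is meant to serve. Prints "port/proto service"
# for every port reported "open" that is not in the list.
unexpected_open() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        $2 == "open" {
            split($1, p, "/")                       # "6000/tcp" -> p[1] = 6000
            if (index(allowed, " " p[1] " ") == 0) print $1, $3
        }'
}

# Assumed intent: the box should serve mail, web and news only.
printf '%s\n' "$SCAN" | unexpected_open "25 80 119"
```

The three lines it prints (46/tcp, 6000/tcp, 6346/tcp) are the exposures that need either a firewall rule or a decision that they are wanted.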
Re: rkhunter / chkrootkit
Hi Rick,

> Why don't you make a copy of one or more of those binaries, then
> re-retrieve and install the Woody package of the same release, and
> compare md5sums of the resulting binaries? (Note that you should make
> very sure it's the same release, or you'll get a different md5sum for
> entirely innocent reasons.)

Indeed, I could do it. After establishing contact with one of the maintainers, the previous advice to --update the md5sums from the rkhunter server solved the problem, and it was not an irregularity within the Debian server. So they've updated now, which was required.

> > Checking /dev for suspicious files... [ Warning!
> > (unusual files found) ]
>
> Well? What files? The fact that rkhunter has an opinion is not, by
> itself, particularly interesting. You either have to know rkhunter
> very, very well, such that you have a high degree of faith in its
> opinions, or need to investigate for yourself what it claims is
> suspicious. Preferably both.

Don't know what files, as there was no output; by the way, it was the first time I used rkhunter.

> > - ProFTPd 1.2.5rc1 [Vulnerable ]
> > - OpenSSH 3.4p1 [Vulnerable ]
> > - GnuPG 1.0.6 [Vulnerable ]
>
> Well? _Are_ those actually vulnerable, or is rkhunter making bad
> assumptions? If you are running a conventional woody system, then
> you're receiving backported security fixes -- which does not change the
> package version number. Ergo, if rkhunter is stating the foregoing
> strictly on the basis of version numbers, then it is making a common
> elementary error.

Hm, to be honest I wasn't able to read the source code, but I don't think that my ProFTP is not vulnerable, and I have to agree rkhunter is not able to detect the correct version, so you're right.

> > Incorrect MD5 checksums: 6
>
> Which ones? And on what basis is it saying they're incorrect? You
> don't say.

The binaries mentioned above.

--
Best Regards,
Mark
rkhunter / chkrootkit
Hello,

it was a couple of days ago now, but I have to raise it another time: in this case, a compromised Woody system. chkrootkit found nothing, but rkhunter found quite a lot:

/bin/login
/bin/su
/usr/bin/locate
/usr/sbin/useradd
/usr/sbin/usermod
/usr/sbin/vip

All these binaries have been alerted within rkhunter. I got a message like this [and there was indeed a Debian update of passwd (login), but to be sure I need really competent advice]:

  Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced binaries or updated packages (which give other hashes). Be sure your hashes are fully updated (rkhunter --update). If you're in doubt about these hashes, contact the author ...

And another alert was this:

  Checking /dev for suspicious files... [ Warning! (unusual files found) ]

What's up now? I would expect someone has replaced my /bin/login binary, which makes me feel unhappy, or is there nothing to worry about?

  - ProFTPd 1.2.5rc1 [Vulnerable ]
  - OpenSSH 3.4p1 [Vulnerable ]
  - GnuPG 1.0.6 [Vulnerable ]

OK, this could be solved by compiling from sources, and indeed I have to do it. At last there was this error message:

  Incorrect MD5 checksums: 6

Would this solve my problem, and do I have to update the hashes within rkhunter as described above?

--
Best Regards,
Mark
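Rick's suggestion in the reply above (compare the md5sums of the binaries against a freshly retrieved package of the same release) and the "Incorrect MD5 checksums: 6" report in this question come down to the same check. The following is an added example, not code from the thread or from rkhunter: a POSIX shell function that verifies files against a dpkg-style .md5sums list (the "md5  path-relative-to-/" format Debian records under /var/lib/dpkg/info/<package>.md5sums), run here against a constructed fixture with one intact, one altered and one missing binary. A list taken from the re-downloaded .deb, as Rick advises, is preferable to one read off the host being checked, since a compromised host's own records cannot be trusted.

```shell
#!/bin/sh
# Added example: compare binaries on disk against a dpkg-style .md5sums list.
# verify_md5sums LISTFILE ROOT: for each "<md5>  <relative path>" entry, prints
# "MISMATCH <path>" or "MISSING <path>"; returns the number of bad entries
# (0 means every listed file is intact).
verify_md5sums() {
    lst=$1; rt=$2; bad=0
    while read -r sum rel; do
        [ -n "$rel" ] || continue                    # skip blank lines
        f="$rt/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING $rel"; bad=$((bad + 1)); continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MISMATCH $rel"; bad=$((bad + 1))
        fi
    done < "$lst"
    return "$bad"
}

# Constructed fixture (not a real package): a fake root in a temp dir with a
# recorded md5 list, then /bin/su is altered after the list was written and
# usr/sbin/useradd is never installed. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/sbin"
    printf 'login-v1\n' > "$d/bin/login"
    printf 'su-v1\n'    > "$d/bin/su"
    {
        printf '%s  bin/login\n' "$(md5sum "$d/bin/login" | cut -d' ' -f1)"
        printf '%s  bin/su\n'    "$(md5sum "$d/bin/su"    | cut -d' ' -f1)"
        printf '%s  usr/sbin/useradd\n' "$(printf 'useradd-v1\n' | md5sum | cut -d' ' -f1)"
    } > "$d/pkg.md5sums"
    printf 'su-v1-with-extra-bytes\n' > "$d/bin/su"  # simulated replaced binary
    echo "$d"
}

R=$(make_fixture)
verify_md5sums "$R/pkg.md5sums" "$R" || echo "$? listed file(s) did not match"
```

The same function works unchanged with ROOT=/ and a real .md5sums file extracted from the package, which is the comparison the thread is about.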
symlink attack
Hello,

I'm interested in obtaining information on how an insecure usage of the directory /tmp is to be avoided within a project, which is called a symlink attack. Especially I'm interested in whether it makes a difference to have quota deactivated and a user filling your hard disk to the limit, or not.

--
Best Regards,
Mark
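As an added example, not from the post, of the /tmp symlink issue being asked about: a shell function that refuses to write through a symlink or over an existing file (noclobber makes the redirection fail instead of truncating whatever the path points at), beside the usual mktemp pattern, demonstrated in a constructed private directory standing in for /tmp. The quota question is not covered here.

```shell
#!/bin/sh
# Added example: why writing to a predictable /tmp name is unsafe, and the safe
# patterns. A fixed name such as /tmp/app.$$ can be pre-planted as a symlink by
# any local user, and a plain ">" redirection then follows it.

# safe_write PATH: write stdin to PATH only if PATH is not a symlink and does
# not already exist. Returns 1 and leaves the target untouched on refusal.
safe_write() {
    target=$1
    if [ -L "$target" ]; then
        echo "refusing to write through symlink: $target" >&2
        return 1
    fi
    # set -C (noclobber): ">" fails on an existing path instead of truncating
    ( set -C; cat > "$target" ) 2>/dev/null || {
        echo "refusing to write to existing path: $target" >&2
        return 1
    }
}

# Constructed demonstration in a private directory standing in for /tmp.
# Returns 0 if the victim file is still intact afterwards.
demo() {
    tmp=$(mktemp -d)
    printf 'important\n' > "$tmp/victim"
    # what a hostile local user could have pre-planted at a guessable name
    ln -s "$tmp/victim" "$tmp/app.1234"
    printf 'garbage\n' | safe_write "$tmp/app.1234" || true   # refused
    # preferred pattern: mktemp picks an unpredictable name and creates the
    # file exclusively, so the later write cannot be redirected elsewhere
    f=$(mktemp "$tmp/app.XXXXXX")
    printf 'payload\n' > "$f"
    [ "$(cat "$tmp/victim")" = "important" ]
}

demo && echo "victim file intact"
```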