Re: iptables logging
Jeff Coppock wrote on Sat Jul 21, 2001 at 10:59:08PM:
> What does syslog recognize as iptables log messages? I tried putting iptable.* in syslog.conf, but I'm not seeing messages.

You need to tell iptables which packages should be logged. For example:

iptables -N log                                # This table logs and hands package over to delete
iptables -N delete                             # This table rejects anything
iptables -A INPUT RULE -j log                  # Rule to be logged
iptables -A INPUT RULE -j delete               # Rule not to be logged
iptables -A log -j LOG --log-prefix Rejected:  # be verbose in syslog
iptables -A log -j delete                      # hand over package to delete
iptables -A delete -j REJECT                   # gracefully reject package

It would be bad to have iptables log everything by default -- man DOS

Matth¡as

-- 
Matthias Richter --+- stud. soz. inf. -+-- http://www.uni-leipzig.de
--GPG Public Key: http://www.matthias-richter.de/gpg.ascii--
· Projekt Deutscher Wortschatz: URL:http://wortschatz.uni-leipzig.de
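The LOG target writes through the kernel log, so its lines reach syslog under the kern facility, tagged "kernel:" and beginning with the chosen prefix. As an added example (not part of the original post), this Python script tallies such lines per source address; the sample log, the host name gw and the function names are constructed for illustration.

```python
import re
from collections import Counter

PREFIX = "Rejected:"  # the --log-prefix from the rules above

# Constructed, abbreviated sample lines in the layout the LOG target produces.
SAMPLE_LOG = """\
Jul 21 23:01:12 gw kernel: Rejected:IN=eth0 OUT= MAC=00:10:5a:00:00:01:00:50:04:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 ID=4711 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 SYN URGP=0
Jul 21 23:01:13 gw kernel: Rejected:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 ID=4712 DF PROTO=TCP SPT=40113 DPT=111 WINDOW=5840 SYN URGP=0
Jul 21 23:01:15 gw kernel: eth0: link up
Jul 21 23:02:40 gw kernel: Rejected:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=78 TTL=112 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 21 23:03:02 gw kernel: Rejected:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=84 TTL=60 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jul 21 23:03:05 gw sshd[311]: Illegal user Rejected:IN=eth0 SRC=10.0.0.1 from 203.0.113.9
"""

# Only lines tagged "kernel:" count; text that other daemons log is ignored.
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\skernel:\s" + re.escape(PREFIX) + r"(.*)$"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict for one prefixed LOG line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group(3)):
        fields.setdefault(key, value)  # LEN/ID repeat; keep the IP-header one
    dpt = fields.get("DPT", "")
    return {
        "time": m.group(1),
        "host": m.group(2),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(dpt) if dpt.isdigit() else None,  # ICMP has no port
    }


def rejected_by_source(text):
    """Count logged packets per source address."""
    records = filter(None, map(parse_line, text.splitlines()))
    return Counter(r["src"] for r in records if r["src"])


if __name__ == "__main__":
    for src, n in rejected_by_source(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src}")
```

Because the prefix above has no trailing space, it runs straight into IN= in the log line; the pattern accounts for that.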
Re: iptables install
Jeff Coppock wrote on Fri Jul 20, 2001 at 12:37:49PM:
> Dilemma: I want to run iptables, but I'm running stable. I have a clean, bootable 2.4.6 kernel (took awhile, but I got it), and then realized that the iptable package is not in stable, but is in testing and unstable. I looked for deb-src, but couldn't find any. I figured I could compile it on my stable machine. Do I need to dist-upgrade to woody to use iptables?

No you don't have to, http://www.fs.tum.de/~bunk/kernel-24.html tells you how to upgrade stable to kernel 2.4.x --- including iptables. Works fine here.

Matth¡as

-- 
Matthias Richter --+- stud. soz. inf. -+-- http://www.uni-leipzig.de
--GPG Public Key: http://www.matthias-richter.de/gpg.ascii--
· Projekt Deutscher Wortschatz: URL:http://wortschatz.uni-leipzig.de
Re: How to write a secure C program..
Lukas Ruf wrote on Tue Jul 03, 2001 at 10:34:44AM:
> On Tue, 03 Jul 2001, SDiZ Cheng wrote:
> > I am going to rewrite suexec.c of apache ( to suit my boss's need ). As this program is SUID, I don't want to make any mistake.
> Are you really sure you wanna do that?

If so, there is a HOWTO out there that he might be interested in: URL:http://www.dwheeler.com/secure-programs

Matthias
Re: Basic question about ipchains being useful
Julien Dupre wrote on Tue Jun 19, 2001 at 11:14:06PM:
> I'm using these packages with the latest versions in stable: postfix, apache 1.3.9 (quite old btw but not necessarily a problem), bind 8.2.3, openssh 1.2.3
> [...]
> My idea is not to look at security alerts but trust that debian maintainers will do it, I have a daily cron job which mails me if apt-get -s upgrade says something should be upgraded, is this not reasonable ?

hopefully, security.debian.org is in your /etc/apt/sources.list?

> Is there any case where a package with a known exploit was not upgraded quickly in stable ?
> > with ipchains/iptables you have a choice of accepting, rejecting or dropping packets. If you reject them, they know you exist. If you drop them, they have to wait for a timeout before they know anything about you - you can play dead.
> Yes but why should I want to drop them, as I would only deny packets for services I'm not running, a potential attacker would just get a timeout for services which aren't running anyway.

You've got the point. I had to learn that there is no sense in dropping packages instead of rejecting them. And ... once you offer services you cannot play dead anyway.

> Right, but more generally about the interest of ipchains: if I have to consider such packets are dangerous, it means that opened services are not secured, can't I just rely on having most recent versions installed and be confident but for zero day exploits ?

Simple rule: reject anything that is not essential for the services you are offering. Put yourself in paranoia-mode while building your firewall.

Matthias
Re: proftpd exploit??
Marcelo Drudi Miranda wrote on Sat May 26, 2001 at 02:49:02AM:
> Matthias Richter [EMAIL PROTECTED] wrote:
> > Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
> > > [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
> > > Any solution??
> This is an exploit or a Dos attack?

*Dos*, of course. Sorry for being inaccurate ...

regards,
Matthias
Re: proftpd exploit??
Andres Herrera wrote on Thu May 24, 2001 at 07:43:50PM:
> [proftpd exploit ls ../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../]
> Any solution??

There was a suggested entry mentioned (meant as an intermediate solution until proftpd has been fixed) to /etc/proftpd.conf:

DenyFilter \*.*/

hth,
Matthias

-- 
Matthias Richter --+- stud. soz. inf. -+-- http://www.uni-leipzig.de
--GPG Public Key: http://www.matthias-richter.de/gpg.ascii--
«Reality must take precedence over public relations, for Mother Nature cannot be fooled.» -- R.P. Feynman