Re: Logging User Activity

2003-05-14 Thread Nathan E Norman
On Wed, May 14, 2003 at 06:26:16PM +0100, Michael Parkinson wrote:
> [ I wrote ]
> > On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> > > Dear All,
> > >
> > > Currently implementing a number of modifications to our internal security
> > > policies and one addition I am attempting to add is the full logging of
> > > user activity.
> > >
> > > I cannot find any simple way of achieving this within the standard docs
> > > and searching the web for "log user activity linux debian" does throw up
> > > some not particularly useful links, including a package for filtering my
> > > users' output to the FBI, not much good for the UK.
> > >
> > > Can anyone point me in the right direction?
> > 
> > Are you trying to log activity on machines or on the network?
>
> Hi Nathan,
> 
> Logging over the network would be ideal but to the machine if that is all
> that is available.

[ Let's keep this on the list, please ]

Well, where you log to is up to you, but that wasn't my question :-)

What activity are you trying to log?  Activity on machines (user a ran
this, consumed this much cpu time, etc.) or activity on the network
(user b accessed this site, consumed this much bandwidth, etc.) ?

The latter is far more difficult: how do you know that a packet was
caused by user b's activity?

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  Exhilaration is that feeling you get just after a great idea hits you,
  and just before you realize what's wrong with it.



Re: Logging User Activity

2003-05-14 Thread Nathan E Norman
On Wed, May 14, 2003 at 03:33:36PM +0100, Michael Parkinson wrote:
> Dear All,
> 
> Currently implementing a number of modifications to our internal security
> policies and one addition I am attempting to add is the full logging of user
> activity.
> 
> I cannot find any simple way of achieving this within the standard docs and
> searching the web for "log user activity linux debian" does throw up some
> not particularly useful links, including a package for filtering my users'
> output to the FBI, not much good for the UK.
> 
> Can anyone point me in the right direction?

Are you trying to log activity on machines or on the network?

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  Q:  What's tiny and yellow and very, very, dangerous?
  A:  A canary with the super-user password.



Re: SPAMMED ONCE AGIN !!! (Was: Re: Under 10 bucks, cell phone antenna boosters. qmnh coxehywqphhnsg)

2003-03-30 Thread Nathan E Norman
On Sun, Mar 30, 2003 at 09:44:05PM +0200, Bernard Lheureux wrote:
> On Sunday 30 March 2003 16:03,  wrote:
> The previous one was a porno site promo, now this one !!!
> WHY ISN'T THIS LIST PRIVATE ONLY !!!
 
[ snip spam ]

Hey spaz;

Please don't quote spam back to the list; it hoses various spam
filters already in place.


-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  Quando omni flunkus moritati.
  -- Possum Lodge Motto



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: determining which patches to apply...

2003-03-21 Thread Nathan E Norman
On Fri, Mar 21, 2003 at 02:43:47PM -0600, Jeremy Choy wrote:
[ please don't top post ]

>> The original poster indicated that they were running potato.  They should
>> put the following line in /etc/apt/sources.list:
>> 
>> deb http://security.debian.org/debian-security oldstable/updates main
>> contrib non-free
>> 
>> Note that security updates for potato are scheduled to end (June?).
>> Turns out that we are running a developer's version of Oracle (8.1.7)
>> which is dependent on potato's libraries, and if we were to run apt-get it
>> would break Oracle and perhaps a few other apps running.
> 
> Again, fairly new and trying to get my head around how exactly unix works.
> If potato is no longer being supported, does that mean if there is a
> vulnerability in, let's say an old library, will they update that in woody,
> but not potato?

Yes, that is what unsupported means.  You would have to backport any
packages to potato.

Note that potato is still currently supported; that support is going
to end at some point in the late spring/early summer.

Is Oracle dependent on the older libc or some other library?  Can you
use LD_PRELOAD to solve your problem?

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  A young man wrote to Mozart and said:
  
  Q: "Herr Mozart, I am thinking of writing symphonies. Can you give me any
 suggestions as to how to get started?"
  A: "A symphony is a very complex musical form, perhaps you should begin with
 some simple lieder and work your way up to a symphony."
  Q: "But Herr Mozart, you were writing symphonies when you were 8 years old."
  A: "But I never asked anybody how."



Re: Peace is not off topic

2003-03-11 Thread Nathan E Norman
On Tue, Mar 11, 2003 at 03:27:20PM +1100, Glenn McGrath wrote:
> Your a blind fool.
  

You're ::= You are

:-)

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  Avoid gunfire in the bathroom tonight.



Re: Peace is not off topic

2003-03-11 Thread Nathan E Norman
On Tue, Mar 11, 2003 at 03:16:49AM +0100, Andreas Kotes wrote:
> P.S: something for the lawyers: are there any licenses explicitly
> disallowing the use of software in conjunction with war? would it be
> debian-compatible?

Of course there are such licenses, and of course they are not DFSG
free ... license must not restrict fields of endeavour.  See DFSG
point 6.

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  prepBut nI vrbLike adjHungarian! qWhat's artThe adjBig nProblem?
  -- alec flett @netscape



Re: test of non-subscribed user

2002-12-02 Thread Nathan E Norman
On Mon, Dec 02, 2002 at 11:48:23AM -0500, Raymond Wood wrote:
> This makes sense to me, so I can accept the Spam I receive
> through the debian lists.  One thing I'm still unclear about
> though is the recent post from someone who requested that people
> *not* report Spam received through the debian lists to Razor.  I
> have set up a Mutt hotkey to report Spam to Razor, and I confess
> I don't really understand why any and all Spam should not be
> reported.
> 
> Can anyone enlighten me, or is there a FAQ I should be reading
> instead?

Some people[1] report non-spam as spam to razor.  For example, several
security announcements from Debian have found their way into the razor
database.  This is obviously stupid.

[1] At least, we think they are people, but the level of intelligence
demonstrated leaves room for doubt.

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  I retract that silly statement.  Somebody slap me.
  -- Roy Smith



Re: Abwesenheitsnotiz: test of non-subscribed user

2002-12-02 Thread Nathan E Norman
On Mon, Dec 02, 2002 at 04:54:34PM +0100, "Janßen, Dirk" wrote:
> Ich bin erst am 03.12.2002 wieder im Haus. Bei dringenden dienstlichen
> Angelegenheiten wenden Sie sich bitte an Herrn Igor Spanz
> (mailto:), Tel. -368.
> ===
> I am absent till Dec. 3rd. In urgent official business you may contact my
> colleague Igor Spanz (mailto:), Ext. -368.
> 
> 
> MfG / Regards
> 
> Dirk Janßen
> IT/Organisation - Net Services
>
> [ snip address ]

Here's some "spam" I received from a member of the list.  Personally I
find misconfigured autoresponders just as annoying as spam on the list.

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  A good plan today is better than a perfect plan tomorrow.
  -- Gen. George S. Patton, Jr.



Re: test of non-subscribed user

2002-12-02 Thread Nathan E Norman
On Mon, Dec 02, 2002 at 03:21:28PM +0100, IT - Sven Mueller wrote:
> However, I am not really able to tell why this kind of user is allowed to 
> post here. A pointer to a previous discussion would be enough for me, but I 
> couldn't find one in the archives (maybe I'm using the wrong keywords in the 
> search).

It's in the archives, but here's a brief recap:

Scenario 1.

You are a debian user, but you don't subscribe to any debian lists.
Suddenly you suspect you have a security issue.  You immediately dash
off an email to the debian-security list hoping someone there will be
able to help you.

Scenario 2.

You are not a debian user, nor will you ever be one (perhaps you are a
BSD person, or a redhat zealot; whatever).  You find out about a
vulnerability and decide to let the world know about it.  Of course,
one of the lists you post to is debian-security.

I'm sure there are other plausible scenarios.

-- 
Nathan Norman - Incanus Networking mailto:[EMAIL PROTECTED]
  
  Ozymandias
  
  I met a traveler from an antique land
  Who said: "Two vast and trunkless legs of stone
  Stand in the desert.  Near them, on the sand,
  Half sunk, a shattered visage lies, whose frown,
  And wrinkled lip, and sneer of cold command,
  Tell that its sculptor well those passions read
  Which yet survive (stamped on these lifeless things),
  The hand that mocked them and the heart that fed;
  And on the pedestal these words appear:
  'My name is Ozymandias, king of kings;
  Look on my works, ye Mighty, and despair!'
  Nothing beside remains.  Round the decay
  Of that colossal wreck, boundless and bare
  The lone and level sands stretch far away."
  
  -- Percy Bysshe Shelley



Re: Mail relay attempts

2002-09-04 Thread Nathan E Norman
[No need to Cc: me; I read the list.  Please respect my M-F-T ]

On Wed, Sep 04, 2002 at 07:45:14AM -0400, Anthony DeRobertis wrote:
> 
> On Thursday, Aug 29, 2002, at 09:34 US/Eastern, Nathan E Norman wrote:
> 
> >This is why all ISPs should apply filters at their ingress/egress
> >points.  Unfortunately, many do not.
> 
> While I don't want to start a flame war here, as all discussions of 
> this topic seem to become, I'd just like to point out there are very 
> legitimate arguments that egress filtering is a bad thing.
> 
> IP routing does not have to be symmetric. It is for certain situations 
> very useful to have data come in one connection and leave another. Even 
> if those connections are from different ISPs. A recent time I did this 
> was to transition to a new hosting facility; the router at the old 
> facility was configured to forward data to the new facility over a GRE 
> tunnel, where it was then passed through static NAT. The data coming 
> out of the new facility was sent out with the old facility's IPs as the 
> source. Tunneling that would have been bad, because the outgoing traffic 
> was much, much, larger than incoming.
> 
> Another thing reverse path filtering breaks is having a mobile IP 
> address. Say you take your laptop with you --- it can be very useful to 
> have a constant IP address, especially if you want to keep, e.g., a ssh 
> connection open. That is fairly easily done by tunneling packets sent 
> to that address to the actual IP of the laptop. Data sent out from the 
> laptop is sent with the mobile IP address as source. No reason to 
> tunnel it back, that just wastes bandwidth and slows things down more.
> 
> Spoofed addresses are annoying. However, it's not really something that 
> can be fixed. Please don't break useful features while failing

I don't see how egress filtering prevents either scenario you
describe.  Therefore I conclude that when I say egress filtering it
means something different than when you say egress filtering.  In fact
I'm sure that you mean something else because you mention reverse path
filtering which isn't what I'm talking about.

If you are an ISP, and you are not a transit AS, then at some point in
your network you know that on one side of a device are "your"
addresses, and on the other side are "not your" addresses.  Thus you
can set an ACL which prevents your customers from spoofing.

If you are a transit AS things get more interesting; you can still
apply ACLs but you have to make sure you know what you're doing.

Here's a concrete example:  I used to work for a cable ISP.  We had a
/18 that we doled out to customers.  At each router that connected to
the Internet (via some provider) we dropped outgoing packets that
didn't come from our /18, and dropped incoming packets that purported
to come from our /18.

Again, note that I am talking about what ISPs can do to stop spoofing.
In fact, ingress/egress filters are the only filtering an ISP should
do, IMO.  ISPs which filter port 80, port 25, force traffic through a
proxy, etc. are evil and usually end up breaking something.

-- 
Nathan Norman - Micromuse Ltd. mailto:[EMAIL PROTECTED]
  Q:  What's the difference between a computer salesman and a used
  car salesman?
  A:  A used car salesman knows when he's lying.



Re: Mail relay attempts

2002-08-29 Thread Nathan E Norman
On Thu, Aug 29, 2002 at 05:47:10AM -0500, Daniel J. Rychlik wrote:
>  
> If you use Iptables and you block spoofed addresses with Iptables,
> will that stop the spoofing in their tracks, therefore decreasing the
> chance of a DOS?  

No.  For example, let's say someone manages to spoof "mailout.aol.com" [1]
and then connects to you.  You will now block all mail from AOL (hmm,
perhaps that's a bad example :)

In other words, unless the source address is a reserved address or one
of your local addresses, you really don't know if it's spoofed or not
(barring some sort of cryptographic challenge, like IPSEC).

This is why all ISPs should apply filters at their ingress/egress
points.  Unfortunately, many do not.
  
-- 
Nathan Norman - Micromuse Ltd. mailto:[EMAIL PROTECTED]
  Whenever men attempt to suppress argument and free speech, we may
  be sure that they know their cause to be a bad one.
  -- R. G. Horton

[1] I made up that host name; you get the idea.
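The two rules Nathan gives (the /18 border filter in the later reply, and the "reserved or local source is the only thing you can be sure about" point in this one), as an added Python model that is not code from the thread; the 198.18.0.0/18 prefix, the bogon list, the remote host 203.0.113.9 and the sample packets are all constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed stand-in for "our /18"; not any ISP's real allocation.
OUR_PREFIX = ipaddress.ip_network("198.18.0.0/18")

# Source addresses that can never legitimately arrive from the Internet side.
# Listed explicitly so the check does not depend on a library's notion of "private".
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "egress": our network -> provider; "ingress": provider -> our network


def border_acl(pkt: Packet, ours=OUR_PREFIX, bogons=BOGONS) -> tuple[str, str]:
    """Verdict ("permit" | "drop") and reason for one packet at a border router.

    The router knows which side holds "our" addresses, so the rules are just:
    nothing leaves unless it is sourced from our prefix, and nothing arrives
    claiming our prefix or a reserved range.  Anything else on ingress is
    permitted because the router cannot prove it is spoofed.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "egress":
        if src not in ours:
            return "drop", "egress: source not in our prefix (spoofed by a customer)"
        return "permit", "egress: source is ours"
    if pkt.direction == "ingress":
        if src in ours:
            return "drop", "ingress: outside host claims one of our addresses"
        if any(src in net for net in bogons):
            return "drop", "ingress: reserved/bogon source address"
        return "permit", "ingress: not provably spoofed"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_packets(pkts: Iterable[Packet]) -> dict[str, int]:
    """Run the ACL over a batch of packets and count the verdicts."""
    counts = {"permit": 0, "drop": 0}
    for pkt in pkts:
        verdict, _ = border_acl(pkt)
        counts[verdict] += 1
    return counts


# Constructed sample traffic as seen at the border router.
SAMPLE_PACKETS = [
    Packet("198.18.5.7", "203.0.113.9", "egress"),      # customer, legitimate
    Packet("10.1.2.3", "203.0.113.9", "egress"),        # customer spoofing RFC1918 space
    Packet("203.0.113.9", "198.18.5.7", "ingress"),     # ordinary reply traffic
    Packet("198.18.63.255", "198.18.5.7", "ingress"),   # outsider pretending to be us
    Packet("192.168.1.1", "198.18.5.7", "ingress"),     # bogon source from outside
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, why = border_acl(pkt)
        print(f"{pkt.direction:7} {pkt.src:>15} -> {pkt.dst:<15} {verdict:6} {why}")
    print(filter_packets(SAMPLE_PACKETS))  # {'permit': 2, 'drop': 3}
```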



Re: SSH2 Encryption

2002-06-16 Thread Nathan E Norman
On Sun, Jun 16, 2002 at 02:30:24PM +0200, Robert van der Meulen wrote:
> 
> Quoting Matt Zimmerman ([EMAIL PROTECTED]):
> > On Mon, Jun 10, 2002 at 08:29:15PM +0200, Robert van der Meulen wrote:
> > 
> > > My data isn't worth one bit less because it's travelling over dark fiber
> > > :) 
> > 
> > Eh?  If your data is travelling over it, then it isn't dark.
> 
> http://www.canet3.net/library/papers/FAQdarkfiber.htm

Right; when you bought it, it was "dark".  Once you put light into it,
it's no longer dark.  If someone thinks "dark" denotes who owns the
transceivers, well, they're deluded :)

-- 
Nathan Norman - Micromuse Ltd.  mailto:[EMAIL PROTECTED]
Gil-galad was an Elven-king.|  The Fellowship
Of him the harpers sadly sing:  |of
the last whose realm was fair and free  | the Ring
between the Mountains and the Sea.  |  J.R.R. Tolkien



Re: Strange opened ports.

2002-06-03 Thread Nathan E Norman
On Mon, Jun 03, 2002 at 10:57:46PM +0200, Jacques Lav!gnotte wrote:
> On Mon, Jun 03, 2002 at 04:46:36PM -0400, James wrote:
> > Are you sure they are open and nmap isn't just returning a false
> > positive?
> > 
> > Try a #netstat -vatn on the local server and see if those ports really
> > are open.
> 
> news:~# netstat -vatn
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 195.6.210.99:22         80.9.25.228:654         ESTABLISHED
> tcp        0     53 195.6.210.99:22         193.250.33.70:660       FIN_WAIT1
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> 
> 
> Can anybody try this from elsewhere :
> 
> # nmap -sU -p 1996-1997 news.pcl.fr

[EMAIL PROTECTED]:~$ date
Mon Jun  3 21:17:53 CDT 2002
[EMAIL PROTECTED]:~$ sudo  nmap -sU -p 1996-1997 news.pcl.fr

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
All 2 scanned ports on news.pcl.fr (195.6.210.99) are: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds

-- 
Nathan Norman - Micromuse Ltd.  mailto:[EMAIL PROTECTED]
Gil-galad was an Elven-king.|  The Fellowship
Of him the harpers sadly sing:  |of
the last whose realm was fair and free  | the Ring
between the Mountains and the Sea.  |  J.R.R. Tolkien



Re: pam_unix and remember

2002-05-27 Thread Nathan E Norman
On Mon, May 27, 2002 at 09:09:46PM -0500, Jor-el wrote:
> On Mon, 27 May 2002, Jor-el wrote:
> 
> > Hi,
> > 
> > Has anyone gotten the remember= ... argument to the pam_unix module to
> > work? This is supposed to check if the new passwd is one of the old
> > remembered passwords. Every time I change the password, if this argument is
> > set, it tells me that the new password has already been used even if I
> > _know_ that the password has not been used before. From looking at the
> > source code, it appears that the old passwords list is stored in
> > /etc/security/opasswd , however, my system lacks such a file. Before I go
> > out and create such a file, I would like to find out if I am missing some
> 
> Hi,
> 
>   Nevermind. This appears to be the problem reported in bug number
> 95324 . It looks like the maintainer is slacking on the job since not only
> is the fix mentioned in the bugreport, but implementing the fix is
> trivial, and yet the problem has been open for over a year now.

I'm sure this message will win you points with the maintainer :)  Did
you try contacting him privately before posting your bombast?

-- 
Nathan Norman - Micromuse Ltd.  mailto:[EMAIL PROTECTED]
Gil-galad was an Elven-king.|  The Fellowship
Of him the harpers sadly sing:  |of
the last whose realm was fair and free  | the Ring
between the Mountains and the Sea.  |  J.R.R. Tolkien



Re: About user monitoring

2002-04-16 Thread Nathan E Norman
On Tue, Apr 16, 2002 at 08:11:29PM +0300, Halil Demirezen wrote:
> 
> I am planning to write code that will load the users terminal screens to
> my screen. And root will surely manage that. Is there anyone to tell me
> any link which contains information about this subject.

[EMAIL PROTECTED]:~ $ apt-cache show ttysnoop
Package: ttysnoop
Priority: optional
Section: admin
Installed-Size: 116
Maintainer: Paul Haggart <[EMAIL PROTECTED]>
Architecture: i386
Version: 0.12c-7
Depends: libc6 (>= 2.1)
Filename: dists/potato/main/binary-i386/admin/ttysnoop_0.12c-7.deb
Size: 13430
MD5sum: c8d903ea4a5e399a19eb1439e8eb01d7
Description: TTY Snoop - allows you to spy on telnet+serial connections
 TTYSnoop allows you to snoop on login tty's through another tty-device or
 pseudo-tty. The snoop-tty becomes a 'clone' of the original tty,
 redirecting both input and output from/to it.

Looks like a good place to start.

-- 
Nathan Norman - Micromuse Ltd.  mailto:[EMAIL PROTECTED]
Gil-galad was an Elven-king.|  The Fellowship
Of him the harpers sadly sing:  |of
the last whose realm was fair and free  | the Ring
between the Mountains and the Sea.  |  J.R.R. Tolkien



Re: A question about some network services

2002-04-05 Thread Nathan E Norman
On Fri, Apr 05, 2002 at 08:28:41AM -0600, Jay Kline wrote:
> On Friday 05 April 2002 08:49 am, Juhan Kundla wrote:
> 
> > How do you do that? I tried the following...
> 
> Not remove, but not start.  Remove all references to it from the /etc/rc*.d/ 
> directories so that it doesn't start up anymore.  If you are not using any of 
> its services, it's pointless to have it running.  But some packages depend on 
> it, so you can't get rid of it.

Actually, you'll want to leave at least one of the K links: otherwise
when you upgrade, inetd will mysteriously be re-enabled.  See
update-rc.d(8) for details.

-- 
Nathan Norman - Micromuse Ltd.  mailto:[EMAIL PROTECTED]
Gil-galad was an Elven-king.|  The Fellowship
Of him the harpers sadly sing:  |of
the last whose realm was fair and free  | the Ring
between the Mountains and the Sea.  |  J.R.R. Tolkien
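The pitfall Nathan points to, as an added Python simulation of update-rc.d's documented "do nothing if any link exists" behaviour run against a throw-away directory; this is not the thread's code nor the real update-rc.d, and the link names, runlevel sets and sequence number 20 are constructed.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from typing import Callable

START_LEVELS = ("2", "3", "4", "5")  # runlevels that get S (start) links
STOP_LEVELS = ("0", "1", "6")        # runlevels that get K (stop) links


def rc_links(root: Path, service: str) -> list[Path]:
    """Every rc?.d/[SK]??<service> link under root (what update-rc.d looks for)."""
    return sorted(p for p in root.glob(f"rc?.d/[SK]??{service}") if p.is_symlink())


def update_rc_d_defaults(root: Path, service: str, seq: int = 20) -> bool:
    """Simulated `update-rc.d <service> defaults`, as run from a package postinst.

    Mirrors the documented behaviour: if any start or stop link already exists
    it does nothing; otherwise it creates the default set.  Returns True when
    links were (re)created.
    """
    if rc_links(root, service):
        return False
    target = Path("..", "init.d", service)
    plan = [(lvl, "S") for lvl in START_LEVELS] + [(lvl, "K") for lvl in STOP_LEVELS]
    for lvl, prefix in plan:
        rc_dir = root / f"rc{lvl}.d"
        rc_dir.mkdir(parents=True, exist_ok=True)
        os.symlink(target, rc_dir / f"{prefix}{seq:02d}{service}")
    return True


def disable_remove_all(root: Path, service: str) -> None:
    """The quoted advice: remove every reference from /etc/rc*.d."""
    for link in rc_links(root, service):
        link.unlink()


def disable_keep_k(root: Path, service: str) -> None:
    """Nathan's correction: drop the S links but leave the K links in place."""
    for link in rc_links(root, service):
        if link.name.startswith("S"):
            link.unlink()


def starts_at_boot(root: Path, service: str) -> bool:
    """True if any runlevel still carries an S link for the service."""
    return any(link.name.startswith("S") for link in rc_links(root, service))


def simulate(disable: Callable[[Path, str], None], service: str = "inetd") -> tuple[bool, bool]:
    """Install, disable with the given strategy, then upgrade (postinst re-runs
    update-rc.d).  Returns (starts after disabling, starts after upgrade)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "init.d").mkdir()
        (root / "init.d" / service).touch()
        update_rc_d_defaults(root, service)   # initial package install
        disable(root, service)
        after_disable = starts_at_boot(root, service)
        update_rc_d_defaults(root, service)   # package upgrade runs postinst again
        after_upgrade = starts_at_boot(root, service)
        return after_disable, after_upgrade


if __name__ == "__main__":
    print("remove all links:", simulate(disable_remove_all))  # (False, True): re-enabled
    print("keep K links:   ", simulate(disable_keep_k))      # (False, False): stays off
```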



Re: on potato's proftpd

2002-04-02 Thread Nathan E Norman
On Wed, Apr 03, 2002 at 03:22:39AM +0200, martin f krafft wrote:
> dear list,
> 
> look, i am really not here to start a flame war and heck no, i don't
> want one. please excuse if my behaviour has been leading you onto this
> belief (or maybe not). i am simply failing to grasp the arguments laid
> out by wichert. that is, i don't disagree with him per se, but i have
> the feeling that i am also not being understood. so, please read this
> last attempt to clarify and then either respond, or give me a straight
> "shut up" and i will. and i apologize up front to sven for posting
> parts of his personal reply to the list.
> 
> thus spoke Sven Hoexter <[EMAIL PROTECTED]> [2002.04.02.2240 +0200]:
> > Calm down :) It's "just" a DoS attack and if you use a piece of software you as
> > the admin should look at the normal flood of information and pick out what
> > you need. If you do so you know the problem and you can work around it in
> > different ways. One way is the Deny directive or some of the Ulimit options
> > introduced into proftpd after the problem occurred the first time.
> > In the Debian way the deny directive is the working one.
> 
> well, i am calm, but i disagree. sure, it boils down to the question
> who debian's audience are, but for all i am concerned, debian's
> reputation _used_ to include "security", and the reason why i'd (as in
> "would" and "had") install(ed) debian was because i didn't need to be
> worrying about the obvious and hence i could spend my resources on
> other things. had i wanted to patch one-year-old bugs in software that
> installs from the "security archives", then i might have just chosen
> to "fly" redhat. i don't understand why you aren't understanding this.
> i am not at all against finding the real bug as well as investigating
> why:

See, paragraphs like this directly contradict your statement above that
you don't want a flame war.  Debian "used to include security"?
Apparently you no longer run Debian?  Does this mean you've withdrawn
your name from the NM queue?
 
Are you willing to abandon the hyperbole and put forward rational
arguments as to why your solution is best?

> > there is a patch that doesn't work and it seems like nobody proved
> > the patch after it was applied for the first time.
> 
> but give me at least one argument why these acts cannot combine with
> a *temporary* fix uploaded to the so-called "security archives".

The temporary patch is, well, temporary.  It only works on a new
install; otherwise the admin has to examine their config file by hand
to make the change.  Worst of all, since the bug was thought to be
fixed but isn't, the temporary fix may not in fact prevent the
exploit.  If the exploit is part of libc globbing code, it may be
exploitable in other code, not just proftpd.
 
> > With this I'm falling back to another topic: Is the way of keeping
> > exploit code behind bars really good for the admin without the
> > special coding skills or just new stones in the process of running
> > a secure server?
> 
> exactly my point. debian's the "hacker OS", but it's also damn good.
> so why not take little steps such as this and keep it that way even
> for the ones that don't spend 20 hours a day in front of a computer
> and know assembler backwards...
> 
> > Just my personal thoughts about your flames with Wichert.
> 
> they really weren't intended to be flames. i am sorry if they felt
> that way. i am really just trying to be concise since i don't have
> much more to say than i did.

I have to wonder.

-- 
Nathan Norman - Micromuse Ltd.  mailto:[EMAIL PROTECTED]
Gil-galad was an Elven-king.|  The Fellowship
Of him the harpers sadly sing:  |of
the last whose realm was fair and free  | the Ring
between the Mountains and the Sea.  |  J.R.R. Tolkien



Re: mod_ssl pass phrase related question

2002-03-22 Thread Nathan E Norman
On Fri, Mar 22, 2002 at 03:15:25PM +0100, eim wrote:
> mod_ssl pass phrase related question
> 
> 
> Hallo Debian folks,
> 
> I've installed the Debian package "libapache-mod-ssl"
> on my workstation box in order to learn how to set up
> secure http transactions with my Apache webserver.
> 
> Once mod_ssl was installed I created a sample SSL
> certificate for my local workstation; https works
> quite well and everything is ok, well nearly everything :)
> 
> When I restart apache by hand or it comes up
> through Debian's init.d script it requires that I provide
> the daemon with the pass phrase because some of my private
> key files are encrypted.
> 
> How can I avoid this?  I mean, let me assume I need to restart
> my box from a remote connection; when the init.d script
> is going to start apache I must be physically there to provide
> the daemon with my pass phrase, and that's not always possible.
> 
> Should I keep my key files unencrypted, or is there another
> solution which preserves security?

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC2

-- 
Nathan Norman - Micromuse Ltd.  mailto:[EMAIL PROTECTED]
Gil-galad was an Elven-king.|  The Fellowship
Of him the harpers sadly sing:  |of
the last whose realm was fair and free  | the Ring
between the Mountains and the Sea.  |  J.R.R. Tolkien
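
As an added example (not code from the thread or from mod_ssl), a helper script for the SSLPassPhraseDialog exec: directive from the mod_ssl reference, which is the usual alternative to leaving the key unencrypted: Apache runs it at startup with "servername:port" and the key type as arguments and reads the pass phrase from its stdout. The directory layout, the file naming and the PASS_DIR override are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the list thread: a pass-phrase helper for
# mod_ssl's "SSLPassPhraseDialog exec:/path/to/this/script" directive.
# Apache runs the script at startup with two arguments, "servername:port"
# and the key type ("RSA" or "DSA"), and reads the pass phrase from stdout.
#
# Assumed layout (my choice, not on the page): one file per server under
# $PASS_DIR named "<servername:port>.<keytype>", readable only by the
# account that starts Apache, and this script itself mode 0700.
# Uses GNU stat (coreutils), as shipped on Debian.

PASS_DIR="${PASS_DIR:-/etc/apache/ssl.passphrase}"

# check_private_file FILE: succeed only if FILE is a regular file, owned
# by the current user, with no group or other permission bits set.
check_private_file() {
    [ -f "$1" ] || return 1
    uid=$(stat -c %u "$1" 2>/dev/null) || return 1
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$uid" = "$(id -u)" ] || return 1
    case "$mode" in
        *[0-7]00) return 0 ;;   # e.g. 400 or 600: group/other bits clear
        *)        return 1 ;;
    esac
}

# emit_passphrase SERVER KEYTYPE: print the pass phrase for SERVER's
# KEYTYPE key, or fail without printing anything.
emit_passphrase() {
    server="$1"; keytype="$2"
    # Accept only the argument shapes mod_ssl actually passes, so a
    # malformed value can never select an arbitrary file.
    case "$keytype" in RSA|DSA) ;; *) return 2 ;; esac
    case "$server" in
        *[!A-Za-z0-9.:_-]*|""|.*|*..*) return 2 ;;
    esac
    file="$PASS_DIR/$server.$keytype"
    # Refuse to hand out a secret that anyone else on the box could read.
    check_private_file "$file" || return 3
    # First line only: a pass phrase must not contain newlines.
    head -n 1 "$file"
}

if [ $# -eq 2 ]; then
    emit_passphrase "$1" "$2"
fi
```

The pass phrase still lives on disk, so this only helps if the script and its files are no more readable than the key itself; the gain is that the key file alone, copied off the host, stays useless.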



Re: Say, wheres 2.2.20?

2002-03-07 Thread Nathan E Norman
On Thu, Mar 07, 2002 at 02:42:43PM -0800, Mike Fedyk wrote:
> On Thu, Mar 07, 2002 at 10:54:57AM -0800, Xeno Campanoli wrote:
> > Mike Fedyk wrote:
> > > 
> > > On Thu, Mar 07, 2002 at 01:11:34PM +0800, Mo Zhen Guang wrote:
> > > > as always, security update may be troublesome with testing distribution.
> > > > stable is much easier
> > > > Mo
> > > >
> > > 
> > > Version: 2.2.20-2
> > > Provides: kernel-image
> > > Depends: fileutils (>= 4.0)
> > > 
> > > What version of fileutils is in potato?
> > > 
> > > All that the package supplies is the kernel.  It will be as stable as any
> > > other kernel package whether it is in stable or not (it's the official
> > > 2.2.20) so what's your prob?  Maybe you should check before you assume that
> > > just because it's in testing that it's not stable.
> > 
> > I'll keep that in mind.  If it is really that difficult for it to go
> > through the process to become formalized as stable, then is that
> > difficulty all wasted effort?
> 
> Debian's release/revision (from stable to stable) process is much slower
> than the kernel's.  That's a known fact.
> 
> If you want to wait... that's up to you.  If you want more recent stuff
> (including kernels packaged by debian) you should use testing.

[ not sure if the mail-followup-to: header is supposed to cc: two ppl;
if not I apologize ]

Erm, I don't quite follow this.  If you need the new PHP, then yes,
testing is about your only out.  But if all you need is a new kernel,
what's wrong with grabbing the kernel source from kernel.org and compiling
using make-kpkg?  New kernel, all the benefits of debian packaging ...

Regards,

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: [ot] how to create a user that can't log in?

2002-01-20 Thread Nathan E Norman
No, it's not the right way.  The daemons need to run as the project
user, not the individual user.

I know how to set up groups, permissions, etc. ... been doing that for
several years now.

What I'm wondering is if PAM or some other mechanism can be used to
prevent a user from logging in via a network connection.  It looks
like people here don't know; that's fine, I'll continue researching.

On Sun, Jan 20, 2002 at 01:39:48PM -0500, David Ehle wrote:
> LOL, talk about not seeing the forest for the trees... Yeah. Do it the
> way he says. It's the "right" way of doing something like that.
> 
> David.
> 
> Alvin Oga wrote:
> > 
> > hi ya nathan
> > 
> > create a group "proj"
> > 
> > add tom, dick, harry to belong to the proj group ( /etc/group )
> > - those NOT listed in proj will NOT be able to do anything
> > 
> > make sure /home/project is  owned by projectmanager and group proj
> > make sure its chmod 775 or chmod 770 for /home/project
> > 
> > make sure the shell for projectmanager is /dev/null ( no login shell )
> > 
> > each user ( tom, dick, harry ) can all run
> > /home/project/scripts/start-me-up.sh
> >   w/o having to be projectmanager
> > 
> > -- i claim there is no point to having a login account projectmanager/user
> >if everybody can log into it... why bother ???
> > - you'd want to know who made the changes ... ( tom, dick, harry )
> > 
> > c ya
> > alvin
> > 
> > On Sun, 20 Jan 2002, Nathan E Norman wrote:
> > 
> > > Hi,
> > >
> > > I'm setting up a project for some friends.  I want each of them to
> > > have their own account, but I want the project to be hosted (and run
> > > under) a separate account.  Each user should be able to su to the
> > > project account to restart daemons.  No user should be able to log in
> > > as the project user.
> > >
> > > How do I set this up?  Is it possible?
> > 

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton
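
As an added example, and not something the thread itself settled on: one way to answer the question above with PAM is pam_listfile in the account stack of the login and ssh services, leaving /etc/pam.d/su untouched so that su to the project account keeps working. The list file path, the PAM_DIR/LIST_FILE overrides and the helper names are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the list thread: deny a named account on
# the network-facing and console login paths with pam_listfile, while
# leaving /etc/pam.d/su alone so "su - project" from a member account
# still works.  The module goes in the "account" stack, which sshd
# evaluates for public-key logins as well as password ones; the "auth"
# stack is skipped for key authentication and would leave a hole.
# PAM_DIR and LIST_FILE are hypothetical overrides so the functions can
# be exercised against scratch files instead of the live configuration.

PAM_DIR="${PAM_DIR:-/etc/pam.d}"
LIST_FILE="${LIST_FILE:-/etc/security/nologin.users}"

# pam_deny_line: the line to add.  onerr=fail means a missing or
# unreadable list file denies access instead of silently allowing it.
pam_deny_line() {
    printf 'account required pam_listfile.so onerr=fail item=user sense=deny file=%s\n' "$LIST_FILE"
}

# ensure_pam_deny SERVICE: put the deny line at the top of
# $PAM_DIR/SERVICE unless it is already there; idempotent, and refuses
# to create a PAM service file that does not exist.
ensure_pam_deny() {
    pamfile="$PAM_DIR/$1"
    [ -f "$pamfile" ] || return 1
    line=$(pam_deny_line)
    grep -qxF -- "$line" "$pamfile" && return 0
    { echo "$line"; cat "$pamfile"; } > "$pamfile.tmp" && mv "$pamfile.tmp" "$pamfile"
}

# deny_user USER: add USER to the list file (created mode 0600 if
# absent); idempotent.
deny_user() {
    [ -f "$LIST_FILE" ] || { : > "$LIST_FILE"; chmod 0600 "$LIST_FILE"; }
    grep -qxF -- "$1" "$LIST_FILE" || echo "$1" >> "$LIST_FILE"
}

# login_denied USER: succeed if USER is on the list, i.e. would be
# refused by every service carrying the deny line.
login_denied() {
    [ -f "$LIST_FILE" ] && grep -qxF -- "$1" "$LIST_FILE"
}

# Usage: script.sh USER...  (Debian names sshd's PAM file "ssh".)
if [ $# -ge 1 ]; then
    for u; do deny_user "$u"; done
    for svc in ssh login; do ensure_pam_deny "$svc"; done
fi
```

The project account keeps its real shell and password (su needs both); what this removes is only the ability to open a login session as that account from the network or the console.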



[ot] how to create a user that can't log in?

2002-01-20 Thread Nathan E Norman
Hi,

I'm setting up a project for some friends.  I want each of them to
have their own account, but I want the project to be hosted (and run
under) a separate account.  Each user should be able to su to the
project account to restart daemons.  No user should be able to log in
as the project user.

How do I set this up?  Is it possible?

Thanks,

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: Securing bind..

2001-12-30 Thread Nathan E Norman
On Sun, Dec 30, 2001 at 06:49:34PM +0100, Wichert Akkerman wrote:
> Previously P Prince wrote:
> > The easiest and most failsafe way to secure bind is to install djbdns.
> 
> And the simple answer to that is:
> 1. bind is not DFSG-free and not packaged for Debian which makes it
>off-topic here.

May I quote you on this?? :)

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton

PS djbdns runs on debian, therefore it's topical.  Please don't allow
your feud with djb to cloud your judgement here.



Re: In Praise of Dos (RE: Mutt & tmp files)

2001-11-20 Thread Nathan E Norman
On Tue, Nov 20, 2001 at 12:01:32PM -0800, J C Lawrence wrote:
> On Mon, 19 Nov 2001 21:57:05 -0600 
> Nathan E Norman  wrote:
> 
> > On Mon, Nov 19, 2001 at 03:26:50PM -0800, Petro wrote:
> >> But this is hugely off topic, and I'll go no further down this
> >> road.
> 
> > Could you at least honor my Mail-Followup-To: header?
> 
> Mail-Followup-To is a non-standard, un-RFC documented, generally
> unsupported header.  

The guy is using mutt.  mutt supports M-F-T.  You figure it out.

M-F-T is generally used on debian mailing lists.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: In Praise of Dos (RE: Mutt & tmp files)

2001-11-19 Thread Nathan E Norman
On Mon, Nov 19, 2001 at 03:26:50PM -0800, Petro wrote:
> But this is hugely off topic, and I'll go no further down this road.

Could you at least honor my Mail-Followup-To: header?

Thanks,

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: In Praise of Dos (RE: Mutt & tmp files)

2001-11-19 Thread Nathan E Norman
On Mon, Nov 19, 2001 at 01:47:40PM -0800, Petro wrote:
> > environments and applications to figure out what it takes to make a 
> > system really consistent and usable for you.  Even if you pick some 
> > things that aren't quite finished as part of your environment, if they 
> > are part of an active project, they will be working much better soon.  
> 
> Go into Netscape, open up some random web page. What's the key
> command for find? 
> 
> Now open Lyx. What's the key command for find? Mutt? Opera?
> OpenOffice? 
> 
> Just like Windows 3.11. 
> 
> Which was my point. 

Install Netscape 4.x, 6.x, Mozilla, and IE on a windows box.

Good luck expecting the same key strokes to do the same thing in each
application.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: firewall

2001-09-10 Thread Nathan E Norman
On Tue, Sep 11, 2001 at 12:52:06AM +0100, Tom Breza wrote:
> > There's recently been quite a discussion about this here or on
> > debian-firewall. There are proposals to register somewhere whether you
> > want an installed service started or not (on a per-service basis). Look
> > at the archives for details.
> > 
> > HTH, Erik.
> > -- 
> hmmm, do you know the address of the archive for this group?

http://lists.debian.org/ , vgrep archives

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton


Re: firewall

2001-09-10 Thread Nathan E Norman
On Mon, Sep 10, 2001 at 07:38:10PM +0100, Tim Haynes wrote:
> Adam Olsen <[EMAIL PROTECTED]> writes:
> 
> > > It should be sufficient to do
> > > update-rc.d -f portmap remove
> > > update-rc.d -f lpd remove
> > > update-rc.d -f bind remove
> > 
> > As an aside, I did this with proftpd, but when I upgrade the install
> > scripts restart it. Is there a proper way to deal with this? Is there
> > some debian policy relating to it?
> 
> No real answer from me, but I've noticed this too - whenever I `apt-get
> dist-upgrade' and get a new version of a package, it starts the services
> required. Don't like it. I really want to be able to specify otherwise.

If you read the manpage for update-rc.d, you'll note that it says

  If any files /etc/rcrunlevel.d/[SK]??name already exist then
  update-rc.d does nothing.  This is so that the system administrator
  can rearrange the  links,  provided that  they  leave  at  least one
  link remaining, without having their configuration overwritten.

So, to leave a service installed but not starting, you need to leave
at least one K link.

If you're saying "hey, that's not intuitive", you're right.  See 

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=67095&repeatmerged=yes

for more discussion.

Incidentally, debian has another daemon issue ... whether daemons
should start immediately after installation.  This is in fact why the
above problem happens ... since no start/stop links are found, it's
assumed that this is a new installation of the daemon, so it's started
for you.  However, many would like the ability to prevent daemons from
automatically starting after installation even if this is a new
install.

There's been much discussion on d-devel about this problem, and how to
solve it.  While it's clear most everyone agrees it's a problem, I
don't know that consensus has been reached on how to solve it.

HTH,

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton
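
As an added example (not code from the thread), the "leave at least one K link" advice from this reply and from the earlier inetd one, done as a script: it turns a service's S links into K links instead of removing them, and checks afterwards that nothing would start it at boot or let update-rc.d recreate the links on the next upgrade. The RC_ROOT override and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the list thread: disable a sysvinit
# service the way update-rc.d(8) expects, by keeping at least one K link.
# "update-rc.d -f NAME remove" deletes every /etc/rc?.d/[SK]??NAME link,
# so the next package upgrade finds no links, treats the daemon as newly
# installed and re-enables it.  Renaming the S links to K links instead
# leaves the daemon stopped in every runlevel while update-rc.d keeps
# its hands off.  RC_ROOT is a hypothetical override (default /etc) so
# the functions can be exercised against a scratch directory tree.

RC_ROOT="${RC_ROOT:-/etc}"

# disable_service NAME: rename every S link to a K link with the same
# sequence number; prints the number of links renamed.  (The usual
# convention is K = 100 minus the S number; the same number is kept
# here for simplicity, which only changes where in the stop order the
# no-op stop runs.)
disable_service() {
    name="$1"; renamed=0
    for link in "$RC_ROOT"/rc[0-6S].d/S[0-9][0-9]"$name"; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob did not match
        dir=$(dirname "$link")
        seq=$(basename "$link" | cut -c2-3)
        mv "$link" "$dir/K$seq$name" && renamed=$((renamed + 1))
    done
    echo "$renamed"
}

# service_disabled_safely NAME: succeed only if NAME has no S link in any
# runlevel and still has at least one K link, i.e. it will neither start
# at boot nor be resurrected by update-rc.d on the next upgrade.
service_disabled_safely() {
    name="$1"; klinks=0
    for link in "$RC_ROOT"/rc[0-6S].d/[SK][0-9][0-9]"$name"; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        case "$(basename "$link")" in
            S*) return 1 ;;
            K*) klinks=$((klinks + 1)) ;;
        esac
    done
    [ "$klinks" -ge 1 ]
}

# Usage: script.sh NAME   (disable, then verify)
if [ $# -eq 1 ]; then
    disable_service "$1" >/dev/null
    service_disabled_safely "$1" && echo "$1: disabled, K link retained"
fi
```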



quote [was: Re: Bash scripting info needed.]

2001-09-10 Thread Nathan E Norman
On Mon, Sep 10, 2001 at 01:34:17PM +0100, Ricardo B wrote:
> "Your theory is nuts! But not enough to be true!" (Niels Bohr)

We are all agreed that your theory is crazy.  The question which
divides us is whether it is crazy enough to have a chance of being
correct.  My own feeling is that it is not crazy enough. 
-- Niels Bohr

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: File transfer using ssh

2001-08-23 Thread Nathan E Norman
On Thu, Aug 23, 2001 at 08:18:58AM -1000, Joseph Dane wrote:
> > "Alexander" == Alexander List <[EMAIL PROTECTED]> writes:
> 
>  Alexander> You might also consider the tip posted before to use rsync
>  Alexander> (rsync -e ssh) to transfer entire directory structures,
> 
> or, since ssh will read from stdin, you can alter the old tar|tar
> trick to copy a directory tree:
> 
>  here$ cd srcdir
>  here$ tar cf - . | ssh there 'cd dstdir; tar xf -'

or even 

  here$ tar cf - . | ssh there tar xCf dstdir -

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton
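
The tar-over-ssh idiom above is worth having in runnable form together with the check that should follow any transfer. This is an added example, not the thread's own commands: the `ssh there` hop is replaced by a local pipe so it runs offline, `there`, `srcdir` and `dstdir` are hypothetical names, and the source tree is constructed by the demo.

```sh
#!/bin/sh
# Added example, not the thread's own commands: the tar|tar idiom with the
# ssh hop replaced by a local pipe, plus the verification a transfer should
# end with. All paths are scratch directories created by the demo.

# Copy the tree under SRC into DST the way "tar cf - . | ssh there tar xCf
# dstdir -" does: old-style tar flags, C takes the directory, f takes "-".
copy_tree() {                    # $1 = SRC  $2 = DST
    mkdir -p "$2"
    (cd "$1" && tar cf - .) | tar xCf "$2" -
}

# The remote form from the message. REMOTE is a hypothetical host; this only
# prints the command line so nothing leaves the machine.
show_remote_command() {          # $1 = SRC  $2 = REMOTE  $3 = DSTDIR
    printf 'cd %s && tar cf - . | ssh %s tar xCf %s -\n' "$1" "$2" "$3"
}

# Verification: a recursive diff catches missing or altered files, and the
# mode check catches the usual surprise, an executable that lost its bit.
trees_match() {                  # $1 = SRC  $2 = DST
    diff -r "$1" "$2" >/dev/null || return 1
    (cd "$1" && find . -type f -perm -100) | {
        while IFS= read -r f; do
            [ -x "$2/$f" ] || exit 1
        done
    }
}

# Constructed source tree: nested dirs, a name with a space, an executable.
make_sample_tree() {             # $1 = SRC
    mkdir -p "$1/etc" "$1/bin"
    printf 'constructed config\n' >"$1/etc/app.conf"
    printf 'with space\n' >"$1/etc/notes file.txt"
    printf '#!/bin/sh\necho ok\n' >"$1/bin/tool"
    chmod 755 "$1/bin/tool"
}

demo() {
    work=$(mktemp -d)
    make_sample_tree "$work/srcdir"
    copy_tree "$work/srcdir" "$work/dstdir"
    if trees_match "$work/srcdir" "$work/dstdir"; then
        echo "copy verified"
    else
        echo "copy differs"
    fi
    show_remote_command srcdir there dstdir
    rm -rf "$work"
}

demo
```

Ownership is only preserved when the extracting side runs as root, which is the same for both spellings in the thread; the quoted and unquoted forms differ only in whether the remote shell or `tar -C` does the directory change.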



Re: Mutt and inline gpg

2001-08-09 Thread Nathan E Norman
On Thu, Aug 09, 2001 at 03:51:14PM -0500, Rob VanFleet wrote:
> On Thu, Aug 09, 2001 at 05:26:50PM +0200, Christian Kurz wrote:
> > option "pgp_create_traditional". That option might help you very much,
> > but instead I would suggest that the other MUA's get fixed.
> 
> Um, wouldn't that be every other MUA aside from mutt and maybe one or two
> others?

For values of "one or two" at about 15 or so, sure.  Someone recently
posted a long list of MUAs which are PGP/MIME compliant - most of the
important names were there.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: what's the error?

2001-08-09 Thread Nathan E Norman
On Thu, Aug 09, 2001 at 06:05:38PM +0200, Viljo Marrandi wrote:
> 
> Hello,
> 
> I'm not sure this is a security issue, but it could be exploitable...
> From time to time one of my NICs just dies and in /var/log/messages I
> have stuff like this:
> 
> Aug  9 16:08:59 server kernel: eth1: Oversized Ethernet frame c7f9f460 vs
> c7f9f460.
> Aug  9 16:08:59 server kernel: eth1: Oversized Ethernet frame spanned
> multiple buffers, entry 0xe852607 length 1546 status 60a8d00!
> Aug  9 16:08:59 server kernel: eth1: Oversized Ethernet frame c7f9f470 vs
> c7f9f470.
> Aug  9 16:09:03 server kernel: eth1: Oversized Ethernet frame spanned
> multiple buffers, entry 0xe852707 length 0 status 0600!
> Aug  9 16:09:03 server kernel: eth1: Oversized Ethernet frame c7f9f470 vs
> c7f9f470.
> Aug  9 16:09:03 server kernel: eth1: Oversized Ethernet frame spanned
> multiple buffers, entry 0xe852708 length 1546 status 60a8d00!
> A
> 
> eth1 is the external NIC, which is connected to the ADSL router. Both cards
> are D-Link DFE-530s. I tried to swap them but no luck, still eth1 (before it
> was eth0) died. Is anyone sending oversized packets to cause this, or what?
> Or maybe the ADSL box and NIC hate each other?

In my opinion, the NIC on your adsl router is going bad - frames too
large are often a harbinger of hardware failure.  If it's under
warranty, get a replacement.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: red worm amusement

2001-07-22 Thread Nathan E Norman
On Sun, Jul 22, 2001 at 12:01:55AM -0700, Jacob Meuser wrote:
> Well, someone has decided to attack me for using an analogy, so I will
> refrain from saying how this doesn't go with what I'm saying.

Oh, grow up.  I did not "attack" you, I questioned the wisdom of
comparing running services on a computer to the politically loaded
question of guns.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: red worm amusement

2001-07-22 Thread Nathan E Norman
On Sat, Jul 21, 2001 at 09:28:35PM -0700, Jacob Meuser wrote:
> PS We don't give guns to children, do we?

What the hell does this have to do with running services on a freaking
computer connected to the Internet?  You are beginning to sound like a
troll.

HINT: It's difficult to kill someone with a computer without regard to
whether the computer operator is a child.  Obfuscating the issue with
inane comparisons to loaded political issues generally means you can't
argue your original position effectively.

Besides, I was a great shot as a child.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: red worm amusement

2001-07-21 Thread Nathan E Norman
On Sat, Jul 21, 2001 at 12:09:07AM -0800, Ethan Benson wrote:
> On Fri, Jul 20, 2001 at 07:52:26PM -0700, Tim Uckun wrote:
> > You really can not blame people for not hiring 
> > "expensive unix sysadmins" and letting some semi competent windows user run 
> > the NT network.
> 
> oh? and whyever not?  it's this blatant irresponsibility that we have
> such a mess security wise on the internet today.
> 
> that is sort of like saying `you really cannot blame people for not
> hiring "expensive architectural engineers" and letting some semi
> competent carpenter design your 10 story office building'

... except at this point in the game, most businesses don't see
server/network reliability in the same light they view reliability of
a building.  I never understood this attitude; most IT/IS managers
track uptime and pay a lot of lip service to fault analysis, but when
push comes to shove they don't really do anything about it.  Security
rarely enters the equation at all.  It seems to be difficult to grasp
that better security often leads to better reliability (at least from
the user's POV).

At my previous job I was repeatedly told "we will not make security
enhancements if they make the network harder to use", where "harder"
might mean learning a new way to do something, or banning old insecure
behavior (telnet).

Oh well ...

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: shared root account

2001-07-06 Thread Nathan E Norman
On Fri, Jul 06, 2001 at 03:24:56PM -0800, Ethan Benson wrote:
> On Fri, Jul 06, 2001 at 09:43:55AM -0500, Nathan E Norman wrote:
> > 
> > OTOH if you restrict the user to a list of commands in /etc/sudoers,
> > it's wise to consider whether the user might be able to leverage one of
> > those commands to edit /etc/sudoers (or any other file).  If you're
> > going to list "emacs" or "vi" in /etc/sudoers, you might as well just
> > list "ALL" :)
> 
> or even seemingly innocuous things like less or even cat.  
> 
> sudo less anything
> !/bin/sh
> whoami
> r00t!
> 
> echo me ALL=ALL > s
> sudo 'cat s >> /etc/sudoers'

IOW, it's safe to say that allowing access to a shell via sudo means
you trust that user as root.
 
> sudo is a very large cannon which is difficult to keep aimed away from
> the foot...

Depends on how you use it.

At my last job, we used sudo for two reasons:

1) I didn't have to inform all the admins whenever the root password
changed.

2) techs had a script which ran as root under sudo for creating user
accounts, etc.  The script was written in perl ... I'm sure there was
something wrong with it but it worked well for us and kept techs in
the box where they did the least damage.

Cheers,

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: shared root account

2001-07-06 Thread Nathan E Norman
On Fri, Jul 06, 2001 at 09:29:54AM -0700, Robert L. Yelvington wrote:
> admittedly, I am not very familiar with sudo because I have never seen the
> practical advantages of making su'ing more of a hassle by having to manage
> another set of conf files and keeping track of who's a sudoer and,
> therefore, have chosen not to use it.
> 
> what's to stop a person, once they've sudo'd, from editing /etc/sudoers and
> giving themselves more privs?

[ please avoid jeopardy style quoting ]

If sudo already allows a user to run "ALL" commands as root, what
privs could they possibly gain?

OTOH if you restrict the user to a list of commands in /etc/sudoers,
it's wise to consider whether the user might be able to leverage one of
those commands to edit /etc/sudoers (or any other file).  If you're
going to list "emacs" or "vi" in /etc/sudoers, you might as well just
list "ALL" :)

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton
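
Both messages in this thread make the same point: an /etc/sudoers entry for an editor, a pager or a shell is "ALL" spelled differently, while a single-purpose script run under sudo keeps the tech in the box. The audit below is an added example, not code from the thread or from the sudo project: it reads a sudoers file and flags commands from the list the thread names. The sample file is constructed, /usr/local/sbin/mkaccount is a hypothetical stand-in for the account-creation script mentioned above, and the list of risky binaries is the thread's, meant to be extended.

```sh
#!/bin/sh
# Added example, not code from the thread or from the sudo project: flag
# /etc/sudoers entries that hand out editors, pagers or shells, which are
# equivalent to ALL. The sample file is constructed and mkaccount is a
# hypothetical path.

# Print "user<TAB>command<TAB>finding" for each flagged command.
# Plain user specs only: Cmnd_Alias references and backslash continuation
# lines are not expanded, so confirm with "sudo -l -U user" on the host.
audit_sudoers() {                # $1 = path to a sudoers file
    awk '
    BEGIN {
        # the binaries named in the thread; extend to taste
        n = split("sh bash vi emacs less cat", a, " ")
        for (i = 1; i <= n; i++) risky[a[i]] = 1
    }
    NF == 0 || $1 ~ /^#/ { next }                   # blank or comment
    $1 == "Defaults" || $1 ~ /_Alias$/ { next }     # not a user spec
    index($0, "=") == 0 { next }
    {
        user = $1
        spec = substr($0, index($0, "=") + 1)
        gsub(/\([^)]*\)/, "", spec)                 # strip (runas) lists
        gsub(/[A-Z_]+:/, "", spec)                  # strip NOPASSWD: and friends
        m = split(spec, cmds, ",")
        for (i = 1; i <= m; i++) {
            c = cmds[i]
            sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
            split(c, w, "[ \t]+"); path = w[1]     # command without its args
            base = path; sub(/.*\//, "", base)
            if (path == "ALL")
                printf "%s\t%s\tfull root, honest if that is the intent\n", user, path
            else if (base in risky)
                printf "%s\t%s\tshell escape or arbitrary file access, equivalent to ALL\n", user, path
        }
    }' "$1"
}

# Constructed sample sudoers written to $1 (not any real host's file).
write_sample_sudoers() {
    cat >"$1" <<'EOF'
# constructed sample, not any real host's /etc/sudoers
Defaults        env_reset
Cmnd_Alias      ACCOUNTS = /usr/local/sbin/mkaccount
root            ALL=(ALL) ALL
ops             ALL=(ALL) NOPASSWD: /usr/sbin/service, /usr/bin/vi
helpdesk        ALL = /usr/local/sbin/mkaccount, /bin/cat, /usr/bin/less
backup          ALL = (root) /usr/bin/rsync
EOF
}

demo() {
    f=$(mktemp)
    write_sample_sudoers "$f"
    audit_sudoers "$f"
    rm -f "$f"
}

demo
```

On the sample, `helpdesk` is flagged twice (cat and less) while its mkaccount entry passes, which is the shape the second message describes: the dedicated script is the part of that line worth keeping. Run `visudo -c` before trusting any parse of a hand-edited file.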



Re: Logging packets from iptables

2001-05-23 Thread Nathan E Norman
On Wed, May 23, 2001 at 05:18:04PM +0200, Simon Huggins wrote:
> On Tue, May 22, 2001 at 08:37:26PM +0100, Dave Smith wrote:
> > (Please do not CC me on mail sent to this list; I subscribe to and
> > read every list I post to.)
> 
> But do you read every post of every list you post to?
> (sorry it was too tempting)

Few people read every post.  Most read the threads they participate
in.  I see no reason to mock someone's courtesy request.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: strange files being created

2001-04-22 Thread Nathan E Norman
On Sun, Apr 22, 2001 at 11:03:50AM -0400, Jacob Kuntz wrote:
> from the secret journal of Nathan E Norman ([EMAIL PROTECTED]):
> > Could be, except stdin is fd 1, not 0 (this is true in at least bash
> > and ash.)
> 
> From bash(1):
> 
>   /dev/stdin
>  File descriptor 0 is duplicated.
>   /dev/stdout
>  File descriptor 1 is duplicated.
>   /dev/stderr
>  File descriptor 2 is duplicated.

Er, yeah ... stdin != stdout.  I shouldn't send email before ingesting
proper amounts of caffeine ...

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: strange files being created

2001-04-22 Thread Nathan E Norman
On Sun, Apr 22, 2001 at 11:02:21AM +0300, Martin Fluch wrote:
> Hmm, this could be due to some bug in a bash/sh script, when somebody
> wanted to redirect something to the stdin (fd=0) and wrote "> 0" instead
> of ">&0"...

Could be, except stdin is fd 1, not 0 (this is true in at least bash
and ash.)

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: empty log files

2001-04-06 Thread Nathan E Norman
On Fri, Apr 06, 2001 at 03:07:42PM -0400, Damian M Gryski wrote:
> On Fri, 06 Apr 2001, Steve Greenland wrote:
> > On 06-Apr-01, 11:41 (CDT), Damian M Gryski <[EMAIL PROTECTED]> wrote: 
> > > 
> > >So, this for me pretty much nails it that something is borked with the
> > >sysklogd cron.weekly script.
> > 
> > I'd guess that the daemon wasn't restarted after the logs were rotated,
> > so that all the messages since have been written to wherever those file
> > descriptors point. You could poke around in /proc/(syslogdpid)/fd, or
> > just run /etc/init.d/sysklogd restart.
> 
>Nope, because the problem is persistent across reboots.  So, even a
>freshly started syslogd isn't writing to the logfiles.

I'm late to the discussion so if you're not running unstable, sorry.

nnorman@canaris:~ $ dpkg -l klogd
Desired=Unknown/Install/Remove/Purge/Hold
|
Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err:
uppercase=bad)
||/ NameVersion Description
+++-===-===-==
ii  klogd   1.4.1-1 Kernel logging daemon
nnorman@canaris:~ $ dpkg -p klogd
Package: klogd
Priority: required
Section: base
Installed-Size: 124
Maintainer: Martin Schulze <[EMAIL PROTECTED]>
Architecture: i386
Source: sysklogd
Version: 1.4.1-1
Replaces: sysklogd
Provides: linux-kernel-log-daemon
Depends: libc6 (>= 2.2.1-2), sysklogd | system-log-daemon
Conflicts: sysklogd (<= 1.3-33)
Filename: pool/main/s/sysklogd/klogd_1.4.1-1_i386.deb
Size: 34290
MD5sum: 487e6812964ee55a562c07fb0aa39b8e
Description: Kernel logging daemon
 The klogd daemon listens to kernel message sources and is responsible
 for prioritizing and processing operating system messages.  The klogd
 daemon can run as a client of syslogd or optionally as a standalone
 program.  Klogd can now be used to decode EIP addresses if it can
 determine a System.map file.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton
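
The diagnosis quoted in this thread ("the daemon wasn't restarted after the logs were rotated ... poke around in /proc/(syslogdpid)/fd") is a check worth scripting, since a daemon writing into an unlinked inode fills the disk silently while the visible log stays empty. The following is an added example, not code from the thread or from sysklogd: it lists descriptors of a process whose target file has been deleted. It relies on Linux /proc, and the "daemon" in the demo is a sleep process with its output on a constructed log file.

```sh
#!/bin/sh
# Added example, not from the thread: the /proc/<pid>/fd check as a script.
# Lists descriptors of a process whose target has been unlinked, which is
# what a log looks like from the daemon's side once a rotation script has
# removed it without restarting the writer. Linux /proc only.

# Print "fd target" for every descriptor of PID that points at a deleted file.
deleted_open_files() {           # $1 = pid
    for fd in /proc/"$1"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            *' (deleted)') printf '%s %s\n' "${fd##*/}" "$target" ;;
        esac
    done
}

# Succeeds when PID still writes into at least one unlinked file.
holds_deleted_file() {           # $1 = pid
    [ -n "$(deleted_open_files "$1")" ]
}

# Wait (up to 5 s) until the background child has installed its stdout
# redirection, so the check does not race the fork.
wait_for_fd() {                  # $1 = pid  $2 = expected target suffix
    i=0
    while [ $i -lt 50 ]; do
        case $(readlink /proc/"$1"/fd/1 2>/dev/null) in *"$2") return 0 ;; esac
        sleep 0.1; i=$((i + 1))
    done
    return 1
}

# Run the stand-in daemon (sleep) with stdout and stderr on LOGFILE, either
# remove the file as a careless rotation does or leave it, and print the
# dangling descriptors the daemon is left with.
simulate() {                     # $1 = logfile  $2 = "rotate" or "leave"
    sleep 60 >"$1" 2>&1 &
    pid=$!
    wait_for_fd "$pid" "/${1##*/}" || echo "warning: redirection not seen" >&2
    if [ "$2" = rotate ]; then rm "$1"; fi
    deleted_open_files "$pid"
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null || true
    rm -f "$1"
    return 0
}

demo() {
    dir=$(mktemp -d)
    echo "after a rotation without restart:"
    simulate "$dir/daemon.log" rotate
    echo "with the file left in place:"
    simulate "$dir/daemon.log" leave
    rmdir "$dir"
}

demo
```

Against a real machine, `deleted_open_files "$(pidof syslogd)"` answers the question directly: any line printed means the daemon needs a restart (or a HUP, if it reopens its files on that signal) before the rotated-away data stops accumulating in an unnamed inode.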



Re: [SECURITY] [DSA 045-1] ntp remote root exploit fixed

2001-04-05 Thread Nathan E Norman
On Thu, Apr 05, 2001 at 01:31:31PM -0500, Lindsey Simon wrote:
> I've been wondering why I get so many probes on port 53, what's the popular 
> exploit on it?

Myriad bugs in bind.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: i've been port scanned. now what

2001-03-05 Thread Nathan E Norman
On Tue, Mar 06, 2001 at 01:12:46AM +, Tim Haynes wrote:
> > It's also possible that someone is just exploring.
> 
> Then they need educating that scanning such a vast range of ports is an
> unacceptable definition of `exploring'.

Well, that's your opinion.  I don't know that I agree ... presumably
I've already tied down my services; why do I care if someone is
checking which ports are open?  When I did see an extensive portscan I
usually fired off one of my own to see what was up at that end.  More
often than not it turned out to be a misconfigured monitoring box
(ever seen Whatsup at work?)
 
OTOH I'll always defend your right to apply your opinion to your
machines; if you want to get after someone who's portscanning your
machines I won't stop you :)

> > As a former network administrator I wasn't too worried about portscans
> > unless they were followed up with actual connections. I also used
> > portscans when needed to discover what users on the network were up to.
> 
> Sure, but I hope you didn't let rip with them on other networks or sections
> of network over which you didn't have control.

We had a /18; I had plenty of IPs to keep an eye on.  Some people were
less cooperative than others.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: i've been port scanned. now what

2001-03-05 Thread Nathan E Norman
On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel wrote:
> Hello.
> My packet filter ruleset caught somebody port scanning one of our hosts.
> He or she tried to scan a very big port range from tcp 1 up to 32000 (I think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 MB of log in 3 minutes with the denied packets). I have his/her
> IPv4 address, and I would like to ask, what should I do now? I figured out
> from the ripe.net whois db that the IP is owned by one of the ISPs from my
> country. Is it possible that the scanner cracked the ISP's machine, then
> pushed the scan from there?

Well, that all depends ... do you consider port scanning criminal
activity or not?

I do not - I think you should view a port scan as a possible
indication that someone intends to attack you.  It's also possible
that someone is just exploring.

As a former network administrator I wasn't too worried about portscans
unless they were followed up with actual connections.  I also used
portscans when needed to discover what users on the network were up
to.

You could always send an email to the ISP in question and ask them
what they think; whether they want a copy of the logs, etc.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton
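
The reply's rule of thumb, that a sweep matters mainly when it is "followed up with actual connections", is something the kernel log from the original question can answer on its own. The summary below is an added example, not code from the thread: it reads netfilter-style LOG lines, counts distinct dropped destination ports per source, and marks sources that also had a packet accepted. The log lines are constructed (prefixes `DROP:` and `ACCEPT:`, addresses from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24), and the port-count threshold is an assumption to tune per site.

```sh
#!/bin/sh
# Added example, not from the thread: summarise a packet-filter log of the
# kind the question describes. Log lines are constructed in netfilter LOG
# format with documentation addresses; the threshold is an assumption.

# For each source, count distinct destination ports that were dropped and
# packets that were accepted. Print sources whose distinct-port count reaches
# THRESHOLD (a sweep rather than a mistyped address), flagging those that
# also got through, which is the case the reply says to worry about.
scan_summary() {                 # $1 = logfile  $2 = threshold
    awk -v thr="$2" '
    /kernel:/ && /SRC=/ && /DPT=/ {
        verdict = ($0 ~ /ACCEPT:/) ? "accept" : "drop"
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next
        if (verdict == "drop") {
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        } else {
            accepted[src]++
        }
    }
    END {
        for (src in ports)
            if (ports[src] >= thr)
                printf "%s ports=%d accepted=%d%s\n", src, ports[src], accepted[src] + 0,
                       (accepted[src] > 0 ? " FOLLOW-UP" : "")
    }' "$1" | sort
}

# One constructed log line in netfilter LOG format.
log_line() {                     # $1 = prefix  $2 = src  $3 = dpt  $4 = seconds
    printf 'Mar  5 23:30:%02d fw kernel: %s: IN=eth0 OUT= SRC=%s DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=%s WINDOW=1024 RES=0x00 SYN URGP=0\n' "$4" "$1" "$2" "$3"
}

# Constructed sample: one source sweeps twelve ports and then connects to
# port 80; another source retries a single port and touches one more.
write_sample_log() {             # $1 = path
    {
        s=0
        for p in 21 22 23 25 53 79 110 111 139 143 443 8080; do
            s=$((s + 1)); log_line DROP 192.0.2.10 "$p" "$s"
        done
        log_line ACCEPT 192.0.2.10 80 20
        log_line DROP 198.51.100.77 22 30
        log_line DROP 198.51.100.77 22 31
        log_line DROP 198.51.100.77 25 32
    } >"$1"
}

demo() {
    f=$(mktemp)
    write_sample_log "$f"
    echo "threshold 10:"; scan_summary "$f" 10
    echo "threshold 2:";  scan_summary "$f" 2
    rm -f "$f"
}

demo
```

With the threshold at 10 only the sweeping source is reported, and its `FOLLOW-UP` mark is the detail that turns "someone is exploring" into something to look at; at 2 the single-port retrier shows up as well, which is the noise a too-low threshold buys you.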


pgpOvFEmd6J8R.pgp
Description: PGP signature


Re: i've been port scanned. now what

2001-03-05 Thread Nathan E Norman

On Tue, Mar 06, 2001 at 01:12:46AM +, Tim Haynes wrote:
> > It's also possible that someone is just exploring.
> 
> Then they need educating that scanning such a vast range of ports is an
> unacceptable definition of `exploring'.

Well, that's your opinion.  I don't know that I agree ... presumably
I've already tied down my services; why do I care if someone is
checking which ports are open?  When I did see an extensive portscan I
usually fired off one of my own to see what was up at that end.  More
often than not it turned out to be a misconfigured monitoring box
(ever seen Whatsup at work?)
 
OTOH I'll always defend your right to apply your opinion to your
machines; if you want to get after someone who's portscanning your
machines I won't stop you :)

> > As a former network administrator I wasn't too worried about portscans
> > unless they were followed up with actual connections. I also used
> > portscans when needed to discover what users on the network were up to.
> 
> Sure, but I hope you didn't let rip with them on other networks or sections
> of network over which you didn't have control.

We had a /18; I had plenty of IPs to keep an eye on.  Some people were
less cooperative than others.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: secure install

2001-02-17 Thread Nathan E Norman
On Sat, Feb 17, 2001 at 06:21:04PM +0100, Carel Fellinger wrote:
> On Sat, Feb 17, 2001 at 02:49:03PM +0100, Thor wrote:
> ...
> > Speaking of cloning a single partition, I suggest a simple
> > 'cp -ax /mount_point_of_original_partition /mount_point_of_target_partition'
> > the 'a' stands for archive (recursive and same permissions)
> > and with the 'x' the copy doesn't go out of the indicated filesystem.
> > You can find the same suggestion in How-To/Large-Disk
> 
> The disadvantage of this command is that it doesn't preserve hardlinks.
> So you can end up using a lot more diskspace than before, as I learned
> the hard way when moving my debian mirror to a new disk :)

To avoid this problem use "find . | cpio -padm /target"

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton


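The hard-link point raised in this thread, as an added example that is not code from the list, from cp or from cpio: a Python clone that tracks inodes the way cpio's pass-through mode is assumed to (copy an inode once, link later names to it), beside a naive name-by-name copy, plus a name-versus-inode count you can run over a clone before trusting it. The sample tree (one file under three names) is constructed.

```python
# Added example for the cp -ax / cpio -padm discussion; not code from the list.
# The link tracking (copy an inode once, os.link later names to it) is the
# mechanism assumed for cpio's pass-through mode, reimplemented without cpio.
import os
import shutil
import tempfile

def clone_tree(src, dst, preserve_links):
    """Copy src to dst. With preserve_links, names sharing an inode in src
    share one in dst; otherwise every name becomes an independent copy."""
    seen = {}  # (st_dev, st_ino) in src -> first path created for it in dst
    os.makedirs(dst)
    for root, dirs, files in os.walk(src):
        out_dir = os.path.join(dst, os.path.relpath(root, src))
        for d in dirs:
            os.makedirs(os.path.join(out_dir, d), exist_ok=True)
        for f in files:
            s, t = os.path.join(root, f), os.path.join(out_dir, f)
            st = os.lstat(s)
            key = (st.st_dev, st.st_ino)
            if preserve_links and key in seen:
                os.link(seen[key], t)  # second name for an inode already copied
            else:
                shutil.copy2(s, t)
                seen[key] = t

def link_stats(tree):
    """Return (name_count, distinct_inode_count) for regular files under tree."""
    inodes, names = set(), 0
    for root, _, files in os.walk(tree):
        for f in files:
            st = os.lstat(os.path.join(root, f))
            inodes.add((st.st_dev, st.st_ino))
            names += 1
    return names, len(inodes)

def demo():
    """Constructed sample: one 4 KiB file under three names, cloned both ways."""
    with tempfile.TemporaryDirectory() as base:
        src = os.path.join(base, "src")
        os.makedirs(os.path.join(src, "pool"))
        data = os.path.join(src, "pool", "pkg.deb")
        with open(data, "wb") as fh:
            fh.write(b"x" * 4096)
        os.link(data, os.path.join(src, "pkg-a.deb"))
        os.link(data, os.path.join(src, "pkg-b.deb"))
        clone_tree(src, os.path.join(base, "naive"), preserve_links=False)
        clone_tree(src, os.path.join(base, "linked"), preserve_links=True)
        return {n: link_stats(os.path.join(base, n))
                for n in ("src", "naive", "linked")}
```

demo() returns three names but one inode for src and the linked clone, and three inodes for the naive clone, which is the extra disk space Carel ran into.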


Re: The Next Yahoo

2001-02-06 Thread Nathan E Norman
On Wed, Feb 07, 2001 at 11:26:24AM +1300, Matthew Sherborne wrote:
> Who is the list maintainer ?
> 
> GBY
> --  
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
^^^

This guy might know ...

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: mirroring security.debian.org?

2001-01-26 Thread Nathan E Norman
On Fri, Jan 26, 2001 at 08:04:21AM -0600, Mike Renfro wrote:
> On Thu, Jan 25, 2001 at 08:51:07PM +0100, Martin Schulze wrote:
> 
> > Please don't do that.  Security updates should come *only* from
> > security.debian.org.  This was discussed a while ago; you should be
> > able to find some blurb about it in the debian-devel archive, I
> > guess.
> 
> Personally, I'd rather not mirror it, but our bandwidth is almost
> completely saturated 17-19 hours/day, so if I (or any other local
> Debian-using people) want to get security updates during the day, a
> local mirror updated nightly appeared to be the easiest option.
> 
> What are my other options -- I have frequently had timeouts trying to
> make updates from security.debian.org during the day. Assume the
> people in charge of managing our bandwidth are doing all they can, and
> the saturation problem isn't going away anytime soon.

You're talking about a private mirror.  That wasn't the original
poster's intent (my reading anyway).

I believe the point is that people shouldn't be retrieving security
updates from "untrusted" sources.  I can see the point, although
there's not really a guarantee that security.debian.org is who they
say they are :-)

It seems to me that if you're willing to update machines from a local
private mirror due to bandwidth or connectivity constraints, that's
your prerogative.  Making that mirror publicly accessible would
violate the spirit of security.debian.org however ...

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: time for some OpenBSD-style auditing?

2000-12-29 Thread Nathan E Norman
On Thu, Dec 28, 2000 at 08:46:23PM -0700, John Galt wrote:
[ all developers should audit their code ]
> > 
> > Sounds lovely, in theory.  However, judging by the number of open bugs
> > in some packages, out of date packages, etc, what makes you think
> > developers would take this more seriously?  What proof does one have
> 
> Actually let me chime in at this point and say that personally I'd
> probably prefer non-developers auditing.  If you adopt code as an auditor,
> you lose the objectivity to be able to junk bad code relatively
> quickly...  Auditors should have as little to do with a piece of code
> they're auditing as possible: preferably not even use it.  This way they
> don't fall "in love" with the code and do what's necessary for security...

This is the way to go.  For this to actually work someone will
probably have to form a "team" of decent auditors to start digging and
file bugs as they find them ... I know I'm not qualified :)

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: Speaking of broadcasts, is this a security threat?

2000-08-11 Thread Nathan E Norman

On Fri, Aug 11, 2000 at 12:53:53PM -0600, Scott wrote:
> 
> > > >
> > > > Every few minutes I see the following show up in my log:
> > > >
> > > > Aug  8 00:03:17 riseup kernel: Packet log: input DENY eth0 PROTO=17
> > > > +10.0.0.1:1999 255.255.255.255:1999 L=94 S=0x00 I=638 F=0x4000 T=1 (#4)
> > > > Aug  8 00:49:40 riseup kernel: Packet log: input DENY eth0 PROTO=17
> > > > +10.0.0.1:1999 255.255.255.255:1999 L=94 S=0x00 I=639 F=0x4000 T=1 (#4)
> > > > Aug  8 00:03:17 riseup kernel: Packet log: input DENY eth0 PROTO=17
> > > > +10.0.0.1:1999 255.255.255.255:1999 L=94 S=0x00 I=638 F=0x4000 T=1 (#4)
> > > > Aug  8 00:49:40 riseup kernel: Packet log: input DENY eth0 PROTO=17
   

> -This was a TCP packet

Wrong, it was UDP.  RFC 1700 can help here.

> -This packet came from 10.0.0.1 with a return port of 1999
> -This packet was addressed to 255.255.255.255 on port 1999

So it's a subnet-only broadcast ...

I would try to find out if 10.0.0.1 is a real host, and if so, who
owns it.

Cheers,

-- 
Nathan Norman "Eschew Obfuscation"  Network Engineer
GPG Key ID 1024D/51F98BB7http://home.midco.net/~nnorman/
Key fingerprint = C5F4 A147 416C E0BF AB73  8BEF F0C8 255C 51F9 8BB7

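The ipchains "Packet log" lines quoted above, and the port sweep from the "i've been port scanned" thread, as an added example that is not code from the list: parse the log format, decode the PROTO= number per RFC 1700, mark the limited broadcast, and count distinct denied destination ports per source so a sweep stands out from a few stray connection attempts. Sample lines are constructed to match the quoted format; the 100-port threshold is an assumption.

```python
"""Parse ipchains "Packet log" lines and flag port scans from denied packets."""
# Added example for this thread, not code from the list. Sample lines below are
# constructed to match the ipchains format quoted in the thread.
import re
from collections import defaultdict

# The PROTO= field is the IP protocol number (RFC 1700), not a name.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+)"
)

def parse_line(line):
    """Return the fields of one ipchains log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len"):
        rec[k] = int(rec[k])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], "proto%d" % rec["proto"])
    # 255.255.255.255 is the limited broadcast: it never leaves the local subnet.
    rec["broadcast"] = rec["dst"] == "255.255.255.255"
    return rec

def find_port_scans(lines, threshold=100):
    """Map source address -> distinct denied destination ports, for sources
    that hit at least `threshold` distinct ports (a sweep, not a few strays)."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["verdict"] == "DENY":
            ports[rec["src"]].add(rec["dport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= threshold}

# Constructed sample: one host sweeping TCP ports 1..500 (the thread's 1..32000
# scan, shortened), plus the UDP broadcast from the later thread, which is
# noisy but not a scan: the same port every time.
SAMPLE = [
    "Mar  5 23:10:%02d fw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.10:4242 192.0.2.1:%d L=60 S=0x00 I=%d F=0x4000 T=64 (#3)"
    % (i % 60, i, i) for i in range(1, 501)
] + [
    "Aug  8 00:03:17 riseup kernel: Packet log: input DENY eth0 PROTO=17 "
    "10.0.0.1:1999 255.255.255.255:1999 L=94 S=0x00 I=638 F=0x4000 T=1 (#4)",
] * 3
```

find_port_scans(SAMPLE) reports only 192.0.2.10 (500 distinct ports); the repeated 10.0.0.1 broadcast parses as UDP to a single port and is left alone.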