Re: suspicious smbd connections

2003-12-24 Thread Noah L. Meyerhans
On Wed, Dec 24, 2003 at 03:33:54PM +0100, outsider wrote:
> But I have a dynamic IP. Every time I boot my system I get another
> IP-address.

The worms are targeting random IP addresses.  The IP address you have
tomorrow is just as likely to get scanned as the one you have today.
(Technically not *just* as likely, due to the nature of pseudo-random
number generators and the fact that all the Windows worms have bad PRNG
implementations, but you get the idea.)

noah

Re: Attempts to poison bayesian systems

2003-12-23 Thread Noah L. Meyerhans
On Tue, Dec 23, 2003 at 01:36:20PM +, Dale Amon wrote:
> > I have yet to see a false positive caused by this even though I get
> > quite a lot of this stuff and routinely mark it as spam.
>
> I can't think of any other reason for someone to do it
> though. There has to be a point. Someone is going to a
> lot of trouble.

Could it be the case that they're using all these non-spam words to
generate false-negatives, thus bypassing bayesian filters?  I've seen
lots of these messages get through spamassassin in the past week or so,
all with very low bayes scores.  Training the bayesian classifier with
these messages is obviously not going to do me much good, because the
next spam is going to have a completely different set of tokens.

This method is especially effective in the case where the bayesian
classifier only looks at the first MIME attachment, because the second
is then free to contain whatever spam tokens they want to put in it.
IIRC, this is how most bayesian filters behave.

noah

Re: suspicious smbd connections

2003-12-23 Thread Noah L. Meyerhans
On Tue, Dec 23, 2003 at 07:01:01PM +0100, outsider wrote:
> Last time I frequently get messages like
> smbd[949]: refused connect from  in my /var/log/syslog. Every time
> with new IP-address. What are these connections? Is somebody trying to
> scan me or what is the reason for these messages?

You are being scanned.  Get used to it.  You're not specifically being
targeted, but rather your IP address was randomly generated by some
worm on some Windows box and a connection attempt was made.  If you're
feeling particularly motivated, you can try to track down the owner of
the infected machine (or at least the owner of the netblock it lives on)
and inform them, but it probably won't do you much good.  I suspect that
you'll quickly find that most owners are simply not responsive.

noah

-- 
Hello to all my friends and fans in domestic surveillance.

Re: ipv6 and glibc

2003-12-22 Thread Noah L. Meyerhans
On Mon, Dec 22, 2003 at 01:21:37PM +0200, Baran YURDAGUL wrote:
> First of all sorry about this, because I am facing this problem on
> redhat.  How can I stop ipv6 resolving, when i make telnet to a
> host not in dns but in nis and files it take 1 minute to resolve this.
> nsswitch.conf is host : files nis dns .  Is there any workaround ? I
> have seen a bug listed in redhat but no solution is given out ??

Why send this to debian-security?

You need to recompile glibc to leave out support for IPv6.

noah

Re: Fwd: Cron root@mars apt-get update apt-get -y upgrade

2003-11-25 Thread Noah L. Meyerhans
On Sat, Nov 22, 2003 at 11:23:52AM +0100, Linux wrote:
> The following looks a lot worse to me...
> bsdutils, mount util-linux, console-data, procps, zlib1g, gnupg,
> util-linux-locales
>
> Suggestions + help how I should do that ?

See
http://slashdot.org/article.pl?sid=03/11/23/1730227&mode=thread&tid=185&tid=90

Also note that there is no reason to believe that the archive was
compromised in any way.

noah

Re: Mysterious process talking on 799=2049 tcp - what is using the ports?

2003-11-08 Thread Noah L. Meyerhans
On Sat, Nov 08, 2003 at 10:25:43AM -0600, Hanasaki JiJi wrote:
> Nothing is using the port but it is in netstat

add the -p switch to netstat, which will give you the PID that is
associated with that socket.

Re: logcheck thinks that system is under attack, related to ssl problem?

2003-10-06 Thread Noah L. Meyerhans
On Mon, Oct 06, 2003 at 05:31:05PM +0100, Andreas Wüst wrote:
> Hmmm, so what? Are these problems somehow tied together? Furthermore,
> what is the probability that the system has really been cracked, and the
> logcheck message is not a false positive? I wonder, because it's not a
> server machine, it has no services running, except the dhcp client
> listening on a port. Nothing else.

It sounds to me, from the symptoms you described, that /var has somehow
been mounted read-only.  Check that first.

You don't have much evidence that it's a security issue at this point.
Logcheck's active system attack messages rarely indicate such a thing.
Don't do anything drastic like reinstall the system until you've got
better evidence that you've been cracked.  In this case, I doubt you
have.

noah

Re: logcheck thinks that system is under attack, related to ssl problem?

2003-10-06 Thread Noah L. Meyerhans
On Mon, Oct 06, 2003 at 10:07:23PM +0100, Andreas Wüst wrote:
> I hope you've got some more ideas. I'm strictly following all the
> security updates, and have a light mix of woody and sid packages.

run 'shutdown -rF now'

See if the problem persists after the fsck.  If it does, check the
files manually and see if they're really corrupted or something.  Sounds
like you've just got a twisted and inconsistent filesystem.

noah

Re: Can anyone help me ID who is trying to hack my system?

2003-10-03 Thread Noah L. Meyerhans
On Fri, Oct 03, 2003 at 06:45:39PM -0700, Alderbrook wrote:
> Can anyone help me identify who is trying to get into my system?
>

They aren't trying to hack your system.  They're just scanning for open
proxy ports that they can abuse.  This is the sort of issue that, if you
run machines on the internet for long, you'll quickly come to realize is
entirely routine and really not worth bothering with.  I see many open
proxy scans on a regular basis.  If you're not running a badly
configured proxy server, they're not going to do anything.

noah

> 10/1/03 6:45:25 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196
> 10/1/03 6:45:24 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196
> 10/1/03 6:45:23 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196
> 10/1/03 6:45:22 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196

I'm not actually sure what these are, but you're denying the connection
attempts, so really, it's not anything to worry about.  More noise.  If
you see repeated or unusual connections to a service that you run, then
you should pay close attention.  People can bang on closed ports all day
and never get anywhere.  If people were actually trying to break in to
your system, there wouldn't be any reason for them to keep trying to
connect to these closed ports.

You should see the accounting logs on the routers where I work.  We lit
a /24 that had been dormant since basically the beginning of time, and
saw the scans start up immediately.  People had, of course, been
scanning that block all along, but there simply hadn't been anything
there.

If you still do feel like tracking down the owner of the machine on the
other end of these connections, try using whois to query ARIN's database
to track down the owner of the network that they're on.
http://www.arin.net/ will provide you with some more information.

noah

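The triage the reply above recommends (ignore denies on closed ports, look harder at repeated attempts against ports you actually serve) as a small shell/awk script. This is an added example, not part of the list post: the log lines are constructed, their layout copies the quoted firewall lines with an assumed destination-port column appended (the quoted lines show none), and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the list post: triage of firewall "Deny" lines
# along the lines the reply suggests, separating background noise on closed
# ports from repeated attempts against ports the host actually serves.
# The log lines below are constructed; their layout copies the lines quoted
# in the post, with an assumed destination-port column appended, because
# the quoted lines do not show one.

# Write a constructed sample log to a temp file and print its path.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
10/1/03 6:45:22 PM Deny unknown 57 TCP 216.66.31.196 192.0.2.10 8080
10/1/03 6:45:23 PM Deny unknown 57 TCP 216.66.31.196 192.0.2.10 3128
10/1/03 6:45:24 PM Deny unknown 57 TCP 216.66.31.196 192.0.2.10 1080
10/1/03 6:45:25 PM Deny unknown 57 TCP 216.66.31.196 192.0.2.10 8000
10/1/03 6:47:01 PM Deny unknown 57 TCP 198.51.100.7 192.0.2.10 22
10/1/03 6:47:05 PM Deny unknown 57 TCP 198.51.100.7 192.0.2.10 22
10/1/03 6:50:00 PM Allow unknown 12 TCP 203.0.113.9 192.0.2.10 80
EOF
    echo "$f"
}

# Denied attempts per source address, busiest first ("count source").
# Field 4 is the action and field 8 the source address in this layout.
deny_counts() {
    awk '$4 == "Deny" { n[$8]++ } END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Denied attempts aimed at a port in the space-separated SERVED list
# (field 10 in this layout), printed as "count source port". Closed-port
# noise never shows up here; what does show up deserves a closer look.
served_port_hits() {
    awk -v served="$2" '
        BEGIN { k = split(served, p, " "); for (i = 1; i <= k; i++) want[p[i]] = 1 }
        $4 == "Deny" && ($10 in want) { hits[$8 " " $10]++ }
        END { for (h in hits) print hits[h], h }' "$1" | sort -rn
}

# Stand-alone demo on the constructed log.
LOG=$(make_sample_log)
echo "denies per source:";    deny_counts "$LOG"
echo "hits on served ports:"; served_port_hits "$LOG" "22 80"
rm -f "$LOG"
```

On the sample, the four-port sweep from one source is exactly the "more noise" case: it never touches a served port, so `served_port_hits` stays silent about it, while the repeated attempts on port 22 are the ones the reply says to watch.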


Re: services installed and running out of the box

2003-09-25 Thread Noah L. Meyerhans
On Thu, Sep 25, 2003 at 08:19:43AM +0200, Stefano Salvi wrote:
> I think this is not wise:

Only because you misunderstand my idea.

> - Why I must have services installed that I cannot use (are not started by
> default)?

I didn't say anything about not starting by default.  I said that they
would not start immediately upon installation.  Think about it.  You
apt-get install squid.  What's the point of it being started
immediately, before you've had a chance to configure it?

> - Why I must have services installed that I don't need?

The scope of this discussion has grown broader since it began.
Initially, we were talking about only things that are installed by
default.  But since then Mike Stone has brought up issues that arise
even if a user explicitly and manually installs a package.

> - If I have a security choice as you suggest, I have a great probability to
> set high security and next not be able to have services running (how about
> selecting which services I want to be run by default?)

That is why I suggested something simple.  It doesn't require any
configuration at all, unlike Mike's default firewall idea.  My idea is
simply that network services are not started immediately upon
installation.  Any time after that, they function exactly as they always
have.

> I think the best choice is to leave in the default installation (where I
> select nothing in Tasksel and don't run dselect) the very minimum services
> needed, leaving to the user (tasksel is made for this) the choice to add
> the requested services.

I agree that inetd, portmap, rpc.statd, and an MTA should not run by
default.

noah

Re: services installed and running out of the box

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 01:59:16PM -0500, Ryan Underwood wrote:
> > Is there any effort to reduce the number of services running on a
> > default debian install? For example: a typical workstation user doesn't
> > really need to have inetd enabled, nor portmap (unless they are running
> > fam or nfs -- which isn't enabled by default)
>
> What about a package like the harden-* package, but one that conflicts
> with packages that are pointless for a client/desktop system?

Unless such a package is part of the standard installation, it's really
of no use.  The original poster specifically mentioned the default
debian install.

Personally, I think we really do need to reduce the number of open ports
by default.  Even Redhat has learned to do this, and Microsoft is
quickly learning (the hard way, of course).  It's quickly becoming best
practice for operating system vendors.

For starters, I think portmap, rpc.statd, and inetd should not run by
default.  Not running a mail server (or perhaps only running one on the
loopback interface) would be nice, too.

Users that need these services know it.  Users that don't shouldn't be
bothered by them, whether that be to turn them off or to get compromised
due to some newly discovered vulnerability.

noah

Re: services installed and running out of the box

2003-09-24 Thread Noah L. Meyerhans
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote:
> For what its worth, and without wanting a distro-religious war about it,
> Mandrake has a variety of security levels, which can be locally configured,
> and which can allow exactly this sort of behavior;

Honestly, I think we can get away with something vastly less complex:
Just don't install network services by default.  I don't see any need
for security levels or anything like that.  Really, just about any
network service is going to require some amount of configuration before
it can be used.

Basically, I think that security levels don't gain you anything over
"don't install the package."  And since, as I said, just about any
network service is going to need configuration attention in order to be
useful, the additional small step of "apt-get install foo" is not a
lot to ask.

noah

Re: services installed and running out of the box

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 09:01:26PM -0400, Michael Stone wrote:
> Until installing a package has the side effect of installing a network
> service. Having a default-deny-incoming firewall or some such would go a
> long way toward preventing accidental vulnerability exposure.

Well, remember that the scope of this discussion is the default Debian
installation.  I agree that there may be issues elsewhere, and that
services (particularly complex ones like Squid, Apache, DBMS packages,
etc) need to be configured before they can be usefully and securely run.

I think that the default installation, which will be seen by all users,
really should see an improvement.  I'll put some effort into getting it
done, but I'm not entirely clear on the process.  Should the matter be
brought up on -policy?

noah

Re: services installed and running out of the box

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 09:52:07PM -0400, Michael Stone wrote:
> Except, what is default? If you install a workstation task should you
> assume that you'll get open ports? (As the task packages pull in
> dependencies, etc.) I think it makes more sense to provide a safety net
> then to try to predict which packages the user is going to install by
> default and fix only those packages.

By "default" I was thinking the set of packages that you get if you
don't select any.  That is, if you don't select anything in tasksel
during installation (but you *do* run tasksel, per the default) and you
do not run dselect (again, per the default).

Granted, I'm basing that definition on woody's installer.  Sarge may end
up presenting things differently.  Unfortunately, none of my attempts at
trying out the new installer met with any success.

You're right, though.  Network services may be installed by things like
tasksel without the user actually explicitly asking for them.  A safety
net of some sort would be nice.  I don't know that I like the firewall
approach, though.  I'd be happy if the service simply didn't start by
default.  A port with nothing listening on it is basically just as
secure as a port with a firewall in front of it.

How 'bout this idea: We can create a user-definable policy as to whether
or not newly installed packages that provide init scripts actually have
these init scripts run during their postinst.  So, we have a file in
/etc/defaults or something that is sourced by postinst.  If a variable
(START_ON_INSTALL, or something) is set, then the service will be run if
this is a new install.  If it's an upgrade, then the service will be
restarted as usual.  If START_ON_INSTALL is not set, however, the
postinst will continue with its tasks but exit without actually starting
the service.  In the default installation, START_ON_INSTALL would be
unset, and services wouldn't get started.

It would require changing a whole mess of postinst scripts to implement,
but really shouldn't be hard to do.  I suppose it would be wise to limit
this functionality to daemons that provide networks services.  Things
like cron or at or whatever should probably be started after
installation, as they don't open a network port and don't require much
if any configuration to be useful.

noah

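The START_ON_INSTALL idea above, written out as the piece of a postinst that it would change. This is an added sketch, not Debian's code and not the poster's: the policy file path /etc/default/start-on-install and the variable name are assumptions (the post only says "a file in /etc/defaults or something"), the package name and version in the demo are placeholders, and the service start is a stand-in that only prints what it would run.

```shell
#!/bin/sh
# Added example, not Debian's code and not the poster's: a sketch of the
# START_ON_INSTALL policy proposed above, shaped like the "configure" step of
# a package postinst. The policy file path /etc/default/start-on-install and
# the variable name START_ON_INSTALL are assumptions; the post only says
# "a file in /etc/defaults or something".

POLICY_FILE=${POLICY_FILE:-/etc/default/start-on-install}

# Decide whether the configure step should start the daemon.
#   $1 is the previously configured version, as dpkg passes it in
#      "postinst configure <old-version>"; it is empty on a fresh install.
# Prints start, restart or skip; returns 0 for start/restart, 1 for skip.
start_decision() {
    prev_version=$1
    START_ON_INSTALL=
    # Read the site policy if present; unset or empty means "do not start".
    if [ -r "$POLICY_FILE" ]; then
        . "$POLICY_FILE"
    fi
    if [ -n "$prev_version" ]; then
        echo restart            # upgrade: restart the service as today
        return 0
    fi
    case "$START_ON_INSTALL" in
        yes|true|1) echo start; return 0 ;;
        *)          echo skip;  return 1 ;;
    esac
}

# Stand-in for starting the service; a real postinst would call the init
# script (via invoke-rc.d) here.
start_service() { echo "would run: invoke-rc.d $1 start"; }

# The part of "postinst configure" the proposal changes: the rest of the
# maintainer script's work proceeds whether or not the daemon is started.
postinst_configure() {
    pkg=$1; prev=$2
    if start_decision "$prev" >/dev/null; then
        start_service "$pkg"
    else
        echo "$pkg installed but not started (START_ON_INSTALL unset)"
    fi
    return 0
}

# Stand-alone demo with a placeholder package name and version.
postinst_configure squid ""        # fresh install: follows the policy
postinst_configure squid "1.0-1"   # upgrade: restarts as before
```

The fresh-install/upgrade distinction rests on the old-version argument dpkg already passes to `postinst configure`, so no extra state is needed; the only thing the policy file adds is the opt-in. Debian's standard hook for this kind of site decision is the policy-rc.d script consulted by invoke-rc.d; the sketch above mirrors only the variable-based design the post proposes.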


Re: Verisign has hijacked www.xmms.org

2003-09-24 Thread Noah L. Meyerhans
On Tue, Sep 23, 2003 at 02:08:29AM +0200, Michelle Konzack wrote:
> I was surfing the Website http://www.xmms.org/ for new skins and
> at one click...
>
> ...xmms was hijacked !!!
>
> No access on xmms possible. Can anyone confirm this please...
> Please Cc: me.

Nope.  Worked just fine for me.  I disabled proxy use and blew away my
mozilla cache to be sure, and also tried it in w3m.  No problems at all.

noah

delegation-only patch for woody's bind9?

2003-09-22 Thread Noah L. Meyerhans
Does anybody have a copy of the patch for delegation-only functionality
in woody's bind9?  ISC seems to have taken it down from their site.  It
used to be listed at
http://www.isc.org/products/BIND/delegation-only.html, but that page now
only contains links to the latest versions of bind (which apparently
incorporate the functionality without the need for patches).

If you have a copy, please send it to me off-list or make it available
for anonymous download.  Thanks!

noah

Re: Default permissions for /dev/log

2003-09-20 Thread Noah L. Meyerhans
On Sat, Sep 20, 2003 at 08:33:29PM +0400, Nikita V. Youshchenko wrote:
> I've just found that on all my systems /dev/log has rw-rw-rw- permissions.
> Is that Debian default?

It's the default just about everywhere.  If it was not the case, then
you'd have to put every user that you want to be able to write to log
files in a group with each other.  You can certainly do that, if you'd
like.  Define group "log" and add the various daemon users on your
system to it.  Then set more restrictive permissions on /dev/log.

You might also check out the IETF's Secure Syslog working group.  Maybe
they are working on this problem.  Then again, they're probably busy
with the rest of the insecurities in the syslog protocol...

noah

Re: Eric Allman has changed jobs

2003-08-28 Thread Noah L. Meyerhans
On Wed, Aug 27, 2003 at 06:29:23PM -0700, Ted Deppner wrote:
> On Wed, Aug 27, 2003 at 03:46:22PM -0700, Eric Allman's vacation droid wrote:
> > I have left the University.  Your mail is being forwarded to me.
> [blah blah blah]
>
> Am I the only one that finds the author of Sendmail spamming a mailing
> list with a vacation program amusing? [1]

Probably.  It shows your idiocy.

His autoresponder was replying to a forged message.  Not a thing he
could do about it.

noah

Re: The possibility of malicious code in the Debian unstable libtool-1.5 package

2003-08-26 Thread Noah L. Meyerhans
On Tue, Aug 26, 2003 at 08:23:44AM -0700, Alan W. Irwin wrote:
> Thus, wouldn't it be the right thing to do to withdraw the Debian unstable
> libtool-1.5 package until GNU has a chance to check the tarball? (And of
> course after the checked version is available, the tarball used to create
> the current package should be checked against it to make sure nothing
> malicious got propagated while the libtool-1.5 package was available).

Would it not be the right thing to simply run diff between the source in
testing (assuming that predates the crack) and the one in unstable and
look for suspicious code?  It doesn't take somebody operating in an
official GNU capacity to confirm that there's no malicious code there.

noah

Re: Looking for a simple SSL-CA package

2003-08-24 Thread Noah L. Meyerhans
On Sat, Aug 23, 2003 at 07:38:25PM +0200, Adam ENDRODI wrote:
 Perhaps I just misinterpret the terminology, but I've had the
 impression that every certificate should be signed, so should the
 root of the tree too.  Since they sit at the top of the hierarchy
 they must be self signed.  Am I missing something?

Nope, you've pretty much got it.  At some point in the tree, you need to
trust a key.  It's not that hard to establish trust for one key, but
it's very hard to establish trust for all keys.  Thus, you establish
trust in the certificate authority and trust keys signed by it.

If you don't want to run your own certificate authority or pay a
commercial one to sign your key, and you don't have a lot of
certificates to deal with, you can have each key simply be self-signed,
which I believe is what's being recommended here.

noah




Re: Simple e-mail virus scanner

2003-08-20 Thread Noah L. Meyerhans
On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
   So, I'm wondering, does anybody know about any such approach?
  After getting sick of all the virus crap in my inbox I installed the
  following in /etc/exim/system_filter.txt:
 
 This approach yields a high false positive rate. This can be a major
 annoyance on mailing lists, when you get unsubscribed because of a
 matching mail body. Your filter (which seems to be based on Nigel
 Metheringham's system_filter) does not parse MIME headers but just
 looks for filenames following Content-Type or begin.

I agree that it is not optimal.  However, as I don't run Windows I don't
expect to see any legitimate attachments whose file names match the
regex in that filter.  Same goes for the few other people who use this
mail server.  I would be much more careful about installing this filter
in a setting where dozens or hundreds of users may be affected by it.

And yes, it was based on Nigel Metheringham's filter.  I just
copy-pasted the chunks that I used.

noah





Re: Debian Stable server hacked

2003-08-20 Thread Noah L. Meyerhans
On Wed, Aug 20, 2003 at 05:23:30PM +0200, Adam ENDRODI wrote:
  No, it really doesn't.  It might stop some common implementations of
  exploits, but that's about it.  There are many papers available which
  describe the shortcomings of this kind of prevention.
 
 Could you provide some pointers on the topic?

There was recently a long thread on bugtraq about this very topic
(Subject was Buffer overflow prevention).  You'll find some valuable
information in there.  The thread got kicked off bugtraq to secprog by
the moderator and may still be alive there.

noah




Re: Simple e-mail virus scanner

2003-08-19 Thread Noah L. Meyerhans
On Tue, Aug 19, 2003 at 10:56:29PM +0200, Kjetil Kjernsmo wrote:
 
 So, I'm wondering, does anybody know about any such approach?

After getting sick of all the virus crap in my inbox I installed the
following in /etc/exim/system_filter.txt:
## ---
# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants - many many variants
# Quoted filename - [body_quoted_fn_match]
# (The pattern is a double-quoted exim string, so backslashes are
# doubled; the regex engine sees \s, \w, \S and \. .)
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\"[^\"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")[\\s;]"
then
  fail text "This message has been rejected because it has\n\
             a potentially executable attachment $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\s;]"
then
  fail text "This message has been rejected because it has\n\
             a potentially executable attachment $1\n\
             This form of attachment has been used by\n\
             recent viruses or other malware.\n\
             If you meant to send this file then please\n\
             package it up as a zip file and resend it."
  seen finish
endif
## ---

And put 
message_filter = /etc/exim/system_filter.txt
in /etc/exim/exim.conf

It seems to be working.  I've seen a couple of rejections get logged in
/var/log/exim/mainlog since I installed it an hour ago.  Why these
rejections don't go to /var/log/exim/rejectlog I don't know, but the
point is that the junk is not cluttering my mailbox.

noah



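As an added example, not code from the original post or from Nigel Metheringham's filter, the Python below keeps the filter's extension list but takes attachment names from the parsed MIME parts, which avoids the false positive Christoph Moench-Tegeder describes in the reply above (body text that merely quotes a Content-Type line); the two messages, their addresses and the setup.exe attachment are constructed for the demo.

```python
"""MIME-aware version of the executable-attachment check.

Added example, not from the original post or from Nigel Metheringham's
filter: it reuses the filter's extension list but reads attachment names
from the parsed MIME parts instead of running a regex over the raw body,
and runs both checks over two constructed messages to show the difference.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extension alternation copied from the quoted exim filter.
EXT_ALT = (
    r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk"
    r"|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]"
)
DANGEROUS_NAME = re.compile(r"\.(?:%s)$" % EXT_ALT, re.IGNORECASE)

# Python rendering of the filter's quoted-filename pattern, applied to the raw
# body text the way $message_body is.  Approximation: atomic groups replaced
# by plain ones, newlines left in place, the captured name has no quotes.
BODY_PATTERN = re.compile(
    r'(?:Content-(?:Type:\s*[\w-]+/[\w-]+|Disposition:\s*attachment);\s*'
    r'(?:file)?name=|begin\s+[0-7]{3,4}\s+)"([^"]+\.(?:%s))"[\s;]' % EXT_ALT,
    re.IGNORECASE,
)


def body_regex_hits(raw: bytes) -> list:
    """What the body-scanning filter matches: every quoted dangerous name that
    follows a Content-Type/Content-Disposition/uuencode 'begin' anywhere in
    the body, whether it is a real part header or just quoted text."""
    body = raw.decode("utf-8", "replace").split("\n\n", 1)[1]
    return [m.group(1) for m in BODY_PATTERN.finditer(body)]


def dangerous_attachments(raw: bytes) -> list:
    """Names of real attachments (per the MIME structure) with a dangerous
    extension.  get_filename() reads Content-Disposition's filename= and falls
    back to Content-Type's name=, the same two places the filter looks, but
    only in part headers, never in body text that looks like a header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and DANGEROUS_NAME.search(name):
            hits.append(name)
    return hits


def build_sample(with_attachment: bool) -> bytes:
    """Constructed test mail: a list reply whose body quotes a header line,
    optionally also carrying a genuine setup.exe attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"        # constructed address
    msg["To"] = "list@example.org"           # constructed address
    msg["Subject"] = "Re: Simple e-mail virus scanner"
    msg.set_content(
        "The filter trips on a quoted line like this one:\n"
        'Content-Type: application/octet-stream; name="setup.exe";\n'
        "even though this message has no such attachment.\n"
    )
    if with_attachment:
        # Four constructed bytes standing in for a PE file.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="setup.exe")
    return bytes(msg)


if __name__ == "__main__":
    for flag in (False, True):
        raw = build_sample(flag)
        print("with attachment" if flag else "text only      ",
              "| body regex:", body_regex_hits(raw),
              "| mime parts:", dangerous_attachments(raw))
```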


Re: honeyd and libdnet

2003-07-31 Thread Noah L. Meyerhans
On Thu, Jul 31, 2003 at 06:41:01PM +0200, Thomas Bechtold wrote:
 Now my questions are:
 - How works DECnet[3]?

DECnet has nothing to do with libdnet or honeyd.  I don't know what gave
you that idea.  Unless you *really* know that you need DECnet, you don't
need it.

 - How to configure dnet-common and the /etc/decnet.conf

rm -rf is how I'd go about it.

 - Why needs honeyd this lib

libdnet has nothing to do with decnet.  Its feature list, as shown on
http://libdnet.sourceforge.net/ indicates that it does the following:
* network address manipulation
* kernel arp(4) cache and route(4) table lookup and manipulation
* network firewalling (IP filter, ipfw, ipchains, pf, ...)
* network interface lookup and manipulation
* raw IP packet and Ethernet frame transmission 

None of that indicates any involvement with DECnet.

noah

-- 
 ___
| The economy is looking bad, let's start another war.
|--Dead Kennedys
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: execute permissions in /tmp

2003-07-13 Thread Noah L. Meyerhans
On Sat, Jul 12, 2003 at 11:43:02PM -0300, Peter Cordes wrote:
  This is at least the third time this has come up that I remember.  However, 
 absolute statements like *can not* get me thinking:  Is there any sort
 of file that can't be executed from /tmp?  What about statically linked ELF
 binaries?  /lib/ld-linux.so.2 /sbin/e2fsck.static  segfaults.  In five
 minutes, I haven't thought of a way to execute one.

Perhaps something like SELinux, employing ACLs, could do the job?  I
don't know a whole lot about it.

noah





Re: execute permissions in /tmp

2003-07-12 Thread Noah L. Meyerhans
On Sat, Jul 12, 2003 at 09:22:45PM -0400, Jim Popovitch wrote:
 I have a complaint/opinion/statement to express.  It seems that every now
 and then when I run 'apt-get upgrade' I get a lot of errors about Can't
 exec /tmp/config.x: Permission denied at  I like to keep my
 Debian boxen nice and secure, so I 'chmod +t /tmp' to prevent temp files
 from being executed.  It seems to me that some package maintainers aren't
 aware of issues such as these and are assuming that anything can be done in
 temp.

Couple of things in response to this.  First of all, the +t flag on
/tmp/ has nothing to do with whether you can execute files there.  From
chmod(1):
STICKY DIRECTORIES
   When the sticky bit is set on a directory, files  in  that
   directory may only be unlinked or renamed by root or their
   owner.  (Without the sticky bit, anyone able to  write  to
   the  directory can delete or rename files.) The sticky bit
   is commonly found on directories, such as /tmp, which  are
   world-writable.

Note that +t is the default on /tmp.

Second of all, mounting a filesystem with the noexec flag (assuming
/tmp is a separate filesystem on your system and this is, in fact, what
you're doing) has been shown many many times to not provide any level of
protection.  Try this on your noexec mounted /tmp:
# cp /bin/ls /tmp/
# /lib/ld-linux.so.2 /bin/ls

Basically, what it comes down to is that you *can not* prevent files
from being executed.  Even if you remove the execute bits from /tmp/ls
in the above example, you'll still be able to run it.

So, save yourself the headache and just remove noexec from /tmp/

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: execute permissions in /tmp

2003-07-12 Thread Noah L. Meyerhans
On Sat, Jul 12, 2003 at 09:34:16PM -0400, Noah L. Meyerhans wrote:
 # cp /bin/ls /tmp/
 # /lib/ld-linux.so.2 /bin/ls
   ^^^
Naturally I meant /tmp/ls on the second line there.  I'm sure you
figured that out on your own, but just for the record...

noah




Re: noboby with a shell !!

2003-03-26 Thread Noah L. Meyerhans
On Wed, Mar 26, 2003 at 12:11:58PM +0100, Sven Hoexter wrote:
 Well yes it could :) As long as the user has no valid password it's not very
 useful. Take a look into the /etc/shadow and in the second field you'll find
 ! or * indicating that this user has an invalid password. See man 5 shadow.

That's hardly true.  If an attacker could somehow create an ssh
authorized_keys file, they could log in without a password.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 


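As an added example, not from the original post, the Python below audits constructed passwd(5) and shadow(5) content for exactly this case: accounts whose password field is '!' or '*' but whose home directory holds an authorized_keys file; the user names, home directories and the set of homes with key files are constructed for the demo.

```python
"""Find accounts that are 'locked' in /etc/shadow but still hold an ssh key.

Added example, not from the original post.  A '!' or '*' password field, as
shadow(5) describes it, only makes the unix password unusable; passwd(1)
itself warns that such a user may still log in with another token such as
an ssh key, so an authorized_keys file under a locked account needs review.
"""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Shells that refuse an interactive session.  They stop "ssh user@host" from
# getting a shell, but key authentication itself still succeeds, and
# "ssh -N" port forwarding never needs a shell.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


@dataclass
class Finding:
    user: str
    home: str
    shell: str
    reason: str


def parse_passwd(text: str) -> Dict[str, Tuple[str, str]]:
    """user -> (home, shell) from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            users[fields[0]] = (fields[5], fields[6])
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """user -> encrypted-password field (second field) from shadow(5) lines."""
    passwords = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            passwords[fields[0]] = fields[1]
    return passwords


def password_is_locked(field: str) -> bool:
    """shadow(5): a field that cannot be a crypt(3) result, e.g. '!' or '*',
    disables password login for the account, and nothing else."""
    return field.startswith(("!", "*"))


def audit(passwd_text: str, shadow_text: str,
          has_authorized_keys: Callable[[str], bool]) -> List[Finding]:
    """Return findings sorted by user name."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for user, (home, shell) in sorted(parse_passwd(passwd_text).items()):
        field = shadow.get(user, "x")  # unknown to shadow: treat as a real hash
        if field == "":
            findings.append(Finding(user, home, shell,
                                    "empty password field: review immediately"))
            continue
        if password_is_locked(field) and has_authorized_keys(home):
            reason = "password locked but authorized_keys present: key login may still work"
            if shell in NOLOGIN_SHELLS:
                reason += " (shell denies a session; port forwarding is unaffected)"
            findings.append(Finding(user, home, shell, reason))
    return findings


def authorized_keys_on_disk(home: str) -> bool:
    """Key-file check against the real filesystem, for use on a live host."""
    return os.path.isfile(os.path.join(home, ".ssh", "authorized_keys"))


# Constructed sample data; the hash fields are placeholders, not crypt output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false
guest:x:1001:1001:Guest:/home/guest:/bin/bash
noah:x:1000:1000:Noah:/home/noah:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$PLACEHOLDER$hash:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
nobody:*:12345:0:99999:7:::
backup:!:12345:0:99999:7:::
guest::12345:0:99999:7:::
noah:$1$PLACEHOLDER$hash:12345:0:99999:7:::
"""
# Home directories that, in the constructed scenario, hold .ssh/authorized_keys.
SAMPLE_KEYS = {"/home/noah", "/nonexistent", "/var/backups"}


def demo() -> List[Finding]:
    return audit(SAMPLE_PASSWD, SAMPLE_SHADOW, lambda home: home in SAMPLE_KEYS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.user:8} {f.shell:18} {f.reason}")
    # On a live host (as root):
    # audit(open("/etc/passwd").read(), open("/etc/shadow").read(),
    #       authorized_keys_on_disk)
```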


Re: speaking of squid ports...

2003-03-26 Thread Noah L. Meyerhans
On Wed, Mar 26, 2003 at 02:15:28PM -0500, Kevin Cheek wrote:
 
 I believe that UDP port is for receiving DNS responses.

Umm...  No.

It's used for ICP, a protocol for intercommunication between squid
caches.  For example, at my site we have two different caches.  One is
basically transparent.  The other provides anonymizing services.  But,
through ICP, both caches can make use of each other's cached objects.

Dunno how you turn it off, though.  Iptables?  shrug

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 



Re: looking for a good source to start learning about kerberos

2003-03-20 Thread Noah L. Meyerhans
On Thu, Mar 20, 2003 at 12:18:23PM +0200, Haim Ashkenazi wrote:
 After reading the responses for my email about NIS security, I was
 convinced that it's time to learn about ldap w/kerberos. In the
 ldap-howto's I've read there were references to kerberos by MIT and
 Heimdal. Looking in my aptitude list I saw a lot of packages with
 different versions of kerberos and I've got a little confused. I was
 wondering what would be a good place to start with kerberos (keeping
 in mind that my main interest is to combine it with ldap)?

Well, start with http://web.mit.edu/kerberos/www/
Then maybe proceed to http://www.ofb.net/~jheiss/krbldap/

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 



Re: OT: Is it so easy to break into an NIS?

2003-03-19 Thread Noah L. Meyerhans
On Wed, Mar 19, 2003 at 09:40:00AM -0600, David Ehle wrote:
 As I understand it, OpenAFS is IBM software that was opensourced.  Coda
 was a wholly opensource project to implement AFS.  Please feel free to
 correct me if I'm wrong.

No, CODA is not simply an AFS implementation.  It is based on AFS, but
it supports things like offline use that are not supported by AFS.

The complete feature list from http://www.coda.cs.cmu.edu/ is:
   1. disconnected operation for mobile computing
   2. is freely available under a liberal license
   3. high performance through client side persistent caching
   4. server replication
   5. security model for authentication, encryption and access control
   6. continued operation during partial network failures in server network
   7. network bandwidth adaptation
   8. good scalability
   9. well defined semantics of sharing, even in the presence of network
      failures

I tried setting it up a couple of years ago.  It was evil.  I gave up
and haven't looked at it since.  At that time, there were sid packages
in experimental.  I don't know if they've actually been uploaded to
unstable or not.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 



Re: OpenSSH updates

2003-02-20 Thread Noah L. Meyerhans
On Thu, Feb 20, 2003 at 04:44:26AM -0500, Odair wrote:
 
 Is there a .deb for OpenSSH 3.5p1 ?

Yes, in unstable.  Not stable.  What makes you think you need it?

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: machine monitoring packages

2003-02-14 Thread Noah L. Meyerhans
On Fri, Feb 14, 2003 at 05:00:42PM +0100, Dariush Pietrzak wrote:
  It's great. But there is no alternative. And there should be.

That's because there doesn't need to be an alternative.  Rrdtool is a
specialized application to fill a niche.  Any old database will work in
situation where you are willing to keep all your data forever.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: machine monitoring packages

2003-02-13 Thread Noah L. Meyerhans
On Thu, Feb 13, 2003 at 02:59:26PM +, gabe wrote:
 I would like to know what ppl think is the best package for monitor 
 servers, at my last work place they were installing mon.  In my new 
 job they use Nagios, which I'm not too sure about due to the fact that 
 installation / configuration goes wrong.  Most importantly there's no 
 deb package for Nagios which makes me not wanna use it in the first place.

This is OT for this list.

Having said that, snips (formerly nocol) is good.  Upstream development
has stagnated, but there are rumblings on the mailing list of getting
new development going again.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Question about snort binaries..

2003-01-30 Thread Noah L. Meyerhans
On Thu, Jan 30, 2003 at 09:35:05AM -0800, Anne Carasik wrote:
 Is there a way to define that I only want to use the unstable
 packages just related to snort or do I have to change my entire
 distribution to unstable? Testing distribution has 1.8.7.

No.  You would have to pull in all the dependencies from unstable as
well, so you'd get all sorts of fun stuff like libc upgraded.

It's possible that you could try 'apt-get -b source snort' and have the
right thing happen.  But then again, depending on the package in
unstable, this might not be buildable on something else.

 Any other suggestions or recommendations are also welcome.

Go to www.snort.org, get the tarball, and install it in /usr/local/.
That's what I've been doing.

This was discussed at quite a bit of length a month or two ago.  Check
the archives.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: FW: Updated OPENSSL package for Debian?

2003-01-07 Thread Noah L. Meyerhans
On Tue, Jan 07, 2003 at 08:00:11AM -0700, Miles Beck wrote:
 Is there an updated OPENSSL package for Debian greater than OpenSSL-0.9.6c?

Yes, 0.9.6c-2.woody.1.  It contains all the security fixes present in
openssl-0.9.6g.

 ~/Net_SSLeay.pm-1.21$ perl Makefile.PL
 Checking for OpenSSL-0.9.6g or newer...
 You have OpenSSL-0.9.6c installed in /usr
 openssl-0.9.6d and earlier versions have security flaws, see advisory at
 www.openssl.org, upgrading to openssl-0.9.6g is recommended.

This perl module is being stupid.  It is merely checking the version
string and basing its idea of the security of openssl on that.  The
security problems it thinks are present are not, in fact, present.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: FW: Updated OPENSSL package for Debian?

2003-01-07 Thread Noah L. Meyerhans
On Tue, Jan 07, 2003 at 05:08:23PM +0100, Adrian 'Dagurashibanipal' von Bidder wrote:
 So the version from testing should do. You may want to download the
 source package and compile it yourself to avoid having to upgrade
 dependencies (I don't know, just speculating).

Why tell him that?  What the hell is wrong with the version of openssl
from security.debian.org?  There are no known security vulnerabilities
there.

Advising somebody to install packages from *testing* to get security
updates is very unwise.  Doing so would prevent them from getting a new
version of the package in the event that it's updated by the security
team again.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Bind9 stopped after 34 days of uptime

2002-12-26 Thread Noah L. Meyerhans
On Thu, Dec 26, 2002 at 09:16:12AM -0500, Phillip Hofmeister wrote:
 This is on a Pentium 100 MHz with around 32 MB of RAM.  The box itself
 has been up 134 days.  This is the primary internet server for
 zionlth.org.  Traffic to this domain is modest...

I have a feeling that it's possible to misconfigure bind9 in such a way
that it fails periodically.  I had it running on a 200 MHz box with 32
MB RAM, and it failed occasionally, with no indication as to why.
However, I've since re-worked named.conf, and have not experienced an
unexpected failure in the past 6 months.  The original named.conf was
used with bind 8, and I just kept it when I upgraded to bind9 (except
for the logging configuration, which changed significantly).  It was
when I ditched the old named.conf and re-wrote it for bind9, including
more refined logging configuration, that stability was greatly improved.

Of course, for a lot of the time that bind9 was crashing, it was running
versions prior to the version that was actually released with woody,
since this box was running woody before it was released.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Bug #173254 Submitted: Snort In Stable Unusable

2002-12-17 Thread Noah L. Meyerhans
On Tue, Dec 17, 2002 at 10:36:52AM +0100, Sander Smeenk wrote:
 Therefore I would more like to either remove the entire package *OR* add
 a debconf / other intrusive warning that tells users that the package
 gives them a fake sense of security and instead they should consider
 installing snort 1.9.0 from source by doing apt-get source -b
 snort from the unstable archives or by building it themselves.

A third option might be to create a snort-tracker package that makes
it easier to build an up-to-date snort binary, complete with up-to-date
rules.  Similar to pine-tracker, but for a different purpose.

I'm not sure if that would be feasible, though.  Does snort require
significant patching to comply with our filesystem policies?

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: SSH

2002-12-16 Thread Noah L. Meyerhans
On Tue, Dec 17, 2002 at 08:42:03AM +0800, Patrick Hsieh wrote:
 Woody is shipping OpenSSH_3.4p1. Before the security team confirm this 
 vulnerability and release the upgrade package, is there any way to patch and 
 repackage the woody openssh? I just can't find the patch against this 
 vulnerability.

Why would you want to?  The advisory indicates that it is unlikely (for
whatever that's worth) that any OpenSSH version is vulnerable at all.
3.5 certainly doesn't fix nonexistent problems, so I don't see any
reason to view this advisory as a reason to upgrade.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: VPN + Roadwarrior

2002-12-12 Thread Noah L. Meyerhans
On Thu, Dec 12, 2002 at 09:39:27AM -0500, Phillip Hofmeister wrote:
 If you implement IPSec, my experience (as of 6 months ago) with IPSec is
 that it works great, as long as you use the same implementation on all
 hosts.

I don't really agree with that.  I have used several different IPsec
implementations and interoperated successfully.  The latest combination
that I tried was the Linux 2.5 native IPsec communicating with
FreeS/WAN.  No problem.  I've documented the steps I had to go through
to get the {Free,Net}BSD IPsec implementation to interoperate with
FreeS/WAN using X.509 certs for authentication.  Again, very few
problems.

www.freeswan.org has quite a bit of interoperability documentation.
Basically, the only difficulties come from the fact that the Internet
Key Exchange (IKE) protocol, defined in RFC 2409, has so damn many
configurable parameters that it's easy to misconfigure it.  Since there
isn't (and probably won't ever be) a standard set of defaults, this can
get confusing.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: Updating Snort Signatures In Stable ?

2002-12-07 Thread Noah L. Meyerhans
On Sat, Dec 07, 2002 at 01:51:11PM +0100, Javier Fernández-Sanguino Peña wrote:
  IIRC important new versions of existing packages are allowed into
  point releases, so maybe Woody's main Snort engine binary packages can
  be updated when 3.0r1 happens.
 
   That won't happen sorry. That's just not the way Debian works,
 3.0r1 will have no new code, just important bug (and security) fixes.

Well, a case could be made for the presence of an old, unmaintained,
unusable snort being a security bug.

   The problem is that if the snort people change the engine _and_
 the rulebase then Debian can never support new rules for old (stable)
 releases (which could be asked for point releases). 

Obviously this is a problem that will face other distributors, as well
as Debian.  Our policy WRT stable revisions, though, may be unique.
Situations such as this do expose weaknesses in our policy, and warrant
further thought.  I don't believe we should leave our users in the state
that they're in with the woody version of snort being the only
supported version available.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: pop mail recommendations

2002-12-06 Thread Noah L. Meyerhans
On Fri, Dec 06, 2002 at 04:35:04PM +0100, Christian Storch wrote:
 Look at brand new
 http://packages.debian.org/unstable/mail/cyrus21-imapd.html
 
 ssl included!

Cyrus definitely rocks, but it can't be described as lightweight in any
sense of the word.  It's very powerful, and would be my first choice for
running a very large site (university campus, for example), but most
people don't need something quite so industrial strength.

Having said that, I should also mention that I run a Cyrus 2.1
installation for about 8 people at work.  It works great, but it's
overkill.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: File system integrity checkers - comparison?

2002-12-05 Thread Noah L. Meyerhans
On Wed, Dec 04, 2002 at 06:44:12PM -0800, Johannes Graumann wrote:
 and was wondering as to what this group is preferring and why or whether there
 are other more trusted alternatives.
 My main argument against tripwire is its pseudo-commercial source.

I use tripwire and recommend it strongly.  The version in unstable is
100% free software, and the quality is very good.  It's probably best to
build it from source if you want to install it on a non-unstable system.
The source is available at www.tripwire.org.

The only drawback to tripwire, IMHO, is that because it's written in
C++, it may be difficult to get running on non-x86 systems.  Presumably
g++ 3.2 will help address that issue.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: Updating Snort Signatures In Stable ?

2002-12-05 Thread Noah L. Meyerhans
On Fri, Dec 06, 2002 at 04:18:52AM +, Nick Boyce wrote:
 I've been running Snort for a month or so now on a Woody box at work,
 and am now wondering whether the Debian Project (or packager) has a
 Plan for providing signature file updates to users of the stable
 distribution.

This has been discussed before.  The thing is, I think that if you're
serious about using snort, you should not even consider using the one in
Debian.  snort.org doesn't even distribute up-to-date rules files for
the version in stable.  So if you want to have a useful ruleset, you
either need to figure out how to write it for the version in stable, or
you need to get a new version from snort.org.  Either way, you're
working outside the Debian system.

There have been proposals for the creation of a dynamic section of the
Debian distribution to contain data that frequently changes.  However,
in the case of snort, where the new data may well not work with the old
software, this doesn't help.  Really, I don't think snort should be
packaged in Debian at all.  It's one of those things that needs to be
current in order to be useful, and we just can't provide that.
Providing an ineffective version is doing a disservice to our users,
since it provides them with incorrect data (e.g. by telling them that
there are no known vulnerabilities on the machines they scan).

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: test of non-subscribed user

2002-11-26 Thread Noah L. Meyerhans
On Tue, Nov 26, 2002 at 08:08:40AM -0800, Ted Parvu wrote:
 This is a test to see if a non-subscribed user can
 post to the debian security list.  
 
 This is only a test.  If you are reading this, then
 the answer is yes and that just doesn't seem
 right.

*plonk*

This has been discussed *at length* a huge number of times in the past.
YES!  Non-subscribed users have *ALWAYS* been able to post to Debian
lists.  This is *by design* and is not going to change!

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: security updates for testing?

2002-11-22 Thread Noah L. Meyerhans
On Fri, Nov 22, 2002 at 03:19:30PM +0100, Sythos wrote:
 
 If someone has testing version on his machine should link stable or
 unstable for security update?

Neither.  Unstable doesn't get security updates.  Security updates to
stable will typically be to older versions of software than what exists
in testing.

As has been said before, if you are concerned about security, you should
not run testing.  That has always been the case, and it will continue to
be the case for the foreseeable future.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: VPN question

2002-11-18 Thread Noah L. Meyerhans
On Mon, Nov 18, 2002 at 07:17:31PM +0100, Andrea Frigido wrote:
 I have just installed kernel-patch-freeswan STABLE package, in the make 
 menuconfig menu it's possible to enable Blowfish and other additional cipher
 kernel modules.
 Do you think the unstable package is the better choice however?

No.  The freeswan patches in stable contain all the extended algorithms
already.  You don't need any other patch to get them on a stable system.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: Bind issues

2002-11-14 Thread Noah L. Meyerhans
On Thu, Nov 14, 2002 at 03:28:26PM +0800, Patrick Hsieh wrote:
 1. apt-get source bind
 2. wget the patch file from www.isc.org
 3. apply the patch
 4. dpkg-buildpackage
 5. dpkg -i bind*.deb

That will conceivably work *now*.  However, news of the vulnerability
was announced before the patches were made available.

The above method is probably safe, since you're not incrementing the
package version.  When the official fixes are released, they'll be
installed by apt-get since they'll have a higher version.

Also, you may wish to prepend apt-get build-dep bind to the above
sequence.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 



msg07744/pgp0.pgp
Description: PGP signature


Re: Bind issues

2002-11-14 Thread Noah L. Meyerhans
On Wed, Nov 13, 2002 at 11:45:19PM -0500, Mike Dresser wrote:
 Any word from the security team on what's going on with potato's bind?

Both potato and woody are vulnerable.  Fixes are on their way, but
disclosure of this vulnerability was very badly organized (not by the
security team), and the security team had a difficult time determining
exactly where the bugs were and how to go about fixing them.  I believe
we've got the updated code now and will be able to provide packages
soon for both potato and woody.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: DHCP

2002-10-29 Thread Noah L. Meyerhans
On Tue, Oct 29, 2002 at 09:35:01AM -0500, Phillip Hofmeister wrote:
 Laptop (IPSEC CLient) - WAP - Server (DHCP AND IPSEC Host) - Local
 Network.  In order to get inside the network you will have to get past
 the IPSEC Host, which of course will require a key that has a valid
 certificate from the local CA.

IPsec has the added advantage that it can be used to protect all
wireless traffic from eavesdroppers.

At the USENIX Annual Technical Conference in Monterey, CA this past
June, the company providing wireless network connectivity used such a
system.  Since it was IPsec, people using *BSD, Windows, Linux, etc were
able to use it.  They also had things configured in such a way that if
you couldn't or didn't want to use IPsec, you could use guest mode,
which didn't require anything other than basic 802.11b functionality,
but meant that you could do only a limited amount of stuff on the
network (i.e. most outgoing ports were filtered, especially ones that
would have you sending your password in the clear over a wireless link).

I forget the name of that company, but could dig it up if anybody wants
it.  Of course, all they really did was take a Linux box and configure
it just right to get this functionality, so if time is more plentiful
for you than money, you could likely build the same kind of system
yourself.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: DHCP - rootkit

2002-10-29 Thread Noah L. Meyerhans
On Tue, Oct 29, 2002 at 04:12:54PM -0800, Alvin Oga wrote:
 i say modifying files is a giveaway .. that says
 come find me  which is trivial since it's modified
 binaries

If they do it right, it's not a giveaway.  If they're quick, thorough,
and accurate, they can certainly do it right.  On the other hand, I've
seen cracked Solaris boxes on which the rootkit installed a patched
version of GNU's ls in place of the default ls.  That was a pretty
obvious giveaway.

The thing with rootkits is that they're pretty target-specific.  They're
not usually robust enough to be installed on a different Linux
distribution or even a different version of the intended target distro.
Rootkits aren't what I usually worry about; it's the determined,
knowledgeable attackers that I don't like.  Fortunately there aren't as
many of them to worry about.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: AIDE Information Overload

2002-10-22 Thread Noah L. Meyerhans
On Tue, Oct 22, 2002 at 11:36:06PM +0800, Dion Mendel wrote:
 Which files do people exclude when using integrity checkers
 (e.g. aide/tripwire etc)?

I don't typically exclude many files, but I often limit the changes that
tripwire notifies me about.  For example, if one of my users changes
their password, I don't need to know that the md5 checksum of
/etc/shadow has changed.  However, if the link count, ownership, or
permissions of /etc/shadow change, I want to know about it.  Configuring
tripwire is fairly easy for this type of thing.  I'll happily share bits
of my policy file if you want.

I have very little experience with AIDE, so I don't know if it's
possible to do this type of thing with it.  I installed it for a short
while and found it unpleasant to work with.  I found tripwire to be
superior, and contrary to popular belief, it is at least as free as
AIDE.  See www.tripwire.org.  And note that this is not the same
tripwire that shipped with potato.  That version was ancient and slow
and bad.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
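
The distinction noah draws (ignore a changed checksum on /etc/shadow, but alert when its permissions, ownership or link count change) is what a per-file property mask in an integrity checker's policy expresses. The following is an added example, not tripwire's code and not noah's policy file: a small Python integrity checker whose property letters mirror tripwire's (p permissions, i inode, n link count, u owner, g group, t type, s size, M MD5 of the contents), exercised against a constructed shadow-like file in a temporary directory rather than the real /etc/shadow.

```python
"""Minimal file-integrity checker with tripwire-style property masks.
Added example, not tripwire's code; the letters mirror tripwire's policy
syntax but the mask handling here is this script's own."""
import hashlib
import os
import stat
import tempfile

# Metadata properties, keyed by the letter used in a mask.
_STAT_PROPS = {
    "p": lambda st: stat.S_IMODE(st.st_mode),   # permission bits
    "i": lambda st: st.st_ino,                   # inode number
    "n": lambda st: st.st_nlink,                 # link count
    "u": lambda st: st.st_uid,                   # owner
    "g": lambda st: st.st_gid,                   # group
    "t": lambda st: stat.S_IFMT(st.st_mode),     # file type
    "s": lambda st: st.st_size,                  # size in bytes
}

FULL_MASK = "pinugtsM"        # everything, including an MD5 of the contents
METADATA_MASK = "pinugt"      # the /etc/shadow case: no checksum, no size


def snapshot(path: str, mask: str) -> dict:
    """Record the properties selected by mask for one file."""
    st = os.lstat(path)
    props = {letter: fn(st) for letter, fn in _STAT_PROPS.items() if letter in mask}
    if "M" in mask:
        with open(path, "rb") as f:
            props["M"] = hashlib.md5(f.read()).hexdigest()
    return props


def changed_properties(path: str, mask: str, baseline: dict) -> dict:
    """Return {letter: (old, new)} for every selected property that differs
    from the baseline snapshot; an empty dict means nothing to report."""
    current = snapshot(path, mask)
    return {k: (baseline[k], current[k]) for k in baseline if baseline[k] != current[k]}


def demo() -> tuple:
    """Simulate a password change and then a permission change on a
    constructed shadow file.  Returns (full-mask report after the password
    change, metadata-mask report after it, metadata-mask report after chmod)."""
    with tempfile.TemporaryDirectory() as tmp:
        shadow = os.path.join(tmp, "shadow")
        with open(shadow, "w") as f:
            f.write("alice:$1$oldhashXX:12345:0:99999:7:::\n")
        os.chmod(shadow, 0o640)
        full_base = snapshot(shadow, FULL_MASK)
        meta_base = snapshot(shadow, METADATA_MASK)

        # 1. alice changes her password: contents change, metadata does not
        #    (same length, so even the size property stays put).
        with open(shadow, "w") as f:
            f.write("alice:$1$newhashYY:12346:0:99999:7:::\n")
        full_report = changed_properties(shadow, FULL_MASK, full_base)      # flags M
        meta_report = changed_properties(shadow, METADATA_MASK, meta_base)  # nothing

        # 2. someone makes the file world-readable: the metadata mask catches it.
        os.chmod(shadow, 0o644)
        perm_report = changed_properties(shadow, METADATA_MASK, meta_base)  # flags p
    return full_report, meta_report, perm_report


if __name__ == "__main__":
    for label, report in zip(("full/passwd", "meta/passwd", "meta/chmod"), demo()):
        print(f"{label}: {report}")
```

A real policy would apply the full mask to binaries and libraries and the metadata-only mask to files that legitimately change content (password and group databases, logs), which is the split noah describes.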



msg07497/pgp0.pgp
Description: PGP signature


Re: AIDE Information Overload

2002-10-22 Thread Noah L. Meyerhans
On Tue, Oct 22, 2002 at 11:36:06PM +0800, Dion Mendel wrote:
 Which files do people exclude when using integrity checkers
 (e.g. aide/tripwire etc)?

I don't typically exclude many files, but I often limit the changes that
tripwire notifies me about.  For example, if one of my users changes
their password, I don't need to know that the md5 checksum of
/etc/shadow has changed.  However, if the link count, ownership, or
permissions of /etc/shadow change, I want to know about it.  Configuring
tripwire is fairly easy for this type of thing.  I'll happily share bits
of my policy file if you want.

I have very little experience with AIDE, so I don't know if it's
possible to do this type of thing with it.  I installed it for a short
while and found it unpleasant to work with.  I found tripwire to be
superior, and contarary to popular belief, it is at least as free as
AIDE.  See www.tripwire.org.  And note that this is not the same
tripwire that shipped with potato.  That version was ancient and slow
and bad.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 


pgpdgNEHBaFA6.pgp
Description: PGP signature


Re: [OT] secure, minimal Debian installation for linux-based thin clients?

2002-10-18 Thread Noah L. Meyerhans
On Fri, Oct 18, 2002 at 12:41:37PM -0700, Chris Majewski wrote:
 Now, we're looking  to upgrade the Linux on these  thin clients. I like
 Debian,  so that's  one  obvious choice.  However,  a standard  Debian
 install (e.g.  what I run  on my machine)  gives us much more  than we
 need. 

Towards the end of the Debian installation process, when you're asked
whether you want to run tasksel or dselect, you can choose dselect and
exit it before installing any packages.  If you do that, you're left
with a really minimal install.  You might be able to base your work on
this.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html


Re: port 16001 and 111

2002-10-17 Thread Noah L. Meyerhans
On Thu, Oct 17, 2002 at 07:15:08PM +0300, Jussi Ekholm wrote:
 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...

What do you get from:
netstat -ntlp | grep 16001

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
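
What netstat -ntlp does to fill in its PID/Program name column (the part that answers "what is listening on 16001") can be reproduced directly from /proc. The following is an added example, not code from the thread or from netstat: it parses the /proc/net/tcp table format for LISTEN sockets on a given port and maps the socket inodes back to processes by scanning /proc/<pid>/fd. The embedded table is a constructed sample; the live lookup only works on Linux with a readable /proc, and sees other users' processes only when run as root, which is also why netstat -p wants root.

```python
"""Find which process owns a listening TCP port by reading /proc, the way
netstat -p does.  Added example, not netstat's own code."""
import os
import socket

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp

# Constructed sample in the /proc/net/tcp format: a listener on 16001
# (0x3E81), a portmapper-style listener on 111 (0x006F) and an established
# connection on 22 (state 01) that must not be reported.
SAMPLE_TCP_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:3E81 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6789 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 999 1 0000000000000000 20 4 30 10 -1
"""


def listening_inodes_in(table: str, port: int) -> set:
    """Socket inodes of LISTEN entries bound to port in a /proc/net/tcp table."""
    inodes = set()
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].endswith(":"):
            continue  # header line or junk
        local_port = int(parts[1].rsplit(":", 1)[1], 16)  # port is hex after the colon
        if local_port == port and parts[3] == LISTEN:
            inodes.add(int(parts[9]))
    return inodes


def listening_inodes(port: int) -> set:
    """Same, read from the live kernel tables for IPv4 and IPv6."""
    inodes = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                inodes |= listening_inodes_in(f.read(), port)
        except OSError:
            continue
    return inodes


def pids_owning_sockets(inodes: set) -> set:
    """Scan every /proc/<pid>/fd for socket:[inode] links matching inodes.
    Processes whose fd directory we may not read are silently skipped."""
    pids = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join("/proc", entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and int(target[8:-1]) in inodes:
                pids.add(int(entry))
    return pids


def who_listens_on(port: int) -> set:
    """PIDs that hold a listening socket on port, per the live /proc tables."""
    return pids_owning_sockets(listening_inodes(port))


if __name__ == "__main__":
    # Bind a throwaway listener and confirm our own pid is found behind it.
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        s.listen(1)
        print(who_listens_on(s.getsockname()[1]), "should contain", os.getpid())
```

If the port shows up in the table but no PID is found, the usual reasons are that the lookup ran without root or that the listener lives in another network namespace, both worth knowing before concluding that something is hiding.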


