Re: sysadmin in training

2023-05-13 Thread Olaf Dietsche
Michael Lazin  writes:

> SInce Ossec HIDS is GNU Public licensed I think this is not a bad idea to
> include this in the documentation.  The referenced article does describe
> securing Debian with open source tools and I honestly have seen this
> documentation for the first time tonight and I think it is very high
> quality. The thing that caught my eye is disabling execution for /tmp.  I

I don't know about the current state, but I did disable execution for /tmp
at some point, only to discover that installing some packages failed because
of this.

Although I don't remember, if it was the package or apt-get/dpkg needing
an executable /tmp.

> managed thousands of Debian servers at one time and I often found hacker
> scripts in ./tmp because of a Wordpress exploit.  This is because /tmp is
> world writable and presumably people who don't know better are unlikely to
> look for bad scripts there.



Re: crontab failure for daylight savings

2003-10-05 Thread Olaf Dietsche
Billy Naylor [EMAIL PROTECTED] writes:

 It appears that cronjobs running between 2am and 3am sunday morning
 seem to not have been run, i'm in New Zealand which went into summer
 daylight savings over the weekend.

If you go to daylight savings, the clock jumps from 2am to 3am. So,
there's no way how these jobs can run, because for example 2:37am
doesn't exist.

The reverse happens, when you go back from daylight savings to regular
time: the clock jumps from 3am to 2am. This means, all jobs between
2am and 3am run twice. I don't know, wether some cron implementation
compensates for daylight savings.

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: crontab failure for daylight savings

2003-10-05 Thread Olaf Dietsche
Billy Naylor [EMAIL PROTECTED] writes:

 It appears that cronjobs running between 2am and 3am sunday morning
 seem to not have been run, i'm in New Zealand which went into summer
 daylight savings over the weekend.

If you go to daylight savings, the clock jumps from 2am to 3am. So,
there's no way how these jobs can run, because for example 2:37am
doesn't exist.

The reverse happens, when you go back from daylight savings to regular
time: the clock jumps from 3am to 2am. This means, all jobs between
2am and 3am run twice. I don't know, wether some cron implementation
compensates for daylight savings.

Regards, Olaf.



Re: Simple e-mail virus scanner

2003-08-20 Thread Olaf Dietsche
Hi,

  [EMAIL PROTECTED] writes:

 Does the same approach could be use with sendmail ? Any examples?

I guess, you could integrate this in http://www.spamassassin.org.
SpamAssassin already scans the email body for signs of spam, so it
shouldn't be too hard, to add another regex. Although, I never did
this myself. I just use SpamAssassin out of the box with procmail.

There's already a sendmail milter at
http://savannah.nongnu.org/projects/spamass-milt/
http://www.mimedefang.org/ is another milter for sendmail, which
uses SpamAssassin.

Regards, Olaf.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Simple e-mail virus scanner

2003-08-20 Thread Olaf Dietsche
Hi,

Игорь Ляпин [EMAIL PROTECTED] writes:

 Does the same approach could be use with sendmail ? Any examples?

I guess, you could integrate this in http://www.spamassassin.org.
SpamAssassin already scans the email body for signs of spam, so it
shouldn't be too hard, to add another regex. Although, I never did
this myself. I just use SpamAssassin out of the box with procmail.

There's already a sendmail milter at
http://savannah.nongnu.org/projects/spamass-milt/
http://www.mimedefang.org/ is another milter for sendmail, which
uses SpamAssassin.

Regards, Olaf.



Re: snmp packets

2003-07-31 Thread Olaf Dietsche
ulrich berthold [EMAIL PROTECTED] writes:

 SCAN Proxy (8080) attempt the next outstanding alarm message was a
 SNMP public access udp. i looked into it and to my surprise found
 out, that these packages are originating on the server's external
 interface and going to two (nonexistent) privat ip addresses 10.0.1.80
 and 10.1.0.80, about every other hour. i ngrepped the packages and
[...]
 any hint on how i can find out which process is sending these out?
 might it be the hardware (networkcard) itself?

If it's about every hour, I would look into the crontabs, wether
there's an entry around that time.

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: snmp packets

2003-07-31 Thread Olaf Dietsche
ulrich berthold [EMAIL PROTECTED] writes:

 SCAN Proxy (8080) attempt the next outstanding alarm message was a
 SNMP public access udp. i looked into it and to my surprise found
 out, that these packages are originating on the server's external
 interface and going to two (nonexistent) privat ip addresses 10.0.1.80
 and 10.1.0.80, about every other hour. i ngrepped the packages and
[...]
 any hint on how i can find out which process is sending these out?
 might it be the hardware (networkcard) itself?

If it's about every hour, I would look into the crontabs, wether
there's an entry around that time.

Regards, Olaf.



Re: capabilities

2003-07-24 Thread Olaf Dietsche
Adam ENDRODI [EMAIL PROTECTED] writes:

   -- Problem 3: I'd like to grant or revoke capabilities to/from
  a running process.

  This seems to be the easiest, except that the kernel in the
  default configuration doesn't permit this (cap_bound doesn't
  contain CAP_SETPCAP which is requirement of a succesful
  capset() where the target is not the current process.

  The simplies workaround would be to set CAP_SETPCAT in
  cap_bound (requires to recompile the kernel, for cap_bset
  cannot be extended by anyone except pid == 1 (init)).
  However, I don't see clearly the implications this
  modification would cause, and I don't really want to risk
  it.

I did this some time ago with a simple wrapper script around init:

---8--cut here---
#! /bin/sh
if test $$ -eq 1; then
mount /proc
echo -1 /proc/sys/kernel/cap-bound
fi

exec /sbin/init.bin $@
---cut here--8---

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: capabilities

2003-07-24 Thread Olaf Dietsche
Adam ENDRODI [EMAIL PROTECTED] writes:

   -- Problem 3: I'd like to grant or revoke capabilities to/from
  a running process.

  This seems to be the easiest, except that the kernel in the
  default configuration doesn't permit this (cap_bound doesn't
  contain CAP_SETPCAP which is requirement of a succesful
  capset() where the target is not the current process.

  The simplies workaround would be to set CAP_SETPCAT in
  cap_bound (requires to recompile the kernel, for cap_bset
  cannot be extended by anyone except pid == 1 (init)).
  However, I don't see clearly the implications this
  modification would cause, and I don't really want to risk
  it.

I did this some time ago with a simple wrapper script around init:

---8--cut here---
#! /bin/sh
if test $$ -eq 1; then
mount /proc
echo -1 /proc/sys/kernel/cap-bound
fi

exec /sbin/init.bin $@
---cut here--8---

Regards, Olaf.



Re: odd process running /usr/sbin/sendmail -i -CronDaemon -odi -oem root

2003-06-19 Thread Olaf Dietsche
Robert Ebright [EMAIL PROTECTED] writes:

 I have had some problems with attempted hacks on
 my box and posted here the last few days. So
 I've been checking the processing running on my
 box and I see this.
   PID TTY  STAT   TIME COMMAND
 28406 ?S  0:00 /usr/sbin/sendmail -i
 -FCronDaemon -odi -oem root

 I have postfix installed, and I'm not sure if
 this is a normal thing, or else a rogue process,
 or just a cron job that got stuck. As around the

Nearly every MTA out there has a - more or less compatible - sendmail
interface.

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: odd process running /usr/sbin/sendmail -i -CronDaemon -odi -oem root

2003-06-19 Thread Olaf Dietsche
Robert Ebright [EMAIL PROTECTED] writes:

 I have had some problems with attempted hacks on
 my box and posted here the last few days. So
 I've been checking the processing running on my
 box and I see this.
   PID TTY  STAT   TIME COMMAND
 28406 ?S  0:00 /usr/sbin/sendmail -i
 -FCronDaemon -odi -oem root

 I have postfix installed, and I'm not sure if
 this is a normal thing, or else a rogue process,
 or just a cron job that got stuck. As around the

Nearly every MTA out there has a - more or less compatible - sendmail
interface.

Regards, Olaf.



Re: Advice Needed On Recent Rootings

2003-05-28 Thread Olaf Dietsche
Jayson Vantuyl [EMAIL PROTECTED] writes:

 Thankfully, we don't have root passwords.  In our space, we find root to
 more of a concept than a user, so we disable the password and set up a
 group that can su to root.  That way we have a good handle on things.
 Root never logs in, so we know somethings up if we see that.  Also, if
 it is hacked from a su-able user, we get a log of that too.  I highly
 recommend this set up (although it wasn't enough in our case :).

Just curious, how do you su to root, if root's password is disabled?
Do you have a modified su replacement?

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Advice Needed On Recent Rootings

2003-05-28 Thread Olaf Dietsche
Jayson Vantuyl [EMAIL PROTECTED] writes:

 Thankfully, we don't have root passwords.  In our space, we find root to
 more of a concept than a user, so we disable the password and set up a
 group that can su to root.  That way we have a good handle on things.
 Root never logs in, so we know somethings up if we see that.  Also, if
 it is hacked from a su-able user, we get a log of that too.  I highly
 recommend this set up (although it wasn't enough in our case :).

Just curious, how do you su to root, if root's password is disabled?
Do you have a modified su replacement?

Regards, Olaf.



Re: Disabling netstat

2003-04-21 Thread Olaf Dietsche
Brian McGroarty [EMAIL PROTECTED] writes:

 So far as I can tell, there's no non-hackish way to accomplish what
 I'd like. I have to either hold a file open to make chmod changes stay
 in effect in /proc, or I have to patch the kernel.

 This sure seems kind of silly... why add all these things into Big
 Giant Namespace and not honor all of the conventions of the same? I
 think /proc/* not supporting chmod changes for the duration of a
 system's uptime could be classified as a bug or a major design
 flaw. :/

I guess it was just an oversight. Nobody needed it and nobody
complained. But I did a patch against 2.5 to honor chmod and chown in
procfs. Maybe you can adapt it to 2.4. The patch is available at:

http://groups.google.com/groups?selm=87zntm8cq8.fsf%40goat.bogus.local

Regards, Olaf.



Re: smtp auth

2003-04-01 Thread Olaf Dietsche
Arnold J. Fischer [EMAIL PROTECTED] writes:

 I'm trying to set up my dial-up system for mail relaying via mx.freenet.de 
 and they are using smtp-auth to accept every mail from someone who has an 
 email-account on their system. I read a couple of articles about the 
 configuration of postfix and set up /etc/postfix/main.cf with all mentioned 
 parameters and options. Postfix is seat up to reconfigure via the pon/poff 
 scripts.

 I have no idea why, but when I'm examing the mail-relay with
   telnet mx.freenet.de 25
 and an 
   EHLO linux.example.com
 it seems to me, as in the log file excerpt that they are using smtp-auth. But 
 I the only thing I'm seeing is No mechs available and no connection. 

 The box is a Debian 3.0r1.
 The attachment is a piece of from /var/log/mail.log 

 Any ideas?!

I don't know about postfix, but with sendmail I had a similar
message. It went away after installing libsasl-digestmd5-plain and/or
libsasl-modules-plain.

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: smtp auth

2003-04-01 Thread Olaf Dietsche
Arnold J. Fischer [EMAIL PROTECTED] writes:

 I'm trying to set up my dial-up system for mail relaying via mx.freenet.de 
 and they are using smtp-auth to accept every mail from someone who has an 
 email-account on their system. I read a couple of articles about the 
 configuration of postfix and set up /etc/postfix/main.cf with all mentioned 
 parameters and options. Postfix is seat up to reconfigure via the pon/poff 
 scripts.

 I have no idea why, but when I'm examing the mail-relay with
   telnet mx.freenet.de 25
 and an 
   EHLO linux.example.com
 it seems to me, as in the log file excerpt that they are using smtp-auth. But 
 I the only thing I'm seeing is No mechs available and no connection. 

 The box is a Debian 3.0r1.
 The attachment is a piece of from /var/log/mail.log 

 Any ideas?!

I don't know about postfix, but with sendmail I had a similar
message. It went away after installing libsasl-digestmd5-plain and/or
libsasl-modules-plain.

Regards, Olaf.



Re: Permissions on /root/

2003-03-08 Thread Olaf Dietsche
Christian Jaeger [EMAIL PROTECTED] writes:

 I began working with (unix/)linux.)  And as written in my other reply
 I'm still missing a better alternative to
 /root/bin. /local-admin's-software/bin maybe? AFAIK, the FHS does
 not provide any.

Maybe /usr/local/sbin is, what you're looking for?

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Permissions on /root/

2003-03-08 Thread Olaf Dietsche
Christian Jaeger [EMAIL PROTECTED] writes:

 At 23:29 Uhr +0100 08.03.2003, Olaf Dietsche wrote:
Christian Jaeger [EMAIL PROTECTED] writes:

   I began working with (unix/)linux.)  And as written in my other reply
   I'm still missing a better alternative to
   /root/bin. /local-admin's-software/bin maybe? AFAIK, the FHS does
   not provide any.

Maybe /usr/local/sbin is, what you're looking for?

 No, this is still a directory generally used for local tar.gz
 installs. And sbin is for admins, bin for users, right?.

Yup, I misinterpreted, what you mean with /local-admin's-software/bin.

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Permissions on /root/

2003-03-08 Thread Olaf Dietsche
Christian Jaeger [EMAIL PROTECTED] writes:

 I began working with (unix/)linux.)  And as written in my other reply
 I'm still missing a better alternative to
 /root/bin. /local-admin's-software/bin maybe? AFAIK, the FHS does
 not provide any.

Maybe /usr/local/sbin is, what you're looking for?

Regards, Olaf.



Re: Permissions on /root/

2003-03-08 Thread Olaf Dietsche
Christian Jaeger [EMAIL PROTECTED] writes:

 At 23:29 Uhr +0100 08.03.2003, Olaf Dietsche wrote:
Christian Jaeger [EMAIL PROTECTED] writes:

   I began working with (unix/)linux.)  And as written in my other reply
   I'm still missing a better alternative to
   /root/bin. /local-admin's-software/bin maybe? AFAIK, the FHS does
   not provide any.

Maybe /usr/local/sbin is, what you're looking for?

 No, this is still a directory generally used for local tar.gz
 installs. And sbin is for admins, bin for users, right?.

Yup, I misinterpreted, what you mean with /local-admin's-software/bin.

Regards, Olaf.



Re: X Security Issues?

2002-11-19 Thread Olaf Dietsche
Edward Guldemond [EMAIL PROTECTED] writes:

 Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
 Interesting ports on (removed) (XX.XX.XXX.XX):
 (The 1552 ports scanned but not shown below are in state: closed)
 Port   State   Service
 22/tcp openssh
 1024/tcp   openkdm
[...]
 Port   State   Service
 22/tcp openssh
[...]
 Port   State   Service
 22/tcp openssh
 6000/tcp   openX11

You can see open ports with netstat -atuw, too.

 Now, is there any security implications of having this port open?  (I
 am nmap'ing this box's external Internet interface as it is my ipmasq
 box.)  If so, what files do I have to edit to get rid of it?  I don't
 need X listening on this interface.

This depends on the startup method (and maybe distribution), as you
already noticed. With xdm (and debian) it is /etc/X11/xdm/Xservers.
With xinit it is /etc/X11/xinit/xserverrc.

Look at man xinit and man Xserver. There you will find an option
-nolisten.

When this is your firewall, you might consider stopping X11 and not
using this as a desktop machine at all. Every program running and
every tool installed, might be used by an attacker against you.

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: X Security Issues?

2002-11-19 Thread Olaf Dietsche
Edward Guldemond [EMAIL PROTECTED] writes:

 On Wed, Nov 20, 2002 at 12:53:27AM +0100, Olaf Dietsche wrote:
 
 Look at man xinit and man Xserver. There you will find an option
 -nolisten.

 In /etc/X11/xinit/xserverrc, I have the following line:
 exec /usr/bin/X11/X -dpi 100 -nolisten tcp

 So why is X still listening on TCP?

Well, it seems I should heed my own advice ;-). man xinit doesn't
mention xserverrc, maybe this is a debian thing. But it does mention
$HOME/.xserverrc; try to link or copy /etc/X11/xinit/xserverrc to your
home dir as .xserverrc and start xinit again.

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: X Security Issues?

2002-11-19 Thread Olaf Dietsche
Edward Guldemond [EMAIL PROTECTED] writes:

 Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
 Interesting ports on (removed) (XX.XX.XXX.XX):
 (The 1552 ports scanned but not shown below are in state: closed)
 Port   State   Service
 22/tcp openssh
 1024/tcp   openkdm
[...]
 Port   State   Service
 22/tcp openssh
[...]
 Port   State   Service
 22/tcp openssh
 6000/tcp   openX11

You can see open ports with netstat -atuw, too.

 Now, is there any security implications of having this port open?  (I
 am nmap'ing this box's external Internet interface as it is my ipmasq
 box.)  If so, what files do I have to edit to get rid of it?  I don't
 need X listening on this interface.

This depends on the startup method (and maybe distribution), as you
already noticed. With xdm (and debian) it is /etc/X11/xdm/Xservers.
With xinit it is /etc/X11/xinit/xserverrc.

Look at man xinit and man Xserver. There you will find an option
-nolisten.

When this is your firewall, you might consider stopping X11 and not
using this as a desktop machine at all. Every program running and
every tool installed, might be used by an attacker against you.

Regards, Olaf.



Re: X Security Issues?

2002-11-19 Thread Olaf Dietsche
Edward Guldemond [EMAIL PROTECTED] writes:

 On Wed, Nov 20, 2002 at 12:53:27AM +0100, Olaf Dietsche wrote:
 
 Look at man xinit and man Xserver. There you will find an option
 -nolisten.

 In /etc/X11/xinit/xserverrc, I have the following line:
 exec /usr/bin/X11/X -dpi 100 -nolisten tcp

 So why is X still listening on TCP?

Well, it seems I should heed my own advice ;-). man xinit doesn't
mention xserverrc, maybe this is a debian thing. But it does mention
$HOME/.xserverrc; try to link or copy /etc/X11/xinit/xserverrc to your
home dir as .xserverrc and start xinit again.

Regards, Olaf.



Re: port 16001 and 111

2002-10-18 Thread Olaf Dietsche
Jussi Ekholm [EMAIL PROTECTED] writes:

 Olaf Dietsche olaf.dietsche#[EMAIL PROTECTED] wrote:
 Jussi Ekholm [EMAIL PROTECTED] writes:
 So, what would try to connect to my system's port 16001 and 111
 from within my own system? Should I be concerned? Should I expect
 the worst?  Any insight on this issue would calm me down...
 
 Port 111 is used by portmap. If you don't use RPC services, you can
 stop it. I don't use it on my desktop machine. Try rpcinfo -p to
 see, wether there's anything running on your computer.

 Well, at least knowingly I don't use any RPC services. :-) And this is
 what 'rpcinfo -p' gives me:

   rpcinfo: can't contact portmapper: RPC: Remote system error \
 - Connection refused

 (I split it in two lines)

 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...

This means portmap isn't running. Connection refused means nothing
listens on port 111. So, whatever is trying to contact port 111,
there's no reason to be concerned.

This could be valid requests from programs trying to contact NIS
before DNS, however. Look at /etc/nsswitch.conf, wether NIS is
mentioned.

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: port 16001 and 111

2002-10-18 Thread Olaf Dietsche
Jussi Ekholm [EMAIL PROTECTED] writes:

 Olaf Dietsche [EMAIL PROTECTED] wrote:
 Jussi Ekholm [EMAIL PROTECTED] writes:
 So, what would try to connect to my system's port 16001 and 111
 from within my own system? Should I be concerned? Should I expect
 the worst?  Any insight on this issue would calm me down...
 
 Port 111 is used by portmap. If you don't use RPC services, you can
 stop it. I don't use it on my desktop machine. Try rpcinfo -p to
 see, wether there's anything running on your computer.

 Well, at least knowingly I don't use any RPC services. :-) And this is
 what 'rpcinfo -p' gives me:

   rpcinfo: can't contact portmapper: RPC: Remote system error \
 - Connection refused

 (I split it in two lines)

 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...

This means portmap isn't running. Connection refused means nothing
listens on port 111. So, whatever is trying to contact port 111,
there's no reason to be concerned.

This could be valid requests from programs trying to contact NIS
before DNS, however. Look at /etc/nsswitch.conf, wether NIS is
mentioned.

Regards, Olaf.



Re: port 16001 and 111

2002-10-15 Thread Olaf Dietsche

Hi there (from Germany),

Jussi Ekholm [EMAIL PROTECTED] writes:

 So, what would try to connect to my system's port 16001 and 111 from
 within my own system? Should I be concerned? Should I expect the worst?
 Any insight on this issue would calm me down...

Port 111 is used by portmap. If you don't use RPC services, you can
stop it. I don't use it on my desktop machine. Try rpcinfo -p to
see, wether there's anything running on your computer.

Regards, Olaf.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: port 16001 and 111

2002-10-15 Thread Olaf Dietsche
Hi there (from Germany),

Jussi Ekholm [EMAIL PROTECTED] writes:

 So, what would try to connect to my system's port 16001 and 111 from
 within my own system? Should I be concerned? Should I expect the worst?
 Any insight on this issue would calm me down...

Port 111 is used by portmap. If you don't use RPC services, you can
stop it. I don't use it on my desktop machine. Try rpcinfo -p to
see, wether there's anything running on your computer.

Regards, Olaf.



Re: Named daemon and port 32770? (and port 32985 on restart)

2002-10-15 Thread Olaf Dietsche
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:

 Is the first open port reasonable? I wonder why named is listening on UDP
 port 32770 which, after a brief google search, comes up as a port usually
 used by Solaris' rpcbind (which used to be vulnerable). 

IIRC, this port (could be any 32xxx) is for replies from other name servers.

Regards, Olaf.