integrity checks and inodes

2011-01-21 Thread Pascal Weller
Hi All

The various tools for integrity checks (aide, integrit, tripwire, etc.) 
do check timestamp, uid/gid, permissions, checksum, inode etc. of the 
files on a system, compare them to the last known-good state and warn 
about changes.

I'm wondering why I should care about inodes when I have checksums.

Does anyone know an attack vector to modify a file and keep the checksum 
the same? (besides collisions/bugs in the checksum code). 
Would the inode change in such a case and couldn't this be avoided by an 
attacker as well?

Background is that I move vservers from host to host with rsync and don't 
like to get a report that all the inodes have changed.


cheers pascal 


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110121171307.ga1...@pascalweller.net
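A constructed illustration, added here and not part of Pascal's post, of the two cases the question contrasts: an rsync-style move that replaces the file (new inode, same checksum) and an in-place edit that leaves inode, size and timestamps untouched (same inode, new checksum). The tiny checker, its attribute names and the sample file are my own assumptions written in Python, not the configuration of aide, integrit or tripwire; dropping the inode attribute from the comparison is what silences the rsync report while the checksum still catches the content change.

```python
import hashlib
import os
import tempfile

# Attributes a checker like aide/integrit/tripwire records per file.
ATTRS = ("size", "mtime", "inode", "sha256")

def snapshot(path):
    """Record one file's attributes, as the checker does at baseline time."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": st.st_mtime_ns,
            "inode": st.st_ino, "sha256": digest}

def changed(baseline, current, ignore=()):
    """Attribute names that differ, skipping those listed in `ignore`."""
    return [a for a in ATTRS if a not in ignore and baseline[a] != current[a]]

def rsync_style_replace(path):
    """Temp copy renamed over the original, mtime kept (rsync -a default): new inode, same bytes."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".tmp", "wb") as f:
        f.write(data)
    os.utime(path + ".tmp", ns=(st.st_atime_ns, st.st_mtime_ns))
    os.replace(path + ".tmp", path)

def in_place_edit(path, data):
    """Overwrite bytes in the existing file and restore mtime: same inode/size/mtime, new content."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.write(data)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

def demo():
    """Constructed scenario; returns which attributes each comparison flags."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/bash\n")
        base = snapshot(path)
        rsync_style_replace(path)
        moved = snapshot(path)
        in_place_edit(path, b"root:x:0:0:root:/root:/bin/zsh!\n")  # same length
        edited = snapshot(path)
        return {"after_rsync": changed(base, moved),
                "after_rsync_ignoring_inode": changed(base, moved, ("inode",)),
                "after_edit": changed(moved, edited)}
```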



Re: logging samba access

2004-06-06 Thread Pascal Weller
On Sun, Jun 06, 2004 at 11:59:21AM +0200, LeVA said:
> Hi!
> 
> Is it possible to log the file/dir accesses to a samba server? I.e. I got 
> a share, and when someone mounts it (from win or unix) and accesses files, 
> or writes files, I want samba to log it to the smb.log. Is this possible?
> 
> Thanks!
> 
> 
> Daniel

"log level = 2" in the global section of smb.conf will do the trick.

regards pascal



Re: Simple e-mail virus scanner

2003-08-21 Thread Pascal Weller
On Thu, Aug 21, 2003 at 04:23:45PM -0400, Michael Stone said:
> On Thu, Aug 21, 2003 at 09:59:09PM +0200, Christoph Moench-Tegeder wrote:
> >The optimum is rejecting unsolicited mails during the SMTP dialog, this
> >way there will be no bounces to innocent bystanders (as caused by the
> >latest epidemic disease).
> 
> Not really. If the message goes through intermediate mx hosts a bounce
> will be sent to the spoofed sender. The only way to handle these virus
> messages is to drop them on the floor, but there are other reasons not
> to do that. I don't know that there's a good solution.

skip the "fail text" part and you will never see them again.

deliver [EMAIL PROTECTED]
or
seen save /home/admin/Mail/viruses
is much better.
(the second one will complain about permissions if it's
not your own .forward)


regards
pascal



Re: Simple e-mail virus scanner

2003-08-20 Thread Pascal Weller
On Wed, Aug 20, 2003 at 10:40:13AM -0400, Noah L. Meyerhans said:
> On Wed, Aug 20, 2003 at 08:44:08AM +0200, Christoph Moench-Tegeder wrote:
> > > > So, I'm wondering, does anybody know about any such approach?
> > > After getting sick of all the virus crap in my inbox I installed the
> > > following in /etc/exim/system_filter.txt:
> > 
> > This approach yields a high false positive rate. This can be a major
> > annoyance on mailing lists, when you get unsubscribed because of a
> > "matching" mail body. Your filter (which seems to be based on Nigel
> > Metheringham's system_filter) does not parse MIME headers but just
> > looks for filenames following Content-Type or begin.
> 
> I agree that it is not optimal.  However, as I don't run Windows I don't
> expect to see any legitimate attachments whose file names match the
> regex in that filter.  Same goes for the few other people who use this
> mail server.  I would be much more careful about installing this filter
> in a setting where dozens or hundreds of users may be affected by it.
> 
> And yes, it was based on Nigel Metheringham's filter.  I just
> copy&pasted the chunks that I used.
> 
> noah
> 

Isn't he saying that if I do the following:
"hey I get a lot of these document_all.pif recently"
this message here gets filtered?

This never happened to me using the example that was on the exim ftp-site
for a while (can't find it anymore - who wants a copy of mine?)

I was bitten by the more general approach of "mailscanner" 
(apt-cache show mailscanner)
where every "document1.sxw.pdf" is treated as bad. So I had to turn
this feature off.

As usual never ever take automated action based on a simple thing
like filename or whatever. Sort them to a special mailbox and let a
human look at it.
(me being very annoyed about all these "there was a virus in your mail"
I get on top of the mess)

These filters can fend off a lot of this stuff and are very cheap
(in price and CPU-time). I can only recommend using it (the right way).


regards
pascal


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


