Re: Firewall-troubleshooting

2005-07-05 Thread Raffaele D'Elia

Michael Stone wrote:


On Tue, Jul 05, 2005 at 11:57:37PM +1000, Daniel Pittman wrote:


As to trusting the firewall, or not, there has been at least one bug
where attackers could manipulate the content of the conntrack expect
table remotely.  Other bugs, local or remote, are not out of the
question.



No they're not. But if you cripple the firewall and rules to the extent
you're doing you might as well just not use connection tracking. You've
effectively turned the rules into stateless port filters anyway.

Mike Stone


I disagree. I think you're missing the point. Just imagine I have a 
firewall with a mailserver and an ssh server behind it.

Let me use:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -p tcp -d mailserver --dport 25 -j ACCEPT
iptables -A FORWARD -j DROP

No one on the internet can reach the ssh server.
Now we have a bug in the connection tracking module which permits an 
attacker to add expected tuples. Something like: tcp 6 4 ESTABLISHED 
src=attacker dst=sshserver sport=1025 dport=22 ...

You're exposed.
But using
iptables -A FORWARD -m state --state ESTABLISHED -p tcp -d mailserver --dport 25 -j ACCEPT
you're fine.


And you're not using iptables as a stateless firewall, because you're 
not allowing spurious packets, but only ESTABLISHED or NEW.


Regards.
Radel


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
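A small model of the two FORWARD chains from this thread, added here as an illustration; it is not code from the thread and does not touch netfilter. Rule matching is reimplemented in Python so that the two rule sets can be compared on constructed packets, including one that conntrack reports as ESTABLISHED although no rule ever allowed that flow to start (the scenario Radel describes). Addresses and host names are made up, and the narrow chain has a return-direction rule added that Radel's mail does not show.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

MAILSERVER = "10.0.1.10"   # constructed addresses standing in for the thread's host names
SSHSERVER = "10.0.1.20"
CLIENT = "198.51.100.5"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: str   # what conntrack says about this packet: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT or DROP
    states: Optional[FrozenSet[str]] = None   # -m state --state ...
    proto: Optional[str] = None               # -p
    src: Optional[str] = None                 # -s
    sport: Optional[int] = None               # --sport
    dst: Optional[str] = None                 # -d
    dport: Optional[int] = None               # --dport

    def matches(self, p: Packet) -> bool:
        """A rule matches only when every selector it carries matches."""
        return all((
            self.states is None or p.state in self.states,
            self.proto is None or p.proto == self.proto,
            self.src is None or p.src == self.src,
            self.sport is None or p.sport == self.sport,
            self.dst is None or p.dst == self.dst,
            self.dport is None or p.dport == self.dport,
        ))


def verdict(chain, packet: Packet) -> str:
    """First matching rule wins, as in a netfilter chain; DROP if nothing matches."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return "DROP"


EST_REL = frozenset({"ESTABLISHED", "RELATED"})
EST = frozenset({"ESTABLISHED"})
NEW = frozenset({"NEW"})

# Rule set A: the catch-all from the thread. Anything conntrack calls
# ESTABLISHED or RELATED is accepted, whatever its destination.
BROAD = [
    Rule("ACCEPT", states=EST_REL),
    Rule("ACCEPT", states=NEW, proto="tcp", dst=MAILSERVER, dport=25),
    Rule("DROP"),
]

# Rule set B: Radel's variant. ESTABLISHED packets must still match the
# service that was allowed to open the connection.
NARROW = [
    Rule("ACCEPT", states=EST, proto="tcp", dst=MAILSERVER, dport=25),
    # Return direction (assumption, not in Radel's mail): without it the
    # mail server's own replies would fall through to the final DROP.
    Rule("ACCEPT", states=EST, proto="tcp", src=MAILSERVER, sport=25),
    Rule("ACCEPT", states=NEW, proto="tcp", dst=MAILSERVER, dport=25),
    Rule("DROP"),
]


def compare(packet: Packet):
    """Verdict of both chains for one packet: (broad, narrow)."""
    return verdict(BROAD, packet), verdict(NARROW, packet)


# Constructed packets, one per case discussed in the thread.
SAMPLES = {
    "smtp_new": Packet("tcp", CLIENT, 40000, MAILSERVER, 25, "NEW"),
    "smtp_reply": Packet("tcp", MAILSERVER, 25, CLIENT, 40000, "ESTABLISHED"),
    "ssh_new": Packet("tcp", CLIENT, 1025, SSHSERVER, 22, "NEW"),
    # conntrack reports ESTABLISHED for a flow no rule ever allowed to start
    "ssh_unexpected_established": Packet("tcp", CLIENT, 1025, SSHSERVER, 22, "ESTABLISHED"),
}


def report():
    return {name: compare(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (broad, narrow) in report().items():
        print(f"{name:28s} broad={broad:6s} narrow={narrow}")
```

With the broad chain, anything conntrack considers ESTABLISHED or RELATED is accepted regardless of destination, so the exposure is exactly the correctness of the conntrack table. With the narrow chain an ESTABLISHED packet is still checked against the service that was allowed to start the flow. The price is that RELATED traffic (ICMP errors, FTP data channels) is no longer accepted by anything here, and that every allowed service needs rules for both directions, which is what the second rule in NARROW supplies.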



File access auditing

2005-04-27 Thread Raffaele D'Elia
Hi all,
I'm looking for an auditing method.
I need to know whether (and by whom) someone tried to access a group of files, and if the 
action was permitted or denied.

Any ideas?
Thanks.
Radel


Hash database

2005-04-09 Thread Raffaele D'Elia
Hello all,
I'm looking for hashes of installed files.
I already know debsums, but I need something independent from a local 
hash database...

Some ideas? I know also about tripwire, but tripwire creates its 
reference db from the system itself, not from an unwritable medium.

Many thanks.
Radel


Re: Hash database

2005-04-09 Thread Raffaele D'Elia
Almut Behrens wrote:
Not exactly sure whether I understand what you need, but the most basic
(and thus most flexible) way would be something like:
Generate the list of checksums:
$ find . -type f | xargs md5sum > chksums
Some time later, verify them:
$ md5sum -c chksums
Source (here '.', i.e. $PWD), and destination (chksums) can essentially
be any path -- only chksums needs to be writable, of course.
Before generating the hash list, think about how precisely you want the
paths to end up in the file chksums, so that they'll be found when you
later try to verify the files.
This depends on what start-path you give to 'find' to recurse from, e.g.
'find .' will give you entries like ./some/relative/path, while
'find $PWD' will give you /the/absolute/path/to/the/file.
Also, if you can't get it the way you need it right from the start,
there's always sed/perl/whatever to fixup the path prefix to what it
needs to be for md5sum to locate the files when verifying hashes.
Is that roughly what you need?
Almut
 

Unfortunately not. I want to verify each file installed using .debs  
against the md5sum written inside the .deb itself.
Debsums does this by storing the hashes locally. I want the same control 
over a central db, independent from the machine I'm running debsums on.

I know my english is poor, sorry;)
Regards
Radel
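The find | xargs md5sum / md5sum -c workflow Almut describes, reimplemented in Python as an added example (not code from the thread), so that the manifest can be generated from one tree and verified against a different root. That is the path-prefix rewriting she mentions, and it is also the "central db, independent from the machine" Radel wants: the manifest is built from a reference tree and never written by the machine being checked. The sample tree, its file contents and the tampering are constructed inside temporary directories; hashlib.md5 is used only because the thread uses md5sum.

```python
import hashlib
import os
import tempfile


def file_md5(path: str) -> str:
    """Hex MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_manifest(root: str) -> str:
    """Equivalent of `cd root && find . -type f | xargs md5sum`, but with paths
    relative to root (no leading ./) so they can be re-anchored anywhere."""
    lines = []
    for dirpath, _, filenames in sorted(os.walk(root)):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            lines.append(f"{file_md5(full)}  {os.path.relpath(full, root)}")
    return "\n".join(lines) + "\n"


def verify_manifest(manifest_text: str, root: str) -> dict:
    """Equivalent of `md5sum -c`, resolving each manifest path under `root`.
    Returns {relative_path: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        expected, _, rel = line.partition("  ")   # md5sum format: hash, two spaces, path
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif file_md5(full) == expected:
            results[rel] = "OK"
        else:
            results[rel] = "FAILED"
    return results


def _populate(d: str) -> None:
    """Constructed sample tree: two config files and one fake binary."""
    os.makedirs(os.path.join(d, "etc"))
    with open(os.path.join(d, "etc", "app.conf"), "w") as f:
        f.write("debug=0\n")
    with open(os.path.join(d, "etc", "hosts.allow"), "w") as f:
        f.write("ALL: LOCAL\n")
    with open(os.path.join(d, "binary"), "wb") as f:
        f.write(b"\x7fELF-constructed-not-a-real-binary")


def demo() -> dict:
    """Snapshot a clean reference tree, then check a second tree in which one
    file was edited and one deleted, using only the reference's manifest."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as target:
        _populate(ref)
        _populate(target)
        manifest = generate_manifest(ref)   # built from the reference, not the checked host
        with open(os.path.join(target, "etc", "app.conf"), "a") as f:
            f.write("debug=1\n")             # tampered
        os.remove(os.path.join(target, "binary"))   # removed
        return verify_manifest(manifest, target)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{path}: {status}")
```

demo() returns one verdict per manifest entry: the edited file FAILED, the deleted one MISSING, the untouched one OK. A manifest the checked machine can write is no stronger than that machine, which is why keeping it on read-only media or another host, as Radel asks, matters. MD5 catches accidental change but is not collision resistant; swapping in hashlib.sha256 costs nothing here.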


[OT]Re: unsubscribe

2004-12-03 Thread Raffaele D'Elia
Note: this went from the technical support...
I want to know their customers!

It was VERY OT, sorry...


-Original Message-
From: Supporto Tecnico Protocomm [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 3 Dec 2004 15:54:30 +0100
Subject: unsubscribe

  
 





Re: ssh chroot on debian documentation

2004-11-02 Thread Raffaele D'Elia


-Original Message-
From: Vincent Tantardini [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tue, 2 Nov 2004 08:03:43 +0100
Subject: ssh chroot on debian documentation

 Hello,
 I just wrote a little documentation about how I created a chrooted
 environment
 for ssh, you can find the doc at: 
 http://vince.kerneled.org/files/ssh_chroot.txt
 
 Please, give me some comments about the method I adopted here.
 
 Regards,
 
Is ssh chrooted useful?

The only useful thing I can realize: require an ssh login into a machine
with 2 nics and open another ssh session. In this way I have to exploit 2
sshd instead of one to get into... Mah.

Am I missing something?

Bye.
Radel





Pseudo-cluster firewall

2004-11-02 Thread Raffaele D'Elia
Hi all,

I have a firewall with 3 NICs (LAN,DMZ,ROUTER); this is a single point of
failure, of course! I've decided to build a backup firewall, with similar
hardware (just in case) and the same config.
Now the problem: I have only a cross-over cable from the router to the
firewall, so I cannot connect the backup firewall.
Using a switch is pointless: the switch may die too.
Moreover I have a proxy in front of the lan, so I cannot connect 2
firewalls even on the lan side.

How to cope with this? Does anyone have such problems going to sleep?

Best regards.
Radel





Antivirus for proxy

2004-02-27 Thread Raffaele D'Elia
I'm replacing my windows proxy with a linux one. I'm using squid on
debian (naturally); it works fine, but I need an antivirus.
This antivirus should protect web clients, not the proxy itself: I'm
quite sure I've already protected the server choosing debian...
Regards
Radel
**
This message may contain information of an extremely sensitive and
confidential nature.
If you are not the intended recipients, please inform us immediately by
the same means and delete the message, together with any attachments,
without retaining a copy. Any unauthorized use of the content of this
message constitutes a violation of the obligation not to read
correspondence between other parties, or a more serious offence, and
exposes the responsible party to the related civil and criminal
consequences.
This message is being sent from Starcom Italia Srl and may
contain information which is confidential or privileged.  If you are not
the intended recipient, please advise the sender immediately by reply
e-mail and delete this message and any attachments without retaining a
copy. Any unauthorized use of the content of this message is a breach of
your duty to respect the confidentiality of the correspondence between
other persons and can expose the responsible party to civil and/or
criminal penalties, and may constitute a more serious offense.
**





Re: Mail processing tool

2004-01-27 Thread Raffaele D'Elia
-Original Message-
From: Jonas J Linde [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Date: Mon, 26 Jan 2004 23:43:33 +0100
Subject: Re: Mail processing tool
  Great! 227kb of source tar ball... Netfilter's code is, more or less,
  the same. I think you consider netfilter a small tool, don't you?
 
 Eh, we're talking about combining this with gnupg which is 3.5MB in
 source tar ball; so yes, I'd consider procmail a reasonably small tool
 considering that full customization was one of the requirements.

This is true; but gnupg is a must. So it doesn't count;) 

 
 But of course. I'm not arguing that you should use these tools against
 your judgement. I would be interested in hearing if you find any better
 solution though. As was properly guessed I have been using the fetch- /
 procmail combination for ten years or so; apparently without losing
 mail; the tricky part is to avoid mail loops. ;)
 
I'll explain my project: I need a kind of secure remote control. I 
need to control a remote machine sending commands by email; of course 
the email needs to be encrypted and signed.

I'll test this software on woody, but I want to port the solution to a  
live CD made by me; so depending on few libraries is preferred.

At the moment I have found only one solution: write the script myself:((

However...thanks. At least for interesting on (in? i'm not english;) my 
project!

Radel








Re: Mail processing tool

2004-01-26 Thread Raffaele D'Elia


-Original Message-
From: Florent Rougon [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Date: Sun, 25 Jan 2004 23:00:36 +0100
Subject: Re: Mail processing tool

 Jonas J Linde [EMAIL PROTECTED] wrote:
 
  Procmail is a big tool, I need something different: small, reliable,
  secure. 
 
  Big? The gzipped source tar ball is 227kB. If you want something that
  processes mail in a fully customizable way I'm pretty sure you won't
 find
  anything much smaller than that.
 

Great! 227kb of source tar ball... Netfilter's code is, more or less, 
the same. I think you consider netfilter a small tool, don't you?

 Well, the procmail source code is written in a very... bizarre style.
 In
 my book, it doesn't qualify as reliable.

I agree.

 
 And please, don't think you can start flaming right away because you
 have been using procmail for the past ten years or so and never had the
 slightest impression of it losing a mail. That is not the point. The
 point is that its source code is very unpleasant to me, so *I* wouldn't
 rely on it for anything serious. That has nothing to do with your
 experience of its use.
 
I agree again.

Moreover I think fetchmail/procmail solution doesn't fit my needs. Stop. 
If someone has another idea...great. Otherwise...thanks.

Radel





Mail processing tool

2004-01-25 Thread Raffaele D'Elia
I need a tool that does the following work:
checks for new mail in a mailbox via pop3;
verifies the digital signature and decrypts the mail;
parses the body;
executes 1 or more actions (completely customizable);
deletes (archives) the mail;

in an endless loop.

Does something like this already exist, or do I need to code it?

Thanks, Radel







Re: Mail processing tool

2004-01-25 Thread Raffaele D'Elia


-Original Message-
From: s. keeling [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Sun, 25 Jan 2004 11:06:08 -0700
Subject: Re: Mail processing tool

 Incoming from Jonas J Linde:
  And [EMAIL PROTECTED] spoke unto the world. And said:
   I need a tool that does the following work:
   checks for new mail in a mailbox via pop3;
 
 So, IMAP is the wrong answer.

I've chosen pop3 because it's simpler, but it is not a MUST...

 
   verify the digital signature and decrypts the mail;
 
 GnuPG

Of course

   parse the body;
 
 procmail/grep/sed/perl/bash/python/...

Yeah, I have to write a lot of code...
This kind of suggestion is like... c++,basic,cobol,java,asp,...

I'm looking for something customizable, but already written...


 
   executes 1 or more actions (completely customizable);
 
 procmail

Procmail is a big tool, I need something different: small, reliable, 
secure. 


   delete (archives) the mail;
 
 fetchmail

Fetchmail has the bad habit of freezing while downloading...


  This sounds like an ideal job for the combination of the rather
  appropriately named tools fetchmail and procmail, which - to no big
  surprise - are suitable to fetch and process mail.
 
 Agreed.  Add on gnupg for signature verification and decryption
 (perhaps callable by procmail).
 
 I'm not surprised there isn't one monolithic tool to do what you ask;
 you're asking a lot.  Chaining one existing specific tool after
 another to build up your overall system is the way to go.
 

I agree, but I'm looking for smaller tools: I hate installing a 
mailserver for handling an email... My idea is a group of 4-5 small 
routines in perl or C, but I haven't found those yet.
Moreover the solution should depend on few system libraries.


Any idea?

Thanks, Radel







