Re: rm files owned by root?
On Wed, Dec 29, 2004 at 08:22:08PM +0100, dekkker wrote: It asks if I want to remove this file, since it's write protected. If I say y, then the file gets deleted. But it shouldn't be! Should it? As the others have said, this behaviour is to be expected. If your filesystem is ext2 or ext3, you can achieve what you want by using chattr as root to set the file's immutable bit. According to the manpage: A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. Is something similar also available for other filing systems? Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [OT] Is calculating an MD5 hash of a Rjindael encrypted block and it's key insecure?
Hello, here's my ¤0.02... note that I would not call myself a crypto expert either. On Thu, Aug 12, 2004 at 11:54:14AM +0200, Marcel Weber wrote: My solution is a mod_perl module, that catches every request before the authentication module and supplies the credentials automatically. This works with ANY apache authentication modules using basic authentication. This strikes me as a weird solution. What's wrong with setting the cookie lifetime higher, so that people only need to log in e.g. once a day? Hmm, presumably the web application is closed-source or un-hackable due to other reasons... The cookie has a limited lifetime, is bound to the client's IP address and is AES256 encrypted, with a server side stored encryption key. If I understand this correctly, you have one central server-side AES key which never changes. From a security design POV, this is bad - a malicious user might be able to turn your Apache module into an oracle; he can supply a huge number of fake user/password strings and analyse the encrypted cookie's contents, with an intent of cracking the central key. I see no immediate way for him to succeed in this, or indeed a way to make use of the master key, but it does not feel good. An alternative approach to the whole problem could be to use a server-side database of user/password data. The cookie could contain just a random string of bits to reference the right database entry. I discovered, that if I changed this encryption key, the module would not return, as it could not decypher the credentials. Furthermore someone could send an invalid cookie which would cause some DoS attack. So I added a checksum over the encrypted credentials and the key itself. This checksum has the form of an md5 hex checksum and is checked before the decyphering of the credentials takes place. Again, this feels wrong if I think of abuse of the server as an oracle. Maybe consider encrypting the checksum with the rest of the data, i.e. $c = encrypt( $s . md5($s) ) I'm no cryptographic expert, so I'm asking this: Using AES256 in CBC mode, if I have a key $k and a string $s representing the credentials, that's encrypted with this key and if I calculate the checksum following this method $c = md5_hex( $s.$k ); Does $c compromise the security of the the encrypted credentials, resp. the key $k? For all practical purposes, this should be fine. For example, there are far easier attacks if I were to have access to your intranet, like intercepting the traffic between my victim users and your server via ARP poisoning, persuading them to try logging on on my machine, or just bribing them. :) But with my nitpicking-security-paranoia hat on, the solution is not ideal. This is important because $s and $c get stored in the cookie. Why $s? Surely you'll only store $c in the cookie, otherwise there's no point in encrypting the data. Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: [OT] Is calculating an MD5 hash of a Rjindael encrypted block and it's key insecure?
On Thu, Aug 12, 2004 at 01:56:53PM +0200, Marcel Weber wrote: Richard Atterer wrote: This strikes me as a weird solution. What's wrong with setting the cookie lifetime higher, so that people only need to log in e.g. once a day? Hmm, presumably the web application is closed-source or un-hackable due to other reasons... No, not at all. The apache authentication Module used is auth_ldap, which in turn authenticates against a Windows 2000 AD Server. As auth_ldap uses basic authentication (which basically means, that the user has to enter his / her login / password everytime) No, it doesn't mean that. Current browsers will cache the password, AFAIK until the end of the session by default, and forever if you enable the option Remember this password or similar. - No more credentials that are sent in plain over the internal network (which is the case if you use basic authentication), except for the initial login. Hmm, but the initial time is enough... :-/ You will need to use SSL for that. The block size of the data to be encrypted has to come in chunks of 16 bytes. I always append random numbers to the credentials, ip and time strings to the next 16 bytes before encryption. Like this, the attacker cannot know or guess all of the content of the encrypted data, can he? This makes things more difficult for the attacker, yes. Presumably your code adds no random padding if the data already has the right length, but still... The trouble is, as far I figured out, that Crypt::Rjindael does not return, when you try to decrypt an encrypted string that's, a. damaged or b. encrypted with a different key. Don't know why. This cannot be. Rijndael gets bits as input, and it outputs bits. The only thing that will happen is that you'll get random-looking garbage if the input is incorrect in some way. (I don't know what Crypt::Rjindael does.) Why $s? Surely you'll only store $c in the cookie, otherwise there's no point in encrypting the data. Ahem, well $s is encrypted and $c is only a md5 checksum for $s and $k. Sorry, I misinterpreted your message and thought that $s was not encrypted. Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Advice needed, trying to find the vulnerable code on Debian webserver.
You could also try installing snoopy, which logs all commands executed by users to auth.log. Then look for unusual commands executed by user www-data if you suspect insecure PHP scripts etc. Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Advice needed, trying to find the vulnerable code on Debian webserver.
You could also try installing snoopy, which logs all commands executed by users to auth.log. Then look for unusual commands executed by user www-data if you suspect insecure PHP scripts etc. Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Spam fights
On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote: I second that. If I receive a confirmation message I never respond to it! If *I* receive a confirmation message, I always respond to it! That's because all confirmation messages I get are in response to spam with my address in the From field. If I confirm, the person sending me the confirmation message will be delivered the spam. If more people did this, confirmation senders would notice that the system doesn't work. Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Spam fights
On Thu, Jun 10, 2004 at 12:27:04PM +0300, Dmitry Golubev wrote: I second that. If I receive a confirmation message I never respond to it! If *I* receive a confirmation message, I always respond to it! That's because all confirmation messages I get are in response to spam with my address in the From field. If I confirm, the person sending me the confirmation message will be delivered the spam. If more people did this, confirmation senders would notice that the system doesn't work. Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Non-existent user able to log in??? hacked????
Hi Arnaud, just some points - I have no idea whether you've been hacked. On Tue, May 18, 2004 at 10:21:22PM +0200, A. Loonstra wrote: Last night I found the following in my wtmp: test ftpd19097141.222.42.5 Sat May 15 10:57 - 10:57 (00:00) I had this test account once but removed account rightaway. So this shouldn't show up in my logs anyhow. Are you sure there's nothing left over from that account? I know little about wu-ftpd configuration - maybe some .db files need refreshing from the respective user/password files, or similar? The weird thing is that syslog shows something else: May 15 10:57:41 matilda wu-ftpd[19097]: connect from 141.222.42.5 May 15 10:57:44 matilda wu-ftpd[19097]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM 141.222.42.5 [141.222.42.5], anonymous Looks a bit like the host tried a couple of very common login names. The IP is owned by skidmore.edu, so this could be some dorm room hacker... Regardless of whether that person was successful in getting on your machine, it might be a good idea to contact the skidmore.edu admins http://www2.skidmore.edu/cits/staffdir/staff_dir.cfm. They might be able to tell who was logged into the machine at the time, or has been assigned that IP. They most probably won't tell you who, but might educate the person in question about the fact that what they do is unlawful. (Dunno about America, but in Germany, the act of Daten ausspähen is a crime - roughly paraphrased, this means accessing files which are protected from being viewed by anyone. So trying to log in is the attempt of a crime, which is also a crime. IANAL though.) I have nothing in /etc/passwd, /etc/shadow or anywhere else... a grep test on passwd* or shadow* reveals nothing. So how is it possible that this test user is able to login. I think the first thing you should do is to check whether the binaries for your ftpd, PAM modules, inetd, tcp wrappers and all the related stuff have been modified. The correct, paranoid way to do this is to boot into, say, Knoppix, from CD, download known good packages, and compare the md5sums. It doesn't look like the attacker did anything once he was logged in (maybe he was just scanning the net for open FTP servers), but if any doubt remains, reinstall from scratch. Maybe also consider using a different ftpd... Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Secure temporary fifo creation
On Mon, May 17, 2004 at 07:45:17PM -0500, Greg Deitrick wrote: What is the recommended method for securely creating a temporary named pipe in C code? See this for an interesting discussion: http://en.tldp.org/HOWTO/Secure-Programs-HOWTO/avoid-race.html You can e.g. adapt the code from the GNOME guidelines mentioned there, and just create your fifo instead of doing the open(). Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Non-existent user able to log in??? hacked????
Hi Arnaud, just some points - I have no idea whether you've been hacked. On Tue, May 18, 2004 at 10:21:22PM +0200, A. Loonstra wrote: Last night I found the following in my wtmp: test ftpd19097141.222.42.5 Sat May 15 10:57 - 10:57 (00:00) I had this test account once but removed account rightaway. So this shouldn't show up in my logs anyhow. Are you sure there's nothing left over from that account? I know little about wu-ftpd configuration - maybe some .db files need refreshing from the respective user/password files, or similar? The weird thing is that syslog shows something else: May 15 10:57:41 matilda wu-ftpd[19097]: connect from 141.222.42.5 May 15 10:57:44 matilda wu-ftpd[19097]: FTP LOGIN REFUSED (ftp not in /etc/passwd) FROM 141.222.42.5 [141.222.42.5], anonymous Looks a bit like the host tried a couple of very common login names. The IP is owned by skidmore.edu, so this could be some dorm room hacker... Regardless of whether that person was successful in getting on your machine, it might be a good idea to contact the skidmore.edu admins http://www2.skidmore.edu/cits/staffdir/staff_dir.cfm. They might be able to tell who was logged into the machine at the time, or has been assigned that IP. They most probably won't tell you who, but might educate the person in question about the fact that what they do is unlawful. (Dunno about America, but in Germany, the act of Daten ausspähen is a crime - roughly paraphrased, this means accessing files which are protected from being viewed by anyone. So trying to log in is the attempt of a crime, which is also a crime. IANAL though.) I have nothing in /etc/passwd, /etc/shadow or anywhere else... a grep test on passwd* or shadow* reveals nothing. So how is it possible that this test user is able to login. I think the first thing you should do is to check whether the binaries for your ftpd, PAM modules, inetd, tcp wrappers and all the related stuff have been modified. The correct, paranoid way to do this is to boot into, say, Knoppix, from CD, download known good packages, and compare the md5sums. It doesn't look like the attacker did anything once he was logged in (maybe he was just scanning the net for open FTP servers), but if any doubt remains, reinstall from scratch. Maybe also consider using a different ftpd... Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: i want to hide return path...
On Tue, May 04, 2004 at 02:45:58PM +0200, Marcin wrote: Hello, I am using debian postfix. When a mail from the PHP (under apache) the mail header contain: --- Return-Path: [EMAIL PROTECTED] --- I want to hide only this ONE user. It is possible ? [...] The only idea is change postfix sources ? I just compiled postfix from sources so this is not problem if it will help. What about changing your PHP? See http://www.zend.com/manual/function.mail.php#AEN50127 - you can add parameters to the mail() call in PHP and pass an -f switch to the sendmail invocation. That way, you can specify any sender address you like. HTH, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: i want to hide return path...
On Tue, May 04, 2004 at 02:45:58PM +0200, Marcin wrote: Hello, I am using debian postfix. When a mail from the PHP (under apache) the mail header contain: --- Return-Path: [EMAIL PROTECTED] --- I want to hide only this ONE user. It is possible ? [...] The only idea is change postfix sources ? I just compiled postfix from sources so this is not problem if it will help. What about changing your PHP? See http://www.zend.com/manual/function.mail.php#AEN50127 - you can add parameters to the mail() call in PHP and pass an -f switch to the sendmail invocation. That way, you can specify any sender address you like. HTH, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 12:18:58PM +0100, J.H.M. Dassen (Ray) wrote: Yes, see How to use TLS in application protocols under http://www.gnu.org/software/gnutls/documentation/gnutls/gnutls.html for details. Interesting - I didn't know this was possible! There's even support for it in Apache 2... but do today's browsers support it? Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 12:18:58PM +0100, J.H.M. Dassen (Ray) wrote: Yes, see How to use TLS in application protocols under http://www.gnu.org/software/gnutls/documentation/gnutls/gnutls.html for details. Interesting - I didn't know this was possible! There's even support for it in Apache 2... but do today's browsers support it? Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: mozilla - the forgotten package?
On Tue, Mar 09, 2004 at 11:59:01AM -0800, Matt Zimmerman wrote: Anyone with the time and ability can work on a project like this without joining the security team. Mozilla in particular is a huge amount of work to bring up to date and so far no one has found it critical enough relative to the effort required. Is there a list of such unresolved security problems which is accessible by people not in the security team? There was talk once about providing such a list, but AFAICT nothing happened - hmm, or is it the list of security-tagged bugs? Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: mozilla - the forgotten package?
On Tue, Mar 09, 2004 at 11:59:01AM -0800, Matt Zimmerman wrote: Anyone with the time and ability can work on a project like this without joining the security team. Mozilla in particular is a huge amount of work to bring up to date and so far no one has found it critical enough relative to the effort required. Is there a list of such unresolved security problems which is accessible by people not in the security team? There was talk once about providing such a list, but AFAICT nothing happened - hmm, or is it the list of security-tagged bugs? Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Big VPN
On Wed, Mar 03, 2004 at 09:39:06AM +0100, Jaros?aw Tabor wrote: I don't know IPSec so good, so one question: if I will add new node (LAN), do I need to update configuration of all others about it ? This is my biggest concern... I'm not so sure about this - anybody else? But I think it's possible - with X.509 certificates, shouldn't you be able to 1) Set up one root CA (certificate authority), which issues certificates and a revocation list 2) Sign the individual LANs' certificates with that CA's key 3) Tell all IPSec routers in your LANs to trust certificates with a signature by the root CA 4) Now, when one LAN A connects to another B for the first time, A can send its own signed certificate. B allows the connection to be set up due to the fact that A's certificate carries a signature of the CA. This means that each of your 100 LANs only needs a copy of the root CA's certificate in order to connect to any other LAN. You must maintain a CRL (certificate revocation list) to be able to remove certain LANs from your big VPN without updating all nodes. See the PDF which is the first link on http://www.strongsec.com/freeswan/, sections 3.1 and 3.2. HTH, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Big VPN
Hi, CCing the list again because other people might have cleverer ideas. I hope you don't mind, Jaroslaw. On Wed, Mar 03, 2004 at 11:36:27AM +0100, Jaros?aw Tabor wrote: That's OK. But what about routing ? How to inform other nodes, about new subnet ? I think, that this will require some kind of dynamic routing and IPSec on demand. But, as I see from freeswan and openswan doc, this isn't supported. Hmm, you are right... The only solution I see ATM is to pre-configure an appropriate amount of subnets on each LAN's IPSec router in advance, say 200. :-/ LAN number n gets the network 10.0.n.0/24, and its IPSec router is set up as ipsecn.mydomain.net. Later, when network number 42 has been set up to use 10.0.42.0/24, you only need to update the DNS entry of ipsec42.mydomain.net and all other LANs should be able to use it. (New IPSec links will be set up on demand once anyone tries to connect to the new network.) Obviously, an alternative would be to have one central node which acts as as a router between any two LANs. This will be much easier to maintain, I don't know if the resulting single point of failure and possibly lower performance are a problem for you. Each of the 100 LANs would just route all 10.0.0.0/16 addresses to the central node, and only the central node would be trusted, so you don't have to mess with CAs etc... Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Big VPN
On Wed, Mar 03, 2004 at 09:39:06AM +0100, Jaros?aw Tabor wrote: I don't know IPSec so good, so one question: if I will add new node (LAN), do I need to update configuration of all others about it ? This is my biggest concern... I'm not so sure about this - anybody else? But I think it's possible - with X.509 certificates, shouldn't you be able to 1) Set up one root CA (certificate authority), which issues certificates and a revocation list 2) Sign the individual LANs' certificates with that CA's key 3) Tell all IPSec routers in your LANs to trust certificates with a signature by the root CA 4) Now, when one LAN A connects to another B for the first time, A can send its own signed certificate. B allows the connection to be set up due to the fact that A's certificate carries a signature of the CA. This means that each of your 100 LANs only needs a copy of the root CA's certificate in order to connect to any other LAN. You must maintain a CRL (certificate revocation list) to be able to remove certain LANs from your big VPN without updating all nodes. See the PDF which is the first link on http://www.strongsec.com/freeswan/, sections 3.1 and 3.2. HTH, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Big VPN
Hi, CCing the list again because other people might have cleverer ideas. I hope you don't mind, Jaroslaw. On Wed, Mar 03, 2004 at 11:36:27AM +0100, Jaros?aw Tabor wrote: That's OK. But what about routing ? How to inform other nodes, about new subnet ? I think, that this will require some kind of dynamic routing and IPSec on demand. But, as I see from freeswan and openswan doc, this isn't supported. Hmm, you are right... The only solution I see ATM is to pre-configure an appropriate amount of subnets on each LAN's IPSec router in advance, say 200. :-/ LAN number n gets the network 10.0.n.0/24, and its IPSec router is set up as ipsecn.mydomain.net. Later, when network number 42 has been set up to use 10.0.42.0/24, you only need to update the DNS entry of ipsec42.mydomain.net and all other LANs should be able to use it. (New IPSec links will be set up on demand once anyone tries to connect to the new network.) Obviously, an alternative would be to have one central node which acts as as a router between any two LANs. This will be much easier to maintain, I don't know if the resulting single point of failure and possibly lower performance are a problem for you. Each of the 100 LANs would just route all 10.0.0.0/16 addresses to the central node, and only the central node would be trusted, so you don't have to mess with CAs etc... Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Big VPN
On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote: You might want to check tinc (http://tinc.nl.linux.org) I strongly recommend *not* to use tinc. http://www.securityfocus.com/archive/1/249142 illustrates that the authors didn't have enough expertise to build a secure tool 2 years ago. The problems were still present last autumn, see http://www.mit.edu:8008/bloom-picayune/crypto/14238. What a track record! With VPN software, IPSec is the only real option if you want to be certain it is secure. Jaroslaw Tabor wrote: I'm looking for good linux (debian of course) based solution for VPN connecting about 100 LANs. The solution should be stable, easy for implementation and easy for management. I've some expirience with VPNs based on PPTPd, but not so big. PPTP is also believed not to be quite insecure, see http://www.schneier.com/pptp-faq.html (NB old!). A small number of people believe it's OK these days due to some improvements made by Microsoft http://www.schneier.com/paper-pptpv2.html, but I still wouldn't recommend it. Does each of these 100 LANs need to connect to *any* other LAN, or just to your LAN? Are the LANs real LANs or do you only want to connect single road warrior machines to your LAN? I've reviewed freeswan and OE feauture. This looks nice, but I'm afraid about security. If I understand this solution right there is no authentication at all. So every one can connect to the LANs if he will spoof IP. I don't think it is the right thing for you, yes. Its main objective (in my eyes) is to protect general internet traffic from people who are not willing/able to do man-in-the-middle attacks, i.e. from people who just sniff on the wire. At least that's what it boils down to as long as no secure DNS is available... I need something better, because I cannot trust to LAN users. To avoid that, I have idea, to use some kind of secure DNS, which will answer only to authorized peers, but I don't know how to do it. What's wrong with IPSec with X.509 certificates? You can give out a signed certificate to all people who should get access to your network, and remove individual people from the allowed list if necessary. IPSec works with all OSes as clients. The only downside (IMHO) is that the server can be fairly complex to set up for this kind of scenario. Secure DNS doesn't exist today, does it? Finally, the questions: Did someone sucessfully build such network ? If yes, how? Well, since I'm in the mood of handing out URLs today ;-), here are some useful pages I found about IPSec setups involving both Linux and Windows clients. http://www.freeswan.org/ - you've seen this already I guess :) http://www.natecarlson.com/linux/ipsec-x509.php http://www.ipsec-howto.org/ - new kernel 2.6.0 IPSec http://ipsec.math.ucla.edu/services/ipsec.html http://lugbe.ch/action/reports/ipsec_htbe.phtml http://vpn.ebootis.de/ Is there any solution to easily manage keys in so big network, if I will choice freeswan (or other) without OE ? 100 VPN connections isn't /that/ much, I think FreeS/WAN or the 2.6.0 IPSec should be able to handle it. (Maybe ask the developers to ensure it does.) PS: Sorry, for my poor english, I'm not a native speaker. me neither :) Ditto. :-) ü, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Big VPN
On Tue, Mar 02, 2004 at 10:00:58PM +0100, I.R. van Dongen wrote: You might want to check tinc (http://tinc.nl.linux.org) I strongly recommend *not* to use tinc. http://www.securityfocus.com/archive/1/249142 illustrates that the authors didn't have enough expertise to build a secure tool 2 years ago. The problems were still present last autumn, see http://www.mit.edu:8008/bloom-picayune/crypto/14238. What a track record! With VPN software, IPSec is the only real option if you want to be certain it is secure. Jaroslaw Tabor wrote: I'm looking for good linux (debian of course) based solution for VPN connecting about 100 LANs. The solution should be stable, easy for implementation and easy for management. I've some expirience with VPNs based on PPTPd, but not so big. PPTP is also believed not to be quite insecure, see http://www.schneier.com/pptp-faq.html (NB old!). A small number of people believe it's OK these days due to some improvements made by Microsoft http://www.schneier.com/paper-pptpv2.html, but I still wouldn't recommend it. Does each of these 100 LANs need to connect to *any* other LAN, or just to your LAN? Are the LANs real LANs or do you only want to connect single road warrior machines to your LAN? I've reviewed freeswan and OE feauture. This looks nice, but I'm afraid about security. If I understand this solution right there is no authentication at all. So every one can connect to the LANs if he will spoof IP. I don't think it is the right thing for you, yes. Its main objective (in my eyes) is to protect general internet traffic from people who are not willing/able to do man-in-the-middle attacks, i.e. from people who just sniff on the wire. At least that's what it boils down to as long as no secure DNS is available... I need something better, because I cannot trust to LAN users. To avoid that, I have idea, to use some kind of secure DNS, which will answer only to authorized peers, but I don't know how to do it. What's wrong with IPSec with X.509 certificates? You can give out a signed certificate to all people who should get access to your network, and remove individual people from the allowed list if necessary. IPSec works with all OSes as clients. The only downside (IMHO) is that the server can be fairly complex to set up for this kind of scenario. Secure DNS doesn't exist today, does it? Finally, the questions: Did someone sucessfully build such network ? If yes, how? Well, since I'm in the mood of handing out URLs today ;-), here are some useful pages I found about IPSec setups involving both Linux and Windows clients. http://www.freeswan.org/ - you've seen this already I guess :) http://www.natecarlson.com/linux/ipsec-x509.php http://www.ipsec-howto.org/ - new kernel 2.6.0 IPSec http://ipsec.math.ucla.edu/services/ipsec.html http://lugbe.ch/action/reports/ipsec_htbe.phtml http://vpn.ebootis.de/ Is there any solution to easily manage keys in so big network, if I will choice freeswan (or other) without OE ? 100 VPN connections isn't /that/ much, I think FreeS/WAN or the 2.6.0 IPSec should be able to handle it. (Maybe ask the developers to ensure it does.) PS: Sorry, for my poor english, I'm not a native speaker. me neither :) Ditto. :-) ü, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Tripwire (clone) which would you prefer?
Also see this page for a useful comparison between AIDE and tripwire: http://www.fbunet.de/aide.shtml Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Tripwire (clone) which would you prefer?
Also see this page for a useful comparison between AIDE and tripwire: http://www.fbunet.de/aide.shtml Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Help! File permissions keep changing...
On Wed, Feb 18, 2004 at 02:15:36AM +0100, Javier Fernández-Sanguino Peña wrote: You can try to settle it by using umask (as other's have suggested) but users can defeat that. If you _really_ want to fix it, have a cronjob do this (quick and dirty, could be _really_ improved) -- DIR_TO_FIX=/home/groupX GROUP=mygroup PERM=g+rwX find $DIR_TO_FIX -type f -o -type d | xargs chown $GROUP # or chown -hR $GROUP $DIR_TO_FIX find $DIR_TO_FIX -type f -o -type d | xargs chmod $PERM # or chmod -hR $PERM $DIR_TO_FIX -- Waah, SCARY! Users can create hard links to arbitrary files in that directory, e.g. links to other users' private files or to /etc/shadow, and automatically get read access to those files. umask *is* the right solution (together with a sticky-bit dir). Set up a default umask which allows global read access and *let* users defeat it! If they know how to change their umask to something more restrictive, they're bound to know what they're doing! Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: arpwatch and arp packets ...urgent
On Wed, Feb 18, 2004 at 11:32:00AM +0100, m wrote: I want to be able to set public IP's for computers in LAN. Is any other solution ? I dont know about it - if you so - please let me know :) Have you tried explicit routing entries for the IPs in question? I'm not too sure if this actually works, but if eth1 is the interface on your router which is connected to 192.168.0.0/24 and you want to pass on packets for 1.2.3.4 to eth1, use this on your router: route add -host 1.2.3.4 dev eth0 This assumes that packets destined for 1.2.3.4 are sent to your router, and that one host in your LAN is configured to the address 1.2.3.4. Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Help! File permissions keep changing...
On Wed, Feb 18, 2004 at 02:15:36AM +0100, Javier Fernández-Sanguino Peña wrote: You can try to settle it by using umask (as other's have suggested) but users can defeat that. If you _really_ want to fix it, have a cronjob do this (quick and dirty, could be _really_ improved) -- DIR_TO_FIX=/home/groupX GROUP=mygroup PERM=g+rwX find $DIR_TO_FIX -type f -o -type d | xargs chown $GROUP # or chown -hR $GROUP $DIR_TO_FIX find $DIR_TO_FIX -type f -o -type d | xargs chmod $PERM # or chmod -hR $PERM $DIR_TO_FIX -- Waah, SCARY! Users can create hard links to arbitrary files in that directory, e.g. links to other users' private files or to /etc/shadow, and automatically get read access to those files. umask *is* the right solution (together with a sticky-bit dir). Set up a default umask which allows global read access and *let* users defeat it! If they know how to change their umask to something more restrictive, they're bound to know what they're doing! Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: arpwatch and arp packets ...urgent
On Wed, Feb 18, 2004 at 11:32:00AM +0100, m wrote: I want to be able to set public IP's for computers in LAN. Is any other solution ? I dont know about it - if you so - please let me know :) Have you tried explicit routing entries for the IPs in question? I'm not too sure if this actually works, but if eth1 is the interface on your router which is connected to 192.168.0.0/24 and you want to pass on packets for 1.2.3.4 to eth1, use this on your router: route add -host 1.2.3.4 dev eth0 This assumes that packets destined for 1.2.3.4 are sent to your router, and that one host in your LAN is configured to the address 1.2.3.4. Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Hacked - is it my turn? - interesting
On Tue, Feb 03, 2004 at 05:38:40AM +0100, Philipp Schulte wrote: No, with REJECT they would show up as closed. DROP produces filtered. FWIW, you also need --reject-with tcp-reset to fool nmap. Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Hacked - is it my turn? - interesting
On Tue, Feb 03, 2004 at 05:38:40AM +0100, Philipp Schulte wrote: No, with REJECT they would show up as closed. DROP produces filtered. FWIW, you also need --reject-with tcp-reset to fool nmap. Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Need recomendations for https proxy that serves as a firewall proxy
On Wed, Dec 31, 2003 at 11:33:02AM +0200, Haim Ashkenazi wrote: I have a client that have an exchange server inside the LAN and he wants to access the web interface from the world. I thought I'll put a transparent proxy server on the DMZ. apt-cache search proxy gave a few options but except squid (which is a little overkill for this) I don't know any of them (especially in terms of security) and I'm looking for recommendations. Um, do I understand correctly that you want to allow access from the internet to a machine in your client's LAN? In that case, squid is indeed the wrong solution. Maybe have a look at sslwrap+redir, or stunnel, which can run on any machine in your DMZ and forward incoming connections to the internal machine, adding SSL encryption to make it more secure. Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Need recomendations for https proxy that serves as a firewall proxy
On Wed, Dec 31, 2003 at 11:33:02AM +0200, Haim Ashkenazi wrote: I have a client that have an exchange server inside the LAN and he wants to access the web interface from the world. I thought I'll put a transparent proxy server on the DMZ. apt-cache search proxy gave a few options but except squid (which is a little overkill for this) I don't know any of them (especially in terms of security) and I'm looking for recommendations. Um, do I understand correctly that you want to allow access from the internet to a machine in your client's LAN? In that case, squid is indeed the wrong solution. Maybe have a look at sslwrap+redir, or stunnel, which can run on any machine in your DMZ and forward incoming connections to the internal machine, adding SSL encryption to make it more secure. Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
